Microsoft patched three zero day vulnerabilities actively under attack today as part of its May Patch Tuesday release. Researchers with FireEye who uncovered the three vulnerabilities said the bugs were actively being exploited by threat actors Turla and APT28. Two of the zero day vulnerabilities (CVE-2017-0261 and CVE-2017-0262) were remote code execution (RCE) bugs related to how Microsoft’s Office suite handled Encapsulated PostScript (EPS). FireEye said the third zero day vulnerability was tied to Windows and is an escalation of privilege vulnerability (CVE-2017-0263). According to security experts the RCE bugs could be triggered by simply viewing a malicious image in any number of Microsoft Office applications. The elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, according to Microsoft. “An attacker who successfully exploited this vulnerability (CVE-2017-0263) could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said. In total, Microsoft released patches for 55 unique CVEs for Internet Explorer, Edge, Office, Windows and the .NET Framework as part of its May Patch Tuesday release. Fourteen of the vulnerabilities were rated critical. “The use of zero-day exploits by Turla Group and APT28 underscores their capacity to apply technically sophisticated and costly methods when necessary,” said Ben Read, a cyber espionage analyst with FireEye who co-authored the blog. “APT28’s use of two zero days (CVE-2017-0262 and CVE-2017-0263) continues to demonstrate they are a very capable actor. Some of the talk about them doing less technically sophisticated credential theft shows they can bring the fast ball when they need to against a harder target,” Read said in an interview with Threatpost.
He added that CVE-2017-0261 is being used by both a nation state (Turla) and an unidentified financially motivated group. This, he said, illustrated a dynamic vulnerability market where both nation states and criminals are buying from the same vendors. In April, researchers at Kaspersky Lab said there was a link between the Moonlight Maze cyberespionage operation of the mid- and late-1990s and the modern-day Turla APT. The malware hides on infected systems, steals data and sends it off to a remote server, much like other cyber espionage tools. In December, the Federal Bureau of Investigation and the US Department of Homeland Security implicated hacking group APT28 (also known as Fancy Bear and Sofacy) in attacks against several election-related targets. The three zero day vulnerabilities come on the heels of Microsoft issuing an emergency out-of-band patch for a zero day reported by Google Project Zero in Microsoft’s Malware Protection Engine on Monday. Also part of Patch Tuesday were updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning. “This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificates,” Microsoft wrote. For the past couple of years, browser makers have raced to migrate from SHA-1 to SHA-2 as researchers have intensified warnings about collision attacks moving from theoretical to practical. Browser makers Google and Mozilla have already begun the deprecation of SHA-1. The Microsoft updates follow in the footsteps of Adobe, which earlier in the day released a surprisingly small update, patching just eight vulnerabilities.
The post Microsoft Plugs Three Zero Day Holes as Part of May Patch Tuesday appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/microsoft-plugs-three-zero-day-holes-as-part-of-may-patch-tuesday/
The numbers are in — and judging by them, OSS-Fuzz, the program Google unveiled last December to continuously fuzz open source software, has been a success. In five months’ time the effort has unearthed over 1,000 bugs, a quarter of them potential security vulnerabilities, Google says. OSS-Fuzz, still in beta mode, is built on fuzzing engines like libFuzzer, sanitizers such as AddressSanitizer, and a distributed fuzzing architecture that catalogs statistics as they pop up. The project was one of two Google unveiled last December. It also released Project Wycheproof, a collection of unit tests designed to help cryptographers check for weaknesses in cryptographic algorithms. Engineers behind the platform – Oliver Chang and Abhishek Arya with Chrome Security, Kostya Serebryany, a software engineer with Dynamic Tools, and Josh Armour, a Security Program Manager with Google – wrote a blog post on Monday to fill the public in on the last five months. While it can’t disclose all of the bugs – some are still restricted – Google says the project has helped find bugs in all types of open source software, including 10 bugs in FreeType2, 17 in FFmpeg, 33 in LibreOffice, eight in SQLite 3, 10 in GnuTLS, 25 in PCRE2, nine in gRPC, and seven in Wireshark. Roughly 50 percent of the bugs OSS-Fuzz has identified so far fall under ubsan (UndefinedBehaviorSanitizer) findings or leaks. A good chunk are heap buffer overflows, unknown crashes, and OOMs (out-of-memory terminations), Google said. In December, Google said the project was producing four trillion test cases a week. On Monday, engineers said activity on the platform has spiked, and that it’s now processing more than twice that figure in even less time: 10 trillion test inputs a day. While the statistics behind OSS-Fuzz are positive news, Google also said something else that should put a smile on developers’ faces.
The engineers said the company wants to help developers behind some of the open source projects, many of which operate on a shoestring budget, better fund their projects. The company announced Monday it will extend its current patch rewards program to include rewards for integrating fuzz targets into OSS-Fuzz. There are some prerequisites. Google is mandating that the projects have a large user base or be critical to global IT infrastructure. Those that are eligible will receive $1,000 for “initial integration” and up to $20,000 for what it calls ideal integration. The engineers said they’re broadening the scope of the program in hopes of recruiting more open source programs. “We believe that user and internet security as a whole can benefit greatly if more open source projects include fuzzing in their development process. To this end, we’d like to encourage more projects to participate and adopt the ideal integration guidelines that we’ve established,” the engineers wrote. Open source projects are already required to have a large user base in order to join OSS-Fuzz. Since the project is based around disclosing and fixing bugs, developers have to subject themselves to Google’s 90-day disclosure deadline. The company claims it’s begun reaching out to preliminary projects eligible for the $1,000, but is also directing interested parties to a submission form on its site. Google is one of several companies over the last several months to extend an olive branch to open source developers. In March, the bug bounty platform HackerOne announced it would offer open source projects free access to a version of its platform called HackerOne Community Edition. Eligible projects receive a Professional subscription to the service, including vulnerability submission coordination, analytics, and bounty programs, for free. HackerOne’s CEO Marten Mickos told Threatpost at the time the move was done to give back and to ensure that open source projects can get as much support as possible.
The post Google’s OSS-Fuzz Finds 1,000 Open Source Bugs appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/googles-oss-fuzz-finds-1000-open-source-bugs/

Microsoft released an update for the malware scanning engine bundled with most of its Windows security products in order to fix a highly critical vulnerability that could allow attackers to hack computers. The vulnerability was discovered by Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich on Saturday and was serious enough for Microsoft to create and release a patch by Monday. This was an unusually fast response for the company, which typically releases security updates on the second Tuesday of every month and rarely breaks out of that cycle. Ormandy announced Saturday on Twitter that he and his colleague found a “crazy bad” vulnerability in Windows and described it as “the worst Windows remote code execution in recent memory.” At the time, the researcher didn’t disclose any other details about the flaw that would have allowed others to figure out where it’s located, but said that potential exploits would affect Windows installations in their default configurations and could be self-propagating. According to a Microsoft security advisory published Monday, the vulnerability can be triggered when the Microsoft Malware Protection Engine scans a specially crafted file. The engine is used by Windows Defender, the malware scanner preinstalled on Windows 7 and later, as well as by other Microsoft consumer and enterprise security products: Microsoft Security Essentials, Microsoft Forefront Endpoint Protection 2010, Microsoft Endpoint Protection, Microsoft Forefront Security for SharePoint Service Pack 3, Microsoft System Center Endpoint Protection and Windows Intune Endpoint Protection. Desktop and server Windows deployments might be at risk, especially if real-time protection is turned on in the affected security products.
With real-time protection on, the Malware Protection Engine inspects files automatically as soon as they appear on the file system, as opposed to processing them during scheduled or manually triggered scanning operations. According to the Google Project Zero description of this vulnerability, the mere presence of a specially crafted file in any form and with any extension on the computer could trigger exploitation. This includes unopened email attachments, unfinished downloads, temporary internet files cached by the browser and even user content submitted to a website that’s hosted on a Windows-based web server running Internet Information Services (IIS). Because the Microsoft Malware Protection Engine runs with LocalSystem privileges, successful exploitation of this vulnerability could allow hackers to take full control of the underlying OS. According to Microsoft, attackers could then “install programs; view, change, or delete data; or create new accounts with full user rights.” Users should check that the Microsoft Malware Protection Engine version used in their products is 1.1.10701.0 or later. Propagation of the fix to products that are configured for automatic updates can take up to 48 hours, but users can also trigger a manual update. “Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions,” Microsoft said in its advisory. “Enterprise administrators should also verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded, approved and deployed in their environment.”

The post Microsoft fixes remote hacking flaw in Windows Malware Protection Engine appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/microsoft-fixes-remote-hacking-flaw-in-windows-malware-protection-engine/

Adobe and Microsoft both issued updates today to fix critical security vulnerabilities in their software. Microsoft actually released an emergency update on Monday just hours ahead of today’s regularly scheduled “Patch Tuesday” (the 2nd Tuesday of each month) to fix a dangerous flaw present in most of Microsoft’s anti-malware technology that’s being called the worst Windows bug in recent memory. Separately, Adobe has a new version of its Flash Player software available that squashes at least seven nasty bugs.
“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine,” Microsoft warned. “If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned.” On May 8, Microsoft released an out-of-band fix for the problem, demonstrating unusual swiftness in addressing a serious issue with its software. “Still blown away at how quickly @msftsecurity responded to protect users, can’t give enough kudos,” Google’s Ormandy tweeted on Monday. “Amazing.” In addition to the anti-malware product update, Microsoft today released fixes for dangerous security flaws in a range of products, from Internet Explorer and Edge to Windows, Microsoft Office, .NET, and of course Adobe Flash Player.
An extremely powerful and buggy program that binds itself to the browser, Flash is a favorite target of attackers and malware, and failing to keep up with its continuous security updates can leave users dangerously exposed. For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player. If you choose to keep Flash, please update it today. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera). Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: if there is an update available, Chrome should install it then.
The post Emergency Fix for Windows Anti-Malware Flaw Leads May’s Patch Tuesday appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/emergency-fix-for-windows-anti-malware-flaw-leads-mays-patch-tuesday/

Adobe fixed eight vulnerabilities, seven critical, in Flash Player and its Adobe Experience Manager (AEM) Forms product as part of a regularly scheduled update Tuesday morning. All seven of the Flash Player bugs can lead to code execution and should be considered critical, according to a security bulletin released by Adobe Tuesday. Jihui Lu, a researcher with Tencent KeenLab, found six of the bugs, including a use-after-free vulnerability that could directly lead to code execution. Two researchers with Google’s Project Zero research team, Mateusz Jurczyk and Natalie Silvanovich, found a memory corruption vulnerability. Adobe warns that, until updated, Flash Player for Windows and Linux (versions 25.0.0.148 and earlier) and Flash Player for Macintosh (versions 25.0.0.163 and earlier) are vulnerable. The updates bring Flash Player, across all platforms – Desktop Runtime, Chrome, Edge, Internet Explorer 11, and Linux – to version 25.0.0.171. Adobe also patched an issue in AEM Forms on Tuesday. The product, which helps customers improve document processes such as form filling, tracking, and responses, suffered from an information disclosure vulnerability. According to Adobe, a pre-population service in the platform was being abused. The company fixed the issue by giving administrators additional controls in the service’s configuration manager to restrict the file paths and protocols used to pre-fill forms. Unlike the Flash Player vulnerabilities, the Adobe Experience Manager bug wasn’t found by a researcher.
Instead Ruben Reusser, CTO at Headwire.com, a service that helps companies implement AEM, discovered it and reported it to Adobe. The update brings AEM 6.2 to 6.2 SP1 CFP3 and 6.1 to 6.1 SP2 CFP8. Version 6.0 of AEM also received a HotFix to version 2.0.5.8. Only eight patches make for a relatively tame Patch Tuesday for Adobe, compared to last month, which saw the company patch 59 vulnerabilities across five different products. Forty-four of those vulnerabilities – in Flash Player, Acrobat/Reader, Photoshop, Adobe Campaign, and its Adobe Creative Cloud App – were code execution bugs.

The post Adobe Patches Seven Critical Vulnerabilities in Flash, AEM appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/adobe-patches-seven-critical-vulnerabilities-in-flash-aem/

Even with Patch Tuesday less than 24 hours away, Microsoft didn’t wait to patch a dangerous Windows remote code execution flaw that was discovered by Google’s Project Zero just days earlier. Microsoft released the out of band patch Monday evening and revealed the issue (CVE-2017-0290) was in the Microsoft Malware Protection Engine and enables attackers to perform remote code execution (RCE) or trigger a denial of service attack through type confusion and application crashes. The out of band patch comes just three days after Google Project Zero vulnerability researchers Tavis Ormandy and Natalie Silvanovich reported the flaw to Microsoft. The out of band patch will be pushed out automatically to users within 48 hours of release.
After the Microsoft advisory regarding the out of band patch was posted, the Google Project Zero disclosure became public and Ormandy added new details on Twitter, saying that “Any service or program that touches the filesystem (IIS, SMB, Exchange, Outlook, IE, etc) can reach it though, hence RCE.” In the Project Zero disclosure, Ormandy wrote that the flaw affected Windows 8, Windows 8.1, Windows 10 and — after clarification from Microsoft — in a more limited way on Windows Server 2016. “Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service,” Ormandy wrote. “MsMpEng runs as NT AUTHORITY\SYSTEM without sandboxing, and is remotely accessible without authentication via various Windows services, including Exchange, IIS, and so on. On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on.” Ormandy has a long history of digging through antivirus and antimalware code to find bugs, going back to 2011 with issues he reported in Sophos products, and more recently with vulnerabilities in Kaspersky and Symantec antivirus engines. The Project Zero page showed that Ormandy and Silvanovich reported the Windows flaw to Microsoft on May 5th, the day Ormandy teased the issue on Twitter. At the time, Ormandy only said the vulnerability was “the worst Windows remote code exec in recent memory” and that the issue was “wormable” and even a default installation could be exploited. Ormandy’s Tweet triggered a debate over responsible vulnerability disclosure. Some security professionals criticized Ormandy for announcing the bug discovery on Twitter, while others felt the Tweet was harmless because no technical details were divulged.
Ormandy updated the Project Zero page the day it was posted with a response from Microsoft that it was already working on the out of band patch. He also repeatedly praised Microsoft for its work on the out of band patch on Twitter.
The post Microsoft out of band patch hits the day before Patch Tuesday appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/microsoft-out-of-band-patch-hits-the-day-before-patch-tuesday/

Microsoft made quick work of what two prominent Google researchers called the worst Windows vulnerability in recent memory, releasing an emergency patch Monday night, 48 hours after Google’s private disclosure was made. The mystery Windows zero day (CVE-2017-0290) was in the Microsoft Malware Protection Engine running in most of Microsoft’s antimalware offerings bundled with Windows. The engine, known as MsMpEng, is over-privileged and un-sandboxed, according to Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich. Worse, MsMpEng is accessible remotely through a number of critical, ubiquitous Windows services, including Exchange and the IIS webserver. With one email—one that would not have to be read by the user—an attacker could execute code remotely on a vulnerable computer running MsMpEng. “Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service,” Google said in its bug report. Updates will be automatically pushed to the engine within 48 hours, Microsoft said last night. Admins should verify that version 1.1.13704.0 of the engine is running. Microsoft listed a number of affected products in its advisory, all of them rated critical, including Forefront Endpoint Protection, System Center Endpoint Protection, Security Essentials, Defender for Windows 7, 8.1, RT 8.1, 10 and Windows Server 2016. “The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file,” Microsoft said. “An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.”
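The verification step the articles above describe (confirm the engine is at version 1.1.13704.0 or later, and trigger an update if not) as a defender-side check. This is an added example, not code from Microsoft or from any of the articles; it assumes the Defender PowerShell module is present on Windows 8 and later, and the registry paths used as a fallback for older Windows Defender and Security Essentials installs are assumed and should be confirmed locally.

```powershell
# Added example: check whether the Microsoft Malware Protection Engine (MsMpEng)
# on this host is at or above the fixed version named in Microsoft's advisory.
# Assumptions: 1.1.13704.0 is the fixed engine version quoted in the article;
# the two registry paths below are assumed locations of the EngineVersion value
# for Windows Defender and Microsoft Security Essentials respectively.

$FixedEngineVersion = [version]'1.1.13704.0'

function Get-MpEngineVersion {
    # Preferred source: the Defender module (Windows 8 and later).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
        if ($status -and $status.AMEngineVersion) {
            return [pscustomobject]@{
                Source             = 'Get-MpComputerStatus'
                Version            = [version]$status.AMEngineVersion
                RealTimeProtection = [bool]$status.RealTimeProtectionEnabled
            }
        }
    }

    # Fallback: registry values written by the product's signature updater
    # (assumed paths; Defender first, then Security Essentials).
    $candidates = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($key in $candidates) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.EngineVersion) {
            return [pscustomobject]@{
                Source             = $key
                Version            = [version]$props.EngineVersion
                RealTimeProtection = $null   # not recorded at this location
            }
        }
    }
    return $null
}

function Test-MpEnginePatched {
    param([version]$Minimum = $FixedEngineVersion)

    $engine = Get-MpEngineVersion
    if (-not $engine) {
        return [pscustomobject]@{
            Patched = $false
            Version = $null
            Source  = $null
            Reason  = 'No Microsoft antimalware engine version found on this host'
        }
    }

    $ok = $engine.Version -ge $Minimum
    [pscustomobject]@{
        Patched            = $ok
        Version            = $engine.Version
        Source             = $engine.Source
        RealTimeProtection = $engine.RealTimeProtection
        Reason             = if ($ok) { "Engine >= $Minimum" } else { "Engine older than $Minimum" }
    }
}

$result = Test-MpEnginePatched
$result | Format-List

if (-not $result.Patched) {
    # Real-time protection widens exposure to unpatched engines (files are scanned on
    # write), so an outdated engine with RTP enabled is the case to escalate first.
    Write-Warning ("MsMpEng {0} is below the fixed version {1}. " -f $result.Version, $FixedEngineVersion)
    if (Get-Command Update-MpSignature -ErrorAction SilentlyContinue) {
        Write-Warning 'Requesting an engine/definition update via Update-MpSignature; re-run this check afterwards.'
        Update-MpSignature -ErrorAction SilentlyContinue
    }
    exit 1
}
```

Run it as an administrator; for enterprise fleets the same check belongs in the update-management reporting Microsoft's advisory asks administrators to verify, rather than on individual hosts.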
Ormandy and Silvanovich warned via Twitter on Saturday that they had just found a severe Windows vulnerability without sharing much more information, other than that it was wormable. It was also thought to be unlikely that Microsoft would be able to turn around a patch so quickly, especially given that today is Patch Tuesday. Attackers can use a crafted file to access the mpengine component, which scans and analyzes files. Ormandy and Silvanovich wrote that an attacker could find success without user interaction with the malicious file because the engine analyzes filesystem activity using a minifilter. “So writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine,” they wrote. “MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses its own content identification system.” The researchers said mpengine offers attackers a “vast and complex attack surface,” with numerous components including executable packers and cryptors, system emulators and interpreters that are accessible remotely. Further, mpengine contains a component called NScript that evaluates filesystem and network activity that looks like JavaScript for malicious behavior. “To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems,” Ormandy and Silvanovich wrote. “This is as surprising as it sounds.” The researchers said they wrote a tool to access NScript via command shell. They found that a particular function in the engine fails to validate message properties from an object before passing it along to a runtime state. An attacker can take advantage of this type confusion and pass arbitrary objects to the runtime, the researchers wrote.
“Before executing JavaScript, mpengine uses a number of heuristics to decide if evaluation is necessary,” Ormandy and Silvanovich wrote. “One such heuristic estimates file entropy before deciding whether to evaluate any javascript, but we’ve found that appending some complex comments is enough to trigger this.” Attackers can exploit this vulnerability through a number of avenues aside from email attachments, including links to sites hosting an exploit sent via email or any instant messenger. The engine will scan the file once it’s opened from the internet, exploiting the vulnerability. “The update addresses the vulnerability by correcting the manner in which the Microsoft Malware Protection Engine scans specially crafted files,” Microsoft said.

The post Emergency Update Patches Zero Day in Microsoft Malware Protection Engine appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/emergency-update-patches-zero-day-in-microsoft-malware-protection-engine/

Microsoft has released a patch rapidly developed to combat a severe zero-day vulnerability discovered only days ago. Late Monday, the Redmond giant issued a security advisory for CVE-2017-0290, a remote code execution flaw impacting the Windows operating system. The security vulnerability was disclosed over the weekend by Google Project Zero security experts Natalie Silvanovich and Tavis Ormandy. On Twitter, prominent vulnerability hunter Ormandy revealed the existence of a zero-day flaw in Microsoft Malware Protection Engine (MsMpEng), used by Windows Defender and other security products. The researcher deemed the find a “crazy bad” bug which may be “the worst Windows remote code exec [execution flaw] in recent memory.” Ormandy understandably did not reveal anything else at the time, so as to give Microsoft time to fix the scripting engine memory corruption vulnerability after it was reported privately.
The built-in deployment system and scanner engine in Microsoft’s products will issue the patch to vendors automatically over the next 48 hours, and so more details have been disclosed. The vulnerability allows attackers to remotely execute code if the Microsoft Malware Protection Engine scans a specially crafted file. When successfully exploited, attackers are able to worm their way into the LocalSystem account and hijack an entire system. With such power, they have complete control to install or delete programs, steal information, create new accounts with full user rights and download additional malware.
The Project Zero team says the vulnerability can be leveraged against victims by only sending an email to users — without the need for the message to be opened or any attachments to be downloaded. An attack leveraging the exploit could also be conducted through malicious website visits or instant messaging. According to Ormandy, the vulnerability could not only be exploited to work against default systems, but is also “wormable.” In other words, malware using the exploit can replicate itself and spread beyond the target system. “Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service,” the team says. “If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned,” Microsoft said. “If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited.” Microsoft Forefront Endpoint Protection 2010, Microsoft Endpoint Protection, Microsoft Forefront Security for SharePoint Service Pack 3, Microsoft System Center Endpoint Protection, Microsoft Security Essentials, Windows Defender for Windows 7, Windows Defender for Windows 8.1 and RT 8.1, Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703, and Windows Intune Endpoint Protection are all affected. However, Microsoft told the Project Zero team that the Control Flow Guard (CFG) security feature lowers the risk of compromise on some of the latest platforms where the feature is enabled.
Ormandy praised Microsoft for how quickly the emergency patch was issued, saying that he was “blown away at how quickly @msftsecurity responded to protect users, can’t give enough kudos.” Microsoft says there have been no reports of the issue being exploited in the wild. System administrators do not need to act, as Microsoft’s internal systems will push the engine updates to vulnerable systems; however, the update can also be applied manually for a quicker fix.

The post Microsoft Releases Emergency Patch For Crazy Bad Windows Zero-Day Bug appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/microsoft-releases-emergency-patch-for-crazy-bad-windows-zero-day-bug/

Hikvision, a Chinese manufacturer of video surveillance equipment, recently patched a backdoor in a slew of its cameras that could have made it possible for a remote attacker to gain full admin access to affected devices. The backdoor stems from two bugs: an improper authentication bug and a password in configuration file vulnerability. Both bugs could have allowed an attacker to escalate privileges and access sensitive information. The United States Computer Emergency Readiness Team (US-CERT) disclosed the vulnerabilities in an advisory on Friday, assigning the highest possible CVSS rating, 10.0, to the improper authentication vulnerability. The password in configuration file issue, meanwhile, received a high severity 8.8 rating. The warning reiterates a bulletin the company, which is partially owned by the Chinese government, sent customers in March. In the notice, Hikvision warned that request code could be used to access certain IP cameras directly. From there, it could be possible for an attacker to escalate user privileges, and “acquire or tamper with device information.” The company provided firmware updates for seven lines of cameras at the time, the same updates US-CERT pointed out on Friday:
An independent researcher who goes by the handle “Montecrypto” first disclosed the backdoor in a post to the forum IPCamTalk in early March, saying it “makes it possible to gain full admin access to the device.” At the time, he gave the company two weeks to “come forward, acknowledge, and explain why the backdoor is there and when it is going to be removed.” Montecrypto confirmed the privilege escalation aspect of the vulnerability the same day the company warned of the issue, acknowledging an attacker could remotely escalate their privileges “from anonymous web surfer to admin.” The researcher promised to disclose details around his findings on March 20, two weeks after he initially disclosed, but retreated from that decision after making contact with the company. “Per agreement with Hikvision I am delaying the disclosure,” Montecrypto wrote. “Hikvision promised to responsibly disclose and resolve the vulnerability. They are working with ICS-CERT and other organizations, and it is expected that more details will be communicated soon via those channels. If nothing is communicated in the next few weeks, I will proceed with full disclosure.” According to IPVM, a video surveillance publication that’s been keeping track of the vulnerabilities, it’s believed the bugs affect millions of cameras, “given Hikvision’s own regular declarations of shipping tens of millions of cameras.” According to the company, until customers apply the respective firmware patch, the following cameras are still vulnerable:
Hikvision, via US-CERT, warned customers Friday that trying to update some “grey market” cameras – devices sold through unauthorized channels, thus with unauthorized firmware – could result in complications. “Updating the firmware may result in converting the camera’s interface back to its original state. Users of ‘grey market’ cameras who cannot update due to this unauthorized firmware will still be susceptible to these vulnerabilities.” While Hikvision fixed the improper authentication vulnerability, it has yet to fix the password in configuration file vulnerability, US-CERT points out. The company did not immediately return a request for comment on Monday when asked if it was planning on fixing the issue. Several years ago, Hikvision, in an effort to better secure its products, contracted the security firm Rapid7 to carry out a penetration test and vulnerability assessment of its IP cameras, embedded recorders, and software tools. That partnership was spurred after Rapid7 identified a series of vulnerabilities, buffer overflows that allowed the remote execution of arbitrary code, in Hikvision DVRs in 2014. It’s unclear how long since the audit the vulnerabilities identified in March have existed in Hikvision cameras. The Hikvision advisory comes a day after US-CERT warned of a similar set of vulnerabilities in IP cameras and digital video recorders manufactured by another Chinese company, Dahua. The company told customers and partners in early March that the vulnerabilities were caused by what it called “a small piece of code.” Bashis, an independent researcher, found the issues, a backdoor that allowed remote unauthorized admin access via the web, and disclosed them via the Full Disclosure mailing list on March 6. A spokesman from Dahua confirmed the information in US-CERT’s advisory early Monday and said that customers can download updated firmware from the “Device Upgrade Kit” section of the company’s website to mitigate the vulnerabilities.
The post Hikvision Patches Backdoor in IP Cameras appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/hikvision-patches-backdoor-in-ip-cameras/