Posts

WordPress and Drupal patched for DDoS vulnerability

WordPress and Drupal have been patched for, amongst other things, a vulnerability that allows an attacker to take down a WordPress or Drupal site.

Both projects have an XML-RPC endpoint, and the PHP XML parser used by that endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks. These can cause CPU and memory exhaustion and can make the site’s database reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

Users of WordPress should upgrade to 3.9.2 as soon as possible: https://www.drupal.org/SA-CORE-2014-004

More information:

Vulnerability in Cisco ASA

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
– Cisco ASA ASDM Privilege Escalation Vulnerability
– Cisco ASA SSL VPN Privilege Escalation Vulnerability
– Cisco ASA SSL VPN Authentication Bypass Vulnerability
– Cisco ASA SIP Denial of Service Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA ASDM Privilege Escalation Vulnerability and the Cisco ASA SSL VPN Privilege Escalation Vulnerability may allow an attacker or an unprivileged user to elevate privileges and gain administrative access to the affected system.

Successful exploitation of the Cisco ASA SSL VPN Authentication Bypass Vulnerability may allow an attacker to obtain unauthorized access to the internal network via SSL VPN.

It is recommended to upgrade as soon as possible in order to avoid breaches.

More information and upgrade information: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa

Critical OpenSSL vulnerability

A security vulnerability in OpenSSL was published on April 7. With this vulnerability, an attacker is able to remotely dump the memory contents of a process using OpenSSL.
This exposes both the content of SSL/TLS encrypted communications, and the associated private keys. This is a major issue as OpenSSL is a critical component of most encrypted Internet services.

Basefarm’s Security Incident Response Team, together with other Basefarm personnel, investigated which of the servers hosted by us were affected, and to what extent. Those services which were managed by Basefarm were then patched and affected customers were notified. This was completed Tuesday afternoon.

There is unfortunately no way of knowing for certain which information has been stolen during the attack window, so we recommend that anyone affected by this vulnerability assume that their SSL/TLS private keys have been stolen, even if we have no concrete indication of this.
This means that you will need a new key pair and certificate for any exposed SSL/TLS keys and certificates. Basefarm will help you with this if we manage the keys for you. Your old certificates will also need to be revoked.

Any other information passed over a vulnerable SSL/TLS connection may also have been captured, including usernames, passwords, credit card numbers and other personally identifiable information.
We recommend that you initiate a password change for any account where the password has been passed over a vulnerable SSL/TLS connection over the last day or so.

Please note that if Personally Identifiable Information, credit card or cardholder data, or other sensitive data may have been compromised, you probably have an obligation to alert the proper authorities.
Unfortunately, there is no way of knowing exactly which data has been compromised.

Here are the mitigation steps in detail:
1. Emergency fix the vulnerability itself by patching, reconfiguring, or both, on all exposed servers.
2. Generate a new key pair following best practice guidelines.
3. Purchase a new certificate using the new key pair. Without a new key pair, the old and possibly stolen key pair could be abused, e.g. to eavesdrop or to impersonate the service.
4. Switch to the new certificate on all relevant servers.
5. Revoke the old certificate. This is important, as otherwise a stolen private key could still be used to impersonate the web server until the old certificate expires.
6. Consider initiating a change of all passwords etc. that have been sent over SSL/TLS using the old key pair, at least those sent over the last day or so. If someone has an old “recording” of an encrypted conversation, and also gets hold of the old keys, they can now decrypt that conversation. There’s nothing to be done about that in itself, but any reusable credentials could be stolen this way and abused if they are not changed.
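
Steps 2 to 4 above, as an added shell example that is not part of the original newsletter: it generates a fresh key and CSR with the `openssl` command-line tool, then checks that the certificate returned by the CA matches the new key and does not carry the old certificate's public key. The file names, the subject and the RSA 2048 key size are assumptions.

```shell
#!/bin/sh
# Added example: rekey after a suspected private-key exposure (steps 2-4).
# File names, subject and RSA 2048 are assumptions, not from the newsletter.

# Fingerprint a PEM public key read from stdin. Fails on empty or invalid
# input so that two parse errors can never compare as "equal".
hash_pub() {
    pem=$(openssl pkey -pubin 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

key_fp()  { openssl pkey -in "$1" -pubout 2>/dev/null | hash_pub; }
cert_fp() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | hash_pub; }
csr_fp()  { openssl req -in "$1" -noout -pubkey 2>/dev/null | hash_pub; }

# Steps 2 and 3: new private key (owner-readable only) and a CSR for the CA.
# Usage: new_key_and_csr NEW_KEY NEW_CSR SUBJECT
new_key_and_csr() {
    ( umask 077 && openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null ) || return 1
    openssl req -new -key "$1" -subj "$3" -out "$2"
}

# Step 4 gate, run before deploying the certificate the CA returned.
# Usage: rekey_ok NEW_CERT NEW_KEY OLD_CERT
#   0 = new cert matches the new key and does not reuse the old public key
#   1 = cert/key mismatch, or the certificate was reissued on the old key
#   2 = one of the files could not be parsed
rekey_ok() {
    new_c=$(cert_fp "$1") || return 2
    new_k=$(key_fp "$2")  || return 2
    old_c=$(cert_fp "$3") || return 2
    [ "$new_c" = "$new_k" ] || return 1
    [ "$new_c" != "$old_c" ] || return 1
    return 0
}

# Typical run (revocation in step 5 is done through the issuing CA):
#   new_key_and_csr www.key www.csr "/CN=www.example.test"
#   rekey_ok www-new.crt www.key www-old.crt && echo "safe to deploy"
```

A return code of 1 from `rekey_ok` on a freshly issued certificate usually means the CSR was built from the old key, in which case the reissue has not removed the exposure.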

Step 6 really is up to you and/or your end users. High-profile and/or high-value sites would be well advised to at least recommend that their users change their passwords, and could use this as an opportunity to convey a strong message that they care about the security of their users.
We have previously written a note in our security tips section of this newsletter about passwords: http://bfblogg.wpengine.com/blog/basefarm-sirt-newsletter-2013-03-08/

So what are the lessons learned?
Things can always be done faster and automated better, and that’s something we’re always working towards. In this case we should have focused a bit more on communication, and actually been better at informing the customers that we were working on patching their services.

Apple security updates

Apple have released multiple critical security updates for iOS, OS X, Safari and QuickTime. These updates fix critical issues with SSL traffic, so make sure you update as soon as possible.
The updates will push your iOS devices to 7.0.6, your OS X to 10.9.2, your QuickTime to 7.7.5 and Safari to 7.0.2 (included in the 10.9.2 version of OS X).

More information:
http://support.apple.com/kb/HT6150
http://support.apple.com/kb/HT6151
http://support.apple.com/kb/HT6145
http://support.apple.com/kb/HT6147

Adobe Flash Vulnerability

Adobe has released security updates for Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.336 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit for CVE-2014-0502 exists in the wild, and recommends users update their product installations to the latest versions.

You can find some tips regarding Flash here:
http://bfblogg.wpengine.com/blog/bf-sirt-newsletter-2014-07/

More information: http://helpx.adobe.com/security/products/flash-player/apsb14-07.html

Solr <4.6 vulnerable

Several vulnerabilities were fixed in recent versions of Solr:
– directory traversal when using XSLT or Velocity templates (CVE-2013-6397 / SOLR-4882)
– XXE in UpdateRequestHandler (CVE-2013-6407 / SOLR-3895)
– XXE in DocumentAnalysisRequestHandler (CVE-2013-6408 / SOLR-4881)

These vulnerabilities were confirmed to be exploitable also on old versions like 3.6.2. Gaining remote code execution is easy by combining the directory traversal and XXE vulnerabilities.

If you wonder how these vulnerabilities could be exploited in real life setups when Solr isn’t reachable directly from the Internet, you may be interested in the following blog post:

http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html

Ruby on Rails vulnerability pre 3.2.16 and 4.0.2

Rails 3.2.16 and 4.0.2 have been released!

These two releases contain important security fixes, so please upgrade as soon as possible! In order to make upgrading as smooth as possible, we’ve only included commits directly related to each security issue.

More information: Rails 3.2.16 and 4.0.2 have been released!

Drupal core – Highly Critical Vulnerability

Drupal has sent out a notification about new highly critical issues with the Drupal core. This means that anyone running Drupal should update as soon as possible.

Advisory ID: DRUPAL-SA-CORE-2013-003
Project: Drupal core
Version: 6.x, 7.x
Date: 2013-November-20
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

More information: https://drupal.org/security

Cisco ASA VPN Denial of Service Vulnerability

A vulnerability in the VPN authentication code that handles parsing of the username from the certificate on the Cisco ASA firewall could allow an unauthenticated, remote attacker to cause a reload of the affected device.

The vulnerability is due to parallel processing of a large number of Internet Key Exchange (IKE) requests for which username-from-cert is configured. An attacker could exploit this vulnerability by sending a large number of IKE requests when the affected device is configured with the username-from-cert command. An exploit could allow the attacker to cause a reload of the affected device, leading to a denial of service (DoS) condition.

More information: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5544

Apple security updates

Apple have released security updates for the following applications:
iTunes 11.1.2
Apple Remote Desktop 3.7
Apple Remote Desktop 3.5.4
Keynote 6.0
Safari 6.1

They have also released the following Operating System updates.
OS X Mavericks v10.9
OS X Server 3.0
iOS 7.0.3

These updates fix more than a hundred security vulnerabilities, with many being labeled as critical, and it’s highly recommended to apply them as soon as possible!