Information Security all in one place!

Posts tagged “Security

Mobile Devices and the Growing Concern


A pile of mobile devices including smart phone...

If you use any type of mobile device in your day to day life….keep reading. Ignorance can only bring you so far!

Two separate studies of mobile devices have found serious privacy and security issues. One of the studies found that smartphones and tablet PCs can be eavesdropped on when they are being used to make purchases, conduct online banking transactions, or access VPNs (virtual private networks). Another study uncovered a number of ways to break into Apple’s iOS, its operating system for mobile devices. It is likely that cyber criminals will increasingly turn to mobile devices in their attacks as the devices become more and more commonplace in business transactions.

Related Information: http://www.usatoday.com/tech/news/story/2012-04-08/smartphone-security-flaw/54122468/1

Proof of Concept Video: http://bcove.me/44ip4sgw


McAfee Email and Web Security Appliance v5.6: Multiple Vulnerabilities


NGS Secure has discovered a high risk vulnerabilities in the McAfee Email and Web Security Appliance

All versions prior to 5.5 Patch 6, Email and Web Security 5.6 Patch 3, McAfee Email Gateway 7.0 Patch 1

Vulnerabilities Include:

  • Reflective XSS allowing an attacker to gain session tokens
  • Session hijacking and bypassing client-side session timeouts
  • Any logged-in user can bypass controls to reset passwords of other administrators
  • Active sesssion tokens of other users are disclosed within the UI
  • Password hashes can be recovered from a system backup and easily cracked
  • Arbitrary file download is possible with a crafted URL when logged in as any user

 

NGS Secure is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure.


Cisco Security Advisory: Cisco IOS Software Smart Install Denial of Service Vulnerability


 

 

Cisco IOS Software contains a vulnerability in the Smart Install feature that could allow an unauthenticated, remote attacker to cause a reload of an affected device if the Smart Install feature is enabled. The vulnerability is triggered when an affected device processes a malformed Smart Install message on TCP port 4786.

Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-smartinstall

 

 


Cisco Security Advisory: Cisco IOS Software RSVP Denial of Service Vulnerability


Cisco IOS Software and Cisco IOS XE Software contain a vulnerability in the RSVP feature when used on a device configured with VPN routing and forwarding (VRF) instances. This vulnerability could allow an
unauthenticated, remote attacker to cause an interface wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other denial of service (DoS) conditions. This vulnerability could be exploited repeatedly to cause an extended DoS condition.

A workaround is available to mitigate this vulnerability.

Cisco has released free software updates that address this
vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-rsvp


Kaspersky Labs: New Generation of Ultimate PC Protection; for Home


Kaspersky Lab, a leading developer of secure content and threat management solutions today announced a new version of its flagship product for at-home PC protection — Kaspersky PURE 2.0 Total Security. Using Kaspersky Lab’s award-winning anti-malware protection and an array of additional security tools, Kaspersky PURE 2.0 Total Security is the easiest way to keep multiple PCs secure, irreplaceable digital assets protected, and children safe and responsible online.

Central Home PC Management

Ideal for households with multiple computers, including families with children, Kaspersky PURE uses Home Network Management to easily protect, manage and monitor every PC in the household from a single machine.

From one PC, you can:

— Run all scans, updates, and backup tasks on every PC in the house automatically or on-demand

— Fix security issues without getting up from your desk

— Manage parental controls from anywhere in the house, so your kids are protected even when they’re out of view

— Conveniently update the Kaspersky PURE licenses throughout your home

Total Package of Security Tools

Kaspersky PURE also includes everything you need to secure your online identity and protect your irreplaceable digital property. When you install Kaspersky PURE, our extra layers of security mean you can say good-bye to overpriced and inefficient niche products.

This is great work. I am demoing the product now and will post my review shortly. Very excited about how this will shape the home and small business central management landscape. Will vendors pile on?

 

More on this breaking news can be found here: http://www.marketwatch.com/story/kaspersky-lab-announces-new-generation-of-ultimate-pc-protection-for-your-home-2012-03-26


Cyberoam Unified Threat Management: Insecure Password Handling


CybeRoam Unified Threat Management appliances offer assured security, connectivity and productivity to Small Office-Home Office (SOHO) and Remote Office-Branch Office (ROBO) users by allowing user identity-based policy controls.

Cyberoam UTM integrates with Active Directory. In order to query data from a configured AD, domain credentials are stored within the device. These credentials are retrievable by an authenticated user.

Domain credentials are stored on the device and passed to web clients on a diagnostic page (Identity –> Authentication –> Authentication Server –> /Select Configured AD/ ).  Authenticated clients can thus easily access stored credentials.

A trivial check for this follows (replace cookie value):

curl -s -b “JSESSIONID=u2ur76lhy4qt” -H “Referer: blah”
http:///corporate/webpages/identity/ActiveDirectoryEdit.jsp?__RequestType=ajax&&objectID=1&pageid=pagePopupForm1″|egrep
‘(adminusername|passwdvalue)’

The vulnerability allows a malicious user to access potentially privileged domain credentials. Should default passwords not be changed, then this is a trivial entry point onto a Windows domain.

Systems affected: Severity High

Cyberoam CR50ia 10.01.0 build 678


Aruba Networks: OS command injection in RAP web interface and 802.1X EAP-TLS user authentication


offical logo of Aruba Networks

 

An OS command injection vulnerability has been discovered in the Aruba Remote Access Point’s Diagnostic Web Interface. When running the diagnostic web interface, arbitrary system commands can be executed as the root user on the Remote device by an unauthenticated attacker.

The Remote Access Point provides a web interface to facilitate initial provisioning of the device. This web interface provides functionality to run some basic network diagnostics and enter configuration parameters necessary for successful provisioning. An OS command injection vulnerability has been discovered in this web interface where malicious user input can be injected via form elements and run arbitrary system commands on the device as root user. This diagnostic web interface can be disabled after initial provisioning of the device.

An unauthenticated attacker can run arbitrary system commands on the device as root user. This could lead to a full compromise of the device’s operating system.

This vulnerability applies only to the Aruba Remote Access Point and other Aruba devices are not affected.

Aruba Networks recommends not allowing access to the Aruba Remote Access
Point’s diagnostic web interface after initial provisioning by applying an
access list (acl) to block HTTP and HTTPS protocol to its local IP. This
restricted acl needs to be in the highest position of the acl rules for
each user-role that should not have access to the diagnostic web
interface.

Example restricted IP access list added to a user-role called guest:

ip access-list session local_debug_restricted
user localip svc-http deny
user localip svc-https deny

user-role guest
access-list session local_debug_restricted
access-list session dns-acl
access-list session dhcp-acl
access-list session icmp-acl
access-list session http-acl
access-list session https-acl

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical.

The following patches have the fix (any newer patch will also have the
fix):

– – – ArubaOS 5.0.4.2
– – – ArubaOS 6.0.2.1
– – – ArubaOS 6.1.2.4