Thursday, March 31, 2016
Thursday, March 10, 2016
Cisco Cable Modem with Digital Voice Remote Code Execution Vulnerability
Source: Cisco
A vulnerability in the web server used in the Cisco Cable Modem with Digital Voice Model DPC2203 could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.
The vulnerability is due to improper input validation for HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.
Cisco has released software updates to its service provider customers that address the vulnerability described in this advisory. Prior to contacting Cisco TAC, customers are advised to contact their service providers to confirm the software deployed by the service provider includes the fix that addresses this vulnerability. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160309-cmre
Affected Products
-
Vulnerable Products
The following Cisco product are vulnerable:
- Cisco Cable Modem with Digital Voice Model DPC2203
- Cisco Cable Modem with Digital Voice Model EPC2203
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
Workarounds
-
There are no workarounds that address this vulnerability.
Fixed Software
-
Cisco has released software updates to its service provider customers that address the vulnerability described in this advisory. Prior to contacting Cisco TAC, customers are advised to contact their service providers to confirm the software deployed by the service provider includes the fix that addresses this vulnerability.
By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Exploitation and Public Announcements
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
There are no workarounds that address this vulnerability.
Fixed Software
- Cisco has released software updates to its service provider customers that address the vulnerability described in this advisory. Prior to contacting Cisco TAC, customers are advised to contact their service providers to confirm the software deployed by the service provider includes the fix that addresses this vulnerability.
By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Exploitation and Public Announcements
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Tuesday, March 8, 2016
DoD Issues Cybersecurity Discipline Guidance
Source: Army Times http://www.armytimes.com/
The Defense Department recently issued a military-wide cybersecurity discipline implementation plan, a document that aims to hold leaders accountable for cybersecurity up and down the chain of command and report progress and setbacks.
The plan was originally issued in October but updated in February and made public on the DoD CIO site in early March. It shares some similarities with the Pentagon’s other large-scale cyber assessment tool, the department’s strategic cybersecurity scorecard that reports service-level compliance directly to the Defense secretary. The difference between the two is that the discipline implementation plan targets tactical-level compliance, and each has different reporting mechanisms – the discipline plan routes users to the Defense Readiness Reporting System to report their status with the requirements.
The new plan centers on four lines of effort, which actually correspond with the cybersecurity scorecard. They include:- Strong authentication to degrade the adversaries' ability to maneuver on DoD information networks;
- Device hardening to reduce internal and external attack vectors into DoD information networks;
- Reduce attack surface to reduce external attack vectors into DoD information networks; and
- Alignment to cybersecurity/computer network defense service providers to improve detection of and response to adversary activity
"The requirements within each line of effort represent a prioritization of all existing DoD cybersecurity requirements. Each line of effort focuses on a different aspect of cybersecurity defense-in-depth that is being exploited by our adversaries to gain access to DoD information networks,” the document states. “Securing DoD information networks to provide mission assurance requires leadership at all levels to implement cybersecurity discipline, enforce accountability, and manage the shared risk to all DoD missions … this campaign forces awareness and accountability for these key tasks into the command chains and up to senior leadership, where resourcing decisions can be made to address compliance shortfalls."
Each of the four lines of effort includes a thorough explanation of the goal, followed by multiple tasks and questions designed to assess compliance, vulnerability and progress. An appendix further details prioritizes tasks from the discipline implementation and from previously issued DoD cybersecurity campaign guidance, and weights DoD’s cybersecurity objectives.
"Work on these tasks can proceed in parallel; these lists guide the application of limited resources to the most critical tasks for securing and defending segments of the network across the Department,” the document notes. “Of primary importance is implementing a healthy cybersecurity culture across all ranks, one that ingrains a self-correcting discipline similar to the nuclear enterprise or other critical, highly reliable organizations. If we fail to change the culture, we will fail to secure the enterprise regardless of any defenses installed otherwise."
Despite the use of the term ‘discipline’ in its title though, one thing the new plan seems to lack, at least in the unclassified version: consequences for failing to meet goals or maintain security. It’s not immediately clear what might happen to people who fall short of requirements or fall to cyberattacks.
Wednesday, March 2, 2016
IRS and US-CERT Caution Users: Prepare for Heightened Phishing Risk This Tax Season
Overview
Throughout the year, scam artists pose as legitimate entities—such as the Internal Revenue Service (IRS), other government agencies, and financial institutions—in an attempt to defraud taxpayers. They employ sophisticated phishing campaigns to lure users to malicious sites or entice them to activate malware in infected email attachments. To protect sensitive data, credentials, and payment information, US-CERT and the IRS recommend taxpayers prepare for heightened risk this tax season and remain vigilant year-round.Remain alert
Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. In many successful incidents, recipients are fooled into believing the phishing communication is from someone they trust. An actor may take advantage of knowledge gained from research and earlier attempts to masquerade as a legitimate source, including the look and feel of authentic communications. These targeted messages can trick any user into taking action that may compromise enterprise security.Spot common elements of the phishing lifecycle
- A Lure: enticing email content.
- A Hook: an email-based exploit.
- Email with embedded malicious content that is executed as a side effect of opening the email
- Email with malicious attachments that are activated as a side effect of opening an attachment
- Email with “clickable” URLs: the body of the email includes a link, which displays as a recognized, legitimate website, though the actual URL redirects the user to malicious content
- A Catch: a transaction conducted by an actor following a successful attempt.
- Unexplainable charges
- Unexplainable password changes
Understand how the IRS communicates electronically with taxpayers
- The IRS does not initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.
- This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
- The official website of the IRS is www.irs.gov.
Take action to avoid becoming a victim
If you believe you might have revealed sensitive information about your organization or access credentials, report it to the appropriate contacts within the organization, including network administrators. They can be alert for any suspicious or unusual activity.Watch for any unexplainable charges to your financial accounts. If you believe your accounts may be compromised, contact your financial institution immediately and close those accounts.
If you believe you might have revealed sensitive account information, immediately change the passwords you might have revealed. If you used the same password for multiple accounts, make sure to change the password for each account and do not use that password in the future.
Report suspicious phishing communications
- Email: If you read an email claiming to be from the IRS, do not reply or click on attachments and/or links. Forward the email as-is to phishing@irs.gov (link sends e-mail), then delete the original email.
- Website: If you find a website that claims to be the IRS and suspect it is fraudulent, send the URL of the suspicious site to phishing@irs.gov (link sends e-mail) with subject line, “Suspicious website”.
- Text Message: If you receive a suspicious text message, do not reply or click on attachments and/or links. Forward the text as-is to 202-552-1226 (standard text rates apply), and then delete the original message (if you clicked on links in SMS and entered confidential information, visit the IRS’ identity protection page).
Additional Resources
For more information on phishing, other suspicious IRS-related communications including phone or fax scams, or additional guidance released by Treasury/IRS and DHS/US-CERT, visit:- Avoiding Social Engineering and Phishing Attacks
- Recognizing and Avoiding Email Scams
- Phishing and Other Schemes Using the IRS Name
- IRS Repeats Warning about Phone Scams
- Report Phishing and Online Scams
- Tips for Taxpayers, Victims about Identity Theft and Tax Returns
Tuesday, March 1, 2016
OpenSSL Security Advisory
National Cyber Awareness System:
OpenSSL Security Advisory [1st March 2016]
=========================================
NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as
well as removing SSLv2 EXPORT ciphers. We strongly advise against the use of
SSLv2 due not only to the issues described below, but to the other known
deficiencies in the protocol as described at
https://tools.ietf.org/html/rfc6176
Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
================================================================
Severity: High
A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle. Note that traffic between clients and
non-vulnerable servers can be decrypted provided another server supporting
SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or
POP) shares the RSA keys of the non-vulnerable server. This vulnerability is
known as DROWN (CVE-2016-0800).
Recovering one session key requires the attacker to perform approximately 2^50
computation, as well as thousands of connections to the affected server. A more
efficient variant of the DROWN attack exists against unpatched OpenSSL servers
using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on
19/Mar/2015 (see CVE-2016-0703 below).
Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS
servers, if they've not done so already. Disabling all SSLv2 ciphers is also
sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and
1.0.2f) have been deployed. Servers that have not disabled the SSLv2 protocol,
and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2
ciphers are nominally disabled, because malicious clients can force the use of
SSLv2 with EXPORT ciphers.
OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN:
SSLv2 is now by default disabled at build-time. Builds that are not configured
with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will
need to explicitly call either of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
as appropriate. Even if either of those is used, or the application explicitly
uses the version-specific SSLv2_method() or its client or server variants,
SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed.
Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no
longer available.
In addition, weak ciphers in SSLv3 and up are now disabled in default builds of
OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will
not provide any "EXPORT" or "LOW" strength ciphers.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
More At: https://www.openssl.org/news/secadv/20160301.txt
03/01/2016 11:04 AM EST
Original release date: March 01, 2016
OpenSSL has released updates to address vulnerabilities in prior versions. Exploitation of some of these vulnerabilities may allow a remote attacker to obtain sensitive information. Updates available include:
OpenSSL has released updates to address vulnerabilities in prior versions. Exploitation of some of these vulnerabilities may allow a remote attacker to obtain sensitive information. Updates available include:
- OpenSSL 1.0.2g for 1.0.2 users
- OpenSSL 1.0.1s for 1.0.1 users
=========================================
NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as
well as removing SSLv2 EXPORT ciphers. We strongly advise against the use of
SSLv2 due not only to the issues described below, but to the other known
deficiencies in the protocol as described at
https://tools.ietf.org/html/rfc6176
Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
================================================================
Severity: High
A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle. Note that traffic between clients and
non-vulnerable servers can be decrypted provided another server supporting
SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or
POP) shares the RSA keys of the non-vulnerable server. This vulnerability is
known as DROWN (CVE-2016-0800).
Recovering one session key requires the attacker to perform approximately 2^50
computation, as well as thousands of connections to the affected server. A more
efficient variant of the DROWN attack exists against unpatched OpenSSL servers
using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on
19/Mar/2015 (see CVE-2016-0703 below).
Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS
servers, if they've not done so already. Disabling all SSLv2 ciphers is also
sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and
1.0.2f) have been deployed. Servers that have not disabled the SSLv2 protocol,
and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2
ciphers are nominally disabled, because malicious clients can force the use of
SSLv2 with EXPORT ciphers.
OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN:
SSLv2 is now by default disabled at build-time. Builds that are not configured
with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will
need to explicitly call either of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
as appropriate. Even if either of those is used, or the application explicitly
uses the version-specific SSLv2_method() or its client or server variants,
SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed.
Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no
longer available.
In addition, weak ciphers in SSLv3 and up are now disabled in default builds of
OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will
not provide any "EXPORT" or "LOW" strength ciphers.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
More At: https://www.openssl.org/news/secadv/20160301.txt
Subscribe to:
Posts (Atom)