AusCERT Week in Review for 21st July 2017

As Friday 21st July comes to a close along with the latest Oracle and Apple security updates, there have been numerous security-related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Cisco patches critical bug in WebEx plug-in for Chrome, Firefox on Windows
Date Published: July 18 2017
URL: http://www.zdnet.com/google-amp/article/cisco-patches-critical-bug-in-webex-plug-in-for-chrome-firefox-on-windows/
Author: Liam Tung
“Google’s Project Zero researcher Tavis Ormandy reported the bug to Cisco earlier this month. It was discovered by him and Chris Neckar of Divergent Security, a former member of the Chrome security team. Ormandy earlier this year found two other flaws in the WebEx extension that allowed remote code execution.

WebEx is a popular video conferencing tool in the enterprise. Ormandy notes that the WebEx extension for Chrome alone has 20 million active users. It’s also installed on 731,000 Firefox instances.”

Title: Issues found via fuzzing by Guido Vranken
Date Published: July 17 2017
URL: http://freeradius.org/security/fuzzer-2017.html
Author: FreeRADIUS
“In order to improve the security of FreeRADIUS, we asked Guido to try fuzzing FreeRADIUS. He spent a week working with us, and managed to find a number of issues. We worked together to create and validate fixes for all of them. His blog contains a short note on the subject.

The short summary is that if your RADIUS server is on a private network, accessible only by managed devices, you are likely safe. If your RADIUS server is part of a roaming consortium, then anyone within that consortium can attack it. If your RADIUS server is on the public internet, then you are not following best practices, and anyone on the net can attack your systems.”

Title: Oracle e-business suite flaw allows downloads of documents
Date Published: July 18 2017
URL: https://threatpost.com/oracle-e-business-suite-flaw-allows-downloads-of-documents/126897/
Author: Michael Mimoso
“Oracle admins have more than 300 patches to contend with today, but one that should be considered a top priority is a bug in the E-Business Suite of business applications that could allow an attacker to download data without the need for authentication.

The vulnerability, CVE-2017-10244, was addressed in today’s quarterly Critical Patch Update, but given the critical apps and data moving through the suite, and the potential downtime required to patch, it’s unknown how long it would take for the bulk of installations to be updated and the risk to be mitigated completely.”

Title: Apple patches BroadPwn bug in iOS 10.3.3
Date Published: July 20 2017
URL: https://threatpost.com/apple-patches-broadpwn-bug-in-ios-10-3-3/126955/
Author: Tom Spring
“Apple released iOS 10.3.3 Wednesday, which serves as a cumulative update that includes patches for multiple vulnerabilities including the high-profile BroadPwn bug that allowed an attacker to seize control of a targeted iOS device.

BroadPwn was revealed earlier this month as a flaw in Broadcom Wi-Fi chipsets used in Apple and Android devices. Apple said the vulnerability affected the iPhone 5 to iPhone 7, the fourth-generation iPad and later versions, and the iPod Touch 6th generation.”


Here are this week’s noteworthy security bulletins:

1) ESB-2017.1765 – ALERT [Win] Cisco WebEx extensions: Execute arbitrary code/commands – Remote with user interaction

WebEx is one of the most widely used meeting and collaboration tools in use today. If you use the Google Chrome or Firefox WebEx extension on Windows, then upgrade as soon as possible. This vulnerability could allow an attacker to execute arbitrary code with the privileges of the affected browser on the affected system.

2) ESB-2017.1767 – ALERT [UNIX/Linux][BSD][RedHat] freeradius: Multiple vulnerabilities

FreeRADIUS is a Remote Authentication Dial In User Service (RADIUS) server. It provides centralised authentication and authorization for many Fortune-500 companies and ISPs. It’s also widely used for Enterprise Wi-Fi and IEEE 802.1X network security, particularly in the academic community, including eduroam.

A remote attacker could crash the FreeRADIUS server or execute arbitrary code in the context of the FreeRADIUS server process by sending a specially crafted request packet. For more information see the article we referenced earlier.

3) ASB-2017.0121 – ALERT [Appliance][Solaris] Oracle Sun Systems: Multiple vulnerabilities

If you have Oracle Sun Solaris systems in your environment, we advise patching as soon as possible to mitigate the Shadow Brokers EASYSTREET vulnerability (CVE-2017-3632). This easily exploitable vulnerability allows an unauthenticated attacker with network access via TCP to completely take over the system.

4) ASB-2017.0106 – ALERT [Win][UNIX/Linux] Oracle E-Business Suite: Multiple vulnerabilities

An easily exploitable vulnerability (CVE-2017-10244) would allow an unauthenticated attacker with network access to retrieve any document stored in the suite with a single HTTP request.

5) ASB-2017.0104.2 – UPDATE ALERT [Win][UNIX/Linux] Oracle Fusion Middleware: Multiple vulnerabilities

This easily exploitable vulnerability (CVE-2017-10137) is rated 10.0 and allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful exploitation of this vulnerability can result in the takeover of Oracle WebLogic Server.

6) ESB-2017.1783 – [Apple iOS] Apple iOS: Multiple vulnerabilities

Of interest is the BroadPwn vulnerability (CVE-2017-9417). An attacker within Wi-Fi range of an iPhone, iPad or iPod touch may be able to execute arbitrary code on the Wi-Fi chip. See the article we referenced earlier for more information.


Stay safe, stay patched and have a good weekend!