//Week in review - 25 Jan 2019

AusCERT Week in Review for 25th January 2019

AusCERT Week in Review
25 January 2019


This week has been raining shells for all the lucky pentesters around the world.

We’ve had Cisco, Debian and Apple release several patches to address a range of remote code execution vulnerabilities across their products.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: If you installed PEAR PHP in the last 6 months, you may be infected
Date Published: 1/24/2019
URL: https://arstechnica.com/information-technology/2019/01/pear-php-site-breach-lets-hackers-slip-malware-into-official-download/
Author: Dan Goodin
“Officials with the widely used PHP Extension and Application Repository have temporarily shut down most of their website and are urging users to inspect their systems after discovering hackers replaced the main package manager with a malicious one.”

“If you have downloaded this go-pear.phar [package manager] in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes,” officials wrote on the site’s blog. “If different, you may have the infected file.”

Title: DHS issues security alert about recent DNS hijacking attacks
Date Published: January 22, 2019
URL: https://www.zdnet.com/article/dhs-issues-security-alert-about-recent-dns-hijacking-attacks/
Author: Catalin Cimpanu
“The US Department of Homeland Security (DHS) has published today an “emergency directive” that contains guidance in regards to a recent report detailing a wave of DNS hijacking incidents perpetrated out of Iran.
More security news

The emergency directive [1, 2] orders government agencies to audit DNS records for unauthorized edits, change passwords, and enable multi-factor authentication for all accounts through which DNS records can be managed.

The DHS documents also urges government IT personnel to monitor Certificate Transparency (CT) logs for newly-issued TLS certificates that have been issued for government domains, but which have not been requested by government workers (a sign that a malicious actor has hijacked a government domain’s DNS records, and is now requesting TLS certificates in its).”

Title: A vulnerability in Debian’s apt allows for easy lateral movement in data centers
Date Published: January 23, 2019
URL: https://www.guardicore.com/2019/01/a-vulnerability-in-debians-apt-allows-for-easy-lateral-movement-in-data-centers
Author: Daniel Goldberg
“A new vulnerability in Debian’s Advanced Package Tool (apt) is the latest big tool in the data center attacker’s arsenal. The vulnerability (CVE-2019-3462) is in Debian’s high-level package management system, which is used by system administrators to install, upgrade and remove software packages. The vulnerability can be exploited when administrators install or upgrade software package on vulnerable servers.

The apt package management software is part of every Debian based Linux distribution, covering Debian, Ubuntu and a whole group of smaller distributions such as Kali, TailsOS and many others. Distrowatch lists over 100 active distributions (large and small) based on Debian. All of these are likely to be vulnerable.”

Title: Internet experiment goes wrong, takes down a bunch of Linux routers
Date Published: January 24, 2019
URL: https://www.zdnet.com/article/internet-experiment-goes-wrong-takes-down-a-bunch-of-linux-routers/
Author: Catalin Cimpanu
“Earlier this month, an academic experiment studying the impact of newly released security features for the Border Gateway Protocol (BGP) went horribly wrong and crashed a bunch of Linux-based internet routers.

The experiment, organized by academics from all over the world, was first announced last year in mid-December and was described as “an experiment to evaluate alternatives for speeding up adoption of BGP route origin validation.”

BGP Route Origin Validation, or ROV, is a newly released standard part of a three-pronged security pack for the BGP standard, together with BGP Resource Public Key Infrastructure (RPKI) and BGP Path Validation (also known as BGPsec).”

Title: Targeted Attacks Abusing Google Cloud Platform Open Redirection
Date Published: Jan 24 2019
URL: https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection
Author: Ashwin Vamshi
“Netskope Threat Research Labs detected several targeted themed attacks across 42 customer instances mostly in the banking and finance sector. The threat actors involved in these attacks used the App Engine Google Cloud computing platform (GCP) to deliver malware via PDF decoys. After further research, we confirmed evidence of these attacks targeting governments and financial firms worldwide. Several decoys were likely related to an infamous threat actor group named ‘Cobalt Strike’.

The attacks were carried out by abusing the GCP URL redirection in PDF decoys and redirecting to the malicious URL hosting the malicious payload. This targeted attack is more convincing than the traditional attacks because the URL hosting the malware points the host URL to Google App Engine, thus making the victim believe the file is delivered from a trusted source like Google.”

Here are this week’s noteworthy security bulletins:

1) ESB-2019.0182 – ALERT [UNIX/Linux][Debian] apt: Root compromise – Remote/unauthenticated
Man in the middle vulnerability which allows an attacker to man in the middle traffic between APT and the mirror, then inject malicious content into the connection.

2) ESB-2019.0228 – [Win] iTunes: Multiple vulnerabilities
A maliciously crafted SQL query may lead to arbitrary code and an out-of-bounds read which leads to privilege escalation

3)ESB-2019.0210 – [Cisco] Texas Instruments Bluetooth Low Energy: Execute arbitrary code/commands – Remote/unauthenticated
Broadcasting malformed BLE frames can cause memory corruption condition, which may result in remote code execution & denial of service.


Stay safe, stay patched and have a great weekend,

Rameez Agnew