
AusCERT Week in Review for 9th August 2019


Two sagas continue this week, and neither one is Star Wars.

The Spectre family tree has gained a new member called SWAPGS. It was announced at Black Hat and allows access to protected data in the CPU cache.

Another two vulnerabilities have also been added to the Dragonblood family, affecting the cutting-edge WPA3 WiFi standard.

A million-dollar email should serve as a reminder to your staff to always consider whether BCC is a better tool for mass-mail than CC.


SWAPGS Vulnerability in Modern CPUs Fixed in Windows, Linux, ChromeOS
Author: BleepingComputer
Date published: 06/08/2019

At BlackHat today, Bitdefender disclosed a new variant of the Spectre 1 speculative execution side channel vulnerabilities that could allow a malicious program to access and read the contents of privileged memory in an operating system.
This SWAPGS vulnerability allows local programs, like malware, to read data from memory that it should normally not have access to, such as the Windows or Linux kernel memory.
During the July 2019 Patch Tuesday security updates, Microsoft secretly patched the new SWAPGS speculative vulnerability using software mitigations. [Red Hat and Google have also released advisories and patches.]

App that patients use to book GP appointments now facing millions in fines for selling health data
Author: ABC News
Date published: 07/08/2019

Australia’s biggest medical appointment booking app HealthEngine is facing multi-million-dollar penalties after an ABC investigation exposed its practice of funnelling users’ personal health information to law firms. The Australian Competition and Consumer Commission has launched legal action against the Perth-based company in the Federal Court, accusing it of misleading and deceptive conduct. HealthEngine is facing a fine of $1.1 million for each breach of the law, but the ACCC has yet to determine how many breaches it will allege.

New Dragonblood vulnerabilities found in WiFi WPA3 standard
Author: ZDNet
Date published: 03/08/2019

Earlier this year in April, two security researchers disclosed details about five vulnerabilities (collectively known as Dragonblood) in the WiFi Alliance’s recently launched WPA3 WiFi security and authentication standard. Yesterday, the same security researchers disclosed two new additional bugs impacting the same standard. The two researchers — Mathy Vanhoef and Eyal Ronen — found these two new bugs in the security recommendations the WiFi Alliance created for equipment vendors in order to mitigate the initial Dragonblood attacks.

When ‘CC’ should have been ‘BCC’: How an email gaffe cost one Australian company dearly
Author: The Age
Date published: 02/08/2019

It started as a simple oversight, but quickly ended as a six-figure mistake. At the heart of the tale is a global real estate company, where one marketing email sent by an employee to just 300 customers exposed a major gap in the firm’s cyber security governance.
The problem began when the employee mistakenly pasted 300 email addresses in the “carbon copy” or “CC” email field, instead of the “blind copy” or “BCC” field, a technological misstep familiar to almost anyone using email in 2019.


This week’s noteworthy bulletins:

1. [ALERT] Cisco Enterprise NFV Infrastructure Software: Multiple vulnerabilities
Authentication bypass and command injection attacks leading to an unauthenticated administrator compromise.

2. keycloak-httpd-client-install: Multiple vulnerabilities
Install scripts can have significant vulnerabilities too! This one used insecure temp files to enable privilege escalation.

3. LibreOffice: Execute arbitrary code/commands – Remote with user interaction
Nooo don’t open that file!

4. IBM Business Automation Workflow: Access confidential data – Remote/unauthenticated
“Reverse tabnabbing” is a little-seen web vulnerability.

Stay safe, stay patched and have a great weekend!