Security Advisories
-
2017-027: Multiple Security Vulnerabilities Affecting VMware Products
Friday, December 22, 2017 03:58:00 PM CET
On the 19th of December 2017, VMware released updates to address multiple security vulnerabilities in ESXi, vCenter Server Appliance, Workstation and Fusion. The most serious of the vulnerabilities could allow remote arbitrary code execution in a virtual machine.
-
2017-026: UPDATE Unauthenticated Root Access in macOS High Sierra
Wednesday, November 29, 2017 12:05:00 PM CET
On November 28th, security researcher Lemi Orhan Ergin notified Apple about a serious security issue in macOS High Sierra. It appears that anyone can log in as root by providing an empty password. The bypass works by putting the word root in the user name field of a login window, moving the cursor into the password field, and then hitting Enter with the password field empty. With that - after a few tries in some cases - the latest version of Apple's operating system logs the user in with root privileges.
-
2017-025: Critical Vulnerabilities Affecting Intel Firmware
Wednesday, November 22, 2017 08:02:00 AM CET
On the 20th of November 2017, Intel reported that it has identified security vulnerabilities that could impact Intel Management Engine, Intel Trusted Execution Engine, and Intel Server Platform Services. As a result, an attacker could gain unauthorized access to platforms by impersonating the Intel Engines and platforms. An attacker could execute arbitrary code or cause a system crash. The attacks can be conducted even when a computer is powered off.
-
2017-024: Increased Use of Browser Cryptojacking
Wednesday, November 15, 2017 04:40:00 PM CET
Since summer 2017 -- mostly due to a significant increase in the price of Bitcoin -- browser-based mining services have grown in popularity. By providing easy-to-use JavaScript libraries, they allow website owners to increase their revenues by hijacking visitors' browsers for cryptocurrency mining. The browser-based mining service will then award part of the profit to the site owners. As cryptocurrency mining is extremely resource-consuming, it may impact the performance of the visitors' browser and operating system, as well as waste electricity on behalf of the owners of the infrastructure.
-
2017-023: UPDATE RSA Key Generation Prone to Factorization Attack
Wednesday, October 18, 2017 12:17:00 PM CEST
A vulnerability (CVE-2017-15361) in the procedure of RSA key generation used by a software library allows a practical factorization attack. As a result it is possible to compute the private part of an RSA key based only on its public part. The vulnerable library is used in cryptographic smartcards, security tokens, and other secure hardware chips manufactured by Infineon Technologies AG. An attack is feasible for commonly used key lengths - including 1024 and 2048 bits - and it affects chips manufactured as early as 2012.
-
2017-022: Actively Exploited Critical Zero-Day Vulnerability in Adobe Flash
Tuesday, October 17, 2017 05:03:00 PM CEST
On the 16th of October 2017, Adobe released a security update for Adobe Flash Player for Windows, MacOS, Linux, and Chrome OS. This update addresses a critical type confusion vulnerability that could lead to code execution (CVE-2017-11292). Adobe also warned that this vulnerability is being actively exploited in targeted attacks. The exploit was identified on the 10th of October by Kaspersky's researchers.
-
2017-021: KRACK - Key Reinstallation Attacks: Breaking WPA2
Tuesday, October 17, 2017 04:27:00 PM CEST
Researchers at KU Leuven University have discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of the victim's Wi-Fi can exploit these weaknesses using a key reinstallation attack (KRACK). Attackers can use this attack to read information that was previously assumed to be safely encrypted. The weakness was found in the 4-way handshake that all protected Wi-Fi networks use to generate a fresh session key. The adversary can trick a victim into reinstalling an already-in-use key. The impact depends on the handshake being attacked, and the data-confidentiality protocol in use.
-
2017-020: Critical Vulnerabilities Impacting Dnsmasq
Wednesday, October 04, 2017 02:42:00 PM CEST
On October 2nd, 2017, Google published a blog post detailing several critical vulnerabilities impacting dnsmasq. Dnsmasq is widely used in Linux and BSD distributions, Android devices and proprietary firmware for serving DNS, DHCP, router advertisements, and network boot. It is often exposed to the Internet and widely used on internal networks. The vulnerabilities allow an attacker to perform remote code execution, to get access to sensitive information, or to perform a denial-of-service attack on the service.
-
2017-019: Joomla! Super User Password Leak
Tuesday, September 26, 2017 03:29:00 PM CEST
A previously unknown LDAP injection vulnerability could allow remote attackers to leak the super user password with blind injection techniques and to fully take over any affected Joomla! installation.
-
2017-018: BlueBorne Attack against Bluetooth
Wednesday, September 13, 2017 03:14:00 PM CEST
A new attack vector endangering major mobile, desktop, and IoT operating systems and the devices using them - including Android, iOS, Windows, and Linux - has been revealed. The new attack is dubbed BlueBorne, as it spreads through the air (airborne) and attacks devices via Bluetooth. Eight related zero-day vulnerabilities, four of which are classified as critical, have also been disclosed. BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure air-gapped networks, and spread malware laterally to adjacent devices.
-
2017-017: Remote Code Execution Attack Against Apache Struts REST Plugin
Thursday, September 07, 2017 04:47:00 PM CEST
On August 16th 2017, a new vulnerability affecting Apache Struts 2 (CVE-2017-9805) was published. This vulnerability allows remote code execution attacks, when the Struts REST plugin is used with XStreamHandler to handle XML payloads. It is important to note that the code that exploits the vulnerability has been released through Metasploit.
-
2017-016: CISCO WebEx Browser Extension Remote Code Execution Vulnerability
Thursday, July 20, 2017 04:40:00 PM CEST
A vulnerability in CISCO WebEx browser extensions could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on a targeted system. This vulnerability affects the browser extensions for CISCO WebEx Meetings Server and CISCO WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center) and Cisco WebEx Meetings when they are running on Microsoft Windows.
-
2017-015: Cisco SNMP Remote Code Execution Vulnerabilities
Friday, June 30, 2017 02:32:00 PM CEST
The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6.
-
2017-014: Petya-Like Malware Campaign
Wednesday, June 28, 2017 11:34:00 AM CEST
A large malware campaign broke out on Tuesday, 27/06/2017 and was widely reported in the news. The malware used -- which appears to be similar to Petya -- has been augmented with efficient local network spreading mechanisms, which resulted in a very rapid infection rate inside affected organizations. The local propagation is apparently achieved by a combination of EternalBlue (the same exploit as the one used by WannaCry earlier), EternalRomance, and a WMIC/psexec propagation vector using credentials harvested with code similar to Mimikatz. First analysis points to at least one likely infection vector being associated with software update systems for a Ukrainian tax accounting package called MeDoc. However, as some of the impacted organizations did not use the software, it is likely that other infection vectors are also used.
-
2017-013: Privileges Escalation Vulnerabilities in Unix Operating Systems
Tuesday, June 20, 2017 03:40:00 PM CEST
On the 19th of June 2017, the Qualys Research Team published a blog post and a security advisory about vulnerabilities in the memory management of several UNIX operating systems. These vulnerabilities can lead to privilege escalation on these systems, by corrupting memory and executing arbitrary code. They named the bug Stack Clash as it exploits flaws in the way these operating systems handle the stack in memory.
-
2017-012: UPDATE! WannaCry Ransomware Campaign Exploiting SMB Vulnerability
Monday, May 22, 2017 03:46:00 PM CEST
A large ransomware campaign has been observed since Friday, May 12th, 2017. The payload delivered is a variant of ransomware malware called WannaCry. It appears to infect computers through a recent SMB vulnerability in the Microsoft Windows operating system (CVE-2017-0145).
-
2017-011: Critical Microsoft Scripting Engine Memory Corruption Vulnerability
Wednesday, May 10, 2017 12:20:00 PM CEST
A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file leading to memory corruption. An attacker who successfully exploits this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
-
2017-010: UPDATE Critical Privileges Escalation Vulnerability in Intel AMT Service
Tuesday, May 02, 2017 04:58:00 PM CEST
On the 1st of May 2017, Intel reported that there is "an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology that can allow an unprivileged attacker to gain control of the manageability features provided by these products". Once exploited, it allows for DMA access to the system, which means that the attacker can arbitrarily read and write to memory on the system.
-
2017-009: UPDATE Critical zero-day vulnerability in Microsoft Office actively exploited
Wednesday, April 12, 2017 10:37:00 AM CEST
A vulnerability in Microsoft Office is actively exploited to distribute the Dridex banking Trojan.
-
2017-008: Broadcom Critical Wi-Fi SoC Vulnerability in iOS and Android
Friday, April 07, 2017 09:02:00 AM CEST
The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. An attacker within range may be able to execute arbitrary code on the Wi-Fi chip. Google Project Zero researcher Gal Beniamini, who discovered the flaw, said it allowed the execution of malicious code by Wi-Fi proximity alone, requiring no user interaction [1].
-
2017-007: UPDATE Critical Vulnerabilities in VMWare ESXi, Workstation, and Fusion
Wednesday, March 29, 2017 03:16:00 PM CEST
VMWare released an advisory for VMWare ESXi, Workstation, and Fusion products [1]. The advisory addresses critical and moderate security issues that may allow a guest system to execute code on the host system (CVE-2017-4902, CVE-2017-4903, and CVE-2017-4904).
-
2017-006: UPDATE Critical Cisco CMP Remote Code Execution Vulnerability
Tuesday, March 21, 2017 11:44:00 AM CET
Cisco security researchers found a vulnerability in the Cluster Management Protocol (CMP) code in Cisco IOS and Cisco IOS XE software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. Cisco has now released a software fix for this vulnerability.
-
2017-005: Critical Apache Struts 2 Framework Vulnerability
Thursday, March 09, 2017 02:30:00 PM CET
Remote code execution is possible via the Apache Struts 2 framework when performing file uploads based on the Jakarta multipart parser. There are already several exploits in the wild (CVE-2017-5638).
-
2017-004: Arbitrary Code Execution in Internet Explorer and Edge
Tuesday, February 28, 2017 02:11:00 PM CET
A high-severity vulnerability in Microsoft's Edge and Internet Explorer browsers allows attackers to execute malicious code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code (CVE-2017-0037).
-
2017-003: CISCO Smart Install Protocol Issues
Wednesday, February 22, 2017 03:28:00 PM CET
It has been reported that there is a way to misuse Cisco Smart Install protocol messages. The misuse is directed towards Smart Install Clients, allowing an unauthenticated remote attacker to change the startup configuration, load alternative IOS versions, and execute commands on affected devices. Cisco does not consider this issue a vulnerability. However, since Cisco Smart Install is enabled by default on a large number of modern switches and routers, CERT-EU considers this protocol abuse a potentially serious threat.
-
2017-002: Ticketbleed Vulnerability Affecting F5 BIG-IP
Thursday, February 09, 2017 04:39:00 PM CET
A vulnerability called Ticketbleed in F5 BIG-IP devices (CVE-2016-9244) could allow an unauthenticated, remote attacker to obtain sensitive information from memory if the non-default Session Tickets option is enabled for a Client SSL profile.
-
2017-001: UPDATE CISCO WebEx Browser Extension Remote Code Execution Vulnerability
Tuesday, January 24, 2017 03:13:00 PM CET
A vulnerability in CISCO WebEx browser extensions could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the browser on the affected system. This vulnerability concerns browser extensions for CISCO WebEx Meetings Server and CISCO WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center) when they are running on Microsoft Windows with Google Chrome, Mozilla Firefox, and Internet Explorer.