Vulnerabilities

VU#119704: Microsoft Windows Task Scheduler SetJobFileSecurityByName privilege escalation vulnerability

2 months ago
Task Scheduler is a set of Microsoft Windows components that allows for the execution of scheduled tasks. The front-end components of Task Scheduler,such as schtasks.exe,are interfaces that allow for users to view,create,and modify scheduled tasks. The back-end part of Task Scheduler is a Windows service that runs with SYSTEM privileges. One of the libraries used by the Task Scheduler service,schedsvc.dll,has a function called tsched::SetJobFileSecurityByName(),which sets permissions of job files. The permissions of the job file in the%Windir%\system32\tasks directory are modified to give the calling user full permissions to the job file that they have created. At the point where the SetSecurityInfo()function is called,the Task Scheduler service has the NT Authority\SYSTEM security token. This means that the Task Scheduler service can give full user access permissions to files that may only be controlled by the SYSTEM or other privileged accounts. Public proof-of-concept exploit code leverages the legacy schtasks.exe and schedsvc.dll code from Windows XP to take advantage of these high privilege levels when setting file permissions. Versions of Windows prior to Vista used job files in the%Windir%\tasks directory. Legacy versions of schtasks.exe will cause these jobs to be migrated to the%Windir%\system32\tasks directory when those program versions are executed on modern Windows platforms. In conjunction with the SYSTEM security token used by the Task Scheduler service,this migration behavior can be used along with hard links to grant full permissions of protected files to any user on a Windows system. We have confirmed that the public exploit code functions reliably on 32- and 64-bit Windows 10 platforms,as well as Windows Server 2016 and Windows Server 2019. While Windows 8 still contains this vulnerability,exploitation using the publicly-described technique is limited to files where the current user has write access,in our testing. As such,the impact on Windows 8 systems using the technique used by the public exploit appears to be negligible. We have not been able to demonstrate the vulnerability on Windows 7 systems.
CERT

VU#169249: PrinterLogic Print Management Software fails to validate SSL certificates or the integrity of software updates.

2 months ago
PrinterLogic versions up to and including 18.3.1.96 are vulnerable to multiple attacks. The PrinterLogic agent,running as SYSTEM,does not validate the PrinterLogic Management Portal's SSL certificate,validate PrinterLogic update packages,or sanitize web browser input. CVE-2018-5408:The PrinterLogic Print Management software does not validate,or incorrectly validates,the PrinterLogic management portal's SSL certificate. When a certificate is invalid or malicious,it might allow an attacker to spoof a trusted entity by using a man-in-the-middle(MITM)attack. The software might connect to a malicious host while believing it is a trusted host,or the software might be deceived into accepting spoofed data that appears to originate from a trusted host. (C WE-295) CVE-2018-5409:PrinterLogic Print Management software updates and executes the code without sufficiently verifying the origin and integrity of the code. An attacker can execute malicious code by compromising the host server,performing DNS spoofing,or modifying the code in transit. (CWE-494) CVE-2019-9505:PrinterLogic Print Management software does not sanitize special characters allowing for remote unauthorized changes to configuration files. (CWE-159)
CERT

VU#395981: Self-encrypting hard drives do not adequately protect data

2 months ago
CVE-2018-12037 There is no cryptographic relation between the password provided by the end user and the key used for the encryption of user data. This can allow an attacker to access the key without knowing the password provided by the end user,allowing the attacker to decrypt information encrypted with that key. According to National Cyber Security Centre - The Netherlands(NCSC-NL),the following products are affected by CVE-2018-12037: Crucial(Micron)MX100,MX200 and MX300 drives Samsung T3 and T5 portable drives Samsung 840 EVO and 850 EVO drives(In"ATA high" mode these devices are vulnerable,In"TCG"or"ATA max"mode these devices are NOT vulnerable.) CVE-2018-12038 Key information is stored within a wear-leveled storage chip. Wear-leveling does not guarantee that an old copy of updated data is fully removed. If the updated data is written to a new segment,old versions of data may exist in the previous segment for some time after it has been updated(until that previous segment is overwritten). This means that if a key is updated with a new password,the previous version of the key(either unprotected,or with an old password)could be accessible,negating the need to know the updated password. According to NCSC-NL,the following products are affected by CVE-2018-12038: Samsung 840 EVO drives Other products were not reported to have been tested,and similar vulnerabilities may be found in those products.
CERT

VU#400865: Cisco Trust Anchor module (TAm) improperly checks code and Cisco IOS XE web UI does not sanitize user input

2 months 1 week ago
CVE-2019-1649:Secure Boot Tampering,also known as Thrangrycat The logic that handles Cisco's Secure Boot improperly checks an area of code that manages the Field Programmable Gate Array(FPGA). The secure boot feature is a proprietary FPGA based implementation used for ensuring chain of trust for software. The secure boot can be bypassed by modifying the bitstream of the FPGA,allowing an authenticated,local attacker to make persistent modification to the root of trust for software integrity. CVE-2019-1862:IOS XE Web UI Command Injection The web user interface of Cisco IOS XE improperly sanitizes user-supplied input. This could allow an authenticated,remote attacker to execute commands as root on the underlying Linux shell.
CERT

VU#871675: WPA3 design issues and implementation vulnerabilities in hostapd and wpa_supplicant

2 months 1 week ago
CERT continues to review the WPA3 protocol in support of this body of research. The root cause of the numerous"implementation"vulnerabilities may involve modifying the protocol. WPA3 uses Simultaneous Authentication of Equals(SAE),also known as Dragonfly Key Exchange,as the initial key exchange protocol,replacing WPA2's Pre-Shared Key(PSK)protocol. hostapd is a daemon for access point and authentication servers used by WPA3 authentication. wpa_supplicant is a wireless supplicant that implements key negotiation with the WPA Authenticator and supports WPA3. Both of these components,as implemented with Extensible Authentication Protocol Password(EAP-PWD)and SAE,are vulnerable as follows: CVE-2019-9494:SAE cache attack against ECC groups(SAE side-channel attacks)- CWE-208 and CWE-524 The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. CVE-2019-9495:EAP-PWD cache attack against ECC groups(EAP-PWD side-channel attack)- CWE-524 The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of cache access patterns. Versions of hostapd and wpa_supplicant versions 2.7 and earlier,with EAP-PWD support are vulnerable. CVE-2019-9496:SAE confirm missing state validation - CWE-642 An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable. CVE-2019-9497:EAP-PWD reflection attack(EAP-PWD missing commit validation)- CWE-301 The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit. CVE-2019-9498:EAP-PWD server missing commit validation for scalar/element - CWE-346 The implementations of EAP-PWD in hostapd EAP Server,when built against a crypto library missing explicit validation on imported elements,do not validate the scalar and element values in EAP-pwd-Commit. CVE-2019-9499:EAP-PWD peer missing commit validation for scalar/element - CWE-346 The implementations of EAP-PWD in wpa_supplicant EAP Peer,when built against a crypto library missing explicit validation on imported elements,do not validate the scalar and element values in EAP-pwd-Commit.
CERT

VU#192371: VPN applications insecurely store session cookies

2 months 4 weeks ago
Virtual Private Networks(VPNs)are used to create a secure connection with another network over the internet. Multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files. CWE-311:Missing Encryption of Sensitive Data The following products and versions store the cookie insecurely in log files: - CVE-2019-1573:Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0- CVE-2019-11213: Pulse Desktop Client 9.0R2 and earlier and 5.3R6 and earlier; Pulse Connect Secure(for Network Connect customers)9.0R2 and earlier,8.3R6 and earlier,and 8.1R13 and earlier The following products and versions store the cookie insecurely in memory: - CVE-2019-1573:Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 - CVE-2019-11213:Pulse Desktop Client 9.0R2 and earlier and 5.3R6 and earlier; Pulse Connect Secure(for Network Connect customers)9.0R2 and earlier,8.3R6 and earlier,and 8.1R13 and earlier - Cisco AnyConnect 4.7.x and prior It is likely that this configuration is generic to additional VPN applications. If you believe that your organization is vulnerable,please contact CERT/CC at cert@cert.org with the affected products,version numbers,patch information,and self-assigned CVE.
CERT

VU#166939: Broadcom WiFi chipset drivers contain multiple vulnerabilities

3 months ago
Quarkslab has researched and reported multiple vulnerabilities affecting Broadcom WiFi drivers. Vulnerabilities in the open source brcmfmac driver: CVE-2019-9503:If the brcmfmac driver receives a firmware event frame from a remote source,the is_wlc_event_frame function will cause this frame to be discarded and not be processed. If the driver receives the firmware event frame from the host,the appropriate handler is called. This frame validation can be bypassed if the bus used is USB(for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed. CVE-2019-9500:If the Wake-up on Wireless LAN functionality is configured,a malicious event frame can be constructed to trigger an heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited by compromised chipsets to compromise the host,or when used in combination with the above frame validation bypass,can be used remotely. NOTE:The brcmfmac driver only works with Broadcom FullMAC chipsets. Vulnerabilities in the Broadcom wl driver: Two heap buffer overflows can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point(AP). CVE-2019-9501:By supplying a vendor information element with a data length larger than 32 bytes,a heap buffer overflow is triggered in wlc_wpa_sup_eapol. CVE-2019-9502:If the vendor information element data length is larger than 164 bytes,a heap buffer overflow is triggered in wlc_wpa_plumb_gtk. NOTE:When the wl driver is used with SoftMAC chipsets,these vulnerabilities are triggered in the host's kernel. When a FullMAC chipset is being used,these vulnerabilities would be triggered in the chipset's firmware.
CERT

VU#730261: Marvell Avastar wireless SoCs have multiple vulnerabilities

3 months ago
A presentation at the ZeroNights 2018 conference describes multiple security issues with Marvell Avastar SoCs(models 88W8787,88W8797,88W8801,88W8897,and 88W8997). The presentation provides some detail about a block pool memory overflow. During Wi-Fi network scans,an overflow condition can be triggered,overwriting certain block pool data structures. Because many devices conduct automatic background network scans,this vulnerability could be exploited regardless of whether the target is connected to a Wi-Fi network and without user interaction.
CERT

VU#174715: MyCar Controls uses hard-coded credentials

3 months 2 weeks ago
MyCar is a small aftermarket telematics unit from AutoMobility Distribution Inc. MyCar add smartphone-controlled geolocation,remote start/stop and lock/unlock capabilities to a vehicle with a compatible remote start unit. The MyCar Controls mobile application contains hard-coded admin credentials(CWE-798)which can be used in place of a user's username and password to communicate with the server endpoint for a target user's account. This vulnerability affects versions prior to 3.4.24 on iOS and prior to 4.1.2 on Android.
CERT

VU#465632: Microsoft Exchange server 2013 and newer are vulnerable to NTLM relay attacks

5 months ago
Microsoft Exchange supports a API called Exchange Web Services(EWS). One of the EWS API functions is called PushSubscriptionRequest,which can be used to cause the Exchange server to connect to an arbitrary website. Connections made using the PushSubscriptionRequest function will attempt to negotiate with the arbitrary web server using NTLM authentication. Starting with Microsoft Exchange 2013,the NTLM authentication over HTTP fails to set the NTLM Sign and Seal flags. The lack of signing makes this authentication attempt vulnerable to NTLM relay attacks. Microsoft Exchange is by default configured with extensive privileges with respect to the Domain object in Active Directory. Because the Exchange Windows Permissions group has WriteDacl access to the Domain object,this means that the Exchange server privileges obtained using this vulnerability can be used to gain Domain Admin privileges for the domain that contains the vulnerable Exchange server.
CERT
Checked
1 month 3 weeks ago
CERT publishes vulnerability advisories called "Vulnerability Notes." Vulnerability Notes include summaries, technical details, remediation information, and lists of affected vendors. Many vulnerability notes are the result of private coordination and disclosure efforts.
Subscribe to Vulnerabilities feed