Oct 24, 2016

Ransomware

New ransomware variants that stoke fear: respond calmly using a flowchart (10/24)
 
- Petya -> dedicated decryption tool: Petya Sector Extractor

Recovery procedure with the tool ->
Notes on repairing a drive made inaccessible by the "Petya" ransomware (04/12)

- Jigsaw -> dedicated decryption tool: JigSawDecrypter

Recovery procedure with the tool ->
I tried infecting a machine with the "Jigsaw" ransomware & decryption notes (04/18)


IoT security

--> The 10/17 entry is copied below

・Honeypot observes attacks on IoT devices; the biggest cause of infection is a running Telnet service (10/17)


--> Added 10/18

・More than 60 kinds of infected IoT devices, many of them video recorders (10/18)


Rather than treating Telnet as uniquely dangerous: if Telnet, HTTP, HTTPS, SSH and the like have their service (port) open toward the Internet, with no monitoring whatsoever (on top of hard-coded IDs/passwords), it is already game over at that point.
Best to keep unnecessary services shut down.

Presumably IoT devices need such services so that the vendor or service provider can service them.
Even so, I would hope manufacturers put some ingenuity into the implementation, such as making the client side the initiator, or using two interfaces, outer and inner, with NAT between them.
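As an added example (my own, not code from the original post), a small audit that reads listening-socket lines in `ss -tlnpH` layout and flags the management services named above (Telnet, SSH, HTTP, HTTPS) when they are bound to a wildcard address or to anything other than loopback or a LAN-side address, i.e. when they are reachable from the Internet side. The sample lines, the risky-port table and the LAN address are constructed assumptions.

```python
import re
import subprocess

# TCP ports of the services the note calls out as risky when Internet-facing (assumption).
RISKY_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}
WILDCARDS = {"0.0.0.0", "*", "[::]"}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample in `ss -tlnpH` layout (State Recv-Q Send-Q Local Peer Process);
# not captured from a real device.
SAMPLE_SS = """\
LISTEN 0 5   0.0.0.0:23      0.0.0.0:* users:(("telnetd",pid=412,fd=3))
LISTEN 0 128 0.0.0.0:80      0.0.0.0:* users:(("httpd",pid=420,fd=4))
LISTEN 0 128 127.0.0.1:8080  0.0.0.0:* users:(("admin",pid=430,fd=5))
LISTEN 0 128 192.168.1.1:22  0.0.0.0:* users:(("dropbear",pid=440,fd=6))
LISTEN 0 128 [::]:443        [::]:*    users:(("httpd",pid=420,fd=7))
"""

_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def split_addr(local):
    """Split 'host:port' (host may be a bracketed IPv6 address) into (host, port)."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def exposed_services(ss_output, lan_hosts=()):
    """Return [(port, name, host, process)] for risky listeners reachable from outside
    the LAN: wildcard binds, plus any bind that is neither loopback nor a LAN-side address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_addr(fields[3])
        if port not in RISKY_PORTS:
            continue
        if host in WILDCARDS or host not in (LOOPBACK | set(lan_hosts)):
            m = _PROC_RE.search(line)
            findings.append((port, RISKY_PORTS[port], host, m.group(1) if m else "?"))
    return findings


def audit_live(lan_hosts=()):
    """Run the same check against this host's own sockets (Linux with iproute2 `ss`)."""
    out = subprocess.run(["ss", "-tlnpH"], capture_output=True, text=True).stdout
    return exposed_services(out, lan_hosts)


if __name__ == "__main__":
    for port, name, host, proc in exposed_services(SAMPLE_SS, lan_hosts={"192.168.1.1"}):
        print(f"exposed: {name}/{port} bound to {host} ({proc}) -> disable or move to LAN side")
```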

--> Added 10/24

IoT Security Guidelines ver 1.0 (draft) - Ministry of Internal Affairs and Communications


『Part 3: Rules for general users
Rule 1) Refrain from buying or using devices or services that have no contact point or support
Rule 2) Be careful with initial settings
Rule 3) Power off devices that are no longer in use
Rule 4) Erase the data when parting with a device』

The countermeasures available to ordinary consumers seem to have limited effectiveness.
Hoping for better implementation by manufacturers.
--> Added 11/13
Expecting much from manufacturers also seems hard.
 ↓

・The 60 hopeless passwords that triggered "Mirai", the DDoS attack that hijacked 500,000 IoT devices (10/12)

jp.techcrunch.com/2016/10/11/20161010hackers-release-source-code-for-a-powerful-ddos-app-called-mirai/

"Because there is demand for cheap IoT devices, there are manufacturers who cut every corner to become 'happy', and the danger to the net community rises."

Oct 18, 2016

CVE 10/10

High Vulnerabilities

(Columns: Primary Vendor -- Product / Description / Published / CVSS Score / Source & Patch Info)
adobe -- acrobat
Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC Classic before 15.006.30243, and Acrobat and Acrobat Reader DC Continuous before 15.020.20039 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-1091, CVE-2016-6944, CVE-2016-6945, CVE-2016-6946, CVE-2016-6949, CVE-2016-6952, CVE-2016-6953, CVE-2016-6961, CVE-2016-6962, CVE-2016-6963, CVE-2016-6964, CVE-2016-6965, CVE-2016-6967, CVE-2016-6968, CVE-2016-6969, CVE-2016-6971, CVE-2016-6979, CVE-2016-6988, and CVE-2016-6993.
2016-10-13
adobe -- acrobat

Rest omitted; there are too many.

adobe -- flash_player
Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0.0.185 on Windows and OS X and before 11.2.202.637 on Linux allows attackers to bypass intended access restrictions via unspecified vectors.
2016-10-13
apache -- tomcat
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
2016-10-13
(Updated packages are available, so just apply them.)
canonical -- ubuntu_linux
Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel before 4.5.2 allows remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing.
2016-10-10
google -- android
Multiple use-after-free vulnerabilities in sound/soc/msm/qdsp6v2/msm-lsm-client.c in the Qualcomm sound driver in Android before 2016-10-05 on Nexus 5X, Nexus 6P, and Android One devices allow attackers to gain privileges via a crafted application, aka Android internal bug 30142668 and Qualcomm internal bug CR 948902.
2016-10-10
google -- android
The GPS component in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0 before 2016-10-01 allows man-in-the-middle attackers to cause a denial of service (memory consumption, and device hang or reboot) via a large xtra.bin or xtra2.bin file on a spoofed Qualcomm gpsonextra.net or izatcloud.net host, aka internal bug 29555864.
2016-10-10
google -- android
The fingerprint login feature in Android 6.0.1 before 2016-10-01 and 7.0 before 2016-10-01 does not track the user account during the authentication process, which allows physically proximate attackers to authenticate as an arbitrary user by leveraging lockscreen access, aka internal bug 30744668.
2016-10-10

google -- android

Rest omitted (many reports, mostly crafted-application issues in Qualcomm drivers).

intel -- solid-state_drive_toolbox
The updater subsystem in Intel SSD Toolbox before 3.3.7 allows local users to gain privileges via unspecified vectors.
2016-10-10
linux -- linux_kernel
Multiple race conditions in drivers/char/adsprpc.c and drivers/char/adsprpc_compat.c in the ADSPRPC driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to cause a denial of service (zero-value write) or possibly have unspecified other impact via a COMPAT_FASTRPC_IOCTL_INVOKE_FD ioctl call.
2016-10-10
linux -- linux_kernel
drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2 Voice Service driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write request, as demonstrated by a voice_svc_send_req buffer overflow.
2016-10-10
microsoft -- edge
Microsoft Internet Explorer 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Browser Memory Corruption Vulnerability."
2016-10-13
microsoft -- edge
The scripting engines in Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, as demonstrated by the Chakra JavaScript engine, aka "Scripting Engine Memory Corruption Vulnerability."
2016-10-13
microsoft -- internet_explorer
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Browser Memory Corruption Vulnerability."
2016-10-13
microsoft -- internet_explorer
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
2016-10-13
microsoft -- internet_explorer
The scripting engine in Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability."
2016-10-13
microsoft -- edge
The Chakra JavaScript engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3389, CVE-2016-7190, and CVE-2016-7194.
2016-10-13
microsoft -- edge
Microsoft Internet Explorer 10 and 11 and Microsoft Edge do not properly restrict access to private namespaces, which allows remote attackers to gain privileges via unspecified vectors, aka "Microsoft Browser Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3387.
2016-10-13
microsoft -- edge
The Chakra JavaScript engine in Microsoft Edge allows remote attackers to execute arbitrary code via a crafted web site, aka "Scripting Engine Remote Code Execution Vulnerability."
2016-10-13
mirror_manager_project -- mirror_manager
Mirror Manager version 0.7.2 and older is vulnerable to remote code execution in the checkin code.
2016-10-07
openstack -- cinder
The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Glance before 11.0.1 and 12.0.0; and Nova before 12.0.4 and 13.0.0 does not properly limit qemu-img calls, which might allow attackers to cause a denial of service (memory and disk consumption) via a crafted disk image.
2016-10-07
redhat -- cloudforms_management_engine
Red Hat CloudForms Management Engine 4.1 does not properly handle regular expressions passed to the expression engine via the JSON API and the web-based UI, which allows remote authenticated users to execute arbitrary shell commands by leveraging the ability to view and filter collections.
2016-10-07
ruckus -- wireless_h500
Ruckus Wireless H500 web management interface authenticated command injection.
2016-10-10

Oct 17, 2016

Miscellaneous 10/17

・Bose "noise-cancelling headphones", born from a flash of inspiration (10/12)

・Key points of "IT controls" from a global perspective (2015.04.29)

・On the publication of the "Survey and Analysis Report on the Revision of the EU Data Protection Directive" (H24.4)

・Is data on US cloud services subject to surveillance? The resurgent "Patriot Act risk" (2013/07/18)

・Management techniques to keep overseas-site PCs from becoming a "hotbed of risk" (10.14)


Oct 16, 2016

Alert regarding the Adobe Flash Player vulnerabilities (APSB16-32) (JPCERT, 10/12)

・Alert regarding the Adobe Flash Player vulnerabilities (APSB16-32) (10/12)
 http://www.jpcert.or.jp/at/2016/at160040.html

 It feels like there isn't a week without news of an Adobe Flash Player vulnerability.
 Chrome and Firefox are moving toward blocking Flash.
 I think that's the right call.

 Related
  http://akasaka-taro.blogspot.jp/2016/07/flash.html

CVE 9/26

From High Vulnerabilities

(Columns: Primary Vendor -- Product / Description / Published / CVSS Score / Source & Patch Info)

adobe -- digital_editions
Use-after-free vulnerability in Adobe Digital Editions before 4.5.2 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4263.
2016-09-26 | CVSS 10.0 | CVE-2016-6980 | Source & Patch Info: BID, CONFIRM

apple -- apple_tv
libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
2016-09-25 | CVSS 10.0 | CVE-2016-4658 | Source & Patch Info: APPLE (x4), CONFIRM (x4)

apple -- mac_os_x
The Apache HTTP Server in Apple OS X before 10.12 and OS X Server before 5.2 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted CGI client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue, a related issue to CVE-2016-5387.
2016-09-25 | CVSS 7.5 | CVE-2016-4694 | Source & Patch Info: APPLE (x2), CONFIRM (x2)

apple -- iphone_os
AppleMobileFileIntegrity in Apple iOS before 10 and OS X before 10.12 mishandles process entitlement and Team ID values in the task port inheritance policy, which allows attackers to execute arbitrary code in a privileged context via a crafted app.
2016-09-25 | CVSS 9.3 | CVE-2016-4698 | Source & Patch Info: APPLE (x2), CONFIRM (x2)

apple -- safari
WebKit in Apple iOS before 10 and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4731.
2016-09-25 | CVSS 9.3 | CVE-2016-4729 | Source & Patch Info: APPLE (x2), CONFIRM (x2)

citrix -- linux_virtual_delivery_agent
Citrix Linux Virtual Delivery Agent (aka VDA, formerly Linux Virtual Desktop) before 1.4.0 allows local users to gain root privileges via unspecified vectors.
2016-09-26 | CVSS 7.2 | CVE-2016-6276 | Source & Patch Info: CONFIRM, BID

hp -- network_automation
HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
2016-09-29 | CVSS 7.5 | CVE-2016-4385 | Source & Patch Info: CONFIRM

huawei -- anyoffice_secureapp
Huawei AnyMail before 2.6.0301.0060 allows remote attackers to cause a denial of service (application crash) via a crafted compressed email attachment.
2016-09-26 | CVSS 7.1 | CVE-2016-6826 | Source & Patch Info: CONFIRM

huawei -- honor6_firmware
The video driver in Huawei Mate S smartphones with software CRR-TL00 before CRR-TL00C01B362, CRR-UL20 before CRR-UL20C00B362, CRR-CL00 before CRR-CL00C92B362, and CRR-CL20 before CRR-CL20C92B362; P8 smartphones with software GRA-TL00 before GRA-TL00C01B366, GRA-UL00 before GRA-UL00C00B366, GRA-UL10 before GRA-UL10C00B366, and GRA-CL00 before GRA-CL00C92B366; and Honor 6 and Honor 6 Plus smartphones with software before 6.9.16 allows attackers to cause a denial of service (device reboot) via a crafted application.
2016-09-26 | CVSS 7.1 | CVE-2016-8279 | Source & Patch Info: CONFIRM

iperf_project -- iperf
The parse_string function in cjson.c in the cJSON library mishandles UTF8/16 strings, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a non-hex character in a JSON string, which triggers a heap-based buffer overflow.
2016-09-26 | CVSS 7.5 | CVE-2016-4303 | Source & Patch Info: MISC (x2), SUSE (x2), CONFIRM (x3)

isc -- bind
buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query.
2016-09-28 | CVSS 7.8 | CVE-2016-2776 | Source & Patch Info: CONFIRM

Japanese-language information here
  ↓
・Alert regarding the ISC BIND 9 denial-of-service vulnerability (CVE-2016-2776) (10/05)
  http://www.jpcert.or.jp/at/2016/at160037.html
 The National Police Agency also reports that it has observed attacks,
 and that upgrading to the fixed version is the remedy.

libgd -- libgd
Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP through 7.0.11, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted imagewebp and imagedestroy calls.
2016-09-28 | CVSS 7.5 | CVE-2016-7568 | Source & Patch Info: CONFIRM (x4)

openssl -- openssl
Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
2016-09-26 | CVSS 7.8 | CVE-2016-6304 | Source & Patch Info: CONFIRM (x2)

openssl -- openssl
statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages.
2016-09-26 | CVSS 7.1 | CVE-2016-6308 | Source & Patch Info: CONFIRM (x2)

openssl -- openssl
statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.
2016-09-26 | CVSS 10.0 | CVE-2016-6309 | Source & Patch Info: CONFIRM (x2)

Japanese-language information here
 ↓
・Alert regarding the OpenSSL vulnerability (CVE-2016-6309) (9/28)
http://www.jpcert.or.jp/at/2016/at160038.html
They say upgrading is sufficient.

powerdns -- authoritative_server
PowerDNS (aka pdns) Authoritative Server before 4.0.1 allows remote primary DNS servers to cause a denial of service (memory exhaustion and secondary DNS server crash) via a large (1) AXFR or (2) IXFR response.
2016-09-26 | CVSS 7.1 | CVE-2016-6172 | Source & Patch Info: SUSE, MLIST (x2), CONFIRM (x4), MISC

redhat -- jboss_operations_network
The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3737.
2016-09-27 | CVSS 9.0 | CVE-2016-6330 | Source & Patch Info: BID, CONFIRM

sap -- trex
An unspecified function in SAP TREX 7.10 Revision 63 allows remote attackers to execute arbitrary OS commands via unknown vectors, aka SAP Security Note 2203591.
2016-09-27 | CVSS 10.0 | CVE-2016-6137 | Source & Patch Info: MISC (x2), FULLDISC (x2)