Monday, December 26, 2016

Cyber Updates - 26/12

Hey all,
Here are this week’s cyber updates:

(1) PHPMailer was found to be exposed to a critical remote code execution vulnerability (CVE-2016-10033).
While the security researcher has not yet published a working exploit (due to his responsible disclosure), looking at the diff between version 5.2.17 and 5.2.18 (the patched version) shows that the “from” email address was not validated before use. Thus, it is possible to inject commands into that parameter that will later be executed by the OS.

PHPMailer is used by several open-source projects, including: WordPress, Drupal, 1CRM, SugarCRM, Yii and Joomla. 

Clients are requested to update their PHPMailer version immediately.
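To make the root cause concrete, here is an added illustration (my own example, not PHPMailer’s code) of the class of check the patched version adds: validate the sender address before it is handed to the local sendmail binary, and pass it as a single argv element rather than interpolating it into a shell command line. The sendmail path and the sample addresses are constructed for the example.

```python
"""Sender-address validation before the address reaches the local MTA.

Added example, not PHPMailer's code. It contrasts the risky pattern
(interpolating an unvalidated "from" address into a shell command) with a
hardened one (strict validation plus an argv list, so no shell is involved).
"""
import re
import shlex
import subprocess
from typing import List

# Assumed path for the example; adjust to the host.
SENDMAIL = "/usr/sbin/sendmail"

# Deliberately strict: one local part, one dotted domain, no whitespace,
# no quotes, no shell metacharacters. Real address syntax is wider than
# this, but a mail-sending API rarely needs the exotic forms.
_SENDER_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def validate_sender(addr: str) -> bool:
    """Return True only if addr is a plain local@domain address."""
    return bool(_SENDER_RE.fullmatch(addr))


def unsafe_sendmail_command(sender: str) -> str:
    """The risky pattern: the address is interpolated into a shell command
    line, so anything it contains (spaces, quotes, extra tokens) is
    interpreted by the shell and then by sendmail's option parser."""
    return f"{SENDMAIL} -t -i -f{sender}"


def shell_tokens(sender: str) -> List[str]:
    """Show how a POSIX shell would tokenize the unsafe command line.
    A sender containing whitespace yields extra arguments to sendmail."""
    return shlex.split(unsafe_sendmail_command(sender))


def build_sendmail_argv(sender: str) -> List[str]:
    """Hardened pattern: reject anything that is not a plain address, and
    pass it as one argv element so it cannot be split into further args."""
    if not validate_sender(sender):
        raise ValueError(f"refusing to use sender address: {sender!r}")
    return [SENDMAIL, "-t", "-i", "-f", sender]


def send_message(sender: str, raw_message: bytes) -> int:
    """Run sendmail with the hardened argv (shell=False). Returns exit code."""
    argv = build_sendmail_argv(sender)
    proc = subprocess.run(argv, input=raw_message, check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample inputs: one clean address, two that must be rejected.
    for candidate in ["alice@example.com", "bob smith@example.com", '"eve"@example.com']:
        print(f"{candidate!r}: valid={validate_sender(candidate)} "
              f"shell_tokens={shell_tokens(candidate)}")
```

The two defences are independent: the argv list removes the shell from the picture, and the validation stops a malformed address from reaching sendmail's own option parsing at all. Both are worth keeping even after upgrading, since the same pattern recurs in any wrapper that shells out to an MTA.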

(2) An SQL injection vulnerability exists in Panasonic Avionics, allowing malicious users to affect the entertainment system in your flight. While illegal, you can try to exploit it the next time you fly with American Airlines, United, Virgin, Emirates, Etihad, Qatar, FinnAir, KLM, Iberia, Scandinavian, Air France, Singapore, or Aerolineas Argentinas. Just in case you had any doubt, I am not telling you to hack these systems, and I will definitely not bail you out if you’ve chosen to do so :)

(3) In “surprising” timing after this incident, Gogo, one of Panasonic Avionics’ major competitors, has launched a new bug bounty program, asking security researchers to find vulnerabilities in its products.
The company’s products are used by numerous airlines, such as: Aeroméxico, Aer Lingus, American Airlines, Air Canada, Alaska Airlines, Beijing Capital, British Airways, Delta Air Lines, GOL, Hainan Airlines, Iberia, Japan Airlines, JTA, United Airlines, Vietnam Airlines, Virgin America and Virgin Atlantic.

(4) This Xmas has brought a surprising “gift” to UK Groupon users. Many of them have reported that their account was hacked.
Groupon says there hasn't been any security breach of its own site or app, but acknowledges it has seen a series of cases where fraudsters managed to hack into Groupon accounts after obtaining log-in and password information via third-party websites. In other words, Groupon blames its customers and does not intend to do anything about it.

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit