Hey all,
Here are this week’s cyber updates.
(1) Windows 8 & 10 are vulnerable to a server-side memory corruption vulnerability (CVE-2017-0016) in the SMB service. The vulnerability allows attackers to conduct a denial of service attack (BSOD) and possibly even execute code on the remote machine.
Currently, Microsoft has yet to issue a fix for this vulnerability, and an exploit for this vulnerability is reported to have been seen in the wild.
Please restrict SMB traffic in the FW until a patch is issued by Microsoft.
Here are all the details:
And here’s the exploit code: https://github.com/lgandx/PoC/tree/master/SMBv3%20Tree%20Connect
(2) Guests of the Romantik Seehotel Jaegerwirt hotel could not enter their rooms as their keycards were not working, and some guests’ reservations were gone from the system. Apparently, the computers running the electronic key locks were infected with ransomware.
If you ask me, this just shows you the difference between a generic attack and a target-driven approach. The attackers could have easily collected all guests’ credit card details for years, allowing them to earn much more than the paid ransom (1,500 EUR).
In this case, the hotel had to pay the ransom ASAP, as any other alternative would have ended up in very unhappy guests. But, I guess they are already used to it, as the very same hotel was hacked three times before this incident.
Now you would think that the hotel would want to protect its systems and prevent such an incident from reoccurring. Well, the hotel management found a rather “creative” solution – they are considering switching back to actual door keys and locks instead of key cards and electronic locks.
Here are all the details:
(3) WordPress just patched their environment against 0-day vulnerabilities. One of the bugs existed in their REST API, allowing remote privilege escalation as well as content injection. Basically speaking, the exploit allowed any unauthenticated user to modify all pages.
In particular, when /wp-json/wp/v2/posts/123?id=456ABC is called, WordPress attempts to check whether the user has permission to edit post id 456ABC, and if they don’t, the function exits. Since no such post exists (post ids should be numeric), the check passes and the code then calls update_item, which should have failed again. However, update_item casts the parameter to an int, causing the value to become 456. Now a malicious unauthenticated user can update item 456 (which is a valid and existing post).
Here are all the details:
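To make the id-cast problem concrete, here is a small Python model of the flow described above. This is an added illustration written for this update, not WordPress code: the post table, the User class and the php_int_cast helper (an approximation of PHP’s lenient (int) cast) are constructed for the demo. The “vulnerable” path checks permissions against the raw id string and only later casts it, while the “fixed” path rejects non-numeric ids up front and uses the same normalized id for both the permission check and the write.

```python
import re
from dataclasses import dataclass

# Constructed sample data standing in for the posts table: id -> content.
SAMPLE_POSTS = {456: "original content of post 456"}


@dataclass
class User:
    """Minimal stand-in for a WordPress user (constructed for this demo)."""
    authenticated: bool

    def can_edit(self, post_id: int) -> bool:
        # Simplified capability model: only logged-in users may edit posts.
        return self.authenticated


def php_int_cast(value: str) -> int:
    """Approximation of PHP's (int) cast on a string: leading digits are kept,
    the trailing garbage is dropped, and a string without leading digits is 0.
    So "456ABC" -> 456 and "ABC" -> 0."""
    m = re.match(r"^\s*[+-]?\d+", value)
    return int(m.group(0)) if m else 0


def permissions_check_vulnerable(posts: dict, user: User, raw_id: str) -> bool:
    """Permission check modelled on the description: it looks for a post whose
    id is exactly the raw value. "456ABC" is not numeric, so no post is found,
    there is nothing to deny, and the check falls through as 'allowed'."""
    post_id = int(raw_id) if raw_id.isdigit() else None
    if post_id in posts and not user.can_edit(post_id):
        return False
    return True


def update_item_vulnerable(posts: dict, user: User, raw_id: str, new_content: str) -> str:
    """Vulnerable flow: permission check on the raw id, then a lenient cast
    before the write, so the check and the write disagree about which post is meant."""
    if not permissions_check_vulnerable(posts, user, raw_id):
        return "denied"
    post_id = php_int_cast(raw_id)  # "456ABC" becomes 456 here
    if post_id not in posts:
        return "not found"
    posts[post_id] = new_content
    return "updated"


def update_item_fixed(posts: dict, user: User, raw_id: str, new_content: str) -> str:
    """Hardened flow: validate the id strictly before anything else, resolve it
    once, and run the permission check on that same resolved id."""
    if not re.fullmatch(r"\d+", raw_id):
        return "invalid id"
    post_id = int(raw_id)
    if post_id not in posts:
        return "not found"
    if not user.can_edit(post_id):
        return "denied"
    posts[post_id] = new_content
    return "updated"


if __name__ == "__main__":
    anon = User(authenticated=False)
    posts = dict(SAMPLE_POSTS)
    print("vulnerable, id=456ABC, anonymous:", update_item_vulnerable(posts, anon, "456ABC", "defaced"))
    print("post 456 now reads:", posts[456])
    print("fixed, id=456ABC, anonymous:", update_item_fixed(dict(SAMPLE_POSTS), anon, "456ABC", "defaced"))
    print("fixed, id=456, anonymous:", update_item_fixed(dict(SAMPLE_POSTS), anon, "456", "defaced"))
```

The takeaway for reviewers of your own APIs: any value that is validated in one representation and used in another is a candidate for exactly this class of bug, so normalize once at the boundary and pass the normalized value to every later check.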
(4) Netgear routers have been found to contain 31 different vulnerabilities, including unauthenticated password disclosure. While by default the admin interface is not publicly accessible, this vulnerability can be used by internal attackers to infect routers, and possibly allow a malicious entity to own a big botnet for DDoS attacks. Alternatively, the attacker can conduct MITM attacks. Think about it the next time you connect to a Starbucks Wi-Fi network.
Here are the details:
Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit