Friday, February 3, 2017

Cyber Updates - 03/02

Hey all,
Here are this week’s cyber updates.

(1) Windows 8 & 10 are vulnerable to a server-side memory corruption vulnerability (CVE-2017-0016) in the SMB service. The vulnerability allows attackers to conduct a denial of service attack (BSOD) and possibly even execute code on the remote machine.
Currently, Microsoft has yet to issue a fix for this vulnerability, and an exploit for this vulnerability is reported to be seen in the wild.
Please  restrict SMB traffic in the FW until a patch is issued by Microsoft.

Here are all the details:


(2) Guests of the Romantik Seehotel Jaegerwirt hotel could not enter their rooms as their keycard was not working, and some guests’ reservations were gone from the system. Apparently, the computers running the electronic key lock were infected with a ransomware.

If you ask me, this just shows you the difference between a generic attack and a target-driven approach. The attackers could have easily collected all guests’ credit card details for years, allowing them to earn much more than the paid ransom (1,500 EUR).

In this case, the hotel had to pay the ransom ASAP, as any other alternative would have ended up in very unhappy guests. But, I guess they are already used to it, as the very same hotel was hacked three times before this incident.
Now you think that the hotel would want to protect its systems and prevent such an incident from reoccurring. Well, the hotel management found a rather “creative” solution – they are considering switching back to actual door keys and locks instead of key cards and electronic locks.

Here are all the details:

(3) WordPress just patched their environment against 0-day vulnerabilities. One of their bugs existed in their REST API, allowing remote privilege escalation as well as content injection. Basically speaking, the exploit has allowed any unauthenticated user to modify all pages.
In particular, by calling to /wp-json/wp/v2/posts/123?id=456ABC, WordPress attempts to check if the user has permissions to edit post id 456ABC, and if they don’t’ the function exits. Since such a post doesn’t’ exist (post ids should be numeric), the code then calls to update_item, which should have failed again. However, update_item casts the parameter to an int, causing the value to be changed to 456. Now a malicious unauthenticated user can update item 456 (which is a valid and existing post).

Here are all the details:

(4) Netgear routers have been found to contain 31 different vulnerabilities, including unauthenticated password disclosure. While by default the admin interface is not publicly accessible, this vulnerability can be used by internal attackers to infect routers, and possibly allow a malicious entity to own a big botnet for DDoS attacks. Alternatively, the attacker can conduct MiTM attacks. Think about it the next time you connect to a Starbucks Wi-Fi network.

Here are the details:

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit