Saturday, May 6, 2017

Cyber Updates - 06/05

Hey all,
Here are this week's cyber updates:

(1) Intel processors remote management features were found to be vulnerable (CVE-2017-5689) to remote code execution.
Intel’s Active Management Technology (AMT), uses a web-based control panel, which is accessible from port 16992 and 16993, and allows an administrator to remotely manage a system. The web server uses digest as its authentication mechanism, but does not properly compare the users_response digest value with the computed_response value. In particular, the website uses the strncmp function with the user_response length instead of the computed_response length.
This means that a null value submitted as the user’s digest response, would invoke the strncmp function with a length of 0, therefore causing it to always return 0 (success). Thus, malicious users can successfully authenticate to the webserver and manage users’ computer.
Fortunately, the AMT features are not installed by default, so not all organizations are affected by this vulnerability.

Here are all the details:

(2) WordPress was found to be vulnerable (CVE-2017-8295) to a logical flaw that might allow an attacker to reset users’ passwords. In particular, WordPress sends a “password reset” email from the following address:, with “” parsed from the user’s request host header. Thus, a mail can be sent from the attacker’s domain if he/she submits a password reset request with their own domain (to the victim's IP address).

A malicious user can flood the user’s mailbox with numerous big attachments (unrelated to the WordPress platform). This would result in the user’s mailbox being flooded, and thus becoming unavailable to receive new emails. 
The attacker can then send the "forgot password" email (from their own domain), which will cause the victim’s MX server to reply to the original email with a "552 mailbox full" error. However, since the attacker has managed to control the domain, the email would be sent to the attacker, and would contain the original email, including the token to reset the password.

Here are all the details:

(3) Flicker was found to be vulnerable to an account takeover vulnerability: the authentication mechanism to Flicker relies on Yahoo, where the user receives a token from Yahoo and sends it to Flicker. Due to insufficient validation on the address URL in Yahoo, a malicious user who causes their victim to invoke a call to Yahoo can receive the victim's Flicker token and login on their behalf.

Here are all the details:

(4) Albert Einstein once said that two things are infinite: the universe and human stupidity. A new phishing campaign proves the latter. Users have received an email from Apple iCloud, requesting them not only to provide their password, but also their credit card details, address, and government issued credit card.

Here are all the details:

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Uni