Security Bulletin #103
iCloud Keychain vulnerability allowed hackers to steal sensitive data
The flaw allowed hackers to run man-in-the-middle (MitM) attacks to obtain sensitive user information (i.e. names, passwords, credit card data, and Wi-Fi network information). In March, the researcher Alex Radocea of Longterm Security discovered a vulnerability, tracked as CVE-2017-2448, that affects the iCloud Keychain. Radocea discovered that the signature verification procedure for OTR could have been bypassed. This means that an attacker can launch a MitM attack to negotiate an OTR session without needing the syncing identity key. The attacker can exploit the flaw to impersonate other devices in the circle while keychain data is being synced, intercepting the related data. The expert highlighted that if the user doesn’t enable two-factor verification for their account, an attacker can access the target account by capturing its iCloud password. The expert also warned of possible modification of iCloud KVS entries and of the lack of certificate pinning for TLS communications, which opens the door to attackers. Apple has fixed the vulnerability by improving the validation of the authenticity of OTR packets.
Cisco patches leaked 0-day in 300+ of its switches
Cisco has plugged a critical security hole in over 300 of its switches, and is urging users to apply the patches as soon as possible because an exploit for it has been available for a month now. A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The vulnerability exists partly because of a failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members, and partly because malformed CMP-specific Telnet options are incorrectly processed. Another option for those who, for whatever reason, don’t want to implement the offered patches is to disable the Telnet protocol for incoming connections. Cisco has been recommending the switch to SSH. But this move only eliminates the exploit vector, not the vulnerability. The criticality of the vulnerability is reflected in its CVSS Score: 9.8 (out of 10). So if you own one of these Cisco switches, get patching.
Adobe fixes critical and important flaws in Flash Player and Experience Manager
The latest Flash Player release 188.8.131.52 addresses seven vulnerabilities that can be exploited to take over vulnerable systems. According to the security advisory published by Adobe, the vulnerabilities include a use-after-free and other memory corruption flaws that can be exploited by attackers to execute arbitrary code. These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2017-3068, CVE-2017-3069, CVE-2017-3070, CVE-2017-3072, CVE-2017-3073, CVE-2017-3074). The Experience Manager vulnerability was discovered by Ruben Reusser and affects versions 6.0 through 6.2. The flaw is related to the abuse of the pre-population service in Experience Manager Forms. In this case too, Adobe confirmed that there is no evidence of exploitation in the wild.
CERTFR-2017-ALE-009: Vulnerability in Microsoft Malware Protection Engine (9 May 2017)
CERTFR-2017-ALE-008: Vulnerability in RDP for Microsoft Windows XP and Windows Server 2003 (14 April 2017)
CERTFR-2017-AVI-151: Vulnerability in Microsoft Malware Protection Engine (10 May 2017)
CERTFR-2017-AVI-150: Multiple vulnerabilities in Microsoft Edge (10 May 2017)
CERTFR-2017-AVI-149: Multiple vulnerabilities in Windows Internet Explorer (10 May 2017)
CERTFR-2017-AVI-148: Multiple vulnerabilities in Microsoft Windows (10 May 2017)
CERTFR-2017-AVI-147: Multiple vulnerabilities in Microsoft Office (10 May 2017)
CERTFR-2017-AVI-146: Vulnerability in Microsoft .NET Framework (10 May 2017)
CERTFR-2017-AVI-145: Vulnerabilities in Microsoft Skype for Business 2016 (10 May 2017)
CERTFR-2017-AVI-144: Multiple vulnerabilities in Adobe Flash Player (10 May 2017)
CERTFR-2017-AVI-143: Vulnerability in Cisco switches (10 May 2017)