Security Bulletin #114 – 26 May 2017
CVE-2017-7494 Samba vulnerability, patch your installation now!
A seven-year-old remote code execution vulnerability affects all versions of the Samba software since 3.5.0. The flaw has been patched by the development team of the project. An attacker can exploit the CVE-2017-7494 RCE to upload a shared library to a writable share, and then cause the server to load and execute it. The popular CVE-2017-7494 flaw can be easily exploited, just a line of could be used for the hack under specific conditions: 1) make file- and printer-sharing port 445 reachable on the Internet 2) configure shared files to have write privileges 3) use known or guessable server paths for those files. When those conditions are satisfied, remote attackers can upload any code of their choosing and cause the server to execute it, possibly with unfettered root privileges, depending on the vulnerable platform. Sysadmins have to patch their versions as soon as possible, if it is not possible for any reason a workaround can be implemented by the adding the line ‘nt pipe support = no’ to their Samba configuration file and restarting the network’s SMB daemon. The change will limit clients from accessing some network computers. The Samba bug appears to be a network wormable issue that could be exploited by a malicious code to self-replicate from vulnerable machine to vulnerable machine without requiring user interaction. Hurry up, the exploit for the Samba bug is expected to be available in the days for the Metasploit framework.
All android phones are vulnerable to full device takeover attack
Researchers have discovered a new attack, dubbed 'Cloak and Dagger', that works against all versions of Android, up to version 7.1.2. Cloak and Dagger attack allows hackers to silently take full control of your device and steal private data, including keystrokes, chats, device PIN, online account passwords, OTP passcode, and contacts. The attack doesn't exploit any vulnerability in Android ecosystem; instead, it abuses a pair of legitimate app permissions that is being widely used in popular applications to access certain features on an Android device. Cloak and Dagger attacks utilize two basic Android permissions: 1) SYSTEM_ALERT_WINDOW (``draw on top``) 2) BIND_ACCESSIBILITY_SERVICE (``a11y``) The first permission, known as ``draw on top,`` is a legitimate overlay feature that allows apps to overlap on a device's screen and top of other apps. The second permission, known as ``a11y,`` is designed to help disabled, blind and visually impaired users, allowing them to enter inputs using voice commands, or listen content using screen reader feature. In short, the attackers can secretly take over your Android device and spy on your every activity you do on your phone. The easiest way to disable the Cloak and Dagger attacks in Android 7.1.2 is to turn off the ``draw on top`` permission by heading on to: ‘Settings → Apps → Gear symbol → Special access → Draw over other apps.’ Always download apps from Google Play Store and from trusted and verified developers. Check app permissions before installing apps. If any app is asking more than what it is meant for, just do not install it.
NSA EsteemAudit exploit could trigger a new WannaCry-like attack
The WannaCry emergency could not be ended because the NSA dump leaked by the Shadow Brokers team included many other dangerous exploits. The group had released another batch of data containing exploit codes still unpatched by Microsoft such as the “EnglishmanDentist,” “EsteemAudit,” and “ExplodingCan.” The availability of such exploits and hacking tools represents a serious problem, an attacker with technical knowledge can exploit them to compromise millions of Windows systems across the world. The EsteemAudit exploit is a hacking tool that targets RDP service (port 3389) on machines running no longer supported Microsoft Windows Server 2003 / Windows XP. It has been estimated that over 24,000 systems remain vulnerable to the EsteemAudit exploit. Experts warn of possible exploitation of EsteemAudit exploit in network wormable threats. Threat actors in the wild can develop malware that is able to propagate itself in target’s networks without user’s interaction. Users and enterprises running the vulnerable systems are advised to upgrade them to the higher versions to secure themselves from EsteenAudit attacks. When it is impossible to upgrade the systems it is necessary to secure them, for example disabling RDP port or putting it behind the firewall. You can also deploy the unofficial patch developed by Ensilo to secure your systems.
CERTFR-2017-ALE-008 : Multiples vulnérabilités dans Microsoft Windows XP et Windows Server 2003 (15 mai 2017)
CERTFR-2017-ALE-011 : Campagne de messages électroniques non sollicités de type Jaff (14 mai 2017)
CERTFR-2017-ALE-010 : Propagation d’un rançongiciel exploitant les vulnérabilités MS17-010 (12 mai 2017)