Security Bulletin #118 – 1 June 2017
A recently discovered Linux flaw could be exploited by Sudo Users to gain Root Privileges
Security researchers at Qualys Security have discovered a Linux flaw that could be exploited to gain root privileges and overwrite any file on the filesystem on SELinux-enabled systems. The high severity flaw, tracked as CVE-2017-1000367, resides in the Sudo’s get_process_ttyname() for Linux and is related to the way Sudo parses tty information from the process status file in the proc filesystem. The Linux flaw could be exploited by a local user with privileges to execute commands via Sudo and could allow attackers to escalate their privileges to root. Sudoer users on SELinux-enabled systems could escalate their privileges to overwrite any file on the filesystem with their command’s output, including root-owned files. To exploit the issue, a Sudo user would have to choose a device number that doesn’t exist under “/dev”. If the terminal isn’t present under the /dev/pts directory when the Sudo performs a breadth-first search of /dev, the user could allocate a pseudo-terminal between the two searchers and create a “symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm,” The Linux flaw affects all Sudo versions from 1.8.6p7 through 1.8.20, the Sudo 1.8.20p1 fixes it, the issue was rated with a CVSS3 Base Score of 7.8.
ESET releases decryptor for AESNI ransomware variants, including XData
Releasing master keys for older ransomware variants has become somewhat of a trend these days. Shortly after the release of the updated Crysis decryptor, master keys for some of the variants of the AES-NI family were published – specifically Win32/Filecoder.AESNI.B and Win32/Filecoder.AESNI.C, also known as XData. Based on this, ESET experts have prepared an AES-NI decryption tool. The tool works for files encrypted by the offline RSA key used by AES-NI variant B, which adds the extensions .aes256, .aes_ni, and .aes_ni_0day to the affected files, as well as files affected by AES-NI variant C (or XData) with the extensions .~xdata~. Victims who still have their encrypted files can now download the decryptor from the utilities page.
Judy may have a sweet name but it doesn’t Love You – Judy Malware may have infected 36 million users
Current Alerts CERTFR-2017-ALE-008 : Multiples vulnérabilités dans Microsoft Windows XP et Windows Server 2003 (15 mai 2017) Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-008.pdf CERTFR-2017-ALE-011 : Campagne de messages électroniques non sollicités de type Jaff (14 mai 2017) Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-011.pdf CERTFR-2017-ALE-010 : Propagation d’un rançongiciel exploitant les vulnérabilités MS17-010 (12 mai 2017) Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-010.pdf