Security Bulletin #132 – 21 June 2017
Stack Clash vulnerability allows an attacker to execute code as root
Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code as root. Stack Clash, tracked as CVE-2017-1000364, affects the memory management of several operating systems, including Linux, BSD and Solaris, and can be exploited by attackers to corrupt memory and execute arbitrary code. Security patches have been released today for many Linux and other open source distributions; systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon. Experts warn that this flaw could be chained with other vulnerabilities to run arbitrary code with the highest privileges.

The stack is the memory region a program uses during its execution; it grows automatically when the program needs more stack memory. If this region grows too much it can interfere with the stack of another process, and an attacker can force the growth to overwrite another memory region. The researchers do not know of any remotely exploitable application, but they do not exclude remote exploitation of Stack Clash. As a temporary mitigation, Qualys recommends increasing the size of the stack guard page to at least 1 MB.
Two Ztorg Trojans Removed from Google Play Store
For the second time in a month, Google has removed malicious apps infected with the Ztorg Trojan, which could allow attackers to root targeted devices. Most software developers update their apps to patch vulnerabilities and add new features; when the software is malware, however, an update could be the worst thing to do. The Google Play Store is always working to prevent malware from being downloaded by unsuspecting users, but the operators of Ztorg keep adding features and capabilities over time. Once the initial app is installed, it uses a wide range of advanced techniques to evade detection, fetch updates from its command-and-control infrastructure and ultimately try to gain root on the phone. The two apps recently removed from the Google Play Store, “Magic Browser” and “Noise Detector”, show an evolution of the Ztorg Trojan’s capabilities and include some nifty new techniques for making illegitimate money.
Microsoft to Remove SMBv1 Protocol in Next Windows 10 Version (RedStone 3)
The Server Message Block version 1 (SMBv1) protocol — a 30-year-old file sharing protocol that came back into the spotlight last month after the devastating WannaCry outbreak — will be removed from the upcoming Windows 10 (1709) Redstone 3 update. SMBv1 is one of the internet's oldest networking protocols; it allows operating systems and applications to read and write data on a remote system and to request services from a server. Although Microsoft patched the vulnerability in SMBv1 in March with MS17-010, the company has meanwhile strongly advised users to disable the three-decade-old protocol completely. Microsoft has been planning to remove SMBv1 from the Windows 10 Fall Creators Update (version 1709), which is expected to be released in September/October 2017. Microsoft recently announced the beta release of the Windows 10 “Creators Update”, also known as “Redstone 2” (version 1703), which disables the SMB1 protocol by default, and after testing and gathering feedback from the community, the company has decided to remove the protocol completely in the next stable version of the operating system.
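Microsoft's advice above is to disable SMBv1 rather than wait for its removal. The following PowerShell is an added example, not part of the bulletin: it inventories the SMB1 state on a Windows 10 / Server 2016 host, turns on SMB1 access auditing so that legacy clients are found before the protocol is cut off, and then disables it. It assumes an elevated session and that the -AuditSmb1Access parameter is present, which depends on the Windows build.

```powershell
# Added example (not from the bulletin): inventory, audit and disable SMBv1 on Windows.
# Assumes an elevated session with the SmbShare and DISM cmdlets available;
# -AuditSmb1Access is only present on newer Windows 10 / Server 2016 builds (assumption).

#Requires -RunAsAdministrator

# 1. Inventory: is the SMB1 feature installed, and does the server still accept SMB1 sessions?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
$server  = Get-SmbServerConfiguration
[pscustomobject]@{
    Smb1FeatureState  = $feature.State            # 'Enabled' or 'Disabled'
    Smb1ServerEnabled = $server.EnableSMB1Protocol # $true means SMB1 sessions are accepted
}

# 2. Audit before removing: log each SMB1 connection attempt (event ID 3000 in the
#    Microsoft-Windows-SMBServer/Audit log) so SMB1-only clients are identified, not broken.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 3000 |
    Select-Object TimeCreated, Message

# 3. Remediate: stop the server from speaking SMB1, then remove the feature entirely
#    (client side included). A reboot completes the feature removal.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Leave the audit step running for a full business cycle before step 3 on file servers, since printers, NAS boxes and old scanners are the usual SMB1-only clients.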
CERTFR-2017-AVI-188: Multiple vulnerabilities in Linux SUSE (20 June 2017)
CERTFR-2017-AVI-187: Multiple vulnerabilities in Linux RedHat (20 June 2017)
CERTFR-2017-AVI-186: Multiple vulnerabilities in Oracle Solaris (20 June 2017)
CERTFR-2017-AVI-185: Multiple vulnerabilities in Linux Ubuntu (20 June 2017)