- Recently Patched Dnsmasq still affect Siemens Industrial devices
- Bitcoin Gold (BTG) dev team warns its users about a security breach
- Kazakhstan-born Canadian citizen pleads guilty to 2014 Yahoo hack, he admits helping Russian Intelligence
- A bug in macOS High Sierra allows Root access with no password
Posted: 29 Nov 2017 06:38 AM PST
Siemens published a security advisory to confirm that four of the seven Dnsmasq vulnerabilities affect some of its SCALANCE products
In October, Google security experts disclosed seven distinct vulnerabilities in the Dnsmasq software package.
From the authors' website, "Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot." In practice, the Dnsmasq code has been widely leveraged in routers, firewalls, IoT devices, virtualization frameworks and even mobile devices when you need to set up a portable hotspot. In other words, there is a lot of Dnsmasq code "in the wild" and bugs in this code could be a big deal depending on the nature of the vulnerabilities.
Dnsmasq can be found in Linux distributions, smartphones, routers, and many IoT devices.
Siemens, like other companies, warned of the risks related to the set of flaws discovered by Google. Siemens published a security advisory to confirm that four of the seven vulnerabilities affect some of its SCALANCE products, including W1750D controller-based direct access points, M800 industrial routers, and S615 firewalls.
The ICS-CERT also published an advisory on the flaws affecting Siemens products.
Three of the vulnerabilities (CVE-2017-13704, CVE-2017-14495 and CVE-2017-14496) can be exploited by attackers to crash the Dnsmasq process by sending specially crafted requests to the service on UDP port 53.
“Vulnerability 1 (CVE-2017-13704) – An attacker can cause a crash of the DNSmasq process by sending specially crafted request messages to the service on port 53/udp” reads the advisory.
The Siemens SCALANCE products are also affected by the CVE-2017-14491 flaw, which could be exploited by attackers to trigger a DoS condition or possibly execute arbitrary code on the vulnerable device. Unlike the three crash bugs, this one is triggered by a malicious DNS response rather than a request, so the attacker needs to be able to answer the device's own lookups.
"An attacker can cause a crash or potentially execute arbitrary code by sending specially crafted DNS responses to the DNSmasq process. In order to exploit this vulnerability, an attacker must be able to trigger DNS requests from the device, and must be in a position that allows him to inject malicious DNS responses, e.g. the attacker must be in a Man-in-the-Middle position." continues the advisory.
Siemens is working on security patches to address the Dnsmasq flaws in its products. Until the fixes are available, users should apply the suggested mitigations: block incoming traffic on UDP port 53 with firewall rules (applies to the W1750D if the OpenDNS, Captive Portal or URL redirection functionality is not used), and disable the DNS proxy and configure devices to use a different DNS server (applies to the M800 and S615).
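One quick way to find out whether a resolver exposed on UDP port 53 runs a pre-fix dnsmasq build is the classic version.bind CHAOS TXT query, which dnsmasq answers with a banner of the form "dnsmasq-2.xx". The script below is an added example, not code from Siemens, Google or the dnsmasq project: it builds the query by hand, parses the TXT answer and compares the banner against 2.78, the upstream release that shipped the fixes for these CVEs (an assumption the code states; vendor firmware may carry backported fixes under an older banner). build_sample_response() fabricates a reply so the parser can be exercised without touching a real device.

```python
"""Probe a DNS resolver for a dnsmasq version banner and compare it against 2.78."""
import re
import socket
import struct

TYPE_TXT = 16
CLASS_CHAOS = 3
# Assumption: dnsmasq 2.78 is the upstream release carrying the fixes for
# CVE-2017-13704/14491/14495/14496, so anything older is reported as unpatched.
FIXED_IN = (2, 78)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: "version.bind" -> b"\\x07version\\x04bind\\x00"."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_version_query(txid: int = 0x1234) -> bytes:
    """Build the 'version.bind CH TXT' query that dnsmasq answers with its banner."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, 1 question
    return header + encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CHAOS)


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name that starts at off."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def parse_txt_answers(pkt: bytes) -> list:
    """Extract every TXT string from the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    strings = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_TXT:
            continue
        i = 0
        while i < len(rdata):  # TXT rdata is a sequence of <len><bytes> character-strings
            n = rdata[i]
            strings.append(rdata[i + 1:i + 1 + n].decode("ascii", errors="replace"))
            i += 1 + n
    return strings


def parse_version(banner: str):
    """Return (major, minor) from a banner such as 'dnsmasq-2.76', or None if it is not one."""
    m = re.match(r"dnsmasq-(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_unpatched_version(banner: str):
    """True if the banner names a dnsmasq release older than FIXED_IN, False if not, None if unknown."""
    version = parse_version(banner)
    return None if version is None else version < FIXED_IN


def build_sample_response(banner: str, txid: int = 0x1234) -> bytes:
    """Constructed stand-in for a dnsmasq reply, so the parser can be tested offline."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR + RD + RA, 1 answer
    question = encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CHAOS)
    txt = bytes([len(banner)]) + banner.encode()
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_CHAOS, 0, len(txt)) + txt
    return header + question + answer


def probe(host: str, port: int = 53, timeout: float = 2.0) -> list:
    """Send the query over UDP to a device you are authorised to test; return its TXT strings."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_version_query(), (host, port))
        data, _ = sock.recvfrom(512)
    return parse_txt_answers(data)


if __name__ == "__main__":
    import sys
    labels = {True: "older than 2.78, unpatched", False: "2.78 or newer", None: "not a dnsmasq banner"}
    for reply in probe(sys.argv[1]):
        print(f"{reply}: {labels[is_unpatched_version(reply)]}")
```

Run it as python3 probe.py <device-ip> against a device you are authorised to test. A banner older than 2.78 is a lead, not proof: Siemens ships its own firmware builds, so confirm the firmware version against the Siemens advisory, and a device patched by a vendor backport may still answer with the old string.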
The post Recently Patched Dnsmasq still affect Siemens Industrial devices appeared first on Security Affairs.
Posted: 29 Nov 2017 04:07 AM PST
The development team of the Bitcoin Gold (BTG) cryptocurrency is warning all users about a security breach involving the Windows version of its wallet app
The development team of the Bitcoin Gold (BTG) cryptocurrency is warning all users about a security breach involving the official Windows wallet application offered for download via its official website. Bitcoin Gold is a fork of Bitcoin created on October 25.
The Bitcoin Gold development team explained that attackers gained access to its GitHub account and replaced the legitimate Windows installer with a “suspicious” file that was created to steal funds and other information from victims.
Developers confirmed the Linux version of the official wallet app was not changed during the incident.
The development team discovered the breach over the weekend, when it noticed that the SHA-256 checksum of the Windows installer did not match the original SHA-256 checksum published for the file on the GitHub repository.
“Please be aware that for approximately 4.5 days, a link on our Download page and the file downloads on our Github release page have been serving two suspicious files of unknown origin.” reads the security advisory.
Below are the correct SHA-256 checksums for BTG’s Windows wallet app.
Further investigation allowed the development team to discover that the “malicious” file was available in the GitHub repository between November 21, 2017, 09:39 UTC, and November 25, 2017, 22:30 UTC.
The bad news for end-users is that the malware was not detected by antivirus software.
“Until we know otherwise, all users should presume these files were created with malicious intent – to steal cryptocurrencies and/or user information. The file does not trigger antivirus / anti-malware software, but do not presume the file is safe.” continues the advisory.
“Any user who verified the SHA-256 checksum of the download against the checksum listed on our Download pages is already aware the file is not authentic and should not have used the file, but nobody should assume that all users take this important step.”
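The check the advisory refers to, verifying the downloaded installer against the SHA-256 digest listed on the Download page, looks like this in practice. The script is an added example and not the BTG team's code: the file names and the checksum list layout (the sha256sum style "<hex digest>  <filename>" lines) are assumptions, and SAMPLE_INSTALLER is constructed stand-in data, not a real wallet binary.

```python
"""Verify a downloaded installer against a published SHA-256 checksum list."""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a Windows installer; the real BTG binaries and their
# published digests are deliberately not reproduced here.
SAMPLE_INSTALLER = b"MZ" + b"constructed stand-in for a wallet installer\n" * 512


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large installer never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_list(text: str) -> dict:
    """Parse '<hex digest>  <filename>' lines (sha256sum layout); blank and '#' lines are ignored."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # sha256sum marks binary-mode entries with a leading '*'
        if len(digest) != 64 or not set(digest.lower()) <= set("0123456789abcdef"):
            raise ValueError(f"malformed digest on line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_download(path: Path, expected_hex: str) -> bool:
    """True only if the file's SHA-256 matches the published digest exactly."""
    return sha256_file(path) == expected_hex.strip().lower()


def demo() -> tuple:
    """Write the constructed installer plus a tampered copy and verify both against one list."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "wallet-setup.exe"
        good.write_bytes(SAMPLE_INSTALLER)
        # What the Download page would list for the genuine file (computed here, not published data).
        published = f"{sha256_file(good)}  wallet-setup.exe\n"
        tampered = Path(tmp) / "wallet-setup-tampered.exe"
        tampered.write_bytes(SAMPLE_INSTALLER[:-1] + b"!")  # one byte changed, same length
        expected = parse_checksum_list(published)["wallet-setup.exe"]
        return verify_download(good, expected), verify_download(tampered, expected)


if __name__ == "__main__":
    genuine_ok, tampered_ok = demo()
    print("genuine installer verifies:", genuine_ok, "| tampered copy verifies:", tampered_ok)
```

The comparison only means something if the digest came from a channel the attacker did not control. Here the checksum on the Download page was not updated along with the installer, which is what exposed the swap, but an attacker holding the same GitHub account could have replaced both. A signature over the release, checked against a key obtained out of band, does not have that weakness.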
Affected users are urged to transfer their funds to new wallet addresses and to reinstall the affected computers.
“If the file was used, the computer on which it was used should be addressed with extreme caution; the file should be deleted, the machine should be thoroughly checked for malware and viruses (or wiped clean), and any cryptocurrencies with wallets accessible on that machine should be moved to new wallet addresses immediately,” suggested the Bitcoin Gold development team, which has meanwhile restored the original files and secured its GitHub account.
(Security Affairs – cryptocurrency, hacking)
The post Bitcoin Gold (BTG) dev team warns its users about a security breach appeared first on Security Affairs.
Posted: 29 Nov 2017 02:40 AM PST
The Kazakhstan-born Canadian citizen Karim Baratov (22) has pleaded guilty in connection with the massive 2014 Yahoo hack that affected three billion accounts.
The Kazakhstan-born Canadian citizen Karim Baratov (22), a.k.a. Kay, Karim Taloverov and Karim Akehmet Tokbergenov, has pleaded guilty in connection with the massive 2014 Yahoo data breach that affected three billion accounts.
Karim Baratov was arrested in Toronto at his home by the Toronto Police Department in March.
In the federal district court in San Francisco on Tuesday, Baratov admitted to helping Russian intelligence and pleaded guilty to a total of nine counts, including identity theft charges.
“As part of his plea agreement, Baratov not only admitted to his hacking activities on behalf of his co-conspirators in the FSB, but also to hacking more than 11,000 webmail accounts in total on behalf of the FSB conspirators and other customers from in or around 2010 until his March 2017 arrest by Canadian authorities. Baratov advertised his services through a network of primarily Russian-language hacker-for-hire web pages hosted on servers around the world.” reads the press release published by the Department of Justice.
“He admitted that he generally spearphished his victims, sending them emails from accounts he established to appear to belong to the webmail provider at which the victim's account was hosted (such as Google or Yandex). Baratov's spearphishing emails tricked victims into (i) visiting web pages he constructed to appear legitimate, as though they belonged to the victims' webmail providers and (ii) entering their account credentials into those web pages. Once Baratov collected the victims' account credentials, he sent his customers screen shots of the victims' account contents to prove that he had obtained access and, upon receipt of payment, provided his customers the victims' log-in credentials.”
In March, the US Justice Department charged two Russian intelligence officers (Dmitry Dokuchaev and Igor Sushchin) from Russia’s Federal Security Service (FSB) and two hackers (Alexsey Belan and Karim Baratov) for breaking into Yahoo servers in 2014.
Unlike Baratov, the hacker Alexsey Belan and both FSB officers currently reside in Russia.
According to prosecutors, the Russian intelligence agency FSB directed the Yahoo hack and hired Baratov to target persons of interest to the FSB (e.g. journalists, government officials and technology company employees) who used email accounts at providers other than Yahoo.
“Baratov’s role in the charged conspiracy was to hack webmail accounts of individuals of interest to the FSB and send those accounts’ passwords to Dokuchaev in exchange for money,” his plea agreement reads.
Baratov’s lawyers argued that, at the time of the hacks, he had no idea he was working for Russian intelligence.
Baratov hacked at least 80 non-Yahoo email accounts, including at least 50 Google accounts, using spear phishing to trick victims into handing over their credentials.
Baratov’s sentencing hearing will be held on 20th February next year in federal district court in San Francisco. He could face up to 87 months in jail for the first charge and 24 months for the identity theft charges.
“These threats are even more insidious when cybercriminals such as Baratov are employed by foreign government agencies acting outside the rule of law.” US Attorney Brian Stretch said.
Baratov has also agreed to pay restitution to the affected Yahoo users and a fine of up to $2,250,000 ($250,000 per count).
(Security Affairs – 2014 Yahoo hack, DoJ)
Posted: 29 Nov 2017 12:51 AM PST
macOS High Sierra is plagued by a vulnerability that can be exploited to gain root access to a machine with no password.
An easily exploitable vulnerability in macOS 10.13, aka macOS High Sierra, lets a user gain admin rights, or log in as root, without a password.
The vulnerability is exposed through the authentication dialog that macOS High Sierra shows when an administrator’s username and password are required for specific actions, such as changing privacy or network settings.
In that dialog, or at the user login screen, type “root” as the username, leave the password box blank, hit Enter and then click Unlock a few times; the prompt disappears and the user has admin rights.
The attack needs local access to the machine, either physically or through a remote desktop session; once in, the attacker can do anything an administrator can, such as install malware.
Until a fix is available, users should not leave vulnerable High Sierra machines unattended and should not allow remote desktop access to them.
The flaw was publicly disclosed on Twitter by the developer Lemi Orhan Ergin.
With that access it is also possible to disable FileVault encryption, which protects the files on disk from being read or copied.
Experts noticed that if the root account is already enabled and has a password set, the trick does not work.
To set one, run the following command from the Terminal (it prompts twice for the new root password):
sudo passwd root
Apple promptly published a support guide on enabling the root account and setting a password for it. If remote desktop access is enabled (VNC, RDP, screen sharing or similar), the bug can be triggered through it to gain admin rights on the machine. Apple said it is working on a patch to address the issue.
In October, macOS users noticed that another easy-to-exploit bug in macOS High Sierra was disclosing the password for encrypted drives.
In September, the cyber security expert Patrick Wardle, director of research at Synack, revealed that unsigned applications can steal macOS Keychain passwords from the latest version of macOS High Sierra and previous versions of macOS.
(Security Affairs – macOS High Sierra, hacking)
The post A bug in macOS High Sierra allows Root access with no password appeared first on Security Affairs.
You are subscribed to email updates from Security Affairs.