Security Alerts

AA19-168A: Microsoft Operating Systems BlueKeep Vulnerability

US-CERT - Mon, 2019-06-17 06:37
Original release date: June 17, 2019
Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this Activity Alert to provide information on a vulnerability, known as “BlueKeep,” that exists in the following Microsoft Windows Operating Systems (OSs), including both 32- and 64-bit versions, as well as all Service Pack versions:

  • Windows 2000
  • Windows Vista
  • Windows XP
  • Windows 7
  • Windows Server 2003
  • Windows Server 2003 R2
  • Windows Server 2008
  • Windows Server 2008 R2

An attacker can exploit this vulnerability to take control of an affected system.     

Technical Details

BlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows OSs listed above. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system. 

According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP enabled.[1] After successfully sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs. This exploit, which requires no user interaction, must occur before authentication to be successful.

BlueKeep is considered “wormable” because malware exploiting this vulnerability on a system could propagate to other vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017.[2]

CISA tested BlueKeep against a Windows 2000 machine and achieved remote code execution. Windows OS versions prior to Windows 8 that are not mentioned in this Activity Alert may also be affected; however, CISA has not tested these systems.  

Mitigations

CISA encourages users and administrators review the Microsoft Security Advisory [3] and the Microsoft Customer Guidance for CVE-2019-0708 [4] and apply the appropriate mitigation measures as soon as possible:

  • Install available patches. Microsoft has released security updates to patch this vulnerability. Microsoft has also released patches for a number of OSs that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003. As always, CISA encourages users and administrators to test patches before installation.
  • Upgrade end-of-life (EOL) OSs. Consider upgrading any EOL OSs no longer supported by Microsoft to a newer, supported OS, such as Windows 10.
  • Disable unnecessary services. Disable services not being used by the OS. This best practice limits exposure to vulnerabilities.  
  • Enable Network Level Authentication. Enable Network Level Authentication in Windows 7, Windows Server 2008, and Windows Server 2008 R2. Doing so forces a session request to be authenticated and effectively mitigates against BlueKeep, as exploit of the vulnerability requires an unauthenticated session.
  • Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall. Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user’s network. However, this will block legitimate RDP sessions and may not prevent unauthenticated sessions from being initiated inside a network.
References Revisions
  • June 17, 2019: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: Security Alerts

Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability

Cisco Security Advisories - Wed, 2019-06-12 16:00

A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.

The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190612-iosxe-csrf


Security Impact Rating: High
CVE: CVE-2019-1904
Categories: Security Alerts

Cisco Identity Services Engine Privileged Account Sensitive Information Disclosure Vulnerability

Cisco Security Advisories - Thu, 2019-06-06 20:32

A vulnerability in the Admin portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain confidential information for privileged accounts.

The vulnerability is due to the improper handling of confidential information. An attacker could exploit this vulnerability by logging into the web interface on a vulnerable system. An exploit could allow an attacker to obtain confidential information for privileged accounts. This information could then be used to impersonate or negatively impact the privileged account on the affected system.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-ise-info-disclosure


Security Impact Rating: Medium
CVE: CVE-2018-0187
Categories: Security Alerts

Offline Cryptographic Attacks Targeting the Wi-Fi Protected Access 2 Protocol

Cisco Security Advisories - Thu, 2019-06-06 19:45

On August 4, 2018, Jens Steube from the Hashcat project published an article introducing a new method to obtain cryptographic information from wireless traffic that can then be used by an attacker to attempt the offline recovery of the preshared key (PSK) used to secure a Wi-Fi network.

Both the Wi-Fi Protected Access (WPA) and the Wi-Fi Protected Access 2 (WPA2) protocols are known to be susceptible to offline cryptographic attacks when a PSK is used as an authentication mechanism. This is not a new vulnerability or a new attack against these protocols. This is a new vector that allows an attacker to obtain the information required to attempt an offline attack against the PSK.

This new method is different from the existing attacks against the PSK because it does not require an attacker to wait for an Extensible Authentication Protocol over LAN (EAPOL) authentication exchange, capture it, and proceed to attempt an offline PSK recovery. This new vector allows an attacker to extract the required information from a single wireless frame transmitted during a roaming event. The following conditions for this capture apply:

  • The frame contains a Robust Security Network-Pairwise Master Key Identification (RSN-PMKID) option
  • The wireless infrastructure is configured to use WPA2 with a PSK mode of authentication
  • The wireless infrastructure supports the Proactive Key Caching (PKC) fast roaming option (PMKID roaming)
The wireless frame can be acquired by passively listening to traffic from the wireless network during the roaming.

It is important to note that this method does not make it easier or faster to recover the PSK for a Wi-Fi network. Instead, it is easier for an attacker to collect the information required to conduct a subsequent offline cryptographic attack. The likelihood of a successful recovery of the PSK is highly dependent on the complexity of the PSK in use.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180809-wpa2


Security Impact Rating: Informational
Categories: Security Alerts

Cisco Unified Communications Manager IM&P Service, Cisco TelePresence VCS, and Cisco Expressway Series Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2019-06-05 16:00

A vulnerability in the authentication service of the Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, Cisco TelePresence Video Communication Server (VCS), and Cisco Expressway Series could allow an unauthenticated, remote attacker to cause a service outage for users attempting to authenticate, resulting in a denial of service (DoS) condition.

The vulnerability is due to insufficient controls for specific memory operations. An attacker could exploit this vulnerability by sending a malformed Extensible Messaging and Presence Protocol (XMPP) authentication request to an affected system. A successful exploit could allow the attacker to cause an unexpected restart of the authentication service, preventing users from successfully authenticating. Exploitation of this vulnerability does not impact users who were authenticated prior to an attack.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-cucm-imp-dos


Security Impact Rating: High
CVE: CVE-2019-1845
Categories: Security Alerts

Cisco Webex Meetings Server Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2019-06-05 16:00

A vulnerability in the web-based management interface of Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to access sensitive system information.

The vulnerability is due to improper access control to files within the web-based management interface. An attacker could exploit this vulnerability by sending a malicious request to an affected device. A successful exploit could allow the attacker to access sensitive system information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-webexmeetings-id


Security Impact Rating: Medium
CVE: CVE-2019-1868
Categories: Security Alerts

Cisco TelePresence Video Communication Server and Cisco Expressway Series Server-Side Request Forgery Vulnerability

Cisco Security Advisories - Wed, 2019-06-05 16:00

A vulnerability in Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Series software could allow an unauthenticated, remote attacker to cause an affected system to send arbitrary network requests.

The vulnerability is due to improper restrictions on network services in the affected software. An attacker could exploit this vulnerability by sending malicious requests to the affected system. A successful exploit could allow the attacker to send arbitrary network requests sourced from the affected system.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-vcs


Security Impact Rating: Medium
CVE: CVE-2019-1872
Categories: Security Alerts

Cisco Unified Computing System BIOS Signature Bypass Vulnerability

Cisco Security Advisories - Wed, 2019-06-05 16:00

A vulnerability in the BIOS upgrade utility of Cisco Unified Computing System (UCS) C-Series Rack Servers could allow an authenticated, local attacker to install compromised BIOS firmware on an affected device.

The vulnerability is due to insufficient validation of the firmware image file. An attacker could exploit this vulnerability by executing the BIOS upgrade utility with a specific set of options. A successful exploit could allow the attacker to bypass the firmware signature-verification process and install compromised BIOS firmware on an affected device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ucs-biossig-bypass


Security Impact Rating: Medium
CVE: CVE-2019-1880
Categories: Security Alerts

Cisco IOS XR Software Secure Shell Authentication Vulnerability

Cisco Security Advisories - Wed, 2019-06-05 16:00

A vulnerability in the Secure Shell (SSH) authentication function of Cisco IOS XR Software could allow an authenticated, remote attacker to successfully log in to an affected device using two distinct usernames.

The vulnerability is due to a logic error that may occur when certain sequences of actions are processed during an SSH login event on the affected device. An attacker could exploit this vulnerability by initiating an SSH session to the device with a specific sequence that presents the two usernames. A successful exploit could result in logging data misrepresentation, user enumeration, or, in certain circumstances, a command authorization bypass.

See the Details section for more information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-iosxr-ssh


Security Impact Rating: Medium
CVE: CVE-2019-1842
Categories: Security Alerts

Cisco Industrial Network Director Stored Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2019-06-05 16:00

A vulnerability in Cisco Industrial Network Director could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks.

The vulnerability is due to improper validation of content submitted to the affected application. An attacker could exploit this vulnerability by sending requests containing malicious values to the affected system. A successful exploit could allow the attacker to conduct XSS attacks.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ind-xss


Security Impact Rating: Medium
CVE: CVE-2019-1882
Categories: Security Alerts

Cisco Industrial Network Director Remote Code Execution Vulnerability

Cisco Security Advisories - Wed, 2019-06-05 16:00

A vulnerability in the software update feature of Cisco Industrial Network Director could allow an authenticated, remote attacker to execute arbitrary code.

The vulnerability is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system using administrator privileges and uploading an arbitrary file. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ind-rce


Security Impact Rating: High
CVE: CVE-2019-1861
Categories: Security Alerts

Cisco Industrial Network Director Cross-Site Request Forgery Vulnerability

Cisco Security Advisories - Wed, 2019-06-05 16:00

A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.

The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to use a web browser and the privileges of the user to perform arbitrary actions on an affected device.

For more information about CSRF attacks and potential mitigations, see Understanding Cross-Site Request Forgery Threat Vectors.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ind-csrf


Security Impact Rating: Medium
CVE: CVE-2019-1881
Categories: Security Alerts

Cisco Enterprise Chat and Email Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2019-06-05 16:00

A vulnerability in the web-based management interface of Cisco Enterprise Chat and Email (ECE) Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the web interface or allow the attacker to access sensitive browser-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ece-xss


Security Impact Rating: Medium
CVE: CVE-2019-1870
Categories: Security Alerts

Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers MPLS OAM Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2019-05-15 16:00

A vulnerability in the Multiprotocol Label Switching (MPLS) Operations, Administration, and Maintenance (OAM) implementation of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition on an affected device.

The vulnerability is due to the incorrect handling of certain MPLS OAM packets. An attacker could exploit this vulnerability by sending malicious MPLS OAM packets to an affected device. A successful exploit could allow the attacker to cause the lspv_server process to crash. The crash could lead to system instability and the inability to process or forward traffic though the device, resulting in a DoS condition that require manual intervention to restore normal operating conditions.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-iosxr-mpls-dos


Security Impact Rating: High
CVE: CVE-2019-1846
Categories: Security Alerts

Cisco AnyConnect Secure Mobility Client for Linux Out-of-Bounds Memory Read Vulnerability

Cisco Security Advisories - Wed, 2019-05-15 16:00

A vulnerability in the HostScan component of Cisco AnyConnect Secure Mobility Client for Linux could allow an unauthenticated, remote attacker to read sensitive information on an affected system.

The vulnerability exists because the affected software performs improper bounds checks. An attacker could exploit this vulnerability by crafting HTTP traffic for the affected component to download and process. A successful exploit could allow the attacker to read sensitive information on the affected system.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-anyconnectclient-oob-read


Security Impact Rating: Medium
CVE: CVE-2019-1853
Categories: Security Alerts

Cisco Webex Network Recording Player Arbitrary Code Execution Vulnerabilities

Cisco Security Advisories - Wed, 2019-05-15 16:00

Multiple vulnerabilities in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

The vulnerabilities exist because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit these vulnerabilities by sending a user a malicious ARF or WRF file via a link or email attachment and persuading the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to execute arbitrary code on the affected system. 

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. No exploit code proving exploitability of the vulnerabilities is publicly available.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-webex-player


Security Impact Rating: High
CVE: CVE-2019-1771,CVE-2019-1772,CVE-2019-1773
Categories: Security Alerts

Cisco Small Business 300 Series Managed Switches DHCP Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2019-05-15 16:00

A vulnerability in the interactions between the DHCP and TFTP features for Cisco Small Business 300 Series (Sx300) Managed Switches could allow an unauthenticated, remote attacker to cause the device to become low on system memory, which in turn could lead to an unexpected reload of the device and result in a denial of service (DoS) condition on an affected device.

The vulnerability is due to a failure to free system memory when an unexpected DHCP request is received. An attacker could exploit this vulnerability by sending a crafted DHCP packet to the targeted device. A successful exploit could allow the attacker to cause an unexpected reload of the device.

There are no workarounds that address this vulnerability. 

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-sb300sms-dhcp


Security Impact Rating: Medium
CVE: CVE-2019-1814
Categories: Security Alerts

Cisco Small Business Series Switches Simple Network Management Protocol Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2019-05-15 16:00

A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco Small Business Sx200, Sx300, Sx500, ESW2 Series Managed Switches and Small Business Sx250, Sx350, Sx550 Series Switches could allow an authenticated, remote attacker to cause the SNMP application of an affected device to cease processing traffic, resulting in the CPU utilization reaching one hundred percent. Manual intervention may be required before a device resumes normal operations.

The vulnerability is due to improper validation of SNMP protocol data units (PDUs) in SNMP packets. An attacker could exploit this vulnerability by sending a malicious SNMP packet to an affected device. A successful exploit could allow the attacker to cause the device to cease forwarding traffic, which could result in a denial of service (DoS) condition.

Cisco has released firmware updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-sb-snmpdos


Security Impact Rating: High
CVE: CVE-2019-1806
Categories: Security Alerts

Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL Injection Vulnerabilities

Cisco Security Advisories - Wed, 2019-05-15 16:00

Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary SQL queries.

These vulnerabilities exist because the software improperly validates user-supplied input in SQL queries. An attacker could exploit these vulnerabilities by sending a crafted HTTP request that contains malicious SQL statements to the affected application. A successful exploit could allow the attacker to view or modify entries in some database tables, affecting the integrity of the data.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-sqlinject


Security Impact Rating: High
CVE: CVE-2019-1824,CVE-2019-1825
Categories: Security Alerts

Cisco Prime Infrastructure and Evolved Programmable Network Manager Remote Code Execution Vulnerabilities

Cisco Security Advisories - Wed, 2019-05-15 16:00

Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute code with root-level privileges on the underlying operating system.

These vulnerabilities exist because the software improperly validates user-supplied input. An attacker could exploit these vulnerabilities by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce


Security Impact Rating: High
CVE: CVE-2019-1821,CVE-2019-1822,CVE-2019-1823
Categories: Security Alerts

Pages

Subscribe to Willing Minds aggregator - Security Alerts