
Alerts

Cisco Security Updates

Cisco has released security updates to address multiple vulnerabilities in its products. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review the Cisco Security Advisories and Alerts page and apply the necessary updates. For more information click the links below:

Linux Kernel Vulnerability

Advisory No: TZCERT/SA/2018/07/03

Date of First Release: 3rd July 2018.

Source: Linux Kernel Organization, Cisco, Bugzilla, etc.

Product Affected: Linux kernel prior to 4.16.6

Overview:

A vulnerability has been reported in the Linux kernel which could allow a local attacker to read kernel memory, leading to the disclosure of sensitive information.

Description:

This vulnerability exists in the cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c of the Linux kernel, due to an incorrect bounds check in the CDROM driver's handling of the CDROM_MEDIA_CHANGED ioctl. A local attacker could exploit this vulnerability by supplying crafted input to the target system.
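The following is an added illustration of the defect class named above, not code from the advisory or from the Linux cdrom driver. The advisory does not say which form the incorrect bounds check took; the example assumes the common form in which the check is applied to a value narrowed to 32 bits while the full-width user-supplied argument is used as the index, and places that pattern beside the corrected check. The slot table, its capacity of 4 and the sample indices are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration (not the Linux cdrom driver's code): a per-slot table
 * guarded by an index check, in the shape of a driver handling an ioctl
 * whose argument arrives as a wide unsigned integer from user space.
 */
#define CAPACITY 4

struct slot_table {
    uint32_t capacity;          /* number of valid slots */
    int changed[CAPACITY];      /* per-slot "media changed" flag */
};

/* Constructed sample table: 4 slots, flags 0,1,0,1. */
static const struct slot_table sample_table = { CAPACITY, { 0, 1, 0, 1 } };

/*
 * Bug pattern (assumed form of the defect): the bound is checked on the
 * argument narrowed to 32 bits, but the full-width argument would later be
 * used as the index. Returns 1 if the index is rejected, 0 if accepted.
 */
static int bounds_check_narrowed(uint64_t arg)
{
    if ((uint32_t)arg >= sample_table.capacity)
        return 1;
    return 0;   /* accepted, even though arg itself may be >= capacity */
}

/* Corrected pattern: compare the value that will actually index the table. */
static int bounds_check_full_width(uint64_t arg)
{
    if (arg >= sample_table.capacity)
        return 1;
    return 0;
}

/*
 * Lookup that only touches the table after the full-width check.
 * Returns the slot's flag, or -1 when the index is out of range.
 */
static int media_changed_checked(uint64_t arg)
{
    if (bounds_check_full_width(arg))
        return -1;
    return sample_table.changed[arg];
}

/*
 * Counts how many of a few constructed sample indices slip past the
 * narrowed check while the full-width check rejects them. Any value whose
 * low 32 bits are below capacity, but whose full value is not, escapes.
 */
static int count_escaping_indices(void)
{
    const uint64_t samples[] = {
        0, 3, 4, 0xFFFFFFFFULL,
        0x100000000ULL,        /* low 32 bits == 0 */
        0x100000002ULL,        /* low 32 bits == 2 */
        0xFFFFFFFF00000001ULL  /* low 32 bits == 1 */
    };
    int escaped = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (!bounds_check_narrowed(samples[i]) && bounds_check_full_width(samples[i]))
            escaped++;
    }
    return escaped;   /* 3 for the samples above */
}

int main(void)
{
    printf("indices escaping the narrowed check: %d\n", count_escaping_indices());
    printf("slot 1 changed flag: %d\n", media_changed_checked(1));
    printf("out-of-range lookup result: %d\n", media_changed_checked(0x100000002ULL));
    return 0;
}
```

The point for reviewers and patch triage is that a bounds check is only as good as the width of the value it inspects: when the kernel later indexes with the original argument, the comparison must be made on that same argument, and a lookup helper should refuse to touch the table until that check has passed.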

Impact:

Successful exploitation of this vulnerability could allow the attacker to read kernel memory, leading to the disclosure of sensitive information.

Solution:

Users and administrators are urged to apply the appropriate updates and patches as described in the following references: Kernel 4.16.6 or later, and the kernel commit "cdrom: information leak in cdrom_ioctl_media_changed()".

Furthermore, system administrators are recommended to monitor their critical systems running Linux operating systems (OS) and ensure that only trusted and privileged users have access to them.

References:

  1. https://tools.cisco.com/security/center/viewAlert.x?alertId=58170&vs_f=Alert%20RSS&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Linux%20Kernel%20cdrom_ioctl_media_changed%20Function%20Kernel%20Memory%20Read%20Vulnerability&vs_k=1
  2. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9de4ee40547fd315d4a0ed1dd15a2fa3559ad707
  3. https://bugzilla.redhat.com/show_bug.cgi?id=1577408

OpenPGP and S/MIME Mail Client Vulnerabilities

Advisory No: TZCERT/SA/2018/07/02

Date of First Release: 3rd July 2018.

Source: CERT Coordination Center (CERT/CC), Electronic Frontier Foundation.

Product Affected:

Mozilla Thunderbird, Microsoft, MailMate, KMail, GnuPG, Apple, Airmail, eM Client, Evolution, Google, IBM Corporation, 9Folders Inc, Flipdog Solutions, Postbox Inc, etc.

Overview:

Mail clients configured to use OpenPGP (Pretty Good Privacy) or S/MIME (Secure / Multipurpose Internet Mail Extensions) are vulnerable to the disclosure of encrypted message content.

Description:

Mail clients configured to use OpenPGP use the Cipher Feedback (CFB) mode of operation, and those configured to use S/MIME use the Cipher Block Chaining (CBC) mode of operation. These modes of operation are used by the protocols to secure the transmitted message. A vulnerability in these modes of operation provides an attacker with the capability to read the plaintext without the decryption key.

For an attack to happen, an attacker must have access to an encrypted mail, either by eavesdropping on network traffic or by compromising email accounts, email servers, backup systems or the client computer.

Impact:

Exploitation of these vulnerabilities may allow disclosure of information.

Solution:

Currently there is no confirmed practical solution to the vulnerabilities; however, there are some recommendations to reduce the risk of the vulnerabilities being exploited, as highlighted below:

  1. Remove your private key from the mail client, or decrypt your encrypted messages by pasting them into a separate tool that will decrypt the content for you;
  2. Disable HTML rendering, which closes the most common way of exploiting the vulnerabilities; and
  3. Check with your vendor for updates that fix the vulnerabilities.

References:

  1. https://www.kb.cert.org/vuls/id/122919
  2. https://efail.de/
  3. https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
  4. https://tools.ietf.org/pdf/rfc4880.pdf

VPNFilter Destructive Malware

Advisory No: TZCERT/SA/2018/07/01

Date of First Release: 3rd July 2018.

Source: Cisco Talos

Product Affected:

Linksys, MikroTik, NETGEAR, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, ZTE and TP-Link networking equipment, as well as QNAP network-attached storage (NAS) devices.

Overview:

VPNFilter is malware infecting routers produced by several vendors, as well as network-attached storage devices, worldwide.

Description:

VPNFilter is a multi-staged piece of malware targeting routers and network-attached storage (NAS) devices which use default credentials (passwords) and/or have publicly known exploits, particularly older versions. At least 500,000 devices are infected in at least 54 countries worldwide. The narration below describes its mode of propagation and how the attack happens:

i. Stage 1:

The malware is installed first and is used to maintain a persistent presence on the infected device; it will contact a command and control (C2) server to download further modules;

ii. Stage 2:

This stage contains the main payload and is capable of file collection, command execution, data exfiltration, and device management. It also has a destructive capability and can effectively "brick" the device if it receives a command from the attackers; and

iii. Stage 3:

This stage includes several modules which act as plugins for Stage 2. These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Other Stage 3 modules allow Stage 2 to communicate using Tor, and provide any Stage 2 module that lacks the kill command with the capability to disable the device.

Impact:

VPNFilter malware is capable of blocking web traffic, collecting information that passes through home and office routers, exploiting devices (including disabling them entirely), and delivering exploits to endpoints via a man-in-the-middle capability.

Solution:

It is recommended that:

  1. Users of Small Office or Home Office (SOHO) routers and/or NAS devices reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent Stage 2 and Stage 3 malware;
  2. Internet service providers that provide SOHO routers to their customers reboot the routers on their behalf and work aggressively with their customers to ensure that their devices are patched to the most recent firmware/software versions;
  3. If you have any of the devices known or suspected to be affected by this threat, you work with the manufacturer to ensure that your device is up to date with the latest patch versions; if it is not, you should apply the updated patches immediately; and
  4. Users and administrators consider disabling remote management settings on their devices and also secure them with strong passwords.

References:

  1. https://blogs.cisco.com/security/talos/vpnfilter
  2. https://blog.talosintelligence.com/2018/05/VPNFilter.html
  3. https://www.ic3.gov/media/2018/180525.aspx
  4. https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware
  5. https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected
  6. https://blog.talosintelligence.com/2018/06/vpnfilter-update.html


Thunderbird Security Updates

The Mozilla Foundation has released security updates to address multiple vulnerabilities in Thunderbird. Exploitation of these vulnerabilities may allow an attacker to take control of an affected system.

Users and administrators are encouraged to review the released Thunderbird Security Advisory and apply the necessary updates.