Saturday, June 30, 2018

[USN-3692-1] OpenSSL vulnerabilities

---------- Forwarded message ----------
From: Marc Deslauriers 
Date: 2018-06-26 20:32 GMT+08:00
...
Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
- openssl1.0: Secure Socket Layer (SSL) cryptographic library and tools

Details:

Keegan Ryan discovered that OpenSSL incorrectly handled ECDSA key
generation. An attacker could possibly use this issue to perform a
cache-timing attack and recover private ECDSA keys. (CVE-2018-0495)

Guido Vranken discovered that OpenSSL incorrectly handled very large prime
values during a key agreement. A remote attacker could possibly use this
issue to consume resources, leading to a denial of service. (CVE-2018-0732)

Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis
Manuel Alvarez Tapia discovered that OpenSSL incorrectly handled RSA key
generation. An attacker could possibly use this issue to perform a
cache-timing attack and recover private RSA keys. (CVE-2018-0737)
...
References:
  https://usn.ubuntu.com/usn/usn-3692-1
  CVE-2018-0495, CVE-2018-0732, CVE-2018-0737

Friday, June 29, 2018

TrendLabs: The New Face of Necurs: Noteworthy Changes to Necurs’ Behaviors

Figure 3. Example: the directory storing credentials with a string in email format as part of the filename
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors/

Thursday, June 28, 2018

European Union Public License v. 1.2 added to license list

...While the EUPL-1.2's copyleft by itself is incompatible with the GNU GPL, the license provides a few mechanisms for re-licensing which enable combination with GNU GPL-licensed works. We explain the situation more fully in the entry itself:
This is a free software license. By itself, it has a copyleft comparable
to the GPL's, and incompatible with it. However, it gives recipients
ways to relicense the work under the terms of other selected licenses,
and some of those—the Eclipse Public License in particular—only provide
a weaker copyleft. Thus, developers can't rely on this license to
provide a strong copyleft.

The EUPL allows relicensing to GPLv2 only and GPLv3 only, because those
licenses are listed as two of the alternative licenses that users may
convert to. It also, indirectly, allows relicensing to GPL version 3 or
any later version, because there is a way to relicense to the CeCILL v2,
and the CeCILL v2 gives a way to relicense to any version of the GNU GPL.

To do this two-step relicensing, you need to first write a piece of code
which you can license under the CeCILL v2, or find a suitable module
already available that way, and add it to the program. Adding that code
to the EUPL-covered program provides grounds to relicense it to the
CeCILL v2. Then you need to write a piece of code which you can license
under the GPLv3+, or find a suitable module already available that way,
and add it to the program. Adding that code to the CeCILL-covered
program provides grounds to relicense it to GPLv3+.

These comments are very similar to the ones we made for the EUPL-1.1, as the EUPL-1.2 is an update that is very much in line with its predecessor. The biggest change was adding the GNU GPLv3 only as an alternative license, simplifying the process of incorporating EUPL-1.2 code into a GNU GPLv3 only project. Note, however, that the two-step re-licensing process previously described is still needed in order to incorporate EUPL-1.2 code into a GNU GPLv3+ project....
REF: https://www.fsf.org/blogs/licensing/european-union-public-license-v-1-2-added-to-license-list

Wednesday, June 27, 2018

TrendLabs: Cryptocurrency-Mining Bot Targets Devices With Running SSH Service via Potential Scam Site

Figure 6. Malicious script employs a persistence mechanism
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-mining-bot-targets-devices-with-running-ssh-service-via-potential-scam-site/

Tuesday, June 26, 2018

NDI® Version 3.5 SDK Update

Highlights include:
  • Vast improvements in NDI® Studio Monitor, now controllable by mobile devices, with support for video overlays and much more.
  • NDI® Scan Converter handles full frame-rate screen capture with webcam and external mic support.
  • Significantly improved Mac® support, including full registration of HX cameras on Mac Video Monitor, Full Access Manager, and more.
  • Greatly improved SDK including full support with automatically configured UDP and forward error correction, multicast support, multiple NIC bandwidth sharing, better discovery, new color formats, SDK simplification, and much more.
REF: http://pages.newtek.com/NDI-Developers-SDK-Download-Link.html

TrendLabs: June Patch Tuesday: Microsoft Addresses DNS-related Vulnerability, Adobe Patches Critical Flash Player Flaw

... In addition to CVE-2018-8267, the following vulnerabilities were also disclosed via ZDI:
  • CVE-2018-8207 – Windows Kernel Information Disclosure Vulnerability
  • CVE-2018-8236 – Microsoft Edge Memory Corruption Vulnerability
  • CVE-2018-8239 – Windows GDI Information Disclosure Vulnerability
  • CVE-2018-8251 – Media Foundation Memory Corruption Vulnerability
In line with Microsoft’s release, Adobe also published their set of updates for vulnerabilities affecting Adobe Flash Player 29.0.0.171 and earlier versions in the APSB18-19 Security Bulletin. The most critical Flash Player vulnerability addressed is CVE-2018-5002, a stack-based buffer overflow that could result in remote code execution performed by an attacker. This vulnerability is reportedly being actively used in targeted attacks.
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/june-patch-tuesday-microsoft-addresses-dns-related-vulnerability-adobe-patches-critical-flash-player-flaw/

Plex: See more of your channel lineup

Plex Live TV and DVR in our web app now displays your programming in a familiar, grid-style view, making it easier than ever to see what’s on now and upcoming. Plex Pass subscribers are now able to navigate quickly to the program they want to watch live or record their favorite shows with one click.
REF: https://www.plex.tv/blog/grid-who/

TrendLabs: Necurs Poses a New Challenge Using Internet Query File

Figure 1. Sample email that has IQY attachment
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-poses-a-new-challenge-using-internet-query-file/

New Check_MK stable release 1.4.0p34

---------- Forwarded message ---------
From: Check_mk Announcements
Date: Wed, Jun 13, 2018 at 10:02 PM
...
Changes in all Check_MK Editions:

WATO:
* 6155 FIX: Service discovery page: Active checks were not correctly shown in specific cases
* 6184 FIX: LDAP: LDAP connection was not correctly using the sites trusted CAs

HW/SW inventory:
* 6110 FIX: inv_if: Don't return Unknown if no data for OID 1.3.6.1.2.1.2.1.0 is present

Core & setup:
* 6174 FIX: Fixed discovery for host with management board without IP addresses configured

Checks & agents:
* 6083 FIX: websphere_mq_instance: Fixed crash if no standby status is reported
* 6088 FIX: steelhead_connections: Skip values of connection types which are not reported
* 6149 FIX: ps: The linux ps check CPU utilization calculation changed since 1.4.0p27
* 6086 FIX: oracle_processes: Handle Oracle specific error
* 6133 FIX: mssql_counters.locks: Fixed confusion of warn and crit check state
* 5522 FIX: mkbackup: Fix crash in case of multiple backup jobs
* 5813 FIX: mk_oracle.ps1: temporary files are no longer written to c:\windows\system32
* 6129 FIX: megaraid_ldisks: Fixed crash if item not found
* 6130 FIX: ipmi: Fixed unknown device status handling
* 6085 FIX: innovaphone_licenses: Do not discover if no data is sent by special agent
* 6109 FIX: etherbox.temp: fix unicode error
* 6221 FIX: emc_datadomain_disks: Fix crash caused by missing busy data
* 6087 FIX: cups_queues: Fixed missing parameters if old format is used
* 6131 FIX: brocade_fcport: Fixed wrong look up of indices which might lead to stale services
* 6084 FIX: apc_rackpdu_power: Do not discover services if device information is missing
* 6082 FIX: aix_hacmp_services: Fixed parsing data; If a subsystem is in 'inoperative' status no PID is reported
* 6190 FIX: Win-agent: prevent unsigned integer overflow in process uptime
...
You can download Check_MK from our download page:
 * http://mathias-kettner.de/check_mk_download.html

TrendLabs: Drupal Vulnerability (CVE-2018-7602) Exploited to Deliver Monero-Mining Malware

Figure 1: Code snippet showing how CVE-2018-7602 is exploited
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/drupal-vulnerability-cve-2018-7602-exploited-to-deliver-monero-mining-malware/

Use Any Joystick with NewTek NDI PTZ Camera

REF: http://newtek.com

TrendLabs: FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users

Figure 1: Sample SMSs containing links to the malware
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/

Open source intelligence tools for pen testing

Typical Hacker Lifecycle
In 2011, researchers from Lockheed Martin created their version of the hacker lifecycle called the Cyber Kill Chain.
...
REF: http://www.admin-magazine.com/Archive/2018/45/Open-source-intelligence-tools-for-pen-testing

TrendLabs: North American Malware Trends: Taking a Proactive Approach to Modern Threats

Total malware detections in North America in Q1 2018
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/north-american-malware-trends-taking-proactive-approach-modern-threats/

[Check_mk Announce] New Check_MK beta release 1.5.0b7

---------- Forwarded message ---------
From: Check_mk Announcements
Date: Sat, Jun 16, 2018 at 2:47 AM
...
This release will be in active maintenance until 2018-07-15.
The passive maintenance will be until 2018-08-14. For details take
a look at the Check_MK versions chapter of the Check_MK handbook.
...
Changes in all Check_MK Editions:

WATO:
* 5822 FIX: WATO Web-API set_ruleset: Now able to delete complete rulesets from folders
* 5819 FIX: Host DNS names may include underscores again
* 5821 FIX: Fixed exception during configuration changes
* 5815 FIX: Background Job/User synchronization: Fixed text encoding bug / Fixed incorrect exception message

User interface:
* 6114 Add a analyze configuration rule for ESX

HW/SW inventory:
* 5995 FIX: Status data inventory: Fixed fetching client data once more

Core & setup:
* 6186 FIX: Fixed crash of Check_MK service on counter wraps in parse functions (e.g. MKCounterWrapped: WMI query timed out)

Checks & agents:
* 6113 FIX: winperf_processor, esx_vsphere_hostsystem.cpu_usage: shift duplicate service detection from the special agent to the check
* 6134 FIX: sap_hana_full_backup: Fixed crash if backup is running
* 5813 FIX: mk_oracle.ps1: temporary files are no longer written to c:\windows\system32
* 6132 FIX: ipmi_sensors.include: Treat states 'S0G0' (System full operational, working) and 'System Restart' as 'OK'
* 6221 FIX: emc_datadomain_disks: Fix crash caused by missing busy data
* 6220 FIX: df: Fix crashing check for vanished filesystems
* 6131 FIX: brocade_fcport: Fixed wrong look up of indices which might lead to stale services
* 6190 FIX: Win-agent: prevent unsigned integer overflow in process uptime
* 5817 FIX: The "Check for correct version of Check_MK agent" rule no longer applies to datasource programs
* 5806 FIX: Periodic service discovery: Fixed scenario where process could get stuck
* 5814 FIX: Fixed missing clustered snmp services on cluster hosts
* 5818 FIX: Fixed "unknown agent version" message in Check_MK check, shown by cluster hosts
* 5816 FIX: Check parse_function is no longer called multiple times if there are several subchecks for the same section
...
You can download Check_MK from our download page:
 * http://mathias-kettner.de/check_mk_download.html

TrendLabs: Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor

Figure 1. Comparison of the infection chains used in the previous and current campaigns
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/

Thursday, June 14, 2018

[USN-3674-1] Linux kernel vulnerabilities

---------- Forwarded message ----------
From: Steve Beattie 
Date: 2018-06-12 10:18 GMT+08:00
==========================================================================
Ubuntu Security Notice USN-3677-1
June 11, 2018

linux, linux-raspi2 vulnerabilities
==========================================================================

Details:

It was discovered that the netfilter subsystem of the Linux kernel did not
properly validate ebtables offsets. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2018-1068)

Wen Xu discovered that the ext4 filesystem implementation in the Linux
kernel did not properly handle corrupted meta data in some situations. An
attacker could use this to specially craft an ext4 file system that caused
a denial of service (system crash) when mounted. (CVE-2018-1092)

It was discovered that a NULL pointer dereference existed in the RDS
(Reliable Datagram Sockets) protocol implementation in the Linux kernel. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2018-7492)

It was discovered that the 802.11 software simulator implementation in the
Linux kernel contained a memory leak when handling certain error
conditions. A local attacker could possibly use this to cause a denial of
service (memory exhaustion). (CVE-2018-8087)

Eyal Itkin discovered that the USB displaylink video adapter driver in the
Linux kernel did not properly validate mmap offsets sent from userspace. A
local attacker could use this to expose sensitive information (kernel
memory) or possibly execute arbitrary code. (CVE-2018-8781)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
  linux-image-4.13.0-1022-raspi2  4.13.0-1022.23
  linux-image-4.13.0-45-generic   4.13.0-45.50
  linux-image-4.13.0-45-generic-lpae  4.13.0-45.50
  linux-image-4.13.0-45-lowlatency  4.13.0-45.50
  linux-image-generic             4.13.0.45.48
  linux-image-generic-lpae        4.13.0.45.48
  linux-image-lowlatency          4.13.0.45.48
  linux-image-raspi2              4.13.0.1022.20

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://usn.ubuntu.com/usn/usn-3677-1
  CVE-2018-1068, CVE-2018-1092, CVE-2018-7492, CVE-2018-8087,
  CVE-2018-8781

Package Information:
  https://launchpad.net/ubuntu/+source/linux/4.13.0-45.50
  https://launchpad.net/ubuntu/+source/linux-raspi2/4.13.0-1022.23

Wednesday, June 13, 2018

TrendLabs: Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner

Figure 1: The campaign’s infection chain
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/rig-exploit-kit-now-using-cve-2018-8174-to-deliver-monero-miner/

Tuesday, June 12, 2018

The new Blackmagic Mini Converter UpDownCross HD

The new Blackmagic Mini Converter UpDownCross HD and the new Blackmagic Micro Converter BiDirectional SDI/HDMI: https://www.blackmagicdesign.com/products/miniconverters
SDI Jitter: SDI signals with jitter degradation
SDI Clean: clean, reclocked SDI signals

TrendLabs: How Machine Learning Techniques Helped Us Find Massive Certificate Abuse by BrowseFox

Figure 1. A screen capture of the signature information of a BrowseFox file as seen on VirusTotal
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/how-machine-learning-techniques-helped-us-find-massive-certificate-abuse-by-browsefox/

Sunday, June 10, 2018

A New CentOS

Users are urged to upgrade to the latest version of CentOS. “This release supersedes all previously released content for CentOS Linux 7, and therefore we highly encourage all users to upgrade their machines. Information on different upgrade strategies and how to handle stale content is included in the Release Notes,” said Singh.
The system upgrade can be performed with these commands:
$ sudo yum clean all
$ sudo yum upgrade
$ sudo systemctl reboot
Download CentOS at the official download page.
REF: http://www.linux-magazine.com/Online/News/A-New-CentOS

Saturday, June 9, 2018

TrendLabs: New KillDisk Variant Hits Latin American Financial Organizations Again

Figure 3. How the malware carries out its MBR-wiping routine
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/

Friday, June 8, 2018

Scale-Out File Server Improvements in Windows Server 2019

REF: https://blogs.msdn.microsoft.com/clustering/2018/05/31/scale-out-file-server-improvements-in-windows-server-2019/

Thursday, June 7, 2018

TrendLabs: Post-Tax Season Spam Campaign Delivers URSNIF to North American Taxpayers

Figure 1: Location of the IP addresses targeted in the campaign. Most of the targets are users located in Canada. However, around half are US IPs because US providers hosted them
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/post-tax-season-spam-campaign-delivers-ursnif-to-north-american-taxpayers/

Wednesday, June 6, 2018

New BSD Issue is Out! LLVM and Sanitizers in BSD!

Table of Contents
In Brief
Ewa & The BSD Team
This column presents the latest coverage of breaking news, events, product releases, and trending topics from the BSD sector.
Practical ZFS On FreeBSD
Abdorrahman Homaei
ZFS is an advanced file system that was originally developed by Sun. It combines the roles of volume manager and file system to realize unique advantages. ZFS is aware of the underlying structure of the disks. It can detect low-level interrupt and provide RAID mechanism. ZFS is also capable of sharing its volume separately. ZFS’s awareness of the physical layout of the disks lets you grow your storage without any hassle. Additionally, it has different properties that can be applied to each file system, giving many advantages of creating a number of different file systems and datasets rather than a single monolithic file system.
LLVM and Sanitizers in BSD
David Carlier
LLVM and clang frontend is available on various BSD as the main compiler for FreeBSD x86, ppc, and arm since the 10.x ( was fully optional in the previous 9.x branch), OpenBSD x86 and arm since 6.2, NetBSD x86, arm, ppc, and sparc64. LLVM provides the frontends and various tools, and there are different types of sanitizers to help with debugging applications.
C Programming, UNIX and Main Data Structures
Rafael Santiago de Souza Netto
Nowadays, UNIX stands more as a model for an operating system to follow than as an operating system implementation. In the beginning, UNIX as a software was originally written at Bell Labs by two famous developers, Kenneth Thompson and Dennis Ritchie.
Monitoring OpenBSD using CollectD, InfluxDB, and Grafana
Joel Carnat
www.tumfatig.net
In a “get pretty graphs” mood, I’m looking at what can be done regarding OpenBSD monitoring using the CollectD collector and Grafana dashboard renderer. OpenBSD 6.2-current provides InfluxDB and Grafana packages, a great stack for pretty reportings.
Expert Speak by E.G. Nadhan
From Unconscious Bias to Unbiased Consciousness
E.G. Nadhan
A member of the audience attending a panel session on Unconscious Bias accidentally referred to the topic as Unbiased Consciousness. Perhaps, it was no accident and was a sublime message instead about the world to come – a world where we are consciously unbiased rather than being unconsciously biased. However, this utopian world can become real only if proactive actions are taken to combat such mindsets that may not be in our control.
With Facebook attempting to slam the privacy stable door well after the horse has bolted, the corporate giant has suspended over 200 applications which snarfed large amounts of profile data. What does the future hold for this global platform?
Rob Somerville
I have a certain degree of sympathy for Mark Zuckerberg after being hauled before Congress in light of the Cambridge Analytica fiasco. Inevitably, any cutting-edge technology will eventually feel the hot breath of the establishment breathing down on it, be it via indirect legislation or as in the case of Mark Zuckerberg, in a personal appearance before “the powers that be” to give account.
REF: https://bsdmag.org/download/debugging-applications/

Tuesday, June 5, 2018

TrendLabs: Identifying Top Vulnerabilities in Networks: Old Vulnerabilities, IoT Botnets, Wireless Connection Exploits

Figure 1. Top 10 vulnerabilities in connected devices
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/identifying-top-vulnerabilities-in-networks-old-vulnerabilities-iot-botnets-wireless-connection-exploits/

Monday, June 4, 2018

Linux Magazine Tutorials – Minetest

Figure 1: You can model the worlds of Minetest in more ways than one.
REF: http://www.linux-magazine.com/Issues/2018/212/Tutorials-Minetest

Sunday, June 3, 2018

TrendLabs: Emerging 5G Technology Could Compromise SIM Card-Dependent IoT Devices on Massive Scale

Figure 1. SIM-OTA SMS communication (adapted from “Smart Card Handbook” by Wolfgang Rankl and Wolfgang Effing)
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/emerging-5g-technology-could-compromise-sim-card-dependent-iot-devices/

Saturday, June 2, 2018

FSF: Zerocat Chipflasher "board-edition-1" now FSF-certified to Respect Your Freedom

From May 14
The FSF has awarded Respects Your Freedom (RYF) certification to the Zerocat Chipflasher board-edition-1. The RYF certification mark means that the product meets the FSF's standards in regard to users' freedom, control over the product, and privacy. The Chipflasher enables users to flash devices such as laptops, allowing them to replace proprietary software with free software like Libreboot. While users are able to purchase RYF-certified laptops that already come with Libreboot pre-loaded, for the first time ever they are capable of freeing their own laptops using an RYF-certified device.
These first ten limited edition boards are signed by Kai Mertens, chief developer of The Zerocat Label, and will help to fund additional production and future development of RYF-certified devices.
REF: https://www.fsf.org/free-software-supporter/2018/june

Friday, June 1, 2018

Introducing Asylo: an open-source framework for confidential computing

Asylo is an open source framework for confidential computing
REF: https://cloudplatform.googleblog.com/2018/05/Introducing-Asylo-an-open-source-framework-for-confidential-computing.html