Each month, Nebula Consulting posts vulnerability notes from CERT's vulnerability database. Check back often for updates!
07 Jun 2017 - VU#489392 - Various WiMAX routers contain an authentication bypass vulnerability in custom libmtk httpd plugin
Several WiMAX routers making use of a custom httpd plugin for libmtk (the MediaTek SDK library) are vulnerable to an authentication bypass that allows a remote, unauthenticated attacker to change the administrator password on the device.
An unauthenticated, remote attacker may reset the administrator password by sending a crafted POST request to commit2.cgi that supplies a new password in the POST ADMIN_PASSWD variable.
A remote, unauthenticated attacker may gain administrator access to the device after changing the administrator password on the device with a crafted POST request.
The reporter has identified the following model routers as being impacted; other models and firmware versions may also be impacted. The reporter notes that some devices have remote administration enabled by default, allowing an internet-based attacker to attempt this exploit.
GreenPacket OX350 (Version: ?)
GreenPacket OX-350 (Version: ?)
Huawei BM2022 (Version: v2.10.14)
Huawei HES-309M (Version: ?)
Huawei HES-319M (Version: ?)
Huawei HES-319M2W (Version: ?)
Huawei HES-339M (Version: ?)
MADA Soho Wireless Router (Version: v2.10.13)
ZTE OX-330P (Version: ?)
ZyXEL MAX218M (Version: 2.00(UXG.0)D0)
ZyXEL MAX218M1W (Version: 2.00(UXE.3)D0)
ZyXEL MAX218MW (Version: 2.00(UXD.2)D0)
ZyXEL MAX308M (Version: 2.00(UUA.3)D0)
ZyXEL MAX318M (Version: ?)
ZyXEL MAX338M (Version: ?)
Solution: The CERT/CC is currently unaware of a practical solution to this problem. Check often with the vendor for a possible solution.
08 Jun 2017 - VU#251927 - CalAmp LMU-3030 devices may not authenticate SMS interface
OBD-II devices are used to provide telematics information for managers of fleets of vehicles. One type of device, manufactured by CalAmp, has an SMS (text message) interface. We have found multiple deployments where no password was configured for this interface by the integrator / reseller. Companies using the CalAmp hardware should be aware that they need to set a password or disable SMS. Vendors were notified and the SMS interface was disabled or password-protected by all vendors known to be affected.
The CalAmp LMU 3030 series of devices includes an SMS interface on both CDMA and GSM versions of the device. This interface must be password-protected; otherwise, an attacker only needs to know the phone number of the device (obtained via an IMSI catcher, for example) to send administrative commands to it. These commands can be used to provide ongoing, real-time access to the device and can configure parameters such as IP addresses, firewall rules, and passwords.
The devices provide vehicle tracking via GPS coordinates, heading, and speed, as well as maintenance information. Older versions of the firmware could be remotely updated with malicious code that could affect the CAN bus of the vehicle.
Solution: Configure an SMS password. Vendors that were known to be affected have been contacted and have password-protected or disabled the SMS interface. Other vendors that use the CalAmp LMU-3030 in their system should do the same.
13 Jun 2017 - VU#768399 - HPE SiteScope contains multiple vulnerabilities
HPE's SiteScope contains several vulnerabilities. The researcher reports that version 11.31.461 is affected; other versions may also be impacted. CERT/CC has not received further information on affected versions from HPE.
Previously reported as ZDI-12-176 in 2012, SiteScope version 11.31.461 and possibly other versions do not properly authenticate users before allowing file access. Successful exploitation allows attackers to bypass security restrictions and perform unauthorized actions such as downloading arbitrary files from the system. A Metasploit module, hp_sitescope_getfileinternal_access, released in 2012 is confirmed by the reporter to still work against version 11.31.461.
An unauthenticated, remote attacker may be able to access arbitrary files from the system running SiteScope, or obtain credentials to SiteScope.
Solution: Apply an update. HPE has released updates and mitigation advice in a security advisory dated 2017 June 27. Affected users are encouraged to apply all available updates and follow HPE's recommended mitigations.
15 Jun 2017 - VU#846320 - Samsung Magician fails to update itself securely
Samsung Magician fails to securely check for and retrieve updates, which can allow an authenticated attacker to execute arbitrary code with administrator privileges.
Samsung Magician is a management utility for Samsung SSDs. Prior to version 5.0, Samsung Magician checks for and retrieves updates over HTTP. Prior to version 5.1, Samsung Magician uses HTTPS to perform update operations; however, it does not validate SSL certificates.
An attacker on the same network as, or who can otherwise affect network traffic from, a Samsung Magician user can cause the Magician update process to execute arbitrary code with system administrator privileges.
Solution: Apply an update. This issue is addressed in Samsung Magician 5.1. Note that because the update mechanism is vulnerable, do not use the self-update mechanism for Samsung Magician to obtain the fixed version.
19 Jun 2017 - VU#489392 - Acronis True Image fails to update itself securely
Acronis True Image fails to securely check for and retrieve updates, which can allow an authenticated attacker to execute arbitrary code with administrator privileges.
Acronis True Image is a disk backup utility for Windows and Mac systems. Acronis True Image versions through and including 2017 Build 8053 perform update operations over unprotected HTTP channels. Downloaded updates are not validated beyond verifying the server-provided MD5 hash.
An attacker on the same network as, or who can otherwise affect network traffic from, an Acronis True Image user can cause the True Image update process to execute arbitrary code with system administrator privileges.
Solution: Apply an update. This issue is addressed in Acronis True Image 2017 Build 8058. Although the updates are still checked and downloaded over HTTP, the certificate of the downloaded update is verified.
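The two update-mechanism notes above (Samsung Magician and Acronis True Image) share one lesson: an integrity value that arrives over the same untrusted channel as the update proves nothing about who produced it. The following Go example is added here and is not code from CERT/CC or either vendor; it contrasts the server-provided-MD5 check with verification against a signing key pinned in the client, using constructed installer bytes and a constructed fixed-seed keypair in place of a vendor's real key material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"encoding/hex"
)

// UpdateResponse is what the updater receives: installer bytes plus integrity data.
type UpdateResponse struct {
	Payload   []byte
	ServedMD5 string // travels over the same channel as the payload
	Signature []byte // made with a key the client never receives over the network
}

// weakVerify reproduces the True Image pattern: trust the server-provided MD5.
// Whoever can rewrite the response can rewrite both fields, so this catches
// accidental corruption only, never substitution.
func weakVerify(r UpdateResponse) bool {
	sum := md5.Sum(r.Payload)
	return hex.EncodeToString(sum[:]) == r.ServedMD5
}

// strongVerify checks an Ed25519 signature against a public key pinned in the
// client, so it holds even over HTTP or HTTPS without certificate validation.
func strongVerify(r UpdateResponse, pinnedPub ed25519.PublicKey) bool {
	return ed25519.Verify(pinnedPub, r.Payload, r.Signature)
}

// publish builds a release as the vendor would, signing with its private key.
func publish(priv ed25519.PrivateKey, payload []byte) UpdateResponse {
	sum := md5.Sum(payload)
	return UpdateResponse{payload, hex.EncodeToString(sum[:]), ed25519.Sign(priv, payload)}
}

// rewrittenInTransit models the on-path attacker the notes describe: payload
// and MD5 are replaced, but a valid signature cannot be produced.
func rewrittenInTransit(r UpdateResponse, substitute []byte) UpdateResponse {
	sum := md5.Sum(substitute)
	return UpdateResponse{substitute, hex.EncodeToString(sum[:]), r.Signature}
}

// runScenario returns whether each check accepts the tampered response, and
// whether the strong check still accepts the genuine one.
func runScenario() (weakTampered, strongTampered, strongGenuine bool) {
	seed := make([]byte, ed25519.SeedSize) // constructed fixed seed; a real vendor keeps this offline
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)
	genuine := publish(priv, []byte("constructed-vendor-installer"))
	tampered := rewrittenInTransit(genuine, []byte("constructed-substitute"))
	return weakVerify(tampered), strongVerify(tampered, pub), strongVerify(genuine, pub)
}
```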