MA-682.092017: MyCERT Advisory - Apache Software Foundation Releases Security Update

  • 19 Sep 2017
  • Advisory
1.0    Introduction
The Apache Software Foundation has released a security update to address multiple vulnerabilities in Apache Struts 2.

2.0    CVE Number
The CVE numbers of the vulnerabilities are listed below for detailed information.

1. CVE-2017-5638: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.

2. CVE-2017-7672: If an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload the server process when performing validation of the URL. Solution is to upgrade to Apache Struts version 2.5.12.

3. CVE-2017-9787: When using Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.

4. CVE-2017-9791: The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

5. CVE-2017-9805: The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.


3.0    Impact
A remote attacker could exploit these vulnerabilities to take control of an affected system.


4.0    Affected Products
•    Struts 2.1.2 - Struts 2.3.33
•    Struts 2.5 - Struts 2.5.12


5.0    Recommendation

a.    Apply an Update:
The vendor has released versions 2.5.13 and 2.3.34 to address these vulnerabilities.

Or apply the workaround below:

b.    Remove or limit the REST plugin
If it is not used, consider removing the REST plugin. Per the vendor, it is also possible to limit its functionality to normal server pages or JSON with the following configuration change in struts.xml:
 

<constant name="struts.action.extension" value="xhtml,,json" />
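As an added illustration (not part of the MyCERT advisory or the Struts project), the following Python helper turns the advisory's affected ranges (2.1.2 - 2.3.33, 2.5 - 2.5.12), fixed versions (2.3.34, 2.5.13) and the struts.action.extension workaround into a triage check. The two struts.xml fragments are constructed samples; when the constant is not declared at all the check returns None, because the effective extension list then comes from plugin defaults it cannot see.

```python
import xml.etree.ElementTree as ET

# Affected ranges and fixed versions exactly as stated in the advisory.
AFFECTED_RANGES = [((2, 1, 2), (2, 3, 33)), ((2, 5), (2, 5, 12))]
FIXED_VERSIONS = ("2.3.34", "2.5.13")

# Constructed sample struts.xml fragments, not taken from any real deployment.
STRUTS_XML_BEFORE = """<struts>
  <constant name="struts.action.extension" value="xhtml,,xml,json" />
</struts>"""
STRUTS_XML_AFTER = """<struts>
  <constant name="struts.action.extension" value="xhtml,,json" />
</struts>"""


def parse_version(text):
    """Turn a dotted version such as '2.5.10.1' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """True when the first three components fall inside an affected range."""
    v = parse_version(version)[:3]
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def xml_extension_enabled(struts_xml):
    """Report whether struts.xml still routes the 'xml' action extension.

    Returns True/False from the declared constant, or None when the constant
    is absent (assumption: defaults are then in effect, so review manually)."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == "struts.action.extension":
            extensions = [e.strip() for e in const.get("value", "").split(",")]
            return "xml" in extensions
    return None


def triage(version, struts_xml):
    """Combine both checks into one verdict string for a deployment."""
    if not is_affected(version):
        return "not in affected range"
    fix = "upgrade to " + " or ".join(FIXED_VERSIONS)
    if xml_extension_enabled(struts_xml) is False:
        return "affected version, XML extension disabled (workaround applied); " + fix
    return "affected version, XML extension reachable; " + fix


if __name__ == "__main__":
    print(triage("2.5.10.1", STRUTS_XML_BEFORE))
    print(triage("2.5.10.1", STRUTS_XML_AFTER))
```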


Generally, MyCERT advises the users of this software to be updated with the latest security announcements by the vendor, apply necessary updates and follow best practice security policies.


For further enquiries, please contact MyCERT through the following channels:
E-mail: [email protected] or [email protected]
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 AM - 18:00 PM MYT
Web: https://www.mycert.org.my
Twitter: http://www.twitter.com/mycert
Facebook: http://www.facebook.com/mycert.org.my
Cyber999 Mobile Apps: IOS Users or Android Users


6.0    References

•    https://www.us-cert.gov/ncas/current-activity/2017/09/06/Apache-Software-Foundation-Releases-Security-Update
•    https://cwiki.apache.org/confluence/display/WW/S2-052
•    https://www.kb.cert.org/vuls/id/112992

 

MA-683.092017: MyCERT Advisory - Multiple Security Vulnerabilities Affecting D-Link DIR-800 Series Routers

  • 19 Sep 2017
  • Advisory
1.0    Introduction
MyCERT has received information from valid sources regarding publicly disclosed details of multiple security vulnerabilities affecting D-Link DIR-800 series routers.


2.0    Impact
Routers can be compromised to install malicious firmware, as well as to compromise users' information.


3.0    Affected Products
•    D-Link DIR-850L
•    D-Link DIR-885L
•    D-Link DIR-890L
•    D-Link DIR-895L


4.0 Recommendation

D-Link has issued a firmware update for the DIR-850L on its website. Users and administrators are recommended to review the URL below and apply the necessary updates:
•    http://www.dlink.com.my/dir-850l-msia/#firmware
 
For other series, kindly refer to the workaround below:

Workarounds:
Users are advised to go to the D-Link support website to get updates about the remaining series of the router.

Until a firmware update is available, users should take the following steps in the meantime to minimize the risk of their router being compromised.
  • Disable remote management.
  • Use strong passwords for your WiFi to reduce the risk of unauthorized access to your network.
  • Change the device's administrator password. Be sure to use a strong new password.

Users should also consider disabling the router's SharePort feature. Below are the URLs for the instructions:
 
 
DIR-885L: 
 
DIR-890L: 
 
DIR-895L: 
 
 
 


5.0    References
 

MA-681.092017: MyCERT Alert - BlueBorne Bluetooth Vulnerabilities

  • 18 Sep 2017
  • Alert
1.0 Introduction
MyCERT is aware of a collection of Bluetooth vulnerabilities, known as BlueBorne, potentially affecting millions of unpatched mobile phones, computers, and Internet of Things (IoT) devices. The vulnerabilities are listed below:

  • Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2017-1000251
  • Out-of-bounds Read - CVE-2017-1000250
  • Out-of-bounds Read - CVE-2017-0785
  • Heap-based Buffer Overflow - CVE-2017-0781
  • Integer Underflow (Wrap or Wraparound) - CVE-2017-0782
  • Heap-based Buffer Overflow - CVE-2017-14315
 
 
2.0 Impact
A remote attacker could exploit several of these vulnerabilities to take control of affected devices.
 
 
3.0 Affected Products
These vulnerabilities affect unpatched operating systems, mobile phones and IoT devices. For a more detailed list of affected operating systems (Android, Windows, Linux), kindly refer to the URL below:
 
 
4.0 Recommendations
  • Apply an update.
Patches are available in the latest releases of Windows, iOS, the Linux kernel, and Android. Check with your device manufacturer to determine if firmware updates will be available.

  • Disable Bluetooth on your device.
Affected users should consider disabling Bluetooth on affected devices if Bluetooth is unused or unnecessary.
 
 
Users and administrators are recommended to review the URL below for more information about these vulnerabilities and the solution:
 
 
 
 
5.0 References

MA-680.092017: MyCERT Advisory - Multiple Cisco Products Affected By Multiple Apache Struts Vulnerabilities

  • 14 Sep 2017
  • Advisory
1.0 Introduction
On September 5, 2017, the Apache Software Foundation released security bulletins that disclosed three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity.
 
Multiple Cisco products incorporate a version of the Apache Struts 2 package that is affected by these vulnerabilities. The vulnerabilities are listed below:

  • Apache Struts REST Plug-In XML Processing Arbitrary Code Execution Vulnerability (CVE-2017-9805)
  • Apache Struts REST Plug-In Denial of Service Vulnerability (CVE-2017-9793)
  • Apache Struts URL Validator Resource Exhaustion Denial of Service Vulnerability (CVE-2017-9804)
 
 
2.0 Impact
A successful exploit could allow the attacker to execute arbitrary code and/or to cause a Denial of Service (DoS) condition on a targeted product or system.
 
 
3.0 Affected Products
Users and administrators are recommended to review the URL below for the list of affected products:
 
 
 
 
4.0 References