Juan C. Perez

Timely Password-Change Call from Twitter, as Bugs Hit WebEx and GPON routers

The cyber security news cycle is always active, so to help you stay in the loop here’s a selection of incidents that caught our attention over the past week or so involving, among others, Twitter, Cisco and GPON routers.

Twitter picks a good day for password-change call

As “change your password” calls from vendors go, the one from Twitter last week ranks right up there, and not just because of the scope of users involved. As Jon Swartz pointed out in Barron’s, Twitter’s alert went out on Thursday, which happened to be World Password Day.

The social media juggernaut reached out to all of its 330 million users and advised them to take a moment, go to their account settings page and enter a new password. Twitter also suggested they enable Twitter’s two-step verification feature, a move strongly endorsed by Forbes’ Thomas Fox-Brewster. In addition, Twitter recommended that users change their password on any other online services where they used their Twitter password. (It bears repeating: It’s a bad idea to re-use passwords.)

The reason for the brouhaha: An IT slip-up caused user passwords to be stored in plain text in an internal Twitter log. Twitter’s security policy is to instead mask passwords using the “bcrypt” hashing technique. That way, passwords are stored on Twitter systems only as a hash: a string of seemingly random characters from which the original password cannot practically be recovered.

Twitter said it fixed the bug, and found no evidence that the data was compromised, but decided to alert its users “out of an abundance of caution.” “We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” CTO Parag Agrawal wrote on the company’s blog.

Absent from the company’s communication: The number of passwords involved, and the length of time they were stored in plain text. Also of interest: Just two days before Twitter’s alert, GitHub sent an email to some of its users telling them to change their passwords, citing a very similar bug.
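The two things the Twitter and GitHub incidents turn on are (1) storing passwords only as a salted, slow one-way hash and (2) making sure the plaintext never reaches an internal log. The following is an added example, not code from Twitter, GitHub or this post. The article names bcrypt; because bcrypt needs a third-party package, this example substitutes the standard library's scrypt KDF (hashlib.scrypt), which serves the same role. The field names in the redaction pattern, the cost parameters and the log line are all constructed assumptions for illustration.

```python
"""Added example: salted slow hashing for password storage, plus a logging
filter that scrubs password-like fields so a stray log statement cannot
leave plaintext passwords in an internal log (the failure the article
describes). scrypt stands in for bcrypt here; the design is the same."""
import hashlib
import hmac
import logging
import os
import re

# Cost parameters (assumed for illustration; tune to your hardware budget).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt-hex>$<digest-hex>'. A fresh random salt per
    password means two users with the same password store different strings."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Matches password-like fields in key=value or "key": "value" form. The field
# names are assumed; extend them to match your own request schema. This is a
# last line of defence: the primary fix is never to pass secrets to a logger.
_SECRET_FIELD = re.compile(
    r'(?i)(["\']?(?:password|passwd|new_password|old_password)["\']?'
    r'\s*[:=]\s*["\']?)([^"\'&\s,}]+)')


def redact_secrets(message: str) -> str:
    """Replace the value of any password-like field with [REDACTED]."""
    return _SECRET_FIELD.sub(r"\1[REDACTED]", message)


class RedactingFilter(logging.Filter):
    """Scrubs secrets from every record before any handler writes it out."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_secrets(record.getMessage())
        record.args = ()  # args already merged into msg above
        return True


class ListHandler(logging.Handler):
    """Collects log lines in memory so the demo can inspect what was written."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(record.getMessage())


def handle_password_change(user: str, new_password: str,
                           log: logging.Logger) -> str:
    """Simulated change-password handler. The log call is a constructed
    example of the kind of line that, unfiltered, stores plaintext in a log."""
    log.info("password change request user=%s new_password=%s",
             user, new_password)
    return hash_password(new_password)


def demo(user: str = "alice", new_password: str = "hunter2-Example!"):
    """Run the handler under a redacting logger; return (stored hash, log lines)."""
    logger = logging.getLogger("auth-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = ListHandler()
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    stored = handle_password_change(user, new_password, logger)
    return stored, handler.lines


if __name__ == "__main__":
    stored, lines = demo()
    print(lines[0])                       # ... new_password=[REDACTED]
    print(verify_password("hunter2-Example!", stored))   # True
    print(verify_password("wrong-guess", stored))        # False
```

The regex scrubber assumes values contain no whitespace, which is true of key=value and JSON log formats but not of free-text passphrases embedded in prose; the reliable fix is the one in `handle_password_change`'s comment, namely never handing the secret to the logger in the first place, with the filter kept as a safety net.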

Another WebEx bug discovered

Cisco has disclosed a WebEx vulnerability (CVE-2018-0264) that could allow attackers to run code in a compromised system, the second WebEx bug announced in recent weeks. This time around, the problem lies within the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files, which is an application used to play back recorded meetings.

According to Cisco, a likely attack scenario would involve a hacker sending out a link or email attachment with a malicious ARF file. If the recipient follows the link or opens the file, the unauthenticated attacker could then execute arbitrary code remotely on the targeted computer.

“Given how many businesses use WebEx, and how many workers attend WebEx meetings and events, it’s easily conceivable that an email using a lure along the lines of ‘Thanks for attending our webinar. Follow the link to access the event on-demand’ could be spectacularly effective,” Tara Seals wrote in ThreatPost.

Cisco said it has updated affected versions of Cisco WebEx Business Suite meeting sites, Cisco WebEx Meetings sites, Cisco WebEx Meetings Server, and the Cisco WebEx ARF Player to address this vulnerability, for which no workarounds exist.

In late April, Cisco patched another vulnerability (CVE-2018-0112) affecting Cisco WebEx Business Suite clients, Cisco WebEx Meetings, and Cisco WebEx Meetings Server, that could allow an authenticated, remote attacker to execute arbitrary code on a targeted system.

The bug was caused by insufficient input validation by the Cisco WebEx clients. An attack scenario would be for attackers to provide meeting attendees with a malicious Flash (.swf) file via the file-sharing capabilities of the WebEx client, according to Cisco.

“The fact that WebEx is so widely used inside businesses could make it an increasing target for malicious hackers eager to break inside specific organisations,” independent security analyst Graham Cluley wrote.

“If your business is not licensed for WebEx software updates you may be wise to either renegotiate your contract, or remove WebEx from your systems,” he added.

Super fast routers found to be super vulnerable

A million-plus GPON (Gigabit Passive Optical Network) home routers have serious vulnerabilities that could give attackers complete control over the devices and, by extension, over people’s home networks. That’s according to vpnMentor, which documented its troubling findings in a blog post and video.

“We found a way to bypass all authentication on the devices (CVE-2018-10561). With this authentication bypass, we were also able to unveil another command injection vulnerability (CVE-2018-10562) and execute commands on the device,” reads the post.

This means that attackers could, among other things, use the vulnerabilities to see the IP address of specific routers, matching them to physical addresses in some cases, see what the user is doing on the web, and set up man-in-the-middle (MitM) phishing pages, Seals explained in ThreatPost.

“There’s a privacy aspect here too,” Ariel Hochstadt, co-founder of vpnMentor, told ThreatPost. “It’s possible to take an entire browsing history for someone from the last 30 days and send it to all of their friends, via Facebook or mail, because you have access to the browsing history and you can skim credentials.”

Days after these vulnerability disclosures, attackers began exploiting the vulnerabilities, an unsurprising development, since hackers crave opportunities to make botnets with compromised routers for DDoS attacks, Lucian Constantin reported Friday in Security Boulevard.

“The fact that GPON devices are used for gigabit-size fiber connections makes them even more attractive since the firepower they provide is considerably greater than that of DSL or cable modems,” he wrote.

In addition, this situation highlights the risks of using ISP-supplied home networking equipment, which is usually made by the same OEM, with the same firmware, but used by multiple ISPs globally under their own brands, according to Constantin.

“This makes it difficult to identify all vulnerable devices when a security issue is found. It’s also highly unlikely that any patch released by an OEM will ever reach all affected devices, since those patches need to be distributed by every ISP that uses those devices,” Constantin wrote.

In other security news …

  • The National Institute of Standards and Technology (NIST) has released version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity, four years after the original version came out. ThreatPost has a detailed rundown of what’s new.
  • Trend Micro issued a warning that the FacexWorm, a malicious Chrome browser extension which was discovered last year and spreads via Facebook Messenger, has been revamped and is now using “a miscellany of techniques to target cryptocurrency trading platforms accessed on an affected browser.”
  • Medical device maker Becton Dickinson disclosed that some of its products are vulnerable to the KRACK Wi-Fi WPA2 vulnerabilities discovered last year. Lisa Vaas from Naked Security puts it all in context.
