With Black Hat USA 2019 fast approaching, we continue our blog series highlighting training sessions and research briefings that we think Qualys customers will find relevant and valuable. Our pick this week is the training session An Introduction To IoT Pentesting With Linux.

The course offers “a hands-on, example-driven introduction to IoT hacking” and focuses on tactics for assessing and exploiting devices. Participants will learn why perimeter security falls short for securing private LANs from Internet attackers, and how vulnerability assessment techniques can be implemented using the Bash Unix shell and command language. Such skills are critical today due to the booming popularity and weak security of Internet of Things systems.

The two-day course is aimed at anyone wanting a hands-on introduction on using Linux to perform software-based security analysis of embedded Linux devices. The instructor, Craig Young, is a Tripwire computer security researcher who has used the course’s techniques to identify over 100 CVEs on embedded IoT devices. He has discovered dozens of vulnerabilities in products from Google, Amazon, Apple and others.

Continue reading …

In our latest security news digest, we check out the Facebook hack heard ’round the world, a Twitter bug that rattled users but may not amount to much, and a pair of serious Linux kernel vulnerabilities.

Facebook scrambles to investigate major breach affecting tens of millions of users

The cyber security world shook on Friday upon learning that attackers exploited a software flaw on Facebook that allowed them to obtain access tokens for 50 million accounts, with another 40 million accounts possibly also affected.

Equally or even more concerning: The purloined tokens could have been used to access accounts in other websites into which their users log in with their Facebook credentials, such as Spotify and AirBnB.

Facebook inadvertently introduced the bug in July of last year. After investigating unusual activity detected in mid-September of this year, Facebook discovered the attack last week.

The attack has made global headlines since its disclosure on Sept. 28, and has naturally drawn scrutiny from security experts, government regulators, Facebook users, and industry observers.

“It’s surprising to me that as popular as Facebook is, no white hat hacker ever discovered and reported this flaw in the past, neither an external pen tester nor Facebook’s internal IT security team,” Paul Bischoff, privacy advocate with Comparitech, told Dark Reading.

Continue reading …

What is the Stack Clash?

The Stack Clash is a vulnerability in the memory management of several operating systems. It affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64.  It can be exploited by attackers to corrupt memory and execute arbitrary code.

Qualys researchers discovered this vulnerability and developed seven exploits and seven proofs of concept for this weakness, then worked closely with vendors to develop patches. As a result we are releasing this advisory today as a coordinated effort, and patches for all distributions are available June 19, 2017. We strongly recommend that users place a high priority on patching these vulnerabilities immediately.

Continue reading …

Today Oracle released a total of 299 new security fixes across all product families. It is important to note that it fixed 25 instances of the infamous Apache Struts vulnerability which could allow a remote attacker to take complete control of the server running Struts. The struts fix was applied to 19 instances of Oracle Financial Services Applications along with WebCenter, WebLogic, Siebel, Oracle Communications, MySQL and Oracle Retail.

Oracle also released Patch 25878798 for Solaris 10 and 11.3 which fixed the second Shadow Brokers EXTREMEPARR vulnerability CVE-2017-3622. EXTREMEPARR  has a CVSS Base Score of 7.8, and if successfully exploited allows a local privilege escalation in the ‘dtappgather’ component. The other Shadow Brokers vulnerability CVE-2017-3623 (a.k.a. “Ebbisland” or “Ebbshave”) was previously addressed by Oracle in several Solaris 10 patch distributions issued since January 26^th 2012 and does not affect Solaris 11.

Out of the 299 total fixes MySQL, Financial Services, Retail and Fusion Middleware take the lion’s share of fixes and the distribution is shown in the chart below. Majority of the vulnerabilities in the Financial Services, Retail and Fusion Middleware could be exploited via the HTTP protocol and attackers can take complete control of the system remotely without the need of any credentials.

Continue reading …

As we approach the peak of the holiday online shopping season, Qualys BrowserCheck adds new features to help Internet users better protect their browsers.  With today’s new release, Qualys BrowserCheck increases the range of browsers it scans, including Linux browsers, beta releases of browsers, and more plugins.  BrowserCheck also reports zero-day vulnerabilities and makes it easier to upgrade out-of-date plugins.

Here’s a round-up of the new features:

1. Linux Support: BrowserCheck adds support for Firefox, Chrome, and Opera on Linux to its current support of major browsers on Windows and Mac OS X.  See supported browsers for details.
2. Plugin / Add-on Support: BrowserCheck adds checks for additional plugins and add-ons. The new checks extend support to Linux for the most popular plugins like Adobe Reader, and add support across all relevant platforms for plugins like DivX Web Player. See supported checks for details.
3. Beta Browser Support: Qualys BrowserCheck now scans beta versions of browsers including Internet Explorer 9, Firefox 4, Chrome 9 and Opera 11. See supported browsers for details.
4. Zero-day Vulnerabilities: Sometimes a vulnerability exists, but there is no fix (yet) for it.  Qualys BrowserCheck now detects these zero-day vulnerabilities and points to any available advisories containing recommended workarounds. When the fix becomes available, BrowserCheck is updated to display the Fix-it Button with a link to the download containing the fix.
5. Easier Upgrades: Wherever possible, we are updating Fix It button links in the scan results to point directly to the download that fixes the vulnerable plugin or add-on, rather than the homepage for the plugin or add-on. This makes it easier to quickly upgrade and protect your browser from the vulnerability.

Thanks to the BrowserCheck users who have reported feedback or enhancements. Your input helps us identify areas of improvement, and have certainly been a factor in today’s release. We encourage you to continue letting us know how BrowserCheck is working for you.