Advisory – Sense of Security (feed dated Wed, 26 Feb 2020 00:40:13 +0000)

Security Advisory – SOS-19-001 – XML External Entities Injection (XXE) in XNAT 1.7

The post Security Advisory – SOS-19-001 – XML External Entities Injection (XXE) in XNAT 1.7 appeared first on Sense of Security.


Release Date: 23-Oct-2019

Last Update:

Vendor Notification Date: 09-Jul-2019

Product: XNAT

Platform: Linux and possibly others

Affected versions: 1.7.5.3 (confirmed) and possibly earlier versions

Severity Rating: High

Impact: System Access

Attack Vector: Remote with authentication

Solution Status: XNAT 1.7.5.4 Hotfix Release

CVE reference: CVE-2019-14276

Details

An XML External Entity (XXE) vulnerability is an attack against an application that parses XML input. Importing an XML file that contains an external entity declaration into the XNAT application permits an attacker to retrieve a local file from the web server. The attacker must be authenticated to the application. The attack occurs when the XML input contains a reference to an external entity, such as a local file on the web server. Common targets include configuration files (e.g. ASP.NET web.config) and Linux password files (e.g. /etc/shadow).

The following URL is affected: /REST/search

Please refer to the PDF version of this advisory for proof of concept code examples.

Solution

Apply patch from XNAT 1.7.5.4 Hotfix Release.

Additional information is available at:

https://wiki.xnat.org/news/blog/2019/08/xnat-1-7-5-4-hotfix-release-now-available

https://wiki.xnat.org/documentation/getting-started-with-xnat/what-s-new-in-xnat/xnat-1-7-5-4-release-notes

Discovered By

Hamed Merati from Sense of Security Labs.

Our expert consultants are here to help you. For all your Cyber Security needs please contact us today.

Security Advisory – SOS-18-003 – Inteset Secure Lockdown


Inteset Secure Lockdown Standard Edition – Privilege Escalation and Insecure Cryptographic Storage.

Release Date: 25-Oct-2018

Last Update:

Vendor Notification Date: 23-Feb-2018

Product: Inteset Secure Lockdown Standard Edition

Platform: Tested on Microsoft Windows 7, 8.1 and 10

Affected versions: v2.00.160 to v2.00.196 (tested)

Severity Rating: High

Impact: Privilege escalation, security bypass

Attack Vector: From local system

Solution Status: Currently no solution

CVE reference: Not yet assigned

Details

The Inteset Secure Lockdown desktop application allows the use of the deprecated SHA-1 hash function to store the Inteset administrator’s password in the Windows registry.

The hash can be found at the following registry location: HKEY_CURRENT_USER\Software\Inteset\SecureLockdown_v2\Password

The above key is, by design, readable and writable by the logged-in user. This allows an attacker to view or edit the registry while the application is running and replace the stored hash with a self-generated hash of a known plain-text value. More recent versions of the application use a stronger PKCS#1 RSA function to store the password, though the stored value is still susceptible to being replaced with an attacker-known value to escalate privileges.

Once the hash has been replaced, the user can open Inteset using the ‘alt + shift + s’ key combination and enter the newly configured password to take control of the locked-down system.

Please refer to the PDF version of this advisory for proof of concept code examples.

Solution

No vendor supplied solution has been offered.

Discovered By

Nathaniel Carew from Sense of Security Labs.

Security Advisory – SOS-18-002 – CA Workload Automation AE SQL Injection


Release Date: 29-Mar-2018

Last Update:

Vendor Notification Date: 17-Oct-2017

Product: CA Workload Automation AE

Platform: Microsoft Windows

Affected versions: CA Workload Automation AE r11.3.5, r11.3.6 SP6 and earlier

Severity Rating: Medium

Impact: Exposure of sensitive information and exposure of system information

Attack Vector: Remote with authentication

Solution Status: CA Workload Automation AE Release 11.3.6 SP7

CVE reference: CVE-2018-8953

Details

CA Workload Automation AE (AutoSys Edition) is a workload automation tool supplied by CA Technologies. CA Workload Automation AE suffers from SQL injection vulnerabilities because user-supplied data is not validated before being used in a SQL query.

Please refer to the PDF version of this advisory for proof of concept code examples.

Solution

Apply patch from CA Workload Automation AE Release 11.3.6 SP7 released on 2 March 2018.

Additional information is available here.

Discovered By

Hamed Merati from Sense of Security Labs.

Security Advisory – SOS-18-001 – CA Workload Automation AE RCE


CA Workload Automation AE RCE

Release Date: 29-Mar-2018

Last Update:

Vendor Notification Date: 25-Oct-2017

Product: CA Workload Automation AE

Platform: Windows

Tested versions: CA Workload Control Center (CA WCC) r11.4 SP5 and earlier

Severity Rating: High

Impact: System Access

Attack Vector: Remote with authentication

Solution Status: CA WCC Release 11.4 SP6

CVE reference: CVE-2018-8954

Details

CA Workload Automation AE (AutoSys Edition) is a workload automation tool supplied by CA Technologies. Apache MyFaces is an implementation of Java Server Faces (JSF). CA Workload Automation AE uses MyFaces client-side ViewState and has disabled the default encryption (i.e. org.apache.myfaces.USE_ENCRYPTION).

As a result, an attacker can send a malicious serialised payload in the ViewState back to the server. MyFaces will attempt to deserialise the supplied ViewState, and the payload executes before deserialisation of the ViewState has even completed.

This allows an authenticated remote attacker to conduct remote code execution attacks and obtain system level access.

All URLs that accept the javax.faces.ViewState parameter are vulnerable to this attack.

Please refer to the PDF version of this advisory for proof of concept code examples.

Solution

Apply patch from CA WCC Release 11.4 SP6 released on 8 March 2018.
Additional information is available at: CA Support.

Discovered By

Hamed Merati and Kacper Nowak from Sense of Security Labs.

Security Advisory – SOS-17-001 – Emsisoft Anti-Malware Behavior Blocker Bypass


Release Date: 10-Feb-2017

Last Update:

Vendor Notification Date: 20-Jan-2017

Product: Emsisoft Anti-Malware

Platform: Microsoft Windows 8/8.1/10

Affected versions: a2hooks32.dll 10.0.0.218

Severity Rating: Medium

Impact: Security bypass

Attack Vector: From local system

Solution Status: Vendor patch

CVE reference: Not yet assigned

Details

Emsisoft Anti-Malware injects user mode hooks into each running process via a2hooks32.dll. The hooks allow Emsisoft Anti-Malware to analyse the behaviour of the process and alert the user when malware actions are suspected, such as listening on a port or interacting with other processes.

The issue exists in the dynamic library a2hooks32.dll because it can be unloaded from memory without alerting the user. A malware developer can unload the hooks to bypass the Behavior Blocker.

Please refer to the PDF version of this advisory for proof of concept code examples.

Solution

Emsisoft fixed the issue in the latest version by making the hooks DLL statically linked.

Discovered By

Ayman Sagy from Sense of Security Labs.
