TA16-144A: WPAD Name Collision Vulnerability

US-CERT Security Alerts - Mon, 05/23/2016 - 03:38
Original release date: May 23, 2016
Systems Affected

Windows, OS X, Linux systems, and web browsers with WPAD enabled

Overview

Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are intended for resolution on private or enterprise DNS servers have been observed reaching public DNS servers [1]. In combination with the New generic Top Level Domain (gTLD) program’s incorporation of previously undelegated gTLDs for public registration, leaked WPAD queries could result in domain name collisions with internal network naming schemes [2] [3]. Collisions could be abused by opportunistic domain registrants to configure an external proxy for network traffic, allowing the potential for man-in-the-middle (MitM) attacks across the Internet.

Description

WPAD is a protocol used to ensure all systems in an organization utilize the same web proxy configuration. Instead of individually modifying configurations on each device connected to a network, WPAD locates a proxy configuration file and applies the configuration automatically.

WPAD is enabled by default on all Microsoft Windows operating systems and in Internet Explorer. It is supported but not enabled by default on Mac and Linux-based operating systems, as well as in the Safari, Chrome, and Firefox browsers.

With the New gTLD program, previously undelegated gTLD strings are now being delegated for public domain name registration [3]. These strings may be used by private or enterprise networks, and in certain circumstances, such as when a work computer is connected from a home or external network, WPAD DNS queries may be made in error to public DNS servers. Attackers may exploit such leaked WPAD queries by registering the leaked domain and setting up MitM proxy configuration files on the Internet.

Impact

Leaked WPAD queries could result in domain name collisions with internal network naming schemes. If an attacker registers a domain to answer leaked WPAD queries and configures a valid proxy, there is potential to conduct man-in-the-middle (MitM) attacks across the Internet.

The WPAD vulnerability is significant for mobile corporate assets such as laptops. In some cases these assets are vulnerable even while on the corporate network, but observations indicate that most assets become vulnerable when used outside the internal network (e.g., home networks, public Wi-Fi networks).

Solution

US-CERT encourages users and network administrators to implement the following recommendations to provide a more secure and efficient network infrastructure:

  • Consider disabling automatic proxy discovery/configuration in browsers and operating systems during device setup if it will not be used for internal networks.
  • Consider using a fully qualified domain name (FQDN) from global DNS as the root for enterprise and other internal namespaces.
  • Configure internal DNS servers to respond authoritatively to internal TLD queries.
  • Configure firewalls and proxies to log and block outbound requests for wpad.dat files.
  • Identify expected WPAD network traffic and monitor the public namespace or consider registering domains defensively to avoid future name collisions.
  • File a report with ICANN if your system is suffering demonstrably severe harm as a consequence of name collision by visiting https://forms.icann.org/en/help/name-collision/report-problems.
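To put the logging and monitoring recommendations above into practice, the following added example (not code from the US-CERT alert) classifies WPAD lookups found in a client-side DNS log and names the domain that would answer each leaked query. The internal suffixes, resolver range, log layout and sample lines are constructed assumptions.

```python
# Added example for the TA16-144A alert above, not code from US-CERT: flag WPAD
# DNS lookups that leave the enterprise namespace or its resolvers. The log
# layout, address ranges and DNS suffixes below are constructed assumptions.
import ipaddress
import re
from dataclasses import dataclass

# Constructed enterprise config: suffixes the internal DNS answers
# authoritatively, and the resolver range a managed device should use.
INTERNAL_SUFFIXES = ("corp.example", "ad.corp.example")
INTERNAL_RESOLVERS = (ipaddress.ip_network("10.1.0.0/24"),)

# Assumed client-side DNS log layout:
#   <timestamp> client=<ip> resolver=<ip> qname=<name> qtype=<type>
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+resolver=(?P<resolver>\S+)\s+qname=(?P<qname>\S+)")


@dataclass
class Finding:
    client: str
    qname: str
    resolver: str
    reason: str
    collision_domain: str  # name to watch in public DNS or register defensively


def is_internal_name(name):
    return any(name == s or name.endswith("." + s) for s in INTERNAL_SUFFIXES)


def is_internal_resolver(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_RESOLVERS)


def collision_domain(name):
    # Approximation: the last two labels are what a registrant could claim;
    # for a bare suffix such as wpad.global that is the WPAD name itself.
    return ".".join(name.split(".")[-2:])


def classify_wpad_query(client, resolver, qname):
    """Return a Finding for a WPAD lookup that could collide, else None."""
    name = qname.rstrip(".").lower()
    if not name.startswith("wpad."):
        return None  # not a proxy auto-discovery lookup
    if not is_internal_resolver(resolver):
        # Off-network case (home or public Wi-Fi): the device asked a public
        # resolver, so the query reaches global DNS whatever the suffix is.
        reason = "WPAD query sent to non-enterprise resolver"
    elif not is_internal_name(name):
        # On-network case: the suffix is not one the internal DNS answers
        # authoritatively, so the resolver forwards it to public DNS.
        reason = "WPAD query for suffix outside internal namespace"
    else:
        return None
    return Finding(client, name, resolver, reason, collision_domain(name))


def scan_dns_log(lines):
    return [f for f in (classify_wpad_query(m["client"], m["resolver"], m["qname"])
                        for m in map(LOG_RE.search, lines) if m) if f]


# Constructed sample log: healthy lookup, unrelated name, laptop on a home
# network using the ISP resolver, on-network host using an undelegated suffix.
SAMPLE_LOG = [
    "2016-05-23T10:01:02Z client=10.1.2.3 resolver=10.1.0.53 qname=wpad.corp.example. qtype=A",
    "2016-05-23T10:01:05Z client=10.1.2.3 resolver=10.1.0.53 qname=www.corp.example. qtype=A",
    "2016-05-23T18:30:10Z client=192.168.1.20 resolver=203.0.113.53 qname=wpad.corp.example. qtype=A",
    "2016-05-23T10:02:00Z client=10.1.2.7 resolver=10.1.0.53 qname=wpad.global. qtype=A",
]
```

Running `scan_dns_log(SAMPLE_LOG)` yields two findings: the home-network laptop whose `wpad.corp.example` lookup went to a public resolver, and the on-network host querying `wpad.global`, which the internal DNS does not own.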
Revision History

  • May 23, 2016: Initial Release



Categories: Security Alerts

MS16-035 - Important: Security Update for .NET Framework to Address Security Feature Bypass (3141780) - Version: 2.1

Microsoft Security Notifications - Wed, 05/18/2016 - 09:00
Severity Rating: Important
Revision Note: V2.1 (May 18, 2016): Revised bulletin to clarify the distribution audience for the Microsoft .NET Framework 4.5.2 and Microsoft .NET Framework 4.6/4.6.1 security updates that were re-released on May 10, 2016, as follows: The security updates for Microsoft .NET Framework 4.5.2 have been re-released to Limited Distribution Release (LDR) customers only. The security updates for Microsoft .NET Framework 4.6/4.6.1 have been re-released to all customers.
Summary: This security update resolves a vulnerability in Microsoft .NET Framework. The security feature bypass exists in a .NET Framework component that does not properly validate certain elements of a signed XML document.

MS16-067 - Important: Security Update for Volume Manager Driver (3155784) - Version: 1.1

Microsoft Security Notifications - Fri, 05/13/2016 - 09:00
Severity Rating: Important
Revision Note: V1.1 (May 13, 2016): Bulletin revised to change the vulnerability severity rating for Windows 8.1 and Windows RT 8.1 to Not applicable, because these operating systems are not affected by the vulnerability described in this bulletin. Customers who have applied security update 3155784 do not need to take any further action. This is an informational change only.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user.

MS16-064 - Critical: Security Update for Adobe Flash Player (3157993) - Version: 2.0

Microsoft Security Notifications - Fri, 05/13/2016 - 09:00
Severity Rating: Critical
Revision Note: V2.0 (May 13, 2016): Bulletin revised to announce the release of update 3163207 to address the vulnerabilities included in Adobe Security Bulletin APSB16-15. Note that update 3163207 replaces the update previously released in this bulletin (update 3157993). Microsoft strongly recommends that customers install update 3163207 to help be protected from the vulnerabilities described in Adobe Security Bulletin APSB16-15.
Summary: This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

MS16-065 - Important: Security Update for .NET Framework (3156757) - Version: 1.1

Microsoft Security Notifications - Thu, 05/12/2016 - 09:00
Severity Rating: Important
Revision Note: V1.1 (May 12, 2016): Revised bulletin to announce a detection change for the 3142037 update for .NET Framework 4.6. This is an informational change only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could cause information disclosure if an attacker injects unencrypted data into the target secure channel and then performs a man-in-the-middle (MiTM) attack between the targeted client and a legitimate server.

MS16-061 - Important: Security Update for Microsoft RPC (3155520) - Version: 1.1

Microsoft Security Notifications - Wed, 05/11/2016 - 09:00
Severity Rating: Important
Revision Note: V1.1 (May 11, 2016): Bulletin revised to change the vulnerability impact from elevation of privilege to remote code execution, and the title of CVE-2016-0178 to RPC Network Data Representation Engine Remote Code Execution Vulnerability. This is an informational change only.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an authenticated attacker makes malformed Remote Procedure Call (RPC) requests to an affected host.

TA16-132A: Exploitation of SAP Business Applications

US-CERT Security Alerts - Wed, 05/11/2016 - 03:31
Original release date: May 11, 2016
Systems Affected

Outdated or misconfigured SAP systems

Overview

At least 36 organizations worldwide are affected by an SAP vulnerability [1]. Security researchers from Onapsis discovered indicators of exploitation against these organizations’ SAP business applications.

The observed indicators relate to the abuse of the Invoker Servlet, a built-in functionality in SAP NetWeaver Application Server Java systems (SAP Java platforms). The Invoker Servlet contains a vulnerability that was patched by SAP in 2010. However, the vulnerability continues to affect outdated and misconfigured SAP systems.

Description

SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks.

The Invoker Servlet vulnerability affects business applications running on SAP Java platforms.

SAP Java platforms are the base technology stack for many SAP business applications and technical components, including:

  • SAP Enterprise Resource Planning (ERP),
  • SAP Product Lifecycle Management (PLM),
  • SAP Customer Relationship Management (CRM),
  • SAP Supply Chain Management (SCM),
  • SAP Supplier Relationship Management (SRM),
  • SAP NetWeaver Business Warehouse (BW),
  • SAP Business Intelligence (BI),
  • SAP NetWeaver Mobile Infrastructure (MI),
  • SAP Enterprise Portal (EP),
  • SAP Process Integration (PI),
  • SAP Exchange Infrastructure (XI),
  • SAP Solution Manager (SolMan),
  • SAP NetWeaver Development Infrastructure (NWDI),
  • SAP Central Process Scheduling (CPS),
  • SAP NetWeaver Composition Environment (CE),
  • SAP NetWeaver Enterprise Search,
  • SAP NetWeaver Identity Management (IdM), and
  • SAP Governance, Risk & Control 5.x (GRC).

The vulnerability resides on the SAP application layer, so it is independent of the operating system and database application that support the SAP system.

Impact

Exploitation of the Invoker Servlet vulnerability gives unauthenticated remote attackers full access to affected SAP platforms, providing complete control of the business information and processes on these systems, as well as potential access to other systems.

Solution

In order to mitigate this vulnerability, US-CERT recommends users and administrators implement SAP Security Note 1445998 and disable the Invoker Servlet. For more mitigation details, please review the Onapsis threat report [1].

In addition, US-CERT encourages users and administrators to:

  • Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.
  • Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.
  • Analyze systems for malicious or excessive user authorizations.
  • Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.
  • Monitor systems for suspicious user behavior, including both privileged and non-privileged users.
  • Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.
  • Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.

These recommendations apply to SAP systems in public, private, and hybrid cloud environments.

Note: The U.S. Government does not endorse or support any particular product or vendor.

Revision History

  • May 11, 2016: Initial Release




MS16-066 - Important: Security Update for Virtual Secure Mode (3155451) - Version: 1.0

Microsoft Security Notifications - Tue, 05/10/2016 - 09:00
Severity Rating: Important
Revision Note: V1.0 (May 10, 2016): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker runs a specially crafted application to bypass code integrity protections in Windows.

MS16-060 - Important: Security Update for Windows Kernel (3154846) - Version: 1.0

Microsoft Security Notifications - Tue, 05/10/2016 - 09:00
Severity Rating: Important
Revision Note: V1.0 (May 10, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

MS16-059 - Important: Security Update for Windows Media Center (3150220) - Version: 1.0

Microsoft Security Notifications - Tue, 05/10/2016 - 09:00
Severity Rating: Important
Revision Note: V1.0 (May 10, 2016): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS16-056 - Critical: Security Update for Windows Journal (3156761) - Version: 1.0

Microsoft Security Notifications - Tue, 05/10/2016 - 09:00
Severity Rating: Critical
Revision Note: V1.0 (May 10, 2016): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS16-054 - Critical: Security Update for Microsoft Office (3155544) - Version: 1.0

Microsoft Security Notifications - Tue, 05/10/2016 - 09:00
Severity Rating: Critical
Revision Note: V1.0 (May 10, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS16-055 - Critical: Security Update for Microsoft Graphics Component (3156754) - Version: 1.0

Microsoft Security Notifications - Tue, 05/10/2016 - 09:00
Severity Rating: Critical
Revision Note: V1.0 (May 10, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a specially crafted website. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS16-062 - Important: Security Update for Windows Kernel-Mode Drivers (3158222) - Version: 1.0

Microsoft Security Notifications - Tue, 05/10/2016 - 09:00
Severity Rating: Important
Revision Note: V1.0 (May 10, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

MS16-057 - Critical: Security Update for Windows Shell (3156987) - Version: 1.0

Microsoft Security Notifications - Tue, 05/10/2016 - 09:00
Severity Rating: Critical
Revision Note: V1.0 (May 10, 2016): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website that accepts user-provided online content, or convinces a user to open specially crafted content. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS16-053 - Critical: Cumulative Security Update for JScript and VBScript (3156764) - Version: 1.0

Microsoft Security Notifications - Tue, 05/10/2016 - 09:00
Severity Rating: Critical
Revision Note: V1.0 (May 10, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in the JScript and VBScript scripting engines in Microsoft Windows. The vulnerabilities could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS16-052 - Critical: Cumulative Security Update for Microsoft Edge (3155538) - Version: 1.0

Microsoft Security Notifications - Tue, 05/10/2016 - 09:00
Severity Rating: Critical
Revision Note: V1.0 (May 10, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

MS16-051 - Critical: Cumulative Security Update for Internet Explorer (3155533) - Version: 1.0

Microsoft Security Notifications - Tue, 05/10/2016 - 09:00
Severity Rating: Critical
Revision Note: V1.0 (May 10, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS16-058 - Important: Security Update for Windows IIS (3141083) - Version: 1.0

Microsoft Security Notifications - Tue, 05/10/2016 - 09:00
Severity Rating: Important
Revision Note: V1.0 (May 10, 2016): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS16-039 - Critical: Security Update for Microsoft Graphics Component (3148522) - Version: 2.0

Microsoft Security Notifications - Tue, 04/19/2016 - 09:00
Severity Rating: Critical
Revision Note: V2.0 (April 19, 2016): To comprehensively address CVE-2016-0145, Microsoft re-released security update 3144432 for affected editions of Microsoft Live Meeting 2007 Console. Customers running Microsoft Live Meeting 2007 Console should install the update to be fully protected from the vulnerability. See Microsoft Knowledge Base Article 3144432 for more information.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, and Microsoft Lync. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts.