EMC has released security fixes for three vulnerabilities that, when combined, can be used to take full control of products from its Data Protection Suite: the Avamar Server, the NetWorker Virtual Edition and the Integrated Data Protection Appliance.
All three products contain a component called the Avamar Installation Manager (AVI), which is vulnerable to the flaws found by researchers from Digital Defense. One of the vulnerabilities allows for authentication to be bypassed and the other two allow for arbitrary file access and file uploads with root privileges.
“All three vulnerabilities can be combined to fully compromise the virtual appliance by modifying the sshd_config file to allow root login, uploading a new authorized_keys file for root, and a web shell to restart the SSH service,” the Digital Defense researchers said in a blog post. “The web shell can also run commands with the same privileges as the ‘admin’ user.”
The affected products are Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x and 7.5.0; NetWorker Virtual Edition 9.0.x, 9.1.x and 9.2.x; and Integrated Data Protection Appliance 2.0. EMC has released an advisory for customers with support contracts.
Apple Devices Are Protected Against Meltdown, But Not Yet Against Spectre
Apple had already released software updates to protect Mac and iOS devices against the Meltdown attack that affects Intel processors before it became public this week. However, the devices have not yet been patched against Spectre, a related attack that could allow attackers to steal secrets from applications.
“All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time,” Apple said in a support document. “Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.”
A defense against Meltdown, which can be exploited by malicious apps to access information from the kernel’s memory, was included in macOS 10.13.2, iOS 11.2 and tvOS 11.2, which were released in early December.
“We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS,” Apple said.
Word Feature Can Be Abused to Steal Credentials
Security researchers from Rhino Security Labs have found that a little-known Microsoft Word feature can be abused to phish credentials and automatically steal NTLMv2 authentication hashes.
The feature is called subDoc and allows users to load information from one document directly into the body of another document. It is supported in all Microsoft Word versions since 2007.
The Rhino researchers found that subDoc can be used to display a credible Windows-style authentication prompt that could trick users into inputting their login credentials. A very similar phishing technique has been used in the past through another Word feature called attachedTemplate.
More importantly, subDoc can also load content from a document hosted on a remote server. If the parent document points at a UNC path, Word makes an SMB request to that server when the document is opened and, as part of the SMB handshake, the client attempts NTLM authentication without any prompt to the user.
“We’ve found some organizations are not filtering egress SMB requests, and therefore would leak the NTLMv2 hash in the initial SMB request,” Rhino researcher Hector Monsegur said in a blog post.
Monsegur has created a proof-of-concept tool called SubDoc Injector that embeds a user-defined URL into a parent document so that an SMB request is triggered when the document is opened. The attacker then only has to run a listener on the remote server in order to harvest the NTLMv2 hashes, which can be cracked offline or, where the environment allows it, relayed.
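A subDoc reference lives in the document's OOXML relationships, which is also where a mail gateway or incident responder can look for it. The following Python script is an added example, not Rhino's SubDoc Injector or any code from the original post: it builds a constructed minimal .docx in memory containing either a subDoc or an attachedTemplate relationship (the second technique mentioned above), then scans the package's .rels parts for those relationship types and flags external targets, marking UNC and file:// targets as the ones that would cause an outbound SMB request. The relationship type URIs are the standard OOXML ones; the sample document, host name and share are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Relationship types Word uses for the two features discussed above.
WATCH_TYPES = {
    OFFICE_REL + "subDocument": "subDoc",
    OFFICE_REL + "attachedTemplate": "attachedTemplate",
}

# A UNC path (\\host\share\...) or file:// URL is fetched over SMB by Word,
# which is what leaks the NTLMv2 hash; http(s) targets are still reported
# as external but not marked as SMB here.
UNC_RE = re.compile(r"^(\\\\|file://)", re.IGNORECASE)


def build_sample_docx(target: str, feature: str = "subDoc") -> bytes:
    """Constructed sample: a minimal .docx whose body (subDoc) or settings
    (attachedTemplate) references `target` through an external relationship.
    Only the parts needed by the scanner are written; Word needs more."""
    if feature == "subDoc":
        part_xml = (
            f'<w:document xmlns:w="{W_NS}" xmlns:r="{OFFICE_REL[:-1]}">'
            '<w:body><w:p><w:subDoc r:id="rId1"/></w:p></w:body></w:document>'
        )
        part_name, rels_name, rel_type = (
            "word/document.xml", "word/_rels/document.xml.rels", "subDocument")
    elif feature == "attachedTemplate":
        part_xml = (
            f'<w:settings xmlns:w="{W_NS}" xmlns:r="{OFFICE_REL[:-1]}">'
            '<w:attachedTemplate r:id="rId1"/></w:settings>'
        )
        part_name, rels_name, rel_type = (
            "word/settings.xml", "word/_rels/settings.xml.rels", "attachedTemplate")
    else:
        raise ValueError(f"unknown feature {feature!r}")

    rels_xml = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}{rel_type}" '
        f'Target="{escape(target, {chr(34): "&quot;"})}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(part_name, part_xml)
        z.writestr(rels_name, rels_xml)
    return buf.getvalue()


def find_remote_references(docx_bytes: bytes) -> list:
    """Return one finding per subDoc/attachedTemplate relationship in the
    package, recording whether its target is external and whether fetching
    it would go over SMB."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                kind = WATCH_TYPES.get(rel.get("Type", ""))
                if kind is None:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                findings.append({
                    "part": name,
                    "feature": kind,
                    "target": target,
                    "external": external,
                    "smb": external and bool(UNC_RE.match(target)),
                })
    return findings


if __name__ == "__main__":
    # Constructed UNC target; nothing is contacted because the file is only parsed.
    sample = build_sample_docx(r"\\10.0.0.5\share\chapter1.docx")
    for f in find_remote_references(sample):
        verdict = "SMB request on open" if f["smb"] else "external, non-SMB"
        print(f"{f['part']}: {f['feature']} -> {f['target']} ({verdict})")
```

The scan works on the raw package, so it can run on a mail gateway or over a mailbox export without opening the file in Word. Internal (TargetMode omitted) relationships are reported with `external` set to False so a reviewer can see ordinary sub-document usage, while only external UNC or file:// targets get the `smb` flag; an http(s) target is still worth a look, since the page's point is that the feature fetches from arbitrary remote servers.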