Vulnerability Disclosure
R7-2017-06 | CVE-2017-5241: Biscom SFT XSS (FIXED)
Summary
The Workspaces component of Biscom Secure File Transfer (SFT) version 5.1.1015
is vulnerable to stored cross-site scripting in two fields. An attacker would
need to have the ability to create a Workspace and entice a victim to visit the
malicious page in order to run malicious JavaScript in the context of the
victim's browser. Since the victim is necessarily authenticated, this can allow
the attacker to perform actions on the Biscom Secure File Transfer instance on
the victim's behalf.
Linux
Patching CVE-2017-7494 in Samba: It's the Circle of Life
With the scent of scorched internet still lingering in the air from the
WannaCry Ransomworm
[http://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained],
today we see a new scary-and-potentially-incendiary bug hitting the Twitter
news. The vulnerability - CVE-2017-7494
[https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2017-7494] -
affects versions 3.5 (released March 1, 2010) and onwards of Samba, the de facto
standard for providing Wind
Vulnerability Disclosure
On the lookout for Intel AMT CVE-2017-5689
We've had some inquiries about checks for CVE-2017-5689, a vulnerability
affecting Intel AMT devices. On May 5th, 2017, we released a potential
vulnerability check that can help identify assets that may be vulnerable. We
initially ran into issues with trying to determine the exact version of the
firmware remotely, and so a potential check was released so that you would still
be able to identify devices that may be impacted by this.
We didn't stop there though. As part of yesterday's Nexpose rel
Microsoft
Cisco Enable / Privileged Exec Support
In Nexpose [https://rapid7.com/products/nexpose/] version 6.4.28, we are adding
support for privileged elevation on Cisco devices through enable command for
those that are running SSH version 2.
A fully privileged policy scan provides more accurate information on the
target's compliance status, and the ability to do so through enable password,
while keeping the actual user privilege low, adds an additional layer of
security for your devices. This allows our users to run fully privileged policy
Application Security
Apache Struts Vulnerability (CVE-2017-5638) Protection: Scanning with Nexpose
On March 9th, 2017 we highlighted the availability of a vulnerability check in
Nexpose for CVE-2017-5638
[https://rapid7.com/db/modules/exploit/multi/http/struts2_content_type_ognl] –
see the full blog post describing the Apache Struts vulnerability here
[/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild]. This check would
be performed against the root URI of any HTTP/S endpoints discovered during a
scan.
On March 10th, 2017 we added an additional check that would work in conjunctio
Microsoft
Attacking Microsoft Office - OpenOffice with Metasploit Macro Exploits
It is fair to say that Microsoft Office and OpenOffice are some of the most
popular applications in the world. We use them for writing papers, making slides
for presentations, analyzing sales or financial data, and more. This software is
so important to businesses that, even in developing countries, workers that are
proficient in an Office suite can make a decent living based on this skill
alone.
Unfortunately, high popularity for software also means more high-value targets
in the eyes of an at
Government
Wikileaks Releases Vault7: Our First Impressions
What follows are some first impressions on the contents of the WikiLeaks Vault7
[https://wikileaks.org/ciav7p1/] dump. I won't be addressing the legal or
ethical concerns about posting classified data that can endanger the missions
and goals of American intelligence organizations. I also won't be talking about
whether or not the CIA should be involved in developing cyber capabilities in
the first place as we have previously written
[/2016/04/01/security-vs-security-rapid7-supports-strong-encrypt
Exploits
12 Days of HaXmas: A Fireside Foray into a Firefox Fracas
Merry HaXmas to you! Each year we mark the 12 Days of HaXmas [/tag/haxmas/] with
12 blog posts on hacking-related topics and roundups from the year. This year,
we're highlighting some of the “gifts” we want to give back to the community.
And while these gifts may not come wrapped with a bow, we hope you enjoy them.
Towards the end of November, the Tor community was shaken up by the revelation
of a previously unknown vulnerability being actively exploited against
pedo^H^H^H^H Tor Browser user
Nexpose
Nexpose Dimensional Data Warehouse and Reporting Data Model: What's the Difference?
The Data Warehouse Export recently
[/2016/11/24/dimensional-data-warehouse-export-part-of-nexpose-646] added
support for a Dimensional Model for its export schema. This provides a much more
comprehensive, accessible, and scalable model of data than the previous (now
referred to as "Legacy") model. The foundation for this dimensional model is the
same as the Reporting Data Model, which backs the built-in reporting for SQL
Query Export. So what exactly is the difference between the Reporting Data
Vulnerability Disclosure
R7-2016-24, OpenNMS Stored XSS via SNMP (CVE-2016-6555, CVE-2016-6556)
Stored server cross-site scripting (XSS) vulnerabilities in the web application
component of OpenNMS [https://www.opennms.org/en] via the Simple Network
Management Protocol (SNMP). Authentication is not required to exploit.
Credit
This issue was discovered by independent researcher Matthew Kienow
[https://twitter.com/hacksforprofit], and reported by Rapid7.
Products Affected
The following versions were tested and successfully exploited:
* OpenNMS version 18.0.0
* OpenNMS version 18.0.1
Ope
Vulnerability Disclosure
Multiple Disclosures for Multiple Network Management Systems, Part 2
As you may recall, back in December Rapid7 disclosed six vulnerabilities
[/2015/12/16/multiple-disclosures-for-multiple-network-management-systems] that
affect four different Network Management System (NMS) products, discovered by
Deral Heiland [https://twitter.com/percent_x] of Rapid7 and independent
researcher Matthew Kienow [https://twitter.com/hacksforprofit]. In March, Deral
followed up with another pair of vulnerabilities
[/2016/03/17/r7-2016-02-multiple-vulnerabilities-in-mangeengine-opu
Exploits
Bringing Home The EXTRABACON [Exploit]
by Derek Abdine & Bob Rudis [/author/bob-rudis/] (photo CC-BY-SA Kalle
Gustafsson)
Astute readers will no doubt remember the Shadow Brokers leak of the Equation
Group exploit kits and hacking tools back in mid-August. More recently, security
researchers at SilentSignal noted
[https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/] that it was
possible to modify the EXTRABACON exploit from the initial dump to work on newer
Cisco ASA (Adaptive Security Appliance) devices, meaning that
Exploits
R7-2016-19: Persistent XSS via Unescaped Parameters in Swagger-UI (CVE-2016-5682)
Parameters within a Swagger document are insecurely loaded into browser-based
documentation. Persistent XSS occurs when this documentation is then hosted
together on a public site. This issue was resolved in Swagger-UI 2.2.1
[https://github.com/swagger-api/swagger-ui/releases/tag/v2.2.1].
Summary
One of the components used to build the interactive documentation portion of the
swagger ecosystem is the Swagger-UI [https://github.com/swagger-api/swagger-ui].
This interface generates dynamic docu
Public Policy
NIST 800-53 Control Mappings in SQL Query Export
In July, we added National Institute of Standards and Technology (NIST) Special
Publication 800-53r4 controls mappings to version 2.0.2 of the reporting data
model for SQL Query Export reports. NIST 800-53 is a publication that develops a
set of security controls standards that are designed to aid organizations in
protecting themselves from an array of threats.
What does this mean for you? Well, now you can measure your compliance against
these controls by writing SQL queries. For example, say
Vulnerability Disclosure
R7-2016-10: Multiple OSRAM SYLVANIA Osram Lightify Vulnerabilities (CVE-2016-5051 through 5059)
Nine issues affecting the Home or Pro versions of Osram LIGHTIFY were
discovered, with the practical exploitation effects ranging from the accidental
disclosure of sensitive network configuration information, to persistent
cross-site scripting (XSS) on the web management console, to operational command
execution on the devices themselves without authentication. The issues are
designated in the table below. At the time of this disclosure's publication, the
vendor has indicated that all but the la