3 min
Vulnerability Disclosure
R7-2017-02: Hyundai Blue Link Potential Info Disclosure (FIXED)
Summary
Due to a reliance on cleartext communications and the use of a hard-coded
decryption password, two outdated versions of Hyundai Blue Link application
software, 3.9.4 and 3.9.5 potentially expose sensitive information about
registered users and their vehicles, including application usernames, passwords,
and PINs via a log transmission feature. This feature was introduced in version
3.9.4 on December 8, 2016, and removed by Hyundai on March 6, 2017 with the
release of version 3.9.6.
Affec
6 min
Vulnerability Disclosure
R7-2016-28: Multiple Eview EV-07S GPS Tracker Vulnerabilities
Seven issues were identified with the Eview EV-07S GPS tracker, which can allow
an unauthenticated attacker to identify deployed devices, remotely reset
devices, learn GPS location data, and modify GPS data. Those issues are briefly
summarized on the table below.
These issues were discovered by Deral Heiland of Rapid7, Inc., and this advisory
was prepared in accordance with Rapid7's disclosure policy.
Vulnerability DescriptionR7 IDCVEExploit VectorUnauthenticated remote factory
resetR7-2016-28
4 min
IoT
On the Recent DSL Modem Vulnerabilities
by Tod Beardsley [https://twitter.com/todb] and Bob Rudis
[https://twitter.com/hrbrmstr]
What's Going On?
Early in November, a vulnerability was disclosed affecting Zyxel DSL modems,
which are rebranded and distributed to many DSL broadband customers across
Europe. Approximately 19 days later, this vulnerability was leveraged in
widespread attacks across the Internet, apparently connected with a new round of
Mirai botnet activity.
If you are a DSL broadband customer, you can check to see if yo
4 min
Vulnerability Disclosure
R7-2016-24, OpenNMS Stored XSS via SNMP (CVE-2016-6555, CVE-2016-6556)
Stored server cross-site scripting (XSS) vulnerabilities in the web application
component of OpenNMS [https://www.opennms.org/en] via the Simple Network
Management Protocol (SNMP). Authentication is not required to exploit.
Credit
This issue was discovered by independent researcher Matthew Kienow
[https://twitter.com/hacksforprofit], and reported by Rapid7.
Products Affected
The following versions were tested and successfully exploited:
* OpenNMS version 18.0.0
* OpenNMS version 18.0.1
Ope
11 min
Vulnerability Disclosure
Multiple Bluetooth Low Energy (BLE) Tracker Vulnerabilities
Executive Summary
While examining the functionality of three vendors' device tracker products, a
number of issues surfaced that leak personally identifying geolocation data to
unauthorized third parties. Attackers can leverage these vulnerabilities to
locate individual users' devices, and in some cases, alter geolocation data for
those devices. The table below briefly summarizes the twelve vulnerabilities
identified across three products.
VulnerabilityDeviceR7 IDCVECleartext PasswordTrackR Brav
4 min
IoT
Mirai FAQ: When IoT Attacks
Update: Following the attack on Dyn back in October, there is some speculation
over whether a similar Mirai-style attack could be leveraged to influence the
election. This feels like FUD to me; there doesn't seem to be a mechanism to
knock out one critical service to kick over enough state and county election
websites, Dyn-style, to make such an attack practical. It could potentially be
feasible if it turns out that a lot of city, county, and state websites are
sharing one unique upstream resour
4 min
Research
NCSAM: Independent Research and IoT
October is National Cyber Security Awareness month and Rapid7 is taking this
time to celebrate security research. This year, NCSAM coincides with new legal
protections for security research under the DMCA and the 30th anniversary of the
CFAA - a problematic law that hinders beneficial security research. Throughout
the month, we will be sharing content that enhances understanding of what
independent security research is, how it benefits the digital ecosystem, and the
challenges that researchers f
7 min
Vulnerability Disclosure
R7-2016-07: Multiple Vulnerabilities in Animas OneTouch Ping Insulin Pump
Today we are announcing three vulnerabilities in the Animas OneTouch Ping
insulin pump system, a popular pump with a blood glucose meter that services as
a remote control via RF communication. Before we get into the technical details,
we want to flag that we believe the risk of wide scale exploitation of these
insulin pump vulnerabilities is relatively low, and we don't believe this is
cause for panic. We recommend that users of the devices consult their healthcare
providers before making major
13 min
Vulnerability Disclosure
Multiple Disclosures for Multiple Network Management Systems, Part 2
As you may recall, back in December Rapid7 disclosed six vulnerabilities
[/2015/12/16/multiple-disclosures-for-multiple-network-management-systems] that
affect four different Network Management System (NMS) products, discovered by
Deral Heiland [https://twitter.com/percent_x] of Rapid7 and independent
researcher Matthew Kienow [https://twitter.com/hacksforprofit]. In March, Deral
followed up with another pair of vulnerabilities
[/2016/03/17/r7-2016-02-multiple-vulnerabilities-in-mangeengine-opu
8 min
Vulnerability Disclosure
R7-2016-10: Multiple OSRAM SYLVANIA Osram Lightify Vulnerabilities (CVE-2016-5051 through 5059)
Nine issues affecting the Home or Pro versions of Osram LIGHTIFY were
discovered, with the practical exploitation effects ranging from the accidental
disclosure of sensitive network configuration information, to persistent
cross-site scripting (XSS) on the web management console, to operational command
execution on the devices themselves without authentication. The issues are
designated in the table below. At the time of this disclosure's publication, the
vendor has indicated that all but the la
2 min
Vulnerability Disclosure
R7-2016-08: Seeking Alpha Mobile App Unencrypted Sensitive Information Disclosure
Due to a lack of encryption in communication with the associated web services,
the Seeking Alpha [http://seekingalpha.com] mobile application for Android and
iPhone leaks personally identifiable and confidential information, including the
username and password to the associated account, lists of user-selected stock
ticker symbols and associated positions, and HTTP cookies.
Credit
Discovered by Derek Abdine (@dabdine [https://twitter.com/dabdine]) of Rapid7,
Inc., and disclosed in accordance wit
2 min
Microsoft
On Badlock for Samba (CVE-2016-2118) and Windows (CVE-2016-0128)
Today is Badlock Day
You may recall that the folks over at badlock.org [http://badlock.org/] stated
about 20 days ago that April 12 would see patches for "Badlock," a serious
vulnerability in the SMB/CIFS protocol that affects both Microsoft Windows and
any server running Samba, an open source workalike for SMB/CIFS services. We
talked about it back in our Getting Ahead of Badlock
[/2016/03/30/getting-ahead-of-badlock] post, and hopefully, IT administrators
have taken advantage of the pre-releas
3 min
Malware
Ransomware FAQ: Avoiding the latest trend in malware
Recently, a number of Rapid7's customers have been evaluating the risks posed by
the swift rise of ransomware as an attack vector. Today, I'd like to address
some of the more common concerns.
What is Ransomware?
Cryptowall [http://www.theregister.co.uk/2015/11/09/cryptowall_40/] and
Cryptolocker [https://www.us-cert.gov/ncas/alerts/TA13-309A] are among of the
best known ransomware criminal malware packages today. In most cases, users are
afflicted by ransomware by clicking on a phishing link o
4 min
Vulnerability Disclosure
R7-2016-02: Multiple Vulnerabilities in ManageEngine OpUtils
Disclosure Summary
ManageEngine OpUtils is an enterprise switch port and IP address management
system. Rapid7's Deral Heiland discovered a persistent cross-site scripting
(XSS) vulnerability, as well as a number of insecure direct object references.
The vendor and CERT have been notified of these issues. The version tested was
OpUtils 8.0, which was the most recent version at the time of initial
disclosure. As of today, the current version offered by ManageEngine is OpUtils
12.0.
R7-2016-02.1:
5 min
IoT
R7-2016-01: Null Credential on Moxa NPort (CVE-2016-1529)
This advisory was written by the discoverer of the NPort issue, Joakim Kennedy
of Rapid7, Inc.
Securing legacy hardware is a difficult task, especially when the hardware is
being connected in a way that was never initially intended. One way of making
legacy hardware more connectable is to use serial servers. The serial server
acts as a bridge and allows serial devices to communicate over TCP/IP. The
device then appears on the network as a normal network-connected device. This
allows for remote