5 min
Metasploit
Testing Developer Security with Metasploit Pro Task Chains
In this modern age, technology continues to make inroads into all sorts of
industries. Everything from smartphones to late-model automobiles to
internet-connected toasters requires software to operate, and this proliferation
of software has brought along gaggles of software developers with their
tools-of-the-trade. All this technology —not to mention the people utilizing it—
can result in an increased attack surface for organizations doing software
development.
In this blog post, we’ll explore
4 min
Vulnerability Disclosure
R7-2017-08: BPC SmartVista SQL Injection Vulnerability
Important update: 2018/01/25
BPC informed Rapid7 that this vulnerability only impacted the specified version
of SmartVista Front-End (2.2.10, revision 287921), which had very limited
distribution. Once the vulnerability described below was discovered, BPC
released a patch on Jul 19, 2017, before the issuance of the public disclosure
by Rapid7 on Oct 17, 2017. We have no reason to believe that any other versions
of SmartVista Front-End are vulnerable to this issue. Rapid7 believed the issue
to st
8 min
Vulnerability Management
No-Priority, Post-Auth Vulnerabilities
In the course of collecting and disclosing vulnerabilities, I occasionally come
across an issue that walks like a vuln, quacks like a vuln, but… it’s not
exactly a vuln. As per our usual vulnerability disclosure process
[https://www.rapid7.com/security/disclosure/], we still report these issues to
vendors. The behavior observed is nearly always a bug of some sort, but it’s not
immediately exploitable, or the “exploit” is merely exercising the expected
level of privilege, but in an unexpected con
6 min
Vulnerability Disclosure
Vulnerabilities Affecting Four Rapid7 Products (FIXED)
Today we are announcing four fixed vulnerabilities in four Rapid7 products,
summarized in the table below. These issues are low to medium severity (mostly
due to the high exploitation requirements), but we want to make sure that our
customers have all the information they need to make informed security
decisions. This article includes detailed descriptions of the vulnerabilities,
as well as how to ensure they are mitigated in your environment. Some of the
updates are automatic, but some may requ
8 min
Vulnerability Disclosure
Multiple vulnerabilities in Wink and Insteon smart home systems
Today we are announcing four issues affecting two popular home automation
solutions: Wink's Hub 2 and Insteon's Hub. Neither vendor stored sensitive
credentials securely on their associated Android apps. In addition, the Wink
cloud-based management API does not properly expire and revoke authentication
tokens, and the Insteon Hub uses an unencrypted radio transmission protocol for
potentially sensitive security controls such as garage door locks.
As most of these issues have not yet been addres
7 min
Research
Cisco Smart Install Exposure
Cisco Smart Install (SMI) provides configuration and image management
capabilities for Cisco switches. Cisco’s SMI documentation
[http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html]
goes into more detail than we’ll be touching on in this post, but the short
version is that SMI leverages a combination of DHCP, TFTP and a proprietary TCP
protocol to allow organizations to deploy and manage Cisco switches. Using SMI
yields a number of be
5 min
Authentication
R7-2017-07: Multiple Fuze TPN Handset Portal vulnerabilities (FIXED)
This post describes three security vulnerabilities related to access controls
and authentication in the TPN Handset Portal, part of the Fuze platform. Fuze
fixed all three issues by May 6, 2017, and user action is not required to
remediate. Rapid7 thanks Fuze for their quick and thoughtful response to these
vulnerabilities:
* R7-2017-07.1, CWE-284 (Improper Access Control)
[https://cwe.mitre.org/data/definitions/284.html]: An unauthenticated remote
attacker can enumerate through MAC addr
2 min
Vulnerability Disclosure
R7-2017-06 | CVE-2017-5241: Biscom SFT XSS (FIXED)
Summary
The Workspaces component of Biscom Secure File Transfer (SFT) version 5.1.1015
is vulnerable to stored cross-site scripting in two fields. An attacker would
need to have the ability to create a Workspace and entice a victim to visit the
malicious page in order to run malicious Javascript in the context of the
victim's browser. Since the victim is necessarily authenticated, this can allow
the attacker to perform actions on the Biscom Secure File Transfer instance on
the victim's behalf.
2 min
Vulnerability Disclosure
R7-2017-16 | CVE-2017-5244: Lack of CSRF protection for stopping tasks in Metasploit Pro, Express, and Community editions (FIXED)
Summary
A vulnerability in Metasploit Pro, Express, and Community was patched in
Metasploit v4.14.0 (Update 2017061301)
[https://help.rapid7.com/metasploit/release-notes/archive/2017/06/#20170613].
Routes used to stop running tasks (either particular ones or all tasks) allowed
GET requests. Only POST requests should have been allowed, as the stop/stop_all
routes change the state of the service. This could have allowed an attacker to
stop currently-running Metasploit tasks by getting an authenti
4 min
Nexpose
R7-2017-13 | CVE-2017-5243: Nexpose Hardware Appliance SSH Enabled Obsolete Algorithms
Summary
Nexpose [https://www.rapid7.com/products/nexpose/] physical appliances shipped
with an SSH configuration that allowed obsolete algorithms to be used for key
exchange and other functions. Because these algorithms are enabled, attacks
involving authentication to the hardware appliances are more likely to succeed.
We strongly encourage current hardware appliance owners to update their systems
to harden their SSH configuration using the steps outlined under “Remediation”
below. In addition,
3 min
Vulnerability Disclosure
R7-2017-05 | CVE-2017-3211: Centire Yopify Information Disclosure
This post describes a vulnerability in Yopify (a plugin for various popular
e-commerce platforms), as well as remediation steps that have been taken. Yopify
leaks the first name, last initial, city, and recent purchase data of customers,
all without user authorization. This poses a significant privacy risk for
customers. This vulnerability is characterized as: CWE-213 (Intentional
Information Disclosure) [https://cwe.mitre.org/data/definitions/213.html].
Product Description
Yopify [https://yopi
17 min
Vulnerability Disclosure
R7-2016-23, R7-2016-26, R7-2016-27: Multiple Home Security Vulnerabilities
Executive Summary
In October of 2016, former Rapid7 researcher Phil Bosco
[https://twitter.com/secillusion] discovered a number of relatively low-risk
vulnerabilities and issues involving home security systems that are common
throughout the United States, and which have significant WiFi or Ethernet
capabilities. The three systems tested were offerings from Comcast XFINITY, ADT,
and AT&T Digital Life, and the issues discovered ranged from an apparent "fail
open" condition on the external door and
1 min
Vulnerability Disclosure
On the lookout for Intel AMT CVE-2017-5689
We've had some inquiries about checks for CVE-2017-5689, a vulnerability
affecting Intel AMT devices. On May 5th, 2017, we released a potential
vulnerability check that can help identify assets that may be vulnerable. We
initially ran into issues with trying to determine the exact version of the
firmware remotely, and so a potential check was released so that you would still
be able to identify devices that may be impacted by this.
We didn't stop there though. As part of yesterday's Nexpose rel
3 min
Vulnerability Disclosure
R7-2017-02: Hyundai Blue Link Potential Info Disclosure (FIXED)
Summary
Due to a reliance on cleartext communications and the use of a hard-coded
decryption password, two outdated versions of Hyundai Blue Link application
software, 3.9.4 and 3.9.5 potentially expose sensitive information about
registered users and their vehicles, including application usernames, passwords,
and PINs via a log transmission feature. This feature was introduced in version
3.9.4 on December 8, 2016, and removed by Hyundai on March 6, 2017 with the
release of version 3.9.6.
Affec
4 min
Public Policy
Rapid7 urges NIST and NTIA to promote coordinated disclosure processes
Rapid7 has long been a champion of coordinated vulnerability disclosure and
handling processes as they play a critical role in both strengthening risk
management practices and protecting security researchers. We not only use
coordinated disclosure processes in our own vulnerability disclosure
[https://www.rapid7.com/security/disclosure/] and receiving activities, but also
advocate for broader adoption in industry and in government policies.
Building on this, we recently joined forces with other