Vulnerability Disclosure
R7-2016-28: Multiple Eview EV-07S GPS Tracker Vulnerabilities
Seven issues were identified with the Eview EV-07S GPS tracker, which can allow
an unauthenticated attacker to identify deployed devices, remotely reset
devices, learn GPS location data, and modify GPS data. Those issues are briefly
summarized on the table below.
These issues were discovered by Deral Heiland of Rapid7, Inc., and this advisory
was prepared in accordance with Rapid7's disclosure policy.
Vulnerability Description | R7 ID | CVE | Exploit Vector
Unauthenticated remote factory reset | R7-2016-28
Application Security
Apache Struts Vulnerability (CVE-2017-5638) Protection: Scanning with Nexpose
On March 9th, 2017 we highlighted the availability of a vulnerability check in
Nexpose for CVE-2017-5638
[https://rapid7.com/db/modules/exploit/multi/http/struts2_content_type_ognl] –
see the full blog post describing the Apache Struts vulnerability here
[/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild]. This check would
be performed against the root URI of any HTTP/S endpoints discovered during a
scan.
On March 10th, 2017 we added an additional check that would work in conjunctio
Vulnerability Disclosure
R7-2017-01: Multiple Vulnerabilities in Double Robotics Telepresence Robot
This post describes three vulnerabilities in the Double Robotics Telepresence
Robot ecosystem related to improper authentication, session fixation, and weak
Bluetooth pairing. We would like to thank Double Robotics for their prompt
acknowledgement of the vulnerabilities, and for addressing the ones that they
considered serious. Two of the three vulnerabilities were patched via updates to
Double Robotics servers on Mon, Jan 16, 2017.
Credit
These issues were discovered by Rapid7 researcher Deral
Vulnerability Disclosure
The Cloudflare (Cloudbleed) Proxy Service Vulnerability Explained
TL;DR
This week a vulnerability was disclosed, which could result in sensitive data
being leaked from websites using Cloudflare's proxy services. The vulnerability
- referred to as "Cloudbleed" - does not affect Rapid7's solutions/services.
This is a serious security issue, but it's not a catastrophe. Out of an
abundance of caution, we recommend you reset your passwords, starting with your
most important accounts (especially admin accounts). A reasonable dose of
skepticism and prudence will go
Vulnerability Disclosure
R7-2016-24, OpenNMS Stored XSS via SNMP (CVE-2016-6555, CVE-2016-6556)
Stored server-side cross-site scripting (XSS) vulnerabilities exist in the web
application component of OpenNMS [https://www.opennms.org/en], reachable via the
Simple Network Management Protocol (SNMP). Authentication is not required to exploit.
Credit
This issue was discovered by independent researcher Matthew Kienow
[https://twitter.com/hacksforprofit], and reported by Rapid7.
Products Affected
The following versions were tested and successfully exploited:
* OpenNMS version 18.0.0
* OpenNMS version 18.0.1
Ope
Nexpose
Nexpose integrates with McAfee ePO and DXL: The first unified vulnerability management solution for Intel Security customers!
We wanted to give you a preview of Nexpose's new integration with both McAfee
ePolicy Orchestrator (ePO) and McAfee Data Exchange Layer (DXL); this is the
next stage of our partnership with Intel as their chosen vendor for
vulnerability management. This partnership is also a first for both Rapid7 and
Intel, as Nexpose is the only vulnerability management
[https://www.rapid7.com/solutions/vulnerability-management/] solution to not
only push our unique risk scoring into ePO for analysis, but al
Vulnerability Disclosure
Multiple Bluetooth Low Energy (BLE) Tracker Vulnerabilities
Executive Summary
While examining the functionality of three vendors' device tracker products, a
number of issues surfaced that leak personally identifying geolocation data to
unauthorized third parties. Attackers can leverage these vulnerabilities to
locate individual users' devices, and in some cases, alter geolocation data for
those devices. The table below briefly summarizes the twelve vulnerabilities
identified across three products.
Vulnerability | Device | R7 ID | CVE
Cleartext Password | TrackR Brav
Vulnerability Disclosure
R7-2016-07: Multiple Vulnerabilities in Animas OneTouch Ping Insulin Pump
Today we are announcing three vulnerabilities in the Animas OneTouch Ping
insulin pump system, a popular pump with a blood glucose meter that serves as
a remote control via RF communication. Before we get into the technical details,
we want to flag that we believe the risk of wide scale exploitation of these
insulin pump vulnerabilities is relatively low, and we don't believe this is
cause for panic. We recommend that users of the devices consult their healthcare
providers before making major
Vulnerability Disclosure
Multiple Disclosures for Multiple Network Management Systems, Part 2
As you may recall, back in December Rapid7 disclosed six vulnerabilities
[/2015/12/16/multiple-disclosures-for-multiple-network-management-systems] that
affect four different Network Management System (NMS) products, discovered by
Deral Heiland [https://twitter.com/percent_x] of Rapid7 and independent
researcher Matthew Kienow [https://twitter.com/hacksforprofit]. In March, Deral
followed up with another pair of vulnerabilities
[/2016/03/17/r7-2016-02-multiple-vulnerabilities-in-mangeengine-opu
Vulnerability Disclosure
R7-2016-10: Multiple OSRAM SYLVANIA Osram Lightify Vulnerabilities (CVE-2016-5051 through 5059)
Nine issues affecting the Home or Pro versions of Osram LIGHTIFY were
discovered, with the practical exploitation effects ranging from the accidental
disclosure of sensitive network configuration information, to persistent
cross-site scripting (XSS) on the web management console, to operational command
execution on the devices themselves without authentication. The issues are
designated in the table below. At the time of this disclosure's publication, the
vendor has indicated that all but the la
Vulnerability Disclosure
R7-2016-08: Seeking Alpha Mobile App Unencrypted Sensitive Information Disclosure
Due to a lack of encryption in communication with the associated web services,
the Seeking Alpha [http://seekingalpha.com] mobile application for Android and
iPhone leaks personally identifiable and confidential information, including the
username and password to the associated account, lists of user-selected stock
ticker symbols and associated positions, and HTTP cookies.
Credit
Discovered by Derek Abdine (@dabdine [https://twitter.com/dabdine]) of Rapid7,
Inc., and disclosed in accordance wit
Vulnerability Disclosure
R7-2016-06: Remote Code Execution via Swagger Parameter Injection (CVE-2016-5641)
This disclosure will address a class of vulnerabilities in a Swagger Code
Generator [https://github.com/swagger-api/swagger-codegen] in which injectable
parameters in a Swagger JSON or YAML file facilitate remote code execution. This
vulnerability applies to NodeJS [https://nodejs.org/en/], PHP, Ruby
[https://www.ruby-lang.org/en/], and Java [https://java.com/en/download/] and
probably other languages as well. Other code generation tools
[https://apimatic.io/] may also be vulnerable to paramete
Vulnerability Disclosure
R7-2016-02: Multiple Vulnerabilities in ManageEngine OpUtils
Disclosure Summary
ManageEngine OpUtils is an enterprise switch port and IP address management
system. Rapid7's Deral Heiland discovered a persistent cross-site scripting
(XSS) vulnerability, as well as a number of insecure direct object references.
The vendor and CERT have been notified of these issues. The version tested was
OpUtils 8.0, which was the most recent version at the time of initial
disclosure. As of today, the current version offered by ManageEngine is OpUtils
12.0.
R7-2016-02.1:
IoT
R7-2016-01: Null Credential on Moxa NPort (CVE-2016-1529)
This advisory was written by the discoverer of the NPort issue, Joakim Kennedy
of Rapid7, Inc.
Securing legacy hardware is a difficult task, especially when the hardware is
being connected in a way that was never initially intended. One way of making
legacy hardware more connectable is to use serial servers. The serial server
acts as a bridge and allows serial devices to communicate over TCP/IP. The
device then appears on the network as a normal network-connected device. This
allows for remote
IoT
CVE-2015-7547: Revenge of Glibc Resolvers
If you've been involved in patch frenzies for any reasonable amount of time, you
might remember last year's hullabaloo around GHOST
[/2015/01/27/ghost-in-the-machine-is-cve-2015-0235-another-heartbleed], a
vulnerability in glibc's gethostbyname() function. Well, another year, another
resolver bug.
gethostbyname(), meet getaddrinfo()
This time, it's an exploitable vulnerability in glibc's getaddrinfo(). Like
GHOST, this will affect loads and loads of Linux client and server applications,
and lik