Threat Level: green Handler on Duty: Tom Webb

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-05-17 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

VMWare Security Advisories VMSA-2016-0005

Published: 2016-05-17
Last Updated: 2016-05-17 19:54:20 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
0 comment(s)

VMWare published today a security advisory about the following CVEs:

  • CVE-2016-3427 Critical JMX issue when deserializing authentication credentials. This vulnerability allows to execute commands to the RMI Server of Oracle JRE JMX without proper authentication. This is a remote and local vulnerability.
  • CVE-2016-2077 Important VMWare Workstation and Player for Windows host privilege escalation vulnerability. This vulnerability allows privilege escalation. It's a local vulnerability.

Not all products are affected and not all affected products already has a patch. If there is not a patch, there is a workaround. Check https://www.vmware.com/security/advisories/VMSA-2016-0005.html for more information about your product.

We have not noticed exploits in the wild so far. If you notice one, please let us know using our contact form.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

Keywords:
0 comment(s)

CVE-2016-2208 Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

Published: 2016-05-17
Last Updated: 2016-05-17 19:23:19 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
3 comment(s)

More vulnerabilities! This time the Symantec Antivirus engine. There is a buffer overflow that can be triggered by malformed PE executables is the SizeofRawData PE attribute is greater than SizeofImage PE attribute. Exploiting this bug will give the attacker root in UNIX and kernel memory corruption in Windows being able to execute anything with maximum privileges. This bug can be dangerous because the PE malformation is not usually checked within Antivirus, Host IPS platform or proxies.

Want to perform a PoC yourself? Download the test file . If vulnerable, a kernel panic like this in Windows systems should appear.

You should patch this vulnerability ASAP with Symantec Antivirus Engine 20151.1.1.4. Red the full Symantec Advisory here.

We are unaware of exploits in the wild for this vulnerability. If you notice one, please let us know by our contact form.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

Keywords:
3 comment(s)

Exploit Available For Cisco IKEv1 and IKEv2 Buffer Overflow Vulnerability

Published: 2016-05-17
Last Updated: 2016-05-17 15:20:44 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

An exploit has been made publicly available for CVE-2016-1287. A patch for the vulnerability, and quite a bit of detail about the vulnerability, was released in February [1]. We recommend you expedite patching this problem if you haven't already done so.

[1] https://blog.exodusintel.com/2016/02/10/firewall-hacking/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
3 comment(s)
ISC Stormcast For Tuesday, May 17th 2016 http://isc.sans.edu/podcastdetail.html?id=4999
Diary Archives