The Acer Portal Android application version 3.9.3.2006 and below, installed by the manufacturer on all Acer branded Android devices, does not validate the SSL certificate it receives when connecting to the mobile application login server.
Monthly Archives: July 2016
CVE-2016-4979: HTTPD webserver – X509 Client certificate based authentication can be bypassed when HTTP/2 is used [vs]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Security Advisory - Apache Software Foundation
Apache HTTPD WebServer / httpd.apache.org
X509 Client certificate based authentication can
be bypassed when HTTP/2 is used
CVE-2016-4979 / CVSS 7.5
The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate a X509
client certificate correctly when experimental module for the HTTP/2
protocol is used to access a resource.
The net result is that a resource that should require a valid client certificate
in order to get access can be accessed without that credential.
Background:
- -----------
Apache can control access to resources based on various things; such as
a password, IP address and so on. One of the options, when SSL or TLS is
used, is gating access based on the client having access to a private-key of
a X509 client certificate. These client certificates are typically held on
a chipcard (e.g. the CAC card in the US, national identity, banking cards
or, for example, medical-chip cards in Europe). In some cases they
are 'soft tokens' - i.e. files, often called PKCS#12 files, which are loaded
into the browser or the 'keychain'.
Gating access based on a client certificate is done by adding a line such as
SSLVerifyClient require
to the httpd configuration; along with a list of trusted client certificate
authorities (SSLCACertificateFile).
Version 2.4.17 of the Apache HTTP Server introduced an experimental feature:
mod_http2 for the HTTP/2 protocol (RFC7540, previous versions were known as
Google SPDY).
This module is NOT compiled in by default -and- is not enabled by default,
although some distribution may have chosen to do so.
It is generally needs to be enabled in the 'Protocols' line in httpd by
adding 'h2' and/or 'h2c' to the 'http/1.1' only default.
The default distributions of the Apache Software Foundation do not include
this experimental feature.
Details:
- --------
- From version 2.4.18, upto and including version 2.4.20 the server failed
to take the (failed/absent) client certificate validation into account
when providing access to a resource over HTTP/2. This issue has been fixed
in version 2.4.23 (r1750779).
As a result - a resource thought to be secure and requiring a valid
client certificate - would be accessible without authentication
provided that the mod_http2 was loaded, h2 or h2c activated, that
that the browser used the HTTP/2 protocol and it would do more than
one request over a given connection.
Impact:
- -------
A third party can gain access to resources on the web server without
the requisite credentials.
This can then lead to unauthorised disclosure of information.
Versions affected:
- ------------------
All versions from 2.4.18 to 2.4.20. The issue is fixed in
version 2.4.23 (released 2015-6-5)
Resolution:
- -----------
Upgrade to version 2.4.23 or newer.
Mitigations and work arounds:
- -----------------------------
As a temporary workaround - HTTP/2 can be disabled by changing
the configuration by removing h2 and h2c from the Protocols
line(s) in the configuration file.
The resulting line should read:
Protocols http/1.1
Credits and timeline
- --------------------
The flaw was found and reported by Erki Aring <[email protected]>
from Liewenthal Electronics Ltd on 2016-06-30. The issue was
resolved by Stefan Eissing that same day and incorporated in
the release of 5th of July 2015 (thus avoiding a bank holiday).
Apache would like to thank all involved for their help with this.
Common Vulnerability Scoring (Version 3) and vector
- ---------------------------------------------------
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
CVSS Base Score 7.5
CVSS Temporal Score 7.0
1.05 / : 2339 $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4
Comment: This message is encrypted and/or signed with PGP (gnu-pg, gpg). Contact [email protected]
if you cannot read it.
iEYEARECAAYFAld7tREACgkQ/W+IxiHQpxssBwCg2PU1xiye20scB23ZEAdhuEjA
JPoAmwUaZFh/tr2tR3opAVnFo+mSgMDi
=zNG2
-----END PGP SIGNATURE-----
[ANNOUNCE] Apache HTTP Server 2.4.23 Released
Apache HTTP Server 2.4.23 Released
The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.23 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
principally a feature and bug fix release.
NOTE: Versions 2.4.22 and 2.4.21 were not released.
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
Apache HTTP Server 2.4.23 is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.4 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase. For an overview of new features
introduced since 2.4 please see:
http://httpd.apache.org/docs/trunk/new_features_2_4.html
Of particular note are 2 reverse proxy additions: Support of
HTTP/2 and dynamic health checks.
Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.4.23 includes only
those changes introduced since the prior 2.4 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
http://httpd.apache.org/security/vulnerabilities_24.html
This release requires the Apache Portable Runtime (APR) version 1.5.x
and APR-Util version 1.5.x. The APR libraries must be upgraded for all
features of httpd to operate correctly.
This release builds on and extends the Apache 2.2 API. Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.4, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
Please note that Apache Web Server Project will only provide maintenance
releases of the 2.2.x flavor through June of 2017, and will provide some
security patches beyond this date through at least December of 2017.
Minimal maintenance patches of 2.2.x are expected throughout this period,
and users are strongly encouraged to promptly complete their transitions
to the the 2.4.x flavor of httpd to benefit from a much larger assortment
of minor security and bug fixes as well as new features.
GDPR: Enabling Digital Transformation in the EU
There is a growing amount of personal information and data available on the internet that is accessible to an infinite number of businesses and organizations. In regard to this, there is something we must keep in mind: GDPR.
The General Data Protection Regulation (GDPR) affects all businesses in the European Union. It also affects businesses that offer services to EU citizens, monitor their behavior, or obligate them to give information extracted from data processors.
But, what will happen to the IT security sector once the BREXIT is in full swing?
The GDPR and Cybersecurity Post-Brexit
Two facts influenced the title of this article:
- Businesses are currently immersed in a technological revolution. Cybersecurity has opened the door for Digital Transformation. In fact, 43% of company heads consider that security should be the first priority when implementing Digital Transformation. IT security is a true business value because businesses cannot be digital without first protecting themselves.
- The Brexit: It is impossible to ignore the strong influence that the UK has had on the EU, especially in the cybersecurity sector. We cannot disregard the level of paternity that the UK has had in regards to cybersecurity laws, which mostly come from the European Convention on Human Rights (a humorous example of this can be seen in this Monty Python remake).
When summarizing the GDPR, there are three main points to keep in mind:
1- The baseline scenario for most organizations and companies larger than 250 employees in the EU: institutions who have successfully empowered employees with business silo information, who have implemented Big Data tools, and generated trillions of data files from productivity tools.
2- To fix the IT problem we need to take back control of the distributed information silo and comply with rules 12-21 of the GDPR (clear ownership, custodian and new specific accesses like the right to be forgotten, serious and proactive reporting of all data leakage and manipulation incidents, etc.) while satisfying the growing demand for digital transformation. This suggests that there is a greater distribution of business data that is both quick and automatic.
3- Lastly, we must place some importance on some of the technologies that have been implemented and personalized in different companies (Spain) over the last two years. The results have been positive with a different operational impact deriving from the GDPR based on intelligent threat platforms like Panda Adaptive Defense 360.
The future of GDPR after the BREXIT
These changes should be in full swing by mid-2018. It is uncertain how to anticipate the GDPR changes, especially when it comes to implementing operational changes related to cross-border data transfer. We hope this information is useful for people in IT roles who are up against similar situations. We will continue to look over the current regulations and wait for GDPR updates following the BREXIT. Stay tuned!
Author: Salvador Sánchez Taboada https://www.linkedin.com/in/salvadorsanchez/es
The post GDPR: Enabling Digital Transformation in the EU appeared first on Panda Security Mediacenter.
Data leak dangers: Know your weak spots
When it comes to data leaks, what are the major weak spots you need to be looking out for? This feature explores three common causes.
The post Data leak dangers: Know your weak spots appeared first on We Live Security.
Apple Safari 9.1.1 Local XXE Injection
Apple Safari version 9.1.1 for Mac OS X suffers from a local XXE vulnerability when processing specially crafted SVG images. This does not work with downloaded files.
Apache 2.4.20 X509 Authentication Bypass
Apache HTTPD WebServer versions 2.4.18 through 2.4.20 do not validate an X509 client certificate correctly when the experimental module for the HTTP/2 protocol is used to access a resource.
Chinese Ad Firm Infected 85 Million Android Users to Get More Clicks
An Android-based malware campaign has been found to control as many as 85 million Android devices globally and is making its gang an estimated $300,000 per month in fraudulent ad revenue.
A Chinese advertising company called Yingmob is responsible for distributing the malware on a massive scale and would appear to be the same firm behind Yispecter iOS malware, cybersecurity company Check
Second 'Fappening' Hacker Pleads Guilty; Facing up to 5 years in Prison
A second man has pleaded guilty for his role in ‘The Fappening’ breach of 2014, in which the Internet was flooded with thousands of nude photographs of popular celebrities, including Jennifer Lawrence, Kim Kardashian, Kate Upton and Kirsten Dunst.
Edward Majerczyk (28) of Chicago, Illinois agreed to plead guilty last Friday to hacking into the Apple iCloud and Gmail accounts of more than 300
Kaspersky Lab Report Reveals Business Executives Are Exposing Critical Corporate Data While Traveling
The Kaspersky Lab International Travel Report found that business travelers, especially senior-level executives, admit to experiencing cybercrime while traveling.