Original release date: October 24, 2016

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

• High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

• Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

• Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 21, 2016

US-CERT is aware of a Linux kernel vulnerability known as Dirty COW (CVE-2016-5195). Exploitation of this vulnerability may allow an attacker to take control of an affected system.

US-CERT recommends that users and administrators review the Red Hat CVE Database, the Canoical Ubuntu CVE Tracker, and CERT Vulnerability Note VU#243144 for additional details, and refer to their Linux or Unix-based OS vendors for appropriate patches.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 20, 2016

Mozilla has released Firefox 49.0.2 to address a security vulnerability. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review Mozilla Security Advisory for Firefox and apply the necessary update.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 20, 2016

The Internet Systems Consortium (ISC) has released a security advisory to highlight a vulnerability in versions of BIND software released before May 2013, and in third-party versions that do not include fix #3548. Exploitation of this vulnerability may allow a remote attacker to cause a denial-of-service condition. Using unpatched software increases risks from viruses and other security threats, and attackers may target vulnerabilities for months or even years after patches are available.

Users and administrators are encouraged to review the ISC Security Advisory and apply the necessary updates. See US-CERT Security Tip on Understanding Patches for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 19, 2016

Cisco has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

US-CERT encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates:

• Cisco ASA Software Identity Firewall Feature Buffer Overflow Vulnerability [cisco-sa-20161019-asa-idfw]
• Cisco Firepower Detection Engine HTTP Denial of Service Vulnerability [cisco-sa-20161019-fpsnort]
• Cisco ASA Software Local Certificate Authority Denial of Service Vulnerability [cisco-sa-20161019-asa-ca]
• Cisco Meeting Server Information Disclosure Vulnerability [cisco-sa-20161019-cms1]
• Cisco Meeting Server Cross-Site Request Forgery Vulnerability [cisco-sa-20161019-cms]

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 18, 2016

Oracle has released its Critical Patch Update for October 2016 to address 247 vulnerabilities across multiple products. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review the Oracle October 2016 Critical Patch Update and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 17, 2016

In partnership with DHS, the National Cyber Security Alliance has released information on recognizing cyber crime and how to protect yourself online. Recommendations include deleting suspicious communications, being wary of “too good to be true” offers, and using strong authentication. The #CyberAware Tip of the Week is to keep a clean machine—make sure the security software on all your electronic devices is updated.

US-CERT encourages users and administrators to review the Stop.Think.Connect. Phishing Tip Card and the US-CERT Tip Understanding Patches for additional information. Visit the US-CERT website for articles on Week 1 and Week 2 of the campaign.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 17, 2016

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

• High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

• Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

• Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 14, 2016

Systems Affected

Internet of Things (IoT)—an emerging network of devices (e.g., printers, routers, video cameras, smart TVs) that connect to one another via the Internet, often automatically sending and receiving data

Overview

Recently, IoT devices have been used to create large-scale botnets—networks of devices infected with self-propagating malware—that can execute crippling distributed denial-of-service (DDoS) attacks. IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.

Description

On September 20, 2016, Brian Krebs’ security blog (krebsonsecurity.com) was targeted by a massive DDoS attack, one of the largest on record, exceeding 620 gigabits per second (Gbps).[1] An IoT botnet powered by Mirai malware created the DDoS attack. The Mirai malware continuously scans the Internet for vulnerable IoT devices, which are then infected and used in botnet attacks. The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices.[2] The purported Mirai author claimed that over 380,000 IoT devices were enslaved by the Mirai malware in the attack on Krebs’ website.[3]

In late September, a separate Mirai attack on French webhost OVH broke the record for largest recorded DDoS attack. That DDoS was at least 1.1 terabits per second (Tbps), and may have been as large as 1.5 Tbps.[4]

The IoT devices affected in the latest Mirai incidents were primarily home routers, network-enabled cameras, and digital video recorders.[5] Mirai malware source code was published online at the end of September, opening the door to more widespread use of the code to create other DDoS attacks.

In early October, Krebs on Security reported on a separate malware family responsible for other IoT botnet attacks.[6] This other malware, whose source code is not yet public, is named Bashlite. This malware also infects systems through default usernames and passwords. Level 3 Communications, a security firm, indicated that the Bashlite botnet may have about one million enslaved IoT devices.[7]

Impact

With the release of the Mirai source code on the Internet, there are increased risks of more botnets being generated. Both Mirai and Bashlite can exploit the numerous IoT devices that still use default passwords and are easily compromised. Such botnet attacks could severely disrupt an organization’s communications or cause significant financial harm.

Software that is not designed to be secure contains vulnerabilities that can be exploited. Software-connected devices collect data and credentials that could then be sent to an adversary’s collection point in a back-end application.

Solution

Cybersecurity professionals should harden networks against the possibility of a DDoS attack. For more information on DDoS attacks, please refer to US-CERT Security Publication DDoS Quick Guide and the US-CERT Alert on UDP-Based Amplification Attacks.

Mitigation

In order to remove the Mirai malware from an infected IoT device, users and administrators should take the following actions:

• Disconnect device from the network.
• While disconnected from the network and Internet, perform a reboot. Because Mirai malware exists in dynamic memory, rebooting the device clears the malware.
• Ensure that the password for accessing the device has been changed from the default password to a strong password. See US-CERT Tip Choosing and Protecting Passwords for more information.
• You should reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device could be quickly reinfected with the Mirai malware.

Preventive Steps

In order to prevent a malware infection on an IoT device, users and administrators should take following precautions:

• Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
• Update IoT devices with security patches as soon as patches become available.
• Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.[8]
• Purchase IoT devices from companies with a reputation for providing secure devices.
• Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
• Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
• Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.[9]
• Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.

References

• [1] KrebsOnSecurity: KrebsOnSecurity Hit With Record DDoS
• [2] Sophos: Mirai “internet of things” malware from Krebs DDoS attack goes open source
• [3] PCWorld: Smart device malware behind record DDoS attack is now available to all hackers
• [4] ArsTechnica: Record-breaking DDoS reportedly delivered by >145k hacked cameras
• [5] InformationWeek DarkReading: IoT DDoS Attack Code Released
• [6] KrebsOnSecurity: Source Code for IoT Botnet “Mirai” Released
• [7] Level 3 Threat Research Labs: Attack of Things!
• [8] Federal Bureau of Investigation Public Service Announcement: Internet of Things Poses Opportunities for Cyber Crime
• [9] SANS ISC InfoSec Forums: What is happening on 2323/TCP?

Revision History

• October 14, 2016: Initial release

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 13, 2016

Google has released Chrome version 54.0.2840.59 to address multiple vulnerabilities for Windows, Mac, and Linux. Exploitation of some of these vulnerabilities may allow an attacker to take control of an affected system.

Users and administrators are encouraged to review the Chrome Releases page and apply the necessary update.

This product is provided subject to this Notification and this Privacy & Use policy.