Cross-site scripting (XSS) vulnerability in Cisco Hosted Collaboration Solution 10.6(1) allows remote attackers to inject arbitrary web script or HTML via a crafted value in a URL, aka Bug ID CSCuu14862.
Monthly Archives: July 2015
EMC RecoverPoint For Virtual Machines Restriction Bypass
EMC RecoverPoint for VMs 4.3 contains fixes for a restriction bypass vulnerability that could potentially be exploited by malicious users to compromise the affected system.
RHSA-2015:1219-1: Moderate: php54-php security update
Red Hat Enterprise Linux: Updated php54-php packages that fix multiple security issues are now
available for Red Hat Software Collections 2.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2015-4021, CVE-2015-4022, CVE-2015-4024, CVE-2015-4025, CVE-2015-4026, CVE-2015-4598
RHSA-2015:1218-1: Moderate: php security update
Red Hat Enterprise Linux: Updated php packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2014-9425, CVE-2014-9705, CVE-2014-9709, CVE-2015-0232, CVE-2015-0273, CVE-2015-2301, CVE-2015-2783, CVE-2015-2787, CVE-2015-3307, CVE-2015-3329, CVE-2015-3411, CVE-2015-3412, CVE-2015-4021, CVE-2015-4022, CVE-2015-4024, CVE-2015-4026, CVE-2015-4147, CVE-2015-4148, CVE-2015-4598, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603
USN-2671-1: Django vulnerabilities
Ubuntu Security Notice USN-2671-1
9th July, 2015
python-django vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.04
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in Django.
Software description
- python-django – High-level Python web development framework
Details
Eric Peterson and Lin Hua Cheng discovered that Django incorrectly handled
session records. A remote attacker could use this issue to cause a denial
of service. (CVE-2015-5143)
Sjoerd Job Postmus discovered that Django incorrectly handled newline
characters when performing validation. A remote attacker could use this
issue to perform header injection attacks. (CVE-2015-5144)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.04:
  - python3-django 1.7.6-1ubuntu2.1
  - python-django 1.7.6-1ubuntu2.1
- Ubuntu 14.10:
  - python3-django 1.6.6-1ubuntu2.3
  - python-django 1.6.6-1ubuntu2.3
- Ubuntu 14.04 LTS:
  - python-django 1.6.1-2ubuntu0.9
- Ubuntu 12.04 LTS:
  - python-django 1.3.1-4ubuntu1.17
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
USN-2672-1: NSS vulnerabilities
Ubuntu Security Notice USN-2672-1
9th July, 2015
nss vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.04
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in NSS.
Software description
- nss – Network Security Service library
Details
Karthikeyan Bhargavan discovered that NSS incorrectly handled state
transitions for the TLS state machine. If a remote attacker were able to
perform a man-in-the-middle attack, this flaw could be exploited to skip
the ServerKeyExchange message and remove the forward-secrecy property.
(CVE-2015-2721)
Watson Ladd discovered that NSS incorrectly handled Elliptic Curve
Cryptography (ECC) multiplication. A remote attacker could possibly use
this issue to spoof ECDSA signatures. (CVE-2015-2730)
As a security improvement, this update modifies NSS behaviour to reject DH
key sizes below 768 bits, preventing a possible downgrade attack.
This update also refreshes the NSS package to version 3.19.2 which includes
the latest CA certificate bundle.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.04:
  - libnss3 2:3.19.2-0ubuntu15.04.1
- Ubuntu 14.10:
  - libnss3 2:3.19.2-0ubuntu0.14.10.1
- Ubuntu 14.04 LTS:
  - libnss3 2:3.19.2-0ubuntu0.14.04.1
- Ubuntu 12.04 LTS:
  - libnss3 3.19.2-0ubuntu0.12.04.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.
USN-2656-1: Firefox vulnerabilities
Ubuntu Security Notice USN-2656-1
9th July, 2015
firefox vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.04
- Ubuntu 14.10
- Ubuntu 14.04 LTS
Summary
Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Software description
- firefox – Mozilla Open Source web browser
Details
Karthikeyan Bhargavan discovered that NSS incorrectly handled state
transitions for the TLS state machine. If a remote attacker were able to
perform a man-in-the-middle attack, this flaw could be exploited to skip
the ServerKeyExchange message and remove the forward-secrecy property.
(CVE-2015-2721)
Looben Yan discovered 2 use-after-free issues when using XMLHttpRequest in
some circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit these to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2015-2722,
CVE-2015-2733)
Bob Clary, Christian Holler, Bobby Holley, Andrew McCreight, Terrence
Cole, Steve Fink, Mats Palmgren, Wes Kocher, Andreas Pehrson, Tooru
Fujisawa, Andrew Sutherland, and Gary Kwong discovered multiple memory
safety issues in Firefox. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit these to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2015-2724,
CVE-2015-2725, CVE-2015-2726)
Armin Razmdjou discovered that opening hyperlinks with specific mouse
and key combinations could allow a Chrome privileged URL to be opened
without context restrictions being preserved. If a user were tricked into
opening a specially crafted website, an attacker could potentially exploit
this to bypass security restrictions. (CVE-2015-2727)
Paul Bandha discovered a type confusion bug in the Indexed DB Manager. If
a user were tricked into opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via
application crash or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2015-2728)
Holger Fuhrmannek discovered an out-of-bounds read in Web Audio. If a
user were tricked into opening a specially crafted website, an attacker
could potentially exploit this to obtain sensitive information.
(CVE-2015-2729)
Watson Ladd discovered that NSS incorrectly handled Elliptic Curve
Cryptography (ECC) multiplication. A remote attacker could possibly use
this issue to spoof ECDSA signatures. (CVE-2015-2730)
A use-after-free was discovered when a Content Policy modifies the DOM to
remove a DOM object. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2015-2731)
Ronald Crane discovered multiple security vulnerabilities. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737,
CVE-2015-2738, CVE-2015-2739, CVE-2015-2740)
David Keeler discovered that key pinning checks can be skipped when an
overridable certificate error occurs. This allows a user to manually
override an error for a fake certificate, but cannot be exploited on its
own. (CVE-2015-2741)
Jonas Jenwald discovered that some internal workers were incorrectly
executed with a high privilege. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this in
combination with another security vulnerability, to execute arbitrary code
in a privileged scope. (CVE-2015-2743)
Matthew Green discovered a DHE key processing issue in NSS where a MITM
could force a server to downgrade TLS connections to 512-bit export-grade
cryptography. An attacker could potentially exploit this to impersonate
the server. (CVE-2015-4000)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.04:
  - firefox 39.0+build5-0ubuntu0.15.04.1
- Ubuntu 14.10:
  - firefox 39.0+build5-0ubuntu0.14.10.1
- Ubuntu 14.04 LTS:
  - firefox 39.0+build5-0ubuntu0.14.04.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart Firefox to make
all the necessary changes.
Public WiFi networks. Are they safe?
Airports, hotels… On vacation we also spend the whole day connected to the Internet. WhatsApp has in many countries become an essential tool for personal communication. We all want to be able to check Facebook, post photos on Instagram, tweet something we’ve seen, and answer work emails from wherever we are… and it’s possible. We mostly do all these things from a smartphone, or perhaps from tablets or (increasingly less) from laptops.
It is quite common to scan for and connect to public WiFi networks which aren’t password-protected and let you connect to the Internet cheaply and simply. In fact, a typical selling-point of many restaurant chains nowadays is that they offer free WiFi connections to customers, and in many places there are public WiFi hotspots provided by local councils.
Even though the price of mobile data connections has dropped considerably (largely thanks to competition and technological advances), and connection speeds continue to increase (GPRS, 3G, HSDPA, 4G…), most users, if they can, still try to avoid using mobile data. The reason is simple: many of the mobile data rates on offer include a limit on data download volume, and once this threshold is exceeded, either the connection speed drops or the charges increase. Moreover, not everywhere has good mobile data coverage, and that directly affects the connection speed. And that’s not to mention the question of data roaming when traveling to other countries, where prices are very often completely prohibitive.
It’s obvious that most of us at one time or another will try to connect to a public WiFi network. Is it safe? What are the risks? Can anyone spy on data sent from my device? Can I get infected if the network is malicious? These are some of the questions that we’ll answer below.
When you connect to the Internet from home or from your office, you know who is responsible for the network and which people can connect to it. However, on a public network, anyone can be connected, and you have no idea of their intentions. One of the first questions that arises concerns the level of security on any Web page that requires you to enter your login credentials.

How to connect safely to a public WiFi network
Could someone connect to the same network and spy on data communications?
Yes, anyone connected to the network could capture the data traffic sent from your device, and there are simple, free apps available for this purpose.
Does this mean that someone could steal my Facebook username and password?
No. Fortunately, Facebook, along with many other social networks, webmail services, online stores, etc., has secure Web pages. You connect to them via SSL, which you can see on your browser (depending on which one you use) when the padlock icon is displayed next to the page address. This means that all the data sent to this page is encrypted, so even if it is captured by a third party, it cannot be read.
What about other websites? Could someone see which pages I’m visiting, or access the data I enter on unencrypted sites?
Yes. It’s very simple to capture this information, and anyone could see what pages you connect to, what you write on a forum or any other type of unencrypted page.
So as long as the Web page is secure, I’m alright, aren’t I?
Yes, but it must really be secure. Capturing network traffic is just one type of possible attack. If the hotspot has been deliberately set up by an attacker, they could, for example, alter the settings of the WiFi router to take you to the page they want. Imagine you enter www.facebook.com in your browser, yet the page you see is not really Facebook but a copy, so when you enter your username and password you are giving it directly to the attacker. Or, worse still, the page you are taken to contains an exploit which infects your device without you realizing. In any event, the fake page won’t be secure, which should help you detect that it is not the real site.
But is this still the case if I know that the WiFi hotspot is reliable, such as in a shop or restaurant?
Yes. Although it is obviously safer, no one can guarantee that the router hasn’t been compromised, or that the DNS configuration hasn’t been changed, which would enable an attack like the one described above where you’re directed to a fake page. In fact, in 2014 security holes were discovered in popular routers which allow them to be hacked, so an attacker could easily change the configuration.
This is chaos! Is there any way of protecting myself against these attacks?
Yes. One good way is to use a VPN (Virtual Private Network) service. This ensures all data traffic from your device is encrypted. It doesn’t matter whether the site is secure or not: everything is encrypted. When you are connected to the VPN, the router’s DNS settings are not used in any event, so you’re protected from the types of attack described above.
And what about password-protected WiFi networks? Is there the same risk?
This in effect ensures that only people who know the password can connect to the same WiFi access point, nothing else. In a way, you could say that this reduces risks by reducing the number of people who can connect, although the same kind of attacks can still occur in the same way as on an open network without password protection.
Does this apply to all types of devices or just to computers?
To all kinds: computers, tablets, smartphones or any other device with which you can connect to a network.
And so what about WhatsApp? Can anyone see my chats or the photos and videos that I send?
No. Fortunately that information is now encrypted. Previously it wasn’t, and in fact, an app was developed that allowed you to see people’s chats if you were connected to the same network. This is no longer possible, although there is a way someone could find out your phone number if you are connected to WhatsApp on the same network as them, but that’s the most they can do.
The post Public WiFi networks. Are they safe? appeared first on MediaCenter Panda Security.
Arab Portal 3 SQL Injection
Arab Portal version 3 suffers from a remote SQL injection vulnerability.
UPNPD M-SEARCH ssdp:discover Reflection Denial Of Service
UPNPD M-Search ssdp:discover reflection denial of service exploit.