Each month, Nebula Consulting posts vulnerability notes from CERT's vulnerability database. Check back often for updates!

18 Jul 2017 - VU#547255 - Dahua IP cameras Sonia web interface is vulnerable to stack buffer overflow
Dahua IP camera products include an application known as Sonia (/usr/bin/sonia) that provides the web interface and other services for controlling the IP camera remotely.
Versions of Sonia included in firmware versions prior to DH_IPC-Consumer-Zi-Themis_Eng_P_V2.408.0000.11.R.20170621 do not validate input data length for the 'password' field of the web interface. A remote, unauthenticated attacker may submit a crafted POST request to the IP camera's Sonia web interface that may lead to out-of-bounds memory operations and loss of availability or remote code execution.
Solution: Apply Update. Dahua has released firmware version DH_IPC-ACK-Themis_Eng_P_V2.400.0000.14.R.20170713.bin to address this issue. All affected users should update their firmware as soon as possible. If you have any questions, you may contact cybersecurity@dahuatech.com.
20 Jul 2017 - VU#586501 - Inmarsat AmosConnect8 Mail Client Vulnerable to SQL Injection and Backdoor Account
Inmarsat Solutions offers a shipboard email client service, AmosConnect 8 (AC8), which was designed to be used over satellite networks in a highly optimized manner. A third-party security research firm has identified two security vulnerabilities in the client software: on-board ship network access could provide visibility of user names and passwords configured on the client device, and a backdoor account has been identified in the client that provides full system privileges. This vulnerability could be exploited remotely. An attacker with high skill would be able to exploit this vulnerability. AmosConnect 8 has been deemed end of life and is no longer supported. Inmarsat customers must contact Inmarsat Customer Service to obtain the replacement mail client software.
Unauthenticated attackers having network access to the AmosConnect Server can exploit a Blind SQL Injection vulnerability in the login form to gain access to credentials stored in its internal database, containing user names and passwords.
Successful exploitation of this vulnerability may allow a remote attacker to access or influence AmosConnect 8 email databases on computers that are installed onboard ships.
Solution: Delete Software. As of July 2017, support for the Inmarsat AmosConnect8 service has been decommissioned and clients will no longer be able to download the software from the software distribution website. Customers can contact Inmarsat Customer Service to obtain further information and updates on the replacement email client.
25 Jul 2017 - VU#838200 - Telerik Web UI contains cryptographic weakness
The Telerik Web UI, versions R2 2017 (2017.2.503) and prior, is vulnerable to a cryptographic weakness which an attacker can exploit to extract encryption keys.
The Telerik.Web.UI.dll is vulnerable to a cryptographic weakness which allows an attacker to extract the Telerik.Web.UI.DialogParametersEncryptionKey and/or the MachineKey. Versions R2 2017 (2017.2.503) and prior are vulnerable.
A remote, unauthenticated attacker could perform arbitrary file upload and downloads, cross-site scripting attacks, leak the MachineKey, or compromise the ASP.NET ViewState. Software vendors who use Telerik web components may also be impacted.
Solution: Apply an update. Please see Telerik's support article for update information for specific versions.
27 Jul 2017 - VU#793496 - Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency
Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency for LSAs with MaxSequenceNumber. Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to poison routing tables within the domain.
Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency for LSAs with MaxSequenceNumber. According to RFC 2328 section 13.1, for two instances of the same LSA, recency is determined by first comparing sequence numbers, then checksums, and finally MaxAge. In a case where the sequence numbers are the same, the LSA with the larger checksum is considered more recent, and will not be flushed from the Link State Database (LSDB). Since the RFC does not explicitly state that the values of links carried by an LSA must be the same when prematurely aging a self-originated LSA with MaxSequenceNumber, it is possible in vulnerable OSPF implementations for an attacker to craft an LSA with MaxSequenceNumber and invalid links that will result in a larger checksum and thus a 'newer' LSA that will not be flushed from the LSDB. Propagation of the crafted LSA can result in the erasure or alteration of the routing tables of routers within the routing domain, creating a denial of service condition or the re-routing of traffic on the network.
Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to erase or alter the routing tables of routers within the domain, resulting in denial of service or the re-routing of traffic on the network.
Solution: Install updates. The OSPF protocol is a popular interior routing protocol that is used by many devices and manufacturers. This vulnerability is implementation-specific, so some vendors may not be affected. The Vendor Information section of the CERT note lists known affected and non-affected vendors. Please consult your network equipment vendor to confirm how they are affected by this vulnerability.
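To make the RFC 2328 section 13.1 comparison concrete, here is an added example (not code from CERT, Nebula Consulting or any OSPF vendor) that implements the recency rule described above and adds a hardening check on top of it: when a self-originated LSA already sits at MaxSequenceNumber, an instance that wins only on checksum but carries different link contents is refused rather than installed in the LSDB. The LSA structure, the `should_replace` check and the router IDs are assumptions of this example, not part of the RFC.

```python
from dataclasses import dataclass, field

MAX_SEQUENCE_NUMBER = 0x7FFFFFFF  # RFC 2328 MaxSequenceNumber
MAX_AGE = 3600                    # RFC 2328 MaxAge, in seconds
MAX_AGE_DIFF = 900                # RFC 2328 MaxAgeDiff, in seconds


@dataclass
class LSA:
    """Minimal LSA header plus its link list (a constructed model for this example)."""
    ls_type: int
    ls_id: int
    adv_router: int
    ls_seq: int
    ls_checksum: int
    ls_age: int
    links: tuple = field(default_factory=tuple)

    def same_lsa(self, other):
        """Two instances describe the same LSA if type, ID and advertising router match."""
        return (self.ls_type, self.ls_id, self.adv_router) == \
               (other.ls_type, other.ls_id, other.adv_router)


def compare_recency(a, b):
    """RFC 2328 section 13.1: 1 if a is newer, -1 if b is newer, 0 if same instance."""
    if a.ls_seq != b.ls_seq:                       # 1. larger sequence number wins
        return 1 if a.ls_seq > b.ls_seq else -1
    if a.ls_checksum != b.ls_checksum:             # 2. larger checksum wins
        return 1 if a.ls_checksum > b.ls_checksum else -1
    if (a.ls_age == MAX_AGE) != (b.ls_age == MAX_AGE):  # 3. the MaxAge instance wins
        return 1 if a.ls_age == MAX_AGE else -1
    if abs(a.ls_age - b.ls_age) > MAX_AGE_DIFF:    # 4. much younger instance wins
        return 1 if a.ls_age < b.ls_age else -1
    return 0                                       # 5. same instance


def should_replace(stored, received, my_router_id):
    """Decide whether 'received' replaces 'stored' in the LSDB (hardened variant).

    Hardening (an assumption of this example): a self-originated LSA at
    MaxSequenceNumber may only be superseded on checksum by an instance whose
    link contents are identical; differing links are treated as suspect.
    """
    if not stored.same_lsa(received):
        raise ValueError("not two instances of the same LSA")
    if compare_recency(received, stored) <= 0:
        return False
    at_wrap = stored.ls_seq == received.ls_seq == MAX_SEQUENCE_NUMBER
    if stored.adv_router == my_router_id and at_wrap and received.links != stored.links:
        return False  # would be 'newer' only by checksum with altered links: refuse it
    return True
```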