Each month, Nebula Consulting posts vulnerability notes from CERT’s vulnerability database. Check back often for updates! 06 Sep 2017 - VU#112992 - Apache Struts 2 framework, versions 2.5 to 2.5.12, with REST plugin insecurely deserializes untrusted XML data.

In Apache Struts 2 framework, versions 2.5 to 2.5.12, the REST plugin uses XStreamHandler with an instance of XStream to deserialize XML data. Because there is no type filtering, a remote, unauthenticated attacker may send a specially crafted XML payload to execute arbitrary code in the context of the Struts application.

A remote, unauthenticated attacker may send a specially crafted XML payload to execute arbitrary code on vulnerable servers in the context of the Struts application.

Solution: Apply an update. The vendor has released version 2.5.13 to address this vulnerability. No workaround is possible according to the vendor, so patching is strongly recommended.

08 Sep 2017 - VU#166743 - Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities.

Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data.

Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data.

An attacker with physical access to the device may be able to decrypt the device's contents.

Solution: The CERT/CC is currently unaware of a practical solution to this problem. U-Boot versions prior to 2017.09 contain the vulnerable code; the feature was deprecated and removed in the 2017.09 release.

12 Sep 2017 - VU#240311 - Multiple Bluetooth implementation vulnerabilities affect many devices.

A collection of Bluetooth implementation vulnerabilities known as "BlueBorne" has been released. These vulnerabilities collectively affect Windows, iOS, and Linux-kernel-based operating systems including Android and Tizen, and may in worst case allow an unauthenticated attacker to perform commands on the device. For more details, please read Armis's BlueBorne disclosure website and Technical White Paper.

An unauthenticated, remote attacker may be able to obtain private information about the device or user, or execute arbitrary code on the device.

Solution: Apply an update. Patches are available in the latest releases of Windows (see Microsoft bulletin), iOS, the Linux kernel, and Android (see September 2017 security bulletin).

13 Sep 2017 - VU#101048 - Microsoft .NET framework SOAP Moniker PrintClientProxy remote code execution vulnerability.

The Microsoft .NET framework fails to properly parse WSDL content, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

The PrintClientProxy method in the WSDL-parsing component of the Microsoft .NET framework fails to properly handle linefeed characters. If an attacker can trigger the .NET framework to trigger a specially-crafted WSDL file, this can result in arbitrary code execution.

This vulnerability is currently being exploited in the wild, by way of an RTF file with an embedded Soap Moniker object that triggers a remote WSDL file to be retrieved and parsed. Other attack vectors may be possible.

By causing the .NET framework to parse a specially-crafted WSDL file with the SOAP Moniker, an unauthenticated remote attacker may be able to execute arbitrary code on a vulnerable system. Current exploits achieve this by convincing a user to open a RTF document.

Solution: Apply an update. This issue is addressed in CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability