Cisco issues fix for Vault 7 vulnerability without help from WikiLeaks
News roundup: Cisco fixes a Vault 7 flaw unaided, despite WikiLeaks' pledge to work with vendors. Plus, LastPass flaws leak user data; Apple held hostage by hackers; and more.
Cisco found and mitigated a security vulnerability that affects more than 300 models of its switches. The vulnerability is said to be one found in the Vault 7 documents posted on WikiLeaks last week.
The critical vulnerability is in the Cisco Cluster Management Protocol, or CMP, processing code in IOS and IOS XE software. According to the Cisco advisory, the flaw "could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges."
Cisco also noted that the CMP, which uses Telnet, is vulnerable because of two factors: "The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and the incorrect processing of malformed CMP-specific Telnet options." Cisco said there currently aren't any patches available, but mitigated the risk by disabling Telnet.
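As an added example (not part of Cisco's advisory or the original article), the Python below audits an IOS-style running-config for vty lines that still accept Telnet, the exposure the mitigation above removes. The sample configuration and the function name `audit_vty_telnet` are constructed for illustration; `transport input` is the IOS line command that sets which inbound protocols a vty line accepts.

```python
import re

# Constructed sample running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
hostname sw-access-01
!
line con 0
 exec-timeout 5 0
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
line vty 16 31
 login local
!
end
"""

# "all" admits every protocol, Telnet included.
PERMITS_TELNET = {"telnet", "all"}

def audit_vty_telnet(config_text):
    """Map each vty range to 'telnet-enabled', 'telnet-disabled' or
    'unspecified' (no transport input line, so the release default
    applies and has to be checked for that software version)."""
    results = {}
    current = None
    for raw in config_text.splitlines():
        header = re.match(r"^line vty (\d+)(?: (\d+))?\s*$", raw)
        if header:
            first, last = header.group(1), header.group(2) or header.group(1)
            current = "vty %s-%s" % (first, last)
            results[current] = "unspecified"
            continue
        if not raw.startswith(" "):
            current = None  # any unindented line ends the vty block
            continue
        if current is None:
            continue  # indented line under a non-vty section
        m = re.match(r"^\s+transport input\s+(.+)$", raw)
        if m:
            protocols = set(m.group(1).split())
            results[current] = ("telnet-enabled" if protocols & PERMITS_TELNET
                                else "telnet-disabled")
    return results

if __name__ == "__main__":
    for vty, status in audit_vty_telnet(SAMPLE_CONFIG).items():
        print(vty, status)
```

Ranges reported as `unspecified` need a manual check, because the default inbound transport differs between software releases.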
The Cisco advisory named the source of the vulnerability as the "documents related to the Vault 7 disclosure."
Earlier in the month, WikiLeaks released documents allegedly containing descriptions of hacking tools and zero-day exploits from the CIA. The documents, dubbed Vault 7, did not include specific details or code about any of the vulnerabilities, and WikiLeaks claimed it would work with software vendors to patch them -- under certain conditions.
But Cisco didn't wait to work with WikiLeaks before it addressed the vulnerabilities in the Vault 7 documents that affected its switches. This raised some questions about how Cisco could know it was addressing the same vulnerabilities as those named in the Vault 7 documents and whether WikiLeaks did enough to protect vendors.
"Based on the limited detail that was released, Cisco engineers launched an investigation into the specific Cisco products and code that could potentially be affected by the exploits and vulnerabilities that were alluded to in the public materials," a Cisco representative told SearchSecurity. "During the course of this investigation, our internal teams, which have detailed knowledge of our products, focused on key areas of software code and discovered the vulnerability that we subsequently disclosed."
In its advisory, the Cisco Product Security Incident Response Team said it's not aware of any exploits of the vulnerabilities. The Cisco representative refused to speculate on the likelihood of malicious actors discovering the vulnerability referenced in the Vault 7 documents.
In other news:
- Google Project Zero researcher Tavis Ormandy discovered and reported two vulnerabilities in the browser extensions for password manager LastPass that allowed malicious websites to extract usernames and passwords. The first is a message-hijacking bug found in Firefox 3.3.2 that allowed malicious websites posing as legitimate ones to trick the LastPass add-on into providing credentials for the site. The second vulnerability is a website-connector bug that affects Chrome, Firefox and Edge browsers. According to the LastPass blog post addressing the vulnerabilities, "A malicious website could trick LastPass by masking as a trusted party and steal site credentials. Users running the LastPass binary component (less than 10% of LastPass userbase) were further susceptible to remote exploit when lured to a malicious website." LastPass issued fixes for both the Firefox message-hijacking bug and the website-connector bug.
- A German security researcher, Dominik Herrmann, published findings from a study he ran, which found that the Domain Name System (DNS) can reveal more private information than previously thought. DNS, according to Herrmann, can be used to identify users based on their browser behavior. By tracking a user's browsing behavior on one IP address, DNS data can identify the same user on a completely different IP address. Herrmann conducted a study at the University of Regensburg, and in a sample of 3,800 students over a period of two months, this "behavior-chaining" DNS data correctly identified 86% of students from one IP to another. A larger study of 12,000 students maintained the high rate of identification at 76%. These findings raise privacy concerns, especially considering Herrmann's argument that law enforcement could now see specific pages on a site a user visited, rather than just the site. The way to beat the system, Herrmann said, is to frequently change IP addresses.
- Hackers allegedly extorting Apple claimed to have around 300,000 user credentials that they will use to remotely wipe devices if Apple doesn't pay a ransom. According to a Motherboard report, the hackers demanded $75,000 in bitcoin by April 7, or they will remotely wipe victims' Apple devices. The hacking group claimed to have credentials for iCloud and Apple ID accounts, though it's unclear how much they actually have. They reached out to ZDNet and provided a sample of 54 iCloud credentials. While all were reportedly valid in the Apple database, ZDNet was only able to independently verify 10 credentials. However, an Apple spokesperson told Motherboard, "There have not been any breaches in any of Apple's systems, including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services. We're actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved."