Cisco Blogs

Cisco Blog > Threat Research

Microsoft Patch Tuesday – September 2015

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 12 bulletins released which address 55 CVEs. Five bulletins are rated “Critical” this month and address vulnerabilities in Edge, Graphics Component, Internet Explorer, Journal, and Office. The other seven bulletins are rated “Important” and address vulnerabilities in the .NET Framework, Active Directory, Exchange, Hyper-V, Media Center, Skype for Business, and Task Management.

Read More »

Tags: , , ,

Vulnerability Spotlight: Apple Quicktime Corrupt stbl Atom Remote Code Execution

This post was authored by Rich Johnson, William Largent, and Ryan Pentney. Earl Carter contributed to this post.

Cisco Talos, in conjunction with Apple’s security advisory issued on June 30th,  is disclosing the discovery of a remote code execution vulnerability within Apple Quicktime. This vulnerability was initially discovered by the Talos Vulnerability Research & Development Team and reported in accordance with responsible disclosure policies to Apple.

There is a remote code execution vulnerability in Apple Quicktime (TALOS-2015-0018/CVE-2015-3667). An attacker who can control the data inside an stbl atom in a .MOV file can cause an undersized allocation which can lead to an out-of-bounds read. An attacker can use this to create a use-after-free scenario that could lead to remote code execution.

There is a function within QuickTime (QuickTimeMPEG4!0x147f0) which is responsible for processing the data in an hdlr atom. There is a 16-byte memory region, allocated near the beginning of the function, if the hdlr subtype field in an mdia atom is set to ‘vide’, this reference is passed to a set of two functions.


Read More »

Tags: , , , , , , ,

Cisco PSIRT – Notice about public exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability

Cisco PSIRT is aware of public exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability identified by Cisco bug ID CSCup36829 (registered customers only) and CVE ID CVE-2014-3393. This vulnerability was disclosed on the 8th of October 2014 in the Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software.

All customers that have customizations applied to their Clientless SSL VPN portal and regardless of the Cisco ASA Software release in use should review the security advisory and this blog post for additional remediation actions.

NOTE: The Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software should be used as the Single Source of Truth (SSoT) for all details of this vulnerability and for any revisions of information going forward. Read More »

Tags: , , , ,

Cisco 2015 Annual Security Report: Java on the Decline as Attack Vector

As recently as 2013, vulnerabilities involving Java appeared to be a favored tool of adversaries: Java was easy to exploit and, and exploits involving the programming language were difficult to detect. However, as reported in the Cisco 2015 Annual Security Report, Java is losing its front-runner position as a favored tool of bad actors looking to breach network security.

The decline in Java’s high profile as an attack vector in 2014 was recorded by Cisco Security Research. Only one of the top 10 most commonly exploited vulnerabilities in 2014 was related to Java (see chart below). In 2013, Cisco tracked 54 urgent new Java vulnerabilities; in 2014, the number of tracked vulnerabilities fell to just 19. We saw a corresponding decline in reports from the National Vulnerability Database (NVD), which includes all reported vulnerabilities: from 309 Java vulnerabilities in 2013, down to 253 in 2014.

Read More »

Tags: , , , , ,

CVE-2015-0235: A GHOST in the Machine

This post was authored by Nick BiasiniEarl Carter, Alex Chiu and Jaeson Schultz

On Tuesday January 27, 2015, security researchers from Qualys published information concerning a 0-day vulnerability in the GNU C library. The vulnerability, known as “GHOST” (a.k.a. CVE-2015-0235), is a buffer overflow in the __nss_hostname_digits_dots() function. As a proof-of-concept, Qualys has detailed a remote exploit for the Exim mail server that bypasses all existing protections, and results in arbitrary command execution. Qualys intends to release the exploit as a Metasploit module.

CVE-2015-0235 affects the functions gethostbyname() and gethostbyname2() –functions originally used to resolve a hostname to an IP address. However, these functions have been deprecated for approximately fifteen years, largely because of their lack of support for IPv6.  The superseding function is getaddrinfo() which does support IPv6 and is not affected by this buffer overflow.  Programs that still utilize the deprecated gethostbyname() and gethostbyname2() functions may potentially be affected by GHOST.

Read More »

Tags: , ,