Cisco Blogs

Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

Threat Research

  • Vulnerability Spotlight: Multiple Vulnerabilities in Zabbix

    - April 27, 2017 - 0 Comments

    These vulnerabilities were discovered by Lilith Wyatt of Cisco ASIG

    Summary

    Zabbix is an enterprise monitoring solution that is designed to give organizations the ability to monitor the health and status of various systems within their networks, including: network services, servers, and networking equipment. Cisco recently discovered multiple vulnerabilities in the Zabbix Server software component that could be leveraged by attackers to write directly to the Zabbix Proxy database or achieve remote code execution on the Zabbix Server. Cisco worked with Zabbix to responsibly disclose these vulnerabilities and ensure that a patch is available. Zabbix has released public advisories regarding these vulnerabilities which are located here and here.

    Read More >>

  • Vulnerability Spotlight: IrfanView Jpeg2000 Reference Tile width Arbitrary Code Execution Vulnerability

    - April 26, 2017 - 0 Comments

    Discovered by Aleksandar Nikolic of Cisco Talos

    Overview

    Talos is disclosing TALOS-2017-0310 / CVE-2017-2813, an arbitrary code execution vulnerability in the JP2 plugin for IrfanView image viewer. IrfanView is a widely used, Windows based, image viewing and editing application.

    This particular vulnerability is in the jpeg2000 plugin (JP2) for IrfanView resulting in an integer overflow which leads to a wrong memory allocation and eventual arbitrary code execution. This vulnerability is specifically related to the way in which the plugin leverages the reference tile width value in a buffer size allocation. There are insufficient checks being done which can result in a small buffer being allocated for a large tile. This results in a controlled out of bounds write vulnerability. This out of bounds write bug can be further leveraged to achieve code execution in the application. This vulnerability can be triggered by either viewing an image in the application or by using the thumb nailing feature of IrfanView.

    Read More >>

  • Vulnerability Spotlight: Hard-coded Credential Flaw in Moxa ICS Wireless Access Points Identified and Fixed

    - April 21, 2017 - 0 Comments

    Earlier this month, Talos responsibly disclosed a set of vulnerabilities in Moxa ICS wireless access points. While most of the vulnerabilities were addressed in the previous set of advisories, Talos has continued to work with Moxa to ensure all remaining vulnerabilities that Talos identified are patched. Today in coordination with Moxa, Talos is disclosing the TALOS-2016-0231, a hard-coded credential vulnerability that could allow an attacker to gain complete control of the device. Moxa has released a software update to address TALOS-2016-0231 and other bugs.

    Read more »

  • Threat Spotlight: Mighty Morphin Malware Purveyors: Locky Returns Via Necurs

    - April 21, 2017 - 0 Comments

    This post was authored by Nick Biasini

    Throughout the majority of 2016, Locky was the dominant ransomware in the threat landscape.  It was an early pioneer when it came to using scripting formats Windows hosts would natively handle, like .js, .wsf, and .hta. These scripting formats acted as a vehicle to deliver the payload via email campaigns.  However, late in 2016 Locky distribution declined dramatically largely due to the slowdown of Necurs that occurred at the same time.  

    On April 21st, Talos observed the first large scale Locky campaign in months from Necurs.  This campaign leveraged techniques associated with a recent Dridex campaign and is currently being distributed in very high volumes. Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky. This large wave of distribution has been attributed to the Necurs botnet which, until recently, had been focused on more traditional spam such as pump-and-dump spam, Russian dating spam, and work-from-home spam.

    Read More >>

  • Threat Round-up for Apr 14 – Apr 21

    - April 21, 2017 - 0 Comments

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between April 14 and April 21. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.
    Read more »

  • Vulnerability Spotlight: ARM Mbedtls x509 ECDSA invalid public key Code Execution Vulnerability

    - April 19, 2017 - 0 Comments

    Vulnerability Discovered by Aleksandar Nikolic

    Overview

    Talos is disclosing TALOS-2017-0274/CVE-2017-2784, a code execution vulnerability in ARM MbedTLS. This vulnerability is specifically related to how MbedTLS handles x509 certificates. MbedTLS is an SSL/TLS implementation aimed specifically at embedded devices that was previously known as PolarSSL.

     

    The vulnerability exists in the part of the code responsible for handling elliptic curve cryptography keys. An attacker can trigger this vulnerability by providing a specially crafted x509 certificate to the target which performs a series of checks on the certificate. While performing these checks the application fails to properly parse the public key. This results in the invalid free of a stack pointer. There is a mitigating factor associated with this vulnerability in that the memory space that is pointed to is zeroed out shortly before the vulnerability is triggered. However, since it’s designed to be used in embedded platforms that may not have modern heap exploitation mitigations in place it may be possible to achieve code execution in certain circumstances.  Full details of the vulnerability are available in our advisory.

    Read More >>