STE WILLIAMS

The Pwn Star State: Nearly two dozen Texas towns targeted by tiresome ransomware

Twenty-three towns in Texas have been targeted with ransomware in what appears to be a coordinated attack.

On Friday, the Texas Department of Information Resources (DIR), which handles state IT operations, said at least twenty local government entities had been affected.

The following day, the DIR said reports from local governments came in Friday morning and the State Operations Center began operating day and night to deal with the crisis.

“At this time, the evidence gathered indicates the attacks came from one single threat actor,” the DIR said in a statement. “Twenty-three entities have been confirmed as impacted. Responders are actively working with these entities to bring their systems back online.”

Ransomware involves malicious code that encrypts an organization’s files and demands payment for access to the encryption key that will – possibly – unlock the files.

In response to an inquiry from The Register, a spokesperson for the DIR said the agency has not named the affected entities or the attack vector used. Reports have suggested the attack employed the Sodinokibi ransomware; the DIR declined to confirm this.

The DIR spokesperson had no information to provide about whether the towns in question have access to data backups.

On Monday afternoon, the City of Borger, Texas, said in a statement that it was among the municipalities affected by the attack. The statement says City operations have been affected but the City has activated its continuity of operations plan to assure continued delivery of basic and emergency services. Work is underway to restore affected systems but it’s not yet clear how long that will take.


“Currently, Vital Statistics (birth and death certificates) remains offline, and the City is unable to take utility or other payments,” the City said. “Until such time as normal operations resume, no late fees will be assessed, and no services will be shut off.”

No customer credit card or personal information has been compromised, the City said, adding that no further information about the origin of the attack will be released until the investigation is complete.

Ransomware attacks have hit government entities in all US states except for Delaware and Kentucky, cybersecurity biz Recorded Future said in May. Examples of such incidents have occurred in Florida and Maryland, as well as in cities in other countries, such as Johannesburg, South Africa, last month.

The security shop said ransomware attacks on state and local governments are on the rise, though it conceded that its metrics may be incomplete because such incidents are not necessarily reported.

In a phone interview with The Register, Sean Curran, a senior director with West Monroe Partners, a management and technology consultancy, said there has been a shift over the past few years in the way attackers go after data.

“Ransoming data has a bigger impact and a bigger payday than trying to resell stolen personal information,” he said. “It’s a more direct, immediate return.”

Curran said ransomware appears to be extremely profitable and many organizations haven’t yet revised their security posture to account for the possibility. “Many companies don’t test their backups to make sure they’re functional or move them off-site so they can’t be deleted,” he said, noting that the first thing ransomware attackers do is delete accessible backups.

Organizations, he said, should make sure they’ve stored their data somewhere safe. “Sometimes old school is best,” he said. “Tapes are really hard to steal from.”

He also advised organizations to inform employees about the dangers of phishing, which is often how malware gets onto an organization’s network.

“In almost every ransomware attack we’ve looked at, the company had been compromised six to nine months before the attack was launched,” he said, noting that this allows the attacker to conduct reconnaissance.

When the attack occurs, he said, it tends to happen at a time when few people are around monitoring IT systems, because it can take time to encrypt large amounts of data. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/20/texas_towns_ransomware/

Breaker, breaker. Apple’s iOS 12.4 update breaks jailbreak break, un-breaks the break. 10-4

iPhone hackers have discovered Apple’s most recent iOS update, 12.4, released in July, accidentally reopened a code-execution vulnerability that was previously patched – a vulnerability that can be abused to jail-break iThings.

Pwn20wnd, the developer of the iPhone jail-breaking tool unc0ver, says the newest version of their software, 3.5.2, successfully exploits the SockPuppet flaw on iOS 12.4 to unlock a fully patched up-to-date device from the walled garden of Apple’s App Store, thus allowing any third-party software, good and bad, to be installed and run.

The SockPuppet hole was found and reported to Apple in March by Googler Ned Williamson, and patched in May by the Cupertino giant with its iOS 12.2 release, locking out the jail-break tool. Then the iOS 12.4 release came along in late July, and broke that patch, allowing a slightly tweaked unc0ver to run as before.

So, basically, if you’re using iOS 12.3 or 12.2, update to iOS 12.4, and jail-break your handset, if you so wish, or go ahead right now if you’re already running iOS 12.4. It’s not generally recommended for security reasons, though; be aware of the risks and benefits before diving in.


“It was a wild ride… I was utterly unprepared for something like this,” Pwn20wnd wrote. “I had to re-schedule almost everything to test this before release.”

And why is this of any importance to those who don’t jail-break their phones? The techniques used to jail-break handsets require some level of arbitrary code execution to succeed. It is understood government surveillance and phone unlocking tools can potentially use these types of code-execution flaws to carry out their snooping.

When an iOS update “breaks” a jail-break tool, it is usually because Apple has patched the vulnerability that was used to compromise the device. It seems that, in this case, one of those fixes has failed.

To put it another way, iOS 12.4, released on July 22, has apparently reopened an arbitrary code-execution flaw that Apple had previously patched as a security concern. And unc0ver, which can exploit that reopened hole, is open-source, so miscreants can find and reuse the exploit code needed to compromise a victim’s device via the flaw. It is also worth noting that this is the first time in years that jail-breakers have had a working exploit for the latest, fully-patched version of iOS.

The Register has asked Apple for comment on the matter, and has yet to hear back at the time of publication. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/20/apples_ios_update_jailbreak/

What Americans Think About Ransomware

New Harris Poll survey says most will weigh candidates’ cybersecurity positions.

Nearly half of Americans whose endpoint devices were affected in a ransomware attack say their employers paid the ransom to attackers, a new survey shows.

A new ransomware survey by the Harris Poll on behalf of Anomali also found that one in five Americans say they have experienced a ransomware attack either at work or on their personal devices, and some 79% say they would look at candidates’ positions on cybersecurity as part of their voting decision-making process.

The findings, based on responses from 2,000 American adults, show that the majority oppose government and businesses paying ransomware attackers. Others say it’s acceptable in some cases for governments (34%) and businesses (36%) to pay ransom, mostly for protecting customer or employee personal information or safety.

Read the full report here.


Article source: https://www.darkreading.com/risk/what-americans-think-about-ransomware/d/d-id/1335571?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dear Planet Earth: Patch Webmin now – zero-day exploit emerges for potential hijack hole in server control panel

The maintainers of Webmin – an open-source application for system administration tasks on Unix-flavored systems – have released Webmin version 1.930 and the related Usermin version 1.780 to patch a vulnerability that can be exploited to achieve remote code execution in certain configurations.

Joe Cooper, one of the contributing developers, announced the patch in a blog post over the weekend.

“This release addresses CVE-2019-15107, which was disclosed earlier today,” Cooper said. “We received no advance notification of it, which is unusual and unethical on the part of the researcher who discovered it. But, in such cases there’s nothing we can do but fix it ASAP.”

The patch also deals with several XSS issues that were responsibly disclosed, he said, noting that a bounty has been paid to the researcher who reported them.

The bug at issue is a command injection flaw in the unix_crypt function in the password_change.cgi file, which checks the supplied password against the system’s /etc/shadow file. By adding a pipe character (“|”) to the input, an attacker can execute code remotely.

To be vulnerable, Cooper said, the Perl-based software must have the “Password expiry policy” option (under Webmin → Webmin Configuration → Authentication) set to “Prompt users with expired passwords to enter a new one”.

“This option is not set by default, but if it is set, it allows remote code execution,” he said.


That may be the case for most versions – the vulnerability exists in versions 1.882 through 1.920 – but Webmin 1.890 is vulnerable in its default configuration.

The bug appears to have been revealed on Saturday, August 10, by Özkan Mustafa Akkuş at DEF CON and to have been made available as an exploit in a module for the Metasploit framework. The Webmin maintainers didn’t hear about it until Saturday, August 17, when they noticed people discussing the issue on Twitter and Reddit. The CVE was created Thursday, August 15.

Webmin has about 215,000 installations, according to a Shodan search (account required), and about 13,000 instances of the particularly vulnerable version 1.890.

Tiago Henriques, developer relations lead for Microsoft Azure and founder of binaryedge.io, puts that number higher at about 598,000 Webmin instances and 29,000 instances of version 1.890.

According to Cooper, the malicious code was introduced into Webmin and Usermin through the project’s build infrastructure. “We’re still investigating how and when, but the exploitable code has never existed in our GitHub repositories, so we’ve rebuilt from git source on new infrastructure,” he said.

In an email to The Register, Cooper said the malicious code – which appeared in the Sourceforge repo but not the GitHub repo – was introduced to Webmin on local package build infrastructure before it reached Sourceforge.

“Jamie [Cameron, the project’s primary author,] would know more details, but my understanding is that it was a build server in his home that had been in service for many years,” Cooper said.

“It was shut down a few months ago, but the build directories were copied over from backups to the new build system…so, the exploit came along with it. The new build is from new infrastructure and from a fresh git checkout; Jamie compared the exploited code against the git code, as well, looking for any other introduced code.”

Cooper said the bug is of fairly limited risk in the version of the software (Webmin 1.920, Usermin 1.770) that immediately preceded today’s patch because it requires changes to the default configuration.

“An earlier iteration, presumably introduced by the same attacker since it was introduced through the same vector, was more serious (in Webmin 1.890, and did not need any non-default options for a similar attack), and it took Jamie a while to find it (or even realize the reported bug was real) because it was not in git, so we were looking at, and trying to reproduce, against code that didn’t have the problem,” he explained.
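The maintainers found the injected code only by comparing the shipped build against the git tree. The following script, an added example that is not Webmin project code, automates that check for any two directory trees: it hashes every file in a clean checkout and in the packaged release, lists files that are missing, added or modified, and prints a unified diff for each modified text file. The two trees it builds are constructed stand-ins (the file names echo the article, the contents are toy lines), not real Webmin sources.

```python
"""Compare a packaged release tree against a clean git checkout.

Added example, not Webmin project code. A release built on compromised
infrastructure can differ from the committed source; hashing both trees
and diffing the differences surfaces exactly what was added.
"""
import difflib
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        # Skip VCS metadata; only shipped content is compared.
        if path.is_file() and ".git" not in path.parts:
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(source_root, package_root):
    """Return sorted lists of files only in the package, only in source, or differing."""
    src = hash_tree(source_root)
    pkg = hash_tree(package_root)
    return {
        "only_in_package": sorted(set(pkg) - set(src)),
        "only_in_source": sorted(set(src) - set(pkg)),
        "modified": sorted(p for p in src.keys() & pkg.keys() if src[p] != pkg[p]),
    }


def diff_file(source_root, package_root, rel_path):
    """Unified diff (as a list of lines) of one file: clean source vs shipped package."""
    a = Path(source_root, rel_path).read_text(errors="replace").splitlines()
    b = Path(package_root, rel_path).read_text(errors="replace").splitlines()
    return list(difflib.unified_diff(a, b, fromfile="git/" + rel_path,
                                     tofile="package/" + rel_path, lineterm=""))


def build_demo_trees(base):
    """Construct two toy trees (stand-ins, not real Webmin files) under base.

    The package copy carries one extra line in the CGI script and one
    stray file that does not exist in the checkout.
    """
    base = Path(base)
    clean_cgi = ("#!/usr/bin/perl\n"
                 "# password_change.cgi (constructed stand-in)\n"
                 "my $enc = unix_crypt($in{'pass'}, $salt);\n")
    injected_cgi = clean_cgi + "# <extra line present only in the shipped build>\n"
    for name, cgi in (("git", clean_cgi), ("package", injected_cgi)):
        tree = base / name
        (tree / "lib").mkdir(parents=True)
        (tree / "password_change.cgi").write_text(cgi)
        (tree / "lib" / "util.pl").write_text("sub helper { return 1; }\n")
    (base / "package" / "stray.pl").write_text("# file absent from git\n")
    return base / "git", base / "package"


def run_demo():
    """Build the toy trees in a temp dir, compare them, return (report, diffs)."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir, pkg_dir = build_demo_trees(tmp)
        report = compare_trees(git_dir, pkg_dir)
        diffs = {rel: diff_file(git_dir, pkg_dir, rel) for rel in report["modified"]}
    return report, diffs


if __name__ == "__main__":
    report, diffs = run_demo()
    for key, paths in report.items():
        print(f"{key}: {paths}")
    for rel, lines in diffs.items():
        print("\n".join(lines))
```

Pointed at a real release tarball and a `git checkout` of the same tag, the same functions report any file the build added or altered on its way out of the build server.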

The Register asked Cameron if he could shed any light on the origin of the server compromise, but he didn’t immediately respond. Cooper however suggested the project’s ability to investigate may be limited.

“The build server that was originally exploited is no longer available for forensics, so we’re kinda left guessing about how the attacker got in, but that’s maybe less useful than just putting in place practices that make that vector impossible to exploit again,” said Cooper. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/19/webmin_project_zero_day_patch/

VxWorks TCP/IP Stack Vulnerability Poses Major Manufacturing Risk

A new analysis shows the scale of risk posed by networking vulnerabilities in a popular embedded real-time operating system.

When a major vulnerability recently was found in VxWorks, it may not have hit the radar screen of most IT departments. But for organizations in the automated process control and building automation sectors, the news was troubling. Even more troubling is that hundreds of thousands of organizations don’t know they could now be at risk of VxWorks-borne cyberattacks.

The scale of the risk posed by the VxWorks TCP/IP stack vulnerability is the subject of a new report from Kovrr, a firm that analyzes risk for the insurance and financial industries. The report, scheduled to be made public this week, points out that VxWorks is embedded in more than 2 billion devices. Shalom Bublil, co-founder and chief risk officer at Kovrr, says the pervasiveness of VxWorks was eye-opening.

“The surprising thing is the sheer popularity of the operating system embedded in many other devices that are common in manufacturing. This was a surprise to us and I believe it will be a surprise to others as well,” Bublil says.

While most IT risk scenarios focus on data loss, the report says that the greatest impact of an exploit targeting this vulnerability could be business interruption — an attack on the ability of a business to deliver products and serve the needs of its customers.

The Kovrr report doesn’t name any specific companies vulnerable to such an attack, but it notes that companies large enough to have an impact on global stock markets and gross domestic products are affected. The report goes into detail on the methodology used for setting the risk and its potential economic cost.

According to the report, Kovrr took into account the specifics of company attributes and multiplied that score by the number of VxWorks instances on the ground at the company’s facilities. In the example of a theoretical automobile manufacturer, the result is a financial risk of $4,377,011,494. Using the same formula applied to a larger set of industrial companies, Kovrr calculates a total financial risk of more than $11 billion.

Though Bublil feels confident that the companies will remediate the vulnerability — eventually — he says that there are factors that contribute to a long on-ramp to remediation. “It’s not because of our lack of access to expertise, but operational complexity and the overwhelming need for the devices to keep running without interruption means that there are these tradeoffs that the companies have to make,” he explains.

In addition, many of the vulnerable devices contain VxWorks in a configuration that makes the OS invisible to the company’s staff. That makes the manufacturers captive to supply chain issues that can involve multiple layers of suppliers and responsibility. “It’s not just the manufacturers that have to patch — they have to get their third-party providers to do that,” Bublil says.

This is an example, the report states, of the risk that can come from a single point of failure — in this case, a single embedded operating system. Ultimately, the risk at an individual company comes down to whether or not the company has a reasonable threat scenario in place, Bublil says. “The tricky piece is understanding the security controls the business has in place and the mitigations they can employ,” he explains.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication.

Article source: https://www.darkreading.com/risk-management/vxworks-tcp-ip-stack-vulnerability-poses-major-manufacturing-risk/d/d-id/1335563?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Towns Across Texas Hit in Coordinated Ransomware Attack

The state government and cybersecurity groups have mobilized to respond to a mass ransomware attack that simultaneously hit 23 different towns statewide.

The state of Texas has been hit with a rare coordinated ransomware attack that disrupted systems of 23 different local governments.

The Texas Department of Information Resources (DIR) issued a statewide alert on Aug. 16 warning towns and cities across the state about the attack campaign. The attack hit Friday morning and appears to be the work of a single threat actor, the DIR said in a statement on Aug. 17. Later that day, Texas government officials activated a multi-organizational task force, including the Department of Information Resources (DIR), the Texas A&M University System’s Security Operations Center (SOC), the Texas Department of Public Safety, and emergency and military responders.

By Saturday, all affected entities had been notified and the DIR confirmed that state systems had not been affected by the attack. 

“Investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time,” the DIR alert stated. “Responders are actively working with these entities to bring their systems back online.”

The coordinated attack against Texas’ local governments represents, arguably, the most brazen ransomware operation to date. While ransomware attacks are becoming more targeted, a single coordinated attack against a state is rare.

It is unclear what made the simultaneous attack possible. The same type of vulnerable systems could have been present in each network, or a third-party service provider could have been compromised, says Adam Kujawa, director of security research at Malwarebytes.  

“[I]t is very alarming to see this kind of coordinated attack happen all at once,” he says. “More than likely, most of these networks were already compromised by some other threat and the ransomware aspect just hadn’t been downloaded and launched until last Friday.”

Yet, the coordinated nature of the attack will likely end up as a miscalculation. In July, mayors from the largest towns and cities in the United States pledged to not pay future ransom demands. The pledge, made at the US Conference of Mayors, came after several high profile ransomware attacks against both large cities, such as Atlanta and Baltimore, and small towns, such as Riviera Beach and Lake City, both in Florida.

By attacking many towns and elevating the response to the state-level, the ransomware operators have made it less likely that the victims will pay, Tim Erlin, vice president of product management and strategy at Tripwire, said in a statement.

“If this is really a coordinated attack, it’s hard to imagine how it’s a good thing for the ransomware attackers and for this specific criminal. Raising the bar on the response to a coordinated state level will decrease the likelihood that ransom will actually get paid, and increase the likelihood that both Texas and other states are better prepared for these events in the future,” he said.

Ransomware is generally on the rise. In 2018, more than half of all organizations (53%) polled by messaging service provider Mimecast encountered a ransomware attack that impacted operations, according to the company’s State of E-mail Security 2019 report. 

On Alert

The attack on Texas mainly targeted small local governments, but the DIR did not rule out that other systems had been affected.

“Currently, DIR, the Texas Military Department, and the Texas A&M University System’s Cyberresponse and Security Operations Center teams are deploying resources to the most critically impacted jurisdictions,” the agency stated. “Further resources will be deployed as they are requested.”

Kujawa says while the mayors of larger US towns have committed to not paying ransom, it’s unclear if the Texas towns will follow suit.

“If they do, it could hearten other victims, but it may not have a long-term benefit,” says Kujawa. “I think we could see it as a sign of resistance and a light in the dark for some organizations, especially those who aren’t sure they could actually fight against a ransomware attack.” 

That wouldn’t likely deter attackers from employing ransomware, though, he notes. “I think at this point they hope that if they get even 50% of what they are demanding from their attacks, they are sitting pretty with a good profit,” he says.


Article source: https://www.darkreading.com/attacks-breaches/towns-across-texas-hit-in-coordinated-ransomware-attack/d/d-id/1335567?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Instagram Added to Facebook Data-Abuse Bounty Program

Social media giant also launches invitation-only bug bounty program for ‘Checkout on Instagram’.

Instagram users aware of a third-party application developer misusing their personal data can now report the activity to the company and potentially earn a reward for it.

Facebook, which owns Instagram, on Monday expanded its Data Abuse Bounty program to Instagram in a continuing effort to crack down on application developers and other third parties that are misusing user data on the company’s social media platforms.

The issue has become a huge liability for Facebook. The US Federal Trade Commission recently fined Facebook a record-breaking $5 billion for allowing app developers and other third parties to access and use user data without proper notice and often in violation of the user’s explicit privacy preferences.

The best known example of this is London-based political consulting firm Cambridge Analytica’s controversial use of Facebook data to influence the outcome of the 2016 US presidential election. More recently, cybersecurity firm UpGuard reported on finding two instances of third-party services improperly gathering data on tens of millions of Facebook users and then leaving the data exposed in unsecured storage buckets on Amazon’s AWS.

Under Facebook’s newly expanded program, the company will reward people who report a third-party app currently or formerly operating on Instagram that might have misused user data. Anyone can submit a report to the company under the program if they have “specific and direct” knowledge of such misuse, Facebook said.

Reports that lead to the discovery of what Facebook calls “significant actionable misuse” will be eligible for rewards. The actual reward amounts will vary based on the impact and scope of the reported misuse. Examples of misuse include any disclosure, buying, selling, or transferring of user data in a manner that violates Instagram’s data use policies for third-party app developers.

Facebook has not set an upper limit on the rewards that are available under the Instagram data abuse bounty program. In the past it has paid out as much as $40,000 for a single high-impact report.

Bug Bounty Program for ‘Checkout on Instagram’

In addition to the Instagram data abuse bounty program, Facebook Monday said it has also separately invited a select group of security researchers to test the recent Checkout on Instagram feature for security vulnerabilities. The feature allows Instagram users to directly buy and pay for products that they might see in an ad within the app itself.

The security researchers will receive special access to the Instagram checkout feature and will receive bounties for any new bugs that they might discover. All of the researchers that have been invited to participate in the bug bounty program have previously found high-impact security issues on Facebook, the company said.

Facebook conducted a similar bug bounty exercise before rolling out FB5, its new design for the social media platform, earlier this year. One of the researchers invited to test the new design later discovered a security issue in it that would have allowed an attacker to remove another individual’s profile picture.

“Our bug bounty program has been instrumental in helping us quickly detect new bugs, spot trends, and engage the best security talent outside of Facebook to help us keep the platform safe,” a Facebook spokesperson said. “The lessons learned from each report feed back into our larger security effort, making us better and faster at finding, fixing, and preventing bugs.”

So far, Facebook has paid independent bug hunters and third-party security firms over $7.5 million in rewards for finding bugs on its platform. “Our mission is to stay ahead and work both internally and with our external industry and security partners to catch any instance of these bugs across our platform,” the spokeswoman said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: https://www.darkreading.com/vulnerabilities---threats/instagram-added-to-facebook-data-abuse-bounty-program/d/d-id/1335569?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

61 impacted versions of Apache Struts left off security advisories

Security researchers have reviewed security advisories for Apache Struts and found that two dozen of them inaccurately listed affected versions for the open-source development framework.

The advisories have since been updated to reflect vulnerabilities in an additional 61 unique versions of Struts that were affected by at least one previously disclosed vulnerability but left off the security advisories for those vulnerabilities.

The extensive analysis was done by the Black Duck Security Research (BDSR) team of Synopsys’ Cybersecurity Research Center (CyRC), which investigated 115 distinct releases for Apache Struts and correlated those releases against 57 existing Apache Struts Security Advisories covering 64 vulnerabilities.

Synopsys’ Tim Mackey said in a blog post on Thursday that the danger isn’t that developers and users may have upgraded needlessly. Rather, the real danger is that needed updates may not have happened:

While our findings included the identification of versions that were falsely reported as impacted in the original disclosure, the real risk for consumers of a component is when a vulnerable version is missed in the original assessment. Given that development teams often cache ‘known good’ versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting impact on overall product security.

Case in point: Equifax

Promptly patching security vulnerabilities in Apache Struts is a vital task: you can ask Equifax all about possible ramifications of failing to do so. Equifax blamed a nasty server-side remote code execution (RCE) bug (CVE-2017-5638) for the massive data breach of 2017. The patch had been available for months before the breach, it turned out, but Equifax hadn’t applied it.

Synopsys’ BDSR explored questions such as whether successful exploitation of the versions that got left out of previous security advisories would yield RCE or leave a system vulnerable to a denial-of-service (DoS) attack.

Moderate risk, but still, update!

BDSR determined that the maximum security rating for the incorrectly listed version ranges of affected releases is moderate. The researchers disclosed the newly discovered affected versions to the Apache Struts team through responsible disclosure procedures.

Mackey pointed out that the Apache Struts team has announced that Struts 2.3 is nearing its end of life:

Users of Struts 2.3 should be actively developing and executing plans to migrate to Struts 2.5 in a prudent manner.

The recommendation: upgrade to Struts 2.3.35 or Struts 2.5.17.

Who to blame?

This is open-source. You can’t easily lay blame for a gaffe like this or figure out if you’ve correctly patched security issues in a given component, Mackey pointed out in his post:

It’s well understood that security information for open source projects often operates quite differently than that of commercial software. This is in large part due to the community aspect of open source development wherein consumers of open source components download and use a component, often without the knowledge or awareness of the open source developers or leadership for the component. When it comes to security information, this anonymity presents a challenge for those wishing to ensure they’ve correctly patched any security defects in their environment.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Nh2-u40y6Ec/