8 min
Vulnerability Disclosure
Shoring Up the Defenses Together: 2018Q2 and Q3 Wrap-Up
Today (October 29, 2018) we are sharing several vulnerabilities that have been fixed in Rapid7 products and supporting services.
3 min
Vulnerability Disclosure
R7-2018-15 | CVE-2018-5553: Crestron DGE-100 Console Command Injection (FIXED)
This post describes CVE-2018-5553, a vulnerability in the Crestron Console
service that is preinstalled on the DGE-100. Due to a lack of input
sanitization, this service is vulnerable to command injection that can be used
to gain root-level access. DGE-100 devices running firmware versions
1.3384.00049.001 and lower with default configuration are vulnerable to
CVE-2018-5553.
CVE-2018-5553 is categorized as CWE-78 (Improper Neutralization of Special
Elements used in an OS Command) [https://cwe.m
7 min
Vulnerability Disclosure
Shoring Up the Defenses Together: 2018Q1 Wrap-Up
Today (April 10, 2018) we are sharing six vulnerabilities that have been fixed
in Rapid7 products and supporting services. You won’t need to take any actions:
all of the issues have been addressed. We are disclosing these vulnerabilities
in order to be transparent, to thank those that take the time to report security
issues responsibly, and to provide a few reminders of security concerns that you
should audit for in your own organization.
Dynamically-generated web server access policies
Generat
4 min
Vulnerability Disclosure
R7-2018-01 (CVE-2018-5551, CVE-2018-5552): DocuTrac Office Therapy Installer Hard-Coded Credentials and Cryptographic Salt
DocuTrac QuickDoc & Office Therapy ships with a number of static accounts which are not disclosed to the end user.
3 min
Public Policy
NIST Cyber Framework Updated With Coordinated Vuln Disclosure Processes
A key guideline for cybersecurity risk management now includes coordinated vulnerability disclosure and handling processes. This revision will help boost adoption of processes for receiving and analyzing vulnerabilities disclosed from external sources, such as researchers.
18 min
Vulnerability Disclosure
R7-2017-25: Cambium ePMP and cnPilot Multiple Vulnerabilities
Summary of Issues
Multiple vulnerabilities in Cambium Networks’ ePMP and cnPilot product lines
were discovered by independent researcher Karn Ganeshen
[https://ipositivesecurity.com/], which have, in turn, been addressed by the
vendor. The affected devices are in use all over the world to provide wireless
network connectivity in a variety of contexts, including schools, hotels,
municipalities, and industrial sites, according to the vendor
[https://www.cambiumnetworks.com/industry/].
These issue
2 min
Public Policy
Welcome transparency on US government's process for disclosing vulnerabilities
The White House recently released details on the US government's process for disclosing - or retaining - zero-day vulnerabilities. The new VEP charter provides answers to several key questions, but it remains to be seen how it will operate in practice.
5 min
Metasploit
Testing Developer Security with Metasploit Pro Task Chains
In this modern age, technology continues to make inroads into all sorts of
industries. Everything from smartphones to late-model automobiles to
internet-connected toasters requires software to operate, and this proliferation
of software has brought along gaggles of software developers with their
tools-of-the-trade. All this technology —not to mention the people utilizing it—
can result in an increased attack surface for organizations doing software
development.
In this blog post, we’ll explore
4 min
Vulnerability Disclosure
R7-2017-08: BPC SmartVista SQL Injection Vulnerability
Important update: 2018/01/25
BPC informed Rapid7 that this vulnerability only impacted the specified version
of SmartVista Front-End (2.2.10, revision 287921), which had very limited
distribution. Once the vulnerability described below was discovered, BPC
released a patch on Jul 19, 2017, before the issuance of the public disclosure
by Rapid7 on Oct 17, 2017. We have no reason to believe that any other versions
of SmartVista Front-End are vulnerable to this issue. Rapid7 believed the issue
to st
8 min
Vulnerability Management
No-Priority, Post-Auth Vulnerabilities
In the course of collecting and disclosing vulnerabilities, I occasionally come
across an issue that walks like a vuln, quacks like a vuln, but… it’s not
exactly a vuln. As per our usual vulnerability disclosure process
[https://www.rapid7.com/security/disclosure/], we still report these issues to
vendors. The behavior observed is nearly always a bug of some sort, but it’s not
immediately exploitable, or the “exploit” is merely exercising the expected
level of privilege, but in an unexpected con
6 min
Vulnerability Disclosure
Vulnerabilities Affecting Four Rapid7 Products (FIXED)
Today we are announcing four fixed vulnerabilities in four Rapid7 products,
summarized in the table below. These issues are low to medium severity (mostly
due to the high exploitation requirements), but we want to make sure that our
customers have all the information they need to make informed security
decisions. This article includes detailed descriptions of the vulnerabilities,
as well as how to ensure they are mitigated in your environment. Some of the
updates are automatic, but some may requ
8 min
Vulnerability Disclosure
Multiple vulnerabilities in Wink and Insteon smart home systems
Today we are announcing four issues affecting two popular home automation
solutions: Wink's Hub 2 and Insteon's Hub. Neither vendor stored sensitive
credentials securely on their associated Android apps. In addition, the Wink
cloud-based management API does not properly expire and revoke authentication
tokens, and the Insteon Hub uses an unencrypted radio transmission protocol for
potentially sensitive security controls such as garage door locks.
As most of these issues have not yet been addres
7 min
Research
Cisco Smart Install Exposure
Cisco Smart Install (SMI) provides configuration and image management
capabilities for Cisco switches. Cisco’s SMI documentation
[http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html]
goes into more detail than we’ll be touching on in this post, but the short
version is that SMI leverages a combination of DHCP, TFTP and a proprietary TCP
protocol to allow organizations to deploy and manage Cisco switches. Using SMI
yields a number of be
5 min
Authentication
R7-2017-07: Multiple Fuze TPN Handset Portal vulnerabilities (FIXED)
This post describes three security vulnerabilities related to access controls
and authentication in the TPN Handset Portal, part of the Fuze platform. Fuze
fixed all three issues by May 6, 2017, and user action is not required to
remediate. Rapid7 thanks Fuze for their quick and thoughtful response to these
vulnerabilities:
* R7-2017-07.1, CWE-284 (Improper Access Control)
[https://cwe.mitre.org/data/definitions/284.html]: An unauthenticated remote
attacker can enumerate through MAC addr
2 min
Vulnerability Disclosure
R7-2017-06 | CVE-2017-5241: Biscom SFT XSS (FIXED)
Summary
The Workspaces component of Biscom Secure File Transfer (SFT) version 5.1.1015
is vulnerable to stored cross-site scripting in two fields. An attacker would
need to have the ability to create a Workspace and entice a victim to visit the
malicious page in order to run malicious Javascript in the context of the
victim's browser. Since the victim is necessarily authenticated, this can allow
the attacker to perform actions on the Biscom Secure File Transfer instance on
the victim's behalf.