All versions of Samba from 4.0.0 onwards are vulnerable to a use after free vulnerability, where a malicious SMB1 request can be used to control the contents of heap memory via a deallocated heap pointer. It is possible this may be used to compromise the SMB server.
The major Linux distributions (Red Hat, Ubuntu, Debian) have already rolled out security patches for this vulnerability, tracked as CVE-2017-14746, which affects all versions of Samba since 4.0.
According to the project’s advisory, an unauthenticated attacker could send specially-crafted SMB1 requests to cause the server to crash or execute arbitrary code.
Sysadmins should apply the fixes to their servers; the alternative is to turn off SMB1 on the Samba server:
Prevent SMB1 access to the server by setting the parameter:
server min protocol = SMB2
in the [global] section of your smb.conf and restart smbd. This prevents any SMB1 access to the server. Note this could cause older clients to be unable to connect to the server.
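Added example, not from the Samba advisory or the Samba project: a small Python check that reads an smb.conf and reports whether the [global] section actually raises "server min protocol" past SMB1, which is the mitigation quoted above. The sample configurations and the function names are constructed for this illustration; the NT1 default it assumes applies to Samba releases before 4.11.

```python
import re
from typing import Optional

SMB1_LEVELS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# Samba accepts both spellings; parameter names are case-insensitive and ignore whitespace.
PARAM_NAMES = {"serverminprotocol", "minprotocol"}

def global_min_protocol(smb_conf: str) -> Optional[str]:
    """Return the value of 'server min protocol' from [global], or None if unset."""
    section, value = None, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf has whole-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, val = (s.strip() for s in line.split("=", 1))
        if re.sub(r"\s+", "", key).lower() in PARAM_NAMES:
            value = val.upper()                  # a later assignment overrides an earlier one
    return value

def smb1_disabled(smb_conf: str) -> bool:
    """True only when [global] explicitly raises the minimum to SMB2 or later."""
    value = global_min_protocol(smb_conf)
    if value is None:
        return False   # unset: Samba 4.0 to 4.10 default to NT1, so SMB1 stays enabled
    return value not in SMB1_LEVELS

# Constructed configs: before and after applying the advisory's mitigation.
VULNERABLE_CONF = """[global]
   workgroup = WORKGROUP
   ; server min protocol left at its default
[homes]
   browseable = no
"""
FIXED_CONF = """[global]
   workgroup = WORKGROUP
   server min protocol = SMB2
"""

if __name__ == "__main__":
    for name, conf in (("before", VULNERABLE_CONF), ("after", FIXED_CONF)):
        print(f"{name}: SMB1 disabled = {smb1_disabled(conf)}")
```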
The vulnerability (CVE-2017-5638), first reported by the security researcher Nike Zheng, is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, as reported in this security advisory:
It is possible to perform an RCE attack with a malicious Content-Type value. If the Content-Type value isn’t valid, an exception is thrown which is then used to display an error message to a user.
The researchers have also seen malicious attacks which turn off firewall processes on the target and drop payloads:
“The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet”.
Technical analysis was released by the major security firms:
It is important to note that the presence of vulnerable code is enough to exploit the vulnerability. The web application doesn’t necessarily need to implement file upload functionality for this vulnerability to be exploitable.
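Added example, not from the Struts advisory or the Struts project: the bug is reached through a Content-Type value that is not a valid media type, so requests carrying such a header can be refused at the edge before they reach the multipart parser. The Python gate below checks the header against the RFC 7231 media-type grammar; the header samples are constructed. It is a compensating control only, since the vulnerable parser itself is what has to be patched.

```python
import re

# RFC 7231 media-type grammar: type "/" subtype *( OWS ";" OWS parameter )
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
QUOTED_STRING = r'"(?:[^"\\\r\n]|\\[^\r\n])*"'
PARAMETER = rf"{TOKEN}=(?:{TOKEN}|{QUOTED_STRING})"
MEDIA_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(?:[ \t]*;[ \t]*{PARAMETER})*[ \t]*$")

def is_wellformed_content_type(value: str) -> bool:
    """True when the header value is a syntactically valid media type."""
    return MEDIA_TYPE_RE.match(value) is not None

def content_type_acceptable(headers: dict) -> bool:
    """Request gate placed in front of the multipart parser: a request passes when
    it has no Content-Type or a well-formed one; anything else is rejected before
    the parser's error path can run on it."""
    value = headers.get("Content-Type")
    return value is None or is_wellformed_content_type(value)

# Constructed header values with the expected verdict for each.
SAMPLES = {
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk": True,
    'text/plain; charset="utf-8"': True,
    "application/json": True,
    "text/": False,                            # missing subtype
    "multipart/form-data boundary=x": False,   # parameter without ';'
    "form-data {not a token}": False,          # not a media type at all
}

if __name__ == "__main__":
    for value, expected in SAMPLES.items():
        verdict = is_wellformed_content_type(value)
        print(f"{'ok ' if verdict == expected else 'BAD'} {value!r} -> {verdict}")
```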
If you receive any Facebook message with an .SVG image file, just avoid clicking it: a malicious campaign is spreading a ransomware downloader (Nemucod) among Facebook users by taking advantage of an innocent-looking SVG image file to infect computers.
Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook’s file extension filter.
Why an SVG file?
Scalable Vector Graphics (SVG) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation.
If the victim installs the Chrome extension, the attack is spread further via Facebook Messenger to all user contacts.
I opened the link and installed the extension, how can I fix it?
Remove the malicious extension from your browser immediately:
Additionally, run a scan with your antivirus and change your Facebook password afterwards.
Notify your friends that you sent a malicious file, or, in the other case, let your friend know that he/she is infected. If you keep receiving the same message from your friend, you may want to temporarily block their messages.
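Added example, not part of the original post: since SVG is XML that may carry script and event handlers, an upload filter that looks only at the file extension misses exactly what this campaign relied on. The Python scanner below parses the SVG and lists script elements, on* event attributes and external references so that such files can be rejected or sanitized before they are served; both SVG samples are constructed.

```python
import xml.etree.ElementTree as ET   # use defusedxml's equivalent for untrusted uploads in production

ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
EXTERNAL_SCHEMES = ("http:", "https:", "javascript:", "data:")

def svg_active_content(svg_bytes: bytes) -> list:
    """List the active content found in an SVG; an empty list means the file
    only carries static drawing instructions."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for elem in root.iter():
        tag = elem.tag.split("}", 1)[-1]          # strip the namespace prefix
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, val in elem.attrib.items():
            name = attr.split("}", 1)[-1]           # xlink:href -> href
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and val.strip().lower().startswith(EXTERNAL_SCHEMES):
                findings.append(f"external reference on <{tag}>: {val}")
    return findings

# Constructed samples: a plain drawing and a file that carries script.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <defs><linearGradient id="g"/></defs>
  <circle cx="5" cy="5" r="4" fill="url(#g)"/>
  <use xlink:href="#g"/>
</svg>"""
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="1" height="1" onload="void 0">
  <script>/* constructed placeholder: script has no place in an image upload */</script>
  <a xlink:href="https://example.invalid/next"><rect width="1" height="1"/></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, svg_active_content(doc) or "no active content")
```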
The security researcher Collin Mulliner has discovered an exploitable vulnerability in Apple’s WebView that could allow phone calls to a number of the attacker’s choosing.
iOS WebViews can be used to automatically call an attacker controlled phone number. The attack can block the phone’s UI for a short amount of time and therefore prevent the victim from canceling the call. The bug is an application bug that likely is due to bad OS/framework defaults. One major issue with this vulnerability is that it is really easy to exploit. App developers have to fix their code as soon as possible.
Mulliner said the vulnerability is trivial to exploit, requiring at a minimum one line of HTML code, and that iOS developers who have embedded Apple’s WebView into mobile apps need to be aware.
The risks to the user include calls to premium numbers or denial-of-service against telephone numbers of public services:
About a week ago I read a news post about a guy who got arrested for accidentally DoSing 911 by creating a web page that automatically dialed 911 when visited from an iPhone. This was most likely due to a bug with the handling of TEL URI. I immediately thought about a bug I reported to Apple in late October 2008. I couldn’t believe this bug has resurfaced so I investigated. The article said something about posting links on Twitter.
The researcher has also published two video demonstrations of the exploit:
These vulnerabilities could be exploited in shared hosting environments to gain access to all databases.
Some weeks ago I reported on two critical 0-day vulnerabilities in MySQL (and its forks MariaDB and PerconaDB).
At that time, the security researcher Dawid Golunski published only technical details and proof-of-concept exploit code for the first bug.
Now Golunski has released PoC exploits for both vulnerabilities:
One is the previously promised critical privilege escalation vulnerability (CVE-2016-6663) that can allow a low-privileged account (with CREATE/INSERT/SELECT grants) with access to the affected database to escalate their privileges and execute arbitrary code as the database system user.
The other is a new root privilege escalation bug (CVE-2016-6664) that could allow attackers with ‘MySQL system user’ privilege to further escalate their privileges to root user, allowing them to fully compromise the system.
Both the vulnerabilities affect MySQL version 5.5.51 and earlier, MySQL version 5.6.32 and earlier, and MySQL version 5.7.14 and earlier.
Patches and Mitigations
MySQL has already fixed the vulnerabilities and you are strongly advised to apply patches as soon as possible.
If you are unable to apply the patches immediately, you can apply a temporary mitigation by disabling symbolic link support in your database server configuration with this setting in my.cnf:
Dawid Golunski, a Polish security researcher, discovered several security issues in the MySQL DBMS, including a flaw (CVE-2016-6662) that can be exploited by a remote attacker to inject malicious settings into my.cnf configuration files.
The vulnerability affects all currently supported MySQL versions as well as MariaDB and PerconaDB.
The vulnerability can be exploited via SQL injection attack, or by an attacker with valid credentials either locally or over the Web via phpMyAdmin:
“A successful exploitation could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running”
The vulnerability was reported to Oracle on 29th of July 2016 and triaged by the security team.
It was also reported to the other affected vendors including PerconaDB and MariaDB.
The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of 30th of August.
During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases which could be noticed by malicious attackers.
As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor's next CPU update that only happens at the end of October.
No official patches or mitigations are available at this time from the vendor.
As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in
These are by no means a complete solution and users should apply official vendor patches as soon as they become available.
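Added example covering the two temporary mitigations on this page, the my.cnf symbolic link setting above and the file-ownership advice in Golunski's advisory; it is not code from Golunski, from MySQL or from this blog. The option name symbolic-links=0 is MySQL's documented setting; the audit helper, its file paths and the sample configs are constructed for this illustration.

```python
import os
import tempfile

def symlinks_disabled(cnf_text: str) -> bool:
    """True when [mysqld] sets symbolic-links=0 or skip-symbolic-links."""
    section, disabled = None, False
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":       # comments and !include lines
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            continue
        if section != "mysqld":                # only the [mysqld] group is checked here
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        key = key.replace("_", "-").lower()    # MySQL treats '-' and '_' alike
        if key == "skip-symbolic-links":
            disabled = True
        elif key == "symbolic-links":
            disabled = val.lower() in ("0", "off", "false")   # last setting wins
    return disabled

def audit_my_cnf(path: str, mysql_uid: int) -> list:
    """Findings for one config file; an empty list means it passes both checks."""
    if not os.path.exists(path):
        return ["absent: the advisory suggests a root-owned dummy file here"]
    findings = []
    if os.stat(path).st_uid == mysql_uid:
        findings.append("owned by the mysql user")
    with open(path, encoding="utf-8", errors="replace") as fh:
        if not symlinks_disabled(fh.read()):
            findings.append("symbolic-links not disabled in [mysqld]")
    return findings

# Constructed configs: the weak one keeps symlink support, the fixed one drops it.
WEAK_CNF = "[mysqld]\ndatadir=/var/lib/mysql\nsymbolic-links=1\n"
FIXED_CNF = "[mysqld]\ndatadir=/var/lib/mysql\nsymbolic-links=0\n"

def demo() -> dict:
    """Audit constructed files in a temp dir; the weak file is checked as if the
    current user were 'mysql', the fixed one against an unrelated uid."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        weak, fixed = os.path.join(d, "weak.cnf"), os.path.join(d, "fixed.cnf")
        for path, text in ((weak, WEAK_CNF), (fixed, FIXED_CNF)):
            with open(path, "w") as fh:
                fh.write(text)
        return {"weak": audit_my_cnf(weak, me), "fixed": audit_my_cnf(fixed, me + 1),
                "missing": audit_my_cnf(os.path.join(d, "none.cnf"), me)}
```

In practice pass the real uid of the mysql account (pwd.getpwnam("mysql").pw_uid) and the paths your server actually reads.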