Devil’s Ivy results in remote code execution, and was found in an open source third-party code library from gSOAP. When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Genivia, the company behind gSOAP, has released a patch.
Bad Taste is a code injection vulnerability in the thumbnail handler component of GNOME Files file manager that could allow hackers to execute malicious code on targeted Linux machines. Both the GNOME Project and the Debian Project have patched the vulnerability in the gnome-exe-thumbnailer file. If you run a Linux OS with the GNOME desktop, check for updates immediately before you become affected by this critical vulnerability.
More open source security and cybersecurity news below, including a new SambaCry vulnerability capable of exploiting NAS devices.
via DevOps Digest: The world's appetite for open source software is voracious. In the last year, businesses around the globe significantly increased their use of open source and although they readily acknowledge growing concerns about open source-related security and operational risks, the effective management of open source is not keeping pace with the increase in use.
Those are among the key takeaways from the 2017 Open Source 360° Survey results from Black Duck's Center for Open Source Research and Innovation (COSRI).
via Senrio: After about a day of analysis, we discovered a stack buffer overflow vulnerability (CVE-2017-9765), which we’re calling Devil’s Ivy*. Devil’s Ivy results in remote code execution, and was found in an open source third-party code library, from gSOAP (more on that later). When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.
* We named the vulnerability Devil’s Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse. Its source in a third-party toolkit downloaded millions of times means that it has spread to thousands of devices and will be difficult to entirely eliminate.
via ZDNet: Devil's Ivy is likely to remain unpatched for a long time: "code reuse is vulnerability reuse."
via Black Duck blog (Damon Weinstein): As open source development has become mainstream, developers have been able to benefit from a growing number of application development and security solutions that help them build secure, high-quality software fast. Several new open source vulnerability management (a.k.a. software composition analysis) solutions have emerged, and at first glance, it can be hard to determine what differentiates them — at some level, they all claim to help you catalog your open source and show you information about the current known vulnerabilities.
via the Washington Post: The true strength of our society will lie in how we educate, train and empower our citizens through creative solutions from the public-private partnerships formed to tackle the cybersecurity problems of today.
Collaboration Integrates Black Duck Hub and Pivotal Cloud Foundry to Deliver a Secure DevOps Process and User Experience
via DarkReading: This is the first open source-focused security management integration with Pivotal Cloud Foundry, enabling enterprise customers to embrace open source in their applications with automated visibility, intelligence, and control.
via SC Media: Cisco offered this forecast in its 2017 Midyear Cybersecurity Report, where it cited the destructive nature of the NotPetya attacks, which appeared to be traditional ransomware but were in fact designed to wipe a target's system and destroy its ability to operate, as a model that will be used more often and on a greater scale going forward: a type of attack Cisco labeled “destruction of service” (DeOS).
via Bank Info Security: A global, major attack on cloud computing services could cost an average of $53 billion, according to the report, which was co-written with Cyence, a firm that helps the insurance industry evaluate cyber-related risks.
via The Merkle: Computers are no longer the only devices susceptible to attacks. We have seen various types of malware targeting Internet of Things devices in recent months. It now appears that there is a new SambaCry vulnerability, capable of exploiting NAS devices. These devices can easily be backdoored by this exploit.
via The Hacker News: A security researcher has discovered a code injection vulnerability in the thumbnail handler component of GNOME Files file manager that could allow hackers to execute malicious code on targeted Linux machines.