Devil’s Ivy, Bad Taste, & New SambaCry Vulnerability

We have two CVEs of the week this week, CVE-2017-9765, better known as “Devil’s Ivy,” and CVE-2017-11421, dubbed “Bad Taste” by its discoverer.

Devil’s Ivy results in remote code execution, and was found in an open source third-party code library from gSOAP. When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Genivia, the company behind gSOAP, has released a patch.

Bad Taste is a code injection vulnerability in the thumbnail handler component of GNOME Files file manager that could allow hackers to execute malicious code on targeted Linux machines. Both the GNOME Project and the Debian Project have patched the vulnerability in the gnome-exe-thumbnailer file. If you run a Linux OS with the GNOME desktop, check for updates immediately before you become affected by this critical vulnerability.

More open source security and cybersecurity news below, including a new SambaCry vulnerability capable of exploiting NAS devices.

Increased Reliance on Open Source Means More Risk

via DevOps Digest: The world's appetite for open source software is voracious. In the last year, businesses around the globe significantly increased their use of open source and although they readily acknowledge growing concerns about open source-related security and operational risks, the effective management of open source is not keeping pace with the increase in use.

Those are among the key takeaways from the 2017 Open Source 360° Survey results from Black Duck's Center for Open Source Research and Innovation (COSRI).

Devil's Ivy: Flaw in Widely Used Third-party Code Impacts Millions

via Senrio: After about a day of analysis, we discovered a stack buffer overflow vulnerability (CVE-2017-9765), which we’re calling Devil’s Ivy*. Devil’s Ivy results in remote code execution, and was found in an open source third-party code library, from gSOAP (more on that later). When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.

* We named the vulnerability Devil’s Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse. Its source in a third-party toolkit downloaded millions of times means that it has spread to thousands of devices and will be difficult to entirely eliminate.

Millions of IoT Devices Hit by 'Devil's Ivy' Bug in Open Source Code Library

via ZDNet: Devil's Ivy is likely to remain unpatched for a long time: "code reuse is vulnerability reuse."

Pandora’s Box – Exploits Show Package Manager Blind Spots

via Black Duck blog (Damon Weinstein): As open source development has become mainstream, developers have been able to benefit from a growing number of application development and security solutions that help them build secure, high-quality software fast. Several new open source vulnerability management (a.k.a. software composition analysis) solutions have emerged, and at first glance, it can be hard to determine what differentiates them — at some level, they all claim to help you catalog your open source and show you information about the current known vulnerabilities.

Cybersecurity Is Too Important to Be Bogged Down in Government Bureaucracy

via the Washington Post: The true strength of our society will lie in how we educate, train and empower our citizens through creative solutions from the public-private partnerships formed to tackle the cybersecurity problems of today.

Collaboration Integrates Black Duck Hub and Pivotal Cloud Foundry to Deliver a Secure DevOps Process and User Experience

via DarkReading: This is the first open source-focused security management integration with Pivotal Cloud Foundry, enabling enterprise customers to embrace open source in their applications with automated visibility, intelligence, and control.

Cisco Predicts a Major Increase in Cyberattacks Designed to Destroy Systems

via SC Media: Cisco offered this forecast in its 2017 Midyear Cybersecurity Report, where it cited the destructive nature of the NotPetya attacks, which appeared to be traditional ransomware but were in fact designed to wipe a target's system and destroy its ability to operate, as a model that will be used more often and on a greater scale going forward, a type of attack Cisco labeled “destruction of service” (DeOS).

Report: Major Cloud Services Attack Could Cost $53 Billion

via Bank Info Security: A global, major attack on cloud computing services could cost an average of $53 billion, according to the report, which was co-written with Cyence, a firm that helps the insurance industry evaluate cyber-related risks.

Criminals Leverage SambaCry Vulnerability to Gain Backdoor Access to NAS Devices

via The Merkle: Computers are no longer the only devices susceptible to attacks. We have seen various types of malware targeting Internet of Things devices in recent months. It now appears that there is a new SambaCry vulnerability, capable of exploiting NAS devices. These devices can easily be backdoored by this exploit.

Critical Code Injection Flaw In Gnome File Manager Leaves Linux Users Open to Hacking

via The Hacker News: A security researcher has discovered a code injection vulnerability in the thumbnail handler component of GNOME Files file manager that could allow hackers to execute malicious code on targeted Linux machines.
