Devil’s Ivy, Bad Taste, & New SambaCry Vulnerability


This week we have two CVEs of the week: CVE-2017-9765, better known as “Devil’s Ivy,” and CVE-2017-11421, dubbed “Bad Taste” by its discoverer.

Devil’s Ivy is a stack buffer overflow that results in remote code execution. It was found in gSOAP, an open source third-party toolkit from Genivia that is embedded in many networked devices, including the security cameras on which it was discovered. When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Genivia has released a patched version of gSOAP, but because the library is compiled into each product, every affected device also needs a firmware update from its own vendor.

Bad Taste is a code injection vulnerability in gnome-exe-thumbnailer, the thumbnailer that the GNOME Files file manager uses for Windows executables. It could allow an attacker to execute code on a Linux machine when the user merely browses a directory containing a crafted file. Both the GNOME Project and the Debian Project have shipped a fixed gnome-exe-thumbnailer package. If you run a Linux distribution with the GNOME desktop, install the update now; if you do not need thumbnails for Windows executables, the package can also simply be removed.

More open source security and cybersecurity news below, including new malware that leverages the existing SambaCry vulnerability (CVE-2017-7494) to backdoor NAS devices.

Increased Reliance on Open Source Means More Risk

via DevOps Digest: The world's appetite for open source software is voracious. In the last year, businesses around the globe significantly increased their use of open source and although they readily acknowledge growing concerns about open source-related security and operational risks, the effective management of open source is not keeping pace with the increase in use.

Those are among the key takeaways from the 2017 Open Source 360° Survey results from Black Duck's Center for Open Source Research and Innovation (COSRI). 

Devil's Ivy: Flaw in Widely Used Third-party Code Impacts Millions

via Senrio: After about a day of analysis, we discovered a stack buffer overflow vulnerability (CVE-2017-9765), which we’re calling Devil’s Ivy*. Devil’s Ivy results in remote code execution, and was found in an open source third-party code library, from gSOAP (more on that later). When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.

* We named the vulnerability Devil’s Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse. Its source in a third-party toolkit downloaded millions of times means that it has spread to thousands of devices and will be difficult to entirely eliminate.

Millions of IoT Devices Hit by 'Devil's Ivy' Bug in Open Source Code Library

via ZDNet: Devil's Ivy is likely to remain unpatched for a long time: "code reuse is vulnerability reuse."

Pandora’s Box – Exploits Show Package Manager Blind Spots

via Black Duck blog (Damon Weinstein): As open source development has become mainstream, developers have been able to benefit from a growing number of application development and security solutions that help them build secure, high-quality software fast. Several new open source vulnerability management (a.k.a. software composition analysis) solutions have emerged, and at first glance, it can be hard to determine what differentiates them — at some level, they all claim to help you catalog your open source and show you information about the current known vulnerabilities.


Cybersecurity Is Too Important to Be Bogged Down in Government Bureaucracy

via the Washington Post: The true strength of our society will lie in how we educate, train and empower our citizens through creative solutions from the public-private partnerships formed to tackle the cybersecurity problems of today.

Collaboration Integrates Black Duck Hub and Pivotal Cloud Foundry to Deliver a Secure DevOps Process and User Experience

via DarkReading: This is the first open source-focused security management integration with Pivotal Cloud Foundry, enabling enterprise customers to embrace open source in their applications with automated visibility, intelligence, and control.

Cisco Predicts a Major Increase in Cyberattacks Designed to Destroy Systems

via SC Media: Cisco offered this forecast in its 2017 Midyear Cybersecurity Report, where it cited the destructive nature of the NotPetya attacks, which appeared to be traditional ransomware but were in fact designed to wipe a target's systems, destroying its ability to operate, as a model that will be used more often and on a greater scale going forward, a type of attack Cisco labeled “destruction of service” (DeOS).

Report: Major Cloud Services Attack Could Cost $53 Billion

via Bank Info Security: A global, major attack on cloud computing services could cost an average of $53 billion, according to the report, which was co-written with Cyence, a firm that helps the insurance industry evaluate cyber-related risks.

Criminals Leverage SambaCry Vulnerability to Gain Backdoor Access to NAS Devices

via The Merkle: Computers are no longer the only devices susceptible to attacks. We have seen various types of malware targeting Internet of Things devices in recent months. It now appears that there is a new SambaCry vulnerability, capable of exploiting NAS devices. These devices can easily be backdoored by this exploit.

Critical Code Injection Flaw In Gnome File Manager Leaves Linux Users Open to Hacking

via The Hacker News: A security researcher has discovered a code injection vulnerability in the thumbnail handler component of GNOME Files file manager that could allow hackers to execute malicious code on targeted Linux machines.

