Advisories & Alerts

  • [SingCERT] Alert on Misconfigured Geth Ethereum Client 19 June 2018

    On 11 June 2018, Qihoo 360 reported that a group of hackers had stolen over $20 million worth of Ethereum, a cryptocurrency. The thefts were caused by a misconfiguration of the Geth Ethereum client that exposed its Remote Procedure Call (RPC) interface on port 8545. This interface grants access to sensitive functions, allowing hackers to obtain private keys, move funds and retrieve owners' personal details.

  • [SingCERT] Alert on "SigSpoof" Email Encryption and Digital Signature Vulnerability (CVE-2018-12020) 19 June 2018

    A security researcher discovered a vulnerability affecting email clients that use GnuPG (Gnu Privacy Guard) for email encryption and digital signatures. GnuPG (aka GPG) is a complete and free implementation of the OpenPGP (Open Pretty Good Privacy) security standard. It enables users to secure their data communication with strong encryption and digital signatures.

    Dubbed "SigSpoof" by the researcher, the vulnerability stems from improper sanitisation of filenames, which allows an attacker to inject fake GnuPG status messages into the application's parser and thereby imitate signature verification and message decryption results. The resulting spoofed signed and/or encrypted messages are able to bypass application verification.

  • [SingCERT] Alert on Critical Microsoft Vulnerabilities CVE-2018-8267, CVE-2018-8225 & CVE-2018-8231 14 June 2018

    Microsoft has announced the release of several security patches to address vulnerabilities affecting its Operating System and other products.

    Three critical vulnerabilities were identified and require immediate attention.

    CVE-2018-8267 is a memory corruption vulnerability affecting Microsoft Internet Explorer. It can be triggered when Internet Explorer fails to properly handle errors, allowing an attacker to execute arbitrary code.

    CVE-2018-8225 is a critical Windows Domain Name Server API (DNSAPI) remote code execution vulnerability that exists in Windows DNS. The vulnerability can be exploited by sending a corrupted DNS response to a targeted system.

    CVE-2018-8231 is a critical Hypertext Transfer Protocol (HTTP) stack memory vulnerability that can be exploited by sending a malicious packet to a targeted system, allowing an attacker to execute arbitrary code.

  • [SingCERT] Alert on Zip Slip Vulnerability for Archive Files 08 June 2018

    On 5 June 2018, Snyk Security team disclosed a critical archive extraction vulnerability dubbed Zip Slip. This vulnerability allows attackers to perform arbitrary remote command execution on affected systems. As a result, thousands of projects, including projects by HP, Amazon, Apache, Pivotal and many more, are affected.

    The Zip Slip vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central software library for unpacking archive files. The lack of such a library led to vulnerable code snippets being crafted and shared among developer communities such as StackOverflow.

  • [SingCERT] Alert on "VPNFilter" Malware Infecting Networking Devices Worldwide 07 June 2018

    On 23 May 2018, security researchers from Cisco revealed a new malware, "VPNFilter", launched by an APT (Advanced Persistent Threat) group with the capacity to collect intelligence and launch destructive cyber-attacks on intended victims. The multi-stage malware targets networking devices in small office and home office (SOHO) environments, including routers from Linksys, MikroTik, NETGEAR and TP-Link, and QNAP NAS devices. According to Cisco, at least 500,000 networking devices in at least 54 countries, including Singapore, are estimated to have been infected with the malware. The number of infected devices detected in Singapore is low, at nearly 30.

  • [SingCERT] Alert on Critical Cisco Vulnerabilities CVE-2018-0222, 0268, 0271 18 May 2018

    Cisco Digital Network Architecture (DNA) is an open, software-driven platform that integrates several advanced networking capabilities such as virtualisation, automation, analytics, and cloud capabilities into one solution, making it easy for network administrators to design and apply policies across multiple networks.

    On 16 May 2018, Cisco released multiple software patches to address vulnerabilities found in its products, including three vulnerabilities discovered in Cisco DNA Center that are categorised as "critical". They are tracked as CVE-2018-0222, CVE-2018-0268 and CVE-2018-0271, and each has the maximum Common Vulnerability Scoring System (CVSS) severity base score of 10 out of 10.

  • [SingCERT] Alert on Red Hat DHCP Client Critical Vulnerability (CVE-2018-1111) 18 May 2018

    The Dynamic Host Configuration Protocol (DHCP) is used to configure the network settings of a computer system from a DHCP server. When a system joins a network, its DHCP client automatically requests network configuration information such as an Internet Protocol (IP) address, IP routes, the default IP gateway and Domain Name System (DNS) servers from the nearest, or the first responding, DHCP server.

    On 15 May 2018, Red Hat published a security alert advising users to immediately patch a critical vulnerability found in the NetworkManager integration script included in its DHCP client packages. NetworkManager is a program that uses DHCP.

    The flawed script executes with administrative privileges whenever NetworkManager receives a DHCP response from a DHCP server. When successfully exploited, the vulnerability allows an attacker to execute arbitrary commands, resulting in a complete compromise of the system.

    The vulnerability, tracked as CVE-2018-1111, is rated "Critical" with the maximum Common Vulnerability Scoring System (CVSS) severity base score of 10 out of 10.

  • [SingCERT] Alert on NagiosXI Security Vulnerabilities - CVE-2018-8733 through CVE-2018-8736 15 May 2018

    NagiosXI is a monitoring solution, designed by Nagios Enterprises, for many mission-critical infrastructure components in a system or organisation, including applications, web services, operating systems, network protocols, systems metrics, and network infrastructure.

    On 10 May 2018, Nagios Enterprises published a security alert on its website advising users to immediately update to the latest version of NagiosXI, which addresses several vulnerabilities, to ensure that their systems are not susceptible to a security breach.

  • [SingCERT] Alert on Critical Microsoft Vulnerabilities CVE-2018-8174 & CVE-2018-8120 10 May 2018

    Microsoft has released multiple security patches to address vulnerabilities affecting its Operating System and other products, including two zero-days that have been observed to be actively exploited.

    The first, CVE-2018-8174, is a critical Remote Code Execution (RCE) vulnerability, also dubbed "Double Kill": an invalid access to memory after it has been freed (a use-after-free). The issue resides in the way the VBScript Engine (included in all currently supported versions of Windows) handles objects in memory, corrupting memory in such a way that an attacker could execute arbitrary code in the context of the current user. This flaw allows an attacker to remotely take control of an affected system. The exploit could be delivered through malicious Office documents or links in emails that force the URL contents to be loaded in Internet Explorer.

    The second, CVE-2018-8120, is a privilege-escalation flaw in the Win32k component of Windows that occurs when it fails to properly handle objects in memory. To exploit this vulnerability, an attacker would first have to gain access to the system. This could be achieved by tricking the recipient into opening a malicious Office document sent via email, allowing the attacker to remotely take control of the affected system.

  • [SingCERT] Alert on Vulnerability in Oracle WebLogic Server (CVE-2018-2628) 20 April 2018

    Oracle WebLogic Server (WLS) is a Java Enterprise Edition Application server by Oracle Corporation.

    On 17 April 2018, Oracle announced a critical patch update to address a Deserialization Remote Command Execution Vulnerability (CVE-2018-2628) found in its WebLogic Server, after security researchers reported the flaw.

    This vulnerability (CVE-2018-2628) has a Common Vulnerability Scoring System (CVSS) severity base score of 9.8 out of the maximum 10.