Advisories & Alerts

  • [SingCERT] Alert on Critical Microsoft Vulnerabilities CVE-2018-8174 & CVE-2018-8120 10 May 2018

    Microsoft has released multiple security patches to address vulnerabilities affecting its Operating System and other products, including two zero-days that have been observed to be actively exploited.

    The first, CVE-2018-8174, is a critical Remote Code Execution (RCE) vulnerability, also dubbed "Double Kill". It is a use-after-free flaw: memory is accessed after it has been freed. The issue resides in the way the VBScript Engine (included in all currently supported versions of Windows) handles objects in memory, corrupting memory in such a way that an attacker could execute arbitrary code in the context of the current user. This flaw allows an attacker to remotely take control of an affected system. The exploit could be delivered through malicious Office documents or links in emails that force the URL contents to be loaded in Internet Explorer.

    The second, CVE-2018-8120, is a privilege-escalation flaw in the Win32k component of Windows, which fails to properly handle objects in memory. To exploit this vulnerability, an attacker would first have to gain access to the system. This could be achieved by tricking the recipient into opening malicious Office documents sent via email, allowing an attacker to remotely take control of an affected system.

  • [SingCERT] Alert on Vulnerability in Oracle WebLogic Server (CVE-2018-2628) 20 April 2018

    Oracle WebLogic Server (WLS) is a Java Enterprise Edition Application server by Oracle Corporation.

    On 17 April 2018, Oracle announced a critical patch update to address a Deserialization Remote Command Execution Vulnerability (CVE-2018-2628) found in its WebLogic Server, after security researchers reported the flaw.

    This vulnerability (CVE-2018-2628) has a Common Vulnerability Scoring System (CVSS) severity base score of 9.8 out of the maximum 10.

  • [SingCERT] Technical Advisory for Network Administrators to Guard Against Recent Network Malicious Activities 20 April 2018

    US-CERT has released an advisory (TA18-106A) with regard to threat actors targeting Network Infrastructure Devices. The advisory contains mitigation strategies for various stakeholders to identify and reduce their exposure to malicious activities.

    Threat actors can exploit network equipment without the need for zero-day vulnerabilities or the need to install malware on the device. They take advantage of the vulnerabilities in devices that:
    • have legacy unencrypted protocols or unauthenticated services,
    • are insufficiently hardened before installation, and
    • are no longer supported with security patches by manufacturers or vendors (end-of-life devices).

  • [SingCERT] Alert on Microsoft Information Disclosure Vulnerability (CVE-2018-0950) 13 April 2018

    Object Linking & Embedding (OLE) is a technology developed by Microsoft for its Windows Operating System to allow contents to be embedded and linked to documents and other objects. On 10 April 2018, a vulnerability analyst from the United States’ Computer Emergency Response Team/Coordination Center (CERT/CC) reported the discovery of an information disclosure vulnerability when Microsoft Office renders Rich Text Format (RTF) email messages containing OLE objects.

  • [SingCERT] Advisory on Critical Microsoft Graphics Component Vulnerabilities 13 April 2018

    Microsoft has announced the release of several security patches to address vulnerabilities affecting its Operating System and other products. Five of these vulnerabilities, rated critical, in the Windows Graphics Component (CVE-2018-1010, CVE-2018-1012, CVE-2018-1013, CVE-2018-1015, CVE-2018-1016) could allow an attacker to compromise a user's computer by tricking the user into visiting a malicious website. These vulnerabilities exist due to improper handling of specially crafted embedded fonts by the Windows font library. Exploiting them requires no special privileges or user interaction, and could give an attacker full control of the system, including the ability to create new user accounts or even achieve Remote Code Execution (RCE).

    An attacker can exploit these issues by tricking an unsuspecting user into opening a specially crafted malicious file sent through email, or into visiting a website hosting the malicious font by clicking a link in an email or an instant message. These files or links, if opened by the user, would execute arbitrary code on the user's system and hand over control of the affected system to the attacker.

  • [SingCERT] Advisory on Distrust of Symantec-issued Certificates 09 April 2018

    A Secure Socket Layer (SSL) certificate binds the website owner's details to a cryptographic key and is used as proof of trust for secure communication between a browser and a web server. Certificates are issued by Certificate Authorities (CAs), and Symantec was previously one such CA that issued certificates to verify a digital entity's identity on the Internet [1].

    Two major browsers, Google Chrome and Mozilla Firefox, announced last year that they would gradually distrust these certificates, as Symantec had failed to comply with the industry standards set by the Certification Authority Browser Forum. Symantec certificates issued before 1 June 2016 will be distrusted from Chrome 66 and Firefox 60 onwards. Chrome 66 and Firefox 60 are scheduled for release on 17 April 2018 and 9 May 2018 respectively.

  • [SingCERT] Alert on Cyber Attacks Leveraging Cisco Critical Vulnerabilities (CVE-2018-0171) 08 April 2018

    On 8 April, it was reported that there had been cyber attacks on Cisco equipment, causing network outages in several countries including the US, Russia and Iran. The attacks exploited the CVE-2018-0171 Cisco Smart Install vulnerability, which has a Common Vulnerability Scoring System (CVSS) severity base score of 9.8 out of 10.

    A remote attacker could exploit this vulnerability by sending a crafted message to unpatched Cisco equipment on TCP port 4786. This would trigger a reload of affected devices, resulting in a denial of service (DoS) condition, or the execution of arbitrary code on affected devices.

    The Cisco Smart Install feature provides zero-touch deployment for new equipment, similar to a "plug-and-play" model. It allows a customer to deploy the network device to any location and install it into a network for immediate use without additional configuration required.

  • [SingCERT] Alert on Microsoft Malware Protection Engine Critical Vulnerability (CVE-2018-0986) 06 April 2018

    Microsoft Malware Protection Engine (MMPE) is a component used in Microsoft Anti-Malware products to automatically scan all incoming files.

    On 3 April 2018, Microsoft released an out-of-band security update to address a critical security vulnerability (CVE-2018-0986) in MMPE that allows an attacker to perform remote code execution.

    An attacker can exploit this vulnerability through several methods, such as sending a specially crafted malicious file as an email attachment or sharing it over instant messaging. The vulnerable MMPE scans this malicious file, leading to memory corruption and allowing the attacker to execute arbitrary code on the system.

  • [SingCERT] Alert on Debian Beep Package Local Privilege Escalation Vulnerability (CVE-2018-0492) 06 April 2018

    Debian's beep package is a command-line tool that causes the PC speaker to emit a beep, for example when an error occurs, for troubleshooting purposes. It is estimated that approximately 130 million users have this package installed on their computers.

    On 4 April 2018, a security researcher disclosed a vulnerability (CVE-2018-0492) in Debian beep packages that allows local privilege escalation. This vulnerability allows an attacker to gain unauthorised elevated access to system configuration files and perform other malicious activities.

  • [SingCERT] Alert on Drupal Critical Vulnerability (CVE-2018-7600) 03 April 2018

    Drupal is a content management software that is used by numerous companies around the world to create content and host websites. There are over one million sites using Drupal including popular websites such as NBC, Fox, The Economist, Twitter, and Pinterest.

    On 28 March 2018, Drupal announced a highly critical vulnerability, CVE-2018-7600, in its software that leads to remote code execution. This vulnerability potentially allows attackers to exploit multiple attack vectors, which could result in the site being completely compromised.