Weekly IT Security News Bulletin, 2017-W40 (2 October – 8 October 2017)

Headlines

Seven vulnerabilities found in Dnsmasq

Dnsmasq is a software package commonly pre-installed in -based routers, servers and IoT devices to provide DNS, DHCP, router advertisement and network boot functions. It is also widely used for tethering on Android smartphones. The Google Security Team recently found it vulnerable to remote code execution, denial of service and information disclosure.

The Google team discovered seven vulnerabilities that can be exploited when specially crafted DNS or DHCP packets are received by systems running a vulnerable Dnsmasq. After successful exploitation, attackers could gain further access to internal networks and bypass security protections. Proof-of-concept exploit code demonstrating the flaws is publicly available.

Linux operating systems with a Dnsmasq version prior to 2.78 and Android systems with a security patch level before 1 October 2017 are affected. Common Linux distributions, including CentOS, , , Red Hat, SUSE and , have released patches fixing the flaws. Android users have to wait for patches from the corresponding device manufacturers; devices that are no longer supported may never be patched.

Advice

- Apply patches to the Linux and Android operating systems as soon as they are available.
- Replace end-of-support devices to avoid the security risk of running systems for which no patches will be released.
- Disable tethering on Android smartphones until they have been patched.
- Disable the Dnsmasq service on Linux systems if its functions are not needed.
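The two Linux-side items of the advice above (confirm the installed version is 2.78 or newer, and disable the service where it is not needed) can be checked with a short script. The script below is an added example written for this bulletin; it is not code from GovCERT.HK, Google or the Dnsmasq project. It assumes a POSIX shell, that `dnsmasq --version` prints "Dnsmasq version X.Y ..." on its first line, and that systemd manages the service under the unit name `dnsmasq`; the sample banner string used for parsing is constructed.

```sh
#!/bin/sh
# Added example for the Dnsmasq advisory; not code from GovCERT.HK or the
# Dnsmasq project. Compares the installed dnsmasq version with 2.78 (the first
# fixed release named in the bulletin) and shows how to disable the service.
# Assumptions: POSIX sh; `dnsmasq --version` prints "Dnsmasq version X.Y ..."
# on its first line; systemd manages the unit as "dnsmasq".

FIXED_MAJOR=2
FIXED_MINOR=78

# parse_version_banner BANNER_LINE -> prints the version field of a line such as
#   "Dnsmasq version 2.75  Copyright (c) 2000-2015 Simon Kelley"  (constructed sample)
parse_version_banner() {
    printf '%s\n' "$1" | awk '$1 == "Dnsmasq" && $2 == "version" { print $3; exit }'
}

# dnsmasq_is_vulnerable VERSION
#   returns 0 when VERSION is older than 2.78, 1 when it is 2.78 or newer,
#   2 when VERSION cannot be parsed (for example an empty string).
dnsmasq_is_vulnerable() {
    ver="$1"
    major=${ver%%.*}          # "2.76-5ubuntu0.1" -> "2"
    rest=${ver#*.}            # "2.76-5ubuntu0.1" -> "76-5ubuntu0.1"
    minor=${rest%%[!0-9]*}    # "76-5ubuntu0.1"   -> "76" (drops distro/rc suffixes)
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -lt "$FIXED_MAJOR" ]; then return 0; fi
    if [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -lt "$FIXED_MINOR" ]; then
        return 0
    fi
    return 1
}

# installed_dnsmasq_version -> prints the local version, fails if not installed
installed_dnsmasq_version() {
    command -v dnsmasq >/dev/null 2>&1 || return 1
    parse_version_banner "$(dnsmasq --version 2>/dev/null | head -n 1)"
}

# check_local_dnsmasq [--disable]
#   Reports the patch state of the local dnsmasq. With --disable it also stops
#   and disables the systemd unit, for hosts that do not need the service.
check_local_dnsmasq() {
    ver=$(installed_dnsmasq_version) || { echo "dnsmasq: not installed"; return 0; }
    if [ -z "$ver" ]; then
        echo "dnsmasq: installed, but its version could not be determined"
        return 0
    fi
    if dnsmasq_is_vulnerable "$ver"; then
        echo "dnsmasq $ver is older than $FIXED_MAJOR.$FIXED_MINOR: apply the vendor patch"
    else
        echo "dnsmasq $ver is $FIXED_MAJOR.$FIXED_MINOR or newer (or an unparseable build string)"
    fi
    if command -v systemctl >/dev/null 2>&1; then
        state=$(systemctl is-active dnsmasq 2>/dev/null || true)
        echo "dnsmasq systemd unit state: ${state:-unknown}"
        if [ "$1" = "--disable" ]; then
            systemctl disable --now dnsmasq   # stop now and prevent start at boot
        else
            echo "if the service is not needed here: systemctl disable --now dnsmasq"
        fi
    fi
    return 0
}

check_local_dnsmasq "$@"
```

Run it as `sh check_dnsmasq.sh` for a report, or `sh check_dnsmasq.sh --disable` (as root) on hosts where Dnsmasq is not required. The version comparison deliberately keeps only the leading `major.minor` digits, so distribution build strings such as `2.76-5ubuntu0.16.04.3` are still compared correctly; a distribution may backport the fixes without bumping the upstream version, so treat the result as a prompt to read the vendor advisory rather than as a final verdict.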

Sources: Google, Bleeping Computer, Threatpost

GovCERT.HK Weekly IT Security News Bulletin 2017-W40 1

Top mobile apps blacklisted by enterprises

A US-based mobile security company published the top 10 Android and iOS applications (apps) that are blacklisted by enterprises.

The iOS app that tops the list is WhatsApp, which is rated high-risk because it sends the phone's address book to a remote server. It is followed by Pokémon GO, which accesses a device's address book, camera and geolocation. WinZip is the third most commonly banned iOS app, since it sends SMS messages. Most blacklisted iOS apps are social networking and entertainment apps; enterprises consider their behaviour risky for fear of data leakage.

On the other hand, the blacklisted Android apps are mostly software tools: Poot, which tops the list, is used to root the Android device, and the second and third places go to AndroidSystemTheme and Where's My Droid Pro, which are also utilities. Some banned Android apps track user locations or send data unencrypted, while most even exhibit malicious behaviour and are detected as carrying malware.

Advice

- Assess the associated risks carefully when formulating enterprise mobile device policies, such as application whitelisting or Bring-Your-Own-Device (BYOD), and communicate the policies to all staff.
- Install mobile apps only from trusted sources.
- Check for unnecessary permission requests when installing or upgrading mobile apps; stop and uninstall suspicious apps.
- Install anti-malware apps on mobile devices and keep them updated.
- Avoid sending sensitive or personal information via social networking apps.

Sources: SecurityWeek, Bleeping Computer, Appthority


Product Vulnerability Notes & Security Updates

1. Apache Tomcat
   https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.23
   https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.1

2. Apple iOS and macOS
   https://support.apple.com/kb/HT208164
   https://support.apple.com/kb/HT208165
   https://www.hkcert.org/my_url/en/alert/17100401

3. CentOS
   https://lists.centos.org/pipermail/centos-announce/2017-September/022550.html
   https://lists.centos.org/pipermail/centos-announce/2017-September/022551.html
   https://lists.centos.org/pipermail/centos-announce/2017-September/022552.html
   https://lists.centos.org/pipermail/centos-announce/2017-September/022553.html
   https://lists.centos.org/pipermail/centos-announce/2017-October/022554.html
   https://lists.centos.org/pipermail/centos-announce/2017-October/022555.html

4. Cisco Products
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-anam
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-asa
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-asa1
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-cma
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-cms
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-fpsnort
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-ftd
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-ncs
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-sprk
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-ucm
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-waas
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-waas1
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-wms

5. Debian
   https://www.debian.org/security/2017/dsa-3986
   https://www.debian.org/security/2017/dsa-3987
   https://www.debian.org/security/2017/dsa-3988
   https://www.debian.org/security/2017/dsa-3989
   https://www.debian.org/security/2017/dsa-3990
   https://www.debian.org/security/2017/dsa-3991

6. F5 Traffix SDC
   https://support.f5.com/csp/article/K62178133
   https://support.f5.com/csp/article/K71796229

7. GE CIMPLICITY
   https://ics-cert.us-cert.gov/advisories/ICSA-17-278-01

8. IBM Products
   http://www-01.ibm.com/support/docview.wss?uid=swg22008547
   http://www-01.ibm.com/support/docview.wss?uid=swg22009232
   http://www-01.ibm.com/support/docview.wss?uid=swg22009253

9. Mageia
   http://advisories.mageia.org/MGASA-2017-0354.html
   http://advisories.mageia.org/MGASA-2017-0355.html
   http://advisories.mageia.org/MGASA-2017-0356.html
   http://advisories.mageia.org/MGASA-2017-0357.html
   http://advisories.mageia.org/MGASA-2017-0358.html
   http://advisories.mageia.org/MGASA-2017-0359.html
   http://advisories.mageia.org/MGASA-2017-0360.html
   http://advisories.mageia.org/MGASA-2017-0361.html

10. openSUSE
    https://lists.opensuse.org/opensuse-security-announce/2017-09/msg00084.html
    https://lists.opensuse.org/opensuse-security-announce/2017-10/msg00002.html
    https://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.html

11. Oracle Linux
    https://linux.oracle.com/errata/ELSA-2017-2836.html
    https://linux.oracle.com/errata/ELSA-2017-2838.html
    https://linux.oracle.com/errata/ELSA-2017-2840.html
    https://linux.oracle.com/errata/ELSA-2017-2860.html

12. Red Hat
    https://access.redhat.com/errata/RHSA-2017:2836
    https://access.redhat.com/errata/RHSA-2017:2837
    https://access.redhat.com/errata/RHSA-2017:2838
    https://access.redhat.com/errata/RHSA-2017:2839
    https://access.redhat.com/errata/RHSA-2017:2840
    https://access.redhat.com/errata/RHSA-2017:2841
    https://access.redhat.com/errata/RHSA-2017:2858
    https://access.redhat.com/errata/RHSA-2017:2860
    https://access.redhat.com/errata/RHSA-2017:2863

13. Siemens 7KT PAC1200 data manager
    https://ics-cert.us-cert.gov/advisories/ICSA-17-278-02

14. Slackware
    http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.375371
    http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.601472

15. SUSE
    https://www.suse.com/support/update/announcement/2017/suse-su-20172598-1/
    https://www.suse.com/support/update/announcement/2017/suse-su-20172601-1/
    https://www.suse.com/support/update/announcement/2017/suse-su-20172616-1/
    https://www.suse.com/support/update/announcement/2017/suse-su-20172617-1/
    https://www.suse.com/support/update/announcement/2017/suse-su-20172618-1/
    https://www.suse.com/support/update/announcement/2017/suse-su-20172619-1/
    https://www.suse.com/support/update/announcement/2017/suse-su-20172627-1/
    https://www.suse.com/support/update/announcement/2017/suse-su-20172628-1/
    https://www.suse.com/support/update/announcement/2017/suse-su-20172649-1/
    https://www.suse.com/support/update/announcement/2017/suse-su-20172650-1/

16. Ubuntu
    https://usn.ubuntu.com/usn/usn-3430-1/
    https://usn.ubuntu.com/usn/usn-3430-2/
    https://usn.ubuntu.com/usn/usn-3431-1/
    https://usn.ubuntu.com/usn/usn-3432-1/
    https://usn.ubuntu.com/usn/usn-3433-1/
    https://usn.ubuntu.com/usn/usn-3434-1/
    https://usn.ubuntu.com/usn/usn-3435-1/
    https://usn.ubuntu.com/usn/usn-3435-2/
    https://usn.ubuntu.com/usn/usn-3437-1/
    https://usn.ubuntu.com/usn/usn-3438-1/
    https://usn.ubuntu.com/usn/usn-3439-1/

Sources of product vulnerability information: Apache Tomcat, Apple, CentOS, Cisco, Debian, F5, HKCERT, IBM, ICS-CERT, Mageia, openSUSE, Oracle Linux, Red Hat, Slackware, SUSE, Ubuntu

Contacts: [email protected]
