OpenSSL Multiple Vulnerabilities (Feb 10, 2017)

/in /by

OpenSSL is a widely-used software library in applications that need to secure communications over computer networks against eavesdropping or need to ascertain the identity of the party at the other end. It contains an open-source implementation of the SSL and TLS protocols. OpenSSL is available for most Unix and Unix-like operating systems (including Solaris, Linux, macOS, QNX, and the various open-source BSD operating systems), OpenVMS and Microsoft Windows.

Multiple vulnerabilities have been discovered in OpenSSL library. An advisory has been released by the vendor here. Among them CVE-2017-3731 is an integer underflow vulnerability leading to an out of bounds read of truncated packet, usually resulting in a crash. CVE-2017-3730 is a NULL pointer dereference vulnerability of bad parameters for a DHE or ECDHE key exchange from malicious server.

The vendor has patched the vulnerabilities. For OpenSSL 1.1.0, please upgrade to 1.1.0d. For Openssl 1.0.2, please upgrade to update to 1.0.2k.

SonicWall threat team has researched these vulnerabilities and released the following IPS signatures to protect their customers:

  • IPS:12606 OpenSSL ChaCha20-Poly1305 and RC4-MD5 Integer Underflow 1
  • IPS:12607 OpenSSL ChaCha20-Poly1305 and RC4-MD5 Integer Underflow 2
  • IPS:12608 OpenSSL DHE and ECDHE Parameters NULL Pointer Dereference 1
  • IPS:12609 OpenSSL DHE and ECDHE Parameters NULL Pointer Dereference 2

Announcing New and Enhanced SonicWall Email Security 9.0 with Capture ATP to Detect Zero-Day

/0 Comments/in /by

Ransomware attacks in 2016 grew by 167x year-over-year to 638 million. As today’s malware and ransomware pose ever evolving malicious, zero-day threats, organizations need to defend their network’s beyond their perimeters. SonicWall introduces a powerful defense: the new SonicWall Email Security 9.0 integrates with our award-winning Capture Advanced Threat Protection (ATP) Service. This unique combination delivers a cloud-based, multi-engine sandbox that not only inspects email traffic for suspicious code, but also blocks ransomware, zero-day and other malicious files from entering the network until a verdict is reached. This release is available in cool new SonicWALL hardware appliances, virtual appliances and Hosted Email Security service.

In his blog our President and CEO Bill Conner, highlighting SonicWall’s 2017 Annual Threat Report, points out that email is a highly vulnerable attack vector for cyber criminals. Employees fall victim all too often to ransomware, phishing and unknown threats. The enhanced SonicWall Email 9.0 with Capture cloud-based sandboxing technology detects these advanced threats. It scans a range of email attachment types, analyzes them in a multi-engine sandbox, blocks them until reviewed by an administrator, and rapidly deploys remediation signatures. Signatures for newly discovered malware are quickly generated and automatically distributed across the SonicWall GRID Threat Network, preventing further infiltration by the malware threat. We offer organizations a choice of administrative options ranging from removing an offending email attachment to blocking an entire message. The result is higher security effectiveness and faster response times.

Innovative features of SonicWall Email Security 9.0 include:

  • Advanced Threat Protection: Integrates Capture cloud-based sandboxing technology for detection of zero-day threats such as ransomware, for fine-grained inspection of SMTP traffic
  • Next-generation Email Protection: Incorporates anti-spam, anti-virus and anti-spoofing functionalities to not only detect and prevent spam and other unwanted email, but also scan email messages and attachments for ransomware, Trojan horses, worms and other types of malicious content.
  • Improved Office 365 Support: Enhances security for multi-tenant environments by providing a method for ensured, mapped delivery of emails for SonicWall Hosted Email Security environments
  • Updated Line of Appliances: Refreshes SonicWall’s line of Email Security hardware appliances, helping customers to better face threats delivered by email.
  • Encryption Protection: Supports not only SMTP Authentication, but also the encryption service feature enables any email containing protected data to be automatically encrypted, routed for approval or archived.
  • Policy and Compliance Management: Enables an administrator to enact policies that filter messages and their contents as they enter or exit the organization. This allows organizations to meet regulatory requirements based on government legislation, industry standards or corporate governance activities.

“As a loyal SonicWall channel partner, we at Napa Valley Networks were thrilled to see SonicWall resume operations as a standalone cybersecurity company and go back to its roots of driving a deeper focus on technological innovation,” said Julie Neely, founding partner of Napa Valley Networks. “SonicWall Email Security 9.0 with Capture Advanced Threat Protection Service is a clear demonstration of the company’s continued commitment to better serving its channel partners.”

“With the continued onslaught of ransomware, malware and other cyber-attacks, our customers are looking to us to provide them with solutions that allow them to spend more time conducting day-to-day business while staying abreast of the threat landscape. SonicWall allows our engineers, and most importantly our customers, to sleep at night! At Sterling Computers, our mission is to help government and education customers get the most out of their tech infrastructure,” said Steve Van Ginkel, Sterling Computers’ vice president of Business Development & Partner Alliances.

“KHIPU Networks Limited have been using the SonicWALL Email Security software/appliance for over 10 years,” said Andrew Brimson, Managing Director, KHIPU Networks Ltd. “Email Security has been instrumental in protecting our business interests from threats and attacks as well as protection against data leakage. We have found the SonicWALL Email Security software easy to configure, good for reporting and tailorable to our changing requirements.”

Learn more and download the SonicWall Email Security 9.0 data sheet and see all of the enhancements.

View Datasheet

SonicWall Annual Threat Report Reveals the State of the Cybersecurity Arms Race

/0 Comments/in /by

In the war against cyber crime, no one gets to avoid battle. That’s why it’s crucial that each of us is proactive in understanding the innovation and advancements being made on both sides of the cybersecurity arms race. To that end, today we introduced the 2017 SonicWall Annual Threat Report, offering clients, businesses, cybersecurity peers and industry media and analysts a detailed overview of the state of the cybersecurity landscape.

To map out the cybersecurity battlefield, we studied data gathered by the SonicWall Global Response Intelligence Defense (GRID) Threat Network throughout the year. Our findings supported what we already knew to be true – that 2016 was a highly innovative and successful year for both security teams and cyber criminals.

Security Industry Advances

Security teams claimed a solid share of victories in 2016. For the first time in years, our SonicWall GRID Threat Network detected a decline in the volume of unique malware samples and the number of malware attack attempts.  Unique samples collected in 2016 fell to 60 million compared with 64 million in 2015, whereas total attack attempts dropped to 7.87 billion from 8.19 billion in 2015. This is a strong indication that many security industry initiatives are helping protect companies from malicious breaches.  Below are some of the other areas where progress is clearly being made.

Decline of POS Malware Variants

Cybersecurity teams leveraged new technology and procedural improvements to gain important ground throughout the year. If you were one of the unlucky victims of the point-of-sale (POS) system attack crisis that shook the retail industry in 2014, you’ll be happy to learn that POS malware has waned enormously as a result of heightened security measures. The SonicWall GRID Threat Network saw the number of new POS malware variants decrease by 88 percent since 2015 and 93 percent since 2014. The primary difference between today’s security procedures and those that were common in 2014 is the addition of chip-and-PIN and chip-and-signature technology particularly in the United States, which undoubtedly played a big role in the positive shift.

Growth of SSL/TLS-Encrypted Traffic

The SonicWall GRID Threat Network observed that 62 percent of web traffic was Secure Sockets Layer/Transport Layer Security (SSL/TLS) encrypted in 2016, making consumers and businesses safer in terms of data privacy and integrity while on the web. This is a trend we expect to continue in 2017, based on Google’s announcement that it has a long-term plan to begin marking HTTP traffic in its Chrome browser as “not secure.” NSS Labs estimates that 75 percent of web interactions will be HTTPS by 2019.

Decline of Dominant Exploit Kits

We also saw the disappearance of major exploit kits Angler, Nuclear and Neutrino after cybersecurity investigations exposed the likely authors, leading to a series of arrests by local and international law enforcement agencies. The SonicWall GRID Threat Network observed some smaller exploit kits trying to rise to fill the void. By the third quarter of 2016, runner-up Rig had evolved into three versions employing a variety of obfuscation techniques. The blow that dominant exploit kit families experienced earlier in 2016 is a significant win for the security industry.

Cyber Criminal Advances

As with any arms race, advances made by the good guys are often offset by advances made by the bad guys. This is why it’s critical for companies to not become complacent and remain alert to new threats and learn how to counterattack. Below are some of the areas where cyber criminals showed their ability to innovate and exploit new ways to launch attacks.

Explosive Growth in Ransomware

Perhaps the area where cyber criminals advanced the most was in the deployment of ransomware. According the SonicWall GRID Threat Network, ransomware attacks grew 167 times since 2015, from 3.8 million in 2015 to 638 million in 2016. The reason for this increase was likely a perfect storm of factors, including the rise of ransomware-as-a-service (RaaS) and mainstream access to Bitcoin. Another reason might simply be that as cybersecurity teams made it difficult for cyber criminals to make money in other ways, they had to look for a new paycheck.

Exploited Vulnerabilities in SSL/TLS Encryption

While the growth of SSL/TLS encryption is overall a positive trend, we can’t forget that it also offers criminals a prime way to sneak malware through company firewalls, a vulnerability that was exploited 72 percent more often in 2016 than in 2015, according to NSS Labs. The reason this security measure can become an attack vector is that most companies still do not have the right infrastructure in place to perform deep packet inspection (DPI) in order to detect malware hidden inside of SSL/TLS-encrypted web sessions. Companies must protect their networks against this hidden threat by upgrading to next-generation firewalls (NGFWs) that can inspect SSL/TLS traffic without creating performance issues.

IoT Became a New Threat Network

Many people who enjoy using Reddit, Netflix, Twitter or Spotify experienced another of our top threat trends firsthand. In October 2016, cyber criminals turned a massive number of compromised IoT devices into a botnet called Mirai that they then leveraged to mount multiple record-setting distributed denial-of-service (DDoS) attacks. The SonicWall GRID Threat Network found that at the height of the Mirai botnet usage in November 2016, the United States was by far the most targeted, with 70 percent of DDoS attacks aimed at the region, followed by Brazil (14 percent) and India (10 percent). The root cause leading to the Mirai attacks was unquestionably the lax security standards rampant in IoT device manufacturing today. Specifically, these devices do not prompt their owners to change their passwords, which makes them uncommonly vulnerable.

Combatting the New Cyber Threats

It’s worth noting that the technology already exists today to solve many of the new challenges cyber criminals threw at victims in 2016.  SSL/TLS traffic can be inspected for encrypted malware by NGFWs with high-performance SSL/TLS DPI capabilities.  For any type of new advanced threat like ransomware, it’s important to understand that traditional sandboxing solutions will only detect potential threats, but not prevent them. In order to prevent potential breaches, any network sandbox should block traffic until it reaches a verdict before it passes potential malware through to its intended target.  SonicWall’s family of NGFWs with SSL/DPI inspection coupled with the SonicWall Capture multi-engine cloud sandbox service is one approach to provide real-time breach prevention for new threats that emerge in the cybersecurity arms race.

If you’re reading this blog, you’re already taking an important first step toward prevention, as knowledge has always been one of the greatest weapons in the cybersecurity arms race. Take that knowledge and share it by training every team member in your organization on security best practices for email and online usage. Implement the technology you need to protect your network. And most importantly, stay up-to-date on the latest threats and cybersecurity innovations shaping the landscape. If you know where your enemy has been, you have a much better shot of guessing where he’s going.

DOWNLOAD 2017 SONICWALL THREAT REPORT

RSA Conference 2017: Prevent Breaches, Stop Ransomware and Block IoT Hacks with SonicWall

/0 Comments/in /by

The 2017 RSA Conference opens at Moscone Center in San Francisco next week, February 13-17. One of the biggest cybersecurity events of the year, the conference allows thousands of industry professionals to interact with leading security experts to learn about the latest threats, strategies and techniques to combat increasingly more devastating cyber-attacks. As a gold sponsor, SonicWall will demonstrate cutting-edge security solutions that enable our customers to stay ahead of cybercriminals in the continually evolving cyber arms race. We will talk about the advances that both the cybersecurity industry and the cybercriminal organizations have made over the past year, as outlined in our 2017 Annual Threat Report. In the SonicWall booth #N3911, we will also demo solutions to prevent breaches, stop phishing attacks, block ransomware, uncover SSL encrypted threats and identify compromised IoT devices.

SonicWall’s presentations, demos and experts at the conference will empower you and your organization’s networks to overcome numerous crimes targeting weak spots in your network. You will definitely want to see a demo of our award-winning multi-engine sandbox, SonicWall Capture ATP, which scans network traffic to prevent zero-day and advanced threats. We will show how we can block unknown files until Capture reaches a verdict, which is made possible by a highly effective multi-engine sandbox. Near real-time verdicts are rendered by our highly efficient GRID cloud threat network. Our next-gen firewalls also detect malware using SSL or TLS encryption to cloak malicious behavior, C&C communication and exfiltration.

Because email is a constant target for attacks we will have a kiosk introducing our revolutionary technology for email security. SonicWall’s Email Security solutions allow you to deploy a next-gen solution for protecting email files, stop phishing and block ransomware. Talk to our experts and learn how you can block spoofed email and attacks with our hosted service for SMB or via our on premise enterprise email security solutions. We will be making an exciting announcement, be sure to stop by and find out!

Today’s ever-growing number of connected devices by mobile workers and vendors requires organizations to rethink their needs for IoT security. SonicWall’s access security and network segmentation delivers the right level of access to your mobile workers and reduces the threat surface. Right network segmentation is required for critical business apps and data to ensure better protection. With our Secure Mobile Access solutions, you can define granular access policies, enforce multi-factor authentication and monitor all activities for compliance.

Our goal is to help our customers stay protected and ahead of today’s, ever-changing cyber-attacks. Start your journey at booth N3911 on Monday night with the welcome reception and experience first-hand how SonicWall next-gen firewalls, access security and email security offer the power to be competitive and fearless. Tune in via Twitter #RSAC and follow @SonicWall. If you want a head start, you can play with our security solutions online by visiting our Live Demo site. You can get a Free Expo Pass: https://www.rsaconference.com/events/us17/register with the following code: XS7DELL.

LIVE DEMO

Exertis and SonicWall Pave the Way for KCSiE Guidance and Safer Internet Day

/0 Comments/in /by

Note: This is a guest blog by Dominic Ryles, Marketing Manager at Exertis Enterprise, SonicWall’s leading distributor in the United Kingdom. Exertis is committed to providing a range of channel focused services designed to enhance your current technical knowledge and expertise in the areas of IT Security, Unified Communications, Integrated Networks and Specialist Software.

The Internet is forever changing education. Opening up a world of opportunities and transforming how students learn. New technologies inspire children and young people to be creative, communicate and learn, but the Internet has a dark side, making them vulnerable with the potential to expose themselves to danger, knowingly or unknowingly.

On the 5th September 2016, the UK Government through the Department of Education (DfE) updated the Keeping Children Safe in Education (KCSiE) guidelines to include a dedicated section for online safety. This means that every school and college will need to consider and review its safeguarding policies and procedures, focusing particularly on how they protect students online. The guidance calls for effective online safeguarding mechanisms with a mandatory requirement for all schools and colleges to have an appropriate filtering and monitoring systems in place, striking a balance between safeguarding and ‘overblocking,’ and being conscious not to create unreasonable restrictions on the use of technology as part of the education process.

When we think of ‘inappropriate material’ on the internet we often think of pornographic images, or even access to illegal sites to download movies and music,  but due to the widespread access to social media and other available platforms, the Internet has become a darker place since it first opened its doors back in 1969. Physical danger from divulging too much personal information, illegal activity such as identity theft and participation in hate or cult websites can lead to cyber bullying, and radicalisation in the modern day school, thus making children and young people vulnerable.

Earlier this year, Exertis, in conjunction with SonicWall, set out on a mission to raise awareness of KCSiE through a series of online and offline activities to the channel. We first put together our comprehensive ‘Appropriate Web Filtering and Monitoring for Schools and Colleges’ guide, which to date has received an overwhelming response from our partner base. The guide provides our reseller partners with all the information they need to understand the statutory changes, and how the SonicWall and Fastvue security solutions can enable educational establishments to become compliant. Towards the latter part of 2016, we registered to support Safer Internet Day (SID) 2017, a day dedicated to raising awareness of online safety for children and young people. Already in its sixth year, Safer Internet Day is run by the UK Safer Internet Centre, a combination of three leading UK organisations: SWGfL, Childnet International and Internet Watch Foundation with one mission – to promote the safe and responsible use of technology for young people. It will be the first year both companies have supported Safer Internet Day and we have been busy raising awareness in our local community. We approached two schools; St Margaret Ward Catholic Academy and The Co-Operative Academy and commissioned them to produce a large canvas painting with the topic ‘What does the internet mean to you?’ Students and teachers from both schools will come together to create two canvas paintings depicting the good and the bad of the internet from their perspective. We have given the schools 4-weeks to complete the art project and will be revisiting both schools on Safer Internet Day, 7th February to meet with the students and teachers behind the project, provide a talk around e-Safety, and with it, hope to raise awareness of children and young becoming safe on the Internet.

About Safer Internet Centre.

The UK Safer Internet Centre are a partnership of three leading organisations: SWGfL, Childnet International and Internet Watch Foundation with one mission – to promote the safe and responsible use of technology for young people. The partnership was appointed by the European Commission as the Safer Internet Centre for the UK in January 2011 and last year reached 2.8 million children. To find out more. Please visit – https://www.saferinternet.org.uk/

About Exertis (UK) Ltd.

Exertis is one of Europe’s largest and fastest growing technology distribution and specialist service providers. We partner with 360 global technology brands and over 28,850 resellers, e-commerce operators and retailers across Europe. Our scale and knowledge, combined with our experience across the technology sector, enables us to continue innovate and deliver market leading services for our partners. To find out more, please visit our website – http://www.exertis.co.uk/

Rig Exploit Kit via EiTest delivers buggy CryptoShield Ransomware (Feb 3rd, 2017)

/in /by

The Sonicwall Threats Research team have received reports of ransomware known as CryptoShield that is being distributed through compromised websites using the Rig Exploit Kit. The copy of the ransomware that we obtained comes with a twist. Instead of encrypting files and offering their recovery after a ransom is paid it accidentally deletes them due to a bug.

Infection Cycle:

The Trojan has the following hardcoded IP address for the C&C server:

    45.76.81.110

The Trojan attempts to report the infection to the C&C server with a unique user ID. The server was not operating as desired by the operators at the time of writing:

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Windows SmartScreen %APPDATA%MicroSoftWareSmartScreenSmartScreen.exe

The Trojan adds the following files to the system:

  • %APPDATA%MicroSoftWareSmartScreenSmartScreen.exe
  • {shared drives}Stop Ransomware Decrypts Tools.exe [Detected as GAV: CryptoShield.A (Trojan)]

It will then traverse all directories looking for files of predefined filetypes to encrypt. Due to not being able to communicate as expected with the C&C server the “encryption” process results in the files being deleted. The following 2 files are dropped in the directories containing the “encrypted” files:

      "# RESTORING FILES #.HTML"
      "# RESTORING FILES #.TXT"

The files contain the following data which are presented on-screen by the Trojan. It contains instructions for file retrieval which of course will not work for deleted files:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: CryptoShield.A (Trojan)

Simple Tips for Network Sanity: Patch Tuesday, Exploit Wednesday and Uninstall Thursday

/0 Comments/in /by

Today I’d like to talk a little bit about our partnership with Microsoft and patch management. In a previous life I was a network/sysadmin. A brief description of that role was “If it has a blinking light on it, I am responsible for it,” which meant on most days I felt like I was living in the middle of a sci-fi movie, surrounded by demanding technology.

When you live in a hair-on-fire environment like that, keeping up with Microsoft patches can be painful. You can set them to automatically download and install and you should be good, that is unless the patch breaks something or even worse – it breaks everything.

When you have business-critical applications that are legacy or just plain old, patching can break them. If that app in question is the bread and butter of the business, patching can bring down the entire company. On the other hand, not patching for known vulnerabilities can be just as bad, if not worse.

There is an old saying: Patch Tuesday, Exploit Wednesday, and Uninstall Thursday.  Microsoft normally releases patches on the second Tuesday of the month, so Exploit Wednesday is when the cyber criminals have analyzed the details from Tuesday and deliver code to exploit the systems that haven’t been updated. Uninstall Thursday is the day you finally figure out that it was the Tuesday patch that broke your mission-critical system and you need to uninstall it to get things back to normal.

To say it is a Catch-22 would be an understatement. How do you stop the insanity? We, SonicWall, have partnered with Microsoft in a program call MAPP. Microsoft gives us  advance knowledge of what will be patched prior to Tuesday so that we have signatures in place to protect our customers who just can’t patch on Tuesday.

Should you patch on Tuesday? Yes, you should absolutely patch on Tuesday or any other day Microsoft releases a patch. But if there are times you just can’t, we can help protect you until you can. Assisting with patches is one of the many little things we have been doing quietly in the background for years that most people are unaware of. Now you know we have you covered when you are stuck in this Catch-22. The biggest take away is that you should patch. I can’t stress that enough: patch, patch, patch! But if you can’t, know that we are already behind the scenes, helping to keep your network safe.

Visit SonicWall GRID Threat Network for MAPP bulletins.

For the Security Advisories for MAPP, you can click here.

Sandbox Security; Nothing to Play With

/0 Comments/in /by

Ransomware has forced organizations to rethink their security architecture.  Organizations are increasingly investing in security solutions that provide additional protection of sensitive data, as well as better visibility over network traffic and endpoint activity. According to IDC research, 60% of organizations surveyed indicated that modern endpoint and network security products such as network sandboxes were either a high priority or an extremely high priority over the next 12 months.

Network sandboxes are isolated environments where suspicious code can be examined and detonated to see what unidentified code wants to do on a potential system.  Over the past few years, sandboxing has become an integral part of the network security game plan but hackers have identified ways of evading detection which is something to consider in the evaluation process. In the video below, IDC’s Sean Pike, program vice president of IDC Security Products,  discusses network sandboxing and gives you key questions to ask when looking at this part of the network security equation.

Cisco WebEx URL Remote Command Execution vulnerability (Jan 24, 2017)

/in /by

As disclosed here Cisco’s WebEX plugin for chrome browser allows Remote Command Execution when the URL contains the magic pattern “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html”.
This “magic” pattern is used by the WebEx service to remotely start a meeting.This allows the attacker to execute malicious commands remotely.

Here the magic pattern is embedded in an iframe.

The exploit has the code to open the calculator application.

SonicWALL Threat Research Team has researched this vulnerability and released following signature to protect their customers.

  • IPS 12588:Cisco WebEx URL Remote Command Execution

Critical Vulnerabilities Reported on Samsung SmartCam (Jan 27, 2017)

/in /by

The SmartCam, originally developed by Samsung Techwin, is a security camera with cloud service support. It’s a popular IoT device that can monitor your house or baby.

In 8/14/2016, a remote code execution vulnerability was discovered on the SmartCam by PentestPartners, allowing remote attackers to get a root shell. Also several other vulnerabilities were reported, such as resetting the admin password, and insecure network communications.

Several months later in 1/17/2017, another batch of vulnerabilities was reported by exploitee.rs, all of which are critical vulnerability that could lead to total compromise of the device, as well as the users’ privacy.

All 3 vulnerabilities are caused by the insecure implementations of the PHP code in the firmware, which provides support for the camera’s web UI. An attacker can exploit those vulnerabilities by sending certain crafted HTTP requests. The exploitee.rs has provided the details:

The class_admin_privatekey.php Password Reset

The vulnerability allows the administrator password be changed without knowing the original. The vulnerability is triggered in the file /work/www/htdocs/classes/class_admin_privatekey.php in firmware “1.17_140507”, due to a logic error.

As is shown above, the code only checked if the POST parameter is “NEW” (creating new password during setup), but hasn’t check if the password has already been set.

To exploit this vulnerability, send the following request to the camera:

curl ‘http:///classes/class_admin_privatekey.php’ –data ‘data=NEW%3B

The iWatch install.php Remote Root Command Execution

This vulnerability allows remote command execution as the root user. In /mnt/custom/iwatch/web/install.php:

As is shown in the code above, the $tmpdir contains the path for temporary file upload, and will be passed to the system() function for execution. However, this variable is controllable by the user provided filename and not well-filtered. For example, the following filename could open a shell on port 9998:

;{busybox,telnetd,{echo,-l${HOME}bin${HOME}sh},-p9998};#1.bin

Wireless Network WEP Key Command Injection

In the procedures of setting a WEP Wifi Network, the “Password” field will be passed for commandline execution. That allows a privilege escalation after an attacker get access to the web UI.

SonicWALL Threat Research Team has released the following signatures to protect the customers.

  • IPS 12581: Samsung SmartCam iWatch install.php Remote Root Command Execution
  • IPS 12580: Samsung SmartCam Password Reset Vulnerability

References:

[1] https://www.exploitee.rs/index.php/Samsung_SmartCam%E2%80%8B#iWatch_install.php_Remote_Root_Command_Execution

[2] http://www.freebuf.com/vuls/125448.html