Software Update Site For Hospital Respirators Found Riddled With Malware
Last Updated on Saturday, 14 July 2012 05:47 Written by Celframe Security Team Thursday, 8 November 2012 08:05
UPDATE: A Web site used to distribute software updates for a wide range of medical equipment, including ventilators, has been blocked by Google after it was found to be riddled with malware and serving up attacks. The U.S. Department of Homeland Security is looking into the compromise, Threatpost has learned.
The site belongs to San Diego-based CareFusion Inc., a hospital equipment supplier. The infected Web sites, which use a number of different domains, distribute firmware updates for a range of ventilators and respiratory products. Scans by Google’s Safe Browsing program in May and June found the sites were rife with malware. For example, about six percent of the 347 Web pages hosted at Viasyshealthcare.com, a CareFusion Web site that is used to distribute software updates for the company’s AVEA brand ventilators, were found to be infected and pushing malicious software to visitors’ systems.
The software downloaded from Viasyshealthcare.com included 48 separate Trojan horse programs and two scripting exploits, according to a review of the Google Safe Browsing report by Threatpost. Another domain, sensormedics.com, which supports CareFusion’s VELA brand ventilators, was also found to be serving “content that resulted in malicious software being downloaded and installed without user consent,” according to a June 13 scan by Google’s Safe Browsing crawler.
A CareFusion spokeswoman said the company is “looking into the matter” and has removed the software updates from its website in the meantime.
The company makes a range of hospital equipment including the Alaris-brand infusion pumps and AVEA, AirLife and LTV series ventilation and respiratory products. CareFusion employs 14,000 people worldwide and reported revenue of $2.63 billion for the first nine months of its fiscal year.
After being contacted by Threatpost on Thursday, CareFusion removed links to the infected Web sites hosting software updates for the respirators from its Product Support page. However, the company still offered links for parts and supplies for CareFusion’s 3100A High Frequency Oscillatory Ventilator (HFOV) and LTV series ventilators that were likewise infected, according to Google.
Google Safe Browsing Warning
The infections first caught the attention of Kevin Fu, a professor and security researcher at the University of Massachusetts, Amherst, who is a recognized expert in the security of medical devices. Fu discovered the infections when trying to download an update for the AVEA ventilators. Fu said the infections pose a major risk for hospitals that use CareFusion products.
“Vendors routinely install software updates for medical devices from the Internet or USB keys. I’ve seen medical sales engineers download pacemaker-related software from the Internet,” he wrote on his blog, Medical Device Security Center.
Fu notes that CareFusion advises customers to simply “click run” when the “file download security warning” dialog box appears – potentially tragic advice on a Web site that is serving up malicious programs such as Trojan horse programs.
Fu said an e-mail sent to the address “security@carefusion.com” bounced back. He reported the incident to the U.S. Federal Food and Drug Administration (FDA), but said that the agency lacks a way to track and respond to cyber security reports for medical devices. “The reports get mixed in with general adverse event reports, and incidents with known injuries or deaths usually receive more swift attention,” Fu wrote.
Little is known about the source of the infections at CareFusion. However, an analysis by the Department of Homeland Security found that some of CareFusion’s Web sites were relying on six-year-old versions of ASP.NET and Microsoft Internet Information Services (IIS) version 6.0, which was released with Windows Server 2003. Both platforms are highly susceptible to compromise. DHS is continuing to investigate the incident and may refer it to its ICS-CERT division, which focuses on threats to critical infrastructure.
It is also unclear whether the attackers knew that the compromised sites hosted software for running life-saving medical devices. Attacks that leverage legitimate Web sites are common online. Recent months have brought reports of prominent Web sites and hosting firms that were hacked and reconfigured to serve up malicious programs. In April, Google warned 20,000 Webmasters about sites that may be compromised and redirecting visitors to malicious Web sites.
Fu said the warnings from Google should give CareFusion’s many customers pause before downloading updates from the company’s Web sites.
“I find it difficult to establish trust in the safety of software affiliated with reports of ‘malicious software being downloaded and installed without user consent.’”
Critical Flaw Found In Security Pros’ Favorite: Backtrack Linux
Last Updated on Thursday, 12 April 2012 07:19 Written by Celframe Security Team Tuesday, 2 October 2012 03:08
UPDATE: A critical security flaw has been identified in the latest version of Backtrack, a popular version of Linux that is used by security professionals for penetration testing.
The previously undiscovered privilege escalation hole was disclosed in a post on the Web site of the Infosec Institute. It was discovered by a student taking part in an InfoSec Institute Ethical Hacking class, according to the post.
“The student in our ethical hacking class that found the 0day was using backtrack and decided to fuzz the program, as well as look through the source code,” wrote Jack Koziol, the Security Program Manager at the InfoSec Institute. “He found that he could overwrite config settings and gain a root shell.”
The security flaw was discovered in a Backtrack component known as the Wireless Interface Connection Daemon (or WICD). The latest version of Backtrack does a poor job “sanitizing” (or filtering) inputs to the WICD DBUS (Desktop Bus) interface – a component that allows different applications to communicate with each other. That means that attackers can push invalid configuration options to DBUS, which are then written to a WICD wireless settings configuration file. The improper settings could include scripts or executables that would be run when certain events occur – such as the user connecting to a wireless network, according to the post, whose author asked to remain anonymous.
Any scripts or executables would run with the privileges of the root user, which could lead to arbitrary code or command execution by an attacker with access to the WICD DBUS interface, the Infosec Institute warned.
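The bug class described above (unvalidated property updates from an IPC interface landing in a config file whose script-naming keys are later executed as root) is easiest to see with a small validator. The following is an added illustration, not WICD's or the InfoSec Institute's code; the key names, the INI-style layout and the sample inputs are constructed assumptions.

```python
import re

# Constructed allow-list of properties a wireless profile may carry over the bus;
# a hypothetical stand-in for the daemon's real option set.
ALLOWED_KEYS = {"essid", "bssid", "encryption", "key", "ip", "netmask", "gateway", "dns1"}
# Keys that name a script to run on a network event: these must never be
# settable by an unprivileged bus caller.
SCRIPT_KEYS = {"beforescript", "afterscript", "predisconnectscript", "postdisconnectscript"}

class InvalidSetting(ValueError):
    pass

def render_profile_vulnerable(profile):
    """Writes every (key, value) pair straight into INI-style lines, with no
    check on the key and no check that a value stays on its own line."""
    return "\n".join(f"{k} = {v}" for k, v in profile.items()) + "\n"

def validate_setting(key, value):
    """Accept a property update only if the key is on the allow-list and the
    value cannot introduce a new line (and so a new key) into the file."""
    if key in SCRIPT_KEYS or key not in ALLOWED_KEYS:
        raise InvalidSetting(f"setting {key!r} may not be set over the bus")
    if not isinstance(value, str) or re.search(r"[\r\n\x00]", value):
        raise InvalidSetting(f"value for {key!r} contains control characters")
    return key, value

def render_profile_hardened(profile):
    """Validates each pair first; any rejected pair aborts the whole write."""
    clean = dict(validate_setting(k, v) for k, v in profile.items())
    return "\n".join(f"{k} = {v}" for k, v in clean.items()) + "\n"

def profile_is_accepted(profile):
    """True if the hardened writer would persist this profile."""
    try:
        render_profile_hardened(profile)
        return True
    except InvalidSetting:
        return False

def parse_profile(text):
    """Minimal INI-style reader showing what the daemon would load back."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    return out
```

With the vulnerable writer, a single value containing a newline is enough to make an extra `afterscript` line appear when the file is read back; the hardened writer refuses both that value and any direct attempt to set a script key.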
Backtrack Linux is an open source project that is maintained by the Backtrack Community. It is widely used by security professionals for penetration testing of networks. Rather than powering laptops or servers, Backtrack is a platform for running a wide range of pen testing tools and is often loaded from an external source, such as a DVD or thumbdrive. Backtrack 5 R2 was released on March 1, 2012. The previous version, Backtrack 4, was downloaded over four million times, according to the Backtrack Web site.
However, Koziol says that the rapid evolution of the platform has also created more opportunity for attackers to break the operating system.
“It is a very popular OS for security people, and is really a great package. They do have a lot of programs installed on the OS now though, with quite a big attack surface, including the vulnerable wireless network card manager, wicd,” Koziol wrote in an e-mail.
InfoSec Institute has created a patch for the privilege escalation hole, as well as a proof of concept exploit. Both are available on the group’s Web site.
Koziol advised Backtrack users, or those using other Linux distributions that are vulnerable to the wicd 0day in a multi-user environment, to apply the InfoSec Institute patch.
“It is an open source patch, you can see exactly what is being patched, and clearly extremely low risk using our patch.”
Users who aren’t using it in a multi-user environment could wait for an official patch, which is expected shortly.
MS12-020 RDP Exploit Found, Researchers Say Code May Have Leaked From Security Vendor
Last Updated on Sunday, 18 March 2012 02:26 Written by Celframe Security Team Tuesday, 25 September 2012 11:14
There is a confirmed legitimate working exploit for the MS12-020 RDP vulnerability in Windows circulating already and researchers say it is capable of either crashing or causing a denial-of-service condition on vulnerable machines. Microsoft has warned customers about the possibility of the exploit surfacing quickly and advised them to patch the flaw immediately. The researcher who discovered the vulnerability said that the packet he included in his original advisory was found in the exploit, raising the specter of a data leak somewhere in the pipeline.
The exploit surfaced on a Chinese download site in the last couple of days and researchers have been able to confirm that it causes a blue screen of death on some systems and a DoS condition on other versions of Windows. Experts have said that the RDP bug, which was discovered by Luigi Auriemma, has the potential to be used as the basis for a large-scale worm and the existence of a working exploit is the first step down that road. The exploit will produce a BSOD on Windows 7 and a DoS on Windows XP.
The security research community was buzzing on Friday morning with the news that the exploit from the Chinese site contained an exact copy of the information Microsoft sent out to the members of its Microsoft Active Protection Program (MAPP). That program grants early access to vulnerability and patch information to a select, vetted group of security and antimalware companies, allowing them to prepare defenses for the bugs that Microsoft will patch each month. When the MAPP program began four years ago, Microsoft said that it would take precautions to guard against the possibility of a leak of that valuable information, but didn’t spell out what those measures might be.
“The amount of time between the release of a patch and the release of the exploit code [for that patch] continues to shorten and customers have been asking for information to react to this,” Mike Reavey of the Microsoft Security Response Center told Threatpost editor Ryan Naraine in 2008.
That window now appears to be as small as ever. Microsoft released its patch on Tuesday and the exploit code was found on the Chinese site that same day. MAPP members get the data on soon-to-be-patched flaws a day or more before the patches are released to the public. This month, the MAPP info went out about 24 hours before the patch release.
Microsoft officials were unavailable for comment on Friday morning.
Auriemma said that the exploit code found on the Chinese site contains the exact packet that he sent to TippingPoint’s Zero Day Initiative in his original advisory on the vulnerability. ZDI engineers typically confirm the bug, work up a protection signature for TippingPoint’s appliances and then send the data on to the affected company, in this case Microsoft.
“The packet stored in the ‘chinese’ rdpclient.exe PoC is the EXACT ONE I gave to ZDI!!! @thezdi? @microsoft? who leaked?,” Auriemma said in a message on Twitter early Friday.
In an email interview, Auriemma said he had no doubts that the code in the exploit was his and that the code leak came from Microsoft.
“The packet I gave to ZDI was unique because I modified it by hand. There are no doubts on this thing,” he said. “Microsoft is the source of the leak, probably during the distribution to MAPP partners, but I still have some doubts.”
In addition to the code from Auriemma, researchers said that there was additional information in the exploit found on the Chinese site that was only available to MAPP members. One researcher said that he was positive that there had been a leak somewhere along the chain, but wasn’t sure where it had occurred.
Auriemma said on his Web site that once he discovered that the proof-of-concept code that was available contained his packet, he decided to release his original advisory with the full information in it.
“Now that my proof-of-concept is out (yeah rdpclient.exe is the poc written by Microsoft in November 2011 using the example packet I sent to ZDI) I have decided to release my original advisory and proof-of-concept packet written the 16 May 2011,” he said.
Note: Kaspersky Lab is a member of the MAPP program, but Threatpost editors do not have access to the MAPP data provided by Microsoft.