Welcome back to this week's Security Bulletins!
Cisco has published a set of guides on performing forensic analysis of its devices. The four documents cover ASA, Firepower, IOS and IOS XE in detail, and describe how to collect forensic evidence from a device suspected of having been tampered with or compromised: reviewing log files, verifying the integrity of the running firmware against known-good hash values, and capturing memory dumps for later analysis.
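The firmware integrity check described above, as an added example in Python (this is not code from Cisco's guides): each exported image is streamed through a hash function and the digest is compared against a vendor-style manifest. The file name `cat9k_iosxe.bin`, the image bytes and the manifest are all constructed for the example; on a real device the image is exported from flash and the expected digests are copied from the vendor's published hash list for that exact release.

```python
import hashlib
import hmac
import io
from typing import Dict, Tuple

# Constructed sample "images" standing in for files exported from a device.
# The tampered copy differs from the known-good one by a single byte.
KNOWN_GOOD_IMAGE = b"constructed IOS XE image bytes\n" * 4096
TAMPERED_IMAGE = KNOWN_GOOD_IMAGE[:1000] + b"X" + KNOWN_GOOD_IMAGE[1001:]


def hash_stream(stream, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file-like object, read in chunks so that multi-hundred-MB
    images are never loaded into memory at once."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithm)


# Manifest shaped like a vendor hash list: file name -> (algorithm, expected hex digest).
# Computed here from the constructed sample; in practice the values come from the
# vendor's published list for the exact release, never from the device under examination.
MANIFEST: Dict[str, Tuple[str, str]] = {
    "cat9k_iosxe.bin": ("sha256", hash_bytes(KNOWN_GOOD_IMAGE)),
}


def verify(files: Dict[str, bytes], manifest: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Compare every exported file against the manifest.

    Verdicts: 'ok', 'MISMATCH' (digest differs), 'UNKNOWN' (file not listed in the
    manifest, which on a device is itself worth a closer look) and 'MISSING'
    (manifest entry with no corresponding file).
    """
    verdicts: Dict[str, str] = {}
    for name, data in files.items():
        if name not in manifest:
            verdicts[name] = "UNKNOWN"
            continue
        algorithm, expected = manifest[name]
        actual = hash_bytes(data, algorithm)
        # compare_digest keeps the comparison independent of where the digests first differ.
        verdicts[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    for name in manifest:
        verdicts.setdefault(name, "MISSING")
    return verdicts


if __name__ == "__main__":
    for label, image in (("known-good", KNOWN_GOOD_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(label, verify({"cat9k_iosxe.bin": image}, MANIFEST))
```

The point of the `UNKNOWN` and `MISSING` verdicts is that an intruder who replaces or adds an image is as interesting as one who patches it in place; a check that only reports mismatches would miss both cases.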
Earlier we covered CyLab's article on the risks of submitting confidential documents to public sandbox sites for analysis. The SANS ISC InfoSec Forums have now posted a similar analysis. Reviewing VirusTotal submissions that contain IP addresses, they found private addresses in the 192.168.x.x and 10.x.x.x ranges in samples that turned out to be administrative scripts rather than malware. Uploading such files to a public service exposes the internal layout of the organisation's network to anyone with access to the submissions.
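The triage the ISC post describes can be automated before anything is uploaded. The following Python script is an added example (not the ISC's own tooling): it pulls IPv4 address candidates out of a file, validates them, and reports any that fall in the RFC 1918 private ranges. It goes slightly beyond the post by also covering 172.16.0.0/12, which is just as internal as the two ranges the post names. The sample script it scans is constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# RFC 1918 private ranges. The ISC post mentions 10/8 and 192.168/16; 172.16/12 is added here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Four dot-separated groups of 1-3 digits; validation below rejects octets above 255.
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample modelled on the kind of admin script the post describes.
SAMPLE_SCRIPT = """\
#!/bin/sh
# nightly backup job (constructed sample)
DB_HOST=10.20.30.40
BACKUP_SERVER=192.168.5.12
scp /var/backups/db.sql admin@${BACKUP_SERVER}:/srv/backups/
curl -s http://172.16.8.9:8080/health
ping -c 1 8.8.8.8
echo "agent 4.9.13 deployed to 300.1.2.3"
"""


def is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


def scan(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Return {'rfc1918': [(line, addr), ...], 'other': [...]} for every valid IPv4
    address in text, deduplicated by address in order of first appearance."""
    result: Dict[str, List[Tuple[int, str]]] = {"rfc1918": [], "other": []}
    seen = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in IPV4_CANDIDATE.finditer(line):
            try:
                ip = ipaddress.IPv4Address(match.group())
            except ipaddress.AddressValueError:
                continue  # e.g. 300.1.2.3 looks like an address but is not one
            if ip in seen:
                continue
            seen.add(ip)
            bucket = "rfc1918" if is_rfc1918(ip) else "other"
            result[bucket].append((lineno, str(ip)))
    return result


if __name__ == "__main__":
    report = scan(SAMPLE_SCRIPT)
    for lineno, addr in report["rfc1918"]:
        print(f"line {lineno}: internal address {addr} would be exposed by a public submission")
```

Version strings such as `4.9.13` never match because the pattern requires four octets, and `300.1.2.3` is dropped by the `ipaddress` validation rather than by the regex, which keeps the pattern simple. A hit in the `rfc1918` bucket is the signal that a file should be redacted or analysed in a private sandbox instead.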
Samba has released security patches for a vulnerability that allows an attacker to escape from a share's root directory. Although serious, it is only exploitable when particular configuration options are enabled. According to the Samba announcement, it is reproducible if "the 'wide links' option is explicitly set to 'yes' and either 'Unix extensions = no' or 'allow insecure wide links = yes' is set in addition." All Samba versions from 4.9.0 onwards are reported to be affected, and the fixed versions 4.9.13, 4.10.8 and 4.11.0rc3 have been published as security releases.
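The advisory's condition translates directly into a configuration check. The Python script below is an added example (not part of Samba): it parses an smb.conf, resolves each share's effective settings ('wide links' can be set per share or inherited from [global]; 'unix extensions' and 'allow insecure wide links' are global options) and lists the shares that match the advisory's condition. Both embedded configurations are constructed samples, one vulnerable and one with Samba's safe defaults restored.

```python
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^\[(.+?)\]$")

# Constructed sample: the "data" share matches the advisory's vulnerable combination.
VULNERABLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    unix extensions = no
    allow insecure wide links = yes

[homes]
    browseable = no

[data]
    path = /srv/data
    wide links = yes
"""

# Constructed sample: same shares with the defaults restored (wide links off, unix extensions on).
HARDENED_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    unix extensions = yes
    allow insecure wide links = no

[homes]
    browseable = no

[data]
    path = /srv/data
    wide links = no
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers, 'key = value' lines, '#'/';' comment lines.
    Keys are lower-cased and whitespace-normalised, as Samba treats them case-insensitively."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def as_bool(value: str, default: bool) -> bool:
    """Samba boolean syntax: yes/no, true/false, 1/0, on/off."""
    v = value.strip().lower()
    if v in ("yes", "true", "1", "on"):
        return True
    if v in ("no", "false", "0", "off"):
        return False
    return default


def vulnerable_shares(text: str) -> List[str]:
    """Shares matching the advisory: wide links = yes and
    (unix extensions = no or allow insecure wide links = yes)."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    unix_ext = as_bool(g.get("unix extensions", "yes"), True)            # Samba default: yes
    insecure = as_bool(g.get("allow insecure wide links", "no"), False)  # Samba default: no
    if unix_ext and not insecure:
        return []  # the advisory's condition cannot hold for any share
    flagged = []
    for name, opts in conf.items():
        if name == "global":
            continue
        wide = opts.get("wide links", g.get("wide links", "no"))          # Samba default: no
        if as_bool(wide, False):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("vulnerable:", vulnerable_shares(VULNERABLE_SMB_CONF))
    print("hardened:  ", vulnerable_shares(HARDENED_SMB_CONF))
```

The shape of the condition reflects Samba's own safeguard: with 'unix extensions = yes', Samba refuses to honour 'wide links = yes' unless the administrator also sets 'allow insecure wide links = yes', so a share is only exposed when one of those two global settings has been changed from its default. The quickest remediation is therefore to remove 'wide links = yes' from the affected shares until the fixed release is installed.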
A few months after patching the critical RCE vulnerability that affected much of the hosting industry, Exim is back in the news with another vulnerability that allows a local or remote attacker to execute commands as root. It affects all Exim versions up to and including 4.92.1. Exim later clarified that the flaw lies in the TLS handshake, specifically in the handling of the Server Name Indication (SNI) extension, which a client uses to tell the server which hostname it wants to connect to. A server is only vulnerable if it accepts TLS connections, but both the GnuTLS and the OpenSSL builds are affected. No exploitation in the wild is currently known; Exim has released version 4.92.2 with a fix, and all users are advised to upgrade.
DNS over HTTPS (DoH) has been gaining traction over the past year. Mozilla has announced an important change: starting this September, Firefox will enable DoH by default for users in the US, with a gradual rollout to other regions to follow; the change is aimed primarily at home users. DNS queries are normally sent to the ISP's resolver in the clear; with DoH enabled, Firefox sends them to Cloudflare's resolver inside an encrypted HTTPS connection, so they cannot be read or altered in transit. Firefox has been working on DoH since 2017.
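To make the mechanism concrete, here is an added Python example (not Mozilla's or Cloudflare's code) that builds a DNS query exactly as a DoH client sends it: the ordinary DNS wire-format message, base64url-encoded into the `dns=` parameter of an HTTPS GET, or carried unchanged as the body of a POST, as RFC 8484 specifies. Nothing is sent on the network; the resolver URL is Cloudflare's public DoH endpoint and is assumed for the example. A decoder and question parser are included so the round trip can be checked offline.

```python
import base64
import struct
from typing import Dict, Tuple

# Assumed for the example: Cloudflare's public DoH endpoint.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"
DNS_MESSAGE = "application/dns-message"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035) for `name`; qtype 1 = A record.
    The ID field is 0, as RFC 8484 recommends so that identical queries are cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id, flags (RD set), qd, an, ns, ar
    labels = []
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        labels.append(bytes([len(raw)]) + raw)
    question = b"".join(labels) + b"\x00" + struct.pack("!HH", qtype, 1)  # qclass 1 = IN
    return header + question


def doh_get_url(name: str, qtype: int = 1, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: the message goes in the URL, base64url-encoded without padding."""
    param = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={param}"


def doh_post_request(name: str, qtype: int = 1, endpoint: str = DOH_ENDPOINT) -> Tuple[str, Dict[str, str], bytes]:
    """POST form: the raw message is the request body."""
    headers = {"content-type": DNS_MESSAGE, "accept": DNS_MESSAGE}
    return endpoint, headers, build_query(name, qtype)


def decode_dns_param(param: str) -> bytes:
    """Reverse of the GET encoding: restore the padding base64url dropped."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_question(wire: bytes) -> Tuple[str, int]:
    """Return (name, qtype) of the first question in a wire-format message."""
    pos, labels = 12, []
    while True:
        n = wire[pos]
        pos += 1
        if n == 0:
            break
        labels.append(wire[pos:pos + n].decode("ascii"))
        pos += n
    qtype, _qclass = struct.unpack("!HH", wire[pos:pos + 4])
    return ".".join(labels), qtype


if __name__ == "__main__":
    print(doh_get_url("example.com"))
    url, headers, body = doh_post_request("example.com")
    print(url, headers, body.hex())
```

Everything after the scheme in that GET request, including the queried name, is inside the TLS session; an on-path observer sees only a connection to the resolver's hostname. That is the whole difference from classic UDP port 53, where the same 29 bytes travel in the clear.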