A critical week with critical security flaws! But then again, which security issue isn’t critical? The silliest breach can open a huge window for attackers.
GOT(IT) #18. As we said, this recap of the latest IT security ‘oh-noes’ packs quite a week of urgent patches and innocent mistakes that ended up, well, revealing secret US army bases.
Cisco VPN Bug Requires Immediate Patch
Are you a Cisco Adaptive Security Appliance (ASA) user? Then patch up, because the OS for the network security device suffered a double-free vulnerability in its SSL VPN layer that could be exploited to cause a reload of the system, or to execute code remotely.
Cisco will reveal in the following days, after most systems get patched, how this exploit can be done. However, they did detail that crafted XML packets could give the attacker full control of the system.
The simplicity of this exploit won it a score of 10 out of 10 in the Common Vulnerability Scoring System (CVSS).
Strava Fitness App Accidentally Reveals Secret US bases
After a good year, the fitness tracking app Strava wanted to translate its users’ activity into a global heat map; however, the map, built from more than 3 trillion GPS data points, ended up breaching the US Army’s secrecy with quite a basic privacy leak.
The map was released last November, with data from trackers such as smartphones, Fitbit bands, and other fitness devices. What military analysts noticed was that the detail in the map’s routes had effectively traced military bases worldwide, recorded by soldiers who trained with the app without realising their activity was being shared.
In locations like Afghanistan and Syria there are few or no users who are not part of a foreign military force, so their routes and bases stand out like bright lights on an otherwise black map.
The accidental leak might set a precedent both for military forces’ use of global applications and for developers and their use of user-generated data.
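The map lit up exactly where a handful of users contributed many points. One defensive measure is to publish only grid cells with a minimum number of distinct contributors, so a loop run daily by two people is dropped even though it carries as many points as a busy park. The following is an added example, not Strava’s code; the grid size, the threshold and the coordinates are assumptions constructed for the demonstration.

```python
"""Added example (not Strava's code): suppress heat-map cells that have fewer
than MIN_USERS distinct contributors before publication, so point volume
alone can never make a sparsely used area visible."""
from collections import defaultdict

CELL_DEG = 0.01   # assumed grid cell size in degrees (about 1.1 km in latitude)
MIN_USERS = 5     # assumed threshold: publish a cell only with this many distinct users


def cell_of(lat, lon):
    """Snap a coordinate to a grid cell id using floor division on each axis."""
    return (int(lat // CELL_DEG), int(lon // CELL_DEG))


def aggregate(points):
    """points: iterable of (user_id, lat, lon).
    Returns {cell: (point_count, distinct_user_count)}."""
    per_cell = defaultdict(lambda: [0, set()])
    for user_id, lat, lon in points:
        entry = per_cell[cell_of(lat, lon)]
        entry[0] += 1
        entry[1].add(user_id)
    return {cell: (n, len(users)) for cell, (n, users) in per_cell.items()}


def publishable_cells(points, min_users=MIN_USERS):
    """Cells that pass the distinct-contributor threshold. A cell dominated by
    one or two users is dropped regardless of how many points it holds."""
    return {cell: n for cell, (n, k) in aggregate(points).items() if k >= min_users}


def sample_points():
    """Constructed sample input: a city park visited by twenty people a few
    times each, and a remote loop run thirty times by two people. Coordinates
    are made up and sit well inside their grid cells."""
    pts = []
    for u in range(20):
        for i in range(3):
            pts.append((f"city{u}", 40.7850 + i * 0.0005, -73.9750))
    for day in range(30):
        for u in ("remote_a", "remote_b"):
            pts.append((u, 33.4050 + (day % 5) * 0.0005, 64.5050))
    return pts


if __name__ == "__main__":
    pts = sample_points()
    for cell, (n, k) in sorted(aggregate(pts).items()):
        print(cell, "points:", n, "distinct users:", k)
    # Both cells hold 60 points, but only the park cell is published.
    print("published:", publishable_cells(pts))
```

Both cells end up with the same point count, which is why a threshold on raw activity would not have helped; the distinct-user count is what separates a popular park from a two-person training route.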
Flaw in Oracle MICROS puts 300,000 Payment Systems at Risk
Last but not least, Oracle’s MICROS POS vulnerability. Last year brought the huge breach that affected Sonic restaurants’ payment systems; now ERPScan has discovered a flaw in the point-of-sale payment terminals provided by Oracle.
The CVSS score for this vulnerability wasn’t low at all: an urgent 8.1! It’s certainly well-deserved, since the vulnerability allows attackers to snatch database usernames and credential hashes, and eventually gives them everything they need to brute-force their way into all business data in the POS systems.
The issue, addressed by Oracle in its January patch, affected Oracle’s EGateway Application Service. An attacker who reached the gateway’s vulnerable address could send malicious requests to, for example, read the full contents of ServiceHost.xml.
Let’s look at the bright side… Fitness tracking apps can provide free cartography! All jokes aside, and as tracking-app developers, we stress the need for transparency in data handling and privacy awareness. Something as sensitive as GPS routes shouldn’t be taken lightly.