U.S. Department of Defense Discloses Critical And High Severity Bugs
The U.S. Department of Defense has disclosed today details about four security vulnerabilities on its infrastructure. Two of them have a high severity rating while the other two received a critical score.
The flaws were reported in August and July. They could allow attackers to hijack a subdomain, execute arbitrary code remotely, or view files on the affected machine.
Unclaimed bucket, unpatched server
All issues were reported through the Department’s vulnerability disclosure program on the HackerOne bug bounty platform by distinct ethical hackers.
One of the critical vulnerabilities is a subdomain takeover caused by an unclaimed Amazon S3 bucket. Ethical hacker chron0x, who found the issue, says it could be exploited to host malicious content on a legitimate domain.
Visitors of the website could then be targeted with phishing and cross-site scripting attacks. The flaw would also allow an attacker to bypass domain security and to steal sensitive user data.
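As an added defender-side example (not from the article, the researcher or the DoD program), here is a small audit script for the root cause described above: it reads a zone-file export, picks out CNAME records that point at Amazon S3 endpoints, and reports those whose target bucket no longer exists, which is exactly the dangling state an unclaimed bucket leaves behind. The zone contents and the example.com hostnames are constructed placeholders, and the default probe needs network access (a replacement probe can be passed in for offline use).

```python
import re
import urllib.error
import urllib.request

# Matches S3 REST and static-website endpoints such as
# "bucket.s3.amazonaws.com", "bucket.s3.us-west-2.amazonaws.com"
# and "bucket.s3-website-us-east-1.amazonaws.com".
S3_TARGET = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+?)\.s3(?:[.-]website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)

# Constructed sample zone export; these are placeholder names, not real records.
ZONE = """\
www.example.com.       IN CNAME  web-prod.example.net.
assets.example.com.    IN CNAME  assets-bucket.s3.amazonaws.com.
old-site.example.com.  IN CNAME  old-site.s3-website-us-east-1.amazonaws.com.
"""

def parse_cnames(zone_text):
    """Return {owner: target} for every CNAME line in a zone-file export."""
    cnames = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, tokenize
        if "CNAME" in fields:
            cnames[fields[0].rstrip(".").lower()] = fields[-1].rstrip(".").lower()
    return cnames

def http_probe(host):
    """Fetch the site root over HTTP; S3 answers a request for a bucket that
    does not exist with an HTTP 404 whose XML body carries the code NoSuchBucket."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=5) as resp:
            return resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read(4096).decode("utf-8", "replace")
    except OSError as err:  # DNS failure, timeout, refused connection
        return f"ERROR {err}"

def find_dangling_s3(zone_text, probe=http_probe):
    """Return [(owner, bucket)] for CNAMEs that resolve to an S3 bucket nobody
    currently owns; each such name is a takeover candidate to fix or remove."""
    findings = []
    for owner, target in parse_cnames(zone_text).items():
        match = S3_TARGET.match(target)
        if match and "NoSuchBucket" in probe(owner):
            findings.append((owner, match.group("bucket")))
    return findings
```

Run `find_dangling_s3(ZONE)` against a real export of your own zone; every hit should either have its bucket re-created under your account or its CNAME deleted.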
The second bug with a critical severity rating was reported by Hzllaga on August 19. It is a remote code execution vulnerability on a DoD server running Apache Solr that had been left unpatched since August 2019.
The server was vulnerable to CVE-2019-0192 and CVE-2019-0193, but only the latter was enough for the hacker to get a shell on the server. Exploit code for both of them is available.
High-severity bugs
Another flaw stemming from unpatched software, discovered by IT security analyst Dan (a U.S. Navy and Coast Guard veteran), is a read-only path traversal that could have given an attacker access to arbitrary sensitive files on the system. It affects a Cisco product and is described in detail here.
The second high-severity bug, less severe but an obvious risk nonetheless, is a code injection on a DoD host that may lead to arbitrary code execution, according to the report from e3xpl0it, a penetration tester at cybersecurity company Positive Technologies.
Although the nature of the bugs is no secret for the DoD, some information has been redacted in the bug reports.
In all cases, the DoD was quick to validate and fix the reported problems. According to statistics from the HackerOne platform, the Department takes about eight hours on average to triage reports and handles every one of them.
Since the DoD started its vulnerability disclosure program on HackerOne in November 2016, it has addressed 9,555 security issues. An interesting detail is that the Department dealt with more than a third of them in the past three months.