Search the Community

Two critical bugs in the commonly used Apache ActiveMQ open source messaging and Integration Patterns server are leaving businesses open to denial-of-service (DoS) and brute force cyber attacks. Researchers at MWR InfoSecurity Labs reported identifying the bugs, warning they affect Apache ActiveMQ versions 5.0.0 to 5.10.0 and Apache ActiveMQ Apollo versions 1.0 to 1.7. The flaws reportedly stem from the way Apache ActiveMQ performs Lightweight Directory Access Protocol (LDAP) authentication. "A vulnerability was identified in ActiveMQ in the way it handles content-based subscriptions, which allows an adversary to trigger processing of XML external entities (XXE)," read the advisory. "Apache ActiveMQ Apollo, which is another MQ implementation built for reliability and performance and originally based on ActiveMQ, was also found to be affected by this vulnerability." The researchers added the flaws are dangerous as they could be exploited for a variety of purposes. "In order to successfully exploit this vulnerability, an attacker has to act on behalf of both a publisher and a consumer," read the advisory. "An attacker who is able to push and pull from a message queue can use this flaw to perform DTD-based DoS attacks, server-side request forgery or read local files, accessible to the user running the MQ broker, from the server." It is currently unclear whether hackers are actively exploiting the flaw. MWE InfoSecurity had not responded to V3's request for comment at the time of publishing. The flaw is dangerous as Apache ActiveMQ is a commonly used open source message broker service. Written in Java, Apache ActiveMQ is designed to facilitate communications between multiple clients or servers. The news follows the discovery of several critical flaws affecting other commonly used open source tools and services. Researchers reported uncovering the notorious Heartbleed flaw in April 2014. Heartbleed is a flaw in the OpenSSL implementation of the Transport Layer Security protocol used by open source web servers such as Apache and Nginx, which host around 66 percent of all sites. In a recent interview with V3, Maarten Ectors, Canonical's vice president of next-generation networks and proximity cloud, argued the nature of open source software development means further Heartbleed-level flaws will be discovered in the very near future. Source

Amnesia strikes as hacker discloses remote code exec flaws Domestic router Daddy D-Link is patching dangerous remote access flaws in several models of its networking gear. The patches follow a round of zero-day disclosures by Canadian researcher Peter Adkins early this week, after D-Link allegedly cut communication while he quietly disclosed the flaws. The most severe flaw allowed attackers to hijack the devices including changing DNS settings by creating malicious sites which exploit cross-site request forgeries. D-Link issued an advisory in which it warns DIR models 626L; 636L; 808L; 810L; 820L; 826L; 830, and 836L are open to remote code execution. D-Link says attackers can upload and run files without authentication from the LAN-side of the device or over the internet if the "external connections" box was taken off default and ticked. "A second vulnerability reportedly relates to the device’s ping utility that might permit command injection without authentication," the company says of Adkin's work. "A third vulnerability reportedly may exploit certain chipset utilities in firmware to potentially permit a malicious user an attack disclosing information about the devices configuration." Adkins told El Reg ,many of the security failings in home routers could be put down to expansive feature sets. "The platforms the devices are build upon may be solid - such as OpenWRT - but then additional services are 'bolted in' to provide value-add, and that security seems to go straight out of the window," Adkin says. Other routers may be affected due to the location of ncc and ncc2 binaries Fellow router hackers Stefan Viehböck and Jeremy Richards found further flaws in five TRENDnet offerings since patched, plus another D-Link mess. Adkins reports contact between D-Link and himself ceased around February 23 when D-Link, after confirming receipt of the vulnerability reports on 11 January, said they had no knowledge of the holes and directed him to the company security reporting guide. The company recommends users run encrypted wireless to prevent the low chance that passing hackers would break into the networks. Only the DIR-820L was patched. Source