Enterprise Security: A Summary of Vulnerability Detection and Repair for Common Enterprise Services

Source: Internet
Author: User

1. Kernel-level vulnerabilities

Dirty COW: a race condition in the copy-on-write (COW) mechanism of the Linux kernel memory subsystem when handling memory writes allows read-only memory pages to be tampered with.

Affected: Linux kernel >= 2.6.22

Impact: a low-privileged user can use this vulnerability to write to read-only memory pages (including files that are read-only for that user on a writable file system) and escalate to root.

PoC Reference:

https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

Vulnerability Details & Fix Reference:

http://sanwen8.cn/p/53d08S6.html

http://www.freebuf.com/vuls/117331.html

Every Linux system the company uses must be patched against this vulnerability. Take web services as an example: we run the web service as a low-privileged user, but once the web application is compromised and the attacker has a shell, the exploit can be used directly to become root. Some cloud vendors have already fixed this problem in their base images, but hosts created earlier still need to be patched manually. For the specific remediation steps, refer to Changting's article.

2. Application vulnerabilities

Nginx

Nginx is one of the most common services in the enterprise, typically used as a web server or reverse proxy. On November 15, security researcher Dawid Golunski published a new Nginx vulnerability (CVE-2016-1247) that affects Debian-based distributions.

Affected versions:

Debian: Nginx 1.6.2-5+deb8u3

Ubuntu 16.04: Nginx 1.10.0-0ubuntu0.16.04.3

Ubuntu 14.04: Nginx 1.4.6-1ubuntu3.6

Ubuntu 16.10: Nginx 1.10.1-0ubuntu1.1

Vulnerability Details & Fix Reference:

https://www.seebug.org/vuldb/ssvid-92538

Exploiting this vulnerability requires an account on the host: an attacker can replace the log file with a symbolic link to an arbitrary file and thereby obtain root privileges on the server. For enterprises, if nginx is deployed on Ubuntu or Debian, check whether the distribution's package is affected and apply the patch if it is; RedHat-family distributions do not need any fix.
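The check a defender would want for the log-file weakness just described, as an added example that is not code from the article or from the nginx project: it flags log files that have been replaced by symlinks and a log directory the unprivileged worker user can write to. The uid/gid 33 (www-data on Debian) and the temporary directory built in demo() are assumptions.

```python
import os
import stat
import tempfile

# Added example, not code from the article or from the nginx project.
# Defender-side audit for the weakness behind CVE-2016-1247: a log file that
# has been swapped for a symlink, or a log directory the unprivileged worker
# user can write to (so it could plant such a link before a log rotation).
# uid/gid 33 (www-data on Debian) used in demo() is an assumption.

def audit_log_dir(log_dir, service_uid, service_gid):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    st = os.lstat(log_dir)
    if stat.S_ISLNK(st.st_mode):
        return [f"{log_dir}: log directory itself is a symlink"]
    # Can the worker user create or replace entries in the directory?
    writable = (
        (st.st_uid == service_uid and st.st_mode & stat.S_IWUSR)
        or (st.st_gid == service_gid and st.st_mode & stat.S_IWGRP)
        or (st.st_mode & stat.S_IWOTH)
    )
    if writable:
        findings.append(f"{log_dir}: writable by uid={service_uid}/gid={service_gid}")
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        fst = os.lstat(path)
        if stat.S_ISLNK(fst.st_mode):
            findings.append(f"{path}: is a symlink -> {os.readlink(path)}")
        elif stat.S_ISREG(fst.st_mode) and fst.st_uid == service_uid:
            findings.append(f"{path}: owned by service uid {service_uid}")
    return findings

def demo():
    """Constructed log directory reproducing the risky layout."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o777)  # world-writable, so the worker could unlink/relink files
    with open(os.path.join(d, "access.log"), "w") as f:
        f.write("constructed sample line\n")
    os.symlink("/etc/passwd", os.path.join(d, "error.log"))
    return audit_log_dir(d, service_uid=33, service_gid=33)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against the real log directory (for example audit_log_dir("/var/log/nginx", 33, 33)) as root; any finding means the layout that the vulnerability relies on is present.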

Tomcat

On October 1, a local privilege escalation vulnerability in Tomcat, CVE-2016-1240, was disclosed. With only a low-privileged Tomcat user, an attacker can exploit it to obtain system root permissions.

Affected versions:

Tomcat 8 <= 8.0.36-2

Tomcat 7 <= 7.0.70-2

Tomcat 6 <= 6.0.45+dfsg-1~deb8u1

Affected systems include Debian and Ubuntu; other systems that use the corresponding deb package may also be affected.

Vulnerability Details & Fix Reference:

http://www.freebuf.com/vuls/115862.html

CVE-2016-4438: the problem lies in Tomcat's deb package. Installing Tomcat from the deb package automatically installs a startup script for the administrator, /etc/init.d/tomcat*, and this script can let an attacker with a low-privileged Tomcat user gain root access to the system.

Exploiting this vulnerability requires the tomcat service to be restarted, so on business servers control login permissions and upgrade the at-risk service to avoid the problem.

Of course, many deployment problems in the enterprise also leave Tomcat exposed. After operations hands the deployed environment to the developers, if the default Tomcat folders are not deleted and the server is exposed to the public network, an attacker can obtain machine permissions by deploying a WAR package.

Glassfish

Glassfish is an open source project for building a Java EE 5 application server. It is based on the source code of the Sun Java System Application Server PE 9 provided by Sun Microsystems and the TopLink persistence code contributed by Oracle. Earlier versions have an arbitrary file read vulnerability.

Affected: Glassfish 4.0 to 4.1

Fix: upgrade to 4.11 or later

PoC Reference:

http://1.2.3.4:4848/theme/META-INF/%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./domains/domain1/config/admin-keyfile

Because the company was using Glassfish, we tested the PoC published on WooYun ("dark cloud") and confirmed the arbitrary file read on 4.0; the fix was to upgrade to version 4.11 or later.
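Detection logic for the traversal pattern the PoC above uses, as an added example that is not code from the article or from the Glassfish project: each %c0. in the PoC is an overlong two-byte UTF-8 sequence that a permissive decoder collapses to a plain '.', so the scanner percent-decodes the request path, reports any 0xC0/0xC1 lead byte (never valid UTF-8), and re-decodes the way such a decoder would to expose the ".." segments. The log lines are constructed in common log format; a real Glassfish access log uses its own format, so LOG_RE would need adjusting.

```python
import re
from urllib.parse import unquote_to_bytes

# Added example, not code from the article or from the Glassfish project.
# SAMPLE_LOG is constructed; the first line carries the PoC path from above.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = [
    '203.0.113.5 - - [15/Nov/2016:10:01:02 +0800] "GET /theme/META-INF/'
    '%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./domains/domain1/config/'
    'admin-keyfile HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Nov/2016:10:01:03 +0800] '
    '"GET /theme/default.css HTTP/1.1" 200 1024',
]

def lenient_decode(raw: bytes) -> str:
    """Mimic a permissive decoder: a 0xC0/0xC1 lead byte plus the following
    byte collapses to that byte's low 6 bits, so b'\\xc0.' becomes '.'.
    Every other byte passes through unchanged (latin-1)."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def analyze_path(path: str) -> dict:
    raw = unquote_to_bytes(path)          # single percent-decoding pass
    decoded = lenient_decode(raw)
    return {
        "overlong_utf8": any(b in (0xC0, 0xC1) for b in raw),
        "traversal": ".." in decoded.split("/"),
        "decoded": decoded,
    }

def scan_log(lines):
    """Return (client_ip, raw_path, decoded_path) for each suspicious request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        r = analyze_path(m["path"])
        if r["overlong_utf8"] or r["traversal"]:
            alerts.append((m["ip"], m["path"], r["decoded"]))
    return alerts
```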

Gitlab

Gitlab is an open source repository management system. With Git as the code management tool, more and more companies are gradually moving from SVN to Gitlab, and because it holds the company's code, data security is particularly important.

Affected versions:

Arbitrary file read vulnerability, CVE-2016-9086: GitLab CE/EE versions 8.9, 8.10, 8.11, 8.12, and 8.13

Arbitrary user authentication_token disclosure vulnerability: GitLab CE/EE versions 8.10.3-8.10.5

Vulnerability Details & Fix Reference:

http://blog.knownsec.com/2016/11/gitlab-file-read-vulnerability-cve-2016-9086-and-access-all-user-authentication-token/

Many companies' code repositories are directly reachable from the public network, sometimes for historical reasons and sometimes because the security risk was never considered. For instances already deployed on the public network, it is recommended to force Gitlab to enable two-factor authentication to prevent brute force (Google Authenticator is recommended), change the default access port, and use an ACL that only allows the specified IPs to access it.
