Friday, September 10, 2010

Splunk releases 4.1.5 to address SPL-31061 and SPL-31094

Splunk 4.1.5 addresses XXE and CSRF issues

Splunk was really cool to coordinate with by being responsive, communicative, and open.  I was really impressed with their professionalism.

About the bugs:

1.  XXE

XXE bugs are fun.  For a good example of how XXE bugs work, I'd point at the following advisory by Chris Evans:


Note that in Chris Evans's bug the XXE existed on the client side, so the attacker could read the client's local files.  In the Splunk case the XXE occurs on the server side, so the external entity can point at any resource accessible to the Splunk process itself.  (Steal files off the server.)
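To make the server-side case concrete, here is an added example (my code, not Splunk's and not from the original advisory): a hypothetical Splunk-like endpoint built on Python's stdlib xml.sax.  The vulnerable version turns on external general entity resolution, and a constructed attacker payload makes the server read a file from its own filesystem and echo the contents back as element text.  The hardened version leaves external entities off and refuses any DOCTYPE, which removes the only place an entity can be declared.  The element name, the "secret" file and its contents are all constructed for the demo.

```python
"""Server-side XXE: a hypothetical Splunk-like endpoint parsing an
attacker-supplied XML body (constructed demo, not Splunk's code)."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class TextCollector(ContentHandler):
    """Gathers character data, i.e. whatever the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class RejectDTD:
    """Lexical handler that turns any DOCTYPE into a hard error.  Without a
    DTD there is nowhere to declare an entity, external or internal."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed: %r" % name)

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def xxe_payload(system_id):
    """Attacker-controlled request body.  The SYSTEM identifier is resolved
    by the *server*, so it names something the server process can reach."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE search [<!ENTITY xxe SYSTEM "%s">]>\n'
        '<search>&xxe;</search>' % system_id
    ).encode()


def parse_vulnerable(body):
    """Expands external general entities: the bug class discussed above."""
    parser = xml.sax.make_parser()
    # Recent Python versions leave this off by default; the bug is turning it on.
    parser.setFeature(feature_external_ges, True)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return "".join(collector.parts)


def parse_hardened(body):
    """Same endpoint with external entities off and DTDs refused outright."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, RejectDTD())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return "".join(collector.parts)


def demo():
    """Plants a constructed 'secret' file standing in for a server-side
    config, then feeds the same payload to both parsers.  Returns
    (text the vulnerable parser leaked, whether the hardened one refused)."""
    with tempfile.TemporaryDirectory() as workdir:
        secret_path = os.path.join(workdir, "passwd")   # hypothetical target
        with open(secret_path, "w") as fh:
            fh.write("s3cr3t-token")                    # constructed sample content
        body = xxe_payload("file://" + secret_path)     # classic file:///... form
        leaked = parse_vulnerable(body)
        try:
            parse_hardened(body)
            refused = False
        except ValueError:
            refused = True
    return leaked, refused


if __name__ == "__main__":
    leaked, refused = demo()
    print("vulnerable parser returned:", leaked)
    print("hardened parser refused DOCTYPE:", refused)
```

Running demo() shows the vulnerable parser returning the planted file contents while the hardened parser raises on the DOCTYPE before any entity is touched.  Refusing the DTD is the right fix rather than blocklisting file://, because the same SYSTEM identifier can just as well be a URL to some other resource the server can reach.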

2.  CSRF (because it feels dirty to use Fortify's term "JavaScript Hijacking")

Certain requests returned JavaScript containing the Splunk session key.  Because the browser attaches the victim's Splunk cookies even when a third-party page loads that URL through a <script src> tag, an attacker could include the script in a malicious page and have the user's session key delivered to attacker-controlled code.

Their advisory is available at: 

Wednesday, September 8, 2010

Apple fixes CVE-2010-1810 in iOS 4.1

Apple's description from http://support.apple.com/kb/HT4334 :

FaceTime
CVE-ID:  CVE-2010-1810
Available for:  iOS 2.0 through 4.0.2 for iPhone 3G and later, iOS 2.1 through 4.0.2 for iPod touch (2nd generation) and later
Impact:  An attacker in a privileged network position may be able to redirect FaceTime calls
Description:  An issue in the handling of invalid certificates may allow an attacker in a privileged network position to redirect FaceTime calls. This issue is addressed through improved handling of certificates. Credit to Aaron Sigel of vtty.com for reporting this issue.

The difference between redirecting a FaceTime call and fully man-in-the-middling it is gigantic, but redirection still leaves room for certain attacks.  As a side note, I wonder if those guys from packetstan.com are planning on issuing any retractions of their FaceTime analysis.