Over the course of this year we had plenty of good and bad news for our customers: applications, servers and services were attacked, and a number of bugs, vulnerabilities and service exploits were discovered by development and security teams.
Remember that if you own or manage a Linux server, always remove public access to these features and fix the high-risk ones.
Here we list the top 5 risky vulnerabilities of 2014:
Heartbleed Bug
In April, a serious hole in the OpenSSL software library was disclosed. The bug allowed an attacker to steal customer information that an SSL certificate was supposed to protect, if the server ran a vulnerable version.
It is important to understand that Heartbleed is not a virus, but rather a mistake written into OpenSSL, the software that encrypts communications between you, the user, and the servers of the majority of online services. The bug makes it viable for attackers to extract data from massive databases containing usernames, passwords and other sensitive and critical information.
Here is the official site of information for the heartbleed bug. And here you can scan your site for the bug.
Information about the vulnerability: CVE-2014-0160
Poodle Vulnerability
The SSL 3.0 vulnerability stems from the way blocks of data are encrypted under a specific type of encryption algorithm within the SSL protocol. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session. The decryption is done byte by byte and will generate a large number of connections between the client and server.
While SSL 3.0 is an old encryption standard and has generally been replaced by TLS, most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. Even if a client and server both support a version of TLS, the SSL/TLS protocol suite allows for protocol version negotiation (referred to as the “downgrade dance” in other reporting). The POODLE attack leverages the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSL 3.0. An attacker who can trigger a connection failure can then force the use of SSL 3.0 and attempt the new attack.
Information about the vulnerability: CVE-2014-3566 and here on ClickIT
Shellshock Vulnerability
On September 24th, a GNU Bash vulnerability, referred to as Shellshock or the “Bash Bug”, was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code under certain conditions by passing strings of code following environment variable assignments. Because of Bash’s ubiquitous status amongst Linux, BSD, and Mac OS X distributions, many computers are vulnerable to Shellshock; all unpatched Bash versions from 1.14 through 4.3 are at risk.
Information about the vulnerability: CVE-2014-6271
Xmlrpc Exploit
Pingbacks, part of the standard WordPress package, allow remote blogs to notify your site when they have linked to your content. Unfortunately, attackers have found a way to abuse this to mount a Distributed Denial of Service (DDoS) attack against other websites and servers. If you are running a version of WordPress older than 3.8.2, your website could potentially be used in a DDoS attack.
Preventing Access
To prevent access to the xmlrpc.php file, the easiest way is to edit your .htaccess. You can do this via the Plesk File Manager, or edit it locally and FTP the file back to the server. Add the following (the <Files> wrapper restricts the rule to xmlrpc.php only; without it, Deny from all in the site root would block the whole site):
# XMLRPC Pingback DDoS Prevention
<Files "xmlrpc.php">
Order Deny,Allow
Deny from all
</Files>
This will block all access to WordPress XML-RPC as soon as the file is saved.
Versions affected: WordPress older than 3.8.2.
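The Order/Deny directives above are Apache 2.2 syntax and are ignored (or rejected) on Apache 2.4, which uses Require instead. The following is an added example, not from the original post, that covers both versions in one .htaccess; it assumes the file sits in the WordPress root and that AllowOverride permits the Files and authorization directives:

```apache
# Added example: block xmlrpc.php on both Apache 2.2 and Apache 2.4
<Files "xmlrpc.php">
  <IfModule mod_authz_core.c>
    # Apache 2.4: mod_authz_core is present
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2: fall back to the classic Order/Deny form
    Order Deny,Allow
    Deny from all
  </IfModule>
</Files>
```

After saving, a request for /xmlrpc.php should return HTTP 403 while the rest of the site keeps working; if you rely on a mobile app or the Jetpack plugin that needs XML-RPC, allow only their source addresses instead of denying all.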
Drupal 7 – Vulnerability Disclosed
Back on October 15th, the Drupal team disclosed a really bad SQL injection vulnerability in Drupal and warned that unless you patched within seven hours, you’d be hacked.
This SQL injection could give an attacker all of the following and many more:
- Inject a Backdoor into Drupal’s menu_router
- Provide the attacker full shell access to the hacked site
- List all users’ passwords
- Inject a new admin user
Drupal claims a million users on its project site drupal.org, and over 30,000 developers. Many prominent sites, including the whitehouse.gov, use Drupal.
Information about the vulnerability: CVE-2014-3704
Versions affected: Drupal core 7.x versions prior to 7.32.
Remember that you must always check for the latest versions of your system and upgrade, because attackers will always find ways to exploit older versions in order to compromise vulnerable servers or systems.
To reduce the risk of being impacted by these types of vulnerabilities, you should follow the OWASP Top 10 requirements and PCI/HIPAA regulations, and keep your entire environment hardened with ClickIT.