Monday, August 29, 2016

New Method to Request CVE IDs, Updates, and More from MITRE in Effect

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about Common Vulnerabilities and Exposures (CVE), such as new compatible products, new website features, CVE in the news, etc. right to your email box. CVE is the standard for cyber security vulnerability names. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the technology community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE Identifiers in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------

CVE-Announce e-newsletter/August 29, 2016

-------------------------------------------------------

Contents:

1. New Method to Request CVE IDs, Updates, and More from MITRE in Effect

2. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:

New Method to Request CVE IDs, Updates, and More from MITRE in Effect

Beginning August 29, 2016, anyone requesting a CVE ID from MITRE, requesting an update to a CVE, providing notification about a vulnerability publication, or submitting comments will do so by submitting a “CVE Request” web form. The previous method of submitting requests via email has been discontinued.

The new web form will make it easier for requestors to know what information to include in their initial request, and will enhance MITRE's ability to respond to those requests in a timely manner. User guidance is available on the website and on the form itself. Upon completion of the form, the requestor will receive an immediate web acknowledgement that their form was submitted successfully, and an email confirmation which will include a reference number.

Organizations participating as CNAs assign CVE IDs for their own products, and contacting the relevant CNA remains the first step requesters should take when a potential vulnerability is related to a CNA product. Requesters may also contact an emergency response or vulnerability analysis team, such as CERT/CC, or post the information to mailing lists such as BugTraq or oss-security. See https://cve.mitre.org/cve/cna.html for further information.

Feedback can be submitted through the web form or through cve@mitre.org.

LINKS:

CVE ID Request web form -
https://cveform.mitre.org/

CVE Request web form guidance -
http://cve.mitre.org/about/documents.html#web_form

Request a CVE ID intro page -
https://cve.mitre.org/cve/request_id.html

CVE IDs -
https://cve.mitre.org/cve

CVE News page article -
https://cve.mitre.org/news/index.html#august292016_New_Method_to_Request_CVE_IDs_Updates_and_More_from_MITRE_in_Effect

---------------------------------------------------------------

Details/Credits + Subscribing and Unsubscribing

Managing Editor: Dan Adinolfi, Cyber Security Technical Center. Writer: Bob Roberge.

The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of the CVE Program.

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

Copyright 2016, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).

For more information about CVE, visit the CVE website at https://cve.mitre.org or send an email to cve@mitre.org.

Tuesday, August 23, 2016

Method to Request CVE IDs from MITRE Changing Soon

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about Common Vulnerabilities and Exposures (CVE), such as new compatible products, new website features, CVE in the news, etc. right to your email box. CVE is the standard for cyber security vulnerability names. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the technology community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers (IDs) to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------

CVE-Announce e-newsletter/August 23, 2016

-------------------------------------------------------

Contents:

1. IMPORTANT NOTICE: Method to Request CVE IDs from MITRE Changing Soon

2. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:

IMPORTANT NOTICE: Method to Request CVE IDs from MITRE Changing Soon

The method to request CVE IDs from MITRE will change on August 29, 2016. Using the new method, CVE ID requestors will complete a “CVE Request” web form when requesting a CVE ID from MITRE. The previous practice of submitting requests via email will be discontinued.

The new web form will make it easier for requestors to know what information to include in their initial request, and will enhance MITRE's ability to respond to those requests in a timely manner. User instructions will be available on the website and on the form itself. Upon completion of the form, the requestor will receive a confirmation message that the request was received and a reference number.

Please send any comments or concerns to cve@mitre.org.

LINKS:

Request a CVE ID -
https://cve.mitre.org/cve/request_id.html

CVE IDs -
https://cve.mitre.org/cve

CVE News page article -
https://cve.mitre.org/news/index.html#august232016_IMPORTANT_NOTICE_Method_to_Request_CVE_IDs_From_MITRE_Changing_Soon

---------------------------------------------------------------

Details/Credits + Subscribing and Unsubscribing

Managing Editor: Dan Adinolfi, Cyber Security Technical Center. Writer: Bob Roberge.

The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of the CVE Program.

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

Copyright 2016, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).

For more information about CVE, visit the CVE website at https://cve.mitre.org or send an email to cve@mitre.org.

Thursday, August 4, 2016

CVE Announce - August 4, 2016 (opt-in newsletter from the CVE Web site)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
designed to bring recent news about CVE, such as new compatible products, new website
features, CVE in the news, etc. right to your email box. Common Vulnerabilities and
Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is
approved by the CVE Editorial Board, which is comprised of leading representatives from
the cybersecurity community. CVE Numbering Authorities (CNAs) are major OS vendors,
security researchers, and research organizations that assign CVE Identifiers to newly
discovered issues without directly involving MITRE in the details of the specific
vulnerabilities, and include the CVE Identifiers in the first public disclosure of the
vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are
at the end. Please feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/August 4, 2016
-------------------------------------------------------

Contents:

1. CVE Mentioned in Article about Unpatched Vulnerabilities in Smart Lightbulbs on
ThreatPost
2. CVE Mentioned in Article about Apple Patching OS X and iOS Vulnerabilities that Could
Allow Remote Execution via Image Files on ZDNet
3. Minutes from CVE Editorial Board Teleconference Meeting on July 14 Now Available
4. CVE Mentioned in Article about High Percentage of Vulnerabilities Found Unpatched in
Industrial Control Systems (ICS) on Softpedia
5. Also in this Issue
6. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:

CVE Mentioned in Article about Unpatched Vulnerabilities in Smart Lightbulbs on
ThreatPost

CVE is mentioned in a July 26, 2016 article entitled "Unpatched Smart Lighting Flaws
Pose IoT Risk to Businesses" on ThreatPost.

The main topic of the article is that several "web-based vulnerabilities in Osram
Lightify smart lighting products remain unpatched, despite private notification to the
vendor in late May and CVEs assigned to the issues in June by CERT/CC. Researchers at
Rapid7 today publicly disclosed some of the details on each of the nine vulnerabilities
with temporary mitigation advice users can deploy until a fix is available."

CVE is mentioned when the author states: "Osram Lightify products are indoor and outdoor
lighting products that can be managed over the web or through a mobile application. The
products are used commercially and in homes, and the vulnerabilities are just the latest
to affect connected devices." "... a weak default WPA2 pre-shared key on the Pro solution
(CVE-2016-5056) is the most critical of the nine flaws. The keys use only eight
characters from a limited set of numerals and letters, making it possible to capture a
WPA2 authentication handshake and crack the PSK offline in fewer than six hours."

In addition, CERT/CC is a CVE Numbering Authority (CNA). CNAs are major OS vendors,
security researchers, and research organizations that assign CVE IDs to newly discovered
issues without directly involving MITRE in the details of the specific vulnerabilities,
and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

Visit the CVE Identifier page for CVE-2016-5056 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5056 to learn more about this
issue.

LINKS:

Threatpost article -
https://threatpost.com/unpatched-smart-lighting-flaws-pose-iot-risk-to-businesses/119479/

CVE IDs -
https://cve.mitre.org/cve

CNAs -
https://cve.mitre.org/cve/cna.html

CVE News page article -
https://cve.mitre.org/news/index.html#august022016_CVE_Mentioned_in_Article_about_Unpatched_Vulnerabilities_in_Smart_Lightbulbs_on_ThreatPost

---------------------------------------------------------------
CVE Mentioned in Article about Apple Patching OS X and iOS Vulnerabilities that Could
Allow Remote Execution via Image Files on ZDNet

CVE is mentioned in a July 22, 2016 article entitled "iOS, Mac vulnerabilities allow
remote code execution through a single image" on ZDNet. The main topic of the article is
that "Security flaws which affect both Apple iOS and Mac devices permit attackers to
grab your passwords and data, researchers claim. ... a set of five vulnerabilities, if
exploited, could lead to data theft and remote code execution -- which in its worst
state may result in device hijacking."

CVE is mentioned when the author states: "The set of bugs, CVE-2016-4631, CVE-2016-4629,
CVE-2016-4630, CVE-2016-1850, and CVE-2016-4637, are all caused by how Apple processes
image formats. Apple offers APIs as interfaces for accessing image data, and ... there are
five remote code execution flaws related to this system. The image files which place Mac
and iOS users at risk are .tiff, often used in publishing, OpenEXR, Digital Asset
Exchange file format XML files, and BMP images." "The malware avoids detection due to
the processing weaknesses, and if exploited, this leads to a heap buffer flow issue
which extends to remote code execution."

In addition, Apple is a CVE Numbering Authority (CNA), assigning CVE IDs for Apple
issues. CNAs are major OS vendors, security researchers, and research organizations that
assign CVE IDs to newly discovered issues without directly involving MITRE in the
details of the specific vulnerabilities, and include the CVE ID numbers in the first
public disclosure of the vulnerabilities.

Visit the CVE Identifier pages for CVE-2016-4631 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4631; CVE-2016-4629 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4629; CVE-2016-4630 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4630; CVE-2016-1850 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1850; and CVE-2016-4637 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4637 to learn more about these
issues.

LINKS:

ZDNet article -
http://www.zdnet.com/article/ios-mac-flaw-exposes-your-password-with-one-image-file/

CVE IDs -
https://cve.mitre.org/cve

CNAs -
https://cve.mitre.org/cve/cna.html

CVE News page article -
https://cve.mitre.org/news/index.html#august022016_CVE_Mentioned_in_Article_about_Apple_Patching_OS_X_and_iOS_Vulnerabilities_that_Could_Allow_Remote_Execution_via_Image_Files_on_ZDNet

---------------------------------------------------------------
Minutes from CVE Editorial Board Teleconference Meeting on July 14 Now Available

The CVE Editorial Board held a teleconference meeting on July 14, 2016. Read the meeting
minutes at https://cve.mitre.org/data/board/archives/2016-07/msg00005.html.

OTHER LINKS:

CVE Editorial Board -
https://cve.mitre.org/community/board/

CVE News page article -
https://cve.mitre.org/news/index.html#august022016_Minutes_from_CVE_Editorial_Board_Teleconference_Meeting_on_July_14_Now_Available

---------------------------------------------------------------
CVE Mentioned in Article about High Percentage of Vulnerabilities Found Unpatched in
Industrial Control Systems (ICS) on Softpedia

CVE is mentioned in a July 11, 2016 article entitled "92 Percent of Internet-Available
ICS Hosts Have Vulnerabilities" on Softpedia. The main topic of the article is
discussion of a July 2016 report by Kaspersky Lab that "...following an Internet-wide scan,
[Kaspersky] found 188,019 hosts connected to ICS equipment, in 170 countries around the
globe. Over 170,000 Internet-available ICS devices have vulnerabilities. Of these, 92
percent, or 172,982, contained vulnerabilities that can be exploited to attack, take
over, or even harm devices and their normal mode of operation."

CVE is mentioned when the author states: "According to Kaspersky, most of the vulnerable
devices are located in the US (57,417), followed at a long distance by Germany (26,142),
Spain (11,264), France (10,578), and Canada (5,413). Most of these devices are available
to external connections via the HTTP protocol (116,900), Telnet (29,586), Niagara Fox
(20,622), SNMP (16,752), or Modbus (16,233) ... The vulnerability encountered by far in
ICS/SCADA equipment was Sunny WebBox Hard-Coded Credentials (CVE-2015-3964), found in
11,904 devices."

Visit the CVE Identifier page for CVE-2015-3964 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3964 to learn more about this
issue.

LINKS:

Softpedia article -
http://news.softpedia.com/news/92-percent-of-internet-available-ics-hosts-have-vulnerabilities-506204.shtml

CVE IDs -
https://cve.mitre.org/cve

CVE News page article -
https://cve.mitre.org/news/index.html#july132016_CVE_Mentioned_in_Article_about_High_Percentage_of_Vulnerabilities_Found_Unpatched_in_Industrial_Control_Systems_ICS_on_Softpedia

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* CVE Mentioned in Article about Oracle's Quarterly Critical Patch Update for 276
Vulnerabilities on ADTMag

* CVE Mentioned in Article about Two Critical Windows Printer Spooler Vulnerabilities on
Threatpost

Read these stories and more news at https://cve.mitre.org/news.

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Dan Adinolfi, Cyber Security Technical Center. Writer: Bob Roberge. The
MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical
guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related
to ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the
following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the
message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".

Copyright 2016, The MITRE Corporation. CVE and the CVE logo are registered trademarks of
The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of
Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications)
at the U.S. Department of Homeland Security (www.dhs.gov).

For more information about CVE, visit the CVE website at https://cve.mitre.org or send
an email to cve@mitre.org.