CERT/CC gives system admins two important recommendations
June 20, 2017
The CERT Coordination Center at Carnegie Mellon University has just put two important items on storage admins' to-do lists.
Item one: get version 5.1 of Samsung Magician, stat. The application lets users manage the company's solid-state drives, doing things like updating firmware, performing a secure erase or perusing SMART data.
The software is offered for Samsung's consumer and enterprise drives, but, in CERT's words, it “checks for and retrieves various updates over HTTP” and then “uses HTTPS to perform update operations, however it does not validate SSL certificates.” HTTPS without certificate validation gives no protection against an active attacker: any certificate, including one minted on the spot by whoever sits in the network path, is accepted.
That act of omission, the CERT says, means “An attacker on the same network as, or who can otherwise affect network traffic from, a Samsung Magician user can cause the Magician update process to execute arbitrary code with system administrator privileges.”
Item two: find the Settings dialog for Acronis True Image, because the CERT says “versions through and including 2017 build 8053 performs various update operations over unprotected HTTP channels.”
Downloaded updates are therefore “not validated beyond verifying the server-provided MD5 hash.” Because that hash travels over the same unauthenticated HTTP connection as the download, an attacker who swaps the payload can simply supply a matching hash for it; the check catches corruption, not tampering.
“The direct impact could be that an attacker on the same network as, or who can otherwise affect network traffic from, an Acronis True Image user could potentially cause the True Image update process to execute arbitrary code with system administrator privileges.”
The CERT recommends turning off True Image's auto-update feature and downloading updates manually with your browser. We'll keep you posted.
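To make both weaknesses concrete, here is an added Python example; it is not code from CERT, Samsung or Acronis, and it does no network I/O. It simulates an update fetch with an attacker in the path, shows that a server-provided MD5 accepts a swapped payload whenever the attacker recomputes the hash, contrasts that with a digest the client already trusts (an assumed mitigation here: a pinned SHA-256 obtained out of band, standing in for a properly signed update), and builds the two TLS client configurations, one that validates certificates and one that reproduces the “HTTPS but no certificate validation” pattern. The sample payloads are constructed for the example.

```python
import hashlib
import hmac
import ssl

# Constructed sample data: what the vendor meant to ship, and what an
# attacker in the network path substitutes for it.
GENUINE_UPDATE = b"genuine-update-build-5.1"
TROJANED_UPDATE = b"attacker-controlled-installer"

# Digest the client already trusts, obtained out of band (for example
# shipped inside the client release itself). This is an assumed
# mitigation for the example; the real fix is signed updates fetched
# over validated TLS.
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


def server_manifest(payload: bytes) -> dict:
    """What the update server publishes alongside the payload."""
    return {"md5": hashlib.md5(payload).hexdigest()}


def fetch_over_plain_http(attacker_in_path: bool):
    """Simulate the update fetch. Over plain HTTP, or HTTPS whose
    certificate is never validated, an on-path attacker can rewrite the
    payload and the manifest together, so the manifest is not independent
    evidence of anything."""
    payload = GENUINE_UPDATE
    manifest = server_manifest(payload)
    if attacker_in_path:
        payload = TROJANED_UPDATE
        manifest = server_manifest(payload)  # attacker recomputes the MD5 too
    return manifest, payload


def md5_matches_manifest(manifest: dict, payload: bytes) -> bool:
    """The weak check: the only validation is the server-provided MD5.
    It passes whenever the attacker bothered to recompute the hash."""
    return hmac.compare_digest(manifest["md5"], hashlib.md5(payload).hexdigest())


def matches_pinned_digest(payload: bytes, pinned_sha256: str) -> bool:
    """Stronger check: compare against a digest that did not travel over
    the same untrusted channel. Constant-time comparison avoids leaking
    how many leading characters of the digest matched."""
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), pinned_sha256)


def make_tls_context(validate_certificates: bool) -> ssl.SSLContext:
    """Build the client TLS context. The insecure branch reproduces the
    'uses HTTPS but does not validate SSL certificates' pattern."""
    ctx = ssl.create_default_context()
    if not validate_certificates:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Quick audit check: hostname checking on and a certificate required."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    manifest, payload = fetch_over_plain_http(attacker_in_path=True)
    print("server MD5 check accepts trojaned update:",
          md5_matches_manifest(manifest, payload))
    print("pinned digest check accepts trojaned update:",
          matches_pinned_digest(payload, PINNED_SHA256))
    print("default TLS context hardened:",
          tls_context_is_hardened(make_tls_context(True)))
    print("no-validation TLS context hardened:",
          tls_context_is_hardened(make_tls_context(False)))
```

The takeaway for auditing any updater is the same as CERT's: a hash or manifest is only worth checking if it arrived through a channel the attacker cannot also rewrite, which means either a validated TLS connection or a signature the client can verify with a key it already holds.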
Source: The CERT.