The U.S. Department of Defense has disclosed details of four vulnerabilities in its infrastructure, two high severity rating issues and other two critical flaws.
The vulnerabilities could be exploited by threat actors to hijack a subdomain, execute arbitrary code remotely, or view files on the vulnerable system.
The vulnerabilities were reported in August and July through the Department’s bug bounty program operated via HackerOne.
One of the critical issues is a subdomain takeover due to an unclaimed Amazon S3 bucket.
The ethical hacker chron0x who reported the flaw discovered that the subdomain was referencing an Amazon S3 bucket in the US East region that did no longer exists. The hackers claimed this bucket and successfully took over the subdomain.
“This is extremely vulnerable to attacks as a malicious user could create any web page with any content and host it on the deployedmedicine.com domain.” reads the advisory. “This would allow them to post malicious content which would be mistaken for a valid site. They could:
An attacker could exploit the issue to target visitors of the website with phishing and cross-site scripting attacks.
The second critical flaw is a remote code execution on a DoD server running Apache Solr that had been left unpatched since August 2019.
The vulnerability was reported by the ethical hacker Hzllaga on August 19.
The expert discovered that the server was vulnerable to CVE-2019-0192 and CVE-2019-0193, he successfully exploited CVE-2019-0193 and successfully remotely executed arbitrary code.
One of the high-severity issues disclosed by the Department is an unpatched read-only path traversal in a Cisco product used by the agency. The issue could be exploited to access arbitrary sensitive files on the system.
The DoD quickly addressed all the vulnerabilities.
Since the DoD launched a bug bounty program on HackerOne in November 2016, it addressed a total of 9555 security issues.
(SecurityAffairs – hacking, U.S. Department of Defense)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.