[NHDOE-ETNews] MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in Schoolwires Could Allow for Sensitive Information Disclosure - PATCH: NOW - TLP: WHITE

Freeda, Stanley Stanley.Freeda at doe.nh.gov
Wed Mar 16 14:37:18 EDT 2016


FYI.
This came out on the NHSTE Tech Coordinators listserv, but in case some of you are not on that, FYI:

TLP: WHITE
MS-ISAC CYBERSECURITY ADVISORY

MS-ISAC ADVISORY NUMBER:
2016-051

DATE(S) ISSUED:
03/16/2016

SUBJECT:
Multiple Vulnerabilities in Schoolwires Could Allow for Sensitive Information Disclosure

OVERVIEW:
Multiple vulnerabilities have been discovered in Schoolwires, which could result in sensitive information disclosure. Schoolwires is a content management system designed specifically for schools to manage web design and content. These vulnerabilities can be exploited remotely by an attacker with access to a website running Schoolwires. Successful exploitation of these vulnerabilities could allow an attacker to list all files in a user-supplied directory, download arbitrary files, obtain sensitive information of Schoolwires users, or deface the school's website.

It is worth noting that most Schoolwires installations are automatically updated as part of their default configuration settings. The MS-ISAC recommends that this setting be verified to ensure these critical updates are applied.

THREAT INTELLIGENCE:
There is evidence of these vulnerabilities being exploited in the wild.

SYSTEM AFFECTED:
All Schoolwires versions prior to 2.13 are affected.

RISK:
Government:

  *   Large and medium government entities: Medium
  *   Small government entities: Medium
Businesses:

  *   Large and medium business entities: Low
  *   Small business entities: Low
Home users: N/A

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Schoolwires. These vulnerabilities exist due to a failure to sanitize user-supplied input in the URL, which could allow exploitation by an unauthenticated remote attacker with access to an affected website.

Successful exploitation of these vulnerabilities could allow an attacker to list all files in a user-supplied directory, download arbitrary files, obtain sensitive information, disclose usernames, email addresses and additional information of Schoolwires users, or deface the school's website.
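The advisory does not describe the Schoolwires code itself; the following Python resolver is an added illustration (not the product's code) of the input handling whose absence it reports: a URL parameter that names a directory to list or a file to download is confined to a published-document tree before any filesystem access. WEB_ROOT, the sample files and the function names are constructed for this example.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed sandbox standing in for a site's document root (not a real Schoolwires path).
WEB_ROOT = tempfile.mkdtemp(prefix="site_")
os.makedirs(os.path.join(WEB_ROOT, "docs"))
with open(os.path.join(WEB_ROOT, "docs", "handbook.pdf"), "wb") as fh:
    fh.write(b"%PDF-1.4 constructed sample\n")          # a file that may be served
os.makedirs(os.path.join(WEB_ROOT, "cms"))
with open(os.path.join(WEB_ROOT, "cms", "config.ini"), "w") as fh:
    fh.write("[db]\nuser=webapp\npass=placeholder\n")    # internal file that must never be served

# Only the published-document subtree is servable; everything else under WEB_ROOT is off limits.
ALLOWED_PREFIX = os.path.join(os.path.realpath(WEB_ROOT), "docs")


def safe_resolve(user_path: str):
    """Map a URL-supplied file/directory parameter onto an allowed absolute path, or None.

    Decodes the parameter once, rejects NUL bytes and absolute paths, lets realpath()
    collapse '..' segments and symlinks, then checks the result is still inside
    ALLOWED_PREFIX. Double-encoded dots (%252e) decode to the literal text '%2e',
    which realpath() does not treat as '..', so they cannot escape either."""
    decoded = unquote(user_path)
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        return None
    candidate = os.path.realpath(os.path.join(ALLOWED_PREFIX, decoded))
    if os.path.commonpath([ALLOWED_PREFIX, candidate]) != ALLOWED_PREFIX:
        return None
    return candidate


def list_directory(user_path: str):
    """Directory listing restricted to the allowed tree; None for anything else."""
    target = safe_resolve(user_path)
    if target is None or not os.path.isdir(target):
        return None
    return sorted(os.listdir(target))


def read_file(user_path: str):
    """File download restricted to the allowed tree; None for anything else."""
    target = safe_resolve(user_path)
    if target is None or not os.path.isfile(target):
        return None
    with open(target, "rb") as fh:
        return fh.read()
```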

RECOMMENDATIONS:
We recommend the following actions be taken:

  *   Verify no unauthorized access or changes have occurred on the system.
  *   If not utilizing Schoolwires Automatic Updates, apply appropriate patches provided by Schoolwires immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
1-866-787-4722 (7x24 SOC)
Email: soc at cisecurity.org
www.cisecurity.org
Follow us @CISecurity
TLP: WHITE
Traffic Light Protocol (TLP): WHITE information may be distributed without restriction, subject to copyright controls.
http://www.us-cert.gov/tlp/


Get even more ET News on the ET News blog: http://nhoetnews.wordpress.com/
Find and Like the NH Office of Educational Technology on Facebook!

ET News is a service of the Office of Educational Technology
NH Department of Education    101 Pleasant Street    Concord, NH    03301
For more information, contact
Stan Freeda
603.271.5132    Stanley.Freeda at doe.nh.gov    www.education.nh.gov/instruction/ed_tech/    www.opennh.org    www.nheon.org

"The need to know the capital of Florida died when my phone learned the answer." ~ Anthony Chivetta, high school student in Missouri

