Hong Kong Universities: Anybody home doing IT security?

Post date: Mar 23, 2013 5:47:13 PM

Basic Vulnerability Disclosure for ALL Hong Kong Universities:

I am now going to disclose some level-0 but very serious vulnerabilities among universities. It is free.

There is a 2-year window between vulnerability and fix for them, as with CVE-2010-0425. What the hell are those IT security administrators and managers doing? Playing Facebook at the office, or Candy Crush?

It comes to the most exciting moment.

Congratulations to the following universities!

  • HKUST (Apache 2.2.6)
  • HKIET (Apache 2.2.14)
  • OUHK (Apache/1.3.26 (Unix) mod_jk/1.1.0 mod_ssl/2.8.9 OpenSSL/0.9.6b)
  • HKSYU (Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 PHP/5.3.16)

Finding:

The above four universities (except OUHK) are vulnerable to:

- CVE-2010-0425 (which allows remote execution of arbitrary code)

http://www.cvedetails.com/cve/CVE-2010-0425/

The above four universities are vulnerable to:

- CVE-2011-3192 (which allows denial of service)

http://www.cvedetails.com/cve/CVE-2011-3192

Please check the following figures:

Vulnerability Rewards:

The laziest university is: OUHK:

Apache 1.3.26 is still deployed - It is understandable as I feel doubtful whether they have any security team. It is a real classic! Dinosaur-version of Apache!

The most advanced university but with vulnerable server: HKUST

It is a really interesting finding: they have ITSC, a security team, an incident response team and the expertise to investigate the latest incident against the US companies (btw, they have not discovered that their network has been abused for two years to attack others). However, they do not even update the Apache web server. It is real fun, man.

To be frank, it is unforgivable.

Vulnerable OpenSSL reward given to: HKSYU

The same as OUHK, I feel doubtful whether they have resources.

http://www.cvedetails.com/vulnerability-list/vendor_id-217/product_id-383/version_id-46690/Openssl-Openssl-0.9.8e.html

* Remarks: HKBU (Not confirmed, you are lucky but it doesn't mean you are not in the party ;-))

Final quote for those universities:

"We disclose because we care; You didn't work it out because you are a dumb." - Darkfloyd, VXRL