ID CVE-2020-27130 Type cve Reporter cve@mitre.org Modified 2020-11-30T19:09:00
Description
A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of directory traversal character sequences within requests to an affected device. An attacker could exploit this vulnerability by sending a crafted request to the affected device. A successful exploit could allow the attacker to download arbitrary files from the affected device.
{"id": "CVE-2020-27130", "bulletinFamily": "NVD", "title": "CVE-2020-27130", "description": "A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of directory traversal character sequences within requests to an affected device. An attacker could exploit this vulnerability by sending a crafted request to the affected device. A successful exploit could allow the attacker to download arbitrary files from the affected device.", "published": "2020-11-17T04:15:00", "modified": "2020-11-30T19:09:00", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27130", "reporter": "cve@mitre.org", "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-path-trav-NgeRnqgR"], "cvelist": ["CVE-2020-27130"], "type": "cve", "lastseen": "2020-12-09T22:03:11", "edition": 4, "viewCount": 41, "enchantments": {"dependencies": {"references": [{"type": "cisco", "idList": ["CISCO-SA-CSM-PATH-TRAV-NGERNQGR"]}, {"type": "nessus", "idList": ["CISCO-SA-CSM-PATH-TRAV-NGERNQGR.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:F499FA7121782ED3385983D16DC7D743", "THREATPOST:278458B8B7AD1BAD24FB2C2C5F0B1441", "THREATPOST:A9437435DAA03AED786FCFF49E8C8E15", "THREATPOST:8A5B77A578DFAA9ED756B8B13294B030", "THREATPOST:ED28E58EE0A6B2DB315B73298AD3C34A", "THREATPOST:09B5423D2CCF69E5E3DC9409EB575216"]}], "modified": "2020-12-09T22:03:11", "rev": 2}, "score": {"value": 4.9, "vector": "NONE", "modified": "2020-12-09T22:03:11", "rev": 2}, "twitter": {"counter": 1, "posts": ["Cisco Security Manager Path Traversal Vulnerability [CVE-2020-27130]"], "modified": "2020-12-09T22:03:11"}, "vulnersScore": 4.9}, "cpe": ["cpe:/a:cisco:security_manager:4.21"], "affectedSoftware": [{"cpeName": "cisco:security_manager", "name": "cisco security manager", "operator": "le", "version": "4.21"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:cisco:security_manager:4.21:*:*:*:*:*:*:*", "versionEndIncluding": "4.21", "vulnerable": true}], "operator": "OR"}]}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2}, "cpe23": ["cpe:2.3:a:cisco:security_manager:4.21:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"], "scheme": null}
{"threatpost": [{"lastseen": "2020-11-24T13:50:42", "bulletinFamily": "info", "cvelist": ["CVE-2020-27130"], "description": "Researchers have demonstrated for the third time how hacking into the key fob of a Tesla can allow someone to access and steal the car in minutes. The new attack again shows a security vulnerability in the keyless entry system of one of the most expensive electric vehicles (EVs) on the market.\n\nResearchers from the Computer Security and Industrial Cryptography (COIC), an [Imec](<https://www.imec-int.com/en>) research group at the University of Leuven in Belgium, have \u201cdiscovered major security flaws\u201d in the key fob of the Tesla Model X, the small device that allows someone to automatically unlock the car by approaching the vehicle or pressing a button.\n\nThe research team includes PhD student Lennert Wouters, who already has demonstrated two attacks on the [keyless entry technology](<https://www.esat.kuleuven.be/cosic/news/hackers-could-steal-a-tesla-model-s-by-cloning-its-key-fob-again/>) of the Tesla Model S that succeeded in unlocking and starting vehicles. Tesla sells some of the most state-of-the-art EVs available, ranging in cost from about $40,000 for the most basic models to more than $100,000 for a top-of-the-line Tesla Model X. \n[](<https://threatpost.com/newsletter-sign/>)The key fob for the Model X key uses Bluetooth Low Energy (BLE) to interface with a smartphone app to allow for keyless entry, which is where the vulnerabilities lie, researchers said in a [press release published online](<https://www.imec-int.com/en/press/belgian-security-researchers-ku-leuven-and-imec-demonstrate-serious-flaws-tesla-model-x>) about the hack. Indeed, the use of BLE is becoming more \u201cprevalent\u201d in key fobs so that the devices can communicate with people\u2019s smartphones, researchers noted.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/11/24075337/Tesla_Model-X_key_fob_sm.jpg>)The team detailed the two-stage proof-of-concept attack they staged using a self-made device built from widely available and fairly inexpensive equipment: a Raspberry Pi computer that they purchased for $35 accompanied by a $30 CAN shield; a modified key fob and Electronic Control Unit (ECU) from a salvage vehicle that they bought for $100 on eBay; and a LiPo battery that cost $30. Tesla has already released an over-the-air software update to mitigate the flaws, researchers said.\n\nIn the attack\u2019s first step, researchers used the ECU to force the key fobs to make themselves available as Bluetooth devices wirelessly, an action that can be achieved at up to five meters distance, Wouters said.\n\n\u201cBy reverse engineering the Tesla Model X key fob we discovered that the BLE interface allows for remote updates of the software running on the BLE chip,\u201d he said in the release. \u201cAs this update mechanism was not properly secured, we were able to wirelessly compromise a key fob and take full control over it.\u201d\n\nIt then took researchers about a minute and a half at a range of more than 30 meters to gain access to the key fob. Once it was compromised, researchers obtained valid commands to unlock the target vehicle and then gain access to the diagnostic connector inside the car, they said.\n\n\u201cBy connecting to the diagnostic connector, we can pair a modified key fob to the car,\u201d said Professor Benedikt Gierlichs, who led the research team. \u201cThe newly paired key fob allows us to then start the car and drive off. By exploiting these two weaknesses in the Tesla Model X keyless entry system we are thus able to steal the car in a few minutes.\u201d\n\nThe hack is not the first time this team of researchers demonstrated how Tesla key fobs can be hacked to access and steal a car. They previously [hacked](<https://www.esat.kuleuven.be/cosic/news/fast-furious-and-insecure-passive-keyless-entry-and-start-in-modern-supercars/>) into the key fob of a Passive Keyless Entry and Start (PKES) system of a Tesla Model S, and then [devised another attack](<https://www.esat.kuleuven.be/cosic/news/hackers-could-steal-a-tesla-model-s-by-cloning-its-key-fob-again/>) that was successful on the same model after Tesla updated the key fob to fix the flaw that allowed earlier access.\n\nTesla cars also have shown other security issues in the past. In 2016, Chinese researchers [hacked](<https://threatpost.com/tesla-fixes-critical-remote-hack-vulnerability/120719/>) into several models of the Tesla S series, demonstrating how they could remotely brake the cars as well as freeze control panels, open the trunk while driving, and remotely turn on and off the windshield wipers.\n\nTeslas aren\u2019t the only cars with key fobs vulnerable to takeover that would allow someone to steal vehicles. In 2016, [researchers claimed](<https://threatpost.com/key-fob-hack-allows-attackers-to-unlock-millions-of-cars/119846/>) that Volkswagen\u2019s keyless entry system left millions of Volkswagen, Ford and Chevrolet vehicles vulnerable to attack and theft.\n", "modified": "2020-11-24T12:59:12", "published": "2020-11-24T12:59:12", "id": "THREATPOST:09B5423D2CCF69E5E3DC9409EB575216", "href": "https://threatpost.com/tesla-hacked-stolen-key-fob/161530/", "type": "threatpost", "title": "Tesla Hacked and Stolen Again Using Key Fob", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-11-20T06:06:02", "bulletinFamily": "info", "cvelist": ["CVE-2020-27130"], "description": "A security weakness discovered in the GO SMS Pro Android app can be exploited to publicly expose media sent using the app, according to researchers.\n\nThe GO SMS Pro application is a popular messenger app with more than 100 million downloads from the [Google Play store](<https://play.google.com/store/apps/details?id=com.jb.gosms&hl=en_US&gl=US>). Researchers at Trustwave SpiderLabs said that private voice messages, videos messages and photos are all at risk of being compromised by a trivially exploitable flaw in version 7.91.\n\nWhen a user sends a multimedia message, the recipient can receive it even if they don\u2019t themselves have GO SMS Pro installed. In that case, the media file is sent to the recipient as a URL via SMS, so the person can click on the link to view the media file in a browser window.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cSpiderLabs found that accessing the link was possible without any authentication or authorization, meaning that any user with the link is able to view the content,\u201d researchers explained in a [Thursday posting](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/go-sms-pro-vulnerable-to-media-file-theft/>).\n\nIn and of itself, this could be exploitable via a piece of SMS-parsing malware or a browser-based info-stealer. But the researchers also found that the URLs used for media are sequential and predictable.\n\nSo, by predicting the next URL in the hexadecimal sequence, a malicious user could view any number of users\u2019 media without consent.\n\n\u201c[They could ] potentially access any media files sent via this service and also any that are sent in the future,\u201d researchers noted. \u201cBy incrementing the value in the URL, it is possible to view or listen to other media messages shared between other users.\u201d\n\nA simple bash script could be used to generate a sample list of URLs using the predictable changes in the addresses, they added, which can simply be pasted into the multi-tab extension on Chrome or Firefox for easy viewing.\n\nThe saving grace is that an attacker would not be able to link the media back to a specific user, unless the media file itself leaks a person\u2019s identity.\n\n\u201cFor instance, a profile picture can be searched for using reverse image search, a driver\u2019s license image or legal documents will have personally identifiable information (PII) that can be used to tie the image to specific people, etc.,\u201d Karl Sigler, senior security research manager at SpiderLabs, told Threatpost. \u201cHowever, a random picture of a sunset will likely not be easily traced back to a person.\u201d\n\nIt is nonetheless a concerning bug, Sigler added. He said that because an attacker can\u2019t directly target specific users, \u201cI wouldn\u2019t consider this a critical severity\u2026but the wide net that can be thrown around potentially sensitive data certainly justifies a high severity.\u201d\n\nThis weakness was confirmed in GO SMS Pro v7.91, as mentioned \u2014 but the developer released a new version (v.7.93) on Wednesday. SpiderLabs has not yet tested this new iteration of the app (but Sigler said he plans to), nor did the developer ever acknowledge the bug despite multiple attempts at contact starting in mid-August, researchers said.\n\nA fix would include adding proper access controls in the cloud instance, implementing longer unique IDs in the URL that will prevent sequential walking through the data, or simply taking down the cloud instance entirely until the issue can be addressed, according to Sigler.\n\nUsers should upgrade to the latest version in case it addresses the bug, but to ensure that content remains private, \u201cit is highly recommended to avoid sending media files via the app that you expect to remain private or that may contain sensitive data using this popular messenger app, at least until the vendor acknowledges this vulnerability and remediates it,\u201d according to SpiderLabs.\n\nThreatpost reached out to the developer for more information on whether the new version patches the issue \u2014 all mailboxes were full.\n\n\u201cThis should not be common and but inexperienced developers could easily let something like this slip,\u201d Sigler said. \u201cThis is why it\u2019s important to add in security testing to any application development lifecycle.\u201d\n", "modified": "2020-11-19T19:52:25", "published": "2020-11-19T19:52:25", "id": "THREATPOST:A9437435DAA03AED786FCFF49E8C8E15", "href": "https://threatpost.com/go-sms-pro-android-app-exposes-private-photos/161407/", "type": "threatpost", "title": "GO SMS Pro Android App Exposes Private Photos, Videos and Messages", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-12-15T06:10:00", "bulletinFamily": "info", "cvelist": ["CVE-2020-27130"], "description": "A man has been sentenced to two years in jail after being convicted of hacking Cisco\u2019s Webex collaboration platform in an insider-threat case brought to the U.S. District Court in California.\n\nSudhish Kasaba Ramesh, 31, admitted that he broke into Cisco\u2019s cloud infrastructure in 2018, hosted on Amazon Web Services, about four months after he resigned from the company. From there, he said in his plea agreement that he deployed a code from his Google Cloud Project account, which automatically deleted 456 virtual machines that host the WebEx Teams application.\n\nAs a result, 16,000 WebEx Teams accounts were shut down for up to two weeks; and, the incident cost Cisco about $1.4 million in remediation costs, including refunding $1 million to affected customers, according to a [court announcement](<https://www.justice.gov/usao-ndca/pr/san-jose-man-sentenced-two-years-imprisonment-damaging-cisco-s-network>).\n\n[](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar/>)\n\nClick to register.\n\nThe defendant was further sentenced to serve a one-year period of supervised release following the 24 months in prison. And, in addition to jail time, the court ordered Ramesh to pay a $15,000 fine for intentionally accessing a protected computer without authorization and recklessly causing damage to Cisco.\n\nHe will begin serving the sentence on February 10, 2021.\n\nIt\u2019s unclear why Ramesh mounted the attack or how he was able to access Cisco\u2019s infrastructure after he was no longer working for the company.\n\nInsider threats \u2013 be they disgruntled former employees, rogue employees or clueless workers who accidentally create risk \u2013 are an ongoing top danger for companies. Often, employees are groomed by outsiders. According to A [2019 study](<https://threatpost.com/insider-threats-cybercriminal-favorite/150128/>) from OpenText, between 25 to 30 percent of data breaches involved an external actor working with an internal person in an organization.\n\n\u201cWe used to focus on external threat actors, but now, when compromising the network, many have someone on the inside, whether it\u2019s because they bribed them or blackmailed them,\u201d Paul Shomo, senior security architect with OpenText, said at the time.\n\nThe insider-threat issue has been exacerbated by the transition to remote work. In the past, insider threats from employees and others given access to the network were more easily monitored because they were inside the network perimeter, and so malicious activity could be more easily detected.\n\n\u201cEven while employees continue to work from home, they still require access to corporate assets to do their jobs well,\u201d said Justin Jett, director of compliance and audit at Plixer, in a recent [Threatpost column](<https://threatpost.com/defining-policies-manage-remote-insider-threats/161327/>). \u201cWithout access, some employees can\u2019t perform their duties at all. Organizations must define long-term policies for how employees access company-owned assets, especially if they intend to allow employees to work from home indefinitely. Such policies should include restricting access by role, as well as other security measures like requiring employees to be connected to the corporate VPN.\u201d\n\n**_Put Ransomware on the Run: Save your spot for \u201cWhat\u2019s Next for Ransomware,\u201d a _**[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)**_ on Dec. 16 at 2 p.m. ET. Find out what\u2019s coming in the ransomware world and how to fight back. _**\n\n**_Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows; Limor Kessem, Executive Security Advisor, IBM Security; and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. _**[**_Register here_**](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)**_ for the Wed., Dec. 16 for this LIVE webinar._**\n", "modified": "2020-12-14T19:50:14", "published": "2020-12-14T19:50:14", "id": "THREATPOST:ED28E58EE0A6B2DB315B73298AD3C34A", "href": "https://threatpost.com/cisco-employee-convicted-deleting-webex-accounts/162246/", "type": "threatpost", "title": "Ex-Cisco Employee Convicted for Deleting 16K Webex Accounts", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-11-18T03:42:41", "bulletinFamily": "info", "cvelist": ["CVE-2020-27125", "CVE-2020-27130", "CVE-2020-27131"], "description": "A day after proof-of-concept (PoC) exploit code was published for a critical flaw in Cisco Security Manager, Cisco has hurried out a patch.\n\nCisco Security Manager is an end-to-end security management application for enterprise administrators, which gives them the ability to enforce various security policies, troubleshoot security events and manage a wide range of devices. The application has a vulnerability that could allow remote, unauthenticated attackers to access sensitive data on affected systems. The flaw ([CVE-2020-27130](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27130>)) has a CVSS score of 9.1 out of 10, making it critical.\n\n\u201cAn attacker could exploit this vulnerability by sending a crafted request to the affected device,\u201d according to Cisco, [in a Tuesday analysis](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-path-trav-NgeRnqgR>). \u201cA successful exploit could allow the attacker to download arbitrary files from the affected device.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAccording to Cisco, the flaw stems from the improper validation of directory traversal character sequences within requests to an affected device. A path-traversal attack aims to access files and directories that are stored outside the web root folder. If an attacker manipulates variables referencing files (with \u201cdot-dot-slash (../)\u201d sequences), it is possible to access arbitrary files and directories stored on file system, such as application source code, or configuration and critical system files.\n\nPoC exploits for the flaw \u2013 as well as 11 other issues in Cisco Security Manager \u2013 were published online Monday by security researcher Florian Hauser. Hauser [said in a Monday tweet](<https://twitter.com/frycos/status/1328412045092548609?>) that he had previously reported the flaws 120 days ago \u2013 however, Cisco \u201cbecame unresponsive and the published release 4.22 still doesn\u2019t mention any of the vulnerabilities.\u201d\n\n> Since Cisco PSIRT became unresponsive and the published release 4.22 still doesn't mention any of the vulnerabilities, here are 12 PoCs in 1 gist:<https://t.co/h31QO5rmde> <https://t.co/xyFxyp7cJr>\n> \n> \u2014 frycos (@frycos) [November 16, 2020](<https://twitter.com/frycos/status/1328412045092548609?ref_src=twsrc%5Etfw>)\n\nIn a [follow-up tweet on Tuesday](<https://twitter.com/frycos/status/1328712681067581441>), Hauser said: \u201cJust had a good call with Cisco! The missing vulnerability fixes were indeed implemented as well but need some further testing. SP1 will be released in the next few weeks. We found a good mode of collaboration now.\u201d\n\nThe flaw affects Cisco Security Manager releases 4.21 and earlier; the issue is fixed in Cisco Security Manager Release 4.22.\n\n## Other Security Manager Bugs\n\nCisco on Tuesday also disclosed two high-severity vulnerabilities in Cisco Security Manager. One of these ([CVE-2020-27125](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-rce-8gjUz9fW>)) stems from insufficient protection of static credentials in the affected software. This flaw could allow a remote, unauthenticated attacker to access sensitive information on an affected system, according to Cisco.\n\n\u201cAn attacker could exploit this vulnerability by viewing source code,\u201d according to Cisco. \u201cA successful exploit could allow the attacker to view static credentials, which the attacker could use to carry out further attacks.\u201d\n\nThe other flaw exists in the Java deserialization function that is used by Cisco Security Manager, and could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.\n\nThat flaw ([CVE-2020-27131](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-java-rce-mWJEedcD>)) stems from insecure deserialization of user-supplied content by the affected software, according to Cisco.\n\n\u201cAn attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system,\u201d said Cisco\u2019s advisory. \u201cA successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\\SYSTEM on the Windows target host.\u201d\n\nCisco has recently dealt with various flaws across its product line. Last week, the networking giant [warned of a high-severity flaw](<https://threatpost.com/high-severity-cisco-dos-flaw-asr-routers/161115/>) in Cisco\u2019s IOS XR software that could allow unauthenticated, remote attackers to cripple Cisco Aggregation Services Routers (ASR). Cisco also recently disclosed a [zero-day vulnerability](<https://threatpost.com/cisco-zero-day-anyconnect-secure-patch/160988/>) in the Windows, macOS and Linux versions of its AnyConnect Secure Mobility Client Software.\n\n[](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART-Bottom-Image&utm_campaign=Nov_webinar>)\n\n**Hackers Put Bullseye on Healthcare: **[**On Nov. 18 at 2 p.m. EDT**](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>)** find out why hospitals are getting hammered by ransomware attacks in 2020. **[**Save your spot for this FREE webinar**](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>)** on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this **[**LIVE**](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>)**, limited-engagement webinar.**\n", "modified": "2020-11-17T15:17:12", "published": "2020-11-17T15:17:12", "id": "THREATPOST:F499FA7121782ED3385983D16DC7D743", "href": "https://threatpost.com/critical-cisco-flaw-sensitive-data/161305/", "type": "threatpost", "title": "Cisco Patches Critical Flaw After PoC Exploit Code Release", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-11-18T23:07:19", "bulletinFamily": "info", "cvelist": ["CVE-2020-27130", "CVE-2020-3419", "CVE-2020-3441", "CVE-2020-3471"], "description": "A vulnerability in Cisco\u2019s Webex conferencing application could allow an attendee to act as a \u201cghost\u201d in the meeting \u2013 allowing them to spy in on potentially sensitive company secrets.\n\nTo [exploit the flaw](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-auth-token-3vg57A5r>) (CVE-2020-3419), attackers can be remote \u2013 however, they would need access to join the Webex meetings, including applicable meeting \u201cjoin\u201d links and passwords. For this reason, the flaw is only considered medium severity by Cisco, ranking 6.5 out of 10 on the CVSS scale. However, the practical implications are significant when considering information a \u201cghost\u201d could obtain in a meeting that assumed he or she was absent from.\n\nOnce they have meeting access, an attacker could exploit the flaw by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site. The bad actor could then exploit this vulnerability to join meetings \u2013 without appearing in the participant list \u2013 giving them full access to audio, video, chat and screen sharing capabilities.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cWith this flaw, a ghost could stay in a meeting while not being seen by others, even after being expelled by the host, which makes this practice especially problematic,\u201d said researchers with IBM [in a Wednesday analysis](<https://securityintelligence.com/posts/ibm-works-with-cisco-exorcise-ghosts-webex-meetings/>). \u201cWe identified that we could maintain the working bidirectional audio communication while a server thought the connection from an attendee dropped \u2014 meaning the attendee disappeared from the participants panel and became a ghost.\u201d\n\nThis vulnerability is due to improper handling of authentication tokens by a vulnerable Webex site. It affected all Cisco Webex Meetings sites prior to November 17, 2020; and all Cisco Webex Meetings apps releases 40.10.9 and earlier for iOS and Android.\n\nThe flaw also impacts Cisco Webex Meetings Server releases 3.0MR Security Patch 4 and earlier, and 4.0MR3 Security Patch 3 and earlier.\n\n\u201cCisco addressed this vulnerability on November 17, 2020, in Cisco Webex Meetings sites, which are cloud based,\u201d according to Cisco. \u201cNo user action is required.\u201d\n\nCisco said it\u2019s aware of public announcements of the vulnerability \u2013 but so far it has yet to spot any exploits in the wild. The flaws come as collaboration tools \u2013 [like Webex](<https://threatpost.com/beyond-zoom-safe-slack-collaboration-apps/154446/>), as well as [Zoom and Skype](<https://threatpost.com/zoom-bombers-ftc-settlement/161312/>) \u2013 face explosive utilization due to the coronavirus pandemic.\n\nTwo other flaws in Cisco Webex were also discovered by IBM researchers \u2013 including one ([CVE-2020-3441](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-infodisc-4tvQzn4>)) allowing an unauthenticated, remote attacker to view sensitive Webex information from the meeting room lobby, and another ([CVE-2020-3471](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-info-leak-PhpzB3sG>)) enabling bad actors to maintain the audio connection of a Webex session despite being expelled.\n\n## **Critical Cisco Flaws**\n\nCisco on Wednesday also plugged up three critical-severity vulnerabilities. One of these is an issue in the [API subsystem of Cisco Integrated Management Controller](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-api-rce-UXwpeDHd>) (IMC) that could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges.\n\nCisco IMC is a baseboard management controller that provides embedded server management for Cisco UCS C-Series Rack Servers and Cisco UCS S-Series Storage Servers \u2013 allowing system management in the data center and across distributed branch-office locations.\n\n\u201cAn attacker could exploit these vulnerabilities by sending a crafted HTTP request to the API subsystem of an affected system,\u201d according to Cisco. \u201cWhen this request is processed, an exploitable buffer overflow condition may occur. A successful exploit could allow the attacker to execute arbitrary code with root privileges on the underlying operating system (OS).\u201d\n\nThe [second critical flaw exists](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dna-cmd-injection-rrAYzOwc>) in the web-based management interface of Cisco DNA Spaces Connector, and could enable an unauthenticated, remote attacker to execute arbitrary commands on an affected device.\n\nCisco DNA Spaces is a location aware, task management cloud-based application. The connector helps users connect DNA Spaces in their environment.\n\n\u201cA successful exploit could allow the attacker to execute arbitrary commands on the underling operating system with privileges of the web-based management application, which is running as a restricted user,\u201d according to Cisco.\n\nFinally, Cisco [fixed a glitch](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-BCK-GHkPNZ5F>) in the REST API of Cisco IoT Field Network Director (FND) \u2013 its network management system for FAN deployment at scale \u2013 which could allow an unauthenticated, remote attacker to access the back-end database of an affected system. A successful exploit could allow the attacker to access the back-end database of the affected device and read, alter, or drop information, according to Cisco.\n\nThe newest slew of patches comes after Cisco rushed out a [patch for a critical vulnerability](<https://threatpost.com/critical-cisco-flaw-sensitive-data/161305/>) in its Security Manager, after proof-of-concept (PoC) exploit code was published. And, last week, the networking giant [warned of a high-severity flaw](<https://threatpost.com/high-severity-cisco-dos-flaw-asr-routers/161115/>) in Cisco\u2019s IOS XR software that could allow unauthenticated, remote attackers to cripple Cisco Aggregation Services Routers (ASR). Cisco also recently disclosed a [zero-day vulnerability](<https://threatpost.com/cisco-zero-day-anyconnect-secure-patch/160988/>) in the Windows, macOS and Linux versions of its AnyConnect Secure Mobility Client Software.\n", "modified": "2020-11-18T18:58:08", "published": "2020-11-18T18:58:08", "id": "THREATPOST:8A5B77A578DFAA9ED756B8B13294B030", "href": "https://threatpost.com/cisco-webex-flaw-snooping/161355/", "type": "threatpost", "title": "Cisco Webex 'Ghost' Flaw Opens Meetings to Snooping", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-12-10T14:11:35", "bulletinFamily": "info", "cvelist": ["CVE-2020-27130", "CVE-2020-6016", "CVE-2020-6017", "CVE-2020-6018", "CVE-2020-6019"], "description": "Game developer Valve has fixed critical four bugs in its popular Steam online game platform. If exploited, the flaws could allow a remote attacker to crash an opponent\u2019s game client, take over the computer \u2013 and hijack all computers connected to a third-party game server.\n\nSteam is utilized by more than 25 million users, and serves as a platform for a number of wildly popular video games, including [Counter Strike: Global Offensive](<https://threatpost.com/valve-confirms-csgo-team-fortress-2-source-code-leak/155092/>), Dota2 and [Half Life](<https://threatpost.com/valve-source-engine-fortnite-servers-crippled-by-gafgyt-variant/149719/>). The vulnerabilities, which were disclosed on Thursday, were discovered in the network library of Steam, which is known as Steam Sockets. This library is part of a toolkit for third-party game developers.\n\n\u201cVideo games have reached an all-time-high during the coronavirus pandemic,\u201d Eyal Itkin, security researcher at Check Point, said in a Thursday analysis. \u201cWith millions of people currently playing online games, even the slightest security issue can be a serious concern for gaming companies and gamer privacy. Through the vulnerabilities we found, an attacker could have taken over hundreds of thousands of gamer computers every day, with the victims being completely blind to it.\u201d\n\n[](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar/>)\n\nClick to register.\n\nResearchers disclosed the flaws to Valve in September; the vendor rolled out fixes after three weeks to different Steam games. Researchers said that in order to apply the patches, Steam gamers were required to install the update before they could launch a game.\n\nThe four flaws (CVE-2020-6016, CVE-2020-6017, CVE-2020-6018 and CVE-2020-6019) exist in Steam Sockets prior to version v1.2.0. The first three CVEs score 9.8 out of 10 on the CVSS scale, making them critical in severity, while the fourth ranks 7.5 out of 10, making it high-severity.\n\nCVE-2020-6016 exists because Steam Sockets improperly handles \u201cunreliable segments\u201d in the function SNP_ReceiveUnreliableSegment(). This can lead to a heap-based buffer underflow, where the input data is (or appears to be) shorter than the reserved space.\n\nThe flaw tied to CVE-2020-6017 is due to SNP_ReceiveUnreliableSegment() improperly handling long unreliable segments when configured to support plain-text messages, leading to a heap-based buffer overflow (where the input data is longer than the reserved space).\n\nThe bug tied to CVE-2020-6018 meanwhile is due to the improper handling of long encrypted messages in the function AES_GCM_DecryptContext::Decrypt(), leading to a stack-based buffer overflow.\n\nAnd finally, the flaw relating to CVE-2020-6019 stems from the function CConnectionTransportUDPBase::Received_Data() improperly handling inlined statistic messages.\n\nIn order to exploit the flaws, an attacker would need to connect to a target game server. Then, the attacker could launch the exploit by sending bursts of malicious packets to opponent gamers or target servers. No interaction is needed from the target gamer or server.\n\n\u201cFrom this point, the attacker could deploy the same vulnerability, as both the game clients and game servers are vulnerable, to force the server to take over all connected clients, without any of them noticing,\u201d said researchers.\n\nThat could open up various attack scenarios. One such scenario would include sabotaging online games, in which an attacker is able to crash the server at any time they please, forcing the game to stop for all gamers at once.\n\nResearchers suggest that Valve gamers should make sure that they don\u2019t have a notification about a pending update that they should install, though they should already protected through the fix. And, they should check that their games have indeed updated.\n\n\u201cGamers of third-party games should check that their game clients received an update in recent months,\u201d they said. \u201cIf not, they will need to contact the game developers to check when will an update be released.\u201d\n\nSteam has dealt with security issues before. In 2019, a researcher dropped a zero-day vulnerability that [affected the Steam game client](<https://threatpost.com/gamers-zero-day-steam-client-affects-windows/147225/>) for Windows, after Valve said it wouldn\u2019t fix it. Valve then published a patch, that the same researcher said can be bypassed and dropped [a second zero day](<https://threatpost.com/researcher-discloses-second-steam-zero-day-after-valve-bug-bounty-ban/147593/>).\n\n**_Put Ransomware on the Run: Save your spot for \u201cWhat\u2019s Next for Ransomware,\u201d a _**[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)**_ on Dec. 16 at 2 p.m. ET. Find out what\u2019s coming in the ransomware world and how to fight back. _**\n\n**_Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. _**[**_Register here_**](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)**_ for the Wed., Dec. 16 for this LIVE webinar._**\n", "modified": "2020-12-10T11:00:46", "published": "2020-12-10T11:00:46", "id": "THREATPOST:278458B8B7AD1BAD24FB2C2C5F0B1441", "href": "https://threatpost.com/critical-steam-flaws-crash-opponents-computers/162100/", "type": "threatpost", "title": "Critical Steam Flaws Could Let Gamers Crash Opponents\u2019 Computers", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2020-12-24T11:40:23", "bulletinFamily": "software", "cvelist": ["CVE-2020-27130"], "description": "A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to gain access to and modify sensitive information on the affected device.\n\nThe vulnerability is due to improper validation of directory traversal character sequences within requests to an affected device. An attacker could exploit this vulnerability by sending a crafted request to the affected device. A successful exploit could allow the attacker to read or write arbitrary files on the affected device.\n\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-path-trav-NgeRnqgR [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-path-trav-NgeRnqgR\"]", "modified": "2020-11-20T17:49:26", "published": "2020-11-16T23:00:00", "id": "CISCO-SA-CSM-PATH-TRAV-NGERNQGR", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-path-trav-NgeRnqgR", "type": "cisco", "title": "Cisco Security Manager Path Traversal Vulnerability", "cvss": {"score": 9.1, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}}], "nessus": [{"lastseen": "2020-12-02T09:35:33", "description": "The version of Cisco Security Manager running on the remote web server is prior to 4.22. It is, therefore, affected \na path traversal vulnerability. An unauthenticated, remote attacker can exploit this, by sending a URI that \ncontains directory traversal characters, to disclose the contents of files located outside of the server's restricted \npath.\n\nPlease see the included Cisco BID and Cisco Security Advisory for more information", "edition": 3, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2020-11-17T00:00:00", "title": "Cisco Security Manager < 4.22 Path Traversal (cisco-sa-csm-path-trav-NgeRnqgR)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-27130"], "modified": "2020-11-17T00:00:00", "cpe": ["cpe:/a:cisco:security_manager"], "id": "CISCO-SA-CSM-PATH-TRAV-NGERNQGR.NASL", "href": "https://www.tenable.com/plugins/nessus/142908", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142908);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/01\");\n\n script_cve_id(\"CVE-2020-27130\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-csm-path-trav-NgeRnqgR\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvu99995\");\n script_xref(name:\"IAVA\", value:\"2020-A-0535\");\n\n script_name(english:\"Cisco Security Manager < 4.22 Path Traversal (cisco-sa-csm-path-trav-NgeRnqgR)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The web application running on the remote web server is affected by a path traversal vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Cisco Security Manager running on the remote web server is prior to 4.22. It is, therefore, affected \na path traversal vulnerability. An unauthenticated, remote attacker can exploit this, by sending a URI that \ncontains directory traversal characters, to disclose the contents of files located outside of the server's restricted \npath.\n\nPlease see the included Cisco BID and Cisco Security Advisory for more information\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-path-trav-NgeRnqgR\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c337be85\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu99995\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Cisco Security Manager version 4.22 or later\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-27130\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:security_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_security_manager_http_detect.nbin\");\n script_require_keys(\"installed_sw/Cisco Security Manager\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nport = get_http_port(default:443);\napp_info = vcf::get_app_info(app:'Cisco Security Manager', port:port);\nconstraints = [{'fixed_version':'4.22'}];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}]}
