Critical Remotely Exploitable Bugs Found in Schneider Electric ProClima Software
2014-12-18T10:58:00
ID CRITICAL-REMOTELY-EXPLOITABLE-BUGS-FOUND-IN-SCHNEIDER-ELECTRIC-PROCLIMA-SOFTWARE/109961 Type threatpost Reporter Dennis Fisher Modified 2014-12-18T15:58:29
Description
There are a number of critical, remotely exploitable command injection vulnerabilities in Schneider Electric’s ProClima software, which is used in manufacturing and energy facilities.
The ProClima application is a utility that customers use to design control panel enclosures in industrial facilities to help manage the heat from enclosed electrical devices. The bugs affect ProClima versions 6.0.1 and earlier, according to an advisory released by ICS-CERT. The flaws exists in two separate components of the ProClia software, MDraw30.ocx and Atx45.ocx.
“MDraw30.ocx control can be initialized and called by malicious scripts potentially causing buffer overflows, which may allow an attacker to execute code remotely,” the advisory says.
The same scenario is true for the vulnerabilities in Atx45.ocx. All of the vulnerabilities can be exploited remotely, and ICS-CERT said that an attacker with relatively low skills would be able to exploit the bugs. There aren’t any known exploits for the vulnerabilities at this point, however.
The vendor has pushed out a new version of the ProClima package that contains fixes for the vulnerabilities.
“Schneider Electric has released an updated version of the ProClima software, Version 6.1.7, which mitigates these vulnerabilities. Customers are encouraged to download the new version and update their installations. It is important that customers first uninstall the current version,” the ICS-CERT advisory says.
The vulnerabilities were reported to Schneider Electric by Ariele Caltabiano, Andrea Micalizzi, and Brian Gorenc through the Zero Day Initiative.
{"enchantments": {"vulnersScore": 7.5}, "reporter": "Dennis Fisher", "id": "CRITICAL-REMOTELY-EXPLOITABLE-BUGS-FOUND-IN-SCHNEIDER-ELECTRIC-PROCLIMA-SOFTWARE/109961", "modified": "2014-12-18T15:58:29", "published": "2014-12-18T10:58:00", "threatPostCategory": "Critical Infrastructure", "history": [], "bulletinFamily": "info", "viewCount": 2, "cvelist": [], "type": "threatpost", "hash": "0b85c735b29d0f294969a0d56c5ec28ddc056c4eb53cda8292ca19f2b56cdcbf", "references": ["https://ics-cert.us-cert.gov/advisories/ICSA-14-350-01"], "description": "There are a number of critical, remotely exploitable command injection vulnerabilities in Schneider Electric\u2019s ProClima software, which is used in manufacturing and energy facilities.\n\nThe ProClima application is a utility that customers use to design control panel enclosures in industrial facilities to help manage the heat from enclosed electrical devices. The bugs affect ProClima versions 6.0.1 and earlier, according to an advisory released by ICS-CERT. The flaws exists in two separate components of the ProClia software, MDraw30.ocx and Atx45.ocx.\n\n\u201cMDraw30.ocx control can be initialized and called by malicious scripts potentially causing buffer overflows, which may allow an attacker to execute code remotely,\u201d the [advisory](<https://ics-cert.us-cert.gov/advisories/ICSA-14-350-01>) says.\n\nThe same scenario is true for the vulnerabilities in Atx45.ocx. All of the vulnerabilities can be exploited remotely, and ICS-CERT said that an attacker with relatively low skills would be able to exploit the bugs. There aren\u2019t any known exploits for the vulnerabilities at this point, however.\n\nThe vendor has pushed out a new version of the ProClima package that contains fixes for the vulnerabilities.\n\n\u201cSchneider Electric has released an updated version of the ProClima software, Version 6.1.7, which mitigates these vulnerabilities. Customers are encouraged to download the new version and update their installations. It is important that customers first uninstall the current version,\u201d the ICS-CERT advisory says.\n\nThe vulnerabilities were reported to Schneider Electric by Ariele Caltabiano, Andrea Micalizzi, and Brian Gorenc through the Zero Day Initiative.", "title": "Critical Remotely Exploitable Bugs Found in Schneider Electric ProClima Software", "href": "https://threatpost.com/critical-remotely-exploitable-bugs-found-in-schneider-electric-proclima-software/109961/", "lastseen": "2016-09-04T20:45:10", "edition": 1, "objectVersion": "1.2", "cvss": {"score": 0.0, "vector": "NONE"}}
{"result": {"f5": [{"lastseen": "2018-07-18T17:53:40", "references": [], "description": "\nF5 Product Development has assigned IDs 734177 and 734181 (BIG-IP), ID 725898 (BIG-IQ and iWorkflow), ID 734257 (Enterprise Manager), and CPF-24939 and CPF-24940 (Traffix SDC) to this vulnerability.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>).\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) | 13.x | 13.0.0 - 13.1.0 | None | Medium | [5.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H>) | TMOS (Linux kernel) \n12.x | 12.1.0 - 12.1.3 | None \n11.x | 11.2.1 - 11.6.3 | None \nARX | 6.x | None | Not applicable | Not vulnerable | None | None \nEnterprise Manager | 3.x | 3.1.1 | None | Medium | [5.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H>) | TMOS (Linux kernel) \nBIG-IQ Centralized Management | 6.x | 6.0.0 | None | Medium | [5.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H>) | TMOS (Linux kernel) \n5.x | 5.0.0 - 5.4.0 \n | None \n4.x | 4.6.0 | None \nBIG-IQ Cloud and Orchestration | 1.x | 1.0.0 | None | Medium | [5.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H>) | TMOS (Linux kernel) \nF5 iWorkflow | 2.x | 2.1.0 - 2.3.0 | None | Medium | [5.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H>) | TMOS (Linux kernel) \nTraffix SDC | 5.x | 5.0.0 - 5.1.0 | None | Medium | [5.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H>) | TMOS (Linux kernel) \n4.x | 4.4.0 | None \n \n1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix matrix](<https://support.f5.com/csp/article/K15113>)\n * [K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM systems (11.4.x and later)](<https://support.f5.com/csp/article/K48955220>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>)\n", "edition": 1, "reporter": "f5", "published": "2018-07-18T17:14:00", "title": "Linux kernel vulnerability CVE-2017-15121", "type": "f5", "enchantments": {"score": {"modified": "2018-07-18T17:53:40", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2017-15121"], "modified": "2018-07-18T17:14:00", "id": "F5:K42142782", "href": "https://support.f5.com/csp/article/K42142782", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "lenovo": [{"lastseen": "2018-07-18T21:31:33", "references": [], "description": "**Lenovo Security Advisory**: LEN-17297\n\n**Potential Impact: **An attacker could load and execute arbitrary code outside the visibility of the user, operating system, and hypervisor/virtualization platform; resulting in exfiltration of secrets, subtle manipulation of system operation, or denial of service.\n\n**Severity:** High\n\n**Scope of Impact:** Industry-wide\n\n**CVE Identifier: **CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2017-5708, CVE-2017-5709, CVE-2017-5710, CVE-2017-5711, CVE-2017-5712\n\n**Summary Description:**\n\nIntel chipsets use a separate embedded processor and execution environment to provide various systems management and security functions. In response to a vulnerability recently found by external researchers, Intel performed an in-depth security review of three major components of this environment: Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE). Eight vulnerabilities were found in these firmware versions:\n\nME: 11.0.x.x, 11.5.x.x, 11.6.x.x, 11.7.x.x, 11.10.x.x, 11.20.x.x\n\nUpdate 12/14/2017: 8.x, 9.x, 10.x are affected by CVE-2017-5711, CVE-2017-5712\n\nUpdate 12/21/2017: 6.x/7.x are also affected by CVE-2017-5711, CVE-2017-5712\n\nSPS: 4.0.x.x\n\nTXE: 3.0.x.x\n\n(Refer to [Intel's Security Advisory](<https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr>) for affected Intel\u00ae Core\u2122 and Intel\u00ae Processor families)\n\nTo remediate these vulnerabilities, apply appropriate the BIOS/UEFI update or ME/SPS/TXE firmware update listed in the product impact section. For some products, the Intel ME Driver may also need to be updated. \n\nIf desired, these component firmware versions can be confirmed in the BIOS/UEFI setup utility (press the \u201cF1\u201d key at system power-on). Note that any given system will likely have only one of the components present. ME is generally found on client systems and low-end servers without a dedicated systems management controller. SPS is found on servers with dedicated controllers, and TXE is found primarily on tablets and other low-power devices.\n\n**Mitigation Strategy for Customers (what you should do to protect yourself):**\n\nRefer to the Product Impact section below and update to the appropriate BIOS/UEFI or ME/SPS/TXE firmware and, where applicable, ME driver version for your model. \n\nBecause required software may be Operating System specific or there may be more than one package to update, some links provided below may point to the product\u2019s software download page. Under Operating System, you should confirm the selection is correct. Then select Chipset under the Components section.\n\n**Product Impact:**\n", "edition": 5, "reporter": "Lenovo", "published": "2018-07-18T17:05:00", "title": "Intel ME 6.x/7.x/8.x/9.x/10.x./11.x, SPS 4.0, and TXE 3.0 Cumulative Security Update - us", "type": "lenovo", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2017-5709", "CVE-2017-5708", "CVE-2017-5710", "CVE-2017-5706", "CVE-2017-5711", "CVE-2017-5705", "CVE-2017-5712", "CVE-2017-5707"], "modified": "2018-07-18T17:05:00", "id": "LENOVO:PS500146-NOSID", "href": "https://support.lenovo.com/us/en/solutions/len-17297", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mssecure": [{"lastseen": "2018-07-18T16:22:13", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "The Microsoft Graph Security API, which [launched](<https://aka.ms/graphsecurityannounce>) this spring, is a unified REST API for integrating data and intelligence from Microsoft products, services, and partners. Using Microsoft Graph, developers can easily build applications that consolidate and correlate security alerts from multiple sources, unlock contextual data to inform investigations, and automate security operations for greater efficiency.\n\nWe just launched a new sample app that makes it easier than ever for developers to get started. Similar to the [Python sample](<https://aka.ms/graphsecuritypython>) and [C# sample](<https://aka.ms/graphsecurityaspnet>), currently available, the new [JavaScript sample](<https://aka.ms/graphsecuritynodejs>) app provides ready-to-run code to:\n\n * Display a list of all security alerts for a tenant. Filter by top alerts, category, provider, and severity, or alerts related to a particular user or device.\n * View rich alert details in JSON.\n * Show additional information from Microsoft Graph about a user or device.\n * Update the status of an alert, provide feedback, and add comments.\n * Subscribe to notifications of all new and updated alerts that meet your filters.\n\nGet started with the [JavaScript sample app](<https://aka.ms/graphsecuritynodejs>) today!", "reporter": "toddvanderark", "published": "2018-07-18T16:00:22", "type": "mssecure", "title": "Jumpstart your Microsoft Graph Security API integration with the new JavaScript sample app", "enchantments": {"score": {"modified": "2018-07-18T16:22:13", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-07-18T16:00:22", "id": "MSSECURE:72420F62870DD262CF25EF660E433AF8", "href": "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/18/jumpstart-your-microsoft-graph-security-api-integration-with-the-new-javascript-sample-app/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-18T16:22:13", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "_This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 Security solutions. In this series youll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, _**[Assessing Microsoft 365 Security solutions using the NIST Cybersecurity Framework](<https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/assessing-microsoft-365-security-solutions-using-the-nist-cybersecurity-framework/>)**.\n\nYour users expect technology to help them be productive, yet you need to keep your organizations data safe. This blog will show you how Microsoft 365 Security solutions can help you achieve this fine balance between productivity and security. We recommend an integrated solution that incorporates managing identities, managing devices, then securing applications, email, and data.\n\nFirst, well start with the question that we often hear from customers: **How can I make sure my employees are working securely when they are working remotely?** With digital technology changing how people work, users need to be productive on a variety of devices, regardless if they are company-provided or bring your own device (BYOD). The vital foundation to your in-depth security strategy is strong, integrated identity protection.\n\n## Securing identities to protect at the front door\n\nIdentity management in [Azure Active Directory (Azure AD)](<https://azure.microsoft.com/en-us/services/active-directory/>) is your first step. Once user identities are managed in Azure AD, you can enable Azure AD [single sign-on (SSO)](<https://azure.microsoft.com/en-us/resources/videos/overview-of-single-sign-on/>) to manage authentication across devices, cloud apps, and on-premises apps. Then layer Multi-factor Authentication (MFA) with Azure AD Conditional Access (see Figure 1). These security tools work together to reauthenticate high-risk users and to take automated action to secure your network.\n\n_Figure 1. Set user policies using Azure AD Conditional Access._\n\n### Security across devices\n\nFrom identity, we move to devices. Microsoft Intune lets you manage both company-owned and BYOD from the cloud. Once you [set up your Intune subscription](<https://docs.microsoft.com/en-us/intune/setup-steps>), you can add users and groups, assign licenses, deploy and protect apps, and set up device enrollment.\n\nThrough Azure AD, you can then create conditional access policies according to user, device, application, and risk.\n\nTo strengthen employee sign-in on Windows 10 PCs, [Windows Hello for Business](<https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification>) replaces passwords with strong MFA consisting of a user credential and biometric or PIN.\n\n### Security across apps\n\n[Microsoft Cloud App Security](<https://www.microsoft.com/en-us/cloud-platform/cloud-app-security>) gives you visibility and control over the cloud apps that your employees are using. You can see the overall picture of cloud apps across your network, including any unsanctioned apps your employees may be using. Discovering shadow IT apps can help you prevent unmonitored avenues into or out of your network.\n\n### Security across email\n\nOnce you have secured your organizations devices and applications, its equally important to safeguard your organizations flow of information. Sending and receiving email is one of the weakest spots for IT security. [Azure Information Protection](<https://docs.microsoft.com/en-us/azure/information-protection/understand-explore/what-is-information-protection>) allows you to configure policies to classify, label, and protect data based on sensitivity. Then you can track activities on shared data and revoke user access if necessary.\n\nFor security against malicious emails, Office 365 Advanced Threat Protection (ATP) lets you set up [anti-phishing protections](<https://support.office.com/en-us/article/Set-up-Office-365-ATP-anti-phishing-policies-5a6f2d7f-d998-4f31-b4f5-f7cbf6f38578>) to protect your employees from increasingly sophisticated phishing attacks.\n\n### Security across data\n\nOnce you have secured how employees access data, its equally important to safeguard the data itself. [Microsoft BitLocker Drive Encryption technology](<https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview>) prevents others from accessing your disk drives and flash drives without authorization, even if theyre lost or stolen. [Windows Information Protection](<https://blogs.technet.microsoft.com/windowsitpro/2016/06/29/introducing-windows-information-protection/>) helps protect against accidental data leaks, with protection and policies that travel with the data wherever it goes.\n\n## Deployment tips from our experts\n\nNow that you know more about how Microsoft 365 security solutions can protect your people and data in a mobile world, here are three proven tips to put it all into action:\n\n 1. **Be proactive, not reactive.** Proactively provision identities through [Azure AD](<https://azure.microsoft.com/en-us/features/azure-portal/>), enroll devices through [Microsoft Intune](<https://www.microsoft.com/en-us/cloud-platform/microsoft-intune-apps>), and set up [Intune App Protection](<https://blogs.technet.microsoft.com/ukprodandcomms/?p=1465>). Enrolling devices can help keep your companys data safe by preventing threats or data breaches before they happen.\n 2. **Keep your company data safe.** Managing employee identities is a fundamental part of information security. Enable SSO and MFA, set up [conditional access](<https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal>) policies, and then deploy [Azure Information Protection](<https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-information-protection>) for classification and protection of sensitive data.\n 3. **Plan for success with Microsoft FastTrack**. This valuable service comes with your subscription at no additional charge. Whether youre planning your initial rollout, needing to onboard your product, or driving user adoption, FastTrack is your benefit service that is ready to assist you. [Get started at FastTrack for Microsoft 365](<https://fasttrack.microsoft.com/microsoft365/journey>).\n\n## Want to learn more?\n\nFor more information and guidance on this topic, stay tuned for the white paper Work securely from anywhere, anytime, across all your devices coming soon!\n\n* * *\n\n_More blog posts from this series:_\n\n * [Tips for getting started on your security deployment](<https://cloudblogs.microsoft.com/microsoftsecure/2018/03/06/tips-for-getting-started-on-your-security-deployment/>)\n * [Accelerate your security deployment with FastTrack for Microsoft 365](<https://cloudblogs.microsoft.com/microsoftsecure/2018/03/20/accelerate-your-security-deployment-with-fasttrack-for-microsoft-365/>)\n * [First things first: Envisioning your security deployment](<https://cloudblogs.microsoft.com/microsoftsecure/2018/05/01/first-things-first-envisioning-your-security-deployment/>)\n * [Now that you have a plan, its time to start deploying](<https://cloudblogs.microsoft.com/microsoftsecure/2018/05/17/now-that-you-have-a-plan-its-time-to-start-deploying/>)\n * [New FastTrack benefit: Deployment support for Co-management on Windows 10 devices](<https://cloudblogs.microsoft.com/microsoftsecure/2018/06/18/new-fasttrack-benefit-deployment-support-for-co-management-on-windows-10-devices/>)\n * [Assessing Microsoft 365 security solutions using the NIST Cybersecurity Framework](<https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/assessing-microsoft-365-security-solutions-using-the-nist-cybersecurity-framework/>)", "reporter": "toddvanderark", "published": "2018-07-18T16:00:11", "type": "mssecure", "title": "Enable your users to work securely from anywhere, anytime, across all of their devices", "enchantments": {"score": {"modified": "2018-07-18T16:22:13", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-07-18T16:00:11", "id": "MSSECURE:096E8E91E504FDB63E618F1F89EB8BED", "href": "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/18/enable-your-users-to-work-securely-from-anywhere-anytime-across-all-of-their-devices/", "cvss": {"score": 0.0, "vector": "NONE"}}], "impervablog": [{"lastseen": "2018-07-18T16:36:36", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "It\u2019s a well-known fact that security solutions must quickly adapt to new attack methods. There are several ways to achieve this goal, regularly applying security patches and updates, relying on threat intelligence and more.\n\nAt [Imperva](<https://www.imperva.com/>), we use pattern anomaly detection as one of the tools to identify emerging threats and build new defenses. Our security researchers analyze the detected patterns from time to time, and this is how we learned about the existence of the Ash botnet. \n\nThe pattern that arose from our anomaly detection engine was http://xxx.xxx.xxx.xxx/a.sh. The pattern indicates a resource name, from multiple remote servers, that is being used as a payload in numerous attacks including the now infamous [Drupalgeddon2 ](<https://www.imperva.com/blog/2018/04/drupalgeddon-2-0-are-hackers-slacking-off/>)exploit\n\n**It\u2019s not so often that we get to see the full life-cycle of a botnet**, from creation to demise. When we do get the opportunity, however, it gives us a unique perspective on how botnets operate and how to stop them.\n\n# Detecting the botnet\n\n## By common payload\n\nWhile investigating attempts to attack our customers -- close to 1000 Imperva-protected sites were attacked but successfully guarded by the Imperva Incapsula [WAF](<https://www.imperva.com/app-security/app-security-101/what-is-waf/>). It turned out that the payload was being delivered from a group of several hundred IPs belonging to a large group of sites protected by Incapsula, over a period spanning more than 30 days. The specificity and distinctiveness of this payload, as well as the fact that it was being delivered by the same hacking tool, strongly suggests that all these IPs were part of a single botnet.\n\n### Payload description\n\nThe initial a.sh file bash script is a simple downloader bash script. It downloads a compressed archive, extracts and runs one executable file named \u201ci\u201d. The archive contains 21 different files - text, bash script, executable, static libraries, and Python. \u201ci\u201d is a 64 bit ELF executable file which surprisingly isn\u2019t detected by any of the virus detection engines in Virus Total.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/07/Ash1.png>)\n\nThe purpose of \u201ci\u201d is twofold: propagation of the malware and crypto-mining. The propagation is done through a central C&C server using both known vulnerabilities (Drupalgedon) and [phishing emails](<https://www.imperva.com/data-security/threatglossary/phishing/>). A detailed analysis is available [here](<https://github.com/carbreal/Malware_Analysis/tree/master/Drupal_Exploi>). The crypto-mining part is achieved by running four (!) different types of crypto-mining software, [xmrig](<https://github.com/xmrig/xmrig>), [jce_cn_cpu_miner,](<https://github.com/jceminer/cn_cpu_miner>) [xmr_stack](<https://github.com/fireice-uk/xmr-stak>), and [luk-cpu](<http://www.lukminer.net/releases/>).\n\nOut of these miners, we were able to track two wallets that currently hold ~200 XMR which is the equivalent of 28K$:\n\n * 48edfHu7V9Z84YzzMa6fUueoELZ9ZRXq9VetWzYGzKt52XU5xvqgzYnDK9URnRoJMk1j8nLwEVsaSWJ4fhdUyZijBGUicoD\n * 45Pw3bWFJXQiR1hN97huM6BbNPpnYdPytWnTUbkEm6KS9MExU7Gtr3nBsVoZA746qhCEwqVsFuPdwfXVtZwXxHQ6LDyfBaL\n\n## By other common behavioral patterns\n\nIdentifying behavioral correlations over time between different attackers is a powerful way to single out botnets. A similar payload used by multiple IPs, as found here, is an easily detectable common behavior pattern; however, when the payload is not known or is not consistent or distinctive enough, more subtle behavior correlations can be used.\n\nOne such pattern is the sites visited by source IPs as a function of time. By defining a measure that reflects whether or not two different IPs visited similar sets of sites at the same time, one can cluster attacking IPs into groups representing potential botnets.\n\nIt turns out that such behavioral correlations are present here too, allowing us to calibrate the similarity measure used in our clustering method. The combination of both methods allowed us to successfully identify additional botnets in our data.\n\n# Botnet structure and life-cycle\n\n## Attack distribution\n\nInterestingly, the attack was led by a single \u201cmaster\u201d IP, which on peak days was responsible for the majority of attacks on hundreds of target sites while the remaining multitude of \u201cminion\u201d IPs each performed a much smaller portion of the attack, typically attacking about a dozen sites per day. Another noteworthy feature was that the master IP changed four times during the analyzed 60-day period such that there was always exactly one IP taking this role at any given time, as shown in the figure below, where each colored curve represents a different IP.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/07/Ash2.png>)\n\nThe master IPs are likely to have belonged to a machine or machines owned by the attacker while the remaining IPs probably belonged to infected application servers that joined the attack in turn, making up the minion botnet.\n\nAmusingly, the master IP active between May 8- 22 (red curve), suddenly became idle between the dates May 15-18, the onset of the FIFA World Cup, which may imply that the attacker is a football fan, and in keeping with the hypothesis that the activity of the master IP is not initiated by a bot but by a human, being the actual attacker\u2019s machine.\n\n## Creation\n\nAs you can see from the above graph, the peak of the attack, starting around the 20th of May, was preceded by a period in which only one IP was attacking - using the same payloads. The same sites that would later be attacked by the other IPs in the network. The hacking tool used by this IP was different from that used during the peak days of the attack.\n\nThe period during which only this IP was active in the network can be seen as one of reconnaissance activity by the attacker, who was probably looking for vulnerable points in the sites which the botnet later targeted.\n\n## Duration\n\nApart from the master IPs, each of which attacked multiple sites daily over long durations, most IPs dropped out of the botnet after a few days, with 998 of 2034 (close to 50%) being observed for up to two days:\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/07/Ash3.png>)\n\nThere is more than one possible factor that may explain the brief appearance of most of the IPs:\n\n * Fast detection and removal of the infection from many infected machines\n * Sparing usage of the infected IP by the attacker to avoid their being detected\n\n## Volatility\n\nThe participation of IPs in the botnet\u2019s activity had an interesting dynamic. The IP turnover rate in the botnet was relatively high: as shown in the graph below. On average, approximately 25% of IPs that were active (marked in orange) in the botnet on a given day were not active (marked in blue) on the next day, being replaced by a similar number of new IPs.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/07/Ash4.png>)\n\nWe can see that the overall activity of the Ash botnet dramatically declined between June 15-18. We couldn\u2019t find a technical explanation for this phenomenon. However, it is important to note that those were the opening days of the FIFA World Cup event. It is not unlikely that the botnet operators took a break from their nefarious activity to enjoy a few soccer matches \n\nTaken as a whole, the total activity of the botnet peaked between May 20- 28 and started declining thenceforth. \n\nIn the figure below we can see each attacked site marked in a different color and the number of IPs attacking it.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/07/Ash5.png>)\n\n# The victim\u2019s perspective\n\nIf a site happened to be compromised, it would have started mining cryptocurrencies for the attacker. This can potentially lead to denial of service if the attacker utilizes all of the CPU power for mining. Additionally, a compromised server would continue to spread malware to more victims, potentially gaining a bad reputation for the server and the possibility of it being blacklisted by security vendors.\n\nThe many-to-many relation between attacked sites and attacking IPs of the Ash botnet leads to a commonly encountered situation where, from the attacked site\u2019s perspective, it\u2019s difficult to recognize that a high-volume attack is taking place, since each IP delivers a handful of requests per day to each site and then moves on to the next site. \n\nThe figure below shows the number of requests sent by a single attacking IP to a single application in a single day. As can be seen, in the vast majority of cases (84%), a single attacking IP performed a single request to a single site in the same day.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/07/Ash6.png>)\n\nThus, by simply decorrelating the attacking IPs from their targets, the attacker can avoid detection by the site based on volumetric measures per source IP. \n\nSuch an asymmetry between the complexity of the attacker\u2019s and defender\u2019s respective tasks is typical of the cybersecurity domain.\n\n# Mitigation\n\nAs mentioned in the previous section, unless the payload is blocked by existing security rules - which is not the case in zero-day attacks - the victim has a hard time detecting such a distributed attack campaign. A wider perspective encompassing multiple target sites - like that of a cloud-based security provider - is required.\n\nFrom such a viewpoint, behavioral correlations between IPs across different target sites become evident, and it can serve to identify synchronized attacks such as those performed by the Ash botnet. Moreover, in subsequent attacks by the botnet, mitigation can be achieved by blocking requests from IPs belonging to the botnet whenever synchronic and correlated activity is detected among the botnet\u2019s IPs. Additionally, we recommend that you:\n\n 1. Stay up to date with the latest security patches\n 2. Deploy a security solution that has a global view to detect and block such malicious activities that are not visible from a single application point of view\n\nNote that up-front blocking of all requests from the IPs that participated in the attack would jeopardize legitimate activity originating from machines belonging to legitimate users which have been unknowingly infected. Hence, additional indications for blocking, such as detection of an automated tool, should be used to separate legitimate from malicious activity originating from the same IPs.", "reporter": "Nadav Avital", "published": "2018-07-18T16:00:14", "type": "impervablog", "title": "Drupal, Phishing and A New Cryptomining Botnet", "enchantments": {"score": {"modified": "2018-07-18T16:36:36", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-07-18T16:00:14", "id": "IMPERVABLOG:6FD1CE5D8A5D5CBBB4A98397FEC0AF08", "href": "https://www.imperva.com/blog/2018/07/drupal-phishing-and-the-ash-cryptomining-botnet/", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisco": [{"lastseen": "2018-07-18T16:59:27", "_object_types": ["robots.models.cisco.CiscoBulletin", "robots.models.base.Bulletin"], "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-DOM-xss"], "description": "A vulnerability in the web framework of Cisco Webex could allow an unauthenticated, remote attacker to conduct a Document Object Model-based (DOM-based) cross-site scripting (XSS) attack against the user of the web interface of an affected system.\n\nThe vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software by using the HTTP POST method. An attacker who can submit malicious scripts to the affected user interface element could execute arbitrary script or HTML code in the user’s browser in the context of the affected site.\n\nA vulnerability in the web framework of Cisco Webex could allow an unauthenticated, remote attacker to conduct a Document Object Model-based (DOM-based) cross-site scripting (XSS) attack against the user of the web interface of an affected system.\n\nThe vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software by using the HTTP POST method. An attacker who can submit malicious scripts to the affected user interface element could execute arbitrary script or HTML code in the user\u2019s browser in the context of the affected site.\n\nThere are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-DOM-xss [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-DOM-xss\"]", "reporter": "Cisco", "published": "2018-07-18T16:00:00", "type": "cisco", "title": "Cisco Webex DOM-Based Cross-Site Scripting Vulnerability", "enchantments": {"score": {"modified": "2018-07-18T16:59:27", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Cisco WebEx Personal Meeting Room", "version": "any", "operator": "eq"}], "cvelist": ["CVE-2018-0390"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2018-07-18T13:03:47", "id": "CISCO-SA-20180718-WEBEX-DOM-XSS", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-DOM-xss", "cvss": {"score": 6.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}, {"lastseen": "2018-07-18T16:59:27", "_object_types": ["robots.models.cisco.CiscoBulletin", "robots.models.base.Bulletin"], "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sd-wan-code-ex"], "description": "A vulnerability in the configuration and management service of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to execute arbitrary code with vmanage user privileges or cause a denial of service (DoS) condition on an affected system.\n\nThe vulnerability is due to insufficient access restrictions to the HTTP management interface of the affected solution. An attacker could exploit this vulnerability by sending a malicious HTTP request to the affected management service through an authenticated device. A successful exploit could allow the attacker to execute arbitrary code with vmanage user privileges or stop HTTP services on an affected system.\n\nThere are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sd-wan-code-ex [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sd-wan-code-ex\"]", "reporter": "Cisco", "published": "2018-07-18T16:00:00", "type": "cisco", "title": "Cisco SD-WAN Solution Remote Code Execution Vulnerability", "enchantments": {"score": {"modified": "2018-07-18T16:59:27", "vector": "NONE", "value": 10.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Cisco SD-WAN Solution", "version": "any", "operator": "eq"}], "cvelist": ["CVE-2018-0343"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2018-07-18T13:03:42", "id": "CISCO-SA-20180718-SD-WAN-CODE-EX", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sd-wan-code-ex", "cvss": {"score": 6.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}, {"lastseen": "2018-07-18T16:59:27", "_object_types": ["robots.models.cisco.CiscoBulletin", "robots.models.base.Bulletin"], "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-cmdinj"], "description": "A vulnerability in the VPN subsystem configuration in the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.\n\nThe vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected parameter in a web page.\n\nThe attacker must be authenticated to access the affected parameter. A successful exploit could allow the attacker to execute commands with root privileges.\n\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-cmdinj [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-cmdinj\"]", "reporter": "Cisco", "published": "2018-07-18T16:00:00", "type": "cisco", "title": "Cisco SD-WAN Solution VPN Subsystem Command Injection Vulnerability", "enchantments": {"score": {"modified": "2018-07-18T16:59:27", "vector": "NONE", "value": 10.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Cisco SD-WAN Solution", "version": "any", "operator": "eq"}], "cvelist": ["CVE-2018-0350"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2018-07-18T14:43:23", "id": "CISCO-SA-20180718-SDWAN-CMDINJ", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-cmdinj", "cvss": {"score": 7.2, "vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}, {"lastseen": "2018-07-18T16:59:27", "_object_types": ["robots.models.cisco.CiscoBulletin", "robots.models.base.Bulletin"], "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-rce"], "description": "Multiple vulnerabilities exist in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious .arf or .wrf file via email or URL and convincing the user to launch the file in the Webex recording players. Exploitation of these vulnerabilities could allow arbitrary code execution on the system of a targeted user. There is no risk when a .arf player that is stored on a Webex site is played in the Webex Network Recording Player.\n\nThe Cisco Webex players are applications that are used to play back Webex meetings that have been recorded by an online meeting attendee. The Webex Network Recording Player for .arf files can be automatically installed when the user accesses a recording that is hosted on a Webex server. The Webex Player for .wrf files can be downloaded manually.\n\nCisco has updated affected versions of the ARF and WRF recording players on Cisco Webex Meetings Suite sites, Cisco Webex Meetings Online sites, and Cisco Webex Meetings Server. There are no workarounds that address these vulnerabilities.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-rce [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-rce\"]", "reporter": "Cisco", "published": "2018-07-18T16:00:00", "type": "cisco", "title": "Cisco Webex Network Recording Players Remote Code Execution Vulnerabilities", "enchantments": {"score": {"modified": "2018-07-18T16:59:27", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2018-0379"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2018-07-18T14:37:16", "id": "CISCO-SA-20180718-WEBEX-RCE", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-rce", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-18T16:59:27", "_object_types": ["robots.models.cisco.CiscoBulletin", "robots.models.base.Bulletin"], "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sd-wan-cmd-inject"], "description": "A vulnerability in the vManage dashboard for the configuration and management service of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system.\n\nThe vulnerability is due to insufficient input validation of data parameters for certain fields in the affected solution. An attacker could exploit this vulnerability by configuring a malicious username on the login page of the affected solution. A successful exploit could allow the attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system.\n\nThere are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sd-wan-cmd-inject [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sd-wan-cmd-inject\"]", "reporter": "Cisco", "published": "2018-07-18T16:00:00", "type": "cisco", "title": "Cisco SD-WAN Solution Command Injection Vulnerability", "enchantments": {"score": {"modified": "2018-07-18T16:59:27", "vector": "NONE", "value": 10.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Cisco SD-WAN Solution", "version": "any", "operator": "eq"}], "cvelist": ["CVE-2018-0344"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2018-07-18T13:03:44", "id": "CISCO-SA-20180718-SD-WAN-CMD-INJECT", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sd-wan-cmd-inject", "cvss": {"score": 4.7, "vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"}}, {"lastseen": "2018-07-18T16:59:27", "_object_types": ["robots.models.cisco.CiscoBulletin", "robots.models.base.Bulletin"], "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-ps-osgi-unauth-access"], "description": "A vulnerability in the Open Systems Gateway initiative (OSGi) interface of Cisco Policy Suite could allow an unauthenticated, remote attacker to directly connect to the OSGi interface.\n\nThe vulnerability is due to a lack of authentication. An attacker could exploit this vulnerability by directly connecting to the OSGi interface. An exploit could allow the attacker to access or change any files that are accessible by the OSGi process.\n\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-ps-osgi-unauth-access [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-ps-osgi-unauth-access\"]", "reporter": "Cisco", "published": "2018-07-18T16:00:00", "type": "cisco", "title": "Cisco Policy Suite OSGi Interface Unauthenticated Access Vulnerability", "enchantments": {"score": {"modified": "2018-07-18T16:59:27", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Cisco Policy Suite (CPS) Software", "version": "any", "operator": "eq"}], "cvelist": ["CVE-2018-0377"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2018-07-18T14:38:04", "id": "CISCO-SA-20180718-PS-OSGI-UNAUTH-ACCESS", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-ps-osgi-unauth-access", "cvss": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}, {"lastseen": "2018-07-18T16:59:27", "_object_types": ["robots.models.cisco.CiscoBulletin", "robots.models.base.Bulletin"], "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-dos"], "description": "Multiple vulnerabilities exist in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious .arf or .wrf file via email or URL and convincing the user to launch the file in the Webex recording players. Exploitation of these vulnerabilities could cause an affected player to crash, resulting in a denial of service (DoS) condition.\n\nThe Cisco Webex players are applications that are used to play back Webex meetings that have been recorded by an online meeting attendee. The Webex Network Recording Player for .arf files can be automatically installed when the user accesses a recording that is hosted on a Webex server. The Webex Player for .wrf files can be downloaded manually.\n\nThere are no workarounds that address these vulnerabilities.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-dos [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-dos\"]", "reporter": "Cisco", "published": "2018-07-18T16:00:00", "type": "cisco", "title": "Cisco Webex Network Recording Players Denial of Service Vulnerabilities", "enchantments": {"score": {"modified": "2018-07-18T16:59:27", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2018-0380"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2018-07-18T13:03:30", "id": "CISCO-SA-20180718-WEBEX-DOS", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-dos", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-18T16:59:27", "_object_types": ["robots.models.cisco.CiscoBulletin", "robots.models.base.Bulletin"], "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-finesse"], "description": "A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to cause a Cisco Finesse server to submit an HTTP request to an arbitrary host. This type of attack is commonly referred to as a server-side request forgery (SSRF) attack.\n\nThe vulnerability is due to insufficient access controls for the Cisco Finesse API that supports gadgets integration. An attacker could exploit this vulnerability by submitting a maliciously crafted HTTP request to a Cisco Finesse server.\n\nA vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to retrieve a cleartext password from an affected system.\n\nThe vulnerability exists because the affected software prefills the Password field of the login form for the web-based management interface with a password that was previously saved and is stored in an internal database for the affected software. An attacker could exploit this vulnerability by viewing the HTML source of a login form for the web-based management interface of the affected software. A successful exploit could allow the attacker to view and retrieve a cleartext password from an affected system.\n\nMultiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a server-side request forgery (SSRF) attack or retrieve a cleartext password from an affected system.\n\nFor more information about these vulnerabilities, see the Details [\"#details\"] section of this security advisory.\n\nThere are no workarounds that address these vulnerabilities.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-finesse [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-finesse\"]", "reporter": "Cisco", "published": "2018-07-18T16:00:00", "type": "cisco", "title": "Multiple Vulnerabilities in Cisco Finesse", "enchantments": {"score": {"modified": "2018-07-18T16:59:27", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Cisco Finesse", "version": "any", "operator": "eq"}], "cvelist": ["CVE-2018-0398", "CVE-2018-0399"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2018-07-18T13:03:40", "id": "CISCO-SA-20180718-FINESSE", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-finesse", "cvss": {"score": 5.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"}}, {"lastseen": "2018-07-18T16:59:27", "_object_types": ["robots.models.cisco.CiscoBulletin", "robots.models.base.Bulletin"], "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-ucmim-ps-xss"], "description": "A vulnerability in the web framework of the Cisco Unified Communications Manager IM and Presence Service software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system.\n\nThe vulnerability is due to insufficient input validation of certain parameters passed to the web server. An attacker could exploit this vulnerability by convincing the user to access a malicious link or by intercepting the user request and injecting certain malicious code. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information.\n\nThere are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-ucmim-ps-xss [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-ucmim-ps-xss\"]", "reporter": "Cisco", "published": "2018-07-18T16:00:00", "type": "cisco", "title": "Cisco Unified Communications Manager IM And Presence Service Cross-Site Scripting Vulnerability", "enchantments": {"score": {"modified": "2018-07-18T16:59:27", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Cisco Unified Communications Manager IM and Presence Service", "version": "any", "operator": "eq"}], "cvelist": ["CVE-2018-0396"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2018-07-18T13:03:52", "id": "CISCO-SA-20180718-UCMIM-PS-XSS", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-ucmim-ps-xss", "cvss": {"score": 6.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}, {"lastseen": "2018-07-18T16:59:27", "_object_types": ["robots.models.cisco.CiscoBulletin", "robots.models.base.Bulletin"], "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-dos"], "description": "A vulnerability in the Zero Touch Provisioning service of the Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.\n\nThe vulnerability is due to incorrect bounds checks for certain values in packets that are sent to the Zero Touch Provisioning service of the affected software. An attacker could exploit this vulnerability by sending malicious packets to the affected software for processing. When the software processes the packets, a buffer overflow condition could occur and cause an affected device to reload. A successful exploit could allow the attacker to cause a temporary DoS condition while the device reloads.\n\nThis vulnerability can be exploited only by traffic that is destined for an affected device. It cannot be exploited by traffic that is transiting a device.\n\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-dos [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-dos\"]", "reporter": "Cisco", "published": "2018-07-18T16:00:00", "type": "cisco", "title": "Cisco SD-WAN Solution Zero Touch Provisioning Denial of Service Vulnerability", "enchantments": {"score": {"modified": "2018-07-18T16:59:27", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Cisco SD-WAN Solution", "version": "any", "operator": "eq"}], "cvelist": ["CVE-2018-0346"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2018-07-18T14:46:35", "id": "CISCO-SA-20180718-SDWAN-DOS", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sdwan-dos", "cvss": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}]}}
