@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

August 16, 2013
=============================================================

@RISK: The Consensus Security Vulnerability Alert

Vol. 13, Num. 33

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

=============================================================

CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 8/6/2013 - 8/13/2013
============================================================

TOP VULNERABILITY THIS WEEK: A highly scriptable, trivially exploitable remote code execution bug in the popular Joomla content management system is being used in the wild, according to security firm Versafe. While Joomla released a patch at the end of July (security advisory 20130801), experience with similar frameworks such as WordPress and Drupal indicates that unpatched systems will be falling victim to this exploit for the foreseeable future, and will likely be used to host malware, exploit kits, and/or phishing sites.

******************** Sponsored By HP *********************

Tool Talk Webcast: Essential Tools for Testing and Securing a Mobile Applications Portfolio. Speakers: Jason Haddix, Director of Penetration Testing at HP, and Daniel Miessler, Principal Security Architect with HP. This presentation will dive into the testing methodology behind HP's mobile app security testing solutions and discuss best practices for maintaining control over your mobile app security program with a combination of managed services and in-house tools that allow you to maintain complete control of mobile application risk management. Thursday, August 22, 2013 at 1:00 PM EDT.

http://www.sans.org/info/137397

============================================================

TRAINING UPDATE

- -- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013
10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013

- -- SANS Capital City 2013 Washington, DC September 3-8, 2013
6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers? http://www.sans.org/event/sans-capital-city-2013

- -- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013
50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013

- -- SANS Seattle 2013 Seattle, WA October 7-14, 2013
8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
http://www.sans.org/event/seattle-2013

- -- SANS Baltimore 2013 Baltimore, MD October 14-19, 2013
9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013

- -- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013
SANS's European forensics summit and dedicated forensics training event. Four of SANS's most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013

- -- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013
SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013

- -- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org

- -- Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

********************** Sponsored Links: ********************

1) Wanted: Healthcare InfoSec Professionals to Take our Survey & Enter to Win an iPad!! http://www.sans.org/info/137402

2) Satisfied with your IPS? Tell us! Take our Survey and enter to win an iPad! http://www.sans.org/info/137407

============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Trivially exploitable Joomla remote command execution bug being exploited in the wild
Description: Attackers are actively exploiting a vulnerability patched two weeks ago in the core of the popular Joomla content management system, according to security firm Versafe. The bug - which allows attackers to bypass restrictions on the upload of PHP files by appending a "." to the end of the target filename, so that the upload filter sees no forbidden extension while the web server still executes the file as PHP - is trivially scriptable, and is likely being added to the automated web scanning tools used by malicious actors to find victim servers on which to plant malware, phishing sites, etc. Administrators of Joomla systems are urged to apply the patch immediately.
Reference:
http://krebsonsecurity.com/2013/08/simple-hack-threatens-oudated-joomla-sites/
http://www.marketwire.com/press-release/versafe-identifies-significant-joomla-cms-vulnerability-corresponding-spike-phishing-1819933.htm
http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads
Snort SID: 27623
ClamAV: N/A
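The trailing-dot trick only works because the upload filter and the web server disagree about what the file's extension is. The following added example (not Joomla's code, and not the exploit) shows a last-extension blacklist of the kind this bypass defeats beside a hardened allowlist check that normalizes the name first. The `apache_handler_extensions` function is a simplified model of how Apache mod_mime selects a handler from multiple extensions and is an assumption of this example, not a description of any particular server build.

```python
# Added example, not Joomla's code: a last-extension blacklist that the
# trailing-dot trick defeats, next to a hardened allowlist check.
import os

DANGEROUS_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}


def naive_is_allowed(filename: str) -> bool:
    """Weak check: look only at the text after the last '.'.

    'shell.php.' has an empty last extension, so it is not on the blacklist
    and the upload is accepted.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DANGEROUS_EXTENSIONS


def apache_handler_extensions(filename: str) -> set:
    """Simplified model (assumption for this example) of Apache mod_mime's
    multi-extension handling: every dot-separated segment after the base name
    can select a handler and empty segments are ignored, so 'shell.php.' still
    selects the PHP handler. On Windows the filesystem strips a trailing dot
    outright, with the same result.
    """
    segments = filename.split(".")[1:]
    return {s.lower() for s in segments if s}


def hardened_is_allowed(filename: str) -> bool:
    """Allowlist the final extension and refuse any dangerous segment anywhere.

    1. Normalize: strip trailing dots/spaces that the server or OS may drop.
    2. Reject any segment in DANGEROUS_EXTENSIONS (catches shell.php.jpg too).
    3. Require the last remaining extension to be on the allowlist.
    """
    name = os.path.basename(filename).rstrip(". ")
    if not name or "." not in name:
        return False
    segments = [s.lower() for s in name.split(".")[1:]]
    if any(s in DANGEROUS_EXTENSIONS for s in segments):
        return False
    return segments[-1] in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for fn in ("photo.jpg", "shell.php", "shell.php.", "shell.php.jpg"):
        print(f"{fn:15} naive={naive_is_allowed(fn)!s:5} "
              f"hardened={hardened_is_allowed(fn)!s:5} "
              f"apache_handlers={sorted(apache_handler_extensions(fn))}")
```

The design point is that the check must normalize the name the same way the server will before it decides, and must allowlist rather than blacklist: `shell.php.` passes the naive filter, is served as PHP by the modelled handler, and is rejected by the hardened check.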

Title: Exploit code released for Java storeImageArray() vulnerability

Description: A bug in the storeImageArray() function of the AWT library, patched in Oracle's June 2013 Java security update, had its first public exploit code released on Monday through the Packet Storm bug bounty program. While it is unclear which of the 40 CVEs from that bulletin the exploit takes advantage of, the code reliably provides remote code execution and can be trivially weaponized. System administrators should assume that active exploitation is already occurring in the wild, and ensure that patches are applied to all systems under their care.
Reference:
http://packetstormsecurity.com/files/122777/Oracle-Java-storeImageArray-Invalid-Array-Indexing-Code-Execution.html
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
Snort SID: 27621 27622
ClamAV: Java.Exploit.Agent

Title: Microsoft Patch Tuesday release covers 23 CVEs in 8 bulletins
Description: Microsoft's monthly patch cycle comes in this time with a relatively tame set of vulnerabilities, spanning typical products such as Internet Explorer and the Windows kernel. No evidence of in-the-wild exploitation has been observed for any of the issues being resolved, though issues such as a pair of IPv6 denial of service attacks are simple enough that they are likely to be targeted in the future. Most notable is the fact that the final vulnerabilities from this year's Pwn2Own contest - held in March as part of the CanSecWest conference - are being addressed this cycle.
Reference:
http://technet.microsoft.com/en-us/security/bulletin
http://vrt-blog.snort.org/2013/08/microsoft-update-tuesday-august-2013.html
Snort SID: 27605 - 27616, 27618 - 27620, 27624
ClamAV: Html.Exploit.CVE_2013_3184, Html.Exploit.CVE_2013_3187,
Html.Exploit.CVE_2013_3189, Exploit.CVE_2013_3191,
Html.Exploit.CVE_2013_3193, Html.Exploit.CVE_2013_3194,
Html.Exploit.CVE_2013_3199, HTML.Exploit.CVE_2013_3188

Title: Flaw in Android random number generator leaves Bitcoin wallets open to theft
Description: The official maintainers of the Bitcoin protocol have warned this week that wallets generated by any Android-based application are insecure due to flaws in the platform's random number generation scheme, leaving owners of such wallets vulnerable to theft due to the ease of cracking private keys. While the advisory does not detail the precise nature of the flaw, and Google has at the time of writing not responded to the allegations, several major bitcoin wallet apps for Android have already issued patches that allow for the creation of new, secure wallets. Users of such apps are encouraged to migrate away from insecure wallets through any feasible mechanism as soon as possible.
Reference:
http://bitcoin.org/en/alert/2013-08-11-android
Snort SID: N/A
ClamAV: N/A

============================================================
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Fun with 'Active defense':
http://blog.spiderlabs.com/2013/08/having-fun-with-active-defense-in-practice.html#more

Why is notepad.exe connecting to the Internet?
http://blog.strategiccyber.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/

Perverting embedded devices:
http://blog.infobytesec.com/2013/08/perverting-embedded-devices-lexmark.html

Defending against the BREACH attack:
https://community.qualys.com/blogs/securitylabs/2013/08/07/defending-against-the-breach-attack

New banking trojan targets Linux users:
http://www.securityweek.com/new-banking-trojan-targets-linux-users

International Journal of PoC or GTFO, Volume 0x00:
http://aptfriendfinder.com/friends/pocorgtfo00.pdf

PSExec UAC bypass:
http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass

=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2013-2343
Title: HP LeftHand Virtual SAN Appliance LHNSessionManager Buffer Overflow Vulnerability
Vendor: HP
Description: Unspecified vulnerability on the HP LeftHand Virtual SAN Appliance hydra with software before 10.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1510.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2013-1690
Title: Mozilla Firefox JavaScript Runtime Vulnerability
Vendor: Mozilla
Description: Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2011-0922
Title: HP Data Protector CMD Install Service Vulnerability
Vendor: HP
Description: The client in HP Data Protector allows remote attackers to execute arbitrary programs via an EXEC_SETUP command that references a UNC share pathname.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2013-3174
Title: Microsoft DirectShow GIF Parsing Memory Corruption Vulnerability
Vendor: Microsoft
Description: DirectShow in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 allows remote attackers to execute arbitrary code via a crafted GIF file, aka "DirectShow Arbitrary Memory Overwrite Vulnerability."
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-2251
Title: Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Vendor: Apache
Description: Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-2460
Title: Java Applet ProviderSkeleton Insecure Invoke Method
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "insufficient access checks" in the tracing component.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
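Of the entries above, the Struts 2 DefaultActionMapper bug (CVE-2013-2251) is the one most easily hunted for in web server logs, since the exploit has to put one of the three prefixes named in the description into a parameter name. The scanner below is an added example, not Qualys's or Apache's code; the log lines it runs over are constructed in Apache combined-log style, and the assumption that OGNL payloads begin with `${` or `%{` is used only to rank findings, not to decide them.

```python
# Added example (not from Apache or Qualys): flag requests carrying the
# DefaultActionMapper prefixes named in CVE-2013-2251. The log lines below
# are constructed for the example, not real traffic.
from urllib.parse import urlsplit, parse_qsl

SUSPECT_PREFIXES = ("action:", "redirect:", "redirectAction:")
OGNL_MARKERS = ("${", "%{")  # assumption: typical OGNL expression openers

SAMPLE_LOG = """\
10.0.0.5 - - [16/Aug/2013:10:01:02 +0000] "GET /struts/login.action?user=bob HTTP/1.1" 200 512
10.0.0.9 - - [16/Aug/2013:10:01:07 +0000] "GET /struts/login.action?redirect:%24%7B%23a%3D1%7D HTTP/1.1" 302 0
10.0.0.9 - - [16/Aug/2013:10:01:09 +0000] "POST /struts/index.action?action:%25%7B%23x%3D2%7D HTTP/1.1" 500 0
10.0.0.7 - - [16/Aug/2013:10:02:00 +0000] "GET /struts/help.action?redirectAction=home HTTP/1.1" 200 128
"""


def request_target(line: str) -> str:
    """Pull the request target (path?query) out of a combined-log line."""
    start = line.index('"') + 1
    end = line.index('"', start)
    return line[start:end].split(" ")[1]


def suspicious_params(target: str):
    """Return (name, value, has_ognl) for each parameter whose decoded name
    starts with one of the vulnerable prefixes. keep_blank_values matters:
    the exploit parameter usually has no '=' at all, so the whole expression
    lands in the name."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.startswith(SUSPECT_PREFIXES):
            has_ognl = any(m in name or m in value for m in OGNL_MARKERS)
            hits.append((name, value, has_ognl))
    return hits


def scan(log_text: str):
    """Return (client, target, parameter name, has_ognl) per suspicious hit."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client = line.split(" ", 1)[0]
        target = request_target(line)
        for name, _value, has_ognl in suspicious_params(target):
            findings.append((client, target, name, has_ognl))
    return findings


if __name__ == "__main__":
    for client, target, name, has_ognl in scan(SAMPLE_LOG):
        print(f"{client} {'OGNL' if has_ognl else 'prefix'} {name!r} in {target}")
```

Note the fourth sample line: `redirectAction=home` is an ordinary parameter and is not flagged, because the vulnerable behaviour keys off the colon-suffixed prefix in the parameter name, not the word itself. Decoding happens before the check, so percent-encoded payloads are caught.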

=========================================================
MOST PREVALENT MALWARE FILES 8/6/2013 - 8/13/2013
COMPILED BY SOURCEFIRE

SHA256: 1dd140c8d5dd1c32294f31d1784ce3553af63a0d054a0bea9423b1978fcd693f
MD5: 9e180cdfa4869b8dd15b7b06771c5838
VirusTotal: https://www.virustotal.com/file/1DD140C8D5DD1C32294F31D1784CE3553AF63A0D054A0BEA9423B1978FCD693F/analysis/
Typical Filename: -
Claimed Product: -
Claimed Publisher: -

SHA256: 611a1be1c5637480b0b8decc45f959ade2d73aa26a28a0fc70c6de050ed8f5a7
MD5: a273babaefcff8f5fe61992a54e3ef1d
VirusTotal: https://www.virustotal.com/file/611A1BE1C5637480B0B8DECC45F959ADE2D73AA26A28A0FC70C6DE050ED8F5A7/analysis/
Typical Filename: -
Claimed Product: -
Claimed Publisher: -

SHA256: a3a7b80ce839360b3f50206b7381827e6257c851010328ca8043e38ee970afbd
MD5: 4852bc9f12a0d9d4125ca3f91d93647b
VirusTotal: https://www.virustotal.com/file/A3A7B80CE839360B3F50206B7381827E6257C851010328CA8043E38EE970AFBD/analysis/
Typical Filename: -
Claimed Product: -
Claimed Publisher: -

SHA256: b7b28e855b8c6225c605330760ff4dc407efc83f72f1a04e974a72189d0f1d96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal: https://www.virustotal.com/file/B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/
Typical Filename: winkgts.exe
Claimed Product: winkgts.exe
Claimed Publisher: winkgts.exe

SHA256: 04005e3b053e8f8465cf45fddf5856cd6ed67cbcaf908bd5eeaddd76785ca574
MD5: 0265a6d07d7d03e657b694ecee310fa5
VirusTotal: https://www.virustotal.com/file/04005E3B053E8F8465CF45FDDF5856CD6ED67CBCAF908BD5EEADDD76785CA574/analysis/
Typical Filename: -
Claimed Product: -
Claimed Publisher: -

=============================================================

(c) 2013. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account