@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
March 21, 2019=============================================================
@RISK: The Consensus Security Vulnerability Alert
March 21, 2019 - Vol. 19, Num. 12
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES March 14 - 21
============================================================
TOP VULNERABILITY THIS WEEK: Malicious WordPress comments could lead to complete site takeovers
**************** Sponsored By AWS Marketplace **************
AWS Webcast Series: Building a Visibility Strategy in the AWS Cloud, featuring SANS instructor Dave Shackleford. Achieving visibility in the cloud is different than doing so on-prem. In this webcast, learn how to achieve full visibility into your AWS environment using AWS native services and third-party options. March 29, 1 PM ET. Register here: http://www.sans.org/info/211127
============================================================
TRAINING UPDATE
-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019
-- SANS London April 2019 | April 8-13 | https://www.sans.org/event/london-april-2019
-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019
-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019
-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019
-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019
-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019
-- SANS OnDemand and vLive Training
Get a GIAC Certification Attempt Included or take $350 Off your OnDemand or vLive course. Offer ends April 3.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Check out the SANS Reading Room where more than 75,000 unique visitors read papers every month. http://www.sans.org/info/211152
2) SURVEY: Are you involved with operational technology and ICS? Take 10 minutes to complete the State of OT/ICS Cybersecurity Survey and enter for a chance to win a $400 Amazon gift card http://www.sans.org/info/211157
3) What does it take to establish a successful security operations program? Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card.
http://www.sans.org/info/211162
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Latest WordPress version fixes critical vulnerability
Description: The latest update from WordPress fixes a critical vulnerability that could allow an attacker to completely take over a site. The bug opened sites to be attacked via malicious comments that contain cross-site scripting if sites had the comments module enabled. Around 20,000 sites have already been impacted by this exploit.
Snort SIDs: 49448
Title: Multiple vulnerabilities in CUJO Smart Firewall, Das U-Boot, OCTEON SDK, Webroot BrightCloud
Description: Cisco Talos recently discovered 11 vulnerabilities in the CUJO Smart Firewall. These vulnerabilities could allow an attacker to bypass the safe browsing function and completely take control of the device, either by executing arbitrary code in the context of the root account, or by uploading and executing unsigned kernels on affected systems.
Reference: https://blog.talosintelligence.com/2019/03/vuln-spotlight-cujo.html
Snort SIDs: 47234, 47663, 47809, 47811, 47842, 48261, 48262
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Several high-profile companies may have issued 1 million digital certificates that do not actually meet industry requirements.
U.S. immigration agents have access to a database of American citizens location based on their license plate number.
The U.S. Department of Defense is working on a $10 million open-source voting system that would deter attacks and also allow voters to check that their votes were counted correctly.
Norwegian aluminum company Norsk Hydro had their operations interrupted in the U.S. and Europe due to a ransomware attack.
Germany is considering legislation that would impose harsh punishment on people who provided digital infrastructure for illegal online activities.
Google made its Sandboxed API open-source to help developers create more secure software.
https://www.securityweek.com/google-open-sources-sandboxed-api
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2018-1335
Title: Apache Tika-server Command Injection Vulnerability
Vendor: Apache
Description: Apache Tika is prone to a remote command-injection vulnerability, where clients could send carefully crafted headers that could be used to inject commands into the command line of the server running tika-server. An attacker may exploit this issue to inject and execute arbitrary code within the context of the affected application; this may aid in further attacks.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2019-0541
Title: Microsoft Windows MSHTML Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the MSHTML engine improperly validates input.
Successful exploitation of the vulnerability can lead to arbitrary code execution within the context of the current user. This affects Microsoft Office, Microsoft Office Word Viewer, Internet Explorer 9, Internet Explorer 11, Microsoft Excel Viewer, Internet Explorer 10, Office 365 ProPlus.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2019-9787
Title: WordPress Remote Code Execution Vulnerability
Vendor: WordPress
Description: WordPress is exposed to a remote code execution vulnerability where it does not properly filter comment content. This occurs because CSRF protection is mishandled, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. Attackers can exploit this issue to execute arbitrary code in the context of the affected application.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
ID: CVE-2019-9740
Title: Python CRLF Injection Vulnerability
Vendor: Python
Description: An issue exists in urllib and urllib2 in Python where CRLF injection is possible if the attacker controls a url parameter. An attacker can exploit this issue to add arbitrary headers to a webpage.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
ID: CVE-2019-9741
Title: Golang Go HTTP response-splitting vulnerability
Vendor: Golang
Description: Golang Go is exposed to an HTTP response-splitting vulnerability. An issue exists in net/http where CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with rn followed by an HTTP header or a Redis command.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
ID: CVE-2019-9020, CVE-2019-9021, CVE-2019-9023, CVE-2019-9024
Title: PHP Information Disclosure and Heap Buffer Overflow Vulnerabilities
Vendor: PHP
Description: PHP is exposed to information disclosure and heap buffer overflow vulnerabilities due to invalid input to the function xmlrpc_decode(). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c. Successful exploitation allows attackers to execute arbitrary code in the context of the affected application or obtain sensitive information.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2019-5511, CVE-2019-5512
Title: VMware Workstation Multiple Privilege Escalation Vulnerabilities
Vendor: VMWare
Description: VMware Workstation is exposed to multiple privilege-escalation vulnerabilities. Successful exploitation of this issue may allow the path to the VMX executable, on a Windows host, to be hijacked by a non-administrator leading to elevation of privilege.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
ID: CVE-2019-5418, CVE-2019-5419, CVE-2019-5420
Title: Ruby on Rails Multiple Security Vulnerabilities
Vendor: Ruby on Rails
Description: Ruby on Rails is exposed to file content disclosure vulnerability in Action View caused by specially crafted accept headers. It is also exposed to a denial of service vulnerability in action view caused by specially crafted accept headers. It is possible to execute remote code execution vulnerability in Rails when in development mode.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
=========================================================
MOST PREVALENT MALWARE FILES March 14 - 21:
COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: aae728ffb953cfcc573c82b63eef7603c9b29c95f42bb032b790d6d51813f7c3
MD5: ee445f9fa6296b611c72bc81d8f6c19a
VirusTotal: https://www.virustotal.com/#/file/aae728ffb953cfcc573c82b63eef7603c9b29c95f42bb032b790d6d51813f7c3/details
Typical Filename: wusa.exe
Claimed Product: Microsoft Windows Operating System
Detection Name: W32.aae728ffb9.Malspam.MRT.Talos
SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
MD5: b89b37a90d0a080c34bbba0d53bd66df
VirusTotal: https://www.virustotal.com/#/file/46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044/details
Typical Filename: ups.rar
Claimed Product: Orgs ps
Detection Name: W32.GenericKD:Trojangen.22ek.1201
SHA 256: fea935d2d0fb1abadb900f009b4c40bb8a91fd9e25cc76ed4f9dae08960566d5
MD5: bc7fc83ce9762eb97dc28ed1b79a0a10
VirusTotal: https://www.virustotal.com/#/file/fea935d2d0fb1abadb900f009b4c40bb8a91fd9e25cc76ed4f9dae08960566d5/details
Typical Filename: max.exe
Claimed Product: WPS Office
Detection Name: W32.Agent:Malwaregen.22em.1201
SHA 256: dcf0fd2f6cc7b7d6952e8a2a9e31d760c1f60dd6c64bffae0ab8b68384a21e8b
MD5: f22a024b4c98534e8ba7a1c03b0b6132
VirusTotal: https://www.virustotal.com/#/file/dcf0fd2f6cc7b7d6952e8a2a9e31d760c1f60dd6c64bffae0ab8b68384a21e8b/details
Typical Filename: unpacknw.zip
Claimed Product: N/A
Detection Name: Osx.Malware.Bpbw::agent.tht.talos
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
Claimed Product: N/A
Detection Name: W32.Generic:Gen.21ij.1201
=============================================================
(c) 2019. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743
