@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
August 22, 2019
=============================================================
@RISK: The Consensus Security Vulnerability Alert
August 22, 2019 - Vol. 19, Num. 34
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Aug. 15 - 22
============================================================
TOP VULNERABILITY THIS WEEK: Vulnerabilities in Google Nest cameras could allow an attacker to leak data
*************** Sponsored By AWS Marketplace ***************
Which AWS native tools are most beneficial for continuous monitoring, detection and event management in the AWS cloud? Join SANS Analyst David Szili and AWS Solutions Architect Manager David Aiken to learn how to enhance visibility for threat detection in AWS by employing native tools such as Amazon VPC Traffic Mirroring. August 22, 2 PM ET. http://www.sans.org/info/213980
============================================================
TRAINING UPDATE
-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019
-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019
-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019
-- SANS DFIR Europe Summit and Training 2019 | Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019
-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019
-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019
-- SIEM Summit & Training 2019 | Chicago, IL | October 7-14 | https://www.sans.org/event/siem-summit-2019
-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019
-- Purple Team Summit & Training 2019 | Dallas, TX | October 21-28 | https://www.sans.org/event/purple-team-summit-2019
-- SANS OnDemand and vLive Training
Get free GIAC Cert Attempt or Take $350 off with OnDemand or vLive training through September 4.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Webcast August 27 at 1 PM ET: Brush up on your DNS security fundamentals and see how it can help you block threats before they reach your users. http://www.sans.org/info/213985
2) Webcast: BloxOne(TM) Threat Defense: Strengthening and Optimizing Your Security Posture from the Foundation Up. http://www.sans.org/info/213990
3) Take the SANS 2019 Endpoint Survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/213995
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Nest Cam IQ camera open to takeover, data disclosure
Description: Cisco Talos recently discovered multiple vulnerabilities in the Nest Cam IQ Indoor camera. One of Nest Labs' most advanced internet-of-things devices, the Nest Cam IQ Indoor integrates Security-Enhanced Linux in Android, Google Assistant, and even facial recognition into a compact security camera. It primarily uses the Weave protocol for setup and initial communications with other Nest devices over TCP, UDP, Bluetooth and 6lowpan. Most of these vulnerabilities lie in the weave binary of the camera; however, some also apply to the weave-tool binary. It is important to note that while the weave-tool binary also lives on the camera and is vulnerable, it is not normally exploitable, as it requires a local attack vector (i.e. an attacker-controlled file) and the vulnerable commands are never directly run by the camera.
Reference: https://blog.talosintelligence.com/2019/08/vuln-spotlight-nest-camera-openweave-aug-2019.html
Snort SIDs: 49843 - 49855, 49797, 49798, 49801 - 49804, 49856, 49857, 49813 - 49816, 49912 (Written by Josh Williams)
Title: Aspose APIs contain bugs that could lead to remote code execution
Description: Cisco Talos recently discovered multiple remote code execution vulnerabilities in various Aspose APIs. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs, Microsoft Word files and more. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and trick them into opening it while using the corresponding API.
Reference: https://blog.talosintelligence.com/2019/08/aspose-APIs-RCE-vulns-aug-2019.html
Snort SIDs: 49756, 49757, 49760, 49761, 49852, 49853 (Written by Cisco Talos analysts)
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
A new vulnerability in Bluetooth could allow an attacker to intercept keystrokes on mobile devices and potentially steal sensitive information.
Bernie Sanders became the first 2020 presidential candidate to publicly call for an end to the use of facial recognition technology by law enforcement agencies.
https://www.vox.com/recode/2019/8/19/20812594/bernie-sanders-ban-facial-recognition-tech-police
Instagram is expanding its bug bounty program to reward researchers who discover third-party apps that inappropriately disclose user data.
https://www.engadget.com/2019/08/19/facebook-data-abuse-bounty-program-instagram-checkout/
Apple mistakenly unpatched a vulnerability that could allow users to jailbreak the iPhone, and hackers quickly went public with a way to break into a fully up-to-date device.
https://www.vice.com/en_us/article/qvgp77/hacker-releases-first-public-iphone-jailbreak-in-years
Security researchers discovered an unpatchable vulnerability in a line of SoC boards manufactured by American manufacturer Xilinx.
https://www.zdnet.com/article/unpatchable-security-flaw-found-in-popular-soc-boards/
Twenty-three cities in Texas have been hit with a ransomware attack believed to originate from a single threat actor.
The United States gave Chinese tech company Huawei another 90-day import agreement that will allow the company to use American-made parts as the two sides continue to discuss security concerns.
https://www.reuters.com/article/us-huawei-tech-usa-license-exclusive-idUSKCN1V701U
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2019-9512,CVE-2019-9514
Title: Kubernetes Denial of Service Vulnerability
Vendor: Kubernetes
Description: A security issue has been found in the net/http library of the Go language that affects all versions and all components of Kubernetes. The vulnerabilities can result in a DoS against any process with an HTTP or HTTPS listener. They allow untrusted clients to allocate an unlimited amount of memory until the server crashes, leading to denial of service.
CVSS v2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
ID: CVE-2019-15107
Title: Webmin Remote Code Execution Vulnerability
Vendor: Multi-Vendor
Description: Webmin is a web-based interface for system administration for Unix, although recent versions can also be installed and run on Windows. Webmin contains a vulnerability that allows remote command execution. The parameter "old" in password_change.cgi contains a command injection vulnerability. Webmin is only vulnerable if changing of expired passwords is enabled. Successful exploitation may allow a remote attacker to execute arbitrary commands on the target system.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
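As an added detection example (not part of the newsletter and not Webmin's own code), the check below flags POST requests to password_change.cgi whose "old" field contains shell metacharacters after URL decoding. The request records are constructed here to stand in for what a reverse proxy or WAF would log; their field names and the record format are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample request records (method, path, body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/password_change.cgi",
     "user=root&old=OldPass1&new1=NewPass2&new2=NewPass2&expired=1"),
    ("POST", "/password_change.cgi",
     "user=root&old=abc%7Cecho+probe&new1=x&new2=x&expired=1"),
    ("POST", "/password_change.cgi",
     "user=admin&old=a%3Bsleep+5&new1=x&new2=x&expired=1"),
    ("GET", "/session_login.cgi", ""),
]

# Characters that should never appear in a password change submitted by a
# legitimate user through the expired-password form: pipe, semicolon,
# backtick, dollar (for $(...)), redirection and newline.
SHELL_META = re.compile(r"[|;`$<>\n]")


def suspicious_old_param(body: str) -> bool:
    """True if any 'old' value carries shell metacharacters once decoded."""
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get("old", []):
        # parse_qs already decoded one layer; decode again to catch
        # double-encoded submissions such as %257C.
        if SHELL_META.search(unquote_plus(value)):
            return True
    return False


def flag_requests(requests):
    """Return (path, decoded old value) for each request worth alerting on."""
    hits = []
    for method, path, body in requests:
        if method != "POST" or not path.endswith("/password_change.cgi"):
            continue
        if suspicious_old_param(body):
            old = parse_qs(body, keep_blank_values=True).get("old", [""])[0]
            hits.append((path, old))
    return hits


if __name__ == "__main__":
    for path, old in flag_requests(SAMPLE_REQUESTS):
        print(f"ALERT {path} old={old!r}")
```

Pair any hit with the expired-password setting on the host: if that option is disabled, the request is still worth investigating as an exploitation attempt, but the injection is not reachable.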
ID: CVE-2019-15107
Title: Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)
Vendor: PulseSecure
Description: Pulse Connect Secure provides secure, authenticated access for remote and mobile users from any web-enabled device to corporate resources anytime, anywhere. Pulse Connect Secure is the most widely deployed SSL VPN for organizations of any size, across every major industry. Successful exploitation of these vulnerabilities can lead to remote code execution, arbitrary local file modification, session hijacking, SAML authentication leak, command injection, stack buffer overflow, cross-site scripting and more.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
ID: CVE-2019-8045
Title: Adobe Security Update for Adobe Acrobat and Reader (APSB19-41)
Vendor: Adobe
Description: Affected versions of Adobe Acrobat and Reader contain an untrusted pointer dereference vulnerability. Successful exploitation could lead to arbitrary code execution. An attacker could exploit this vulnerability to compromise confidentiality, integrity and/or availability.
CVSS v2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2018-13379
Title: Fortinet FortiOS Credentials Disclosure Vulnerability
Vendor: Fortinet
Description: Fortinet FortiOS is exposed to a directory traversal vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue using directory-traversal characters ('../') to read arbitrary files that contain sensitive information or to access files outside of the restricted directory. The issue allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
ID: CVE-2019-14430
Title: YouPHPTube SQL Injection Vulnerability
Vendor: YouPHPTube
Description: The "User" and "pass" parameters of the user registration function in YouPHPTube are vulnerable to SQL injection. By submitting an HTTP POST request to the URL "/objects/userCreate.json.php", an attacker can access the database and read the hashed credentials of an administrator. Successful exploitation allows an unauthenticated, remote attacker to manipulate SQL queries by injecting arbitrary SQL code or to further exploit latent vulnerabilities in the underlying database.
CVSS v2 Base Score: 6.8 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
=========================================================
MOST PREVALENT MALWARE FILES Aug. 15 - 22:
COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: b22eaa5c51f0128d5e63a67ddf44285010c05717e421142a3e59bba82ba1325a
MD5: 125ef5dc3115bda09d2cef1c50869205
VirusTotal: https://www.virustotal.com/gui/file/b22eaa5c51f0128d5e63a67ddf44285010c05717e421142a3e59bba82ba1325a/details
Typical Filename: helpermcp
Claimed Product: N/A
Detection Name: PUA.Osx.Trojan.Amcleaner::sbmt.talos
SHA 256: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6
MD5: f7145b132e23e3a55d2269a008395034
VirusTotal: https://www.virustotal.com/gui/file/8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6/details
Typical Filename: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6.bin
Claimed Product: N/A
Detection Name: Unix.Exploit.Lotoor::other.talos
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details
Typical Filename: invoice.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
=============================================================
(c) 2019. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743