
@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

September 12, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            September 12, 2019 - Vol. 19, Num. 37


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Sept. 5 - 12

============================================================


TOP VULNERABILITY THIS WEEK: Microsoft releases monthly security updates


******************** Sponsored By SANS *******************


Attend SANS SIEM Summit | Chicago, IL | Oct 7-8

Hear from the experts and bring order to the chaos by learning how to use your data for tactical analysis and detection. http://www.sans.org/info/214185


============================================================

TRAINING UPDATE

 

-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019


-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019


-- SANS DFIR Europe Summit and Training 2019 | Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019


-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019


-- SANS OnDemand and vLive Training

Get an iPad, Samsung Galaxy Tab A, or Take $250 off through September 18 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Take the SANS survey 'Understanding Workforce Transformation and Risks' and tell us how your organization is supporting workforce trends. http://www.sans.org/info/214190


2) ICYMI Webcast: BloxOne(TM) Threat Defense: Strengthening and Optimizing Your Security Posture from the Foundation Up. http://www.sans.org/info/214195


3) Webcast September 19th at 10:30 AM ET: Listen to how micro-segmentation can be part of the equation in protecting your network. http://www.sans.org/info/214205


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft patches 19 critical bugs as part of security update

Description: Microsoft released its monthly security update this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 85 vulnerabilities, 19 of which are rated "critical," 65 that are considered "important" and one "moderate." There is also a critical advisory relating to the latest update to Adobe Flash Player. This month's security update covers security issues in a variety of Microsoft services and software, including the Jet Database Engine and the Hyper-V hypervisor. Most notably, this release contains another round of vulnerabilities in remote desktop services, the latest in a line of RDP bugs that are considered "wormable." Talos has already outlined how Cisco Firepower users can stay protected from other series of RDP vulnerabilities known as "BlueKeep" and "DejaBlue."

Reference: https://blog.talosintelligence.com/2019/09/microsoft-patch-tuesday-sept-2019.html

Snort SIDs: 51436 - 51438, 51445, 51446, 51449 - 51452, 51454 - 51457, 51463 - 51465, 51479 - 51483


Title: Some NETGEAR routers vulnerable to DoS attacks

Description: The NETGEAR N300 line of wireless routers contains two denial-of-service vulnerabilities. The N300 is a small and affordable wireless router that contains the basic features of a wireless router. An attacker could exploit these bugs by sending specific SOAP and HTTP requests to different functions of the router, causing it to crash entirely.

Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-Netgear-N300-routers-DoS-sept-2019.html

Snort SIDs: 50040 (Written by Dave McDaniel)


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Apple fired back at a report from Google's security arm that recently highlighted an exploit in their iOS mobile operating system, saying the company was "stoking fear."

https://www.theverge.com/2019/9/6/20853115/apple-google-iphone-security-flaw-uighur-community-fud


Some states' Departments of Motor Vehicles are selling drivers' personal information to private investigators and other businesses.

https://www.vice.com/en_us/article/43kxzq/dmvs-selling-data-private-investigators-making-millions-of-dollars


A set of Chromebooks mistakenly warned users that the devices' end-of-life was approaching, despite Google promising it will provide updates to the laptops for six-and-a-half years.

https://arstechnica.com/gadgets/2019/09/some-chromebooks-mistakenly-declared-themselves-end-of-life-last-week/


A new report exposed a cyber attack on a portion of the U.S. electric grid from earlier this year, the first disruptive cyber attack on the American energy grid ever recorded.

https://www.eenews.net/stories/1061111289


The popular Wikipedia service was intermittently unavailable across Europe after a string of denial-of-service attacks last week.

https://techcrunch.com/2019/09/07/wikipedia-blames-malicious-ddos-attack-after-site-goes-down-across-europe-middle-east/


U.S. Senate Majority Leader Mitch McConnell continues to block a vote on a series of cyber security bills aimed at protecting American elections, and some believe it could be at the direction of the White House.

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/09/09/the-cybersecurity-202-here-s-why-mitch-mcconnell-s-blocking-election-security-bills/5d758b86602ff171a5d734b6/


The U.S. filed criminal charges against a professor in Texas for allegedly stealing a startup company's technology on behalf of Chinese tech company Huawei. (Please note that this story is behind a paywall.)

https://www.wsj.com/articles/u-s-files-criminal-charges-against-chinese-professor-linked-to-huawei-11568048700


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:        CVE-2017-1000119

Title:    October CMS build 412 PHP code execution Vulnerability

Vendor:    Multi-vendor

Description: October CMS build 412 contains a PHP code execution vulnerability in its file upload functionality, which can result in compromise of the site and possibly of other applications on the server. The vulnerability allows an attacker who is an authenticated administrator user with media or asset management permissions to execute PHP code on the victim's website.

CVSS v2 Base Score:    6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)


ID:        CVE-2019-15107

Title:    LibreNMS Collectd Command Injection Vulnerability

Vendor:    Multi-Vendor

Description: LibreNMS is exposed to a command injection vulnerability in html/includes/graphs/device/collectd.inc.php, where user-supplied parameters are filtered with the mysqli_real_escape_string function. That function is not appropriate for sanitizing command arguments: it does not escape a number of shell syntax characters such as ` (backtick), allowing an attacker to inject commands into the variable $rrd_cmd, which is executed via passthru(). An authenticated attacker can execute commands on the server.

CVSS v2 Base Score:    6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
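The LibreNMS entry above turns on a mismatch between two escaping layers: a SQL-string escaper rewrites the characters that matter inside a quoted SQL literal, while a shell gives meaning to a different set. The following is an added Python illustration written for this newsletter; it is not LibreNMS code and not the Qualys team's. The rrdtool-style command line, the "hostname" parameter and the tainted sample value are constructed for the demo and do not reproduce the vulnerable file. It compares the weak pattern (SQL-escaped input interpolated into a command string) with shell quoting (the analogue of PHP's escapeshellarg) and with an argument vector that never reaches a shell.

```python
"""SQL-string escaping versus shell quoting: why the two are not interchangeable.

Added illustration (not LibreNMS code). The command line, parameter name and
sample input below are constructed for the demo.
"""
import shlex
import subprocess
import sys

# Characters a SQL-string escaper rewrites (the documented set for
# mysqli_real_escape_string: NUL, \n, \r, \, ', " and Ctrl-Z).
_SQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}

# Characters a POSIX shell gives special meaning to; the SQL escaper leaves
# nearly all of them alone.
SHELL_META = set("`$;|&<>()*?{}[]~!#\t ")


def sql_style_escape(value: str) -> str:
    """Escape for a quoted SQL string literal. Not a shell escaper."""
    return "".join(_SQL_ESCAPES.get(ch, ch) for ch in value)


def surviving_shell_meta(value: str) -> set:
    """Shell metacharacters still present after SQL-style escaping."""
    return {ch for ch in sql_style_escape(value) if ch in SHELL_META}


def build_cmd_sql_escaped(hostname: str) -> str:
    """The weak pattern: SQL-escaped input interpolated into a shell command
    string (the shape the advisory describes for $rrd_cmd). Constructed."""
    return f"rrdtool graph - --title {sql_style_escape(hostname)}"


def build_cmd_shell_quoted(hostname: str) -> str:
    """Better: quote for the shell (the analogue of PHP's escapeshellarg)."""
    return f"rrdtool graph - --title {shlex.quote(hostname)}"


def build_argv(hostname: str) -> list:
    """Best: pass an argument vector so no shell ever parses the value."""
    return ["rrdtool", "graph", "-", "--title", hostname]


def run_without_shell(value: str) -> str:
    """Execute with an argv and no shell; any metacharacter reaches the child
    process as literal text. The Python interpreter stands in for rrdtool so
    the demo runs anywhere."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    tainted = "host`name"  # constructed input containing a backtick
    print("SQL-escaped :", build_cmd_sql_escaped(tainted))
    print("survivors   :", surviving_shell_meta(tainted))
    print("shell-quoted:", build_cmd_shell_quoted(tainted))
    print("argv        :", build_argv(tainted))
    print("child saw   :", run_without_shell(tainted))
```

The check worth keeping from this is surviving_shell_meta(): run it over whatever an escaper produces before that value is handed to a command interpreter, and treat a non-empty result as a defect in the sanitization layer rather than in the input.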


ID:        CVE-2019-16118

Title:    WordPress Plugin Photo Gallery Cross-Site Scripting Vulnerability

Vendor:    Multi-Vendor

Description: WordPress Plugin Photo Gallery is exposed to a cross-site scripting (XSS) vulnerability via admin/controllers/Options.php. This vulnerability occurs whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create JavaScript. The vulnerability allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


ID:        CVE-2019-15029

Title:    FusionPBX Remote Code Execution Vulnerability

Vendor:    Multi-Vendor

Description: FusionPBX allows an attacker to execute arbitrary system commands by submitting a malicious command to the service_edit.php file (which will insert the malicious command into the database). To trigger the command, one needs to call the services.php file via a GET request with the service id followed by the parameter a=start to execute the stored command.

CVSS v2 Base Score:    9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)


ID:        CVE-2019-11539

Title:    Pulse Secure SSL VPN Remote Code Execution Vulnerability

Vendor:    Multi-Vendor

Description: In Pulse Secure Pulse Connect Secure and Pulse Policy Secure, the admin web interface allows an authenticated attacker to inject and execute commands. An attacker can exploit these issues to access arbitrary files in the context of the application, write arbitrary files, hijack an arbitrary session and gain unauthorized access, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, obtain sensitive information, inject and execute arbitrary commands and execute arbitrary code in the context of the application.

CVSS v2 Base Score:    6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)


ID:        CVE-2019-10677

Title:    DASAN Zhone ZNID GPON 2426A EU Device Multiple Cross-Site Scripting Vulnerabilities

Vendor:    Zhone Technologies

Description: Multiple Cross-Site Scripting issues in the web interface on DASAN Zhone ZNID GPON 2426A EU devices allow a remote attacker to execute arbitrary JavaScript via manipulation of an unsanitized GET parameter: /zhndnsdisplay.cmd (name), /wlsecrefresh.wl (wlWscCfgMethod, wl_wsc_reg).

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


=========================================================


MOST PREVALENT MALWARE FILES Sept. 5 - 12:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13

MD5: c24315b0585b852110977dacafe6c8c1

VirusTotal: https://www.virustotal.com/gui/file/15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13/details

Typical Filename: puls.exe

Claimed Product: N/A

Detection Name: W32.DoublePulsar:WNCryLdrA.22is.1201


SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: xme64-2141.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08

MD5: db69eaaea4d49703f161c81e6fdd036f

VirusTotal: https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details

Typical Filename: xme32-2141-gcc.exe

Claimed Product: N/A

Detection Name: W32.46B241E3D3-95.SBX.TG


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload

Claimed Product: qmreportupload.exe

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7

MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f

VirusTotal: https://www.virustotal.com/gui/file/093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7/details

Typical Filename: sayext.gif

Claimed Product: N/A

Detection Name: W32.093CC39350-100.SBX.TG


=============================================================


(c) 2019.  All rights reserved.  The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743