@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
November 28, 2019
=============================================================
@RISK: The Consensus Security Vulnerability Alert
November 28, 2019 - Vol. 19, Num. 48
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Nov. 21 - 28
============================================================
TOP VULNERABILITY THIS WEEK: Old Apache Solr vulnerability raises eyebrows with new POC
******************** Sponsored By AWS Marketplace *******************
Convenient and Secure: Leveraging CASBs in AWS, featuring SANS instructor Kyle Dickinson and AWS solutions architect David Aiken. In this webcast, learn how to leverage the convenience of cloud access security brokers (CASBs) to integrate modern technologies and a suite of data protection, auditing and other tools in AWS. Dec. 12, 2 PM ET. http://www.sans.org/info/214885
============================================================
TRAINING UPDATE
-- SANS OnDemand and vLive Training
Get an 11" iPad Pro, a 12.3" Surface Pro, or Take $350 Off through December 4 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019
-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020
-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Webcast December 5th at 1 PM ET: Why It's Time for a New Link Analysis Platform. Register: http://www.sans.org/info/214890
2) ICYMI Webcast: Maximize Threat Hunting Efficiency with Automated Queries. View here: http://www.sans.org/info/214895
3) Take the SANS Network Visibility and Threat Detection Survey and enter to win a $400 Amazon gift card: http://www.sans.org/info/214900
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Severity of Apache Solr vulnerability rises after new code emerges
Description: A months-old vulnerability in Apache Solr was recently reclassified as being more serious than initially thought. It was initially believed that this bug would only allow an adversary to access monitoring data on any site utilizing Solr. However, new proof-of-concept code shows it could allow an attacker to remotely execute code on a Solr server. This bug could be exploited by any adversary who has network access to a Solr server and Java Management Extensions. Windows users are reportedly not affected.
Snort SIDs: 52324, 52325 (By John Levy)
Title: Command injection bug in popular, affordable wireless router
Description: Cisco Talos recently discovered a command injection vulnerability in the Tenda AC9 router. The Tenda AC9 is one of the most popular and affordable dual-band gigabit WiFi routers available online, especially on Amazon. The command injection vulnerability exists in the `/goform/WanParameterSetting` resource. A locally authenticated attacker can supply crafted POST parameters to this resource to execute arbitrary commands on the router, including obtaining a reverse shell running as root.
Reference: https://blog.talosintelligence.com/2019/11/vulnerability-spotlight-tenda-ac9-command-nov-2019.html
Snort SIDs: 50295, 50296 (By Amit Raut)
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The lights used to help guide airplanes to the runway at airports were exposed to the open internet at several airports across the U.S.
https://www.vice.com/en_us/article/7x5nkg/airplane-warning-lights-hacked
American security experts are starting to worry about a new wave of state-sponsored adversaries from countries like Vietnam and Qatar, a pivot from the usual cyber powers like Russia and China.
The FBI sent a warning to auto manufacturers, warning that adversaries are targeting sensitive data.
Jeanette Manfra, one of the longest-tenured officials in U.S. cyber policy, is leaving the public sector for a private job, leaving a massive hole at the Cybersecurity and Infrastructure Security Agency.
https://techcrunch.com/2019/11/21/jeanette-manfra/
Manfra's departure is just the latest loss for cyber security leadership in Washington. An exodus of election officials has experts worried about the security of the 2020 elections.
California's Department of Motor Vehicles makes roughly $50 million a year selling citizens' driver's license and personal information.
Adversaries are hijacking Docker systems that still have their API endpoints exposed to the internet.
Twitter added new two-factor authentication features, allowing users to register for the extra security step without having to provide their phone number to the social media site.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2019-1429
Title: Microsoft Windows Scripting Engine Memory Corruption Vulnerability
Vendor: Microsoft
Description: An information disclosure vulnerability exists when Microsoft Edge based on EdgeHTML improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. In a web-based attack scenario, an attacker could host a website designed to exploit the vulnerability.
CVSS v2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
ID: CVE-2019-18862
Title: GNU Mailutils Privilege Escalation Vulnerability
Vendor: GNU
Description: The --url parameter included in the GNU Mailutils maidag utility can be used to write to arbitrary files on the host operating system. By default, maidag is set to execute with setuid root permissions, which can lead to local privilege escalation through code/command execution by writing to the system's crontab or by writing to other root-owned files on the operating system.
CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2018-14665
Title: Xorg X11 Server Local Privilege Escalation Vulnerability
Vendor: Multi-Vendor
Description: A flaw was found in xorg-x11-server where an incorrect permission check is performed for the -modulepath and -logfile options when starting Xorg. The X server allows unprivileged users who can log in to the system via the physical console to escalate their privileges and run arbitrary code as root.
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2019-11539
Title: Pulse Secure VPN Arbitrary Command Execution Vulnerability
Vendor: Pulse Secure
Description: The Pulse Secure VPN admin web interface allows an authenticated attacker to inject and execute commands. An attacker can exploit these issues to access arbitrary files in the context of the application, write arbitrary files, hijack an arbitrary session and gain unauthorized access, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, obtain sensitive information, inject and execute arbitrary commands, and execute arbitrary code in the context of the application.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
ID: CVE-2019-16113
Title: Bludit Directory Traversal Image File Upload Vulnerability
Vendor: Bludit
Description: Bludit allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
ID: CVE-2019-11409
Title: FusionPBX Operator Panel exec.php Command Execution Vulnerability
Vendor: FusionPBX
Description: app/operator_panel/exec.php in the Operator Panel module in FusionPBX suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
ID: CVE-2019-17671
Title: WordPress Unauthenticated View Posts Vulnerability
Vendor: WordPress
Description: Affected WordPress versions allow unauthenticated viewing of private and draft posts. Unauthenticated viewing of certain content is possible because the static query property is mishandled within WP_Query.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
=========================================================
MOST PREVALENT MALWARE FILES Nov. 21 - 28:
COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
MD5: c5608e40f6f47ad84e2985804957c342
VirusTotal: https://www.virustotal.com/gui/file/f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd
SHA 256: a97e5396d7dcd103138747ad09486671321fb75e01a70b26c908e7e0b727fad1
MD5: ef048c07855b3ef98bd991c413bc73b1
VirusTotal: https://www.virustotal.com/gui/file/a97e5396d7dcd103138747ad09486671321fb75e01a70b26c908e7e0b727fad1/details
Typical Filename: xme64-501.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Razy::tpd
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: c29da492e7e7decebff09ee531f01fc3c3de45e805947093ac0aa7c113b592dc
MD5: b77c0c1ed4cff895bf862cf46b601c84
VirusTotal: https://www.virustotal.com/gui/file/c29da492e7e7decebff09ee531f01fc3c3de45e805947093ac0aa7c113b592dc/details
Typical Filename: opCS.gif
Claimed Product: N/A
Detection Name: W32.C29DA492E7-100.SBX.TG
SHA 256: 4dac88a67bc3f755c0ef3ceea5515a3e3310820978ef249d1813c9982dc6aadf
MD5: 718d579ea6ea48f95225cc9c794f9703
VirusTotal: https://www.virustotal.com/gui/file/4dac88a67bc3f755c0ef3ceea5515a3e3310820978ef249d1813c9982dc6aadf/details
Typical Filename: opext.gif
Claimed Product: N/A
Detection Name: W32.4DAC88A67B-100.SBX.TG
=============================================================
(c) 2019. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743