@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
December 5, 2019=============================================================
@RISK: The Consensus Security Vulnerability Alert
December 05, 2019 - Vol. 19, Num. 49
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Nov. 28 - Dec. 5
============================================================
TOP VULNERABILITY THIS WEEK: SQL injection vulnerabilities in Forma Learning Management System
*************** Sponsored By AWS Marketplace ***************
SANS-AWS Education Series: Leveraging CASBs in AWS for Anywhere, Anytime Data Protection. In this webcast, AWS solutions architect David Aiken and SANS instructor Kyle Dickinson discuss deployment strategies for cloud access security brokers (CASBs) in AWS that protect data and support a distributed workforce utilizing a variety of endpoints. Dec. 12, 2 PM ET. http://www.sans.org/info/214930
============================================================
TRAINING UPDATE
-- SANS OnDemand and vLive Training
Get an iPad Air with Smart Keyboard, a Surface Go, or Take $300 Off through December 11 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020
-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020
-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Webcast December 6th at 1 PM ET: Learn data sources you should collect to understand security-related activities on your network. http://www.sans.org/info/214935
2) Join us at SANS Open-Source Intelligence Summit | Alexandria, VA | February 18-24. http://www.sans.org/info/214940
3) Webcast: Why It's Time for a New Link Analysis Platform. Register for this webcast: http://www.sans.org/info/214945
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Forma LMS open-source program open to SQL injection attacks
Description: There are three SQL injection vulnerabilities in the authenticated portion of the Forma Learning Management System. LMS is a set of software that allows companies to build and host different training courses for their employees. The software operates with an open-source licensing model and now operates under the Forma organization. An attacker can send a web request with parameters containing SQL injection attacks to trigger these bugs.
Reference: https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-sql-injection-dec-19.html
Snort SIDs: 51611 - 51619 (By Marcos Rodriguez)
Title: Accusoft ImageGear PNG IHDR width code execution vulnerability
Description: Accusoft ImageGear contains two remote code execution vulnerabilities. ImageGear is a document and imaging library from Accusoft that developers can use to build their applications. The library contains the entire document imaging lifecycle. This vulnerability is present in the Accusoft ImageGear library, which is a document-imaging developer toolkit.
Reference: https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-accusoft-PNG-dec-19.html
Snort SIDs: 3132, 32889, 50806, 50807, 51530, 51531, 52033, 52034 (By Kristen Houser and Mike Bautista)
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
French officials say they are still considering a response to a cyber attack on a public hospital, including a possible "hack back."
RCS, which is meant to be a replacement for SMS messages, is open to a series of attacks, including text message and call interception, and number spoofing.
https://www.vice.com/en_us/article/j5ywxb/rcs-rich-communications-services-text-call-interception
A popular website among hackers that sold spying tools was taken down after an international investigation. The British government says the site sold these tools to more than 14,500 people.
https://www.bbc.com/news/technology-50601905
A Canadian court is allowing convicted criminals to challenge their sentences if they were apprehended using a controversial cell phone tracking tool used by police.
Popular spyware company Hacking Team is making a comeback under new ownership, with the aim of ensuring their tools aren't being abused.
https://www.technologyreview.com/s/614767/the-fall-and-rise-of-a-spyware-empire/
Louisiana is still recovering from a ransomware attack, with delays coming to the state's Medicaid program and workers scrambling to recover lost data.
Hackers used credential-stuffing attacks immediately after the launch of the Disney+ streaming service to take over users' accounts, but Disney still maintains there was not a data breach.
A cyber security activist hopes a new lawsuit will make public a list of electric companies that have failed to meet security standards in the past and have paid fines for their lack of protections.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2019-5434
Title: Revive Adserver Remote Code Execution Vulnerability
Vendor: revive-sas
Description: An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities or PHP object injection.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2019-11932
Title: Android-Gif-Drawable Whatsapp Double Free Vulnerability
Vendor: WhatsApp
Description: A double free vulnerability exists in the DDGifSlurp function in decoding.c in libpl_droidsonroids_gif, as used in WhatsApp for Android. The vulnerability allows remote attackers to execute arbitrary code or cause a denial of service.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2019-10092
Title: Apache Httpd mod_proxy Error Page Cross-Site Scripting Vulnerability
Vendor: Multi-Vendor
Description: A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
ID: CVE-2019-11539
Title: Pulse Secure VPN Arbitrary Command Execution Vulnerability
Vendor: Pulse Secure
Description: Pulse Secure VPN with admin web interface allows an authenticated attacker to inject and execute commands. An attacker can exploit these issues to access arbitrary files in the context of the application, write arbitrary files, hijack an arbitrary session and gain unauthorized access, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, obtain sensitive information, inject and execute arbitrary commands and execute arbitrary code in the context of the application.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
ID: CVE-2019-3568
Title: WhatsApp VOIP stack buffer overflow vulnerability
Vendor: WhatsApp
Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploits will result in denial of service condition.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
=========================================================
MOST PREVALENT MALWARE FILES Nov. 28 - Dec. 5:
COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
MD5: c5608e40f6f47ad84e2985804957c342
VirusTotal: https://www.virustotal.com/gui/file/f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd
SHA 256: a97e5396d7dcd103138747ad09486671321fb75e01a70b26c908e7e0b727fad1
MD5: ef048c07855b3ef98bd991c413bc73b1
VirusTotal: https://www.virustotal.com/gui/file/a97e5396d7dcd103138747ad09486671321fb75e01a70b26c908e7e0b727fad1/details
Typical Filename: xme64-501.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Razy::tpd
SHA 256: 49b9736191fdb2eb62b48e8a093418a2947e8d288f39b98d65a903c2ae6eb8f5
MD5: df432f05996cdd0973b3ceb48992c5ce
VirusTotal: https://www.virustotal.com/gui/file/49b9736191fdb2eb62b48e8a093418a2947e8d288f39b98d65a903c2ae6eb8f5/details
Typical Filename: xme32-501-gcc.exe
Claimed Product: N/A
Detection Name: W32.49B9736191-100.SBX.TG
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6
MD5: f7145b132e23e3a55d2269a008395034
VirusTotal: https://www.virustotal.com/gui/file/8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6/details
Typical Filename: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6.bin
Claimed Product: N/A
Detection Name: Unix.Exploit.Lotoor::other.talos
=============================================================
(c) 2019. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743
