@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
November 19, 2020
=============================================================
@RISK: The Consensus Security Vulnerability Alert
November 19, 2020 - Vol. 20, Num. 47
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Nov. 12 - 19
============================================================
TOP VULNERABILITY THIS WEEK: Cisco discloses critical vulnerability in Security Manager software
****************** Sponsored By Cyberinc *********************
Take Back Control. We can't stop users from clicking, but we can stop bad things from happening when users click links. End-users represent the weakest links in any organization and internet access is the largest attack surface. See how to shrink the endpoint/end-user compromise. Watch Implementing Lessons Learned from Threat Patterns on the Endpoint.
| http://www.sans.org/info/218205
============================================================
TRAINING UPDATE
OnDemand and Live Online Training Special Offer
Best offers of the year! Get a 13" MacBook Air, a Microsoft Surface Pro 7, or take $350 Off with ANY qualifying SANS Training Course through December 9.
- www.sans.org/specials/north-america/
New & Updated Courses
MGT516: Managing Security Vulnerabilities: Enterprise and Cloud
- https://www.sans.org/cyber-security-courses/managing-enterprise-cloud-security-vulnerabilities/
SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment
- https://www.sans.org/cyber-security-courses/enterprise-cloud-threat-vulnerability-assessment/
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/
View all courses
- https://www.sans.org/cyber-security-courses/
Upcoming Live Online Events
SANS Cyber Defense Initiative(R) 2020 - Dec 14-19 EST
35+ Courses | Core, Cyber Defense, and DFIR NetWars
- https://www.sans.org/event/cyber-defense-initiative-2020-live-online/
Cyber Threat Intelligence Summit & Training
FREE Summit: Jan 21-22 | Courses: Jan 25-30
- https://www.sans.org/event/cyber-threat-intelligence-summit-2021/
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america/
Free Resources
Tools, Posters, and more.
********************** Sponsored Links: ********************
1) Survey | If you work in the telecommunications, media, or technology industries and are involved in the budgeting process for security tools and services for your business, this survey is for you! Take this survey to share insight into your security spending, help other organizations (and individuals) develop strategies for justifying their security spending, and be entered to win a $100 Amazon gift card!
| http://www.sans.org/info/218210
2) Webcast | With Zero Trust, we always assume breach. In our upcoming webcast, "Assume Breach! How to implement Zero Trust" you will learn how to face challenging threats with speed and velocity, making you the hero in your organization! | December 1 @ 1:00 PM EST
| http://www.sans.org/info/218215
3) Webcast | SANS Director of Emerging Security Trends, John Pescatore hosts our upcoming webcasts titled, "The failures of static DLP and how to protect against tomorrow's email breaches" | December 2 @ 12:00 PM EST
| http://www.sans.org/info/218220
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Cisco Security Manager contains vulnerabilities that could allow attackers to execute remote code
Description: Cisco disclosed three significant vulnerabilities in its Security Manager software that the company urged users to patch immediately. An attacker could leverage these vulnerabilities to execute arbitrary code and download files from the targeted device -- even without credentials. One of the bugs is rated critical; the other two are high-severity. These vulnerabilities affect Cisco Security Manager releases 4.22 and earlier.
References: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-path-trav-NgeRnqgR
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-java-rce-mWJEedcD
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-rce-8gjUz9fW
Snort SIDs: 56408 - 56423
Title: Vulnerabilities in Pixar OpenUSD affect some versions of macOS
Description: Pixar OpenUSD contains multiple vulnerabilities that attackers could exploit to carry out a variety of malicious actions. Pixar uses this software for several types of animation tasks, including swapping arbitrary 3-D scenes that are composed of many different elements. Aimed at professional animation studios, the software is designed for scalability and speed as a pipeline connecting various aspects of the digital animation process, and in most use cases it is expected to process trusted inputs. By default, on macOS, both a thumbnail and a preview handler are registered for USD file formats through QuickLook, and the default application for opening USD files is Preview. On iOS, the AR application is the default handler. A USD file can be embedded in a web page or sent in a message, and the AR application opens when the file is clicked, which exposes some Mac systems to these bugs through untrusted files.
References: https://blog.talosintelligence.com/2020/11/vuln-spotlight-pixar-open-usd-nov-2020.html
Snort SIDs: 54415, 54416, 54467 - 54472, 54488 - 54493, 54922, 54923
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Chris Krebs, the U.S.'s top cyber security official, could be fired any day, according to reports. As of Tuesday, he is still in his role, but President Donald Trump apparently wants him removed from his post.
https://www.politico.com/news/2020/11/12/cyber-official-chris-krebs-likely-out-436342
As if there aren't enough hurdles for schools to overcome this year, they're also facing an uptick in cyber attacks and threat actors who want to publicly expose student information.
Several state-sponsored threat actors continue to target COVID-19 vaccine research, with Microsoft identifying at least seven targeted countries.
The U.K. fined Ticketmaster the equivalent of $1.48 million for a data breach in 2018 that exposed customers' personal information and credit card data.
https://www.bbc.com/news/technology-54931873
COVID-19 tracing apps for countries and local governments around the world vary widely in how they handle and store user information, which presents a security minefield.
https://www.wired.com/story/covid-19-ios-apps-privacy/
More than 27 million drivers had their data mistakenly exposed by an insurance software company after they stored the information on an unprotected server.
https://www.zdnet.com/article/info-of-27-7-million-texas-drivers-exposed-in-vertafore-data-breach/
President Donald Trump used a video from the DEFCON conference demonstrating a vulnerability in a voting machine to erroneously claim voter fraud in this year's presidential election. However, the video merely showed a potential exploit, not an actual attack that took place during this year's voting.
A Delaware state government agency potentially exposed the information of 10,000 people who tested positive for COVID-19 over the summer after an unauthorized person received an unencrypted email with the data.
https://www.wgal.com/article/10000-peoples-files-leaked-in-covid-19-data-breach-in-delaware/34682398
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-16898
Title: Microsoft Windows TCP/IP Stack Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-15647
Title: Mozilla Firefox Arbitrary Local File Access Vulnerability
Vendor: Mozilla
Description: A Content Provider in Firefox for Android allowed local files accessible by the browser to be read by a remote webpage, leading to sensitive data disclosure, including cookies for other origins.
CVSS v3 Base Score: 7.8 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N)
ID: CVE-2020-14815
Title: Oracle Business Intelligence Unauthorized Access Vulnerability
Vendor: Oracle
Description: A vulnerability exists in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware. The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful exploitation can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data, as well as unauthorized update, insert or delete access to some of that data.
CVSS v3 Base Score: 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
ID: CVE-2020-26217
Title: XStream Remote Code Execution Vulnerability
Vendor: Multi-vendor
Description: XStream contains a remote code execution vulnerability that may allow a remote attacker to run arbitrary shell commands merely by manipulating the processed input stream. Only users who rely on blocklists are affected.
CVSS v3 Base Score: 8.0 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
ID: CVE-2020-14882
Title: Oracle WebLogic Server Remote Code Execution Vulnerability
Vendor: Oracle
Description: Oracle WebLogic Server (formerly known as BEA WebLogic Server) is an application server for building and deploying enterprise applications and services. A remote code execution vulnerability exists in the Oracle WebLogic Server product of Oracle Fusion Middleware.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1472
Title: Microsoft Netlogon Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-8271
Title: Citrix SD-WAN Center Remote Code Execution Vulnerability
Vendor: Citrix
Description: Multiple vulnerabilities have been discovered in Citrix SD-WAN Center that, if exploited, could allow an unauthenticated attacker with network access to SD-WAN Center to perform arbitrary code execution as root.
CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-3471
Title: Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability
Vendor: Cisco
Description: A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to maintain bidirectional audio despite being expelled from an active Webex session. The vulnerability is due to a synchronization issue between meeting and media services on a vulnerable Webex site. A successful exploit could allow the attacker to maintain the audio connection of a Webex session despite being expelled.
CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
=========================================================
MOST PREVALENT MALWARE FILES Nov. 12 - 19:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 432FC2E3580E818FD315583527AE43A729586AF5EE37F99F04B562D1EFF2A1FD
MD5: dd726d5e223ca762dc2772f40cb921d3
Typical Filename: ww24.exe
Claimed Product: N/A
Detection Name: W32.TR:Attribute.23ln.1201
SHA 256: F059A5358C24CC362C2F74B362C75E02035FDF82F9FFAE8D553AFEE1A271AFD0
MD5: ce4395edbbf9869a5e276781af2e0fb5
VirusTotal: https://www.virustotal.com/gui/file/f059a5358c24cc362c2f74b362c75e02035fdf82f9ffae8d553afee1a271afd0/details
Typical Filename: wupxarch635.exe
Claimed Product: N/A
Detection Name: W32.Auto:f059a5358c.in03.Talos
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584
MD5: 920823d1c5cb5ce57a7c69c42b60959c
VirusTotal: https://www.virustotal.com/gui/file/100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584/details
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Variant.23mj.1201
SHA 256: C3E530CC005583B47322B6649DDC0DAB1B64BCF22B124A492606763C52FB048F
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743