Vol. 12, Num. 51
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 12/13/2012 - 12/19/2012
certain Samsung chipset drivers has been demonstrated in the wild, with
easy-to-use source code available for exploit generation. Attacks are
presumed to be commencing; Cyanogenmod has released a patch, but
mainstream Samsung device users have not yet received one, despite
claims that Samsung has a patch tested and available.
Title: Samsung device driver arbitrary memory overwrite vulnerability
Description: A user by the name of alephzain posted details of a major
memory access vulnerability in devices using certain Samsung chipsets
and kernels, which allows Android applications being installed on a
device the ability to overwrite arbitrary system memory as root via the
/dev/exynos “System on a Chip” devices. The device is available in many
popular Samsung hardware platforms, including the Galaxy SII and SIII,
MEIZU MX, etc. Full details, including system libraries, sample exploit
code, etc. were published along with the writeup, and exploits are
presumed to be starting to circulate in the wild at this point. Multiple
users on XDA-Developers have posted patches, and Cyanogenmod has already
committed a fix for its users. Meanwhile, other users of the popular
Android development forum have charged that Samsung has had a patch for
this known “open source” issue for weeks and have not released a fix for
it, despite other updates having been pushed to their customers in the
interim, highlighting the serious issue of vendors’ and carriers’
reluctance to patch rapidly for mobile devices.
Reference:
http://forum.xda-developers.com/showthread.php?t=2048511
http://en.wikipedia.org/wiki/Exynos_(system_on_chip)
http://www.androidauthority.com/xda-developer-patches-samsung-exynos-chip-vulnerability-140742/
Snort SID:
ClamAV:
Title: FBI report says SCADA “Niagara” backdoor exploited in the US this year
Description: Using nothing more than the popular web device search
service Shodan, attackers in the wild have been exploiting an
authentication bypass vulnerability in the Niagara AX Framework, made
by Richmond, VA-based firm Tridium. The web interface for the framework,
by default, does not require a password, and provides full
administrative access to systems controlling HVAC in offices around the
world. The system was typically set up with floor plans, personnel and
departmental names, etc., providing a wealth of useful data for spear
phishers, social engineers, and the like. As of Wednesday, Dec. 19, no
notice was posted on the vendor’s site discussing a patch or any
mitigations for this vulnerability. Potentially impacted users are urged
to shut down unnecessary web services, and restrict access to any others
to only authorized, known IP addresses.
Reference:
http://www.wired.com/images_blogs/threatlevel/2012/12/FBI-AntisecICS.pdf
http://www.shodanhq.com/search?q=niagara_audit+-login
http://arstechnica.com/security/2012/12/intruders-hack-industrial-control-system-using-backdoor-exploit/
http://www.tridium.com/cs/products_/_services/niagaraax
Snort SID: 25057
ClamAV: N/A
Title: Anonymous Doxes the WBC
Description: Members of the Anonymous collective posted personal and
professional contact details for members of the Westboro Baptist Church
online on Pastebin Sunday morning, apparently in response to the WBC’s
announcement that it would be protesting the funerals of those taken in
the recent tragedy in Newtown, CT last week. Details of how the private
information was found were not detailed by Anonymous, and little
speculation has been put forward within the information security
community. The move coincided with other political moves surrounding the
group, such as a White House online petition that has gathered close to
200,000 signatures asking that the WBC be legally recognized as a hate
group.
Reference:
http://pastebin.com/2PmbBm8f
https://petitions.whitehouse.gov/petition/legally-recognize-westboro-baptist-church-hate-group/DYf3pH2d
Snort SID: N/A
ClamAV: N/A
Setting HoneyTraps with ModSecurity: Unused Web Ports:
http://blog.spiderlabs.com/2012/12/setting-honeytraps-with-modsecurity-unused-web-ports.html
Why Google Maps is better than Apple Maps:
http://www.theatlantic.com/technology/archive/2012/12/why-google-maps-is-better-than-apple-maps/266218/
Has WWII carrier pigeon message been cracked?
http://www.bbc.co.uk/news/uk-20749632
Mercury Android malware system releases new version:
http://labs.mwrinfosecurity.com/blog/2012/12/14/whats-new-in-mercury-v2/
Scientific study of malware obfuscation techniques:
http://www.xors.me/?p=6126
Inside Impact Exploit Kit:
http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html
The Dexter malware: getting your hands dirty:
http://blog.spiderlabs.com/2012/12/the-dexter-malware-getting-your-hands-dirty.html
Lessons learned from US financial services DDoS attacks:
http://ddos.arbornetworks.com/2012/12/lessons-learned-from-the-u-s-financial-services-ddos-attacks/
https://pentesterlab.com/from_sqli_to_shell_pg_edition.html
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2012-4959
Title: Novell File Reporter Agent XML Parsing Remote Code Execution Vulnerability
Vendor: Novell
Description: Directory traversal vulnerability in NFRAgent.exe in Novell
File Reporter 1.0.2 allows remote attackers to upload and execute files
via a 130 /FSF/CMD request with a .. (dot dot) in a FILE element of an
FSFUI record.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
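The defect above is a classic path-traversal bug: a ".." in the FILE element lets an uploaded file land outside the intended directory. The following Python is an added example, not code from the newsletter or from Novell, showing the unsafe "join the supplied name" pattern beside a hardened version that enforces containment; the FSFUI XML layout, the upload root and the sample records are constructed assumptions, since the page does not document the real NFRAgent wire format.

```python
# Added example: path-containment check of the kind that would block the
# CVE-2012-4959 traversal. The FSFUI record layout, UPLOAD_ROOT and the
# sample records below are constructed assumptions for illustration.
import posixpath
import xml.etree.ElementTree as ET

UPLOAD_ROOT = "/var/nfr/uploads"   # assumed directory the agent writes into

# Constructed sample records: one benign, one carrying the dot-dot traversal.
BENIGN_RECORD = "<FSFUI><FILE>reports/2012-12/scan.xml</FILE></FSFUI>"
TRAVERSAL_RECORD = "<FSFUI><FILE>../../../../bin/dropped.exe</FILE></FSFUI>"


def vulnerable_target(record_xml: str) -> str:
    """'Before' behaviour: joins the caller-supplied FILE value directly."""
    name = ET.fromstring(record_xml).findtext("FILE")
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))


def safe_target(record_xml: str) -> str:
    """Hardened version: reject any FILE value that escapes UPLOAD_ROOT."""
    name = ET.fromstring(record_xml).findtext("FILE") or ""
    if not name or name.startswith("/") or "\\" in name:
        raise ValueError("empty, absolute or backslash path rejected")
    # Check each segment rather than searching for '..' as a substring,
    # so legitimate names such as 'report..v2.xml' are still accepted.
    if any(seg in ("..", "") for seg in name.split("/")):
        raise ValueError("path traversal or empty segment rejected")
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    # Defence in depth: confirm containment after normalisation as well.
    if posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        raise ValueError("resolved path escapes upload root")
    return target


def is_traversal(record_xml: str) -> bool:
    """Detection helper: True when the hardened check rejects the record."""
    try:
        safe_target(record_xml)
        return False
    except ValueError:
        return True
```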
ID: CVE-2010-2590
Title: SAP Crystal Reports Print ActiveX “PrintControl.dll” Heap Buffer Overflow Vulnerability
Vendor: SAP
Description: Heap-based buffer overflow in the
CrystalReports12.CrystalPrintControl.1 ActiveX control in
PrintControl.dll 12.3.2.753 in SAP Crystal Reports 2008 SP3 Fix Pack 3.2
allows remote attackers to execute arbitrary code via a long
ServerResourceVersion property value.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-5975
Title: SSH Tectia Authentication Bypass Remote
Vendor: SSH Communications
Description: A remote authentication bypass vulnerability was disclosed
which affects the current Unix/Linux versions of Tectia SSH Server. The
vulnerability is a bug in the SSH USERAUTH CHANGE REQUEST function.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2012-6066
Title: FreeFTPD/FreeSSHD Remote Authentication Security Bypass Vulnerability
Vendor: freesshd
Description: freeSSHd.exe in freeSSHd through 1.2.6 allows remote
attackers to bypass authentication via a crafted session, as
demonstrated by an OpenSSH client with modified versions of ssh.c and
sshconnect2.c.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-5611
Title: Oracle MySQL Server Command Processing Buffer Overflow Vulnerability
Vendor: Oracle
Description: Stack-based buffer overflow in MySQL 5.5.19, 5.1.53, and
possibly other versions, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x
before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows
remote authenticated users to execute arbitrary code via a long argument
to the GRANT FILE command.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
(Virustotal links that are not found mean that the file that Sourcefire
is detecting has not yet been analyzed by Virustotal)