Everything you need to measure, manage, and reduce your cyber risk in one place
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software
Gain an attacker’s view of your external internet-facing assets and unauthorized software
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Consolidate & translate security & vulnerability findings from 3rd party tools
Automate scanning in CI/CD environments with shift left DAST testing
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Efficiently remediate vulnerabilities and patch systems
Quickly create custom scripts and controls for faster, more automated remediation
Address critical vulnerabilities with flexible, patchless solutions
Advanced endpoint threat protection, improved threat context, and alert prioritization
Extend detection and response beyond the endpoint to the enterprise
Reduce risk, and comply with internal policies and external regulations with ease
Reduce alert noise and safeguard files from nefarious actors and cyber threats
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Detect and remediate security issues within IaC templates
Manage your security posture and risk across your entire SaaS application stack
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Discover, track, and continuously secure containers – from build to runtime
Everything you need to measure, manage, and reduce your cyber risk in one place
Contact us below to request a quote, or for any product-related questions
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software
Gain an attacker’s view of your external internet-facing assets and unauthorized software
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Consolidate & translate security & vulnerability findings from 3rd party tools
Discover, track, and continuously secure containers – from build to runtime
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Automate scanning in CI/CD environments with shift left DAST testing
Efficiently remediate vulnerabilities and patch systems
Quickly create custom scripts and controls for faster, more automated remediation
Address critical vulnerabilities with flexible, patchless solutions
Advanced endpoint threat protection, improved threat context, and alert prioritization
Extend detection and response beyond the endpoint to the enterprise
Reduce risk, and comply with internal policies and external regulations with ease
Reduce alert noise and safeguard files from nefarious actors and cyber threats
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Detect and remediate security issues within IaC templates
Manage your security posture and risk across your entire SaaS application stack
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Discover, track, and continuously secure containers – from build to runtime
Vol. 13, Num. 19
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newletter Archive.
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 5/2/2013 - 5/7/2013
Explorer 8
Title: Vulnerability in Microsoft Internet Explorer (CVE-2013-1347)
Description:
The US Dept. of Labor was hit with the latest IE use after free
vulnerability last week. This vulnerability is triggered by clearing of
HTML markup of DOM elements in Javascript. It affects Microsoft Internet
Explorer 8 and there are public exploits available in the wild, and on
metasploit. Microsoft has published an advisory concerning this 0-day.
Reference:
http://technet.microsoft.com/en-us/security/advisory/2847140
Snort SID: 26569,26570,26571,26572
ClamAV: HTML.Exploit.CVE_2013_1347, Win.Trojan.PoisonIvy-262
Title: Cdorked malware
Description: A malicious Apache binary has been spotted on the Internet
replacing legitimate Apache servers forwarding unsuspecting clients to
be pointed to a Blackhole Exploit Kit.
Reference: http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html
Snort SID: 26527, 26528, 26529, 26530, 26531, 26532
ClamAV: Unix.Backdoor.Cdorked
Title: Ngnix stack-based buffer overflow (CVE-2013-2028)
Description: Greg MacManus, of iSIGHT Partners Labs, found a security
problem in several recent versions of nginx. A stack-based buffer
overflow might occur in a worker process while handling a specially
crafted request, potentially resulting in arbitrary code execution.
Reference: http://nginx.org/download/patch.2013.chunked.txt
http://seclists.org/oss-sec/2013/q2/291
https://bugzilla.redhat.com/show_bug.cgi?id=960605
Snort SID: 17340
ClamAV: N/A
OptiCode: Machine Code Deobfuscation for Malware Analysis
http://syscan.org/index.php/download/get/e44f19cf6c0d05ab0e1c11e9dfcdd6c0/ SyScan2013_DAY1_SPEAKER03_Nguyen_Anh_Quynh_Opticode.zip
Linux/Cdorked.A malware: Lighttpd and nginx web servers also affected
http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/
Revisiting Mac OS X Kernel Rootkits
http://syscan.org/index.php/download/get/9331ff8a03a7a472e8a3b46e63e9aa26/ SyScan2013_DAY2_SPEAKER10_Pedro_Vilaca_Revisiting_Mac_OSX_Kernel_Rootkits.zip
Inside Neshta C&C and botnet control panel
http://malware.dontneedcoffee.com/2013/05/inside-rdpxterm-bot-442-panel-51-aka.html
Autoit used to spread malware and toolsets
http://blog.trendmicro.com/trendlabs-security-intelligence/autoit-used-to-spread-malware-and-toolsets/
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2013-1347
Title: Microsoft Internet Explorer 8 Use-After-Free Memory Corruption
Vulnerability
Vendor: Microsoft
Description: Microsoft Internet Explorer 8 does not properly handle
objects in memory, which allows remote attackers to execute arbitrary
code by accessing an object that (1) was not properly allocated or (2)
is deleted, as exploited in the wild in May 2013.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-3238
Title: phpMyAdmin preg_replace() Input Validation Error Script
Execution Vulnerability
Vendor: phpMyAdmin
Description: phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3
allows remote authenticated users to execute arbitrary code via a /e\x00
sequence, which is not properly handled before making a preg_replace
function call within the “Replace table prefix” feature.
CVSS v2 Base Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
ID: CVE-2013-2423
Title: Java Applet Reflection Type Confusion Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK
7, allows remote attackers to affect integrity via unknown vectors
related to HotSpot. NOTE: the previous information is from the April
2013 CPU. Oracle has not commented on claims from the original
researcher that this vulnerability allows remote attackers to bypass
permission checks by the MethodHandles method and modify arbitrary
public final fields using reflection and type confusion, as demonstrated
using integer and double fields to disable the security manager.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
ID: CVE-2013-0632
Title: Adobe ColdFusion APSB13-03 Remote Exploit
Vendor: Adobe
Description: Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote
attackers to bypass authentication and possibly execute arbitrary code
via unspecified vectors, as exploited in the wild in January 2013.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-1493
Title: Oracle Java SE JVM 2D Subcomponent Remote Code Execution
Vulnerability (Oracle Security Alert for CVE-2013-1493)
Vendor: Oracle
Description: The color management (CMM) functionality in the 2D
component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and
earlier, and 5.0 Update 40 and earlier allows remote attackers to
execute arbitrary code or cause a denial of service (crash) via an image
with crafted raster parameters, which triggers (1) an out-of-bounds read
or (2) memory corruption in the JVM, as exploited in the wild in
February 2013.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
SHA 256: B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal: https://www.virustotal.com/file/B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/
Typical Filename: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Product: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Publisher: 573b6cc513e1b7cd9e35b491eacc38f3
SHA 256: 9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F
MD5: 3ff52cee72b936c56b4fbb9f970ece74
VirusTotal: https://www.virustotal.com/file/9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F/analysis/
Typical Filename: wintdiyx.exe
Claimed Product: wintdiyx.exe
Claimed Publisher: wintdiyx.exe
SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
VirusTotal: https://www.virustotal.com/file/0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3/analysis/
Typical Filename: Keygen.exe
Claimed Product: Keygen.exe
Claimed Publisher: Keygen.exe
SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Typical Filename: lmlkl.sys
Claimed Product: lmlkl.sys
Claimed Publisher: lmlkl.sys
SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal: https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Typical Filename: File_0_2.ok
Claimed Product: File_0_2.ok
Claimed Publisher: File_0_2.ok