@RISK Newsletter for August 15, 2013
The consensus security vulnerability alert.
Vol. 13, Num. 33
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 8/6/2013 - 8/13/2013
TOP VULNERABILITY THIS WEEK: A highly scriptable, trivially exploitable
remote code execution bug in the popular Joomla content management
system is being used in the wild, according to security firm Versafe.
While a patch was released on June 31, experience with similar
frameworks such as WordPress and Drupal indicates that unpatched systems
will be falling victim to this exploit for the foreseeable future, and
will likely be used to host malware, exploit kits, and/or phishing sites.
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Trivially exploitable Joomla remote command execution bug being exploited in the wild
Description: Attackers are actively exploiting a vulnerability patched
two weeks ago in the core of the popular Joomla content management
system, according to security firm Versafe. The bug - which allows
attackers to bypass restrictions on the upload of PHP files by appending
a “.” to the end of the target filename - is trivially scriptable, and
is likely being added to automated web scanning tools used by malicious
actors to find victim servers on which to plant malware, phishing sites,
etc. Administrators of Joomla systems are urged to apply the patch
immediately.
Reference:
http://krebsonsecurity.com/2013/08/simple-hack-threatens-oudated-joomla-sites/
http://www.marketwire.com/press-release/versafe-identifies-significant-joomla-cms-vulnerability-corresponding-spike-phishing-1819933.htm
http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads
Snort SID: 27623
ClamAV: N/A
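The trailing-"." bypass described above is easiest to see against a concrete filename check. The following is an added Python illustration, not Joomla's code and not taken from the advisory: a naive last-dot extension blocklist (the blocklist and allowlist sets are constructed) that a trailing dot slips past, beside a normalized, allowlist-based check that rejects it.

```python
# Added illustration (not Joomla's code): why a trailing "." can defeat a
# naive extension blocklist, beside a normalized, allowlist-based check.
import os

BLOCKED = {"php", "phtml", "php3", "php4", "php5", "phps"}  # constructed blocklist
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf"}              # constructed allowlist


def naive_upload_allowed(filename: str) -> bool:
    """Vulnerable pattern: compare only the text after the last dot.
    For 'shell.php.' that text is '', which is not blocked, so it passes."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in BLOCKED


def hardened_upload_allowed(filename: str) -> bool:
    """Normalize before checking, then allowlist rather than blocklist:
    drop path components and trailing dots/spaces, reject any blocked
    segment anywhere in the name (shell.php.jpg), and require the final
    extension to be explicitly allowed."""
    name = os.path.basename(filename).strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension, or empty base name such as '.htaccess'
    if any(segment in BLOCKED for segment in parts[1:]):
        return False
    return parts[-1] in ALLOWED


def compare(filenames):
    """Return {filename: (naive_result, hardened_result)} for a batch of names."""
    return {f: (naive_upload_allowed(f), hardened_upload_allowed(f)) for f in filenames}


if __name__ == "__main__":
    samples = ["photo.jpg", "shell.php", "shell.php.", "shell.php ", "shell.php.jpg"]
    for name, (naive, hard) in compare(samples).items():
        print(f"{name!r:18} naive={naive!s:5} hardened={hard}")
```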
Title: Exploit code released for Java storeImageArray() vulnerability
Description: A bug patched in Oracle’s last Java security update, which
affects the storeImageArray() function in the AWT library, had its
first public exploit code released on Monday through the PacketStorm bug
bounty program. While it is unclear which of the 40 CVEs from the last
bulletin the exploit takes advantage of, the code reliably provides
remote command execution, and can be trivially weaponized. System
administrators should assume that active exploitation is already
occurring in the wild, and ensure that patches are applied to all
systems under their care.
Reference:
http://packetstormsecurity.com/files/122777/Oracle-Java-storeImageArray-Invalid-Array-Indexing-Code-Execution.html
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
Snort SID: 27621 27622
ClamAV: Java.Exploit.Agent
Title: Microsoft Tuesday patch release covers 23 CVEs in 8 bulletins
Description: Microsoft’s monthly patch cycle comes in this time with a
relatively tame set of vulnerabilities, spanning typical products such
as Internet Explorer and the Windows kernel. No evidence of in-the-wild
exploitation has been observed for any of the issues being resolved,
though issues such as a pair of IPv6 denial of service attacks are
simple enough that they are likely to be targeted in the future. Most
notable is the fact that the final vulnerabilities from this year’s
Pwn2Own contest - held in March as part of the CanSecWest conference -
are being addressed this cycle.
Reference:
http://technet.microsoft.com/en-us/security/bulletin
http://vrt-blog.snort.org/2013/08/microsoft-update-tuesday-august-2013.html
Snort SID: 27605 - 27616, 27618 - 27620, 27624
ClamAV: Html.Exploit.CVE_2013_3184, Html.Exploit.CVE_2013_3187,
Html.Exploit.CVE_2013_3189, Exploit.CVE_2013_3191,
Html.Exploit.CVE_2013_3193, Html.Exploit.CVE_2013_3194,
Html.Exploit.CVE_2013_3199, HTML.Exploit.CVE_2013_3188
Title: Flaw in Android random number generator leaves Bitcoin wallets
open to theft
Description: The official maintainers of the Bitcoin protocol have
warned this week that wallets generated by any Android-based application
are insecure due to flaws in the platform’s random number generation
scheme, leaving owners of such wallets vulnerable to theft due to the
ease of cracking private keys. While the advisory does not detail the
precise nature of the flaw, and Google has at the time of writing not
responded to the allegations, several major bitcoin wallet apps for
Android have already issued patches that allow for the creation of new,
secure wallets. Users of such apps are encouraged to migrate away from
insecure wallets through any feasible mechanism as soon as possible.
Reference:
http://bitcoin.org/en/alert/2013-08-11-android
Snort SID: N/A
ClamAV: N/A
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Fun with ‘Active defense’:
http://blog.spiderlabs.com/2013/08/having-fun-with-active-defense-in-practice.html#more
Why is notepad.exe connecting to the Internet?
http://blog.strategiccyber.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
Perverting embedded devices:
http://blog.infobytesec.com/2013/08/perverting-embedded-devices-lexmark.html
Defending against the BREACH attack:
https://community.qualys.com/blogs/securitylabs/2013/08/07/defending-against-the-breach-attack
New banking trojan targets Linux users:
http://www.securityweek.com/new-banking-trojan-targets-linux-users
International Journal of PoC or GTFO, Volume 0x00:
http://aptfriendfinder.com/friends/pocorgtfo00.pdf
PSExec UAC bypass:
http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2013-2343
Title: HP LeftHand Virtual SAN Appliance LHNSessionManager Buffer
Overflow Vulnerability
Vendor: HP
Description: Unspecified vulnerability on the HP LeftHand Virtual SAN
Appliance hydra with software before 10.0 allows remote attackers to
execute arbitrary code via unknown vectors, aka ZDI-CAN-1510.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-1690
Title: Mozilla Firefox JavaScript Runtime Vulnerability
Vendor: Mozilla
Description: Mozilla Firefox before 22.0, Firefox ESR 17.x before
17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before
17.0.7 do not properly handle onreadystatechange events in conjunction
with page reloading, which allows remote attackers to cause a denial of
service (application crash) or possibly execute arbitrary code via a
crafted web site that triggers an attempt to execute data at an unmapped
memory location.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2011-0922
Title: HP Data Protector CMD Install Service Vulnerability
Vendor: HP
Description: The client in HP Data Protector allows remote attackers to
execute arbitrary programs via an EXEC_SETUP command that references a
UNC share pathname.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-3174
Title: Microsoft DirectShow GIF Parsing Memory Corruption Vulnerability
Vendor: Microsoft
Description: DirectShow in Microsoft Windows XP SP2 and SP3, Windows
Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1,
Windows 7 SP1, Windows 8, and Windows Server 2012 allows remote
attackers to execute arbitrary code via a crafted GIF file, aka
“DirectShow Arbitrary Memory Overwrite Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-2251
Title: Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Vendor: Apache
Description: Apache Struts 2.0.0 through 2.3.15 allows remote attackers
to execute arbitrary OGNL expressions via a parameter with a crafted (1)
action:, (2) redirect:, or (3) redirectAction: prefix.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
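Because the three prefixes above appear in the parameter name itself, they are easy to hunt for in web-server access logs. The following added example (not from the newsletter, Apache or Qualys) scans constructed Common Log Format lines for query-parameter names carrying an action:, redirect: or redirectAction: prefix; the lowercase matching is a detection choice and says nothing about how Struts itself compares.

```python
# Added example (not from the newsletter, Apache or Qualys): scan web-server
# access-log lines for query-parameter names carrying the action:, redirect:
# or redirectAction: prefixes that CVE-2013-2251 abuses. Log lines are
# constructed; access logs do not show POST bodies, so this sees only what
# was carried in the query string.
import re
from urllib.parse import parse_qsl, urlsplit

STRUTS_PREFIXES = ("action:", "redirect:", "redirectaction:")

# Constructed Common Log Format lines for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Aug/2013:10:01:02 +0000] "GET /app/login.action?user=bob HTTP/1.1" 200 512
10.0.0.9 - - [13/Aug/2013:10:01:07 +0000] "GET /app/index.action?redirect:%2Flogin.jsp HTTP/1.1" 302 0
10.0.0.9 - - [13/Aug/2013:10:01:09 +0000] "GET /app/save.action?id=7&redirectAction:mainMenu= HTTP/1.1" 200 12
10.0.0.7 - - [13/Aug/2013:10:02:00 +0000] "GET /static/logo.png HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def struts_prefix_params(target: str) -> list:
    """Return parameter names in the request target that start with one of the
    prefixes. parse_qsl percent-decodes the names; lowercasing makes the match
    broad, which is a detection choice, not how Struts compares."""
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower().startswith(STRUTS_PREFIXES)]


def find_hits(log_text: str) -> list:
    """Return (client_ip, parameter_name) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in Common Log Format
        for name in struts_prefix_params(match.group("target")):
            hits.append((match.group("ip"), name))
    return hits


if __name__ == "__main__":
    for ip, name in find_hits(SAMPLE_LOG):
        print(f"{ip}\t{name}")
```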
ID: CVE-2013-2460
Title: Java Applet ProviderSkeleton Insecure Invoke Method
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK
7, allows remote attackers to affect confidentiality, integrity, and
availability via unknown vectors related to Serviceability. NOTE: the
previous information is from the June 2013 CPU. Oracle has not commented
on claims from another vendor that this issue allows remote attackers
to bypass the Java sandbox via vectors related to “insufficient access
checks” in the tracing component.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
MOST PREVALENT MALWARE FILES 8/6/2013 - 8/13/2013 COMPILED BY SOURCEFIRE