@RISK Newsletter for April 17, 2014
The consensus security vulnerability alert.
Vol. 14, Num. 15
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 4/8/2014 - 4/15/2014
TOP VULNERABILITY THIS WEEK: OpenSSL TLS Heartbeat Extension Buffer
Overflow Information Disclosure Vulnerability (Heartbleed)
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Bundled OpenSSL Library Also Makes Apps and Android 4.1.1
Vulnerable to Heartbleed
Description: TrendLabs discovered that Android version 4.1.1 is
vulnerable to Heartbleed, because the vulnerable version of OpenSSL is
bundled with the OS and with some Android applications.
Reference:
http://blog.trendmicro.com/trendlabs-security-intelligence/bundled-openssl-library-also-makes-apps-and-android-411-vulnerable-to-heartbleed/
SID: 30510-30517, 30520-30525
Title: Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach
Description: Computer hard drive maker LaCie has acknowledged that a
hacker break-in at its online store exposed credit card numbers and
contact information on customers for the better part of the past year.
The disclosure comes almost a month after the breach was first disclosed
by KrebsOnSecurity.
Reference:
http://www.krebsonsecurity.com/2014/04/hardware-giant-lacie-acknowledges-year-long-credit-card-breach/
Title: iSEC Completes TrueCrypt Audit
Description: iSEC Partners kicked off the engagement to audit the
following portions of TrueCrypt: the Windows kernel code, the
bootloader, the filesystem driver, and the areas around this code. The
scope was kept narrowly focused to avoid stretching resources too thin
and to ensure that the review conducted was thorough and robust.
Reference:
https://isecpartners.github.io/news/2014/04/14/iSEC-Completes-Truecrypt-Audit.html
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Global Phishing Survey: Trends and Domain Name Use in 2H2013
http://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2013.pdf
ZeusVM and steganography
http://www.xylibox.com/2014/04/zeusvm-and-steganography.html
Running Heartbleed Health Checks May be Illegal
http://www.tripwire.com/state-of-security/top-security-stories/running-heartbleed-health-checks-may-be-illegal/
Heartbleed bug exploited to steal taxpayer data
http://arstechnica.com/security/2014/04/heartbleed-bug-exploited-to-steal-taxpayer-data/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2014-0160
Title: OpenSSL TLS Heartbeat Extension Buffer Overflow Information
Disclosure Vulnerability (Heartbleed)
Vendor: OpenSSL Project
Description: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1
before 1.0.1g do not properly handle Heartbeat Extension packets, which
allows remote attackers to obtain sensitive information from process
memory via crafted packets that trigger a buffer over-read, as
demonstrated by reading private keys, related to d1_both.c and t1_lib.c.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
ID: CVE-2014-2850
Title: Sophos Web Protection Appliance Interface Authenticated
Arbitrary Command Execution
Vendor: Sophos
Description: The network interface configuration page (netinterface) in
Sophos Web Appliance before 3.8.2 allows remote administrators to
execute arbitrary commands via shell metacharacters in the address
parameter.
CVSS v2 Base Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
ID: CVE-2014-2314
Title: JIRA Issues Collector Directory Traversal
Vendor: Atlassian
Description: Directory traversal vulnerability in the Issue Collector
plugin in Atlassian JIRA before 6.0.4 allows remote attackers to create
arbitrary files via unspecified vectors.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
ID: CVE-2014-1761
Title: Microsoft Word Remote Memory Corruption Vulnerability
Vendor: Microsoft
Description: Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013,
and 2013 RT; Word Viewer; Office Compatibility Pack SP3; Office for Mac
2011; Word Automation Services on SharePoint Server 2010 SP1 and SP2 and
2013; Office Web Apps 2010 SP1 and SP2; and Office Web Apps Server 2013
allow remote attackers to execute arbitrary code or cause a denial of
service (memory corruption) via crafted RTF data, as exploited in the
wild in March 2014.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2014-0307
Title: Internet Explorer TextRange Use-After-Free Vulnerability (MS14-012)
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer
9 allows remote attackers to execute arbitrary code or cause a denial
of service (memory corruption) via a certain sequence of manipulations
of a TextRange element, aka “Internet Explorer Memory Corruption
Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2014-0502
Title: Adobe Flash Player 12.0.0.44 Memory Corruption Vulnerability
Vendor: Adobe
Description: Double free vulnerability in Adobe Flash Player before
11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and
Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628
on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK &
Compiler before 4.0.0.1628 allows remote attackers to execute arbitrary
code via unspecified vectors, as exploited in the wild in February 2014.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
MOST PREVALENT MALWARE FILES 4/8/2014 - 4/15/2014 COMPILED BY SOURCEFIRE
SHA 256: A1A212E0B59ABBB2F520F1D35E68AE00944931A5A0A514947555359CCEF2366F
MD5: 09b8de9389103831a84bb1711ebef153
VirusTotal:
https://www.virustotal.com/file/A1A212E0B59ABBB2F520F1D35E68AE00944931A5A0A514947555359CCEF2366F/analysis/#additional-info
Typical Filename: wajam_update.exe
Claimed Product: Wajam Internet Technologies Inc
Detection Name: W32.A1A212E0B5-100.SBX.VIOC
SHA 256: 180C6035CA44C270B8E1556A7B2E9FAF442D1B4323EF6D8E93B7E759AF169C96
MD5: 44e5b5dc6a27ea109b8a234e640bb5fd
VirusTotal:
https://www.virustotal.com/file/180C6035CA44C270B8E1556A7B2E9FAF442D1B4323EF6D8E93B7E759AF169C96/analysis/#additional-info
Typical Filename: BitGuard.exe
Claimed Product: BitGuard BitProtect
Detection Name: W32.Generic:BProtectF.17ex.1201
SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal:
https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/#additional-info
Typical Filename: wincdgja.exe
Claimed Product: Sality
Detection Name: W32.Sality:StubOfSalityTrj.17co.1201
SHA 256: 745614F97750E72A0972C8DFD2B5D738AE4E657214A2F5CC57DDA4A595B5CA53
MD5: 70ba56eb47b072b6688148d0be1e2e26
VirusTotal:
https://www.virustotal.com/file/745614F97750E72A0972C8DFD2B5D738AE4E657214A2F5CC57DDA4A595B5CA53/analysis/#additional-info
Typical Filename: winubyxq.exe
Claimed Product: Unknown
Detection Name: W32.Malware:SalityGR.17eu.1201
SHA 256: 6B0892E9B2AF395DF5B0D250A4A6F41C9D837D1C03D3AC68DAB8F847EC9F54BD
MD5: ced4ec6766d5152ec63892ad2c7d2f47
VirusTotal:
https://www.virustotal.com/file/6B0892E9B2AF395DF5B0D250A4A6F41C9D837D1C03D3AC68DAB8F847EC9F54BD/analysis/#additional-info
Typical Filename: winjrenr.exe
Claimed Product: Unknown
Detection Name: W32.Malware:Downloader.17fa.1201