@RISK Newsletter for July 03, 2014
The consensus security vulnerability alert.
Vol. 14, Num. 26
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 6/25/2014 - 7/1/2014
TOP VULNERABILITY THIS WEEK: Microsoft Takes Legal Action to fight
Malware: Bladabindi and Jenxcus
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Microsoft Takes Legal Action to fight Malware: Bladabindi and
Jenxcus - impacting no-ip.org dyndns service
Description: On June 30, Microsoft positioned itself to receive all the
no-ip.org DNS requests; so that it could filter out DNS requests related
to the two malware families, Bladabindi and Jenxcus.
Reference:
http://blogs.technet.com/b/security/archive/2014/06/30/microsoft-takes-legal-action-to-fight-malware-bladabindi-and-jenxcus.aspx
Snort SID: 31287-31288, 29837-29858
ClamAV: Win.Trojan.Bladabindi
Title: Duo Security researchers uncover bypass of PayPal’s two-factor
authentication
Description: Researchers at Duo Security discovered the mobile
application for PayPal could bypass 2FA by using a token from an
undocumented API endpoint.
Reference:
https://www.duosecurity.com/blog/duo-security-researchers-uncover-bypass-of-paypal-s-two-factor-authentication
Title: Raising Lazarus - The 20 Year Old Bug that Went to Mars
Description: Security Mouse researchers discovered a 20 year old bug in
the LZO compression algorythm
Reference:
http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Apple releases security fixes for iOS, OS X, Safari and Apple TV
http://www.zdnet.com/apple-releases-security-fixes-for-ios-os-x-safari-and-apple-tv-7000031121/
DHS Sharing Classified Threat Information With Service Providers
http://www.crn.com/news/security/300073287/dhs-sharing-classified-threat-information-with-service-providers.htm
Exceptional behavior: the Windows 8.1 X64 SEH Implementation
http://sfi.re/TMZmqz
Isolated Heap for Internet Explorer Helps Mitigate UAF Exploits
http://blog.trendmicro.com/trendlabs-security-intelligence/isolated-heap-for-internet-explorer-helps-mitigate-uaf-exploits/
Threat Spotlight: A String of ‘Paerls’, Part One
http://sfi.re/1mRA5Hg
Android KeyStore Stack Buffer Overflow: To Keep Things Simple, Buffers
Are Always Larger Than Needed
http://securityintelligence.com/android-keystore-stack-buffer-overflow-to-keep-things-simple-buffers-are-always-larger-than-needed/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2013-6221
Title: HP Service Virtualization 3.0 Remote Code Execution Vulnerability
Vendor: HP
Description: Directory traversal vulnerability in CommunicationServlet
in HP Service Virtualization 3.x before 3.50.1, when the AutoPass
license server is enabled, allows remote attackers to create arbitrary
files and consequently execute arbitrary code via unspecified vectors,
aka ZDI-CAN-2031.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
ID: N/A
Title: Supermicro Server Motherboard Credential Disclosure Vulnerability
Vendor: Supermicro
Description: Supermicro motherboards store administrator passwords in
plain text, which is available to any attacker who can connect to TCP
port 49152.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
ID: CVE-2014-3120
Title: Elasticsearch Remote Code Execution
Vendor: Elasticsearch
Description: Elasticsearch has a flaw in its default configuration which
makes it possible for any webpage to execute arbitrary code on visitors
with Elasticsearch installed.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
ID: CVE-2014-0515
Title: Adobe Flash Player Shader Buffer Overflow
Vendor: Adobe
Description: Buffer overflow in Adobe Flash Player before 11.7.700.279
and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and
before 11.2.202.356 on Linux, allows remote attackers to execute
arbitrary code via unspecified vectors, as exploited in the wild in
April 2014.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
ID: CVE-2014-0094
Title: Apache Struts ClassLoader Manipulation Remote Code Execution
Vendor: Apache
Description: The ParametersInterceptor in Apache Struts before 2.3.16.1
allows remote attackers to “manipulate” the ClassLoader via the class
parameter, which is passed to the getClass method.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/AU:N/C:N/I:P/A:N)
ID: CVE-2014-1776
Title: Microsoft Internet Explorer Use-after-Free Vulnerability
Vendor: Microsoft
Description: Use-after-free vulnerability in VGX.DLL in Microsoft
Internet Explorer 6 through 11 allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption) via
unspecified vectors, as exploited in the wild in April 2014.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
ID: CVE-2014-0160
Title: OpenSSL TLS Heartbeat Extension Buffer Oveflow Information
Disclosure Vulnerability (Heartbleed)
Vendor: OpenSSL Project
Description: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1
before 1.0.1g do not properly handle Heartbeart Extension packets, which
allows remote attackers to obtain sensitive information from process
memory via crafted packets that trigger a buffer over-read, as
demonstrated by reading private keys, related to d1_both.c and t1_lib.c.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
MOST PREVALENT MALWARE FILES 6/25/2014 - 7/1/2014 COMPILED BY SOURCEFIRE
SHA 256: 97667487392ACA1D94C0043FB725FE31855D5B65B1BDEBE58E0AC7E147D05BE4
MD5: 466af3fbfdd028b3d90238425c367b7e
VirusTotal:
https://www.virustotal.com/file/97667487392ACA1D94C0043FB725FE31855D5B65B1BDEBE58E0AC7E147D05BE4/analysis/#additional-info
Typical Filename: 8hsrchmn.exe
Claimed Product: Mindspark Toolbar Platform SearchScope Monitor
Detection Name: W32.MindsparkA.17hd.1201
SHA 256: 8679C8E6388FD3F927F7AC8ADCEB2CFECD0CEC3B95EA98F79D54119EFBD68034
MD5: 2b76e26f8314246c2a0f7968f73f00bb
VirusTotal:
https://www.virustotal.com/file/8679C8E6388FD3F927F7AC8ADCEB2CFECD0CEC3B95EA98F79D54119EFBD68034/analysis/#additional-info
Typical Filename: 39SrchMn.exe
Claimed Product: Mindspark Toolbar Platform SearchScope Monitor
Detection Name: W32.MindsparkA.17hd.1201
SHA 256: F8EA2EFA24813F1159ADCEF510EA33DCCEE50A5EF9F9C98EAE840AFAAB8DE8F8
MD5: 2c0a45683112082493b1fb3c09c60184
VirusTotal:
https://www.virustotal.com/file/F8EA2EFA24813F1159ADCEF510EA33DCCEE50A5EF9F9C98EAE840AFAAB8DE8F8/analysis/#additional-info
Typical Filename: 1cbrmon.exe
Claimed Product: Mindspark Toolbar Platform SearchScope Monitor
Detection Name: W32.MindsparkA.17hd.1201
SHA 256: CD9B0B4A981F04BBEFA37400F8EED1B5D5187BBD8E38A5861B80916EE8CC411A
MD5: 59e9664cfa40c96b449d69ef4aa457a1
VirusTotal:
https://www.virustotal.com/file/CD9B0B4A981F04BBEFA37400F8EED1B5D5187BBD8E38A5861B80916EE8CC411A/analysis/#additional-info
Typical Filename: cltmngsvc.exe
Claimed Product: Conduit Search Protect
Detection Name: W32.CD9B0B4A98-100.SBX.VIOC
SHA 256: A1186DE10C5C0DF1E5D25B1F3A8EA4EDBB24838D455E3ED28E28FA50D0FB02EA
MD5: 660d435be4a48b8d941e5dcf30ac1974
VirusTotal:
https://www.virustotal.com/file/A1186DE10C5C0DF1E5D25B1F3A8EA4EDBB24838D455E3ED28E28FA50D0FB02EA/analysis/#additional-info
Typical Filename: AppIntegrator64.exe
Claimed Product: Mindspark Toolbar Platform SearchScope Monitor
Detection Name: W32.MindsparkA.17hd.1201