@RISK Newsletter for December 03, 2015
The consensus security vulnerability alert.
Vol. 15, Num. 48
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 2015-11-24 - 2015-12-01
TOP VULNERABILITY THIS WEEK: Microsoft Revokes Trust for eDellRoot
Certificates As A Preventive Measure
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Lenovo Addresses Pair of Critical Vulnerabilities in Lenovo
System Update Service Password
Description: Researchers at IOActive have found a pair of
vulnerabilities within the Lenovo System Update Service. One of the two
vulnerabilities addressed is a weak random password generator that is
used by the service to create a temporary administrator account when
fetching updates from Lenovo support. The other vulnerability addressed
is a privilege escalation vulnerability that could allow a user to
download arbitrary executables on the targeted system with administrator
privileges. Lenovo System Update versions 5.07.0013 and earlier have
been identified to be vulnerable. Lenovo has released updates to address
the pair of vulnerabilities.
Reference: http://www.ioactive.com/pdfs/IOActive_Advisory_Lenovo_SystemUpdate-Insecure-Random-Admin-Password.pdf
Title: RSI Video Technologies Videofied Security System Found to
Contains Software Using an Insecure Custom Protocol
Description: Researchers have discovered that RSI Video Technologies’
Videofied security system contains software that utilizes an insecure
custom protocol. These security systems utilize Frontel, a software
package that is used to monitor alarm status. One of the vulnerabilities
is the use of a hard-coded cryptographic key that is derived from the
serial number of the device. Other vulnerabilities that were discovered
are the transmissions of messages and videos unencrypted after the AES
handshake and insufficient verification of data authenticity. RSI Video
Technologies has responded by releasing an update for Frontel to address
these issues.
Reference: http://www.kb.cert.org/vuls/id/792004
Snort SID: Detection pending release of vulnerability information
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Shields up on potentially unwanted applications in your enterprise
http://blogs.technet.com/b/mmpc/archive/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise.aspx
Exploiting F5 ICall::Script Privilege Escalation (CVE-2015-3628)
http://blog.gdssecurity.com/labs/2015/11/25/exploiting-f5-icallscript-privilege-escalation-cve-2015-3628.html
Hilton Acknowledges Credit Card Breach
http://krebsonsecurity.com/2015/11/hilton-acknowledges-credit-card-breach/?
Feds don’t need a warrant to read your emails. Congress wants that to change
http://www.zdnet.com/article/every-email-you-opened-last-year-can-be-read-by-the-fbi-without-a-warrant/
Cutting the Lights: Vulnerabilities in a Billboard Lighting System
http://randywestergren.com/cutting-the-lights-vulnerabilities-in-a-billboard-lighting-system/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2015-3628
Title: F5 Multiple Products iCall Privilege Escalation Vulnerability
Vendor: F5 Networks
Description: Multiple F5 Networks Inc. products could allow attackers
to gain escalated privileges on the targeted host due to a vulnerability
in the iCall SOAP Interface.
CVSS v2 Base Score: 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)
ID: CVE-2015-7007
Title: Apple OS X Input Validation Code Execution Vulnerability
Vendor: Apple
Description: Script Editor in Apple OS X before 10.11.1 allows remote
attackers to bypass an intended user-confirmation requirement for
AppleScript execution via unspecified vectors.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2015-7645
Title: Adobe Flash Player Code Execution Vulnerability (APSB15-27)
Vendor: Adobe
Description: Adobe Flash Player 18.x through 18.0.0.252 and 19.x through
19.0.0.207 on Windows and OS X and 11.x through 11.2.202.535 on Linux
allows remote attackers to execute arbitrary code via a crafted SWF
file, as exploited in the wild in October 2015.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2015-2342
Title: VMware vCenter JMX RMI Service Remote Code Execution Vulnerability
Vendor: VMware
Description: The JMX RMI service in VMware vCenter Server 5.0 before
u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict
registration of MBeans, which allows remote attackers to execute
arbitrary code via the RMI protocol.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2015-2509
Title: Microsoft Windows Media Center MCL Vulnerability (MS15-100)
Vendor: Microsoft
Description: Windows Media Center in Microsoft Windows Vista SP2,
Windows 7 SP1, Windows 8, and Windows 8.1 allows user-assisted remote
attackers to execute arbitrary code via a crafted Media Center link
(mcl) file, aka “Windows Media Center RCE Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2014-6332
Title: Microsoft Windows OLE Automation Array Memory Corruption Code
Execution Vulnerability (MS14-064)
Vendor: Microsoft
Description: OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2,
Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1,
Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT
Gold and 8.1 allows remote attackers to execute arbitrary code via a
crafted web site, as demonstrated by an array-redimensioning attempt
that triggers improper handling of a size value in the SafeArrayDimen
function, aka “Windows OLE Automation Array Remote Code Execution
Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
MOST PREVALENT MALWARE FILES 2015-11-24 - 2015-12-01 COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 818C7383DDA31C34688F471E80FAE70211F121C0BE29BA75107E0D289DADEC7A
MD5: c19e483b61044a4e82adf8aa571859b8
VirusTotal:
https://www.virustotal.com/file/818C7383DDA31C34688F471E80FAE70211F121C0BE29BA75107E0D289DADEC7A/analysis/#additional-info
Typical Filename: ApplicationManager
Claimed Product: N/A
Detection Name: OSX.Variant:SpigotD.18mx.1201
SHA 256: 2E1224AEF20DA8473C55A425380A1441C44FC947A4E07E28710F55846C3BD947
MD5: a1a1993ad220737ca080d20f91446a8f
VirusTotal:
https://www.virustotal.com/file/2E1224AEF20DA8473C55A425380A1441C44FC947A4E07E28710F55846C3BD947/analysis/#additional-info
Typical Filename: ApplicationManager
Claimed Product: N/A
Detection Name: OSX.Variant:SpigotD.18mp.1201
SHA 256: 3B17689A486D68813C31BF2BA610BF36F4B1F5B0403B0316C9833348845306FC
MD5: 37ee9a5257102d876cfae15bccfbbf78
VirusTotal:
https://www.virustotal.com/file/3B17689A486D68813C31BF2BA610BF36F4B1F5B0403B0316C9833348845306FC/analysis/#additional-info
Typical Filename: WebSocketServerApp
Claimed Product: N/A
Detection Name: W32.Auto.3b1768.182243.in01
SHA 256: D40150753966BEAA1D23D5CC929E9965ADE8A963D813B946E59E279ED79FAA26
MD5: 5f08355a1355c58664ae895849570457
VirusTotal:
https://www.virustotal.com/file/D40150753966BEAA1D23D5CC929E9965ADE8A963D813B946E59E279ED79FAA26/analysis/#additional-info
Typical Filename: ApplicationManager
Claimed Product: N/A
Detection Name: OSX.Variant:SpigotD.18la.1201
SHA 256: F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55
MD5: 51e63633487f9180ec8031980684bf86
VirusTotal:
https://www.virustotal.com/file/F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55/analysis/#additional-info
Typical Filename: xcfu.exe
Claimed Product: N/A
Detection Name: W32.Malware:Pramro.18jn.1201