@RISK Newsletter for March 07, 2019
The consensus security vulnerability alert.
Vol. 19, Num. 10
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES March 1 - 7
TOP VULNERABILITY THIS WEEK: Attacks pick up on vulnerable Cisco SOHO routers
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Cisco patches critical vulnerabilities in RV series of routers
Description: Attackers have begun exploiting Cisco small and home office routers after the company patched a critical bug in its RV line. The flaw sits in the routers' web-based management interface and can be triggered by an unauthenticated, remote attacker, so any device whose management interface is reachable from the internet can be taken over outright. Affected models are the Cisco RV110W, RV130W and RV215W; administrators should apply the fixed firmware.
Reference: https://www.zdnet.com/article/hackers-have-started-attacks-on-cisco-rv110-rv130-and-rv215-routers/
Snort SIDs: 49296
Title: 19-year-old WinRAR vulnerability finally patched
Description: A third-party micropatch released last week, alongside an update from WinRAR's developer, fixes a 19-year-old vulnerability in WinRAR that could allow remote code execution. The bug, CVE-2018-20250, lets an attacker take complete control of a target machine by tricking a user into opening a specially crafted, malicious archive. The latest WinRAR update removes support for ACE archives entirely, since the vulnerable third-party UNACEV2.DLL extraction library is no longer maintained; the fix therefore requires upgrading WinRAR itself.
Snort SIDs: 49289 - 49292
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
A Dow Jones watchlist of 2.4 million people considered high-risk was leaked after a third-party company left it on a database with no password.
https://techcrunch.com/2019/02/27/dow-jones-watchlist-leak/
New reporting pulled back the curtain on Facebook's massive effort to sway privacy policies around the world by influencing politicians.
Thailand passed a new law that many consider tantamount to martial law for the internet; it could allow the country's military to make its own cyber laws in urgent cases.
The popular cryptocurrency miner Coinhive is shutting down, but not over security concerns.
The Chinese hacking group APT40 reportedly carried out multiple cyber attacks against different countries in an effort to bolster China's navy.
https://www.infosecurity-magazine.com/news/chinas-apt40-group-stole-navy-1-1/
U.S. Cyber Command carried out an offensive cyber attack against a well-known Russian troll farm on the day of the 2018 midterm elections in the U.S.
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2018-1999002
Title: Jenkins Arbitrary File Read Vulnerability
Vendor: Jenkins
Description: An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier and LTS 2.121.1 and earlier, in the Stapler web framework's org/kohsuke/stapler/Stapler.java. Successful exploitation allows an unauthenticated remote attacker to read arbitrary files on the Jenkins master's filesystem, which may aid in further attacks, for example by disclosing credentials stored on disk. The vulnerability does not permit writing files, as the confidentiality-only CVSS vector below reflects.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
ID: CVE-2018-19519
Title: Tcpdump Stack Buffer Over-read Vulnerability
Vendor: Tcpdump
Description: A stack-based buffer over-read exists in the print_prefix function of print-hncp.c, triggered by crafted packet data, because of a missing initialization. An attacker who can get tcpdump to parse such a packet, on the wire or from a capture file, can disclose stack memory contents or crash the tool; no code execution has been demonstrated, and the CVSS vector below scores it as an information disclosure.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
ID: CVE-2019-6340
Title: Drupal Remote Code Execution Vulnerability (SA-CORE-2019-003)
Vendor: Drupal
Description: Arbitrary PHP code execution is possible because some field types do not properly sanitize data from non-form sources. A site is exposed only when a web services module is enabled: the core RESTful Web Services module with PATCH or POST requests allowed, or another web services module such as JSON:API. On such a site, a remote attacker who can reach the web services endpoint can execute arbitrary PHP code.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
ID: CVE-2018-19107
Title: Exiv2 Denial of Service Vulnerability
Vendor: Exiv2
Description: A vulnerability was found in Exiv2 0.26 (image processing software). It affects the Exiv2::IptcParser::decode function in iptc.cpp, called from psdimage.cpp in the PSD image reader. An integer overflow leads to a heap-based buffer over-read, which a crafted file can trigger to cause a denial of service.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
ID: CVE-2018-20122
Title: Fastweb FASTGate Remote Code Execution Vulnerability
Vendor: Fastweb
Description: The status.cgi binary on the Fastweb FASTGate router is vulnerable to command injection. Successful exploitation yields remote code execution with root privileges on the device.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2019-7238
Title: Nexus Repository Manager 3 Remote Code Execution Vulnerability
Vendor: Sonatype
Description: Nexus Repository Manager 3 before version 3.15.0 does not enforce access controls correctly, which leads to remote code execution. An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary Java code on the system.
ID: CVE-2018-20250
Title: WinRAR Arbitrary Code Execution Vulnerability
Vendor: RARLAB
Description: RARLAB WinRAR is prone to an arbitrary code execution vulnerability that arises when parsing a crafted ACE archive, including one carrying a .rar extension, since WinRAR identifies the format by content rather than by file name. Successful exploitation could allow an attacker to execute arbitrary code in the context of the current user.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
ID: CVE-2019-1663
Title: Cisco Routers Management Interface Remote Command Execution Vulnerability - (cisco-sa-20190227-rmi-cmd-ex)
Vendor: Cisco
Description: A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Note: no public exploit for this vulnerability was available when this list was compiled.
MOST PREVALENT MALWARE FILES March 1 - 7:
COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: dfe2fcb006df972edf4f8e721bab26cfec809768a0bfbccf5fc661b6ea85dba9
MD5: b860cf8c4cb5dc676ef4893a704c9f8d
VirusTotal: https://www.virustotal.com/#/file/dfe2fcb006df972edf4f8e721bab26cfec809768a0bfbccf5fc661b6ea85dba9/details
Typical Filename: MyMapDirections-14900991.exe
Claimed Product: IEInstaller
Detection Name: W32.Auto:dfe2fc.in03.Talos
SHA 256: 3573bf742920655ec2c28c9ec4ac04194e38096f54c63f0ceb02d366c1034f56
MD5: b6ca0e72b072f40f5544b9fd054d6ed1
VirusTotal: https://www.virustotal.com/#/file/3573bf742920655ec2c28c9ec4ac04194e38096f54c63f0ceb02d366c1034f56/details
Typical Filename: maftask.zip
Claimed Product: N/A
Detection Name: Auto.3573BF7429.Sbmt.tht.Talos
SHA 256: d7d80bf3f32c20298cad1d59ca8cb4508bad43a9be5e027579d7fc77a8e47be0
MD5: d8461f2978de84045e7ad6bea7a60418
VirusTotal: https://www.virustotal.com/#/file/d7d80bf3f32c20298cad1d59ca8cb4508bad43a9be5e027579d7fc77a8e47be0/details
Typical Filename: Window.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
MD5: 147ba798e448eb3caa7e477e7fb3a959
VirusTotal: https://www.virustotal.com/#/file/790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd/details
Typical Filename: ups.exe
Claimed Product: TODO: <产品名> (Chinese placeholder meaning "product name")
Detection Name: W32.Variant:Malwaregen.22d1.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
Claimed Product: N/A
Detection Name: W32.Generic:Gen.21ij.1201
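The hashes above are the actionable part of this section. What follows is an added example, not part of the newsletter or of Talos tooling: a small matcher that parses records in the newsletter's own plain-text format (the SHA 256, MD5, Typical Filename, Claimed Product and Detection Name lines) into indicator records, then hashes files on disk and reports any whose SHA-256 or MD5 appears in the list. The embedded sample block is constructed from two of the records above; the demo file, its contents and the "Test.Constructed" indicator are likewise constructed, since the real malware is not on disk to match.

```python
"""Hash-based IOC matcher for the "Most Prevalent Malware Files" records above.
Added example, not part of the @RISK newsletter or of Talos tooling. It parses the
newsletter's record format (SHA 256 / MD5 / Typical Filename / Claimed Product /
Detection Name lines), hashes files on disk and reports any whose SHA-256 or MD5 is
listed. File names are reported but never matched on: an attacker changes them freely."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the newsletter's own format (records copied from the list above;
# the second record deliberately lacks the Claimed Product / Detection Name lines).
SAMPLE_BLOCK = """\
SHA 256: dfe2fcb006df972edf4f8e721bab26cfec809768a0bfbccf5fc661b6ea85dba9
MD5: b860cf8c4cb5dc676ef4893a704c9f8d
Typical Filename: MyMapDirections-14900991.exe
Claimed Product: IEInstaller
Detection Name: W32.Auto:dfe2fc.in03.Talos
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
"""
FIELD_MAP = {"SHA 256": "sha256", "MD5": "md5", "Typical Filename": "filename",
             "Claimed Product": "product", "Detection Name": "detection"}
DIGEST_LEN = {"sha256": 64, "md5": 32}
HEXDIGITS = set("0123456789abcdef")


@dataclass
class Indicator:
    sha256: str
    md5: Optional[str] = None
    filename: Optional[str] = None
    product: Optional[str] = None
    detection: Optional[str] = None


def parse_indicators(text: str) -> List[Indicator]:
    """Each 'SHA 256:' line opens a record and the labelled lines after it fill it in;
    unknown labels (e.g. 'VirusTotal:') are ignored, malformed digests raise ValueError."""
    records: List[Indicator] = []
    current = None
    for line in text.splitlines():
        label, sep, value = line.partition(":")   # first colon only: values may contain ':'
        field = FIELD_MAP.get(label.strip())
        if not sep or field is None:
            continue
        value = value.strip()
        if field in DIGEST_LEN:
            value = value.lower()
            if len(value) != DIGEST_LEN[field] or set(value) - HEXDIGITS:
                raise ValueError(f"malformed {field}: {value!r}")
        if field == "sha256":
            current = Indicator(sha256=value)
            records.append(current)
        elif current is not None:
            setattr(current, field, value)
    return records


def build_index(indicators: List[Indicator]) -> Dict[str, Indicator]:
    """Map every known digest (SHA-256 and MD5) to its record for O(1) lookup."""
    index: Dict[str, Indicator] = {}
    for ind in indicators:
        index[ind.sha256] = ind
        if ind.md5:
            index[ind.md5] = ind
    return index


def hash_file(path: str) -> Dict[str, str]:
    """SHA-256 and MD5 in one streamed pass, so large files are not read into memory."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha.update(chunk)
            md5.update(chunk)
    return {"sha256": sha.hexdigest(), "md5": md5.hexdigest()}


def scan(root: str, index: Dict[str, Indicator]) -> List[dict]:
    """Walk `root`; one hit per regular file whose SHA-256 or MD5 is in `index`."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):          # skips broken symlinks, sockets, etc.
                continue
            d = hash_file(path)
            ind = index.get(d["sha256"]) or index.get(d["md5"])
            if ind is not None:
                hits.append({"path": path, "detection": ind.detection,
                             "matched_on": "sha256" if d["sha256"] in index else "md5"})
    return hits


def demo() -> List[dict]:
    """Self-contained run: a constructed file matched via a constructed MD5-only indicator."""
    indicators = parse_indicators(SAMPLE_BLOCK)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dropper.exe")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample payload, not real malware\n")
        # Constructed indicator: only its MD5 is "known"; the SHA-256 is a placeholder.
        indicators.append(Indicator(sha256="0" * 64, md5=hash_file(path)["md5"],
                                    detection="Test.Constructed"))
        return scan(tmp, build_index(indicators))
```

Point parse_indicators at the full newsletter text to load all five records, and scan download, temp and user profile directories; a hit on MD5 alone is still a hit, but confirm it with the SHA-256 from the VirusTotal link before acting, since MD5 collisions are cheap to manufacture.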