@RISK Newsletter for August 29, 2019
The consensus security vulnerability alert.
Vol. 19, Num. 35
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES August 22 - 29, 2019
TOP VULNERABILITY THIS WEEK: Cisco 220 smart switches open to data leak
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Cisco 220 smart switches open to data leak
Description: Two vulnerabilities in Cisco’s 220 series of smart switches for small businesses could allow an attacker to leak sensitive information or inject malicious code. CVE-2019-1912 could allow an attacker to bypass security checks on the switch and upload arbitrary files. And CVE-2019-1913 opens the switches to a buffer overflow attack, which could be used to gain the ability to remotely execute code on the machine with root privileges.
Reference:
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-auth_bypass
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-rce
Snort SIDs: 51293 - 51295 (Written by John Levy), 51298 - 51300 (Written by Amit Raut), 51306 - 51307 (Written by Tim Muniz)
Title: Attackers mount attacks on Webmin servers, Pulse Secure and Fortinet VPNs
Description: Attackers are actively exploiting vulnerabilities in Fortinet's FortiGate and Pulse Secure VPN services to steal encryption keys, passwords and other sensitive data. Campaigns that started last week also target the Webmin utility used to manage Linux and *NIX systems. These products sit in enterprise networks, and the vulnerabilities involved could allow an attacker to take complete control of a system.
Reference: https://www.zdnet.com/article/hackers-mount-attacks-on-webmin-servers-pulse-secure-and-fortinet-vpns/
Snort SIDs: 51240 - 51243 (Written by John Levy), 51288, 51289 (Written by Joanne Kim)
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Apple repatched a vulnerability in iOS that could allow users to jailbreak their devices – a week after a hacker discovered an older patch had been undone.
https://www.cnet.com/news/apple-releases-ios-12-4-1-to-reportedly-fix-iphone-jailbreak/
The U.S. is close to launching a program to focus on protecting the 2020 U.S. presidential election from a ransomware attack.
https://www.cnbc.com/2019/08/26/us-officials-fear-ransomware-attack-against-2020-election.html
An independent security researcher dropped a zero-day vulnerability in Valve’s Steam video game launcher after Valve banned him from the company’s bug bounty program.
https://www.vice.com/en_us/article/wjwd8n/hacker-drops-steam-zero-day-after-being-banned-from-valve-bug-bounty-program
New emails uncovered between Facebook employees show that the social media giant may have known earlier than initially disclosed about Cambridge Analytica’s mishandling of users’ data.
https://techcrunch.com/2019/08/23/facebook-really-doesnt-want-you-to-read-these-emails/
Mobile carriers say an agreement with the U.S. government will start cutting down on robocalls, but researchers are skeptical of how effective the rules will be.
https://arstechnica.com/tech-policy/2019/08/us-phone-carriers-make-empty-unenforceable-promises-to-fight-robocalls/
Spammers have started using Google calendar invites as a new form of social engineering.
https://www.cbsnews.com/news/google-calendar-spam-is-on-the-rise-heres-how-to-stop-the-calendar-invite-spam/
Courthouses in Georgia are still using paper records to keep track of criminal cases and traffic citations months after a ransomware attack.
https://www.ajc.com/news/local/courts-across-georgia-struggling-keep-since-cyberattack/ZpresJoKsiNqPWNiQwoTCO/
A recent round of ransomware attacks on cities in Texas could encourage attackers to carry out similar campaigns in the future.
https://www.cnbc.com/2019/08/22/texas-ransomware-attacks-tell-the-us-cybersecurity-story.html
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2019-11510
Title: Pulse Secure Arbitrary File Disclosure Vulnerability
Vendor: Pulse Secure
Description: Pulse Connect Secure is exposed to an arbitrary file disclosure vulnerability. An attacker can exploit this issue to read arbitrary files in the context of the application or write arbitrary files, by sending a specially crafted URI.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
ID: CVE-2019-8605
Title: Apple macOS Information Disclosure Vulnerability
Vendor: Apple
Description: A remote attacker could exploit this vulnerability to cause disclosure of information, unauthorized modification and arbitrary code execution with system privileges. “A malicious application may be able to execute arbitrary code with system privileges,” reads the advisory published by Apple. “A use after free issue was addressed with improved memory management.” The vulnerability was initially reported by Google Project Zero white-hat hacker Ned Williamson, who also published an exploit for iOS 12.2, dubbed “SockPuppet,” after the first patch was released.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2019-12527
Title: Squid Buffer Overflow Vulnerability
Vendor: Squid
Description: Squid is exposed to a heap-based buffer overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. When checking Basic Authentication with HttpHeader, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length is not greater than the buffer, leading to a heap-based buffer overflow with user-controlled data. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
ID: CVE-2019-15107
Title: Webmin Unauthenticated Remote Command Execution Vulnerability
Vendor: Webmin
Description: Webmin is exposed to a vulnerability that allows remote command execution. The old parameter in password_change.cgi contains a command injection vulnerability. Webmin is only vulnerable if changing of expired passwords is enabled. Successful exploitation may allow a remote attacker to execute arbitrary commands on the target system.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2019-15092
Title: WordPress Plugin Remote Code Execution Vulnerability
Vendor: WordPress
Description: The WordPress plugin is exposed to a CSV injection vulnerability. This allows any application user to inject commands into the fields of their profile; these commands are executed when a user with greater privileges exports the data as CSV and opens that file on their machine. The webtoffee “WordPress Users & WooCommerce Customers Import Export” plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns of an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
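The CSV injection described in this entry works because spreadsheet applications evaluate a cell that begins with a formula trigger character. The following Python is an added illustration written for this newsletter, not code from the webtoffee plugin or from WordPress: it shows the export-side fix (neutralising each cell before it is serialised) next to an audit helper that flags formula-like cells in an export that already exists. The column list, the `user_login` column and all sample profile values are constructed for the example.

```python
import csv
import io

# Leading characters that Excel and LibreOffice interpret as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Columns the advisory names as injection points, plus a constructed user_login column.
EXPORT_COLUMNS = ["user_login", "user_url", "display_name", "first_name", "last_name"]

# Constructed sample profile data (not real plugin output): one ordinary user and one
# whose profile fields would be evaluated as formulas when the export is opened.
SAMPLE_USERS = [
    {"user_login": "alice", "user_url": "https://example.com", "display_name": "Alice",
     "first_name": "Alice", "last_name": "Smith"},
    {"user_login": "mallory", "user_url": "@example", "display_name": "=SUM(1,2)",
     "first_name": "+1", "last_name": "-Jones"},
]


def neutralize_cell(value):
    """Prefix a single quote so spreadsheet apps treat the cell as text, not a formula."""
    value = "" if value is None else str(value)
    if value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def export_csv(rows, columns, sanitize=True):
    """Serialise rows to CSV text; with sanitize=True every cell is neutralised first."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, quoting=csv.QUOTE_ALL,
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {col: row.get(col, "") for col in columns}
        if sanitize:
            cells = {col: neutralize_cell(v) for col, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an existing export: return (line_number, column, value) for every cell
    that starts with a formula trigger. Line 1 is the header row."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):
        for col, value in row.items():
            if value and value.startswith(FORMULA_PREFIXES):
                findings.append((line_no, col, value))
    return findings


if __name__ == "__main__":
    unsafe = export_csv(SAMPLE_USERS, EXPORT_COLUMNS, sanitize=False)
    safe = export_csv(SAMPLE_USERS, EXPORT_COLUMNS)
    print("cells flagged in unsanitised export:", find_formula_cells(unsafe))
    print("cells flagged in sanitised export:  ", find_formula_cells(safe))
```

The single-quote prefix is the conventional spreadsheet escape; quoting alone (`QUOTE_ALL`) is not enough, because the CSV quotes are stripped before the cell content is interpreted. Legitimate values such as negative numbers or names beginning with a hyphen are preserved, they simply display as text.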
ID: CVE-2019-11013
Title: Nimble Streamer Directory Traversal Vulnerability
Vendor: Nimble Streamer
Description: Nimble Streamer is exposed to a “../” directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system and access files or directories outside of the restricted directory on the remote server.
CVSS v2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
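Directory traversal of the “../” kind is prevented by resolving the requested path against the permitted root and checking containment on path components, not on the raw string. The Python below is an added example for this newsletter, not Nimble Streamer code; the `/srv/media` root and the sample request paths are constructed. It handles the variants a containment check commonly misses (percent-encoded dots, backslash separators, a NUL byte, and a sibling directory sharing the root's prefix) and includes an audit helper that returns which logged request paths would have been refused.

```python
import os
from urllib.parse import unquote

# Hypothetical root the server is supposed to confine requests to (constructed for
# this example, not a Nimble Streamer path).
MEDIA_ROOT = "/srv/media"


class TraversalError(ValueError):
    """Raised when a requested path would resolve outside the permitted root."""


def resolve_under_root(root, requested):
    """Map a client-supplied relative path onto root and return the absolute path.

    Percent-decodes once (so %2e%2e/ is handled like ../), treats backslashes as
    separators, rejects NUL bytes, normalises with realpath, then checks containment
    via commonpath so that /srv/mediaX is not mistaken for a child of /srv/media.
    """
    decoded = unquote(requested).replace("\\", "/")
    if "\x00" in decoded:
        raise TraversalError("NUL byte in requested path")
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, decoded.lstrip("/")))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise TraversalError("requested path escapes root: %r" % requested)
    return candidate


def is_contained(root, requested):
    """Boolean form of resolve_under_root, convenient when auditing logs."""
    try:
        resolve_under_root(root, requested)
        return True
    except TraversalError:
        return False


# Constructed sample of request paths as a web server might record them.
SAMPLE_REQUESTS = [
    "videos/clip.mp4",
    "videos/../clip.mp4",
    "../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "..\\..\\etc\\passwd",
]


def audit_requests(root, requests):
    """Return the subset of request paths that the containment check refuses."""
    return [r for r in requests if not is_contained(root, r)]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        outcome = resolve_under_root(MEDIA_ROOT, r) if is_contained(MEDIA_ROOT, r) else "refused"
        print("%-28s -> %s" % (r, outcome))
```

Note that `videos/../clip.mp4` is accepted: it normalises to a file inside the root, which is the point of checking the resolved path rather than rejecting every occurrence of `..`. Decoding is done exactly once; a double-encoded `%252e` stays a literal filename component and never becomes a dot.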
ID: CVE-2019-10149
Title: Exim Local Privilege Escalation Vulnerability
Vendor: Exim
Description: Exim is affected by a remote command execution vulnerability. The vulnerability is exploitable instantly by a local attacker. To exploit it remotely in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes); faster methods may exist. Improper validation of the recipient address in the deliver_message() function in /src/deliver.c may lead to remote command execution.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
MOST PREVALENT MALWARE FILES August 22 - 29, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: 1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c
MD5: c785a8b0be77a216a5223c41d8dd937f
VirusTotal: https://www.virustotal.com/gui/file/1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c/details
Typical Filename: cslast.gif
Claimed Product: N/A
Detection Name: W32.1755C179F0-100.SBX.TG
SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details
Typical Filename: invoice.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7
MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
VirusTotal: https://www.virustotal.com/gui/file/093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7/details
Typical Filename: sayext.gif
Claimed Product: N/A
Detection Name: W32.093CC39350-100.SBX.TG