@RISK Newsletter for December 05, 2019
The consensus security vulnerability alert.
Vol. 19, Num. 49
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES November 28 - December 5, 2019
TOP VULNERABILITY THIS WEEK: SQL injection vulnerabilities in Forma Learning Management System
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Forma LMS open-source program open to SQL injection attacks
Description: There are three SQL injection vulnerabilities in the authenticated portion of the Forma Learning Management System, so an attacker needs a valid account to reach them. Forma LMS is open-source software that companies use to build and host training courses for their employees; it is now maintained by the Forma organization. An attacker can trigger these bugs by sending a web request whose parameters contain SQL injection payloads.
Reference: https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-sql-injection-dec-19.html
Snort SIDs: 51611 - 51619 (By Marcos Rodriguez)
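The entry above describes the classic shape of an authenticated SQL injection: a request parameter that the application splices into a query. The following Python/SQLite example is added here to illustrate that bug class beside its fix; it is not Forma LMS code, and the course and users tables, their rows, and the way the parameter is modelled as a plain string are all constructed for the demo.

```python
"""Authenticated SQL injection: string-built query beside its parameterized form.

Added illustration of the bug class, not Forma LMS code. The 'course' and
'users' tables and their rows are constructed for the demo, and the request
parameter is modelled as a plain string argument.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE course(id INTEGER, name TEXT, owner TEXT);
        INSERT INTO course VALUES (1, 'Onboarding', 'alice');
        INSERT INTO course VALUES (2, 'Export compliance', 'bob');
        INSERT INTO course VALUES (3, 'Board-only briefing', 'ceo');
        CREATE TABLE users(login TEXT, pw_hash TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-hash-value');
        """
    )
    return conn


def course_names_vulnerable(conn, user: str, course_id: str):
    """The request parameter is spliced into the SQL text.

    Being 'authenticated' only limits who can reach this code (user comes
    from the session); it does nothing to limit what the parameter can make
    the database execute.
    """
    sql = (f"SELECT name FROM course WHERE owner = '{user}' "
           f"AND id = {course_id}")
    return [row[0] for row in conn.execute(sql)]


def course_names_safe(conn, user: str, course_id: str):
    """Bound parameters stay data: the database never parses them as SQL.

    In a real handler you would additionally reject anything that is not an
    integer before it reaches the query.
    """
    sql = "SELECT name FROM course WHERE owner = ? AND id = ?"
    return [row[0] for row in conn.execute(sql, (user, course_id))]


if __name__ == "__main__":
    db = make_db()
    for payload in ("1", "1 OR 1=1", "0 UNION SELECT pw_hash FROM users"):
        print(repr(payload),
              course_names_vulnerable(db, "alice", payload),
              course_names_safe(db, "alice", payload))
```

Run stand-alone, the script shows the same three payloads against both functions: the tautology returns every owner's courses and the UNION pulls the password hash from an unrelated table through the string-built query, while the parameterized query returns nothing for either payload.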
Title: Accusoft ImageGear PNG IHDR width code execution vulnerability
Description: Accusoft ImageGear contains two remote code execution vulnerabilities; the one highlighted here is triggered when the library parses the width field of a PNG IHDR chunk. ImageGear is a document-imaging developer toolkit from Accusoft that covers the entire document-imaging lifecycle, so any application built on the library that processes untrusted images inherits these bugs.
Reference: https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-accusoft-PNG-dec-19.html
Snort SIDs: 3132, 32889, 50806, 50807, 51530, 51531, 52033, 52034 (By Kristen Houser and Mike Bautista)
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
French officials say they are still considering a response to a cyber attack on a public hospital, including a possible “hack back.”
https://www.bloomberg.com/news/articles/2019-11-28/france-not-ruling-out-response-to-cyber-attack-on-hospital
RCS, which is meant to be a replacement for SMS messages, is open to a series of attacks, including text message and call interception, and number spoofing.
https://www.vice.com/en_us/article/j5ywxb/rcs-rich-communications-services-text-call-interception
A popular website among hackers that sold spying tools was taken down after an international investigation. The British government says the site sold these tools to more than 14,500 people.
https://www.bbc.com/news/technology-50601905
A Canadian court is allowing convicted criminals to challenge their sentences if they were apprehended using a controversial cell phone tracking tool used by police.
https://nationalpost.com/news/canada/alberta-judge-allows-defence-lawyers-to-shine-a-light-on-police-use-of-stingray-technology
Spyware vendor Hacking Team is making a comeback under new ownership, which says it aims to ensure the company's tools aren't abused.
https://www.technologyreview.com/s/614767/the-fall-and-rise-of-a-spyware-empire/
Louisiana is still recovering from a ransomware attack, with delays coming to the state’s Medicaid program and workers scrambling to recover lost data.
https://arstechnica.com/information-technology/2019/11/hackers-paradise-louisianas-ransomware-disaster-far-from-over/
Hackers used credential-stuffing attacks immediately after the launch of the Disney+ streaming service to take over users’ accounts, but Disney still maintains there was not a data breach.
https://www.cpomagazine.com/cyber-security/new-disney-plus-streaming-service-hit-by-credential-stuffing-cyber-attack/
A cyber security activist hopes a new lawsuit will make public a list of electric companies that have failed to meet security standards in the past and have paid fines for their lack of protections.
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/12/03/the-cybersecurity-202-activist-wants-court-to-name-and-shame-electric-utilities-for-violating-cybersecurity-rules/5de550bf88e0fa652bbbdb18/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation work. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2019-5434
Title: Revive Adserver Remote Code Execution Vulnerability
Vendor: revive-sas
Description: An attacker could send a specially crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the “what” parameter of the “openads.spc” RPC method. This can be used to perform various attacks, e.g. to exploit serialize-related PHP vulnerabilities or to perform PHP object injection.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2019-11932
Title: Android-Gif-Drawable WhatsApp Double Free Vulnerability
Vendor: WhatsApp
Description: A double free vulnerability exists in the DDGifSlurp function in decoding.c in libpl_droidsonroids_gif, as used in WhatsApp for Android. The vulnerability allows remote attackers to execute arbitrary code or cause a denial of service.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2019-10092
Title: Apache Httpd mod_proxy Error Page Cross-Site Scripting Vulnerability
Vendor: Multi-Vendor
Description: A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed so that it points to a page of their choice. This is only exploitable where a server has proxying enabled but is misconfigured in such a way that the Proxy Error page is displayed.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
ID: CVE-2019-11539
Title: Pulse Secure VPN Arbitrary Command Execution Vulnerability
Vendor: Pulse Secure
Description: The Pulse Secure VPN admin web interface allows an authenticated administrator to inject and execute arbitrary commands on the appliance. The wider list of impacts in the original report covers the batch of Pulse Secure issues disclosed together with this one: reading arbitrary files in the context of the application, writing arbitrary files, hijacking an arbitrary session to gain unauthorized access, executing arbitrary script code in the browser of an unsuspecting user in the context of the affected site, obtaining sensitive information, and executing arbitrary code in the context of the application. This CVE itself is the authenticated command injection, so admin credentials (or another issue that yields them) are the prerequisite.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
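Command injection in an administrative web handler usually comes down to one pattern: a request value interpolated into a shell command line. The Python example below is added here to show that pattern beside its two-layer fix (argv execution with no shell, plus allow-list validation); it is a generic illustration of the bug class, not Pulse Secure code. The hostname parameter, the allow-list regex and the use of echo as a stand-in for a real diagnostic command are constructed for the demo.

```python
"""Command injection: shell-interpolated value beside argv execution with validation.

Added illustration of the bug class, not Pulse Secure code. 'echo' stands in
for a real diagnostic command; the hostname parameter and regex are assumed.
"""
import re
import subprocess

# Conservative allow-list for a hostname parameter (assumed for the demo).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def diag_vulnerable(host: str) -> str:
    """Interpolates the admin-supplied value into a shell command line.

    With shell=True the string is handed to /bin/sh, so ';', '|', '$(...)' and
    friends in the parameter become new commands.
    """
    cmd = f"echo probing {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def diag_argv(host: str) -> str:
    """Passes an argv list: no shell ever parses the value, so metacharacters
    reach the program as literal bytes. The value is still unvalidated."""
    return subprocess.run(["echo", "probing", host],
                          capture_output=True, text=True).stdout


def diag_safe(host: str) -> str:
    """Allow-list validation first, then argv execution."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname parameter: {host!r}")
    return diag_argv(host)


if __name__ == "__main__":
    payload = "example.test; echo INJECTED"
    print("vulnerable:", repr(diag_vulnerable(payload)))
    print("argv only :", repr(diag_argv(payload)))
    try:
        diag_safe(payload)
    except ValueError as exc:
        print("safe      :", exc)
```

Run stand-alone, the vulnerable path prints a second line, INJECTED, produced by the injected command; the argv path echoes the whole payload as one literal argument; the validated path rejects it before anything runs.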
ID: CVE-2019-3568
Title: WhatsApp VOIP stack buffer overflow vulnerability
Vendor: WhatsApp
Description: A buffer overflow in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of RTCP packets sent to a target phone number. Attackers can exploit this issue to execute arbitrary code within the context of the affected application; failed exploit attempts result in a denial-of-service condition.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
MOST PREVALENT MALWARE FILES November 28 - December 5, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
MD5: c5608e40f6f47ad84e2985804957c342
VirusTotal: https://www.virustotal.com/gui/file/f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd
SHA 256: a97e5396d7dcd103138747ad09486671321fb75e01a70b26c908e7e0b727fad1
MD5: ef048c07855b3ef98bd991c413bc73b1
VirusTotal: https://www.virustotal.com/gui/file/a97e5396d7dcd103138747ad09486671321fb75e01a70b26c908e7e0b727fad1/details
Typical Filename: xme64-501.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Razy::tpd
SHA 256: 49b9736191fdb2eb62b48e8a093418a2947e8d288f39b98d65a903c2ae6eb8f5
MD5: df432f05996cdd0973b3ceb48992c5ce
VirusTotal: https://www.virustotal.com/gui/file/49b9736191fdb2eb62b48e8a093418a2947e8d288f39b98d65a903c2ae6eb8f5/details
Typical Filename: xme32-501-gcc.exe
Claimed Product: N/A
Detection Name: W32.49B9736191-100.SBX.TG
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6
MD5: f7145b132e23e3a55d2269a008395034
VirusTotal: https://www.virustotal.com/gui/file/8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6/details
Typical Filename: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6.bin
Claimed Product: N/A
Detection Name: Unix.Exploit.Lotoor::other.talos
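The list above is meant to be used as a set of file-hash indicators. The Python script below is added here to show how to turn it into one: it parses the newsletter's own "SHA 256:" / "MD5:" / "Detection Name:" line format, hashes files on disk in a streaming fashion, and reports matches. It is not Talos tooling. The embedded block copies two entries from the list above; the files it scans are constructed in a temporary directory, and a stand-in "bad" file is hashed and added to the indicator set at run time so the match path executes offline without the real samples.

```python
"""Parse the newsletter's hash list and match files on disk against it.

Added example, not Talos tooling. NEWSLETTER_BLOCK copies two entries from the
list above; the scanned files and the extra 'Constructed.Test' indicator are
created at run time so the demo works without the real samples.
"""
import hashlib
import tempfile
from pathlib import Path

NEWSLETTER_BLOCK = """\
SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
MD5: c5608e40f6f47ad84e2985804957c342
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd
SHA 256: a97e5396d7dcd103138747ad09486671321fb75e01a70b26c908e7e0b727fad1
MD5: ef048c07855b3ef98bd991c413bc73b1
Typical Filename: xme64-501.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Razy::tpd
"""


def parse_ioc_block(text: str):
    """One record per sample from 'SHA 256:' / 'MD5:' / 'Detection Name:' lines.

    Splits on the first ':' only, so values containing colons (VirusTotal URLs,
    'Razy::tpd') survive; a 'SHA 256' line starts a new record.
    """
    records, cur = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "SHA 256":
            cur = {"sha256": value.lower(), "md5": None,
                   "detection": None, "filename": None}
            records.append(cur)
        elif cur is not None and key == "MD5":
            cur["md5"] = value.lower()
        elif cur is not None and key == "Detection Name":
            cur["detection"] = value
        elif cur is not None and key == "Typical Filename":
            cur["filename"] = value
    return records


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 and MD5 of a file, streamed so large binaries are not read into memory."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            sha.update(block)
            md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def scan(root, records):
    """Hash every file under root; return (path, matched_on, detection) for known-bad hashes."""
    by_sha = {r["sha256"]: r for r in records}
    by_md5 = {r["md5"]: r for r in records if r["md5"]}
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        sha, md5 = hash_file(p)
        if sha in by_sha:
            hits.append((str(p), "sha256", by_sha[sha]["detection"]))
        elif md5 in by_md5:
            # MD5 is collision-prone; an MD5-only hit deserves a second look.
            hits.append((str(p), "md5", by_md5[md5]["detection"]))
    return hits


def demo():
    """Offline run over constructed files; the stand-in 'bad' file is hashed and
    added to the indicator set so the match path actually executes."""
    records = parse_ioc_block(NEWSLETTER_BLOCK)
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "FlashHelperServices.exe"
        bad.write_bytes(b"constructed stand-in; not the real sample")
        (Path(tmp) / "readme.txt").write_bytes(b"benign file")
        sha, md5 = hash_file(bad)
        records = records + [{"sha256": sha, "md5": md5,
                              "detection": "Constructed.Test",
                              "filename": bad.name}]
        return scan(tmp, records)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Matching on SHA-256 first and falling back to MD5 mirrors how the list is published: both digests are given, but only the SHA-256 is collision-resistant enough to treat as a positive identification on its own. Hashes are also the weakest indicator tier, since any recompilation or repacking defeats them; the typical filenames above are useful hunting context but are not indicators by themselves.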