@RISK Newsletter for February 04, 2021
The consensus security vulnerability alert.
Vol. 21, Num. 05
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES February 4-11, 2021
TOP VULNERABILITY THIS WEEK: Microsoft Patch Tuesday
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft discloses fewest vulnerabilities in a month since Jan. 2020
Description: Microsoft released its monthly security update Tuesday, disclosing 56 vulnerabilities across its suite of products. This is the smallest number of vulnerabilities Microsoft has disclosed in a month since January 2020. There are only 11 critical vulnerabilities as part of this release, while three are rated moderate severity, and the remainder are considered “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The security updates cover several different products and services, including the Microsoft Office suite of products, the Windows DNS server and the SharePoint file-sharing service.
References: https://blog.talosintelligence.com/2021/02/microsoft-patch-tuesday-for-feb-2021.html
Snort SIDs: 57103, 57104, 57106 - 57108, 57123, 57128
Title: Cisco VPN routers open to remote attacks
Description: Cisco disclosed multiple vulnerabilities in some of its RV series routers designed for use as small business VPNs. An adversary could exploit any of these flaws to view or manipulate data on the targeted device and perform other unauthorized actions. These routers have a VPN function built into them and are purpose-built for small and medium-sized businesses or as a way for users to access their office’s network remotely. The vulnerabilities exist in the way the routers validate HTTP requests in their management interface. An attacker could exploit these vulnerabilities by sending a specially crafted HTTP request to the targeted device and then gain the ability to execute arbitrary code as a root user.
Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv160-260-rce-XZeFkNHf
Snort SIDs: 57065, 57068 - 57070, 57072 - 57095
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Instagram is cracking down on a group of users known for using a variety of tactics to steal high-profile usernames on the social media app.
https://www.vice.com/en/article/g5b3y4/instagram-unmasks-ogusers-cease-and-desist
Canada’s privacy commissioners say that Clearview AI facial recognition technology amounts to mass surveillance and has asked the company to remove all images of Canadians from its database.
https://www.theverge.com/2021/2/4/22266055/clearview-facial-recognition-illegal-mass-surveillance-canada-privacy
Minneapolis police have obtained a warrant ordering Google to provide them with account data to identify individuals who were in the vicinity of vandalism and violence during May 2020 protests in that city.
https://techcrunch.com/2021/02/06/minneapolis-protests-geofence-warrant/
A threat actor published extensive patient data stolen from two major U.S. hospital chains.
https://www.scmagazine.com/home/security-news/ransomware/conti-ransomware-gang-tied-to-latest-attacks-on-hospitals-in-florida-and-texas/
Polish video game developer CD Projekt Red suffered a ransomware attack, with attackers stealing company data and the source code for two popular games, “Witcher 3” and “Cyberpunk 2077.”
https://www.ign.com/articles/cd-project-red-hack-cyberpunk-2077-witcher-3-source-code-ransomware
Microsoft warned users that even though the Emotet botnet has been severely hampered by a recent international law enforcement campaign, they should keep protections in place to defend against the infamous threat.
https://www.bleepingcomputer.com/news/security/microsoft-keep-your-guard-up-even-after-emotet-s-disruption/
Google blocked a popular tab-saving extension from its store after it was found to contain malware.
https://gizmodo.com/chrome-delisted-the-great-suspender-extension-but-dont-1846202554
French network security company Stormshield says it was recently the victim of a breach, which included the theft of some of the company’s source code.
https://www.zdnet.com/article/security-firm-stormshield-discloses-data-breach-theft-of-source-code/
A United Nations panel says North Korea is still relying on cyber attacks to fund the development and updates of its nuclear and ballistic weapons programs.
https://apnews.com/article/technology-global-trade-nuclear-weapons-north-korea-coronavirus-pandemic-19f536cac4a84780f54a3279ef707b33
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2021-3156
Title: Heap-Based Buffer Overflow in Sudo
Vendor: sudo_project and Multiple Vendors
Description: Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via “sudoedit -s” and a command-line argument that ends with a single backslash character.
CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-26843
Title: Denial of Service Vulnerability in sthttpd
Vendor: sthttpd_project
Description: This is an issue in sthttpd through 2.27.1. On systems where the strcpy function is implemented with memcpy, the de_dotdot function may cause a Denial-of-Service (daemon crash) due to overlapping memory ranges being passed to memcpy. This can be triggered with an HTTP GET request for a crafted filename.
CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
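The overlapping-copy hazard in the sthttpd entry above is easier to see in code. The following is an added example, not sthttpd's own de_dotdot implementation: a path normalizer that removes "." and ".." segments in place and does every shift with memmove, which is defined for overlapping ranges, where a strcpy implemented on top of memcpy is not. The function names collapse_dotdot and collapses_to and the sample request paths are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not sthttpd's own de_dotdot): normalise a request path in
 * place by removing "/./" and "seg/../" elements and any leading "../".
 * Every shift is done with memmove, which is defined for overlapping source
 * and destination ranges. Using strcpy here would be undefined behaviour,
 * and on a libc whose strcpy is built on memcpy it is the crash that the
 * CVE-2021-26843 description points to. */
void collapse_dotdot(char *path)
{
    char *p;

    /* "a/./b" -> "a/b": drop the two bytes "./" that follow the slash. */
    while ((p = strstr(path, "/./")) != NULL)
        memmove(p, p + 2, strlen(p + 2) + 1);

    /* "a/b/../c" -> "a/c": find the start of the segment before "/../"
     * and move everything after "/../" down onto it. */
    while ((p = strstr(path, "/../")) != NULL) {
        char *seg = p;
        while (seg > path && seg[-1] != '/')
            seg--;
        memmove(seg, p + 4, strlen(p + 4) + 1);
    }

    /* "../../etc" -> "etc": anything trying to climb above the document
     * root is simply discarded. */
    while (strncmp(path, "../", 3) == 0)
        memmove(path, path + 3, strlen(path + 3) + 1);
}

/* Check helper: copy the constant input into a writable buffer, normalise
 * it and compare with the expected result. Returns 1 on a match. */
int collapses_to(const char *in, const char *want)
{
    char buf[256];

    snprintf(buf, sizeof buf, "%s", in);
    collapse_dotdot(buf);
    return strcmp(buf, want) == 0;
}

int main(void)
{
    /* Constructed sample request paths. */
    const char *samples[] = {
        "a/./b/../c",
        "a/b/c/../../d",
        "../../etc/passwd",
        "plain/file.html",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[256];
        snprintf(buf, sizeof buf, "%s", samples[i]);
        collapse_dotdot(buf);
        printf("%-20s -> %s\n", samples[i], buf);
    }
    return 0;
}
```

The normalizer only deals with the textual segments; a server would still percent-decode the request target before calling it and resolve the result against the document root afterwards, so that symlinks and case-folding filesystems cannot undo the check.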
ID: CVE-2021-3378
Title: Arbitrary File Upload Vulnerability in FortiLogger
Vendor: FortiLogger
Description: FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a “Content-Type: image/png” header to Config/SaveUploadedHotspotLogoFile and then visiting Assets/temp/hotspot/img/logohotspot.asp.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-25274
Title: Remote Code Execution Vulnerability in SolarWinds
Vendor: SolarWinds
Description: The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn’t set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. Additionally, upon processing of such messages, the service deserializes them in an insecure manner, allowing remote arbitrary code execution as LocalSystem.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-25646
Title: Remote Code Execution Vulnerability in Apache Druid
Vendor: Apache
Description: Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-21261
Title: Arbitrary Code Execution Vulnerability in Flatpak
Vendor: Flatpak
Description: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. This vulnerability in the flatpak-portal service can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (flatpak-portal, also known by its D-Bus service name org.freedesktop.portal.Flatpak) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the flatpak run command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the flatpak run command, and use them to execute arbitrary code that is not in a sandbox.
CVSS v3.1 Base Score: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2021-23926
Title: XML Entity Expansion Vulnerability in Apache XMLBeans
Vendor: Apache
Description: This vulnerability exists in XML parsers used by XMLBeans up to version 2.6.0. The XML parsers did not set the properties needed to protect the user from malicious XML input. Hence, the resulting vulnerabilities include possibilities for XML Entity Expansion attacks.
CVSS v3.1 Base Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
ID: CVE-2020-6779
Title: Weak Authentication Vulnerability in Bosch Products Database
Vendor: Bosch
Description: Use of hard-coded credentials in the database of Bosch FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows an unauthenticated remote attacker to log into the database with admin privileges. This may result in complete compromise of the confidentiality and integrity of the stored data as well as a high availability impact on the database itself. In addition, an attacker may execute arbitrary commands on the underlying operating system.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES February 4-11, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b
MD5: f37167c1e62e78b0a222b8cc18c20ba7
VirusTotal: https://www.virustotal.com/gui/file/4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b/details
Typical Filename: flashhelperservice.exe
Claimed Product: Flash Helper Service
Detection Name: W32.4647F1A085.in12.Talos
SHA 256: 1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f
MD5: 88781be104a4dcb13846189a2b1ea055
VirusTotal: https://www.virustotal.com/gui/file/1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f/details
Typical Filename: ActivityElement.dp
Claimed Product: N/A
Detection Name: Win.Trojan.Generic::sso.talos