@RISK Newsletter for March 18, 2021
The consensus security vulnerability alert.
Vol. 21, Num. 11
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES March 18-25, 2021
TOP VULNERABILITY THIS WEEK: NETGEAR discloses critical vulnerabilities in some switches
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Vulnerabilities in line of NETGEAR switches could lead to remote code execution
Description: NETGEAR disclosed multiple vulnerabilities, some of them considered critical, in two of its ProSAFE Plus networking switches. An adversary could exploit these vulnerabilities to execute code on the affected devices without authentication. NETGEAR could not fix five high-risk vulnerabilities due to “system-on-chip CPU and memory limitations of the switches.” However, an attacker could only exploit these vulnerabilities if the switches have Plus Utility enabled — a feature that’s been disabled by default since 2019. One of the most serious vulnerabilities, CVE-2020-35231, allows an attacker to bypass NSDP authentication, potentially allowing them to execute management actions on the device or wipe its configuration via a factory reset.
References: https://kb.netgear.com/000062993/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-ProSAFE-Plus-Switches
Snort SIDs: 57332 - 57334
Title: Attacks spike against F5 BIG-IP and BIG-IQ vulnerabilities
Description: Attackers are actively exploiting a critical vulnerability in F5 devices that could lead to remote code execution. F5 disclosed and patched the flaws earlier this month, but many devices remain unpatched. The unauthenticated remote command execution vulnerability exists in the F5 BIG-IP and BIG-IQ enterprise networking infrastructure. An attacker could exploit this flaw to fully take over a vulnerable system. Proof-of-concept exploit code made its way onto GitHub shortly after the vulnerability was disclosed, and security researchers say attackers are scanning for unpatched targets. The U.S. Cybersecurity and Infrastructure Security Agency also released a warning over the weekend urging users to patch as soon as possible.
Reference: https://threatpost.com/critical-f5-big-ip-flaw-now-under-active-attack/164940/
Snort SIDs: 57336, 57337
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
A security researcher discovered multiple vulnerabilities in the TikTok app for Android that could be chained together to give an attacker remote code execution privileges.
https://medium.com/@dPhoeniixx/tiktok-for-android-1-click-rce-240266e78105
An attempt to poison a town’s water system in Florida in February is just the tip of the iceberg when it comes to the threats American public utilities face from potential cyber attacks.
https://www.propublica.org/article/hacking-water-systems
The CEOs of Facebook, Twitter and Google are scheduled to testify on Thursday, March 24, in front of the U.S. House subcommittees to discuss their efforts to combat disinformation.
https://news.bloomberglaw.com/tech-and-telecom-law/house-to-confront-tech-ceos-over-online-spread-of-false-info
Several tech CEOs, government officials and security experts are working on various solutions to combat ransomware gangs.
https://www.cyberscoop.com/ransomware-attacks-global-hacks-diplomacy/
A Russian man has pleaded guilty to trying to recruit a Tesla employee to place malware on the company’s networks.
https://therecord.media/russian-who-tried-to-hack-tesla-last-summer-pleads-guilty/
Email giant Mimecast says attackers stole source code, certificates, and customer server connection datasets as part of the recent massive SolarWinds supply chain attack.
https://www.zdnet.com/article/mimecast-reveals-source-code-theft-in-solarwinds-hack/
Michigan’s Flagstar bank is now warning some customers that it lost their Social Security numbers and other personal information in a recent ransomware attack; Flagstar had previously revealed that employees’ information was compromised.
https://www.vice.com/en/article/xgznxw/ransomwared-bank-tells-customers-it-lost-their-ssns
Attackers are trying to infect iOS developers’ computers with malware by hiding it in a maliciously crafted Xcode project.
https://arstechnica.com/gadgets/2021/03/attackers-are-trying-awfully-hard-to-backdoor-ios-developers-macs/
The U.K.’s top cybersecurity office has issued an alert warning of an increase in ransomware attacks targeting the education sector and offering advice for protecting networks.
https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2021-27185
Title: Command Injection Vulnerability in Samba Client
Vendor: Samba
Description: The samba-client package before 4.0.0 for Node.js allows command injection because of the use of process.exec.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-26987
Title: Remote Code Execution in SpringBoot Framework
Vendor: Netapp, Pivotal Software
Description: Element Plug-in for vCenter Server incorporates SpringBoot Framework. SpringBoot Framework versions prior to 1.3.2 are susceptible to a vulnerability which when successfully exploited could lead to Remote Code Execution. All versions of Element Plug-in for vCenter Server, Management Services versions prior to 2.17.56 and Management Node versions through 12.2 contain vulnerable versions of SpringBoot Framework.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-24148
Title: Authentication Bypass Vulnerability in WP Plugin
Vendor: Inspireui
Description: A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-22848
Title: SQL Injection Vulnerability in HGiga Mail
Vendor: Hgiga
Description: HGiga MailSherlock contains a SQL Injection. Remote attackers can inject SQL syntax and execute SQL commands in a URL parameter of email pages without privilege.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-13576
Title: Remote Code Execution Vulnerability in Genivia gSOAP
Vendor: Genivia
Description: A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-21150
Title: Improper Memory Read Vulnerability in Google Chrome
Vendor: Google
Description: Use after free in Downloads in Google Chrome on Windows prior to 88.0.4324.182 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVSS v3.1 Base Score: 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
ID: CVE-2021-20218
Title: Unrestricted Path Traversal Vulnerability in Kubernetes Client
Vendor: Redhat
Description: A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client copy command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2, kubernetes-client-5.0.2, kubernetes-client-4.11.2 and kubernetes-client-4.7.2.
CVSS v3.1 Base Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
ID: CVE-2020-27861
Title: Arbitrary Code Execution Vulnerability in Netgear Orbi Routers
Vendor: Netgear
Description: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Orbi 2.5.1.16 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UA_Parser utility. A crafted Host Name option in a DHCP request can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of root.
CVSS v3.1 Base Score: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
MOST PREVALENT MALWARE FILES March 18-25, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 5901ce0f36a875e03e4d5e13e728a2724b8eff3c61cc24eb810be3df7508997f
MD5: b8a582da0ad22721a8f66db0a7845bed
VirusTotal: https://www.virustotal.com/gui/file/5901ce0f36a875e03e4d5e13e728a2724b8eff3c61cc24eb810be3df7508997f/details
Typical Filename: flashhelperservice.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Auto:5901ce0f36.in03.Talos