@RISK Newsletter for May 20, 2021
The consensus security vulnerability alert.
Vol. 21, Num. 20
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES May 20-27, 2021
TOP VULNERABILITY THIS WEEK: Wormable Microsoft vulnerability could also affect Windows Remote Management
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Researchers find POC for wormable vulnerability in Microsoft Windows HTTP protocol stack
Description: A recently discovered wormable vulnerability in the Windows HTTP protocol stack could also be used to target unpatched Windows 10 and Server systems that publicly expose the Windows Remote Management (WinRM) service. Last week, a security researcher released POC code for the vulnerability, which was patched in this month’s Microsoft security update. The vulnerability only affects WinRM on Windows 10 systems if a user has manually enabled it, but enterprise Windows Server endpoints have it turned on by default. This potentially increases the attack surface for any adversary that uses the vulnerability to spread a ransomware attack, as they could move quickly across the targeted environment. Microsoft has urged users to update their affected products as soon as possible.
Reference: https://www.bleepingcomputer.com/news/security/wormable-windows-http-vulnerability-also-affects-winrm-servers/
Snort SIDs: 57605
Title: Heap-based buffer overflow in Google Chrome could lead to code execution
Description: Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Google Chrome. CVE-2021-21160 is a buffer overflow vulnerability in Chrome’s AudioDelay function that could allow an adversary to execute remote code. An attacker could exploit this vulnerability by tricking a user into visiting a specially crafted HTML page in Chrome. Proper heap grooming can give the attacker full control of this heap overflow, which could allow the bug to be turned into arbitrary code execution.
Reference: https://blog.talosintelligence.com/2021/05/vuln-spotlight-google-chrome-heap.html
Snort SIDs: 57057, 57058
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Apple released iOS 14.6 to address more than 40 security issues affecting iPhone, iPad, and iPod Touch.
https://gizmodo.com/update-your-iphone-to-ios-14-6-now-for-major-security-f-1846958391
Apple also released an update for macOS that addresses several vulnerabilities that are being actively exploited.
https://techcrunch.com/2021/05/24/malware-xcsset-macos/
Ireland’s health care system is still recovering from a massive ransomware attack that has prevented access to patient records and resulted in cancellations of routine appointments.
https://abcnews.go.com/International/10-days-ransomware-attack-irish-health-system-struggling/story?id=77876092
A bill introduced in the US Senate would grant users greater control over their data online.
https://www.theverge.com/2021/5/20/22444515/amy-klobuchar-data-privacy-protection-facebook-state-laws
Air India says that personal information belonging to more than 4.5 million customers was compromised in a data breach affecting the airline’s data processor, SITA.
https://www.reuters.com/world/india/air-india-says-februarys-data-breach-affected-45-mln-passengers-2021-05-21/
Global insurance company AXA’s decision to stop writing policies that cover ransomware payments for clients in France may be an indication the insurance industry is acknowledging that paying ransomware demands fuels more attacks.
https://www.darkreading.com/risk/cyber-insurance-firms-start-tapping-out-as-ransomware-continues-to-rise/d/d-id/1341109
The SolarWinds CEO recently said the company saw evidence of a potential intrusion into its networks as early as January 2019, eight months before the previously disclosed date of September 2019.
https://www.cyberscoop.com/solarwinds-ceo-reveals-much-earlier-hack-timeline-regrets-company-blaming-intern/
Microsoft announced it will retire its Internet Explorer web browser in June 2022.
https://techcrunch.com/2021/05/20/so-long-internet-explorer-and-your-decades-of-security-bugs/
Newly detected disk-wiping malware is disguising itself as ransomware and infecting Israeli targets.
https://arstechnica.com/gadgets/2021/05/disk-wiping-malware-with-irananian-fingerprints-is-striking-israeli-targets/
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2021-33509
Title: Privilege Escalation Vulnerability in Plone
Vendor: Plone
Description: Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.
CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2017-10818
Title: Weak Authentication Vulnerability in MaLion
Vendor: Intercom
Description: MaLion for Windows and Mac versions 3.2.1 to 5.2.1 uses a hardcoded cryptographic key which may allow an attacker to alter the connection settings of Terminal Agent and spoof the Relay Service.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2018-14718
Title: Remote Code Execution Vulnerability in FasterXML Data Bind
Vendor: Oracle, Redhat, NetApp, FasterXML, Debian
Description: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-27135
Title: Denial of Service Vulnerability in xTerm
Vendor: Debian, Fedora Project, Invisible-Island
Description: xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-36326
Title: Object Injection Vulnerability in PHPMailer
Vendor: PHPmailer_project
Description: PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-26583
Title: Remote Code Execution Vulnerability in HP Amplifier Pack
Vendor: HP
Description: A potential security vulnerability was identified in HPE iLO Amplifier Pack. The vulnerability could be remotely exploited to allow remote code execution.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-13873
Title: SQL Injection Vulnerability in Codologic
Vendor: Codologic
Description: A SQL Injection vulnerability in get_topic_info() in sys/CODOF/Forum/Topic.php in Codoforum before 4.9 allows remote attackers (pre-authentication) to bypass the admin page via a leaked password-reset token of the admin. (As an admin, an attacker can upload a PHP shell and execute remote code on the operating system.)
MOST PREVALENT MALWARE FILES May 20-27, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 7263ec6afa49dcb11ab9e3ee7e453e26b9ba91c3f8a440bcab3b92048175eb33
MD5: 29c8ba0d89a9265c270985b02572e693
VirusTotal: https://www.virustotal.com/gui/file/7263ec6afa49dcb11ab9e3ee7e453e26b9ba91c3f8a440bcab3b92048175eb33/details
Typical Filename: 29C8BA0D89A9265C270985B02572E693.mlw
Claimed Product: N/A
Detection Name: W32.7263EC6AFA.smokeloader.in11.Talos
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: d88b26b3699c3b02f8be712552185533d77d7866f1a9a723c1fbc40cdfc2287d
MD5: 4dd358e4af31fb9bf83c2078cd874ff4
VirusTotal: https://www.virustotal.com/gui/file/d88b26b3699c3b02f8be712552185533d77d7866f1a9a723c1fbc40cdfc2287d/details
Typical Filename: smbscanlocal1805.exe
Claimed Product: N/A
Detection Name: Auto.D88B26B369.241855.in07.Talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd