Learn How to Thwart Cyber Attackers with Training in San Antonio. Save $200 thru 4/24.

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

March 21, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                March 21, 2019 - Vol. 19, Num. 12


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES March 14 - 21

============================================================


TOP VULNERABILITY THIS WEEK: Malicious WordPress comments could lead to complete site takeovers


**************** Sponsored By AWS Marketplace **************


AWS Webcast Series: Building a Visibility Strategy in the AWS Cloud, featuring SANS instructor Dave Shackleford. Achieving visibility in the cloud is different than doing so on-prem. In this webcast, learn how to achieve full visibility into your AWS environment using AWS native services and third-party options. March 29, 1 PM ET. Register here: http://www.sans.org/info/211127


============================================================

TRAINING UPDATE

 

-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019


-- SANS London April 2019 | April 8-13 | https://www.sans.org/event/london-april-2019


-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019


-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019


-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019


-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019


-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019


-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019


-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019


-- SANS OnDemand and vLive Training

Get a GIAC Certification Attempt Included or take $350 Off your OnDemand or vLive course. Offer ends April 3.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Check out the SANS Reading Room where more than 75,000 unique visitors read papers every month.  http://www.sans.org/info/211152


2) SURVEY: Are you involved with operational technology and ICS? Take 10 minutes to complete the State of OT/ICS Cybersecurity Survey and enter for a chance to win a $400 Amazon gift card http://www.sans.org/info/211157


3) What does it take to establish a successful security operations program? Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card.

http://www.sans.org/info/211162


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Latest WordPress version fixes critical vulnerability

Description: The latest update from WordPress fixes a critical vulnerability that could allow an attacker to completely take over a site. The bug opened sites to be attacked via malicious comments that contain cross-site scripting if sites had the comments module enabled. Around 20,000 sites have already been impacted by this exploit.

Reference: https://www.bleepingcomputer.com/news/security/wordpress-511-fixes-xss-vulnerability-leading-to-website-takeovers/

Snort SIDs: 49448


Title: Multiple vulnerabilities in CUJO Smart Firewall, Das U-Boot, OCTEON SDK, Webroot BrightCloud

Description: Cisco Talos recently discovered 11 vulnerabilities in the CUJO Smart Firewall. These vulnerabilities could allow an attacker to bypass the safe browsing function and completely take control of the device, either by executing arbitrary code in the context of the root account, or by uploading and executing unsigned kernels on affected systems.

Reference: https://blog.talosintelligence.com/2019/03/vuln-spotlight-cujo.html

Snort SIDs: 47234, 47663, 47809, 47811, 47842, 48261, 48262


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Several high-profile companies may have issued 1 million digital certificates that do not actually meet industry requirements.

https://arstechnica.com/information-technology/2019/03/godaddy-apple-and-google-goof-results-in-1-million-misissued-certificates/


U.S. immigration agents have access to a database of American citizens location based on their license plate number.

https://www.aclunc.org/blog/documents-reveal-ice-using-driver-location-data-local-police-deportations


The U.S. Department of Defense is working on a $10 million open-source voting system that would deter attacks and also allow voters to check that their votes were counted correctly.

https://motherboard.vice.com/en_us/article/yw84q7/darpa-is-building-a-dollar10-million-open-source-secure-voting-system


Norwegian aluminum company Norsk Hydro had their operations interrupted in the U.S. and Europe due to a ransomware attack.

https://www.bloomberg.com/news/articles/2019-03-19/norsk-hydro-ransomware-attack-is-severe-but-all-too-common


Germany is considering legislation that would impose harsh punishment on people who provided digital infrastructure for illegal online activities.

https://www.zdnet.com/article/dark-web-crackdown-germans-want-to-criminalize-anyone-providing-a-platform/


Google made its Sandboxed API open-source to help developers create more secure software.

https://www.securityweek.com/google-open-sources-sandboxed-api


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:     CVE-2018-1335

Title:     Apache Tika-server Command Injection Vulnerability

Vendor: Apache

Description:  Apache Tika is prone to a remote command-injection vulnerability, where clients could send carefully crafted headers that could be used to inject commands into the command line of the server running tika-server. An attacker may exploit this issue to inject and execute arbitrary code within the context of the affected application; this may aid in further attacks.

CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


ID:     CVE-2019-0541

Title:     Microsoft Windows MSHTML Remote Code Execution Vulnerability

Vendor: Microsoft

Description:  A remote code execution vulnerability exists in the way that the MSHTML engine improperly validates input.

Successful exploitation of the vulnerability can lead to arbitrary code execution within the context of the current user. This affects Microsoft Office, Microsoft Office Word Viewer, Internet Explorer 9, Internet Explorer 11, Microsoft Excel Viewer, Internet Explorer 10, Office 365 ProPlus.

CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


ID:     CVE-2019-9787

Title:     WordPress Remote Code Execution Vulnerability

Vendor: WordPress

Description:  WordPress is exposed to a remote code execution vulnerability where it does not properly filter comment content. This occurs because CSRF protection is mishandled, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. Attackers can exploit this issue to execute arbitrary code in the context of the affected application.

CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:     CVE-2019-9740

Title:     Python CRLF Injection Vulnerability

Vendor: Python

Description:  An issue exists in urllib and urllib2 in Python where CRLF injection is possible if the attacker controls a url parameter. An attacker can exploit this issue to add arbitrary headers to a webpage.

CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


ID:     CVE-2019-9741

Title:     Golang Go HTTP response-splitting vulnerability

Vendor: Golang

Description:  Golang Go is exposed to an HTTP response-splitting vulnerability. An issue exists in net/http where CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with rn followed by an HTTP header or a Redis command.

CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


ID:     CVE-2019-9020, CVE-2019-9021, CVE-2019-9023, CVE-2019-9024

Title:     PHP Information Disclosure and Heap Buffer Overflow Vulnerabilities

Vendor: PHP

Description:  PHP is exposed to information disclosure and heap buffer overflow vulnerabilities due to invalid input to the function xmlrpc_decode(). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c. Successful exploitation allows attackers to execute arbitrary code in the context of the affected application or obtain sensitive information.

CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:     CVE-2019-5511, CVE-2019-5512

Title:     VMware Workstation Multiple Privilege Escalation Vulnerabilities

Vendor: VMWare

Description:  VMware Workstation is exposed to multiple privilege-escalation vulnerabilities. Successful exploitation of this issue may allow the path to the VMX executable, on a Windows host, to be hijacked by a non-administrator leading to elevation of privilege.

CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:     CVE-2019-5418, CVE-2019-5419, CVE-2019-5420

Title:     Ruby on Rails Multiple Security Vulnerabilities

Vendor: Ruby on Rails

Description: Ruby on Rails is exposed to file content disclosure vulnerability in Action View caused by specially crafted accept headers. It is also exposed to a denial of service vulnerability in action view caused by specially crafted accept headers. It is possible to execute remote code execution vulnerability in Rails when in development mode.

CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


=========================================================


MOST PREVALENT MALWARE FILES March 14 - 21:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: aae728ffb953cfcc573c82b63eef7603c9b29c95f42bb032b790d6d51813f7c3

MD5: ee445f9fa6296b611c72bc81d8f6c19a

VirusTotal: https://www.virustotal.com/#/file/aae728ffb953cfcc573c82b63eef7603c9b29c95f42bb032b790d6d51813f7c3/details

Typical Filename: wusa.exe

Claimed Product: Microsoft Windows Operating System

Detection Name: W32.aae728ffb9.Malspam.MRT.Talos


SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044

MD5: b89b37a90d0a080c34bbba0d53bd66df

VirusTotal: https://www.virustotal.com/#/file/46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044/details

Typical Filename: ups.rar

Claimed Product: Orgs ps

Detection Name: W32.GenericKD:Trojangen.22ek.1201


SHA 256: fea935d2d0fb1abadb900f009b4c40bb8a91fd9e25cc76ed4f9dae08960566d5

MD5: bc7fc83ce9762eb97dc28ed1b79a0a10

VirusTotal: https://www.virustotal.com/#/file/fea935d2d0fb1abadb900f009b4c40bb8a91fd9e25cc76ed4f9dae08960566d5/details

Typical Filename: max.exe

Claimed Product: WPS Office

Detection Name: W32.Agent:Malwaregen.22em.1201


SHA 256: dcf0fd2f6cc7b7d6952e8a2a9e31d760c1f60dd6c64bffae0ab8b68384a21e8b

MD5: f22a024b4c98534e8ba7a1c03b0b6132

VirusTotal: https://www.virustotal.com/#/file/dcf0fd2f6cc7b7d6952e8a2a9e31d760c1f60dd6c64bffae0ab8b68384a21e8b/details

Typical Filename: unpacknw.zip

Claimed Product: N/A

Detection Name: Osx.Malware.Bpbw::agent.tht.talos


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir

Claimed Product: N/A

Detection Name: W32.Generic:Gen.21ij.1201


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743