Learn cyber security skills you can implement immediately! Seven courses offered Jan. 20-25 in Anaheim, CA

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

August 29, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

              August 29, 2019 - Vol. 19, Num. 35


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Aug. 22 - 29

============================================================


TOP VULNERABILITY THIS WEEK: Cisco 220 smart switches open to data leak


*************** Sponsored By AWS Marketplace ***************


Securing Applications in AWS. Experts from SANS, AWS and Fortinet explain the differences and similarities between securing cloud-based apps and hosting apps in-house. Learn how to assess your AppSec needs with consideration to AWS Marketplace offerings. Also, find out which tools and best practices you can use to improve the security of your applications. Webcast: Sept. 11, 2:00 PM ET. http://www.sans.org/info/214040

============================================================


TRAINING UPDATE

 

-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019


-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019


-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019


-- SANS DFIR Europe Summit and Training 2019 | Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019


-- SIEM Summit & Training 2019 | Chicago, IL | October 7-14 | https://www.sans.org/event/siem-summit-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- Purple Team Summit & Training 2019 | Dallas, TX | October 21-28 | https://www.sans.org/event/purple-team-summit-2019


-- SANS OnDemand and vLive Training

Get free GIAC Cert Attempt or Take $350 off with OnDemand or vLive training through September 4.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



********************** Sponsored Links: ********************


1) What are the key processes, skills and technologies required for an effective supply chain security program? Register for this webcast: http://www.sans.org/info/214050


2) Take the SANS 2019 Endpoint Survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/214055


3) Webcast September 3rd at 1 PM ET: Getting the Knack of ATT&CK(TM). http://www.sans.org/info/214060


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Nest Cam IQ camera open to takeover, data disclosure

Description: Two vulnerabilities in Cisco's 220 series of smart switches for small businesses could allow an attacker to leak sensitive information or inject malicious code. CVE-2019-1912 could allow an attacker to bypass security checks on the switch and upload arbitrary files. And CVE-2019-1913 opens the switches to a buffer overflow attack, which could be used to gain the ability to remotely execute code on the machine with root privileges.

Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-auth_bypass

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-rce

Snort SIDs: 51293 - 51295 (Written by John Levy), 51298 - 51300 (Written by Amit Raut), 51306 - 51307 (Written by Tim Muniz)

 

Title: Aspose APIs contain bugs that could lead to remote code execution

Description: Attackers are actively exploiting vulnerabilities in the Fortigate and Pulse VPN services to steal encryption keys, passwords and other sensitive data. These campaigns, which started last week, target the Webmin utility for managing Linux and *NIX systems. These are devices in enterprise networks, and the vulnerabilities involved could allow an attacker to take complete control of a system.

Reference: https://www.zdnet.com/article/hackers-mount-attacks-on-webmin-servers-pulse-secure-and-fortinet-vpns/

Snort SIDs: 51240 - 51243 (Written by John Levyu), 51288, 51289 (Written by Joanne Kim)


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Apple repatched a vulnerability in iOS that could allow iPhone users to jailbreak their devices -- a week after a hacker discovered an older patch had been undone.

https://www.cnet.com/news/apple-releases-ios-12-4-1-to-reportedly-fix-iphone-jailbreak/


The U.S. is close to launching a program to focus on protecting the 2020 U.S. presidential election from a ransomware attack.

https://www.cnbc.com/2019/08/26/us-officials-fear-ransomware-attack-against-2020-election.html


An independent security researcher dropped a zero-day vulnerability in Valve's Steam video game launcher after Valve banned him from the company's bug bounty program.

https://www.vice.com/en_us/article/wjwd8n/hacker-drops-steam-zero-day-after-being-banned-from-valve-bug-bounty-program


New emails uncovered between Facebook employees show that the social media giant may have known earlier than initially disclosed about Cambridge Analytica's mishandling of users' data.

https://techcrunch.com/2019/08/23/facebook-really-doesnt-want-you-to-read-these-emails/


Mobile carriers say an agreement with the U.S. government will start cutting down on robocalls, but researchers are skeptical of how effective the rules will be.

https://arstechnica.com/tech-policy/2019/08/us-phone-carriers-make-empty-unenforceable-promises-to-fight-robocalls/


Spammers have started using Google calendar invites as a new form of social engineering.

https://www.cbsnews.com/news/google-calendar-spam-is-on-the-rise-heres-how-to-stop-the-calendar-invite-spam/


Courthouses in Georgia are still using paper records to keep track of criminal cases and traffic citations months after a ransomware attack.

https://www.ajc.com/news/local/courts-across-georgia-struggling-keep-since-cyberattack/ZpresJoKsiNqPWNiQwoTCO/


A recent round of ransomware attacks on cities in Texas could encourage attackers to carry out similar campaigns in the future.

https://www.cnbc.com/2019/08/22/texas-ransomware-attacks-tell-the-us-cybersecurity-story.html

=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2019-11510

Title:    Pulse Secure Arbitrary File Disclosure Vulnerability

Vendor:    Pulse Secure

Description: Pulse Connect Secure is exposed to arbitrary file disclosure vulnerability. An attacker can exploit these issues to access arbitrary files in the context of the application, write arbitrary files, or can send a specially crafted URI to perform an arbitrary file reading vulnerability .

CVSS v2 Base Score:    6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)


ID:        CVE-2019-8605

Title:    Apple MacOS Information Disclosure Vulnerability

Vendor:    Apple

Description: A remote attacker could exploit this vulnerability to cause disclosure of information, unauthorized modification and arbitrary code execution  with system privileges. A malicious application may be able to execute arbitrary code with system privileges," reads the advisory published by Apple. "A use after free issue was addressed with improved memory management." The vulnerability was initially reported by Google Project Zero white hacker Ned Williamson, who also published an exploit for iOS 12.2, dubbed "SockPuppet," after the first patch was released.

CVSS v2 Base Score:    9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-12527

Title:    Squid Buffer Overflow Vulnerability

Vendor:    Squid

Description: Squid is exposed to a heap based buffer overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer.When checking Basic Authentication with HttpHeader, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length is not greater than the buffer, leading to a heap-based buffer overflow with user controlled data. Successfully exploiting this issue allow attackers to execute arbitrary code in the context of the affected application.

CVSS v2 Base Score:    6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-15107

Title:    Webmin Unauhenticated Remote Command Execution Vulnerability

Vendor:    Webmin

Description: Webmin is exposed to a vulnerability that allows remote command execution. The parameter old in password_change.cgi contains a command injection vulnerability. Webmin versions are only vulnerable if changing of expired passwords is enabled. Successful exploitation may allow remote attacker to execute arbitrary commands on target system.

CVSS v2 Base Score:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-15092

Title:    Wordpress Plugin Remote code Execution Vulnerability

Vendor:    WordPress

Description: Wordpress Plugin is exposed to CSV injection vulnerability. This allows any application user to inject commands as part of the fields of his profile and these commands are executed when a user with greater privilege exports the data in CSV and opens that file on his machine. The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.

CVSS v2 Base Score:    7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-11013

Title:    Nimble Streamer Directory Traversal Vulnerability

Vendor:    Nimble Streamer

Description: Nimble Streamer is exposed to a "../"" directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system to access files or directories that are outside of the restricted directory on the remote server.

CVSS v2 Base Score:    4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)


ID:        CVE-2019-10149

Title:    Exim Local Privilege Escalation Vulnerability

Vendor:    Exim

Description: Exim is affected by remote command execution vulnerability. The vulnerability is exploitable instantly by a local attacker, remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes), faster methods may exist. Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


=========================================================


MOST PREVALENT MALWARE FILES Aug. 22 - 29:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: xme64-2141.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


SHA 256: 1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c

MD5: c785a8b0be77a216a5223c41d8dd937f

VirusTotal: https://www.virustotal.com/gui/file/1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c/details

Typical Filename: cslast.gif

Claimed Product: N/A

Detection Name: W32.1755C179F0-100.SBX.TG


SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08

MD5: db69eaaea4d49703f161c81e6fdd036f

VirusTotal: https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details

Typical Filename: invoice.exe

Claimed Product: N/A

Detection Name: W32.46B241E3D3-95.SBX.TG


SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7

MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f

VirusTotal: https://www.virustotal.com/gui/file/093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7/details

Typical Filename: sayext.gif

Claimed Product: N/A

Detection Name: W32.093CC39350-100.SBX.TG


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743