Get unparalleled cyber security training from real-world practitioners in Nashville. Save $200 thru 10/30.

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

September 12, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            September 12, 2019 - Vol. 19, Num. 37


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Sept. 5 - 12

============================================================


TOP VULNERABILITY THIS WEEK: Microsoft releases monthly security updates


******************** Sponsored By SANS *******************


Attend SANS SIEM Summit | Chicago, IL | Oct 7-8

Hear from the experts and bring order to the chaos by learning how to use your data for tactical analysis and detection. http://www.sans.org/info/214185


============================================================

TRAINING UPDATE

 

-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019


-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019


-- SANS DFIR Europe Summit and Training 2019 | Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019


-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019


-- SANS OnDemand and vLive Training

Get an iPad, Samsung Galaxy Tab A, or Take $250 off through September 18 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Take the SANS survey 'Understanding Workforce Transformation and Risks' and tell us how your organization is supporting workforce trends. http://www.sans.org/info/214190


2) ICYMI Webcast: BloxOne(TM) Threat Defense: Strengthening and Optimizing Your Security Posture from the Foundation Up. http://www.sans.org/info/214195


3) Webcast September 19th at 10:30 AM ET: Listen to how micro-segmentation can be part of the equation in protecting your network. http://www.sans.org/info/214205


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft patches 19 critical bugs as part of security update Description: Microsoft released its monthly security update this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 85 vulnerabilities, 19 of which are rated "critical," 65 that are considered "important" and one "moderate." There is also a critical advisory relating to the latest update to Adobe Flash Player. This month's security update covers security issues in a variety of Microsoft services and software, including the Jet Database Engine and the Hyper-V hypervisor. Most notably, this release contains another round of vulnerabilities in remote desktop services, the latest in a line of RDP bugs that are considered "wormable." Talos has already outlined how Cisco Firepower users can stay protected from other series of RDP vulnerabilities known as "BlueKeep" and "DejaBlue."

Reference: https://blog.talosintelligence.com/2019/09/microsoft-patch-tuesday-sept-2019.html

Snort SIDs: 51436 - 51438, 51445, 51446, 51449 - 51452, 51454 - 51457, 51463 - 51465, 51479 - 51483


Title: Some NETGEAR routers vulnerable to DoS attacks Description: The NETGEAR N300 line of wireless routers contains two denial-of-service vulnerabilities. The N300 is a small and affordable wireless router that contains the basic features of a wireless router. An attacker could exploit these bugs by sending specific SOAP and HTTP requests to different functions of the router, causing it to crashentirely.

Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-Netgear-N300-routers-DoS-sept-2019.html

Snort SIDs: 50040 (Written by Dave McDaniel)


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Apple fired back at a report from Google's security arm that recently highlighted an exploit in their iOS mobile operating system, saying the company was "stoking fear."

https://www.theverge.com/2019/9/6/20853115/apple-google-iphone-security-flaw-uighur-community-fud


Some states' Departments of Motor Vehicles are selling drivers' personal information to private investigators and other businesses.

https://www.vice.com/en_us/article/43kxzq/dmvs-selling-data-private-investigators-making-millions-of-dollars


A set of Chromebooks mistakenly warned users that the devices' end-of-life was approaching, despite Google promising it will provide updates to the laptops for six-and-a-half years.

https://arstechnica.com/gadgets/2019/09/some-chromebooks-mistakenly-declared-themselves-end-of-life-last-week/


A new report exposed a cyber attack on a portion of the U.S. electric grid from earlier this year, the first disruptive cyber attack on the American energy grid ever recorded.

https://www.eenews.net/stories/1061111289


The popular Wikipedia service was intermittently unavailable across Europe after a string of denial-of-service attacks last week.

https://techcrunch.com/2019/09/07/wikipedia-blames-malicious-ddos-attack-after-site-goes-down-across-europe-middle-east/


U.S. Senate Majority Leader Mitch McConnell continues to block a vote on a series of cyber security bills aimed at protecting American elections, and some believe it could be at the direction of the White House.

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/09/09/the-cybersecurity-202-here-s-why-mitch-mcconnell-s-blocking-election-security-bills/5d758b86602ff171a5d734b6/


The U.S. filed criminal charges against a professor in Texas for allegedly stealing a startup company's technology on behalf of Chinese tech company Huawei. (Please note that this story is behind a paywall.)

https://www.wsj.com/articles/u-s-files-criminal-charges-against-chinese-professor-linked-to-huawei-11568048700


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2017-1000119

Title:    October CMS build 412 PHP code execution Vulnerability

Vendor:    Multi-vendor

Description: October CMS build 412 is vulnerable to PHP code execution vulnerability in the file upload functionality resulting in site compromise and possibly other applications on the server. The vunerability allows an attacker to execute PHP code on a victim's website where the attacker is an authenticated administrator user with media or asset management permissions.

CVSS v2 Base Score:    6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)


ID:        CVE-2019-15107

Title:    LibreNMS Collectd Command Injection Vulnerability

Vendor:    Multi-Vendor

Description: LibreNMS is exposed to a command injection vulnerability in html/includes/graphs/device/collectd.inc.php where user supplied parameters are filtered with the mysqli_escape_real_string function. This function is not the appropriate function to sanitize command arguments as it does not escape a number of command line syntax characters such as ` (backtick), allowing an attacker to inject commands into the variable $rrd_cmd, which gets executed via passthru(). An authenticated attacker can execute commands on the server.

CVSS v2 Base Score:    6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)


ID:        CVE-2019-16118

Title:    WordPress Plugin Photo Gallery Cross-Site Scripting Vulnerability

Vendor:    Multi-Vendor

Description: WordPress Plugin Photo Gallery is exposed to a cross site scripting (XSS) vulnerability via via admin/controllers/Options.php. This vulnerability occurs whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. The vulnerability allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


ID:        CVE-2019-15029

Title:    FusionPBX Remote Code Execution Vulnerability

Vendor:    Multi-Vendor

Description: FusionPBX allows an attacker to execute arbitrary system commands by submitting a malicious command to the service_edit.php file (which will insert the malicious command into the database). To trigger the command, one needs to call the services.php file via a GET request with the service id followed by the parameter a=start to execute the stored command.

CVSS v2 Base Score:    9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)


ID:        CVE-2019-11539

Title:    Pulse Secure SSL VPN Remote Code Execution Vulnerability

Vendor:    Multi-Vendor

Description: In Pulse Secure Pulse Connect Secure and Pulse Policy Secure, the admin web interface allows an authenticated attacker to inject and execute commands. An attacker can exploit these issues to access arbitrary files in the context of the application, write arbitrary files, hijack an arbitrary session and gain unauthorized access, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, obtain sensitive information, inject and execute arbitrary commands and execute arbitrary code in the context of the application.

CVSS v2 Base Score:    6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)


ID:        CVE-2019-10677

Title:    DASAN Zhone ZNID GPON 2426A EU Device Multiple Cross-Site Scripting Vulnerabilities

Vendor:    Zhone Technologies

Description: Multiple Cross-Site Scripting issues in the web interface on DASAN Zhone ZNID GPON 2426A EU devices allow a remote attacker to execute arbitrary JavaScript via manipulation of an unsanitized GET parameter: /zhndnsdisplay.cmd (name), /wlsecrefresh.wl (wlWscCfgMethod, wl_wsc_reg).

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


=========================================================


MOST PREVALENT MALWARE FILES Sept. 5 - 12:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13

MD5: c24315b0585b852110977dacafe6c8c1

VirusTotal: https://www.virustotal.com/gui/file/15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13/details

Typical Filename: puls.exe

Claimed Product: N/A

Detection Name: W32.DoublePulsar:WNCryLdrA.22is.1201


SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: xme64-2141.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


SHA 256:46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08

MD5: db69eaaea4d49703f161c81e6fdd036f

VirusTotal: https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details>

Typical Filename: xme32-2141-gcc.exe

Claimed Product: N/A

Detection Name: W32.46B241E3D3-95.SBX.TG


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload

Claimed Product: qmreportupload.exe

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7

MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f

VirusTotal: https://www.virustotal.com/gui/file/093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7/details

Typical Filename: sayext.gif

Claimed Product: N/A

Detection Name: W32.093CC39350-100.SBX.TG


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743