Cybersecurity training without home or office distractions: 11 courses | San Francisco | Dec 2-7

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

September 19, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            September 19, 2019 - Vol. 19, Num. 38


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Sept. 12 - 19

============================================================


TOP VULNERABILITY THIS WEEK: Some AMD graphics cards open to remote code execution attacks


*************** Sponsored By AWS Marketplace ****************


Securing the App Pipeline in AWS. Current DevOps practices of deploying containers and microservices across data centers and in AWS have specific security challenges. SANS instructor Dave Shackleford and AWS specialist solutions architect Nam Lee explain how and where security ties into all stages of the cloud-oriented development pipeline in the Sept. 26 webcast, 2 PM ET. http://www.sans.org/info/214250


============================================================

TRAINING UPDATE

 

-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019


-- SANS DFIR Europe Summit and Training 2019 | Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- SANS Amsterdam October 2019 | October 28-November 2 | https://www.sans.org/event/amsterdam-october-2019


-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019


-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019


-- SANS OnDemand and vLive Training

Get an iPad Mini, an ASUS Chromebook, or Take $250 off through October 2 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



********************** Sponsored Links: ********************


1) Webcast September 23rd at 1 PM ET: Join Matt Bromiley as he reviews the Fidelis Cybersecurity Elevate platform. Register: http://www.sans.org/info/214255


2) Tune in for this upcoming webcast: A Principal Control Engineer's Perspective on Defending Energy Utilities from IoT/ICS Attacks. http://www.sans.org/info/214260


3) Take the Workforce Transformation and Risks survey and enter to win a $400 Amazon gift card: http://www.sans.org/info/214265


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Remote code execution vulnerability in some AMD Radeon cards

Description: A line of AMD Radeon cards contains a remote code execution vulnerability in their ATIDXX64.DLL driver. AMD produces the Radeon line of hardware, which includes graphics cards and graphics processing units. This specific vulnerability exists on the Radeon RX 550 and the 550 Series while running VMWare Workstation 15. An attacker could exploit this vulnerability by supplying a malformed pixel shared inside the VMware guest operating system to the driver. This could corrupt memory in a way that would allow the attacker to gain the ability to remotely execute code on the victim machine.

Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-AMD-Radeon-ATI-sept-19.html

Snort SIDs: 49978, 49979 (Written by Tim Muniz)

 

Title: Atlassian Jira service contains multiple vulnerabilities, including remote JavaScript execution

Description: Atlassian's Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is a piece of software that allows users to create, manage and organize tasks and manage projects. These bugs could create a variety of scenarios, including the ability to execute code inside of Jira and the disclosure of information inside of tasks created in Jira, including attached documents.

Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-atlassian-jira-sept-19.html

Snort SIDs: 50110, 50111 (Written by Amit Raut), 50114 (Written by Josh Williams)


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


The U.S. Treasury Department announced a new round of sanctions targeting three North Korean state-sponsored threat groups.

https://home.treasury.gov/news/press-releases/sm774


States across the U.S. were critical of a cyber security "report card" that pointed out flaws in their election systems, saying that the company that wrote the reports had flawed methodology and were only after publicity.

https://www.propublica.org/article/report-on-election-security-gains-attention-and-a-sharp-rebuke


Windows' new "health release dashboard" is designed to make updates easier, but security researchers have already discovered several bugs and design flaws.

https://www.zdnet.com/article/windows-10-has-microsoft-cleaned-up-its-update-mess-spoiler-maybe/


A vulnerability in the soon-to-be-released iOS 13 could allow a malicious user to bypass the phone's lockscreen and view the owners' contacts.

https://www.theverge.com/2019/9/13/20863993/ios-13-exploit-lockscreen-bypass-security


The LastPass password manager fixed a bug that could have exposed the credentials a user entered on previous websites they visited.

https://gizmodo.com/you-should-update-lastpass-right-now-1838142059


Attackers are impersonating organizations' executives as a way of obtaining digital certificates.

https://blog.reversinglabs.com/blog/digital-certificates-impersonated-executives-as-certificate-identity-fronts


The new Wi-Fi 6 certifications rolled out this week, opening devices up to faster internet speeds than ever.

https://www.theverge.com/2019/9/16/20864338/wifi-6-alliance-tech-certification-program-launch


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2019-10669

Title:    LibreNMS Collectd Command Injection Vulnerability   

Vendor:    librenms

Description: A command injection vulnerability exists in html/includes/graphs/device/collectd.inc.php where user supplied parameters are filtered with the mysqli_escape_real_string function. This function is not the appropriate function to sanitize command arguments as it does not escape a number of command line syntax characters such as ` (backtick), allowing an attacker to inject commands into the variable $rrd_cmd, which gets executed via passthru().

CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)


ID:        CVE-2019-1245

Title:    Microsoft DirectWrite Information Disclosure Vulnerability

Vendor:    Microsoft

Description: An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. Microsoft DirectWrite is a modern Windows API for high-quality text rendering. A majority of its code resides in the DWrite.dll user-mode library. It is used by a variety of widely used desktop programs (such as the Chrome, Firefox and Edge browsers) and constitutes an attack surface for memory corruption bugs, as it performs the processing of untrusted font files and is written in C/C++. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)


ID:        CVE-2019-12922

Title:    phpMyAdmin Cross Site Request Forgery Vulnerability

Vendor:    phpMyAdmin

Description: A Cross site request forgery issue in phpMyAdmin allows deletion of any server in the Setup page. The attacker can easily create a fake hyperlink containing the request that wants to execute on behalf the user,in this way making possible a CSRF attack due to the wrong use of HTTP method.

CVSS v2 Base Score:    5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)


ID:        2019-16173, 2019-16172

Title:    LimeSurvey Cross-Site Scripting Vulnerability

Vendor:    LimeSurvey

Description: LimeSurvey allows stored cross site scripting for escalating privileges from a low privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group deletion. By exploiting this vulnerability an attacker could attack other users of the web application with JavaScript code, browser exploits or Trojan horses. An attacker could also perform unauthorized actions in the name of another logged-in user.

CVSS v2 Base Score:    3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)


ID:        CVE-2019-1253

Title:    Microsoft Windows Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. AppXSvc improperly handles file hard links resulting in a low privileged user being able to take "Full Control" of an arbitrary file leading to elevation of privilege.

CVSS v2 Base Score:    7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-10149

Title:    Symantec Advanced Secure Gateway Unrestricted File Upload Vulnerability

Vendor:    Symantec

Description: An Unrestricted file upload vulnerability exists in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator user into downloading and executing malicious code.

CVSS v2 Base Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)


=========================================================


MOST PREVALENT MALWARE FILES Sept. 12 - 19:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510

MD5: 4a50780ddb3db16ebab57b0ca42da0fb

VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details

Typical Filename: xme64-2141.exe

Claimed Product: N/A

Detection Name: W32.7ACF71AFA8-95.SBX.TG


SHA 256: 26da22347f1d91f6ca56b7c47644a776b72251d3de11c90d9fd77556d5236f5e

MD5: f6f6039fc64ad97895142dc99554e971

VirusTotal: https://www.virustotal.com/gui/file/26da22347f1d91f6ca56b7c47644a776b72251d3de11c90d9fd77556d5236f5e/details

Typical Filename: CSlast.gif

Claimed Product: N/A

Detection Name: W32.26DA22347F-100.SBX.TG


SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08

MD5: db69eaaea4d49703f161c81e6fdd036f

VirusTotal: https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details

Typical Filename: xme32-2141-gcc.exe

Claimed Product: N/A

Detection Name: W32.46B241E3D3-95.SBX.TG


SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7

MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f

VirusTotal: https://www.virustotal.com/gui/file/093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7/details

Typical Filename: sayext.gif

Claimed Product: N/A

Detection Name: W32.093CC39350-100.SBX.TG


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743