Two Days Left to Get an iPad (32G), Galaxy Tab A, or $250 Off Online Training!

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

November 28, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

              November 28, 2019 - Vol. 19, Num. 48


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Nov. 21 - 28

============================================================


TOP VULNERABILITY THIS WEEK: Old Apache Solr vulnerability raises eyebrows with new POC


******************** Sponsored By AWS Marketplace *******************


Convenient and Secure: Leveraging CASBs in AWS, featuring SANS instructor Kyle Dickinson and AWS solutions architect David Aiken. In this webcast, learn how to leverage the convenience of cloud access security brokers (CASBs) to integrate modern technologies and a suite of data protection, auditing and other tools in AWS. Dec. 12, 2 PM ET. http://www.sans.org/info/214885



============================================================

TRAINING UPDATE

 

-- SANS OnDemand and vLive Training

Get an 11" iPad Pro, a 12.3" Surface Pro, or Take $350 Off through December 4 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020


-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020


-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020


-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020


-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020


-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020


-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020


-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Webcast December 5th at 1 PM ET: Why Its Time for a New Link Analysis Platform. Register: http://www.sans.org/info/214890


2) ICYMI Webcast: Maximize Threat Hunting Efficiency with Automated Queries. View here: http://www.sans.org/info/214895


3) Take the SANS Network Visibility and Threat Detection Survey and enter to win a $400 Amazon gift card: http://www.sans.org/info/214900


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Severity of Apache Solr vulnerability rises after new code emerges

Description: A months-old vulnerability in Apache Solr was recently reclassified as being more serious than initially thought. It was initially believed that this bug would only allow an adversary to access monitoring data on any site utilizing Solr. However, new proof-of-concept code shows it could allow an attacker to remotely execute code on a Solr server. This bug could be exploited by any adversary who has network access to a Solr server and Java Management Extensions. Windows users are reportedly not affected.

Reference: https://securityintelligence.com/news/exploit-code-escalates-apache-solr-vulnerability-to-high-risk-status/

Snort SIDs: 52324, 52325 (By John Levy)

 

Title: Command injection bug in popular, affordable wireless router

Description: Cisco Talos recently discovered a command injection vulnerability in the Tenda AC9 router. The Tenda AC9 is one of the most popular and affordable dual-band gigabit WiFi routers available online, especially on Amazon. A command injection vulnerability exists in the `/goform/WanParameterSetting` resource. A locally authenticated attacker can execute arbitrary commands to post parameters to execute commands on the router. The attacker can get reverse shell running as root using this command injection.

Reference: https://blog.talosintelligence.com/2019/11/vulnerability-spotlight-tenda-ac9-command-nov-2019.html

Snort SIDs: 50295, 50296 (By Amit Raut)


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


The lights used to help guide airplanes to the runway at airports were exposed to the open internet at several airports across the U.S.

https://www.vice.com/en_us/article/7x5nkg/airplane-warning-lights-hacked


American security experts are starting to worry about a new wave of state-sponsored adversaries from countries like Vietnam and Qatar, a pivot from the usual cyber powers like Russia and China.

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/11/26/the-cybersecurity-202-u-s-officials-fret-about-hacking-by-a-new-generation-of-nations/5ddc808588e0fa652bbbda37/


The FBI sent a warning to auto manufacturers, warning that adversaries are targeting sensitive data.

https://www.bleepingcomputer.com/news/security/fbi-warns-of-cyber-attacks-targeting-us-automotive-industry/


Jeanette Manfra, one of the longest-tenured officials in U.S. cyber policy, is leaving the public sector for a private job, leaving a massive hole at the Cybersecurity and Infrastructure Security Agency.

https://techcrunch.com/2019/11/21/jeanette-manfra/


Manfra's departure is just the latest loss for cyber security leadership in Washington. An exodus of election officials have experts worried about the security of the 2020 elections.

https://www.npr.org/2019/11/26/782680291/as-2020-approaches-some-experienced-election-officials-head-to-the-exits


California's Department of Motor Vehicles makes roughly $50 million a year selling citizens' drivers license and personal information.

https://www.vice.com/en_us/article/evjekz/the-california-dmv-is-making-dollar50m-a-year-selling-drivers-personal-information


Adversaries are hijacking Docker systems that still have their API endpoints exposed to the internet.

https://www.zdnet.com/article/a-hacking-group-is-hijacking-docker-systems-with-exposed-api-endpoints/


Twitter added new two-factor authentication features, allowing users to register for the extra security step without having to provide their phone number to the social media site.

https://www.theverge.com/2019/11/22/20977436/twitter-2fa-phone-number-authentication-app-security-key


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2019-1429

Title:    Microsoft Windows Scripting Engine Memory Corruption Vulnerability

Vendor: Microsoft

Description: An information disclosure vulnerability exists when Microsoft Edge based on Edge HTML improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability.

CVSS v2 Base Score:    7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-18862

Title:    GNU Mailutils Privilege Escalation Vulnerability

Vendor: GNU

Description: The --url parameter included in the GNU Mailutils maidag utility can be used to write to arbitrary files on the host operating

system.  By default, maidag is set to execute with setuid root permissions, which can lead to local privilege escalation through code/command execution by writing to the system's crontab or by writing to other root owned files on the operating system.

CVSS v2 Base Score:    4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2018-14665

Title:    Xorg X11 Server Local Privilege Escalation Vulnerability

Vendor: Multi-Vendor

Description: A flaw was found in xorg-x11-server where an incorrect permission check for -modulepath and -logfile options are set when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.

CVSS v2 Base Score:    7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-11539

Title:    Pulse Secure VPN Arbitrary Command Execution Vulnerability

Vendor: Pulse Secure

Description: Pulse Secure VPN with admin web interface allows an authenticated attacker to inject and execute commands. An attacker can exploit these issues to access arbitrary files in the context of the application, write arbitrary files, hijack an arbitrary session and gain unauthorized access, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, obtain sensitive information, inject and execute arbitrary commands and execute arbitrary code in the context of the application.

CVSS v2 Base Score:    6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)


ID:        CVE-2019-16113

Title:    Bludit Directory Traversal Image File Upload Vulnerability

Vendor:    Bludit

Description: Bludit allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname.

CVSS v2 Base Score:    6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)


ID:        CVE-2019-11409

Title:    FusionPBX Operator Panel exec.php Command Execution Vulnerability

Vendor:    FusionPBX

Description: app/operator_panel/exec.php in the Operator Panel module in FusionPBX suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module.

CVSS v2 Base Score:    6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)


ID:        CVE-2019-17671

Title:    WordPress Unauthenticated View Posts Vulnerability

Vendor:    WordPress

Description: Wordpress versions allows unauthenticated view of private/draft posts. Unauthenticated viewing of certain content is possible because the static query property is mishandled. This vulnerability could allow an unauthenticated user to view private or draft posts due to an issue within WP_Query.

CVSS v2 Base Score:    5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)


=========================================================


MOST PREVALENT MALWARE FILES Nov. 21 - 28:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc

MD5: c5608e40f6f47ad84e2985804957c342

VirusTotal: https://www.virustotal.com/gui/file/f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA:2144FlashPlayer-tpd


SHA 256: a97e5396d7dcd103138747ad09486671321fb75e01a70b26c908e7e0b727fad1

MD5: ef048c07855b3ef98bd991c413bc73b1

VirusTotal: https://www.virustotal.com/gui/file/a97e5396d7dcd103138747ad09486671321fb75e01a70b26c908e7e0b727fad1/details

Typical Filename: xme64-501.exe

Claimed Product: N/A

Detection Name: PUA.Win.Dropper.Razy::tpd


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: c29da492e7e7decebff09ee531f01fc3c3de45e805947093ac0aa7c113b592dc

MD5: b77c0c1ed4cff895bf862cf46b601c84

VirusTotal: https://www.virustotal.com/gui/file/c29da492e7e7decebff09ee531f01fc3c3de45e805947093ac0aa7c113b592dc/details

Typical Filename: opCS.gif

Claimed Product: N/A

Detection Name: W32.C29DA492E7-100.SBX.TG


SHA 256: 4dac88a67bc3f755c0ef3ceea5515a3e3310820978ef249d1813c9982dc6aadf

MD5: 718d579ea6ea48f95225cc9c794f9703

VirusTotal: https://www.virustotal.com/gui/file/4dac88a67bc3f755c0ef3ceea5515a3e3310820978ef249d1813c9982dc6aadf/details

Typical Filename: opext.gif

Claimed Product: N/A

Detection Name: W32.4DAC88A67B-100.SBX.TG


=============================================================


(c) 2019.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743