
@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of @RISK is to provide the data that ensures the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) remain the most effective defenses against all known attack vectors. Because it is also valuable to security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who want to stay current with the offensive methods in use.

December 5, 2019

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

              December 05, 2019 - Vol. 19, Num. 49


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Nov. 28 - Dec. 5

============================================================


TOP VULNERABILITY THIS WEEK: SQL injection vulnerabilities in Forma Learning Management System


*************** Sponsored By AWS Marketplace ***************


SANS-AWS Education Series: Leveraging CASBs in AWS for Anywhere, Anytime Data Protection. In this webcast, AWS solutions architect David Aiken and SANS instructor Kyle Dickinson discuss deployment strategies for cloud access security brokers (CASBs) in AWS that protect data and support a distributed workforce utilizing a variety of endpoints. Dec. 12, 2 PM ET. http://www.sans.org/info/214930


============================================================

TRAINING UPDATE


-- SANS OnDemand and vLive Training

Get an iPad Air with Smart Keyboard, a Surface Go, or Take $300 Off through December 11 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020


-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020


-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020


-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020


-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020


-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020


-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020


-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020


-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Webcast December 6th at 1 PM ET: Learn data sources you should collect to understand security-related activities on your network. http://www.sans.org/info/214935


2) Join us at SANS Open-Source Intelligence Summit | Alexandria, VA | February 18-24. http://www.sans.org/info/214940


3) Webcast: Why It's Time for a New Link Analysis Platform. Register for this webcast: http://www.sans.org/info/214945


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Forma LMS open-source program open to SQL injection attacks

Description: There are three SQL injection vulnerabilities in the authenticated portion of the Forma Learning Management System. Forma LMS is a software suite that lets companies build and host training courses for their employees. The software is released under an open-source license and is now maintained by the Forma organization. An authenticated attacker can trigger these bugs by sending a web request whose parameters contain SQL injection payloads.

Reference: https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-sql-injection-dec-19.html

Snort SIDs: 51611 - 51619 (By Marcos Rodriguez)


Title: Accusoft ImageGear PNG IHDR width code execution vulnerability

Description: Accusoft ImageGear contains two remote code execution vulnerabilities. ImageGear is a document-imaging developer toolkit from Accusoft that developers can use to build their applications; the library covers the entire document-imaging lifecycle.

Reference: https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-accusoft-PNG-dec-19.html

Snort SIDs: 3132, 32889, 50806, 50807, 51530, 51531, 52033, 52034 (By Kristen Houser and Mike Bautista)


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


French officials say they are still considering a response to a cyber attack on a public hospital, including a possible "hack back."

https://www.bloomberg.com/news/articles/2019-11-28/france-not-ruling-out-response-to-cyber-attack-on-hospital


RCS, which is meant to be a replacement for SMS messages, is open to a series of attacks, including text message and call interception, and number spoofing.

https://www.vice.com/en_us/article/j5ywxb/rcs-rich-communications-services-text-call-interception


A popular website among hackers that sold spying tools was taken down after an international investigation. The British government says the site sold these tools to more than 14,500 people.

https://www.bbc.com/news/technology-50601905


A Canadian court is allowing convicted criminals to challenge their sentences if they were apprehended using a controversial cell phone tracking tool used by police.

https://nationalpost.com/news/canada/alberta-judge-allows-defence-lawyers-to-shine-a-light-on-police-use-of-stingray-technology


Popular spyware company Hacking Team is making a comeback under new ownership, with the aim of ensuring their tools aren't being abused.

https://www.technologyreview.com/s/614767/the-fall-and-rise-of-a-spyware-empire/


Louisiana is still recovering from a ransomware attack, with delays coming to the state's Medicaid program and workers scrambling to recover lost data.

https://arstechnica.com/information-technology/2019/11/hackers-paradise-louisianas-ransomware-disaster-far-from-over/


Hackers used credential-stuffing attacks immediately after the launch of the Disney+ streaming service to take over users' accounts, but Disney still maintains there was not a data breach.

https://www.cpomagazine.com/cyber-security/new-disney-plus-streaming-service-hit-by-credential-stuffing-cyber-attack/


A cyber security activist hopes a new lawsuit will make public a list of electric companies that have failed to meet security standards in the past and have paid fines for their lack of protections.

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/12/03/the-cybersecurity-202-activist-wants-court-to-name-and-shame-electric-utilities-for-violating-cybersecurity-rules/5de550bf88e0fa652bbbdb18/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:        CVE-2019-5434

Title:    Revive Adserver Remote Code Execution Vulnerability

Vendor: revive-sas

Description: An attacker could send a specially crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter of the "openads.spc" RPC method. Such a vulnerability could be used to perform various attacks, e.g. exploiting serialize-related PHP vulnerabilities or PHP object injection.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-11932

Title:    Android-Gif-Drawable Whatsapp Double Free Vulnerability

Vendor: WhatsApp

Description: A double free vulnerability exists in the DDGifSlurp function in decoding.c in libpl_droidsonroids_gif, as used in WhatsApp for Android. The vulnerability allows remote attackers to execute arbitrary code or cause a denial of service.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-10092

Title:    Apache Httpd mod_proxy Error Page Cross-Site Scripting Vulnerability

Vendor: Multi-Vendor

Description: A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

CVSS v2 Base Score:    4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)


ID:        CVE-2019-11539

Title:    Pulse Secure VPN Arbitrary Command Execution Vulnerability

Vendor: Pulse Secure

Description: The admin web interface of Pulse Secure VPN allows an authenticated attacker to inject and execute commands. An attacker can exploit these issues to read arbitrary files in the context of the application, write arbitrary files, hijack an arbitrary session and gain unauthorized access, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, obtain sensitive information, and inject and execute arbitrary commands and code in the context of the application.

CVSS v2 Base Score:    6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)


ID:        CVE-2019-3568

Title:    WhatsApp VOIP stack buffer overflow vulnerability

Vendor: WhatsApp

Description: A buffer overflow vulnerability in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of RTCP packets sent to a target phone number. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

=========================================================


MOST PREVALENT MALWARE FILES Nov. 28 - Dec. 5:

COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP



=============================================================


(c) 2019.  All rights reserved.  The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743