One More Day to Get a MacBook Air, Surface Pro 7, or $350 Off with OnDemand Training

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

April 20, 2017

@RISK: The Consensus Security Vulnerability Alert

Vol. 17, Num. 16

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked

Archived issues may be found at



MOST PREVALENT MALWARE FILES 2017-04-11 - 2017-04-18


TOP VULNERABILITY THIS WEEK: VMware Releases Security Advisories for Various Critical Vulnerabilities in vCenter, Workstation, and more

***************** Sponsored By Cisco Systems *****************

How can you embrace mobile devices for employees while still protecting them from evolving mobile threats? The answer lies in threat defense that enables mobility with unmatched visibility, security analytics, and network controls. Register for the webcast to learn more:


-- SANS Automotive Cybersecurity Summit & Training | Detroit, MI | May 1-8, 2017 | Cybersecurity in the plant and on the road. Two days of in-depth Summit talks, four world-class SANS courses, and community-building opportunities.

-- SANS Security West 2017 | San Diego, CA | May 9-18 |

-- SANS San Francisco Summer 2017 | June 5-10 |

-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 |
Build more effective security operations. Two days of in-depth Summit talks, 5 SANS courses, exclusive networking opportunities, & more!

-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 |

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 |

-- SANS London July 2017 | July 3-8 |

-- SANS Cyber Defence Singapore | July 10-15 |

-- SANSFIRE 2017 | Washington, DC | July 22-29 |

-- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - and Evening (vLive - courses available!

-- Special Offer! Register by March 15 and receive an iPad Air 2, Samsung Galaxy Tab S2 or $350 Off your On Demand or vLive course!

-- OnDemand

-- vLive

-- Multi-week Live SANS training
Mentor -

-- Looking for training in your own community?
Community -

-- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more:

Plus Brussels, San Francisco, Arlington, and Dubai all in the next 90 days.
For a list of all upcoming events, on-line and live:

********************** Sponsored Links: ********************

1) Don't Miss: "WikiLeaks' Release of CIA Hacking Tools: What Security Professionals Need to Know." Register:

2) Register now to learn how illusive networks' tools and services can aid early detection and response, as well as hide the deceptive actions from the enemy.

3) Take the Threat Landscape Survey and enter to win a $400 Amazon gift card:



Title: VMware Releases Security Advisories for Various Critical Vulnerabilities in vCenter, Workstation, and more
Description: VMware has releases two security advisories addressing eight vulnerabilities across vCenter Server, Unified Access Gateway, Horizon View, and Workstation. The first advisory details CVE-2017-5641, a remote code execution flaw in vCenter Server manifesting via BlazeDS. The second advisory addresses a vulnerability in Unified Access Gateway and Horizon View that could allow an attacker to execute code on the security gateway. The second advisory also addresses various flaws in Cortado ThinPrint that could allow a guest to execute code or perform a denial of service attack on the host operating system. VMware has released software updates that address these vulnerabilities.
Snort SID: Detection pending release of vulnerability information

Title: Shadow Brokers Release Tools, Exploits For Compromising Windows-based Systems
Description: The Shadow Brokers have released a new bunch of information detailing various tools and exploits that target Windows-based hosts. Preliminary analysis of the exploits by members of the information security community suggested that some of the exploits released were zero-day vulnerabilities. However, Microsoft has published a blog post stating that most of the exploits were previously patched or were unable to be reproduced on currently supported platforms.
- (Warning: May contain classifed information.)
Snort SID: 14782, 14783, 14896, 15015, 15930, 26643, 41978, 42110, 42255, 42256



The Line of Death

Google Infrastructure Security Design Overview

Buggy Domain Validation Forces GoDaddy to Revoke Certs

Facebook ImageTragick Story

Hardening Windows 10 with zero-day exploit mitigations

Practical Android Debugging Via KGDB



This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2017-3881
Title: Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability
Vendor: Cisco
Description: A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2017-7269
Title: Microsoft IIS 6.0 ScStoragePathFromUrl Buffer Overflow Vulnerability
Vendor: Microsoft
Description: Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: