The Consensus Security Vulnerability Alert

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Critical remote code execution vulnerability in F5 BIG-IP

Description: BIG-IP is one of the most popular networking products on the modern market. This product is used to shape web traffic, access gateways, limit rates and much more. F5 disclosed a remote code execution over the weekend that was assigned a maximum 10 out of 10 severity score. CVE-2020-5902 is a remote code execution vulnerability in BIG-IP's configuration interface. Users are urged to make their interfaces inaccessible to the internet and patch as soon as possible.

Reference: https://www.helpnetsecurity.com/2020/07/06/exploit-cve-2020-5902/

Snort SIDs: 54462

Title: Google Chrome PDFium memory corruption vulnerability

Description: The PDF renderer inside Google Chrome, known as PDFium, contains a memory corruption vulnerability that could be exploited by an adversary. PDFium is open-source software that is utilized in the Chrome browser and other applications. The software supports the use of JavaScript embedded inside PDFs and other specially crafted documents could corrupt the memory of the application, allowing an adversary to achieve arbitrary code execution inside the browser.

Reference: https://blog.talosintelligence.com/2020/07/vuln-spotlight-chrome-pdfium-corruption-july-2020.html

Snort SIDs: 53599, 53600

Law enforcement officials in Europe recently dismantled a network of encrypted messages and cell phones where criminals used code names to discuss drug deals and other illicit transactions.

https://www.vice.com/en_us/article/3aza95/how-police-took-over-encrochat-hacked

The US Senate Judiciary Committee approved a revamped version of the EARN IT bill, maintaining that the bill's primary focus is to protect children from exploitation online and not to weaken encryption.

https://www.theverge.com/2020/7/2/21311464/earn-it-act-section-230-child-abuse-imagery-facebook-youtube-lindsey-graham

Researchers say they have found a vulnerability in several popular cryptocurrency wallets that could cause them to display incorrect balances.

https://techcrunch.com/2020/07/01/a-vulnerability-in-some-bitcoin-wallets-leads-to-double-spend-attacks-and-inflated-balance/

Iran blamed state-sponsored attackers for a cyber attack it says led to a fire at its Natanz uranium-enrichment facility and promised retaliation for any future attacks.

https://www.reuters.com/article/us-iran-nuclear-natanz/iran-threatens-retaliation-after-what-it-calls-possible-cyber-attack-on-nuclear-site-idUSKBN2441VY

The years-old Android malware FakeSpy is back infecting users, this time disguising itself as official postal service apps.

https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world

A recent study from German researchers discovered that many home wireless routers had not received a security update in more than a year, and others contained still-unpatched bugs.

https://www.zdnet.com/article/home-router-warning-theyre-riddled-with-known-flaws-and-run-ancient-unpatched-linux/

A new Mac ransomware called "ThiefQuest" steals users' credit card information and login credentials, and lurks in the background as a backdoor for other malware.

https://arstechnica.com/information-technology/2020/07/new-mac-ransomware-is-even-more-sinister-than-it-appears/

A state-sponsored threat actor known as "Cosmic Lynx" is targeting high-profile executives across the globe in business email compromise (BEC) campaigns.

https://www.wired.com/story/russian-hackers-email-scams/

The Lazarus Group APT has added card-skimming to its inventory of attack vectors.

https://threatpost.com/lazarus-group-adds-magecart/157167/

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.

ID: CVE-2020-5902

Title: F5 BIG-IP Remote Code Execution Vulnerability

Vendor: F5

Description: F5 BIG-IP is exposed to remote code execution vulnerability. The vulnerability that has been actively exploited in the wild allows attackers to read files, execute code or take complete control over vulnerable systems having network access.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2019-19781

Title: Citrix Application Delivery Controller and Gateway Directory Traversal Vulnerability

Vendor: Citrix

Description: A vulnerability exists in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. This vulnerability exploits a directory traversal to execute an arbitrary command payload.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-2021

Title: Palo Alto Networks PAN-OS Authentication Bypass in SAML Authentication Vulnerability

Vendor: Palo Alto Networks

Description: When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2020-12828

Title: AnchorFree OpenVPN SDK Privilege Escalation Vulnerability

Vendor: Pango

Description: An issue was discovered in AnchorFree VPN SDK. The VPN SDK service takes certain executable locations over a socket bound to localhost. Binding to the socket and providing a path where a malicious executable file resides leads to executing the malicious executable file with SYSTEM privileges.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2020-2012

Title: Palo Alto Networks PAN-OS XML External Entity Reference Vulnerability

Vendor: Palo Alto Networks

Description: Improper restriction of XML external entity reference ('XXE') vulnerability in Palo Alto Networks Panorama management service allows remote unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

ID: CVE-2020-0796

Title: Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2020-9497

Title: Apache Guacamole Information Disclosure Vulnerability

Vendor: Apache

Description: Apache Guacamole do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.

CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188

MD5: a10a6d9dfc0328a391a3fdb1a9fb18db

VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAntivirusService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::95.sbx.tg