Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft Patch Tuesday

Description: Microsoft released its monthly security update Tuesday, disclosing just over 110 vulnerabilities across its products. This is a slight jump from last month, when Microsoft disclosed one of its lowest vulnerability totals in months. Eighteen of the vulnerabilities are considered "critical," while nearly all of the rest are ranked as "important," with two considered "low." Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The security updates cover several different products and services, including the HEVC video file extension, the Azure Sphere platform and Microsoft Exchange servers.

References: https://blog.talosintelligence.com/2020/11/microsoft-patch-tuesday-for-nov-2020.html

Snort SIDs: 56161 - 56264, 56230, 56231, 56254, 56255, 56286 - 56289, 56295, 56296, 56309, 56301 - 56305, 56310 and 56312


Title: Adobe issues security updates for Acrobat Reader

Description: Adobe recently disclosed multiple vulnerabilities in its Acrobat PDF Reader, covering both the desktop and Android versions. Among them are a heap buffer overflow and a use-after-free vulnerability that Cisco Talos researchers discovered. Acrobat Reader integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger these vulnerabilities. There is also a bug considered "important" in all Android versions of Acrobat that could allow an adversary to disclose sensitive information on an affected device.

References: https://helpx.adobe.com/security/products/reader-mobile/apsb20-71.html

https://blog.talosintelligence.com/2020/11/vulnerability-spotlight-multiple.html


Snort SIDs: 53563, 53564, 55842, 55843

Internet Storm Center Entries


While election week in the U.S. seemed to drag on, the good news is that polls closed and counting finished in most states without any major signs of a cyber disruption.

https://www.nbcnews.com/tech/security/polls-close-election-day-no-apparent-cyber-interference-n1246277


The FBI released a warning that international threat actors are using misconfigured SonarQube applications to steal source code repositories from U.S. government agencies and private businesses.

https://www.zdnet.com/article/fbi-hackers-stole-source-code-from-us-government-agencies-and-private-companies/


Voters in Portland, Maine approved a ban on facial recognition technology and are now eligible for up to $1,000 in payments if they are scanned in violation of the new order.

https://www.theverge.com/2020/11/4/21536892/portland-maine-facial-recognition-ban-passed-surveillance


Storied video game production company Capcom says it was the victim of a cyber attack last week, the latest in a string of targeted attacks on video game companies.

https://www.bbc.com/news/technology-54840768


Disinformation written in Spanish largely dodged efforts by social media platforms to remove fake or misleading posts, leading to an increase in fake news in the days leading up to the U.S. election.

https://www.reuters.com/article/us-usa-election-disinformation-spanish/spanish-language-misinformation-dogged-democrats-in-u-s-election-idUSKBN27N0ED


It's believed that President-elect Joe Biden's future administration will take a tougher line with Russia on cyber security and take greater steps to bolster American election security.

https://www.washingtonpost.com/politics/2020/11/09/cybersecurity-202-biden-will-get-tougher-russia-boost-election-security-here-what-expect/


Google Chrome will join Safari and Firefox in blocking so-called "tab-nabbing" attacks in web browsers with an upcoming security release.

https://www.zdnet.com/article/chrome-to-block-tab-nabbing-attacks/


Several key details remain unknown regarding some serious vulnerabilities Google recently disclosed and patched in its Android operating system.

https://www.vice.com/en/article/xgzxmk/google-project-zero-bugs-used-to-hack-iphones-and-android-phones

Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-14882

Title: Oracle WebLogic Server Remote Code Execution Vulnerability

Vendor: Oracle

Description: Oracle WebLogic Server is exposed to a critical vulnerability that can be exploited by an unauthenticated attacker with a single HTTP request. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks can result in takeover of Oracle WebLogic Server.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2019-5544

Title: VMware Horizon DaaS OpenSLP Remote Code Execution Vulnerability

Vendor: VMware

Description: OpenSLP as used in Horizon DaaS is exposed to a heap overwrite issue. A malicious actor with network access to port 427 on an ESXi host may be able to overwrite the heap of the OpenSLP service, resulting in remote code execution.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-14871

Title: Oracle Solaris Remote Code Execution Vulnerability

Vendor: Oracle

Description: This easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks can result in takeover of Oracle Solaris.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-27955

Title: Git for Windows Large File Storage Remote Code Execution Vulnerability

Vendor: Git

Description: On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program is executed instead of the intended git binary, permitting the attacker to execute arbitrary code. Successful exploitation allows an attacker to execute arbitrary code and compromise the system.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-17087

Title: Microsoft Windows Kernel Privilege Escalation Vulnerability

Vendor: Microsoft

Description: Security researchers from Google's Project Zero have disclosed a zero-day vulnerability in the Windows operating system which is currently being exploited in the wild. The Google Project Zero team notified Microsoft last week and gave the company seven days to patch the bug.

CVSS v3 Base Score: 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2020-15999

Title: Google Chrome Freetype Heap Buffer Overflow Vulnerability

Vendor: Google

Description: Google Chrome issued an update announcement for the browser across all platforms. Google confirmed that the "stable channel" desktop Chrome browser is being updated across Windows, Mac, and Linux platforms. As per Google's official sources, this urgent update will start rolling out over the coming few days or weeks.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID: CVE-2020-14750

Title: Oracle WebLogic Server Unauthenticated Remote Code Execution Vulnerability

Vendor: Oracle

Description: Oracle released a critical patch update earlier in October to fix CVE-2020-14882. It has since been observed that attackers can bypass this patch, exposing an unauthenticated remote code execution vulnerability. Unauthenticated attackers can continue to bypass the WebLogic backend login restrictions and take control of the server even after WebLogic is patched for CVE-2020-14882.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-1472

Title: Microsoft Netlogon Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-27930

Title: Apple iOS Memory Corruption Vulnerability

Vendor: Apple

Description: A memory corruption vulnerability exists in Apple iOS that may lead to arbitrary code execution when processing a maliciously crafted font. The vulnerability leads to memory corruption due to lack of proper input validation.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: F059A5358C24CC362C2F74B362C75E02035FDF82F9FFAE8D553AFEE1A271AFD0

MD5: ce4395edbbf9869a5e276781af2e0fb5

VirusTotal: https://www.virustotal.com/gui/file/f059a5358c24cc362c2f74b362c75e02035fdf82f9ffae8d553afee1a271afd0/details

Typical Filename: wupxarch635.exe

Claimed Product: N/A

Detection Name: W32.Auto:f059a5358c.in03.Talos


SHA 256: 432FC2E3580E818FD315583527AE43A729586AF5EE37F99F04B562D1EFF2A1FD

MD5: dd726d5e223ca762dc2772f40cb921d3

VirusTotal: https://www.virustotal.com/gui/file/432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd/detection

Typical Filename: ww24.exe

Claimed Product: N/A

Detection Name: W32.TR:Attribute.23ln.1201


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 97511b671c29a6c04c9c80658428b4ce55010d9dfe6ee5d813595d37fbe5500a

MD5: 0cd267df5b55552a6589f4e67164fd3d

VirusTotal: https://www.virustotal.com/gui/file/97511b671c29a6c04c9c80658428b4ce55010d9dfe6ee5d813595d37fbe5500a/details

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: Auto.97511B.232354.in02


SHA 256: C3E530CC005583B47322B6649DDC0DAB1B64BCF22B124A492606763C52FB048F

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201