Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Cisco Security Manager contains vulnerabilities that could allow attackers to execute remote code

Description: Cisco disclosed three significant vulnerabilities in its Security Manager software that the company urged users to patch immediately. An attacker could leverage these vulnerabilities to execute arbitrary code and download files on the victim's targeted device -- even without credentials. One of the bugs is considered to be critical while the others are high-severity. These vulnerabilities affect Cisco Security Manager releases 4.22 and earlier.

References: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-path-trav-NgeRnqgR

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-java-rce-mWJEedcD

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-rce-8gjUz9fW

Snort SIDs: 56408 - 56423


Title: Vulnerabilities in Pixar OpenUSD affect some versions of macOS

Description: Pixar OpenUSD contains multiple vulnerabilities that attackers could exploit to carry out a variety of malicious actions. Pixar uses this software for several types of animation tasks, including swapping arbitrary 3-D scenes that are composed of many different elements. Aimed at professional animation studios, the software is designed for scalability and speed as a pipeline connecting various aspects of the digital animation process. In most use cases it is expected to process trusted inputs. By default, on macOS, both a thumbnail and a preview handler are registered for USD file formats through QuickLook. The default application to open USD files is the Preview application. On iOS, the AR application is the default handler. A USD file can be embedded in a web page or sent in a message, and an AR application is opened when the file is clicked, which therefore exposes some Mac operating systems to these bugs.

References: https://blog.talosintelligence.com/2020/11/vuln-spotlight-pixar-open-usd-nov-2020.html

Snort SIDs: 54415, 54416, 54467 - 54472, 54488 - 54493, 54922, 54923


Internet Storm Center Entries


Chris Krebs, the U.S.'s top cyber security official, could be fired any day, according to reports. As of Tuesday, he is still in his role, but President Donald Trump apparently wants him removed from his post.

https://www.politico.com/news/2020/11/12/cyber-official-chris-krebs-likely-out-436342


As if there aren't enough hurdles for schools to overcome this year, they're also facing an uptick in cyber attacks and threat actors who want to publicly expose student information.

https://www.wsj.com/articles/my-information-is-out-there-hackers-escalate-ransomware-attacks-on-schools-11605279160


Several state-sponsored threat actors continue to target COVID-19 vaccine research, with Microsoft identifying at least seven targeted countries.

https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/


The U.K. fined Ticketmaster the equivalent of $1.48 million for a data breach in 2018 that exposed customers' personal information and credit card data.

https://www.bbc.com/news/technology-54931873


COVID-19 tracing apps for countries and local governments around the world vary widely in how they handle and store user information, which presents a security minefield.

https://www.wired.com/story/covid-19-ios-apps-privacy/


More than 27 million drivers had their data mistakenly exposed by an insurance software company after it stored the information on an unprotected server.

https://www.zdnet.com/article/info-of-27-7-million-texas-drivers-exposed-in-vertafore-data-breach/


President Donald Trump used a video from the DEFCON conference demonstrating a vulnerability in a voting machine to erroneously claim voter fraud in this year's presidential election. However, the video merely showed a potential exploit, not an actual attack that took place during this year's voting.

https://arstechnica.com/tech-policy/2020/11/voting-security-experts-refute-trump-claims-of-voting-machine-hacking/


A Delaware state government agency potentially exposed the information of 10,000 people who tested positive for COVID-19 over the summer after an unauthorized person received an unencrypted email with the data.

https://www.wgal.com/article/10000-peoples-files-leaked-in-covid-19-data-breach-in-delaware/34682398


Recent CVEs


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2020-16898

Title: Microsoft Windows TCP/IP Stack Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-15647

Title: Mozilla Firefox Arbitrary Local File Access Vulnerability

Vendor: Mozilla

Description: A Content Provider in Firefox for Android allowed local files accessible by the browser to be read by a remote webpage, leading to sensitive data disclosure, including cookies for other origins.

CVSS v3 Base Score: 7.8 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N)


ID: CVE-2020-14815

Title: Oracle Business Intelligence Unauthorized Access Vulnerability

Vendor: Oracle

Description: A vulnerability exists in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data, as well as unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data.

CVSS v3 Base Score: 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)


ID: CVE-2020-26217

Title: XStream Remote Code Execution Vulnerability

Vendor: Multi-vendor

Description: XStream contains a remote code execution vulnerability that may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected.

CVSS v3 Base Score: 8.0 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)


ID: CVE-2020-14882

Title: Oracle WebLogic Server Remote Code Execution Vulnerability

Vendor: Oracle

Description: Oracle WebLogic Server (formerly known as BEA WebLogic Server) is an application server for building and deploying enterprise applications and services. A remote code execution vulnerability exists in the Oracle WebLogic Server product of Oracle Fusion Middleware.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-1472

Title: Microsoft Netlogon Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-8271

Title: Citrix SD-WAN Center Remote Code Execution Vulnerability

Vendor: Citrix

Description: Multiple vulnerabilities have been discovered in Citrix SD-WAN Center that, if exploited, could allow an unauthenticated attacker with network access to SD-WAN Center to perform arbitrary code execution as root.

CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-3471

Title: Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability

Vendor: Cisco

Description: A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to maintain bidirectional audio despite being expelled from an active Webex session. The vulnerability is due to a synchronization issue between meeting and media services on a vulnerable Webex site. A successful exploit could allow the attacker to maintain the audio connection of a Webex session despite being expelled.

CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)


Prevalent Malware Files


COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 432FC2E3580E818FD315583527AE43A729586AF5EE37F99F04B562D1EFF2A1FD

MD5: dd726d5e223ca762dc2772f40cb921d3

VirusTotal: https://www.virustotal.com/gui/file/432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd/detection

Typical Filename: ww24.exe

Claimed Product: N/A

Detection Name: W32.TR:Attribute.23ln.1201


SHA 256: F059A5358C24CC362C2F74B362C75E02035FDF82F9FFAE8D553AFEE1A271AFD0

MD5: ce4395edbbf9869a5e276781af2e0fb5

VirusTotal: https://www.virustotal.com/gui/file/f059a5358c24cc362c2f74b362c75e02035fdf82f9ffae8d553afee1a271afd0/details

Typical Filename: wupxarch635.exe

Claimed Product: N/A

Detection Name: W32.Auto:f059a5358c.in03.Talos


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584

MD5: 920823d1c5cb5ce57a7c69c42b60959c

VirusTotal: https://www.virustotal.com/gui/file/100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584/details

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Variant.23mj.1201


SHA 256: C3E530CC005583B47322B6649DDC0DAB1B64BCF22B124A492606763C52FB048F

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201