Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: OpenSSL issues patches for critical denial-of-service vulnerability

Description: OpenSSL disclosed and patched a denial-of-service vulnerability last week that could allow adversaries to crash TLS servers. A client can send a specially crafted renegotiation ClientHello message that triggers a null pointer dereference in the server, crashing the targeted process. Servers are affected only if TLSv1.2 and renegotiation are enabled, which is the default configuration. OpenSSL is one of the most widely deployed software libraries on the internet: it implements the TLS and SSL protocols and serves as a general-purpose cryptographic library. The maintainers also fixed a separate certificate-validation flaw, CVE-2021-3450 (described under Vulnerabilities with Exploits below), in which a bug in the X509_V_FLAG_X509_STRICT checks could let an application accept a chain in which a non-CA certificate had issued other certificates. Both fixes shipped in OpenSSL 1.1.1k.

References: https://arstechnica.com/gadgets/2021/03/openssl-fixes-high-severity-flaw-that-allows-hackers-to-crash-servers/

Snort SIDs: 56942 – 56944, 56957 – 56963


Title: Critical vulnerabilities in Cisco Jabber for mobile, desktop devices

Description: Cisco fixed multiple vulnerabilities in its Jabber messaging software affecting the Windows, macOS and mobile versions. An attacker who exploits any one of them could execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic or cause a denial of service. Exploiting a single one of the vulnerabilities disclosed this week is enough to carry out these actions, but the attacker must first be able to authenticate to an Extensible Messaging and Presence Protocol (XMPP) server used by the affected software and send XMPP messages to the targeted system.

Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-jabber-PWrTATTC

Snort SIDs: 55016 – 55018, 56572, 56573, 56575, 56576, 56588 – 56591, 57351 – 57354, 57359

Security News


Google’s security team shut down a counter-terrorism hacking operation run by a U.S. ally, a decision that has raised ethical questions both within the company and in the security community.

https://www.technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/


Facebook discovered a Chinese-backed campaign using fake accounts and groups to track Uyghur activists living abroad.

https://www.npr.org/2021/03/24/981021257/chinese-hackers-made-fake-facebook-profiles-apps-to-spy-on-uyghur-activists


New Android malware disguises itself as an operating system update and could give attackers total control of a device and the user’s data.

https://techcrunch.com/2021/03/26/android-malware-system-update/


CNA, one of the top providers of cyber insurance, had to disconnect many of its devices from the internet after a ransomware attack last week.

https://www.cyberscoop.com/cna-cyber-insurance-breach/


A United Nations working group has come to a tentative agreement outlining how nation-states should behave online.

https://blogs.microsoft.com/on-the-issues/2021/03/29/un-working-group-cybersecurity-report/


Though the news of a ship stuck in the Suez Canal dominated headlines over the past week, security experts worry that the next threat to the canal could be a cyber attack.

https://www.bloomberg.com/opinion/articles/2021-03-30/a-cyber-attack-could-be-the-next-big-suez-canal-threat


A cyberattack disrupted live broadcasts at a major broadcaster in Australia earlier this week, the same day the country’s parliament also reported an attack on its computer network.

https://www.cnn.com/2021/03/29/media/australia-cyber-attack-scli-intl/index.html


As non-fungible tokens (NFTs) take the internet by storm, uninformed users are being duped into scams or are finding their NFTs disappearing into thin air.

https://www.vice.com/en/article/pkdj79/peoples-expensive-nfts-keep-vanishing-this-is-why

Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use it to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information from exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2021-21345

Title: Deserialization Vulnerability in XStream Library

Vendor: XStream Project

Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability that may allow a remote attacker with sufficient rights to execute commands on the host solely by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not impacted. If you rely on XStream's default blacklist in the security framework, you must use at least version 1.4.16.

CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
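The allowlist configuration that the advisory above says removes exposure, as an added example written for this newsletter (it is not XStream project code). The Order class, the com.example.model package and both XML documents are constructed for illustration; the XStream calls used (addPermission, allowTypes, allowTypesByWildcard, alias) are the library's public security API.

```java
import java.io.StringReader;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example, not XStream project code: an XStream instance configured with
 * an explicit type allowlist instead of the default blacklist. The Order class,
 * the com.example.model package and the XML documents are assumptions.
 */
public class XStreamAllowlist {

    /** Hypothetical application type that this endpoint legitimately accepts. */
    public static class Order {
        String id;
        int quantity;
    }

    public static XStream hardened() {
        XStream xstream = new XStream();
        // Remove every permission, including the default blacklist, so that from
        // here on a type must be explicitly allowed before it can be instantiated.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit the building blocks any document needs: null and primitives.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // The minimal set of application types this endpoint deserializes.
        xstream.allowTypes(new Class[] { Order.class });
        // Alternatively admit a whole model package; keep the pattern narrow.
        xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        // Collections are deliberately not admitted here; add
        // allowTypeHierarchy(Collection.class) only if the model carries lists or maps.
        xstream.alias("order", Order.class);
        return xstream;
    }

    /** Deserializes input; throws ForbiddenClassException for any type not allowed. */
    public static Object parse(XStream xstream, String xml) {
        return xstream.fromXML(new StringReader(xml));
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Constructed benign document: the root element maps to an allowed type.
        String benign = "<order><id>A-1</id><quantity>3</quantity></order>";
        Order order = (Order) parse(xstream, benign);
        System.out.println("parsed order " + order.id + " x" + order.quantity);

        // Constructed hostile document: names a JDK type this endpoint never needs.
        // Deserialization gadget chains depend on the parser instantiating types
        // the developer never intended; the allowlist rejects the name before any
        // object is created.
        String hostile = "<java.lang.ProcessBuilder><command/></java.lang.ProcessBuilder>";
        try {
            parse(xstream, hostile);
            System.out.println("UNEXPECTED: hostile document accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Audit an existing code base for `new XStream(` without a following `addPermission(NoTypePermission.NONE)` or `allowTypes` call; those instances depend on the blacklist and must be on 1.4.16 or later.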


ID: CVE-2021-1411

Title: Arbitrary Code Execution Vulnerability in Cisco Jabber

Vendor: Cisco

Description: Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition. For more information about these vulnerabilities, see the Cisco advisory referenced in the Recent Security Issues section above.

CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2021-27452

Title: Hard-Coded Credentials Vulnerability in GE MU320E Merging Unit Firmware

Vendor: GE

Description: The firmware contains a hard-coded password that could allow an attacker to take control of the MU320E merging unit using these credentials (all firmware versions prior to v04A00.1 are affected).

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-27274

Title: Remote Code Execution Vulnerability in NETGEAR ProSAFE Network Management System

Vendor: Netgear

Description: This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MFileUploadController class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations, so an uploaded file can be written outside the intended directory. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. This was ZDI-CAN-12124.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
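The defect class described above, a file name taken from an upload request and used in a file operation without being confined to the intended directory, shown beside the check that closes it. This is an added example written for this newsletter, not NETGEAR code and not a reconstruction of the MFileUploadController class; the upload root, the helper names and the sample inputs are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not NETGEAR code: confining a client-supplied file name to the
 * upload directory before it reaches any file operation. UPLOAD_ROOT and the
 * sample names are assumptions for illustration.
 */
public class SafeUploadPath {

    public static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    /**
     * The unchecked pattern: whatever the client sent is joined to the root.
     * "../../x.jsp" resolves outside the upload directory, and if the server
     * then writes the uploaded bytes there the attacker has an arbitrary file
     * write in the service's security context (SYSTEM for the affected NMS).
     */
    public static Path unsafeResolve(Path root, String userSupplied) {
        return root.resolve(userSupplied).normalize();
    }

    /**
     * Hardened: accept only a bare file name, then prove the normalized result
     * stays strictly inside the root. Throws IllegalArgumentException otherwise.
     */
    public static Path safeResolve(Path root, String userSupplied) {
        if (userSupplied == null || userSupplied.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // String-level screen first. Path on Linux treats '\' and 'C:' as ordinary
        // characters, so a purely Path-based check run on a developer's Linux box
        // can miss Windows-style input that a Windows deployment would honour.
        if (userSupplied.indexOf('/') >= 0 || userSupplied.indexOf('\\') >= 0
                || userSupplied.indexOf(':') >= 0 || userSupplied.indexOf('\0') >= 0
                || userSupplied.equals(".") || userSupplied.equals("..")) {
            throw new IllegalArgumentException("file name must not contain path components");
        }
        Path candidate = root.resolve(userSupplied).normalize();
        // Second, independent check on the resolved path.
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            throw new IllegalArgumentException("resolved path escapes upload root");
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate name and three traversal attempts.
        String[] samples = {
            "device-report.log",
            "../../webapps/ROOT/cmd.jsp",
            "/etc/cron.d/backdoor",
            "..\\..\\Windows\\Temp\\x.exe",
        };
        for (String s : samples) {
            System.out.println("unsafe: " + s + " -> " + unsafeResolve(UPLOAD_ROOT, s));
            try {
                System.out.println("safe:   " + s + " -> " + safeResolve(UPLOAD_ROOT, s));
            } catch (IllegalArgumentException e) {
                System.out.println("safe:   " + s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running the sample shows why both checks are kept: on Linux the backslash name survives `unsafeResolve` as a harmless odd file name, but the same bytes would traverse on a Windows host, which is where the string screen catches it.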


ID: CVE-2021-26295

Title: Deserialization Vulnerability in Apache OFBiz

Vendor: Apache

Description: Apache OFBiz prior to 17.12.06 performs unsafe deserialization. An unauthenticated attacker can use this vulnerability to take over the OFBiz instance.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-21978

Title: Remote Code Execution in VMware View Planner

Vendor: VMware

Description: VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability. Improper input validation and a lack of authorization in the logupload web application allow arbitrary file upload. An unauthenticated attacker with network access to the View Planner Harness could upload and execute a specially crafted file, leading to remote code execution within the logupload container.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-3450

Title: Improper Certificate Authority (CA) Certificate Validation Vulnerability in OpenSSL

Vendor: OpenSSL

Description: The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h, a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check, which confirms that certificates in the chain are valid CA certificates, was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates.

If a "purpose" has been configured, there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check, so where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in the libssl client and server certificate verification routines, but it can be overridden or removed by an application.

To be affected, an application must therefore explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL 1.1.1h through 1.1.1j are affected; users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue.

CVSS v3.1 Base Score: 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2

MD5: 96f8e4e2d643568cf242ff40d537cd85

VirusTotal: https://www.virustotal.com/gui/file/17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.File.Segurazo::95.sbx.tg