Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft fixes wormable remote code execution vulnerability in HTTP protocol stack

Description: Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities across its suite of products, the fewest in any month since January 2020. There are only three critical vulnerabilities patched in this month, while two are of “moderate” severity and the rest are “important.” All three critical vulnerabilities, however, are considered "more likely” to be exploited, according to Microsoft. This month’s security update provides patches for several major pieces of software, including Microsoft Office, SharePoint and Windows’ wireless networking. The most serious vulnerability exists in the HTTP protocol stack. An unauthenticated attacker could exploit CVE-2021-31166 by sending a specially crafted packet to a targeted server utilizing the stack. If successful, the adversary could gain the ability to execute remote code on the targeted server. According to Microsoft, the vulnerability is wormable and the company “recommends prioritizing the patching of affected servers.” It has a CVSS severity score of 9.8 out of 10.

Reference: https://blog.talosintelligence.com/2021/05/microsoft-patch-tuesday-for-may-2021.html

Snort SIDs: 57539, 57540, 57542 – 57545, 57548 - 57550


Title: Cisco discloses critical vulnerabilities that expose corporate networks

Description: Cisco recently patched three critical security vulnerabilities between the SD-WAN vManage software and the HyperFlex HX platform. These vulnerabilities, if left unpatched, could allow an attacker to completely take over corporate networks that are using this software. vManage is a network management system that allows users to monitor and configure any devices and links they have in the broader SD-WAN. The most serious vulnerability in this group is CVE-2021-1468, which has a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability by submitting a specially crafted input to the service, eventually allowing them to call privileged actions on the affected systems. The adversary could then also create new administrative-level accounts.

Reference: https://threatpost.com/critical-cisco-sd-wan-hyperflex-bugs/165923/

Snort SIDs: 57527 – 57530, 57535 - 57538

Security News


On Friday, Colonial Pipeline shut down 5,500 miles of fuel pipeline after its systems were hit with a ransomware attack.

https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html


The FBI has confirmed that the Russian-linked threat group Darkside is responsible for the Colonial Pipeline attack.

https://www.cnet.com/news/fbi-says-darkside-hacking-group-responsible-for-pipeline-cyberattack/


The Department of Transportation's Federal Motor Carrier Safety Administration issued a regional emergency declaration to provide emergency transportation for fuel.

https://www.axios.com/fuel-pipeline-cyberattack-us-state-of-emergency-dda2e776-f0f0-45cc-ae38-4fea47e014ec.html


Just 4 percent of iPhone users have reportedly opted into app tracking after new security settings rolled out in the latest iOS update.

https://www.engadget.com/ios-14-5-users-reject-app-tracking-165309407.html


A joint advisory from the FBI, NSA, CISA, and the UK’s National Cyber Security Centre “provides further details of Tactics, Techniques and Procedures (TTPs) associated with SVR cyber actors. SVR cyber actors are known and tracked in open source as APT29, Cozy Bear, and the Dukes."

https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf


New details released as part of an ongoing lawsuit between video game maker Epic and Apple disclosed that 128 million iPhone users have downloaded malicious apps containing malware known as XCodeGhost.

https://www.vice.com/en/article/n7bbmz/the-fortnite-trial-is-exposing-details-about-the-biggest-iphone-hack-of-all-time


A recently discovered vulnerability in Qualcomm chips affects nearly 30 percent of all mobile phones and could allow an attacker to snoop on users’ phone calls and text messages.

https://gizmodo.com/qualcomm-chip-flaw-could-leave-30-percent-of-the-worlds-1846837667


A security researcher successfully jailbroke one of the new Apple AirTags, raising potential questions about the devices’ security.

https://arstechnica.com/information-technology/2021/05/security-researcher-successfully-jailbreaks-an-apple-airtag/

Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM 

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2020-17510

Title: Authentication Bypass Vulnerability in Apache Shiro

Vendor: Apache

Description: Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-13942

Title: Code Injection Vulnerability in Apache Unomi

Vendor: Apache

Description: It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-24636

Title: Remote Code Execution Vulnerability in Aruba IAP

Vendor: Aruba Networks

Description A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below; Aruba Instant 8.7.x: 8.7.0.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-30642

Title: Input Validation Vulnerability in Symantec Security Analytics

Vendor: Symantec

Description: An input validation flaw in the Symantec Security Analytics web UI 7.2 prior 7.2.7, 8.1, prior to 8.1.3-NSR3, 8.2, prior to 8.2.1-NSR2 or 8.2.2 allows a remote, unauthenticated attacker to execute arbitrary OS commands on the target with elevated privileges.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2020-18020

Title: SQL Injection Vulnerability in PHPSHE Mail System

Vendor: PHPSHE

Description: SQL Injection in PHPSHE Mall System v1.7 allows remote attackers to execute arbitrary code by injecting SQL commands into the "user phone" parameter of a crafted HTTP request to the "admin.php" component.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-29145

Title: SSRF RCE in Aruba Policy Manager

Vendor: Aruba Networks

Description: A remote server-side request forgery (SSRF) remote code execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-21507

Title: Weak Authentication Vulnerability in Dell EMC Firmware

Vendor: Dell

Description: Dell EMC Networking X-Series firmware versions prior to 3.0.1.8 and Dell EMC PowerEdge VRTX Switch Module firmware versions prior to 2.0.0.82 contain a Weak Password Encryption Vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable system with privileges of the compromised account.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

MD5: 9a4b7b0849a274f6f7ac13c7577daad8

VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details

Typical Filename: ww31.exe

Claimed Product: N/A

Detection Name: W32.GenericKD:Attribute.24ch.1201


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af

MD5: 0a13d106fa3997a0c911edd5aa0e147a

VirusTotal: https://www.virustotal.com/gui/file/5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af/details

Typical Filename: mg20201223-1.exe

Claimed Product: N/A

Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos