Recent Security Issues


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: 40 high-severity vulnerabilities included in June’s Patch Tuesday

Description: Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities in the company's firmware and software. One of these vulnerabilities is considered critical, 40 are listed as high severity, and the remainder are considered "moderate." The most serious issue is CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS) service, version NFSv4.1, with a near-maximum severity score of 9.8. An attacker can exploit the vulnerability over the network by making an unauthenticated, specially crafted call to the NFS service, gaining remote code execution on the server. As a temporary mitigation until the update is applied, users are advised to disable NFSv4.1 and then restart the NFS server or reboot the machine; note that this workaround also disables legitimate NFSv4.1 clients. Microsoft SharePoint Server contains a separate remote code execution vulnerability, CVE-2022-30157, with a severity score of 8.8.

References: https://blog.talosintelligence.com/2022/06/microsoft-patch-tuesday-for-june-2022.html

Snort SIDs: 59967, 59968, 59971 and 59972

Snort 3 SIDs: 300201 and 300202


Title: Symbiote malware can remain undetected on Linux machines

Description: A new Linux malware that can go undetected on infected machines is being used to target the financial sector in Latin America. Once the "Symbiote" malware infects a machine, it hides itself, making infections hard to detect. If successful, the malware provides a backdoor for the threat actor and allows them to log in as any user on the machine with a hardcoded password. They can also execute arbitrary code on the infected machine with the highest privileges. Because of its stealth, security researchers do not know how widespread the campaign currently is and are unsure whether conventional security software can detect it at all.

References: https://therecord.media/linux-malware-symbiote-used-to-attack-latin-american-financial-sector/

Snort SIDs: 59957, 59958

Security News


A vulnerability in Tesla's NFC card unlock flow could give an attacker their own personal key to affected cars through a Bluetooth Low Energy attack.

https://arstechnica.com/information-technology/2022/06/hackers-out-to-steal-a-tesla-can-create-their-very-own-personal-key/


A proposed bill in Canada would give the country's federal government more power to compel companies in certain sectors to improve their cybersecurity capabilities.

https://www.cbc.ca/news/politics/cyberattacks-bill-1.6487826


iOS 16 for iPhone devices will include standalone, automatic security updates that can be applied without requiring users to install a new version of the operating system.

https://www.macrumors.com/2022/06/06/ios-16-security-fixes-automatic/


The recent Conti ransomware attack against the Costa Rican government highlights a new phase of ransomware campaigns targeting national governments.

https://www.wired.com/story/costa-rica-ransomware-conti/


Attackers are actively targeting Microsoft Exchange Servers to spread the BlackCat ransomware.

https://www.techradar.com/news/microsoft-exchange-servers-are-being-hacked-to-deploy-ransomware


Microsoft fixed the high-profile Follina vulnerability this month as part of its cumulative Windows Updates.

https://www.bleepingcomputer.com/news/security/microsoft-patches-actively-exploited-follina-windows-zero-day/

Vulnerabilities with Exploits


COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID: CVE-2021-34079

Title: OS Command injection vulnerability in Mintzo Docker-Tester

Description: docker-tester is a Node.js package that starts a testing environment from a docker-compose file and verifies it is up before running tests.

Affected versions of this package are vulnerable to OS command injection via shell metacharacters in the 'ports' entry of a crafted docker-compose.yml file.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-34080

Title: OS Command Injection vulnerability in es128 ssl-utils

Description: ssl-utils is a Node.js utility for SSL certificates using OpenSSL (generating, verifying, etc.).

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via unsanitized shell metacharacters provided to the createCertRequest() and the createCert() functions.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-34082

Title: OS Command Injection vulnerability in allenhwkim proctree

Description: proctree is a Node.js package that retrieves or displays a process tree.

Affected versions of this package are vulnerable to OS command injection: caller-supplied input is passed to a shell without sanitization, so shell metacharacters in that input allow attackers to execute arbitrary commands.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID: CVE-2021-34084

Title: OS command injection vulnerability in Turistforeningen node-s3-uploader

Description: s3-uploader is a Node.js package for flexible and efficient image resize, rename, and upload to Amazon S3 storage. It uses the official AWS Node SDK, im-resize, and im-metadata for image processing. An OS command injection vulnerability in Turistforeningen node-s3-uploader through 2.0.3 for Node.js allows attackers to execute arbitrary commands via the metadata() function.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

VirusTotal: https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details

Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02


SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

VirusTotal: https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201


SHA 256: b2ef49a10d07df6db483e86516d2dfaaaa2f30f4a93dd152fa85f09f891cd049

MD5: 067f9a24d630670f543d95a98cc199df

VirusTotal: https://www.virustotal.com/gui/file/b2ef49a10d07df6db483e86516d2dfaaaa2f30f4a93dd152fa85f09f891cd049/details

Typical Filename: RzxDivert32.sys

Claimed Product: WinDivert 1.4 driver

Detection Name: W32.B2EF49A10D-95.SBX.TG


SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

MD5: 8c69830a50fb85d8a794fa46643493b2

VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Dropper.Generic::1201