@RISK: The Consensus Security Vulnerability Alert

April 1, 2021 - Vol. 21, Num. 12

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked

Archived issues may be found at http://www.sans.org/newsletters/at-risk

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: OpenSSL issues patches for critical denial-of-service vulnerability
Description: OpenSSL disclosed and patched a denial-of-service vulnerability last week that could allow adversaries to completely crash servers. An attacker could cause a null pointer dereference, and then send a specially crafted, malicious request to crash the targeted server. OpenSSL is one of the most popular software libraries on the internet. It is a toolkit for TLS or SSL and serves as a general cryptographic library. The maintainers behind the toolkit also fixed a separate vulnerability that could prevent apps from detecting and rejecting unsigned TLS certificates.
References: https://arstechnica.com/gadgets/2021/03/openssl-fixes-high-severity-flaw-that-allows-hackers-to-crash-servers/
Snort SID: 56942 – 56944, 56957 - 56963

Title: Critical vulnerabilities in Cisco Jabber for mobile, desktop devices
Description: Cisco fixed multiple vulnerabilities in the Jabber messaging software that affects versions for mobile devices, MacOS and Windows. An attacker could exploit any of these bugs to execute arbitrary programs on the underlying operating system with elevated privileges. They could also potentially access sensitive information, intercept protected network traffic or cause a denial of service. Adversaries only need to exploit one of the vulnerabilities disclosed this week to carry out these malicious actions. They also must be able to authenticate to an Extensible Messaging and Presence Protocol (XMPP) server that the affected software uses and be able to send XMPP messages to a targeted system.
Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-jabber-PWrTATTC
Snort SIDs: 55016 – 55018, 56572, 56573, 56575, 56576, 56588 – 56591, 57351 – 57354, 57359

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Google’s security team shut down a counter-terrorism operation, which has raised ethical questions both within the company and in the security community.
https://www.technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/

Facebook discovered a Chinese-backed campaign using fake accounts and groups to track Uyghur activists in the country.
https://www.npr.org/2021/03/24/981021257/chinese-hackers-made-fake-facebook-profiles-apps-to-spy-on-uyghur-activists

New Android malware is disguising itself as an operating system update that could give attackers total control of a device and the user’s data.
https://techcrunch.com/2021/03/26/android-malware-system-update/

CNA, one of the top providers of cyber insurance, had to disconnect many of its devices from the internet after a ransomware attack last week.
https://www.cyberscoop.com/cna-cyber-insurance-breach/

A United Nations working group has come to a tentative agreement outlining how nation-states should behave online.
https://blogs.microsoft.com/on-the-issues/2021/03/29/un-working-group-cybersecurity-report/

Though the news of a ship stuck in the Suez Canal dominated headlines over the past week, security experts are worried the next threat to the Suez Canal could be a cyber attack.
https://www.bloomberg.com/opinion/articles/2021-03-30/a-cyber-attack-could-be-the-next-big-suez-canal-threat

A cyberattack disrupted live broadcasts at a major broadcaster in Australia earlier this week, the same day the country’s parliament also reported an attack on its computer network.
https://www.cnn.com/2021/03/29/media/australia-cyber-attack-scli-intl/index.html

As non-fungible tokens (NFTs) take the internet by storm, uninformed users are being duped into scams or are finding their NFTs disappearing into thin air.
https://www.vice.com/en/article/pkdj79/peoples-expensive-nfts-keep-vanishing-this-is-why

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-21345 |
Title: Deserialization Vulnerability in XStream Library
Vendor: Xstream Project
Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. Users who followed the recommendation to setup XStream’s security framework with a whitelist limited to the minimal required types will not be impacted. If you rely on XStream’s default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-1411 |
Title: Arbitrary Code Execution Vulnerability in Cisco Jabber
Vendor: Cisco
Description: Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition. For more information about these vulnerabilities, see the Details section of this advisory.
CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-27452 |
Title: Weak Authentication Vulnerability in GE Mu Firmware
Vendor: GE
Description: The software contains a hard-coded password that could allow an attacker to take control of the merging unit using these hard-coded credentials on the MU320E (all firmware versions prior to v04A00.1).
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-27274 |
Title: Remote Code Execution Vulnerability in NetGear ProSafe
Vendor: Netgear
Description: This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MFileUploadController class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12124.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-26295 |
Title: Deserialization Vulnerability in Apache OFBiz
Vendor: Apache
Description: Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-21978 |
Title: Remote Code Execution in VMware View Planner
Vendor: VMware
Description: VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in logupload web application. An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted file leading to remote code execution within the logupload container.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID: CVE-2021-3450
Title: Improper Certificate Authority (CA) certificate validation vulnerability
Vendor: Openssl
Description: The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a “purpose” has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named “purpose” values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
CVSS v3.1 Base Score: 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

MOST PREVALENT MALWARE FILES March 25-April 1, 2021
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2
MD5: 96f8e4e2d643568cf242ff40d537cd85
VirusTotal: https://www.virustotal.com/gui/file/17c4a85cdc339f525196d7f5da3a02e43c97513ff50b6bc17db4470ae3b182e2/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg