Vol. 20, Num. 47
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES November 12 - 19, 2020
TOP VULNERABILITY THIS WEEK: Cisco discloses critical vulnerability in Security Manager software
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Cisco Security Manager contains vulnerabilities that could allow attackers to execute remote code
Description: Cisco disclosed three significant vulnerabilities in its Security Manager software that the company urged users to patch immediately. An attacker could leverage these vulnerabilities to execute arbitrary code and download files on the victim’s targeted device – even without credentials. One of the bugs is considered to be critical while the others are high-severity. These vulnerabilities affect Cisco Security Manager releases 4.22 and earlier.
References:
Snort SIDs: 56408 - 56423
Title: Vulnerabilities in Pixar OpenUSD affect some versions of macOS
Description: Pixar OpenUSD contains multiple vulnerabilities that attackers could exploit to carry out a variety of malicious actions. Pixar uses this software for several types of animation tasks, including swapping arbitrary 3-D scenes that are composed of many different elements. Aimed at professional animation studios, the software is designed for scalability and speed as a pipeline connecting various aspects of the digital animation process, and in most use cases it is expected to process trusted inputs. By default, on macOS, both a thumbnail and a preview handler are registered for USD file formats through QuickLook, and the default application to open USD files is the Preview application. On iOS, the AR application is the default handler. A USD file can be embedded in a web page or sent in a message, and an AR application is opened when the file is clicked, which exposes affected macOS and iOS versions to these bugs through untrusted files.
References: https://blog.talosintelligence.com/2020/11/vuln-spotlight-pixar-open-usd-nov-2020.html
Snort SIDs: 54415, 54416, 54467 - 54472, 54488 - 54493, 54922, 54923
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Christopher Krebs, the U.S.’s top cyber security official, has been fired by President Trump.
https://www.politico.com/news/2020/11/17/trump-fires-dhs-cybersecurity-chief-who-led-election-defense-437174
As if there aren’t enough hurdles for schools to overcome this year, they’re also facing an uptick in cyber attacks and threat actors who want to publicly expose student information. (Please note that this story is behind a paywall.)
https://www.wsj.com/articles/my-information-is-out-there-hackers-escalate-ransomware-attacks-on-schools-11605279160
Several state-sponsored threat actors continue to target COVID-19 vaccine research, with Microsoft identifying at least seven targeted countries.
https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/
The U.K. fined Ticketmaster the equivalent of $1.48 million for a data breach in 2018 that exposed customers' personal information and credit card data.
https://www.bbc.com/news/technology-54931873
COVID-19 tracing apps for countries and local governments around the world vary widely in how they handle and store user information, which presents a security minefield.
https://www.wired.com/story/covid-19-ios-apps-privacy/
More than 27 million Texas drivers had their data exposed after an insurance software company inadvertently stored the information on an unprotected server.
https://www.zdnet.com/article/info-of-27-7-million-texas-drivers-exposed-in-vertafore-data-breach/
President Donald Trump used a video from the DEFCON conference demonstrating a vulnerability in a voting machine to erroneously claim voter fraud in this year’s presidential election. However, the video merely showed a potential exploit, not an actual attack that took place during this year’s voting.
https://arstechnica.com/tech-policy/2020/11/voting-security-experts-refute-trump-claims-of-voting-machine-hacking/
A Delaware state government agency potentially exposed the information of 10,000 people who tested positive for COVID-19 over the summer after an unauthorized person received an unencrypted email that included the data.
https://www.wgal.com/article/10000-peoples-files-leaked-in-covid-19-data-breach-in-delaware/34682398
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2020-16898
Title: Microsoft Windows TCP/IP Stack Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
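The Windows TCP/IP flaw above is triggered by a malformed Recursive DNS Server (RDNSS) option inside an ICMPv6 Router Advertisement. RFC 8106 requires the RDNSS option's Length field (in 8-octet units) to be odd and at least 3 (one unit of header and lifetime, plus two units per IPv6 address); vulnerable Windows hosts mis-handle an RDNSS option whose Length is even. The following added example, written for this newsletter and not taken from Microsoft or any vendor, walks the Neighbor Discovery options of a Router Advertisement payload (the bytes after the IPv6 header) and flags RDNSS options with an invalid length. The two sample packets are constructed inline; the ICMPv6 checksum is left at zero and not validated, and feeding the parser from a live capture source is left to the reader.

```python
"""Flag malformed ICMPv6 Router Advertisement RDNSS options (CVE-2020-16898 indicator).

Added example for the SANS @RISK newsletter; not vendor code. Sample packets are
constructed below; checksums are zero and are not validated.
"""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
ND_OPT_MTU = 5
ND_OPT_RDNSS = 25
RA_HEADER_LEN = 16  # type, code, checksum, hop limit, flags, router lifetime, reachable, retrans


def parse_ra_options(icmpv6_payload):
    """Yield (type, length_units, option_bytes) for each ND option in a Router Advertisement."""
    if len(icmpv6_payload) < RA_HEADER_LEN or icmpv6_payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    offset = RA_HEADER_LEN
    while offset < len(icmpv6_payload):
        if len(icmpv6_payload) - offset < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = icmpv6_payload[offset], icmpv6_payload[offset + 1]
        if opt_len == 0:
            raise ValueError("option length 0 (forbidden by RFC 4861)")
        opt_bytes = icmpv6_payload[offset:offset + 8 * opt_len]
        yield opt_type, opt_len, opt_bytes
        offset += 8 * opt_len  # always advance by the declared length, as the stack does


def find_bad_rdnss(icmpv6_payload):
    """Return human-readable findings for RDNSS options whose length is not odd and >= 3."""
    findings = []
    for opt_type, opt_len, opt_bytes in parse_ra_options(icmpv6_payload):
        if opt_type != ND_OPT_RDNSS:
            continue
        if opt_len < 3 or opt_len % 2 == 0:
            findings.append(f"RDNSS option with invalid length {opt_len} (CVE-2020-16898 indicator)")
        elif len(opt_bytes) != 8 * opt_len:
            findings.append(f"RDNSS option declares {opt_len} units but packet is truncated")
    return findings


def rdnss_option(addresses, length_units=None):
    """Build an RDNSS option; length_units overrides the Length byte to craft malformed options."""
    body = struct.pack("!BBHI", ND_OPT_RDNSS, 0, 0, 3600)  # type, length placeholder, reserved, lifetime
    body += b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    if length_units is None:
        length_units = len(body) // 8  # well-formed: 1 + 2 * len(addresses)
    body = body.ljust(8 * length_units, b"\x00")[:8 * length_units]
    return bytes([body[0], length_units]) + body[2:]


def build_ra(options):
    """Build an ICMPv6 Router Advertisement payload with a zero checksum (constructed sample)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return header + b"".join(options)


MTU_OPTION = struct.pack("!BBHI", ND_OPT_MTU, 1, 0, 1500)

# Constructed samples: a well-formed RA (RDNSS length 3) and a malformed one (RDNSS length 4).
BENIGN_RA = build_ra([MTU_OPTION, rdnss_option(["2001:db8::53"])])
MALICIOUS_RA = build_ra([MTU_OPTION, rdnss_option(["2001:db8::53", "2001:db8::54"], length_units=4)])

if __name__ == "__main__":
    for name, packet in (("benign", BENIGN_RA), ("malicious", MALICIOUS_RA)):
        print(name, find_bad_rdnss(packet) or "no findings")
```

The parser advances by the declared option length regardless of content, which is exactly why an even RDNSS length is dangerous to a stack that computes the address count from the same field. On hosts that cannot be patched immediately, Microsoft's documented workaround is to disable RA-based DNS configuration per interface (`netsh int ipv6 set int <interface index> rabaseddnsconfig=disable`), which removes the RDNSS parsing path.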
ID: CVE-2020-15647
Title: Mozilla Firefox Arbitrary Local File Access Vulnerability
Vendor: Mozilla
Description: A Content Provider in Firefox for Android allowed local files accessible by the browser to be read by a remote webpage, leading to sensitive data disclosure, including cookies for other origins.
CVSS v3 Base Score: 7.8 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N)
ID: CVE-2020-14815
Title: Oracle Business Intelligence Unauthorized Access Vulnerability
Vendor: Oracle
Description: A vulnerability exists in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data.
CVSS v3 Base Score: 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
ID: CVE-2020-26217
Title: XStream Remote Code Execution Vulnerability
Vendor: Multi-vendor
Description: XStream is vulnerable to a remote code execution flaw that may allow a remote attacker to run arbitrary shell commands solely by manipulating the processed input stream. Only users who rely on the default blocklist are affected; users of XStream's security framework with an explicit type allowlist are not.
CVSS v3 Base Score: 8.0 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
ID: CVE-2020-14882
Title: Oracle WebLogic Server Remote Code Execution Vulnerability
Vendor: Oracle
Description: Oracle WebLogic Server (formerly known as BEA WebLogic Server) is an application server for building and deploying enterprise applications and services. A remote code execution vulnerability exists in the Console component of the Oracle WebLogic Server product of Oracle Fusion Middleware, exploitable by an unauthenticated attacker with network access via HTTP.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1472
Title: Microsoft Netlogon Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-8271
Title: Citrix SD-WAN Center Remote Code Execution Vulnerability
Vendor: Citrix
Description: Multiple vulnerabilities have been discovered in Citrix SD-WAN Center that, if exploited, could allow an unauthenticated attacker with network access to SD-WAN Center to execute arbitrary code as root.
CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-3471
Title: Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability
Vendor: Cisco
Description: A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to maintain bidirectional audio despite being expelled from an active Webex session. The vulnerability is due to a synchronization issue between meeting and media services on a vulnerable Webex site. A successful exploit could allow the attacker to maintain the audio connection of a Webex session despite being expelled.
CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
MOST PREVALENT MALWARE FILES November 12 - 19, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 432FC2E3580E818FD315583527AE43A729586AF5EE37F99F04B562D1EFF2A1FD
MD5: dd726d5e223ca762dc2772f40cb921d3
VirusTotal: https://www.virustotal.com/gui/file/432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd/detection
Typical Filename: ww24.exe
Claimed Product: N/A
Detection Name: W32.TR:Attribute.23ln.1201
SHA 256: F059A5358C24CC362C2F74B362C75E02035FDF82F9FFAE8D553AFEE1A271AFD0
MD5: ce4395edbbf9869a5e276781af2e0fb5
VirusTotal: https://www.virustotal.com/gui/file/f059a5358c24cc362c2f74b362c75e02035fdf82f9ffae8d553afee1a271afd0/details
Typical Filename: wupxarch635.exe
Claimed Product: N/A
Detection Name: W32.Auto:f059a5358c.in03.Talos
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584
MD5: 920823d1c5cb5ce57a7c69c42b60959c
VirusTotal: https://www.virustotal.com/gui/file/100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584/details
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Variant.23mj.1201
SHA 256: C3E530CC005583B47322B6649DDC0DAB1B64BCF22B124A492606763C52FB048F
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201