CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES March 14 - 21, 2019
TOP VULNERABILITY THIS WEEK: Malicious WordPress comments could lead to complete site takeovers

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Latest WordPress version fixes critical vulnerability
Description: The latest update from WordPress fixes a critical vulnerability that could allow an attacker to completely take over a site. The bug opened sites to be attacked via malicious comments that contain cross-site scripting if sites had the comments module enabled. Around 20,000 sites have already been impacted by this exploit.
Reference: https://www.bleepingcomputer.com/news/security/wordpress-511-fixes-xss-vulnerability-leading-to-website-takeovers/
Snort SIDs: 49448

Title: Multiple vulnerabilities in CUJO Smart Firewall, Das U-Boot, OCTEON SDK, Webroot BrightCloud
Description: Cisco Talos recently discovered 11 vulnerabilities in the CUJO Smart Firewall. These vulnerabilities could allow an attacker to bypass the safe browsing function and completely take control of the device, either by executing arbitrary code in the context of the root account, or by uploading and executing unsigned kernels on affected systems.
Reference: https://blog.talosintelligence.com/2019/03/vuln-spotlight-cujo.html
Snort SIDs: 47234, 47663, 47809, 47811, 47842, 48261, 48262

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Several high-profile companies may have issued 1 million digital certificates that do not actually meet industry requirements.
https://arstechnica.com/information-technology/2019/03/godaddy-apple-and-google-goof-results-in-1-million-misissued-certificates/

U.S. immigration agents have access to a database of American citizens’ location based on their license plate number.
https://www.aclunc.org/blog/documents-reveal-ice-using-driver-location-data-local-police-deportations

The U.S. Department of Defense is working on a $10 million open-source voting system that would deter attacks and also allow voters to check that their votes were counted correctly.
https://motherboard.vice.com/en_us/article/yw84q7/darpa-is-building-a-dollar10-million-open-source-secure-voting-system

Norwegian aluminum company Norsk Hydro had their operations interrupted in the U.S. and Europe due to a ransomware attack.
https://www.bloomberg.com/news/articles/2019-03-19/norsk-hydro-ransomware-attack-is-severe-but-all-too-common

Germany is considering legislation that would impose harsh punishment on people who provided digital infrastructure for illegal online activities.
https://www.zdnet.com/article/dark-web-crackdown-germans-want-to-criminalize-anyone-providing-a-platform/

Google made its Sandboxed API open-source to help developers create more secure software.
https://www.securityweek.com/google-open-sources-sandboxed-api

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2018-1335
Title: Apache Tika-server Command Injection Vulnerability
Vendor: Apache
Description: Apache Tika is prone to a remote command-injection vulnerability, where clients could send carefully crafted headers that could be used to inject commands into the command line of the server running tika-server. An attacker may exploit this issue to inject and execute arbitrary code within the context of the affected application; this may aid in further attacks.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2019-0541
Title: Microsoft Windows MSHTML Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the MSHTML engine improperly validates input. Successful exploitation of the vulnerability can lead to arbitrary code execution within the context of the current user. This affects Microsoft Office, Microsoft Office Word Viewer, Internet Explorer 9, Internet Explorer 11, Microsoft Excel Viewer, Internet Explorer 10, Office 365 ProPlus.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2019-9787
Title: WordPress Remote Code Execution Vulnerability
Vendor: WordPress
Description: WordPress is exposed to a remote code execution vulnerability where it does not properly filter comment content. This occurs because CSRF protection is mishandled, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. Attackers can exploit this issue to execute arbitrary code in the context of the affected application.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

ID: CVE-2019-9740
Title: Python CRLF Injection Vulnerability
Vendor: Python
Description: An issue exists in urllib and urllib2 in Python where CRLF injection is possible if the attacker controls a url parameter. An attacker can exploit this issue to add arbitrary headers to a webpage.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

ID: CVE-2019-9741
Title: Golang Go HTTP response-splitting vulnerability
Vendor: Golang
Description: Golang Go is exposed to an HTTP response-splitting vulnerability. An issue exists in net/http where CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

ID: CVE-2019-9020, CVE-2019-9021, CVE-2019-9023, CVE-2019-9024
Title: PHP Information Disclosure and Heap Buffer Overflow Vulnerabilities
Vendor: PHP
Description: PHP is exposed to information disclosure and heap buffer overflow vulnearbilities due to invalid input to the function xmlrpc_decode(). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c. Successful exploitation allows attackers to execute arbitrary code in the context of the affected application or obtain sensitive information.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

ID: CVE-2019-5511, CVE-2019-5512
Title: VMware Workstation Multiple Privilege Escalation Vulnerabilities
Vendor: VMWare
Description: VMware Workstation is exposed to multiple privilege-escalation vulnerabilities. Successful exploitation of this issue may allow the path to the VMX executable, on a Windows host, to be hijacked by a non-administrator leading to elevation of privilege.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

ID: CVE-2019-5418, CVE-2019-5419, CVE-2019-5420
Title: Ruby on Rails Multiple Security Vulnerabilities
Vendor: Ruby on Rails
Description: Ruby on Rails is exposed to file content disclosure vulnerability in Action View caused by specially crafted accept headers. It is also exposed to a denial of service vulnerability in action view caused by specially crafted accept headers. It is possible to execute remote code execution vulnerability in Rails when in development mode.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

MOST PREVALENT MALWARE FILES March 14 - 21, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: aae728ffb953cfcc573c82b63eef7603c9b29c95f42bb032b790d6d51813f7c3
MD5: ee445f9fa6296b611c72bc81d8f6c19a
VirusTotal: https://www.virustotal.com/#/file/aae728ffb953cfcc573c82b63eef7603c9b29c95f42bb032b790d6d51813f7c3/details
Typical Filename: wusa.exe
Claimed Product: Microsoft® Windows® Operating System
Detection Name: W32.aae728ffb9.Malspam.MRT.Talos

SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
MD5: b89b37a90d0a080c34bbba0d53bd66df
VirusTotal: https://www.virustotal.com/#/file/46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044/details
Typical Filename: ups.rar
Claimed Product: Orgs ps
Detection Name: W32.GenericKD:Trojangen.22ek.1201

SHA 256: fea935d2d0fb1abadb900f009b4c40bb8a91fd9e25cc76ed4f9dae08960566d5
MD5: bc7fc83ce9762eb97dc28ed1b79a0a10
VirusTotal: https://www.virustotal.com/#/file/fea935d2d0fb1abadb900f009b4c40bb8a91fd9e25cc76ed4f9dae08960566d5/details
Typical Filename: max.exe
Claimed Product: WPS Office
Detection Name: W32.Agent:Malwaregen.22em.1201

SHA 256: dcf0fd2f6cc7b7d6952e8a2a9e31d760c1f60dd6c64bffae0ab8b68384a21e8b
MD5: f22a024b4c98534e8ba7a1c03b0b6132
VirusTotal: https://www.virustotal.com/#/file/dcf0fd2f6cc7b7d6952e8a2a9e31d760c1f60dd6c64bffae0ab8b68384a21e8b/details
Typical Filename: unpacknw.zip
Claimed Product: N/A
Detection Name: Osx.Malware.Bpbw::agent.tht.talos

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
Claimed Product: N/A
Detection Name: W32.Generic:Gen.21ij.1201