CONTENTS:

NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES September 12 - 19, 2019
TOP VULNERABILITY THIS WEEK: Some AMD graphics cards open to remote code execution attacks

NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Remote code execution vulnerability in some AMD Radeon cards
Description: A line of AMD Radeon cards contains a remote code execution vulnerability in their ATIDXX64.DLL driver. AMD produces the Radeon line of hardware, which includes graphics cards and graphics processing units. This specific vulnerability exists on the Radeon RX 550 and the 550 Series while running VMWare Workstation 15. An attacker could exploit this vulnerability by supplying a malformed pixel shared inside the VMware guest operating system to the driver. This could corrupt memory in a way that would allow the attacker to gain the ability to remotely execute code on the victim machine.
Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-AMD-Radeon-ATI-sept-19.html
Snort SIDs: 49978, 49979 (Written by Tim Muniz)

Title: Atlassian Jira service contains multiple vulnerabilities, including remote JavaScript execution
Description: Atlassian’s Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is a piece of software that allows users to create, manage and organize tasks and manage projects. These bugs could create a variety of scenarios, including the ability to execute code inside of Jira and the disclosure of information inside of tasks created in Jira, including attached documents.
Reference: https://blog.talosintelligence.com/2019/09/vuln-spotlight-atlassian-jira-sept-19.html
Snort SIDs: 50110, 50111 (Written by Amit Raut), 50114 (Written by Josh Williams)

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

The U.S. Treasury Department announced a new round of sanctions targeting three North Korean state-sponsored threat groups.
https://home.treasury.gov/news/press-releases/sm774

States across the U.S. were critical of a cyber security “report card” that pointed out flaws in their election systems, saying that the company that wrote the reports had flawed methodology and is only after publicity.
https://www.propublica.org/article/report-on-election-security-gains-attention-and-a-sharp-rebuke

Windows’ new “health release dashboard” is designed to make updates easier, but security researchers have already discovered several bugs and design flaws.
https://www.zdnet.com/article/windows-10-has-microsoft-cleaned-up-its-update-mess-spoiler-maybe/

A vulnerability in the soon-to-be-released iOS 13 could allow a malicious user to bypass the phone’s lockscreen and view the owners’ contacts.
https://www.theverge.com/2019/9/13/20863993/ios-13-exploit-lockscreen-bypass-security

The LastPass password manager fixed a bug that could have exposed the credentials a user entered on previous websites they visited.
https://gizmodo.com/you-should-update-lastpass-right-now-1838142059

Attackers are impersonating organizations’ executives as a way of obtaining digital certificates.
https://blog.reversinglabs.com/blog/digital-certificates-impersonated-executives-as-certificate-identity-fronts

The new Wi-Fi 6 certifications rolled out this week, opening devices up to faster internet speeds than ever.
https://www.theverge.com/2019/9/16/20864338/wifi-6-alliance-tech-certification-program-launch

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2019-10669
Title: LibreNMS Collectd Command Injection Vulnerability |
Vendor: librenms
Description: A command injection vulnerability exists in html/includes/graphs/device/collectd.inc.php where user supplied parameters are filtered with the mysqli_escape_real_string function. This function is not the appropriate function to sanitize command arguments as it does not escape a number of command line syntax characters such as ` (backtick), allowing an attacker to inject commands into the variable $rrd_cmd, which gets executed via passthru().
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

ID: CVE-2019-1245
Title: Microsoft DirectWrite Information Disclosure Vulnerability
Vendor: Microsoft
Description: An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. Microsoft DirectWrite is a modern Windows API for high-quality text rendering. A majority of its code resides in the DWrite.dll user-mode library. It is used by a variety of widely used desktop programs (such as the Chrome, Firefox and Edge browsers) and constitutes an attack surface for memory corruption bugs, as it performs the processing of untrusted font files and is written in C/C++. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.
CVSS v2 Base Score: | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

ID: CVE-2019-12922
Title: phpMyAdmin Cross Site Request Forgery Vulnerability
Vendor: phpMyAdmin
Description: A Cross site request forgery issue in phpMyAdmin allows deletion of any server in the Setup page. The attacker can easily create a fake hyperlink containing the request that wants to execute on behalf the user,in this way making possible a CSRF attack due to the wrong use of HTTP method.
CVSS v2 Base Score: | 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)

ID: 2019-16173, 2019-16172
Title: LimeSurvey Cross-Site Scripting Vulnerability
Vendor: LimeSurvey
Description: LimeSurvey allows stored cross site scripting for escalating privileges from a low privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group deletion. By exploiting this vulnerability an attacker could attack other users of the web application with JavaScript code, browser exploits or Trojan horses. An attacker could also perform unauthorized actions in the name of another logged-in user.
CVSS v2 Base Score: | 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

ID: CVE-2019-1253
Title: Microsoft Windows Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. AppXSvc improperly handles file hard links resulting in a low privileged user being able to take “Full Control” of an arbitrary file leading to elevation of privilege.
CVSS v2 Base Score: | 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2019-10149
Title: Symantec Advanced Secure Gateway Unrestricted File Upload Vulnerability
Vendor: Symantec
Description: An Unrestricted file upload vulnerability exists in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator user into downloading and executing malicious code.
CVSS v2 Base Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

MOST PREVALENT MALWARE FILES September 12 - 19, 2019
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
VirusTotal: https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 26da22347f1d91f6ca56b7c47644a776b72251d3de11c90d9fd77556d5236f5e
MD5: f6f6039fc64ad97895142dc99554e971
VirusTotal: https://www.virustotal.com/gui/file/26da22347f1d91f6ca56b7c47644a776b72251d3de11c90d9fd77556d5236f5e/details
Typical Filename: CSlast.gif
Claimed Product: N/A
Detection Name: W32.26DA22347F-100.SBX.TG

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
VirusTotal: https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG

SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7
MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
VirusTotal: https://www.virustotal.com/gui/file/093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7/details
Typical Filename: sayext.gif
Claimed Product: N/A
Detection Name: W32.093CC39350-100.SBX.TG

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201