Vol. 15, Num. 47
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 2015-11-17 - 2015-11-24
TOP VULNERABILITY THIS WEEK: Certain Dell Laptops Found to Ship with
Root Certificate, Private Key
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Certain Dell Laptops Found to Ship with Root Certificate, Private
Key
Description: Researchers have found that certain Dell Laptops ship with
a pre-installed root certificate and private key corresponding to the
certificate. The certificate can be identified by name as “eDellRoot”
in the certificate trust store within Windows. This issue could
potentially allow an attacker to man-in-the-middle a secure connection
and steal sensitive information. End users are advised to remove the
certificate from the trust store to reduce the risk of exposure.
Reference: https://threatpost.com/dell-computers-ship-with-root-cert-private-key/115455/
Snort SID: 36887
Title: ARRIS Cable Modems Found to Generate Passwords Deterministically
and Contain XSS and CSRF vulnerabilities
Description: A researcher has discovered that ARRIS cable modems contain
multiple vulnerabilities as well as a “backdoor in a backdoor”. Using a
publicly known algorithm, it’s possible to generate a “password of the
day” for various ARRIS cable modem models and login as a technician.
Once logged into the modem, an attacker could enable remote
administration, login to the cable modem, and obtain a BusyBox shell.
Reference: http://www.kb.cert.org/vuls/id/419568
Title: VMware Issues Advisory to Address Apache Flex BlazeDS
Vulnerability in Certain Products
Description: VMware has issued a security advisory for VMware vCenter
Server, vCloud Director, and Horizon View to address an XML eXternal
Entity (XXE) vulnerability in Apache Flex BlazeDS. Flex BlazeDS is a
software package used within several VMware products that has been
identified to contain this vulnerability. VMware has released updated
software packages to update Flex BlazeDS and correct the flaw.
Reference: http://www.vmware.com/security/advisories/VMSA-2015-0008.html
A $10 Tool Can Guess (and Steal) Your Next Credit Card Number
http://www.wired.com/2015/11/samy-kamkar-10-dollar-tool-can-guess-and-steal-your-next-credit-card-number/
Yahoo declares war on ad blockers, blocks email access
http://www.zdnet.com/article/yahoo-declares-war-on-ad-blockers-blocks-email-access/
Peering into GlassRAT
https://blogs.rsa.com/peering-into-glassrat/
VirusTotal += Mac OS X execution
http://blog.virustotal.com/2015/11/virustotal-mac-os-x-execution.html
Wireshark 2.0 Released!
https://www.wireshark.org/news/20151118.html
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2015-3628
Title: F5 Multiple Products iCall Privilege Escalation Vulnerability
Vendor: F5 Networks
Description: Multiple F5 Networks Inc. products could allow attackers
to gain escalated privileges on the targeted host due to a vulnerability
in the iCall SOAP Interface.
CVSS v2 Base Score: 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)
ID: CVE-2015-7007
Title: Apple OS X Input Validation Code Execution Vulnerability
Vendor: Apple
Description: Script Editor in Apple OS X before 10.11.1 allows remote
attackers to bypass an intended user-confirmation requirement for
AppleScript execution via unspecified vectors.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2015-7645
Title: Adobe Flash Player Code Execution Vulnerability (APSB15-27)
Vendor: Adobe
Description: Adobe Flash Player 18.x through 18.0.0.252 and 19.x through
19.0.0.207 on Windows and OS X and 11.x through 11.2.202.535 on Linux
allows remote attackers to execute arbitrary code via a crafted SWF
file, as exploited in the wild in October 2015.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2015-2342
Title: VMware vCenter JMX RMI Service Remote Code Execution Vulnerability
Vendor: VMware
Description: The JMX RMI service in VMware vCenter Server 5.0 before
u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict
registration of MBeans, which allows remote attackers to execute
arbitrary code via the RMI protocol.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2015-2509
Title: Microsoft Windows Media Center MCL Vulnerability (MS15-100)
Vendor: Microsoft
Description: Windows Media Center in Microsoft Windows Vista SP2,
Windows 7 SP1, Windows 8, and Windows 8.1 allows user-assisted remote
attackers to execute arbitrary code via a crafted Media Center link
(mcl) file, aka “Windows Media Center RCE Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2014-6332
Title: Microsoft Windows OLE Automation Array Memory Corruption Code
Execution Vulnerability (MS14-064)
Vendor: Microsoft
Description: OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2,
Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1,
Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT
Gold and 8.1 allows remote attackers to execute arbitrary code via a
crafted web site, as demonstrated by an array-redimensioning attempt
that triggers improper handling of a size value in the SafeArrayDimen
function, aka “Windows OLE Automation Array Remote Code Execution
Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
MOST PREVALENT MALWARE FILES 2015-11-17 - 2015-11-24 COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 2E1224AEF20DA8473C55A425380A1441C44FC947A4E07E28710F55846C3BD947
MD5: a1a1993ad220737ca080d20f91446a8f
VirusTotal:
https://www.virustotal.com/file/2E1224AEF20DA8473C55A425380A1441C44FC947A4E07E28710F55846C3BD947/analysis/#additional-info
Typical Filename: ApplicationManager
Claimed Product: N/A
Detection Name: OSX.Variant:SpigotD.18mp.1201
SHA 256: 44E6A01E16B19F30573CD577D34DD3AE513A20D5658E9C8855C0A2FC5DE4BBF2
MD5: eae482ece750ca6e581f68c448052b41
VirusTotal:
https://www.virustotal.com/file/44E6A01E16B19F30573CD577D34DD3AE513A20D5658E9C8855C0A2FC5DE4BBF2/analysis/#additional-info
Typical Filename: ApplicationManager
Claimed Product: N/A
Detection Name: OSX.Variant:SpigotD.18lv.1201
SHA 256: 3B17689A486D68813C31BF2BA610BF36F4B1F5B0403B0316C9833348845306FC
MD5: 37ee9a5257102d876cfae15bccfbbf78
VirusTotal:
https://www.virustotal.com/file/3B17689A486D68813C31BF2BA610BF36F4B1F5B0403B0316C9833348845306FC/analysis/#additional-info
Typical Filename: WebSocketServerApp
Claimed Product: N/A
Detection Name: W32.Auto.3b1768.182243.in01
SHA 256: AD4EAFCC549BF58A1A9AABE1DE8DB52E170B891C3574021D3CA8497D13A83895
MD5: 2336b78d9627e1e82e7a3d84a05cba31
VirusTotal:
https://www.virustotal.com/file/AD4EAFCC549BF58A1A9AABE1DE8DB52E170B891C3574021D3CA8497D13A83895/analysis/#additional-info
Typical Filename: AppSO
Claimed Product: N/A
Detection Name: OSX.Variant:GenieoAQ.18ln.1201
SHA 256: AC59FB59BBD17C0DBED4A9B2AD12865E8A6C2E77EC88A6F426F8BE676C650CBC
MD5: 5e19f560eaac49ec518f8a8f1e644275
VirusTotal:
https://www.virustotal.com/file/AC59FB59BBD17C0DBED4A9B2AD12865E8A6C2E77EC88A6F426F8BE676C650CBC/analysis/#additional-info
Typical Filename: UpdatePlatform.exe
Claimed Product: Update Platform Application
Detection Name: W32.AC59FB59BB-100.SBX.VIOC
OVERVIEW
CAPABILITIES
PLATFORM APPS
Use Cases
Segments
Resources
Research
Enterprise TruRisk Platform
Free Services