CVE-2020-1938 – Apache Tomcat AJP Request Injection and potential Remote Code Execution

Published by Apache: 2020-02-24
MITRE CVE-2020-3158

“When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising.”

There is not enough details available yet, but the vulnerability has at least a CVSS Base score of 8.1, High. This depends on how hard it is to exploit, etc.

There is proof of concept published, but as of writing no known public exploitation of this vulnerability.

Basefarm customers will be upgraded as part of normal patching routines.

CVE-2020-3158 – Cisco Smart Software Manager On-Prem Static Default Credential Vulnerability

Published by Cisco: 2020-02-19
MITRE CVE-2020-3158

“A vulnerability in the High Availability (HA) service of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to access a sensitive part of the system with a high-privileged account.”

The vulnerability has a CVSS Base score of 9.8, Critical.

Basefarm has triaged this vulnerability and found that we are not using the Cisco Smart Software Manager On-Prem software. Basefarm will not track this vulnerability further.

VMSA-2020-0003 vRealize Operations for Horizon Adapter updates address multiple security vulnerabilities (CVE-2020-3943, CVE-2020-3944, CVE-2020-3945)

Published by VMware: 2020-02-18
MITRE CVE-2020-3943

“vRealize Operations for Horizon Adapter uses a JMX RMI service which is not securely configured. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.0.”

“vRealize Operations for Horizon Adapter has an improper trust store configuration leading to authentication bypass. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6.”

“vRealize Operations for Horizon Adapter contains an information disclosure vulnerability due to incorrect pairing implementation between the vRealize Operations for Horizon Adapter and Horizon View. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.”

The issue has been evaluated by our VMware technicians and Basefarm has concluded that we do not use Horizon Adapter and our systems are therefor not affected by these vulnerabilities.

ThemeREX Addons – Remote Code Execution (0day, Being Exploited)

Published by Wordfence: 2020-02-18
No known CVE

“This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts.
This vulnerability has not yet been patched. We are only trying to get the word out so people can remove the plugin temporarily as the vulnerability is being actively exploited. ”

Basefarm considers this a Base CVSS Score: 9.8 (Critical) – there is no fix and it is currently being actively exploited.

Basefarm has done some initial investigations regarding the use of this WordPress Theme, but has not identified any customers or internal usage. Basefarm has decided not to track this vulnerability further internally, but want to make it visible by posting this vulnerability bulletin.

CVE-2020-0618 | Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability

Published by Microsoft: 02/11/2020
MITRE CVE-2020-0618

“A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. An attacker who successfully exploited this vulnerability could execute code in the context of the Report Server service account.”

There exists a proof of concept and write-up.

Basefarm considers this a Base CVSS Score: 9.8 (Critical) – but there exists an official fix from Microsoft, bringing the Temporal CVSS Score down to a 9.4 (Critical).

And we consider most of our users do not expose Microsoft SQL Server Reporting Service directly to the internet, so this CVSS Environmental Score can be lowered down to a 7.6 (High).

Per Basefarm Vulnerability process we still consider this a priority 1 (of 3) issue, and we will not wait until normal patch window to mitigate this issue. Internally we are tracking this progress in BF-VLN-1990987, registered 2020-02-18.

The State of Breach Protection 2020

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

“What are the key considerations security decision makers should take into account when designing their 2020 breach protection?”
1,536 cybersecurity professionals has been asked that question and many other security related questions in Cynet’s “The State of Breach Protection 2020″ survey.
The survey report will give a great insight into common practices, prioritizations and preferences of organization today in how their are protecting themselves from breaches.

Download the full survey report here

 

Top 5 Security News

EU privacy fines near £100m, but regulators are hungry for more

Iran-Linked PupyRAT backdoor used in recent attacks on European energy sector

250 Million Microsoft Customer Support Records Exposed Online

NIST’s new privacy rules – what you need to know

Cisco Warns of Critical Network Security Tool Flaw

Windows update

New year, new vulnerabilities

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

The year 2020 started of by throwing out a bunch of new vulnerabilities that needed fixing.
First it was the Citrix vulnerability in Application Delivery Controller and Gateway products, formerly known as netscaler. The vulnerability was technically was released in 2019 as CVE-2019-19781; and allowed an attacker to get arbitrary remote code execution trough a directory traversal. The exploit was really easy to pull of and only needed two web-requests to the gateway, and multiple POC was released early January leading to active exploitation in the wild. Citrix has not yet released a patch for the vulnerability, but instead released a way to mitigate the vulnerability by means of configuration. A patch is expected next week.

Then on Tuesday, 14th of January Microsoft released its monthly patches fixing a bunch of bugs and security issues. In this patch there were two critical vulnerabilities that warranted extra atention. One was dubbed “curveball” and is tracked as CVE-2020-0601. Curveball is a bug in the Windows crypto API(Crypt32.dll) and how Windows Elliptic Curve Cryptography (ECC). The vulnerability allows anyone to present a certificate, and windows will happily acknowledge it as a valid certificate even when it is no. This could let an attacker launch Man-in-the-middle attacks against HTTPS connections, present fake certificates for phishing pages and allow fake signed executables to be launched. The vulnerability affects Windows 10, and Windows server 20016 and later.

Another big one from this patch was the Microsoft RD gateway vulnerability tracked as CVE-2020-0609 allowing arbitrary remote code execution by sending a specially crafted request to the server over the RDP connection. By using this exploit an attacker could get full access to the server by means of installing software, create users with full access rights etc.

There were also multiple other other vulnerabilities fixed, such as CVE-2020-0603 is a critical remote code execution bug in ASP.NET Core allowing an attacker to execute code by getting a user to open a file, and CVE-2020-0636 (Windows Subsystem for Linux (WSL)) allowing a user to run commands with elevated privileges.

In other news, SHA-1 is a Shambles after the first chosen prefix collision for sha1 was done. This means that sha1 is considered unsafe to use for integrity checking as you can create two documents that are completely different, add extra data to make them the same length and then add some specific data to generate the same sha1-sum for both documents. SHA1 should now be avoided for integrity checking of data.

A total of 334 vulnerabilities was patched by Oracle this week, covering many widely used applications like MySQL, VirtualBox, Java and Oracle Database.

On a different note, Windows 7 and windows server 2008(r2) is now end of life as of January 14, and will not get any more security updates. Microsoft wil also up the fees for running these operation systems, so both from a economical and security standpoint it makes sense to upgrade now sooner than later.

To sum up this weeks security news, stay up to date with patching at all times. There is no excuse not to.

Security Software & Tools Tips – December 2019

In this monthly post, we try to make you aware of five different security-related products.
This is a repost from my personal website Ulyaoth

This month we have chosen for the following:
* Azure Arc
* CloudGuard Dome9
* Flan Scan
* Lynis
* Wapiti

Azure Arc

Information from the Azure Arc website:

Azure Arc extends management & security to any infrastructure.

Website:

https://azure.microsoft.com/en-us/services/azure-arc/

CloudGuard Dome9

Information from the CloudGuard Dome9 website:

The Dome9 Arc agentless SaaS platform delivers full visibility and control of security and compliance in AWS, Azure and Google Cloud environments. Minimize your attack surface and protect against vulnerabilities, identify theft and data loss.

Website:

https://dome9.com/

Flan Scan

Information from the Flan Scan website:

Flan Scan is a lightweight network vulnerability scanner. With Flan Scan you can easily find open ports on your network, identify services and their version, and get a list of relevant CVEs affecting your network.

Website:

https://github.com/cloudflare/flan

Lynis

Information from the Lynis website:

Lynis is a battle-tested security tool for systems running Linux, macOS, or Unix-based operating system. It performs an extensive health scan of your systems to support system hardening and compliance testing.

Website:

https://cisofy.com/lynis/

Wapiti

Information from the Wapiti website:

Wapiti is a vulnerability scanner for web applications. It currently search vulnerabilities like XSS, SQL and XPath injections, file inclusions, command execution, XXE injections, CRLF injections, Server Side Request Forgery, Open Redirects…

Website:

https://sourceforge.net/projects/wapiti/

Image by MasterTux from Pixabay

Ransomware

Threat Hunting or Efficiency: Pick Your EDR Path?

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Cybersecurity teams face a lot of conflicting objectives—both within their teams and from upper management. But a May 2019 commissioned study conducted by Forrester Consulting on behalf of McAfee really puts a fine point on it: When decision makers were asked which endpoint security goals and initiatives they’re prioritizing for the coming year, the top two responses were “improve security detection capabilities” (87%) and “increase efficiency in the SOC” (76%).

Read more

 

Top 5 Security News

5 scams to watch out for this shopping season

Dexphot Malware Hijacked 80K+ Devices to Mine Cryptocurrency

It’s Way Too Easy to Get a .gov Domain Name

A Cause You Care About Needs Your Cybersecurity Help

Google caught a state hacker crew uploading badness to the Play Store

white printing paper with numbers

Data leaks and breaches

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Today I want to take a look at data leaks and breaches as the last week has had quite a few of those. Unicef Norway had a database exposed to the internet (Paywall) without any form of authentication. Most of the data here was public data about people, but certain sensitive information such as address and phone numbers for people living in hiding, prominent people in the public and young children could be found. Singapore Accountancy Commission (SAC) had a folder containing 6,541 accountants data in sent to multiple parties in a security mishap, that was not discovered until months later.
T-mobile in the United states also suffered a data-breach towards some of its prepaid customers. According to T-mobile no sensitive data was stolen, but they still urged affected customers to change their PIN number and account passwords.

 

Top 5 Security News

Thousands of hacked Disney+ accounts are already for sale on hacking forums

Google Discloses Android Camera Hijack Hack

Twitter will finally let users disable SMS as default 2FA method

French hospital contracts 6,000 PC-locking ransomware infection

AccorHotels subsidiary Gekko Group exposes hotels and travelers data in massive data leak