Ajay Verma 09:29
Severity Rating: HIGH

Software Affected

Microsoft Lync Server 2013
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2019
Skype for Business Server 2015 CU 8
Skype for Business Server 2019 CU2
Overview

Elevation of privilege vulnerability has been reported in Microsoft
SharePoint Server and Skype for Business Server, which could allow an
attacker to gain elevated privileges, bypass security restrictions and
execute arbitrary code on the targeted system.

Description

This vulnerability exists in Microsoft SharePoint Server and Skype for
Business Server due to improper handling of the OAuth token validation. A
remote attacker could exploit this vulnerability by alter the token.  

Successful exploitation of this vulnerability could allow the attacker to
gain elevated privileges and bypass authentication of the targeted system.

Solution

Apply appropriate fix as mentioned in Microsoft Security Advisory 


Vendor Information

Microsoft

References

Microsoft
- -1025

CVE Name
CVE-2020-1025

Read more [..]

Ajay Verma 09:28
Virus Type: Ransomware

It is reported that the ransomware named "CLOP" is active in attacking
organizations/institutions across the globe. Post compromise this
ransomware leaks information if negotiation deal of ransom fails. Recently
the threat actors behind Clop have stolen and encrypted the sensitive
information of various organizations and after failure of ransom payment,
the stolen information was leaked on their "CL0P^_- LEAKS" data leak
site, hosted on dark web. The leaked information includes data backups,
financial records, thousands of emails and vouchers etc. 

After encryption CLOP ransomware appends ".Clop" extension in each file
and generates a text file "ClopReadMe.txt" containing ransom note in each
folder. CLOP ransomware uses RSA (Rivest-Shamir-Adleman) encryption
algorithm and generated keys are stored on a remote server controlled by
Clop operators.


Updated versions of Clop have tried to expand their attack vectors through
disabling and removing local security solutions such as Windows Defender
and Microsoft Security Essentials etc. This ransomware has capability of
installing additional password stealing Trojans and other malware
infections.


In most cases, Clop is distributed via fake software updates, trojans,
cracks, unofficial software download sources, and spam emails. In the
recent attack on an Indian conglomerate, it is suspected that the bug
(CVE-2019-19781) in the Citrix Netscaler ADC VPN gateway was utilized to
carry out the attack. Unfortunately, as of now no decryptor tool is
available for Clop ransomware. 

Indicators of compromise: 

Hashes:

6d115ae4c32d01a073185df95d3441d51065340ead1eada0efda6975214d1920
6d8d5aac7ffda33caa1addcdc0d4e801de40cb437cf45cface5350710cde2a74
70f42cc9fca43dc1fdfa584b37ecbc81761fb996cb358b6f569d734fa8cce4e3
a5f82f3ad0800bfb9d00a90770c852fb34c82ecb80627be2d950e198d0ad6e8b
85b71784734705f6119cdb59b1122ce721895662a6d98bb01e82de7a4f37a188 (unpacked)
2ceeedd2f389c6118b4e0a02a535ebb142d81d35f38cab9a3099b915b5c274cb
00e815ade8f3ad89a7726da8edd168df13f96ccb6c3daaf995aa9428bfb9ecf1
0d19f60423cb2128555e831dc340152f9588c99f3e47d64f0bb4206a6213d579
408af0af7419f67d396f754f01d4757ea89355ad19f71942f8d44c0d5515eec8
7e91ff12d3f26982473c38a3ae99bfaf0b2966e85046ebed09709b6af797ef66
a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02
Emails:

servicedigilogos@protonmail[d0t]com
managersmaers@tutanota[d0t]com
unlock@eqaltech[d0t]su
unlock@royalmail[d0t]su
unlock@goldenbay[d0t]su
unlock@graylegion[d0t]su
kensgilbomet@protonmail[d0t]com
Files Detection/aliases:

Ransom.Win32.CLOP.D
Ransom.Win32.CLOP.D
Ransom.Win32.CLOP.F
Ransom.Win32.CLOP.F.note
Ransom.Win32.CLOP.M
Ransom.Win32.CLOP.THBAAAI
Trojan.BAT.CLOP.A
Trojan.BAT.CLOP.A.component
Trojan.Win32.CLOP.A.note
For detailed IOC (Hashes, Files etc), please refer the links provide in
references.

Countermeasures and Best practices for prevention:

Do not download and install applications from untrusted sources [offered
via unknown websites/ links on unscrupulous messages]. Install applications
downloaded from reputed application market only.
Update software and operating systems with the latest patches. Outdated
applications and operating systems are the targets of most attacks.
Don't open attachments in unsolicited e-mails, even if they come from
people in your contact list, and never click on a URL contained in an
unsolicited e-mail, even if the link seems benign. In cases of genuine URLs
close out the e-mail and go to the organization's website directly through
browser.
Install ad blockers to combat exploit kits such as Fallout that are
distributed via malicious advertising.
Prohibit external FTP connections and blacklist downloads of known
offensive security tools.
All operating systems and applications should be kept updated on a regular
basis. Virtual patching can be considered for protecting legacy systems and
networks. This measure hinders cybercriminals from gaining easy access to
any system through vulnerabilities in outdated applications and software.
Avoid applying updates / patches available in any unofficial channel.
Restrict execution of Power shell /WSCRIPT in an enterprise environment.
Ensure installation and use of the latest version of PowerShell, with
enhanced logging enabled. Script block logging and transcription enabled.
Send the associated logs to a centralized log repository for monitoring and
analysis.
ml
Establish a Sender Policy Framework (SPF) for your domain, which is an
email validation system designed to prevent spam by detecting email
spoofing by which most of the ransomware samples successfully reaches the
corporate email boxes.
Application whitelisting/Strict implementation of Software Restriction
Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths.
Ransomware sample drops and executes generally from these locations.
Users are advised to disable their RDP if not in use, if required, it
should be placed behind the firewall and users are to bind with proper
policies while using the RDP.
Block the attachments of file types,
exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
Consider encrypting the confidential data as the ransomware generally
targets common file types.
Perform regular backups of all critical information to limit the impact of
data or system loss and to help expedite the recovery process. Ideally,
this data should be kept on a separate device, and backups should be stored
offline.
Network segmentation and segregation into security zones - help protect
sensitive information and critical services. Separate administrative
network from business processes with physical controls and Virtual Local
Area Networks.
References

on
dian-conglomerate-fbecf72a
p.md
Read more [..]

Ajay Verma 09:28
Severity Rating: HIGH

Software Affected

WebSphere Application Server 9.0
WebSphere Application Server 8.5
WebSphere Application Server 8.0
WebSphere Application Server 7.0
Overview

A Remote code execution vulnerability was reported in IBM Web Sphere
Application Server which could allow a remote attacker to execute arbitrary
code on the target system.

Description

The vulnerability exists in IBM Web Sphere Application Server due to
improper validation of user-supplied input. A remote attacker could exploit
this vulnerability by executing a specially-crafted sequence of serialized
objects over the SOAP connector. 

Successful exploitation of this vulnerability could allow the attacker to
execute arbitrary code on the target system.

Solution

Apply appropriate patches as mentioned in the below link: 


Vendor Information

IBM

References

IBM
erver-vulnerable-remote-code-execution-vulnerability-cve-2020-4464

CVE Name
CVE-2020-4464
Read more [..]

Ajay Verma 09:27
Severity Rating: HIGH

Software Affected

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core
installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
Overview

A remote code execution vulnerability has been reported in Microsoft
Windows, which could allow an attacker to gain the same user rights as the
local user.

Description

This vulnerability exists in Microsoft Windows due to incorrect processing
of the ".LNK" file. An attacker could exploit this vulnerability by
presenting to the user a removable drive, or remote share, that contains a
malicious ".LNK" file and an associated malicious binary. When the user
opens this removable drive (or remote share) in Windows Explorer, or any
other application that parses the ".LNK" file, the malicious code will be
executed by the associated binary on the target system. 

Successful exploitation of this vulnerability would allow to gain same user
rights as the local user.

Solution

Apply appropriate fix as mentioned in Microsoft Security Advisory 


Vendor Information

Microsoft

References

Microsoft
- -1421

CVE Name
CVE-2020-1421
Read more [..]

Ajay Verma 09:27
Virus Type: Ransomware

It has been reported that a new ransomware, named "Conti ransomware" is
spreading. In its infection stages, threat actors breach the corporate
networks and spread laterally to acquire domain administration privilege
for deploying ransomware. The coding pattern of Conti appears similar to
erstwhile "Ryuk ransomware" version 2 and ransomware note used is also same
as Ryuk had dropped in its earlier attacks. Moreover, the same TrickBot
infrastructure is utilized by both Ryuk and Conti threat actors as part
attacking mechanism. Conti is a human-operated ransomware designed to be
directly controlled by its operator rather than execute automatically by
itself. 

Infection mechanism: 

When starts, Conti executes 146 commands focused on stopping potential
Windows services related to security, backup, database and email solutions.
Then it deletes the Volume Shadow Copies in a unique way and begins
encryption. The ransomware appends the .CONTI extension to encrypted files
and drop a ransom note named CONTI_README.txt in each folder.


When encrypting data, the ransomware uses a unique AES-256 encryption key
per file, which is then encrypted with a bundled RSA-4096 public encryption
key (unique per victim).


Conti ransomware is also special in its selection of encryption targets
that could be local hard drive or network shares, even specific, targeted,
IP addresses via a command-line client. It can be configured to skip
encrypting files on local drives and encrypt data on networked SMB shares.
This may lead to targeted damage and may cause destruction limited to
shares of a server that has no internet capability making it likely
unnoticeable for days or weeks. 

It also supports an "--encrypt_mode" argument to upgrade its encryption
strength. When using "-encrypt_mode local," only the local drives are
encrypted, and when using the "-encrypt_mode network," only the network
shares are encrypted. 

Another notable feature of Conti ransomware is that it utilizes a large no.
of concurrent CPU thread, namely 32 threads for encrypting different files
simultaneously with a very fast speed. However due to this, CPU and disk
utilization goes up causing of machine become sluggish and may serve as an
alarming situation for a user.


Another feature observed that its code abusing "Windows Restart Manager" -
the Windows component that unlocks files before performing an OS restart.
Conti utilizes this component to unlock and shut down app processes so it
can encrypt their respective data. This technique can be phenomenal on
Windows servers where sensitive data is usually managed by a database and
almost always up and running. 

IOC: 

Associated emails:

flapalinta1950@protonmail[dot]com
xersami@protonmail[dot]com
For Metadata for the Conti malware sample, AES-256 public key used for
encryption and another detailed IOC please refer the URL:

Countermeasures and Best practices for prevention:

Users are advised to disable their RDP if not in use, if required, it
should be placed behind the firewall and users are to bind with proper
policies while using the RDP.
All operating systems and applications should be kept updated on a regular
basis. Virtual patching can be considered for protecting legacy systems and
networks. This measure hinders cybercriminals from gaining easy access to
any system through vulnerabilities in outdated applications and software.
Avoid applying updates / patches available in any unofficial channel.
Restrict execution of Power shell /WSCRIPT in an enterprise environment.
Ensure installation and use of the latest version of PowerShell, with
enhanced logging enabled. Script block logging and transcription enabled.
Send the associated logs to a centralized log repository for monitoring and
analysis.
ml
Establish a Sender Policy Framework (SPF) for your domain, which is an
email validation system designed to prevent spam by detecting email
spoofing by which most of the ransomware samples successfully reaches the
corporate email boxes.
Application whitelisting/Strict implementation of Software Restriction
Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths.
Ransomware sample drops and executes generally from these locations.
Don't open attachments in unsolicited e-mails, even if they come from
people in your contact list, and never click on a URL contained in an
unsolicited e-mail, even if the link seems benign. In cases of genuine URLs
close out the e-mail and go to the organization's website directly through
browser.
Block the attachments of file types,
exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
Consider encrypting the confidential data as the ransomware generally
targets common file types.
Perform regular backups of all critical information to limit the impact of
data or system loss and to help expedite the recovery process. Ideally,
this data should be kept on a separate device, and backups should be stored
offline.
Network segmentation and segregation into security zones - help protect
sensitive information and critical services. Separate administrative
network from business processes with physical controls and Virtual Local
Area Networks.
Install ad blockers to combat exploit kits such as Fallout that are
distributed via malicious advertising.
References

- -of-being-ryuks-successor/
eads-for-blazing-fast-encryption/
Read more [..]

Ajay Verma 09:26
Severity Rating: High

Software Affected

·         JBoss Enterprise Application Platform 7.3 for RHEL 8 x86_64

·         JBoss Enterprise Application Platform 7.3 for RHEL 7 x86_64

·         JBoss Enterprise Application Platform 7.3 for RHEL 6 x86_64

·         JBoss Enterprise Application Platform 6.4 for RHEL 7 x86_64

·         JBoss Enterprise Application Platform 6.4 for RHEL 6 x86_64

·         JBoss Enterprise Application Platform 6 for RHEL 7 x86_64

·         JBoss Enterprise Application Platform 6 for RHEL 6 x86_64

·         Keycloak versions prior to 11.0.0



Overview

A vulnerability has been reported in Red Hat JBoss Enterprise Application
Platform which could be exploited by a remote attacker to execute arbitrary
code on the target system.

Description

This vulnerability exists in Keycloak in Red Hat JBoss Enterprise
Application Platform due to lack of checks in ObjectInputStream, A remote
attacker could exploit this vulnerability by injecting crafted serialized
Java Objects resulting in deserialization in a privileged context.



Successful exploitation of this vulnerability could allow the attacker to
execute arbitrary code on the target system.



Solution

Apply appropriate updates as mentioned in the vendor advisory




Vendor Information

Red Hat





References

Red Hat





CVE Name

CVE-2020-1714
Read more [..]

Ajay Verma 09:26
Severity Rating: High

Software Affected

·         Apple iOS and iPadOS versions prior to 13.6

Overview

Multiple vulnerabilities have been reported in Apple iOS and iPadOS which
could allow a remote attacker to execute arbitrary code with kernel
privileges, cause denial of service conditions, access sensitive
information, bypass security restrictions, hijack VPN connections or
perform cross site scripting attacks on a targeted system.

Description

Multiple vulnerabilities exist in Apple iOS and iPadOS due to out-of-bounds
read and write errors, multiple memory corruption issues, improper input
validation, improper state management, improper access restrictions,
insufficient verification and checks, buffer overflow error, use after free
error, improper escaping and other logical errors in Audio,
AVEVideoEncoder, Bluetooth, CoreFoundation, Crash Reporter, GeoServices,
iAP, ImageIO, Kernel, Mail, Messages, Model I/O, Safari Login AutoFill,
Safari Reader, WebKit, WebKit Page Loading, WebKit Web Inspector and Wi-Fi
components of the software.

Successful exploitation of these vulnerabilities could allow the attacker
to execute arbitrary code with kernel privileges, cause denial of service
conditions, access sensitive information, bypass security restrictions,
hijack VPN connections or perform cross site scripting attacks on the
targeted system. 


Solution          

Apply appropriate updates mentioned in the Apple security updates

Vendor Information

Apple


References

CISecurity

cts-could-allow-for-arbitrary-code-execution_2020-098/



CVE Name

CVE-2020-9888
CVE-2020-9889
CVE-2020-9890

CVE-2020-9891

CVE-2020-9907

CVE-2020-9931

CVE-2020-9934

CVE-2020-9865

CVE-2020-9933

CVE-2020-9914

CVE-2020-9936

CVE-2020-9923

CVE-2019-14899

CVE-2020-9909

CVE-2019-19906

CVE-2020-9885

CVE-2020-9878

CVE-2020-9903

CVE-2020-9911

CVE-2020-9894

CVE-2020-9915

CVE-2020-9893

CVE-2020-9895

CVE-2020-9925

CVE-2020-9910

CVE-2020-9916

CVE-2020-9862

CVE-2020-9918

CVE-2020-9917

Read more [..]

Ajay Verma 09:25
Severity Rating: High



Software Affected

·         Mozilla Thunderbird versions prior to 78



Overview



Multiple vulnerabilities have been reported in Mozilla Thunderbird which
could allow a remote attacker to execute arbitrary code, access sensitive
information, bypass security restrictions or perform other unauthorized
activities on a targeted system.



Description



AppCache manifest poisoning ( CVE-2020-12415 )



This vulnerability exists in Mozilla Thunderbird due to improper processing
of AppCache manifest URL.

Successful exploitation of this vulnerability could cause the AppCache to
be used for servicing requests for the top level directory.



Use after free errors ( CVE-2020-12416  CVE-2020-12419  CVE-2020-12420 )

These vulnerabilities exist in Mozilla Thunderbird due to use-after free
errors in WebRTC VideoBroadcaster, nsGlobalWindowInner and when attempting
connection to a STUN server.

Successful exploitation of these vulnerabilities could allow a remote
attacker to execute arbitrary code on a targeted system.



Memory corruption ( CVE-2020-12417 )

This vulnerability exists in Mozilla Thunderbird due to missing
sign-extension for ValueTags on ARM64.

Successful exploitation of this vulnerability could allow a remote attacker
to execute arbitrary code on a targeted system.



Information disclosure ( CVE-2020-12418 )

This vulnerability exists in Mozilla Thunderbird due improper processing of
crafted URL object.

Successful exploitation of this vulnerability could allow a remote attacker
to disclose process memory on a targeted system by causing an out-of-bounds
read.



X-Frame-Options bypass ( CVE-2020-15648 )

This vulnerability exists in Mozilla Thunderbird due to a logical error
related to X-Frame-Options.

Successful exploitation of this vulnerability could allow bypassing of
X-Frame-Options restrictions.



Side channel attack ( CVE-2020-12402 )

This vulnerability exists in Mozilla Thunderbird due to improper algorithm
implementation for RSA key generation.

Successful exploitation of this vulnerability could allow a remote attacker
to obtain sensitive information on a targeted system by performing side
channel attacks



Improper Certificate Validation ( CVE-2020-12421 )



This vulnerability exists in Mozilla Thunderbird due to a logical error
related to certificate trust rules.

The vulnerability could cause add-ons to become out-of-date silently
without notification to the user.



Integer Overflow ( CVE-2020-12422 )



This vulnerability exists in Mozilla Thunderbird due to an Integer overflow
error in nsJPEGEncoder::emptyOutputBuffer.

Successful exploitation of this vulnerability could allow a remote attacker
to execute arbitrary code on a targeted system.



DLL Hijacking ( CVE-2020-12423 )



This vulnerability exists in Mozilla Thunderbird due to potential loading
of "webauthn.dll" from non-default path.

Successful exploitation of this vulnerability could allow a local attacker
to execute arbitrary code on a targeted system.



Security Control Bypass ( CVE-2020-12424 )



This vulnerability exists in Mozilla Thunderbird due to a logical error
related to permission prompt for WebRTC.

Successful exploitation of this vulnerability could allow a remote attacker
to bypass security controls on a targeted system.



Out-of-bounds read ( CVE-2020-12425 )



This vulnerability exists in Mozilla Thunderbird due to a one byte
Out-of-bounds read error in Date.parse().

Successful exploitation of this vulnerability could allow a remote attacker
to obtain sensitive information on a targeted system.



Memory Corruption ( CVE-2020-12426 )



This vulnerability exists in Mozilla Thunderbird due to memory safety bugs.

Successful exploitation of this vulnerability could allow a remote attacker
to execute arbitrary code on a targeted system.





Solution



Update to Mozilla Thunderbird version 78





Vendor Information



Mozilla






References



Vulmon



















CVE Name



CVE-2020-12415

CVE-2020-12416

CVE-2020-12417

CVE-2020-12418

CVE-2020-12419

CVE-2020-12420

CVE-2020-15648

CVE-2020-12402

CVE-2020-12421

CVE-2020-12422

CVE-2020-12423

CVE-2020-12424

CVE-2020-12425

CVE-2020-12426

Read more [..]

Ajay Verma 09:25
Severity Rating: Critical

Software Affected

•    Microsoft 365 Apps for Enterprise for 32-bit and 64-bit Systems

•    Microsoft Office 2019 for 32-bit and 64-bit editions

•    Microsoft Outlook 2010 Service Pack 2 (32-bit and 64-bit editions)

•    Microsoft Outlook 2013 RT Service Pack 1

•    Microsoft Outlook 2013 Service Pack 1 (32-bit and 64-bit editions)

•    Microsoft Outlook 2016 (32-bit and 64- bit edition)

•    Microsoft SharePoint Enterprise Server 2013 Service Pack 1

•    Microsoft SharePoint Enterprise Server 2016

•    Microsoft SharePoint Foundation 2013 Service Pack 1

•    Microsoft SharePoint Server 2010 Service Pack 2

•    Microsoft SharePoint Server 2019





Overview

Multiple vulnerabilities have been reported in Microsoft products, which
could allow an attacker to execute arbitrary code remotely,



Description



1.     Microsoft Outlook Remote Code Execution Vulnerability
(CVE-2020-1349)



This vulnerability exists in Microsoft Outlook software due to improper
handling of objects in memory. An attacker could exploit this vulnerability
by convincing the user to open a specially crafted file.



Successful exploitation of this vulnerability could allow the attacker to
execute a process with the same permissions as the current user.



2.     PerformancePoint Services Remote Code Execution Vulnerability
(CVE-2020-1439)



This vulnerability exists in PerformancePoint Services for SharePoint
Server due to its failure to check the source markup of XML file input. An
attacker could exploit this vulnerability by uploading a specially crafted
document to the victim server.



Successful exploitation of these vulnerability could allow the attacker to
execute arbitrary code in the context of the process responsible for
deserialization of the XML content on the vulnerable system.







Solution

Apply appropriate fix as mentioned in Microsoft Security Advisory






Vendor Information

Microsoft




References



Microsoft



- -1349 
- -1439



CVE Name



CVE-2020-1349

CVE-2020-1439

Read more [..]

Ajay Verma 09:24
Severity Rating: High

Software Affected

·         RV110W Wireless-N VPN Firewall: 1.2.2.8 and prior

·         RV130 VPN Router

·         RV130W Wireless-N Multifunction VPN Router

·         RV215W Wireless-N VPN Router: 1.3.1.7 and prior

·         Cisco PLM: 10.5(2)SU9 and prior

·         Cisco PLM: 11.5(1)SU6 and prior



Overview

Multiple vulnerabilities have been reported in Cisco Small Business RV110W
, RV130, RV130W Wireless-N Multifunction VPN Router, RV215W Wireless-N VPN
Firewall Routers and Cisco Prime License Manager could allow a remote
attacker to execute arbitrary code, bypass authentication and gain full
access control on the targeted system.

Description

1.   Default Credential Vulnerability (CVE-2020-3330)



This Vulnerability exists in the Cisco Small Business RV110W Wireless-N VPN
Firewall Routers due to system account has a default and static password.
An attacker could exploit this vulnerability using this default account to
connect to the affected system by using this default account to connect to
an affected device.

Successful exploitation of this vulnerability could allow the attacker to
gain full control of the affected device.



2.   Remote Command Execution Vulnerability (CVE-2020-3323)



This Vulnerability exists in the Cisco Small Business RV110W, RV130,
RV130W, and RV215W Routers due to improper validation of user-supplied
input in the web-based management interface. An attacker could exploit this
vulnerability by sending crafted HTTP requests to an affected device.

Successful exploitation of this vulnerability could allow the attacker to
execute arbitrary code as the root user on the affected device.



3.       Authentication Bypass Vulnerability (CVE-2020-3144)



This Vulnerability exists in the Cisco RV110W Wireless-N VPN Firewall,
RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W
Wireless-N VPN Router due to improper session management on the affected
devices. An attacker could exploit this vulnerability by sending a crafted
HTTP request to an affected device.

Successful exploitation of this vulnerability could allow the attacker to
gain administrative access of the affected device.



4.   Arbitrary Code Execution Vulnerability (CVE-2020-3331)



This Vulnerability exists in the Cisco RV110W Wireless-N VPN Firewall and
Cisco RV215W Wireless-N VPN Router due to improper validation of
user-supplied input data by the web-based management interface. An attacker
could exploit this vulnerability by sending crafted requests to an affected
device.

Successful exploitation of this vulnerability could allow the attacker to
execute arbitrary code with the privileges of the affected device.



5.       Privilege Escalation Vulnerability (CVE-2020-3140)



This Vulnerability exists in the Cisco Prime License Manager (PLM) Software
due to insufficient validation of user input on the web management
interface. An attacker could exploit this vulnerability by submitting a
malicious request to an affected system.


Successful exploitation of this vulnerability could allow the attacker to
gain administrative-level privileges on the system.



Solution

Apply appropriate updates as mentioned in:

- -sa-rv110w-static-cred-BMTWBWTy

- -sa-rv-rce-AQKREqp

- -sa-rv-auth-bypass-cGv9EruZ

- -sa-code-exec-wH3BNFb

- -sa-cisco-prime-priv-esc-HyhwdzBA



Vendor Information

Cisco

- -sa-rv110w-static-cred-BMTWBWTy

- -sa-rv-rce-AQKREqp

- -sa-rv-auth-bypass-cGv9EruZ

- -sa-code-exec-wH3BNFb

- -sa-cisco-prime-priv-esc-HyhwdzBA

References

Cisco

- -sa-rv110w-static-cred-BMTWBWTy

- -sa-rv-rce-AQKREqp

- -sa-rv-auth-bypass-cGv9EruZ

- -sa-code-exec-wH3BNFb

- -sa-cisco-prime-priv-esc-HyhwdzBA



CVE Name

CVE-2020-3140

CVE-2020-3144

CVE-2020-3323

CVE-2020-3330

CVE-2020-3331
Read more [..]

Ajay Verma 09:24
Severity Rating: HIGH

Software Affected

Google Chrome versions prior to 84.0.4147.89
Overview

Multiple vulnerabilities have been reported in Google Chrome could allow a
remote attacker to execute arbitrary code, bypass security restrictions,
access sensitive information, conduct spoofing attack and denial of
service(DoS) on the targeted system.

Description

These vulnerabilities exist in Google Chrome due to heap buffer overflow,
side-channel information leakage, type confusion, inappropriate
implementation in WebRTC, use after free, policy bypass, out of bounds
write, insufficient policy enforcement, incorrect security UI, out of
bounds memory access and insufficient data validation. A remote attacker
could exploit these vulnerabilities by creating a specially crafted webpage
on the targeted system. 

Successful exploitation of these vulnerabilities could allow the attacker
to execute arbitrary code, bypass security restrictions, access sensitive
information, conduct spoofing attack and denial of service(DoS) on the
targeted system.

Solution

Upgrade to Google Chrome 84.0.4147.89
Vendor Information

Google Chrome
ktop.html

References

Google Chrome
ktop.html

CVE Name
CVE-2020-6510
CVE-2020-6511
CVE-2020-6512
CVE-2020-6513
CVE-2020-6514
CVE-2020-6515
CVE-2020-6516
CVE-2020-6517
CVE-2020-6518
CVE-2020-6519
CVE-2020-6520
CVE-2020-6521
CVE-2020-6522
CVE-2020-6523
CVE-2020-6524
CVE-2020-6525
CVE-2020-6526
CVE-2020-6527
CVE-2020-6528
CVE-2020-6529
CVE-2020-6530
CVE-2020-6531
CVE-2020-6533
CVE-2020-6534
CVE-2020-6535
CVE-2020-6536

Read more [..]

Ajay Verma 09:20
It has been reported that Fireeye Inc! has reportedly been targeted by a
cyber-attack which has resulted in the theft of their red-team /
penetration testing tools.The attack campaign is reportedly attributed to a
highly sophisticated actor employing novel techniques to gain
access.Details of tools stolen in this cyber breach are provided below:-

AdPassHunt:- credential stealer tool that hunts Active Directory
credentials.

590bd7609edf9ea8dab0b5fbc38393a870b329de
29385446751ddbca27c26c43015be7ab0d548b895531fba9b03d612e53bd9ff0
Beacon:- used for several goals, such as persistence, execution, privilege
escalation, credential dumping, lateral movement etc.

03a8efce7fcd5b459adf3426166b8bda56f8d8439c070b620bccb85a283295f4
e4dd5fc22ff3e9b0fa1f5b7b65fb5dfeac24aab741eee8a7af93f397b5720f4a
d011a846badec24a48a50d1ab50f57d356b9dd520408cbb3361182f6f0489a1e
0a566a0ddbaf9975221fe842b9b77c4a8b5d71bb2c33e0a46da26deec90dcbea
61cd1311d2e4663b86b5a70c2aafd5af6b247a6ebf407170296e37aaf8c69392
Beltalowda:- used for conducting variety of security-oriented checks on
victim machine.

d80b7a31d68b5f483073ff7af0984c1090f6a493f84db7d3a301e3e35fdb4a56
7b7cbb1a62faf7e7a9ee1d0254c5681779b61abd3c9763b6588857c14cccdd9b
8f991317f1473fa8af3c3d6ade2551ddac01425db6e7b0c718b81c324c43730d
1d841ff51f8b5b08d7b4752cd498108d4b3f82864257dbd8e35b097c766f9e24
29054e2cad080a61db11a61791206ea939cbf79abee71c44fa0e7603dd168840
dea11a5bc6ff271e40e477d1645bdeb19454bdd8eac077e598ca56ee885fc06e
b89158aeac0e98f7cc2a6c3040ad2f57093bdb9064eab2c585c1250d5efa850e
00d1726e2ba77c4bed66a6c5c7f1a743cf7bb480deff15f034d67cf72d558c83
5cacbf4e84027cb3c0ec55940dddee6f4d368aae778d635003cb3013b547ede0
bb939544ac109ca674ee9de4d8b292f9b117c9c676ddab61d15a6e219ad3986c
Rubeus, Fluffy:- used to Steal or Forge Kerberos Tickets.

8bebf19d54c749560301eaada2e92eb240501b8c
a729d51f3deff5065e4978df2f88517d26e0d5db542c9cf8501a4206d8d2432c
9758688dd18db6ec86c4835d9ba67b5e209c32c81981dc69d705670f8b95d5e6
0340043481091d92dcfb2c498aad3c0afca2fd208ef896f65af790cc147f8891
76faeb790d1c1aa5fd3473f86f602b371682415368ddd553ebc60eb3c7683f7f
0097d59dc02cbac14df25ef05fc6d75f835d1db68f760d71fa4a0a57d9960606
c74352729dd49829f5e398a7fc7dd033d9e4aba3d93162c4fbcbe394cc31c3d4
9c6a910a047e29e07b4015866dc05e00829b888a86d1d357ed49652a9b73f1b6
6c1829be1c49c04b956b431386c389a6bf83327a5e7e68ff453103820ad4464d
817867c23a7bf47e99c93201f99f5eb805396327765aa76338c5f9e0c89eac4a
65044ea9fea1e34042adf3ff5e5fb17fc021ba4b0775415fad2465558a782c5e
G2JS:- used for automating Microsoft Windows Script Host (WSH) scripts
weaponization.

dcce258cc818febe2b888c8eee42aa95393b2fb4f1f2406330840ab8ad5c7d50
A3a8dedf82741a1997b17a44fbb1e5712ba3a5db11146519cf39281def9329a7
eed9402cb6fdc047b12f67493ba10970155a00086918eaad9542ab24096cc715
398afc4c33e00b26466abb87668e33be766dbbf4c493fe04d180a14d14a32fa3
da3bdb6b9348a8d9328e669c744d0f21a83937c31894245e3157121342efe52c
cdabbe815b7aafa94469b97fa3665137c4d5b2da4fdd7648ba2851cf2df214fc
f8c8bb2ac03cc2a037ddde4ad175aa05aa80277483fcdac42627fbdcc36f64ba
fd2e546faed7426c448d1a11d8e1d4b8a06b5148c9c8dfa780338fac2ab53c5b
0b8eab0a1961c52c141ac058c11e070d724d600cf903f2457c8ed189e7aae047
117b9c9127beaf2e3ce7837c5e313084fd3926f1ebf1a77563149e08347cb029


InveighZero:- used for man in middle attack like LLMNR/NBT-NS Poisoning and
SMB Relay.

78fafeb22bf31de02a4b56114e86dcc3394e382658a5c95b1a302d3d8794718d
2728c46f4fcf62f3faee72be30f1dd75528391b0d70da302544f5282 d58c931b
715b415647f33937b39aa072001bfb9857a4bea884d009cbe0c27f1422b9f55b
452c6651e79d9f69a55e711c0b4d70eb2b1aaac206b8a274e45d22f9d7cafd2c
50c4f46e43d30c9520be35e294ef98d81f81d60602cd659367bbcf6a91766c0f
a66f3a9ddf9343aeed40276c1abfc485f089050074a03801cd9a16787a39c6bf
0c080548e15e7f377baed2a550d48a555e6150d969f7f4b8244c3b3a50afb858
KeeFarce:- used for extracting password from memory.

5ea9a04284157081bd5999e8be96dda8fac594ba72955adacb6fa48bdf866434
PuppyHound:- used as data collector.

23490f7ac40b6b15c228ed8f8e9122d460469aa4025ed7008660e4310ef7e70f
a7240d8a7aee872c08b915a58976a1ddee2ff5a8a679f78ec1c7 cf528f40deed
5fabe36fb1da700a1c418e184c2e5332fe2f8c575c6148bdac360f69f91be6c2
7b0a7e5d344f8ffa1a097cd9e658ecaa551fd84cfcc92a5fe46f9965661662cc
e9e646a9dba31a8e3debf4202ed34b0b22c483f1aca75ffa43e684cb417837fa
a07002c5d7712e751dfbcab1f05190793eb417b693b61f8ba0750fa15f88f61b
0d9fbc16c6f316d8ee1b9ff47b300c24a1964fdfc3990b680d05dab5e1905d9f
ee72671628902e2cd75fde74b7926355b39d1ab50be0aa8bc06e8f06344fc22c
36d4e69106bc8530d7923442d1929558b876f7f10545316623ae3db1b93ec584
e333444d815055181402f5fdbf60a62c4545e64f3e382c7685b47b7b5a6c27e8
SafetyKatz:- used for credential dumping.

2b3cab071ca6f104377a7684eb586150fdec11df2dc8cebcb468f57a82f10c73
89a456943cf6d2b3cd9cdc44f13a23640575435ed49fa754f7ed35 8c1a3b6ba9
3547d857af012c643a75bd3c1d3226c98e8181dc6e92872eb0746b26f6cc1a09
d1d3b00e8be37b30abfe2ff2aca90073ae517a27635a9fbb2e222981cf1ae817
796f70f7e01257c5b79e398851c836e915f6518e1e3ecd07bcd29233cf78f13d
bcf1857fe1eb566c0dbd032f7ec186bc1a31895861ac36887ad034501794fd00
4542ebba83ef6e16db6dc30383614bf52cb7c3f2fbd1577de10f02d6bf7dfc50
291a6968a3f7f2092c656d0275c604182d6f7ee7b813460aeb8b28c06d804b5e
b0a55532654bbfd0aafa59dfe26b576a095d9ac4a4af2f99bca442a1d87ce29b
27dd261ad7f3ad7d782625c2a459caf6ae81109ffe8f830b68b154f02d578658
Dtrim:- used as credential dumping, Process injection.

SharpZeroLogon:- used the exploit for the Zero logon vulnerability
(CVE-2020-1472) 

NoAmci:- used to bypass AMSI (Windows Antimalware Scan Interface)
detection. 

NetAssemblyInject:- used to inject C# .NET assemblies into arbitrary
Windows process. 

ImpacketObf:- used for working with network protocols. 

In addition to the red-team tools, the leaked list contains payload
exploits leveraging the listed below vulnerabilities:- 
CVE-2014-1812:- Privilege escalation in Microsoft Windows Vista SP2,
Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1,
and Windows Server 2012
CVE-2016-0167:- Privilege escalation in Microsoft Windows
CVE-2017-11774: Remote Code Execution in Microsoft Outlook 
CVE-2018- 13379:- Pre-authorization Arbitrary File Read in Fortigate SSL
VPN 
CVE-2018-15961:- Remote Code Execution in Adobe ColdFusion
CVE-2019-0604:- Remote Code Execution in Microsoft Share point
CVE-2019-0708:- Remote Code Execution in Windows Remote Desktop Services
(RDS)
CVE-2019-11580:- Remote Code Execution in Atlassian Crowd 
CVE-2019-19781:- Remote Code Execution in Citrix Application Delivery
Controller and Citrix Gateway
CVE-2019-3398:- Authenticated Remote Code Execution in Confluence
CVE-2019-8394:- Pre-authorization Arbitrary File Upload in ZoHo Manage
Engine Service Desk Plus
CVE-2020-0688:- Remote Code Execution in Microsoft Exchange
CVE-2020-1472:- Privilege Escalation in Microsoft Active Directory
CVE-2018-8581:- Privilege Escalation in Microsoft Exchange Server
CVE-2020-10189:- Remote Code Execution in ZoHo Manage Engine Desktop
Central

Recommendations and Countermeasures

Assess systems against aforementioned vulnerabilities [using vulnerability
scanning and monitoring tools] and apply appropriate patches / upgrade to
recent stable versions.
FireEye also released a repository of signatures/rules designed to detect
the use of these tools across a variety of detection technologies-
including snort YARA, Open IOCs, ClamAV which could be used for assessing
the compromise system[s]. 
Best practices

Practice good cyber hygiene; backup, update, whitelist applications, limit
privilege, and use multifactor authentication. Routinely audit
configuration and patch management programs
Deploy endpoint security tools on all endpoints; ensure they work and are
up to date. Systems and installed applications being fully patched and
updated
Deploy web and email filters on the network. Configure these devices to
scan for known bad domains, sources, and addresses; block these before
receiving and downloading messages. Scan all emails, attachments, and
downloads both on the host and at the mail gateway with a reputable
antivirus solution
Scan for and remove suspicious e-mail attachments; ensure the scanned
attachment is its "true file type" (i.e., the extension matches the file
header). Block attachments of file types: 

[exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf]
Exercise caution when using removable media (e.g., USB thumb drives,
external drives, CDs, etc.). Ensure to Scan all software downloaded from
the Internet prior to executing.
Monitor network traffic for unexpected and unapproved protocols, especially
outbound to the internet (e.g., SSH, SMB, RDP).
Restrict execution of PowerShell /WSCRIPT in enterprise environment Ensure
installation and use of latest version of PowerShell, with enhanced logging
enabled. Script block logging, and transcription enabled. Send the
associated logs to a centralized log repository for monitoring and analysis
Enable Exploit Protection [Successor to EMET] that includes several client
side mitigation steps. Detailed configuration steps can be seen in
ft-defender-atp/enable-exploit-protection. Turn on attack surface reduction
rules, including rules that block credential theft, ransomware activity,
and suspicious use of PsExec and WMI.
To address malicious activity initiated through weaponized Office
documents, use rules that block advanced macro activity, executable
content, process creation, and process injection initiated by Office
applications. [To assess the impact of these rules, deploy them in audit
mode.]Turn on AMSI for Office VBA on Office 36
Utilize the Windows Defender Firewall and your network firewall to prevent
RPC and SMB communication among endpoints whenever possible. This limits
lateral movement as well as other attack activities.
References

- -fireeye-red-team-tools.html

- -team-tools

tilized-by-fireeye-red-team-tools
Read more [..]

Ajay Verma 09:19
Severity Rating: HIGH

Software Affected

Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server 2016
Windows Server 2019
Windows Server 2016 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server 2019 (Server Core installation)
Windows Server, version 20H2 (Server Core Installation)
Overview

A remote code execution vulnerability has been reported in Microsoft
Windows Hyper-V which could allow a remote attacker to execute arbitrary
code on the target system.

Description

This vulnerability exists in Hyper-V host server due to insufficient
validation of input (vSMB packet data) supplied from an authenticated user
on a guest operating system. An attacker could exploit the vulnerability by
executing specially crafted application on guest operating system. 

Successful exploitation of the vulnerability could allow an attacker
execute arbitrary code on the Hyper-V host leading to complete compromise
of the target system.

Solution

Apply appropriate patches as mentioned in Microsoft Security Advisory 


Vendor Information

Microsoft

References

Microsoft

CVE Name
CVE-2020-17095

Read more [..]

Ajay Verma 09:19
Severity Rating: HIGH

Software Affected

Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Foundation 2010 Service Pack 2
Microsoft SharePoint Server 2019
Microsoft SharePoint Enterprise Server 2016
Overview

Multiple vulnerabilities exist in Microsoft SharePoint which could allow a
remote attacker to execute arbitrary code on a targeted system.

Description

These vulnerabilities exist due to improper input validation in Microsoft
SharePoint. A remote attacker can send a specially crafted request and
execute arbitrary code on the targeted system.  

Successful exploitation of these vulnerabilities may result in complete
compromise of vulnerable system.

Solution

Apply appropriate patches as mentioned by vendor 


Vendor Information

Microsoft

References

Microsoft

CVE Name
CVE-2020-17118
CVE-2020-17121

Read more [..]

Ajay Verma 09:19
Severity Rating: HIGH

Systems Affected

Microsoft Edge
Overview

A remote code execution vulnerability have been reported in Microsoft Edge
and ChakraCore scripting engine which could be exploited by an
unauthenticated remote attacker to execute arbitrary code on a targeted
system.

Description

This remote code execution vulnerabilities exist in Microsoft Edge and
ChakraCore scripting engine due to improper handling of memory objects. An
attacker could exploit this vulnerability by creating a specially crafted
web page and lure the user into viewing the webpage. 

Successful exploitation of this vulnerability could allow a remote attacker
to execute arbitrary code on targeted system.

Solution

Apply appropriate patch as mentioned in Microsoft Security Guidance 


Vendor Information

Microsoft

References

Microsoft

CVE Name
CVE-2020-17131
Read more [..]

Ajay Verma 09:18
Severity Rating: HIGH

Software Affected

Cisco Jabber for Windows, Jabber for MacOS and Jabber for mobile platforms.
Overview

Multiple Vulnerabilities have been reported in Cisco Jabber for Windows,
Jabber for MacOS, and Jabber for mobile platforms could allow an attacker
to execute arbitrary programs on the underlying operating system (OS) with
elevated privileges or gain access to sensitive information.

Description

Multiple vulnerabilities exist in Cisco Jabber for Windows, Jabber for
MacOS, and Jabber for mobile platforms  due to improper validation of
message contents and handling of input to the application protocol handlers
that could allow the attacker to execute arbitrary programs on the
underlying operating system (OS) with elevated privileges. An attacker
could exploit these vulnerabilities by sending specially crafted messages
to end-user systems running Cisco Jabber. 

Successful exploitation of these vulnerabilities could allow the attacker
to cause the application on MacOS , Windows and mobile platforms to execute
arbitrary programs on the targeted system with the privileges of the user
account that is running the Cisco Jabber client software.

Solution

Apply appropriate updates as mentioned in: 
- -sa-jabber-ZktzjpgO


Vendor Information

CISCO
- -sa-jabber-ZktzjpgO

References

CISCO
- -sa-jabber-ZktzjpgO

CVE Name
CVE-2020-26085
CVE-2020-27127
CVE-2020-27132
CVE-2020-27133
CVE-2020-27134

Read more [..]

Ajay Verma 09:18
Severity Rating: High

Systems Affected

SolrWindsOrion Platform versions 2019.4 HF 5 and 2020.2 with no hotfix or
with 2020.2 HF 1, including:

Application Centric Monitor (ACM)
Database Performance Analyzer Integration Module (DPAIM)
Enterprise Operations Console (EOC)
High Availability (HA)
IP Address Manager (IPAM)
Log Analyzer (LA)
Network Automation Manager (NAM)
Network Configuration Manager (NCM)
Network Operations Manager (NOM)
Network Performance Monitor (NPM)
NetFlow Traffic Analyzer (NTA)
Server & Application Monitor (SAM)
Server Configuration Monitor (SCM)
Storage Resource Monitor (SCM)
User Device Tracker (UDT)
Virtualization Manager (VMAN)
VoIP & Network Quality Manager (VNQM)
Web Performance Monitor (WPM)
Overview

A highly sophisticated supply chain attack has been reported on the
SolarWinds' Orion IT monitoring and management software, resulted in
backdoor remote code execution and may further lead to lateral movement and
data theft.

Description

SolarWinds Orion Platform software builds have been reported to be part of
a sophisticated manual supply chain attack.

In this sophisticated supply chain attack, adversaries compromised updates
to the SolarWinds' Orion IT monitoring and management software,
specifically a component called 'SolarWinds.Orion.Core.BusinessLayer.dll'
in versions 2019.4 HF 5 through 2020.2.1. The digitally signed updates were
posted on the SolarWinds' website from March to May 2020. This backdoor can
communicate to third party servers using HTTP and is able to execute
commands to transfer and execute files, profile the system, reboot the
machine, and disable system services. 

Note: It is reported that exploitation of this vulnerability is in the
wild.



Solution

Users with Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 need to
upgrade to Orion Platform version 2020.2.1 HF 1.
Users with Orion Platform v2019.4 HF 5 need to update to Orion Platform
version 2019.4 HF 6.   

Recommendations
Organisations are strongly advised to take additional measure like:

changing passwords of all accounts accessible to Orion servers
analysing all configuration for network devices managed by the Orion
platform for alteration.
Organisations should consider the impacts and applicability of these steps
on their specific network operations prior to implementing these
mitigations.



Vendor Information



References

SolarWinds
t/core-secure-configuration.htm

US CERT
on-solarwinds-software

FireEye
ages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- -fireeye-red-team-tools.html

Microsoft
p-based-kerberoasting-with-azure-atp/ba-p/462448
on-state-cyber-attacks/
Read more [..]

Ajay Verma 09:17
Severity Rating: High

Software Affected

Apple iOS versions prior to iOS 12.5 (iPhone 5s, iPhone 6, iPhone 6 Plus,
iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation))
Apple iOS versions prior to iOS 14.3 (for iPhone 5s, iPhone 6, iPhone 6
Plus, iPhone 6s and later, iPod touch (6th generation and 7th generation))
Apple iPadOS versions prior to 14.3 (for iPad Air, iPad mini 2, iPad mini
3, iPad Air 2 and later, iPad mini 4 and later)
Overview

Multiple vulnerabilities have been reported in Apple iOS and iPadOS which
could be exploited by an attacker to execute arbitrary code, disclose
sensitive information, bypass security restrictions or display wrong domain
on a targeted system.

Description

These vulnerabilities exist due to improper input validation, improper
state management, improper bound checking or improper memory management
issues in Security, App Store, CoreAudio, FontParser, ImageIO andWebRTC
components of Apple iOS and iPadOS.


Successful exploitation of these vulnerabilities could allow the attacker
to execute arbitrary code, disclose sensitive information, bypass security
restrictions or display wrong domain on a targeted system.



Solution

Apply appropriate updates as mentioned in the Apple Security Updates   

Vendor Information

Apple

References

Apple

CVE Name
CVE-2020-27951
CVE-2020-29613
CVE-2020-27948
CVE-2020-27946
CVE-2020-27943
CVE-2020-27944
CVE-2020-29617
CVE-2020-29619
CVE-2020-29618
CVE-2020-29611
CVE-2020-15969

Read more [..]

Ajay Verma 09:17
Severity Rating: MEDIUM

Software Affected

OpENer: 2.3
OpENer development commit 8c73bf3
Overview

Vulnerability has been reported in the Ethernet/IP server functionality
which could allow the remote attacker to perform a denial of service (DoS)
attack.

Description

A Vulnerability exists in the Ethernet/IP server functionality of the EIP
Stack Group OpENer 2.3 and development commit 8c73bf3due to insufficient
validation of user-supplied input in the Ethernet/IP server functionality.
An attacker could exploit this vulnerability by sending a specially crafted
request to an affected device. 

Successful exploitation of this vulnerability could allow the attacker to
impact operations, leading to a denial of service (DoS) condition.

Solution

Apply appropriate updates as mentioned in: 


Vendor Information

Cisco 

References

Cisco 

CVE Name
CVE-2020-13530
Read more [..]

Ajay Verma 09:17
Severity Rating: HIGH

Software Affected

Acrobat DC version 2020.013.20066 and earlier versions for Windows
&macOS
Acrobat Reader DC version 2020.013.20066 and earlier versions for
Windows &macOS
Acrobat 2020 version 2020.001.30010 and earlier versions for Windows &macOS
Acrobat Reader 2020 version 2020.001.30010 and earlier versions for Windows
&macOS
Acrobat 2017 version 2017.011.30180  and earlier versions for Windows
&macOS
Acrobat Reader 2017 version 2017.011.30180  and earlier versions for
Windows &macOS
Overview

A vulnerability has been reported in Adobe Acrobat Reader which could allow
a remote attacker to access sensitive information of the targeted system.

Description

A remote attacker could exploit this vulnerability by sending a specially
crafted PDF file.  

Successful exploitation of this vulnerability could allow remote attacker
to gain access sensitive information in the context of the current user.

Solution

Update to latest versions as available at the following URLs: 


Vendor Information

Adobe

References

Adobe

CVE Name
CVE-2020-29075

Read more [..]

Ajay Verma 09:16
Severity Rating: HIGH

Systems Affected

HPE Systems Insight Manager (SIM) version 7.6.x
Overview

A remote code execution vulnerability has been reported in Hewlett Packard
Enterprise Systems Insight Manager (SIM) which could allow a remote
attacker to execute arbitrary code on the target system.

Description

This vulnerability exists in the Hewlett Packard Enterprise Systems Insight
Manager (SIM) due to improper validation of user supplied input. A remote
attacker could exploit this vulnerability by executing a specially crafted
input which could result in deserialization of untrusted data. 

Successful exploitation of this vulnerability could allow the attacker to
execute arbitrary code on the target system.

Workaround

Users will be unable to use the federated search feature once the
simsearch.war file is removed from the install path. 

For existing installations, the following steps are to be taken to remove
the "Federated Search" & "Federated CMS Configuration" feature which
allowed the vulnerability.

Stop HPE SIM Service
Delete file from sim installed path del /Q /F C:\Program Files\HP\Systems
Insight Manager\jboss\server\hpsim\deploy\simsearch.war
Restart HPE SIM Service
Wait for HPE SIM web page "https://SIM_IP:50000" to be accessible and
execute the following command from command prompt. mxtool -r -f
tools\multi-cms-search.xml 1>nul 2>nul
Vendor Information

Hewlett Packard
gn04068en_us

References

Hewlett Packard
gn04068en_us

IBM X-Force Exchange

Bleeping Computer
day-in-server-management-software/

CVE Name
CVE-2020-7200
Read more [..]

Ajay Verma 09:16
Severity Rating: High

Software Affected

Apple Safari versions prior to Safari 14.0.2
Overview

A vulnerability has been reported in Apple Safari which could allow a
remote attacker to execute arbitrary code on the target system.

Description

This vulnerability exist in Apple Safari due to improper memory management
issue which trigger use-after-free error in macOS Catalina and macOS
Mojave. A remote attacker could exploit the vulnerability by executing
specially crafted application. 

Successful exploitation of this vulnerability could allow the attacker to
execute arbitrary code on the target system.



Solution

Apply appropriate patches as mentioned in the   Apple Security Updates

Vendor Information

Apple

References

Apple

CVE Name
CVE-2020-15969

Read more [..]

Ajay Verma 09:15
Severity Rating: HIGH

Software Affected

Apple macOS server version prior to 5.10
Overview

A vulnerability has been reported in Apple macOS server which could allow a
remote attacker to obtain sensitive information and execute arbitrary code
on the targeted system.

Description

This vulnerability exist in Apple macOS server due to insufficient
sanitization of user-supplied data. A remote attacker could exploit this
vulnerability by sending a specially crafted HTML link.  

Successful exploitation of this vulnerability could allow a remote attacker
to gain access sensitive information, change appearance of the web page and
perform phishing attacks on the targeted system.

Solution

Apply appropriate updates as mentioned in Apple Security Advisory HT211932 


Vendor Information

Apple

References

Apple

CVE Name
CVE-2020-9995

Read more [..]

Ajay Verma 09:15
Severity Rating: MEDIUM

Software Affected

Foxit Reader 10.1.0.37527 and earlier
Foxit PhantomPDF 10.1.0.37527 and earlier
Overview

Multiple vulnerabilities has been reported in Foxit Reader and Foxit
Phantom PDF for windows where a null pointer access/dereference while
opening a crafted PDF file lead to application crash and DoS.

Description

The application could be exposed to Denial of Service vulnerability and
crash when opening certain PDF files that contained illegal value in the
/Size entry of the Trail dictionary. This occurs due to the array overflow
as the illegal value in the /Size entry causes an error in initializing the
array size for storing the compression object streams, and an object number
which is larger than the initialization value is used as the array index
while parsing the cross-reference streams. 

Successful exploitation of this vulnerability could allow the attacker to
cause denial-of-service in Foxit Reader and Foxit Phantom PDF.

Solution

Apply appropriate fix as mentioned in Foxit Advisory 


Vendor Information

Foxit

References

Foxit

CVE Name
CVE-2020-28203

Read more [..]

Ajay Verma 09:14
Severity Rating: MEDIUM

Software Affected

OpenSSL versions 1.1.1 and 1.0.2
Overview

A NULL pointer dereference vulnerability has been found in Open SSL which
may lead to a possible denial of service(DoS) attack on a server or client
application running OpenSSL.

Description

This vulnerability is due to a NULL pointer de-reference error. A remote
attacker can trigger denial of service conditions via the API functions viz
TS_RESP_verify_response and TS_RESP_verify_token. An attacker could exploit
this vulnerability by controlling both items being compared. For example if
the attacker can trick a client or server into checking a malicious
certificate against a malicious CRL then this may occur. 

Successful exploitation of this vulnerability could allow the attacker to
perform a denial of service (DoS) attack.

Solution

Upgrade to OpenSSL version 1.1.1i 
OpenSSL 1.0.2 and 1.1.0 are out of support and no longer receiving updates.
Users of these versions are recommended to upgrade to OpenSSL 1.1.1i.

Vendor Information

OpenSSL

References

OpenSSL

Security Tracker

CVE Name
CVE-2020-1971

Read more [..]
Subscribe to: Posts ( Atom )

© Copyright 2020. Designed By Templateify

© Copyright 2020. Ud64

Scroll to Top