============================================================= =============================================================

Transcription

1 Stephan Lantos Subject: The Consensus Security Vulnerability Alert: Vol. 13, Num. 23 In partnership with SANS and Sourcefire, Qualys is pleased to provide you with Newsletter. This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straight forward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter. The Consensus Security Vulnerability Alert Vol. 13, Num. 23 Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked = CONTENTS: NOTABLE RECENT SECURITY ISSUES USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE MOST PREVALENT MALWARE FILES 5/30/13-6/4/13 TOP VULNERABILITY THIS WEEK: Google researcher Tavis Ormandy provided exploit code for an unpatched local kernel vulnerability in Windows this week, after having first published details on the Full-Disclosure mailing list in mid-may. The release coincides with Google's shift from giving vendors 60 days on actively exploited vulnerabilities to 7 days before Google will release details. NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM Title: Google Shifts Policy, Will Release 0-days After A Week; Researcher Provides 0-day PoC Description: In a major policy announcement made last week, Google stated that it will publicly disclose details of new vulnerabilities in other vendors' products 7 days after discovery, if those issues are being actively exploited in the wild. This is a major shift from its previous policy of giving vendors 60 days before disclosure. While acknowledging that this new policy may be too short of a time frame for vendors to develop a patch, Google stated that vendors should at least make users aware of the situation and offer any possible mitigations while a patch is being developed. Meanwhile, Google researcher Tavis Ormandy has released exploit code for a local kernel vulnerability in Windows ahead of a patch by Microsoft, after having released initial details in mid-may. Microsoft claims that no active exploitation was taking place prior to the release of the exploit code, although it is likely that will change in the face of publicly available PoC. 1

2 Snort SID: N/A ClamAV: N/A Title: RFI Botnet Compromising WordPress, Joomla Sites Worldwide Description: Researchers at the Deep End Research group released an in-depth report this week on a major botnet that has been responsible for compromising hundreds of thousands of WordPress and Joomla web sites across the planet over the past year. The report, which is designed to raise awareness among administrators of these notoriously vulnerable web services, corresponds to attack techniques seen by Sourcefire since September of System administrators are urged to check their systems for signs of compromise by this botnet, and to ensure that their systems have all of the latest available security patches and recommended settings applied. Snort SID: ClamAV: Trojan.Dapato-* Title: Black Revolution DDoS Trojan In The Wild Description: DDoS continues to be a favorite activity of attackers worldwide, with recent attacks on financial institutions in particular reaching 100+ Gbps levels. Researchers at Arbor Networks this week profiled a particularly advanced DDoS trojan by the name of "Black Revolution" they have been observing in the wild lately, with different variants of the malware showing its creators' progress at evading detection over time. Snort SID: , ClamAV: Win.Trojan.BlackRev Title: German Torrent Contains Source For 309 Bots Description: The authors of the well-respected "Malware Must Die" blog this week published information on a huge dump of botnet source code they discovered on a German torrent, which has since been shut down. While most of the source is several years old, it provides valuable insight into multiple important families of malware, including Zeus, Skype-based bots, SDbot, and others. The source code is being shared with security researchers, and should provide useful information for network defenders worldwide. Snort SID: Various ClamAV: Various USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK Shellcodecs - a huge collection of shellcode, loaders, etc.: Ruby's $SAFE may go away: Phishing as a service: 2

3 Cisco in the sky with diamonds: How to search encrypted text in SQL server 2005/2008: Trawling for Tor hidden services - detection, measurement, deanonymization: Microsoft releases new mitigation guidance for Active Directory: NSA official mitigations for DDoS: ========================================================= RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity. ID: CVE Title: IBM SPSS SamplePower C1Tab ActiveX Heap Overflow Vendor: IBM Description: Buffer overflow in the c1sizer ActiveX control in C1sizer.ocx in IBM SPSS SamplePower 3.0 before FP1 allows remote attackers to execute arbitrary code via a long TabCaption string. CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) ID: CVE Title: Nginx HTTP Server Chuncked Encoding Stack Buffer Overflow Vendor: nginx.org Description: Remote exploitation of an integer overflow vulnerability in version of nginx, as included in various vendors' operating system distributions, could allow attackers to execute arbitrary code on the targeted host. ID: CVE Title: Microsoft Internet Explorer 8 Use-After-Free Memory Corruption Vulnerability Vendor: Microsoft Description: Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly allocated or (2) is deleted, as exploited in the wild in May ID: CVE Title: Adobe ColdFusion Information Disclosure Vulnerability (APSB13-13) Vendor: Adobe Description: Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to read arbitrary files via unknown vectors. 3

4 CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) ID: CVE Title: Java Applet Reflection Type Confusion Remote Code Execution Vendor: Oracle Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager. CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) ID: CVE Title: Oracle Java SE JVM 2D Subcomponent Remote Code Execution Vulnerability (Oracle Security Alert for CVE ) Vendor: Oracle Description: The color management (CMM) functionality in the 2D component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (crash) via an image with crafted raster parameters, which triggers (1) an out-of-bounds read or (2) memory corruption in the JVM, as exploited in the wild in February ========================================================= MOST PREVALENT MALWARE FILES 5/30/13-6/4/13: COMPILED BY SOURCEFIRE SHA 256: 94A1A26F61B015C2CED2FD50BDBA4070B6C9AEC7D2938FBF7EB9E99960D3B7A9 MD5: bfacf78644ca41fd6d4b23976e7574a1 Typical Filename: RemoveWAT.exe Claimed Product: RemoveWAT.exe Claimed Publisher: RemoveWAT.exe SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615 MD5: 3291e c47a23b60a8bf2ca73db Typical Filename: 01.tmp Claimed Product: 01.tmp Claimed Publisher: 01.tmp SHA 256: 7BB7125EC5ECF99F975D7CB127009E615847D3FF05FA9F2F79F92CB480B28DC5 MD5: 2f0550df2d7e b44aeb ysis/ Typical Filename: pricepeep_130001_0101.exe Claimed Product: pricepeep_130001_0101.exe 4

5 Claimed Publisher: pricepeep_130001_0101.exe SHA 256: A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03 MD5: 8ac1e580cf274b3ca e Typical Filename: Virus.Win32.Sality.ab Claimed Product: Virus.Win32.Sality.ab Claimed Publisher: Virus.Win32.Sality.ab SHA 256: DF83A0D E4C4954F4874FCD4DD73E781E6690C3BF56F51C A3C MD5: 25aa9bb549ecc7bb6100f8d ysis/ Typical Filename: ygrqpx.exe Claimed Product: ygrqpx.exe Claimed Publisher: ygrqpx.exe = All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner. --END-- You are receiving this because you indicated that you wanted to receive information from Qualys about industry news, product updates, security alerts and other information that may be of interest to you. To manage your subscriptions, visit our communication preferences page. Click here to report this as spam. 5