NetSarang Multiple Products Backdoor Vulnerability (ShadowPad)

Vulnerability category: Local

Vulnerability severity:

Vulnerability information

NetSarang Computer, Inc. develops, markets and supports secure connectivity solutions in the global market. The company develops a family of PC X server and SSH client software for PC-to-Unix and PC-to-Linux connectivity, and is expanding its TCP/IP network technologies to other Internet businesses.

It was found that NetSarang's update mechanism was recently hijacked and a backdoor was silently inserted into the software update, so that the malicious code was delivered to all of its clients signed with NetSarang's legitimate certificate.

Affected Version:
Xmanager Enterprise 5 Build 1232
Xmanager 5 Build 1045
Xshell 5 Build 1322
Xftp 5 Build 1218
Xlpd 5 Build 1220

Detection Logic:
This QID checks for affected product’s build version in the registry and its associated executable.

Impact

An unauthenticated, remote attacker could exploit compromised targets.

Solution

Customers are advised to download the latest packages from NetSarang Product Downloads.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Downloads

0daybank

Mamba Ransomware Detected (Pre-Reboot), 2017-08-16 10:45:05

Vulnerability category: Backdoors and trojan horses

Vulnerability severity:

Vulnerability information

Mamba is ransomware which, after infection, overwrites the existing Master Boot Record of a Windows installation with a custom MBR and encrypts the hard drive using an open source full disk encryption utility called DiskCryptor. It is unclear whether the malware contains a propagation mechanism. However, it appears that a malware group compromises a network first and, after gaining access to an organization's network, uses the psexec utility to execute the ransomware across the network.

QID Detection Logic:
This authenticated detection works by checking for the presence of a few files such as %SYSTEMDRIVE%\DC22\dcinst.exe, %SYSTEMDRIVE%\DC22\log_file.txt, %SYSTEMDRIVE%\xampp\http\dcinst.exe, %SYSTEMDRIVE%\xampp\http\log_file.txt that are found on an infected pre-reboot system.

Impact

Systems infected by this ransomware will have their files encrypted and rendered unusable until the victim pays a ransom to an anonymous party.

Solution

To Protect your systems:
– Use the Windows AppLocker feature to disable the execution of PSExec.exe.
– Disable WMI
– Disable SMBv1
– Make sure systems are running up to date anti-malware.
– Block ADMIN$ access via GPO.
– Maintain good back-ups so that if an infection occurs, you can restore your data.

Cleaning up Infected systems:
– Contact your Anti-Malware vendor to remove the infection.

Fedora Security Update for knot-resolver (FEDORA-2017-b9433ad88e)

Vulnerability category: Fedora

Vulnerability severity:

Vulnerability information

Fedora has released a security update for knot-resolver to fix the vulnerability.

Affected OS:
Fedora 25

Impact

Successful exploitation allows an attacker to compromise the system.

Solution

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisory:
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-b9433ad88e: Fedora 25

Fedora Security Update for php-horde-Horde-Core (FEDORA-2017-b812362f61)

Vulnerability category: Fedora

Vulnerability severity:

Vulnerability information

Fedora has released a security update for php-horde-Horde-Core to fix the vulnerability.

Affected OS:
Fedora 25

Impact

Successful exploitation allows an attacker to compromise the system.

Solution

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisory:
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-b812362f61: Fedora 25

Fedora Security Update for php-horde-Horde-Form (FEDORA-2017-26f9e09c8a)

Vulnerability category: Fedora

Vulnerability severity:

Vulnerability information

Fedora has released a security update for php-horde-Horde-Form to fix the vulnerability.

Affected OS:
Fedora 25

Impact

Successful exploitation allows an attacker to compromise the system.

Solution

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisory:
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-26f9e09c8a: Fedora 25

Fedora Security Update for php-horde-turba (FEDORA-2017-449b22158f)

Vulnerability category: Fedora

Vulnerability severity:

Vulnerability information

Fedora has released a security update for php-horde-turba to fix the vulnerability.

Affected OS:
Fedora 25

Impact

Successful exploitation allows an attacker to compromise the system.

Solution

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisory:
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-449b22158f: Fedora 25

Amazon Linux Security Advisory for aws-cfn-bootstrap: ALAS-2017-866

Vulnerability category: Amazon Linux

Vulnerability severity:

Vulnerability information

A vulnerability was reported in the CloudFormation bootstrap tools, different from the one in CVE-2017-9450, where the default behavior in the handling of cfn-init metadata can provide escalated privileges to an attacker with local access to the system.

QID Detection Logic:
This authenticated QID verifies whether the version of the following package is less than 1.4-20.12.amzn1: aws-cfn-bootstrap

Impact

Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.

Solution

Please refer to Amazon advisory ALAS-2017-866 for affected packages and patching details, or update with your package manager.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ALAS-2017-866: Amazon Linux

Fedora Security Update for seamonkey (FEDORA-2017-cd5d8cac23)

Vulnerability category: Fedora

Vulnerability severity:

Vulnerability information

Fedora has released a security update for seamonkey to fix the vulnerability.

Affected OS:
Fedora 25

Impact

Successful exploitation allows an attacker to compromise the system.

Solution

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisory:
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-cd5d8cac23: Fedora 25

Serviio Media Server Multiple Security Vulnerabilities

Vulnerability category: Web server

Vulnerability severity:

Vulnerability information

Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Blu-ray player, games console or mobile phone) on your home network.

The vulnerabilities found in Serviio Media Server are:
– Remote Code Execution
– Local Privilege Escalation
– Unauthenticated Password Modification
– Information Disclosure
– DOM-Based Cross-Site Scripting (XSS)

Affected versions:
Serviio Media Server 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1.

QID Detection Logic (Unauthenticated):
This QID sends a crafted HTTP GET request to the target and matches directory information in the response.

Impact

Successful exploitation could allow an attacker to compromise the targeted system.

Solution

The vendor has not confirmed the vulnerabilities and no patch has been released to specifically fix them; however, a newer version of the software is available for download.

GitHub Enterprise Management Console Remote Code Execution

Vulnerability category: General remote services

Vulnerability severity:

Vulnerability information

GitHub is a web-based Git version control repository and Internet hosting service.
A bug resulted in a static value being used as the Ruby on Rails session secret for GitHub Enterprise's management console.

Impact

A static session secret could allow an attacker to sign arbitrary session cookies and exploitation could result in remote code execution on the server.

Solution

This issue has been fixed in GitHub Enterprise 2.8.7 and later versions.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

GitHub: GitHub (GitHub Enterprise management console)

SUSE Enterprise Linux Security Update for tcmu-runner (SUSE-SU-2017:2109-1)

Vulnerability category: SUSE

Vulnerability severity:

Vulnerability information

SUSE has released a security update for tcmu-runner to fix the vulnerabilities.

Affected Products:
SUSE Linux Enterprise Software Development Kit 12-SP3
SUSE Linux Enterprise Server 12-SP3

Impact

This vulnerability can be used to cause a limited denial of service in the form of interruptions in resource availability.

Solution

Upgrade to the latest packages, which contain a patch. To install this SUSE Security Update, use YaST online_update. Alternatively, you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory SUSE-SU-2017:2109-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

SUSE-SU-2017:2109-1: SUSE Enterprise Linux

Adylkuzz Cryptocurrency Mining Malware Detected

Vulnerability category: Backdoors and trojan horses

Vulnerability severity:

Vulnerability information

Adylkuzz is cryptocurrency mining malware that is reportedly spreading by exploiting a flaw in SMB. The spreading mechanism is based on the ETERNALBLUE exploit that was released by the Shadow Brokers.
Microsoft addressed this vulnerability under MS17-010.

QID Detection Logic (Authenticated):
This authenticated detection works by checking for the presence of services and a few files that are found on an infected system.

Impact

Systems infected by this cryptocurrency mining malware are used to mine the Monero cryptocurrency for the malware creator, consuming excessive computing resources.

Solution

Cleaning up Infected systems:
– Contact your Anti-Malware vendor to remove the infection.

Workaround:
– Apply MS17-010 and KB4012598 Microsoft patches for affected systems.
– Disable SMBv1.
– Block TCP Port 445 at the perimeter.

Web Application Data URI Discovered Over Non-HTTPS Links

Vulnerability category: Web Application

Vulnerability severity:

Vulnerability information

Data URIs were discovered in the target web application on non-HTTPS pages. These links are provided in the Results section along with their parent links. If the same Data URI is present on multiple parent links, only one parent link is reported.

Impact

1. Bypassing blacklist-based XSS filters.
2. Phishing.
3. Some applications use firewall proxies to block retrieval of certain media types. Data URIs support dynamic MIME type creation, which makes it difficult for those proxies to filter such data URIs.

Solution

It is recommended to perform a detailed review of the code related to these data URIs.

WordPress Prior to 4.7.5 Multiple Security Vulnerabilities

Vulnerability category: CGI

Vulnerability severity:

Vulnerability information

WordPress is an open source blogging tool and content management system based on PHP and MySQL. It has many features including a plug-in architecture and a template system.

WordPress versions prior to 4.7.5 contain the following unauthorized HTTP redirection, cross-site request forgery and cross-site scripting vulnerabilities:
Insufficient redirect validation in the HTTP class.
Improper handling of post meta data values in the XML-RPC API.
Lack of capability checks for post meta data in the XML-RPC API.
A cross-site request forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog.
A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files.
A cross-site scripting (XSS) vulnerability was discovered related to the Customizer.

Affected Versions:
WordPress prior to 4.7.5

QID Detection Logic:
This QID relies on the BlindElephant engine to detect the version of the WordPress installation, as active attacks could potentially harm live installations.

Impact

Depending on the vulnerability being exploited, a remote attacker could conduct CSRF, XSS attacks, gain access to sensitive meta data information or redirect users to malicious resources.

Solution

Customers are advised to install WordPress 4.7.5 or later versions to remediate the vulnerabilities.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

WordPress 4.7.5 or later

EOL/Obsolete Software: Apache Tomcat 6.0.x Detected, 2017-05-15 22:28:08

Vulnerability category: Security Policy

Vulnerability severity:

Vulnerability information

Apache Tomcat software is a web server.

Support for Apache Tomcat 6.0.x ended on December 31, 2016. No further bug fixes, enhancements, security updates or technical support are available for this version.

Impact

The system is at high risk of being exposed to security vulnerabilities. Because the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks.

Solution

Upgrade to the latest version of Apache Tomcat. Please refer to the Apache Tomcat website.

CVE-2015-0701 Cisco UCS Central Software Arbitrary Command Execution Vulnerability (cisco-sa-20150506-ucsc)

Vulnerability category: Cisco

Vulnerability severity:

Vulnerability information

A vulnerability in the web framework of Cisco UCS Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.
The vulnerability is due to improper input validation.

QID Detection Logic (Authenticated):
This QID reviews the Cisco UCS Central version via "show version".
The QID is posted if a Cisco UCS Central software version less than or equal to "1.2" is found.

Impact

An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the root user.

Solution

The vendor has released fixes to resolve this issue. Refer to cisco-sa-20150506-ucsc to obtain additional details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

cisco-sa-20150506-ucsc: Cisco UCSC

CVE-2017-5068 Red Hat Update for chromium-browser (RHSA-2017-1228)

Vulnerability category: RedHat

Vulnerability severity:

Vulnerability information

Chromium is an open-source web browser, powered by WebKit (Blink).

A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. (CVE-2017-5068)

Affected Products
Red Hat Enterprise Linux Server 6 x86_64
Red Hat Enterprise Linux Server 6 i386
Red Hat Enterprise Linux Workstation 6 x86_64
Red Hat Enterprise Linux Workstation 6 i386
Red Hat Enterprise Linux Desktop 6 x86_64
Red Hat Enterprise Linux Desktop 6 i386

Impact

A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. (CVE-2017-5068)

Solution

Upgrade to the latest packages, which contain a patch. Refer to Applying Package Updates to RHEL system for details.

Refer to Red Hat security advisory RHSA-2017:1228 to address this issue and obtain more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

RHSA-2017:1228: Red Hat Enterprise Linux

CVE-2016-9840 Red Hat Update for java-1.7.1-ibm (RHSA-2017-1221)

Vulnerability category: RedHat

Vulnerability severity:

Vulnerability information

IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security Vulnerabilities page, listed in the References section. (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-1289, CVE-2017-3509, CVE-2017-3511, CVE-2017-3533, CVE-2017-3539, CVE-2017-3544)

Affected Products
Red Hat Enterprise Linux Server 7 x86_64
Red Hat Enterprise Linux Server 6 x86_64
Red Hat Enterprise Linux Server 6 i386
Red Hat Enterprise Linux Workstation 7 x86_64
Red Hat Enterprise Linux Workstation 6 x86_64
Red Hat Enterprise Linux Workstation 6 i386
Red Hat Enterprise Linux Desktop 7 x86_64
Red Hat Enterprise Linux Desktop 6 x86_64
Red Hat Enterprise Linux Desktop 6 i386
Red Hat Enterprise Linux for IBM z Systems 7 s390x
Red Hat Enterprise Linux for IBM z Systems 6 s390x
Red Hat Enterprise Linux for Power, big endian 7 ppc64
Red Hat Enterprise Linux for Power, big endian 6 ppc64
Red Hat Enterprise Linux for Scientific Computing 7 x86_64
Red Hat Enterprise Linux for Power, little endian 7 ppc64le
Red Hat Enterprise Linux for Scientific Computing 6 x86_64

Impact

On successful exploitation, it allows an unauthenticated attacker with network access via SMTP to compromise Java SE, Java SE Embedded and JRockit. Successful attacks on this vulnerability can result in unauthorized update, insert or delete access to some Java SE, Java SE Embedded and JRockit accessible data.

Solution

Upgrade to the latest packages, which contain a patch. Refer to Applying Package Updates to RHEL system for details.

Refer to Red Hat security advisory RHSA-2017:1221 to address this issue and obtain more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

RHSA-2017:1221: Red Hat Enterprise Linux