Name : Divya Dipak Mali
Class : BE - computer
Roll No : 58
Subject : Cyber - Security Lab
Aim: Study of recent Cyber Incidents / Vulnerability
1. Latest Security Alerts, Virus Alerts
SECURITY ALERTS
On May 20, 2020 (local time), the Apache Software Foundation released information regarding a vulnerability (CVE-2020-9484) in Apache Tomcat. The vulnerability is due to improper validation of deserialized data. A remote attacker who is able to control the contents and name of a file on the server may execute arbitrary code via deserialization of that file by sending a specifically crafted request.
For more information on the vulnerability, please refer to the information provided by Apache Software Foundation.
Vulnerabilities exist in Adobe Acrobat, a PDF file creation and conversion software, and Adobe Acrobat Reader, a PDF file viewing software. As a result, an attacker may execute arbitrary code by convincing a user to open content that leverages these vulnerabilities. For more information, please refer to Adobe's website.
According to Adobe, among these vulnerabilities, a Use After Free vulnerability (CVE-2021-28550) has been exploited in attacks targeting Adobe Reader users on Windows.
On March 30, 2021 (US time), VMware released an advisory (VMSA-2021-0004) regarding vulnerabilities in VMware vRealize Operations. The vRealize Operations Manager API contains a Server Side Request Forgery vulnerability (CVE-2021-21975) and an arbitrary file write vulnerability (CVE-2021-21983). A remote attacker may steal administrative credentials and write files to arbitrary locations by leveraging these vulnerabilities.
In addition, JPCERT/CC has confirmed information that appears to be proof-of-concept code and a scanner that searches for systems affected by the SSRF vulnerability (CVE-2021-21975). Also, the organization that reported these vulnerabilities pointed out that, when chained together, they can lead to unauthenticated remote code execution in vRealize Operations.
On May 7, 2021, EC-CUBE CO.,LTD. released an alert regarding a cross-site scripting vulnerability (CVE-2021-20717) in EC-CUBE. By leveraging the vulnerability, a remote attacker may execute an arbitrary script in the site administrator's web browser, resulting in unauthorized access to the vulnerable site or leakage of personal information. EC-CUBE CO.,LTD. has confirmed attacks that exploit this vulnerability.
Since attacks that exploit the vulnerability have already been confirmed, users of the affected products are recommended to take measures such as applying patches as soon as possible. For more information, please refer to the information provided by EC-CUBE CO.,LTD. For countermeasures, please consider contacting the contractor in charge of building the site when responding to the vulnerability.
VIRUS ALERTS
SILOSCAPE
A new malware family has been discovered that has been active for more than a year, compromising Windows containers in order to target Kubernetes clusters. The malware is named Siloscape because its end goal is to plant a backdoor and clear the way for attackers to abuse Windows containers via server silos.
Siloscape is one of the first malware families to target Windows-based containers. In addition, it is heavily obfuscated, making it challenging for security analysts to reverse engineer its binary.
Once it infects the web servers, it uses multiple container escape tactics to achieve code execution on the underlying Kubernetes node. Compromised nodes are probed for credentials.
SARBLOH RANSOMWARE
A new ransomware known as Sarbloh encrypts your files while at the same time delivering a message supporting the protests of Indian farmers.
As detailed by numerous security firms, including Malwarebytes, Cyble, and QuickHeal, a new ransomware known as 'Sarbloh' is being distributed through malicious Word documents that contain a political message in support of Indian farmers.
ADROZEK
Microsoft has raised the alarm today about a new malware strain that infects users' devices and then proceeds to modify browsers and their settings in order to inject ads into search results pages.
Named Adrozek, the malware has been active since at least May 2020 and reached its absolute peak in August this year when it controlled more than 30,000 browsers each day.
Microsoft says that, currently, the malware is distributed via classic drive-by download schemes. Users are typically redirected from legitimate sites to shady domains where they are tricked into installing malicious software.
The booby-trapped software installs the Adrozek malware, which then obtains reboot persistence with the help of a registry key.
Once persistence is assured, the malware will look for locally installed browsers such as Microsoft Edge, Google Chrome, Mozilla Firefox, or the Yandex Browser.
2. VULNERABILITY NOTES (Vulnerability Notes of the year 2021, 2020, 2019)
CHECKBOX SURVEY INSECURELY DESERIALIZES ASP.NET VIEW STATE DATA (2021)
CVE-2021-27852 Checkbox Survey insecurely deserializes ASP.NET View State data.
Checkbox Survey is an ASP.NET application that can add survey functionality to a website. Prior to version 7.0, Checkbox Survey implements its own View State functionality by accepting a _VSTATE argument, which it then deserializes using LosFormatter. Because this data is manually handled by the Checkbox Survey code, the ASP.NET ViewState Message Authentication Code (MAC) setting on the server is ignored. Without MAC, an attacker can create arbitrary data that will be deserialized, resulting in arbitrary code execution.
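The failure described above is that serialized client-supplied state reaches a deserializer without the server first checking an authentication tag over it. The following is an added example, not Checkbox Survey's or ASP.NET's code: it models the ViewState MAC idea with Python's standard library, so that only a blob whose HMAC verifies (computed with a secret the client never sees) is deserialized. The key value, the field names and the function names (pack_state, unpack_state, tamper) are constructed for this example; JSON stands in for LosFormatter so that the weak path is safe to run.

```python
"""Authenticate serialized state before deserializing it (added example).

Models the ASP.NET ViewState MAC with HMAC-SHA256: the server appends a tag
over the serialized bytes and refuses to deserialize anything whose tag does
not verify. A client can read the blob but cannot produce a valid tag without
the server-side key, so attacker-made payloads never reach the deserializer.
"""
import base64
import hashlib
import hmac
import json

# Constructed secret for this example; in ASP.NET the machineKey plays this
# role, lives in server configuration and is never sent to the client.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
TAG_LEN = 32  # HMAC-SHA256 digest length in bytes


def pack_state(state: dict) -> str:
    """Serialize `state` and append an HMAC over the serialized bytes."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def unpack_state(blob: str) -> dict:
    """MAC-enabled path: verify the tag first, deserialize only on success."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < TAG_LEN:
        raise ValueError("state blob too short to carry a MAC")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("state MAC verification failed")
    return json.loads(payload)


def unpack_state_unauthenticated(blob: str) -> dict:
    """The weak pattern from the note: the tag is ignored, not checked.
    With an object deserializer such as LosFormatter this is where arbitrary
    code execution would happen; JSON keeps the example harmless."""
    return json.loads(base64.b64decode(blob)[:-TAG_LEN])


def tamper(blob: str, field: str, value) -> str:
    """Client-side modification of one field, keeping the old tag.
    Exists only to show that unpack_state rejects the result."""
    raw = base64.b64decode(blob)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    state = json.loads(payload)
    state[field] = value
    new_payload = json.dumps(state, sort_keys=True).encode()
    return base64.b64encode(new_payload + tag).decode()


def demo() -> dict:
    """Round-trip a legitimate blob, then compare both paths on a forged one."""
    blob = pack_state({"survey_id": 42, "page": 3, "is_admin": False})
    original = unpack_state(blob)
    forged = tamper(blob, "is_admin", True)
    try:
        unpack_state(forged)
        forged_accepted = True
    except ValueError:
        forged_accepted = False
    return {
        "original_is_admin": original["is_admin"],
        "forged_accepted_with_mac": forged_accepted,
        "forged_is_admin_without_mac": unpack_state_unauthenticated(forged)["is_admin"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison in demo() is that the same forged blob is rejected by the MAC-checking path and accepted by the path that skips the check; in the real application the consequence of the second path is code execution rather than a flipped flag, which is why the note treats ignoring the server's ViewState MAC setting as the root cause.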
PULSE CONNECT SECURE SAMBA BUFFER OVERFLOW (2021)
PCS includes the ability to connect to Windows file shares (SMB). This capability is provided by a number of CGI scripts, which in turn use libraries and helper applications based on Samba 4.5.10. When a long server name is specified for some SMB operations, the smbclt application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on the length of the server name.
The Bluetooth Core Specification and Mesh Profile Specification are two specifications used to define the technical and policy requirements for devices that want to operate over Bluetooth connections. Researchers at the Agence nationale de la sécurité des systèmes d'information (ANSSI) have identified a number of vulnerabilities in each specification that allow impersonation attacks and AuthValue disclosures.
MySQL includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory of /build_area/. On the Windows platform, this path is interpreted as C:\build_area. MySQL contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories under the system root, a user can create the appropriate path to a specially crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
A use-after-free vulnerability that can be reached via a license server handling endpoint may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Pulse Connect Secure gateway system.
Every system that is running PCS 9.0R3 or higher or 9.1R1 through 9.2R11.3 is affected. Having the license server configuration enabled is NOT a prerequisite to being vulnerable. The vulnerable endpoints are present regardless of whether the system is an actual license server or not.
Microsoft Internet Explorer contains a scripting engine, which handles execution of scripting languages such as VBScript and JScript. The scripting engine JScript component contains an unspecified memory corruption vulnerability. Any application that supports embedding Internet Explorer or its scripting engine component may be used as an attack vector for this vulnerability.
This vulnerability was detected in exploits in the wild.
CONTENT DELIVERY NETWORKS HANDLE HTTP HEADERS IN DIFFERENT AND UNEXPECTED WAYS(2020)
A Content Delivery Network (CDN) is a distributed network of proxy servers that deliver web content collected from a back-end web server using a temporary local storage called a cache. HTTP cache poisoning is a type of attack in which a remote attacker injects arbitrary content via unsanitized HTTP headers to poison the remote cache of a CDN. Once an attacker has successfully injected malicious content, future visitors accessing the compromised website will receive and execute the attacker's injected scripts.
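The mechanism behind the note is a mismatch between what the cache keys on and what the origin's response actually depends on. The following is an added example and not code from the vulnerability note or from any CDN: a minimal in-memory edge cache keys responses on (method, host, path), the way CDNs typically do, while the origin builds a URL from a forwarded header that is not part of that key. The hardened edge forwards only an allowlist of request headers to the origin, so the cached response depends only on keyed inputs. The header name, host names and class/function names are constructed for this example.

```python
"""Cache poisoning through an unkeyed request header (added example).

Weak edge: every request header is forwarded to the origin, but only
(method, host, path) forms the cache key. One request that carries a header
the origin reflects leaves a response in the cache that every later visitor
of the same path receives.
Hardened edge: headers not on an allowlist are dropped before the request
reaches the origin, so the response cannot depend on an unkeyed input.
"""
from typing import Callable, Dict, Optional, Set, Tuple

Request = Dict[str, str]            # "method", "path", "host" plus lower-cased headers
Origin = Callable[[Request], str]
KEYED = ("method", "path", "host")  # the only inputs the cache key is built from


def origin(req: Request) -> str:
    """Origin that trusts a proxy-supplied host header when building an
    absolute script URL. Trusting it unconditionally is the modelled defect."""
    host = req.get("x-forwarded-host", req["host"])
    return f'<script src="https://{host}/static/app.js"></script>'


class EdgeCache:
    def __init__(self, upstream: Origin, forward_allowlist: Optional[Set[str]] = None):
        self._upstream = upstream
        self._store: Dict[Tuple[str, str, str], str] = {}
        # None: forward every header (weak). A set: forward only those names.
        self._allow = forward_allowlist

    def handle(self, req: Request) -> Tuple[str, bool]:
        """Return (body, served_from_cache)."""
        key = (req["method"], req["host"], req["path"])
        if key in self._store:
            return self._store[key], True
        if self._allow is None:
            forwarded = req
        else:
            forwarded = {k: v for k, v in req.items() if k in KEYED or k in self._allow}
        body = self._upstream(forwarded)
        self._store[key] = body
        return body, False


def reflected_host(body: str) -> str:
    """Extract the host from the script URL the origin produced."""
    return body.split("https://", 1)[1].split("/", 1)[0]


def run(cache: EdgeCache) -> Tuple[str, bool]:
    """One request carrying the unkeyed header, then a plain request for the
    same path. Returns what the second visitor's response contains."""
    base: Request = {"method": "GET", "host": "shop.example", "path": "/"}
    first = dict(base, **{"x-forwarded-host": "injected.example"})  # constructed
    cache.handle(first)
    body, hit = cache.handle(base)
    return reflected_host(body), hit


def demo() -> dict:
    weak = EdgeCache(origin)  # forwards everything
    hardened = EdgeCache(origin, forward_allowlist={"accept", "user-agent"})
    weak_host, weak_hit = run(weak)
    hard_host, hard_hit = run(hardened)
    return {"weak_host": weak_host, "weak_hit": weak_hit,
            "hardened_host": hard_host, "hardened_hit": hard_hit}


if __name__ == "__main__":
    print(demo())
```

Both edges serve the second visitor from cache; the difference is what was cached. Dropping unrecognised request headers is one of two standard fixes, the other being to make the origin declare every header its response depends on (so the edge adds it to the cache key via Vary or an equivalent rule). The note's title reflects that different CDNs apply neither, one or both of these in ways operators often do not expect.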
Microsoft Windows Remote Desktop Gateway (RD Gateway) is a Windows Server component that provides access to Remote Desktop services without requiring the client system to be present on the same network as the target system. Originally launched as Terminal Services Gateway (TS Gateway) with Windows Server 2008, RD Gateway is a recommended way to provide Remote Desktop connectivity to cloud-based systems. For example, guidance has been provided for using RD Gateway with AWS, and also with Azure. The use of RD Gateway is recommended to reduce the attack surface of Windows-based hosts.
A vulnerability has been identified in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, Citrix Gateway, formerly known as NetScaler Gateway, and Citrix SD-WAN WANOP that could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.
The Microsoft Windows CryptoAPI, which is provided by Crypt32.dll, fails to validate ECC certificates in a way that properly leverages the protections that ECC cryptography should provide. As a result, an attacker may be able to craft a certificate that appears to chain to a trusted root certificate authority.
Telos Automated Message Handling System (AMHS) is a web-based messaging system that supports DoD and Intelligence Community (IC) security marking requirements. AMHS versions prior to 4.1.5.5 contain multiple XSS vulnerabilities and also fail to properly restrict access to information about other users on the system.
APPLE DEVICES VULNERABLE TO ARBITRARY CODE EXECUTION IN SECUREROM(2019)
SecureROM of some Apple devices can be exploited by an unauthenticated local attacker to execute arbitrary code upon booting those devices. SecureROM, which is located within the processor, contains the first code executed by the processor upon booting the device. Because SecureROM is read-only, it cannot be patched with a firmware update.
XLM MACROS (2019)
Up to and including Microsoft Excel 4.0, a macro format called XLM was available. XLM macros predate the VBA macros that are more common in modern Microsoft Office systems; however, current Microsoft Office versions still support XLM macros.
Several D-Link routers contain CGI capability that is exposed to users as /apply_sec.cgi and dispatched on the device by the binary /www/cgi/ssi. This CGI code contains two flaws:
The /apply_sec.cgi code is exposed to unauthenticated users.
The ping_ipaddr argument of the ping_test action fails to properly handle newline characters.
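The second flaw is a missing input check on a value that is handed to a system command. The following is an added example in the spirit of the note, not the router's code: a handler that parses the ping target as an IP literal (so any value containing a newline or other control character is rejected before it is used) and builds the command as an argument vector rather than a shell string, so no character of the value is ever interpreted by a shell. The function names and the sample inputs are constructed for this example; hostnames are deliberately not accepted here, since they would need a separate allowlist or resolver step.

```python
"""Validating a ping target before it reaches a system command (added example).

Two independent defences are shown: the value must parse as an IPv4 or IPv6
literal (ipaddress refuses anything else, including trailing newlines), and
the command is built as an argv list for subprocess.run(shell=False), so
newline or metacharacter handling never becomes the shell's problem.
"""
import ipaddress
from typing import Dict, List, Union


def validate_ping_target(value: str) -> str:
    """Return the normalised IP literal, or raise ValueError."""
    if not isinstance(value, str) or len(value) > 45:  # longest IPv6 text form incl. mapped IPv4
        raise ValueError("ping target missing or too long")
    if not value.isprintable():
        # Rejects \n, \r, \t and other control characters explicitly, so the
        # reason is clear in logs even though the parser below would fail too.
        raise ValueError("ping target contains control characters")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError as exc:
        raise ValueError(f"ping target is not an IP address: {value!r}") from exc


def build_ping_argv(value: str, count: int = 1) -> List[str]:
    """Argument vector for subprocess.run(argv, shell=False).
    Each element is passed to ping verbatim; nothing is re-parsed by a shell.
    The validated literal cannot start with '-', so it cannot be read as an option."""
    target = validate_ping_target(value)
    if not 1 <= count <= 5:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), target]


# Constructed sample inputs covering the accepted and rejected classes.
SAMPLES = [
    "192.0.2.1",        # valid IPv4 (documentation range)
    "2001:db8::1",      # valid IPv6 (documentation range)
    "192.0.2.1\n",      # trailing newline: the input class the note describes
    "192.0.2.1 extra",  # second token after whitespace
    "192.0.2.1; true",  # shell metacharacters
    "",                 # empty value
]


def triage(values: List[str]) -> Dict[str, Union[List[str], str]]:
    """Map each sample to the argv it would produce or the rejection reason."""
    results: Dict[str, Union[List[str], str]] = {}
    for v in values:
        try:
            results[v] = build_ping_argv(v)
        except ValueError as exc:
            results[v] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for sample, outcome in triage(SAMPLES).items():
        print(repr(sample), "->", outcome)
```

The first flaw in the list, exposure to unauthenticated users, is not addressed by this validation; an authentication check on the CGI endpoint is a separate control, and the two belong together.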
Pulse Secure released an out-of-cycle advisory along with software patches for the various affected products on April 24, 2019. This addressed a number of vulnerabilities including a Remote Code Execution (RCE) vulnerability with pre-authentication access. This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates.
3. Reporting of Security Incident and Vulnerability
Security Incident
Vulnerability
4. National Cyber Crime Reporting Portal