ICS Advisory (ICSA-19-283-01)

#Siemens Industrial Real-Time ( #IRT ) Devices

#RCE

1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Siemens
Equipment: Industrial Real-Time (IRT) Devices
Vulnerability: Improper Input Validation

2. RISK EVALUATION
Successful exploitation of this vulnerability could cause a denial-of-service condition.

https://www.us-cert.gov/ics/advisories/icsa-19-283-01

ICS Advisory (ICSA-19-283-02)

#Siemens PROFINET Devices

1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Siemens
Equipment: PROFINET Devices
Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION
Successful exploitation of this vulnerability could cause a denial-of-service condition.

https://www.us-cert.gov/ics/advisories/icsa-19-283-02

ICS Medical Advisory (ICSMA-18-123-01)

Philips Brilliance Computed Tomography (CT) System (Update A)


1. EXECUTIVE SUMMARY
CVSS v3 8.4
ATTENTION: Low skill level to exploit
Vendor: Philips
--------- Begin Update A Part 1 of 3 ----------
Equipment: Brilliance CT Scanners and MX8000 Dual EXP
--------- End Update A Part 1 of 3 ----------
Vulnerabilities: Execution with Unnecessary Privileges, Exposure of Resource to Wrong Sphere, Use of Hard-coded Credentials

https://www.us-cert.gov/ics/advisories/ICSMA-18-123-01

ICS Advisory (ICSA-16-313-02)

Siemens Industrial Products Local Privilege Escalation Vulnerability (Update I)

1. EXECUTIVE SUMMARY
CVSS v3 6.4
ATTENTION: Exploitable locally
Vendor: Siemens
Equipment: Industrial Products
Vulnerability: Improper privilege management

2. UPDATE INFORMATION
This updated advisory is a follow-up to the updated advisory titled ICSA-16-313-02 Siemens Industrial Products Local Privilege Escalation Vulnerability (Update H) that was published June 14, 2018, on the ICS webpage on us-cert.gov.

https://www.us-cert.gov/ics/advisories/ICSA-16-313-02

Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques

During several recent incident response engagements, FireEye Mandiant investigators uncovered new tools in FIN7’s malware arsenal and kept pace as the global criminal operators attempted new evasion techniques. In this blog, we reveal two of FIN7’s new tools that we have called BOOSTWRITE and RDFSNIFFER.

https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html

Vulnerabilidad de tipo XXE en múltiples productos de Dell EMC

Fecha de publicación: 11/10/2019
Importancia: 4 - Alta

Recursos afectados: 
Dell EMC Avamar Server, versiones 7.4.1, 7.5.0, 7.5.1, 18.2 y 19.1;
Dell EMC Integrated Data Protection Appliance (IDPA), versiones 2.0, 2.1, 2.2, 2.3 y 2.4.

Descripción: 
Múltiples productos de Dell EMC contienen una vulnerabilidad, clasificada con severidad alta, de inyección de Entidad Externa XML (XXE).

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/vulnerabilidad-tipo-xxe-multiples-productos-dell-emc

New #IDAPro plugin provides #TileGX support

Overview

Cisco Talos has a new plugin available for IDA Pro that provides a new disassembler for TileGX binaries. This tool should assist researchers in reverse-engineering threats in IDA Pro that target TileGX.

https://blog.talosintelligence.com/2019/10/new-ida-pro-plugin-provides-tilegx.html

Bypass #McAfee with McAfee

Introduction

I wasn’t actually planning on writing this blog. Not because it’s super secretive or anything, but because I’m super lazy. Unfortunately, @fsdominguez and @_dirkjan forced me.

So here we are.. ¯\(ツ)/¯.

This is a story about how I used McAfee tools to bypass McAfee Endpoint Security during a (very TIBER-y) Red Team assignment we (aforementioned people and myself) were running. Let’s go.

https://dmaasland.github.io/posts/mcafee.html

#Debian Security Advisory

DSA-4543-1 #sudo -- security update

Date Reported:14 Oct 2019
Affected Packages:sudo
Vulnerable:Yes
Security database references:In the Debian bugtracking system: Bug 942322.
In Mitre's CVE dictionary: CVE-2019-14287.

https://www.debian.org/security/2019/dsa-4543

Potential bypass of Runas user restrictions

Release Date:October 14, 2019

Summary:
When #sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.

This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.

Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.

Sudo versions affected:
Sudo versions prior to 1.8.28 are affected.

https://www.sudo.ws/alerts/minus_1_uid.html

Actualización de seguridad 5.2.4 para WordPress

Fecha de publicación: 15/10/2019
Importancia: 3 - Media

Recursos afectados: 
WordPress, versiones 5.2.3 y anteriores.

Descripción: 
Se ha publicado la última versión de WordPress, que corrige 6 problemas de seguridad.

Solución: 
Actualizar a la versión 5.2.4.
Las versiones actualizadas de WordPress 5.1 y anteriores también están disponibles para cualquier usuario que aún no haya actualizado a la versión 5.2.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-524-wordpress

Evasión de restricciones de Runas en sudo

Fecha de publicación: 15/10/2019
Importancia: 4 - Alta

Recursos afectados: 
Sudo, versiones anteriores a la 1.8.28.

Descripción: 
Una vulnerabildiad de criticidad alta en sudo podría permitir a un atacante evadir las restricciones Runas y ejecutar comandos como root.

Solución: 
Actualizar a la versión 1.8.28.

Detalle: 
Cuando sudo es configurado para permitir a los usuarios ejecutar comandos arbitrarios mediante el parámetro ALL en Runas, es posible ejecutar comandos como root empleando los ID de usuario -1 o 4294967295. Un atacante local, autenticado, con privilegios de sudo, podría ejecutar comandos como root evadiendo las restricciones de usuario de Runas en el sistema. Se ha reservado el identificador CVE-2019-14287 para esta vulnerabilidad.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/evasion-restricciones-runas-sudo

VMware Releases Security Update for Harbor Container Registry for PCF

VMware has released a security update to address a vulnerability affecting Harbor Container Registry for Pivotal Cloud Foundry (PCF). An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2019-0016 and apply the necessary update.

https://www.us-cert.gov/ncas/current-activity/2019/10/16/vmware-releases-security-update-harbor-container-registry-pcf

“Puss in Boots” APT campaign


Have you ever thought about what your answer would be if your precocious child asked, “What’s a politically motivated APT attack?” In fact, it’s straightforward. Just dust off your copy of Charles Perrault’s Puss in Boots and read it together with an eye on the cybersecurity aspects. After all, if we ignore the artistic liberties, such as a talking cat and ogres, the tale represents a marvelous example of a complex multivector APT attack against a (fictional) government. Let’s unpick this cybercrime together.

https://www.kaspersky.com/blog/operation-puss-in-boots/28963/

Actualizaciones críticas en Oracle (octubre 2019)

Fecha de publicación: 16/10/2019
Importancia: 5 - Crítica

Descripción: 
Oracle ha publicado una actualización crítica con parches para corregir vulnerabilidades que afectan a múltiples productos.

Solución: 
Aplicar los parches correspondientes según los productos afectados. La información para descargar las actualizaciones puede obtenerse del boletín de seguridad publicado por Oracle.

Detalle: 
Esta actualización resuelve un total de 219 vulnerabilidades, algunas de las cuales son críticas. El detalle de las vulnerabilidades resueltas se puede consultar en el enlace de Oracle de la sección de Referencias.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizaciones-criticas-oracle-octubre-2019

Vulnerabilidad en Workload Scheduler de IBM

Fecha de publicación: 16/10/2019
Importancia: 4 - Alta

Recursos afectados: 
Tivoli Workload Scheduler Distributed, versión 9.2.0 FP03 y anteriores.
IBM Workload Scheduler Distributed:
versión 9.3.0 FP03 y anteriores,
versión 9.4.0 FP05 y anteriores,
versión 9.5.0 GA.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/vulnerabilidad-workload-scheduler-ibm

Adobe Releases Security Updates for Multiple Products

Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates:
Experience Manager APSB19-48
Acrobat and Reader APSB19-49
Experience Manager Forms APSB19-50
Download Manager APSB19-51

https://www.us-cert.gov/ncas/current-activity/2019/10/15/adobe-releases-security-updates-multiple-products

Múltiples vulnerabilidades en productos Cisco

Fecha de publicación: 17/10/2019
Importancia: 5 - Crítica

Recursos afectados: 
Prodcutos de Cisco que estén ejecutando una versión vulnerable de:
Aironet 1540 Series APs,
Aironet 1560 Series APs,
Aironet 1800 Series APs,
Aironet 1810 Series APs,
Aironet 1830 Series APs,
Aironet 1850 Series APs,
Aironet 2800 Series APs,
Aironet 3800 Series APs,
Aironet 4800 APs,
Catalyst 9100 APs (la versión 8.9.100.0 es la primera versión soportada).
Cisco WLC Software, versión 8.5.140.0 y anteriores;
Cisco SPA112 2-Port Phone Adapter y SPA122 ATA con Router, versión de firmware 1.4.1 SR4 y anteriores, con la interfaz de gestión basada en web habilitada;
Cisco 250 Series Smart Switches;
Cisco 350 Series Managed Switches;
Cisco 550X Series Stackable Managed Switches.

Descripción: 
Cisco ha publicado 18 vulnerabilidades, 1 de severidad crítica y 17 de severidad alta, que afectan a sus productos.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-productos-cisco-57

ISC Releases Security Advisories for #BIND

The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit one of these vulnerabilities to obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ISC advisories for CVE-2019-6475 and CVE-2019-6476 for more information and to apply the necessary updates and workarounds.

https://www.us-cert.gov/ncas/current-activity/2019/10/17/isc-releases-security-advisories-bind

[SECURITY] [DLA 1960-1] #wordpress security update

Package : wordpress
Version : 4.1.27+dfsg-0+deb8u1
CVE ID : CVE-2019-16217 CVE-2019-16218 CVE-2019-16219 CVE-2019-16220 CVE-2019-16221 CVE-2019-16222 CVE-2019-16223
Debian Bug : 939543

Several cross-site scripting (XSS) vulnerabilities were discovered in Wordpress, a popular content management framework. An attacker can use these flaws to send malicious scripts to an unsuspecting user.
For Debian 8 "Jessie", these problems have been fixed in version 4.1.27+dfsg-0+deb8u1.
We recommend that you upgrade your wordpress packages.

https://lists.debian.org/debian-lts-announce/2019/10/msg00023.html

Four-Year-Old Critical #Linux Wi-Fi Bug Allows System Compromise

A patch is currently under revision but has not yet been incorporated into the Linux kernel.

A critical Linux bug has been discovered that could allow attackers to fully compromise vulnerable machines. A fix has been proposed but has not yet been incorporated into the Linux kernel.

The flaw (CVE-2019-17666), which was classified as critical in severity, exists in the “rtlwifi” driver, which is a software component used to allow certain #Realtek Wi-Fi modules, used in Linux devices, to communicate with the Linux operating system.

https://threatpost.com/critical-linux-wi-fi-bug-system-compromise/149325/