Security Incidents Logbook-EN

Resources and Feeds (German version)

  • critical CVE/CVSS definition: AttackVector == Network AND PrivilegesRequired == None AND UserInteraction == None AND (privilege escalation OR RCE)
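The filter above applied to CVSS v3.x vector strings, as an added example that is not part of the logbook: AV, PR and UI are read from the vector, while "privilege escalation OR RCE" is not a CVSS metric and is inferred here from the advisory text with a keyword match (an assumption of this example); the feed entries and CVE ids are constructed placeholders.

```python
import re

# Added example, not the logbook's code: AV/PR/UI come from the CVSS v3.x
# vector; "privilege escalation OR RCE" is not a metric, so it is inferred
# from the advisory text with a keyword match (an assumption made here).
CVSS3_RE = re.compile(r"^CVSS:3\.[01]/(?P<metrics>[A-Z]+:[A-Z](?:/[A-Z]+:[A-Z])*)$")
BASE_METRICS = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}
EXEC_KEYWORDS = ("remote code execution", "arbitrary code", "command injection",
                 "privilege escalation", "elevation of privilege")

def parse_vector(vector):
    """Return {metric: value} for a CVSS v3.0/3.1 vector; ValueError otherwise."""
    m = CVSS3_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v3.x vector: {vector!r}")
    metrics = dict(part.split(":") for part in m.group("metrics").split("/"))
    missing = BASE_METRICS - set(metrics)
    if missing:
        raise ValueError(f"missing base metrics {sorted(missing)}: {vector!r}")
    return metrics

def is_logbook_critical(vector, description):
    """Logbook rule: reachable over the network, no privileges, no user
    interaction, and the impact is code execution or privilege escalation."""
    m = parse_vector(vector)
    reachable_unauth = m["AV"] == "N" and m["PR"] == "N" and m["UI"] == "N"
    text = description.lower()
    return reachable_unauth and any(k in text for k in EXEC_KEYWORDS)

def triage(entries):
    """Split a feed into (critical ids, ids that have no vector yet). Entries
    without a CVSS (vendor has not scored yet) are kept visible, not dropped."""
    critical, unscored = [], []
    for cve_id, vector, description in entries:
        if not vector:
            unscored.append(cve_id)
        elif is_logbook_critical(vector, description):
            critical.append(cve_id)
    return critical, unscored

# Constructed sample feed with placeholder ids; not real CVE data.
SAMPLE_ENTRIES = [
    ("CVE-0000-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "Unauthenticated remote code execution in the management API."),
    ("CVE-0000-0002", "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
     "Authenticated command injection: PR:L, so not critical by this rule."),
    ("CVE-0000-0003", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
     "Sensitive information disclosure; no code execution."),
    ("CVE-0000-0004", None, "Advisory published, CVSS not yet assigned."),
]
```

Unscored entries (like the Fortinet case below, where the advisory came out before a CVSS score) are returned separately so they still get a manual look.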


2020-06-24 [+]


2020-06-10 [+]


2020-06-04 [+]


2020-05-26 [+]

  • some new critical CVEs
  • MariaDB has a possible RCE (CVE-2020-13249, see our Bulletin); we expect a PoC very soon
  • RangeAMP: a new DDoS attack against CDNs has been published that leverages HTTP reflection AND amplification by misusing CDNs; we are looking into that, since our DDoS team already has some CDN reflection attacks in use (mostly successful)


2020-05-20 [+]

  • some new critical CVEs
  • a new attack vector against DNS servers has been published as NXNSAttack; tl;dr: an easy way to take down DNS resolvers by spamming them with many NXDOMAIN entries, which amplifies and stresses existing nameservers;
    updates for existing popular resolvers are being distributed (ISC BIND, Unbound, PowerDNS)
  • Ruby on Rails' "actionpack_page-caching", which was included in Rails core by default until 4.0, has a critical vuln that allows an attacker to write arbitrary files to a web server, leading to potential RCE;
    CVSS 9.8, CVE-2020-8159
  • proxygen by Facebook: a use-after-free is possible due to an error in lifetime management in the request adaptor when a malicious client invokes request error handling in a specific sequence;
    CVSS 9.8, CVE-2020-1897
  • we are waiting for some serious vulns with CVSS 9.8 from CentOS Web Panel that are announced on ZDI for 2020-05-27


2020-05-14 [+]



2020-05-07 [+]



2020-05-06 [+]


2020-05-05 [+]


2020-05-04 [+]


2020-04-29 [+]

  • 51 new CVEs, none critical
  • Fortinet finally released a PSIRT note and CVE details for the vuln/issue we mentioned last week; still no CVSS though, but expect this >= 9.0, given the overhasty release


2020-04-28 [+]



2020-04-27 [+]

  • 121 new CVEs since last Thursday, 2 critical
  • Sophos reported and investigated an issue/unauthorized data access with their firewalls:
    The data ... may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts, but no LDAP/AD credentials
  • HP reported an issue with HPE UIoT; we are still investigating the possible attack surface


2020-04-24 [+]

  • 92 new CVEs, 1 critical
  • FortiMail/FortiVoice seems to have a serious issue; please check our Bulletin SB 20.13



2020-04-23 [+]


2020-04-22 [+]



2020-04-21 [+]


2020-04-20 [+]


2020-04-18 [+]

  • uncounted new CVEs since 2020-04-14, due to patchdays from Microsoft, Oracle and Cisco, multiple critical, so this summary is split into several parts
  • re: VMware vCenter: PoC code has emerged that allows access to, or creation of, admin users in vCenter

  • Oracle has a couple of critical vulns (CVSS 9.8) in the following products:
    • MySQL Server
    • Fusion Middleware
    • WebLogic Application Server
    • JD Edwards Enterprise Tools



  • re: Oracle -> Cisco: "hold my beer", and releases advisories with critical RCE vulns (both CVSS 9.8) for UCS Director (CVE-2020-3240) and Cisco IP Phones (CVE-2016-1421) (yes, that bug lived for 4 years)
  • a PoC already exists for the UCS vuln, so DON'T PANIC



2020-04-14 [+]

  • 40 new CVEs since 2020-04-11, none critical
  • for those who may have skipped some messages due to the Easter holidays: there was a serious VMware vCenter vuln, allowing sensitive information disclosure, late last Thursday, with approx. 85,000 installations to be found online


2020-04-11 [+]

  • 15 new CVEs, some critical
  • VMware vCenter published CVE-2020-3952 with CVSS 10; operators of VMware vCenter or PSC should upgrade ASAP
  • someone is going around and wiping all Elasticsearch servers (again); approx. 34,000 found accessible online


2020-04-10 [+]

  • 109 new CVEs, some critical
  • Juniper released a huge number of security advisories for different products that everyone using Juniper should study
  • that mentioned Symantec case is not so terrible anymore (EOL product, according to a notice in a tweet)
    Symantec Secure Web Gateway seems to have a pre-auth and a post-auth 0day, both leading to RCE


2020-04-08 [+]


2020-04-06 [+]

  • 12 new CVEs, some critical
  • CVE-2020-11527 + CVE-2020-11518: Zoho ManageEngine RCE and arbitrary file read
  • CVE-2020-10199: Nexus Repository Manager RCE
  • we will issue an alert later today and publish lists to the GitHub repo for easier access
  • a Russian telco hijacked some juicy ASes over the weekend: Rostelecom was involved in a BGP hijacking incident this week, impacting more than 200 CDNs and cloud providers.


2020-04-04 [+]



2020-04-03 [+]

  • 124 new CVEs, 1 critical: HAProxy (CVE-2020-11100)
  • we are investigating the HAProxy case (460,000 installations to be found online) and will inform NAT-CERTs accordingly



2020-04-02 [+]

  • 31 new CVEs, none critical
  • bad guys started targeting RDP and company access for ransomware and the like, due to:
    "Sadly we have seen some orgs drop "domain users" into their VPN groups to scale up WFH. We're discovering more valid creds during brute forcing with generic usernames such as meeting-room, conference, vendor, and other dormant but not disabled accounts."


2020-04-01 [+]

  • DrayTek (CVE-2020-8515)


2020-03-31 [+]

  • DrayTek (CVE-2020-8515)


2020-03-30 [+]

  • 43 new CVEs, none critical (over the weekend)


2020-03-26 [+]


2020-03-25 [+]

  • 134 new CVEs, none critical
  • a little hiccup with DNSSEC due to old BIND9 installations (<= 9.11.2) and a legacy validation method (DLV; fixed after 6 hrs)


2020-03-24 [+]

  • 120 new CVEs, none critical
  • a memcached DoS issue, possibly RCE, but only a handful affected (v1.6.0 and v1.6.1)


2020-03-23 [+]


2020-03-22 [+]

  • 20 new CVEs, none critical
  • background noise of COVID-related malware/scam/spam/phishing still very high


2020-03-21 [+]

  • 3 new CVEs, none critical
  • COVID-related malware/scam/phishing on the rise (via RiskIQ)


2020-03-20 [+]


2020-03-19 [+]


2020-03-18 [+]

COVID-19 additions

Volunteer groups and help:





Questions? Contact: info@zero.bs