Security Incidents Logbook-EN

Resources and Feeds (TLP:WHITE)

  • critical CVE / CVSS definition used in this logbook: AttackVector == Network AND PrivilegesRequired == None AND UserInteraction == None AND (privilege escalation OR RCE)


2020-10-16 [+]


2020-09-30 [+]

  • WebSphere: ZDI published a blog post on CVE-2020-4464 (SOAP deserialization of untrusted data) stating that authentication can easily be bypassed with <LoginMethod>TokenBased</LoginMethod><token>foo</token> for that attack, which lifts the CVSS from 8.8 to 9.8 because PR:L changes to PR:N; expect PoCs and exploits soon. This also explains an answer we received in July.

  • RoundCube Webmail has RCE and path-traversal vulnerabilities (CVE-2020-12640, CVE-2020-12641)

  • Rails: multiple PoCs and new details have emerged for the Rails RCE reported in June (CVE-2020-8165), see the following links: PoC, Details; there are also a couple of further noteworthy CVEs: CVE-2020-8162, CVE-2020-8164, CVE-2020-8166, CVE-2020-8167, CVE-2020-15169

  • Zoho ManageEngine Applications Manager has multiple critical RCE vulnerabilities (CVE-2020-14008, CVE-2020-24786)

  • Zoho ManageEngine Exchange Reporter has a critical RCE (CVE-2020-15394)

  • Kubernetes: if you run publicly reachable clusters, you might want to look into CVE-2020-8559 (Details); a PoC is available

  • re: Zerologon (CVE-2020-1472): for those who need to find and check more than one Domain Controller in their networks, we released an article (Zerologon (CVE-2020-1472) finding and checking) with instructions on how to find and scan DCs for Zerologon in larger networks


2020-09-14 [+]


2020-08-31 [+]


2020-08-27 [+]

  • Talos reported a DoS in ISC BIND (CVE-2020-8620), affecting versions 9.16.x - 9.17.x; 13,000 installations found online; CVSS 7.5
  • A path traversal was reported in Icinga Web (successor of Nagios 2), CVE-2020-24368, CVSS 7.5; since availability monitoring is crucial for datacenters, this could allow an attacker to read sensitive information on the monitoring host
  • ZDI reported 2 vulnerabilities in Schneider Electric APC UPS Online (CVE-2020-7521, CVE-2020-7522) that allow remote attackers to execute arbitrary code on affected installations; authentication is not required to exploit them; both rated CVSS 9.8 (ZDI-20-1006 | ZDI-20-1007)
  • SNMPTT before 1.4.2 allows attackers to execute shell code via EXEC, PREXEC, or unknown_trap_exec (CVE-2020-24361, CVSS 9.8)


2020-08-20 [+]

  • Nexus Repository Manager from Sonatype has an auth bypass (CVE-2020-15868, CVSS 7.5); Advisory | NIST
  • Zoho ManageEngine ADSelfService has a privilege escalation again, CVE-2020-11552, CVSS 9.8, and PoCs are already circulating

  • Horde, a popular webmail frontend, had an RCE 0day published as well, with an advisory on ZDI and a working PoC

  • the Microsoft Netlogon vulnerability (CVE-2020-1472) is still under discussion, see here

  • Cisco released multiple Advisories

    • Cisco vWAAS for Cisco ENCS 5400-W Series and CSP 5000-W Series Default Credentials Vulnerability | CVE-2020-3446
    • Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution | CVE-2020-3507
    • Cisco Smart Software Manager On-Prem Privilege Escalation Vulnerability | CVE-2020-3443
  • BlackBerry QNX Software Development Platform versions 6.4 to 6.6 have an RCE (see Advisory or NIST, CVE-2020-6932), CVSS 9.8


2020-08-11 [+]

  • Citrix again: https://www.bleepingcomputer.com/news/security/citrix-fixes-critical-bugs-allowing-takeover-of-xenmobile-servers/

  • vBulletin had a 0day published, evidently because of an incomplete patch for CVE-2019-16759. Update: CVE-2020-17496 was assigned a week later with a CVSS score of 9.8


2020-08-05 [+]

  • a hacker has leaked access for 900+ enterprise VPN servers


2020-07-31 [+]


2020-07-24 [+]

  • Cisco ASA WebVPN file-read vulnerability (CVE-2020-3452) lets attackers read sensitive files on a targeted system. We are currently not 100% sure about the sensitivity of these files (VPN session info or not), but expect the worst;
    various PoCs were put out immediately after the advisory was released, so better patch


2020-07-20 [+]

Oracle July Patchday, cumulative summary

  • Multiple CVSS 10.0 and countless 9.8 across all Oracle products; check yourself whether you are affected, this covers only the most widespread applications and implementations
  • Oracle WebLogic Application Server has multiple serious vulns with CVSS 9.8 in 3rd-party libs and the core (CVE-2020-9546, CVE-2018-11058, CVE-2020-14625, CVE-2020-14644, CVE-2020-14645, CVE-2020-14687, CVE-2017-5645), ~15,000 IPs exposed. CVE-2020-14645 is likely to be exploited soon, as it is just another Oracle attempt to patch around old vulnerabilities in a chain we have followed for a long time: CVE-2020-2555 > bypass CVE-2020-2883 > bypass CVE-2020-14645

  • Oracle WebCenter Portal has an easy-to-abuse deserialization vulnerability in a 3rd-party lib (jackson-databind, CVE-2019-17531)

  • Oracle SD-WAN has 2 x 10.0 CVE-2020-14701 and CVE-2020-14606


2020-07-15 [+] (cumulative summary)

Windows Server DNS RCE (SIGRed, CVE-2020-1350)


Oracle Cumulative Summary Jul 2020

poor signal-to-noise ratio; the entries worth noting:

  • CVE-2020-14606 / 10.0 RCE Oracle SD-WAN
  • CVE-2020-14701 / 10.0 RCE Oracle SD-WAN
  • CVE-2020-14705 / 9.6 RCE in Oracle GoldenGate


2020-07-09 [+]


2020-07-08 [+]


2020-07-03 [+]


2020-06-24 [+]


2020-06-10 [+]


2020-06-04 [+]

Update:


2020-05-26 [+]

  • some new critical CVEs
  • MariaDB has a possible RCE (CVE-2020-13249, see our Bulletin here); we expect a PoC very soon
  • RangeAMP: a new DDoS attack against CDNs has been published that leverages HTTP reflection AND amplification by misusing CDNs; we are looking into it, since our DDoS team already has some CDN reflection attacks in use (mostly successful)


2020-05-20 [+]

  • some new critical CVEs
  • a new attack vector against DNS servers has been published as NXNSAttack; tl;dr: a malicious authoritative server answers with a referral to many non-existent nameserver names without glue, so the resolver has to resolve every one of them, which amplifies the query load on the resolver and on the victim's authoritative nameservers and is an easy way to take resolvers down
    updates for the popular resolvers are being distributed (ISC BIND, Unbound, PowerDNS)
  • Ruby on Rails' "actionpack_page-caching", which was included in Rails core by default until 4.0, has a critical vulnerability that allows an attacker to write arbitrary files to the web server, leading to potential RCE;
    CVSS 9.8, CVE-2020-8159
  • proxygen by Facebook: a use-after-free is possible due to an error in lifetime management in the request adaptor when a malicious client invokes request error handling in a specific sequence;
    CVSS 9.8, CVE-2020-1897
  • we are waiting for some serious vulns with CVSS 9.8 in CentOS Web Panel that are announced on ZDI for 2020-05-27


2020-05-14 [+]

ms-github


2020-05-07 [+]

ms-github


2020-05-06 [+]


2020-05-05 [+]


2020-05-04 [+]


2020-04-29 [+]

  • 51 new CVEs, none critical
  • Fortinet finally released a PSIRT note and CVE details for the vuln/issue we mentioned last week; still no CVSS though, but expect this to be >= 9.0, given the over-hasty release


2020-04-28 [+]



2020-04-27 [+]

  • 121 new CVEs since last Thursday, 2 critical
  • Sophos reported and investigated an issue / unauthorized data access with their firewalls:
    "The data ... may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts", but no LDAP/AD credentials
  • HPE reported an issue with HPE UIoT; we are still investigating the possible attack surface


2020-04-24 [+]

  • 92 new CVEs, 1 critical
  • FortiMail/FortiVoice seems to have a serious issue; please check our Bulletin SB 20.13

reddit


2020-04-23 [+]


2020-04-22 [+]

drm 0day


fortimail


zecops


drm poc2


2020-04-21 [+]


2020-04-20 [+]


2020-04-18 [+]

  • uncounted new CVEs since 2020-04-14, due to patchdays from Microsoft, Oracle and Cisco, multiple critical, so this summary is split into several parts
  • re: VMware vCenter: PoC code has emerged that allows access to / creation of admin users in vCenter

  • Oracle has a couple of critical Vulns (CVSS 9.8) in the following products
    • MySQL Server
    • Fusion Middleware
    • WebLogic Applicationserver
    • JD Edwards Enterprise Tools

oracle cumulative


  • re: Oracle -> Cisco: "hold my beer", and releases advisories with critical RCE vulns (both CVSS 9.8) for UCS Director (CVE-2020-3240) and Cisco IP Phones (CVE-2016-1421) (yes, that bug lived for 4 years)
  • a PoC already exists for the UCS vuln, so DON'T PANIC

ucs



2020-04-14 [+]

  • 40 new CVEs since 2020-04-11, none critical
  • for those who may have skipped some messages due to the Easter holidays: there was a serious VMware vCenter vuln, allowing sensitive information disclosure, late last Thursday, with approx. 85,000 installations to be found online


2020-04-11 [+]

  • 15 new CVEs, some critical
  • VMware published CVE-2020-3952 for vCenter with CVSS 10.0; operators of VMware vCenter or PSC should upgrade ASAP
  • someone is going around and wiping all ElasticSearch servers (again); approx. 34,000 found accessible online


2020-04-10 [+]

  • 109 new CVEs, some critical
  • Juniper released a huge number of security advisories for different products that everyone using Juniper should study
  • the Symantec case mentioned earlier is not so terrible anymore (EOL product, according to a notice in a tweet):
    Symantec Secure Web Gateway seems to have a pre-auth and a post-auth 0day, both leading to RCE


2020-04-08 [+]


2020-04-06 [+]

  • 12 new CVEs, some new critical
  • CVE-2020-11527 + CVE-2020-11518: Zoho ManageEngine RCE and arbitrary file read
  • CVE-2020-10199: Nexus Repository Manager RCE
  • we will issue an alert later today and publish lists to the GitHub repo for easier access
  • a Russian telco hijacked some juicy ASes over the weekend: Rostelecom was involved in a BGP hijacking incident this week impacting more than 200 CDNs and cloud providers.


2020-04-04 [+]

haproxy


2020-04-03 [+]

  • 124 new CVEs, 1 critical: HAProxy (CVE-2020-11100)
    Link to Advisory
  • we are investigating the HAProxy case (460,000 installations to be found online) and will inform national CERTs accordingly

haproxy


2020-04-02 [+]

  • 31 new CVEs, none critical
  • bad guys have started targeting RDP and company remote access for ransomware and the like, due to:
    "Sadly we have seen some orgs drop "domain users" into their VPN groups to scale up WFH. We're discovering more valid creds during brute forcing with generic usernames such as meeting-room, conference, vendor, and other dormant but not disabled accounts."
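Added detection example, not from the original logbook or the quoted source: a small triage script over constructed VPN authentication events that flags password spraying (one source failing against many distinct usernames) and any successful login to a generic or dormant account of the kind the quote lists. The syslog-like line format, the host and IP values, and the extra account names beyond those in the quote (printer, scanner, guest, test) are assumptions; adapt LINE_RE to the real VPN concentrator's log format.

```python
import re
from collections import defaultdict

# Constructed sample of VPN authentication events (syslog-like, not a real vendor format).
SAMPLE_LOG = """\
2020-04-02T08:00:01Z vpn1 auth: result=FAIL user=meeting-room src=203.0.113.7
2020-04-02T08:00:02Z vpn1 auth: result=FAIL user=conference src=203.0.113.7
2020-04-02T08:00:03Z vpn1 auth: result=FAIL user=vendor src=203.0.113.7
2020-04-02T08:00:04Z vpn1 auth: result=FAIL user=scanner src=203.0.113.7
2020-04-02T08:00:05Z vpn1 auth: result=FAIL user=printer src=203.0.113.7
2020-04-02T08:00:06Z vpn1 auth: result=OK user=conference src=203.0.113.7
2020-04-02T08:05:00Z vpn1 auth: result=FAIL user=alice src=198.51.100.20
2020-04-02T08:05:09Z vpn1 auth: result=OK user=alice src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Generic/dormant account names from the quote, plus similar local names (assumption).
GENERIC_ACCOUNTS = {"meeting-room", "conference", "vendor", "printer", "scanner", "guest", "test"}
SPRAY_THRESHOLD = 3  # distinct usernames failing from one source before we call it a spray


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_password_spray(events, threshold=SPRAY_THRESHOLD):
    """Map source IP -> sorted distinct usernames that failed, for sources at or above the threshold.

    Spraying shows up as one source touching many usernames, which per-account lockout counters miss."""
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failed_users[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in failed_users.items() if len(users) >= threshold}


def find_generic_account_logins(events, spray_sources):
    """Successful logins to generic/dormant accounts as (user, src, source_was_spraying) tuples."""
    return [(e["user"], e["src"], e["src"] in spray_sources)
            for e in events
            if e["result"] == "OK" and e["user"] in GENERIC_ACCOUNTS]


def triage_auth_log(text=SAMPLE_LOG):
    """Run both detections; a generic-account success from a spraying source is the top finding."""
    events = parse_events(text)
    spray = find_password_spray(events)
    return spray, find_generic_account_logins(events, spray)


if __name__ == "__main__":
    spray, hits = triage_auth_log()
    for src, users in spray.items():
        print("SPRAY   %-15s %d usernames: %s" % (src, len(users), ", ".join(users)))
    for user, src, from_sprayer in hits:
        print("GENERIC %-15s user=%s%s" % (src, user, "  (source was spraying!)" if from_sprayer else ""))
```

The real fix is the one the quote implies: do not put "domain users" into the VPN group, and disable or remove dormant service-style accounts instead of leaving them valid; the script only buys you the time to notice that this has not happened.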


2020-04-01 [+]

draytek2 cve-2020-8515


2020-03-31 [+]

draytek cve-2020-8515


2020-03-30 [+]

  • 43 new CVEs over the weekend, none critical


2020-03-26 [+]


2020-03-25 [+]

  • 134 new CVEs, none critical
  • a little hiccup with DNSSEC due to old BIND9 installations (<= 9.11.2) and a legacy validation method (DLV); fixed after 6 hrs
    Link to short analysis


2020-03-24 [+]

  • 120 new CVEs, none critical
  • an issue with memcached: DoS, possibly RCE, but only a handful are affected (v1.6.0 and v1.6.1)
    Twitter link


2020-03-23 [+]


2020-03-22 [+]

  • 20 new CVEs, none critical
  • background noise of COVID-related malware/scam/spam/phishing is still very high, see here


2020-03-21 [+]

  • 3 new CVEs, none critical
  • COVID-related malware/scam/phishing on the rise (via RiskIQ)


2020-03-20 [+]


2020-03-19 [+]


2020-03-18 [+]

COVID-19 additions

Volunteer-Groups and Help:





Questions? Contact: info@zero.bs