Netgear Router Vulnerabilities

National Cyber Awareness System
Original release date: June 29, 2020, 03:44 PM EDT

    Multiple Netgear router models contain vulnerabilities that a remote
attacker can exploit to take control of an affected device.

    The Cybersecurity and Infrastructure Security Agency (CISA) encourages users
and administrators to update to the most recent firmware version and to replace
end-of-life devices that no longer receive security patches. Given the
increase in telework, CISA recommends that CISOs consider the risk these
vulnerabilities present to business networks. See the following resources for
additional information.

Windows DNS Server Vulnerability (CVE-2020-1350) – CVSS Score of 10

Microsoft has released a critical patch for all Windows Server versions with
the DNS Server role installed; affected versions run from Windows Server 2003
through Windows Server 2019.

This vulnerability carries a significant risk of exploitation. If an attacker
successfully exploited it, they could run arbitrary code in the context of the
Local System account. Because most organizations install the DNS Server role
on their domain controllers, the attacker would gain full control of a domain
controller, and from there lateral movement to any domain-joined system is
possible.
https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/
There are no known cases of in-the-wild exploitation at this time. It is
highly recommended that you patch all Windows DNS servers (internal and
external) that you own as soon as possible.

WHAT YOU NEED TO DO

To secure your environment, complete the following steps as soon as possible.

  1. IDENTIFY – all Windows DNS servers in your environment, both internal and
     external. PowerShell can help with this.
  2. TEST – the applicable monthly servicing stack update and cumulative
     update for each server operating system.
  3. DEPLOY – the applicable patch to all DNS servers in your environment.
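As an added example for the IDENTIFY step (this is not part of the CISA or Microsoft guidance above), the following PowerShell inventories every domain-joined Windows Server, reports which ones run the DNS Server service, whether any update has been installed since the 14 July 2020 release, and whether Microsoft's documented registry workaround for CVE-2020-1350 (the TcpReceivePacketSize value from KB4569509, which caps inbound TCP DNS messages at 0xFF00 bytes) is in place. It assumes the ActiveDirectory RSAT module on the admin host, WinRM reachability and local admin rights on the servers, and PowerShell 3.0 or later on the targets; the patch-date cut-off is a heuristic, because the exact KB number differs per OS version.

```powershell
# Added example, not from CISA or Microsoft: find Windows DNS servers in the
# domain and check each for the July 2020 update and the KB4569509 workaround.
# Assumptions: RSAT ActiveDirectory module on this host, WinRM reachable on the
# servers, local admin rights there, and PowerShell 3.0+ on the targets.
Import-Module ActiveDirectory

# Every domain-joined server OS, not just domain controllers: the DNS Server
# role can also sit on member servers and on DNS servers in the DMZ.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server*"' `
               -Properties OperatingSystem |
           Select-Object -ExpandProperty DNSHostName

$patchDate = Get-Date '2020-07-14'   # release date of the CVE-2020-1350 fix

$report = foreach ($server in $servers) {
    try {
        Invoke-Command -ComputerName $server -ErrorAction Stop `
            -ArgumentList $patchDate -ScriptBlock {
            param([datetime]$patchDate)

            # The "DNS" service only exists where the DNS Server role is
            # installed; unlike Get-WindowsFeature this works back to 2003.
            $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
            if (-not $svc) { return }   # not a DNS server: nothing to report

            # KB4569509 workaround: TcpReceivePacketSize = 0xFF00 under
            # HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters.
            $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
            $cap = (Get-ItemProperty -Path $params -Name TcpReceivePacketSize `
                        -ErrorAction SilentlyContinue).TcpReceivePacketSize

            # KB numbers differ per OS version, so instead of hard-coding them
            # report the newest update installed on or after patch day and
            # leave the "is it the right KB" judgement to the admin.
            $newest = Get-HotFix |
                      Where-Object { $_.InstalledOn -ge $patchDate } |
                      Sort-Object InstalledOn -Descending |
                      Select-Object -First 1
            $newestText = 'none since 2020-07-14'
            if ($newest) {
                $newestText = '{0} ({1:yyyy-MM-dd})' -f $newest.HotFixID, $newest.InstalledOn
            }

            [pscustomobject]@{
                Server            = $env:COMPUTERNAME
                OS                = (Get-WmiObject Win32_OperatingSystem).Caption
                DnsService        = $svc.Status
                WorkaroundApplied = ($cap -eq 0xFF00)
                NewestUpdate      = $newestText
            }
        }
    }
    catch {
        # Unreachable hosts still matter: an unmanaged DNS server is the one
        # most likely to stay unpatched.
        [pscustomobject]@{
            Server            = $server
            OS                = ''
            DnsService        = 'UNREACHABLE'
            WorkaroundApplied = $null
            NewestUpdate      = $_.Exception.Message
        }
    }
}

# Servers with neither a recent update nor the workaround sort to the top.
$report | Sort-Object WorkaroundApplied, NewestUpdate | Format-Table -AutoSize
```

Servers that are not domain-joined (for example external resolvers in a DMZ) will not appear in the AD query and must be added to the list by hand; the workaround check is only a stop-gap indicator and does not replace confirming the cumulative update for each OS version.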

NIST Releases Draft SP 800-181 Revision 1 for Comment

The National Initiative for Cybersecurity Education (NICE) has released Draft
NIST Special Publication (SP) 800-181 Revision 1, Workforce Framework for
Cybersecurity (NICE Framework). The NICE Framework is a fundamental reference
for describing and sharing information about cybersecurity work in the form of
Task Statements and as Work Roles that perform those tasks. In this revision,
several updates have been made, including:

  • an updated title to be more inclusive of the variety of workers who
    perform cybersecurity work,
  • definition and normalization of key terms,
  • principles that facilitate agility, flexibility, interoperability, and
    modularity,
  • introduction of competencies,
  • and more!

The public comment period is open through August 28, 2020. See the
publication details for a copy of the document and instructions for
submitting comments.

Outlook Crashing on Launch

Active Investigation into Outlook Crashing on Launch

Starting 7/15 there is a new symptom in which Outlook crashes on launch. A fix has been published but will take time to propagate to worldwide availability. Outlook automatically looks for the fix on launch, so if the issue persists through multiple launches, use Outlook Web Access for an hour and then try again.
If this issue persists beyond four hours, please contact Microsoft Support by whichever means works best for you.
  1. You may see an error such as:
    “Outlook couldn’t start last time. Safe mode could help you troubleshoot the problem, but some features might not be available in this mode.
    Do you want to start in Safe Mode?”
  2. In Event Viewer you will see a crash event like:
      Faulting application name: OUTLOOK.EXE, version: 16.0.13102.20002, time stamp: 0x5efe7a9e
      Faulting module name: OUTLOOK.EXE, version: 16.0.13102.20002, time stamp: 0x5efe7a9e
      Exception code: 0xc0000005
      Fault offset: 0x00000000001a40fa
      Faulting process id: 0x3f60
      Faulting application start time: 0x01d65ac2602949dd
      Faulting application path: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
      Faulting module path: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
      Report Id: 81a20cc2-6c7f-4635-90ba-54319c3fce75
      Faulting package full name:
      Faulting package-relative application ID:

Microsoft suggests users use web and mobile clients until the issue is resolved. The service health notice reads:
      Title: Users experiencing Outlook connection issues and crashes
      User Impact: Users may experience crashes or may be unable to access Exchange Online via Outlook.
      More info: Our analysis indicates that Outlook on the web and mobile clients are unaffected. Users may be able to leverage those protocols as an alternative means to access email and service features while we remediate this problem.
      Current status: Our initial review of the available data indicates that recently deployed updates are the likely source of the problem. We’re performing an analysis of all recent service updates to isolate the underlying cause of the problem and to determine the most expedient means to restore service.
      Scope of impact: This issue may potentially affect any of your users attempting to use Outlook.

If you cannot wait for the automatic fix, you can roll Click-to-Run back to the previous build. Open cmd and run:
      cd "\Program Files\Common Files\microsoft shared\ClickToRun"
then:
      officec2rclient.exe /update user updatetoversion=16.0.12827.20470
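The crash signature above (Application Error event 1000, OUTLOOK.EXE faulting in itself with exception 0xc0000005, an access violation) is enough to scope the problem across a fleet before deciding whether to wait for the automatic fix or push the roll-back. The following PowerShell is an added example, not part of Microsoft's notice: it pulls those events from each workstation, keeps only the Outlook access-violation crashes, groups them by build, and prints the roll-back command from the notice for every machine on the crashing 16.0.13102 build family. The hostname list is a constructed placeholder, and remote event-log access over WinRM is assumed.

```powershell
# Added example, not from Microsoft's notice: scope the Outlook launch crash
# across workstations from Application Error events (ID 1000) where
# OUTLOOK.EXE faulted with exception code 0xc0000005 (access violation).
# The crashing build family (16.0.13102.*) and the roll-back target
# (16.0.12827.20470) are taken from the notice above.
$computers = @('WS-01', 'WS-02', 'WS-03')   # constructed placeholder list
$since     = (Get-Date).AddDays(-3)
$badBuild  = '16.0.13102.'                  # build family reported crashing

$crashes = foreach ($pc in $computers) {
    $events = Get-WinEvent -ComputerName $pc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = $since
    }
    foreach ($e in $events) {
        # Event 1000 carries its fields as positional properties in the same
        # order as the Event Viewer text above: [0] faulting app name,
        # [1] app version, [3] faulting module, [6] exception code.
        $p = $e.Properties
        if ($p.Count -lt 7)                 { continue }
        if ($p[0].Value -ne 'OUTLOOK.EXE')  { continue }
        # Match with or without the 0x prefix; the rendered message shows
        # "0xc0000005" but the raw data field may omit the prefix.
        if ([string]$p[6].Value -notmatch 'c0000005$') { continue }
        [pscustomobject]@{
            Computer   = $pc
            Time       = $e.TimeCreated
            AppVersion = [string]$p[1].Value
            Module     = [string]$p[3].Value
            OnBadBuild = ([string]$p[1].Value).StartsWith($badBuild)
        }
    }
}

# How many crashes per Outlook build: a spike on one build is the
# "recently deployed update" signal the notice describes.
$crashes | Group-Object AppVersion | Select-Object Name, Count | Format-Table -AutoSize

# For machines on the crashing build, emit (do not run) the roll-back command
# from the notice so an admin can review it before pushing it out.
$crashes | Where-Object OnBadBuild |
    Select-Object -ExpandProperty Computer -Unique |
    ForEach-Object {
        "$_ : cd `"\Program Files\Common Files\microsoft shared\ClickToRun`" && " +
        "officec2rclient.exe /update user updatetoversion=16.0.12827.20470"
    }
```

Rolling back pins users to an older build until the next successful update, so run the roll-back only where the crash is confirmed, and re-check the crash counts after the published fix has had time to propagate.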

Qbot Is Back, Targeting U.S. Banking Customers

    Sometimes malware is a one-hit wonder: it shows up on the scene, causes
chaos, and is never troublesome again once exploits are patched and antivirus
scanners are updated to protect against it. Sometimes, however, a piece of
malware keeps reappearing with alterations that make it relevant again. One
such program, Qbot, has been around for over 12 years and has now popped back
up to attack customers of a multitude of U.S. financial institutions.

    Qbot, also known as Quakbot, Qakbot, and Pinkslipbot, is Windows-based
malware that first appeared around 2008 and has always focused on gathering
browsing data and financial information from victims. There are gaps where
Qbot seems to disappear for a while, but it then comes back with new
functionality such as improved detection evasion or worm-like spreading
capabilities. New Qbot campaigns were uncovered in October 2014, April 2016,
and May 2017, and the Emotet gang used it as a payload last year. The latest
strain was first seen in January of this year and is now targeting the banking
portals of Bank of America, Capital One, Citibank, Citizens Bank, J.P. Morgan,
Sun Bank, TD Bank, Wells Fargo, and more.

    Researchers at F5 Labs, F5's application threat intelligence research
team, discovered this variant and worked out how the new infection process
works. The malware reaches the target computer through one of a variety of
routes: phishing, web exploits that drop the malware as the payload, or
malicious file-sharing activity. Once on the system, the executable loads Qbot
into the running explorer.exe process. Next, the malware copies itself into
the default application-data location and registers itself under the registry
key HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that it runs again
after a reboot. Qbot then creates a .dat file containing system information
and the botnet name, executes from the %APPDATA% folder, and replaces the
original infection file to cover its tracks. Finally, the malware injects
itself into a newly created explorer.exe instance, which it uses to fetch
updates from external C2 servers.
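Two of the steps above leave host artefacts that are cheap to hunt for: a per-user Run-key value whose command resolves under the user's application-data folder, and a second explorer.exe in a logon session where one is expected. The following PowerShell is an added example, not from the F5 research, and these are generic heuristics for that pattern rather than Qbot indicators of compromise; that the copy lands under AppData\Roaming or AppData\Local is an assumption made for illustration. It checks every loaded user hive under HKEY_USERS rather than only HKCU, so run it elevated.

```powershell
# Added example, not from the F5 research: hunt on one host for the two
# footholds described above, a per-user Run key pointing into AppData and an
# extra explorer.exe in a logon session. Generic heuristics, not Qbot IOCs;
# the AppData location is an assumption. Run elevated so every loaded user
# hive under HKEY_USERS is readable.

# 1. Run keys. The malware writes HKCU\Software\Microsoft\Windows\CurrentVersion\Run,
#    but HKCU only covers the current user; iterate every loaded hive instead.
$runHits = foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS) {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes' -or $sid -eq '.DEFAULT') { continue }
    $run = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -Path $run)) { continue }

    $values = Get-ItemProperty -Path $run
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }   # provider metadata, not a value
        $cmd = [string]$v.Value
        # Expand %APPDATA% and friends so both spellings resolve the same way.
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
        if ($expanded -match '(?i)\\AppData\\(Roaming|Local)\\') {
            [pscustomobject]@{
                Sid     = $sid
                Value   = $v.Name
                Command = $cmd
            }
        }
    }
}

# 2. explorer.exe per session. A user's shell is one explorer.exe; a second one
#    in the same session is what the injection step above would leave behind.
$explorerHits = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'explorer.exe'" |
    Group-Object -Property SessionId |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            SessionId = $_.Name
            Count     = $_.Count
            Pids      = ($_.Group | Select-Object -ExpandProperty ProcessId) -join ','
        }
    }

'Run-key entries resolving under AppData:'
$runHits | Format-Table -AutoSize
'Sessions with more than one explorer.exe:'
$explorerHits | Format-Table -AutoSize
```

Legitimate per-user software (updaters, chat clients) also lives under AppData and registers Run keys, so treat a hit as a lead to triage (hash the target file, check its signature and creation time) rather than as a verdict; a user who has manually restarted their shell can likewise show two explorer.exe processes briefly.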

    The newest variant of Qbot includes a packing layer that scrambles the
code to evade antivirus scanners and signature-based tools, as well as
anti-virtual-machine techniques that make it harder for analysts to examine how
the malware operates. Researchers suggest keeping antivirus software updated
and staying current on critical patches for other software as well. User
awareness training to spot phishing attempts can also help prevent
victimization.

Ripple20 Vulnerabilities Affecting Treck IP Stacks

Treck TCP/IP Stack (Update A)

Legal Notice

All information products included in https://us-cert.gov/ics are
provided “as is” for informational purposes only. The Department
of Homeland Security (DHS) does not provide any warranties of any kind
regarding any information contained within. DHS does not endorse any commercial
product or service, referenced in this product or otherwise. Further
dissemination of this product is governed by the Traffic Light Protocol (TLP)
marking in the header. For more information about TLP, see 
https://www.us-cert.gov/tlp/.


1. EXECUTIVE SUMMARY

  • CVSS v3 10.0
  • ATTENTION: Exploitable remotely
  • Vendor: Treck Inc.
  • Equipment: TCP/IP
  • Vulnerabilities: Improper Handling
    of Length Parameter Inconsistency, Improper Input Validation, Double Free,
    Out-of-bounds Read, Integer Overflow or Wraparound, Improper Null
    Termination, Improper Access Control
CISA is aware of a public report, known as “Ripple20,” that details
vulnerabilities found in the Treck TCP/IP stack. CISA is issuing this advisory
to provide early notice of the reported vulnerabilities and to identify
baseline mitigations for reducing the risk of these and other cyber attacks.

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory
titled ICSA-20-168-01 Treck TCP/IP Stack that was published June 16, 2020, to
the ICS webpage on us-cert.gov. 

3. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow
remote code execution or exposure of sensitive information.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

Affected components of the Treck TCP/IP stack include:
  • IPv4
  • IPv6
  • UDP
  • DNS
  • DHCP
  • TCP
  • ICMPv4
  • ARP

See the ICS-CERT advisory page for more details.

Cisco has disclosed four critical security flaws

    The critical flaws are part of Cisco’s June 3 semi-annual advisory bundle
for IOS XE and IOS networking software, which includes 23 advisories
describing 25 vulnerabilities.

     The 9.8 out of 10
severity bug, CVE-2020-3227, concerns the authorization controls for the Cisco
IOx application hosting infrastructure in Cisco IOS XE Software, which allows a
remote attacker without credentials to execute Cisco IOx API commands without
proper authorization.

    
CVE-2020-3205 is a command-injection vulnerability
in Cisco’s implementation of the inter-VM channel of Cisco IOS Software for
Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and
Cisco 1000 Series Connected Grid Routers (CGR1000).  The software doesn’t
adequately validate signaling packets directed to the Virtual Device Server
(VDS), which could allow an attacker to send malicious packets to an affected
device, gain control of VDS and then completely compromise the system,
including the IOS VM and guest VM.  VDS handles access to devices that are
shared by IOS and the guest OS, such as flash memory, USB ports, and the
console.  “A successful exploit could allow the attacker to execute
arbitrary commands in the context of the Linux shell of VDS with the privileges
of the root user,” 
Cisco said. “Because the device is designed on a hypervisor
architecture, exploitation of a vulnerability that affects the inter-VM channel
may lead to a complete system compromise.”

    CVE-2020-3198 and CVE-2020-3258 are covered by the same advisory and
concern remote code execution vulnerabilities in the same industrial Cisco
routers.
    CVE-2020-3198 allows an unauthenticated, remote attacker to execute
arbitrary code on an affected device or cause it to crash and reload. An
attacker could exploit the vulnerability by sending malicious UDP packets over
IPv4 or IPv6 to the device. Cisco notes that the bug can be mitigated by
implementing an access control list that restricts inbound traffic to UDP port
9700 of the device. It has a severity score of 9.8 out of 10.
    The second bug, CVE-2020-3258, is less severe with a score of 5.7 out of
10 and could allow a local attacker to execute arbitrary code on the device;
however, the attacker must hold valid user credentials at privilege level 15,
the highest level in Cisco’s scheme. The vulnerability allows an attacker to
modify the device’s run-time memory, overwrite system memory locations and
execute arbitrary code on the affected device.
To learn more, see Cisco’s June 3 advisory bundle.

New ransomware targeting Windows and Linux systems

    Named Tycoon after references in its code, this ransomware has been active
since December 2019 and looks to be the work of cyber criminals who are highly
selective in their targeting. The malware also uses an uncommon deployment
technique that helps it stay hidden on compromised networks.

Tycoon is a multi-platform Java ransomware targeting Windows and Linux that
has been observed in the wild since at least December 2019[1]. It is deployed
in the form of a Trojanized Java Runtime Environment (JRE) and leverages an
obscure Java image format to fly under the radar.

The threat actors behind Tycoon were observed using highly targeted delivery
mechanisms to infiltrate small to medium sized companies and institutions in
the education and software industries, where they would proceed to encrypt
file servers and demand a ransom. However, because earlier variants reuse a
common RSA private key, it may be possible to recover data from those variants
without paying.

NIST Digital Identity Guidelines: Pre-Draft Call for Comments

    NIST is issuing a Call for Comments on the four-volume set of Digital
Identity Guidelines documents: Special Publication (SP) 800-63-3 Digital
Identity Guidelines, SP 800-63A Enrollment and Identity Proofing, SP 800-63B
Authentication and Lifecycle Management, and SP 800-63C Federation and
Assertions. This document set presents the controls and technical requirements
to meet the digital identity management assurance levels specified in each
volume.

    The public comment period ends August 10, 2020. See the Call for Comments,
which describes the background for this request and includes a Note to
Reviewers section on specific topics about which NIST is seeking feedback.

    Please submit your comments to [email protected].

Call
for Comments on Digital Identity Guidelines:
https://csrc.nist.gov/publications/detail/sp/800-63/4/draft