Malware Devil

Friday, July 31, 2020

IDA colonoscopy

One of the most annoying things I come across during analysis are … function names. It’s great to have many of them resolved either via FLIRT or symbols, but the length of some of these function names makes it really hard to read code.

It is especially bothersome with ‘basic’ string functions that hide behind constructs like:

std::basic_string,std::allocator,_STL70>::assign
(std::basic_string,std::allocator,_STL70> const &,uint,uint)
std::basic_string,std::allocator,_STL70>::operator=(ushort const *)

Why not simple ‘assign’ and ‘operator’?

It’s because it’s puristic and accurate, that’s why 🙂

Reading code listings relying on these functions is difficult, and it involves a lot of mental processing to find the actual method name in these long strings.

I got bored doing so and coded a very badly written idapython script that replaces these names with a shorter version. Again, this is a blasphemy to both IDA and IDAPython so you have been warned.

import re
import idaapi
import idc
import idautils

# demangling mask that yields the short form of a name
mask = idc.GetLongPrm(idc.INF_SHORT_DN)

for func_ea in idautils.Functions():
    function_name = idc.GetFunctionName(func_ea)
    function_name_dem = idc.Demangle(function_name, mask)
    if function_name_dem is not None:
        function_name = function_name_dem
    # skip functions this script has already renamed
    if re.search(r'hex_', function_name, re.IGNORECASE):
        continue
    print(function_name)
    # capture the method name that sits between the last '::' and the parameter list;
    # the optional '=' lets 'operator=(...)' yield 'operator'
    m = re.search(r'basic_string.*?::([^:=(]+)=?\(', function_name, re.IGNORECASE)
    if m:
        short_fun = m.group(1)
        # drop anything from the first delimiter character onwards
        short_fun1 = re.sub(r'[(=< ~\'"+`\-].+$', '', short_fun)
        cnt = 0
        while True:
            short_fun = 'hex_string_' + short_fun1 + '_' + str(cnt)
            # MakeName returns 0 when the name is already taken, so bump the suffix and retry
            res = idc.MakeName(func_ea, short_fun)
            if res:
                print(short_fun)
                break
            cnt = cnt + 1
            if cnt > 1000:
                break
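The regex logic can be exercised outside IDA. The block below is an added, stand-alone example (not the author's script) that reproduces the name-shortening and the suffix-collision handling in plain Python on constructed sample names; the full template arguments in those names are assumptions, since HTML extraction stripped them from the post, and `rename_all` is a hypothetical stand-in for the MakeName retry loop that tracks taken names in a set instead of in the IDA database.

```python
import re

# Constructed sample demangled names (assumed full forms of the STL names
# quoted in the post; not taken from the original page).
SAMPLE_NAMES = [
    "std::basic_string<unsigned short,std::char_traits<unsigned short>,"
    "std::allocator<unsigned short>,_STL70>::assign(std::basic_string<unsigned short,"
    "std::char_traits<unsigned short>,std::allocator<unsigned short>,_STL70> const &,"
    "unsigned int,unsigned int)",
    "std::basic_string<unsigned short,std::char_traits<unsigned short>,"
    "std::allocator<unsigned short>,_STL70>::operator=(unsigned short const *)",
    "std::basic_string<char,std::char_traits<char>,std::allocator<char>,_STL70>"
    "::assign(char const *)",
    "hex_string_assign_0",   # already renamed by a previous run: must be skipped
    "sub_401000",            # not a basic_string method: must be skipped
]

# The '(' anchor forces the non-greedy '.*?::' past the 'std::' prefixes inside
# the template arguments and onto the real method name; '=?' handles operator=.
METHOD_RE = re.compile(r'basic_string.*?::([^:=(]+)=?\(', re.IGNORECASE)
# Strip anything from the first delimiter character onwards.
TRIM_RE = re.compile(r'[(=< ~\'"+`\-].+$')


def short_method_name(demangled):
    """Return the bare method name for a basic_string member, or None if the
    name is already shortened or is not a basic_string method."""
    if re.search(r'hex_', demangled, re.IGNORECASE):
        return None
    m = METHOD_RE.search(demangled)
    if not m:
        return None
    return TRIM_RE.sub('', m.group(1))


def rename_all(names, taken=None):
    """Hypothetical stand-in for the IDA loop: map each demangled name to a
    unique 'hex_string_<method>_<n>' name, bumping <n> on collisions exactly
    as the script retries MakeName. 'taken' seeds names already in use."""
    taken = set(taken or ())
    result = {}
    for name in names:
        short = short_method_name(name)
        if short is None:
            continue
        for cnt in range(1001):
            candidate = 'hex_string_{}_{}'.format(short, cnt)
            if candidate not in taken:
                taken.add(candidate)
                result[name] = candidate
                break
    return result


if __name__ == '__main__':
    for original, renamed in rename_all(SAMPLE_NAMES).items():
        print('{:<24} <- {}'.format(renamed, original[:60]))
```

Two `assign` overloads on different character types collapse to `hex_string_assign_0` and `hex_string_assign_1`, which is the same loss of overload information the IDA script accepts in exchange for readable listings.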

The result (before/after screenshots):

Read More: https://www.malwaredevil.com/2020/07/31/ida-colonoscopy/?utm_source=rss&utm_medium=rss&utm_campaign=ida-colonoscopy

Three Charged in July 15 Twitter Compromise

Three individuals have been charged for their alleged roles in the July 15 hack on Twitter, an incident that resulted in Twitter profiles for some of the world’s most recognizable celebrities, executives and public figures sending out tweets advertising a bitcoin scam.

Amazon CEO Jeff Bezos’s Twitter account on the afternoon of July 15.

Nima “Rolex” Fazeli, a 22-year-old from Orlando, Fla., was charged in a criminal complaint in Northern California with aiding and abetting intentional access to a protected computer.

Mason “Chaewon” Sheppard, a 19-year-old from Bognor Regis, U.K., also was charged in California with conspiracy to commit wire fraud, money laundering and unauthorized access to a computer.

A U.S. Justice Department statement on the matter does not name the third defendant charged in the case, saying juvenile proceedings in federal court are sealed to protect the identity of the youth. But an NBC News affiliate in Tampa reported today that authorities had arrested 17-year-old Graham Clark as the alleged mastermind of the hack.

17-year-old Graham Clark of Tampa, Fla. was among those charged in the July 15 Twitter hack. Image: Hillsborough County Sheriff’s Office.

Wfla.com said Clark was hit with 30 felony charges, including organized fraud, communications fraud, one count of fraudulent use of personal information with over $100,000 or 30 or more victims, 10 counts of fraudulent use of personal information and one count of access to a computer or electronic device without authority. Clark’s arrest report is available here (PDF).

On Thursday, Twitter released more details about how the hack went down, saying the intruders “targeted a small number of employees through a phone spear phishing attack,” that “relies on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”

By targeting specific Twitter employees, the perpetrators were able to gain access to internal Twitter tools. From there, Twitter said, the attackers targeted 130 Twitter accounts, tweeting from 45 of them, accessing the direct messages of 36 accounts, and downloading the Twitter data of seven.

Among the accounts compromised were Democratic presidential candidate Joe Biden, Amazon CEO Jeff Bezos, President Barack Obama, Tesla CEO Elon Musk, former New York Mayor Michael Bloomberg and investment mogul Warren Buffett.

The hacked Twitter accounts were made to send tweets suggesting they were giving away bitcoin, and that anyone who sent bitcoin to a specified account would be sent back double the amount they gave. All told, the bitcoin accounts associated with the scam received more than 400 transfers totaling more than $100,000.

Sheppard’s alleged alias Chaewon was mentioned twice in stories here since the July 15 incident. On July 16, KrebsOnSecurity wrote that just before the Twitter hack took place, a member of the social media account hacking forum OGUsers advertised they could change the email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece.

The OGUsers forum user “Chaewon” taking requests to modify the email address tied to any twitter account.

On July 17, The New York Times ran a story that featured interviews with several people involved in the attack, who told The Times they weren’t responsible for the Twitter bitcoin scam and had only purchased accounts from the Twitter hacker — who they referred to only as “Kirk.”

One of the people interviewed by The Times used the alias “Ever So Anxious,” and said he was a 19-year-old from the U.K. In my follow-up story on July 22, it emerged that Ever So Anxious was in fact Chaewon.

The person who shared that information was the principal subject of my July 16 post, which followed clues from tweets sent from one of the accounts claimed during the Twitter compromise back to a 21-year-old from the U.K. who uses the nickname PlugWalkJoe.

That individual shared a series of screenshots showing he had been in communications with Chaewon/Ever So Anxious just prior to the Twitter hack, and had asked him to secure several desirable Twitter usernames from the Twitter hacker. He added that Chaewon/Ever So Anxious also was known as “Mason.”

The negotiations over highly-prized Twitter usernames took place just prior to the hijacked celebrity accounts tweeting out bitcoin scams. PlugWalkJoe is pictured here chatting with Ever So Anxious/Chaewon/Mason using his Discord username “Beyond Insane.”

On July 22, KrebsOnSecurity interviewed Sheppard/Mason/Chaewon, who confirmed that PlugWalkJoe had indeed asked him to ask Kirk to change the profile picture and display name for a specific Twitter account on July 15. He acknowledged that while he did act as a “middleman” between Kirk and others seeking to claim desirable Twitter usernames, he had nothing to do with the hijacking of the VIP Twitter accounts for the bitcoin scam that same day.

“Encountering Kirk was the worst mistake I’ve ever made due to the fact it has put me in issues I had nothing to do with,” he said. “If I knew Kirk was going to do what he did, or if even from the start if I knew he was a hacker posing as a rep I would not have wanted to be a middleman.”

Read More: https://www.malwaredevil.com/2020/07/31/three-charged-in-july-15-twitter-compromise/?utm_source=rss&utm_medium=rss&utm_campaign=three-charged-in-july-15-twitter-compromise

IndieFlix streaming service leaves thousands of confidential agreements, filmmaker SSNs, videos exposed on public server

The data bucket discovered by CyberNews contains over 90,000 files related to the IndieFlix streaming service.
Read More: https://www.malwaredevil.com/2020/07/31/indieflix-streaming-service-leaves-thousands-of-confidential-agreements-filmmaker-ssns-videos-exposed-on-public-server-2/?utm_source=rss&utm_medium=rss&utm_campaign=indieflix-streaming-service-leaves-thousands-of-confidential-agreements-filmmaker-ssns-videos-exposed-on-public-server-2

Bypassing Windows 10 UAC with mock folders and DLL hijacking

A new technique uses a simplified process of DLL hijacking and mock directories to bypass Windows 10’s UAC security feature and run elevated commands without alerting a user.
Read More: https://www.malwaredevil.com/2020/07/31/bypassing-windows-10-uac-with-mock-folders-and-dll-hijacking/?utm_source=rss&utm_medium=rss&utm_campaign=bypassing-windows-10-uac-with-mock-folders-and-dll-hijacking

Phishing Email Uses Google Ad Redirect to Steal Microsoft Credentials

Security researchers came across a phishing email that used a Google Ad redirect as a part of its efforts to steal victims’ Microsoft credentials.
Read More: https://www.malwaredevil.com/2020/07/31/phishing-email-uses-google-ad-redirect-to-steal-microsoft-credentials/?utm_source=rss&utm_medium=rss&utm_campaign=phishing-email-uses-google-ad-redirect-to-steal-microsoft-credentials

WastedLocker: A Technical Analysis

The use of crypto-ransomware in targeted attacks has become an ordinary occurrence lately: new incidents are being reported every month, sometimes even more often.
Read More: https://www.malwaredevil.com/2020/07/31/wastedlocker-a-technical-analysis/?utm_source=rss&utm_medium=rss&utm_campaign=wastedlocker-a-technical-analysis

4 Unpatched Bugs Plague Grandstream ATAs for VoIP Users

Multiple high-severity vulnerabilities in the Grandstream HT800 series of Analog Telephone Adaptors threaten home office and midrange users alike, with outages, eavesdropping and device takeover.
Read More: https://www.malwaredevil.com/2020/07/31/4-unpatched-bugs-plague-grandstream-atas-for-voip-users/?utm_source=rss&utm_medium=rss&utm_campaign=4-unpatched-bugs-plague-grandstream-atas-for-voip-users

Microsoft issues security update for Azure Sphere

Cisco Talos researchers recently discovered seven vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected SoC platform designed specifically with IoT application security in mind.
Read More: https://www.malwaredevil.com/2020/07/31/microsoft-issues-security-update-for-azure-sphere/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-issues-security-update-for-azure-sphere

Mimecast acquires communication security provider MessageControl

Mimecast has acquired MessageControl to enhance the firm’s defensive capabilities against phishing attacks.
Read More: https://www.malwaredevil.com/2020/07/31/mimecast-acquires-communication-security-provider-messagecontrol/?utm_source=rss&utm_medium=rss&utm_campaign=mimecast-acquires-communication-security-provider-messagecontrol

EU sanctions hackers from China, Russia, North Korea who’re wanted by the FBI

The Council of the European Union has imposed its first-ever sanctions against persons or entities involved in various cyber-attacks targeting European citizens, and its member states.
Read More: https://www.malwaredevil.com/2020/07/31/eu-sanctions-hackers-from-china-russia-north-korea-whore-wanted-by-the-fbi-2/?utm_source=rss&utm_medium=rss&utm_campaign=eu-sanctions-hackers-from-china-russia-north-korea-whore-wanted-by-the-fbi-2

BootHole fixes causing boot problems across multiple Linux distros

Patches for the BootHole vulnerability in the GRUB2 bootloader that is used by all major Linux distributions are causing problems and preventing some users from booting their systems.
Read More: https://www.malwaredevil.com/2020/07/31/boothole-fixes-causing-boot-problems-across-multiple-linux-distros/?utm_source=rss&utm_medium=rss&utm_campaign=boothole-fixes-causing-boot-problems-across-multiple-linux-distros

3 Arrested for Massive Twitter Breach

Three individuals aged 17, 19, and 22 have been charged for their alleged roles in the massive July 15 Twitter attack.

Three individuals were charged today for their roles in the July 15 Twitter breach that hijacked 130 accounts and spread a Bitcoin scam that led to the theft of more than $100,000.

Twitter has confirmed the attackers targeted a small number of its employees with a phone spear-phishing attack. The perpetrators were able to use their stolen credentials to tweet from celebrity accounts, access direct message inboxes, and download data from Twitter accounts. A Department of Justice release describes the attack as a combination of technical breaches and social engineering.

The release states the alleged attackers include Mason Sheppard, 19, a UK citizen charged with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer. Nima Fazeli, 22, is from Orlando, Fla., and charged with aiding and abetting the intentional access of a protected computer.

Their alleged co-conspirator is a 17-year-old who was arrested this morning in Tampa and is charged with 30 felony charges, including a count of organized fraud (over $50,000), 17 counts of communications fraud (over $300), 10 counts of fraudulent use of personal information, one count of fraudulent use of personal information (over $100,000 or 30 or more victims), and one count of access to a computer or electronic device without authority (scheme to defraud).

Law enforcement is charging the 17-year-old as an adult, as Florida law allows minors to be tried as adults in financial fraud cases where appropriate, according to a press release.

“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here,” Hillsborough State Attorney Andrew Warren said in a statement. “This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that.”

The release describes the 17-year-old as the “mastermind” behind the attack that took over the Twitter accounts of Joe Biden, Barack Obama, Bill Gates, Elon Musk, Kanye West, and several other accounts with millions of followers. Attackers posted messages from these accounts urging users to send Bitcoin to a wallet linked to in the tweet, promising the amount would be doubled in return. More than 400 Bitcoin transfers were made to attackers, the DoJ reports.

These arrests follow a complex investigation by the FBI, IRS, US Secret Service, Santa Clara County Sheriff’s Office, and Florida law enforcement.

Twitter has issued a brief statement: “We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses. For our part, we are focused on being transparent and providing updates regularly.”

Read more details here.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …

Read More: https://www.malwaredevil.com/2020/07/31/3-arrested-for-massive-twitter-breach/?utm_source=rss&utm_medium=rss&utm_campaign=3-arrested-for-massive-twitter-breach

17-Year-Old ‘Mastermind’, 2 Others Behind the Biggest Twitter Hack Arrested


A 17-year-old teen, reportedly the alleged mastermind, and two other individuals aged 19 and 22 have been arrested over the recent Twitter hack that simultaneously targeted several high-profile accounts within minutes as part of a massive bitcoin scam. According to the U.S. Department of Justice, Mason Sheppard, aka “Chaewon,” 19, from the United Kingdom, Nima Fazeli, aka “Rolex,” 22, from Florida, and an unnamed juvenile were charged this week with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer.

Florida news channel WFLA this week identified a 17-year-old teen named Graham Clark of Tampa Bay in connection with the Twitter hack; he is probably the juvenile that the U.S. Department of Justice mentioned in its press release.

Graham Clark has reportedly been charged with 30 felonies of communications and organized fraud for scamming hundreds of people using compromised accounts.

On July 15, Twitter faced the biggest security lapse in its history after an attacker managed to hijack nearly 130 high-profile twitter accounts, including Barack Obama, Kanye West, Joe Biden, Bill Gates, Elon Musk, Jeff Bezos, Warren Buffett, Uber, and Apple.

The broadly targeted hack posted similarly worded messages urging the millions of followers of each profile to send money to a specific bitcoin wallet address in return for a larger payback.


“Everyone is asking me to give back, and now is the time,” a tweet from Mr. Gates’ account said. “You send $1,000; I send you back $2,000.”

The targeted profiles also included some popular cryptocurrency-focused accounts, such as Bitcoin, Ripple, CoinDesk, Gemini, Coinbase, and Binance.

The fraud scheme helped the attackers reap more than $100,000 in Bitcoin from several victims within just a few hours after the tweets were posted.

As suspected on the day of the attack, Twitter later admitted that the attackers compromised its employees’ accounts with access to the internal tools and gained unauthorized access to the targeted profiles.

In its statement, Twitter also revealed that some of its employees were targeted using a spear-phishing attack through a phone, misleading “certain employees and exploit human vulnerabilities to gain access to our internal systems.”

Twitter said a total of 130 user accounts were targeted in the latest attack, out of which only 45 verified accounts were exploited to publish scam tweets. It also mentioned that the attackers accessed Direct Message inboxes of at least 36 accounts, whereas only eight accounts’ information was downloaded using the “Your Twitter Data” archive tool.

“There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,” said U.S. Attorney Anderson.

“Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived. Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it. In particular, I want to say to would-be offenders, break the law, and we will find you.”

“We’ve significantly limited access to our internal tools and systems. Until we can safely resume normal operations, our response times to some support needs and reports will be slower,” Twitter added.

This is a developing story and will be updated as additional details become available.


Read More: https://www.malwaredevil.com/2020/07/31/17-year-old-mastermind-2-others-behind-the-biggest-twitter-hack-arrested/?utm_source=rss&utm_medium=rss&utm_campaign=17-year-old-mastermind-2-others-behind-the-biggest-twitter-hack-arrested

Authorities Arrest Alleged 17-Year-Old ‘Mastermind’ Behind Twitter Hack

Three have been charged in alleged connection with the recent high-profile Twitter hack – including a 17-year-old teen from Florida who is the reported “mastermind” behind the attack.
Read More: https://www.malwaredevil.com/2020/07/31/authorities-arrest-alleged-17-year-old-mastermind-behind-twitter-hack/?utm_source=rss&utm_medium=rss&utm_campaign=authorities-arrest-alleged-17-year-old-mastermind-behind-twitter-hack

ESB-2020.2624 – [Appliance] Mitsubishi Electric Factory Automation Products: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2624
           Multiple Mitsubishi Electric Factory vulnerabilities
                               31 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mitsubishi Electric Factory Automation Engineering Products
                   Mitsubishi Electric Factory Automation Products
                   Mitsubishi Electric Multiple Factory Automation Engineering Products
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14523 CVE-2020-14521 CVE-2020-14496

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-20-212-02
   https://us-cert.cisa.gov/ics/advisories/icsa-20-212-03
   https://us-cert.cisa.gov/ics/advisories/icsa-20-212-04

Comment: This bulletin contains three (3) ICS-CERT security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-20-212-02)

Mitsubishi Electric Multiple Factory Automation Engineering Software Products

Original release date: July 30, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided "as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 8.3
  o ATTENTION: Exploitable remotely
  o Vendor: Mitsubishi Electric
  o Equipment: Mitsubishi Electric, Multiple Factory Automation Engineering
    Software products
  o Vulnerability: Permission Issues

2. RISK EVALUATION

Successful exploitation of this vulnerability may enable the reading of
arbitrary files, cause a denial-of-service condition, and allow execution of a
malicious binary.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products and versions are affected:

  o CPU Module Logging Configuration Tool, versions 1.100E and prior
  o CW Configurator, versions 1.010L and prior
  o Data Transfer, versions 3.40S and prior
  o EZSocket, versions 4.5 and prior
  o FR Configurator2, versions 1.22Y and prior
  o GT Designer3 Version1 (GOT2000), versions 1.235V and prior
  o GT SoftGOT1000 Version3, all versions
  o GT SoftGOT2000 Version1, versions 1.235V and prior
  o GX LogViewer, versions 1.100E and prior
  o GX Works2, versions 1.592S and prior
  o GX Works3, versions 1.063R and prior
  o M_CommDTM-HART, version 1.00A
  o M_CommDTM-IO-Link, all versions
  o MELFA-Works, versions 4.3 and prior
  o MELSEC WinCPU Setting Utility, all versions
  o MELSOFT EM Software Development Kit (EM Configurator), versions 1.010L and
    prior
  o MELSOFT FieldDeviceConfigurator, versions 1.03D and prior
  o MELSOFT Navigator, versions 2.62Q and prior
  o MH11 SettingTool Version2, versions 2.002C and prior
  o MI Configurator, all versions
  o Motorizer, versions 1.005F and prior
  o MR Configurator2, versions 1.105K and prior
  o MT Works2, versions 1.156N and prior
  o MX Component, versions 4.19V and prior
  o Network Interface Board CC IE Control utility, all versions
  o Network Interface Board CC IE Field Utility, all versions
  o Network Interface Board CC-Link Ver.2 Utility, all versions
  o Network Interface Board MNETH utility, all versions
  o PX Developer, versions 1.52E and prior
  o RT ToolBox2, versions 3.72A and prior
  o RT ToolBox3, versions 1.70Y and prior
  o Setting/monitoring tools for the C Controller module, all versions

3.2 VULNERABILITY OVERVIEW

3.2.1 PERMISSION ISSUES CWE-275

Successful exploitation of this vulnerability could allow an attacker to
escalate privilege and execute malicious programs, which could cause a
denial-of-service condition, and allow information to be disclosed, tampered
with, and/or destroyed.

CVE-2020-14496 has been assigned to this vulnerability. A CVSS v3 base score of
8.3 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:R/S:C/
C:H/I:H/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Younes Dragoni of Nozomi Networks, the Applied Risk research team, and Mashav
Sapir of Claroty reported this vulnerability to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends the following mitigations:

Download the latest version of each software product and update it. Excluding
the following products:

  o EZSocket is a communication middleware product for Mitsubishi Electric
    partner companies. Mitsubishi Electric will directly provide the fixed
    version to the partner companies.
  o Download the latest FR Configurator2 fixed version and update it.

Mitsubishi Electric has provided firmware updates for the following products to
fix the vulnerability:

  o CPU Module Logging Configuration Tool, version 1.106K or later
  o CW Configurator, version 1.011M or later
  o Data Transfer, version 3.41T or later
  o EZSocket, version 4.6 or later
  o FR Configurator2, version 1.23Z or later
  o GT Designer3 Version1 (GOT2000), version 1.236W or later
  o GT SoftGOT2000 Version1, version 1.236W or later
  o GX LogViewer, version 1.106K or later
  o GX Works2, version 1.595V or later
  o GX Works3, version 1.065T or later
  o M_CommDTM-HART, version 1.01B or later
  o MELFA-Works, version 4.4 or later
  o MELSOFT EM Software Development Kit (EM Configurator), version 1.015R or
    later
  o MELSOFT FieldDeviceConfigurator, version 1.04E or later
  o MELSOFT Navigator, version 2.70Y or later
  o MH11 SettingTool Version2, version 2.003D or later
  o Motorizer, version 1.010L or later
  o MR Configurator2, version 1.106L or later
  o MT Works2, version 1.160S or later
  o MX Component, version 4.20W or later
  o PX Developer, version 1.53F or later
  o RT ToolBox2, version 3.73B or later
  o RT ToolBox3, version 1.80J or later

Refer to the manual for help to update your product.
For users who are using a product that has not released a fixed version or who
cannot immediately update the product, Mitsubishi Electric recommends taking
the following mitigation measures to minimize risk:

  o Install the fixed version GX Works2, GX Works3, or MELSOFT Navigator on the
    PC on which the product is installed. This is because these three products
    provide comprehensive countermeasures that give the same countermeasure
    effect to other products installed in the same folder (e.g. C:\Program
    files\MELSOFT).
  o Operate the products under an account that does not have administrator's
    privileges.
  o Install an antivirus software in computers using the products.
  o Restrict network exposure for all control system devices or systems to the
    minimum necessary and ensure they are not accessible from untrusted
    networks and hosts.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from the network.
  o Use virtual private network (VPN) when remote access is required.

Additional information about the vulnerability or the Mitsubishi Electric
compensating control is available by contacting a Mitsubishi Electric
representative.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves
from social engineering attacks:

  o Do not click web links or open unsolicited attachments in email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------------------------------------------------------------

ICS Advisory (ICSA-20-212-03)

Mitsubishi Electric Factory Automation Products Path Traversal

Original release date: July 30, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided "as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 8.3
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Mitsubishi Electric
  o Equipment: Mitsubishi Electric, Factory Automation products
  o Vulnerability: Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow an attacker to obtain
unauthorized information, tamper with the information, and cause a
denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products and versions are affected:

  o CW Configurator, Versions 1.010L and prior
  o FR Configurator2, Versions 1.22Y and prior
  o GX Works2, Versions 1.595V and prior
  o GX Works3, Versions 1.063R and prior
  o MELSEC iQ-R Series Motion Module, all versions
  o MELSOFT iQ AppPortal, all versions
  o MELSOFT Navigator, all versions
  o MI Configurator, all versions
  o MR Configurator2, all versions
  o MT Works2, Versions 1.156N and prior
  o MX Component, all versions
  o RT ToolBox3, Versions 1.70Y and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 PATH TRAVERSAL CWE-22

Multiple Mitsubishi Electric Factory Automation products have a vulnerability
that allows an attacker to execute arbitrary code.

CVE-2020-14523 has been assigned to this vulnerability. A CVSS v3 base score of
8.3 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:R/S:C/
C:H/I:H/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mashav Sapir of Claroty reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends the following mitigations:

Download the latest version of each software product and update. The fixed
software products and versions are as follows:

  o CW Configurator, Version 1.011M or later
  o FR Configurator2, Version 1.23Z or later
  o GX Works2, Version 1.596W or later
  o GX Works3, Version 1.065T or later
  o MT Works2, Version 1.160S or later
  o RT ToolBox3, Version 1.80J or later

For users of a product that has not released a fixed version or who cannot
immediately update the product, Mitsubishi Electric recommends taking the
following mitigation measures to minimize risk:

  o Make sure the file is obtained from the correct acquisition route when
    receiving a project file or a configuration data file from another person
    via email, USB memory, file server, etc.; or check that there is no file of
    unknown source.
  o Operate the products under an account that does not have administrator
    privileges (except for the MELSEC iQ-R Series Motion Module).
  o Install antivirus software on computers using the products (except for
    the MELSEC iQ-R Series Motion Module).
  o Restrict network exposure for all control system devices or systems to the
    minimum necessary and ensure they are not accessible from untrusted
    networks and hosts.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from the business network.
  o Use virtual private network (VPN) when remote access is required.

Additional information about the vulnerability or Mitsubishi Electric's
compensating control is available by contacting a Mitsubishi Electric
representative.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves
from social engineering attacks:

  o Do not click web links or open unsolicited attachments in email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------------------------------------------------------------

ICS Advisory (ICSA-20-212-04)

Mitsubishi Electric Factory Automation Engineering Products

Original release date: July 30, 2020


1. EXECUTIVE SUMMARY

  o CVSS v3 8.3
  o ATTENTION: Low skill level to exploit
  o Vendor: Mitsubishi Electric
  o Equipment: Mitsubishi Electric, Factory Automation Engineering products
  o Vulnerability: Unquoted Search Path or Element

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow an attacker to obtain
unauthorized information, modify information, and cause a denial-of-service
condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products and versions are affected:

  o C Controller Interface Module Utility, all versions
  o C Controller Module Setting and Monitoring Tool, all versions
  o CC-Link IE Control Network Data Collector, all versions
  o CC-Link IE Field Network Data Collector, all versions
  o CPU Module Logging Configuration Tool, Versions 1.100E and prior
  o CW Configurator, Versions 1.010L and prior
  o Data Transfer, all versions
  o EZSocket, all versions
  o FR Configurator SW3, all versions
  o FR Configurator2, all versions
  o GT Designer2 Classic, all versions
  o GT Designer3 Version1 (GOT1000), all versions
  o GT Designer3 Version1 (GOT2000), all versions
  o GT SoftGOT1000 Version3, all versions
  o GT SoftGOT2000 Version1, all versions
  o GX Developer, Versions 8.504A and prior
  o GX LogViewer, Versions 1.100E and prior
  o GX Works2, all versions
  o GX Works3, Versions 1.063R and prior
  o M_CommDTM-IO-Link, all versions
  o MELFA-Works, all versions
  o MELSEC WinCPU Setting Utility, all versions
  o MELSOFT Complete Clean Up Tool, all versions
  o MELSOFT EM Software Development Kit, all versions
  o MELSOFT iQ AppPortal, all versions
  o MELSOFT Navigator, all versions
  o MI Configurator, all versions
  o Motion Control Setting, Versions 1.005F and prior
  o Motorizer, Versions 1.005F and prior
  o MR Configurator2, all versions
  o MT Works2, all versions
  o MTConnect Data Collector, all versions
  o MX Component, all versions
  o MX MESInterface, all versions
  o MX MESInterface-R, all versions
  o MX Sheet, all versions
  o Network Interface Board CC IE Control Utility, all versions
  o Network Interface Board CC IE Field Utility, all versions
  o Network Interface Board CC-Link Ver.2 Utility, all versions
  o Network Interface Board MNETH Utility, all versions
  o Position Board utility 2, all versions
  o PX Developer, all versions
  o RT ToolBox2, all versions
  o RT ToolBox3, all versions
  o Setting/monitoring tools for the C Controller module, all versions
  o SLMP Data Collector, all versions

3.2 VULNERABILITY OVERVIEW

3.2.1 UNQUOTED SEARCH PATH OR ELEMENT CWE-428

Multiple Mitsubishi Electric Factory Automation engineering software products
have a malicious code execution vulnerability. A malicious attacker could use
this vulnerability to obtain information, modify information, and cause a
denial-of-service condition.

CVE-2020-14521 has been assigned to this vulnerability. A CVSS v3 base score of
8.3 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mashav Sapir of Claroty reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends the following mitigations:

Download the latest version of each software product and update it. The fixed
software products and versions are as follows:

  o CPU Module Logging Configuration Tool, Version 1.106K or later
  o CW Configurator, Version 1.011M or later
  o GX Developer, Version 8.505B or later
  o GX LogViewer, Version 1.106K or later
  o GX Works3, Version 1.065T or later
  o Motion Control Setting, Version 1.006G or later
  o Motorizer, Version 1.010L or later

Refer to the manual for help to update your product.

For users of a product that has not released a fixed version or who cannot
immediately update the product, Mitsubishi Electric recommends taking the
following mitigation measures to minimize risk:

  o If a "File Name Warning" message is displayed when starting Windows, take
    appropriate measures according to the instructions in the message (such as
    changing a file name) and then install or operate the products.
  o Operate the products under an account that does not have administrator
    privileges.
  o Install antivirus software on computers using the products.
  o Restrict network exposure for all control system devices or systems to the
    minimum necessary and ensure they are not accessible from untrusted
    networks and hosts.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from the network.
  o Use virtual private network (VPN) when remote access is required.

Additional information about the vulnerabilities or Mitsubishi Electric's
compensating control is available by contacting a Mitsubishi Electric
representative.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves
from social engineering attacks:

  o Do not click web links or open unsolicited attachments in email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================


https://www.malwaredevil.com/2020/07/31/esb-2020-2624-appliance-mitsubishi-electric-factory-automation-products-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-2624-appliance-mitsubishi-electric-factory-automation-products-multiple-vulnerabilities

MIDAS – Siddharth Bhatia – PSW #660

MIDAS uses unsupervised learning to detect anomalies in streaming data in real time and has become a new baseline. It was designed with the way recent sophisticated attacks unfold in mind. MIDAS can be used to detect intrusions, denial of service (DoS) and distributed denial of service (DDoS) attacks, financial fraud and fake ratings. MIDAS combines a chi-squared goodness-of-fit test with Count-Min Sketch (CMS) streaming data structures to compute an anomaly score for each edge, then incorporates temporal and spatial relations to improve detection. MIDAS provides theoretical guarantees on false positives and is three orders of magnitude faster than existing state-of-the-art solutions.

Check out MIDAS at https://github.com/Stream-AD/MIDAS
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://wiki.securityweekly.com/psw660
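As an added illustration of the combination the segment description names (CMS counters plus a chi-squared test per edge), the Python below is not the MIDAS project's code: the sketch sizes, the `src->dst` edge key, the two-cell chi-squared closed form, the alert threshold and the sample stream are all constructed assumptions. It keeps two Count-Min Sketches, one over the whole stream and one wiped at each new tick, and scores every arrival of an edge by how far its current-tick count departs from its long-run average.

```python
import hashlib


class CountMinSketch:
    """Fixed-memory approximate counter: estimates never undercount and
    overcount only when all rows collide (width/depth are assumed sizes)."""

    def __init__(self, width=1024, depth=4):
        self.width = width
        self.depth = depth
        self.table = [[0] * width for _ in range(depth)]

    def _slot(self, key, row):
        # One independent-looking hash per row, derived from SHA-256 of "row:key".
        digest = hashlib.sha256(f"{row}:{key}".encode()).digest()
        return int.from_bytes(digest[:8], "big") % self.width

    def add(self, key, n=1):
        for row in range(self.depth):
            self.table[row][self._slot(key, row)] += n

    def estimate(self, key):
        return min(self.table[row][self._slot(key, row)] for row in range(self.depth))

    def clear(self):
        self.table = [[0] * self.width for _ in range(self.depth)]


def chi_squared_score(a, s, t):
    """Two-cell chi-squared statistic: a sightings of an edge in tick t versus
    s total sightings up to t, under the null hypothesis that sightings are
    spread evenly over the t ticks (expected s/t now, s*(t-1)/t earlier).
    Summing the two cells gives the closed form below."""
    if t <= 1 or s == 0:
        return 0.0
    expected_now = s / t
    return (a - expected_now) ** 2 * t * t / (s * (t - 1))


class EdgeAnomalyDetector:
    """Hypothetical streaming detector: one sketch over the whole stream, one
    that is wiped at every new tick; ticks must arrive in non-decreasing order."""

    def __init__(self, width=1024, depth=4):
        self.total = CountMinSketch(width, depth)
        self.current = CountMinSketch(width, depth)
        self.tick = 0

    def observe(self, src, dst, tick):
        """Record one edge and return its anomaly score at this point in the stream."""
        if tick != self.tick:
            self.current.clear()  # new time window: forget per-tick counts only
            self.tick = tick
        key = f"{src}->{dst}"
        self.total.add(key)
        self.current.add(key)
        return chi_squared_score(self.current.estimate(key), self.total.estimate(key), tick)


def build_stream():
    """Constructed sample stream: two edges seen once per tick for ten ticks,
    then 200 connections from a new source to one host in tick 11 (a flood)."""
    stream = []
    for t in range(1, 11):
        stream.append(("10.0.0.1", "10.0.0.2", t))
        stream.append(("10.0.0.3", "10.0.0.4", t))
    stream.extend([("192.0.2.9", "10.0.0.2", 11)] * 200)
    return stream


def run(stream, threshold=50.0):
    """Returns the last score seen per edge and the set of edges that crossed
    the (assumed) alert threshold at any point in the stream."""
    detector = EdgeAnomalyDetector()
    last_score = {}
    flagged = set()
    for src, dst, tick in stream:
        score = detector.observe(src, dst, tick)
        last_score[(src, dst)] = score
        if score >= threshold:
            flagged.add((src, dst))
    return last_score, flagged


if __name__ == "__main__":
    scores, alerts = run(build_stream())
    for edge, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{edge[0]} -> {edge[1]}: score {score:.1f}")
    print("flagged:", alerts)
```

In the constructed stream the flood edge's score grows with every repeat inside tick 11 (10, 20, 30, ...) while the two steady edges stay at 0, which is why a fixed threshold separates them; on real traffic the threshold is tuned against a clean baseline, and the sketch width bounds memory no matter how many distinct edges appear.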



https://www.malwaredevil.com/2020/07/31/midas-siddharth-bhatia-psw-660/?utm_source=rss&utm_medium=rss&utm_campaign=midas-siddharth-bhatia-psw-660

Gravwell Big Bang Release – Corey Thuen – PSW #660

The Gravwell Data Fusion platform is releasing a major update this week. New features make analyzing logs and network data much easier for new users while still keeping the raw power of a Unix-like search query pipeline for power users. Gravwell is free for community use, and during launch week, if you sign up for CE, we're bumping the data cap up to 4 GB/day. This segment is sponsored by Gravwell.

Visit https://securityweekly.com/gravwell to learn more about them!
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://wiki.securityweekly.com/psw660



https://www.malwaredevil.com/2020/07/31/gravwell-big-bang-release-corey-thuen-psw-660/?utm_source=rss&utm_medium=rss&utm_campaign=gravwell-big-bang-release-corey-thuen-psw-660

ESB-2020.2623 – [Win][UNIX/Linux] Thunderbird 68.11: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2623
     MFSA 2020-35 Security Vulnerabilities fixed in Thunderbird 68.11
                               31 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Thunderbird 68.11
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15659 CVE-2020-15652 CVE-2020-6514
                   CVE-2020-6463  

Reference:         ESB-2020.2605
                   ESB-2020.2580
                   ESB-2020.2579
                   ESB-2020.2578

Original Bulletin: 
   https://www.mozilla.org/en-US/security/advisories/mfsa2020-35/

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2020-35

Security Vulnerabilities fixed in Thunderbird 68.11

Announced
    July 30, 2020
Impact
    high
Products
    Thunderbird
Fixed in
       Thunderbird 68.11

In general, these flaws cannot be exploited through email in the Thunderbird
product because scripting is disabled when reading mail, but are potentially
risks in browser or browser-like contexts.

# CVE-2020-15652: Potential leak of redirect targets when loading scripts in a
worker

Reporter
    Mikhail Oblozhikhin
Impact
    high

Description

By observing the stack trace for JavaScript errors in web workers, it was
possible to leak the result of a cross-origin redirect. This applied only to
content that can be parsed as script.

References

  o Bug 1634872

# CVE-2020-6514: WebRTC data channel leaks internal address to peer

Reporter
    Natalie Silvanovich of Google Project Zero
Impact
    high

Description

WebRTC used the memory address of a class instance as a connection identifier.
Unfortunately, this value is often transmitted to the peer, which allows
bypassing ASLR.

References

  o Bug 1642792

# CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture

Reporter
    Reported by Pawel Wylecial of REDTEAM.PL
Impact
    moderate

Description

Crafted media files could lead to a race in texture caches, resulting in a
use-after-free, memory corruption, and a potentially exploitable crash.

References

  o Bug 1635293

# CVE-2020-15659: Memory safety bugs fixed in Thunderbird 68.11

Reporter
    Mozilla developers
Impact
    high

Description

Mozilla developers Jason Kratzer and Luke Wagner reported memory safety bugs
present in Thunderbird 68.10. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could have been
exploited to run arbitrary code.

References

  o Memory safety bugs fixed in Thunderbird 68.11

- --------------------------END INCLUDED TEXT--------------------



https://www.malwaredevil.com/2020/07/31/esb-2020-2623-winunix-linux-thunderbird-68-11-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-2623-winunix-linux-thunderbird-68-11-multiple-vulnerabilities

ASB-2020.0137 – [Win] Microsoft Edge: Multiple vulnerabilities


https://www.malwaredevil.com/2020/07/31/asb-2020-0137-win-microsoft-edge-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=asb-2020-0137-win-microsoft-edge-multiple-vulnerabilities

ESB-2020.2622 – [Linux] WebSphere Application Server: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2622
 Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application
               Server for IBM Cloud Private VM Quickstarter
                               31 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebSphere Application Server
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-4329 CVE-2020-2830 CVE-2020-2805
                   CVE-2020-2803 CVE-2020-2800 CVE-2020-2781
                   CVE-2020-2757 CVE-2020-2756 CVE-2020-2755
                   CVE-2020-2754 CVE-2020-2654 CVE-2019-4720
                   CVE-2019-2949  

Reference:         ASB-2020.0076
                   ASB-2020.0028
                   ESB-2020.2300
                   ESB-2020.2113

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6254704

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in IBM WebSphere Application Server for IBM Cloud
Private VM Quickstarter

Document Information

More support for: WebSphere Application Server in IBM Cloud
Software version: Version Independent
Operating system(s): Linux
Document number: 6254704
Modified date: 30 July 2020


Security Bulletin

Summary

There are multiple vulnerabilities in WebSphere Application Server Liberty
that is shipped with IBM WebSphere Application Server for IBM Cloud Private VM
Quickstarter. Information disclosure in WebSphere Application Server. There is
a denial of service vulnerability in WebSphere Application Server.
CVE-2020-2654 was disclosed as part of the Oracle January 2020 Critical Patch
Update. CVE-2019-2949 may affect IBM SDK, Java Technology Edition. Multiple
Vulnerabilities in IBM Java SDK affect WebSphere Application Server April 2020
CPU.

Vulnerability Details

CVEID: CVE-2019-2949
DESCRIPTION: An unspecified vulnerability in Java SE related to the Kerberos
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a high confidentiality impact using unknown attack
vectors.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169254 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2020-4329
DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty
17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to
obtain sensitive information, caused by improper parameter checking. This could
be exploited to conduct spoofing attacks. IBM X-Force ID: 177841.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177841 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-4720
DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is
vulnerable to a denial of service, caused by sending a specially-crafted
request. A remote attacker could exploit this vulnerability to cause the server
to consume all available memory. IBM X-Force ID: 172125.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172125 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-2805
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Libraries component could allow an unauthenticated attacker to take control of
the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179703 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-2803
DESCRIPTION: An unspecified vulnerability in multiple Oracle products could
allow an unauthenticated attacker to take control of the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179701 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-2830
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Concurrency component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179728 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2781
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
JSSE component could allow an unauthenticated attacker to cause a denial of
service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179681 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2800
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Lightweight HTTP Server component could allow an unauthenticated attacker to
cause low confidentiality impact, low integrity impact, and no availability
impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2020-2757
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Serialization component could allow an unauthenticated attacker to cause a
denial of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179657 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2756
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Serialization component could allow an unauthenticated attacker to cause a
denial of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179656 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2755
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Scripting component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179655 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2754
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Scripting component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179654 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-2654
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Libraries component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174601 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

These vulnerabilities affect the following versions and releases of IBM
WebSphere Application Server for IBM Cloud Private VM Quickstarter

  o 3.0
  o 3.1

Remediation/Fixes

For details on the vulnerabilities refer to the security bulletins listed
below:

  o WebSphere Application Server is vulnerable to a denial of service
    (CVE-2019-4720)
  o Information disclosure in WebSphere Application Server (CVE-2020-4329)
  o CVE-2020-2654 may affect IBM SDK, Java Technology Edition
  o CVE-2019-2949 may affect IBM SDK, Java Technology Edition
  o Multiple Vulnerabilities in IBM Java SDK affect WebSphere Application
    Server April 2020 CPU plus deferred CVE-2019-2949 and CVE-2020-2654

To obtain these changes for your installation, upgrade IBM WebSphere
Application Server for IBM Cloud Private VM Quickstarter to version 3.1.1 or
higher. The service procedure can be found here:

  o Upgrading your installation

Workarounds and Mitigations

None


- --------------------------END INCLUDED TEXT--------------------



https://www.malwaredevil.com/2020/07/31/esb-2020-2622-linux-websphere-application-server-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-2622-linux-websphere-application-server-multiple-vulnerabilities

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...