ESB-2020.3143 – [Appliance] HMS Networks Ewon Flexy and Cosy: Access confidential data – Existing account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3143
        Advisory (icsa-20-254-03) HMS Networks Ewon Flexy and Cosy
                             14 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HMS Networks Ewon Flexy and Cosy
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-16230  

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-20-254-03

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-20-254-03)

HMS Networks Ewon Flexy and Cosy

Original release date: September 10, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided"as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 2.3
  o ATTENTION: Low skill level to exploit
  o Vendor: HMS Networks
  o Equipment: Ewon Flexy and Cosy
  o Vulnerability: Permissive Cross-domain Policy with Untrusted Domains

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow attackers to retrieve
limited confidential information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Ewon products are affected:

  o Flexy and Cosy: All versions prior to 14.1

3.2 VULNERABILITY OVERVIEW

3.2.1 PERMISSIVE CROSS-DOMAIN POLICY WITH UNTRUSTED DOMAINS CWE-942

Affected devices use wildcards such as (*) under which domains can request
resources. An attacker with local access and high privileges could inject
scripts into the Cross-origin Resource Sharing (CORS) configuration that could
abuse this vulnerability, allowing the attacker to retrieve limited
confidential information through sniffing.

CVE-2020-16230 has been assigned to this vulnerability. A CVSS v3 base score of
2.3 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:H/UI:N/S:U/
C:L/I:N/A:N ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical
    Manufacturing, Energy, and Water and Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Sweden

3.4 RESEARCHER

Parth Srivastava of Protiviti India Member Private Limited reported this
vulnerability to HMS Networks.

4. MITIGATIONS

HMS Networks recommends the following mitigations:

  o Update firmware to the latest version available.
  o Use secure Talk2M cloud solutions to create a VPN tunnel connecting Ewon
    devices remotely.
  o Do not publicly expose the WAN IP of your devices on the internet.
  o Use the WAN firewall, which is built into all Ewon devices.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Practice principles of least privilege .
  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet .
  o Locate control system networks and remote devices behind firewalls and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as virtual private
    networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability. This
vulnerability is not exploitable remotely.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX189l+NLKJtyKPYoAQgACA/+KMC1vIlOEvh8johP9ZXJZrXt0I+SiUFy
CFg5jGSrOiw3/wx3Lx/0Rus+/QkGNBFsggJVLVedIF1uxT3P1NHgnBwHahzP/MGu
NfUzmabUxWPqSgjJgIfiYQz1AeFJ2lD7lrVqp0bqFVcfNypr0MSYfWng5nUUaPrn
21tmUfkGpyAu668AI4pWFCa8GyVUhtvQH6Bz8mBaneknA4WekuyrSOxxzepcGc/l
ZkNXErvwTDtH9VRuvRoIl3jLIx4kUG4esP31Dz/BY43hbIMiEVB5jNLNzAxG5YaG
yhPdSL+vlgaCKOrhU9wN+w+TPsflGVSpYcYaVFJ8fvDA31pqyXh1mOTgSIi6X8tJ
S8WSUC511Wlf6Pu/aEmCQhkb1mvWJzUf2GJp6PuruzYiwEtPzZg1i2K6aqYaYDsG
WQGm3cEeFST4lv0IvYz6fB+hxFBz1T8j/vNFzdNd0v/oZNT3texCzdgwy3BaCiVQ
O7UMOgLLRKoXyhHuym2QR/qUkio/5svroqJB+RyEx0IAs33EtnDcxjrxSQMMqoHU
S6HurMxSLsrat34aE3vPFNrm2kV985e0W7swE08x8EhmHI5sj8rXgg5E36f27Yl9
AXj4R/sOeEIOE4MoI5p6V2qePJS/+7kJZ0x1cckUBoNwMBI4qozMq3/gPQBI/ElG
7h183P0tauU=
=DAOh
-----END PGP SIGNATURE-----

Read More

The post ESB-2020.3143 – [Appliance] HMS Networks Ewon Flexy and Cosy: Access confidential data – Existing account appeared first on Malware Devil.

https://malwaredevil.com/2020/09/14/esb-2020-3143-appliance-hms-networks-ewon-flexy-and-cosy-access-confidential-data-existing-account/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3143-appliance-hms-networks-ewon-flexy-and-cosy-access-confidential-data-existing-account

ESB-2020.3144 – [Linux] QRadar Risk Manager: Reduced security – Unknown/unspecified

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3144
        QRadar Risk Manager: Adobe Flash end of life and changes to
                   Configuration Source Management (CSM)
                             14 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           QRadar Risk Manager
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Reduced Security -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6326009

Comment: QRadar Risk Manager changes related to Adobe Flash end of life

- --------------------------BEGIN INCLUDED TEXT--------------------

QRadar Risk Manager: Adobe Flash end of life and changes to Configuration
Source Management (CSM)


Document Information

More support for:     IBM Security QRadar Risk Manager
Component:            QRadar Risk and Vulnerability Manager
Software version:     7.3.3, 7.4.1
Operating system(s):  Linux
Document number:      6326009
Modified date:        11 September 2020


Administrators with QRadar Risk Manager appliances in their deployment are
being alerted to changes in Configuration Source Manager due to the approaching
end of life of Adobe Flash. Due to removal of Adobe Flash, the Configuration
Source Management (CSM) functionality is integrated in to the Configuration
Monitor. The updated Configuration Monitor interface is available to
administrators who upgrade their QRadar deployment in upcoming fix pack
releases.

QRadar Risk Manager administrators are being alerted to an upcoming user
interface change to the Configuration Source Management (CSM) component. Due to
the End of Life (EOL) announcement for Adobe Flash, QRadar Risk Manager has
deprecated the default Configuration Source Management interface and integrated
device backup and configuration functionality in to the Configuration Monitor.
The Configuration Monitor interface includes the same device backup
functionality, but was developed without Adobe Flash to ensure that
administrators can comply with Adobe's 31 December 2020 end of life
announcement. Administrators who are in corporate environments who are required
to remove Adobe Flash can discuss upgrades to a QRadar version that includes
the updates to the Configuration Monitor. All created schedules (Scheduled
Discovery, jobs) are automatically moved from the legacy Admin tab
Configuration Source Management interface to the Configuration Monitor on the
Risks tab after you upgrade.


Product versions

The following versions integrate scheduling and device configurations on the
Risks tab in to the Configuration Monitor:


  o QRadar Risk Manager 7.4.1 fix pack 1 (unreleased) and later
  o QRadar Risk Manager 7.3.3 fix pack 5 (unreleased) and later


How to identify the issue

A notice is displayed in the Configuration Source Management component to
advise administrators that the Configuration Source Management is deprecated.
Administrators who see this information message can upgrade to a QRadar version
that includes the Configuration Monitor to avoid interruptions with device
configurations after 31 December 2020 due to Adobe Flash end of life (EOL)
issues.

image 5858
Figure 1: Legacy Configuration Source Management user interface for Adobe
Flash.

image 5883
Figure 2: Browsers which block Adobe Flash by default do not display the
Configuration Source Management user interface.


Locating the Configuration Monitor

QRadar 7.4.1 fix pack 1 and QRadar 7.3.3 fix pack 5 updates move the
functionality of discovery, backups, credentials and scheduled to the Risks
tab. Administrators can use the Configuration Monitor to make changes to their
devices after an upgrade to the QRadar deployment. The functionality between
Configuration Source Manager and the Configuration Monitor is identical and the
Configuration Monitor does not include dependencies on Adobe Flash.

Procedure

 1. Log in to QRadar.
 2. Click the Risks tab.
 3. In the Risk Manager pane, click Configuration Monitor.
    image 5884
    Figure 3: Location of the Configuration Monitor on the Risks tab.
 4. Use the Configuration Monitor to manage your devices.


Schedules and device backups

Schedules Configuration for QRadar Risk Manager allows administrators to define
backup jobs or device discovery in the Configuration Monitor. Schedules are now
setup using the Configuration Monitor. Devices can be added to the schedule and
a trigger defines the time and recurrence for the backup or device discovery,
which can occur either once, daily, weekly, monthly, or defined as a cron job
expression.
image 5888Figure 4: Schedules are now defined in the Configuration Monitor for
the Risk Manager versions defined in this technical note.

Procedure

 1. Click the Risks tab.
 2. Expand the Configuration Monitor and select Schedules.
 3. On the Scheduled page, click Add to create a new schedule or select and
    existing schedule and click Edit.
 4. Type a unique Name for the schedule.
 5. Select a Group from the drop-down list or type a new Group name.
 6. Select a schedule type:
                              Select a schedule type to either backup or discover new devices
    +----------+-----------------------------------------------------------------------------------+
    |  Option  |                                               Description                         |
    +----------+-----------------------------------------------------------------------------------+
    |Backup    |Backup schedules allow users to collect device configuration changes from          |
    |          |discovered network devices.                                                        |
    +----------+-----------------------------------------------------------------------------------+
    |Discovery |Updates the telemetry (neighbor) information for devices and adds newly            |
    |          |discovered network devices.                                                        |
    +----------+-----------------------------------------------------------------------------------+
    Note: If a discovery schedule exists, you must select Backup. You cannot
    change the Type of an existing schedule.
 7. If you are creating a discovery schedule and want to add newly discovered
    devices to a product, select Crawl.
 8. If you are creating a backup schedule, click Edit and add or remove devices
    to be targeted for backup. Then perform one of the following actions
 9. Use the arrows to move devices from the Available Devices list to the
    Selected Devices list.
10. Select Search to configure a search to dynamically target devices based on
    IP address, operating system, model, or hostname.
    Tip: You can search for Admin or Interface IP addresses with a
    comma-separated list of IP addresses or CIDR ranges.
11. Select a Trigger to specify the frequency you want the schedule to run.
      o Once
      o Daily
      o Weekly
      o Monthly
      o Cron

        image 6055
        Note: Cron expressions that repeat more than once per hour are not
        accepted.
12. Click Save.

Device discovery

Device Discovery is now located in the Configuration Monitor on the Risks tab
for the QRadar Risk Manager versions discussed in this technical note. Device
Discovery streamlines adding network devices through network management
appliances, such as Check Point Management Servers, Palo Alto Panorama, Juniper
NSM, or by crawling the network with SNMP for discoverable IP addresses. The
Device Discovery functions in QRadar Risk Manager allow users to set up
multiple networks and run discovery to automatically add new firewalls, IPS,
and other network devices so they can be backed up and added to the Topology. 
It is important that administrators do not add overlapping address ranges or
CIDR addresses when discovering devices to prevent duplicates.
image 5885Figure 5: Device Discovery in the Configuration Monitor displays the
status or logs for added devices.


Credentials

Device credentials can be added to access and download the configuration of
devices such as firewalls, routers, switches, or IPSs in the Configuration
Monitor on the Risks tab. Administrators can add credentials for individual
devices or for multiple network devices that use the same credentials and
prioritize the credential order QRadar Risk Manager uses to back up network
device configurations.
image 5887
Figure 6: Device credentials can be added in the Configuration Monitor.

Configuring protocols

QRadar Risk Manager users can define the protocol, port, and other details
required to communicate to a set of network devices. You can assign devices to
network groups, which allows you to group together protocol sets and address
sets for your devices.

Procedure

 1. On the Risk tab, click Configuration Monitor.
 2. In the navigation menu, click Protocols.
 3. Select Add from the toolbar.
 4. Type a Name for the protocol set.
 5. In the Address Sets section, click Add.
 6. In the Add Address field, type the IP address or CIDR range that you want
    to apply to the network group, then click OK.
    Tip: You can use IP4 or IP6 address or CIDR ranges.
 7. Select the check box for each protocol you want to enable.
    Tip: Select a protocol and click Increase Priority or Decrease Priority to
    adjust the order you want the protocols to be used.
 8. Select a protocol to configure its relevant properties. You can configure
    the following values for the protocol parameters:
                                                 Table 1. Protocol parameters
    +--------+-------------------------------------------------------------------------------------------+
    |Protocol|                                             Parameter description                         |
    +--------+-------------------------------------------------------------------------------------------+
    |        |Configure the following parameters:                                                        |
    |        |                                                                                           |
    |        |  o Port- Type the port on which you want the SSH protocol to use when                     |
    |        |    communicating with and backing up network devices. The default SSH protocol            |
    |        |    port is 22.                                                                            |
    |SSH     |  o Version- Select the version of SSH that you want this network group to use             |
    |        |    when communicating with network devices. The available options are as                  |
    |        |    follows:                                                                               |
    |        |  o Auto- This option automatically detects the SSH version to use when                    |
    |        |    communicating with network devices.                                                    |
    |        |    1 - Use SSH-1 when communicating with network devices.                                 |
    |        |    2 - Use SSH-2 when communicating with network devices.                                 |
    +--------+-------------------------------------------------------------------------------------------+
    |Telnet  |Type the port number you want the Telnet protocol to use when communicating                |
    |        |with and backing up network devices. The default Telnet protocol port is 23.               |
    +--------+-------------------------------------------------------------------------------------------+
    |HTTPS   |Type the port number you want the HTTPS protocol to use when communicating with            |
    |        |and backing up network devices. The default HTTPS protocol port is 443                     |
    +--------+-------------------------------------------------------------------------------------------+
    |HTTP    |Type the port number you want the HTTP protocol to use when communicating with             |
    |        |and backing up network devices. The default HTTP protocol port is 80.                      |
    +--------+-------------------------------------------------------------------------------------------+
    |SCP     |Type the port number you want the SCP protocol to use when communicating with              |
    |        |and backing up network devices. The default SCP protocol port is 22.                       |
    +--------+-------------------------------------------------------------------------------------------+
    |SFTP    |Type the port number you want the SFTP protocol to use when communicating with             |
    |        |and backing up network devices. The default SFTP protocol port is 22.                      |
    +--------+-------------------------------------------------------------------------------------------+
    |FTP     |Type the port number you want the FTP protocol to use when communicating with              |
    |        |and backing up network devices. The default SFTP protocol port is 22.                      |
    +--------+-------------------------------------------------------------------------------------------+
    |TFTP    |The TFTP protocol does not have any configurable options.                                  |
    +--------+-------------------------------------------------------------------------------------------+
    |        |Configure the following parameters:                                                        |
    |        |                                                                                           |
    |        |  o Port - Type the port number you want the SNMP protocol to use when                     |
    |        |    communicate with and backing up network devices.                                       |
    |        |  o Timeout(ms) - Select the amount of time, in milliseconds, that you want to             |
    |        |    use to determine a communication timeout.                                              |
    |SNMP    |  o Retries - Select the number of times you want to attempt to retry                      |
    |        |    communications to a device.                                                            |
    |        |  o Version - Select the version of SNMP you want to use for communications.               |
    |        |    The options are v1, v2, or v3.                                                         |
    |        |      ? V3 Authentication - Select the algorithm you want to use to                        |
    |        |        authenticate SNMP traps.                                                           |
    |        |      ? V3 Encryption - Select the protocol you want to use to decrypt SNMP                |
    |        |        traps.                                                                             |
    +--------+-------------------------------------------------------------------------------------------+
 9. Click Save.
    Tip: After you create your protocol sets, select a protocol set and click
    Increase Priority or Decrease Priority to adjust the order you want the
    protocol sets to be checked.



Notice: Adobe, the Adobe logo, PostScript, and the PostScript logo are either
registered trademarks or trademarks of Adobe Systems Incorporated in the United
States, and/or other countries.


Cross-reference information

Product                Component                         Platform    Version
IBM Security QRadar    QRadar Risk and Vulnerability     Linux       7.3.3,
SIEM                   Manager                                       7.4.1

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX189/+NLKJtyKPYoAQgNNw/9HWqYEUU/P9m/uL0pZSRrlUJrgY8KK8HG
kWVqMhkMQuBfb+JjEkfrdUli7SEEdb0ctKl+3oqt0oO7XKvgChEeSHO0mVR0Bb4w
5Sj/Q34S6mePJsnbCB9FBFQmd45J3Q4Wx085YXY1c2OFmbzeoGpNvEzvi2X8Gb/c
jdhm/Edi6WOqKCuyk/axJ0eMOUcmK+VqOFrWWIEQdEt9P9gb12WNPMsuv5kWMIvT
H8DfqPFLwsr5qspDM8MdP4PbSTzMkRfVwtw0O11xde3T/tfGsNpa2dJ4g6CUKswZ
0MypeFIx+/1p+tvTmkqpWdTthS5/bgb100RdAf59eL6f8cYFiomb83XP/PShdODP
EzUD175+LRBJ1IAFPYjCLR1IF34zNYaMQ5HNwJo1QhaH87v6YqPKgT5KxCpuhsJy
lB1s2EhK60TsSCXIIc4a4ieyeYeI37z14K6ptiROZ4xeNo58g7PNuCziZw4P3Se3
5Ub71ah4olP6Sw6AkSYKSSKflKLVpsQm0h0Bz/kaElUKQCZ0WZ7dfpFmE1vTJGDs
fQLALzgCAimQZ9FkPUSZffGTkmYFuRrjMbcdmJ2rUDcSfe3BLIPpj2EsDhXQlICF
WVdf72A+v5FWoWKMcnrNMYGtTYOCrOa4NY8IN9nmD3GVmXAf+MPxWoS+MSVpMMfF
u2oJPh9IuAU=
=5OVL
-----END PGP SIGNATURE-----

Read More

The post ESB-2020.3144 – [Linux] QRadar Risk Manager: Reduced security – Unknown/unspecified appeared first on Malware Devil.

https://malwaredevil.com/2020/09/14/esb-2020-3144-linux-qradar-risk-manager-reduced-security-unknown-unspecified/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3144-linux-qradar-risk-manager-reduced-security-unknown-unspecified

ESB-2020.3142 – [Appliance] FATEK Automation PLC WinProladder: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3142
        Advisory (icsa-20-254-02) FATEK Automation PLC WinProladder
                             14 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FATEK Automation PLC WinProladder
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Mitigation
CVE Names:         CVE-2020-10597  

Reference:         ESB-2020.2246
                   ESB-2020.1013

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-20-254-02

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-20-254-02)

FATEK Automation PLC WinProladder

Original release date: September 10, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided"as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 7.8
  o ATTENTION: Low skill level to exploit
  o Vendor: FATEK Automation
  o Equipment: PLC WinProladder
  o Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could crash the device being
accessed; a buffer overflow condition may cause a denial-of-service event and
remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PLC WinProladder are affected:

  o PLC WinProladder Version 3.28 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

A stack-based buffer overflow vulnerability can be exploited when a valid user
opens a specially crafted file, which may allow an attacker to remotely execute
arbitrary code.

CVE-2020-10597 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/
C:H/I:H/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial
    Facilities
  o COUNTRIES/AREAS DEPLOYED: Europe, Asia
  o COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Natnael Samson (@NattiSamson), working with Trend Micro's Zero Day Initiative,
reported this vulnerability to CISA.

4. MITIGATIONS

FATEK has not responded to requests to work with CISA to mitigate this
vulnerability. Users of these affected products who would like to see more
responsible security are invited to contact Fatek customer support .

CISA recommends users take the following measures to protect themselves from
social engineering attacks:

  o Do not click web links or open unsolicited attachments in email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet .
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability. This
vulnerability is not exploitable remotely.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX1886+NLKJtyKPYoAQjRAA/+IFA67pvy1nUsidBwIoL/evc7RfXWSjKk
6cQqGmMO5ssk+fhB3ZJZMIR0naOcu3JqH3NIyTall4WvNTCdCOGF9plW4lL82r/E
qYGyj/i7zKnA7nb7u5qEfjjApfjcZBDoK5FhYjfjHNhaMEdTguOB4IQCjEgUpTlG
WeuZBKF2vRqE//ZZMnQt4tCXFsmCthTMJ0psP/6EIUqIYTvilyDDXZjsiku2Nq/j
yBjK8+BvPOQqV54yEEZOd6duqGexnXeG0HSQbOiOvek2Zg10QJHsqMjjDayIJKz1
5H+tFokJoKkZjXaT1ePXEfUNQPaPt5PylhYBJetUUZhIVqeRVH0KuM8ssVtdRxHg
Hb6inyP2YU3OkRPzUFmHCeMsnUvSgj9OHePhh2qEtsnZkQNnm0eh9oCTWApbsFs/
mY8SghhWJ0Dnd4PCogAxkobBrSJX7VloBQGjaPtGD9wnD5Kk6YEXqGqejMkYIMH5
MNQzIYM5yMPuA0uSHo+PkrJF3kYZ5E923ZwpGPyo3GoOPJ4UrwGXu6eotyohMCc2
9avHxUeDi9ULJly3S++aHj+UKjoW8mFz7FTGeB8FbpaLydWH7kTk8FVkvkeLrMTB
9eOpngaUnFJd1Wb3chu0ttguzN7UAPMZ8D4lPCTi1gCXenIyUCgjvmA8A6fFUdOX
j1AoCAVydkc=
=lZNe
-----END PGP SIGNATURE-----

Read More

The post ESB-2020.3142 – [Appliance] FATEK Automation PLC WinProladder: Multiple vulnerabilities appeared first on Malware Devil.

https://malwaredevil.com/2020/09/14/esb-2020-3142-appliance-fatek-automation-plc-winproladder-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3142-appliance-fatek-automation-plc-winproladder-multiple-vulnerabilities

ESB-2020.3141 – [Win] AVEVA Enterprise Data Management Web: Execute arbitrary code/commands – Remote/unauthenticated

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3141
      Advisory (icsa-20-254-01) AVEVA Enterprise Data Management Web
                             14 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           AVEVA Enterprise Data Management Web
Publisher:         ICS-CERT
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13501 CVE-2020-13500 CVE-2020-13499

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-20-254-01

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-20-254-01)

AVEVA Enterprise Data Management Web

Original release date: September 10, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided"as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 9.6
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: AVEVA
  o Equipment: Enterprise Data Management Web
  o Vulnerability: SQL Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to
execute arbitrary SQL commands on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Enterprise Data Management Web (formerly eDNA Web), a
data management platform, are affected:

  o Enterprise Data Management Web v2019 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL
INJECTION') CWE-89

The affected product is vulnerable to SQL injection, which may allow a
malicious attacker to execute arbitrary SQL commands under the privileges of
the account configured in eDNA Web for SQL access. If eDNA Web is not
installed, the deployment is not vulnerable.

CVE-2020-13499 , CVE-2020-13500 , and CVE-2020-13501 have been assigned to this
vulnerability.

A CVSS v3 base score of 9.6 has been assigned for versions prior to 2017; the
CVSS vector string is ( AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H ).

A CVSS v3 base score of 9.0 has been assigned for versions 2017-2019; the CVSS
vector string is ( AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Information
    Technology
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

Yuri Kramarz of Cisco Talos reported this vulnerability to AVEVA.

4. MITIGATIONS

AVEVA reports that affected users are recommended to upgrade to AVEVA
Enterprise Data Management Web v2019 SP1 as soon as possible. If an upgrade to
v2019 SP1 is not possible, users can contact AVEVA Global Customer Support, and
a hot-fix can be made available for eDNA Web v2018 SP2. Other versions will not
be hot-fixed and must be upgraded. For help with applying upgrades and
hot-fixes, please contact AVEVA Global Customer Support.

For more information see the AVEVA security bulletin here .

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet .
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that VPN
    is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX188DeNLKJtyKPYoAQiqiw//WoGwGMeVqfAefig2BvG+Sq1UFZMhevL3
hpzeIECbgkHuLur6ytAIyksa9jfHt79BSnKj/rn8sk5CLSIrVgfa6KO5vUpPImXW
mColtryppcNfrTtGDG8mB2Mcel8zVeeuL7QCE/Gxth0SK6Qmkv/9SlRYEQVzvb+m
sZP5IMxiL3L2bpyTdDnuMXhIS8Rkxv4hshRjZyXfC/djgv8EoUB5VW6dv9f3fY8n
j2RIxtjRDgIgN4JsEDkUly4ThwiIEPrQfNqR/cW9loDh7VD/lbW/dss7tNuRZ1O3
TvbMYV/j7xF2xBWSAnoACfa95sv16x49JMgpNgPWSPnOe1nb/3xI9bZrpLs+QJxB
T2brbw02myL4zc/Ctsc906fuPCSq4OhQI06mX4gi5bBpm2FuHnLhi4hQTOGH2VuU
LuB8d9DtpjtggSunXfp/3jfsX2LdO7VoufG1Pqib4BGEEZjPHo02afBvyykCR4GV
h1KYJ4s04n1LrLwqLQS2VIwWZ0f8VEOG+mde7Ymw1894YFBSaZk2wLtz2Db2CJqq
nN8AGLVvVO8GiH81qHxMWIzOHoQ+7/SUE+Sd40VrijAmLjGpeQxueSa3FdQBsX8T
Mgnujc4PXbnDlb/EcKXh2zB1TZD/1LimytmlpFIeIX/FVBlWDiHvayApm+pRt/RS
yDNOkSTjyRM=
=oHKa
-----END PGP SIGNATURE-----

Read More

The post ESB-2020.3141 – [Win] AVEVA Enterprise Data Management Web: Execute arbitrary code/commands – Remote/unauthenticated appeared first on Malware Devil.

https://malwaredevil.com/2020/09/14/esb-2020-3141-win-aveva-enterprise-data-management-web-execute-arbitrary-code-commands-remote-unauthenticated/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3141-win-aveva-enterprise-data-management-web-execute-arbitrary-code-commands-remote-unauthenticated

Creating patched binaries for pentesting purposes, (Sun, Sep 13th)

When doing pentestings, the establishment of backdoors is vital to be able to carry out lateral movements in the network or to reach the stage of action on objectives. This is usually accomplished by inviting someone to click on a commonly used executable on the computer using social engineering techniques.

In this diary we will work on the Backdoor Factory tool, which can be found at https://github.com/secretsquirrel/the-backdoor-factory. We will use two machines: A linux ubuntu 18.04 and a Windows 10 2004. Kali Linux 2020.3 default installation does not work with this tool as it uses python3 libraries.

Backdoor-factory will be installed on Ubuntu 18.04. Github repository will be cloned and then capstone and pefile will be installed:

Cygwin was used to create the PE binary. Simple hello world application compiled with gcc:

Next, PE binary is uploaded to the linux VM and backdoor-factory will assess it and then show the supported payloads:

Linux IP address will be used to create a reverse tcp shell payload:

Now the tool will be used to create a reverse TCP shell to ip address 192.168.127.141 and TCP port 10000 using the testapplication binary:

The tool ask to pick the cave where the backdoor will be placed. Cave 4 will be used:

Backdoored binary is now available to be transfered to the Windows VM.

Next, a netcat listener is setup to TCP port 10000 in the linux VM:

Patched binary is transferred to the Windows machine and executed:

Now we can see how the reverse shell got connected to the netcat listener:

Manuel Humberto Santander Pelaez
SANS Internet Storm Center – Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Read More

The post Creating patched binaries for pentesting purposes, (Sun, Sep 13th) appeared first on Malware Devil.

https://malwaredevil.com/2020/09/14/creating-patched-binaries-for-pentesting-purposes-sun-sep-13th/?utm_source=rss&utm_medium=rss&utm_campaign=creating-patched-binaries-for-pentesting-purposes-sun-sep-13th

ISC Stormcast For Monday, September 14th 2020 https://isc.sans.edu/podcastdetail.html?id=7164, (Mon, Sep 14th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Read More

The post ISC Stormcast For Monday, September 14th 2020 https://isc.sans.edu/podcastdetail.html?id=7164, (Mon, Sep 14th) appeared first on Malware Devil.

https://malwaredevil.com/2020/09/14/isc-stormcast-for-monday-september-14th-2020-https-isc-sans-edu-podcastdetail-htmlid7164-mon-sep-14th/?utm_source=rss&utm_medium=rss&utm_campaign=isc-stormcast-for-monday-september-14th-2020-https-isc-sans-edu-podcastdetail-htmlid7164-mon-sep-14th

ESB-2020.3140 – [Win][Appliance] Philips Patient Monitoring Devices: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3140
       Advisory (icsma-20-254-01) Philips Patient Monitoring Devices
                             14 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Philips Patient Monitoring Devices
Publisher:         ICS-CERT
Operating System:  Network Appliance
                   Windows
Impact/Access:     Increased Privileges     -- Console/Physical      
                   Denial of Service        -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
                   Access Confidential Data -- Existing Account      
                   Reduced Security         -- Existing Account      
Resolution:        Mitigation
CVE Names:         CVE-2020-16228 CVE-2020-16224 CVE-2020-16222
                   CVE-2020-16220 CVE-2020-16218 CVE-2020-16216
                   CVE-2020-16214 CVE-2020-16212 

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Medical Advisory (ICSMA-20-254-01)

Philips Patient Monitoring Devices

Original release date: September 10, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided"as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 6.8
  o ATTENTION: Low skill level to exploit
  o Vendor: Philips
  o Equipment: Patient Information Center iX (PICiX); PerformanceBridge Focal
    Point; IntelliVue Patient Monitors MX100, MX400-MX850, and MP2-MP90; and
    IntelliVue X2, and X3
  o Vulnerabilities: Improper Neutralization of Formula Elements in a CSV File,
    Cross-site Scripting, Improper Authentication, Improper Check for
    Certificate Revocation, Improper Handling of Length Parameter
    Inconsistency, Improper Validation of Syntactic Correctness of Input,
    Improper Input Validation, Exposure of Resource to Wrong Sphere

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in unauthorized
access, interrupted monitoring, and collection of access information and/or
patient data.

Note : To successfully exploit these vulnerabilities, an attacker would need to
gain either physical access to surveillance stations and patient monitors or
access to the medical device network.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of the patient monitoring devices are affected:

  o Patient Information Center iX (PICiX) Versions B.02, C.02, C.03
  o PerformanceBridge Focal Point Version A.01
  o IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and
    prior
  o IntelliVue X3 and X2 Versions N and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF FORMULA ELEMENTS IN A CSV FILE CWE-1236

The software saves user-provided information into a comma-separated value (CSV)
file, but it does not neutralize or incorrectly neutralizes special elements
that could be interpreted as a command when the file is opened by spreadsheet
software.

CVE-2020-16214 has been assigned to this vulnerability. A CVSS v3 base score of
4.2 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:H/UI:R/S:C/
C:L/I:L/A:N ).

Affects the following products: Patient Information Center iX (PICiX) Versions
B.02, C.02, C.03.

3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79

The software does not neutralize or incorrectly neutralizes user-controllable
input before it is placed in output that is then used as a webpage and served
to other users. Successful exploitation could lead to unauthorized access to
patient data via a read-only web application.

CVE-2020-16218 has been assigned to this vulnerability. A CVSS v3 base score of
3.5 has been calculated; the CVSS vector string is ( AV:A/AC:L/PR:L/UI:N/S:U/
C:L/I:N/A:N ).

Affects the following products: Patient Information Center iX (PICiX) Versions
B.02, C.02, C.03.

3.2.3 IMPROPER AUTHENTICATION CWE-287

When an actor claims to have a given identity, the software does not prove or
insufficiently proves the claim is correct.

CVE-2020-16222 has been assigned to this vulnerability. A CVSS v3 base score of
5.0 has been calculated; the CVSS vector string is ( AV:A/AC:H/PR:N/UI:N/S:U/
C:L/I:L/A:L ).

Affects the following products: Patient Information Center iX (PICiX) Version
B.02, C.02, C.03, and PerformanceBridge Focal Point Version A.01.

3.2.4 IMPROPER CHECK FOR CERTIFICATE REVOCATION CWE-299

The software does not check or incorrectly checks the revocation status of a
certificate, which may cause it to use a compromised certificate.

CVE-2020-16228 has been assigned to this vulnerability. A CVSS v3 base score of
6.0 has been calculated; the CVSS vector string is ( AV:A/AC:H/PR:H/UI:N/S:U/
C:H/I:H/A:L ).

Affects the following products: Patient Information Center iX (PICiX) Versions
C.02 and C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient
monitors MX100, MX400-MX550, MX750, MX850, and IntelliVue X3 Versions N and
prior.

3.2.5 IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130

The software parses a formatted message or structure but does not handle or
incorrectly handles a length field that is inconsistent with the actual length
of the associated data, causing the application on the surveillance station to
restart.

CVE-2020-16224 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

Affects the following products: Patient Information Center iX (PICiX) Versions
C.02, C.03.

3.2.6 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286

The product receives input that is expected to be well-formed (i.e., to comply
with a certain syntax) but it does not validate or incorrectly validates that
the input complies with the syntax, causing the certificate enrollment service
to crash. It does not impact monitoring but prevents new devices from
enrolling.

CVE-2020-16220 has been assigned to this vulnerability. A CVSS v3 base score of
3.5 has been calculated; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:R/S:U/
C:N/I:N/A:L ).

Affects the following products: Patient Information Center iX (PICiX) Versions
C.02, C.03, PerformanceBridge Focal Point Version A.01.

3.2.7 IMPROPER INPUT VALIDATION CWE-20

The product receives input or data but does not validate or incorrectly
validates that the input has the properties required to process the data safely
and correctly, which can induce a denial-of-service condition through a system
restart.

CVE-2020-16216 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).

Affects the following products: IntelliVue patient monitors MX100, MX400-550,
MX600, MX700, MX750, MX800, MX850, MP2-MP90, and IntelliVue X2 and X3 Versions
N and prior.

3.2.8 EXPOSURE OF RESOURCE TO WRONG SPHERE CWE-668

The product exposes a resource to the wrong control sphere, providing
unintended actors with inappropriate access to the resource. The application on
the surveillance station operates in kiosk mode, which is vulnerable to local
breakouts that could allow an attacker with physical access to escape the
restricted environment with limited privileges.

CVE-2020-16212 has been assigned to this vulnerability. A CVSS v3 base score of
6.8 has been calculated; the CVSS vector string is ( AV:P/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

Affects the following products: Patient Information Center iX (PICiX) Versions
B.02, C.02, C.03.

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Netherlands

3.4 RESEARCHER

Julian Suleder, Nils Emmerich, Birk Kauer of ERNW Research GmbH, Dr. Oliver
Matula of ERNW Enno, and Rey Netzwerke GmbH reported these vulnerabilities to
the Federal Office for Information Security (BSI), Germany, in the context of
the BSI project ManiMed (Manipulation of medical devices), which reported these
to Philips.

4. MITIGATIONS

Philips plans a new release to remediate all reported vulnerabilities:

  o Patient Information Center iX (PICiX) Version C.03 by end of 2020
  o PerformanceBridge Focal Point by Q2 of 2021
  o IntelliVue Patient Monitors Versions N.00 and N.01 in Q1 of 2021
  o IntelliVue Patient Monitors Version M.04 by end of 2021
  o Certificate revocation within the system will be implemented in 2023

As a mitigation to these vulnerabilities, Philips recommends the following:

  o The Philips patient monitoring network is required to be physically or
    logically isolated from the hospital local area network (LAN). Philips
    recommends using a firewall or routers that can implement access control
    lists restricting access in and out of the patient monitoring network for
    only necessary ports and IP addresses. Refer to the Philips Patient
    Monitoring System Security for Clinical Networks guide for additional
    information on InCenter .
  o By default, the simple certificate enrollment protocol (SCEP) service is
    not running. When needed, the service is configured to run based on the
    duration or the number of certificates to be assigned. One certificate is
    default, but if a certificate is not issued, the service will continue to
    run. Limit exposure by ensuring the SCEP service is not running unless it
    is actively being used to enroll new devices.
  o When enrolling new devices using SCEP, enter a unique challenge password of
    8-12 unpredictable and randomized digits.
  o Implement physical security controls to prevent unauthorized login attempts
    on the PIC iX application. Servers should be kept in controlled locked data
    centers. Access to equipment at nurses' stations should be controlled and
    monitored.
  o Only grant remote access to PIC iX servers on a must-have basis.
  o Grant login privileges to the bedside monitor and PIC iX application on a
    role-based, least-privilege basis, and only to trusted users.

Users with questions regarding their specific Philips Patient Information
Center (PIC iX) and/or IntelliVue patient monitor installations and new release
eligibility should contact their local Philips service support team, or
regional service support, or call 1-800-722-9377.

Please see the Philips product security website for the Philips advisory and
the latest security information for Philips products.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Implement physical security measures to limit or control access to critical
    systems.
  o Restrict system access to authorized personnel only and follow a least
    privilege approach.
  o Apply defense-in-depth strategies.
  o Disable unnecessary accounts and services.
  o Where additional information is needed, refer to existing cybersecurity in
    medical device guidance issued by the FDA .

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves
from social engineering attacks:

  o Do not click web links or open unsolicited attachments in email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

No known public exploits specifically target these vulnerabilities. These
vulnerabilities are not exploitable remotely.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX17Lm+NLKJtyKPYoAQj90Q/7B0JckJCRWLi2dWbv4zWUPDmpoxhTMdvy
u5a3EgNKJVdszkAijDpQ8zhstZq0ax7j7eKFFNd3zD7WtHASrzLDFKABitCYrSRT
GDci3baG+jJG87ooCy5r/59e8ehcmMBwLJdGB827egXiPK+/0xtTtpA7CERmMks6
9tGGvrxO4qPu7DlAGSXNNLw//21eYATKnqST85l0kLXuVUWciKdsMQ+Z7B9DuUvc
BDJbd2I+3ltDf34m13sH73KqaQ1JN0ctuIN9uWj0x8tArP+0W1yvQegLzuNC5fZ/
sp9aeSl83SnyxvHhijSXy2oKKrU0JM7pjRZFoWb9GQEQyA9l9EO4mxI3G2KFm+jU
YcJkrbqQ3kayxIpkh4XY90BuRYVUnb4B7opwMTE9AK5lWMd7TAUrYzmrGQSKBnlf
EGQlBVtr2hABiB5oUfVEoIaODv7wBhTWxfNFxjY71yXPfThF+IUjmOrCYdKgx053
7UZRVlr6mHUZ66MN6nVNhOm+aXmDU+Pt8vsYYuvkgC9THo7T8nXu9pWukOOvHqqC
iKtZZhbb1+9fMlA0GrFm/sQ4WB9wP3csEbvQAI0RHDC89Xry/ILUaEAoQGCHbRt7
6nCwt3UXRfOycQjEdmgWhkbbq2JJx1TqyllFZdOAaPvAMmcgxF5nTHjcJKENTmZ+
Zh9pceBvO6s=
=nrby
-----END PGP SIGNATURE-----

Read More

The post ESB-2020.3140 – [Win][Appliance] Philips Patient Monitoring Devices: Multiple vulnerabilities appeared first on Malware Devil.

https://malwaredevil.com/2020/09/14/esb-2020-3140-winappliance-philips-patient-monitoring-devices-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3140-winappliance-philips-patient-monitoring-devices-multiple-vulnerabilities

ESB-2020.3139 – [Debian] wordpress: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3139
                         wordpress security update
                             14 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           wordpress
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Increased Privileges -- Existing Account      
                   Cross-site Scripting -- Existing Account      
                   Reduced Security     -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-4050 CVE-2020-4049 CVE-2020-4048
                   CVE-2020-4047 CVE-2019-17670 

Reference:         ESB-2020.2279
                   ESB-2020.2188
                   ESB-2019.4095

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2371

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2371-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                                     
September 11, 2020                            https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : wordpress
Version        : 4.7.18+dfsg-1+deb9u1
CVE ID         : CVE-2019-17670 CVE-2020-4047 CVE-2020-4048 CVE-2020-4049 
                 CVE-2020-4050
Debian Bug     : 942459 962685

Multiple vulnerabilities were discovered in WordPress, a popular
content management framework.

CVE-2019-17670

    WordPress has a Server Side Request Forgery (SSRF) vulnerability
    because Windows paths are mishandled during certain validation of
    relative URLs.

CVE-2020-4047

    Authenticated users with upload permissions (like authors) are
    able to inject JavaScript into some media file attachment pages in
    a certain way. This can lead to script execution in the context of
    a higher privileged user when the file is viewed by them.

CVE-2020-4048

    Due to an issue in wp_validate_redirect() and URL sanitization, an
    arbitrary external link can be crafted leading to unintended/open
    redirect when clicked.

CVE-2020-4049

    When uploading themes, the name of the theme folder can be crafted
    in a way that could lead to JavaScript execution in /wp-admin on
    the themes page.

CVE-2020-4050

    Misuse of the `set-screen-option` filter's return value allows
    arbitrary user meta fields to be saved. It does require an admin
    to install a plugin that would misuse the filter. Once installed,
    it can be leveraged by low privileged users.

Additionally, this upload ensures latest comments can only be viewed
from public posts, and fixes back the user activation procedure.

For Debian 9 stretch, these problems have been fixed in version
4.7.18+dfsg-1+deb9u1.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wordpress

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl9biOsACgkQj/HLbo2J
BZ8V4wf/X3WmFd55W0aOBFGIa9thn9+cxH1jPeuZZV7rpV62m4ink1em5exVhTTq
uJxnGLYUJtI/EZJKgC9J5mdHcDK4gewIJhe7qG+8hqpT4eWK2P4CQnRCR79VT/y0
J/s37C1BSXSgIz+XS2DuvCKT0fH65GU6zn4icICT2D479JOc4szX2tpLJGn45COC
+3xfiVLZeGRzy8oHBmDgQGb31mvWccNHYMEn/Hj5jt5zZ97b6q5UVQpO7N+b2GiQ
7aminxrxru8Uwm1gE6J0o9ay1tcawQjlbU08OQRt5K1Nw2BqmlaBTiODUNVO7AVz
iPxnc5bTdl7vr0j4dGubmepB0z2DEg==
=YoV6
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX17JruNLKJtyKPYoAQi08g/+N8BsPkn6o6rrF+FRwIECgkwVrQy1g0jK
yPAcVozKYfDaJ0eBF5S4QnA3q4ZP5M5prPTtLwYu34hbYVsIcP+0980sxM6gE/j3
Yp3rS4AxKA/q7GL9T1UhhLB+aIInPc7+f9mrqkOmidDMasEeYObPEsM0zvvhSys9
3qeBVN6WWtDfFhpu9k112rr5+Pcvu/V9ZWZ9PRFmTtBcjE87fx5Pvby7/LILiGBa
wiXa3XT78TxveUwiW76PXL7k72Ss+LX4dPJGyqYxL3f0O+Qz8MroIaeC6wQ3k049
08ekEZLUVyPaoBIZIJjPAzbjSQs1WxbajtsVQfHU1qnzgOEGNtom+9/fo1DhT2Ih
+yi/DH/smkY5mNhbQ2YVCmgZ7nsm+kYVYqzi0snAz1Td3FNoGv3FUqJ4O/O/5GkI
vcsv0TshYbjvcSRcYB6QSowiO/WnzupAWoKXDpynf9J9Lfhrcg8Z1zTHo5Paph9e
yRxq7yhA5o1RiUXC76lsXD6W6KMFREO4a4ZZZRK1hxiPlJe8MqzpGR+CCEZp/IPn
XoXxZnNMiUTt6SP2YghC6coilOh+NW4dkNlqGh2RZf7bdb4o6qsmulEpdfjWBUm9
kXsg2kzrhhxduo0W1GlfEMkrplGL94pE/dMb9Lim/PHJcGUzg1DH/DZKENSbE35g
/OVsp34O0dI=
=Iu1v
-----END PGP SIGNATURE-----

Read More

The post ESB-2020.3139 – [Debian] wordpress: Multiple vulnerabilities appeared first on Malware Devil.

https://malwaredevil.com/2020/09/14/esb-2020-3139-debian-wordpress-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3139-debian-wordpress-multiple-vulnerabilities

ESB-2020.2935.2 – UPDATE [Appliance] BIG-IP: Overwrite arbitrary files – Existing account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.2935.2
               BIG-IP restjavad vulnerability CVE-2020-5912
                             14 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Overwrite Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-5912  

Original Bulletin: 
   https://support.f5.com/csp/article/K12936322

Revision History:  September 14 2020: Vendor updated advisory
                   August    26 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K12936322:BIG-IP restjavad vulnerability CVE-2020-5912

Security Advisory

Original Publication Date: 26 Aug, 2020

Latest   Publication Date: 12 Sep, 2020

Security Advisory Description

The restjavad process dump command does not follow current best coding
practices and may overwrite arbitrary files. (CVE-2020-5912)

Impact

A locally authenticated attacker may exploit this vulnerability by overwriting
arbitrary files on the file system.

Security Advisory Status

F5 Product Development has assigned ID 837773 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.

+----------------+------+-------------+----------+----------+------+----------+
|                |      |Versions     |Fixes     |          |CVSSv3|Vulnerable|
|Product         |Branch|known to be  |introduced|Severity  |score^|component |
|                |      |vulnerable   |in        |          |1     |or feature|
+----------------+------+-------------+----------+----------+------+----------+
|                |16.x  |None         |16.0.0    |          |      |          |
|                +------+-------------+----------+          |      |          |
|                |15.x  |15.1.0       |15.1.0.5  |          |      |          |
|                |      |15.0.0-15.0.1|15.0.1.4  |          |      |          |
|BIG-IP (LTM,    +------+-------------+----------+          |      |          |
|AAM, Advanced   |14.x  |14.1.0 -     |14.1.2.5  |          |      |          |
|WAF, AFM,       |      |14.1.2       |          |          |      |          |
|Analytics, APM, +------+-------------+----------+High      |7.1   |restjavad |
|ASM, DDHD, DNS, |13.x  |13.1.0 -     |13.1.3.4  |          |      |          |
|FPS, GTM, Link  |      |13.1.3       |          |          |      |          |
|Controller, PEM,+------+-------------+----------+          |      |          |
|SSLO)           |12.x  |12.1.0 -     |12.1.5.2  |          |      |          |
|                |      |12.1.5       |          |          |      |          |
|                +------+-------------+----------+          |      |          |
|                |11.x  |11.6.1 -     |11.6.5.2  |          |      |          |
|                |      |11.6.5       |          |          |      |          |
+----------------+------+-------------+----------+----------+------+----------+
|                |7.x   |None         |Not       |          |      |          |
|                |      |             |applicable|          |      |          |
|BIG-IQ          +------+-------------+----------+          |      |          |
|Centralized     |6.x   |None         |Not       |Not       |None  |None      |
|Management      |      |             |applicable|vulnerable|      |          |
|                +------+-------------+----------+          |      |          |
|                |5.x   |None         |Not       |          |      |          |
|                |      |             |applicable|          |      |          |
+----------------+------+-------------+----------+----------+------+----------+
|Traffix SDC     |5.x   |None         |Not       |Not       |None  |None      |
|                |      |             |applicable|vulnerable|      |          |
+----------------+------+-------------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability for the BIG-IP system, you should permit
management access to F5 products only over a secure network and limit shell
access to trusted users. For more information, refer to K13309: Restricting
access to the Configuration utility by source IP address (11.x - 16.x) and
K13092: Overview of securing access to the BIG-IP system.

Supplemental Information

o K41942608: Overview of security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K13092: Overview of securing access to the BIG-IP system

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX17HTeNLKJtyKPYoAQjcDRAAhRLhLagVLuhIPFM8g5lCHUNNsja0jDsu
c854OUyFxJfF12lMR5bAgOJddCGOh4a1tWf2VIsDwxHets2p+s1qZuDWPXlCOpPF
jiFqdS/+6ZbOY6rX04NG8YQ2no9k92EpmTqYakNcmNX6DnJYa8jqGBlSU3ne0weZ
3yOrgHbELrug1wYePdqpbM6EjRbBoyUO+EdNdz8PsrnEiBMq1QsEyYN/nbalH4cb
DHdUtq+fj109JG0evdG2+RnCe3mwrDnzj5GUDvYSaDHNuZqSC8T34dEQpcEEEqtc
mdE7+o3/SkqAHdQw70g0W0m2TdNUf9Qb+bcFqmLTqA9Jv85c7xzA0yHNIfCNSpPV
kPz/oN+KdyEqkiJioUtLGwvyIqmzjSYAspMkN3CSF9AXEO9IMvw1oKv2iT1BlNOc
c6pRLNSnu6N+bMJ2wfGk/TClVKQaA0e3naR8Et0Ln43kb/OcdtNTgwNg17PFXgL0
hFOg7rxABAyivCZQjl3aYEhjdPWstvnzGexF3RFJ/nyAca3IxCORYgFsbvZWs8md
Z0ovqosHwdRwEF68XmULQRu5c4Ox4VRWBft/lXh04W7L8tnV2bENRI3bXdztQXMs
ynS5pgZlcSN7m99Ct7YAndIhCBo4CN3iyenY9SxaB1mP2Yg1Cdqo5V8b3zKK/K7W
nbBBQidMIjo=
=S4Yw
-----END PGP SIGNATURE-----

Read More

The post ESB-2020.2935.2 – UPDATE [Appliance] BIG-IP: Overwrite arbitrary files – Existing account appeared first on Malware Devil.

https://malwaredevil.com/2020/09/14/esb-2020-2935-2-update-appliance-big-ip-overwrite-arbitrary-files-existing-account/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-2935-2-update-appliance-big-ip-overwrite-arbitrary-files-existing-account

ESB-2020.3092.2 – UPDATE [Appliance] F5 Products: Denial of service – Remote/unauthenticated

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3092.2
                    NTP vulnerabilities CVE-2020-13187
                             14 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13187  

Original Bulletin: 
   https://support.f5.com/csp/article/K55376430

Revision History:  September 14 2020: Vendor updated advisory
                   September  9 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K55376430:NTP vulnerabilities CVE-2020-13817

Security Advisory

Original Publication Date: 09 Sep, 2020

Latest   Publication Date: 13 Sep, 2020

Security Advisory Description

The ntpd in the network time protocol (NTP) before 4.2.8p14, and in 4.3.x
before 4.3.100, allows remote attackers to cause a denial-of-service (DoS),
either daemon exit or system time change, by predicting transmit timestamps for
use in spoofed packets. The victim must be relying on unauthenticated IPv4 time
sources. There must be an off-path attacker who can query time from the
victim's ntpd instance. (CVE-2020-13817)

Impact

An attacker who can send a large number of packets with the spoofed IPv4
address of the upstream server can use this flaw to modify the victim's clock
by a limited amount or cause ntpd to exit.

BIG-IP

Your BIG-IP system is affected only when you configure it as an NTP server, and
sources for the BIG-IP system's time are unreliable, unauthenticated, upstream
NTP servers.

BIG-IQ

The BIG-IQ system is not directly affected by this vulnerability, but it
inherits the vulnerability from the BIG-IP system.

Security Advisory Status

F5 Product Development has assigned ID 931837 (BIG-IP), ID 934609 (BIG-IQ), and
CPF-25203 and CPF-25204 (Traffix) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.

+---------------------+------+----------+----------+--------+------+----------+
|                     |      |Versions  |Fixes     |        |CVSSv3|Vulnerable|
|Product              |Branch|known to  |introduced|Severity|score^|component |
|                     |      |be        |in        |        |1     |or feature|
|                     |      |vulnerable|          |        |      |          |
+---------------------+------+----------+----------+--------+------+----------+
|                     |16.x  |16.0.0    |Not       |        |      |          |
|                     |      |          |applicable|        |      |          |
|                     +------+----------+----------+        |      |          |
|                     |15.x  |15.1.0    |Not       |        |      |          |
|                     |      |          |applicable|        |      |          |
|BIG-IP (LTM, AAM,    +------+----------+----------+        |      |          |
|Advanced WAF, AFM,   |14.x  |14.1.0 -  |Not       |        |      |          |
|Analytics, APM, ASM, |      |14.1.2    |applicable|        |      |          |
|DDHD, DNS, FPS, GTM, +------+----------+----------+Medium  |6.5   |ntpd      |
|Link Controller, PEM,|13.x  |13.1.0 -  |Not       |        |      |          |
|SSLO)                |      |13.1.3    |applicable|        |      |          |
|                     +------+----------+----------+        |      |          |
|                     |12.x  |12.1.0 -  |Not       |        |      |          |
|                     |      |12.1.5    |applicable|        |      |          |
|                     +------+----------+----------+        |      |          |
|                     |11.x  |11.6.1 -  |Not       |        |      |          |
|                     |      |11.6.5    |applicable|        |      |          |
+---------------------+------+----------+----------+--------+------+----------+
|                     |7.x   |7.0.0 -   |Not       |        |      |          |
|                     |      |7.1.0     |applicable|        |      |          |
|                     +------+----------+----------+        |      |          |
|BIG-IQ Centralized   |6.x   |6.0.0 -   |Not       |Medium  |6.5   |ntpd      |
|Management           |      |6.1.0     |applicable|        |      |          |
|                     +------+----------+----------+        |      |          |
|                     |5.x   |5.4.0     |Not       |        |      |          |
|                     |      |          |applicable|        |      |          |
+---------------------+------+----------+----------+--------+------+----------+
|Traffix SDC          |5.x   |5.1.0     |Not       |High    |7.4   |ntpd      |
|                     |      |          |applicable|        |      |          |
+---------------------+------+----------+----------+--------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you should perform the following recommended
modifications to the NTP service on your BIG-IP system:

 1. Configure the BIG-IP system to use only authenticated time sources.
 2. Configure NTP packet authentication with symmetric keys.
 3. Configure the NTP service to use multiple time sources to reduce the risk
    of the vulnerability.
 4. If your NTP client must get unauthenticated time over IPv4 on a hostile
    network, configure the BIG-IP system as an NTP server to use restrict
    no-serve-packets to block time service to the specified network to prevent
    this attack (note that this is a heavy-handed protection).
 5. Monitor log messages in /var/log/ltm and /var/log/daemon from the ntpd 
    daemon.

Procedures

  o Configuring the BIG-IP system to use only authenticated time sources
  o Configuring NTP packet authentication with symmetric keys
  o Configuring the NTP service to use multiple time sources
  o Configuring the BIG-IP system as an NTP server to use restrict
    no-serve-packets

Configuring the BIG-IP system to use only authenticated time sources

To configure the BIG-IP system to use only authenticated time sources, refer to
the Configuring the BIG-IP system to synchronize with an NTP server only if
authentication is successful section in K14120: Defining advanced NTP
configurations on the BIG-IP system (11.x - 15.x).

Configuring NTP packet authentication with symmetric keys

To configure NTP packet authentication on the BIG-IP system, refer to the 
Symmetric key authentication section in K14120: Defining advanced NTP
configurations on the BIG-IP system (11.x - 15.x).

Configuring the NTP service to use multiple time sources

To mitigate the risk of the vulnerability, you can add multiple time sources
for the NTP service.

To add multiple time sources on the BIG-IP system, do the following:

Impact of action: Performing the following procedure should not have a negative
impact on your system.

 1. Log in to the Configuration utility.
 2. Navigate to System > Configuration > Device > NTP.
 3. In Address, enter the IP address of the NTP server you want, and then click
    Add.

    The IP address displays in the Time Server List.

 4. Repeat step 3 for each NTP server you want.
 5. Select Update.

Configuring the BIG-IP system as an NTP server to use restrict no-serve-packets

To configure the BIG-IP system as an NTP server that does not serve time to a
subnet/host, use the restrict no-serve-packets option.

To use the restrict no-serve-packets option, do the following:

Impact of procedure: Performing the following procedure should not have a
negative impact on your system.

 1. Ensure that the self IP on which you want to listen for NTP requests is
    configured to accept User Datagram Protocol (UDP) traffic on port 123.

    If you need to adjust the Port Lockdown setting of the self IP, do the
    following:

     1. Go to Network > Self IPs
     2. Select the IP you want.
     3. In the Port Lockdown list, select the setting you want.
     4. Select Update.

    Note: For more information, refer to K13250: Overview of port lockdown
    behavior (10.x - 11.x) or K17333: Overview of port lockdown behavior (12.x
    - 16.x).

 2. Log in to tmsh by entering the following command:

    tmsh

 3. To configure an access restriction to not serve time to a subnet/host, use
    the following command syntax:

    modify sys ntp restrict add {  { address  mask 
    no-serve-packets enabled } }

    For example, to configure an access restriction named ntp_restriction for
    the 192.168.1.0/24 subnet with no-trap, no-serve-packets, and no-modify
    enabled, enter the following command:

    modify sys ntp restrict add { ntp_restriction { address 192.168.1.0 mask
    255.255.255.0 no-trap enabled no-serve-packets enabled no-modify enabled }
    }

 4. Save the configuration to memory by entering the following command:

    save sys config

Supplemental Information

o K41942608: Overview of security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K15106: Managing BIG-IQ product hotfixes
  o K15113: BIG-IQ hotfix and point release matrix
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX17HXeNLKJtyKPYoAQgw9Q/+PVAGa4OUicOWkrp/3R7I9HroUzO152Ae
f0K+s4IbVoOeO7802GdOTxeZjXv6G9nLfmRykyf4qzvULR8bCIwiV1u5Frz4t1aD
VA/CtmapGHkOBiJbC2HDLS96b5m0I1NwYD36hRRfp7CRUtN22AV+xkTV9ZHIY9qK
VbYU580hKM53v0oCwYh/VeyZuMo2x/9Kk+tGo2FEjF0mQ7jqhr8DE9SRjV0gr4NF
eQ7Snl3uxsKCmkTqiLyuqAGN1H6PwDD8f2eS7LX7wXn+GBUtiu+dWtdWVfZ7+FcB
EdUv5b1FkhVC/4T2f+IJZ158DmC6lo//qmNyw2NTbuPG69FZZ1IwrlyGWc9HBg2G
HJi/DKJgW6H6l6hVIsz1q1IFfsVJO1fMt/ufisoUXVfjdpEATHKqLxNccBznT85+
+TrmzAlKZ7ifq3JWaiCyzBVHZmTaTg9Bv1S2DU1ST1sC+zAQTtrwjkf9FluWIi7J
0bqjjof0dRfQRY09n+fzq8QQFK0O/JYtpPIQ+JSgOeOuUQ+aIqSbK/ut4/38YkoZ
kFElmol2aP7o62L264Vn/G5DE8b5hvOt9XsZU7VvcrAok+iyK6r3HbtfCXffyHi3
Toi6u+hsEqo+vtyXfn2gZv9hROLNqzT740CDz8n3vyC1FnrytVla8b+kf4zM1c7w
32NONyDq7pk=
=n6r8
-----END PGP SIGNATURE-----

Read More

The post ESB-2020.3092.2 – UPDATE [Appliance] F5 Products: Denial of service – Remote/unauthenticated appeared first on Malware Devil.

https://malwaredevil.com/2020/09/14/esb-2020-3092-2-update-appliance-f5-products-denial-of-service-remote-unauthenticated/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3092-2-update-appliance-f5-products-denial-of-service-remote-unauthenticated