Malware Devil

Friday, November 6, 2020

ESB-2020.3901 – [RedHat] freerdp and vinagre: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3901
       freerdp and vinagre security, bug fix, and enhancement update
                              6 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           freerdp
                   vinagre
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13397 CVE-2020-13396 CVE-2020-11526
                   CVE-2020-11525 CVE-2020-11522 CVE-2020-11089
                   CVE-2020-11088 CVE-2020-11087 CVE-2020-11086
                   CVE-2020-11085 CVE-2020-11058 CVE-2020-11049
                   CVE-2020-11048 CVE-2020-11047 CVE-2020-11046
                   CVE-2020-11045 CVE-2020-11044 CVE-2020-11043
                   CVE-2020-11042 CVE-2020-11041 CVE-2020-11040
                   CVE-2020-11039 CVE-2020-11038 CVE-2020-11019
                   CVE-2020-11018  

Reference:         ESB-2020.3398
                   ESB-2020.2979
                   ESB-2020.2847
                   ESB-2020.2611

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:4647

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: freerdp and vinagre security, bug fix, and enhancement update
Advisory ID:       RHSA-2020:4647-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4647
Issue date:        2020-11-03
CVE Names:         CVE-2020-11018 CVE-2020-11019 CVE-2020-11038 
                   CVE-2020-11039 CVE-2020-11040 CVE-2020-11041 
                   CVE-2020-11042 CVE-2020-11043 CVE-2020-11044 
                   CVE-2020-11045 CVE-2020-11046 CVE-2020-11047 
                   CVE-2020-11048 CVE-2020-11049 CVE-2020-11058 
                   CVE-2020-11085 CVE-2020-11086 CVE-2020-11087 
                   CVE-2020-11088 CVE-2020-11089 CVE-2020-11522 
                   CVE-2020-11525 CVE-2020-11526 CVE-2020-13396 
                   CVE-2020-13397 
=====================================================================

1. Summary:

An update for freerdp and vinagre is now available for Red Hat Enterprise
Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP),
released under the Apache license. The xfreerdp client can connect to RDP
servers such as Microsoft Windows machines, xrdp, and VirtualBox.

The vinagre packages provide the Vinagre remote desktop viewer for the
GNOME desktop.

The following packages have been upgraded to a later upstream version:
freerdp (2.1.1). (BZ#1834287)

Security Fix(es):

* freerdp: Out of bound read in cliprdr_server_receive_capabilities
(CVE-2020-11018)

* freerdp: Out of bound read/write in usb redirection channel
(CVE-2020-11039)

* freerdp: out-of-bounds read in update_read_icon_info function
(CVE-2020-11042)

* freerdp: out-of-bounds read in autodetect_recv_bandwidth_measure_results
function (CVE-2020-11047)

* freerdp: Out-of-bounds read in ntlm_read_ChallengeMessage in
winpr/libwinpr/sspi/NTLM/ntlm_message.c. (CVE-2020-13396)

* freerdp: Out-of-bounds read in security_fips_decrypt in
libfreerdp/core/security.c (CVE-2020-13397)

* freerdp: Out of bound read in update_recv could result in a crash
(CVE-2020-11019)

* freerdp: Integer overflow in VIDEO channel (CVE-2020-11038)

* freerdp: Out of bound access in clear_decompress_subcode_rlex
(CVE-2020-11040)

* freerdp: Unchecked read of array offset in rdpsnd_recv_wave2_pdu
(CVE-2020-11041)

* freerdp: out of bound read in rfx_process_message_tileset
(CVE-2020-11043)

* freerdp: double free in update_read_cache_bitmap_v3_order function
(CVE-2020-11044)

* freerdp: out of bounds read in update_read_bitmap_data function
(CVE-2020-11045)

* freerdp: out of bounds seek in update_read_synchronize function could
lead to an out-of-bounds read (CVE-2020-11046)

* freerdp: out-of-bounds read could result in aborting the session
(CVE-2020-11048)

* freerdp: out-of-bound read of client memory that is then passed on to the
protocol parser (CVE-2020-11049)

* freerdp: stream out-of-bounds seek in rdp_read_font_capability_set could
lead to out-of-bounds read (CVE-2020-11058)

* freerdp: out-of-bounds read in cliprdr_read_format_list function
(CVE-2020-11085)

* freerdp: out-of-bounds read in ntlm_read_ntlm_v2_client_challenge
function (CVE-2020-11086)

* freerdp: out-of-bounds read in ntlm_read_AuthenticateMessage
(CVE-2020-11087)

* freerdp: out-of-bounds read in ntlm_read_NegotiateMessage
(CVE-2020-11088)

* freerdp: out-of-bounds read in irp functions (CVE-2020-11089)

* freerdp: out-of-bounds read in gdi.c (CVE-2020-11522)

* freerdp: out-of-bounds read in bitmap.c (CVE-2020-11525)

* freerdp: Stream pointer out of bounds in update_recv_secondary_order
could lead to an out-of-bounds read later (CVE-2020-11526)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1761144 - Remove unsupported options from xfreerdp /help
1803054 - SCARD_INSUFFICIENT_BUFFER error when connecting to Windows 10 system
1834287 - Update freerdp to 2.1.1
1835382 - CVE-2020-11042 freerdp: out-of-bounds read in update_read_icon_info function
1835391 - CVE-2020-11044 freerdp: double free in update_read_cache_bitmap_v3_order function
1835399 - CVE-2020-11045 freerdp: out of bounds read in update_read_bitmap_data function
1835403 - CVE-2020-11046 freerdp: out of bounds seek in update_read_synchronize function could lead out of bounds read
1835762 - CVE-2020-11047 freerdp: out-of-bounds read in autodetect_recv_bandwidth_measure_results function
1835766 - CVE-2020-11048 freerdp: out-of-bounds read could result in aborting the session
1835772 - CVE-2020-11049 freerdp: out-of-bound read of client memory that is then passed on to the protocol parser
1835779 - CVE-2020-11058 freerdp: stream out-of-bounds seek in rdp_read_font_capability_set could lead to out-of-bounds read
1836223 - CVE-2020-11522 freerdp: out-of-bounds read in gdi.c
1836239 - CVE-2020-11525 freerdp: out-of-bounds read in bitmap.c
1836247 - CVE-2020-11526 freerdp: Stream pointer out of bounds in update_recv_secondary_order could lead out of bounds read later
1839744 - Rebuild vinagre against new freerdp
1841189 - CVE-2020-13396 freerdp: Out-of-bounds read in ntlm_read_ChallengeMessage in winpr/libwinpr/sspi/NTLM/ntlm_message.c.
1841196 - CVE-2020-13397 freerdp: Out-of-bounds read in security_fips_decrypt in libfreerdp/core/security.c
1844161 - CVE-2020-11085 freerdp: out-of-bounds read in cliprdr_read_format_list function
1844166 - CVE-2020-11086 freerdp: out-of-bounds read in ntlm_read_ntlm_v2_client_challenge function
1844171 - CVE-2020-11087 freerdp: out-of-bounds read in ntlm_read_AuthenticateMessage
1844177 - CVE-2020-11088 freerdp: out-of-bounds read in ntlm_read_NegotiateMessage
1844184 - CVE-2020-11089 freerdp: out-of-bounds read in irp functions
1848008 - CVE-2020-11018 freerdp: Out of bound read in cliprdr_server_receive_capabilities
1848012 - CVE-2020-11019 freerdp: Out of bound read in update_recv could result in a crash
1848018 - CVE-2020-11038 freerdp: Integer overflow in VIDEO channel
1848022 - CVE-2020-11039 freerdp: Out of bound read/write in usb redirection channel
1848029 - CVE-2020-11040 freerdp: Out of bound access in clear_decompress_subcode_rlex
1848034 - CVE-2020-11041 freerdp: Unchecked read of array offset in rdpsnd_recv_wave2_pdu
1848038 - CVE-2020-11043 freerdp: out of bound read in rfx_process_message_tileset

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
freerdp-2.1.1-1.el8.src.rpm
vinagre-3.22.0-23.el8.src.rpm

aarch64:
freerdp-2.1.1-1.el8.aarch64.rpm
freerdp-debuginfo-2.1.1-1.el8.aarch64.rpm
freerdp-debugsource-2.1.1-1.el8.aarch64.rpm
freerdp-libs-2.1.1-1.el8.aarch64.rpm
freerdp-libs-debuginfo-2.1.1-1.el8.aarch64.rpm
libwinpr-2.1.1-1.el8.aarch64.rpm
libwinpr-debuginfo-2.1.1-1.el8.aarch64.rpm
libwinpr-devel-2.1.1-1.el8.aarch64.rpm
vinagre-3.22.0-23.el8.aarch64.rpm
vinagre-debuginfo-3.22.0-23.el8.aarch64.rpm
vinagre-debugsource-3.22.0-23.el8.aarch64.rpm

ppc64le:
freerdp-2.1.1-1.el8.ppc64le.rpm
freerdp-debuginfo-2.1.1-1.el8.ppc64le.rpm
freerdp-debugsource-2.1.1-1.el8.ppc64le.rpm
freerdp-libs-2.1.1-1.el8.ppc64le.rpm
freerdp-libs-debuginfo-2.1.1-1.el8.ppc64le.rpm
libwinpr-2.1.1-1.el8.ppc64le.rpm
libwinpr-debuginfo-2.1.1-1.el8.ppc64le.rpm
libwinpr-devel-2.1.1-1.el8.ppc64le.rpm
vinagre-3.22.0-23.el8.ppc64le.rpm
vinagre-debuginfo-3.22.0-23.el8.ppc64le.rpm
vinagre-debugsource-3.22.0-23.el8.ppc64le.rpm

s390x:
freerdp-2.1.1-1.el8.s390x.rpm
freerdp-debuginfo-2.1.1-1.el8.s390x.rpm
freerdp-debugsource-2.1.1-1.el8.s390x.rpm
freerdp-libs-2.1.1-1.el8.s390x.rpm
freerdp-libs-debuginfo-2.1.1-1.el8.s390x.rpm
libwinpr-2.1.1-1.el8.s390x.rpm
libwinpr-debuginfo-2.1.1-1.el8.s390x.rpm
libwinpr-devel-2.1.1-1.el8.s390x.rpm
vinagre-3.22.0-23.el8.s390x.rpm
vinagre-debuginfo-3.22.0-23.el8.s390x.rpm
vinagre-debugsource-3.22.0-23.el8.s390x.rpm

x86_64:
freerdp-2.1.1-1.el8.x86_64.rpm
freerdp-debuginfo-2.1.1-1.el8.i686.rpm
freerdp-debuginfo-2.1.1-1.el8.x86_64.rpm
freerdp-debugsource-2.1.1-1.el8.i686.rpm
freerdp-debugsource-2.1.1-1.el8.x86_64.rpm
freerdp-libs-2.1.1-1.el8.i686.rpm
freerdp-libs-2.1.1-1.el8.x86_64.rpm
freerdp-libs-debuginfo-2.1.1-1.el8.i686.rpm
freerdp-libs-debuginfo-2.1.1-1.el8.x86_64.rpm
libwinpr-2.1.1-1.el8.i686.rpm
libwinpr-2.1.1-1.el8.x86_64.rpm
libwinpr-debuginfo-2.1.1-1.el8.i686.rpm
libwinpr-debuginfo-2.1.1-1.el8.x86_64.rpm
libwinpr-devel-2.1.1-1.el8.i686.rpm
libwinpr-devel-2.1.1-1.el8.x86_64.rpm
vinagre-3.22.0-23.el8.x86_64.rpm
vinagre-debuginfo-3.22.0-23.el8.x86_64.rpm
vinagre-debugsource-3.22.0-23.el8.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:
freerdp-debuginfo-2.1.1-1.el8.aarch64.rpm
freerdp-debugsource-2.1.1-1.el8.aarch64.rpm
freerdp-devel-2.1.1-1.el8.aarch64.rpm
freerdp-libs-debuginfo-2.1.1-1.el8.aarch64.rpm
libwinpr-debuginfo-2.1.1-1.el8.aarch64.rpm

ppc64le:
freerdp-debuginfo-2.1.1-1.el8.ppc64le.rpm
freerdp-debugsource-2.1.1-1.el8.ppc64le.rpm
freerdp-devel-2.1.1-1.el8.ppc64le.rpm
freerdp-libs-debuginfo-2.1.1-1.el8.ppc64le.rpm
libwinpr-debuginfo-2.1.1-1.el8.ppc64le.rpm

s390x:
freerdp-debuginfo-2.1.1-1.el8.s390x.rpm
freerdp-debugsource-2.1.1-1.el8.s390x.rpm
freerdp-devel-2.1.1-1.el8.s390x.rpm
freerdp-libs-debuginfo-2.1.1-1.el8.s390x.rpm
libwinpr-debuginfo-2.1.1-1.el8.s390x.rpm

x86_64:
freerdp-debuginfo-2.1.1-1.el8.i686.rpm
freerdp-debuginfo-2.1.1-1.el8.x86_64.rpm
freerdp-debugsource-2.1.1-1.el8.i686.rpm
freerdp-debugsource-2.1.1-1.el8.x86_64.rpm
freerdp-devel-2.1.1-1.el8.i686.rpm
freerdp-devel-2.1.1-1.el8.x86_64.rpm
freerdp-libs-debuginfo-2.1.1-1.el8.i686.rpm
freerdp-libs-debuginfo-2.1.1-1.el8.x86_64.rpm
libwinpr-debuginfo-2.1.1-1.el8.i686.rpm
libwinpr-debuginfo-2.1.1-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-11018
https://access.redhat.com/security/cve/CVE-2020-11019
https://access.redhat.com/security/cve/CVE-2020-11038
https://access.redhat.com/security/cve/CVE-2020-11039
https://access.redhat.com/security/cve/CVE-2020-11040
https://access.redhat.com/security/cve/CVE-2020-11041
https://access.redhat.com/security/cve/CVE-2020-11042
https://access.redhat.com/security/cve/CVE-2020-11043
https://access.redhat.com/security/cve/CVE-2020-11044
https://access.redhat.com/security/cve/CVE-2020-11045
https://access.redhat.com/security/cve/CVE-2020-11046
https://access.redhat.com/security/cve/CVE-2020-11047
https://access.redhat.com/security/cve/CVE-2020-11048
https://access.redhat.com/security/cve/CVE-2020-11049
https://access.redhat.com/security/cve/CVE-2020-11058
https://access.redhat.com/security/cve/CVE-2020-11085
https://access.redhat.com/security/cve/CVE-2020-11086
https://access.redhat.com/security/cve/CVE-2020-11087
https://access.redhat.com/security/cve/CVE-2020-11088
https://access.redhat.com/security/cve/CVE-2020-11089
https://access.redhat.com/security/cve/CVE-2020-11522
https://access.redhat.com/security/cve/CVE-2020-11525
https://access.redhat.com/security/cve/CVE-2020-11526
https://access.redhat.com/security/cve/CVE-2020-13396
https://access.redhat.com/security/cve/CVE-2020-13397
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

https://malwaredevil.com/2020/11/06/esb-2020-3901-redhat-freerdp-and-vinagre-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3901-redhat-freerdp-and-vinagre-multiple-vulnerabilities

ESB-2020.3900 – [RedHat] SDL: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3900
                            SDL security update
                              6 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SDL
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-7638 CVE-2019-7637 CVE-2019-7636
                   CVE-2019-7635 CVE-2019-7578 CVE-2019-7577
                   CVE-2019-7576 CVE-2019-7575 CVE-2019-7574
                   CVE-2019-7573 CVE-2019-7572 

Reference:         ESB-2020.3383
                   ESB-2020.0169
                   ESB-2019.3862
                   ESB-2019.3857

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:4627

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: SDL security update
Advisory ID:       RHSA-2020:4627-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4627
Issue date:        2020-11-03
CVE Names:         CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 
                   CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 
                   CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 
                   CVE-2019-7637 CVE-2019-7638 
=====================================================================

1. Summary:

An update for SDL is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Simple DirectMedia Layer (SDL) is a cross-platform multimedia library
designed to provide fast access to the graphics frame buffer and audio
device.

Security Fix(es):

* SDL: buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c
(CVE-2019-7572)

* SDL: heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c
(CVE-2019-7575)

* SDL: heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c
(CVE-2019-7636)

* SDL: heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c
(CVE-2019-7637)

* SDL: heap-based buffer over-read in Map1toN in video/SDL_pixels.c
(CVE-2019-7638)

* SDL: heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c
(CVE-2019-7573)

* SDL: heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c
(CVE-2019-7574)

* SDL: heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c
(CVE-2019-7576)

* SDL: buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c
(CVE-2019-7577)

* SDL: heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c
(CVE-2019-7578)

* SDL: heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c
(CVE-2019-7635)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1676509 - CVE-2019-7577 SDL: buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c
1676743 - CVE-2019-7575 SDL: heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c
1676749 - CVE-2019-7574 SDL: heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c
1676751 - CVE-2019-7573 SDL: heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c
1676753 - CVE-2019-7572 SDL: buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c
1676755 - CVE-2019-7576 SDL: heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c
1676781 - CVE-2019-7578 SDL: heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c
1677143 - CVE-2019-7638 SDL: heap-based buffer over-read in Map1toN in video/SDL_pixels.c
1677151 - CVE-2019-7637 SDL: heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c
1677156 - CVE-2019-7636 SDL: heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c
1677158 - CVE-2019-7635 SDL: heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
SDL-1.2.15-38.el8.src.rpm

aarch64:
SDL-1.2.15-38.el8.aarch64.rpm
SDL-debuginfo-1.2.15-38.el8.aarch64.rpm
SDL-debugsource-1.2.15-38.el8.aarch64.rpm
SDL-devel-1.2.15-38.el8.aarch64.rpm

ppc64le:
SDL-1.2.15-38.el8.ppc64le.rpm
SDL-debuginfo-1.2.15-38.el8.ppc64le.rpm
SDL-debugsource-1.2.15-38.el8.ppc64le.rpm
SDL-devel-1.2.15-38.el8.ppc64le.rpm

s390x:
SDL-1.2.15-38.el8.s390x.rpm
SDL-debuginfo-1.2.15-38.el8.s390x.rpm
SDL-debugsource-1.2.15-38.el8.s390x.rpm
SDL-devel-1.2.15-38.el8.s390x.rpm

x86_64:
SDL-1.2.15-38.el8.i686.rpm
SDL-1.2.15-38.el8.x86_64.rpm
SDL-debuginfo-1.2.15-38.el8.i686.rpm
SDL-debuginfo-1.2.15-38.el8.x86_64.rpm
SDL-debugsource-1.2.15-38.el8.i686.rpm
SDL-debugsource-1.2.15-38.el8.x86_64.rpm
SDL-devel-1.2.15-38.el8.i686.rpm
SDL-devel-1.2.15-38.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
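An added example, not part of the Red Hat advisories or the AusCERT bulletins: a Python checker that takes package lines from the two RHSA package lists above (freerdp/vinagre and SDL) and compares them, using rpm's own segment-based version ordering, against an installed inventory in the format `rpm -qa` prints. The inventory below is constructed, the filenames are assumed to carry no epoch, and on a live host `dnf updateinfo` remains the usual way to ask the same question.

```python
import re
from typing import Dict, List, Tuple

# Segment grammar used by rpm's rpmvercmp(): digit runs, letter runs, and the
# special '~' (pre-release) and '^' (post-release) markers. Anything else is a
# separator and is dropped.
_SEG = re.compile(r"\d+|[A-Za-z]+|~|\^")

EVR = Tuple[str, str, str]  # (epoch, version, release)


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.
    Rules follow rpm: numeric segments compare as integers and beat alphabetic
    ones, '~' sorts before anything (even end of string), '^' sorts after end
    of string but before any other segment, and when all shared segments tie
    the string with segments left over is the newer one."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for i in range(max(len(sa), len(sb))):
        ta = sa[i] if i < len(sa) else None
        tb = sb[i] if i < len(sb) else None
        if ta == tb:
            continue
        if ta == "~" or tb == "~":
            return -1 if ta == "~" else 1
        if ta == "^" or tb == "^":
            if ta is None or tb is None:
                return 1 if ta == "^" else -1
            return -1 if ta == "^" else 1
        if ta is None or tb is None:
            return 1 if tb is None else -1
        if ta.isdigit() != tb.isdigit():
            return 1 if ta.isdigit() else -1
        if ta.isdigit():
            na, nb = int(ta), int(tb)
            if na == nb:  # e.g. "01" vs "1"
                continue
            return 1 if na > nb else -1
        return 1 if ta > tb else -1
    return 0


def evrcmp(a: EVR, b: EVR) -> int:
    """Compare (epoch, version, release) triples; the first difference wins."""
    for x, y in zip(a, b):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def parse_nevra(pkg: str) -> Tuple[str, EVR, str]:
    """Split 'name-version-release.arch[.rpm]' into (name, EVR, arch).
    Filenames carry no epoch, so 0 is assumed (assumption: none of the
    packages in these advisories use an epoch)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    nvr, arch = pkg.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, ("0", version, release), arch


def find_unpatched(advisory_rpms: List[str], installed: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (name, arch, installed_vr, fixed_vr) for each installed package
    that the advisory ships a newer build of. Source RPMs are skipped because
    they never describe an installed state."""
    fixed: Dict[Tuple[str, str], EVR] = {}
    for rpm in advisory_rpms:
        name, evr, arch = parse_nevra(rpm)
        if arch != "src":
            fixed[(name, arch)] = evr
    findings = []
    for line in installed:
        name, evr, arch = parse_nevra(line)
        want = fixed.get((name, arch))
        if want is not None and evrcmp(evr, want) < 0:
            findings.append((name, arch, "-".join(evr[1:]), "-".join(want[1:])))
    return findings


# Subset of the package lines from RHSA-2020:4647 and RHSA-2020:4627 above.
ADVISORY_RPMS = [
    "freerdp-2.1.1-1.el8.src.rpm",
    "freerdp-2.1.1-1.el8.x86_64.rpm",
    "freerdp-libs-2.1.1-1.el8.i686.rpm",
    "freerdp-libs-2.1.1-1.el8.x86_64.rpm",
    "libwinpr-2.1.1-1.el8.x86_64.rpm",
    "vinagre-3.22.0-23.el8.x86_64.rpm",
    "SDL-1.2.15-38.el8.x86_64.rpm",
]

# Constructed inventory in `rpm -qa` output format (not from a real host):
# freerdp is still on a made-up pre-advisory build, vinagre and SDL are
# already at the fixed level, bash is unrelated to either advisory.
INSTALLED = [
    "freerdp-2.0.0-46.el8.x86_64",
    "freerdp-libs-2.0.0-46.el8.x86_64",
    "vinagre-3.22.0-23.el8.x86_64",
    "SDL-1.2.15-38.el8.x86_64",
    "bash-4.4.19-12.el8.x86_64",
]

if __name__ == "__main__":
    for name, arch, have, want in find_unpatched(ADVISORY_RPMS, INSTALLED):
        print(f"{name}.{arch}: installed {have}, advisory ships {want}")
```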

7. References:

https://access.redhat.com/security/cve/CVE-2019-7572
https://access.redhat.com/security/cve/CVE-2019-7573
https://access.redhat.com/security/cve/CVE-2019-7574
https://access.redhat.com/security/cve/CVE-2019-7575
https://access.redhat.com/security/cve/CVE-2019-7576
https://access.redhat.com/security/cve/CVE-2019-7577
https://access.redhat.com/security/cve/CVE-2019-7578
https://access.redhat.com/security/cve/CVE-2019-7635
https://access.redhat.com/security/cve/CVE-2019-7636
https://access.redhat.com/security/cve/CVE-2019-7637
https://access.redhat.com/security/cve/CVE-2019-7638
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------


https://malwaredevil.com/2020/11/06/esb-2020-3900-redhat-sdl-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3900-redhat-sdl-multiple-vulnerabilities

ESB-2020.3899 – [Debian] libonig: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3899
                          libonig security update
                              6 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libonig
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-26159 CVE-2019-19246 CVE-2019-19204
                   CVE-2019-19203 CVE-2019-19012 CVE-2019-16163
                   CVE-2019-13224  

Reference:         ESB-2020.3072
                   ESB-2020.2827
                   ESB-2019.4556
                   ESB-2019.3485

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/11/msg00006.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2431-1               debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Markus Koschany
November 05, 2020                            https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : libonig
Version        : 6.1.3-2+deb9u1
CVE ID         : CVE-2019-13224 CVE-2019-16163 CVE-2019-19012
                 CVE-2019-19203 CVE-2019-19204 CVE-2019-19246
                 CVE-2020-26159
Debian Bug     : 931878 939988 944959 945312 945313 946344 972113

Several vulnerabilities were discovered in the Oniguruma regular
expressions library, notably used in PHP mbstring.

CVE-2019-13224

   A use-after-free in onig_new_deluxe() in regext.c allows
   attackers to potentially cause information disclosure, denial of
   service, or possibly code execution by providing a crafted regular
   expression. The attacker provides a pair of a regex pattern and a
   string, with a multi-byte encoding that gets handled by
   onig_new_deluxe().

CVE-2019-16163

    Oniguruma allows Stack Exhaustion in regcomp.c because of recursion
    in regparse.c.

CVE-2019-19012

    An integer overflow in the search_in_range function in regexec.c in
    Oniguruma leads to an out-of-bounds read, in which the offset of
    this read is under the control of an attacker. (This only affects
    the 32-bit compiled version.) Remote attackers can cause a
    denial-of-service or information disclosure, or possibly have
    unspecified other impact, via a crafted regular expression.

CVE-2019-19203

    An issue was discovered in Oniguruma. In the function
    gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is
    dereferenced without checking if it passed the end of the matched
    string. This leads to a heap-based buffer over-read.

CVE-2019-19204

    An issue was discovered in Oniguruma. In the function
    fetch_interval_quantifier (formerly known as fetch_range_quantifier)
    in regparse.c, PFETCH is called without checking PEND. This leads to
    a heap-based buffer over-read.

CVE-2019-19246

    Oniguruma has a heap-based buffer over-read in str_lower_case_match
    in regexec.c.

CVE-2020-26159

    In Oniguruma an attacker able to supply a regular expression for
    compilation may be able to overflow a buffer by one byte in
    concat_opt_exact_str in src/regcomp.c.

For Debian 9 stretch, these problems have been fixed in version
6.1.3-2+deb9u1.

We recommend that you upgrade your libonig packages.

For the detailed security status of libonig please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libonig

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

The post ESB-2020.3899 – [Debian] libonig: Multiple vulnerabilities appeared first on Malware Devil.

https://malwaredevil.com/2020/11/06/esb-2020-3899-debian-libonig-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3899-debian-libonig-multiple-vulnerabilities

Abusing JWT (JSON Web Tokens) – Sven Morgenroth – PSW #673

Learn how JWTs are implemented, both the correct way and the insecure way. Spoiler alert, most implement them insecurely. Sven will also show you some of the common attacks against JWTs, for use in your next penetration test, bug bounty, or conversation with your developers!

This segment is sponsored by Netsparker.

Visit https://securityweekly.com/netsparker to learn more about them!
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://wiki.securityweekly.com/psw673

The post Abusing JWT (JSON Web Tokens) – Sven Morgenroth – PSW #673 appeared first on Malware Devil.

https://malwaredevil.com/2020/11/06/abusing-jwt-json-web-tokens-sven-morgenroth-psw-673/?utm_source=rss&utm_medium=rss&utm_campaign=abusing-jwt-json-web-tokens-sven-morgenroth-psw-673

Quick Post: Spooky New PowerShell Obfuscation in Emotet Maldocs

Emotet is a modular malware delivery platform that has consistently dominated the commodity malware threat landscape over the past couple of years. It has evolved from a straightforward banking trojan into a full-fledged malware distribution service, delivering a variety of payloads for other threat actor groups. The U.S. Department of Homeland Security states that Emotet infections cost state and local governments up to $1 million to remediate. Emotet is operated by the threat group tracked as Mummy Spider.

Emotet is commonly delivered in phishing campaigns via a macro-enabled Word document. I recently had a newer Emotet maldoc come across my desk. The part that interested me about this document was that the PowerShell obfuscation scheme had changed significantly for the first time in a few months. I thought it would be worthwhile to write a quick post with a few details about this new PowerShell script and provide a handy CyberChef recipe so that analysts and responders can quickly decode these PowerShell scripts.

I won’t dig as deep as I usually do here as Brad Duncan has already done a nice writeup on this campaign over at the SANS ISC blog. If readers are interested in seeing more details regarding dynamic analysis, I highly recommend checking it out here.

The overall infection chain in this case remains pretty much the same: a malicious Word document that is weaponized with macros is opened, which invokes a WMI process call that spawns a PowerShell script. That script attempts to download the core binary from a septet of URL resources. 

The Document

This document was related to the spam runs from 10/29/20 and leveraged a Halloween Party-themed social engineering lure.

  • filename: Party Invitation.doc
  • SHA256: ed51269c3602786ff6ddef3a808d8178d26e4e5960f4ac7af765e4bd642128dd

I pulled the document down from VirusTotal. These campaigns still appear to be using the “upgrade your edition of Microsoft Word” template to induce the victim into enabling macros. Much more about related campaigns is available thanks to the incredible work of the Cryptolaemus team here.

Emotet doc downloader template

The PowerShell script that is executed when macros are enabled is base64 encoded, as usual. Peeling back the first layer of obfuscation reveals the following:

The URLs hosting the next-stage payload, the Emotet loader, are obfuscated with string replacement operations. This is slightly more complex than the recent techniques, but it still relies on an empty-string replacement for ‘[]w’ and ‘ jjkgS []’, while a character replacement swaps ‘][ 1’ for the slash ‘/’ character. At that point, an analyst just needs to split the string at the “@” delimiter, use a regular expression to isolate URL patterns, and then defang for sharing.

hxxps[://]enjoymylifecheryl[.]com/wp-includes/FPNxoUiCz3/
hxxps[://]homewatchamelia[.]com/wp-admin/qmK/
hxxps[://]seramporemunicipality[.]org/replacement-vin/Ql4R/
hxxps[://]imperfectdream[.]com/wp-content/xb2csjPW6/
hxxps[://]mayxaycafe[.]net/wp-includes/UxdWFzYQj/
hxxps[://]420extracts[.]ca/cgi-bin/Ecv/
hxxps[://]casinopalacett[.]com/wp-admin/voZDArg/

Here is the code for the recipe in Chef format, which I also have on my GitHub:

From_Base64('A-Za-z0-9+/=',true)
Remove_null_bytes()
Find_/_Replace({'option':'Simple string','string':'+'},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'('},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':')'},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'\''},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'[]w'},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':' jjkgS []'},'',true,false,true,false)
Find_/_Replace({'option':'Simple string','string':'][ 1'},'/',true,false,true,false)
Split('@','\n')
Remove_whitespace(true,false,false,false,false,false)
Regular_expression('URL','([A-Za-z]+://)([-\w]+(?:\.\w[-\w]*)+)(:\d+)?(/[^.!,?"<>\[\]{}\s\x7F-\xFF]*(?:[.!,?]+[^.!,?"<>\[\]{}\s\x7F-\xFF]+)*)?',true,true,false,false,false,false,'List matches')
Defang_URL(true,true,true,'Valid domains and full URLs')

This Direct Link has the recipe already preloaded in CyberChef.
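For analysts who would rather script the same pipeline than paste into CyberChef, the following Python is an added example (not from the original post, and not the recipe above) that performs the same steps offline: base64 decode, strip the UTF-16LE null bytes, remove the junk tokens in the recipe's order, turn ‘][ 1’ back into ‘/’, split on ‘@’, pull out URLs and defang them. The base64 input is constructed here to mimic the described scheme, with example.* placeholder domains rather than the real infrastructure listed above; the function names are my own.

```python
import base64
import re
from typing import List

# Constructed sample, NOT the real Emotet script. It mimics the scheme described
# above: URLs padded with '[]w' and ' jjkgS []', '/' written as '][ 1', the list
# joined with '@' and broken into '+'-concatenated quoted pieces. The domains are
# example.* placeholders, not the infrastructure listed in the post.
_SAMPLE_SCRIPT = (
    "$u=('ht[]wtps:][ 1][ 1exa jjkgS []mple.com][ 1wp-in'+'cludes][ 1AbC1][ 1@'"
    "+'http:][ 1][ 1ex[]wample.net][ 1cgi-bin][ 1Ecv][ 1@'"
    "+'https:][ 1][ 1loader.example.org jjkgS []][ 1wp-admin][ 1qmK][ 1@').split('@')"
)
# PowerShell -EncodedCommand takes UTF-16LE, which is why the recipe removes null
# bytes right after the base64 step.
SAMPLE_B64 = base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# The campaign-specific part: update these when the junk strings change.
JUNK_TOKENS = ("+", "(", ")", "'", "[]w", " jjkgS []")
SLASH_TOKEN = "][ 1"

URL_RE = re.compile(r"[A-Za-z]+://[-\w]+(?:\.[-\w]+)+(?::\d+)?(?:/[^\s\"'<>\[\]{}@]*)?")


def decode_layer(b64: str) -> str:
    """Base64-decode and drop the UTF-16LE null bytes (From_Base64 + Remove_null_bytes)."""
    return base64.b64decode(b64).replace(b"\x00", b"").decode("latin-1")


def deobfuscate(script: str) -> str:
    """Apply the Find/Replace steps in the same order as the CyberChef recipe."""
    for token in JUNK_TOKENS:
        script = script.replace(token, "")
    return script.replace(SLASH_TOKEN, "/")


def defang(url: str) -> str:
    """hxxp scheme, [://] and [.] in the host; the path is left untouched."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return f"{re.sub(r'^http', 'hxxp', scheme)}[://]{host.replace('.', '[.]')}{sep}{path}"


def extract_urls(b64: str) -> List[str]:
    """Full pipeline: decode, strip junk, split on '@', pull URLs, defang."""
    text = deobfuscate(decode_layer(b64))
    found: List[str] = []
    for chunk in text.split("@"):
        chunk = re.sub(r"\s+", "", chunk)      # mirrors Remove_whitespace
        found.extend(URL_RE.findall(chunk))
    return [defang(u) for u in found]


if __name__ == "__main__":
    for ioc in extract_urls(SAMPLE_B64):
        print(ioc)
```

The order of the replacements matters: the concatenation characters and quotes come out first so that junk tokens split across ‘+’ boundaries are reassembled before they are removed, exactly as the recipe does it. When the next campaign rotates its junk strings, only JUNK_TOKENS and SLASH_TOKEN need to change.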

Summary

So that’s it. Just a quick look at some new PowerShell obfuscation used by Mummy Spider in recent campaigns. These tactics used to change quite frequently, but the cadence of updates has slowed considerably as of late. As always, CyberChef is my preferred tool for de-obfuscating these scripts to quickly extract the network indicators of compromise and increase velocity during an Incident Response investigation.

References

https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet
https://www.us-cert.gov/ncas/alerts/TA18-201A
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/
https://gchq.github.io/CyberChef/
https://isc.sans.edu/forums/diary/Emotet+Qakbot+more+Emotet/26750/
https://www.virustotal.com/gui/file/ed51269c3602786ff6ddef3a808d8178d26e4e5960f4ac7af765e4bd642128dd/detection
https://paste.cryptolaemus.com/emotet/2020/10/29/emotet-malware-IoCs_10-29-20.html
https://github.com/Sec-Soup/CyberChef-Recipes/blob/master/Emotet-Recipe_20200826

The post Quick Post: Spooky New PowerShell Obfuscation in Emotet Maldocs appeared first on Malware Devil.

https://malwaredevil.com/2020/11/06/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/?utm_source=rss&utm_medium=rss&utm_campaign=quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs

Network Security News Summary for Friday November 6 2020

A brief daily summary of what is important in cybersecurity. The podcast is published every weekday and designed to get you ready for the day with a brief, usually about 5 minutes long, summary of current network security-related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Storm Center. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .

The post Network Security News Summary for Friday November 6 2020 appeared first on Malware Devil.

https://malwaredevil.com/2020/11/06/network-security-news-summary-for-friday-november-6-2020/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-friday-november-6-2020

Thursday, November 5, 2020

Balancing Autonomy and Control in API Security with Token Swapping

The question of how much control to retain versus how much to give up is something that occupies the minds of parents, management consultants, and often coaches. A high level of control helps achieve specific objectives, but, at the same time, it may lead to a complex bureaucracy that slows down self-initiative, entrepreneurship, and general productivity. A high level of empowerment, on the other hand, fosters creativity and ownership, but it may lead to unmanageable or risky outcomes. 

In the world of identity and security, organizations across all sectors also face this conundrum. Managing identity involves both controlled (stateful) and autonomous (stateless) security tokens. 

  • Stateful tokens are opaque and can be de-referenced by a central authority only after request (token introspection). The authority manages the state of the token, including revocation. The token depends on the availability and performance of the authority.
  • Stateless tokens are self-contained and can be “unpacked” by any party with the appropriate key material. Stateless tokens can be processed with or without the availability of an authoritative service. 

Knowing which to use is often straightforward, but sometimes what you really want to deploy is something in between.

A Closer Look at Token Swapping Use Cases

Exposing open services and APIs to external clients is a perfect use case for stateful tokens. Because external clients can be located anywhere and security tokens can travel over many networks, more control is needed. With stateful tokens, you can have opaque tokens that don’t carry sensitive content, always introspect tokens against a central authority, and revoke tokens as needed to provide a high level of control. 

However, for Zero Trust architectures that require security checks at every stage, including each microservice-to-microservice call, using stateless tokens makes more sense. That’s because they don’t depend on a central authority, which could impact the ability to scale and to continue operations if the authority is unreachable. 

Token swapping describes the ability to exchange one security token for another in a different, enriched, or restricted form. A gateway can function as the “token swapper.” It intercepts requests, validates tokens, and generates new tokens either by itself or in conjunction with other services. 

Let’s look at the example of a financial company exposing APIs to partner organizations. Such a scenario requires a higher level of control and the ability to revoke granted access, so, for these external clients, the financial institution issues stateful tokens. Token swapping allows the company to use those stateful tokens on the front end but then switch to stateless tokens for scalability and other benefits within their microservices environment. 

If you swap a stateful token for a stateless token in the right way and at the right time, you can achieve that delicate balance between control and autonomy to better suit your purposes.


In the aforementioned scenario, ForgeRock Identity Gateway, deployed as a north-south gateway, validates stateful OAuth2 tokens by introspection with ForgeRock Access Management, ForgeRock Identity Cloud, or any other OAuth2 authorization server. After validating the stateful token, Identity Gateway then generates a stateless JSON Web Token (JWT) containing the identity information the downstream services need to proceed autonomously.

Self-contained JWTs are a compelling token type for scenarios that require a high level of scaling, do not have a strong dependency on external services (such as the authority), and can tolerate the absence of token revocation capability. For many microservices scenarios, this is a very effective use case for token swapping. 

Local JWT validation can also be conducted by service meshes, such as Istio, or by ForgeRock Identity Gateway, deployed as an east-west gateway, or Microgateway with the JwtValidationFilter. Note, however, that service meshes support self-contained JWTs but do not integrate well with stateful OAuth2 and remote token introspection. Furthermore, JWTs consumed by service meshes like Istio need to have the appropriate content, which can be built using token swapping. The “token swapper” can aggregate the appropriate JWTs.

Token swapping is not limited to stateful OAuth2 to JWT token swapping. You can create transformations using other token types such as OpenID Connect, SAML or SSO tokens and services like the security token service (STS). You can also enrich tokens with user roles, entitlements, or attributes obtained from the authority. 

To learn more about balancing control and autonomy with token swapping, read about the following useful components: JwtBuilderFilter, JwtValidationFilter, IdTokenValidationFilter, OAuth2ResourceServerFilter, TokenTransformationFilter.

With token swapping, you can expand your options for obtaining the right balance in the control versus autonomy dilemma—at least in the identity and security realm. Parents, philosophers, and management will have to look elsewhere.

 

The post Balancing Autonomy and Control in API Security with Token Swapping appeared first on Security Boulevard.

The post Balancing Autonomy and Control in API Security with Token Swapping appeared first on Malware Devil.

https://malwaredevil.com/2020/11/05/balancing-autonomy-and-control-in-api-security-with-token-swapping/?utm_source=rss&utm_medium=rss&utm_campaign=balancing-autonomy-and-control-in-api-security-with-token-swapping

What’s in today’s cybercriminal’s toolbox? Let’s open it.

Cyber fraud is a catch-all term for endless schemes to fool users into giving assets access to their data […]

The post What’s in today’s cybercriminal’s toolbox? Let’s open it. appeared first on NuData Security.

The post What’s in today’s cybercriminal’s toolbox? Let’s open it. appeared first on Security Boulevard.

The post What’s in today’s cybercriminal’s toolbox? Let’s open it. appeared first on Malware Devil.

https://malwaredevil.com/2020/11/05/whats-in-todays-cybercriminals-toolbox-lets-open-it/?utm_source=rss&utm_medium=rss&utm_campaign=whats-in-todays-cybercriminals-toolbox-lets-open-it

US Seizes 27 More IRGC-Controlled Domain Names

The action follows last month’s seizure of 92 domain names used by Iran’s Islamic Revolutionary Guard Corps to spread disinformation.

The post US Seizes 27 More IRGC-Controlled Domain Names appeared first on Malware Devil.

https://malwaredevil.com/2020/11/05/us-seizes-27-more-irgc-controlled-domain-names/?utm_source=rss&utm_medium=rss&utm_campaign=us-seizes-27-more-irgc-controlled-domain-names

NSS Labs’ Abrupt Shutdown Leaves Many Unanswered Questions

Former execs and employees share some insights into the testing firm’s shutdown. What does it mean for the future of security product testing?

The post NSS Labs’ Abrupt Shutdown Leaves Many Unanswered Questions appeared first on Malware Devil.

https://malwaredevil.com/2020/11/05/nss-labs-abrupt-shutdown-leaves-many-unanswered-questions/?utm_source=rss&utm_medium=rss&utm_campaign=nss-labs-abrupt-shutdown-leaves-many-unanswered-questions

Bug Bounty Hunters’ Pro Tips on Chasing Vulns & Money

From meditation to the right mindset, seasoned vulnerability researchers give their advice on how to maximize bug bounty profits and avoid burnout.

The post Bug Bounty Hunters’ Pro Tips on Chasing Vulns & Money appeared first on Malware Devil.

https://malwaredevil.com/2020/11/05/bug-bounty-hunters-pro-tips-on-chasing-vulns-money/?utm_source=rss&utm_medium=rss&utm_campaign=bug-bounty-hunters-pro-tips-on-chasing-vulns-money

Gaming Giant Capcom Hit By Ragnar Locker Ransomware: Report

The Resident Evil creator has reportedly been hit in a ransomware attack that stole 1TB of sensitive data.

The post Gaming Giant Capcom Hit By Ragnar Locker Ransomware: Report appeared first on Malware Devil.

https://malwaredevil.com/2020/11/05/gaming-giant-capcom-hit-by-ragnar-locker-ransomware-report/?utm_source=rss&utm_medium=rss&utm_campaign=gaming-giant-capcom-hit-by-ragnar-locker-ransomware-report

Zoom Snooping: How Body Language Can Spill Your Password

Researchers figure out how to read what people are typing during a Zoom call using shoulder movements.

The post Zoom Snooping: How Body Language Can Spill Your Password appeared first on Malware Devil.

https://malwaredevil.com/2020/11/05/zoom-snooping-how-body-language-can-spill-your-password/?utm_source=rss&utm_medium=rss&utm_campaign=zoom-snooping-how-body-language-can-spill-your-password

🔴 LIVE: Paul’s Security Weekly #673

This week, we welcome Sven Morgenroth from Netsparker, then we are joined by Dan DeCloss from PlexTrac, and we wrap with the Security News!

→Full Show Notes: https://wiki.securityweekly.com/psw673
→Join the Security Weekly Discord Server: https://discord.gg/pqSwWm4
→Visit our website: https://www.securityweekly.com
→Follow us on Twitter: https://www.twitter.com/securityweekly

The post 🔴 LIVE: Paul’s Security Weekly #673 appeared first on Malware Devil.

https://malwaredevil.com/2020/11/05/%f0%9f%94%b4-live-pauls-security-weekly-673/?utm_source=rss&utm_medium=rss&utm_campaign=%25f0%259f%2594%25b4-live-pauls-security-weekly-673

Agent Tesla: A Day in a Life of IR

Introduction

The Agent Tesla infostealer has been around since 2014. During the last two to three years, it’s also had a significant distribution growth factor partially due to the fact that cracked versions of it have been leaked.

The post Agent Tesla: A Day in a Life of IR appeared first on Security Boulevard.

The post Agent Tesla: A Day in a Life of IR appeared first on Malware Devil.

https://malwaredevil.com/2020/11/05/agent-tesla-a-day-in-a-life-of-ir/?utm_source=rss&utm_medium=rss&utm_campaign=agent-tesla-a-day-in-a-life-of-ir

North Korean Hackers Used ‘Torisma’ Spyware in Job Offers-based Attacks

A cyberespionage campaign aimed at aerospace and defense sectors in order to install data gathering implants on victims’ machines for purposes of surveillance and data exfiltration may have been more sophisticated than previously thought.
The attacks, which targeted IP-addresses belonging to internet service providers (ISPs) in Australia, Israel, Russia, and defense contractors based in Russia

The post North Korean Hackers Used ‘Torisma’ Spyware in Job Offers-based Attacks appeared first on Malware Devil.

https://malwaredevil.com/2020/11/05/north-korean-hackers-used-torisma-spyware-in-job-offers-based-attacks/?utm_source=rss&utm_medium=rss&utm_campaign=north-korean-hackers-used-torisma-spyware-in-job-offers-based-attacks

Digital Transformation Means Security Must Also Transform

Being successful in this moment requires the ability to evolve in terms of team management, visibility, and crisis management.

The post Digital Transformation Means Security Must Also Transform appeared first on Malware Devil.

https://malwaredevil.com/2020/11/05/digital-transformation-means-security-must-also-transform/?utm_source=rss&utm_medium=rss&utm_campaign=digital-transformation-means-security-must-also-transform

DEF CON 28 Safe Mode ICS Village – Marina Krotofi’s ‘Confessions Of An Offensive ICS Researcher’

Many thanks to DEF CON and Conference Speakers for publishing their outstanding presentations; of which, originally appeared at the organization’s DEFCON 28 SAFE MODE Conference, and on the DEF CON YouTube channel. Enjoy!

The post DEF CON 28 Safe Mode ICS Village – Marina Krotofi’s ‘Confessions Of An Offensive ICS Researcher’ appeared first on Security Boulevard.

The post DEF CON 28 Safe Mode ICS Village – Marina Krotofi’s ‘Confessions Of An Offensive ICS Researcher’ appeared first on Malware Devil.

https://malwaredevil.com/2020/11/05/def-con-28-safe-mode-ics-village-marina-krotofis-confessions-of-an-offensive-ics-researcher/?utm_source=rss&utm_medium=rss&utm_campaign=def-con-28-safe-mode-ics-village-marina-krotofis-confessions-of-an-offensive-ics-researcher

Achieving Application Security in Today’s Complex Digital World

Application security is an essential part of the software development lifecycle, and getting it right should be a top priority in today’s ever-evolving and expanding digital ecosystem. Application security is the practice of protecting your applications from malicious attacks by detecting and fixing security weaknesses in your applications’ code. 

Organizations today invest a lot of time and money in tools and processes that help them secure their applications throughout the software development lifecycle. Achieving application security has become a major challenge for software engineers, security, and DevOps professionals as systems become more complex and hackers are continuously increasing their efforts to target the application layer. 

How can software development organizations make sure that they have all the tools and processes in place to effectively address the many threats to application security?

 

When It Comes to Security, Applications Remain the Weakest Link

Findings from top industry research reports show that attacking application weaknesses and software vulnerabilities remains the most common external attack method. For example, Verizon’s 2020 Data Breach Investigations Report recently found that web applications are a top hacking vector in breaches. The Verizon report asserts that “this trend of having web applications as the vector of these attacks is not going away.”

Verizon’s 2020 Data Breach Investigations Report -- web applications are a top hacking vector in breaches.

From: Verizon 2020 Data Breach Investigations Report 

Forrester’s 2020 State of Application Security Report also predicted that application vulnerabilities will continue to be the most common external attack method, and found that most external attacks target either software vulnerabilities or web applications. 

Forrester’s 2020 State of Application Security Report --applications are still the weakest link

Based on Forrester’s The State Of Application Security 2020

Unfortunately, it appears that most organizations continue to invest in the protection of other attack vectors. Currently, the amount of investment in protecting certain areas like the network is often inconsistent with the level of risk associated with them in today’s threat landscape. 

According to the Ponemon Institute’s Research Report The Increasing Risk to Enterprise Applications, “Investment in application security is not commensurate with the risk.” The research report shows that “There is a significant gap between the level of application risk and what companies are spending to protect their applications,” while “the level of risk to networks is much lower than the investment in network security.”

 Ponemon Institute -- The Increasing Risk to Enterprise Applications -- Investment in application security is not commensurate with the risk 

From: The Increasing Risk to Enterprise Applications by Ponemon Institute

In order to ensure effective application security, organizations need to make sure that their application security practices evolve beyond the old methods of blocking traffic, and understand that investing heavily in network security is not enough.

 

The Main Application Security Technologies

When it comes to investing in application security tools, the market is full of a variety of new and old technologies and solutions to help organizations improve their application security and ensure it keeps up with the security challenges of the evolving threat landscape. 

Forrester’s market taxonomy for application security tools makes a distinction between two market segments: security scanning tools and runtime protection tools, and predicts that spending will continue to rise for both categories. 

 Application Security Market will Exceed $7B by 2023, Forrester   

from: Application Security Market Will Exceed $7B by 2023, Forrester

Each category of application security testing tools focuses on a different stage in the software development lifecycle. Security scanning tools are used to find and remediate vulnerabilities while applications are in development. Runtime protection is applied when applications are in production. It’s important to remember that runtime protection tools provide an extra layer of protection and are not an alternative to scanning. 

Application Security Testing tools: Security Scanning Tools and Runtime Protection Tools.

Security scanning tools are used primarily in development — applications are tested in the design and build stages. The goal of security scanning tools is prevention. They detect and remediate vulnerabilities in applications before they run in a production environment. Tools in this market include SAST (static application security testing), DAST (dynamic application security testing), IAST (interactive application security testing), and SCA (software composition analysis).

Runtime protection tools come in later, in production. They are designed to protect against malicious actors while an application is running in a production environment. These tools react in real time to defend against attacks. This market is segmented into web application firewalls (WAF), bot management, and RASP (runtime application self-protection).

Each one of these application security testing technologies has its own set of features and functions, and its strong and weak points. No single tool can be used as a magic potion against malicious actors. Organizations need to analyze their specific needs and choose the tools that best support their application security policy and strategy. 

application security testing tools' features

 

Getting It Right: The Application Security Maturity Model

While getting the right tools for application security is important, it is just one step. Though most tools today focus on detection, a mature application security policy goes a few steps further to bridge the gap from detection to remediation. 

Considering the continuous increase in known software vulnerabilities, focusing on detection will leave organizations with an incomplete application security model. Application security tools often provide security and development teams with exhausting laundry lists of security alerts. However, teams also need to have the means to quickly fix the issues that present the biggest security risks. 

In order to address the most urgent application security threats, organizations need to adopt a mature application security model that includes prioritization and remediation on top of detection. 

While detecting as many security issues in the application layer as possible is extremely important, considering the current threat landscape and competitive release timelines, it has become unrealistic to attempt to fix them all. It’s important to remember Gartner analysts Neil MacDonald and Ian Head’s statement from Gartner’s 10 Things to Get Right for Successful DevSecOps: “Perfect security is impossible, Zero risk is impossible. We must bring continuous risk and trust-based assessment and prioritization of application vulnerabilities to DevSecOps.” 

A mature application security model includes strategies and technologies that help teams prioritize — providing them the tools to zero-in on the security vulnerabilities that present the biggest risk to their systems so that they can address them as quickly as possible. Otherwise, teams end up spending a lot of valuable time sorting through alerts, debating what to fix first, and running the risk of leaving the most urgent issues unattended. 

Next in the application security maturity model comes remediation — technologies that integrate seamlessly into the development cycle to help remediate issues when they are relatively easier and cheaper to fix, and update vulnerable versions automatically. 

Application Security at the Speed of DevSecOps 

As development cycles get shorter, security professionals and developers struggle to address security issues while keeping up with the increasingly rapid pace of release cycles. This constant push and pull between application security needs and the speed of development often results in friction between developers who don’t want security to slow them down and security professionals who feel developers are neglecting security. The DevSecOps approach attempts to address this conflict and break the silos between developers and security.

DevSecOps addresses the challenge of continuously increasing the pace of development and delivery without compromising on security. First came DevOps, which helped organizations create shorter release cycles so that they could meet the market demand of delivering innovative software products at a rapid pace. DevSecOps adds security to the mix, integrating security throughout the software development lifecycle (SDLC), to make sure that security doesn’t slow down development and application development is both agile and secure. 

DevSecOps aims to seamlessly integrate application security in the earliest stages of the SDLC, by updating organizations’ application security practices, tools, and teamwork. It calls for shifting security testing left to help teams work together to address security issues early in development when remediation can be relatively simple. 

 

Hackers Are Keeping up with the Evolving Software Development Landscape. Are You? 

As applications evolve and take on new forms, malicious players adapt to the new technologies and environments. The days of applications being heavy monolithic client/server behemoths are long gone, and your application security strategies need to keep up in order to protect against current threats to your applications. 

Attackers compromise modern applications through unsecured API endpoints, unvalidated API payloads, and client-side attacks injecting malware into unprotected scripts. The rise of new architectures like cloud-native and frameworks offers new attack surfaces. Security professionals need to adjust their focus and address issues like image integrity, vulnerabilities in common container images, and changes to containers and functions in production.

Application security is a constantly evolving ecosystem of tools and processes. If you want to stay ahead of the hackers, you need to make sure that your application security practices are as advanced as today’s software development technologies. 

The post Achieving Application Security in Today’s Complex Digital World appeared first on Security Boulevard.

The post Achieving Application Security in Today’s Complex Digital World appeared first on Malware Devil.

https://malwaredevil.com/2020/11/05/achieving-application-security-in-todays-complex-digital-world/?utm_source=rss&utm_medium=rss&utm_campaign=achieving-application-security-in-todays-complex-digital-world

Cado Security Gets $1.5 Million Seed

The seed funding round was led by Ten Eleven Ventures.

The post Cado Security Gets $1.5 Million Seed appeared first on Malware Devil.

https://malwaredevil.com/2020/11/05/cado-security-gets-1-5-million-seed/?utm_source=rss&utm_medium=rss&utm_campaign=cado-security-gets-1-5-million-seed

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...