Thursday, July 1, 2021

Defeating Ransomware-as-a-Service? Think Intel-Sharing

Aamir Lakhani, cybersecurity researcher and practitioner at FortiGuard Labs, explains the rise of RaaS and the critical role of threat intel in effectively defending against it.
Read More

The post Defeating Ransomware-as-a-Service? Think Intel-Sharing appeared first on Malware Devil.



https://malwaredevil.com/2021/07/01/defeating-ransomware-as-a-service-think-intel-sharing/?utm_source=rss&utm_medium=rss&utm_campaign=defeating-ransomware-as-a-service-think-intel-sharing

Intuit to Share Payroll Data from 1.4M Small Businesses With Equifax

Financial services giant Intuit this week informed 1.4 million small businesses using its QuickBooks Online Payroll and Intuit Online Payroll products that their payroll information will be shared with big-three consumer credit bureau Equifax starting later this year unless customers opt out by the end of this month.

Intuit says the change is tied to an “exciting” and “free” new service that will let millions of small business employees get easy access to employment and income verification services when they wish to apply for a loan or line of credit.

“In early fall 2021, your QuickBooks Online Payroll subscription will include an automated income and employment verification service powered by The Work Number from Equifax,” reads the Intuit email, which includes a link to the new Terms of Service. “Your employees may need to verify their income and employment info when applying for things like loans, credit, or public aid. Before, you likely had to manually provide this info to lenders, creditors or government agencies. These verifications will be automated by The Work Number, which helps employees get faster approvals and saves you time.”

An Intuit spokesperson clarified that the new service is not available through QuickBooks Online or to QuickBooks Online users as a whole. Intuit’s FAQ on the changes is here.

Equifax’s 2017 megabreach that exposed the personal and financial details of 145.5 million Americans may have shocked the public, but it did little to stop more than a million employers from continuing to sell Equifax their employee payroll data, Bloomberg found in late 2017.

“The workforce-solutions unit is now among Equifax’s fastest-growing businesses, contributing more than a fifth of the firm’s $3.1 billion of revenue last year,” wrote Jennifer Surane. “Using payroll data from government agencies and thousands of employers — including a vast majority of Fortune 500 companies — Equifax has cultivated a database of 300 million current and historic employment records, according to regulatory filings.”

QuickBooks Online user Anthony Citrano posted on Twitter about receiving the notice, noting that the upcoming changes had yet to receive any attention in the financial or larger media space.

“The way I read the terms, Equifax gets to proactively collect all payroll data just in case they need to share it later — similar to how they already handle credit reporting,” said Citrano, who is founder and CEO of Acquicent, a company that issues non-fungible tokens (NFTs). “And that feels like a disaster waiting to happen, especially given Equifax’s history.”

In selling payroll data to Equifax, Intuit will be joining some of the world’s largest payroll providers. For example, ADP — the largest payroll software provider in the United States — has long shared payroll data with Equifax.

But Citrano said this move by Intuit will incorporate a large number of fairly small businesses.

“ADP participates in some way already, but QuickBooks Online jumping on the bandwagon means a lot of employees of small to mid-sized businesses are going to be affected,” he said.

Why might small businesses want to think twice before entrusting Equifax with their payroll data? The answer is the company doesn’t have a great track record of protecting that information.

In the days following the 2017 breach at Equifax, KrebsOnSecurity pointed out that The Work Number made it a little too easy for anyone to learn your salary history. At the time, all you needed to view someone’s entire work and salary history was their Social Security number and date of birth. It didn’t help that for roughly half the U.S. population, both pieces of information were known to be in the possession of the criminals behind the breach.

Equifax responded by taking down its Work Number website until it was able to include additional authentication requirements, saying anyone could opt out of Equifax revealing their salary history.

Equifax’s security improvements included the addition of four multiple-guess questions whose answers were based on publicly-available data. But these requirements were easily bypassed, as evidenced by a previous breach at Equifax’s employment division.

The Work Number is a user-paid verification of employment database created by TALX Corp., a data broker acquired by Equifax in 2007. Four months before the epic 2017 breach became public, KrebsOnSecurity broke the news that fraudsters who specialize in tax refund fraud had been successfully guessing the answers to those secret questions to reset TALX account PINs, which then let them view past W-2 tax forms for employees at many Fortune 500 companies.

Intuit says affected customers that do not want this new service included must update their preferences and opt out by July 31, 2021. Otherwise, they will automatically be opted in. According to Intuit, customers can opt out by following these steps:

1. Sign in to QuickBooks Online Payroll.

2. Go to Payroll Settings.

3. In the Shared data section, select the pencil and uncheck the box.

4. Select Save.

https://malwaredevil.com/2021/07/01/intuit-to-share-payroll-data-from-1-4m-small-businesses-with-equifax/?utm_source=rss&utm_medium=rss&utm_campaign=intuit-to-share-payroll-data-from-1-4m-small-businesses-with-equifax

Hacked Data for 69K LimeVPN Users Up for Sale on Dark Web

LimeVPN has confirmed a data incident, and meanwhile its website has been knocked offline.

https://malwaredevil.com/2021/07/01/hacked-data-for-69k-limevpn-users-up-for-sale-on-dark-web/?utm_source=rss&utm_medium=rss&utm_campaign=hacked-data-for-69k-limevpn-users-up-for-sale-on-dark-web

🔴 LIVE: Paul’s Security Weekly #701

This week, we kick off the show by interviewing Rob Shavelle, Co-Founder and CEO of Abine/DeleteMe, to talk New Security Threats Stemming from PII Online! Then we welcome Haseeb Awan, CEO of EFANI Inc, to talk about The Rise of Sim Swapping! Finally, we wrap the show with the Security News!

→Full Show Notes: https://securityweekly.com/psw701
→Join the Security Weekly Discord Server: https://discord.gg/pqSwWm4
→Visit our website: https://www.securityweekly.com
→Follow us on Twitter: https://www.twitter.com/securityweekly

https://malwaredevil.com/2021/07/01/%f0%9f%94%b4-live-pauls-security-weekly-701/?utm_source=rss&utm_medium=rss&utm_campaign=%25f0%259f%2594%25b4-live-pauls-security-weekly-701

LinkedIn Leaks 93% of Users’ Data—Refuses Blame for Breach

LinkedIn is fighting a crescendo of criticism over a huge data breach. But when is a breach not a “breach”?

The post LinkedIn Leaks 93% of Users’ Data—Refuses Blame for Breach appeared first on Security Boulevard.

https://malwaredevil.com/2021/07/01/linkedin-leaks-93-of-users-data-refuses-blame-for-breach/?utm_source=rss&utm_medium=rss&utm_campaign=linkedin-leaks-93-of-users-data-refuses-blame-for-breach

Babuk Ransomware Builder Mysteriously Appears in VirusTotal

The gang’s source code is now available to rivals and security researchers alike – and a decryptor likely is not far behind.

https://malwaredevil.com/2021/07/01/babuk-ransomware-builder-mysteriously-appears-in-virustotal/?utm_source=rss&utm_medium=rss&utm_campaign=babuk-ransomware-builder-mysteriously-appears-in-virustotal

S3 Ep39: Paying the date, #SocialMediaDay tips, and a special splintersode [Podcast]

Latest episode – listen now!

https://malwaredevil.com/2021/07/01/s3-ep39-paying-the-date-socialmediaday-tips-and-a-special-splintersode-podcast/?utm_source=rss&utm_medium=rss&utm_campaign=s3-ep39-paying-the-date-socialmediaday-tips-and-a-special-splintersode-podcast

Data Exfiltration: What You Should Know to Prevent It

Data leaks are a serious concern for companies of all sizes; if one occurs, it may put them out of business permanently. Here’s how you can protect your organization from data theft.

https://malwaredevil.com/2021/07/01/data-exfiltration-what-you-should-know-to-prevent-it/?utm_source=rss&utm_medium=rss&utm_campaign=data-exfiltration-what-you-should-know-to-prevent-it

DELTA – SDN security evaluation framework

What is DELTA?

DELTA is a penetration testing framework that regenerates known attack scenarios for diverse test cases. This framework also provides the capability of discovering unknown security problems in SDN by employing a fuzzing technique.

Agent-Manager is the control tower. It takes full control over all the agents deployed to the target SDN network.
Application-Agent is a legitimate SDN application that conducts attack procedures and is controller-dependent. The known malicious functions are implemented as application-agent functions.
Channel-Agent is deployed between the controller and the OpenFlow-enabled switch. The agent sniffs and modifies the unencrypted control messages. It is controller-independent.
Host-Agent behaves as if it was a legitimate host participating in the target SDN network. The agent demonstrates an attack in which a host attempts to compromise the control plane.

Prerequisites

In order to build and run DELTA, the following are required:

An agent manager based on Ubuntu 16.04 LTS 64 bit

Ant build system
Maven v3.3.9
LXC 2.0
JDK 1.8

Target Controller (for application agent)

Floodlight: ~1.2
ONOS: 1.1, 1.6, 1.9, 1.13.1 (being tested)
OpenDaylight: ~Oxygen
Ryu: 4.16

Cbench (for channel agent)
Mininet 2.2 (for host agent)
(in the case of All-In-One Single Machine) Three lxc containers based on Ubuntu 16.04 LTS 64 bit.

Container-1: Target controller + Application agent
Container-2: Channel agent
Container-3: Host agent

Installing DELTA

DELTA installation depends on the Maven and Ant build systems. The mvn command is used to build and install the agent-manager and the agents. DELTA supports an All-In-One Single Machine environment via containers as well as a real hardware SDN environment.

STEP 1. Get the source code of DELTA on the agent manager machine

$ git clone https://github.com/seungsoo-lee/DELTA.git

STEP 2. Install DELTA dependencies

$ cd <DELTA>/tools/dev/delta-setup/
$ ./delta-setup-devenv-ubuntu

STEP 3. Install three containers using lxc

$ source ./<DELTA>/tools/dev/delta-setup/bash_profile
$ cd <DELTA>/tools/dev/lxc-setup
$ ./lxc-dev-install

$ sudo vi /etc/default/lxc-net
Uncomment “LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf”
$ sudo service lxc-net restart
$ sudo lxc-start -n container-cp -d

$ sudo vi /etc/apparmor.d/abstractions/lxc/container-base
Uncomment “mount options=(rw, make-rprivate) -> **,”
$ sudo apparmor_parser -r /etc/apparmor.d/lxc-containers

$ cd ~
$ ssh-keygen -t rsa
(Press Enter)
$ ssh-copy-id -i ~/.ssh/id_rsa.pub $DELTA_CP
(ID: ubuntu, PW: ubuntu)

$ ssh $DELTA_CP
(DELTA_CP) $ sudo visudo
At the bottom of the file, add the following line:
ubuntu ALL=(ALL) NOPASSWD: ALL
(DELTA_CP) $ exit

$ cd <DELTA>/tools/dev/lxc-setup
$ ./lxc-dev-setup
$ ssh-copy-id -i ~/.ssh/id_rsa.pub $DELTA_CH
$ ssh-copy-id -i ~/.ssh/id_rsa.pub $DELTA_DP

STEP 4. Install DELTA using maven build

$ cd <DELTA>
$ source ./tools/dev/delta-setup/bash_profile
$ mvn clean install

The test environment is then set up automatically.

Configuring your own experiments

The agent-manager automatically reads a configuration file and sets up the test environment based on the file. [/tools/config/manager_default.cfg] contains the All-In-One Single Machine configuration by default.

CONTROLLER_SSH=[account-id]@[agent-controller ipAddr]
CHANNEL_SSH=[account-id]@[agent-channel ipAddr]
HOST_SSH=[account-id]@[agent-host ipAddr]
TARGET_HOST=10.0.0.2
ONOS_ROOT=/home/vagrant/onos-1.6.0
CBENCH_ROOT=/home/vagrant/oflops/cbench/
TARGET_CONTROLLER=Floodlight
TARGET_VERSION=0.91
OF_PORT=6633
OF_VER=1.3
MITM_NIC=eth1
CONTROLLER_IP=[agent-controller ipAddr]
SWITCH_IP=[agent-host ipAddr],[agent-host ipAddr],[agent-host ipAddr]
DUMMY_CONT_IP=[agent-manager ipAddr]
DUMMY_CONT_PORT=6633
AM_IP=[agent-manager ipAddr]
AM_PORT=3366
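Added here as a worked example, not part of the DELTA project: a small Python checker for an agent-manager configuration file in the KEY=VALUE layout shown above. It reports required keys that are missing, bracketed placeholders left unfilled, SSH targets that are not of the form user@ip, malformed IP lists and out-of-range ports. The sample configuration is constructed (the addresses are made up) and the set of required keys is an assumption made here, since the README does not state which keys the agent-manager insists on.

```python
import ipaddress
import re

# Constructed sample in the manager_default.cfg layout shown above.
# Addresses are made up; HOST_SSH deliberately keeps the README's
# bracketed placeholder so the checker has something to flag.
SAMPLE_CFG = """\
CONTROLLER_SSH=ubuntu@10.0.3.10
CHANNEL_SSH=ubuntu@10.0.3.11
HOST_SSH=[account-id]@[agent-host ipAddr]
TARGET_HOST=10.0.0.2
ONOS_ROOT=/home/vagrant/onos-1.6.0
CBENCH_ROOT=/home/vagrant/oflops/cbench/
TARGET_CONTROLLER=Floodlight
TARGET_VERSION=0.91
OF_PORT=6633
OF_VER=1.3
MITM_NIC=eth1
CONTROLLER_IP=10.0.3.10
SWITCH_IP=10.0.3.12,10.0.3.12,10.0.3.12
DUMMY_CONT_IP=10.0.3.1
DUMMY_CONT_PORT=6633
AM_IP=10.0.3.1
AM_PORT=3366
"""

# Assumed set of keys the agent-manager cannot run without (not documented).
REQUIRED = {"CONTROLLER_SSH", "CHANNEL_SSH", "HOST_SSH", "TARGET_CONTROLLER",
            "OF_PORT", "CONTROLLER_IP", "AM_IP", "AM_PORT"}
SSH_KEYS = ("CONTROLLER_SSH", "CHANNEL_SSH", "HOST_SSH")
IP_KEYS = ("TARGET_HOST", "CONTROLLER_IP", "DUMMY_CONT_IP", "AM_IP")
PORT_KEYS = ("OF_PORT", "DUMMY_CONT_PORT", "AM_PORT")
PLACEHOLDER = re.compile(r"\[[^\]]*\]")  # e.g. "[agent-manager ipAddr]"


def parse_cfg(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {raw!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def validate_cfg(cfg):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = [f"{key}: missing" for key in sorted(REQUIRED - cfg.keys())]
    for key, value in cfg.items():
        if PLACEHOLDER.search(value):
            problems.append(f"{key}: placeholder {value!r} not filled in")
            continue
        if key in SSH_KEYS:
            user, _, host = value.partition("@")
            if not user or not _is_ip(host):
                problems.append(f"{key}: expected user@ip, got {value!r}")
        elif key in IP_KEYS and not _is_ip(value):
            problems.append(f"{key}: not an IP address: {value!r}")
        elif key == "SWITCH_IP":
            bad = [h for h in value.split(",") if not _is_ip(h)]
            if bad:
                problems.append(f"{key}: bad entries {bad}")
        elif key in PORT_KEYS and not (value.isdigit() and 0 < int(value) < 65536):
            problems.append(f"{key}: not a valid TCP port: {value!r}")
    return problems


if __name__ == "__main__":
    for problem in validate_cfg(parse_cfg(SAMPLE_CFG)):
        print(problem)
```

Run against the sample, the checker reports only the unfilled HOST_SSH placeholder; once that is replaced with a real user@ip target, the file passes. Catching a leftover placeholder before `bin/run-delta` starts is cheaper than discovering it when the manager fails to reach an agent over SSH.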

Floodlight 1.2

$ cd <DELTA>/tools/dev/app-agent-setup
$ ./floodlight-1.2-scp

ONOS 1.1 (deprecated)

$ cd <DELTA>/tools/dev/app-agent-setup/onos
$ ./onos-1.1.0-scp
(on the controller machine) $ ./onos-1.1.0-setup

ONOS 1.6, 1.9 or 1.13.1

$ cd <DELTA>/tools/dev/app-agent-setup/onos
$ ./delta-setup-onos <onos-version>
$ ./delta-scp-onos <onos-version>
* Supported ONOS versions in the script: 1.6, 1.9, 1.13.1

OpenDaylight Oxygen

$ cd <DELTA>/tools/dev/app-agent-setup
$ ./odl-oxygen-scp

Ryu 4.16

$ cd <DELTA>/tools/dev/app-agent-setup/ryu
$ ./delta-setup-ryu

The app-agent (on the controller container) needs an ‘agent.cfg’ file to connect to the agent-manager:

MANAGER_IP=[agent-manager ipAddr]
MANAGER_PORT=3366

Running DELTA

STEP 1. Distribute the executable files to Containers

$ cd <DELTA>
$ source ./tools/dev/delta-setup/bash_profile
$ ./tools/dev/delta-setup/delta-agents-scp

STEP 2. Execute Agent-Manager first

$ cd <DELTA>
$ bin/run-delta <configuration file>
(e.g., bin/run-delta config/manager_vm.cfg)

DELTA: A Penetration Testing Framework for Software-Defined Networks

[pP] – Show all known attacks
[cC] – Show configuration info
[kK] – Replaying known attack(s)
[uU] – Finding an unknown attack
[qQ] – Quit

Command>_

STEP 3. Connect to the web-based UI (port number 7070)

Main Contributors

Seungsoo Lee (KAIST)
Jinwoo Kim (KAIST)
Seungwon Woo (KAIST)
Haney Kang (KAIST)
Jaehan Kim (KAIST)
Changhoon Yoon (KAIST)
Sandra Scott-Hayward (Queen’s University Belfast)
Seungwon Shin (KAIST)

Collaborators

Phil Porras, Vinod Yegneswaran (SRI International)
Kyuho Hwang, Daewon Jung (National Security Research Institute)
Atto Research

Questions?

Send questions or feedback to: lss365@kaist.ac.kr, jinwoo.kim@kaist.ac.kr

Original repository: https://github.com/seungsoo-lee/DELTA

The post DELTA – SDN security evaluation framework appeared first on Hakin9 – IT Security Magazine.

https://malwaredevil.com/2021/07/01/delta-sdn-security-evaluation-framework/?utm_source=rss&utm_medium=rss&utm_campaign=delta-sdn-security-evaluation-framework

Do cybercriminals play cyber games in quarantine? A look one year later

Last year, we decided to take a look at how the pandemic influenced the gaming industry and what new threats gamers could be facing. What we found was that, with the transition to remote work and remote learning, the number of blocked attempts to visit malicious game-related websites or follow malicious links from legitimate game-related websites and forums, increased by more than 50%. One year later, as the pandemic continues, we decided to revisit the threat landscape for gamers and the gaming industry.

Here’s what we found:

Online gamers have become even more active over the past year, and cybercriminals continue to exploit this.
Criminals are actively targeting leaders in the gaming industry to retrieve the source code of their games.
The games most often used as bait were Minecraft and Counter-Strike: Global Offensive (CS: GO).

They played, they play, and they’ll keep playing

In 2020, the number of gamers worldwide surpassed 2.7 million. According to data from Newzoo, the largest percentage of active users live in the Asia-Pacific.

And the number of video-game enthusiasts just keeps on growing every year. This is reflected in the statistics on the number of active players using the Steam platform. They dropped off slightly after reaching the all-time peak in May 2020 mentioned in last year’s report, but they didn’t fall back to pre-COVID levels. At the end of the summer holidays, the number of active users began to grow again, reaching an all-time high of almost 27 million players in March 2021.

The number of Steam users per day. Source: steamdb.info

Last year, we also reviewed reports from Steam on the hardware players used and noticed an increase in the share of Intel and AMD graphics cards, which was maintained until spring 2020. This growth suggests hundreds of thousands of work computers were connected to Steam. This year’s report looked at the period from December 2019 to May 2021, which shows that not only were work computers connected to Steam, but they also remained connected. The percentage of Intel and AMD video graphics cards stabilized again, but at the level it had reached at the beginning of the pandemic. Given that the amount of Intel and AMD cards has remained the same while the number of Steam users continues to grow, this means that even more office computers are being connected to Steam.

Source: steampowered.com

What are cybercriminals playing?

There’s been more than just a handful of cybercriminal attacks aimed at the gaming industry over the past year. In May for example, criminals attacked one of Sony’s flagship games — Little Big Planet. The developers were even forced to turn off the gaming servers for a period of time. And not long ago at the beginning of June 2021, one of the largest gaming companies — EA Games — was hacked, with attackers managing to steal the source code for several games. At the same time, the company CD Projekt reported the theft of their data, which could possibly have included the source code for Cyberpunk 2077 and The Witcher 3. Not only can these attacks result in source code falling into the hands of competitors, but the attackers may also discover and exploit previously unknown vulnerabilities in the gaming software.

Cybercriminals aren’t just attacking companies, they’re still attacking gamers too. If you look at the statistics for web antivirus detections on sites that exploit the gaming theme, there was a very notable surge in sites using the names of popular video games and gaming platforms from November to December 2020. This surge is most likely connected with the launch of Cyberpunk 2077. Attackers were probably trying everything they could to exploit the hotly anticipated release by tricking impatient gamers.

The number of web attacks exploiting gaming themes from January 2020 to May 2021. Source: Kaspersky Security Network (KSN)

The list of malicious programs most frequently distributed via purportedly game-related links significantly changed when compared with the previous year. One of the most frequently encountered malware families in such attacks this year was a Trojan called Badur.

At the same time, the set of tricks used by cybercriminals didn’t change substantively. As usual, the malware was disguised as free versions, updates, extensions for popular games or cheat programs.

Verdict                               Share
HEUR:Trojan.MSOffice.Badur.gena       4.72%
HEUR:Trojan.Script.Miner.gen          3.02%
HEUR:Trojan.PDF.Badur.gena            2.36%
HEUR:Trojan.OLE2.Badur.gena           1.57%
HEUR:Trojan.Multi.Preqw.gen           1.46%
HEUR:Trojan-PSW.Script.Generic        0.86%
Trojan-Downloader.Win32.Upatre.vwi    0.82%
HEUR:Trojan.Win32.Generic             0.81%
HEUR:Trojan.Script.SAgent.gen         0.70%
HEUR:Trojan.Script.Fraud.gen          0.43%
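As an added illustration (not part of the Kaspersky report or its tooling), the following Python script parses the verdict list above as pasted from the page, splits each Kaspersky-style verdict name into its components (the HEUR: prefix, behaviour, platform, family, variant) and aggregates the shares by family and by platform. The verdict layout assumed here, [HEUR:]Behaviour[-Subtype].Platform.Family[.Variant], and the reading of the column as a percentage share are assumptions made for this example; the names and numbers are the page’s own.

```python
from collections import defaultdict

# Constructed input: the verdict table from the report above, as it would be
# pasted from the page (comma decimal separator, trailing percent sign).
RAW = """\
HEUR:Trojan.MSOffice.Badur.gena 4,72%
HEUR:Trojan.Script.Miner.gen 3,02%
HEUR:Trojan.PDF.Badur.gena 2,36%
HEUR:Trojan.OLE2.Badur.gena 1,57%
HEUR:Trojan.Multi.Preqw.gen 1,46%
HEUR:Trojan-PSW.Script.Generic 0,86%
Trojan-Downloader.Win32.Upatre.vwi 0,82%
HEUR:Trojan.Win32.Generic 0,81%
HEUR:Trojan.Script.SAgent.gen 0,70%
HEUR:Trojan.Script.Fraud.gen 0,43%
"""


def parse_verdict(name):
    """Split a verdict name into its naming components.

    Layout assumed here: [HEUR:]Behaviour[-Subtype].Platform.Family[.Variant]
    e.g. HEUR:Trojan.MSOffice.Badur.gena -> heuristic, Trojan, MSOffice, Badur, gena
    """
    heuristic = name.startswith("HEUR:")
    core = name[len("HEUR:"):] if heuristic else name
    parts = core.split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected verdict format: {name!r}")
    return {
        "heuristic": heuristic,
        "behaviour": parts[0],
        "platform": parts[1],
        "family": parts[2],
        "variant": parts[3] if len(parts) > 3 else None,
    }


def parse_share(token):
    """'4,72%' -> 4.72 (the report uses a comma as decimal separator)."""
    return float(token.rstrip("%").replace(",", "."))


def parse_table(text):
    """Turn the pasted two-column list into a list of verdict records."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, share = line.rsplit(None, 1)
        record = parse_verdict(name)
        record["name"] = name
        record["share"] = parse_share(share)
        rows.append(record)
    return rows


def share_by(rows, component):
    """Sum the percentage share per value of one verdict component, descending."""
    totals = defaultdict(float)
    for row in rows:
        totals[row[component]] += row["share"]
    return sorted(((k, round(v, 2)) for k, v in totals.items()),
                  key=lambda kv: -kv[1])


if __name__ == "__main__":
    rows = parse_table(RAW)
    for component in ("family", "platform", "behaviour"):
        print(f"--- by {component} ---")
        for value, share in share_by(rows, component):
            print(f"{value:<20} {share:5.2f}%")
```

Grouping by family shows that the three Badur entries, split across the MSOffice, PDF and OLE2 platforms in the table, together account for 8.65% of detections, more than double the next family; grouping by platform gives the same signal from the other direction (Script 5.01%, MSOffice 4.72%). That is the view a detection team wants before deciding whether to tune controls around document-based lures as a class rather than per file type.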

The statistics do not take into account the category of threats known as Hacktools, which are usually installed by users themselves but, in some cases, can be used for malicious purposes. Hacktool refers to things like remote access clients, traffic analyzers, cheat programs etc. It’s worth noting that modern cheat programs often use the same technology as malicious programs such as memory injection and the exploitation of vulnerabilities to bypass protection.

Based on the statistics from our web antivirus, cybercriminals are still mainly placing their bets on exploiting Minecraft as a decoy.

The number of attacks that exploited the name of a particular online game, January 2020 — May 2021. Source: KSN

The dynamics of attacks using specific online games as a lure, January 2020 — May 2021. Source: KSN

At the same time, if you look at the attack dynamics during the reporting period you can see that CS: GO is gradually becoming the most popular bait for gamers. Also entering the ratings of the most popular games used as lures are Dota, Warcraft, and PUBG.

The dynamics in attacks exploiting the mobile game Dota are particularly interesting. Last summer, malicious links exploiting the name of this game even climbed to the top spot.

Conclusion

For almost a year and a half of the pandemic, the demand for video games has only continued to increase. The total number of active gamers is approaching 3 billion worldwide, with more and more users connecting their work devices to Steam.

Against the backdrop of this growth in the gaming industry, there’s been a rise in the number of cyberattacks in this sphere. Attackers have taken their trickery to the next level over the past year, now not only targeting gamers but also frequently targeting game developers. In some cases, the cybercriminals have managed to steal source code which may enable them to exploit new vulnerabilities in these games in the future.

To avoid falling victim to these cybercriminals, gamers should remain vigilant: do not trust emails sent on behalf of gaming services, do not enter your account details on dubious resources, and only download games from official sources.

https://malwaredevil.com/2021/07/01/do-cybercriminals-play-cyber-games-in-quarantine-a-look-one-year-later/?utm_source=rss&utm_medium=rss&utm_campaign=do-cybercriminals-play-cyber-games-in-quarantine-a-look-one-year-later

LinkedIn’s 1.2B Data-Scrape Victims Already Being Targeted by Attackers

A refined database of 88K U.S. business owners on LinkedIn has been posted in a hacker forum.

https://malwaredevil.com/2021/07/01/linkedins-1-2b-data-scrape-victims-already-being-targeted-by-attackers/?utm_source=rss&utm_medium=rss&utm_campaign=linkedins-1-2b-data-scrape-victims-already-being-targeted-by-attackers

Netgear Authentication Bypass Allows Router Takeover

Microsoft researchers discovered the firmware flaws in the DGN-2200v1 series router that can enable authentication bypass to take over devices and access stored credentials.

https://malwaredevil.com/2021/07/01/netgear-authentication-bypass-allows-router-takeover/?utm_source=rss&utm_medium=rss&utm_campaign=netgear-authentication-bypass-allows-router-takeover

Dropbox Used to Mask Malware Movement in Cyberespionage Campaign

The ongoing spear-phishing campaign targeting the Afghan government uses Dropbox as an API that leaves no traces of communications with weirdo websites.

https://malwaredevil.com/2021/07/01/dropbox-used-to-mask-malware-movement-in-cyberespionage-campaign/?utm_source=rss&utm_medium=rss&utm_campaign=dropbox-used-to-mask-malware-movement-in-cyberespionage-campaign

The Network is Key to Securing the Everywhere Perimeter

In light of surging ransomware cases and recent high-profile cyberattacks like those on SolarWinds, Colonial Pipeline, and meat supplier JBS, enterprise security teams may fall into the trap of thinking, “more defenses are better.” They implement an arsenal of point solutions, hoping their bases will be covered. The reality is, an organization can spend as..

The post The Network is Key to Securing the Everywhere Perimeter appeared first on Security Boulevard.

https://malwaredevil.com/2021/07/01/the-network-is-key-to-securing-the-everywhere-perimeter/?utm_source=rss&utm_medium=rss&utm_campaign=the-network-is-key-to-securing-the-everywhere-perimeter

Can Managed Security Keep Businesses Safer?

In the last two decades, the cybersecurity industry has grown from a niche sector into a dominant force in the business world. Today, Gartner predicts that cybersecurity spending will reach $150 billion this year, almost double what was predicted in 2015. These figures highlight that the cybersecurity industry is growing exponentially and that cybersecurity protection..

The post Can Managed Security Keep Businesses Safer? appeared first on Security Boulevard.

https://malwaredevil.com/2021/07/01/can-managed-security-keep-businesses-safer/?utm_source=rss&utm_medium=rss&utm_campaign=can-managed-security-keep-businesses-safer

Ransomware in Auto Manufacturing Threatens Industry’s Recovery

As automotive supply chains become more complex, automotive manufacturers are increasingly susceptible to a ransomware attack, according to a report from Black Kite. The security firm’s researchers analyzed the cybersecurity posture and ransomware susceptibility for the top 100 automotive manufacturers and the top 100 automotive suppliers, finding alarming security issues including companies’ susceptibility to phishing..

The post Ransomware in Auto Manufacturing Threatens Industry’s Recovery appeared first on Security Boulevard.

https://malwaredevil.com/2021/07/01/ransomware-in-auto-manufacturing-threatens-industrys-recovery/?utm_source=rss&utm_medium=rss&utm_campaign=ransomware-in-auto-manufacturing-threatens-industrys-recovery

2021-06-30 – TA551 (Shathak) pushes Trickbot with DarkVNC and Cobalt Strike

https://malwaredevil.com/2021/07/01/2021-06-30-ta551-shathak-pushes-trickbot-with-darkvnc-and-cobalt-strike-2/?utm_source=rss&utm_medium=rss&utm_campaign=2021-06-30-ta551-shathak-pushes-trickbot-with-darkvnc-and-cobalt-strike-2

ESB-2021.2297 – [SUSE] htmldoc: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2297
htmldoc security update
1 July 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: htmldoc
Publisher: Debian
Operating System: SUSE
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-26948 CVE-2021-26259 CVE-2021-26252
CVE-2021-23206 CVE-2021-23191 CVE-2021-23180
CVE-2021-23165 CVE-2021-23158 CVE-2021-20308
CVE-2019-19630

Reference: ESB-2021.2083
ESB-2021.0207
ESB-2019.4591

Original Bulletin:
https://lists.debian.org/debian-lts-announce/2021/07/msg00000.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2700-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
July 01, 2021 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package : htmldoc
Version : 1.8.27-8+deb9u1
CVE ID : CVE-2019-19630 CVE-2021-20308 CVE-2021-23158
CVE-2021-23165 CVE-2021-23180 CVE-2021-23191
CVE-2021-23206 CVE-2021-26252 CVE-2021-26259
CVE-2021-26948

A buffer overflow was discovered in HTMLDOC, a HTML processor that
generates indexed HTML, PS, and PDF, which could potentially result
in the execution of arbitrary code. In addition a number of crashes
were addressed.

For Debian 9 stretch, these problems have been fixed in version
1.8.27-8+deb9u1.

We recommend that you upgrade your htmldoc packages.

For the detailed security status of htmldoc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/htmldoc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
[PGP signature omitted]
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
[PGP signature omitted]
-----END PGP SIGNATURE-----

https://malwaredevil.com/2021/07/01/esb-2021-2297-suse-htmldoc-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-2297-suse-htmldoc-multiple-vulnerabilities

ISC Stormcast For Thursday, July 1st, 2021 https://isc.sans.edu/podcastdetail.html?id=7566, (Thu, Jul 1st)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The post ISC Stormcast For Thursday, July 1st, 2021 https://isc.sans.edu/podcastdetail.html?id=7566, (Thu, Jul 1st) appeared first on Malware Devil.



https://malwaredevil.com/2021/07/01/isc-stormcast-for-thursday-july-1st-2021-https-isc-sans-edu-podcastdetail-htmlid7566-thu-jul-1st/?utm_source=rss&utm_medium=rss&utm_campaign=isc-stormcast-for-thursday-july-1st-2021-https-isc-sans-edu-podcastdetail-htmlid7566-thu-jul-1st

ESB-2021.1135.2 – UPDATE [Appliance] BIG-IQ Centralized Management: Denial of service – Remote/unauthenticated

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1135.2
Grafana vulnerability CVE-2019-15043
1 July 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: BIG-IQ Centralized Management
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-15043

Original Bulletin:
https://support.f5.com/csp/article/K00843201

Revision History: July 1 2021: Vendor updated advisory to include fix information
April 6 2021: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K00843201: Grafana vulnerability CVE-2019-15043

Original Publication Date: 03 Apr, 2021
Latest Publication Date: 01 Jul, 2021

Security Advisory Description

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow
unauthenticated use. This makes it possible to run a denial of service attack
against the server running Grafana. (CVE-2019-15043)

Impact

An unauthorized user may be able to leverage the Grafana component to run a
snapshot task on the system.

Security Advisory Status

F5 Product Development has assigned ID 1008397 (BIG-IQ) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.

Note: After a fix is introduced for a vulnerable version, that fix applies to
all subsequent point releases for that version and no additional fixes for that
version will be listed in the table. For example, when a fix is introduced in
14.1.2.3, the fix applies to 14.1.2.4 and all later point releases.

+------------+------+--------------+----------+----------+------+-------------+
|            |      |Versions known|Fixes     |          |CVSSv3|Vulnerable   |
|Product     |Branch|to be         |introduced|Severity  |score^|component or |
|            |      |vulnerable^1  |in        |          |2     |feature      |
+------------+------+--------------+----------+----------+------+-------------+
|            |16.x  |None          |Not       |          |      |             |
|            |      |              |applicable|          |      |             |
|            +------+--------------+----------+          |      |             |
|            |15.x  |None          |Not       |          |      |             |
|            |      |              |applicable|          |      |             |
|            +------+--------------+----------+          |      |             |
|            |14.x  |None          |Not       |          |      |             |
|BIG-IP (all |      |              |applicable|Not       |      |             |
|modules)    +------+--------------+----------+vulnerable|None  |None         |
|            |13.x  |None          |Not       |          |      |             |
|            |      |              |applicable|          |      |             |
|            +------+--------------+----------+          |      |             |
|            |12.x  |None          |Not       |          |      |             |
|            |      |              |applicable|          |      |             |
|            +------+--------------+----------+          |      |             |
|            |11.x  |None          |Not       |          |      |             |
|            |      |              |applicable|          |      |             |
+------------+------+--------------+----------+----------+------+-------------+
|            |8.x   |8.0.0         |8.1.0     |          |      |             |
|BIG-IQ      +------+--------------+----------+          |      |             |
|Centralized |7.x   |7.0.0 - 7.1.0 |None      |High      |7.5   |Grafana      |
|Management  +------+--------------+----------+          |      |             |
|            |6.x   |6.0.0 - 6.1.0 |None      |          |      |             |
+------------+------+--------------+----------+----------+------+-------------+
|F5OS        |1.x   |None          |Not       |Not       |None  |None         |
|            |      |              |applicable|vulnerable|      |             |
+------------+------+--------------+----------+----------+------+-------------+
|Traffix SDC |5.x   |None          |Not       |Not       |None  |None         |
|            |      |              |applicable|vulnerable|      |             |
+------------+------+--------------+----------+----------+------+-------------+

^1F5 only evaluates software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle.

^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by installing a version listed in
the Fixes introduced in column. If the Fixes introduced in column does not list
a version for your branch, then no update candidate currently exists for that
branch and F5 recommends upgrading to a version with the fix (refer to the
table).

If the Fixes introduced in column lists a version prior to the one you are
running, in the same branch, then your version should have the fix.

Mitigation

To mitigate this vulnerability, you can modify the webd configuration file to
deny access to the snapshot API endpoint. To do so, perform the following
procedure.

Impact of action: This procedure involves restarting the webd daemon, which
causes the BIG-IQ user interface to be inaccessible. F5 recommends performing
this procedure during a scheduled maintenance window.

Modify the ‘webd’ configuration file to deny access to the snapshot API
endpoint

Create a backup of the ‘webd’ configuration file

1. Log in to the BIG-IQ system Advanced Shell (bash) using administrator role
credentials.
2. Create a backup copy of the webd configuration file by typing the following
command:

cp -a /etc/webd/webd.conf /etc/webd/webd.conf.backup

Modify the ‘webd’ configuration file

Use the text editor of your choice to modify the /etc/webd/webd.conf file.

1. Locate the following stanza in the configuration file:

location /mgmt/grafana/api/datasources/proxy/ {
deny all;
return 404;
}

2. Insert the following stanza directly after the
/mgmt/grafana/api/datasources/proxy/ stanza:

location /mgmt/grafana/api/snapshots {
deny all;
return 404;
}

3. Confirm that the entire section appears similar to the following example:

location /mgmt/grafana/ {
proxy_pass http://grafana/;
proxy_set_header Host $hostname:$proxy_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 5s;
proxy_read_timeout 300s;
# completely disallow all access through the grafana data source proxy
# TODO: Move this to the /mgmt/ block after the auth proxy is in place
location /mgmt/grafana/api/datasources/proxy/ {
deny all;
return 404;
}
location /mgmt/grafana/api/snapshots {
deny all;
return 404;
}
}

4. Save the changes and exit the text editor.

Verify the file and restart the daemon

1. Verify that the configuration file is valid by typing the following
command:

webd -t

The output should appear similar to the following example:

webd: the configuration file /etc/webd/webd.conf syntax is ok
webd: configuration file /etc/webd/webd.conf test is successful

2. Restart the webd daemon by typing the following command:

tmsh restart sys service webd
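The mitigation above is a manual, multi-step edit. The shell script below is an added example written for this page (it is not F5's or AusCERT's code) that performs the same edit idempotently, so it can be re-run safely and checked before `webd -t` and the restart. The function names, the `--apply` guard and the `.backup`/`.tmp` suffixes are this example's own; the stanza text and the paths come from the advisory.

```sh
#!/bin/sh
# Added example: apply the K00843201 webd mitigation idempotently.
# Function names, the --apply guard and file suffixes are this example's own.

SNAPSHOT_LOC='location /mgmt/grafana/api/snapshots'
PROXY_LOC='location /mgmt/grafana/api/datasources/proxy/'

# has_snapshot_deny CONF: exit 0 if CONF already has a snapshots location
# block containing "deny all;", else exit 1.
has_snapshot_deny() {
  awk -v loc="$SNAPSHOT_LOC" '
    index($0, loc)                       { inblock = 1 }
    inblock && /deny[[:space:]]+all;/    { found = 1 }
    inblock && /^[[:space:]]*}/          { inblock = 0 }
    END { if (found) exit 0; exit 1 }' "$1"
}

# insert_snapshot_deny CONF: back up CONF, then add the snapshots stanza
# directly after the datasources/proxy stanza, reusing its indentation.
# No-op when the stanza is already present (safe to re-run).
insert_snapshot_deny() {
  conf=$1
  if has_snapshot_deny "$conf"; then
    return 0
  fi
  cp -a "$conf" "$conf.backup" || return 1
  awk -v proxy="$PROXY_LOC" -v snap="$SNAPSHOT_LOC" '
    { print }
    index($0, proxy) {
      inproxy = 1
      match($0, /^[[:space:]]*/); ind = substr($0, 1, RLENGTH)
    }
    inproxy && /^[[:space:]]*}/ {        # closing brace of the proxy stanza
      inproxy = 0
      print ind snap " {"
      print ind "deny all;"
      print ind "return 404;"
      print ind "}"
    }' "$conf" > "$conf.tmp" || return 1
  # Overwrite in place so the file keeps its original owner and mode.
  cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp" || return 1
  has_snapshot_deny "$conf"
}

# Full procedure on a BIG-IQ, only when run as: sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
  insert_snapshot_deny /etc/webd/webd.conf \
    && webd -t \
    && tmsh restart sys service webd
fi
```

Run without `--apply` the script only defines the functions, so `has_snapshot_deny /etc/webd/webd.conf` can be used on its own as a post-change check.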

Supplemental Information

o K14736: BIG-IQ daemons
o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K8986: F5 software lifecycle policy
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.



The post ESB-2021.1135.2 – UPDATE [Appliance] BIG-IQ Centralized Management: Denial of service – Remote/unauthenticated appeared first on Malware Devil.



https://malwaredevil.com/2021/07/01/esb-2021-1135-2-update-appliance-big-iq-centralized-management-denial-of-service-remote-unauthenticated/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-1135-2-update-appliance-big-iq-centralized-management-denial-of-service-remote-unauthenticated

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...