NSFOCUS Weekly Cybersecurity Report （ID: 201825）

June 28, 2018 | Adeline Zhang

Internet Threat Status

CVE Statistics

From the figure above, we can see an obvious rise in CVE IDs over last week. Besides, the fact that quite a few vulnerabilites were disclosed or discovered recently also reminded people to keep close attention to their systems’ security.

Threat Review

Quarterly Threat Report |Q1 2018 Ransomware volumes reduced; Large numbers of attacks were launched based on emails, Web and social media (06-21-2018)

Proofpoint published Quarterly Threat Report(Q1 2018) last week. During Q1 2018, reduced ransomware volumes appeared to open the door for greater payload diversity. Threat situation was analyzied across email, social media, and the web.

Link: https://www.proofpoint.com/us/resources/threat-reports/latest-quarterly-threat-research

Blockchain Threat Report | Don’t join blockchain revolution without ensuring security (06-21-2018)

In the past six months, many malware developers appear to have migrated from ransomware to cryptocurrency mining, according to McAfee? Global Threat Intelligence data that show ransomware attacks declining 32% in Q1 2018 from Q4 2017 while coin mining increased by 1,189%. Attackers have adopted many methods targeting consumers and businesses. The primary attack vectors include phishing, malware, implementation vulnerabilities, and technology.

Links: https://securingtomorrow.mcafee.com/mcafee-labs/threat-report-dont-join-blockchain-revolution-without-ensuring-security/

Cisco arbitray code execution vulnerability cause a DoS condition on affected devices (06-21-2018)

The June 20, 2018, release of the Cisco FXOS and NX-OS Software Security Advisory Collection includes 24 Cisco Security Advisories that describe 24 vulnerabilities in Cisco FXOS Software and Cisco NX-OS Software. Five of the vulnerabilities have a Security Impact Rating (SIR) of Critical. The remaining 19 vulnerabilities have a SIR of High. Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access to an affected device, gain elevated privileges for an affected device, execute arbitrary code, execute arbitrary commands, gain access to sensitive information, or cause a denial of service (DoS) condition on an affected device.

Link: https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-67770

Malware targeting the Boleto payment system | Malware can hijack transactions. (06-22-2018)

The Boleto system is very popular in Brazil. Mareware and variants targeting the Boleto system were even used for stealing cash from ATMs.
Link: http://toutiao.secjia.com/article/page?topid=110380

New vulnerabilities in Phoenix Contact switches endanger industrial networks (06-21-2018）

Phoenix Contact, a German electrical engineering and automation company, has disclosed four vulnerabilities in FL SWITCH industrial switches. These devices are used for automation at digital substations and in oil and gas, maritime, and other industries.The vulnerabilities affect FL SWITCH models 3xxx, 4xxx, and 48xxx running firmware versions 1.0–1.33. To stay safe, the vendor strongly recommends updating to firmware version 1.34.

Link：http://www.itsecurityguru.org/2018/06/21/new-vulnerabilities-phoenix-contact-switches-endanger-industrial-networks/

Hackers who sabotaged the Olympic games return for more mischief （06-19-2018）
The advanced hacking group that sabotaged the Pyeongchang Winter Olympics in February has struck again, this time in attacks that targeted financial institutions in Russia and chemical- and biological-threat prevention labs in France, Switzerland, the Netherlands, and Ukraine, researchers said.
Link: https://arstechnica.com/information-technology/2018/06/hackers-whosabotaged-

Phishers Use ‘ZeroFont’ Technique to Bypass Office 365 Protections (06-19-2018)

Cybercriminals have been leveraging a technique that involves manipulating font sizes in an effort to increase the chances of their phishing emails bypassing the protections implemented by Microsoft in Office 365.

Link: https://www.securityweek.com/phishers-use-zerofont-technique-bypass-office-365-protections

Google Marks APKs Distributed by Google Play （06-21-2018）

Description: Google this week announced that it is adding a small amount of security metadata on top of APKs distributed by Google Play in order to verify their authenticity.

Link: https://www.securityweek.com/google-marks-apks-distributed-google-play

(Compiled by: NSFOCUS TI & Cybersecurity Lab)

Vulnerability Research

Updates of NSFOCUS’s Vulnerability Database

As of 22 June 2018, there have been 40,154 vulnerabilities in NSFOCUS’s vulnerability database. Among 52 vulnerabilities that were newly-added last week, two were high-risk ones, 18 were of medium severity, and 32 were low-risk vulnerability.

Exiv2 LoaderExifJpeg Integer Overflow Vulnerability(CVE-2018-12265)
Severity: Medium
CVE ID: CVE-2018-12265

Exiv2 LoaderTiff::getData()Integer Overflow Vulnerability (CVE-2018-12264)
Severity: Medium
CVE ID: CVE-2018-12264

CA Privileged Access ManagerInput Validation Error (CVE-2018-9029)
Severity: Medium
CVE ID: CVE-2018-9029

CA Privileged Access Manager Session Fixation Vulnerability (CVE-2018-9026)
Severity: Low
CVE ID: CVE-2018-9026

CA Privileged Access Manager Cross-site Scripting Vulnerability (CVE-2018-9027)
Severity: Low
CVE ID: CVE-2018-9027

CA Privileged Access Manager Weak Cryptography Vulnerability (CVE-2018-9028)
Severity: Low
CVE ID: CVE-2018-9028

CA Privileged Access Manager Input Validation Error(CVE-2018-9025)
Severity: Low
CVE ID: CVE-2018-9025

CA Privileged Access Manager Authentication Bypass Vulnerability (CVE-2018-9021)
Severity: Medium
CVE ID: CVE-2018-9021

CA Privileged Access Manager Authentication Bypass Vulnerability (CVE-2018-9022)
Severity: Medium
CVE ID: CVE-2018-9022

CA Privileged Access Manager Input Validation Error (CVE-2018-9023)
Severity: Medium
CVE ID: CVE-2018-9023

CA Privileged Access Manager Authentication Bypass Vulnerability (CVE-2018-9024)
Severity: Low
CVE ID: CVE-2018-9024

CA Privileged Access Manager Input Validation Error (CVE-2015-4664)
Severity: Medium
CVE ID: CVE-2015-4664

McAfee Threat Intelligence Exchange Server Code Injection Vulnerability (CVE-2017-3907)
Severity: Medium
CVE ID: CVE-2017-3907

QEMU Heap Buffer Overflow Vulnerability(CVE-2018-11806)
Severity: Low
BID:104400
CVE ID: CVE-2018-11806

McAfee ePolicy Orchestrator Security Bypass Vulnerability (CVE-2018-6671)
Severity: Low
BID:104485
CVE ID: CVE-2018-6671

McAfee ePolicy Orchestrator Information Disclosure Vulnerability (CVE-2018-6672)
Severity: Low
BID:104485
CVE ID: CVE-2018-6672

FFmpeg ff_mpeg4_decode_picture_header Denial of Service Vulnerability (CVE-2018-12459)
Severity: Medium
CVE ID: CVE-2018-12459

FFmpeg mpeg4_encode_gop_header Denial of Service Vulnerability (CVE-2018-12458)
Severity: Medium
CVE ID: CVE-2018-12458

PHPOK Arbitrary File Deletion Vulnerability (CVE-2018-12492)
Severity: Low
CVE ID: CVE-2018-12492

PHPOK Arbitrary File Deletion Vulnerability (CVE-2018-12491)
Severity: Low
CVE ID: CVE-2018-12491

FFmpeg libavcodec Denial of Service Vulnerability (CVE-2018-12460)
Severity: Medium
CVE ID: CVE-2018-12460

CA Privileged Access Manager Input Validation Error (CVE-2015-4664)
Severity: Low
CVE ID: CVE-2015-4664

PublicCMS Directory Traversal Vulnerability(CVE-2018-12493)
Severity: Low
CVE ID: CVE-2018-12493

PublicCMS Directory Traversal Vulnerability (CVE-2018-12494)
Severity: Low
CVE ID: CVE-2018-12494

AKCMS Cross Site Request Forgery Vulnerability (CVE-2018-12583)
Severity: Low
CVE ID: CVE-2018-12583

AKCMS Cross Site Request Forgery Vulnerability(CVE-2018-12582)
Severity: Low
CVE ID: CVE-2018-12582

libfsntfs libfsntfs_mft_entry_read_attributes Information Disclosure Vulnerability (CVE-2018-11731)
Severity: Low
CVE ID: CVE-2018-11731

liblnk liblnk_data_string_get_utf8_string_size Information Disclosure Vulnerability(CVE-2018-12096)
Severity: Low
CVE ID: CVE-2018-12096

liblnk liblnk_location_information_read_data Information Disclosure Vulnerability (CVE-2018-12097)
Severity: Low
CVE ID: CVE-2018-12097

liblnk liblnk_data_block_read Information Disclosure Vulnerability (CVE-2018-12098)
Severity: Low
CVE ID: CVE-2018-12098

libfsntfs libfsntfs_reparse_point_values_read_data Information Disclosure Vulnerability (CVE-2018-11728)
Severity: Low
CVE ID: CVE-2018-11728

libfsntfs libfsntfs_mft_entry_read_header Information Disclosure Vulnerability (CVE-2018-11729)
Severity: Low
CVE ID: CVE-2018-11729

libfsntfs libfsntfs_security_descriptor_values_free Information Disclosure Vulnerability(CVE-2018-11730)
Severity: Low
CVE ID: CVE-2018-11730

Libmobi mobi_pk1_decrypt Denial of Service Vulnerability (CVE-2018-11724)
Severity: Low
CVE ID: CVE-2018-11724

Libmobi mobi_parse_index_entry Information Disclosure Vulnerability (CVE-2018-11725)
Severity: Low
CVE ID: CVE-2018-11725

Libmobi mobi_decode_font_resource Denial of Service Vulnerability (CVE-2018-11726)
Severity: Low
CVE ID: CVE-2018-11726

libfsntfs libfsntfs_attribute_read_from_mft Information Disclosure Vulnerability (CVE-2018-11727)
Severity: Low
CVE ID: CVE-2018-11727

Oracle Fusion Middleware Outside In Technology Component Security Vulnerability（CVE-2018-2806)
Severity: Medium
BID:103816
CVE ID: CVE-2018-2806

Oracle Fusion Middleware Outside In Technology Component Security Vulnerability (CVE-2018-2801)
Severity: Medium
BID:103819
CVE ID: CVE-2018-2801

Oracle Fusion Middleware Outside In Technology Component Security Vulnerability (CVE-2018-2768)
Severity: Medium
BID:103815
CVE ID: CVE-2018-2768

Symantec Endpoint Protection Local Denial of Service Vulnerability(CVE-2018-5236)
Severity: Medium
BID:104198
CVE ID: CVE-2018-5236

Symantec Endpoint Protection Local Privilege Escalation Vulnerability(CVE-2018-5237)
Severity: Medium
BID:104199
CVE ID: CVE-2018-5237

FastStone Image Viewer Access Violation Vulnerability (CVE-2018-11702)
Severity: Medium
CVE ID: CVE-2018-11702

FastStone Image Viewer Denial of Service Vulnerability (CVE-2018-11701)
Severity: Low
CVE ID: CVE-2018-11701

NTP ntpq and ntpdc Stack-based Buffer Overflow Vulnerability (CVE-2018-12327)
Severity: Medium
CVE ID: CVE-2018-12327

Cisco NX-OS Software NX-API Arbitrary Code Execution Vulnerability (CVE-2018-0301)
Severity: Critical
CVE ID: CVE-2018-0301

Cisco FXOS/NX-OS Software Fabric Services Remote Code Execution Vulnerability (CVE-2018-0308)
Severity: Critical
BID: 104514
CVE ID: CVE-2018-0308

FastStone Image Viewer Denial of Service Vulnerability (CVE-2018-11705)
Severity: Low
CVE ID: CVE-2018-11705

FastStone Image Viewer 0x00402d7d Access Violation Vulnerability (CVE-2018-11704)
Severity: Low
CVE ID: CVE-2018-11704

FastStone Image Viewer 0x00402d6a Access Violation Vulnerability (CVE-2018-11703)
Severity: Low
CVE ID: CVE-2018-11703

FastStone Image Viewer 0x0057898e Access Violation Vulnerability (CVE-2018-11707)
Severity: Low
CVE ID: CVE-2018-11707

FastStone Image Viewer 0x00578dd8 Access Violation Vulnerability (CVE-2018-11706)
Severity: Low
CVE ID: CVE-2018-11706

Microsoft Windows Desktop Bridge Local Privilege Escalation Vulnerability (CVE-2018-8214)
Severity: Critical
BID:104394
CVE ID: CVE-2018-8214

Microsoft Excel Information Disclosure Vulnerability (CVE-2018-8246)
Severity: Critical
BID:104322
CVE ID: CVE-2018-8246

Microsoft Excel Remote Code Execution Vulnerability (CVE-2018-8248)
Severity: Critical
BID:104318
CVE ID: CVE-2018-8248

Microsoft SharePoint Server Remote Privilege Escalation Vulnerability (CVE-2018-8252)
Severity: Critical
BID:104317
CVE ID: CVE-2018-8252

Microsoft SharePoint Server Remote Privilege Escalation Vulnerability (CVE-2018-8254)
Severity: Critical
BID:104325
CVE ID: CVE-2018-8254

Microsoft Windows Hyper-V Code Integrity Privilege Escalation Vulnerability (CVE-2018-8219)
Severity: Critical
BID:104353
CVE ID: CVE-2018-8219

Microsoft Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8227)
Severity: Critical
BID:104368
CVE ID: CVE-2018-8227

Microsoft Internet Explorer Remote Memory Corruption Vulnerability (CVE-2018-0978)
Severity: Critical
BID:104364
CVE ID: CVE-2018-0978

Microsoft Windows Hyper-V Remote Denial of Service Vulnerability (CVE-2018-8218)
Severity: Critical
BID:104402
CVE ID: CVE-2018-8218

Microsoft Windows Kernel Local Privilege Escalation Vulnerability (CVE-2018-8224)
Severity: Critical
BID:104381
CVE ID: CVE-2018-8224

Microsoft Windows ‘HTTP.sys’Remote Denial of Service Vulnerability(CVE-2018-8226)
Severity: Critical
BID:104361
CVE ID: CVE-2018-8226

Microsoft Windows Kernel ‘Win32k.sys’ Local Privilege Escalation Vulnerability(CVE-2018-8233)
Severity: Critical
BID:104383
CVE ID: CVE-2018-8233

Vulnerability in the Spotlight

Microsoft Windows VBScript Engine Security Vulnerability

NSFOCUS: ID 39836
CVE ID: CVE-2018-8174

Affected Versions:

Microsoft Windows Server 2016
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2008
Microsoft Windows RT 8.1
Microsoft Windows 8.1
Microsoft Windows 7

Comment

Microsoft Windows is a set of operting systems developed by Microsoft Corporation. The Windows VBScript is one of the VBScript (Scripting Language) Engines. Recently a remote code execution vulnerability was discovered when Micorsoft Windows VBScript engine is processing a memory object. A remote attacker could exploit this vulnerability to execute arbitrary code in the current user’s context. Vendor has released patches (Download Page) to address this flaw.

(Source: NSFOCUS Security Research & Product Groups)