IBM Spectrum Protect Plus Directory Traversal and Arbitrary Code Execution Vulnerabilities (CVE-2020-4711, CVE-2020-4703) Threat Alert
outubro 9, 2020
Vulnerability Description
On September 15, 2020, NSFOCUS detected that IBM released a security bulletin, which fixed directory traversal and arbitrary code execution vulnerabilities (CVE-2020-4711, CVE-2020-4703) in IBM Spectrum Protect Plus Administrative Console. The directory traversal vulnerability (CVE-2020-4711) exists in a script (/opt/ECX/tools/scripts/restore_wrapper.sh) within Spectrum Protect Plus. An unauthenticated attacker could send a crafted HTTP request to view arbitrary files on the system. CVE-2020-4703 allows an authenticated attack to upload arbitrary files, which could then be used to execute arbitrary code on the vulnerable server. This vulnerability is due to an incomplete fix for CVE-2020-4470. Currently, the proof of concept (PoC) of this vulnerability has been made publicly available. Relevant users are advised to take protective measures as soon as possible.
IBM Spectrum Protect Plus is a data protection and availability solution for virtual environments. It can be implemented as an independent solution or environmentally integrated into IBM Spectrum Protect, thereby offloading copies for long-term storage and data governance efficiently at scale.
(mais…)DHDiscover reflection attacks can magnify nearly 200 times of the attack 2
outubro 8, 2020
DHDiscover reflection attack analysis
In this chapter, we’ll demonstrate the threat status quo of DHDiscover reflection attack after referring to log data captured by the NSFOCUS Threat Capture System[AZ1] from June 1, 2020 to August 18, 2020 at the port 37810.
We analyzed the number of logs at the port 37810 as shown in the figure. It can be seen from the figure that the attacks increased in an upward trend from early June to early August, and then decreased in mid-August, with the maximum number of packets captured by a single honeypot reaching 900,000 in a single day.
Figure 1.1 DHDiscover[AZ3] server accessing trend
We also have counted the payload in the log data received at the port 37810. And out of the concern not to spread the attack messages, we have named them here according to the length of the messages. As we can tell in Figure 1.1, the more common payloads used by attackers are 4 bytes and 62 bytes in length, between which the 62-byte payload also has been mentioned in an article written by Tencent.
(mais…)Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2020-16875) Handling Guide
outubro 7, 2020
Vulnerability Description
Recently, NSFOCUS detected that security personnel disclosed the procedure for exploiting the Microsoft Exchange Server remote code execution vulnerability (CVE-2020-16875) online. The vulnerability was made public by Microsoft in its September 2020 Security Updates. A remote code execution vulnerability exists in the way that Microsoft Exchange Server handles objects in memory. The prerequisite for successfully exploiting the vulnerability is to have user rights that can be authenticated as an Exchange role. An attacker could trigger the vulnerability by sending an email that contains special cmdlet arguments to the affected Exchange server. An attacker who successfully exploited the vulnerability could execute arbitrary code with system privileges on the affected system. Users should take preventive measures as soon as possible.
(mais…)Botnet Trend Report 2019-13
outubro 5, 2020
Mirai
At present, Mirai is among the biggest IoT botnet families which have the most variants and infect the most devices to impose the most extensive impact. In 2019, NSFOCUS Security Labs captured 10,635 Mirai samples in total (excluding the repetitive malware arising from cross compilation), identified 1660 C&C addresses, and detected more than 40 exploits.
(mais…)DHDiscover reflection attacks can magnify nearly 200 times of the attack 1
outubro 4, 2020
1. Abstract
In March 2020, Tencent published an article about a DVR being used for reflection attacks. Service port of this DVR is 37810, we named it DHDiscover service as there was DHDiscover shown in it. In the reflection attacks captured by Tencent, the scale of attack traffic exceeded 50G, and the reflection source regions were concentrated in many countries and regions in America, Asia, and Europe, with South Korea and Brazil being the hardest hit areas. Based on the network-wide surveying and mapping data of NSFOCUS Threat Intelligence (NTI) and the captured data of NSFOCUS Threat Capture System, this article provides analisys on its network-wide exposure, reflection attack trends, attack methods commonly used by attackers, and reflection attack bandwidth amplification factors.
(mais…)PAN-OS Remote Code Execution Vulnerability (CVE-2020-2040) Threat Alert
outubro 3, 2020
Vulnerability Description
Recently, NSFOCUS detected that Palo Alto Networks (PAN) released a security advisory, which announced a critical vulnerability (CVE-2020-2040) assigned a CVSS base score of 9.8. When Captive Portal is enabled or Multi-Factor Authentication (MFA) is configured, this buffer overflow vulnerability in PAN-OS allows an unauthenticated attacker to potentially disrupt system processes and execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or MFA interface. This vulnerability is easy to exploit and requires no user interaction. Affected users are advised to take measures without delay.
PAN-OS is an operating system that runs on PAN firewalls and enterprise VPN appliances.
(mais…)Netlogon Privilege Escalation Vulnerability (CVE-2020-1472) Handling Guide
outubro 2, 2020
1. Vulnerability Description
Recently, NSFOCUS detected that the foreign security company Secura disclosed detailed information and validation scripts about the Netlogon privilege escalation vulnerability (CVE-2020-1472), which increases vulnerability risks abruptly. Exploitation of this vulnerability requires a computer on the same local area network (LAN) as the target. When using the Netlogon Remote Protocol (MS-NRPC) to establish a secure channel connection to a domain controller, an unauthenticated attacker could exploit the vulnerability to obtain domain administrator access. The vulnerability was disclosed by Microsoft in its August 2020 security updates. With a CVSS base score of 10, it has an extensive impact. At present, EXP has been made public on the Internet. Affected users are advised to take preventive measures as soon as possible.
(mais…)Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2020-16875) Threat Alert
setembro 30, 2020
Overview
Microsoft has fixed a critical vulnerability in its September 2020 Security Updates, which is a remote code execution vulnerability (CVE-2020-16875) in Microsoft Exchange Server. Recently, relevant proof of concept (PoC) has appeared on the Internet.
Due to incorrect verification of cmdlet arguments, an attacker may trigger this vulnerability by sending an email that contains special cmdlet arguments to the affected Exchange server. An attacker who successfully exploited the vulnerability could execute arbitrary code with system privileges on the affected system. It is worth noting that the prerequisite for successfully exploiting the vulnerability is to have user rights that can be authenticated as an Exchange role.
(mais…)Microsoft September 2020 Security Updates for Multiple High-Risk Product Vulnerabilities Threat Alert
setembro 29, 2020
Vulnerability Description
On September 9, 2020, Beijing time, Microsoft released September 2020 Security Updates that fix 129 vulnerabilities ranging from remote code execution to privilege escalation in various products, including Microsoft Windows, Internet Explorer, Microsoft Office, Microsoft Exchange Server, Visual Studio, and ASP.NET.
(mais…)