NSFOCUS

PAN-OS Remote Code Execution Vulnerability (CVE-2020-2040) Threat Alert

October 3, 2020

Vulnerability Description

Recently, NSFOCUS detected that Palo Alto Networks (PAN) released a security advisory, which announced a critical vulnerability (CVE-2020-2040) assigned a CVSS base score of 9.8. When Captive Portal is enabled or Multi-Factor Authentication (MFA) is configured, this buffer overflow vulnerability in PAN-OS allows an unauthenticated attacker to potentially disrupt system processes and execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or MFA interface. This vulnerability is easy to exploit and requires no user interaction. Affected users are advised to take measures without delay.

PAN-OS is an operating system that runs on PAN firewalls and enterprise VPN appliances.


Netlogon Privilege Escalation Vulnerability (CVE-2020-1472) Handling Guide

October 2, 2020

1. Vulnerability Description

Recently, NSFOCUS detected that the foreign security company Secura disclosed detailed information and validation scripts for the Netlogon privilege escalation vulnerability (CVE-2020-1472), which sharply increases the risk of exploitation. Exploitation of this vulnerability requires a computer on the same local area network (LAN) as the target. When the Netlogon Remote Protocol (MS-NRPC) is used to establish a secure channel connection to a domain controller, an unauthenticated attacker could exploit the vulnerability to obtain domain administrator access. The vulnerability was disclosed by Microsoft in its August 2020 security updates. With a CVSS base score of 10, it has an extensive impact. At present, exploit code (EXP) has been made public on the Internet. Affected users are advised to take preventive measures as soon as possible.


Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2020-16875) Threat Alert

September 30, 2020

Overview

Microsoft fixed a critical vulnerability in its September 2020 Security Updates: a remote code execution vulnerability (CVE-2020-16875) in Microsoft Exchange Server. Recently, a proof of concept (PoC) for it has appeared on the Internet.

Because of improper validation of cmdlet arguments, an attacker may trigger this vulnerability by sending an email that contains specially crafted cmdlet arguments to the affected Exchange server. An attacker who successfully exploited the vulnerability could execute arbitrary code with SYSTEM privileges on the affected system. It is worth noting that successful exploitation requires the attacker to be authenticated with a user account that holds an Exchange role.


Microsoft September 2020 Security Updates for Multiple High-Risk Product Vulnerabilities Threat Alert

September 29, 2020

Vulnerability Description

On September 9, 2020, Beijing time, Microsoft released its September 2020 Security Updates, which fix 129 vulnerabilities ranging from remote code execution to privilege escalation in various products, including Microsoft Windows, Internet Explorer, Microsoft Office, Microsoft Exchange Server, Visual Studio, and ASP.NET.


Botnet Trend Report 2019-12

September 28, 2020

This chapter describes active botnet families under long-term tracking by NSFOCUS Security Labs, as well as families it newly captured, from the perspectives of their background, activity, and association with other families.

Botnet Families

  • GoBrut

Malware in the GoBrut family, written in Go, made its debut in early 2019. Its purpose is to detect services on a target website and obtain login user names and passwords via brute-force attacks. The GoBrut family emerged during a period characterized by poor security in website management frameworks (such as Magento, WordPress, and Drupal) and ubiquitous weak passwords. After obtaining the user name and password for the target website, the attacker can log in to the website and gain shell privileges for further malicious operations.


Apache DolphinScheduler High-Risk Vulnerabilities (CVE-2020-11974, CVE-2020-13922) Handling Guide

September 26, 2020

1. Vulnerability Description

On September 11, 2020, NSFOCUS detected that the Apache Software Foundation released security advisories fixing an Apache DolphinScheduler permission overwrite vulnerability (CVE-2020-13922) and an Apache DolphinScheduler remote code execution vulnerability (CVE-2020-11974). CVE-2020-11974 is related to a remote code execution vulnerability in MySQL Connector/J. When MySQL is chosen as the database, an attacker could execute code remotely on the DolphinScheduler server by supplying {"detectCustomCollations":true, "autoDeserialize":true} in the JDBC connection parameters. CVE-2020-13922 allows an ordinary user to overwrite other users' passwords in the DolphinScheduler system through the API endpoint /dolphinscheduler/users/update. Affected users are advised to upgrade without delay.


Analysis of the 2020 H1 Malware Trend

September 25, 2020

1. Overview

From data collected throughout 2019 and data up to June 30, 2020, we extracted information about malware, whose distribution by type is shown in Figure 1-1. Compared with 2019, the percentages of the various types of malware changed in 2020 H1: backdoors overtook cryptominers to become No. 1 with a share of 48.05%, and the percentage of cryptominers fell significantly. Meanwhile, worm activity was roughly flat compared with 2019. Cryptominers, worms, and backdoors together accounted for 87% of all malware activity.


Apache DolphinScheduler High-Risk Vulnerabilities (CVE-2020-11974, CVE-2020-13922) Threat Alert

September 23, 2020

1. Vulnerability Description

On September 11, 2020, NSFOCUS detected that the Apache Software Foundation released security advisories fixing an Apache DolphinScheduler permission overwrite vulnerability (CVE-2020-13922) and an Apache DolphinScheduler remote code execution vulnerability (CVE-2020-11974). CVE-2020-11974 is related to a remote code execution vulnerability in MySQL Connector/J. When MySQL is chosen as the database, an attacker could execute code remotely on the DolphinScheduler server by supplying {"detectCustomCollations":true, "autoDeserialize":true} in the JDBC connection parameters. CVE-2020-13922 allows an ordinary user to overwrite other users' passwords in the DolphinScheduler system through the API endpoint /dolphinscheduler/users/update. Affected users are advised to upgrade without delay.


BT.CN Unauthenticated phpmyadmin Vulnerability Threat Alert

September 22, 2020

Overview

On August 23, 2020, Beijing time, BT.CN released an urgent security update announcing that BT-Panel for Linux 7.4.2 and BT-Panel for Windows 6.8 are vulnerable.

The unauthenticated phpMyAdmin instance allows direct login to the database simply by accessing a specific address.

BT-Panel is server management software that improves operation and maintenance efficiency. It supports more than 100 server management functions, such as clustering, monitoring, website hosting, FTP, databases, and Java.


Botnet Trend Report 2019-11

September 21, 2020

Overview

Overall, malware on mobile platforms, though evolving in the same way as malware on PCs, has a complex composition.

In 2019, ad apps still dominated the list of malware threatening the security of Android users. Potentially dangerous software involving sensitive operations also made up a large proportion. Agent programs launching attacks via remote code execution, thanks to the inherent nature of Android, were another type of mobile threat at the top of the list. In addition, using droppers or downloaders to deliver malicious payloads became quite common, although the scale is not yet as large as on PCs. High-risk threats, such as spyware, banking Trojans, and ransomware, were small in number, but most of them had been around for some time and some even for years.
