Alerts

ECHO Network · 16 April 2021

Privacy may be dead, but it can also be the catalyst for real change

Data has become the most valuable commodity and today, most organizations know more about an individual than ever before. Unfortunately, our information is not being handled appropriately, given the number of data breaches we see in the news. In fact, in 2020, it was reported that there were 37....
ECHO Network · 16 April 2021

Trickbot Actors Target Slack and BaseCamp Users

via infosecurity-magazine.com. The threat actors behind the infamous Trickbot botnet have been at work again, firing highly customized phishing emails targeting Slack and BaseCamp users with loader malware, according to Sophos.
ECHO Network · 16 April 2021

Facebook Expands Oversight Board Scope | Avast

16 April 2021. Plus, WhatsApp and Clubhouse face privacy issues and the FBI protects unsuspecting users by...hacking them? Facebook made an announcement this week that it has expanded the scope of its Oversight Board to include appeals against content that has been left up on either Instagram or Facebook after someone had reported it.
ECHO Network · 16 April 2021

[webapps] GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF to RCE

# Exploit Title: GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF to RCE
# Exploit Author: Bobby Cooke (boku)
# Date: 15/04/2021
# Vendor Homepage: http://get-simple.info
# Software Link: http://get-simple.info/extend/download.php?file=files/18274/1221/my-smtp-contact_1.1.1.zip&id=1221
# Vendor: NetExplorer
# Version: <= v1.
ECHO Network · 16 April 2021

Critical Microsoft Exchange Server Vulnerabilities Could Allow Hackers to Take Control of Enterprise Networks

In a daily routine check-up, the cybersecurity experts of the U.S. National Security Agency have detected two critical Microsoft Exchange Server vulnerabilities. After detecting the vulnerabilities, the analysts asserted that these two vulnerabilities could enable the threat actors to persistently access and control business networks.
ECHO Network · 16 April 2021

NA - CVE-2021-31414 - The unofficial vscode-rpm-spec extension before...

This vulnerability is currently undergoing analysis and not all information is available. Please check back soon to view the completed vulnerability summary. The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
SANS · 16 April 2021

HTTPS Support for All Internal Services, (Fri, Apr 16th)

SSL/TLS has been on stage for a while, with deprecated protocols[1] and free certificates for everybody[2]. The landscape is changing to force more and more people to switch to encrypted communications, and this is good! As Johannes explained yesterday[3], Chrome 90 will now append "https://" by default in the navigation bar. Yesterday's diary covered the deployment of your own internal CA to generate certificates and switch everything to secure communications. This is a good point. In particular, by deploying your own root CA, you add an extra string to your security bow: SSL interception and inspection.

But sometimes, you could face other issues:

  • If you have guests on your network, they won't have the root CA installed and will receive annoying certificate warnings.
  • If you have very old devices or "closed" devices (like all kinds of IoT gadgets), it could be difficult to switch them to HTTPS.

On my network, I'm still using Let's Encrypt, but to generate certificates for internal hostnames. To avoid reconfiguring "old devices", I'm concentrating all the traffic behind a Traefik[4] reverse-proxy. Here is my setup:

My IoT devices and facilities (printers, cameras, lights) are connected to a dedicated VLAN with restricted capabilities. As you can see, the URLs to access them can use HTTP or HTTPS, on standard ports or exotic ports. A Traefik reverse-proxy is installed on the IoT VLAN and is accessible from clients only through TCP/443. Access to the "services" is provided through easy-to-remember URLs (https://service-a.internal.mydomain.be, etc).

From an HTTP point of view, Traefik is deployed in a standard way (in a Docker container in my case). The following configuration is added to let it handle the certificates:

# Enable ACME
certificatesResolvers:
  le:
    acme:
      email: xavier@<redacted>.be
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: ovh
        delayBeforeCheck: 10
        resolvers:
          - "8.8.8.8:53"
          - "8.8.4.4:53"

There is one major requirement for this setup: you need to use a valid domain name (read: a publicly registered domain) to generate internal URLs (in my case, "mydomain.be"), and the domain must be hosted at a provider that offers an API to manage the DNS zone (in my case, OVH). This is required by the DNS authentication mechanism (the ACME DNS-01 challenge) that we will use. Every new certificate generation will require a specific DNS record to be created through the API:

_acme-challenge.service-a.internal.mydomain.be

The subdomain is your preferred choice ("internal", "dmz", ...), be imaginative!

For all services running in Docker containers, Traefik is able to detect them and generate certificates on the fly. For other services like IoT devices, you just create a new config in Traefik, per service:

http:
  services:
    service_cam1:
      loadBalancer:
        servers:
          - url: "https://172.16.0.155:8443/"
  routers:
    router_cam1:
      rule: Host("cam1.internal.mydomain.be")
      entryPoints: [ "websecure" ]
      service: service_cam1
      tls:
        certResolver: le

You can instruct Traefik to monitor new configuration files and automatically load them:

# Enable automatic reload of the config
providers:
  file:
    directory: /etc/traefik/hosts/
    watch: true

Now you are ready to deploy all your internal HTTPS URLs and map them to your gadgets!

Of course, you have to maintain an internal DNS zone with records pointing to your Traefik instance.

Warning: Some services accessed through this kind of setup may require configuration tuning. For example, search for parameters like "base URL" and change them to reflect the URL that you're using with Traefik. More details about ACME support are available here[5] (with a list of all supported DNS providers).
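The per-service file, the DNS-01 record and the "only through TCP/443" rule above are easy to get wrong once you have a dozen gadgets. The following is an added example (not the diary author's code and not part of Traefik) that builds the same per-service configuration from a small inventory, derives the _acme-challenge record name each certificate will need, and lints the result for the two mistakes that would defeat the setup: a router that listens on anything other than the websecure entrypoint or has no certResolver, and a backend that is not addressed on the restricted IoT VLAN. The inventory, the 172.16.0.0/24 VLAN and every hostname except cam1 are assumptions made for the example.

```python
"""Added example: generate and sanity-check per-service Traefik dynamic
configuration for devices fronted by the reverse proxy described in the diary.
Hypothetical helper code, not from Traefik or the diary author."""
import ipaddress
import re
from urllib.parse import urlparse

INTERNAL_DOMAIN = "internal.mydomain.be"          # subdomain used in the diary
CERT_RESOLVER = "le"                              # certificatesResolvers name in the diary
IOT_VLAN = ipaddress.ip_network("172.16.0.0/24")  # assumption: the restricted IoT VLAN
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")  # one DNS label

# Constructed inventory; only cam1 appears in the diary, the others are made up.
DEVICES = [
    {"name": "cam1", "url": "https://172.16.0.155:8443/"},
    {"name": "printer", "url": "http://172.16.0.20/"},
    {"name": "lights", "url": "http://10.0.0.9:8080/"},  # deliberately outside the IoT VLAN
]


def internal_hostname(name: str) -> str:
    """Public-style FQDN that Traefik will serve over TCP/443."""
    return f"{name}.{INTERNAL_DOMAIN}"


def acme_challenge_record(hostname: str) -> str:
    """TXT record name the ACME DNS-01 challenge creates through the provider API."""
    return f"_acme-challenge.{hostname}"


def build_config(dev: dict) -> dict:
    """Same shape as the diary's per-service file: one service, one TLS router."""
    name, host = dev["name"], internal_hostname(dev["name"])
    return {
        "http": {
            "services": {f"service_{name}": {"loadBalancer": {"servers": [{"url": dev["url"]}]}}},
            "routers": {
                f"router_{name}": {
                    "rule": f'Host("{host}")',
                    "entryPoints": ["websecure"],
                    "service": f"service_{name}",
                    "tls": {"certResolver": CERT_RESOLVER},
                }
            },
        }
    }


def lint(cfg: dict) -> list:
    """Findings for anything that would expose a device over plain HTTP or make
    the proxy forward traffic to somewhere other than the restricted IoT VLAN."""
    findings = []
    http = cfg["http"]
    for rname, router in http["routers"].items():
        if router.get("entryPoints") != ["websecure"]:
            findings.append(f"{rname}: router must only listen on the websecure entrypoint")
        if not router.get("tls", {}).get("certResolver"):
            findings.append(f"{rname}: no tls.certResolver, so no certificate will be issued")
        m = re.fullmatch(r'Host\("([^"]+)"\)', router.get("rule", ""))
        if not m or not m.group(1).endswith("." + INTERNAL_DOMAIN):
            findings.append(f"{rname}: rule does not match a host under {INTERNAL_DOMAIN}")
        elif not LABEL_RE.match(m.group(1).split(".")[0]):
            findings.append(f"{rname}: invalid DNS label in host rule")
        if router.get("service") not in http["services"]:
            findings.append(f"{rname}: references unknown service {router.get('service')!r}")
    for sname, svc in http["services"].items():
        for server in svc["loadBalancer"]["servers"]:
            u = urlparse(server["url"])
            if u.scheme not in ("http", "https"):
                findings.append(f"{sname}: unsupported backend scheme {u.scheme!r}")
            try:
                if ipaddress.ip_address(u.hostname) not in IOT_VLAN:
                    findings.append(f"{sname}: backend {u.hostname} is outside the IoT VLAN {IOT_VLAN}")
            except ValueError:
                findings.append(f"{sname}: backend must be addressed by IP, got {u.hostname!r}")
    return findings


def render_yaml(cfg: dict) -> str:
    """Emit the config in the layout the diary shows (one file per service)."""
    (sname, svc), = cfg["http"]["services"].items()
    (rname, router), = cfg["http"]["routers"].items()
    url = svc["loadBalancer"]["servers"][0]["url"]
    return (
        "http:\n"
        "  services:\n"
        f"    {sname}:\n"
        "      loadBalancer:\n"
        "        servers:\n"
        f'          - url: "{url}"\n'
        "  routers:\n"
        f"    {rname}:\n"
        f"      rule: {router['rule']}\n"
        '      entryPoints: [ "websecure" ]\n'
        f"      service: {router['service']}\n"
        "      tls:\n"
        f"        certResolver: {router['tls']['certResolver']}\n"
    )


if __name__ == "__main__":
    for dev in DEVICES:
        cfg = build_config(dev)
        problems = lint(cfg)
        print(f"# DNS-01 record: {acme_challenge_record(internal_hostname(dev['name']))}")
        print(render_yaml(cfg) if not problems else "\n".join(problems))
```

Run it and write each rendered block to its own file under the directory the file provider watches (/etc/traefik/hosts/ in the diary); a device that fails the lint gets its findings printed instead of a file, so nothing outside the IoT VLAN is ever fronted by accident.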

[1] https://isc.sans.edu/forums/diary/Old+TLS+versions+gone+but+not+forgotten+well+not+really+gone+either/27260
[2] https://letsencrypt.org
[3] https://isc.sans.edu/forums/diary/Why+and+How+You+Should+be+Using+an+Internal+Certificate+Authority/27314/
[4] https://traefik.io
[5] https://doc.traefik.io/traefik/https/acme/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
ECHO Network · 16 April 2021

NA - CVE-2021-21405 - Lotus is an Implementation of the Filecoin...

Lotus is an Implementation of the Filecoin protocol written in Go. BLS signature validation in lotus uses blst library method VerifyCompressed. This method accepts signatures in 2 forms: "serialized", and "compressed", meaning that BLS signatures can be provided as either of 2 unique byte arrays.
ECHO Network · 16 April 2021

NA - CVE-2021-29430 - Sydent is a reference Matrix identity server....

Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response size for requests it makes to remote Matrix homeservers.
ECHO Network · 16 April 2021

NA - CVE-2021-29450 - Wordpress is an open source CMS. One of the...

Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases.
NVD: all CVE · 16 April 2021

CVE-2021-31414

The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
NVD: all CVE · 16 April 2021

CVE-2021-26073

Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions between 3.0.2 - 6.5.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app.
NVD: all CVE · 16 April 2021

CVE-2021-26074

Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions between 1.1.0 - 2.1.2 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app.
ECHO Network · 16 April 2021

FoundCore: Evasive Malware Used by Chinese Hackers for Cyber Espionage

Security experts from Kaspersky Lab have uncovered a long-lasting cyber espionage operation launched by a Chinese nation-backed actor to target government and military institutions across Vietnam. The hacker group, known as Cycldek, APT27, GoblinPanda, and LuckyMouse, relied on a brand-new and....
NVD: all CVE · 16 April 2021

CVE-2018-19942

A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions:
QTS 4.5.2.1566 build 20210202 (and later)
QTS 4.5.1.1456 build 20201015 (and later)
QTS 4.3.6.1446 build 20200929 (and later)
QTS 4.3.4.1463 build 20201006 (and later)
QTS 4.3.3.1432 build 20201006 (and later)
QTS 4.2.6 build 20210327 (and later)
QuTS hero h4.5.1.1472 build 20201031 (and later)
QuTScloud c4.5.4.1601 build 20210309 (and later)
QuTScloud c4.5.3.1454 build 20201013 (and later)
ECHO Network · 16 April 2021

Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.5

Description. CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') The vulnerability allows a remote attacker to perform a denial of service (DoS) attack. The vulnerability exists due to a race condition in some net/http servers, as demonstrated by the httputil.
SANS · 16 April 2021

ISC Stormcast For Friday, April 16th, 2021 https://isc.sans.edu/podcastdetail.html?id=7460, (Fri, Apr 16th)

NVD: all CVE · 16 April 2021

CVE-2021-27691

Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN, and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request. This occurs because the "formSetDebugCfg" function executes glibc's system function with untrusted input.
NVD: all CVE · 16 April 2021

CVE-2021-27692

Command Injection in Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted "action/umountUSBPartition" request. This occurs because the "formSetUSBPartitionUmount" function executes the "doSystemCmd" function with untrusted input.
ECHO Network · 16 April 2021

Name:Wreck – Researchers Discover Further Vulnerabilities in TCP/IP Stacks

Security researchers at Forescout report no fewer than eight security vulnerabilities in certain versions of the stack implementations Nucleus Net (Siemens), FreeBSD and NetX, alias Azure RTOS NetX (Microsoft). Added to these is a "rediscovered" but long since patched vulnerability in IPNet. The researchers call their latest discovery "Name:Wreck".