//Week in review - 14 Jun 2019

AusCERT Week in Review for 14th June 2019


Happy Microsoft patch week!  An updated Windows computer is a happy Windows computer (and will make us happy too!)

In other news, if you recall the Exim vulnerability we mentioned last week, it’s now being exploited in the wild so please patch as soon as you can!

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Exim email servers are now under attack
Date Published: 14/06/2019


“Exim servers, estimated to run nearly 57% of the internet’s email servers, are now under a heavy barrage of attacks from hacker groups trying to exploit a recent security flaw in order to take over vulnerable servers, ZDNet has learned.

At least two hacker groups have been identified carrying out attacks, one operating from a public internet server, and one using a server located on the dark web.”

RAMBleed (CVE-2019-0174)
Date Published: 12/06/2019


“RAMBleed is a side-channel attack that enables an attacker to read out physical memory belonging to other processes. The implications of violating arbitrary privilege boundaries are numerous, and vary in severity based on the other software running on the target machine. As an example, in our paper we demonstrate an attack against OpenSSH in which we use RAMBleed to leak a 2048 bit RSA key. However, RAMBleed can be used for reading other data as well.”

Google decloaks Win-DoS bug before patch is released
Date Published: 12/06/2019


“Google’s Project Zero security team has decided to reveal the details of a denial of service (DoS) bug in Windows, after Microsoft said it would provide a patch outside the 90-day disclosure deadline.

Project Zero lifted the veil on the flaw, 91 days after it was disclosed to Microsoft.

The bug is found in the Windows cryptographic application programming interface, affecting the SymCrypt library arithmetic routines, Project Zero researcher Tavis Ormandy said.”


8.4TB in email metadata exposed in university data leak
Date Published: 10/06/2019


“An exposed database belonging to Shanghai Jiao Tong University exposed 8.4TB in email metadata after failing to implement basic authentication demands.

As described on the Rainbowtabl.es security blog, Paine found the ElasticSearch database through a Shodan search.

The open database contained 9.5 billion rows of data and was active at the time of discovery, given that its size increased from 7TB on May 23 to 8.4TB only a day later.”

Project Svalbard: The Future of Have I Been Pwned
Date Published: 11/06/2019


“Back in April during a regular catchup with the folks at KPMG about some otherwise mundane financial stuff (I’ve met with advisers regularly as my own financial state became more complex), they suggested I have a chat with their Mergers and Acquisition (M&A) practice about finding a new home for HIBP. I was comfy doing that; we have a long relationship and they understand not just HIBP, but the broader spectrum of the cyber things I do day to day. It wasn’t a hard decision to make – I needed help and they
had the right experience and the right expertise.”

Here are this week’s noteworthy security bulletins:

1) ASB-2019.0156 – Microsoft Windows: Multiple vulnerabilities

2) ESB-2019.2084 – vim: Execute arbitrary code/commands – Remote with user interaction

3) ESB-2019.2090 – Adobe Flash Player: Execute arbitrary code/commands – Remote with user interaction

4) ESB-2019.2101 – Intel Microprocessors: Access privileged data – Existing account

5) ESB-2019.2102 – Cisco IOS XE Software Web UI: Cross-site request forgery – Remote with user interaction

Stay safe, stay patched and have a good weekend!