//Week in review - 16 Aug 2019

AusCERT Week in Review for 16th August 2019


Windows’ Remote Desktop Services is in the spotlight this week, with two separate announcements. Firstly, the ACSC issued a warning on Monday night that May’s “BlueKeep” vulnerability was being exploited in the wild. Then, Microsoft warned on Patch Tuesday (or Wednesday for us antipodeans) that it had found two more similar vulnerabilities, with patches available immediately.

In other news, F-Secure have written up a novel injection attack. While injection attacks are famously seen in carelessly-written SQL and shell scripts, this week brought a blog post documenting how vendor F5’s own example configuration code often contained vulnerable Tcl. While F5 released an advisory in May to this effect, F-Secure’s post brings greater notoriety to the issue.

While scripting languages are on your mind, consider ShellCheck. Yours truly will always recommend an extra pair of eyes on any shell scripts being written.

ASD upgrades BlueKeep Win. RDP warning, 50K Aust. devices at risk
Author: iTnews
Date published: 2019-08-13

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has issued a late evening warning to business and government that a recently revealed legacy Windows exploit has jumped ‘research’ quarantine and is expected to start fanging victims imminently.

New Bluetooth KNOB Flaw Lets Attackers Manipulate Traffic
Author: BleepingComputer
Date published: 2019-08-13

A new Bluetooth vulnerability named “KNOB” has been disclosed that allows attackers to more easily brute-force the encryption key used during pairing to monitor or manipulate the data transferred between two paired devices.

‘Cyber paramedics’ keep Vic agencies safe
Author: Government News
Date published: 2019-08-12

When David Cullen took up the job of Principal Advisor of Cyber Incidents and Emergency Management at the Victorian Department of Premier and Cabinet a year ago he was told there had been just 13 cyber-attacks in the history of the organisation.
“I scratched my head and thought, ‘what a ripping job I’ve landed in’,” he told delegates at a Technology in Government conference in Canberra last week.
He soon found out those 13 attacks weren’t “even close to the tip of the iceberg”.
After conducting a whole of government survey it became apparent that hackers were attempting to breach government systems every 45 seconds and that nine in 10 Victorian government organisations had experienced a cyber incident.

WordPress team working on daring plan to forcibly update old websites
Author: ZDNet
Date published: 2019-08-08

The developers behind the WordPress open-source content management system (CMS) are working on a plan to forcibly auto-update older versions of the CMS to more recent releases.
The goal of this plan is to improve the security of the WordPress ecosystem, and the internet as a whole, since WordPress installations account for more than 34% of all internet websites.

Hidden Injection Flaws Found in BIG-IP Load Balancers
Author: SecurityWeek
Date published: 2019-08-09

The issue cannot be patched. “This is not a vulnerability in Tcl, or F5 products, but rather an issue relating to coding practices used when writing Tcl code,” explained F5 in its advisory. The effect, however, could give an attacker access to the load balancer and its hosting device, the ability to read passing traffic (including user credentials), and the potential to use this as a beachhead for gaining access to the internal network.

The inability to patch the problem and the difficulty for companies to know whether their own code exposes the problem, prompted the flaw finder, F-Secure’s senior security consultant Christoffer Jerkeby, to publish a paper on his findings.


This free tool is available online and as a binary, and scours your shell scripts for common mistakes. It’s also available as a plug-in for your favourite editor.

This week’s noteworthy bulletins:

1. ESB-2019.3059 – [Appliance] FortiOS
JavaScript files used in the appliance’s web UI would reveal OS version information even to unauthenticated users.

2. ASB-2019.0238 – [Windows] Microsoft Windows (login wall)
Microsoft’s Patch Tuesday included two “wormable” RCEs in Remote Desktop Services, similar to the BlueKeep bug patched in May.
Two more RCEs were also patched in the Windows DHCP client.

3. ESB-2019.3092 – [Windows] [macOS] Adobe Acrobat and Reader
Opening a crafted file could execute arbitrary code. A good reminder not to open suspicious files.

4. ESB-2019.3116 – [Windows] [UNIX/Linux] nginx
Multiple DoS vulnerabilities were found in HTTP/2 servers by a researcher at Netflix.
Nginx happens to be the first to release a fix.

Stay safe, stay patched, try out ShellCheck, and have a great weekend!