//Week in review - 10 Jul 2020
AusCERT Week in Review for 10th July 2020
This week saw us starting the week with a critical alert for members to urgently patch the multiple vulnerabilities found within F5's BIG-IP products: CVE-2020-5902. We trust that all necessary steps have been undertaken within your organisation.
Having observed a substantial increase in the number of followers within our social media platforms, we thought it was pertinent to share our Glossary of InfoSec Terms & Acronyms again with our readers. This is a resource we’ve had plenty of positive feedback about and hopefully it comes in handy for you too.
Keep an eye out for a copy of our member Security Bulletins survey landing in your inbox next week. This survey has been prepared by our team, and the results will be used to strengthen our delivery of this particular service and will be part of a long-term service improvement project. We look forward to collating our member thoughts and feedback!
Until next week, we hope everyone has a restful weekend ahead – and to our friends and colleagues in Victoria, we’re thinking of you. Please stay safe and thank you for staying home.
Critical F5 BIG-IP vulnerability made public
[See also AusCERT bulletin ESB-2020.2260.5.]
Users of F5 enterprise and data centre BIG-IP network products are warned to patch the devices as soon as possible to handle a critical, easy to exploit remote code execution vulnerability that has now been made public.
Examples of the exploit have now been posted on social media, one of which uses a single line of code that calls a JavaServer Page function to reveal the passwords stored on BIG-IP devices.
The vulnerability rates as 10 out 10 on the Common Vulnerabilities Scoring System, and lies in lack of proper access control for the Traffic Management User Interface (TMUI) configuration utility for the devices.
Citrix Bugs Allow Unauthenticated Code Injection, Data Theft
[Refer to AusCERT bulletin ESB-2020.2310]
Admins should patch their Citrix ADC and Gateway installs immediately.
Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker.
The Citrix products ?(formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to a December assessment from Positive Technologies.
Other flaws announced Tuesday also affect Citrix SD-WAN WANOP appliances, models 4000-WO, 4100-WO, 5000-WO and 5100-WO.
Exploit developed for critical Palo Alto authentication flaw
Author: The Daily Swig (Portswigger)
Security researchers at Randori have developed a proof-of-concept exploit against a recently discovered flaw in firewalls and VPNs from Palo Alto Networks.
The Security Assertion Markup Language (SAML) authentication bypass (CVE-2020-2021) in PAN-OS is configuration specific, but high severity – rating a maximum 10 on the CVSS scale.
Randori’s work demonstrates that the vulnerability is not only critical but readily exploitable, a development that underlines the need to apply patches released last week or remove the risk of attack by switching authentication methods.
“Organizations leveraging SAML for authentication on affected systems should assume that an adversary may have gained access to their network,” Randori advises.
“They should review historical logs for anomalous behavior, such as abnormal usernames or source IP connections, and signs of compromise.”
Microsoft takes down domains used in COVID-19-related cybercrime
Author: Bleeping Computer
Microsoft took control of domains used by cybercriminals as part of the infrastructure needed to launch phishing attacks designed to exploit vulnerabilities and public fear resulting from the COVID-19 pandemic.
The threat actors who controlled these domains were first spotted by Microsoft’s Digital Crimes Unit (DCU) while attempting to compromise Microsoft customer accounts in December 2019 using phishing emails designed to help harvest contact lists, sensitive documents, and other sensitive information, later to be used as part of Business Email Compromise (BEC) attacks.
The attackers baited their victims (more recently using COVID-19-related lures) into giving them permission to access and control their Office 365 account by granting access permissions to attacker-controlled malicious OAuth apps.
$2.5 billion lost over a decade: ‘Nigerian princes’ lose their sheen, but scams are on the rise
Author: The Conversation
Last year, Australians reported more than A$634 million lost to fraud, a significant jump from $489.7 million the year before.
The Australian Competition and Consumer Commission has released its latest annual Targeting Scams report.
But despite increased awareness, scam alerts and targeted education campaigns, more Australians are being targeted than ever before.
Mozilla suspends Firefox Send service while it addresses malware abuse
Mozilla has temporarily suspended the Firefox Send file-sharing service while it adds a Report Abuse mechanism.
Windows 10's Microsoft Store Codecs patches are confusing users
On June 30th, Microsoft released two out-of-band security updates for remote code execution vulnerabilities in the Windows Codecs Library [known as the HEVC packages]. They stated that they affected both Windows 10 and Windows Server at the time.
Instead of delivering these security updates via Windows Update, Microsoft is rolling them out via auto-updates on the Microsoft Store.
Even more confusing, the advisories did not explain what Microsoft Store apps would be updated to resolve the vulnerabilities, leaving users in the dark as to whether they were affected and patched by an update.
Microsoft Defender ATP web content filtering is now free
The new Microsoft Defender Advanced Threat Protection Web Content Filtering feature will be provided for free to all enterprise customers without the need for an additional partner license.
Web Content Filtering is part of Microsoft Defender ATP's Web protection capabilities and it allows security admins to design and deploy custom web usage policies across their entire organizations, making it simple to track and control access to websites based on their content category.
The feature is available on all major web browsers, with blocks performed by Network Protection (on Chrome and Firefox) and SmartScreen (on Edge).
Multiple vulnerabilities have been discovered in Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP. These vulnerabilities could result in a number of security issues.
A new mitigation has been developed and published to address an RCE vulnerability in the TMUI.
Hotfixes have been released by Citrix to address two issues in Citrix Hypervisor.
Multiple security vulnerabilities identified affecting Android devices. Security patch levels of 2020-07-05 or later address all of these issues.
An update has been released to address multiple vulnerabilities in Firefox.
Multiple security issues have been found in Thunderbird which could result in denial of service or potentially the execution of arbitrary code.
Multiple security issues were found in PHP, which could result in information disclosure, denial of service or potentially the execution of arbitrary code.
Stay safe, stay patched and have a good weekend!