Week in review - 17 Jul 2020

AusCERT Week in Review for 17th July 2020


Have we been busy!

This week has been another tough one for networking vendors.

SAP NetWeaver, Windows Server and Cisco’s RV-series routers have all had critical vulnerabilities this week, enabling unauthenticated remote code execution. See the highlighted articles and bulletins below for more information, and if you’re affected, we advise applying patches or mitigations ASAP.

And last but not least, an AusCERT membership email would have landed in your inbox this week containing some important updates for July 2020:

  1. An invitation to complete the 2020 AusCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August. We look forward to collating our member thoughts and feedback, thank you in advance for your time and support!

  2. An update regarding our Quarter 2 report: an overview of the cyber security incidents reported by members from 1 April to 30 June 2020, including a summary of other key achievements this quarter.

  3. An invitation to attend our Malicious URL Feed webinar taking place next Wednesday 22 July.

Until next week, wishing everyone a restful weekend.

Critical SAP Recon flaw exposes thousands of systems to attacks
Date: 2020-07-13
Author: Bleeping Computer

[Refer to AusCERT bulletin ESB-2020.2381]
SAP patched a critical vulnerability affecting over 40,000 systems and found in the SAP NetWeaver Java versions 7.30 to 7.50, a core component of several solutions and products deployed in most SAP environments.
The RECON (short for Remotely Exploitable Code On NetWeaver) vulnerability is rated with a maximum CVSS score of 10 out of 10 and can be exploited remotely by unauthenticated attackers to fully compromise unpatched SAP systems according to Onapsis, the company that found and responsibly disclosed RECON to the SAP Security Response Team.

Microsoft urges patching severe-impact, wormable server vulnerability
Date: 2020-07-15
Author: Ars Technica

[Refer to AusCERT bulletin ASB-2020.0120; member portal login required]
Microsoft is urgently advising Windows server customers to patch a vulnerability that allows attackers to take control of entire networks with no user interaction and, from there, rapidly spread from computer to computer.
The vulnerability, dubbed SigRed by the researchers who discovered it, resides in Windows DNS, a component that automatically responds to requests to translate a domain into the IP address computers need to locate it on the Internet. By sending maliciously formed queries, attackers can execute code that gains domain administrator rights and, from there, take control of an entire network. The vulnerability, which doesn’t apply to client versions of Windows, is present in server versions from 2003 to 2019. SigRed is formally tracked as CVE-2020-1350. Microsoft issued a fix as part of this month’s Update Tuesday.

Cyber experts urge Australia to develop local capability to defend against hackers
Date: 2020-07-12
Author: Sydney Morning Herald

Cyber experts have urged the federal government to become less reliant on overseas businesses, technologies and expertise for its defences against hackers as it puts the finishing touches on the nation’s new cyber security strategy.
Foreign providers are responsible for most of the cyber security products and services in Australia, with no local companies among the 15 largest software providers in the local market.

Thousands of shop, bank, and government websites shut down by EV revocation
Date: 2020-07-13
Author: Netcraft

More than two thousand sites using Extended Validation certificates stopped working this weekend and remain inaccessible today (Monday), including those run by banks, governments, and online shops. The EV certificates used by these sites were revoked on Saturday, and have yet to be replaced. Most visitors using modern web browsers are completely locked out: this certificate error cannot be bypassed in Chrome, Firefox, Safari, or Microsoft Edge.
On Monday morning, Netcraft found 3,800 sites still using EV certificates issued by the affected sub-CAs. Of these 3,800, more than 2,300 were still using a revoked EV certificate, completely disabling the sites for users in modern browsers, which handle EV revocation more robustly than other types of certificate. The remainder are yet to be revoked.

SANS Institute Provides Guidance on Improving Cyber Defense Using the MITRE ATT&CK Framework
Date: 2020-07-13
Author: CISION PR Newswire

[SANS Institute will be speaking at, and is a sponsor of, AusCERT2020.]
A new report from the SANS Institute, “Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework,” provides expert guidance to help cyber defense professionals learn how to best leverage the MITRE ATT&CK Framework to improve their organization’s security posture.

Outlook down? How to fix it
Date: 2020-07-15
Author: ZDNet

It was just another morning at work on July 15, 2020, for many Windows users. They turned on their computers — some of them may have noted that they’d gotten an Outlook program update — and then they tried to open their e-mail in Outlook… Suddenly their day took a turn for the worse.
For many, Windows Outlook silently crashed when they tried to launch it. Many Office 365 business users also found that the Outlook mail service launched only to immediately crash. Hours later, Microsoft admitted on Twitter there was a real problem.

ESB-2020.2381.2 – UPDATE [ALERT] SAP NetWeaver AS Java: Multiple Vulnerabilities

A critical vulnerability in SAP NetWeaver AS Java has been identified; applying the critical patches as soon as possible is recommended.

ASB-2020.0120 – [ALERT] Windows: Multiple vulnerabilities

Microsoft security update resolves the wormable vulnerability “SIGRed” in Windows servers acting as a DNS server.

ASB-2020.0121 – Extended Support Update products: Multiple vulnerabilities

Windows Server 2008 Extended Support Update (ESU) also gets a SIGRed patch.

ESB-2020.2417 – [ALERT] Cisco RV-series routers: Multiple vulnerabilities

Cisco update fixes a vulnerability in the web-based management interface of its RV-series routers, leading to unauthenticated root compromise of the device.

Stay safe, stay patched and have a good weekend!