NetSarang Multiple Products Backdoor Vulnerability (ShadowPad)

Vulnerability category: Local

Severity:

Vulnerability details

NetSarang Computer, Inc. develops, markets and supports secure connectivity solutions in the global market. The company develops a family of PC X server and SSH client software for PC-to-Unix and PC-to-Linux connectivity, and is expanding its TCP/IP network technologies to other Internet businesses.

NetSarang's update mechanism was recently hijacked and a backdoor was silently inserted into a software update, so that the malicious code was delivered to all of its clients signed with NetSarang's legitimate code-signing certificate.

Affected Version:
Xmanager Enterprise 5 Build 1232
Xmanager 5 Build 1045
Xshell 5 Build 1322
Xftp 5 Build 1218
Xlpd 5 Build 1220

Detection Logic:
This QID checks the affected product's build version in the registry and in its associated executable.

Impact

An unauthenticated, remote attacker could exploit compromised targets.

Solution

Customers are advised to download the latest packages from NetSarang Product Downloads.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Downloads

0daybank

2017-08-16 10:45:05 Mamba Ransomware Detected (Pre-Reboot)

Vulnerability category: Backdoors and trojan horses

Severity:

Vulnerability details

Mamba is ransomware which, after infection, overwrites the existing Master Boot Record of a Windows installation with a custom MBR and encrypts the hard drive using DiskCryptor, an open-source full disk encryption utility. It is unclear whether the malware contains a propagation mechanism. However, it appears that a malware group first gains access to an organization's network and then uses the psexec utility to execute the ransomware across the network.

QID Detection Logic:
This authenticated detection works by checking for the presence of a few files such as %SYSTEMDRIVE%\DC22\dcinst.exe, %SYSTEMDRIVE%\DC22\log_file.txt, %SYSTEMDRIVE%\xampp\http\dcinst.exe, %SYSTEMDRIVE%\xampp\http\log_file.txt that are found on an infected pre-reboot system.
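As an added example (not part of the original advisory and not the scanner's own check), the following PowerShell script reproduces the pre-reboot file check described above on the local host: it expands %SYSTEMDRIVE%, tests the four paths named in the advisory, and records size, timestamp and SHA-256 of each hit for the incident record. The non-zero exit code for a hit is an assumption, chosen so that a fleet-wide run can flag affected hosts.

```powershell
# Added example: pre-reboot Mamba indicator check for the local Windows host.
# The paths are the ones named in the advisory; %SYSTEMDRIVE% is expanded at run time.
$indicators = @(
    '%SYSTEMDRIVE%\DC22\dcinst.exe',
    '%SYSTEMDRIVE%\DC22\log_file.txt',
    '%SYSTEMDRIVE%\xampp\http\dcinst.exe',
    '%SYSTEMDRIVE%\xampp\http\log_file.txt'
)

$hits = foreach ($indicator in $indicators) {
    $path = [Environment]::ExpandEnvironmentVariables($indicator)
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path
        [pscustomobject]@{
            Path     = $path
            Size     = $item.Length
            Modified = $item.LastWriteTimeUtc
            # SHA-256 of the file, kept for the incident record and later IoC matching
            Sha256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

if ($hits) {
    Write-Warning "Mamba pre-reboot indicators present on $env:COMPUTERNAME; do not reboot, isolate the host and start incident response."
    $hits | Format-Table -AutoSize
    exit 2   # assumption: non-zero exit so an orchestrated run across many hosts can flag this one
} else {
    Write-Output "No Mamba pre-reboot indicators found on $env:COMPUTERNAME."
    exit 0
}
```

Run it with administrative rights so that the paths under the system drive are readable; absence of these files does not clear a host that has already been rebooted.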

Impact

Systems infected by this ransomware have their files encrypted and rendered unusable until the victim pays a price to an anonymous party.

Solution

To protect your systems:
– Use the Windows AppLocker feature to disable the execution of PSExec.exe.
– Disable WMI
– Disable SMBv1
– Make sure systems are running up to date anti-malware.
– Block ADMIN$ access via GPO.
– Maintain good back-ups so that if an infection occurs, you can restore your data.

Cleaning up Infected systems:
– Contact your Anti-Malware vendor to remove the infection.

Fedora Security Update for knot-resolver (FEDORA-2017-b9433ad88e)

Vulnerability category: Fedora

Severity:

Vulnerability details

Fedora has released a security update for knot-resolver to fix the vulnerability.

Affected OS:
Fedora 25

Impact

Successful exploitation allows an attacker to compromise the system.

Solution

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-b9433ad88e: Fedora 25

Fedora Security Update for php-horde-Horde-Core (FEDORA-2017-b812362f61)

Vulnerability category: Fedora

Severity:

Vulnerability details

Fedora has released a security update for php-horde-horde-core to fix the vulnerability.

Affected OS:
Fedora 25

Impact

Successful exploitation allows an attacker to compromise the system.

Solution

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-b812362f61: Fedora 25

Fedora Security Update for php-horde-Horde-Form (FEDORA-2017-26f9e09c8a)

Vulnerability category: Fedora

Severity:

Vulnerability details

Fedora has released a security update for php-horde-horde-form to fix the vulnerability.

Affected OS:
Fedora 25

Impact

Successful exploitation allows an attacker to compromise the system.

Solution

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-26f9e09c8a: Fedora 25

Fedora Security Update for php-horde-turba (FEDORA-2017-449b22158f)

Vulnerability category: Fedora

Severity:

Vulnerability details

Fedora has released a security update for php-horde-turba to fix the vulnerability.

Affected OS:
Fedora 25

Impact

Successful exploitation allows an attacker to compromise the system.

Solution

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-449b22158f: Fedora 25

Amazon Linux Security Advisory for aws-cfn-bootstrap: ALAS-2017-866

Vulnerability category: Amazon Linux

Severity:

Vulnerability details

A vulnerability was reported in the CloudFormation bootstrap tools, different from the one in CVE-2017-9450, where the default behavior in the handling of cfn-init metadata can provide escalated privileges to an attacker with local access to the system.

QID Detection Logic:
This authenticated QID verifies whether the version of the following package is lower than 1.4-20.12.amzn1: aws-cfn-bootstrap

Impact

Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.

Solution

Please refer to Amazon advisory ALAS-2017-866 for affected packages and patching details, or update with your package manager.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ALAS-2017-866: Amazon Linux

Fedora Security Update for seamonkey (FEDORA-2017-cd5d8cac23)

Vulnerability category: Fedora

Severity:

Vulnerability details

Fedora has released a security update for seamonkey to fix the vulnerability.

Affected OS:
Fedora 25

Impact

Successful exploitation allows an attacker to compromise the system.

Solution

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-cd5d8cac23: Fedora 25

Serviio Media Server Multiple Security Vulnerabilities

Vulnerability category: Web server

Severity:

Vulnerability details

Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network.

The vulnerabilities found in Serviio Media Server are:
– Remote Code Execution
– Local Privilege Escalation
– Unauthenticated Password Modification
– Information Disclosure
– DOM-Based Cross-Site Scripting (XSS)

Affected versions:
Serviio Media Server 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1.

QID Detection Logic (Unauthenticated):
This QID sends a crafted HTTP GET request to the target and matches directory information in the response.

Impact

Successful exploitation could allow an attacker to compromise the targeted system.

Solution

The vendor has not confirmed the vulnerabilities and no patch has been released to specifically fix them; however, a newer version of the software is available for download.

GitHub Enterprise Management Console Remote Code Execution

Vulnerability category: General remote services

Severity:

Vulnerability details

GitHub is a web-based Git version-control repository and Internet hosting service.
A bug resulted in a static value being used as the Ruby on Rails session secret for GitHub Enterprise's management console.

Impact

A static session secret could allow an attacker to sign arbitrary session cookies and exploitation could result in remote code execution on the server.

Solution

This issue has been fixed in GitHub Enterprise 2.8.7 and later versions.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

GitHub: GitHub (GitHub Enterprise management console)