ESXi Remote Code Execution Vulnerability
  • Vulnerability
  • February 10, 2020

OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Cisco Prime Infrastructure and Evolved Programmable Network Manager Remote Code Execution Vulnerability
  • Advisory
  • February 10, 2020

The vulnerability exists because affected devices with the High Availability (HA) feature enabled do not properly perform input validation. An attacker could exploit this vulnerability by uploading a malicious file to either the HA active or standby device.

ngCERT Advisory on Scranos Malware
  • Advisory
  • February 10, 2020

The threat spreads via Trojanized applications disguised as cracked software, or applications posing as legitimate software such as e-book readers, video players, drivers, or even antivirus products. The password- and data-stealing operation is based around a rootkit driver digitally signed with a possibly stolen certificate, according to the security research, and is being continually tested and upgraded for maximum effectiveness. Scranos can perform a range of malicious tasks, including the following:
  • Extract cookies and steal login credentials from Google Chrome, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, and other browsers
  • Steal a user's payment accounts from Facebook, Amazon, and Airbnb
  • Send friend requests to other accounts from the user's Facebook account
  • Send phishing messages to the user's Facebook friends with malicious APKs to infect Android devices
  • Steal login credentials for the user's Steam account
  • Inject JavaScript adware in Internet Explorer
  • Install extensions for Chrome and Opera to inject JavaScript adware
  • Capture the user's browsing history
  • Silently display ads or muted YouTube videos to Chrome users, or even install Chrome if it is not already installed
  • Subscribe users to YouTube video channels
  • Download and execute any payload

Windows 10 Task Scheduler Zero-Day Vulnerability
  • Vulnerability
  • February 10, 2020

Task Scheduler is a set of Microsoft Windows components that allows for the execution of scheduled tasks. The front-end components of Task Scheduler, such as schtasks.exe, are interfaces that allow for users to view, create, and modify scheduled tasks. The back-end part of Task Scheduler is a Windows service that runs with SYSTEM privileges. One of the libraries used by the Task Scheduler service, schedsvc.dll, has a function called tsched::SetJobFileSecurityByName(), which sets permissions of job files. The permissions of the job file in the %Windir%\system32\tasks directory are modified to give the calling user full permissions to the job file that they have created. Public proof-of-concept exploit code leverages the legacy schtasks.exe and schedsvc.dll code from Windows XP to take advantage of these high privilege levels when setting file permissions. Versions of Windows prior to Vista used job files in the %Windir%\tasks directory. Legacy versions of schtasks.exe will cause these jobs to be migrated to the %Windir%\system32\tasks directory when those program versions are executed on modern Windows platforms. In conjunction with the SYSTEM security token used by the Task Scheduler service, this migration behavior can be used along with hard links to grant full permissions of protected files to any user on a Windows system.

Intel Chips Vulnerability
  • Vulnerability
  • February 10, 2020

The techniques can be used to get applications, the operating system, virtual machines and trusted execution environments to leak information, including passwords, website content, disk encryption keys and browser history. An attacker can perform an MDS-based attack from user space, with unprivileged instructions. As the leakage occurs from stale data latched in buffers in the pipeline, the only defence is to flush the buffers before moving to a less privileged context. For example, hackers can use the ZombieLoad attack, which is a subclass of RIDL, to obtain a user’s browsing history even if the victim surfs the web from a virtual machine or uses the Tor anonymity network.

Windows BlueKeep Vulnerability
  • Vulnerability
  • February 10, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this Activity Alert to provide information on a vulnerability, known as “BlueKeep,” that exists in the following Microsoft Windows OSs, including both 32- and 64-bit versions, as well as all Service Pack versions:
  • Windows 2000
  • Windows Vista
  • Windows XP
  • Windows 7
  • Windows Server 2003
  • Windows Server 2003 R2
  • Windows Server 2008
  • Windows Server 2008 R2

According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP enabled. After successfully sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs. This exploit, which requires no user interaction, must occur before authentication to be successful. BlueKeep is considered “wormable” because malware exploiting this vulnerability on a system could propagate to other vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017.