QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure Vulnerability” will be marked as a PCI Fail as of May 1, 2018 in accordance with its CVSS score.
In light of the recently released information about two security vulnerabilities, Qualys has considered the impact on the Qualys Cloud Platform and associated services. Qualys released a detailed advisory for customers of the Qualys Cloud Platform to help customers identify these vulnerabilities and to assist customers in their internal security assessment.
Below, please find information about how Qualys has performed its assessment and is taking steps to protect its environment and the Qualys Cloud Platform:
UPDATE 1/4/2018: Qualys has released several QIDs for detecting missing patches for these vulnerabilities.
UPDATE 1/5/2018: Pre-built AssetView dashboards to visualize impact and remediation progress.
Vulnerabilities potentially impacting all major processor vendors were disclosed today by Google Project Zero. These vulnerabilities have been named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715). Organizations should inventory their systems by processor type, apply vendor patches as they become available, and track their progress. This article describes how Qualys can help in all three areas.
Dark Reading is reporting on a new banking trojan called ‘Silence’ that mimics techniques similar to the Carbanak hacker group targeting banks and financial institutions. The attack vector is similar – target individuals using spear-phish emails to trick them into running a malicious attachment which will connect to download a dropper to further infect the user’s machine. This attack does not use an exploit against a vulnerability, but rather takes advantage of social engineering to fool the user into executing the malicious payload and infecting their machine.
Silence is interesting in that the trojan’s capabilities include a screen grabber that will take multiple screenshots of the user’s active monitor and upload the real-time stream to a command and control server for monitoring by the adversary. This technique allows the threat actor to identify which users have access to specific banking applications, systems, and accounts that they can use for financial gain.
(updated: 10/26/2017 with additional file hashes and mitigations)
A new ransomware campaign has affected at least three Russian media companies in a fast-spreading malware attack. Fontanka and Interfax are among the companies affected by the Bad Rabbit ransomware named by the researchers who first discovered it. The malware is delivered as fake Flash installer, it uses the SMB protocol to check hardcoded credentials. Bad Rabbit does not employ any exploits to gain execution or elevation of privilege. The Ukrainian computer emergency agency CERT-UA has issued an alert incident and mentioned that Odessa airport and Kiev subway were also affected. It is unsure whether this alert is regarding Bad Rabbit, but they suspect that it may be the start of a new wave of cyberattacks.
On Tuesday, a variant of the ransomware “Petya” began propagating in several countries across Europe. This new variant leverages the EternalBlue exploit used in WannaCry, and also takes advantage of misconfigured permissions to spread throughout the network.
EternalBlue is a leaked exploit developed by the NSA that leverages the vulnerability patched in MS17-010. All unpatched versions of Windows are vulnerable to EternalBlue, excluding recent versions of Windows 10. Microsoft has also chosen to release patches for some end-of-support versions of Windows.
What is the Stack Clash?
The Stack Clash is a vulnerability in the memory management of several operating systems. It affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64. It can be exploited by attackers to corrupt memory and execute arbitrary code.
Qualys researchers discovered this vulnerability and developed seven exploits and seven proofs of concept for this weakness, then worked closely with vendors to develop patches. As a result we are releasing this advisory today as a coordinated effort, and patches for all distributions are available June 19, 2017. We strongly recommend that users place a high priority on patching these vulnerabilities immediately.
The Joomla community recently patched a SQL injection vulnerability introduced in Joomla 3.7.0. The article reporting this vulnerability explains how to identify the vulnerability (which was discovered via static code analysis) and how to craft an attack, e.g.
After reviewing the description of the vulnerability, I wondered whether an automated web application scanner, known as a DAST (Dynamic Application Security Testing) tool, could identify an instance of this vulnerability without digging into the source code.
On Wednesday, the Samba Team patched a vulnerability that exists in all versions of Samba including and after version 3.5.0. Exploitation of this vulnerability could result in remote code execution on the affected host.
Samba is used to provide SMB and CIFS services for Linux systems, and is pervasive in both enterprise and consumer products. While the Samba Team is providing patches for the latest versions (4.4.x and higher), some Linux vendors, such as RedHat and Ubuntu, are providing patches for older versions of Samba if they are used in a supported version of the OS. The Samba Team may also release patches for older versions of Samba.
To assess infections from WannaCry ransomware and threat exposure from the Shadow Brokers vulnerabilities across an entire IT environment, it’s helpful to visualize your exposure via dynamic dashboards.
Using Qualys AssetView and ThreatPROTECT, I created a single-pane incident response dashboard containing six key data points that provide a complete picture to assess both infection of WannaCry and threat exposure from the Shadow Brokers vulnerabilities. With the data from this dashboard, you can take immediate action against WannaCry. Each dashboard element automatically collects trend data that allows customers to track their remediation efforts over time.
See Visualizing WannaCry and Shadow Brokers: How to Configure Dashboards in AssetView for the details of the dashboard, including how to create dashboards in Qualys AssetView and specifically how I built the dashboard for WannaCry and Shadow Brokers.