SysAdmin 24x7
Computer security news and alerts. Chat and contact: t.me/sysadmin24x7chat
Hewlett Packard Enterprise Plugs Critical Bug in Edge Platform Tool
Researchers warned that unpatched versions of HPE’s Edgeline Infrastructure Manager are open to remote authentication-bypass attacks.
https://threatpost.com/hewlett-packard-critical-bug-edge/165797/
Expert released PoC exploit for Microsoft Exchange flaw
Security researcher released technical details and a PoC code for a high-severity vulnerability in Microsoft Exchange Server reported by the NSA.
https://securityaffairs.co/wordpress/117493/hacking/microsoft-exchange.html
PHP package manager flaw left millions of web apps open to abuse.
https://portswigger.net/daily-swig/php-package-manager-flaw-left-millions-of-web-apps-open-to-abuse
Pulse Secure fixes VPN zero-day used to hack high-value targets.
https://www.bleepingcomputer.com/news/security/pulse-secure-fixes-vpn-zero-day-used-to-hack-high-value-targets/
Authentication bypass in NETGEAR R7000 router
Publication date: 03/05/2021
Severity: 5 - Critical
Affected resources:
NETGEAR R7000 router.
Description:
SSD Secure Disclosure, a community of vulnerability researchers and disclosers, has detected a critical authentication bypass vulnerability affecting the NETGEAR R7000 router.
Solution:
NETGEAR plans to release a firmware update soon that fixes this vulnerability for the affected product. Until then, the vendor recommends disabling remote management and keeping Wi-Fi security enabled.
Details:
An authentication bypass vulnerability in the R7000 router could be used to gain access to the device's configuration, which could lead to further exploits. Exploiting this vulnerability requires one of the following conditions: that Remote Management is enabled, or that an attacker connects a device to the R7000 router's local network. The identifier CVE-2021-31802 has been assigned to this vulnerability.
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/omision-autenticacion-router-r7000-netgear
[Update 03/05/2021] Remote code execution in Pulse Connect Secure
Publication date: 21/04/2021
Severity: 5 - Critical
Affected resources:
Pulse Connect Secure, version 9.0R3 and later.
Description:
A vulnerability has been discovered in Pulse Connect Secure (PCS) that could allow an unauthenticated attacker to remotely execute arbitrary files on the Pulse Connect Secure gateway. This vulnerability poses a significant risk and is being actively exploited.
Solution:
Update to Pulse Connect Secure, version 9.1R.11.4, when it becomes available.
In the meantime, Pulse Secure recommends importing the Workaround-2104.xml file to disable the two affected feature sets on existing PCS instances: Windows File Share Browser and Pulse Secure Collaboration.
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/ejecucion-remota-codigo-pulse-connect-secure
Toxic Eye Malware is Utilizing Telegram
https://www.ehackingnews.com/2021/05/toxic-eye-malware-is-utilizing-telegram.html
PHP community sidesteps its third supply chain attack in three years.
https://nakedsecurity.sophos.com/2021/04/30/php-community-sidesteps-its-third-supply-chain-attack-in-three-years/
Python also impacted by critical IP address validation vulnerability.
https://www.bleepingcomputer.com/news/security/python-also-impacted-by-critical-ip-address-validation-vulnerability/
Purple Lambert, a new malware of CIA-linked Lambert APT group.
https://securityaffairs.co/wordpress/117340/apt/purple-lambert-cia-arsenal.html
ISC Releases Security Advisory for BIND
https://us-cert.cisa.gov/ncas/current-activity/2021/04/29/isc-releases-security-advisory-bind
Microsoft warns of BadAlloc flaws in OT, IoT devices
Microsoft researchers are warning of major security vulnerabilities affecting OT and IoT devices and high-risks for businesses using them.
https://securityaffairs.co/wordpress/117372/iot/badalloc-vulnerabilities-ot-iot.html
DigitalOcean admits data breach exposed customers’ billing details
https://hotforsecurity.bitdefender.com/blog/digitalocean-admits-data-breach-exposed-customers-billing-details-25754.html
Authentication bypass in HPE Edgeline Infrastructure Manager
Publication date: 30/04/2021
Severity: 5 - Critical
Affected resources:
HPE Edgeline Infrastructure Manager, versions prior to 1.22.
Description:
Tenable Research has notified HPE of a critical, remotely exploitable authentication bypass vulnerability affecting its Edgeline Infrastructure Manager product.
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/omision-autenticacion-hpe-edgeline-infrastructure-manager
Cisco Releases Security Updates for Multiple Products
Original release date: April 29, 2021
https://us-cert.cisa.gov/ncas/current-activity/2021/04/29/cisco-releases-security-updates-multiple-products
F5 Big-IP Vulnerable to Security-Bypass Bug
The KDC-spoofing flaw tracked as CVE-2021-23008 can be used to bypass Kerberos security and sign into the Big-IP Access Policy Manager or admin console.
https://threatpost.com/f5-big-ip-security-bypass/165735/
Command injection flaw in PHP Composer allowed supply-chain attacks
A vulnerability in the PHP Composer could have allowed an attacker to execute arbitrary commands and backdoor every PHP package.
https://securityaffairs.co/wordpress/117366/security/php-composer-flaw.html
Linux kernel vulnerability exposes stack memory, causes data leaks
The bug could also be used as a conduit for more severe attacks
https://www.zdnet.com/article/linux-kernel-vulnerability-exposes-stack-memory/
SAML Authentication - Moderately critical - Access bypass - SA-CONTRIB-2021-006
Project: SAML Authentication
Date: 2021-April-28
Security risk:
Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:
The SAML Authentication module allows users to authenticate against a SAML identity provider to login to your Drupal site.
The module doesn't sufficiently protect against unauthorized local access, by way of using the 'password reset' facility, for users who are supposed to only be able to log in through the identity provider. This creates a scenario where after such a user is blocked from logging in through the identity provider but not explicitly blocked in Drupal, they are still able to log in by sending themselves a Drupal 'password reset' e-mail.
Solution:
Install the latest version:
for all versions of Drupal 8/9, upgrade to samlauth 8.x-3.1.
for Drupal 7, upgrade to samlauth 7.x-1.1.
https://www.drupal.org/sa-contrib-2021-006
