HIGHLIGHT
Netgear File Upload Zero Day
What does it do?
With this vulnerability, a written class in the Netgear ProSAFE Network Management System fails to validate a user-supplied path, allowing for code execution in the product.
Potential Impact
With the ability to arbitrarily execute code along a supplied path, attackers may have free reign over the product - from gaining access to data as the SYSTEM to modifying operation.
Remediation
Netgear have released a security update as of March 26th.
More Information:
HIGHLIGHT
Cisco IOS XE Boundary Checks
What does it do?
On some Cisco Catalyst 4500 and 4500-X series switches, a lack of boundary checks on Easy VSS protocol packets allows for a crafted buffer overflow from an attacker. Once this overflow is triggered, the attacker may gain admin access to the underlying Linux operating system or the ability to perform a denial of service.
Potential Impact
Complete loss of access through denial of service, possible total breach of confidentiality and data integrity.
Remediation
No workarounds or patches are available, but some mitigations have been suggested, such as disabling Discovery Protocol.
More Information:
HIGHLIGHT
Snapdragon Buffer Overflow
What does it do?
This vulnerability copies the data within a RTT/TTY packet without verifying the size of the destination buffer, causing a possible buffer overflow. This can then be used to perform an out-of-bound write of data.
Potential Impact
Out-of-bound writes can cause crashes, unexpected behavior, or even code execution. This can result in the complete disruption of the CIA triad.
Remediation
Qualcomm has addressed this and several other vulnerabilities in their March 2021 patch.
More Information:
Additional Threats
CVE-2021-21982
VMware Carbon Black Cloud Workload appliance 1.0.0 and 1.01 has an authentication bypass vulnerability that may allow a malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance to obtain a valid authentication token. Successful exploitation of this issue would result in the attacker being able to view and alter administrative configuration settings.
More InfoCVE-2021-29066
Certain NETGEAR devices are affected by authentication bypass. This affects RBK852 before 3.2.17.12, RBK853 before 3.2.17.12, RBK854 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12.
More InfoCVE-2021-1818
A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause unexpected application termination or arbitrary code execution.
More InfoDescription |
||
CVE-2021-21982 |
VMware Carbon Black Cloud Workload appliance 1.0.0 and 1.01 has an authentication bypass vulnerability that may allow a malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance to obtain a valid authentication token. Successful exploitation of this issue would result in the attacker being able to view and alter administrative configuration settings. |
More Info |
CVE-2021-29066 |
Certain NETGEAR devices are affected by authentication bypass. This affects RBK852 before 3.2.17.12, RBK853 before 3.2.17.12, RBK854 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12. |
More Info |
CVE-2021-1818 |
A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause unexpected application termination or arbitrary code execution. |
More Info |
Customer Use Case
Automatic Rule Pushing
Summary
There is something to be said of being able to make updates on the fly. In the case of irritating IPs and abnormal host activity on a fast-paced network, rules must be pushed to firewalls quickly and effectively to avoid more noise for analysts. This often involves making sure that either all analysts or all in a certain group have access to every security appliance, then allowing them to add rules manually as needed.
Automated Solution
Instead of a manual and individual addition of every firewall rule, rules are automatically pushed to the security appliance after the detection of certain activities in connection to an IP. When a case is created that is a verified network scanner or has been verified as a malicious IP, this may be triggered, or an analyst can run the command to automatically input data into a new rule.
Benefits to This Approach
- Fast rule push for high-throughput environments
- No need for special permissions to devices - all is done through a single agent
- Both a preventative and proactive approach to rule-building
A Fake Cybersecurity Firm Built to Target Security Researchers
A North Korean campaign created accounts for fake security firm SecuriElite, aiming to bait users into accessing a malicious website. All of the accounts created have since been suspended and was initially flagged in January of 2021.
Gaming mods, cheat engines are spreading Trojan malware and planting backdoors
Remote access trojans are being distributed en-masse in the form of gaming cheat engines, say researchers with Cisco Talos. Initially spread through malvertising in the form of YouTube videos or website advertisements, malware developers are making more efforts to avoid detection, even going so far as to check their created code against VirusTotal and similar services.
CISA Releases Tool to Review M365 Post-Compromise Activity
The new tool, nicknamed Aviary, is a Splunk-based dashboard that assists researchers in hunting down activity from the SolarWinds supply-chain attack. It allows for the review of Powershell mailbox sign-ins to verify the legitimacy of activities.
Facebook Data Leak: No Notifications, Attributed to Web Scraping
The 500m+ users that were affected by the Facebook data leaking incident will not be receiving notification of their involvement, nor will Facebook be attributing this incident to a hack. Instead, Facebook has attributed this incident to web scraping based on user phone numbers connected to accounts, with the company claiming to have insufficient visibility into the exact accounts affected in order to send notifications.
Ransomware gang urges victims’ customers to demand a ransom payment
In an unusual new method of coercing a ransom from victims, the Clop ransomware gang is emailing the customers, partners, and employees of affected companies in an attempt to pressure them into payment. The emails put special focus on customer information privacy.
Recommended Sources
PODCASTS
(New to Podcasts? Recommended players are Spotify and PocketCasts)
Cyberwire Daily Podcast ThreatPost Daily Podcast Smashing Security (Weekly) Hacking Humans by Cyberwire (Weekly, social engineering) Hak5 Podcast (Weekly) The Social Engineer Podcast (Monthly) The Shared Security Podcast (Weekly)LET'S GET STARTED
I would like to