Archive for December, 2019

CVE-2019-19793

In Cyxtera AppGate SDP Client 4.1.x through 4.3.x before 4.3.2 on Windows, a local or remote user from the same domain can gain privileges.
Source: NIST

CVE-2019-17123

The eGain Web Email API 11+ allows spoofed messages because the fromName and message fields (to /system/ws/v11/ss/email) are mishandled, as demonstrated by fromName header injection with a %0a or %0d character. (Also, the message parameter can have initial HTML comment characters.)
Source: NIST
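The header-injection pattern this advisory describes, shown as an added example in Python (not eGain's code): the naive builder splices the caller-supplied fromName straight into a header line, so a %0a or %0d in the request, URL-decoded by the web layer, terminates the From line and whatever follows is read as a new header; the hardened builder refuses any CR or LF and lets email.utils.formataddr quote the display name. The addresses and the injected display names are constructed for the demo and are not from the advisory.

```python
import re
from email.utils import formataddr
from urllib.parse import unquote

# A raw CR or LF inside a header value ends that header line, so whatever
# follows it is parsed as a new header by the receiving mail server.
CRLF_RE = re.compile(r"[\r\n]")


def build_headers_naive(from_name: str, from_addr: str, to_addr: str) -> str:
    """Vulnerable builder: splices the caller-supplied display name in verbatim."""
    return f"From: {from_name} <{from_addr}>\r\nTo: {to_addr}\r\n"


def build_headers_safe(from_name: str, from_addr: str, to_addr: str) -> str:
    """Hardened builder: refuse any line break, then quote the name properly."""
    for field, value in (("fromName", from_name), ("from", from_addr), ("to", to_addr)):
        if CRLF_RE.search(value):
            raise ValueError(f"{field} must not contain CR or LF")
    # formataddr() quotes characters that are special in an address header,
    # e.g. a comma or a '<' inside the display name.
    return f"From: {formataddr((from_name, from_addr))}\r\nTo: {to_addr}\r\n"


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a header block into (name, value) pairs the way a receiving MTA would."""
    pairs = []
    for line in re.split(r"[\r\n]+", raw):
        if not line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def header_names(encoded_from_name: str, sender: str, recipient: str) -> list[str]:
    """Header names an MTA sees when the naive builder gets a URL-encoded fromName.

    The web layer URL-decodes the parameter before the mail code sees it,
    which is how %0a / %0d become real line breaks.
    """
    raw = build_headers_naive(unquote(encoded_from_name), sender, recipient)
    return [name for name, _ in parse_headers(raw)]


# Constructed inputs for the demo (not from the advisory): a display name that
# smuggles a Bcc header via %0a, and the same trick via %0d.
SENDER = "noreply@example.invalid"
RECIPIENT = "victim@example.invalid"
INJECTED_LF = "Support%0aBcc:%20attacker@example.invalid"
INJECTED_CR = "Support%0dBcc:%20attacker@example.invalid"


def safe_rejects(encoded_from_name: str) -> bool:
    """True if the hardened builder refuses the decoded fromName."""
    try:
        build_headers_safe(unquote(encoded_from_name), SENDER, RECIPIENT)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive:", header_names(INJECTED_LF, SENDER, RECIPIENT))  # ['from', 'bcc', 'to']
    print("safe rejects:", safe_rejects(INJECTED_LF), safe_rejects(INJECTED_CR))
    print(build_headers_safe("Support, Team", SENDER, RECIPIENT))
```

The check belongs on every caller-controlled header value, not just fromName; the same %0a would work in any field that is interpolated into a header line. If the message is built with the standard library's email.message.EmailMessage under its default policy, assigning a header value that contains a line break raises ValueError, which is the behaviour the hardened builder reproduces by hand.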

CVE-2019-19774

An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running “select hostdetails from hostdetails” at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential data stored in the database, and recover the MD5 hashes of the accounts used to authenticate the ManageEngine platform to the managed machines on the network (most often administrative accounts). Specifically, this bypasses these restrictions: a query cannot mention password, and a query result cannot have a password column.
Source: NIST

CVE-2019-19790

Path traversal in RadChart in Telerik UI for ASP.NET AJAX allows a remote attacker to read and delete an image with extension .BMP, .EXIF, .GIF, .ICON, .JPEG, .PNG, .TIFF, or .WMF on the server through a specially crafted request. NOTE: RadChart was discontinued in 2014 in favor of RadHtmlChart. All RadChart versions were affected. To avoid this vulnerability, you must remove RadChart’s HTTP handler from a web.config (its type is Telerik.Web.UI.ChartHttpHandler).
Source: NIST
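An added example (not Telerik's handler code) of the containment check an image handler like this one needs, in Python: the naive resolver applies only the extension allowlist from the advisory, so a request for ../../etc/passwd.png passes it and is returned unchanged; the hardened resolver canonicalises the joined path first and then requires the result to sit strictly below the image root, which also catches absolute paths and symlinks pointing outside it. The /srv/charts root and the request strings are assumptions made for the demo.

```python
from pathlib import Path

# Extension allowlist as listed in the advisory; on its own it does nothing
# to stop a request from walking out of the image directory.
ALLOWED_EXT = {".bmp", ".exif", ".gif", ".icon", ".jpeg", ".png", ".tiff", ".wmf"}


def resolve_image_naive(image_root: str, requested: str) -> Path:
    """Vulnerable resolver: checks the extension, then joins the request as-is."""
    candidate = Path(image_root) / requested
    if candidate.suffix.lower() not in ALLOWED_EXT:
        raise ValueError("disallowed extension")
    return candidate  # '../../etc/passwd.png' comes back with its '..' intact


def resolve_image_safe(image_root: str, requested: str) -> Path:
    """Hardened resolver: canonicalise first, then require containment."""
    root = Path(image_root).resolve()
    # resolve() collapses '..' segments and follows symlinks, so the check
    # below sees the real target rather than the string the client sent.
    candidate = (root / requested).resolve()
    if candidate.suffix.lower() not in ALLOWED_EXT:
        raise ValueError("disallowed extension")
    if root not in candidate.parents:
        # Covers '..' walks, absolute paths (which Path joining lets override
        # the root) and symlinks that point outside the root.
        raise ValueError("path escapes the image root")
    return candidate


def escapes_naively(image_root: str, requested: str) -> bool:
    """Does the naive resolver hand back a path that still contains '..'?"""
    try:
        return ".." in resolve_image_naive(image_root, requested).parts
    except ValueError:
        return False


def safe_rejects(image_root: str, requested: str) -> bool:
    """True if the hardened resolver refuses the request."""
    try:
        resolve_image_safe(image_root, requested)
    except ValueError:
        return True
    return False


def delete_image(image_root: str, requested: str) -> bool:
    """Delete side of the handler, routed through the same containment check."""
    target = resolve_image_safe(image_root, requested)
    if target.is_file():
        target.unlink()
        return True
    return False


# Assumed image root for the demo (not from the advisory).
IMAGE_ROOT = "/srv/charts"

if __name__ == "__main__":
    for req in ("temp/chart1.png", "../../etc/passwd.png", "/etc/hostname.png", "chart.exe"):
        print(f"{req!r}: naive escapes={escapes_naively(IMAGE_ROOT, req)} "
              f"safe rejects={safe_rejects(IMAGE_ROOT, req)}")
```

Both the read and the delete operation go through the same resolver; the advisory's point is that the handler can delete as well as read, so a check that only guards the read path leaves the more damaging operation open. Removing the handler registration from web.config, as the advisory recommends, is the complete fix for a component that is no longer maintained; the resolver above is the shape of check any replacement handler should carry.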

Airport Facial Recognition System Fooled

Facial recognition technology used to secure airports and process payments has been fooled by photographs and 3D masks.

According to Fortune, multiple facial recognition systems in several countries were tricked in a series of tests carried out by San Diego artificial intelligence company Kneron.

Researchers at Kneron were able to access a self-boarding terminal at Amsterdam’s Schiphol Airport by presenting a photo on a phone screen to the sensor in place of a live face. Using the same technique, the researchers managed to pay fares and board trains at several railway stations in China.

In stores in Asia, where use of facial recognition technology is widespread, the Kneron team were able to trick the payment systems AliPay and WeChat into allowing purchases to be made. All it took to assume someone’s identity and make payments as them was to put on a high-quality 3D mask.

The elaborate masks were obtained from expert mask-makers in Japan and are not commonly available, but the experiment still raises concerns over the reliability of this increasingly popular technology in preventing fraud.

Kneron’s CEO Albert Liu said that solutions are available to fix the weaknesses in facial recognition technology that his company’s tests were able to exploit, but companies are unwilling to pay for them.

“This shows the threat to the privacy of users with sub-par facial recognition that is masquerading as ‘AI’,” said Liu. “The technology is available to fix these issues, but firms have not upgraded it. They are taking shortcuts at the expense of security.”

Schiphol Airport, WeChat, and AliPay did not respond to Fortune’s requests for comment about the effectiveness of their facial recognition technology.

Even with the cleverly wrought 3D masks, Kneron’s researchers were not able to fool all the facial recognition systems they tested, and had to admit defeat against the technology used by Apple’s iPhone X.

Kneron conducted the experiments as part of the research and development process for a new type of facial recognition technology it is creating. With the financial backing of high-profile investors including Qualcomm and Sequoia Capital, Kneron is developing a product called Edge AI which will not rely on cloud-based services to function.

Source: Infosecurity

CVE-2019-19722

In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.
Source: NIST

'Motivating People Who Want the Struggle': Expert Advice on InfoSec Leadership

Industry veteran and former Intel security chief Malcolm Harkins pinpoints three essential elements for leaders to connect with their employees and drive business objectives.
Source: DarkReading

Louisiana College Struck by Ransomware Attack

Louisiana has suffered another ransomware attack just weeks after threat actors used ransomware to disrupt state IT infrastructure.

Cyber-criminals struck the beleaguered southern state for a second time on Wednesday, launching a ransomware attack against Baton Rouge Community College (BRCC). By luck, the incident occurred just two days ahead of students’ greatly anticipated commencement ceremonies, when the college’s 8,500 students were not on campus.

Servers at the college were shut down and the Louisiana State Police Cyber Crime Unit was called in to investigate the incident.

In a memo released to campus personnel, interim chancellor Willie Smith wrote: “The Louisiana State Police Cyber Crime Unit investigators responded immediately and collected evidence from the BRCC network, and have recently confirmed a cyber-intrusion and ransomware situation.

“Presently, the situation is being contained and representatives from the Office of Technology Services are assisting BRCC with network restoration efforts.”

Exactly how much money was demanded from the college has not been disclosed, but Smith wrote in his memo that the college had not paid it.

Smith said the college was “not aware of any data loss” that had occurred as a result of the attack, but several computers had been affected.

“The investigation remains ongoing at this time, and the IT Department will be sharing additional information regarding cybersecurity efforts and the restoration of individuals’ PCs,” wrote Smith.

BRCC spokesperson Kizzy Payton said on Wednesday that college graduation ceremonies scheduled to begin at 10am today in the college gymnasium would go ahead as planned.

“Nothing is impacting our commencement,” said Payton.

Baton Rouge Community College students are still able to access email accounts via a workaround. However, as a result of the incident, college staff are having to manually enter students’ grades from the last semester.

Enrollments for next term, most of which have fortunately already been completed, are to be processed manually until the computer network is back online.

Quintin Taylor, chief public affairs officer for the Louisiana Community and Technical College System (LCTCS), which oversees BRCC, said that no personal information relating to students, staff or faculty could have been affected by the attack, as such data is stored in a separate system operated by LCTCS.

Source: Infosecurity

Fortinet Buys CyberSponse for SOAR Capabilities

It plans to integrate CyberSponse’s SOAR platform into the Fortinet Security Fabric.
Source: DarkReading

CVE-2019-19785

ATasm 1.06 has a stack-based buffer overflow in the to_comma() function in asm.c via a crafted .m65 file.
Source: NIST