Please see Security Advisories for the week ending June 12, 2020
- WordPress Security Update
- IC3 Releases Alert on Mobile Banking Apps
- VMware Horizon Client for Windows Security Update
- Adobe Security Updates for Flash Player, Experience Manager, and FrameMaker
- Microsoft June 2020 Security Updates
- CallStranger Vulnerability in Universal Plug and Play Protocol
________________________________
Situation
The WordPress Foundation has discovered and patched several security vulnerabilities in WordPress.
Problem
The WordPress Foundation has identified numerous security vulnerabilities in previous versions of WordPress. These vulnerabilities allowed an attacker to use cross-site scripting (XSS) to gain elevated rights and take control of affected systems.
Implication
Failure to apply the latest patch could result in loss of control of affected systems and possible compromise of system and network integrity.
Need
The WordPress Foundation advises updating to the newest release, WordPress 5.4.2.
For a brief overview:
For a more technical overview:
https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release
________________________________
IC3 Releases Alert on Mobile Banking Apps
Situation
IC3 and CISA are alerting that, as mobile banking grows, more malicious actors will begin using fake banking apps and attacking mobile platforms with trojan software to steal banking information and personal data. IC3 and CISA have released tips to keep your information and your mobile devices more secure.
Problem
With more people using mobile banking and keeping all their information on their mobile devices, cyber criminals are beginning to target mobile devices for information and access into people's accounts and lives.
Implication
People who have not been trained in what to look for and in safe practices on their phones may be susceptible to these types of attacks.
Need
IC3.gov and us-cert.gov have released full reports on do's and don'ts for mobile security and recommend reading them for detailed information on protecting yourself and your mobile data.
For a brief overview:
https://www.us-cert.gov/ncas/tips/st19-003
For a more technical overview:
https://www.ic3.gov/media/2020/200610.aspx
________________________________
VMware Horizon Client for Windows Security Update
Situation
VMware has issued an advisory for a recently patched privilege escalation vulnerability affecting VMware Horizon Client for Windows.
Problem
The vulnerability (CVE-2020-3961) in VMware Horizon Client for Windows is due to folder permission configuration and unsafe loading of libraries, which can lead to privilege escalation.
Implication
If a local user on the system where the software is installed is able to successfully exploit this vulnerability, they could run commands as any user.
Need
VMware recommends updating VMware Horizon Client for Windows to version 5.4.3 or newer to protect against this vulnerability.
________________________________
Adobe Security Updates for Flash Player, Experience Manager, and FrameMaker
Situation
Adobe has released security updates for Flash Player, Experience Manager, and FrameMaker that address Important and Critical vulnerabilities.
Problem
Adobe products are widely used and frequently have vulnerabilities. Patching as soon as possible is recommended to prevent privilege escalation.
Implication
Flash Player: An arbitrary code execution vulnerability affecting the Desktop Runtime and the plugins for Google Chrome, Microsoft Edge, and Internet Explorer 11 has been fixed.
Experience Manager: Server-side request forgery and cross-site scripting vulnerabilities in version 6.5 and earlier have been fixed.
FrameMaker: Memory corruption and out-of-bounds write vulnerabilities in Windows version 2019.0.5 and below have been fixed.
Need
Adobe recommends updating the software as soon as possible. See below for more information and instructions on how to update.
Flash Player: https://helpx.adobe.com/security/products/flash-player/apsb20-30.html
Experience Manager: https://helpx.adobe.com/security/products/experience-manager/apsb20-31.html
FrameMaker: https://helpx.adobe.com/security/products/framemaker/apsb20-32.html
________________________________
Microsoft June 2020 Security Updates
Situation
Microsoft has released patches for 129 vulnerabilities in Microsoft software as part of its June 2020 security updates. The affected software is listed below:
- Microsoft Windows
- Microsoft Edge (EdgeHTML-based)
- Microsoft Edge (Chromium-based) in IE Mode
- Microsoft ChakraCore
- Internet Explorer
- Microsoft Office and Microsoft Office Services and Web Apps
- Windows Defender
- Microsoft Dynamics
- Visual Studio
- Azure DevOps
- HoloLens
- Adobe Flash Player
- Microsoft Apps for Android
- Windows App Store
- System Center
Problem
Of these 129 patches, 11 are rated critical, all addressing vulnerabilities that lead to remote code execution. The other 118 are rated important in severity; most of these lead to privilege escalation and spoofing attacks, and one of them affects the Microsoft Word Android app.
Implication
If an attacker is able to successfully exploit some of the more severe vulnerabilities, they could take control of the affected system.
Need
Microsoft recommends that administrators and users apply the latest security patches as soon as possible to prevent these vulnerabilities from being exploited. Please check the update status in Microsoft Windows settings and Microsoft applications, and apply the latest patch. Additional information on these vulnerabilities can be found in the links below.
Additional information
https://support.microsoft.com/en-us/help/20200609/security-update-deployment-information-june-9-2020
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jun
________________________________
CallStranger Vulnerability in Universal Plug and Play Protocol
Situation
The US CERT Coordination Center has issued a security advisory for a vulnerability affecting versions of the Universal Plug and Play (UPnP) protocol specification prior to April 17, 2020. The vulnerability, also known as CallStranger, can be abused to send traffic to arbitrary destinations using the SUBSCRIBE functionality.
Problem
The CallStranger vulnerability (CVE-2020-12695) is caused by the handling of the Callback header value in the UPnP SUBSCRIBE function. It can permit an attacker to send large amounts of data to arbitrary destinations accessible over the Internet, which could lead to a Distributed Denial of Service (DDoS), data exfiltration, and other unexpected network behavior.
Implication
If an attacker is able to successfully exploit this vulnerability, they could bypass DLP and network security devices to exfiltrate data, scan internal ports from Internet-facing UPnP devices, or even cause your network to participate in a DDoS attack.
Need
Administrators and users are advised to monitor vendor support channels for updates that implement the new UPnP specification, then apply these updates as they become available. As a workaround, if the UPnP protocol is not required by the administrator or user, it should be disabled. Additional information can be found in the links below.
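As an added illustration (not part of the original advisory or of any vendor's code), the following Python check models the rule the updated UPnP specification introduces: a SUBSCRIBE request is accepted only when every Callback URL points inside the device's own network segment. The sample request and the 192.168.1.0/24 network are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a UPnP SUBSCRIBE request whose CALLBACK header
# points to a host outside the local network, the pattern CallStranger abuses.
SAMPLE_REQUEST = (
    "SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://203.0.113.10:80/>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)


def parse_callbacks(request):
    """Return every URL listed in the CALLBACK header (each is <url>-delimited)."""
    for line in request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().upper() == "CALLBACK":
            return re.findall(r"<([^>]+)>", value)
    return []


def callback_is_local(url, local_net):
    """True only if the callback host is an IP literal inside local_net."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host) in local_net
    except ValueError:
        # A hostname cannot be verified without DNS, so treat it as off-network.
        return False


def check_subscribe(request, local_net):
    """Accept a SUBSCRIBE request only when all callbacks stay on local_net."""
    net = ipaddress.ip_network(local_net)
    callbacks = parse_callbacks(request)
    if not callbacks:
        return False, "no CALLBACK header"
    bad = [u for u in callbacks if not callback_is_local(u, net)]
    if bad:
        return False, "off-network callback(s): " + ", ".join(bad)
    return True, "ok"
```

Feeding the same logic with the device's real interface network gives a quick way to audit captured SUBSCRIBE traffic while waiting for a vendor firmware update.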
Additional information