TippingPoint Threat Intelligence and Zero-Day Coverage – Week of September 25, 2017

Credit to Author: Elisa Lippincott (TippingPoint Global Product Marketing)| Date: Fri, 29 Sep 2017 18:24:40 +0000

A couple of years back, I remember working at a tradeshow booth and giving a demo to someone who was interested in our solution. He said, “Your solution is great, but I need something that will not let anyone from the outside in my network and I need something that will not let my employees do anything on the Internet.” I asked, “You don’t want your employees doing anything on the Web?” He replied, “Correct. If they want to do something on the Web, they can do it on their own time and on their own systems.” Hmmm. My tongue-in-cheek response? “Turn off your Internet connection.” I get it…no one wants to have to deal with cyber-attacks, especially in light of recent breaches like Equifax and Sonic Drive-In, and no one wants to deal with zero-day attacks either. Speaking of zero-days…

Earlier this week, the Zero Day Initiative (ZDI) published a zero-day advisory for a bug in the EMC Data Protection Advisor. The team follows specific guidelines on this, so when the time comes where they have to publish an advisory, it’s a big deal. While some of the bugs were addressed through security patches, one bug was not patched because EMC described the issue as “by design.” The bug makes it possible to specify arbitrary executables and even remote storage locations. Although the vulnerability is quite straightforward, exploitation is not as trivial. The endpoint is only reachable by authenticated users, which can be a little interesting since every installation comes with multiple free backdoor accounts: DPA Metrics User, Agent Registration User, and Donald Duck. Yes, I said Donald Duck, the Disney cartoon character – who also happens to have Administrator privileges! Additional steps are needed for full exploitation, which the researcher has provided. This selection of bugs discovered by the researcher has demonstrated how attackers can combine multiple non-RCE vulnerabilities in a target to eventually achieve total system compromise. You can read the details of the EMC zero-day and watch a video on how the exploit chain can be used on the ZDI blog.

Zero-Day Filters

There are seven new zero-day filters covering two vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website. You can also follow the Zero Day Initiative on Twitter @thezdi and on their blog.

Adobe (6)

  • 29634: ZDI-CAN-5035: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29635: ZDI-CAN-5036: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29636: ZDI-CAN-5037: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29637: ZDI-CAN-5038: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29638: ZDI-CAN-5039: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29639: ZDI-CAN-5040: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)

Cisco (1)

  • 29640: ZDI-CAN-5041: Zero Day Initiative Vulnerability (Cisco Webex)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

http://feeds.trendmicro.com/TrendMicroSimplySecurity