Microsoft Releases December 2018 Security Updates

US-CERT All NCAS Products - Tue, 12/11/2018 - 22:11
Original release date: December 11, 2018

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker could exploit some of these vulnerabilities to obtain access to sensitive information.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review Microsoft’s December 2018 Security Update Summary and Deployment Information and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.


Mozilla Releases Security Updates for Firefox

US-CERT All NCAS Products - Tue, 12/11/2018 - 17:13
Original release date: December 11, 2018

Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the Mozilla Security Advisories for Firefox 64 and Firefox ESR 60.4 and apply the necessary updates.


Adobe Releases Security Updates

US-CERT All NCAS Products - Tue, 12/11/2018 - 17:10
Original release date: December 11, 2018

Adobe has released security updates to address vulnerabilities in Adobe Acrobat and Reader. An attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review Adobe Security Bulletin APSB18-41 and apply the necessary updates.


SB18-344: Vulnerability Summary for the Week of December 3, 2018

US-CERT All NCAS Products - Mon, 12/10/2018 - 12:09
Original release date: December 10, 2018

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
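As an added example (not part of the bulletin or of NVD tooling), the following Python code parses bulletin-style entries into records and applies the three severity bands above, routing entries whose score is still "not yet calculated" into the separate bucket the bulletin uses rather than mis-scoring them as Low. The tab-separated row layout and the field names are assumed for illustration; the sample rows are constructed from entries that appear in this bulletin.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# CVE identifiers: CVE-YYYY-NNNN with four or more digits in the sequence part.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Entry:
    vendor_product: str
    description: str
    published: str
    cvss: Optional[float]   # None when the bulletin says "not yet calculated"
    cve: str
    sources: List[str]      # e.g. ["MISC", "CONFIRM"]


def severity(cvss: Optional[float]) -> str:
    """Bucket a CVSS base score using the bulletin's own thresholds.

    High 7.0-10.0, Medium 4.0-6.9, Low 0.0-3.9; a missing score is reported
    separately instead of being silently treated as 0.0 (i.e. Low).
    """
    if cvss is None:
        return "Not Yet Assigned"
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def parse_entry(line: str) -> Entry:
    """Parse one assumed tab-separated row:
    vendor -- product, description, published, score, CVE id, comma-separated sources.
    """
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    vendor_product, description, published, score, cve, sources = fields
    if not CVE_RE.fullmatch(cve.strip()):
        raise ValueError(f"bad CVE identifier: {cve!r}")
    score = score.strip().lower()
    cvss = None if score == "not yet calculated" else float(score)
    return Entry(vendor_product, description, published, cvss, cve.strip(),
                 [s.strip() for s in sources.split(",") if s.strip()])


def bucket(lines: List[str]) -> Dict[str, List[Entry]]:
    """Group rows into the four sections the bulletin prints."""
    buckets: Dict[str, List[Entry]] = {
        "High": [], "Medium": [], "Low": [], "Not Yet Assigned": []}
    for line in lines:
        if not line.strip():
            continue
        entry = parse_entry(line)
        buckets[severity(entry.cvss)].append(entry)
    return buckets


# Constructed sample rows (tab-separated), built from entries in this bulletin.
SAMPLE = [
    "metinfo -- metinfo\tMetinfo 6.1.3 has reflected XSS via the admin/column/move.php "
    "lang_columnerr4 parameter.\t2018-12-03\t4.3\tCVE-2018-19835\tMISC",
    "amazon_web_services -- freertos\tBuffer Overflow during parsing of DNS/LLMNR packets "
    "in prvParseDNSReply.\t2018-12-06\tnot yet calculated\tCVE-2018-16525\tMISC,MISC,CONFIRM",
    "gnu -- binutils\tInteger overflow and infinite loop caused by the IS_CONTAINED_BY_LMA "
    "macro in elf.c.\t2018-12-07\tnot yet calculated\tCVE-2018-19932\tMISC",
]

if __name__ == "__main__":
    for name, entries in bucket(SAMPLE).items():
        print(f"{name}: {[e.cve for e in entries]}")
```

The thresholds are the bulletin's three-band split; it has no separate Critical band, so a practitioner mapping these entries onto a CVSS v3 rating scale should not expect the bands to line up. Entries in the "Not Yet Assigned" bucket need to be re-checked against NVD once a score is published.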

High Vulnerabilities

There were no high vulnerabilities recorded this week.

Medium Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

metinfo -- metinfo
  Metinfo 6.1.3 has reflected XSS via the admin/column/move.php lang_columnerr4 parameter.
  Published: 2018-12-03 | CVSS Score: 4.3 | CVE-2018-19835 | Source & Patch Info: MISC

Low Vulnerabilities

There were no low vulnerabilities recorded this week.

Severity Not Yet Assigned

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

Every entry in this table has CVSS Score: not yet calculated.

actiontec -- c1000a_router
  Persistent Cross-Site Scripting (XSS) in the advancedsetup_websiteblocking.html Website Blocking page of the Actiontec C1000A router with firmware through CAC004-31.30L.95 allows a remote attacker to inject arbitrary HTML into the Website Blocking page by inserting arbitrary HTML into the 'TodUrlAdd' URL parameter in a /urlfilter.cmd POST request.
  Published: 2018-12-06 | CVE-2018-19922 | MISC

amazon_web_services -- freertos
  Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow information disclosure during parsing of ICMP packets in prvProcessICMPPacket.
  Published: 2018-12-06 | CVE-2018-16527 | MISC, MISC, CONFIRM

amazon_web_services -- freertos
  Amazon Web Services (AWS) FreeRTOS through 1.3.1 allows remote attackers to execute arbitrary code because of mbedTLS context object corruption in prvSetupConnection and GGD_SecureConnect_Connect in AWS TLS connectivity modules.
  Published: 2018-12-06 | CVE-2018-16528 | MISC, MISC, CONFIRM

amazon_web_services -- freertos
  An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. Out of bounds memory access during parsing of DHCP responses in prvProcessDHCPReplies can be used for information disclosure.
  Published: 2018-12-06 | CVE-2018-16602 | MISC, MISC, CONFIRM

amazon_web_services -- freertos
  An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. A crafted IP header triggers a full memory space copy in prvProcessIPPacket, leading to denial of service and possibly remote code execution.
  Published: 2018-12-06 | CVE-2018-16601 | MISC, MISC, CONFIRM

amazon_web_services -- freertos
  An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. Out of bounds memory access during parsing of ARP packets in eARPProcessPacket can be used for information disclosure.
  Published: 2018-12-06 | CVE-2018-16600 | MISC, MISC, CONFIRM

amazon_web_services -- freertos
  An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. In xProcessReceivedUDPPacket and prvParseDNSReply, any received DNS response is accepted, without confirming it matches a sent DNS request.
  Published: 2018-12-06 | CVE-2018-16598 | MISC, MISC, CONFIRM

amazon_web_services -- freertos
  An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. Out of bounds memory access during parsing of NBNS packets in prvTreatNBNS can be used for information disclosure.
  Published: 2018-12-06 | CVE-2018-16599 | MISC, MISC, CONFIRM

amazon_web_services -- freertos
  Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow remote attackers to leak information or execute arbitrary code because of a Buffer Overflow during generation of a protocol checksum in usGenerateProtocolChecksum and prvProcessIPPacket.
  Published: 2018-12-06 | CVE-2018-16526 | MISC, MISC, CONFIRM

amazon_web_services -- freertos
  Amazon Web Services (AWS) FreeRTOS through 1.3.1 has an uninitialized pointer free in SOCKETS_SetSockOpt.
  Published: 2018-12-06 | CVE-2018-16522 | MISC, MISC, CONFIRM

amazon_web_services -- freertos
  An issue was discovered in Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component. Out of bounds access to TCP source and destination port fields in xProcessReceivedTCPPacket can leak data back to an attacker.
  Published: 2018-12-06 | CVE-2018-16603 | MISC, MISC, CONFIRM

amazon_web_services -- freertos
  Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow remote attackers to execute arbitrary code or leak information because of a Buffer Overflow during parsing of DNS/LLMNR packets in prvParseDNSReply.
  Published: 2018-12-06 | CVE-2018-16525 | MISC, MISC, CONFIRM

amazon_web_services -- freertos
  Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow information disclosure during parsing of TCP options in prvCheckOptions.
  Published: 2018-12-06 | CVE-2018-16524 | MISC, MISC, CONFIRM

amazon_web_services -- freertos
  Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), and WITTENSTEIN WHIS Connect middleware TCP/IP component allow division by zero in prvCheckOptions.
  Published: 2018-12-06 | CVE-2018-16523 | MISC, MISC, CONFIRM

anker -- nebula_capsule_pro_nbui_m1_devices
  Anker Nebula Capsule Pro NBUI_M1_V2.1.9 devices allow attackers to cause a denial of service (reboot of the underlying Android 7.1.2 operating system) via a crafted application that sends data to WifiService.
  Published: 2018-12-08 | CVE-2018-19980 | MISC

antiy_labs -- avl_atool
  Local attackers can trigger a stack-based buffer overflow on vulnerable installations of Antiy-AVL ATool security management v1.0.0.22. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the processing of IOCTL 0x80002000 by the IRPFile.sys Antiy-AVL ATool kernel driver. The bug is caused by failure to properly validate the length of the user-supplied data, which results in a kernel stack buffer overflow. An attacker can leverage this vulnerability to execute arbitrary code in the context of the kernel, which could lead to privilege escalation; a failed exploit could lead to denial of service.
  Published: 2018-12-05 | CVE-2018-19650 | MISC

arm -- mbed_tls
  Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a local unprivileged attacker to recover the plaintext of RSA decryption, which is used in RSA-without-(EC)DH(E) cipher suites.
  Published: 2018-12-05 | CVE-2018-19608 | MISC, CONFIRM, CONFIRM

artifex -- mupdf
  In Artifex MuPDF 1.14.0, svg/svg-run.c allows remote attackers to cause a denial of service (recursive calls followed by a fitz/xml.c fz_xml_att crash from excessive stack consumption) via a crafted svg file, as demonstrated by mupdf-gl.
  Published: 2018-12-05 | CVE-2018-19881 | MISC, MISC

artifex -- mupdf
  In Artifex MuPDF 1.14.0, the svg_run_image function in svg/svg-run.c allows remote attackers to cause a denial of service (href_att NULL pointer dereference and application crash) via a crafted svg file, as demonstrated by mupdf-gl.
  Published: 2018-12-05 | CVE-2018-19882 | MISC, MISC

aruba -- access_points
  A vulnerability exists in the firmware of embedded BLE radios that are part of some Aruba Access points. An attacker who is able to exploit the vulnerability could install new, potentially malicious firmware into the AP's BLE radio and could then gain access to the AP's console port. This vulnerability is applicable only if the BLE radio has been enabled in affected access points. The BLE radio is disabled by default. Note - Aruba products are NOT affected by a similar vulnerability being tracked as CVE-2018-16986.
  Published: 2018-12-07 | CVE-2018-7080 | BID, CONFIRM

aruba -- clearpass
  A Remote Authentication bypass in Aruba ClearPass Policy Manager leads to complete cluster compromise. An authentication flaw in all versions of ClearPass could allow an attacker to compromise the entire cluster through a specially crafted API call. Network access to the administrative web interface is required to exploit this vulnerability. Resolution: Fixed in 6.7.6 and 6.6.10-hotfix.
  Published: 2018-12-07 | CVE-2018-7067 | CONFIRM

aruba -- clearpass
  Aruba ClearPass Policy Manager guest authorization failure. Certain administrative operations in ClearPass Guest do not properly enforce authorization rules, which allows any authenticated administrative user to execute those operations regardless of privilege level. This could allow low-privilege users to view, modify, or delete guest users. Resolution: Fixed in 6.7.6 and 6.6.10-hotfix.
  Published: 2018-12-07 | CVE-2018-7079 | CONFIRM

aruba -- clearpass
  An unauthenticated remote command execution exists in Aruba ClearPass Policy Manager on linked devices. The ClearPass OnConnect feature permits administrators to link other network devices into ClearPass for the purpose of collecting enhanced information about connected endpoints. A defect in the API could allow a remote attacker to execute arbitrary commands on one of the linked devices. This vulnerability is only applicable if credentials for devices have been supplied to ClearPass under Configuration -> Network -> Devices -> CLI Settings. Resolution: Fixed in 6.7.5 and 6.6.10-hotfix.
  Published: 2018-12-07 | CVE-2018-7066 | CONFIRM

aruba -- clearpass
  An authenticated SQL injection vulnerability in Aruba ClearPass Policy Manager can lead to privilege escalation. All versions of ClearPass are affected by multiple authenticated SQL injection vulnerabilities. In each case, an authenticated administrative user of any type could exploit this vulnerability to gain access to "appadmin" credentials, leading to complete cluster compromise. Resolution: Fixed in 6.7.6 and 6.6.10-hotfix.
  Published: 2018-12-07 | CVE-2018-7065 | CONFIRM

aruba -- clearpass
  In Aruba ClearPass, disabled API admins can still perform read/write operations. In certain circumstances, API admins in ClearPass which have been disabled may still be able to perform read/write operations on parts of the XML API. This can lead to unauthorized access to the API and complete compromise of the ClearPass instance if an attacker knows of the existence of these accounts.
  Published: 2018-12-07 | CVE-2018-7063 | CONFIRM

asustor -- adm
  Directory Traversal in downloadwallpaper.cgi in ASUSTOR ADM version 3.1.1 allows attackers to download arbitrary files by manipulating the "file" and "folder" URL parameters.
  Published: 2018-12-04 | CVE-2018-12314 | MISC

asustor -- adm
  Missing verification of a password in ASUSTOR ADM version 3.1.1 allows attackers to change account passwords without entering the current password.
  Published: 2018-12-04 | CVE-2018-12315 | MISC

asustor -- adm
  Denial-of-service in the login page of ASUSTOR ADM 3.1.1 allows attackers to prevent users from signing in by placing malformed text in the title.
  Published: 2018-12-04 | CVE-2018-12319 | MISC

asustor -- adm
  OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "secret_key" URL parameter.
  Published: 2018-12-04 | CVE-2018-12312 | MISC

asustor -- adm
  Information disclosure in the SNMP settings page in ASUSTOR ADM version 3.1.1 allows attackers to obtain the SNMP password in cleartext.
  Published: 2018-12-04 | CVE-2018-12318 | MISC

asustor -- adm
  OS command injection in group.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root by modifying the "name" POST parameter.
  Published: 2018-12-04 | CVE-2018-12317 | MISC

asustor -- adm
  OS Command Injection in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands by modifying the filename POST parameter.
  Published: 2018-12-04 | CVE-2018-12316 | MISC

asustor -- adm
  Cross-site scripting in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript by uploading SVG images with embedded JavaScript.
  Published: 2018-12-04 | CVE-2018-12305 | MISC

asustor -- adm
  OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "name" POST parameter.
  Published: 2018-12-04 | CVE-2018-12307 | MISC

asustor -- adm
  Cross-site scripting vulnerability in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute arbitrary JavaScript when a file is moved via a malicious filename.
  Published: 2018-12-04 | CVE-2018-12311 | MISC

asustor -- adm
  Cross-site scripting in the Login page in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript via the System Announcement feature.
  Published: 2018-12-04 | CVE-2018-12310 | MISC

asustor -- adm
  Directory Traversal in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to upload files to arbitrary locations by modifying the "path" URL parameter. NOTE: the "filename" POST parameter is covered by CVE-2018-11345.
  Published: 2018-12-04 | CVE-2018-12309 | MISC

asustor -- adm
  Encryption key disclosure in share.cgi in ASUSTOR ADM version 3.1.1 allows attackers to obtain the encryption key via the "encrypt_key" URL parameter.
  Published: 2018-12-04 | CVE-2018-12308 | MISC

asustor -- adm
  Directory Traversal in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to view arbitrary files by modifying the "file1" URL parameter, a similar issue to CVE-2018-11344.
  Published: 2018-12-04 | CVE-2018-12306 | MISC

asustor -- adm
  OS command injection in snmp.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands without authentication via the "rocommunity" URL parameter.
  Published: 2018-12-04 | CVE-2018-12313 | MISC

bastian_allgeier -- kirby
  panel/login in Kirby v2.5.12 allows XSS via a blog name.
  Published: 2018-12-04 | CVE-2018-16628 | MISC

brocade_communications -- fabric_os
  A vulnerability in the proxy service of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow remote unauthenticated attackers to obtain sensitive information and possibly cause a denial of service attack.
  Published: 2018-12-03 | CVE-2018-6440 | CONFIRM

brocade_communications -- fabric_os
  A vulnerability in the configdownload command of Brocade Fabric OS command line interface (CLI) versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow a local attacker to escape the restricted shell and gain root access.
  Published: 2018-12-03 | CVE-2018-6439 | CONFIRM

cairo -- cairo
  cairo 1.16.0, in cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a free function incompatible with WebKit's fastMalloc, leading to an application crash with a "free(): invalid pointer" error.
  Published: 2018-12-05 | CVE-2018-19876 | MISC, MISC

chipsbank_technologies -- ump_tool
  ChipsBank UMPTool saves the password to the NAND with a simple substitution cipher, which allows attackers to get full access when having physical access to the device.
  Published: 2018-12-03 | CVE-2018-19795 | MISC

cisco -- energy_management_suite
  A vulnerability in the configuration of a local database installed as part of the Cisco Energy Management Suite (CEMS) could allow an authenticated, local attacker to access and alter confidential data. The vulnerability is due to the installation of the PostgreSQL database with unchanged default access credentials. An attacker could exploit this vulnerability by logging in to the machine where CEMS is installed and establishing a local connection to the database. The fix for this vulnerability randomizes the database access password in new installations; however, the fix will not change the password for existing installations. Users are required to manually change the password, as documented in the Workarounds section of this advisory. There are workarounds that address this vulnerability.
  Published: 2018-12-04 | CVE-2018-0468 | BID, CISCO, MISC

cloud_foundry -- cloud_foundry_nfs
  Cloud Foundry NFS volume release, 1.2.x prior to 1.2.5, 1.5.x prior to 1.5.4, 1.7.x prior to 1.7.3, logs the cf admin username and password when running the nfsbrokerpush BOSH deploy errand. A remote authenticated user with access to BOSH can obtain the admin credentials for the Cloud Foundry Platform through the logs of the NFS volume deploy errand.
  Published: 2018-12-05 | CVE-2018-15797 | CONFIRM

crafter_software -- crafter_cms
  A Server-Side Template Injection issue was discovered in Crafter CMS 3.0.18. Attackers with developer privileges may execute OS commands by Creating/Editing a template file (.ftl filetype) that triggers a call to freemarker.template.utility.Execute in the FreeMarker library during rendering of a web page.
  Published: 2018-12-06 | CVE-2018-19907 | MISC, MISC

dell -- encryption
  Dell Encryption (formerly Dell Data Protection | Encryption) v10.1.0 and earlier contain an information disclosure vulnerability. A malicious user with physical access to the machine could potentially exploit this vulnerability to access the unencrypted RegBack folder that contains back-ups of sensitive system files.
  Published: 2018-12-05 | CVE-2018-15773 | MISC

domainmod -- domainmod
  DomainMOD through 4.11.01 has XSS via the assets/add/registrar-accounts.php UserName, Reseller ID, or notes field.
  Published: 2018-12-06 | CVE-2018-19913 | MISC

domainmod -- domainmod
  DomainMOD through 4.11.01 has XSS via the assets/add/dns.php Profile Name or notes field.
  Published: 2018-12-06 | CVE-2018-19914 | MISC

domainmod -- domainmod
  DomainMOD through 4.11.01 has XSS via the assets/edit/host.php Web Host Name or Web Host URL field.
  Published: 2018-12-06 | CVE-2018-19915 | MISC

domainmod -- domainmod
  DomainMOD through 4.11.01 has XSS via the admin/dw/add-server.php DisplayName, HostName, or UserName field.
  Published: 2018-12-05 | CVE-2018-19892 | MISC

drobo -- 5n2_nas
  Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve diagnostic information via the "name" URL parameter.
  Published: 2018-12-03 | CVE-2018-14695 | MISC

drobo -- 5n2_nas
  Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.
  Published: 2018-12-03 | CVE-2018-14696 | MISC

drobo -- 5n2_nas
  Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the username URL parameter.
  Published: 2018-12-03 | CVE-2018-14697 | MISC

drobo -- 5n2_nas
  Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the "username" URL parameter.
  Published: 2018-12-03 | CVE-2018-14698 | MISC

drobo -- 5n2_nas
  System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.
  Published: 2018-12-03 | CVE-2018-14699 | MISC

drobo -- 5n2_nas
  Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password.
  Published: 2018-12-03 | CVE-2018-14703 | MISC

drobo -- 5n2_nas
  System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.
  Published: 2018-12-03 | CVE-2018-14701 | MISC

drobo -- 5n2_nas
  Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.
  Published: 2018-12-03 | CVE-2018-14702 | MISC

drobo -- 5n2_nas
  Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation.
  Published: 2018-12-03 | CVE-2018-14709 | MISC

drobo -- 5n2_nas
  An insecure transport protocol used by Drobo Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to intercept network traffic.
  Published: 2018-12-03 | CVE-2018-14708 | MISC

drobo -- 5n2_nas
  Directory traversal in the Drobo Pix web application on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to upload files to arbitrary locations.
  Published: 2018-12-03 | CVE-2018-14707 | MISC

drobo -- 5n2_nas
  System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the payload in a POST request.
  Published: 2018-12-03 | CVE-2018-14706 | MISC

drobo -- 5n2_nas
  Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter.
  Published: 2018-12-03 | CVE-2018-14700 | MISC

drobo -- 5n2_nas
  Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path.
  Published: 2018-12-03 | CVE-2018-14704 | MISC

f5 -- big-ip
  The svpn component of the F5 BIG-IP APM client prior to version 7.1.7.2 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host in a race condition.
  Published: 2018-12-06 | CVE-2018-15332 | BID, CONFIRM

foreman -- foreman
  A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute XSS attacks against other users, possibly leading to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Foreman before 1.18.3, 1.19.1, and 1.20.0 are vulnerable.
  Published: 2018-12-07 | CVE-2018-16861 | CONFIRM

freebsd -- freebsd
  In FreeBSD before 11.2-STABLE(r340854) and 11.2-RELEASE-p5, an integer overflow error when handling opcodes can cause memory corruption by sending a specially crafted NFSv4 request. Unprivileged remote users with access to the NFS server may be able to execute arbitrary code.
  Published: 2018-12-04 | CVE-2018-17157 | SECTRACK, MISC, FREEBSD

freebsd -- freebsd
  In FreeBSD before 11.2-STABLE(r340854) and 11.2-RELEASE-p5, an integer overflow error can occur when handling the client address length field in an NFSv4 request. Unprivileged remote users with access to the NFS server can crash the system by sending a specially crafted NFSv4 request.
  Published: 2018-12-04 | CVE-2018-17158 | SECTRACK, MISC, FREEBSD

freebsd -- freebsd
  In FreeBSD before 11.2-STABLE(r340854) and 11.2-RELEASE-p5, the NFS server lacks a bounds check in the READDIRPLUS NFS request. Unprivileged remote users with access to the NFS server can cause a resource exhaustion by forcing the server to allocate an arbitrarily large memory allocation.
  Published: 2018-12-04 | CVE-2018-17159 | SECTRACK, MISC, FREEBSD

freebsd -- freebsd
  In FreeBSD before 11.2-STABLE(r341486) and 11.2-RELEASE-p6, insufficient bounds checking in one of the device models provided by bhyve can permit a guest operating system to overwrite memory in the bhyve host, possibly permitting arbitrary code execution. A guest OS using a firmware image can cause the bhyve process to crash, or possibly execute arbitrary code on the host as root.
  Published: 2018-12-04 | CVE-2018-17160 | FREEBSD

freeswitch -- freeswitch
  FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of "works" for the freeswitch account can sometimes be used.
  Published: 2018-12-06 | CVE-2018-19911 | MISC, MISC

freeware_advanced_audio_coder -- freeware_advanced_audio_coder
  An invalid memory address dereference was discovered in the huffcode function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC) 1.29.9.2. The vulnerability causes a segmentation fault and application crash, which leads to denial of service in the book 4 case.
  Published: 2018-12-05 | CVE-2018-19887 | MISC

freeware_advanced_audio_coder -- freeware_advanced_audio_coder
  An invalid memory address dereference was discovered in the huffcode function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC) 1.29.9.2. The vulnerability causes a segmentation fault and application crash, which leads to denial of service in the book 10 case.
  Published: 2018-12-05 | CVE-2018-19891 | MISC

freeware_advanced_audio_coder -- freeware_advanced_audio_coder
  An invalid memory address dereference was discovered in the huffcode function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC) 1.29.9.2. The vulnerability causes a segmentation fault and application crash, which leads to denial of service in the book 2 case.
  Published: 2018-12-05 | CVE-2018-19890 | MISC

freeware_advanced_audio_coder -- freeware_advanced_audio_coder
  An invalid memory address dereference was discovered in the huffcode function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC) 1.29.9.2. The vulnerability causes a segmentation fault and application crash, which leads to denial of service in the HCB_ESC case.
  Published: 2018-12-05 | CVE-2018-19888 | MISC

freeware_advanced_audio_coder -- freeware_advanced_audio_coder
  An invalid memory address dereference was discovered in the huffcode function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC) 1.29.9.2. The vulnerability causes a segmentation fault and application crash, which leads to denial of service in the book 6 case.
  Published: 2018-12-05 | CVE-2018-19889 | MISC

freeware_advanced_audio_coder -- freeware_advanced_audio_coder
  An invalid memory address dereference was discovered in the huffcode function (libfaac/huff2.c) in Freeware Advanced Audio Coder (FAAC) 1.29.9.2. The vulnerability causes a segmentation fault and application crash, which leads to denial of service in the book 8 case.
  Published: 2018-12-05 | CVE-2018-19886 | MISC

general_electric -- proficy_cimplicity_gds
  XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0.
  Published: 2018-12-07 | CVE-2018-15362 | BID, MISC

gitlab -- community_and_enterprise_edition
  An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via Epic change descriptions.
  Published: 2018-12-04 | CVE-2018-17976 | CONFIRM, CONFIRM

gitlab -- community_and_enterprise_edition
  An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Cleartext Storage of Sensitive Information.
  Published: 2018-12-04 | CVE-2018-18641 | CONFIRM, CONFIRM

gitlab -- community_and_enterprise_edition
  An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has XSS.
  Published: 2018-12-04 | CVE-2018-18642 | CONFIRM, CONFIRM

gitlab -- community_and_enterprise_edition
  An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Information Exposure Through an Error Message.
  Published: 2018-12-04 | CVE-2018-18648 | CONFIRM, CONFIRM

gitlab -- community_and_enterprise_edition
  An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows Information Exposure via a Gitlab Prometheus integration.
  Published: 2018-12-04 | CVE-2018-18644 | CONFIRM, CONFIRM

gitlab -- community_and_enterprise_edition
  An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows SSRF.
  Published: 2018-12-04 | CVE-2018-18646 | CONFIRM, CONFIRM

gitlab -- community_and_enterprise_edition
  An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via the GFM markdown API.
  Published: 2018-12-04 | CVE-2018-17975 | CONFIRM, CONFIRM

gitlab -- community_and_enterprise_edition
  An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Missing Authorization.
  Published: 2018-12-04 | CVE-2018-18647 | CONFIRM, CONFIRM

gitlab -- community_and_enterprise_edition
  An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via the merge request JSON endpoint.
  Published: 2018-12-04 | CVE-2018-17939 | CONFIRM, CONFIRM

gitlab -- community_and_enterprise_edition
  An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Information Exposure Through Browser Caching.
  Published: 2018-12-04 | CVE-2018-18640 | CONFIRM, CONFIRM

gitlab -- community_and_enterprise_edition
  An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for Information Exposure via unsubscribe links in email replies.
  Published: 2018-12-04 | CVE-2018-18645 | CONFIRM, CONFIRM

gitlab -- enterprise_edition
  The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4.4 has SSRF.
  Published: 2018-12-04 | CVE-2018-18843 | CONFIRM, CONFIRM

gnu -- binutils
  An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c.
  Published: 2018-12-07 | CVE-2018-19932
MISC
MISCgnu -- binutilsAn issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h because the number of program headers is not restricted.2018-12-07not yet calculatedCVE-2018-19931
MISC
MISCgnu -- c_libraryIn the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.2018-12-04not yet calculatedCVE-2018-19591
BID
SECTRACK
FEDORA
FEDORA
CONFIRM
CONFIRM
CONFIRMgoogle -- androidIn lppTransposer of lpp_tran.cpp there is a possible out of bounds write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-112160868.2018-12-06not yet calculatedCVE-2018-9549
BID
CONFIRMgoogle -- androidIn V4L2SliceVideoDecodeAccelerator::Dequeue of v4l2_slice_video_decode_accelerator.cc, there is a possible out of bounds read of a function pointer due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1 Android-9. Android ID: A-112181526.2018-12-06not yet calculatedCVE-2018-9538
BID
CONFIRMgoogle -- androidIn CAacDecoder_Init of aacdecoder.cpp, there is a possible out-of-bound write due to a missing bounds check. This could lead to remote code execution in the media server with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-112891548.2018-12-06not yet calculatedCVE-2018-9551
BID
CONFIRMgoogle -- androidIn ihevcd_sao_shift_ctb of ihevcd_sao.c there is a possible out of bounds write due to missing bounds check. This could lead to information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-113260892.2018-12-06not yet calculatedCVE-2018-9552
BID
CONFIRMgoogle -- androidIn ParsePayloadHeader of payload_metadata.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-113118184.2018-12-06not yet calculatedCVE-2018-9556
CONFIRMgoogle -- androidIn impd_parse_loud_eq_instructions of impd_drc_dynamic_payload.c there is a possible out-of-bound write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116020594.2018-12-07not yet calculatedCVE-2018-9571
CONFIRMgoogle -- androidIn nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-73083945.2018-12-07not yet calculatedCVE-2018-9518
CONFIRM
UBUNTU
UBUNTUgoogle -- androidIn dumpExtractors of IMediaExtractor.cp, there is a possible disclosure of recently accessed media files due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1. Android ID: A-114770654.2018-12-06not yet calculatedCVE-2018-9554
BID
CONFIRMgoogle -- androidIn l2c_lcc_proc_pdu of l2c_fcr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-112321180.2018-12-06not yet calculatedCVE-2018-9555
CONFIRMgoogle -- androidIn impd_parse_parametric_drc_instructions of impd_drc_static_payload.c there is a possible out of bounds write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116715245.2018-12-07not yet calculatedCVE-2018-9576
CONFIRMgoogle -- androidIn easelcomm_hw_build_scatterlist, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System privileges required. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-69808833.2018-12-07not yet calculatedCVE-2018-9519
CONFIRMgoogle -- androidIn pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931.2018-12-07not yet calculatedCVE-2018-9517
CONFIRMgoogle -- androidIn impd_parametric_drc_parse_gain_set_params of impd_drc_static_payload.c there is a possible out of bounds write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116715937.2018-12-07not yet calculatedCVE-2018-9577
CONFIRMgoogle -- androidIn multiple functions of ContentProvider.java, there is a possible permission bypass due to a missing URI validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-112555574.2018-12-06not yet calculatedCVE-2018-9548
BID
CONFIRMgoogle -- androidIn impd_parse_dwnmix_instructions of impd_drc_static_payload.c there is a possible out of bounds write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116619387.2018-12-07not yet calculatedCVE-2018-9575
CONFIRMgoogle -- androidIn unflatten of GraphicBuffer.cpp, there is a possible bad fd close due to improper input validation. This could lead to local escalation of privilege in the system server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1 Android-9. Android ID: A-114223584.2018-12-06not yet calculatedCVE-2018-9547
BID
CONFIRMgoogle -- androidIn MasteringMetadata::Parse of mkvparser.cc there is a possible double free due to an insecure default value. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-116615297.2018-12-06not yet calculatedCVE-2018-9553
BID
CONFIRMgoogle -- androidIn ixheaacd_adts_crc_start_reg of ixheaacd_adts_crc_check.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-113261928.2018-12-07not yet calculatedCVE-2018-9578
CONFIRMgoogle -- androidIn rw_t2t_handle_tlv_detect of rw_t2t_ndef.cc, there is a possible out-of-bounds write due to a missing bounds check. This could lead to local escalation of privilege in the NFC kernel with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-112161557.2018-12-06not yet calculatedCVE-2018-9558
CONFIRMgoogle -- androidIn readBytes of xltdecwbxml.c, there is a possible out of bounds read due to an integer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-16680558.2018-12-06not yet calculatedCVE-2018-9565
BID
CONFIRMgoogle -- androidIn process_service_search_rsp of sdp_discovery.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure when connecting to a malicious Bluetooth device with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-74249842.2018-12-06not yet calculatedCVE-2018-9566
CONFIRMgoogle -- androidOn Pixel devices there is a bug causing verified boot to show the same certificate fingerprint despite using different signing keys. This may lead to local escalation of privilege if people are relying on those fingerprints to determine what version of the OS the device is running, with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-65543936.2018-12-06not yet calculatedCVE-2018-9567
BID
CONFIRMgoogle -- androidIn impd_parse_split_drc_characteristic of impd_drc_static_payload.c there is a possible out of bounds write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116619337.2018-12-07not yet calculatedCVE-2018-9574
CONFIRMgoogle -- androidIn sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-113509306. References: Upstream kernel.2018-12-06not yet calculatedCVE-2018-9568
CONFIRMgoogle -- androidIn impd_init_drc_decode_post_config of impd_drc_gain_decoder.c there is a possible out-of-bound write due to incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-113885537.2018-12-07not yet calculatedCVE-2018-9569
CONFIRMgoogle -- androidIn CAacDecoder_Init of aacdecoder.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-112660981.2018-12-06not yet calculatedCVE-2018-9550
BID
CONFIRMgoogle -- androidIn impd_parse_drc_ext_v1 of impd_drc_dynamic_payload.c there is a possible out-of-bound write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-115375616.2018-12-07not yet calculatedCVE-2018-9570
CONFIRMgoogle -- androidIn bta_ag_do_disc of bta_ag_sdp.cc, there is a possible out-of-bound read due to an incorrect parameter size. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-113164621.2018-12-06not yet calculatedCVE-2018-9562
CONFIRMgoogle -- androidIn really_install_package of install.cpp, there is a possible free of arbitrary memory due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2. Android ID: A-35385357.2018-12-06not yet calculatedCVE-2018-9557
CONFIRMgoogle -- androidIn impd_parse_filt_block of impd_drc_dynamic_payload.c there is a possible out of bounds write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116467350.2018-12-07not yet calculatedCVE-2018-9573
CONFIRMgoogle -- androidIn HID_DevAddRecord of hidd_api.cc, there is a possible out-of-bounds write due to a missing bounds check. This could lead to local escalation of privilege in the Bluetooth service with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-79946737.2018-12-06not yet calculatedCVE-2018-9560
CONFIRMgoogle -- androidIn impd_drc_parse_coeff of impd_drc_static_payload.c there is a possible out of bounds write due to missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-116224432.2018-12-07not yet calculatedCVE-2018-9572
CONFIRMgoogle -- androidIn persist_set_key and other functions of cryptfs.cpp, there is a possible out-of-bounds write due to an uncaught error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-112731440.2018-12-06not yet calculatedCVE-2018-9559
CONFIRMgoogle -- chromeA lack of host validation in DevTools in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to execute arbitrary code via a crafted HTML page, if the user is running a remote DevTools debugging server.2018-12-04not yet calculatedCVE-2018-6101
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeAn integer overflow on 32-bit systems in WebAssembly in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.2018-12-04not yet calculatedCVE-2018-6092
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIAN
EXPLOIT-DBgoogle -- chromeAn integer overflow that lead to a heap buffer-overflow in Skia in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.2018-12-04not yet calculatedCVE-2018-6090
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeAn iterator-invalidation bug in PDFium in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file.2018-12-04not yet calculatedCVE-2018-6088
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeA use-after-free in WebAssembly in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.2018-12-04not yet calculatedCVE-2018-6087
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeRe-entry of a destructor in Networking Disk Cache in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to execute arbitrary code via a crafted HTML page.2018-12-04not yet calculatedCVE-2018-6085
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeIncorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted HTML page.2018-12-04not yet calculatedCVE-2018-6108
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeInappropriate setting of the SEE_MASK_FLAG_NO_UI flag in file downloads in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to potentially bypass OS malware checks via a crafted HTML page.2018-12-04not yet calculatedCVE-2018-6115
BID
CONFIRM
MISC
GENTOOgoogle -- chromeInappropriate dismissal of file picker on keyboard events in Blink in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to read local files via a crafted HTML page.2018-12-04not yet calculatedCVE-2018-6095
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeA double-eviction in the Incognito mode cache that lead to a user-after-free in Networking Disk Cache in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to execute arbitrary code via a crafted HTML page.2018-12-04not yet calculatedCVE-2018-6086
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeInline metadata in GarbageCollection in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.2018-12-04not yet calculatedCVE-2018-6094
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeThe implementation of the Page.downloadBehavior backend unconditionally marked downloaded files as safe, regardless of file type in Google Chrome prior to 66.0.3359.106 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted HTML page and user interaction.2018-12-04not yet calculatedCVE-2018-6152
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeIncorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.2018-12-04not yet calculatedCVE-2018-6104
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeA stagnant permission prompt in Prompts in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to bypass permission policy via a crafted HTML page.2018-12-04not yet calculatedCVE-2018-6103
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeIncorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.2018-12-04not yet calculatedCVE-2018-6098
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeMissing confusable characters in Internationalization in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.2018-12-04not yet calculatedCVE-2018-6102
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeIncorrect handling of confusable characters in Omnibox in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.2018-12-04not yet calculatedCVE-2018-6105
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeIncorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.2018-12-04not yet calculatedCVE-2018-6107
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeA lack of CORS checks in Blink in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to leak limited cross-origin data via a crafted HTML page.2018-12-04not yet calculatedCVE-2018-6099
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chromeA nullptr dereference in WebAssembly in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.2018-12-04not yet calculatedCVE-2018-6116
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANgoogle -- chrome
 A lack of CORS checks, after a Service Worker redirected to a cross-origin PDF, in Service Worker in Google Chrome prior to 66.0.3359.106 allowed a remote attacker to leak limited cross-origin data via a crafted HTML page.2018-12-04not yet calculatedCVE-2018-6089
BID
REDHAT
CONFIRM
MISC
GENTOO
DEBIANhashicorp -- vaultHashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being reported.2018-12-05not yet calculatedCVE-2018-19786
CONFIRMhitshop -- hitshopAn issue was discovered in hitshop through 2014-07-15. There is an elevation-of-privilege vulnerability (that allows control over the whole web site) via the admin.php/user/add URI because a storekeeper account (which is supposed to have only privileges for commodity management) can add an administrator account.2018-12-04not yet calculatedCVE-2018-19853
MISChpe -- integrated_lights-out_5A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) prior to v1.37 could be locally exploited to bypass the security restrictions for firmware updates.2018-12-03not yet calculatedCVE-2018-7113
SECTRACK
CONFIRMhpe -- intelligent_management_centerHPE Intelligent Management Center (IMC) prior to IMC PLAT 7.3 (E0605P06) is vulnerable to remote buffer overflow in dbman leading to code execution. This problem is resolved in IMC PLAT 7.3 (E0605P06) or subsequent versions.2018-12-03not yet calculatedCVE-2018-7114
SECTRACK
MISC
CONFIRMhpe -- intelligent_management_centerHPE Intelligent Management Center (IMC) prior to IMC PLAT 7.3 (E0605P06) is vulnerable to a remote denial of service via dbman Opcode 10003 'Filename'. This problem is resolved in IMC PLAT 7.3 (E0605P06) or subsequent versions.2018-12-03not yet calculatedCVE-2018-7116
SECTRACK
MISC
CONFIRMhpe -- intelligent_management_centerHPE Intelligent Management Center (IMC) prior to IMC PLAT 7.3 (E0605P06) is vulnerable to a remote buffer overflow in dbman.exe opcode 10001 on Windows. This problem is resolved in IMC PLAT 7.3 (E0605P06) or subsequent versions.2018-12-03not yet calculatedCVE-2018-7115
SECTRACK
MISC
CONFIRMhpe -- multiple_serversThe HPE-provided Windows firmware installer for certain Gen9, Gen8, G7,and G6 HPE servers allows local disclosure of privileged information. This issue was resolved in previously provided firmware updates as follows. The HPE Windows firmware installer was updated in the system ROM updates which also addressed the original Spectre/Meltdown set of vulnerabilities. At that time, the Windows firmware installer was also updated in the versions of HPE Integrated Lights-Out 2, 3, and 4 (iLO 2, 3, and 4) listed in the security bulletin. The updated HPE Windows firmware installer was released in the system ROM and HPE Integrated Lights-Out (iLO) releases documented in earlier HPE Security Bulletins: HPESBHF03805, HPESBHF03835, HPESBHF03831. Windows-based systems that have already been updated to the system ROM or iLO versions described in these security bulletins require no further action.2018-12-03not yet calculatedCVE-2018-7112
SECTRACK
CONFIRM
CONFIRM
CONFIRM
CONFIRMhuawei -- p20_smartphonesThere is an out-of-bounds write vulnerability on Huawei P20 smartphones with versions before 8.1.0.171(C00). The software does not handle the response message properly when the user doing certain inquiry operation, an attacker could send crafted message to the device, successful exploit could cause a denial of service condition.2018-12-04not yet calculatedCVE-2018-7987
CONFIRMhuawei -- vip_appHuawei VIP App is a mobile app for Malaysia customers that purchased P20 Series, Nova 3/3i and Mate 20. There is a vulnerability in versions before 4.0.5 that attackers can conduct bruteforce to the VIP App Web Services to get user information.2018-12-04not yet calculatedCVE-2018-7956
CONFIRMhunan_jinyun_network_technology -- pbootcmsSearchController.php in PbootCMS 1.2.1 has SQL injection via the index.php/Search/index.html query string.2018-12-05not yet calculatedCVE-2018-19893
MISCibm -- campaignIBM Campaign 9.1.0 and 9.1.2 could allow a local user to obtain admini privileges due to the application not validating access permissions. IBM X-Force ID: 153382.2018-12-05not yet calculatedCVE-2018-1941
XF
CONFIRMibm -- connectionsIBM Connections 5.0, 5.5, and 6.0 could allow an authenticated user to obtain sensitive information from invalid request error messages. IBM X-Force ID: 153315.2018-12-06not yet calculatedCVE-2018-1935
BID
XF
CONFIRMibm -- connectionsIBM Connections 5.0, 5.5, and 6.0 is vulnerable to possible host header injection attack that could cause navigation to the attacker's domain. IBM X-Force ID: 152456.2018-12-07not yet calculatedCVE-2018-1896
XF
CONFIRMibm -- datapower_gatewaysIBM DataPower Gateways 7.5, 7.5.1, 7.5.2, 7.6, and 2018.4 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 144889.2018-12-07not yet calculatedCVE-2018-1663
XF
CONFIRMibm -- db2_for_linux_unix_and_windowsIBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5., and 11.1 db2pdcfg is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could allow an attacker to execute arbitrary code. IBM X-Force ID: 152462.2018-11-30not yet calculatedCVE-2018-1897
CONFIRM
BID
SECTRACK
XFibm -- financial_transaction_manager_for_digital_payments_for_multi-platformIBM Financial Transaction Manager for Digital Payments for Multi-Platform 3.0.0, 3.0.2, and 3.0.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 151329.2018-12-06not yet calculatedCVE-2018-1871
CONFIRM
XFibm -- i2_enterprise_insight_analysisIBM i2 Enterprise Insight Analysis 2.1.7 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 141340.2018-12-06not yet calculatedCVE-2018-1504
XF
CONFIRMibm -- i2_enterprise_insight_analysisIBM i2 Enterprise Insight Analysis 2.1.7 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 142117.2018-12-06not yet calculatedCVE-2018-1525
XF
CONFIRMibm -- i2_enterprise_insight_analysisIBM i2 Enterprise Insight Analysis 2.1.7 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 141413.2018-12-06not yet calculatedCVE-2018-1505
XF
CONFIRMibm -- marketing_platformIBM Marketing Platform 9.1.0, 9.1.2 and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152855.2018-12-07not yet calculatedCVE-2018-1920
CONFIRM
XF

ibm -- marketing_platform
  IBM Marketing Platform 9.1.0, 9.1.2, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 139029.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1424 (CONFIRM, XF)

ibm -- maximo_asset_mangement
  IBM Maximo Asset Management 7.6 could allow an authenticated user to enumerate usernames using a specially crafted HTTP request. IBM X-Force ID: 145966.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1697 (XF, CONFIRM)

ibm -- mq_and_console_rest_api
  A problem within the IBM MQ 9.0.2, 9.0.3, 9.0.4, 9.0.5, and 9.1.0.0 Console REST API could allow attackers to execute a denial of service attack preventing users from logging into the MQ Console REST API. IBM X-Force ID: 151969.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1883 (XF, CONFIRM)

ibm -- qradar_siem
  IBM QRadar SIEM 7.2 and 7.3 uses hard-coded credentials which could allow an attacker to bypass the authentication configured by the administrator. IBM X-Force ID: 144656.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1650 (CONFIRM, XF)

ibm -- qradar_siem
  IBM QRadar SIEM 7.2 and 7.3 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 143118.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1568 (CONFIRM, XF)

ibm -- qradar_siem
  IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 147707.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1728 (XF, CONFIRM)

ibm -- qradar_siem
  IBM QRadar SIEM 7.2 and 7.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 147709.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1730 (XF, CONFIRM)

ibm -- qradar_siem
  IBM QRadar SIEM 1.14.0 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 147810.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1732 (CONFIRM, XF)

ibm -- qradar_siem
  IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 144653.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1648 (CONFIRM, XF)

ibm -- qradar_siem
  IBM QRadar SIEM 7.2.8 and 7.3 does not validate, or incorrectly validates, a certificate. This weakness might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. IBM X-Force ID: 133120.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-1622 (XF, CONFIRM)

ibm -- websphere_application_server
  IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to gain elevated privileges on the system, caused when a security domain is configured to use a federated repository other than the global federated repository and then migrated to a newer release of WebSphere Application Server. IBM X-Force ID: 150813.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1840 (XF, CONFIRM)

intelliants -- subrion_cms
  Subrion CMS v4.2.1 allows XSS via the panel/configuration/general/ SITE TITLE parameter.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16631 (MISC)

intelliants -- subrion_cms
  panel/uploads/#elf_l1_XA in Subrion CMS v4.2.1 allows XSS via an SVG file with JavaScript in a SCRIPT element.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16629 (MISC)

intel -- integrated performance primitives
  Data leakage in cryptographic libraries for Intel IPP before the 2019 update1 release may allow an authenticated user to potentially enable information disclosure via local access.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-12155 (CONFIRM)

internet2 -- grouper
  Cross-site scripting (XSS) vulnerability in UiV2Public.index in Internet2 Grouper 2.2 and 2.3 allows remote attackers to inject arbitrary web script or HTML via the code parameter.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19794 (MISC, MISC, MISC)

jiacrontab -- jiacrontab
  jiacrontab 1.4.5 allows remote attackers to execute arbitrary commands via the crontab/task/edit?addr=localhost%3a20001 command and args parameters, as demonstrated by command=cat&args=/etc/passwd in the POST data.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19793 (MISC)

kubernetes -- kubernetes
  In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1002101 (CONFIRM)

kubernetes -- kubernetes
  In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1002105 (BID, REDHAT, REDHAT, REDHAT, REDHAT, REDHAT, REDHAT, REDHAT, REDHAT, MISC, CONFIRM, CONFIRM)

kubernetes -- kubernetes
  In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. In VM environments where the IP is easy to predict, the attacker can use DNS rebinding to indirectly make requests to the Kubernetes Dashboard and create a new Kubernetes Deployment running arbitrary code. If minikube mount is in use, the attacker could also directly access the host filesystem.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1002103 (CONFIRM)

libraw -- libraw
  An error within the "LibRaw::xtrans_interpolate()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.6 can be exploited to cause an invalid read memory access and subsequently a Denial of Service condition.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-16910 (MISC, MISC, SECUNIA, MISC, UBUNTU)

libraw -- libraw
  A boundary error within the "quicktake_100_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be exploited to cause a stack-based buffer overflow and subsequently cause a crash.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5805 (REDHAT, MISC, MISC, SECUNIA, MISC)

libraw -- libraw
  An error within the "leaf_hdr_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be exploited to trigger a NULL pointer dereference.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5806 (REDHAT, MISC, MISC, SECUNIA, MISC)

libraw -- libraw
  An error within the "LibRaw::unpack()" function (src/libraw_cxx.cpp) in LibRaw versions prior to 0.18.7 can be exploited to trigger a NULL pointer dereference.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5801 (REDHAT, MISC, MISC, SECUNIA, MISC, UBUNTU)

libraw -- libraw
  An error within the "kodak_radc_load_raw()" function (internal/dcraw_common.cpp) related to the "buf" variable in LibRaw versions prior to 0.18.7 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5802 (REDHAT, MISC, MISC, SECUNIA, MISC, UBUNTU)

libraw -- libraw
  An integer overflow error within the "parse_qt()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger an infinite loop via a specially crafted Apple QuickTime file.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5815 (MISC, MISC, SECUNIA, MISC, UBUNTU)

libraw -- libraw
  An integer overflow error within the "identify()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger a division by zero via a specially crafted NOKIARAW file. (Note: This vulnerability is caused by an incomplete fix of CVE-2018-5804.)
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5816 (MISC, MISC, SECUNIA, MISC, UBUNTU)

libraw -- libraw
  An error within the "samsung_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5807 (MISC, MISC, SECUNIA, MISC, UBUNTU)

libraw -- libraw
  An error within the "LibRaw::parse_exif()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause a stack-based buffer overflow and subsequently execute arbitrary code.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5809 (MISC, MISC, SECUNIA, MISC)

libraw -- libraw
  An error within the "find_green()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause a stack-based buffer overflow and subsequently execute arbitrary code.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5808 (MISC, MISC, SECUNIA, MISC)

libraw -- libraw
  An error within the "nikon_coolscan_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to trigger a NULL pointer dereference.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5812 (MISC, MISC, SECUNIA, MISC, UBUNTU)

libraw -- libraw
  A type confusion error within the "identify()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be exploited to trigger a division by zero.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5804 (MISC, MISC, SECUNIA, MISC)

libraw -- libraw
  An error within the "parse_minolta()" function (dcraw/dcraw.c) in LibRaw versions prior to 0.18.11 can be exploited to trigger an infinite loop via a specially crafted file.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5813 (MISC, MISC, SECUNIA, MISC, UBUNTU)

libraw -- libraw
  An error within the "rollei_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause a heap-based buffer overflow and subsequently cause a crash.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5810 (MISC, MISC, SECUNIA, MISC, UBUNTU)

libraw -- libraw
  An error within the "nikon_coolscan_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5811 (MISC, MISC, SECUNIA, MISC, UBUNTU)

libraw -- libraw
  An off-by-one error within the "LibRaw::kodak_ycbcr_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.7 can be exploited to cause a heap-based buffer overflow and subsequently cause a crash.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5800 (BID, REDHAT, MISC, MISC, SECUNIA, MISC, UBUNTU)

libraw -- libraw
  An error related to the "LibRaw::panasonic_load_raw()" function (dcraw_common.cpp) in LibRaw versions prior to 0.18.6 can be exploited to cause a heap-based buffer overflow and subsequently cause a crash via a specially crafted TIFF image.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-16909 (MISC, MISC, SECUNIA, MISC, UBUNTU)

linux -- linux_kernel
  In the Linux kernel through 4.19.6, a local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19824 (BID, MISC, MISC, MISC)

linux -- linux_kernel
  An issue was discovered in the Linux kernel before 4.19.3. crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability because the attacker does not need a capability (however, the system must have the CONFIG_CRYPTO_USER kconfig option).
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19854 (MISC, MISC, MISC)

litespeed_technologies -- openlitespeed
  The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 allows local users to cause a denial of service (buffer overflow) or possibly have unspecified other impact by creating a symlink through which the openlitespeed program can be invoked with a long command name (involving ../ characters), which is mishandled in the LshttpdMain::getServerRootFromExecutablePath function.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19792 (MISC)

litespeed_technologies -- openlitespeed
  The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 does not correctly handle requests for byte sequences, allowing an attacker to amplify the response size by requesting the entire response body repeatedly, as demonstrated by an HTTP Range header value beginning with the "bytes=0-,0-" substring.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19791 (MISC)

lxml -- lxml
  An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
  Published: 2018-12-02 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19787 (MISC)

mcafee -- true_key
  Privilege Escalation vulnerability in the Microsoft Windows client in McAfee True Key (TK) 5.1.230.7 and earlier allows local users to execute arbitrary code via specially crafted malware.
  Published: 2018-12-06 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-6757 (CONFIRM)

mcafee -- true_key
  Authentication Abuse vulnerability in the Microsoft Windows client in McAfee True Key (TK) 5.1.230.7 and earlier allows local users to execute unauthorized commands via specially crafted malware.
  Published: 2018-12-06 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-6756 (CONFIRM)

mcafee -- true_key
  Weak Directory Permission vulnerability in the Microsoft Windows client in McAfee True Key (TK) 5.1.230.7 and earlier allows local users to execute arbitrary code via specially crafted malware.
  Published: 2018-12-06 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-6755 (CONFIRM)

metinfo -- metinfo
  In Metinfo 6.1.3, include/interface/applogin.php allows setting arbitrary HTTP headers (including the Cookie header), and common.inc.php allows registering variables from the $_COOKIE value. This issue can, for example, be exploited in conjunction with CVE-2018-19835 to bypass many XSS filters such as the Chrome XSS filter.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19836 (MISC)

misp -- misp
  An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.
  Published: 2018-12-06 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19908 (MISC, MISC)

moxa -- nport_w2x50a
  An exploitable authenticated command-injection vulnerability exists in the web server functionality of Moxa NPort W2x50A products with firmware before 2.2 Build_18082311. A specially crafted HTTP POST request to /goform/webSettingProfileSecurity can result in running OS commands as the root user.
  Published: 2018-12-06 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19660 (MISC, FULLDISC)

moxa -- nport_w2x50a
  An exploitable authenticated command-injection vulnerability exists in the web server functionality of Moxa NPort W2x50A products with firmware before 2.2 Build_18082311. A specially crafted HTTP POST request to /goform/net_WebPingGetValue can result in running OS commands as the root user. This is similar to CVE-2017-12120.
  Published: 2018-12-06 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19659 (MISC, FULLDISC)

netapp -- data_ontap
  Data ONTAP operating in 7-Mode versions prior to 8.2.5P2 are susceptible to a vulnerability which discloses sensitive information to an unauthorized user.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-5496 (CONFIRM)

netgate -- pfsense_ce
  An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_normal_mode` parameter.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-4019 (MISC)

netgate -- pfsense_ce
  An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_battery_mode` POST parameter.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-4021 (MISC)

netgate -- pfsense_ce
  An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_ac_mode` POST parameter.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-4020 (MISC)

nice_incontact -- multiple_products
  Two stack-based buffer overflow vulnerabilities have been discovered in CX-One Versions 4.42 and prior (CX-Programmer Versions 9.66 and prior and CX-Server Versions 5.0.23 and prior). When processing project files, the application allows input data to exceed the buffer. An attacker could use a specially crafted project file to overflow the buffer and execute code under the privileges of the application.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-18993 (BID, MISC)

nice_incontact -- multiple_products
  In CX-One Versions 4.42 and prior (CX-Programmer Versions 9.66 and prior and CX-Server Versions 5.0.23 and prior), when processing project files, the application fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit this and execute code under the privileges of the application.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-18989 (BID, MISC)

norton -- password_manger_for_android
  Norton Password Manager for Android (formerly Norton Identity Safe) may be susceptible to a cross site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to potentially bypass access controls such as the same-origin policy.
  Published: 2018-12-06 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-18362 (BID, CONFIRM)

nuuo -- nvrmini2
  NUUO NVRmini2 Network Video Recorder firmware through 3.9.1 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow), resulting in the ability to read camera feeds or reconfigure the device.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19864 (MISC, MISC)

nuuo -- nvrmini2
  NUUO NVRMini2 version 3.9.1 is vulnerable to authenticated remote command injection. An attacker can send crafted requests to upgrade_handle.php to execute OS commands as root.
  Published: 2018-11-30 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-15716 (BID, MISC, EXPLOIT-DB, MISC)

onionshare -- onionshare
  The debug_mode function in web/web.py in OnionShare through 1.3.1, when --debug is enabled, uses the /tmp/onionshare_server.log pathname for logging, which might allow local users to overwrite files or obtain sensitive information by using this pathname.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19960 (MISC)

openrefine -- openrefine
  OpenRefine before 3.5 allows directory traversal via a relative pathname in a ZIP archive.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19859 (MISC)

osb -- vt-designer
  VT-Designer Version 2.1.7.31 is vulnerable because the program reads the contents of a file (which is already in memory) into another heap-based buffer, which may cause the program to crash or allow remote code execution.
  Published: 2018-11-30 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-18983 (BID, MISC)

osb -- vt-designer
  VT-Designer Version 2.1.7.31 is vulnerable because the program populates objects with user supplied input via a file without first checking for validity, allowing attacker supplied input to be written to known memory locations. This may cause the program to crash or allow remote code execution.
  Published: 2018-11-30 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-18987 (BID, MISC)

perl -- perl
  Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-18312 (SECTRACK, CONFIRM, FEDORA, CONFIRM, CONFIRM, CONFIRM, UBUNTU, DEBIAN)

perl -- perl
  Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-18314 (SECTRACK, CONFIRM, CONFIRM, FEDORA, CONFIRM, CONFIRM, UBUNTU, DEBIAN)

perl -- perl
  Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-18311 (SECTRACK, CONFIRM, CONFIRM, MLIST, FEDORA, CONFIRM, CONFIRM, CONFIRM, UBUNTU, UBUNTU, DEBIAN)

perl -- perl
  Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-18313 (SECTRACK, CONFIRM, CONFIRM, FEDORA, CONFIRM, CONFIRM, UBUNTU, UBUNTU, DEBIAN)

philips -- healthsuite_health_android_app
  Philips HealthSuite Health Android App, all versions. The software uses simple encryption that is not strong enough for the level of protection required.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19001 (BID, MISC)

php -- php
  ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19935 (MISC)

pixelimity_cms -- pixelimity_cms
  Pixelimity 1.0 has Persistent XSS via the admin/portfolio.php data[title] parameter, as demonstrated by a crafted onload attribute of an SVG element.
  Published: 2018-12-06 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19919 (MISC)

pluck -- pluck
  Pluck v4.7.7 allows CSRF via admin.php?action=settings.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16634 (MISC)

pluck -- pluck
  Pluck v4.7.7 allows XSS via the admin.php?action=editpage&page= page title.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16633 (MISC)

policykit/polkit -- policykit/polkit
  A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19788 (MISC, MISC, DEBIAN)

powerdns -- recursor
  An issue has been found in PowerDNS Recursor before version 4.1.8 where a remote attacker sending a DNS query can trigger an out-of-bounds memory read while computing the hash of the query for a packet cache lookup, possibly leading to a crash.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16855 (CONFIRM, MISC)

proxygen -- proxygen
  A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 settings can cause the server to spend disproportionate resources. This affects all supported versions of HHVM (3.24.3 and 3.21.7 and below) when using the proxygen server to handle HTTP2 requests.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-6332 (MISC)

python -- simplehttpserver
  A Path Traversal in simplehttpserver versions <=0.2.1 allows listing any file in another folder of the web root.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16478 (MISC)

qemu -- qemu
  The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption.
  Published: 2018-12-06 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19665 (MLIST, BID, MLIST)

qt -- qt
  A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19865 (MISC, MISC, MISC, MISC, MISC, MISC, MISC, MISC, MISC, MISC, MISC)

qualcomm -- android
  In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, a buffer overflow in a WLAN function is possible due to lack of input validation in values received from firmware.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-11905 (BID, CONFIRM)

qualcomm -- android
  In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, userspace can pass IEs to the host driver, and if multiple append commands are received, the integer variable that stores the length can overflow and the subsequent copy of the IE data may potentially lead to a heap buffer overflow.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-14888 (CONFIRM, CONFIRM)

qualcomm -- android
  In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, while processing the RIC Data Descriptor IE in an artificially crafted 802.11 frame with IE length more than 255, an infinite loop may potentially occur, resulting in a denial of service.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2017-15835 (CONFIRM, CONFIRM)

quicken -- quicken_deluxe_2018_for_mac
  An exploitable information disclosure vulnerability exists in the password protection functionality of Quicken Deluxe 2018 for Mac version 5.2.2. A specially crafted sqlite3 request can cause the removal of the password protection, allowing an attacker to access and modify the data without knowing the password. An attacker needs to have access to the password-protected files to trigger this vulnerability.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-3854 (MISC)

radare -- radare2
  opmov in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allows attackers to cause a denial of service (buffer over-read) via crafted x86 assembly data, as demonstrated by rasm2.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19843 (MISC, MISC)

radare -- radare2
  getToken in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allows attackers to cause a denial of service (stack-based buffer over-read) via crafted x86 assembly data, as demonstrated by rasm2.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19842 (MISC, MISC)

red_hat -- enterprise_linux
  A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process could use this flaw to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16869 (MISC, BID, CONFIRM)

red_hat -- enterprise_linux
  A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16868 (MISC, BID, CONFIRM)

red_hat -- enterprise_linux_7
  It was found that RHSA-2018:2918 did not fully fix CVE-2018-16509. An attacker could possibly exploit another variant of the flaw and bypass the -dSAFER protection to, for example, execute arbitrary shell commands via a specially crafted PostScript document. This only affects ghostscript 9.07 as shipped with Red Hat Enterprise Linux 7.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16863 (CONFIRM, CONFIRM, CONFIRM, CONFIRM, REDHAT, CONFIRM)

rockwell_automation -- micrologix_1400_controllers_and_1756_controllogix_communications_modules
  Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules: An unauthenticated, remote threat actor could send a CIP connection request to an affected device, and upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, a loss of communication occurs between the device and the rest of the system, as the system traffic is still attempting to communicate with the device via the overwritten IP address.
  Published: 2018-12-07 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-17924 (BID, MISC)

sales_and_company_management_system -- sales_and_company_management_system
  An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. It has SQL injection via the member/member_order.php type parameter, related to the O_state parameter.
  Published: 2018-12-06 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19925 (MISC)

sales_and_company_management_system -- sales_and_company_management_system
  An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. An email address can be modified in between the request for a validation code and the entry of the validation code, leading to storage of an XSS payload contained in the modified address.
  Published: 2018-12-06 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19924 (MISC)

sales_and_company_management_system -- sales_and_company_management_system
  An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. There is member/member_email.php?action=edit CSRF.
  Published: 2018-12-06 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19923 (MISC)

santa_cruz_operation -- tarantella_enterprise
  Tarantella Enterprise before 3.11 allows Directory Traversal.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19753 (MISC, FULLDISC)

santa_cruz_operation -- tarantella_enterprise
  Tarantella Enterprise before 3.11 allows bypassing Access Control.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19754 (MISC, FULLDISC)

sass -- libsass
  In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19838 (MISC)

sass -- libsass
  In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19797 (MISC)

sass -- libsass
  In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19837 (MISC, MISC)

sass -- libsass
  In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19839 (MISC, MISC)

sass -- libsass
  In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19827 (MISC)

sass -- libsass
  In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19826 (MISC)

solarwinds -- sftp/scp_server
  In SolarWinds SFTP/SCP server through 2018-09-10, the configuration file is world readable and writable, and stores user passwords in an insecure manner, allowing an attacker to determine passwords for potentially privileged accounts. This also grants the attacker the ability to backdoor the server.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16791 (FULLDISC)

solarwinds -- sftp/scp_server
  SolarWinds SFTP/SCP server through 2018-09-10 is vulnerable to XXE via a world readable and writable configuration file that allows an attacker to exfiltrate data.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-16792 (FULLDISC)

spidercontrol -- scada_webserver
  Reflected cross-site scripting (non-persistent) in SCADA WebServer (Versions prior to 2.03.0001) could allow an attacker to send a crafted URL that contains JavaScript, which can be reflected off the web application to the victim's browser.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-18991 (BID, MISC)

thinkcmf -- thinkcmf
  ThinkCMF X2.2.2 has SQL Injection via the method edit_post in ArticleController.class.php and is exploitable by normal authenticated users via the post[id][1] parameter in an article edit_post action.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19898 (MISC)

thinkcmf -- thinkcmf
  ThinkCMF X2.2.2 has SQL Injection via the function edit_post() in NavController.class.php and is exploitable with the manager privilege via the parentid parameter in a nav action.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19895 (MISC)

thinkcmf -- thinkcmf
  ThinkCMF X2.2.2 has SQL Injection via the function delete() in SlideController.class.php and is exploitable with the manager privilege via the ids[] parameter in a slide action.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19896 (MISC)

thinkcmf -- thinkcmf
  ThinkCMF X2.2.2 has SQL Injection via the function _listorders() in AdminbaseController.class.php and is exploitable with the manager privilege via the listorders[key][1] parameter in a Link listorders action.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19897 (MISC)

thinkcmf -- thinkcmf
  ThinkCMF X2.2.2 has SQL Injection via the functions check() and delete() in CommentadminController.class.php and is exploitable with the manager privilege via the ids[] parameter in a commentadmin action.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19894 (MISC)

videolan -- vlc_media_player
  The CAF demuxer in modules/demux/caf.c in VideoLAN VLC media player 3.0.4 may read memory from an uninitialized pointer when processing magic cookies in CAF files, because a ReadKukiChunk() cast converts a return value to an unsigned int even if that value is negative. This could result in a denial of service and/or a potential infoleak.
  Published: 2018-12-05 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19857 (BID, MISC, MISC)

vmware -- esxi
  VMware ESXi 6.7 without ESXi670-201811401-BG and VMware ESXi 6.5 without ESXi650-201811301-BG contain uninitialized stack memory usage in the vmxnet3 virtual network adapter which may lead to an information leak from host to guest.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-6982 (BID, SECTRACK, CONFIRM)

vmware -- multiple_products
  VMware ESXi 6.7 without ESXi670-201811401-BG and VMware ESXi 6.5 without ESXi650-201811301-BG, VMware ESXi 6.0 without ESXi600-201811401-BG, VMware Workstation 15, VMware Workstation 14.1.3 or below, VMware Fusion 11, VMware Fusion 10.1.3 or below contain uninitialized stack memory usage in the vmxnet3 virtual network adapter which may allow a guest to execute code on the host.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-6981 (BID, SECTRACK, SECTRACK, CONFIRM)

wavpack -- wavpack
  The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (resource exhaustion caused by an infinite loop) via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19840 (MISC, MISC, UBUNTU)

wavpack -- wavpack
  The function WavpackVerifySingleBlock in open_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (out-of-bounds read and application crash) via a crafted WavPack Lossless Audio file, as demonstrated by wvunpack.
  Published: 2018-12-04 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19841 (MISC, MISC, UBUNTU)

wordpress -- wordpress
  An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows remote attackers to redirect a user via the lib/StepProcessing/step-processing.php (aka submissions download page) redirect parameter.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-19796 (MISC, MISC)

wordpress -- wordpress
  There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1002001 (MISC, MISC, EXPLOIT-DB)

wordpress -- wordpress
  There is blind SQL injection in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. These vulnerabilities require administrative privileges to exploit. There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST request.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1002000 (MISC, MISC, EXPLOIT-DB)

wordpress -- wordpress
  There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1002003 (MISC, MISC, EXPLOIT-DB)

wordpress -- wordpress
  There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1002002 (MISC, MISC, EXPLOIT-DB)

wordpress -- wordpress
  These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in bft_list.html.php:43 via the filter_signup_date parameter.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1002005 (MISC, MISC, EXPLOIT-DB)

wordpress -- wordpress
  There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit.
  Published: 2018-12-03 | CVSS Score: not yet calculated
  Source & Patch Info: CVE-2018-1002004
MISC
MISC
EXPLOIT-DBwordpress -- wordpressThere is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:15: via POST request variable html_id.2018-12-03not yet calculatedCVE-2018-1002007
MISC
MISC
EXPLOIT-DBwordpress -- wordpressThere is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in list-user.html.php:4: via GET request offset variable.2018-12-03not yet calculatedCVE-2018-1002008
MISC
MISC
EXPLOIT-DBwordpress -- wordpressThere is a reflected XSS vulnerability in WordPress Arigato Autoresponder and News letter v2.5.1.8 This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in unsubscribe.html.php:3: via GET reuqest to the email variable.2018-12-03not yet calculatedCVE-2018-1002009
MISC
MISC
EXPLOIT-DBwordpress -- wordpressThese vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:14: via POST request variable classes2018-12-03not yet calculatedCVE-2018-1002006
MISC
MISC
EXPLOIT-DBwordpress -- wordpresslogin.php in Adiscon LogAnalyzer before 4.1.7 has XSS via the Login Button Referer field.2018-12-05not yet calculatedCVE-2018-19877
MISC
EXPLOIT-DBxen -- xenAn issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of service (host OS crash) because #GP[0] can occur after a non-canonical address is passed to the TLB flushing code. NOTE: this issue exists because of an incorrect CVE-2017-5754 (aka Meltdown) mitigation.2018-12-07not yet calculatedCVE-2018-19965
MISCxen -- xenAn issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because of an interpretation conflict for a union data structure associated with shadow paging. NOTE: this issue exists because of an incorrect fix for CVE-2017-15595.2018-12-07not yet calculatedCVE-2018-19966
MISCxen -- xenAn issue was discovered in Xen 4.11.x allowing x86 guest OS users to cause a denial of service (host OS hang) because the p2m lock remains unavailable indefinitely in certain error conditions.2018-12-07not yet calculatedCVE-2018-19964
MISCxen -- xenAn issue was discovered in Xen 4.11 allowing HVM guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because x86 IOREQ server resource accounting (for external emulators) was mishandled.2018-12-07not yet calculatedCVE-2018-19963
MISCxen -- xenAn issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because small IOMMU mappings are unsafely combined into larger ones.2018-12-07not yet calculatedCVE-2018-19962
MISCxen -- xenAn issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because TLB flushes do not always occur after IOMMU mapping changes.2018-12-07not yet calculatedCVE-2018-19961
MISCxen -- xenAn issue was discovered in Xen through 4.11.x on Intel x86 platforms allowing guest OS users to cause a denial of service (host OS hang) because Xen does not work around Intel's mishandling of certain HLE transactions associated with the KACQUIRE instruction prefix.2018-12-07not yet calculatedCVE-2018-19967
MISCxiaomi -- daisy-o-miss_mi_a2_lite_and_redmi6_devicesThe Goodix GT9xx touchscreen driver for custom Linux kernels on Xiaomi daisy-o-oss Mi A2 Lite and RedMi6 pro devices through 2018-08-27 has a NULL pointer dereference in kfree after a kmalloc failure in gtp_read_Color in drivers/input/touchscreen/gt917d/gt9xx.c.2018-12-07not yet calculatedCVE-2018-19939
MISCyunohost -- yunohostTwo XSS vulnerabilities are located in the profile edition page of the user panel of the YunoHost 2.7.2 through 2.7.14 web application. By injecting a JavaScript payload, these flaws could be used to manipulate a user's session.2018-12-04not yet calculatedCVE-2018-11348
MISCyunohost -- yunohostThe YunoHost 2.7.2 through 2.7.14 web application is affected by one HTTP Response Header Injection. This flaw allows an attacker to inject, into the response from the server, one or several HTTP Header. It requires an interaction with the user to send him the malicious link. It could be used to perform other attacks such as user redirection to a malicious website, HTTP response splitting, or HTTP cache poisoning.2018-12-04not yet calculatedCVE-2018-11347
MISCyzmcms -- yzmcmsAn issue was discovered in YzmCMS 5.2. XSS exists via the admin/content/search.html searinfo parameter.2018-12-04not yet calculatedCVE-2018-19849
MISCzenitel -- ip-stationwebZenitel Norway IP-StationWeb before 4.2.3.9 allows stored XSS via the Display Name for Station Status or Account Settings, related to the goform/zForm_save_changes sip_nick parameter. The password of alphaadmin for the admin account may be used for authentication in some cases.2018-12-06not yet calculatedCVE-2018-19927
MISCzenitel -- ip-stationwebZenitel Norway IP-StationWeb before 4.2.3.9 allows reflected XSS via the goform/ PATH_INFO.2018-12-06not yet calculatedCVE-2018-19926
MISCzoho_manageengine -- opmanagerZoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller.2018-12-06not yet calculatedCVE-2018-19921
MISCzte -- zxin10_routersAll versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product Orange branch are impacted by improper access control vulnerability. Due to improper access control to devcomm process, an unauthorized remote attacker can exploit this vulnerability to execute arbitrary code with root privileges.2018-12-07not yet calculatedCVE-2018-7364
CONFIRMBack to top

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: LATEST ALERT

Adobe Releases Security Updates

US-CERT All NCAS Products - Thu, 12/06/2018 - 16:45
Original release date: December 06, 2018

Adobe has released security updates to address vulnerabilities in Adobe Flash Player and Adobe Flash Player installer. An attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review Adobe Security Bulletin APSB18-42 and apply the necessary updates.

Apple Releases Multiple Security Updates

US-CERT All NCAS Products - Thu, 12/06/2018 - 01:53
Original release date: December 05, 2018

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:

Google Releases Security Updates for Chrome

US-CERT All NCAS Products - Tue, 12/04/2018 - 21:25
Original release date: December 04, 2018

Google has released Chrome version 71.0.3578.80 for Windows, Mac, and Linux. This version addresses multiple vulnerabilities that an attacker could exploit to take control of an affected system.

NCCIC encourages users and administrators to review the Chrome Releases page and apply the necessary updates.

FTC Issues Alert on Recent Marriott Breach

US-CERT All NCAS Products - Tue, 12/04/2018 - 19:10
Original release date: December 04, 2018

The Federal Trade Commission (FTC) has released an alert to provide affected users with recommended precautions against identity theft after the recent breach of the Marriott International Starwood guest reservation database.

NCCIC encourages users and administrators to review the FTC Alert and the NCCIC Tip on Preventing and Responding to Identity Theft. If you believe you are a victim of identity theft, visit the FTC’s identity theft website to make a report.

ST18-007: Questions Every CEO Should Ask About Cyber Risks

US-CERT All NCAS Products - Tue, 12/04/2018 - 16:52
Original release date: December 04, 2018

As technology continues to evolve, cyber threats continue to grow in sophistication and complexity. Cyber threats affect businesses of all sizes and require the attention and involvement of chief executive officers (CEOs) and other senior leaders. To help companies understand their risks and prepare for cyber threats, CEOs should discuss key cybersecurity risk management topics with their leadership and implement cybersecurity best practices. The best practices listed in this document have been compiled from lessons learned from incident response activities and managing cyber risk.

What should CEOs know about the cybersecurity threats their companies face?

CEOs should ask the following questions about potential cybersecurity threats:

  • How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
  • What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
  • How can my business create long-term resiliency to minimize our cybersecurity risks?
  • What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
  • What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?

What can CEOs do to mitigate cybersecurity threats?

The following questions will help CEOs guide discussions about their cybersecurity risk with management:

  • What is the threshold for notifying executive leadership about cybersecurity threats?
  • What is the current level of cybersecurity risk for our company?
  • What is the possible business impact to our company from our current level of cybersecurity risk?
  • What is our plan to address identified risks?
  • What cybersecurity training is available for our workforce?
  • What measures do we employ to mitigate insider threats?
  • How does our cybersecurity program apply industry standards and best practices?
  • Are our cybersecurity program metrics measurable and meaningful?
  • How comprehensive are our cybersecurity incident response plan and our business continuity and disaster recovery plan?
  • How often do we exercise our plans?
  • Do our plans incorporate the whole company or are they limited to information technology (IT)?
  • How prepared is my business to work with federal, state, and local government cyber incident responders and investigators, as well as contract responders and the vendor community?

Recommended Organizational Cybersecurity Best Practices

The cybersecurity best practices listed below can help organizations manage cybersecurity risks.

  • Elevate cybersecurity risk management discussions to the company CEO and the leadership team.
    • CEO and senior company leadership engagement in defining an organization's risk strategy and levels of acceptable risk is critical to a comprehensive cybersecurity risk plan. The company CEO—with assistance from the chief information security officer, chief information officer, and the entire leadership team—should ensure that they know how their divisions affect the company’s overall cyber risk. In addition, regular discussion with the company board of directors regarding these risk decisions ensures visibility to all company decision makers.
      • Executives should construct policy from the top down to ensure everyone is empowered to perform the tasks related to their role in reducing cybersecurity risk. A top-down policy defines roles and limits the power struggles that can hurt IT security.
  • Implement industry standards and best practices rather than relying solely on compliance standards or certifications.
    • Lower cybersecurity risks by implementing industry benchmarks and best practices (e.g., follow best practices from organizations like the Center for Internet Security). Organizations should tailor best practices to ensure they are relevant for their specific use cases.
    • Follow consistent best practices to establish an organizational baseline of expected enterprise network behavior. This allows organizations to be proactive in combatting cybersecurity threats, rather than expending resources to "put out fires."
    • Compliance standards and regulations (e.g., the Federal Information Security Modernization Act) provide guidance on minimal requirements; however, there is more businesses can do to go beyond the requirements.
  • Evaluate and manage organization-specific cybersecurity risks.
    • Identify your organization’s critical assets and the associated impacts from cybersecurity threats to those assets to understand your organization’s specific risk exposure—whether financial, competitive, reputational, or regulatory. Risk assessment results are a key input to identify and prioritize specific protective measures, allocate resources, inform long-term investments, and develop policies and strategies to manage cybersecurity risks.
    • Ask the questions that are necessary to understanding your security planning, operations, and security-related goals. For example, it is better to focus on the goals your organization will achieve by implementing overall security controls instead of inquiring about specific security controls, safeguards, and countermeasures.
    • Focus cyber enterprise risk discussions on "what-if" situations and resist the "it can't happen here" patterns of thinking.
    • Create a repeatable process to cross-train employees to conduct risk and incident management as an institutional practice. Often, there are only a few employees with subject matter expertise in key areas.
  • Ensure cybersecurity risk metrics are meaningful and measurable.
    • An example of a useful metric is the time it takes an organization to patch a critical vulnerability across the enterprise. In this example, reducing the days it takes to patch a vulnerability directly reduces the risk to the organization.
    • An example of a less useful metric is the number of alerts a Security Operations Center (SOC) receives in a week. There are too many variables in the number of alerts a SOC receives for this number to be consistently relevant.
  • Develop and exercise cybersecurity plans and procedures for incident response, business continuity, and disaster recovery.
    • It is critical that organizations test their incident response plans across the whole organization, not just in the IT environment. Each part of the organization should know how to respond to both basic and large-scale cybersecurity incidents. Testing incident response plans and procedures can help prevent an incident from escalating.
    • Incident response plans should provide instructions on when to elevate an incident to the next level of leadership. Regularly exercising incident response plans enables an organization to respond to incidents quickly and minimize impacts.
  • Retain a quality workforce.
    • Cybersecurity tools are only as good as the people reviewing the tools’ results. It is also important to have people who can identify the proper tools for your organization. It can take a significant amount of time to learn a complex organization’s enterprise network, making retaining skilled personnel just as important as acquiring them. There is no perfect answer to stopping all cybersecurity threats, but knowledgeable IT personnel are critical to reducing cybersecurity risks.
    • New cybersecurity threats are constantly appearing. The personnel entrusted with detecting cybersecurity threats need continual training. Training increases the likelihood of personnel detecting cybersecurity threats and responding to threats in a manner consistent with industry best practices.
    • Ensure there is appropriate planning to account for the additional workload related to mitigating cybersecurity risks.
    • Cybersecurity is emerging as a formal discipline with task orientation that requires specific alignments to key knowledge, skills, and abilities. The National Initiative for Cybersecurity Careers and Studies (NICCS) is a useful resource for workforce planning.
  • Maintain situational awareness of cybersecurity threats.

AR18-337C: MAR-10158513.r1.v1 – SamSam3

US-CERT All NCAS Products - Mon, 12/03/2018 - 18:15
Original release date: December 03, 2018
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary

Description

14 files were submitted for analysis. These files are designed to encrypt a victim's system files for a ransom payment.

For a downloadable copy of IOCs, see:

Submitted Files (17)


Domains (10)


Findings

0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac

Tags

dropper, ransomware, trojan

Details

Name: samsam.exe
Size: 218624 bytes
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: a14ea969014b1145382ffcd508d10156
SHA1: ff6aa732320d21697024994944cf66f7c553c9cd
SHA256: 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac
SHA512: 73f28bed4ee700e15d1c0eb9871e37bdda77e3ef3c14b63a1597b9628e7407dc31f8382e0ec52c8c65f68c00a4f321f5971359f865eb35b35dc62e9f5e8e7be1
ssdeep: 3072:ZVdp01i6vcHV1LI5FLV0pZeZKfOJizjrBnNtRg+ur199J+n9fCbP:Za1i6UHVyLV0poZa1jrD099on9
Entropy: 6.249245

Antivirus

Ahnlab | Trojan/Win32.Samas
Antiy | Trojan/Win32.SGeneric
Avira | TR/Ransom.lhumd
BitDefender | Generic.Ransom.SamSam.12451789
ClamAV | Win.Trojan.Samas-1
Cyren | W32/Trojan.MPPP-7951
ESET | MSIL/Filecoder.AR trojan
Emsisoft | Generic.Ransom.SamSam.12451789 (B)
Ikarus | Trojan-Ransom.SamSam
K7 | Trojan ( 700000121 )
McAfee | Ransomware-SAMAS!A14EA969014B
Microsoft Security Essentials | Ransom:MSIL/Samas.A
NANOAV | Trojan.Win32.Ransom.eamswz
Quick Heal | Trojan.Inject.TL3
Sophos | Troj/RansmSam-A
Symantec | Trojan.Gen.2
Systweak | malware.gen-r
TrendMicro | Ransom_CRYPSAM.B
TrendMicro House Call | Ransom_CRYPSAM.B
Vir.IT eXplorer | Trojan.Win32.MSIL9.BGXA
VirusBlokAda | Trojan-Ransom.MSIL.Samas
Zillya! | Dropper.Agent.Win32.229787

Yara Rules

No matches found.

ssdeep Matches

97 | 036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050

PE Metadata

Compile Date: 2016-01-05 19:14:43-05:00
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Company Name: Microsoft
File Description: MicrosoftSAM
Internal Name: samsam.exe
Legal Copyright: Copyright © 2014
Original Filename: samsam.exe
Product Name: MicrosoftSAM
Product Version: 2.4.8.4

PE Sections

MD5 | Name | Raw Size | Entropy
37c3e95eb9901183e02df0ba1de6caf2 | header | 512 | 2.774592
7a556f246357051b2d82ea445571ddbb | .text | 216064 | 6.270810
d0b581056989efaa1de31a61a8f4a9ec | .rsrc | 1536 | 4.110334
06441ad348b483e2458a535949e809cf | .reloc | 512 | 0.101910

Packers/Compilers/Cryptors

Microsoft Visual C# v7.0 / Basic .NET

Relationships

0f2c5c3949... | Connected_To | union83939k.wordpress.com
0f2c5c3949... | Dropped | 6245a51e78526c25510d0aa0909576119fdf0244619f670036538063b88f1c21
0f2c5c3949... | Dropped | 32445c921079aa3e26a376d70ef6550bafeb1f6b0b7037ef152553bb5dad116f
0f2c5c3949... | Dropped | 97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95

Description

This file is a 32-bit Windows .NET compiled executable designed to encrypt victim system files for a ransom payment. This file is a variant of SamSam ransomware. It contains two embedded 32-bit Windows executables in its resource section:

--Begin resource--
"samsam.del.exe" ==> del.exe (SDelete) designed to securely delete files
"samsam.selfdel.exe" ==> selfdel.exe designed to delete the SamSam ransomware from the victim’s system
--End resource--

It installs the embedded files into the following directory:

--Begin files installed--
%Currentdirectory%\del.exe
%Currentdirectory%\Selfdel.exe
--End files installed--

This file is designed to accept an input text file as the command line argument. The input text file contains an RSA public key in the following format:

--Begin RSA public key--
"<RSAKeyValue><Modulus>Base64 encoded RSA public key</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
--End RSA public key--

The input text file was not available for analysis.

Displayed below is the code snippet designed to accept an input text file as the command-line argument:

--Begin command line argument--
private static void Main(string[] args)
{
   if (args.Length != 1)
   {
       return;
   }
   if (!string.IsNullOrEmpty(args[0]))
   {
       Program.publickey = File.ReadAllText(args[0]);
   }
   Program.create_from_resource();
}
--End command line argument--

It searches the drives installed on the victim system for files with the following file extensions:

--Begin file extensions--
"xls",".xlsx",".pdf",".doc",".docx",".ppt",".pptx",".txt",".dwg",".bak",".bkf",".pst",".dbx",".zip",".rar",".mdb",".asp",".aspx",".html",".htm",".dbf",".3dm",".3ds",".3fr",".jar",".3g2",".xml",".png",".tif",".3gp",".java",".jpe",".jpeg",".jpg",".jsp",".php",".3pr",".7z",".ab4",".accdb",".accde",".accdr",".accdt",".ach",".kbx",".acr",".act",".adb",".ads",".agdl",".ai",".ait",".al",".apj",".arw",".asf",".asm",".asx",".avi",".awg",".back",".backup",".backupdb",".pbl",".bank",".bay",".bdb",".bgt",".bik",".bkp",".blend",".bpw",".c",".cdf",".cdr",".cdr3",".cdr4",".cdr5",".cdr6",".cdrw",".cdx",".ce1",".ce2",".cer",".cfp",".cgm",".cib",".class",".cls",".cmt",".cpi",".cpp",".cr2",".craw",".crt",".crw",".phtml",".php5",".cs",".csh",".csl",".tib",".csv",".dac",".db",".db3",".db-journal",".dc2",".dcr",".dcs",".ddd",".ddoc",".ddrw",".dds",".der",".des",".design",".dgc",".djvu",".dng",".dot",".docm",".dotm",".dotx",".drf",".drw",".dtd",".dxb",".dxf",".dxg",".eml",".eps",".erbsql",".erf",".exf",".fdb",".ffd",".fff",".fh",".fmb",".fhd",".fla",".flac",".flv",".fpx",".fxg",".gray",".grey",".gry",".h",".hbk",".hpp",".ibank",".ibd",".ibz",".idx",".iif",".iiq",".incpas",".indd",".kc2",".kdbx",".kdc",".key",".kpdx",".lua",".m",".m4v",".max",".mdc",".mdf",".mef",".mfw",".mmw",".moneywell",".mos",".mov",".mp3",".mp4",".mpg",".mrw",".msg",".myd",".nd",".ndd",".nef",".nk2",".nop",".nrw",".ns2",".ns3",".ns4",".nsd",".nsf",".nsg",".nsh",".nwb",".nx2",".nxl",".nyf",".oab",".obj",".odb",".odc",".odf",".odg",".odm",".odp",".ods",".odt",".oil",".orf",".ost",".otg",".oth",".otp",".ots",".ott",".p12",".p7b",".p7c",".pab",".pages",".pas",".pat",".pcd",".pct",".pdb",".pdd",".pef",".pem",".pfx",".pl",".plc",".pot",".potm",".potx",".ppam",".pps",".ppsm",".ppsx",".pptm",".prf",".ps",".psafe3",".psd",".pspimage",".ptx",".py",".qba",".qbb",".qbm",".qbr",".qbw",".qbx",".qby",".r3d",".raf",".rat",".raw",".rdb",".rm",".rtf",".rw2",".rwl",".rwz",".s3db",".sas7bdat",".say",".sd0",".sda",".sdf",".sldm",".sldx",".sql",".sqlite",".sqlite3",".sqlitedb",".sr2",".srf",".srt",".srw",".st4",".st5",".st6",".st7",".st8",".std",".sti",".stw",".stx",".svg",".swf",".sxc",".sxd",".sxg",".sxi",".sxi",".sxm",".sxw",".tex",".tga",".thm",".tlg",".vob",".war",".wallet",".wav",".wb2",".wmv",".wpd",".wps",".x11",".x3f",".xis",".xla",".xlam",".xlk",".xlm",".xlr",".xlsb",".xlsm",".xlt",".xltm",".xltx",".xlw",".ycbcra",".yuv"
--End file extensions--

The malware avoids encrypting files in the "Windows", "Reference Assemblies\\Microsoft", and "Recycle.bin" folders.

Displayed below is the code snippet used to avoid encrypting files in the folders:

--Begin code--
if (path != Program.sysdir + "Windows" && !path.Contains("Reference Assemblies\\Microsoft") && !path.Contains("Recycle.Bin"))
--End code--

It randomly generates the following keys for encrypting the target files:

--Begin randomly generated keys--
AES key (16 bytes)
AES IV (16 bytes)
Signature key (64 bytes) for SHA256 HMAC key calculation
--End randomly generated keys--

Displayed below is the code snippet for generating the unique keys for a target file:

--Begin key generation--
public static string Encrypt(string plainFilePath, string encryptedFilePath, string manifestFilePath, string rsaKey)
{
   byte[] signatureKey = encc.GenerateRandom(64); ==> HMAC key
   byte[] key = encc.GenerateRandom(16); ==> Rijndael key
   byte[] iv = encc.GenerateRandom(16); ==> Rijndael IV
   encc.EncryptFile(plainFilePath, encryptedFilePath, key, iv, signatureKey, rsaKey);
   return null;
}
--End key generation--

It reads the target file into memory and encrypts it using an AES algorithm in CBC mode with the generated AES keys. The encrypted data from the original file is stored into a newly created file. This file has the same name as the original file, but has an ".encryptedRSA" extension. The ransomware calculates a SHA-256 HMAC of the encrypted data of the file.

The generated keys are encrypted using the RSA public key from the key file. The malware Base64 encodes and prepends the following data in XML format at the beginning of the encrypted file:

--Begin Base64 encoded data--
AES key, encrypted with RSA public key
AES IV, encrypted with RSA public key
SHA-256 HMAC of the encrypted file data
HMAC key, encrypted with RSA public key
--End Base64 encoded data--

Displayed below is the code used to RSA encrypt and Base64 encode the data prepended at the beginning of each encrypted file.

--Begin encrypting and encoding--
byte[] inArray = encc.CalculateSignature(encryptedFilePath, signatureKey);
string text = Convert.ToBase64String(encc.RSAEncryptBytes(key, rsaKey));
string text2 = Convert.ToBase64String(encc.RSAEncryptBytes(iv, rsaKey));
string text3 = Convert.ToBase64String(inArray);
string text4 = Convert.ToBase64String(encc.RSAEncryptBytes(signatureKey, rsaKey));
string str = string.Concat(new object[]
{
   "<MtAeSKeYForFile>",
   encc.sn,
   "<Key>",
   text, ==> Base64 encoded AES key, encrypted with RSA public key with OAEP padding
   "</Key>",
   encc.sn,
   "<IV>",
   text2, ==> Base64 encoded AES IV, encrypted with RSA public key with OAEP padding
   "</IV>",
   encc.sn,
   "<Value>",
   text3, ==> Base64 encoded SHA-256 HMAC of the encrypted file data
   "</Value>",
   encc.sn,
   "<EncryptedKey>",
   text4, ==> Base64 encoded HMAC key, encrypted with RSA public key with OAEP padding
   "</EncryptedKey>",
   encc.sn,
   "<OriginalFileLength>",
   fileInfo.Length, ==> The length of the original file
   "</OriginalFileLength>",
   encc.sn,
   "</MtAeSKeYForFile>"
});
--End encrypting and encoding--
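As an added triage example (not code from the report or from the malware), the following Python parses the <MtAeSKeYForFile> header described above from an .encryptedRSA file and checks the stored SHA-256 HMAC against the ciphertext once the 64-byte HMAC key has been recovered (unwrapping it with the RSA private key is outside the example). It assumes encc.sn is a CRLF line separator and that the ciphertext begins immediately after the closing tag; the wrapped-key fields in the constructed sample are placeholders, not real RSA output.

```python
"""Triage helper for the per-file key header SamSam prepends to each
".encryptedRSA" file. Added example, not code from the MAR or the malware.
ASSUMED: encc.sn is a CRLF line separator and the ciphertext starts right
after </MtAeSKeYForFile>; the report does not state either explicitly."""
import base64
import hashlib
import hmac
import re

HEADER_OPEN = b"<MtAeSKeYForFile>"
HEADER_CLOSE = b"</MtAeSKeYForFile>"
FIELDS = ("Key", "IV", "Value", "EncryptedKey", "OriginalFileLength")
LINE_SEP = "\r\n"  # ASSUMED value of encc.sn


def b64(text: str) -> bytes:
    """Strict Base64 decode; a bad field is a parse error, not silent garbage."""
    return base64.b64decode(text, validate=True)


def parse_header(blob: bytes) -> dict:
    """Split an encrypted file into its decoded header fields and ciphertext body."""
    if not blob.startswith(HEADER_OPEN):
        raise ValueError("missing <MtAeSKeYForFile> header")
    end = blob.find(HEADER_CLOSE)
    if end < 0:
        raise ValueError("unterminated key header")
    header = blob[: end + len(HEADER_CLOSE)].decode("ascii")
    body = blob[end + len(HEADER_CLOSE):]
    raw = {}
    for tag in FIELDS:
        match = re.search(rf"<{tag}>\s*(.*?)\s*</{tag}>", header, re.S)
        if match is None:
            raise ValueError(f"missing <{tag}> element")
        raw[tag] = match.group(1)
    return {
        "enc_aes_key": b64(raw["Key"]),            # AES key, RSA-OAEP wrapped
        "enc_aes_iv": b64(raw["IV"]),              # AES IV, RSA-OAEP wrapped
        "hmac": b64(raw["Value"]),                 # SHA-256 HMAC over the ciphertext
        "enc_hmac_key": b64(raw["EncryptedKey"]),  # 64-byte HMAC key, RSA-OAEP wrapped
        "original_length": int(raw["OriginalFileLength"]),
        "body": body,
    }


def wrapped_key_bits(parsed: dict) -> int:
    """RSA ciphertext is as long as the modulus, so the wrapped AES key
    reveals the size of the attacker's RSA key (256 bytes -> 2048 bits)."""
    return len(parsed["enc_aes_key"]) * 8


def verify_body_hmac(parsed: dict, hmac_key: bytes) -> bool:
    """Check the ciphertext against the stored HMAC with a recovered HMAC key."""
    expected = hmac.new(hmac_key, parsed["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parsed["hmac"])


def build_sample(hmac_key: bytes, body: bytes, original_length: int) -> bytes:
    """CONSTRUCTED test input laid out like the report's string.Concat call.
    The wrapped-key fields hold a 256-byte placeholder, not real RSA output."""
    placeholder = base64.b64encode(bytes(range(256))).decode("ascii")
    tag = hmac.new(hmac_key, body, hashlib.sha256).digest()
    header = LINE_SEP.join([
        "<MtAeSKeYForFile>",
        f"<Key>{placeholder}</Key>",
        f"<IV>{placeholder}</IV>",
        f"<Value>{base64.b64encode(tag).decode('ascii')}</Value>",
        f"<EncryptedKey>{placeholder}</EncryptedKey>",
        f"<OriginalFileLength>{original_length}</OriginalFileLength>",
        "</MtAeSKeYForFile>",
    ])
    return header.encode("ascii") + body


if __name__ == "__main__":
    demo_key = b"\x42" * 64               # CONSTRUCTED HMAC key
    demo_body = bytes(range(256)) * 4     # CONSTRUCTED stand-in for ciphertext
    parsed = parse_header(build_sample(demo_key, demo_body, 1000))
    print("original length:", parsed["original_length"])
    print("RSA key size   :", wrapped_key_bits(parsed), "bits")
    print("HMAC verifies  :", verify_body_hmac(parsed, demo_key))
```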

Following the encryption of the victim’s files, the ransomware executes "selfdel.exe" to delete itself from the system and installs the ransomware note "HELP_DECRYPT_YOUR_FILES.html" onto the victim’s system.

Displayed below is the embedded blog and Bitcoin address for the ransomware note:

--Begin blog and Bitcoin address--
Blog address: "http[:]//union83939k.wordpress.com"
Bitcoin address: 19CbDoaZDLTzkkT1uQrMPM42AUvfQN4Kds
--End blog and Bitcoin address--

7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044

Tags

ransomware, trojan

Details

Name: samsam.exe
Size: 218112 bytes
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 14721036e16587594ad950d4f2db5f27
SHA1: ed1797c282f0817d2ad8f878f8dd50ab062501ac
SHA256: 7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044
SHA512: 4d9e75850713f0bf6892fca8d74f462a5b2c0ccec2ed089fd830b8babcce7aedbd3bcb56e25c81cb6bf285bba9111ef89913d0c665593b2ba8da5f57d9505d32
ssdeep: 3072:gUOsdp01i6vcHV1LI5FLV0pZeZKfOJizjrBnNtRg+ur199JWbk9f7b1v:gzL1i6UHVyLV0poZa1jrD099Qbk9V
Entropy: 6.248108

Antivirus

Ahnlab | Trojan/Win32.Samas
Antiy | Trojan[Ransom]/MSIL.Samas
Avira | TR/Ransom.lhumd
BitDefender | Generic.Ransom.SamSam.B120689A
Cyren | W32/Trojan.HBQK-8340
ESET | a variant of MSIL/Filecoder.AR trojan
Emsisoft | Generic.Ransom.SamSam.B120689A (B)
Ikarus | Trojan-Ransom.SamSam
K7 | Trojan ( 700000121 )
McAfee | Ransomware-SAMAS!14721036E165
Microsoft Security Essentials | Ransom:MSIL/Samas.A
NANOAV | Trojan.Win32.Samas.eajeha
Quick Heal | Trojan.Inject.TL3
Sophos | Troj/RansmSam-A
Symantec | Ransom.SamSam!gen1
Systweak | trojan-spy.filecryptor
TrendMicro | Ransom_.2933F726
TrendMicro House Call | Ransom_.2933F726
Vir.IT eXplorer | Trojan.Win32.Atros3.CWX
VirusBlokAda | Trojan-Ransom.MSIL.Samas
Zillya! | Trojan.Filecoder.Win32.2108

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Packers/Compilers/Cryptors
Microsoft Visual C# v7.0 / Basic .NET

Relationships
7aa585e6fd... Dropped 6245a51e78526c25510d0aa0909576119fdf0244619f670036538063b88f1c21
7aa585e6fd... Dropped 32445c921079aa3e26a376d70ef6550bafeb1f6b0b7037ef152553bb5dad116f
7aa585e6fd... Dropped 97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95
7aa585e6fd... Connected_To union83939k.wordpress.com

Description

This file is a 32-bit Windows .NET compiled executable designed to encrypt victim system files for a ransom payment. This file is a variant of SamSam ransomware. It contains two embedded 32-bit Windows executables in its resource section:

--Begin resource--
"samsam.del.exe" ==> del.exe (SDelete, the Sysinternals secure-delete utility) designed to securely delete files
"samsam.selfdel.exe" ==> selfdel.exe designed to delete the SamSam ransomware from the victim's system
--End resource--

It writes the embedded files to the following paths:

--Begin files installed--
%Currentdirectory%\del.exe
%Currentdirectory%\Selfdel.exe
--End files installed--

This file expects exactly one command-line argument, the path of an input text file, and exits without doing anything if the argument count differs (see the snippet below). The input text file contains an RSA public key in the .NET RSAKeyValue XML format; the exponent AQAB is the Base64 encoding of 0x010001, i.e. 65537:

--Begin RSA public key--
"<RSAKeyValue><Modulus>Base64 encoded RSA public key</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
--End RSA public key--

The input text file was not available for analysis.

Displayed below is the code snippet designed to accept an input text file as the command-line argument:

--Begin command line argument--
private static void Main(string[] args)
{
   if (args.Length != 1)
   {
       return;
   }
   if (!string.IsNullOrEmpty(args[0]))
   {
       Program.publickey = File.ReadAllText(args[0]);
   }
   Program.create_from_resource();
}
--End command line argument--

It searches the drives installed on the victim system for files with the following file extensions:

--Begin file extensions--
"xls",".xlsx",".pdf",".doc",".docx",".ppt",".pptx",".txt",".dwg",".bak",".bkf",".pst",".dbx",".zip",".rar",".mdb",".asp",".aspx",".html",".htm",".dbf",".3dm",".3ds",".3fr",".jar",".3g2",".xml",".png",".tif",".3gp",".java",".jpe",".jpeg",".jpg",".jsp",".php",".3pr",".7z",".ab4",".accdb",".accde",".accdr",".accdt",".ach",".kbx",".acr",".act",".adb",".ads",".agdl",".ai",".ait",".al",".apj",".arw",".asf",".asm",".asx",".avi",".awg",".back",".backup",".backupdb",".pbl",".bank",".bay",".bdb",".bgt",".bik",".bkp",".blend",".bpw",".c",".cdf",".cdr",".cdr3",".cdr4",".cdr5",".cdr6",".cdrw",".cdx",".ce1",".ce2",".cer",".cfp",".cgm",".cib",".class",".cls",".cmt",".cpi",".cpp",".cr2",".craw",".crt",".crw",".phtml",".php5",".cs",".csh",".csl",".tib",".csv",".dac",".db",".db3",".db-journal",".dc2",".dcr",".dcs",".ddd",".ddoc",".ddrw",".dds",".der",".des",".design",".dgc",".djvu",".dng",".dot",".docm",".dotm",".dotx",".drf",".drw",".dtd",".dxb",".dxf",".dxg",".eml",".eps",".erbsql",".erf",".exf",".fdb",".ffd",".fff",".fh",".fmb",".fhd",".fla",".flac",".flv",".fpx",".fxg",".gray",".grey",".gry",".h",".hbk",".hpp",".ibank",".ibd",".ibz",".idx",".iif",".iiq",".incpas",".indd",".kc2",".kdbx",".kdc",".key",".kpdx",".lua",".m",".m4v",".max",".mdc",".mdf",".mef",".mfw",".mmw",".moneywell",".mos",".mov",".mp3",".mp4",".mpg",".mrw",".msg",".myd",".nd",".ndd",".nef",".nk2",".nop",".nrw",".ns2",".ns3",".ns4",".nsd",".nsf",".nsg",".nsh",".nwb",".nx2",".nxl",".nyf",".oab",".obj",".odb",".odc",".odf",".odg",".odm",".odp",".ods",".odt",".oil",".orf",".ost",".otg",".oth",".otp",".ots",".ott",".p12",".p7b",".p7c",".pab",".pages",".pas",".pat",".pcd",".pct",".pdb",".pdd",".pef",".pem",".pfx",".pl",".plc",".pot",".potm",".potx",".ppam",".pps",".ppsm",".ppsx",".pptm",".prf",".ps",".psafe3",".psd",".pspimage",".ptx",".py",".qba",".qbb",".qbm",".qbr",".qbw",".qbx",".qby",".r3d",".raf",".rat",".raw",".rdb",".rm",".rtf",".rw2",".rwl",".rwz",".s3db",".sas7bdat",".say",".sd0",".sda",".sdf",".sldm",".sldx",".sql",".sqlite",".sqlite3",".sqlitedb",".sr2",".srf",".srt",".srw",".st4",".st5",".st6",".st7",".st8",".std",".sti",".stw",".stx",".svg",".swf",".sxc",".sxd",".sxg",".sxi",".sxi",".sxm",".sxw",".tex",".tga",".thm",".tlg",".vob",".war",".wallet",".wav",".wb2",".wmv",".wpd",".wps",".x11",".x3f",".xis",".xla",".xlam",".xlk",".xlm",".xlr",".xlsb",".xlsm",".xlt",".xltm",".xltx",".xlw",".ycbcra",".yuv"
--End file extensions--

The malware avoids encrypting files under the "Windows", "Reference Assemblies\\Microsoft", and "Recycle.Bin" folders. Displayed below is the code snippet used to skip these folders; note that the Windows folder is matched by an exact comparison against Program.sysdir + "Windows", while the other two are matched as substrings anywhere in the path:

--Begin code--
if (path != Program.sysdir + "Windows" && !path.Contains("Reference Assemblies\\Microsoft") && !path.Contains("Recycle.Bin"))
--End code--

It randomly generates the following keys for each target file:

--Begin randomly generated keys--
AES key (16 bytes)
AES IV (16 bytes)
Signature key (64 bytes), used as the key for the HMAC-SHA256 over the ciphertext
--End randomly generated keys--

Displayed below is the code snippet for generating the unique keys for a target file:

--Begin key generation--
public static string Encrypt(string plainFilePath, string encryptedFilePath, string manifestFilePath, string rsaKey)
{
   byte[] signatureKey = encc.GenerateRandom(64); ==> HMAC key
   byte[] key = encc.GenerateRandom(16); ==> Rijndael key
   byte[] iv = encc.GenerateRandom(16); ==> Rijndael IV
   encc.EncryptFile(plainFilePath, encryptedFilePath, key, iv, signatureKey, rsaKey);
   return null;
}
--End key generation--

It reads the target file into memory and encrypts it with AES in CBC mode using the generated key and IV. The ciphertext is written to a newly created file with the same name as the original plus an ".encryptedRSA" extension. The ransomware then computes an HMAC-SHA256 over the encrypted file data using the 64-byte signature key.

The generated keys are encrypted with the RSA public key from the key file. The malware then prepends an XML manifest to the encrypted file containing the following fields:

--Begin Base64 encoded data--
AES key, encrypted with the RSA public key (Base64)
AES IV, encrypted with the RSA public key (Base64)
HMAC-SHA256 of the encrypted file data (Base64)
HMAC key, encrypted with the RSA public key (Base64)
Original file length (decimal, not encoded)
--End Base64 encoded data--

Because every per-file key is RSA-encrypted under the attacker's public key, the manifest gives a defender nothing to recover the file with; only the matching RSA private key unlocks the AES key.

Displayed below is the code used to RSA encrypt and Base64 encode the data prepended at the beginning of each encrypted file.

--Begin encrypting and encoding--
byte[] inArray = encc.CalculateSignature(encryptedFilePath, signatureKey);
string text = Convert.ToBase64String(encc.RSAEncryptBytes(key, rsaKey));
string text2 = Convert.ToBase64String(encc.RSAEncryptBytes(iv, rsaKey));
string text3 = Convert.ToBase64String(inArray);
string text4 = Convert.ToBase64String(encc.RSAEncryptBytes(signatureKey, rsaKey));
string str = string.Concat(new object[]
{
   "<MtAeSKeYForFile>",
   encc.sn,
   "<Key>",
   text, ==> Base64 encoded AES key, encrypted with RSA public key with OAEP padding
   "</Key>",
   encc.sn,
   "<IV>",
   text2, ==> Base64 encoded AES IV, encrypted with RSA public key with OAEP padding
   "</IV>",
   encc.sn,
   "<Value>",
   text3, ==> Base64 encoded SHA-256 HMAC of the encrypted file data
   "</Value>",
   encc.sn,
   "<EncryptedKey>",
   text4, ==> Base64 encoded HMAC key, encrypted with RSA public key with OAEP padding
   "</EncryptedKey>",
   encc.sn,
   "<OriginalFileLength>",
   fileInfo.Length, ==> The length of the original file
   "</OriginalFileLength>",
   encc.sn,
   "</MtAeSKeYForFile>"
});
--End encrypting and encoding--

Following the encryption of the victim's files, the ransomware executes "selfdel.exe" to delete itself from the system and installs the ransomware note "HELP_DECRYPT_YOUR_FILES.html" onto the victim's system.

Displayed below are the blog and Bitcoin addresses embedded in the ransomware note:

--Begin blog and Bitcoin address--
Blog address: "http://union83939k.wordpress.com"
Bitcoin address: 19CbDoaZDLTzkkT1uQrMPM42AUvfQN4Kds
--End blog and Bitcoin address--

union83939k.wordpress.com

URLs
  • http://union83939k.wordpress.com

Whois

The WHOIS and ARIN records below describe the wordpress.com parent domain and Automattic's hosting netblock; they do not identify the operator of the union83939k subdomain.

Domain Name: WORDPRESS.COM
Registry Domain ID: 21242797_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-01-12T22:53:10Z
Creation Date: 2000-03-03T12:13:23Z
Registry Expiry Date: 2020-03-03T12:13:23Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.WORDPRESS.COM
Name Server: NS2.WORDPRESS.COM
Name Server: NS3.WORDPRESS.COM
Name Server: NS4.WORDPRESS.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2018-03-27T18:16:17Z <<<
NetRange:     192.0.64.0 - 192.0.127.255
CIDR:         192.0.64.0/18
NetName:        AUTOMATTIC
NetHandle:     NET-192-0-64-0-1
Parent:         NET192 (NET-192-0-0-0-0)
NetType:        Direct Assignment
OriginAS:     AS2635
Organization: Automattic, Inc (AUTOM-93)
RegDate:        2012-11-20
Updated:        2012-11-20
Ref:            https://whois.arin.net/rest/net/NET-192-0-64-0-1


OrgName:        Automattic, Inc
OrgId:         AUTOM-93
Address:        60 29th Street #343
City:         San Francisco
StateProv:     CA
PostalCode:     94110
Country:        US
RegDate:        2011-10-05
Updated:        2013-11-01
Ref:            https://whois.arin.net/rest/org/AUTOM-93


OrgAbuseHandle: ABUSE3970-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-877-273-8550
OrgAbuseEmail: abuse@automattic.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE3970-ARIN

OrgTechHandle: NOC12276-ARIN
OrgTechName: NOC
OrgTechPhone: +1-877-273-8550
OrgTechEmail: ipadmin@automattic.com
OrgTechRef:    https://whois.arin.net/rest/poc/NOC12276-ARIN

OrgNOCHandle: NOC12276-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-877-273-8550
OrgNOCEmail: ipadmin@automattic.com
OrgNOCRef:    https://whois.arin.net/rest/poc/NOC12276-ARIN

Relationships
union83939k.wordpress.com Connected_From 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac
union83939k.wordpress.com Connected_From 7aa585e6fd0a895c295c4bea2ddb071eed1e5775f437602b577a54eef7f61044

036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050

Tags

dropper, ransomware, trojan

Details
Name: samsam.exe
Size: 218624 bytes
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: fe998080463665412b65850828bce41f
SHA1: 203bb8ec1da6b237a092bab71fa090849c7db9bd
SHA256: 036071786d7db553e2415ec2e71f3967baf51bdc31d0a640aa4afb87d3ce3050
SHA512: 9ade6edde3f063fc935f53366ffc9cb6cf7e17691d22fd2fe107d779da3b61eaed006ef7679b456bc16aca8b686d035f09aaf42bf06fa62b872e0a89046994eb
ssdeep: 3072:bVdp01i6vcHV1LI5FLV0pZeZKfOJizjrBnNtRg+ur199J+n9fCbM:ba1i6UHVyLV0poZa1jrD099on9
Entropy: 6.249304

Antivirus
Ahnlab: Trojan/Win32.Samas
Antiy: Trojan/Win32.SGeneric
Avira: TR/Ransom.lhumd
BitDefender: Generic.Ransom.SamSam.CDB17A36
ClamAV: Win.Trojan.Samas-1
Cyren: W32/SamSam.D.gen!Eldorado
ESET: MSIL/Filecoder.AR trojan
Emsisoft: Generic.Ransom.SamSam.CDB17A36 (B)
Ikarus: Trojan-Ransom.SamSam
K7: Trojan ( 700000121 )
McAfee: Ransomware-SAMAS!FE9980804636
Microsoft Security Essentials: Ransom:MSIL/Samas.A
NANOAV: Trojan.Win32.Ransom.eamenb
NetGate: Trojan.Win32.Malware
Quick Heal: Trojan.Inject.TL3
Sophos: Troj/RansmSam-A
Symantec: Ransom.SamSam!gen1
Systweak: malware.gen-r
TrendMicro: Ransom_.2933F726
TrendMicro House Call: Ransom_.2933F726
Vir.IT eXplorer: Trojan.Win32.MSIL9.BGXA
VirusBlokAda: Trojan-Ransom.MSIL.Samas
Zillya!: Dropper.Agent.Win32.229787

Yara Rules

No matches found.

ssdeep Matches
97 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac

Packers/Compilers/Cryptors
Microsoft Visual C# v7.0 / Basic .NET

Relationships
036071786d... Dropped 6245a51e78526c25510d0aa0909576119fdf0244619f670036538063b88f1c21
036071786d... Dropped 32445c921079aa3e26a376d70ef6550bafeb1f6b0b7037ef152553bb5dad116f
036071786d... Dropped 97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95
036071786d... Connected_To keytwocode.wordpress.com

Description

This file is a 32-bit Windows .NET compiled executable designed to encrypt victim system files for a ransom payment. This file is a variant of SamSam ransomware. It contains two embedded 32-bit Windows executables in its resource section:

--Begin resource--
"samsam.del.exe" ==> del.exe (SDelete, the Sysinternals secure-delete utility) designed to securely delete files
"samsam.selfdel.exe" ==> selfdel.exe designed to delete the SamSam ransomware from the victim's system
--End resource--

It writes the embedded files to the following paths:

--Begin files installed--
%Currentdirectory%\del.exe
%Currentdirectory%\Selfdel.exe
--End files installed--

This file is designed to accept an input text file as the command line argument. The input text file contains an RSA public key in the following format:

--Begin RSA public

Revisions
  • December 3, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: LATEST ALERT

AR18-337B: MAR-10166283.r1.v1 – SamSam2

US-CERT All NCAS Products - Mon, 12/03/2018 - 18:12
Original release date: December 03, 2018
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary

Description

These files are related to SamSam ransomware. SamSam is a variety of ransomware based on the .NET framework.

For a downloadable copy of IOCs, see:

Submitted Files (6)

2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9 (winnetuse.exe)

427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d (ss2.exe)

594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c (ss2.stubbin)

a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb (SORRY-FOR-FILES.html)

bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0 (g04inst.bat)

da9c2ecc88e092e3b8c13c6d1a71b968aa6f705eb5966370f21e306c26cd4fb5 (sdgasfse.dll)

Domains (1)

jcmi5n4c3mvgtyt5.onion

Findings

594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c

Tags

obfuscated, ransomware, trojan

Details
Name: ss2.stubbin
Size: 278032 bytes
Type: data
MD5: 9202651c295369eb01cc7a10cd59adff
SHA1: ff2f511009b2813af9d12c6103206828560869db
SHA256: 594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c
SHA512: 547efea0c2407d1e2949e84fe107820a1efaab2eaddeaf60ceb8f23b53d635b7c86ceadb1e19c07432e51a3609d02f12aca99cb5e23b5d324febb67994f83a9c
ssdeep: 6144:gXNGATWMK0AlJgQpQXFvr0Cn8wyrQ4EeGiEb53fSEnetKA:gjDoWiUFe+NPSEnQH
Entropy: 7.999190

Antivirus
Ahnlab: BinImage/Obfuscated
Antiy: GrayWare/Win32.Presenoker
Cyren: Trojan.FTIO-1
McAfee: Ransomware-SAMAS
Sophos: Troj/Samas-G
TrendMicro: Ransom_.67284F17
TrendMicro House Call: Ransom_.67284F17

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
594b9b42a2... Contains 427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d

Description

This file is an encrypted data file with a ".stubbin" extension. It contains the AES-encrypted SamSam ransomware ss2.exe (1afc39b101a64c61b763fdf07fde1d55). Its entropy of 7.999190 is consistent with the whole file being ciphertext, and it is exactly 16 bytes (one AES block) larger than ss2.exe (278032 versus 278016 bytes), which is what PKCS7 padding adds to a plaintext that is already a multiple of the block size.

427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d

Tags

dropper, ransomware, trojan

Details
Name: ss2.exe
Size: 278016 bytes
Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 1afc39b101a64c61b763fdf07fde1d55
SHA1: 89fe55d2669e6c995b9a0d9ed5d5aa404d20713b
SHA256: 427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
SHA512: 35b066679ce733b0de20b79cb7570570164eb695307cbb96173bd7c4485b62a42e5b67caab8b9373e45b9cd9abe72ab0eb78960256420144b9f609c3734320f0
ssdeep: 1536:VLDPjQejqUjWMuX/28KIGsA/Nu4vlIXa5CjZwEclPcx6KtCNvmuxOfgQBAMyOk3t:V3Mexh8KIXAV9vOX6mz6ylgr
Entropy: 4.757791

Antivirus
Avira: TR/Dropper.MSIL.Gen
BitDefender: Generic.Ransom.SamSam.82D17683
ClamAV: Win.Ransomware.Samsam-6425958-0
ESET: a variant of MSIL/Filecoder.Samas.B trojan
Emsisoft: Generic.Ransom.SamSam.82D17683 (B)
Ikarus: Trojan-Ransom.Samas
McAfee: Trojan-FNEY!1AFC39B101A6
Sophos: Troj/Samas-L
Symantec: Ransom.SamSam

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
427091e188... Contained_Within 594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c
427091e188... Downloaded a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb

Description

This file is a 32-bit Windows .NET compiled executable designed to encrypt victim system files for a ransom payment. This file is a variant of SamSam ransomware.

The ransomware accepts the following three arguments at runtime; they match the %path%, %totalprice% and %priceperhost% fields of the g04inst.bat command line described later in this report:

--Begin arguments--
"nonpenetrable"
"6"
"0.8"
--End arguments--

When executed, it searches %CurrentDirectory% for a key file with a ".keyxml" extension and, if one is present, loads it. The key file contains an RSA public key in the .NET RSAKeyValue XML format:

--Begin RSA public key--
"<RSAKeyValue><Modulus>Base64 encoded RSA public key</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
--End RSA public key--

The key file was not available for analysis.

The ransomware searches for files to encrypt on all drives installed on the victim's system. It skips files whose names, extensions, or paths contain the following strings (the list includes g04inst.bat, the batch launcher described later in this report, so the malware does not encrypt its own launcher):

--Begin files--
"desktop.ini"
"g04inst.bat"
"ntuser.dat"
"search-ms"
".search-ms"
".exe"
".msi"
".lnk"
".wim"
".scf"
"microsoft\\windows"
"appdata"
".ini"
".sys"
".dll"
--End files--

It randomly generates the following keys for each target file:

--Begin randomly generated keys--
AES key (16 bytes)
AES IV (16 bytes)
Signature key (64 bytes), used as the key for the HMAC-SHA256 over the ciphertext
--End randomly generated keys--

Displayed below is the code snippet for generating unique keys for each target file.

--Begin key generation--
public static string myff1(string plainFilePath, string encryptedFilePath, string manifestFilePath, string rsaKey)
{
   byte[] signatureKey = encc.GenerateRandom(64); ==> HMAC key
   byte[] key = encc.GenerateRandom(16); ==> Rijndael key
   byte[] iv = encc.GenerateRandom(16); ==> Rijndael IV
   encc.EncryptFile(plainFilePath, encryptedFilePath, key, iv, signatureKey, rsaKey);
   return null;
}
--End key generation--

The malware reads the target file into memory and encrypts it with AES in CBC mode using the generated key and IV. The ciphertext is written to a newly created file with the same name as the original plus a ".weapologize" extension. The ransomware computes an HMAC-SHA256 over the encrypted file data, encrypts the generated keys with the RSA public key from the key file, and prepends an XML manifest to the encrypted file containing the following fields:

--Begin base64 encoded data--
AES key, encrypted with the RSA public key (Base64)
AES IV, encrypted with the RSA public key (Base64)
HMAC-SHA256 of the encrypted file data (Base64)
HMAC key, encrypted with the RSA public key (Base64)
Original file length (decimal, not encoded)
--End base64 encoded data--

Displayed below is the code used to RSA encrypt and Base64 encode the data prepended at the beginning of each encrypted file. The element names are obfuscated, but the layout matches the <MtAeSKeYForFile> manifest of the earlier variant; note that in this snippet the <AAAAA> element, which sits in the position of the HMAC field, holds a hard-coded Base64 string rather than a computed value:

--Begin encrypting and encoding--
string text = Convert.ToBase64String(encc.RSAEncryptBytes(key, rsaKey));
string text2 = Convert.ToBase64String(encc.RSAEncryptBytes(iv, rsaKey));
string text3 = Convert.ToBase64String(encc.RSAEncryptBytes(signatureKey, rsaKey));
byte[] bytesFromString = encc.GetBytesFromString(string.Concat(new object[]
{
"<AAAAAAAAAAAAAAAAAAAAA>",
encc.nnnlllll,
"<AAA>",
text,
"</AAA>",
encc.nnnlllll,
"<AA>",
text2,
"</AA>",
encc.nnnlllll,
"<AAAAA>xPN1oBWSqfQgInnB6ydF204jiHN/uqljySnn1fkhqUk=</AAAAA>",
encc.nnnlllll,
"<AAAAAAAAAAAA>",
text3,
"</AAAAAAAAAAAA>",
encc.nnnlllll,
"<AAAAAAAAAAAAAAAAAA>",
fileInfo.Length,
"</AAAAAAAAAAAAAAAAAA>",
encc.nnnlllll,
"</AAAAAAAAAAAAAAAAAAAAA>"
}));
--End encrypting and encoding--
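As an added example (not code from the report or from the malware), the following Go program parses the manifest that both builds prepend to an encrypted file, using the element names from the two snippets: <MtAeSKeYForFile> with <Key>, <IV>, <Value>, <EncryptedKey> and <OriginalFileLength> for the ".encryptedRSA" build, and the obfuscated <AAAAAAAAAAAAAAAAAAAAA> layout for this ".weapologize" build. It reports the RSA modulus size (an RSA-OAEP ciphertext is exactly one modulus long), checks that the HMAC field is 32 bytes, and locates the start of the AES ciphertext. Three things are assumptions the report does not state: the separators encc.sn / encc.nnnlllll are CRLF, the ciphertext begins immediately after the closing root element, and the AES-CBC ciphertext is PKCS7-padded (the .NET default), which is what the padding consistency check relies on. The file it parses in main is constructed filler, not a real artifact.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// TagSet names the manifest elements of one SamSam build. Both sets come from
// the report's snippets; ".weapologize" keeps the layout behind obfuscated names.
type TagSet struct{ Root, Key, IV, HMAC, HMACKey, Length string }

var tagSets = map[string]TagSet{
	".encryptedRSA": {"MtAeSKeYForFile", "Key", "IV", "Value", "EncryptedKey", "OriginalFileLength"},
	".weapologize":  {"AAAAAAAAAAAAAAAAAAAAA", "AAA", "AA", "AAAAA", "AAAAAAAAAAAA", "AAAAAAAAAAAAAAAAAA"},
}

// Manifest is what ParseManifest recovers from the head of an encrypted file.
type Manifest struct {
	Variant          string
	RSAModulusBits   int // an RSA-OAEP ciphertext is exactly one modulus long
	HMACLen          int // 32 for an HMAC-SHA256 tag
	OriginalLength   int
	CiphertextOffset int
	CiphertextLen    int
	PaddingOK        bool // assumes AES-CBC with PKCS7 padding (the .NET default)
}

// elem returns the trimmed text between <name> and </name> in hdr, or "".
func elem(hdr []byte, name string) string {
	q := regexp.QuoteMeta(name)
	if m := regexp.MustCompile(`(?s)<` + q + `>(.*?)</` + q + `>`).FindSubmatch(hdr); m != nil {
		return strings.TrimSpace(string(m[1]))
	}
	return ""
}

// b64elem decodes a Base64 element; nil means it is missing or malformed.
func b64elem(hdr []byte, name string) []byte {
	if b, err := base64.StdEncoding.DecodeString(elem(hdr, name)); err == nil && len(b) > 0 {
		return b
	}
	return nil
}

// ParseManifest identifies the build from the root element at offset 0 and
// reports the decoded field sizes and where the AES ciphertext starts.
func ParseManifest(data []byte) (Manifest, error) {
	for variant, t := range tagSets {
		closeTag := []byte("</" + t.Root + ">")
		if !bytes.HasPrefix(data, []byte("<"+t.Root+">")) {
			continue
		}
		end := bytes.Index(data, closeTag)
		if end < 0 {
			return Manifest{}, fmt.Errorf("%s: root element is never closed", variant)
		}
		hdr := data[:end+len(closeTag)]
		key, iv, mac, macKey := b64elem(hdr, t.Key), b64elem(hdr, t.IV), b64elem(hdr, t.HMAC), b64elem(hdr, t.HMACKey)
		origLen, err := strconv.Atoi(elem(hdr, t.Length))
		if err != nil || key == nil || iv == nil || mac == nil || macKey == nil {
			return Manifest{}, fmt.Errorf("%s: manifest has missing or undecodable elements", variant)
		}
		ctLen := len(data) - len(hdr)
		return Manifest{
			Variant:          variant,
			RSAModulusBits:   len(key) * 8,
			HMACLen:          len(mac),
			OriginalLength:   origLen,
			CiphertextOffset: len(hdr),
			CiphertextLen:    ctLen,
			PaddingOK:        ctLen == (origLen/16+1)*16,
		}, nil
	}
	return Manifest{}, fmt.Errorf("no SamSam manifest root element at offset 0")
}

// BuildSample constructs a synthetic encrypted file for offline testing; the RSA
// blobs and the trailing ciphertext are deterministic filler, not real output.
func BuildSample(variant string, plaintextLen, modulusBytes int) []byte {
	t := tagSets[variant]
	blob := func(n int, fill byte) string { return base64.StdEncoding.EncodeToString(bytes.Repeat([]byte{fill}, n)) }
	// Assumption: encc.sn / encc.nnnlllll is a CRLF separator between elements.
	out := []byte(fmt.Sprintf("<%[1]s>\r\n<%[2]s>%[7]s</%[2]s>\r\n<%[3]s>%[8]s</%[3]s>\r\n<%[4]s>%[9]s</%[4]s>\r\n<%[5]s>%[10]s</%[5]s>\r\n<%[6]s>%[11]d</%[6]s>\r\n</%[1]s>",
		t.Root, t.Key, t.IV, t.HMAC, t.HMACKey, t.Length,
		blob(modulusBytes, 1), blob(modulusBytes, 2), blob(32, 3), blob(modulusBytes, 4), plaintextLen))
	for i := 0; i < (plaintextLen/16+1)*16; i++ {
		out = append(out, byte(7*i)) // stand-in for the AES-CBC ciphertext
	}
	return out
}

func main() {
	m, err := ParseManifest(BuildSample(".encryptedRSA", 37, 256))
	fmt.Printf("%+v err=%v\n", m, err)
}
```

On a real ".encryptedRSA" or ".weapologize" file, read the file into a byte slice and pass it to ParseManifest. A modulus size that differs between files, or an HMAC field that is not 32 bytes, points to a different build or a damaged file; a false PaddingOK means either the file was truncated or the padding assumption does not hold for that build. Nothing in the manifest is usable key material: every blob is RSA-encrypted, so the file is recoverable only with the attacker's private key.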

Following encryption, the original files are deleted. The ransomware note is stored inside the malware DES-encrypted and Base64-encoded; displayed below are the hard-coded DES key and IV used to decrypt it. An 8-byte key with a separate 8-byte IV indicates single DES in a chained mode such as CBC; the report does not state the mode or padding.

--Begin DES key and IV--
DES KEY: 61 58 62 32 75 79 34 7A (aXb2uy4z)
IV: 0C 15 2B 11 39 23 43 1B
--End DES key and IV--

It writes the ransomware note "SORRY-FOR-FILES.html" to the victim system. It then kills every running process whose file name contains "sql", so that database files held open by those processes can be encrypted.

a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb

Details
Name: SORRY-FOR-FILES.html
Size: 3547 bytes
Type: HTML document, ASCII text, with very long lines, with no line terminators
MD5: 074e52525d5ec2b2af8675477180b5f0
SHA1: 631e5f4b9a3ba6855dd93dbdccb416337560491d
SHA256: a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb
SHA512: 16d5cab293ffe44a8bfe247fc8f60167741d4a44cb12542b378cf26b689abcff95065ab44e4725b2ab3e85295925faa695bce1159d06211c1bf971d437398414
ssdeep: 96:2RPS2X4/vpRMdu4JW4Qy06pZu42yNSSa/kZLCXWQJxZEzQx:GulKuwscsR5
Entropy: 4.871033

Antivirus

No matches found.

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List
Process       PID   PPID
lsass.exe     468   (384)
iexplore.exe  2628  (2332)
explorer.exe  1412  (1368)

Relationships
a660cc6155... Downloaded_By 427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
a660cc6155... Contains jcmi5n4c3mvgtyt5.onion

Description

This file is the ransom note displayed to the victim. It contains the ransom payment information and instructions for obtaining the RSA private key needed to recover the encrypted files. Displayed below are the blog and Bitcoin addresses embedded in the ransomware note:

--Begin blog and Bitcoin addresses--
blog address: "http://jcmi5n4c3mvgtyt5.onion/"
Bitcoin address: "1HbJu2kL4xDNK1L9YUDkJnqh3yiC119YM2"
--End blog and Bitcoin addresses--

Screenshots

Figure 1 - Screenshot of the ransom note

2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9

Tags

ransomware, trojan

Details
Name: winnetuse.exe
Size: 239104 bytes
Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 5b168ad87a0de81c443656cc144df29a
SHA1: c3cf36abda1463dbe81dc7a7283c6a089c922071
SHA256: 2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9
SHA512: 853eec13cba76de73361f1fb1e18d11ce3c1b9496f5e093d3050283643f569b659a5931b2092d8302cc8cfbfb69e4a6241461eed4c8931879818c4280af025cf
ssdeep: 1536:YM84wQNIdSpfYy1wDcCxqwDcCxqwDcCxqwDcCxqwDcCxqwDcCxWAAPtR8XKvfOxx:R2dHD3DD3DD3DD3DD3DD3v
Entropy: 5.041215

Antivirus
Ahnlab: Trojan/Win32.Occamy
Antiy: Trojan/Win32.TSGeneric
BitDefender: Gen:Variant.Razy.275811
ClamAV: Win.Ransomware.Samsam-6482587-0
Cyren: W32/Trojan.KJIQ-4456
ESET: a variant of MSIL/Runner.J trojan
Emsisoft: Gen:Variant.Razy.275811 (B)
Ikarus: Trojan.SuspectCRC
K7: Riskware ( 0040eff71 )
McAfee: RDN/Generic.dx
Microsoft Security Essentials: Ransom:MSIL/Samas.D
NANOAV: Trojan.Win32.Crypt.falsxr
NetGate: Trojan.Win32.Malware
Quick Heal: Trojan.YakbeexMSIL.ZZ4
Sophos: Mal/Kryptik-BV
Symantec: Trojan Horse
TrendMicro: TROJ_FR.5CBB1CDE
TrendMicro House Call: TROJ_FR.5CBB1CDE
Zillya!: Trojan.Crypt.Win32.42586

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Packers/Compilers/Cryptors
Microsoft Visual C# v7.0 / Basic .NET

Relationships
2b06d2abc8... Related_To bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0

Description

This file is a 32-bit Windows .NET compiled executable designed to locate and load the encrypted data file ss2.stubbin (9202651c295369eb01cc7a10cd59adff) on the victim's system. If ss2.stubbin exists, it uses the Rijndael implementation in the class library ClassLibrary1.dll to decrypt it, then deletes the encrypted data file after decryption.

bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0

Tags

trojan

Details
Name: g04inst.bat
Size: 267 bytes
Type: ASCII text, with CRLF line terminators
MD5: 62e21431e87e8a21cf06319da7438f11
SHA1: a4708853f4a7e4e242a236a433e9b5e8593f1090
SHA256: bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0
SHA512: f2f60c6eb6d96c025a34eb58e175866e15a806f9ec805793676cc60ede00dbfd55b9ade816c6148235e4fc34c4c412d91ae873d324032f1dbd17b09a7a539233
ssdeep: 6:JF1ZzANc4PgXsoFDVlAVyXHI+CIwZALICLA9X/1y/W:L1Jsc4PSJFDyyXo+Bb0L/1gW
Entropy: 4.884702

Antivirus
McAfee: BAT/Starter.h
Microsoft Security Essentials: Ransom:BAT/Samas
Sophos: Troj/RansRun-A
Symantec: Trojan.Malscript

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
bc53f513df... Related_To 2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9

Description

This file is a batch file designed to execute winnetuse.exe (5b168ad87a0de81c443656cc144df29a) with predefined arguments. Displayed below are the argument format and the sample command line; the last three values match the runtime arguments of ss2.exe listed earlier in this report:

--Begin arguments--
Format: %myrunner% %password% %path% %totalprice% %priceperhost%
Sample: winnetuse.exe nvWvlIHNSzASiWhnMWCR nonpenetrable 6 0.8
--End arguments--

da9c2ecc88e092e3b8c13c6d1a71b968aa6f705eb5966370f21e306c26cd4fb5

Tags

ransomware, trojan

Details
Name: sdgasfse.dll
Size: 5632 bytes
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: f702153b68628eff973abb2912af0d22
SHA1: 138c3aae51e67db0c4134affae428fe91c0d1686
SHA256: da9c2ecc88e092e3b8c13c6d1a71b968aa6f705eb5966370f21e306c26cd4fb5
SHA512: 7b5c3a6dcc30225874b70e9aa5df803d7796322e5c6654b0ace265b95b0134035384e113112a7a17b09e24dbceb71a22867424cfc1c660ec2ebb605583980dcd
ssdeep: 48:6/mWW45Rekl3tpEE4ln0LT8wVMM4W8i02+KU4AeyuNew0cxdn5Mla5GQ6bwN8ah:gBv3Z8we5i0/4Ae+2gMrG
Entropy: 3.968484

Antivirus
Ahnlab: Trojan/Win32.Samas
Antiy: Trojan/Win32.AGeneric
Avira: TR/Ransom.hlwsr
BitDefender: Trojan.GenericKD.30548303
ClamAV: Win.Ransomware.Samsam-6482588-0
Cyren: W32/Trojan.USJT-3730
ESET: a variant of MSIL/Runner.N trojan
Emsisoft: Trojan.GenericKD.30548303 (B)
Ikarus: Ransom.MSIL.Samas
K7: Riskware ( 0040eff71 )
McAfee: RDN/Generic.dx
Microsoft Security Essentials: Ransom:MSIL/Samas.D
NANOAV: Trojan.Win32.Ransom.ffqmxt
Sophos: Troj/Samas-F
Symantec: Ransom.SamSam
Systweak: trojan-spy.samas
TrendMicro: TROJ_SAMAS.B
TrendMicro House Call: TROJ_SAMAS.B
Zillya!: Trojan.GenericKD.Win32.128339

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2018-03-06 11:43:39-05:00
Import Hash: dae02f32a21e03ce65412f6e56942daa
Company Name: jkg kdjfhg dfkgdjf k,hh k
File Description: skudfkjg sjdfbsk hfkusdh fkjh
Internal Name: sdgasfse.dll
Legal Copyright: hdf kjdfhgfk dhfkjhkh
Original Filename: sdgasfse.dll
Product Name: kh vkjhd dfgk ghdfkjhkj
Product Version: 9.7.1.2

PE Sections
MD5                               Name    Raw Size  Entropy
b85b73ffa6d2bc4679ee6ece174a93b1  header  512       2.535489
12fe3b15c663fe9ed9480c352f9bded3  .text   3072      5.048626
9cf5eb0ba3d939001e41a98351a45be5  .rsrc   1536      2.577418
8ef9498de2781e9f674c2727ab3546c6  .reloc  512       0.081539

Description

This file is a .NET class library module designed to decrypt the encrypted data file with the ".stubbin" extension using the Rijndael algorithm. Its version-information strings (company name, file description, copyright, product name) are random keyboard strings rather than a plausible vendor identity. Displayed below are the 32-byte key (Rijndael with a 32-byte key and a 16-byte block is AES-256) and the 16-byte initialization vector used for decryption, each shown as the assigned identifier followed by its byte value; note that the first eight bytes of the IV repeat bytes 9 through 16 of the key.

--Begin key--
rijndael.Key = hdfgkhioiugyfyghdseertdfygu ==> 7E 7C C0 90 0A E8 7C 3B F1 38 6C 9E 7E 89 B8 29 10 76 C1 E4 FF 6C A3 F8 42 2B 9F 8C 83 7F AC FE
rijndael.IV = ghtrfdfdewsdfgtyhgjgghfdg ==> F1 38 6C 9E 7E 89 B8 29 C3 93 32 02 C5 A0 08 10
--End key--
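The two hard-coded symmetric keys in this report, the DES key and IV for the ransom note carried in ss2.exe and the Rijndael key and IV above that sdgasfse.dll applies to ss2.stubbin, can be exercised with one small Go program. It is an added example, not code from the report or from the malware. It assumes CBC mode with PKCS7 padding, which is the .NET default for DESCryptoServiceProvider and RijndaelManaged but is not stated in the report, and it builds its own test inputs under the same keys because the real ransom-note blob is not reproduced here. The 16-byte size difference between ss2.stubbin (278032 bytes) and ss2.exe (278016 bytes) is exactly one block of PKCS7 padding on a plaintext that is already a multiple of 16, which is what the AES path expects.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"fmt"
)

// Key material listed in the report. The mode and padding are assumptions:
// .NET's DESCryptoServiceProvider and RijndaelManaged default to CBC with
// PKCS7, but the report states only "DES" and "Rijndael" with these values.
var (
	noteKey = []byte("aXb2uy4z") // 61 58 62 32 75 79 34 7A
	noteIV  = []byte{0x0C, 0x15, 0x2B, 0x11, 0x39, 0x23, 0x43, 0x1B}
	// 32-byte key with a 16-byte block: Rijndael here is AES-256.
	stubbinKey = []byte{
		0x7E, 0x7C, 0xC0, 0x90, 0x0A, 0xE8, 0x7C, 0x3B, 0xF1, 0x38, 0x6C, 0x9E, 0x7E, 0x89, 0xB8, 0x29,
		0x10, 0x76, 0xC1, 0xE4, 0xFF, 0x6C, 0xA3, 0xF8, 0x42, 0x2B, 0x9F, 0x8C, 0x83, 0x7F, 0xAC, 0xFE,
	}
	stubbinIV = []byte{0xF1, 0x38, 0x6C, 0x9E, 0x7E, 0x89, 0xB8, 0x29, 0xC3, 0x93, 0x32, 0x02, 0xC5, 0xA0, 0x08, 0x10}
)

// pkcs7Unpad strips PKCS7 padding and rejects anything malformed, which is
// also how a truncated container or a wrong key shows up.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, fmt.Errorf("plaintext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad PKCS7 padding")
	}
	return b[:len(b)-n], nil
}

// decryptCBC is the shared CBC-decrypt-then-unpad step for both ciphers.
func decryptCBC(block cipher.Block, iv, ct []byte) ([]byte, error) {
	bs := block.BlockSize()
	if len(ct) == 0 || len(ct)%bs != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), bs)
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, bs)
}

// DecryptNote recovers the ransom-note text from the Base64/DES blob in ss2.exe.
func DecryptNote(b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	block, _ := des.NewCipher(noteKey) // fixed 8-byte key, so no error is possible
	pt, err := decryptCBC(block, noteIV, ct)
	return string(pt), err
}

// DecryptStubbin recovers ss2.exe from a ".stubbin" container.
func DecryptStubbin(ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(stubbinKey) // fixed 32-byte key: AES-256
	return decryptCBC(block, stubbinIV, ct)
}

// IsPE reports whether a payload starts with the "MZ" DOS header, the first
// sanity check to run on DecryptStubbin output (ss2.exe is a PE32 file).
func IsPE(b []byte) bool { return len(b) >= 2 && b[0] == 'M' && b[1] == 'Z' }

// encryptCBC produces constructed test inputs under the same key and IV; it is
// not how the real artifacts were made.
func encryptCBC(block cipher.Block, iv, pt []byte) []byte {
	n := block.BlockSize() - len(pt)%block.BlockSize()
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}

// SampleNoteBlob and SampleStubbin are constructed stand-ins for the real blob
// and container: a short note string and a 48-byte "MZ"-prefixed payload.
func SampleNoteBlob() string {
	block, _ := des.NewCipher(noteKey)
	return base64.StdEncoding.EncodeToString(encryptCBC(block, noteIV, []byte("constructed ransom note text")))
}

func SampleStubbin() []byte {
	block, _ := aes.NewCipher(stubbinKey)
	return encryptCBC(block, stubbinIV, append([]byte("MZ"), bytes.Repeat([]byte{0x90}, 46)...))
}

func main() {
	note, err := DecryptNote(SampleNoteBlob())
	fmt.Printf("note: %q err=%v\n", note, err)
	pe, err := DecryptStubbin(SampleStubbin())
	fmt.Printf("stubbin: %d bytes, PE header %v, err=%v\n", len(pe), IsPE(pe), err)
}
```

To run this against the real container, read ss2.stubbin into a byte slice and pass it to DecryptStubbin; IsPE on the result is the first sanity check, and a padding error means either a truncated file or that the CBC/PKCS7 assumption does not hold for this build. The DES path works without third-party packages because crypto/des still ships in Go's standard library.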

jcmi5n4c3mvgtyt5.onion

URLs
  • http://jcmi5n4c3mvgtyt5.onion/

Relationships
jcmi5n4c3mvgtyt5.onion Contained_Within a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb

Description

The domain was identified in the ransom note.

Relationship Summary
594b9b42a2... Contains 427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
427091e188... Contained_Within 594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c
427091e188... Downloaded a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb
a660cc6155... Downloaded_By 427091e1888c2bf1f2e11a1010b3ab6c8634eda4ddc34d37202d401fbaa8989d
a660cc6155... Contains jcmi5n4c3mvgtyt5.onion
2b06d2abc8... Related_To bc53f513df363dd999ac855b53831b3b31ac5516a4bf8f324489710cf06955f0
bc53f513df... Related_To 2b06d2abc87f51aa7b8451da16270003ceba57184b0dd5f244670873409c75b9
jcmi5n4c3mvgtyt5.onion Contained_Within a660cc6155b307c0957c4c6ea119a295a852d28097196d85f00f5517944a3dcb

Recommendations

NCCIC would like to remind users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate ACLs.

Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, Guide to Malware Incident Prevention & Handling for Desktops and Laptops.

Contact Information

NCCIC continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the NCCIC at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to NCCIC? Malware samples can be submitted via three methods:

NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov.

Revisions
  • December 3, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: LATEST ALERT

AR18-337A: MAR-10219351.r1.v2 – SamSam1

US-CERT All NCAS Products - Mon, 12/03/2018 - 17:45
Original release date: December 03, 2018
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary

Description

Two (2) artifacts were submitted for analysis. The analysis indicates that these files are ransomware.

For a downloadable copy of IOCs, see:

Submitted Files (2)

5d65ebdde1aef8f23114f95454287e7410965288f144d880ece2a2b8c3128645 (prelecturedexe.exe)

d8d919d884b86e4d5977598bc9d637ed53e21d5964629d0427077e08ddbcba68 (proteusdlll.dll)

Findings

5d65ebdde1aef8f23114f95454287e7410965288f144d880ece2a2b8c3128645

Tags

ransomware, trojan

Details

Name: prelecturedexe.exe
Size: 1024512 bytes
Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 222d7fde37ae344824a97087d473cdcd
SHA1: 90205a2761ed7ac3b188230786ec2bebd30effba
SHA256: 5d65ebdde1aef8f23114f95454287e7410965288f144d880ece2a2b8c3128645
SHA512: 177f25c2e454b5366719a5536e25dbf16ab5cb01b1886b18ea1477671651191cbf663cf1754990c618be1d7c36bf523aaac8528d94a1d49583213dc8a0dee98a
ssdeep: 24576:PLvqxk7+y/4NmWPWKrbE6qqE56Hglx8zudJhTyGwcKe:+
Entropy: 4.695794

Antivirus

Ahnlab: Trojan/Win32.MSILKrypt
Antiy: Trojan/Win32.Dynamer
Avira: TR/Runner.egvkh
BitDefender: Gen:Variant.Kazy.368437
Cyren: W32/Trojan.XCIK-1629
ESET: a variant of MSIL/Runner.N trojan
Emsisoft: Gen:Variant.Kazy.368437 (B)
Ikarus: Trojan.MSIL.Runner
K7: Trojan ( 0053adaa1 )
McAfee: Generic.dyp
Microsoft Security Essentials: Trojan:MSIL/Runner
Quick Heal: Trojan.IGENERIC
Sophos: Mal/Kryptik-BV
Symantec: Trojan.Gen.2
Zillya!: Trojan.Runner.Win32.876

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date: 2018-09-16 03:31:51-04:00
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

PE Sections

MD5 | Name | Raw Size | Entropy
5e1317af9956be12deebdea49aae14f5 | header | 512 | 2.723403
124120a6b861fdfff756e19a77a53e05 | .text | 1020928 | 4.695157
8a2d72fec9d2535440e0f83b59253f2b | .rsrc | 2560 | 3.722300
b227291feae10a83e762c2bc9d959a7f | .reloc | 512 | 0.101910

Packers/Compilers/Cryptors

Microsoft Visual C# v7.0 / Basic .NET

Process List

Process | PID | PPID
lsass.exe | 488 | 388
5d65ebdde1aef8f23114f95454287e7410965288f144d880ece2a2b8c3128645.exe | 1976 | 2556
dw20.exe | 1936 | 1976

Relationships

5d65ebdde1... Related_To d8d919d884b86e4d5977598bc9d637ed53e21d5964629d0427077e08ddbcba68

Description

This file is a 32-bit Windows executable. The file has been identified as ransomware written in C Sharp (C#). It contains a namespace named "prelecturedexe" and a class named "Program."

This ransomware is invoked using the following command-line format:

-- Begin command format --

prelecturedexe.exe <argv0> <argv1> <argv2> <argv3>

-- End command format --

Execution quits if four arguments are not supplied.

This ransomware uses Advanced Encryption Standard (AES) encryption. When executed, it uses the command-line argument <argv0> as a component of the AES Rijndael key and initialization vector (IV). <argv1>, <argv2>, and <argv3> are the files and directories to be encrypted or decrypted.

It reads a file matching "*.nike2018" in the directory where the executable resides. If no "*.nike2018" file exists, execution quits. It deletes the "*.nike2018" file after reading its content.

d8d919d884b86e4d5977598bc9d637ed53e21d5964629d0427077e08ddbcba68

Tags

ransomware, trojan

Details

Name: proteusdlll.dll
Size: 409600 bytes
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: fe3ae84a8defc809e734bbd0736f82de
SHA1: 04a2ea4c78f78d628800c0a5cb9547a0c0b14378
SHA256: d8d919d884b86e4d5977598bc9d637ed53e21d5964629d0427077e08ddbcba68
SHA512: 9cb6ddb8a0b9329fe08fcf8a02d45c43222432d6e145f55deacb019f772970513d3ddfa589a002c0abf190fa8712d41e08aab51836685aed9bf30d118ea00a5e
ssdeep: 3072:Sa6J+OIazQ94ZPaqa7YHmIZwUSToQemTIC6:A+OIa094ZPRakH/+USE
Entropy: 4.645654

Antivirus

Ahnlab: Trojan/Win32.MSILKrypt
Antiy: Trojan/MSIL.Runner
Avira: TR/Runner.pjtvf
BitDefender: Gen:Variant.Ursu.265937
ClamAV: Win.Ransomware.Samsam-6482588-0
Cyren: W32/Trojan.NADV-8499
ESET: a variant of MSIL/Runner.N trojan
Emsisoft: Gen:Variant.Ursu.265937 (B)
Ikarus: Trojan.MSIL.Runner
K7: Trojan ( 0053adaa1 )
McAfee: RDN/Generic.dx
Microsoft Security Essentials: Trojan:MSIL/Runner
Quick Heal: Trojan.IGENERIC
Sophos: Troj/Kryptik-IS
Symantec: Trojan.Gen.2
Zillya!: Trojan.Runner.Win32.880

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date: 2018-09-16 03:31:51-04:00
Import Hash: dae02f32a21e03ce65412f6e56942daa

PE Sections

MD5 | Name | Raw Size | Entropy
397b763d106b2f347c5a563922273551 | header | 512 | 2.714618
ad25e96cae2016331129ec4643535822 | .text | 406528 | 4.650477
01784b876d14b1384491318f8fce07d5 | .rsrc | 2048 | 2.987471
816849886aa28e56db0cd065fae38897 | .reloc | 512 | 0.101910

Packers/Compilers/Cryptors

Microsoft Visual C# / Basic .NET

Process List

Process | PID | PPID
lsass.exe | 488 | 384
rundll32.exe | 3028 | 2984

Relationships

d8d919d884... Related_To 5d65ebdde1aef8f23114f95454287e7410965288f144d880ece2a2b8c3128645

Description

This dynamic link library (DLL) contains functions used by the ransomware "prelecturedexe.exe" (222d7fde37ae344824a97087d473cdcd).

It contains a namespace named "proteusdlll" and a class named "Class1."

It contains functions to generate the AES Rijndael key and IV, a function to create the Rijndael decryptor, and a function to encrypt or decrypt the victim's files.

The AES Rijndael key and IV are generated from the following predefined bytes and the first command-line argument <argv0>.

-- Begin predefined bytes to generate Rijndael Key and IV --

0x49
0x76
0x61
0x6E
0x20
0x4D
0x65
0x64
0x76
0x65
0x64
0x65
0x76

-- End predefined bytes to generate Rijndael Key and IV --
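The two file descriptions above give a defender a small set of host indicators: the submitted files' hashes and names, the "*.nike2018" helper file the executable reads, the .NET namespaces "prelecturedexe" and "proteusdlll", and the predefined key bytes (which decode as the ASCII string "Ivan Medvedev"). The following triage scanner is an added example, not code from this report or from the analysed samples; it walks a directory for those indicators, and the sample tree it builds is constructed so it runs offline and contains no malware.

```python
"""Triage scan for the SamSam artifacts described in MAR-10219351.r1.v2.

Added example; not code from the US-CERT report. Walks a directory and
reports files matching the report's indicators: SHA-256 hashes, file
names, the "*.nike2018" helper file, and (for files starting with the
PE "MZ" signature) the .NET namespace strings and predefined key bytes.
"""
import hashlib
import os
import tempfile

# Indicators copied from the report.
KNOWN_SHA256 = {
    "5d65ebdde1aef8f23114f95454287e7410965288f144d880ece2a2b8c3128645": "prelecturedexe.exe",
    "d8d919d884b86e4d5977598bc9d637ed53e21d5964629d0427077e08ddbcba68": "proteusdlll.dll",
}
KNOWN_NAMES = {"prelecturedexe.exe", "proteusdlll.dll"}
HELPER_SUFFIX = ".nike2018"
# The report's predefined Rijndael key/IV bytes; they spell "Ivan Medvedev".
PREDEFINED_KEY_BYTES = bytes([0x49, 0x76, 0x61, 0x6E, 0x20, 0x4D, 0x65,
                              0x64, 0x76, 0x65, 0x64, 0x65, 0x76])
PE_STRINGS = {
    "namespace:prelecturedexe": b"prelecturedexe",
    "namespace:proteusdlll": b"proteusdlll",
    "predefined_key_bytes": PREDEFINED_KEY_BYTES,
}


def sha256_of(path):
    """SHA-256 of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path):
    """Return the list of indicator labels that match one file."""
    hits = []
    name = os.path.basename(path).lower()
    if name in KNOWN_NAMES:
        hits.append("known_filename")
    if name.endswith(HELPER_SUFFIX):
        hits.append("nike2018_helper_file")
    digest = sha256_of(path)
    if digest in KNOWN_SHA256:
        hits.append("sha256:" + KNOWN_SHA256[digest])
    with open(path, "rb") as f:
        head = f.read(2)
        body = f.read() if head == b"MZ" else b""
    # .NET metadata keeps namespace names as UTF-8 in the #Strings heap,
    # so a plain byte search over the PE image finds them.
    for label, needle in PE_STRINGS.items():
        if body and needle in body:
            hits.append(label)
    return hits


def scan_tree(root):
    """Map relative path -> indicator labels for every matching file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def build_sample_tree():
    """Constructed sample directory (not real malware) for a dry run."""
    root = tempfile.mkdtemp(prefix="samsam-triage-")
    # Stand-in "PE" file: MZ signature plus the namespace string.
    with open(os.path.join(root, "updater.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 64 + b"<Module>prelecturedexe.Program" + b"\x00" * 32)
    # The helper file the executable reads and then deletes.
    with open(os.path.join(root, "key.nike2018"), "wb") as f:
        f.write(b"constructed placeholder content")
    # A benign file that must not match anything.
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"nothing to see here")
    return root


if __name__ == "__main__":
    for rel, labels in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(labels)}")
```

The file-name check is the weakest indicator, since the operators can rename the binaries; the hash and string matches carry the weight.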

Relationship Summary

5d65ebdde1... Related_To d8d919d884b86e4d5977598bc9d637ed53e21d5964629d0427077e08ddbcba68
d8d919d884... Related_To 5d65ebdde1aef8f23114f95454287e7410965288f144d880ece2a2b8c3128645

Recommendations

NCCIC would like to remind users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate ACLs.

Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, Guide to Malware Incident Prevention & Handling for Desktops and Laptops.

Contact Information

NCCIC continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the NCCIC at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to NCCIC? Malware samples can be submitted via three methods:

NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov.

Revisions
  • December 3, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: LATEST ALERT

SamSam Ransomware

US-CERT All NCAS Products - Mon, 12/03/2018 - 17:22
Original release date: December 03, 2018

The Department of Homeland Security and the Federal Bureau of Investigation have identified cyber threat actors using SamSam ransomware—also known as MSIL/SAMAS.A—to target industries in the United States and worldwide.

NCCIC encourages users and administrators to review Alert AA18-337A: SamSam Ransomware and Malware Analysis Reports AR18-337A, AR18-337B, AR18-337C, and AR18-337D for more information.

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: LATEST ALERT

AA18-337A: SamSam Ransomware

US-CERT All NCAS Products - Mon, 12/03/2018 - 17:18
Original release date: December 03, 2018
Summary

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of vulnerabilities that cyber actors exploited to deploy this ransomware. In addition, this report provides recommendations for prevention and mitigation.

The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominantly in the United States, but also internationally. Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.

The actors exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims’ machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks. Typically, actors either use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point.

After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.

Analysis of tools found on victims’ networks indicated that successful cyber actors purchased several of the stolen RDP credentials from known darknet marketplaces. FBI analysis of victims’ access logs revealed that the SamSam actors can infect a network within hours of purchasing the credentials. While remediating infected systems, several victims found suspicious activity on their networks unrelated to SamSam. This activity is a possible indicator that the victims’ credentials were stolen, sold on the darknet, and used for other illegal activity.

SamSam actors leave ransom notes on encrypted computers. These instructions direct victims to establish contact through a Tor hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download cryptographic keys and tools to decrypt their network.

Technical Details

NCCIC recommends organizations review the following SamSam Malware Analysis Reports. The reports represent four SamSam malware variants. This is not an exhaustive list.

For general information on ransomware, see the NCCIC Security Publication at https://www.us-cert.gov/security-publications/Ransomware.

Mitigations

DHS and FBI recommend that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes before implementation to avoid unwanted impacts.

  • Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
  • Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
  • Enable strong passwords and account lockout policies to defend against brute force attacks.
  • Where possible, apply two-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good back-up strategy.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
  • Restrict users' ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.

Additional information on malware incident prevention and handling can be found in Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, from the National Institute of Standards and Technology.[1]
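The alert's intrusion vector is RDP reached by brute force or bought credentials, and the mitigations ask that RDP logins be logged and reviewed. The following is an added example of such a review, not part of the DHS/FBI alert: it takes a constructed, simplified export of Windows Security logon events (not a real log) and flags a burst of failures from one source followed by a successful RDP session from the same source. The threshold and window are assumptions to tune per environment.

```python
"""Review RDP logon events for the brute-force pattern in AA18-337A.

Added example; not part of the alert. Input lines are
timestamp|event_id|logon_type|account|source_ip. Event 4625 is a failed
logon, 4624 a successful one; logon type 10 is RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumed: failures from one source before alerting
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting failures

# Constructed sample; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """
2018-11-20T02:14:05|4625|3|administrator|203.0.113.45
2018-11-20T02:14:07|4625|3|admin|203.0.113.45
2018-11-20T02:14:09|4625|3|backup|203.0.113.45
2018-11-20T02:14:11|4625|3|svc_backup|203.0.113.45
2018-11-20T02:14:13|4625|3|sqladmin|203.0.113.45
2018-11-20T02:14:15|4625|3|svc_backup|203.0.113.45
2018-11-20T02:15:40|4624|10|svc_backup|203.0.113.45
2018-11-20T08:02:00|4624|10|jsmith|192.0.2.10
""".strip().splitlines()


def parse_record(line):
    """Split one pipe-delimited event line into a dict."""
    ts, event_id, logon_type, account, ip = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "ip": ip,
    }


def review_rdp_logons(lines):
    """Return a list of (kind, source_ip, detail) alerts.

    Failures are counted per source address regardless of logon type:
    with Network Level Authentication enabled, a failed RDP attempt is
    recorded as 4625 with logon type 3 rather than 10.
    """
    records = sorted((parse_record(l) for l in lines if l.strip()),
                     key=lambda r: r["ts"])
    recent_failures = defaultdict(list)  # source ip -> failure timestamps in window
    already_flagged = set()
    alerts = []
    for rec in records:
        window = recent_failures[rec["ip"]]
        while window and rec["ts"] - window[0] > WINDOW:
            window.pop(0)
        if rec["event"] == 4625:
            window.append(rec["ts"])
            if len(window) >= FAIL_THRESHOLD and rec["ip"] not in already_flagged:
                already_flagged.add(rec["ip"])
                alerts.append(("brute_force", rec["ip"],
                               f"{len(window)} failed logons within {WINDOW}"))
        elif rec["event"] == 4624 and rec["logon_type"] == 10 and window:
            # A successful RDP session right after a burst of failures is
            # the case to escalate: a guessed or purchased credential worked.
            alerts.append(("success_after_failures", rec["ip"],
                           f"account {rec['account']} logged on after {len(window)} failures"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in review_rdp_logons(SAMPLE_LOG):
        print(f"{kind}\t{ip}\t{detail}")
```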

Contact Information

To report an intrusion and request resources for incident response or technical assistance, contact NCCIC, FBI, or the FBI’s Cyber Division via the following information:

Feedback

DHS strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.gov/forms/feedback.

References

Revisions
  • December 3, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: LATEST ALERT


SB18-337: Vulnerability Summary for the Week of November 26, 2018

US-CERT All NCAS Products - Mon, 12/03/2018 - 12:20
Original release date: December 03, 2018

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

 

High Vulnerabilities

There were no high vulnerabilities recorded this week.

Medium Vulnerabilities

There were no medium vulnerabilities recorded this week.

Low Vulnerabilities

There were no low vulnerabilities recorded this week.

Severity Not Yet Assigned

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

adobe -- acrobat_and_reader | Adobe Acrobat and Reader versions 2019.008.20080 and earlier, 2017.011.30105 and earlier, and 2015.006.30456 and earlier have a ntlm sso hash theft vulnerability. Successful exploitation could lead to information disclosure. | 2018-11-29 | not yet calculated | CVE-2018-15979 (BID, SECTRACK, CONFIRM)

adobe -- flash_player | Flash Player versions 31.0.0.122 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure. | 2018-11-29 | not yet calculated | CVE-2018-15978 (BID, SECTRACK, REDHAT, CONFIRM)

adobe -- flash_player | Flash Player versions 31.0.0.148 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution. | 2018-11-29 | not yet calculated | CVE-2018-15981 (BID, SECTRACK, REDHAT, CONFIRM)

adobe -- photoshop_cc | Adobe Photoshop CC versions 19.1.6 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure. | 2018-11-29 | not yet calculated | CVE-2018-15980 (BID, SECTRACK, CONFIRM)

apache -- hadoop | In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user. | 2018-11-27 | not yet calculated | CVE-2018-11766 (BID, MISC)

arcms -- arcms | An issue was discovered in arcms through 2018-03-19. No authentication is required for index/main, user/useradd, or img/images. | 2018-11-26 | not yet calculated | CVE-2018-19557 (MISC)

arcms -- arcms | An issue was discovered in arcms through 2018-03-19. SQL injection exists via the json/newslist limit parameter because of ctl/main/Json.php, ctl/main/service/Data.php, and comp/Db/Mysql.php. | 2018-11-26 | not yet calculated | CVE-2018-19558 (MISC)

artifex -- ghostscript | psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same. | 2018-11-23 | not yet calculated | CVE-2018-19475 (MISC, MISC, MISC, MLIST, UBUNTU, DEBIAN, MISC)

artifex -- ghostscript | psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion. | 2018-11-23 | not yet calculated | CVE-2018-19476 (MISC, MISC, MISC, MLIST, UBUNTU, DEBIAN, MISC)

artifex -- ghostscript | psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion. | 2018-11-23 | not yet calculated | CVE-2018-19477 (MISC, MISC, MISC, MLIST, UBUNTU, DEBIAN, MISC)

artifex -- mupdf | In Artifex MuPDF 1.14.0, there is an infinite loop in the function svg_dev_end_tile in fitz/svg-device.c, as demonstrated by mutool. | 2018-11-30 | not yet calculated | CVE-2018-19777 (MISC)

atlantis -- word_processor | An exploitable arbitrary write vulnerability exists in the open document format parser of the Atlantis Word Processor, version 3.2.7.2, while trying to null-terminate a string. A specially crafted document can allow an attacker to pass an untrusted value as a length to a constructor. This constructor will miscalculate a length and then use it to calculate the position to write a null byte. This can allow an attacker to corrupt memory, which can result in code execution under the context of the application. An attacker must convince a victim to open a specially crafted document in order to trigger this vulnerability. | 2018-12-01 | not yet calculated | CVE-2018-4038 (MISC)

atlantis -- word_processor | An exploitable out-of-bounds write vulnerability exists in the PNG implementation of Atlantis Word Processor, version 3.2.7.2. This can allow an attacker to corrupt memory, which can result in code execution under the context of the application. An attacker must convince a victim to open a specially crafted document in order to trigger this vulnerability. | 2018-12-01 | not yet calculated | CVE-2018-4039 (MISC)

atlantis -- word_processor | An exploitable uninitialized pointer vulnerability exists in the rich text format parser of Atlantis Word Processor, version 3.2.7.2. A specially crafted document can cause certain RTF tokens to dereference a pointer that has been uninitialized and then write to it. An attacker must convince a victim to open a specially crafted document in order to trigger this vulnerability. | 2018-12-01 | not yet calculated | CVE-2018-4040 (MISC)

bagesoft -- bagecms | BageCMS 3.1.3 has CSRF via upload/index.php?r=admini/admin/ownerUpdate to modify a user account. | 2018-11-26 | not yet calculated | CVE-2018-19560 (MISC)

budabot -- budabot | In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation allows remote attackers to perform a command injection attack against the PHP daemon with a crafted command, resulting in a denial of service or possibly unspecified other impact, as demonstrated by the "!calc 5 x 5" command. In versions before 3.0, modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above, modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code. | 2018-11-30 | not yet calculated | CVE-2018-19290 (MISC, FULLDISC)

buffalo -- ts5600d1206_network_devices | Incorrect access control in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to bypass authentication by sending a modified HTTP Host header. | 2018-11-26 | not yet calculated | CVE-2018-13324 (MISC)

buffalo -- ts5600d1206_network_devices | System Command Injection in network.set_auth_settings in Buffalo TS5600D1206 version 3.70-0.10 allows attackers to execute system commands via the adminUsername and adminPassword parameters. | 2018-11-26 | not yet calculated | CVE-2018-13320 (MISC)

buffalo -- ts5600d1206_network_devices | Cross-site scripting in detail.html in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to execute JavaScript via the "username" cookie. | 2018-11-26 | not yet calculated | CVE-2018-13323 (MISC)

buffalo -- ts5600d1206_network_devices | Incorrect access controls in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allow attackers to call dangerous internal functions via the "method" parameter. | 2018-11-26 | not yet calculated | CVE-2018-13321 (MISC)

buffalo -- ts5600d1206_network_devices | Directory traversal in list_folders method in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to list directory contents via the "path" parameter. | 2018-11-26 | not yet calculated | CVE-2018-13322 (MISC)

buffalo -- ts5600d1206_network_devices | Incorrect access control in get_portal_info in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to determine sensitive device information via an unauthenticated POST request. | 2018-11-26 | not yet calculated | CVE-2018-13319 (MISC)

buffalo -- ts5600d1206_network_devices | System command injection in User.create method in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to execute system commands via the "name" parameter. | 2018-11-26 | not yet calculated | CVE-2018-13318 (MISC)

cesanta -- mongoose | In Cesanta Mongoose 6.13, a SIGSEGV exists in the mongoose.c mg_mqtt_add_session() function. | 2018-11-27 | not yet calculated | CVE-2018-19587 (MISC)

cisco -- prime_license_manager | A vulnerability in the web framework code of Cisco Prime License Manager (PLM) could allow an unauthenticated, remote attacker to execute arbitrary SQL queries. The vulnerability is due to a lack of proper validation of user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application. A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres user. | 2018-11-28 | not yet calculated | CVE-2018-15441 (BID, CISCO)

cs_systems -- switchvpn | A local privilege escalation vulnerability has been identified in the SwitchVPN client 2.1012.03 for macOS. Due to over-permissive configuration settings and a SUID binary, an attacker is able to execute arbitrary binaries as root. | 2018-11-30 | not yet calculated | CVE-2018-18860 (MISC, FULLDISC, EXPLOIT-DB)

cuppa_cms -- cuppa_cms | Cuppa CMS before 2018-11-12 has SQL Injection in administrator/classes/ajax/functions.php via the reference_id parameter. | 2018-11-26 | not yet calculated | CVE-2018-19559 (MISC)

dcraw -- dcraw | A heap buffer over-read in parse_tiff_ifd in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak private information. | 2018-11-26 | not yet calculated | CVE-2018-19566 (MISC, MISC)

dcraw -- dcraw | A stack-based buffer overflow in the find_green() function of dcraw through 9.28, as used in ufraw-batch and many other products, may allow a remote attacker to cause a control-flow hijack, denial-of-service, or unspecified other impact via a maliciously crafted raw photo file. | 2018-11-29 | not yet calculated | CVE-2018-19655
MISC
MISCdcraw -- dcrawA buffer over-read in crop_masked_pixels in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak private information.2018-11-26not yet calculatedCVE-2018-19565
MISC
MISCdcraw -- dcrawA floating point exception in kodak_radc_load_raw in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code.2018-11-26not yet calculatedCVE-2018-19568
MISC
MISCdcraw -- dcrawA floating point exception in parse_tiff_ifd in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code.2018-11-26not yet calculatedCVE-2018-19567
MISC
MISCdell_emc -- avamar_server_and_integrated_data_protection_appliance'getlogs' utility in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1 and 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 is affected by an OS command injection vulnerability. A malicious Avamar admin user may potentially be able to execute arbitrary commands under root privilege.2018-11-26not yet calculatedCVE-2018-11077
BID
SECTRACK
FULLDISC
CONFIRMdell_emc -- avamar_server_and_integrated_data_protection_applianceDell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0 and 7.4.1 and Dell EMC Integrated Data Protection Appliance (IDPA) 2.0 are affected by an information exposure vulnerability. Avamar Java management console's SSL/TLS private key may be leaked in the Avamar Java management client package. The private key could potentially be used by an unauthenticated attacker on the same data-link layer to initiate a MITM attack on management console users.2018-11-26not yet calculatedCVE-2018-11076
BID
SECTRACK
FULLDISC
CONFIRMdell_emc -- avamar_server_and_integrated_data_protection_applianceDell EMC Avamar Client Manager in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 contain an open redirection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.2018-11-26not yet calculatedCVE-2018-11067
BID
SECTRACK
FULLDISC
CONFIRMdell_emc -- avamar_server_and_integrated_data_protection_applianceDell EMC Avamar Client Manager in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 contain a Remote Code Execution vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary commands on the server.2018-11-26not yet calculatedCVE-2018-11066
BID
SECTRACK
FULLDISC
CONFIRMdell -- openmanage_network_managerDell OpenManage Network Manager versions prior to 6.5.0 enabled read/write access to the file system for MySQL users due to insecure default configuration setting for the embedded MySQL database.2018-11-30not yet calculatedCVE-2018-15768
BID
MISC
EXPLOIT-DBdell -- openmanage_network_managerThe Dell OpenManage Network Manager virtual appliance versions prior to 6.5.3 contain an improper authorization vulnerability caused by a misconfiguration in the /etc/sudoers file.2018-11-30not yet calculatedCVE-2018-15767
BID
MISC
EXPLOIT-DBdomainmod -- domainmodDomainMOD through 4.11.01 has XSS via the assets/add/account-owner.php Owner name field.2018-11-29not yet calculatedCVE-2018-19749
MISCdomainmod -- domainmodDomainMOD through 4.11.01 has XSS via the assets/add/registrar.php notes field for the Registrar.2018-11-29not yet calculatedCVE-2018-19752
MISCdomainmod -- domainmodDomainMOD through 4.11.01 has XSS via the admin/ssl-fields/add.php notes field for Custom SSL Fields.2018-11-29not yet calculatedCVE-2018-19751
MISCdomainmod -- domainmodDomainMOD through 4.11.01 has XSS via the admin/domain-fields/ notes field in an Add Custom Field action for Custom Domain Fields.2018-11-29not yet calculatedCVE-2018-19750
MISCdotcms -- dotcmsAn issue was discovered in Dotcms through 5.0.3. Attackers may perform XSS attacks via the inode, identifier, or fieldName parameter in html/js/dotcms/dijit/image/image_tool.jsp.2018-11-26not yet calculatedCVE-2018-19554
MISCexiv2 -- exiv2In Exiv2 0.26 and previous versions, PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service (application crash due to a heap-based buffer over-read) via a crafted PNG file.2018-11-25not yet calculatedCVE-2018-19535
MISC
MISCexiv2 -- exiv2Exiv2::isoSpeed in easyaccess.cpp in Exiv2 v0.27-RC2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file.2018-11-27not yet calculatedCVE-2018-19607
MISCfortinet -- fortiosAn uninitialized memory buffer leak exists in Fortinet FortiOS 5.6.1 to 5.6.3, 5.4.6 to 5.4.7, 5.2 all versions under web proxy's disclaimer response web pages, potentially causing sensitive data to be displayed in the HTTP response.2018-11-27not yet calculatedCVE-2018-13376
BID
CONFIRMfreebsd -- freebsdIn FreeBSD before 11.2-STABLE(r340268) and 11.2-RELEASE-p5, due to incorrectly accounting for padding on 64-bit platforms, a buffer underwrite could occur when constructing an ICMP reply packet when using a non-standard value for the net.inet.icmp.quotelen sysctl.2018-11-28not yet calculatedCVE-2018-17156
BID
CONFIRMfreerdp -- freerdpFreeRDP prior to version 2.0.0-rc4 contains a Heap-Based Buffer Overflow in function zgfx_decompress() that results in a memory corruption and probably even a remote code execution.2018-11-29not yet calculatedCVE-2018-8785
CONFIRMfreerdp -- freerdpFreeRDP prior to version 2.0.0-rc4 contains a Heap-Based Buffer Overflow in function zgfx_decompress_segment() that results in a memory corruption and probably even a remote code execution.2018-11-29not yet calculatedCVE-2018-8784
CONFIRMfreerdp -- freerdpFreeRDP prior to version 2.0.0-rc4 contains an Integer Truncation that leads to a Heap-Based Buffer Overflow in function update_read_bitmap_update() and results in a memory corruption and probably even a remote code execution.2018-11-29not yet calculatedCVE-2018-8786
CONFIRMfreerdp -- freerdpFreeRDP prior to version 2.0.0-rc4 contains an Integer Overflow that leads to a Heap-Based Buffer Overflow in function gdi_Bitmap_Decompress() and results in a memory corruption and probably even a remote code execution.2018-11-29not yet calculatedCVE-2018-8787
CONFIRMfreerdp -- freerdpFreeRDP prior to version 2.0.0-rc4 contains an Out-Of-Bounds Write of up to 4 bytes in function nsc_rle_decode() that results in a memory corruption and possibly even a remote code execution.2018-11-29not yet calculatedCVE-2018-8788
CONFIRMfreerdp -- freerdpFreeRDP prior to version 2.0.0-rc4 contains several Out-Of-Bounds Reads in the NTLM Authentication module that results in a Denial of Service (segfault).2018-11-29not yet calculatedCVE-2018-8789
CONFIRMgit -- gitGit before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.2018-11-23not yet calculatedCVE-2018-19486
BID
SECTRACK
MISC
MISC
UBUNTUgitlab -- gitlab_community_and_enterprise_editionAn issue was discovered in the wiki API in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for remote code execution.2018-11-29not yet calculatedCVE-2018-18649
CONFIRM
CONFIRMgnuplot -- gnuplotAn issue was discovered in post.trm in Gnuplot 5.2.5. This issue allows an attacker to conduct a buffer overflow with an arbitrary amount of data in the PS_options function. This flaw is caused by a missing size check of an argument passed to the "set font" function. This issue occurs when the Gnuplot postscript terminal is used as a backend.2018-11-23not yet calculatedCVE-2018-19491
MLIST
MLIST
MISC
MISCgnuplot -- gnuplotAn issue was discovered in cairo.trm in Gnuplot 5.2.5. This issue allows an attacker to conduct a buffer overflow with an arbitrary amount of data in the cairotrm_options function. This flaw is caused by a missing size check of an argument passed to the "set font" function. This issue occurs when the Gnuplot pngcairo terminal is used as a backend.2018-11-23not yet calculatedCVE-2018-19492
MLIST
MLIST
MISC
MISCgnuplot -- gnuplotAn issue was discovered in datafile.c in Gnuplot 5.2.5. This issue allows an attacker to conduct a heap-based buffer overflow with an arbitrary amount of data in df_generate_ascii_array_entry. To exploit this vulnerability, an attacker must pass an overlong string as the right bound of the range argument that is passed to the plot function.2018-11-23not yet calculatedCVE-2018-19490
MLIST
MLIST
MISC
MISCgoogle -- androidAndroid 1.0 through 9.0 has Insecure Permissions. The Android bug ID is 77286983.2018-11-30not yet calculatedCVE-2018-15835
MISC
FULLDISC
MISCharman/kardon -- subaru_starlink_harman_head_unitsA vulnerability in the update mechanism of Subaru StarLink Harman head units 2017, 2018, and 2019 may give an attacker (with physical access to the vehicle's USB ports) the ability to rewrite the firmware of the head unit. This occurs because the device accepts modified QNX6 filesystem images (as long as the attacker obtains access to certain Harman decryption/encryption code) as a consequence of a bug where unsigned images pass a validity check. An attacker could potentially install persistent malicious head unit firmware and execute arbitrary code as the root user.2018-11-28not yet calculatedCVE-2018-18203
MISChttl -- httlHTTL (aka Hyper-Text Template Language) through 1.0.11 allows remote command execution because the decodeXml function uses XStream unsafely when configured with an xml.codec=httl.spi.codecs.XstreamCodec setting.2018-11-25not yet calculatedCVE-2018-19530
MISChttl -- httl
 HTTL (aka Hyper-Text Template Language) through 1.0.11 allows remote command execution because the decodeXml function uses java.beans.XMLEncoder unsafely when configured without an xml.codec= setting.2018-11-25not yet calculatedCVE-2018-19531
MISChuawei -- espaceThere is an anonymous TLS cipher suites supported vulnerability in Huawei eSpace product. An unauthenticated, remote attacker launches man-in-the-middle attack to hijack the connection from a client when the user signs up to log in by TLS. Due to insufficient authentication, which may be exploited to intercept and tamper with the data information.2018-11-27not yet calculatedCVE-2018-7958
CONFIRMhuawei -- espaceThere is a short key vulnerability in Huawei eSpace product. An unauthenticated, remote attacker launches man-in-the-middle attack to intercept and decrypt the call information when the user enables SRTP to make a call. Successful exploitation may cause sensitive information leak.2018-11-27not yet calculatedCVE-2018-7959
CONFIRMhuawei -- espaceThere is a SRTP icon display vulnerability in Huawei eSpace product. An unauthenticated, remote attacker launches man-in-the-middle attack to intercept the packets in non-secure transmission mode. Successful exploitation may intercept and tamper with the call information, eventually cause sensitive information leak.2018-11-27not yet calculatedCVE-2018-7960
CONFIRMhuawei -- multiple_productsThere is an information leakage vulnerability on several Huawei products. Due to insufficient communication protection for specific services, a remote, unauthorized attacker can exploit this vulnerability to connect to specific services to obtain additional information. Successful exploitation of this vulnerability can lead to information leakage.2018-11-27not yet calculatedCVE-2018-7977
CONFIRMhuawei -- smartphonesThere is an information leak vulnerability in some Huawei smartphones. An attacker may do some specific configuration in the smartphone and trick a user into inputting some sensitive information. Due to improper design, successful exploit may cause some information leak.2018-11-27not yet calculatedCVE-2018-7946
CONFIRMhuawei -- smartphonesThere is a Factory Reset Protection (FRP) bypass vulnerability on several smartphones. The system does not sufficiently verify the permission, an attacker uses a data cable to connect the smartphone to another smartphone and then perform a series of specific operations. Successful exploit could allow the attacker bypass the FRP protection.2018-11-27not yet calculatedCVE-2018-7988
CONFIRMhuawei -- smartphonesThere is a smart SMS verification code vulnerability in some Huawei smartphones. An attacker should trick a user to access malicious Website or malicious App and register. Due to incorrect processing of the smart SMS verification code, successful exploitation can cause sensitive information leak.2018-11-27not yet calculatedCVE-2018-7961
CONFIRMhunan_jinyun_network_technology_co -- pbootcmsPbootCMS V1.3.1 build 2018-11-14 allows remote attackers to execute arbitrary code via use of "eval" with mixed case, as demonstrated by an index.php/list/5/?current={pboot:if(evAl($_GET[a]))}1{/pboot:if}&a=phpinfo(); URI, because of an incorrect apps\home\controller\ParserController.php parserIfLabel protection mechanism.2018-11-27not yet calculatedCVE-2018-19595
MISCi4_assistant -- i4_assistanti4 assistant 7.85 allows XSS via a crafted machine name field within iOS settings.2018-11-29not yet calculatedCVE-2018-19527
MISCibm -- db2_for_linux_unix_and_windowsIBM DB2 for Linux, UNIX, and Windows 9.7, 10.1, 10.5., and 11.1 db2pdcfg is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could allow an attacker to execute arbitrary code. IBM X-Force ID: 152462.2018-11-30not yet calculatedCVE-2018-1897
CONFIRM
SECTRACK
XFibm -- integration_busIBM Integration Bus 9.0.0.0, 9.0.0.11, 10.0.0.0, and 10.0.0.14 (including IBM WebSphere Message Broker 8.0.0.0 and 8.0.0.9) has insecure permissions on certain files. A local attacker could exploit this vulnerability to modify or delete these files with an unknown impact. IBM X-Force ID: 127406.2018-11-26not yet calculatedCVE-2017-1418
CONFIRM
XFibm -- maximo_asset_managementIBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 143497.2018-11-28not yet calculatedCVE-2018-1584
XF
CONFIRMibm -- rational_collaborative_lifecycle_managementIBM Rational Collaborative Lifecycle Management 5.0 through 5.0.2 and 6.0 through 6.0.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148616.2018-11-29not yet calculatedCVE-2018-1762
XF
CONFIRMibm -- stored_iqIBM StoredIQ 7.6.0 does not implement proper authorization of user roles due to which it was possible for a low privileged user to access the application endpoints of high privileged users and also perform some state changing actions restricted to a high privileged user. IBM X-Force ID: 153119.2018-11-30not yet calculatedCVE-2018-1928
CONFIRM
XFibm -- stored_iqIBM StoredIQ 7.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 153118.2018-11-30not yet calculatedCVE-2018-1927
CONFIRM
XFibm -- websphere_application_serverIBM WebSphere Application Server 9.0.0.0 through 9.0.0.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152534.2018-11-26not yet calculatedCVE-2018-1905
BID
XF
CONFIRMimperva -- securesphereThe Python CGI scripts in PWS in Imperva SecureSphere 13.0.10, 13.1.10, and 13.2.10 allow remote attackers to execute arbitrary OS commands because command-line arguments are mishandled.2018-11-28not yet calculatedCVE-2018-19646
EXPLOIT-DBinterspire -- email_marketeradmin/functions/remote.php in Interspire Email Marketer through 6.1.6 has Server Side Request Forgery (SSRF) via a what=importurl&url= request with an http or https URL. This also allows reading local files with a file: URL.2018-11-28not yet calculatedCVE-2018-19651
MISCinterspire -- email_marketerInterspire Email Marketer through 6.1.6 has SQL Injection via an updateblock sortorder request to Dynamiccontenttags.php2018-11-26not yet calculatedCVE-2018-19553
MISCinterspire -- email_marketerInterspire Email Marketer through 6.1.6 has SQL Injection via a deleteblock blockid[] request to Dynamiccontenttags.php.2018-11-26not yet calculatedCVE-2018-19552
MISCinterspire -- email_marketerInterspire Email Marketer through 6.1.6 has SQL Injection via a checkduplicatetags tagname request to Dynamiccontenttags.php.2018-11-26not yet calculatedCVE-2018-19551
MISCinterspire -- email_marketerInterspire Email Marketer through 6.1.6 allows arbitrary file upload via a surveys_submit.php "create survey and submit survey" operation, which can cause a .php file to be accessible under a admin/temp/surveys/ URI.2018-11-26not yet calculatedCVE-2018-19550
MISCinterspire -- email_marketerInterspire Email Marketer through 6.1.6 has SQL Injection via a tagids Delete action to Dynamiccontenttags.php.2018-11-26not yet calculatedCVE-2018-19549
MISCjasper -- jasperAn issue was discovered in JasPer 2.0.14. There is an access violation in the function jas_image_readcmpt in libjasper/base/jas_image.c, leading to a denial of service.2018-11-25not yet calculatedCVE-2018-19539
MISCjasper -- jasperAn issue was discovered in JasPer 2.0.14. There is a heap-based buffer over-read of size 8 in the function jp2_decode in libjasper/jp2/jp2_dec.c.2018-11-25not yet calculatedCVE-2018-19543
MISCjasper -- jasperAn issue was discovered in JasPer 2.0.14. There is a NULL pointer dereference in the function jp2_decode in libjasper/jp2/jp2_dec.c, leading to a denial of service.2018-11-25not yet calculatedCVE-2018-19542
MISCjasper -- jasperAn issue was discovered in JasPer 2.0.14. There is a heap-based buffer over-read of size 8 in the function jas_image_depalettize in libjasper/base/jas_image.c.2018-11-25not yet calculatedCVE-2018-19541
MISCjasper -- jasperAn issue was discovered in JasPer 2.0.14. There is a heap-based buffer overflow of size 1 in the function jas_icctxtdesc_input in libjasper/base/jas_icc.c.2018-11-25not yet calculatedCVE-2018-19540
MISCjiangxi_jinlei_technology_development -- jeecmsJEECMS 9.3 has CSRF via the api/admin/content/save URI to add news.2018-11-26not yet calculatedCVE-2018-19544
MISCjiangxi_jinlei_technology_development -- jeecmsJEECMS 9.3 has CSRF via the api/admin/role/save URI to add a user.2018-11-26not yet calculatedCVE-2018-19545
MISCjtbc -- jtbcJTBC (PHP) 3.0.1.7 has CSRF via the console/xml/manage.php?type=action&action=edit URI, as demonstrated by an XSS payload in the content parameter.2018-11-26not yet calculatedCVE-2018-19546
MISC
MISCjtbc -- jtbc
 JTBC (PHP) 3.0.1.7 has XSS via the console/xml/manage.php?type=action&action=edit content parameter.2018-11-26not yet calculatedCVE-2018-19547
MISC
MISCkde -- kde_applicationsThe HTML thumbnailer plugin in KDE Applications before 18.12.0 allows attackers to trigger outbound TCP connections to arbitrary IP addresses, leading to disclosure of the source IP address.2018-11-29not yet calculatedCVE-2018-19120
MISC
FEDORAlenovo -- lxciLXCI for VMware versions prior to 5.5 and LXCI for Microsoft System Center versions prior to 3.5, allow an authenticated user to write to any system file due to insufficient sanitization during the upload of a certificate.2018-11-30not yet calculatedCVE-2018-16097
CONFIRMlenovo -- lxciIn versions prior to 5.5, LXCI for VMware allows an authenticated user to download any system file due to insufficient input sanitization during file downloads.2018-11-30not yet calculatedCVE-2018-9072
CONFIRMlenovo -- lxciIn versions prior to 5.5, LXCI for VMware allows an authenticated user to write to any system file due to insufficient sanitization during the upload of a backup file.2018-11-30not yet calculatedCVE-2018-16093
CONFIRMlenovo -- system_management_moduleIn System Management Module (SMM) versions prior to 1.06, the SMM certificate creation and parsing logic is vulnerable to several buffer overflows.2018-11-27not yet calculatedCVE-2018-16091
CONFIRMlenovo -- system_management_moduleIn System Management Module (SMM) versions prior to 1.06, an internal SMM function that retrieves configuration settings is prone to a buffer overflow.2018-11-27not yet calculatedCVE-2018-16094
CONFIRMlenovo -- system_management_moduleIn System Management Module (SMM) versions prior to 1.06, the SMM web interface for changing Enclosure VPD fails to sufficiently sanitize all input for HTML tags, possibly opening a path for cross-site scripting.2018-11-27not yet calculatedCVE-2018-16096
CONFIRMlenovo -- system_management_moduleIn System Management Module (SMM) versions prior to 1.06, the SMM certificate creation and parsing logic is vulnerable to post-authentication command injection.2018-11-27not yet calculatedCVE-2018-16090
CONFIRMlenovo -- system_management_moduleIn System Management Module (SMM) versions prior to 1.06, a field in the header of SMM firmware update images is insufficiently sanitized, allowing post-authentication command injection on the SMM as the root user.2018-11-27not yet calculatedCVE-2018-16089
CONFIRMlenovo -- system_management_moduleIn System Management Module (SMM) versions prior to 1.06, if an attacker manages to log in to the device OS, the validation of software updates can be circumvented.2018-11-27not yet calculatedCVE-2018-9084
CONFIRMlenovo -- system_management_moduleIn System Management Module (SMM) versions prior to 1.06, the SMM records hashed passwords to a debug log when user authentication fails.2018-11-27not yet calculatedCVE-2018-16095
CONFIRMlenovo -- system_management_moduleIn System Management Module (SMM) versions prior to 1.06, the FFDC feature includes the collection of SMM system files containing sensitive information; notably, the SMM user account credentials and the system shadow file.2018-11-27not yet calculatedCVE-2018-16092
CONFIRMlenovo -- system_management_moduleIn System Management Module (SMM) versions prior to 1.06, the SMM contains weak default root credentials which could be used to log in to the device OS -- if the attacker manages to enable SSH or Telnet connections via some other vulnerability.2018-11-27not yet calculatedCVE-2018-9083
CONFIRMlibconfuse -- libconfusecfg_init in confuse.c in libConfuse 3.2.2 has a memory leak.2018-11-29not yet calculatedCVE-2018-19760
MISClibjpeg-turbo -- libjpeg-turbolibjpeg-turbo 2.0.1 has a heap-based buffer over-read in the put_pixel_rows function in wrbmp.c, as demonstrated by djpeg.2018-11-29not yet calculatedCVE-2018-19664
MISClibsixel -- libsixelThere is a heap-based buffer over-read at stb_image.h (function: stbi__tga_load) in libsixel 1.8.2 that will cause a denial of service.2018-11-29not yet calculatedCVE-2018-19756
MISClibsixel -- libsixelThere is a heap-based buffer over-read at stb_image_write.h (function: stbi_write_png_to_mem) in libsixel 1.8.2 that will cause a denial of service.2018-11-29not yet calculatedCVE-2018-19759
MISClibsixel -- libsixelThere is an illegal address access at fromsixel.c (function: sixel_decode_raw_impl) in libsixel 1.8.2 that will cause a denial of service.2018-11-29not yet calculatedCVE-2018-19761
MISClibsixel -- libsixelThere is a heap-based buffer overflow at fromsixel.c (function: image_buffer_resize) in libsixel 1.8.2 that will cause a denial of service or possibly unspecified other impact.2018-11-29not yet calculatedCVE-2018-19762
MISClibsixel -- libsixelThere is a heap-based buffer over-read at writer.c (function: write_png_to_file) in libsixel 1.8.2 that will cause a denial of service.2018-11-29not yet calculatedCVE-2018-19763
MISClibsixel -- libsixelThere is a NULL pointer dereference at function sixel_helper_set_additional_message (status.c) in libsixel 1.8.2 that will cause a denial of service.2018-11-29not yet calculatedCVE-2018-19757
MISClibsndfile -- libsndfileThere is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service.2018-11-29not yet calculatedCVE-2018-19758
MISClibsndfile -- libsndfileAn issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2ulaw_array in ulaw.c that will lead to a denial of service.2018-11-29not yet calculatedCVE-2018-19661
MISClibsndfile -- libsndfileAn issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2alaw_array in alaw.c that will lead to a denial of service.2018-11-29not yet calculatedCVE-2018-19662
MISClinux -- linux_kernelThe Linux kernel before 4.15-rc8 was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service.2018-11-26not yet calculatedCVE-2018-14646
REDHAT
REDHAT
CONFIRM
CONFIRM
CONFIRMlinux -- linux_kernelA security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one.2018-11-26not yet calculatedCVE-2018-16862
BID
CONFIRM
CONFIRM
MLISTmoodle -- moodleA flaw was found in moodle before versions 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15. The login form is not protected by a token to prevent login cross-site request forgery.2018-11-26not yet calculatedCVE-2018-16854
CONFIRM
BID
SECTRACK
CONFIRM
CONFIRMnetwide_assembler -- netwide_assemblerThere is an illegal address access at asm/preproc.c (function: is_mmacro) in Netwide Assembler (NASM) 2.14rc16 that will cause a denial of service (out-of-bounds array access) because a certain conversion can result in a negative integer.2018-11-29not yet calculatedCVE-2018-19755
MISC
MISCnode.js -- node.jsNode.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.2018-11-28not yet calculatedCVE-2018-12123
CONFIRMnode.js -- node.jsNode.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.2018-11-28not yet calculatedCVE-2018-12122
BID
CONFIRM

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
--- | --- | --- | --- | ---
node.js -- node.js | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum-sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer. | 2018-11-28 | not yet calculated | CVE-2018-12121 BID CONFIRM
node.js -- node.js | Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to be made to the same server. | 2018-11-28 | not yet calculated | CVE-2018-12116 CONFIRM
node.js -- node.js | Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable. | 2018-11-28 | not yet calculated | CVE-2018-12120 BID CONFIRM
nuuo -- nuuo_cms | NUUO CMS, all versions 3.3 and prior: the application allows the upload of arbitrary files that can modify or overwrite configuration files on the server, which could allow remote code execution. | 2018-11-27 | not yet calculated | CVE-2018-17936 MISC
nuuo -- nuuo_cms | NUUO CMS, all versions 3.3 and prior: the application allows external input to construct a pathname that can be resolved outside the intended directory. This could allow an attacker to impersonate a legitimate user, obtain restricted information, or execute arbitrary code. | 2018-11-27 | not yet calculated | CVE-2018-17934 MISC
nuuo -- nuuo_cms | NUUO CMS, all versions 3.3 and prior: the web server application allows injection of arbitrary SQL characters, which can be used to inject SQL into an executing statement and allow arbitrary code execution. | 2018-11-27 | not yet calculated | CVE-2018-18982 MISC
nuuo -- nvrmini2_devices | NUUO NVRMini2 version 3.10.0 and earlier is vulnerable to authenticated remote command injection. An attacker can send crafted requests to upgrade_handle.php to execute OS commands as root. | 2018-11-30 | not yet calculated | CVE-2018-15716 MISC MISC
nvidia -- geforce_experience | NVIDIA GeForce Experience contains a vulnerability in all versions prior to 3.16 during application installation on Windows 7 in elevated privilege mode, where a local user who initiates a browser session may obtain escalation of privileges on the browser. | 2018-11-27 | not yet calculated | CVE-2018-6265 CONFIRM
nvidia -- geforce_experience | NVIDIA GeForce Experience contains a vulnerability in all versions prior to 3.16 on Windows where a local user may obtain third-party integration parameters, which may lead to information disclosure. | 2018-11-27 | not yet calculated | CVE-2018-6266 CONFIRM
nvidia -- geforce_experience | NVIDIA GeForce Experience contains a vulnerability in all versions prior to 3.16 on Windows in which an attacker who has access to a local user account can plant a malicious dynamic link library (DLL) during application installation, which may lead to escalation of privileges. | 2018-11-27 | not yet calculated | CVE-2018-6263 CONFIRM
ocs_inventory_ng -- ocs_inventory_ng | Unrestricted file upload (with remote code execution) in OCS Inventory NG ocsreports allows a privileged user to gain access to the server via crafted HTTP requests. | 2018-11-29 | not yet calculated | CVE-2018-15537 MISC FULLDISC
openwrt_project -- openwrt/lede | cgi_handle_request in uhttpd in OpenWrt through 18.06.1 and LEDE through 17.01 has unauthenticated reflected XSS via the URI, as demonstrated by a cgi-bin/?[XSS] URI. | 2018-11-28 | not yet calculated | CVE-2018-19630 MISC
osb -- vt-designer | VT-Designer version 2.1.7.31 is vulnerable because the program reads the contents of a file (which is already in memory) into another heap-based buffer, which may cause the program to crash or allow remote code execution. | 2018-11-30 | not yet calculated | CVE-2018-18983 MISC
osb -- vt-designer | VT-Designer version 2.1.7.31 is vulnerable because the program populates objects with user-supplied input from a file without first checking its validity, allowing attacker-supplied input to be written to known memory locations. This may cause the program to crash or allow remote code execution. | 2018-11-30 | not yet calculated | CVE-2018-18987 MISC
ossec -- ossec | The agent in OSSEC through 3.1.0 on Windows allows local users to gain NT AUTHORITY\SYSTEM access via Directory Traversal by leveraging full access to the associated OSSEC server. | 2018-11-29 | not yet calculated | CVE-2018-19666 MISC
palo_alto_networks -- expedition_migration_tool | The Expedition Migration tool 1.0.106 and earlier may allow an unauthenticated attacker to enumerate files on the operating system. | 2018-11-27 | not yet calculated | CVE-2018-10142 CONFIRM
php_proxy -- php_proxy | The str_rot_pass function in vendor/atholn1600/php-proxy/src/helpers.php in PHP Proxy 5.1.0 uses weak cryptography, which makes it easier for attackers to calculate the authorization data needed for local file inclusion. | 2018-11-30 | not yet calculated | CVE-2018-19784 MISC MISC
php_proxy -- php_proxy | PHP Proxy through 5.1.0 has Cross-Site Scripting (XSS) via the URL field in index.php. | 2018-11-30 | not yet calculated | CVE-2018-19785 MISC MISC
phpok -- phpok | An issue was discovered in PHPok 4.9.015. admin.php?c=update&f=unzip allows remote attackers to execute arbitrary code via a "Login Background > Program Upgrade > Compressed Packet Upgrade" action in which a .php file is inside a ZIP archive. | 2018-11-26 | not yet calculated | CVE-2018-19562 MISC
plohni -- advanced_comment_system | internal/advanced_comment_system/admin.php in Advanced Comment System 1.0 is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query, allowing remote attackers to execute the SQL injection attack via a URL in the "page" parameter. NOTE: The product is discontinued. | 2018-11-29 | not yet calculated | CVE-2018-18619 MISC FULLDISC EXPLOIT-DB
podofo -- podofo | A NULL pointer dereference vulnerability exists in the function PdfTranslator::setTarget() in pdftranslator.cpp of PoDoFo 0.9.6, while creating the PdfXObject, as demonstrated by podofoimpose. It allows an attacker to cause a denial of service. | 2018-11-25 | not yet calculated | CVE-2018-19532 MISC MISC
powerdns -- dnsdist | An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remote attacker to craft a DNS query with trailing data such that the addition of a record by dnsdist, for example an OPT record when adding EDNS Client Subnet, might result in the trailing data being smuggled to the backend as a valid record while not seen by dnsdist. This is an issue when dnsdist is deployed as a DNS Firewall and used to filter some records that should not be received by the backend. This issue occurs only when either the 'useClientSubnet' or the experimental 'addXPF' parameters are used when declaring a new backend. | 2018-11-26 | not yet calculated | CVE-2018-14663 CONFIRM CONFIRM
powerdns -- powerdns_authoritative_server_and_powerdns_recursor | PowerDNS Authoritative Server 3.3.0 up to 4.1.4 excluding 4.1.5 and 4.0.6, and PowerDNS Recursor 3.2 up to 4.1.4 excluding 4.1.5 and 4.0.9, are vulnerable to a memory leak while parsing malformed records that can lead to remote denial of service. | 2018-11-29 | not yet calculated | CVE-2018-10851 CONFIRM CONFIRM CONFIRM
powerdns -- powerdns_authoritative_server_and_powerdns_recursor | PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerable to a packet cache pollution via crafted query that can lead to denial of service. | 2018-11-29 | not yet calculated | CVE-2018-14626 CONFIRM CONFIRM CONFIRM
pulse_secure -- desktop_client | Pulse Secure Desktop Client 5.3 up to and including R6.0 build 1769 on Windows has Insecure Permissions. | 2018-11-29 | not yet calculated | CVE-2018-11002 MISC
qnap_systems -- multiple_products | Cross-site scripting vulnerability in QTS 4.2.6 build 20180711, QTS 4.3.3: Qsync Central 3.0.2, QTS 4.3.4: Qsync Central 3.0.3, QTS 4.3.5: Qsync Central 3.0.4 and earlier versions could allow remote attackers to inject JavaScript code into the compromised application. | 2018-11-30 | not yet calculated | CVE-2018-0716 CONFIRM
qnap_systems -- qts | Cross-site scripting (XSS) vulnerability in QNAP QTS 4.2.6 build 20180711 and earlier versions, 4.3.3 build 20180725 and earlier versions, and 4.3.4 build 20180710 and earlier versions could allow remote attackers to inject JavaScript code. | 2018-11-27 | not yet calculated | CVE-2018-0719 CONFIRM
qnap_systems -- qts | Command Injection vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829, QTS 4.2.6 build 20180829 and earlier versions could allow remote attackers to run arbitrary commands on the NAS. | 2018-11-28 | not yet calculated | CVE-2018-14746 CONFIRM
qnap_systems -- qts | Improper Authorization vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829, QTS 4.2.6 build 20180829 and earlier versions could allow remote attackers to power off the NAS. | 2018-11-28 | not yet calculated | CVE-2018-14748 CONFIRM
qnap_systems -- qts | NULL Pointer Dereference vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829, QTS 4.2.6 build 20180829 and earlier versions could allow remote attackers to crash the NAS media server. | 2018-11-28 | not yet calculated | CVE-2018-14747 CONFIRM
qnap_systems -- qts | Buffer Overflow vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829, QTS 4.2.6 build 20180829 and earlier versions could have unspecified impact on the NAS. | 2018-11-28 | not yet calculated | CVE-2018-14749 CONFIRM
qnap_systems -- qts | Buffer Overflow vulnerability in QNAP QTS 4.2.6 build 20180711 and earlier versions, 4.3.3 build 20180725 and earlier versions, and 4.3.4 build 20180710 and earlier versions could allow remote attackers to run arbitrary code on NAS devices. | 2018-11-27 | not yet calculated | CVE-2018-0721 CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, improper configuration of a script may lead to unprivileged access. | 2018-11-27 | not yet calculated | CVE-2018-11911 CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, there is a security concern with default privileged access to ADB and debugfs. | 2018-11-27 | not yet calculated | CVE-2018-11906 CONFIRM CONFIRM CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, improper access control can allow a device node or executable to be run from /data/, which presents a potential issue. | 2018-11-27 | not yet calculated | CVE-2018-11908 CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, improper access control can allow a device node or executable to be run from /persist/, which presents a potential issue. | 2018-11-27 | not yet calculated | CVE-2018-11910 CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, while processing a Fast Initial Link Setup (FILS) connection request, an integer overflow may lead to a buffer overflow when the key length is zero. | 2018-11-27 | not yet calculated | CVE-2018-11260 SECTRACK CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, the UPnP daemon should not be running out of the box because it enables port forwarding without authentication. | 2018-11-27 | not yet calculated | CVE-2018-11946 CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, improper configuration of daemons may lead to unprivileged access. | 2018-11-27 | not yet calculated | CVE-2018-11912 CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, improper access control can allow a device node or executable to be run from /cache/, which presents a potential issue. | 2018-11-27 | not yet calculated | CVE-2018-11909 CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, improper access control can allow a device node or executable to be run from /systemrw/, which presents a potential security issue. | 2018-11-27 | not yet calculated | CVE-2018-11914 CONFIRM CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, while processing the fastboot flash command, a memory leak or unexpected behavior may occur due to processing of uninitialized data buffers. | 2018-11-27 | not yet calculated | CVE-2018-11943 CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, improper configuration of dev nodes may lead to a potential security issue. | 2018-11-27 | not yet calculated | CVE-2018-11913 CONFIRM CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, there is a possible use-after-free issue in the Media Codec process. Any application using the codec service will be affected. | 2018-11-27 | not yet calculated | CVE-2018-11261 CONFIRM CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, there is a potential heap overflow and memory corruption due to improper error handling in the SOC infrastructure. | 2018-11-27 | not yet calculated | CVE-2018-11919 CONFIRM CONFIRM CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, while processing the boot image header, an out-of-bounds read can occur in boot. | 2018-11-27 | not yet calculated | CVE-2017-11078 CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, improper mounting can lead to a device node or executable being run from /dsp/, which presents a potential security issue. | 2018-11-27 | not yet calculated | CVE-2018-11956 CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, during list traversal in the LPM status driver for clean-up, a use-after-free vulnerability may occur. | 2018-11-27 | not yet calculated | CVE-2018-5904 CONFIRM CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, improper input validation can lead to improper access to already freed DCI client entries while closing a DCI client. | 2018-11-27 | not yet calculated | CVE-2018-11266 CONFIRM CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, there is a possible buffer overflow in a display function due to lack of buffer length validation before copying. | 2018-11-27 | not yet calculated | CVE-2018-5908 CONFIRM CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, a use-after-free issue in the WLAN host driver can lead to a device reboot. | 2018-11-27 | not yet calculated | CVE-2018-5919 CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, there is a possible buffer overflow in the debugfs module due to lack of a check on the size of the input before copying it into a buffer. | 2018-11-27 | not yet calculated | CVE-2018-5906 CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, memory corruption can occur in the kernel due to an improper check of the callers count parameter in display handlers. | 2018-11-27 | not yet calculated | CVE-2018-5910 CONFIRM CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, a buffer overflow may occur in display handlers due to lack of checking of the buffer size before copying into it, leading to memory corruption. | 2018-11-27 | not yet calculated | CVE-2018-5909 CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, improper access control can allow a device node or executable to be run from /firmware/, which presents a potential issue. | 2018-11-27 | not yet calculated | CVE-2018-11907 CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, due to a race condition, a use-after-free condition can occur in Audio. | 2018-11-27 | not yet calculated | CVE-2018-5856 CONFIRM CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, freeing device memory on driver probe failure will result in a double-free issue in the power module. | 2018-11-27 | not yet calculated | CVE-2018-11823 CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, memory allocated is automatically released by the kernel if the 'probe' function fails with an error code. | 2018-11-27 | not yet calculated | CVE-2018-11918 CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, a partition name-check variable is not reset for every iteration, which may cause improper termination in the META image. | 2018-11-27 | not yet calculated | CVE-2018-11995 BID CONFIRM CONFIRM
qualcomm -- android | In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, existing checks on partition size are incomplete and can lead to heap overwrite vulnerabilities while loading a secure application from the boot loader. | 2018-11-27 | not yet calculated | CVE-2018-5861 CONFIRM CONFIRM
qualcomm -- multiple_products | Possible buffer overflow in the DRM trusted application due to lack of checks on function return values in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDA845, SDX24, SXR1130. | 2018-11-28 | not yet calculated | CVE-2018-5918 CONFIRM
qualcomm -- multiple_products | When a malformed command is sent to the device programmer, an out-of-bounds access can occur in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions MDM9206, MDM9607, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 600, SD 820, SD 820A, SD 835, SDA660, SDX20, SDX24. | 2018-11-28 | not yet calculated | CVE-2018-11996 BID CONFIRM
qualcomm -- multiple_products | Buffer over-read while decoding a PDP modify request or network-initiated secondary PDP activation in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDA845, SDX20, SXR1130. | 2018-11-28 | not yet calculated | CVE-2018-5916 BID CONFIRM
qualcomm -- multiple_products | A failure condition is not handled properly and the correct error code is not returned. This could cause unintended SUI behavior and create an unintended SUI display in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions MDM9206, MDM9607, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDA845, SDX24, SXR1130. | 2018-11-28 | not yet calculated | CVE-2018-11921 CONFIRM
qualcomm -- multiple_products | In the device programmer target-side code for firehose, a string that is not properly NULL-terminated can lead to an incorrect buffer size in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions MDM9206, MDM9607, MDM9640, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 600, SD 820, SD 820A, SD 835, SDA660, SDX20. | 2018-11-28 | not yet calculated | CVE-2018-5877 BID CONFIRM
qualcomm -- multiple_products | A secure application can access QSEE kernel memory through the Ontario kernel driver in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions MDM9206, MDM9607, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDA845, SDX24, SXR1130. | 2018-11-28 | not yet calculated | CVE-2017-18316 BID CONFIRM
qualcomm -- multiple_products | Possible buffer overflow in Ontario fingerprint code due to lack of input validation for the parameters coming into TZ from HLOS in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions MDM9206, MDM9607, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SDA660. | 2018-11-28 | not yet calculated | CVE-2018-11264 BID CONFIRM
qualcomm -- multiple_products | SMMU secure camera logic allows secure camera controllers to access HLOS memory during a session in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions MDM9206, MDM9607, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDA845, SDX24, SXR1130. | 2018-11-28 | not yet calculated | CVE-2018-11994 BID CONFIRM
qualcomm -- snapdragon_automobile_and_snapdragon_mobile | Missing validation check on CRL issuer name in Snapdragon Automobile, Snapdragon Mobile in versions MSM8996AU, SD 410/12, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 810, SD 820, SD 820A. | 2018-11-28 | not yet calculated | CVE-2017-18318 BID CONFIRM
qualcomm -- snapdragon_automobile_and_snapdragon_mobile | Restrictions related to the modem (SIM lock, SIM kill) can be bypassed by manipulating the system to issue a deactivation flow sequence in Snapdragon Automobile, Snapdragon Mobile in versions MSM8996AU, SD 410/12, SD 820, SD 820A. | 2018-11-28 | not yet calculated | CVE-2017-18317 BID CONFIRM
qualcomm -- snapdragon_automobile_and_snapdragon_mobile | Possible buffer overflow in an OEM crypto function due to improper input validation in Snapdragon Automobile, Snapdragon Mobile in versions MSM8996AU, SD 425, SD 430, SD 450, SD 625, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDA845, SDX24, SXR1130. | 2018-11-28 | not yet calculated | CVE-2018-5917 BID CONFIRM
qualcomm -- snapdragon_automobile_and_snapdragon_mobile | Potential buffer overflow in Video due to lack of input validation of input and output values in Snapdragon Automobile, Snapdragon Mobile in versions MSM8996AU, SD 450, SD 625, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660. | 2018-11-28 | not yet calculated | CVE-2018-5912 BID CONFIRM
qualcomm -- snapdragon_mobile | Buffer over-read vulnerabilities in an older version of the ASN.1 parser in Snapdragon Mobile in version SD 600. | 2018-11-28 | not yet calculated | CVE-2017-18315 BID CONFIRM
qualcomm -- snapdragon_mobile | While loading a service image, an untrusted pointer dereference can occur in Snapdragon Mobile in versions SD 835, SDA660, SDX24. | 2018-11-28 | not yet calculated | CVE-2018-5870 BID CONFIRM
rapid7 -- komand | In Rapid7 Komand version 0.41.0 and prior, certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring sensitive data from the API response sent over an encrypted channel. This issue does not affect Rapid7 Komand version 0.42.0 and later versions. | 2018-11-28 | not yet calculated | CVE-2018-5559 CONFIRM MISC
red_hat -- ansible_engine | Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable. | 2018-11-29 | not yet calculated | CVE-2018-16859 BID CONFIRM CONFIRM
red_hat -- keycloak | The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack. | 2018-11-30 | not yet calculated | CVE-2018-14637 CONFIRM
ruby_on_rails -- ruby_on_rails | A bypass vulnerability in Active Storage >= 5.2.0 for the Google Cloud Storage and Disk services allows an attacker to modify the `content-disposition` and `content-type` parameters, which can be used with HTML files to have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path. | 2018-11-30 | not yet calculated | CVE-2018-16477 MISC MISC
ruby_on_rails -- ruby_on_rails | A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. | 2018-11-30 | not yet calculated | CVE-2018-16476 MISC MISC
rudra_softech -- edusoft | index.php?r=site%2Flogin in EduSec through 4.2.6 does not restrict sending a series of LoginForm[username] and LoginForm[password] parameters, which might make it easier for remote attackers to obtain access via a brute-force approach. | 2018-11-26 | not yet calculated | CVE-2018-19548 MISC
sales_and_company_management_system -- sales_and_company_management_system | An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. There is a discrepancy in username checking between a component that does string validation and a component that is supposed to query a MySQL database. Thus, it is possible to register a new account with a duplicate username, as demonstrated by use of the test%c2 string when a test account already exists. | 2018-11-29 | not yet calculated | CVE-2018-19654 MISC
samba -- ldap_server | A denial of service vulnerability was discovered in Samba's LDAP server before versions 4.7.12, 4.8.7, and 4.9.3. A CNAME loop could lead to infinite recursion in the server. An unprivileged local attacker could create such an entry, leading to denial of service. | 2018-11-28 | not yet calculated | CVE-2018-14629 BID CONFIRM CONFIRM UBUNTU UBUNTU DEBIAN CONFIRM
samba -- samba | Samba from version 4.0.0 and before versions 4.7.12, 4.8.7, 4.9.3 is vulnerable to a denial of service. During the processing of an LDAP search, before Samba's AD DC returns the LDAP entries to the client, the entries are cached in a single memory object with a maximum size of 256MB. When this size is reached, the Samba process providing the LDAP service will follow the NULL pointer, terminating the process. There is no further vulnerability associated with this issue, merely a denial of service. | 2018-11-28 | not yet calculated | CVE-2018-16851 BID CONFIRM CONFIRM UBUNTU UBUNTU DEBIAN CONFIRM
samba -- samba | Samba from version 4.9.0 and before version 4.9.3 is vulnerable to a NULL pointer de-reference. During the processing of a DNS zone in the DNS management DCE/RPC server, the internal DNS server or the Samba DLZ plugin for BIND9, if the DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS property is set, the server will follow a NULL pointer and terminate. There is no further vulnerability associated with this issue, merely a denial of service. | 2018-11-28 | not yet calculated | CVE-2018-16852 BID CONFIRM CONFIRM CONFIRM
samba -- samba | Samba from version 4.3.0 and before versions 4.7.12, 4.8.7 and 4.9.3 is vulnerable to a denial of service. When configured to accept smart-card authentication, Samba's KDC will call talloc_free() twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ. This is only possible after authentication with a trusted certificate. talloc is robust against further corruption from a double-free with talloc_free() and directly calls abort(), terminating the KDC process. | 2018-11-28 | not yet calculated | CVE-2018-16841 BID CONFIRM CONFIRM UBUNTU UBUNTU DEBIAN CONFIRM
samba -- samba | Samba from version 4.7.0 has a vulnerability that allows a user in a Samba AD domain to crash the KDC when Samba is built in the non-default MIT Kerberos configuration. With this advisory the Samba Team clarifies that the MIT Kerberos build of the Samba AD DC is considered experimental. Therefore the Samba Team will not issue security patches for this configuration. Additionally, Samba 4.7.12, 4.8.7 and 4.9.3 have been issued as security releases to prevent building of the AD DC with MIT Kerberos unless --with-experimental-mit-ad-dc is specified to the configure command. | 2018-11-28 | not yet calculated | CVE-2018-16853 BID CONFIRM CONFIRM CONFIRM
samba -- samba | Samba from version 4.9.0 and before version 4.9.3 that have AD DC configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all. The primary risk from this issue is with regards to domains that have been upgraded from Samba 4.8 and earlier. In these cases the manual testing done to confirm an organisation's password policies apply as expected may not have been re-done after the upgrade. | 2018-11-28 | not yet calculated | CVE-2018-16857 BID CONFIRM CONFIRM CONFIRM
schneider_electric -- quantum_modicon | An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the password delete function of the web server. | 2018-11-30 | not yet calculated | CVE-2018-7809 CONFIRM MISC
schneider_electric -- quantum_modicon | An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the change password function of the web server. | 2018-11-30 | not yet calculated | CVE-2018-7811 CONFIRM MISC
schneider_electric -- quantum_modicon | An Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where a denial of service can occur for ~1 minute by sending a specially crafted HTTP request. | 2018-11-30 | not yet calculated | CVE-2018-7830 CONFIRM MISC
schneider_electric -- quantum_modicon | An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 allowing an attacker to send a specially crafted URL to a currently authenticated web server user to execute a password change on the web server. | 2018-11-30 | not yet calculated | CVE-2018-7831 CONFIRM MISC
schneider_electric -- quantum_modicon | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 allowing an attacker to craft a URL containing JavaScript that will be executed within the user's browser, potentially impacting the machine the browser is running on. | 2018-11-30 | not yet calculated | CVE-2018-7810 CONFIRM MISC
schneider_electric -- struxureware_data_center_operation | Data Center Operation allows for the upload of a zip file from its user interface to the server. A carefully crafted, malicious file could be mistakenly uploaded by an authenticated user via this feature which could contain path traversal file names. As such, it could allow for the arbitrary upload of files contained within the zip onto the server file system outside of the intended directory. This leverages the more commonly known ZipSlip vulnerability in Java code. | 2018-11-30 | not yet calculated | CVE-2018-7806 MISC
schneider_electric -- struxureware_data_center_expert | Data Center Expert, versions 7.5.0 and earlier, allows for the upload of a zip file from its user interface to the server. A carefully crafted, malicious file could be mistakenly uploaded by an authenticated user via this feature which could contain path traversal file names. As such, it could allow for the arbitrary upload of files contained within the zip onto the server file system outside of the intended directory. This leverages the more commonly known ZipSlip vulnerability in Java code. | 2018-11-30 | not yet calculated | CVE-2018-7807 MISC
sdcms -- sdcms | app/plug/attachment/controller/admincontroller.php in SDCMS 1.6 allows reading arbitrary files via a /?m=plug&c=admin&a=index&p=attachment&root= directory traversal. The value of the root parameter must be base64 encoded (note that base64 encoding, instead of URL encoding, is very rare in a directory traversal attack vector). | 2018-11-29 | not yet calculated | CVE-2018-19748 MISC MISC
sdcms -- sdcms | An issue was discovered in SDCMS 1.6 with PHP 5.x. app/admin/controller/themecontroller.php uses a check_bad function in an attempt to block certain PHP functions such as eval, but does not prevent use of preg_replace 'e' calls, allowing users to execute arbitrary code by leveraging access to admin template management. | 2018-11-25 | not yet calculated | CVE-2018-19520 MISC MISC
showdoc -- showdoc | server/index.php?s=/api/teamMember/save in ShowDoc 2.4.2 has a CSRF that can add members to a team. | 2018-11-28 | not yet calculated | CVE-2018-19621 MISC
showdoc -- showdoc | ShowDoc 2.4.1 allows remote attackers to obtain sensitive information by navigating with a modified page_id, as demonstrated by reading note content, or discovering a username in the JSON data at a diff URL. | 2018-11-27 | not yet calculated | CVE-2018-19609 MISC
showdoc -- showdoc | ShowDoc 2.4.1 allows remote attackers to edit other users' notes by navigating with a modified page_id. | 2018-11-28 | not yet calculated | CVE-2018-19620 MISC MISC MISC
sikcms -- sikcms | sikcms 1.1 has CSRF via admin.php?m=Admin&c=Users&a=userAdd to add an administrator account. | 2018-11-26 | not yet calculated | CVE-2018-19561 MISC
suse -- opensuse_leap_and_suse_linux_enterprise | An incorrect variable in a SUSE-specific patch for pam_access rule matching in PAM 1.3.0 in openSUSE Leap 15.0 and SUSE Linux Enterprise 15 could lead to pam_access rules not being applied (fail open). | 2018-11-27 | not yet calculated | CVE-2018-17953 CONFIRM
symantec -- endpoint_protection | Symantec Endpoint Protection prior to 14.2 MP1 may be susceptible to a DLL Preloading vulnerability, which in this case is an issue that can occur when an application being installed unintentionally loads a DLL provided by a potential attacker. Note that this particular type of exploit only manifests at install time; no remediation is required for software that has already been installed. This issue only impacted the Trialware media for Symantec Endpoint Protection, which has since been updated. | 2018-11-29 | not yet calculated | CVE-2018-12245 BID CONFIRM
symantec -- multiple_products | Norton prior to 22.15; Symantec Endpoint Protection (SEP) prior to 12.1.7454.7000 & 14.2; Symantec Endpoint Protection Small Business Edition (SEP SBE) prior to NIS-22.15.1.8 & SEP-12.1.7454.7000; and Symantec Endpoint Protection Cloud (SEP Cloud) prior to 22.15.1 may be susceptible to an AV bypass issue, which is a type of exploit that works to circumvent one of the virus detection engines to avoid a specific type of virus protection. One of the antivirus engines depends on a signature pattern from a database to identify malicious files and viruses; the antivirus bypass exploit looks to alter the file being scanned so it is not detected. | 2018-11-29 | not yet calculated | CVE-2018-12238 BID CONFIRM
symantec -- multiple_products | Norton prior to 22.15; Symantec Endpoint Protection (SEP) prior to 12.1.7454.7000 & 14.2; Symantec Endpoint Protection Small Business Edition (SEP SBE) prior to NIS-22.15.1.8 & SEP-12.1.7454.7000; and Symantec Endpoint Protection Cloud (SEP Cloud) prior to 22.15.1 may be susceptible to an AV bypass issue, which is a type of exploit that works to circumvent one of the virus detection engines to avoid a specific type of virus protection. One of the antivirus engines depends on a signature pattern from a database to identify malicious files and viruses; the antivirus bypass exploit looks to alter the file being scanned so it is not detected. | 2018-11-29 | not yet calculated | CVE-2018-12239
BID
CONFIRMsymantec -- security_analytics_web_uiThe Symantec Security Analytics (SA) 7.x prior to 7.3.4 Web UI is susceptible to a reflected cross-site scripting (XSS) vulnerability. A remote attacker with knowledge of the SA web UI hostname or IP address can craft a malicious URL for the SA web UI and target SA web UI users with phishing attacks or other social engineering techniques. A successful attack allows injecting malicious JavaScript code into the SA web UI client application.2018-11-27not yet calculatedCVE-2018-12241
BID
CONFIRMtcpdump -- tcpdumpIn tcpdump 4.9.2, a stack-based buffer over-read exists in the print_prefix function of print-hncp.c via crafted packet data because of missing initialization.2018-11-25not yet calculatedCVE-2018-19519
MISCteledyne_dalsa -- sherlockA stack-based buffer overflow vulnerability has been identified in Teledyne DALSA Sherlock Version 7.2.7.4 and prior, which may allow remote code execution.2018-11-28not yet calculatedCVE-2018-17930
BID
MISC
MISCterramaster -- tosCross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders via JavaScript in Shared Folders' names.2018-11-27not yet calculatedCVE-2018-13357
MISCterramaster -- tosSystem command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter.2018-11-27not yet calculatedCVE-2018-13353
MISCterramaster -- tosSystem command injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "Event" parameter.2018-11-27not yet calculatedCVE-2018-13354
MISCterramaster -- tosUser enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter.2018-11-27not yet calculatedCVE-2018-13361
MISCterramaster -- tosIncorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper authorization.2018-11-27not yet calculatedCVE-2018-13355
MISCterramaster -- tosCross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL parameter.2018-11-27not yet calculatedCVE-2018-13360
MISCterramaster -- tosSystem command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "checkName" parameter.2018-11-27not yet calculatedCVE-2018-13358
MISCterramaster -- tosSystem command injection in ajaxdata.php in TerraMaster TOS 3.1.03 allows attackers to execute system commands via the "newname" parameter.2018-11-27not yet calculatedCVE-2018-13418
MISCterramaster -- tosCross-site scripting in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "modgroup" parameter.2018-11-27not yet calculatedCVE-2018-13359
MISCterramaster -- tosIncorrect access control on ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to elevate user permissions.2018-11-27not yet calculatedCVE-2018-13356
MISCterramaster -- tosCross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing users by placing JavaScript in their usernames.2018-11-27not yet calculatedCVE-2018-13331
MISCterramaster -- tosSession Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript.2018-11-27not yet calculatedCVE-2018-13337
MISCterramaster -- tosCross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing shared folders via their descriptions.2018-11-27not yet calculatedCVE-2018-13335
MISCterramaster -- tosCross-site scripting in handle.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "options[sysname]" parameter.2018-11-27not yet calculatedCVE-2018-13334
MISCterramaster -- tosCross-site scripting in File Manager in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript in the permissions window by placing JavaScript in users' usernames.2018-11-27not yet calculatedCVE-2018-13333
MISCterramaster -- tosDirectory Traversal in the explorer application in TerraMaster TOS version 3.1.03 allows attackers to upload files to arbitrary locations via the "path" URL parameter.2018-11-27not yet calculatedCVE-2018-13332
MISCterramaster -- tosSystem command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group creation via the "groupname" parameter.2018-11-27not yet calculatedCVE-2018-13330
MISCterramaster -- tosSystem command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "pwd" parameter during user creation.2018-11-27not yet calculatedCVE-2018-13336
MISCterramaster -- tosCross-site scripting in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "lines" URL parameter.2018-11-27not yet calculatedCVE-2018-13329
MISCterramaster -- tosSystem command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation.2018-11-27not yet calculatedCVE-2018-13338
MISCterramaster -- tosCross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user's username.2018-11-27not yet calculatedCVE-2018-13349
MISCterramaster -- tosSQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the "Event" parameter.2018-11-27not yet calculatedCVE-2018-13350
MISCterramaster -- tosSession Exposure in the web application for TerraMaster TOS version 3.1.03 allows attackers to view active session tokens in a world-readable directory.2018-11-27not yet calculatedCVE-2018-13352
MISCterramaster -- tosCross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the edit password form.2018-11-27not yet calculatedCVE-2018-13351
MISCthe-sleuth_kit -- the_sleuth_kit
 In The Sleuth Kit (TSK) through 4.6.4, hfs_cat_traverse in tsk/fs/hfs.c does not properly determine when a key length is too large, which allows attackers to cause a denial of service (SEGV on unknown address with READ memory access in a tsk_getu16 call in hfs_dir_open_meta_cb in tsk/fs/hfs_dent.c).2018-11-29not yet calculatedCVE-2018-19497
MISC
MISCtibco_software -- tibco_statistica_serverThe web application of the TIBCO Statistica component of TIBCO Software Inc.'s TIBCO Statistica Server contains vulnerabilities which may allow an authenticated user to perform cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Statistica Server versions up to and including 13.4.0.2018-11-26not yet calculatedCVE-2018-18807
BID
MISC
CONFIRMtotolink -- a3002ru_routersCross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's password.2018-11-26not yet calculatedCVE-2018-13309
MISCtotolink -- a3002ru_routersCross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's username.2018-11-26not yet calculatedCVE-2018-13310
MISCtotolink -- a3002ru_routersSystem command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter.2018-11-27not yet calculatedCVE-2018-13306
MISCtotolink -- a3002ru_routersSystem command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Certain payloads cause the device to become permanently inoperable.2018-11-27not yet calculatedCVE-2018-13307
MISCtotolink -- a3002ru_routersCross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "User phrases button" field.2018-11-26not yet calculatedCVE-2018-13308
MISCtotolink -- a3002ru_routersCross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "Input your notice URL" field.2018-11-26not yet calculatedCVE-2018-13312
MISCtotolink -- a3002ru_routersPassword disclosure in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to obtain the plaintext password for the admin user by making a GET request for password.htm.2018-11-26not yet calculatedCVE-2018-13317
MISCtotolink -- a3002ru_routersSystem command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ipAddr" POST parameter.2018-11-27not yet calculatedCVE-2018-13314
MISCtotolink -- a3002ru_routersIncorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request.2018-11-26not yet calculatedCVE-2018-13315
MISCtotolink -- a3002ru_routersSystem command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "subnet" POST parameter.2018-11-27not yet calculatedCVE-2018-13316
MISCtotolink -- a3002ru_routersSystem command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "sambaUser" POST parameter.2018-11-26not yet calculatedCVE-2018-13311
MISCtp-link -- archer_c5_devicesTP-Link Archer C5 devices through V2_160201_US allow remote command execution via shell metacharacters on the wan_dyn_hostname line of a configuration file that is encrypted with the 478DA50BF9E3D2CF key and uploaded through the web GUI by using the web admin account. The default password of admin may be used in some cases.2018-11-25not yet calculatedCVE-2018-19537
MISCtp-link -- tl-r600vpn_http_serverAn exploitable remote code execution vulnerability exists in the HTTP header-parsing function of the TP-Link TL-R600VPN HTTP Server. A specially crafted HTTP request can cause a buffer overflow, resulting in remote code execution on the device. An attacker can send an authenticated HTTP request to trigger this vulnerability.2018-12-01not yet calculatedCVE-2018-3951
MISCtp-link -- tl-r600vpn_http_serverAn exploitable denial-of-service vulnerability exists in the URI-parsing functionality of the TP-Link TL-R600VPN HTTP server. A specially crafted URL can cause the server to stop responding to requests, resulting in downtime for the management portal. An attacker can send either an unauthenticated or authenticated web request to trigger this vulnerability.2018-11-30not yet calculatedCVE-2018-3948
MISCtp-link -- tl-r600vpn_http_serverAn exploitable information disclosure vulnerability exists in the HTTP server functionality of the TP-Link TL-R600VPN. A specially crafted URL can cause a directory traversal, resulting in the disclosure of sensitive system files. An attacker can send either an unauthenticated or an authenticated web request to trigger this vulnerability.2018-11-30not yet calculatedCVE-2018-3949
MISCtp-link -- tl-r600vpn_hwv3_frnv1.3.o_and_hwv2_frnv1.2.3An exploitable remote code execution vulnerability exists in the ping and tracert functionality of the TP-Link TL-R600VPN HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3 http server. A specially crafted IP address can cause a stack overflow, resulting in remote code execution. An attacker can send a single authenticated HTTP request to trigger this vulnerability.2018-11-30not yet calculatedCVE-2018-3950
MISCtp-link -- tl-wr886n_devicesTP-Link TL-WR886N 7.0 1.1.0 devices allow remote attackers to cause a denial of service (Tlb Load Exception) via crafted DNS packets to port 53/udp.2018-11-25not yet calculatedCVE-2018-19528
MISCtp4a -- teleporttp4a TELEPORT 3.1.0 has CSRF via user/do-reset-password to change any password, such as the administrator password.2018-11-26not yet calculatedCVE-2018-19555
MISCtp5cms -- tp5cmsAn issue was discovered in tp5cms through 2017-05-25. admin.php/system/set.html has XSS via the title parameter.2018-11-29not yet calculatedCVE-2018-19693
MISCtp5cms -- tp5cmsAn issue was discovered in tp5cms through 2017-05-25. admin.php/upload/picture.html allows remote attackers to execute arbitrary PHP code by uploading a .php file with the image/jpeg content type.2018-11-29not yet calculatedCVE-2018-19692
MISCumbraco -- umbraco_cmsPersistent cross-site scripting (XSS) vulnerability in Umbraco CMS 7.12.3 allows authenticated users to inject arbitrary web script via the Header Name of a content (Blog, Content Page, etc.). The vulnerability is exploited when updating or removing public access of a content.2018-11-27not yet calculatedCVE-2018-17256
MISCuniversity_of_washington -- imap_toolkit_2007f
 University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.2018-11-25not yet calculatedCVE-2018-19518
BID
SECTRACK
MISC
MISC
MISC
MISC
MISC
MISC
MISC
CONFIRM
MISC
EXPLOIT-DB
MISCvmware -- workstationVMware Workstation (15.x before 15.0.2 and 14.x before 14.1.5) and Fusion (11.x before 11.0.2 and 10.x before 10.1.5) contain an integer overflow vulnerability in the virtual network devices. This issue may allow a guest to execute code on the host.2018-11-27not yet calculatedCVE-2018-6983
BID
CONFIRMwireshark -- wiresharkIn Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the MMSE dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-mmse.c by preventing length overflows.2018-11-28not yet calculatedCVE-2018-19622
BID
MISC
MISC
MISCwireshark -- wiresharkIn Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the LBMPDM dissector could crash. In addition, a remote attacker could write arbitrary data to any memory locations before the packet-scoped memory. This was addressed in epan/dissectors/packet-lbmpdm.c by disallowing certain negative values.2018-11-28not yet calculatedCVE-2018-19623
BID
MISC
MISC
MISCwireshark -- wiresharkIn Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the PVFS dissector could crash. This was addressed in epan/dissectors/packet-pvfs2.c by preventing a NULL pointer dereference.2018-11-28not yet calculatedCVE-2018-19624
BID
MISC
MISC
MISCwireshark -- wiresharkIn Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the dissection engine could crash. This was addressed in epan/tvbuff_composite.c by preventing a heap-based buffer over-read.2018-11-28not yet calculatedCVE-2018-19625
BID
MISC
MISC
MISCwireshark -- wiresharkIn Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the DCOM dissector could crash. This was addressed in epan/dissectors/packet-dcom.c by adding '\0' termination.2018-11-28not yet calculatedCVE-2018-19626
BID
MISC
MISC
MISCwireshark -- wiresharkIn Wireshark 2.6.0 to 2.6.4, the ZigBee ZCL dissector could crash. This was addressed in epan/dissectors/packet-zbee-zcl-lighting.c by preventing a divide-by-zero error.2018-11-28not yet calculatedCVE-2018-19628
BID
MISC
MISC
MISCwireshark -- wiresharkIn Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the IxVeriWave file parser could crash. This was addressed in wiretap/vwr.c by adjusting a buffer boundary.2018-11-28not yet calculatedCVE-2018-19627
BID
MISC
MISC
MISCwordpress -- wordpressA Race condition vulnerability in unzip_file in admin/import/class-import-settings.php in the Yoast SEO (wordpress-seo) plugin before 9.2.0 for WordPress allows an SEO Manager to perform command execution on the Operating System via a ZIP import.2018-11-28not yet calculatedCVE-2018-19370
MISC
MISC
MISCwordpress -- wordpressStored XSS was discovered in the Easy Testimonials plugin 3.2 for WordPress. Three wp-admin/post.php parameters (_ikcf_client and _ikcf_position and _ikcf_other) have Cross-Site Scripting.2018-11-26not yet calculatedCVE-2018-19564
EXPLOIT-DBxiaomi -- mi_routerCross-site scripting vulnerability in the API 404 page on Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary JavaScript via a modified URL path.2018-11-27not yet calculatedCVE-2018-13022
MISCxiaomi -- mi_routerSystem command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL parameter.2018-11-27not yet calculatedCVE-2018-13023
MISCxiaomi -- mi_routerSystem command injection in request_mitv in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary system commands via the "payload" URL parameter.2018-11-27not yet calculatedCVE-2018-16130
MISCz-blogphp -- z-blogphpzb_system/admin/index.php?act=UploadMng in Z-BlogPHP 1.5 mishandles file preview, leading to content spoofing.2018-11-26not yet calculatedCVE-2018-19556
MISCzoom_video_communications -- zoomZoom clients on Windows (before version 4.1.34814.1119), Mac OS (before version 4.1.34801.1116), and Linux (2.4.129780.0915 and below) are vulnerable to unauthorized message processing. A remote unauthenticated attacker can spoof UDP messages from a meeting attendee or Zoom server in order to invoke functionality in the target client. This allows the attacker to remove attendees from meetings, spoof messages from users, or hijack shared screens.2018-11-30not yet calculatedCVE-2018-15715
MISCzyxel_communications -- nsa325_devicesA system command injection vulnerability in zyshclient in ZyXEL NSA325 V2 version 4.81 allows attackers to execute system commands via the web application API.2018-11-27not yet calculatedCVE-2018-14893
MISCzyxel_communications -- nsa325_devicesMissing protections against Cross-Site Request Forgery in the web application in ZyXEL NSA325 V2 version 4.81 allow attackers to perform state-changing actions via crafted HTTP forms.2018-11-27not yet calculatedCVE-2018-14892
MISCBack to top

Protecting Against Identity Theft

US-CERT All NCAS Products - Fri, 11/30/2018 - 03:12
Original release date: November 29, 2018

As the holidays draw near, many consumers turn to the internet to shop for goods and services. Although online shopping can offer convenience and save time, shoppers should be cautious online and protect personal information against identity theft. Identity thieves steal personal information, such as credit card numbers, and run up bills in the victim's name.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages consumers to review the following tips to help reduce the risk of falling prey to identity theft:

If you believe you are a victim of identity theft, visit the FTC’s identity theft website to file a report and create a personal recovery plan.


AR18-337D: MAR-10164494.r1.v1 – SamSam4

US-CERT All NCAS Products - Fri, 11/30/2018 - 02:00
Original release date: November 29, 2018 | Last revised: December 03, 2018
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary

Description

Three artifacts were submitted for analysis.

For a downloadable copy of IOCs, see:

MAR-10164494.r1.v1.stix

Submitted Files (3)

738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86 (mswinupdate.exe)

9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12 (ClassLibrary1.dll)

bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58 (g04inst.bat)

Findings

9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12

Tags

downloader, ransomware, trojan

Details

Name: ClassLibrary1.dll
Size: 5120 bytes
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 76bd79f774ae892fd6a30b6463050a91
SHA1: 4d7a60bd1fb3677a553f26d95430c107c8485129
SHA256: 9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12
SHA512: 67e0046db0b565a1ac1862bbd536016c3ea984f8fceadaa31b4c99e7a8b434b170d5badbb10c2c25e264b17bbf2f97576f252e7ef74279b3b845b1553cef9829
ssdeep: 48:6DhamfhRd4tvDo4Xbgj/aarU3LT88VMM8UX8i02+KfANbU7gjBRd1trWO8lGO+3L:m+5DoAbgfU88Spi0oANbsgjMPYp3XIIE
Entropy: 4.004964

Antivirus

Ahnlab | Trojan/Win32.Black
Antiy | Trojan/Win32.AGeneric
BitDefender | Trojan.GenericKD.30369417
ClamAV | Win.Trojan.Agent-6538241-0
Cyren | W32/Trojan.URRI-3517
ESET | a variant of MSIL/Runner.N trojan
Emsisoft | Trojan.GenericKD.30369417 (B)
Ikarus | Ransom.MSIL.Samas
K7 | Riskware ( 0040eff71 )
McAfee | Ransomware-GJY!76BD79F774AE
Microsoft Security Essentials | Ransom:MSIL/Samas.D
NANOAV | Trojan.Win32.Runner.ffvfbl
Sophos | Troj/Samas-F
Symantec | Trojan.Gen.2
Systweak | trojan.downloader
TrendMicro | TROJ_STUBDCRYP.A
TrendMicro House Call | TROJ_STUBDCRYP.A

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date: 2018-01-28 06:09:15-05:00
Import Hash: dae02f32a21e03ce65412f6e56942daa
File Description: ClassLibrary1
Internal Name: ClassLibrary1.dll
Legal Copyright: Copyright © 2018
Original Filename: ClassLibrary1.dll
Product Name: ClassLibrary1
Product Version: 1.0.0.0

PE Sections

MD5 | Name | Raw Size | Entropy
34943f18fd2a99cc3f5cabe43b4765f8 | header | 512 | 2.547920
06219fe6e30e15dce12688ca2b434890 | .text | 3072 | 4.856670
11b58fc9ac45168b871cc50399b7c86c | .rsrc | 1024 | 2.888335
ec45a535f38fb6dc4ac4ed7cbf63b754 | .reloc | 512 | 0.081539

Description

This file is a .NET Class Library module designed to decrypt the encrypted data file with a ".stubbin" extension using the Rijndael encryption algorithm.

Displayed below is the encryption key and the initialization vector used for decryption.

--Begin encryption information--
rijndael.Key = hdfgkhioiugyfyghdseertdfygu
rijndael.IV = ghtrfdfdewsdfgtyhgjgghfdg
--End encryption information--

738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86

Tags

ransomware, trojan

Details

Name: mswinupdate.exe
Size: 6144 bytes
Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: b96620d8a08fa436ea22ef480dd883ce
SHA1: a1ab74d2f06a542e77ea2c6d641aae4ed163a2da
SHA256: 738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86
SHA512: 2a9f4ebb025c8e7b4e074d301477656ffad66318da5ea35ddc8363c17f4bdbf501778539133261adbb9f441066a1e2b79240306ad1877f5ef17009c8f05ff4a6
ssdeep: 48:6ZMMEikGAgS7zfMFmZUX7OLbqMMou6ZVqsPIUlf41cjGPRMfNFrbvZiJY527qnfF:/ikGAgS7b0807M+And6c6mBiJYPezNt
Entropy: 4.238961

Antivirus

Ahnlab | Trojan/Win32.Samas
Antiy | Trojan[Ransom]/MSIL.Samas
Avira | TR/Samas.qybuh
BitDefender | Trojan.GenericKD.30367991
Cyren | W32/Trojan.VYAP-2611
ESET | a variant of MSIL/Runner.N trojan
Emsisoft | Trojan.GenericKD.30367991 (B)
Ikarus | Ransom.MSIL.Samas
K7 | Riskware ( 0040eff71 )
McAfee | Ransomware-GJX!B96620D8A08F
Microsoft Security Essentials | Ransom:MSIL/Samas
NANOAV | Trojan.Win32.Generic.eymsce
NetGate | Malware.Generic
Sophos | Mal/Kryptik-BV
Symantec | Trojan.Gen.2
Systweak | malware.shuriken
TrendMicro | TROJ_RUNNER.GBB
TrendMicro House Call | TROJ_RUNNER.GBB
Zillya! | Trojan.Samas.Win32.32

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

Compile Date: 2018-01-28 06:09:17-05:00
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Company Name: oiauoyqtfhqiwur578q26trgqiwue ffh iufiuqwytf 78wt8
File Description: dkhjkasyfafa udfiu asd fuiysfd fiusdfh oiafiuay
Internal Name: rock2.exe
Legal Copyright: iusy ergy8wej udg uy
Original Filename: rock2.exe
Product Name: 98y4798t qiy er998ergg iuery 8 o8uieyfui qewhfiuoyafibuwy ey7fq iuyi
Product Version: 76.7.99.12

PE Sections

MD5 | Name | Raw Size | Entropy
7f1dc4bd716bc037dea251c4dff12cdd | header | 512 | 2.538579
c8076584486a2745281e4945da9b8b13 | .text | 3072 | 4.946272
1efe88aa4756d059ec1d3b49e342de5d | .rsrc | 2048 | 3.917395
7048daac38c935b38e086adcd8035d2a | .reloc | 512 | 0.081539

Packers/Compilers/Cryptors

Microsoft Visual C# v7.0 / Basic .NET

Description

This file is a PE32 .NET executable designed to search for and load an encrypted data file with a ".stubbin" extension on the victim's system. If the file exists, it uses the Rijndael algorithm in the Class Library file (ClassLibrary1.dll) to decrypt the data file. After decryption, the file deletes the encrypted data file. The encrypted file with a ".stubbin" extension was not available for analysis.

bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58

Tags

ransomware, trojan

Details

Name: g04inst.bat
Size: 276 bytes
Type: ASCII text, with CRLF line terminators
MD5: 02c19bbf8e19bb69fc7870ec872d355e
SHA1: cc76586ef94122329e825c78aad2ecb9ac064343
SHA256: bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58
SHA512: 283681b5b8e78440bf474c8e50504e6e82f25bd3f6240d5e70600e43fc9fd609a78ee7b837c9b68aa25ed13f2ee735f360a18e614ded15e11bb62043cd028c99
ssdeep: 6:JF1ZzA+QragXsoNLYjClAVyXHI+CIwZALICLA9XEUXR/JgW:L1J4aSJF+dyXo+Bb0LEUhyW
Entropy: 4.962735

Antivirus

McAfee | BAT/Starter.h
Microsoft Security Essentials | Ransom:BAT/Samas
Sophos | Troj/RansRun-A
Symantec | Trojan.Malscript

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a batch file designed to execute mswinupdate.exe with predefined arguments. Displayed below are the arguments:

--Begin arguments--
Format: %myrunner% %password% %path% %totalprice% %priceperhost%
Sample: mswinupdate.exe <password> juxtapositional 5 0.8
--End arguments--
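The following triage script is an added example and is not part of the MAR or of any NCCIC tooling. It ties together the runner behaviour described for mswinupdate.exe (the ".stubbin" payload it looks for) and the g04inst.bat argument layout above: it hashes a directory tree against the report's three SHA-256 values, flags ".stubbin" files, and scans batch files for a command line of the shape `<exe> <password> <path> <totalprice> <priceperhost>`. The sample tree built in demo() is constructed for illustration and contains stand-ins, not the real artifacts.

```python
"""Added example (not part of the MAR): triage for the SamSam artifacts above.

(1) SHA-256 match against the report's Submitted Files list,
(2) flag the ".stubbin" payload extension the runner searches for,
(3) scan .bat files for a runner invocation shaped like g04inst.bat.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 values taken from the MAR's "Submitted Files (3)" list.
MAR_SHA256 = {
    "738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86": "mswinupdate.exe",
    "9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12": "ClassLibrary1.dll",
    "bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58": "g04inst.bat",
}

# One command line: an .exe, a password token, a path token, then two numbers
# (total price, price per host), i.e. the documented format
# "%myrunner% %password% %path% %totalprice% %priceperhost%".
RUNNER_RE = re.compile(
    r'^\s*"?(?P<exe>[^\s"]+\.exe)"?\s+(?P<password>\S+)\s+(?P<path>\S+)'
    r"\s+(?P<total>\d+(?:\.\d+)?)\s+(?P<per_host>\d+(?:\.\d+)?)\s*$",
    re.IGNORECASE,
)


def sha256_of(path):
    """Stream the file through SHA-256 so large files are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_runner_lines(text):
    """Return one dict per batch line matching the runner argument shape.

    Matching on the argument shape rather than on the name mswinupdate.exe
    still works when the operator renames the executable.
    """
    return [m.groupdict() for m in map(RUNNER_RE.match, text.splitlines()) if m]


def triage_directory(root, extra_sha256=None):
    """Walk `root`; return sorted (finding, relative_path, detail) tuples.

    extra_sha256 adds hashes beyond the MAR list (demo() uses it so a
    constructed stand-in file can exercise the hash match).
    """
    known = dict(MAR_SHA256)
    known.update(extra_sha256 or {})
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        digest = sha256_of(p)
        if digest in known:
            findings.append(("known-hash", rel, known[digest]))
        if p.suffix.lower() == ".stubbin":
            findings.append(("stubbin-payload", rel, f"{p.stat().st_size} bytes"))
        if p.suffix.lower() == ".bat":
            for hit in find_runner_lines(p.read_text(errors="replace")):
                detail = (f"{hit['exe']} path={hit['path']} "
                          f"total={hit['total']} per_host={hit['per_host']}")
                findings.append(("runner-invocation", rel, detail))
    return sorted(findings)


def demo():
    """Build a constructed sample tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-in for the runner; its hash is passed via extra_sha256.
        runner = root / "mswinupdate.exe"
        runner.write_bytes(b"MZ constructed stand-in, not the real binary\n")
        # Constructed placeholder with the extension the runner searches for.
        (root / "sub").mkdir()
        (root / "sub" / "data.stubbin").write_bytes(b"\x00" * 32)
        # Constructed launcher using the MAR's argument layout, with noise lines.
        (root / "g04inst.bat").write_text(
            "@echo off\r\nmswinupdate.exe s3cretpw juxtapositional 5 0.8\r\necho done\r\n"
        )
        # A benign batch line of a different shape must not be flagged.
        (root / "backup.bat").write_text("robocopy C:\\src D:\\dst /MIR\r\n")
        return triage_directory(root, {sha256_of(runner): "mswinupdate.exe (constructed)"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```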

Recommendations

NCCIC would like to remind users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate ACLs.

Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, Guide to Malware Incident Prevention & Handling for Desktops and Laptops.

Contact Information

NCCIC continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the NCCIC at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to NCCIC? Malware samples can be submitted via three methods:

NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov.

Revisions
  • December 3, 2018: Initial version


Cisco Releases Security Update

US-CERT All NCAS Products - Thu, 11/29/2018 - 02:53
Original release date: November 28, 2018

Cisco has released a security update to address a vulnerability in Cisco Prime License Manager. A remote attacker could exploit this vulnerability to obtain sensitive information.

NCCIC encourages users and administrators to review the Cisco Security Advisory and apply the necessary update.


3ve – Fraudulent Online Advertising

US-CERT All NCAS Products - Tue, 11/27/2018 - 19:10
Original release date: November 27, 2018

The Department of Homeland Security and the Federal Bureau of Investigation have released a joint Technical Alert (TA) on a major online ad fraud operation—referred to by the U.S. Government as "3ve."

NCCIC encourages users and administrators to review Alert TA18-331A: 3ve – Major Online Ad Fraud Operation for more information.
