Wednesday, November 20, 2019

[USN-4166-2] PHP vulnerability

---------- Forwarded message ---------
From: Leonidas S. Barbosa
Date: Oct 29, 2019 8:32PM

It was discovered that PHP incorrectly handled certain paths when being
used in FastCGI configurations. A remote attacker could possibly use this
issue to execute arbitrary code.

References:
  https://usn.ubuntu.com/4166-2
  https://usn.ubuntu.com/4166-1
  CVE-2019-11043
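The advisory gives only a one-line summary. As an added example (mine, not Ubuntu's or the PHP project's), the Python below does two things a practitioner would want: it emulates the `fastcgi_split_path_info` regex found in most nginx + PHP-FPM examples and shows that a newline in the request path makes it fail to match, leaving PATH_INFO empty, which is the input condition public write-ups of CVE-2019-11043 describe; and it scans a constructed nginx config for `location` blocks that split PATH_INFO without a `try_files ... =404` guard, the configuration-level mitigation those write-ups recommend alongside patching. The config snippets are constructed, and the nginx fallback (script name becomes the whole URI, path info empty) on a regex miss is my reading of the module documentation, not something the advisory states.

```python
"""Added example for CVE-2019-11043: nginx + PHP-FPM path handling.

Not code from the advisory, Ubuntu, nginx or PHP. Config samples are constructed.
"""
import re

# Regex used in countless nginx PHP-FPM snippets. nginx compiles it with PCRE,
# but the property shown here ('.' does not match a newline) holds in re too.
SPLIT_PATH_INFO = re.compile(r"^(.+?\.php)(/.*)$")


def split_path_info(uri: str):
    """Emulate fastcgi_split_path_info: return (script_name, path_info).

    Assumption (from the nginx module docs): when the regex does not match,
    $fastcgi_script_name falls back to the whole URI and $fastcgi_path_info is
    empty. A request path containing a raw newline (sent as %0a) hits that case.
    """
    m = SPLIT_PATH_INFO.match(uri)
    if not m:
        return uri, ""
    return m.group(1), m.group(2)


def find_exposed_php_locations(nginx_conf: str):
    """Return the selectors of 'location' blocks that split PATH_INFO for
    FastCGI but never check that the script file exists (no try_files =404).

    Uses a tiny brace matcher, so nginx regexes containing '{n}' quantifiers
    inside a block would confuse it; good enough for the common PHP block.
    """
    findings = []
    for m in re.finditer(r"location\s+([^{]+)\{", nginx_conf):
        start = m.end()
        depth, i = 1, start
        while i < len(nginx_conf) and depth:
            depth += {"{": 1, "}": -1}.get(nginx_conf[i], 0)
            i += 1
        body = nginx_conf[start:i - 1]
        uses_split = "fastcgi_split_path_info" in body
        has_guard = re.search(r"try_files\s+\S+\s+=404", body) is not None
        if uses_split and not has_guard:
            findings.append(m.group(1).strip())
    return findings


# Constructed sample: the widespread PHP-FPM block, and the same block with
# the try_files guard that refuses requests whose script path is not a file.
VULNERABLE_CONF = r"""
location ~ \.php$ {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php-fpm:9000;
}
"""

HARDENED_CONF = r"""
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php-fpm:9000;
}
"""

if __name__ == "__main__":
    print(split_path_info("/index.php/extra"))      # normal split
    print(split_path_info("/index.php/\nextra"))    # regex miss, empty PATH_INFO
    print(find_exposed_php_locations(VULNERABLE_CONF))
    print(find_exposed_php_locations(HARDENED_CONF))
```

The guard only narrows the attack surface (the request must map to an existing file); the fix is the patched PHP-FPM from the USN, and the scanner is a quick way to find the blocks worth reviewing on hosts you cannot patch immediately.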

TrendLabs: AutoIT-compiled Negasteal/Agent Tesla, Ave Maria Delivered via Malspam

Figure 1. A fake shipment advisory spam email that has a .RAR attachment containing Negasteal
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-negasteal-agent-tesla-ave-maria-delivered-via-malspam/

[USN-4161-1] Linux kernel vulnerability

---------- Forwarded message ---------
From: Seth Arnold
Date: Oct 22, 2019 5:04AM

It was discovered that the IPv6 routing implementation in the Linux kernel
contained a reference counting error leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code.

References:
  https://usn.ubuntu.com/4161-1
  CVE-2019-18198

TrendLabs: Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing

Figure 1. Screenshot showing reviews about the app; one user noted how she lost mobile credits after installing the app
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/

[Checkmk Announce] New Checkmk stable release 1.5.0p23

---------- Forwarded message ---------
From: Checkmk Announcements
Date: Tue, Oct 29, 2019 at 5:12 AM

WATO:
* 10106 FIX: GUI: Fix mismatched unit on PING packet-loss graph
* 10120 FIX: Fixed error handling in automation calls
* 10261 FIX: API: The edit_users call can now be used to edit LDAP users

User interface:
* 10265 FIX: Password policy: Do not apply expiration time for LDAP users
* 10350 FIX: Fixed #rows on rulesets pages

Site management:
* 10371 FIX: omd restore: Fix possible version issues when default version is not the site version
* 10256 FIX: Debian Buster: Fix missing check_snmp active check plugin

Notifications:
* 8793 FIX: notifications crash if non ASCII characters are present in the plugin output
* 8794 FIX: mail: SSL/TLS and STARTTLS options were not used

HW/SW inventory:
* 10346 FIX: lnx_if winperf_if if solaris_addresses: Fixed sorting interfaces; otherwise the inventory history may be polluted
* 10347 FIX: if: Moved last change field to status data tree; otherwise the inventory history may be polluted
* 10219 FIX: HW/SW Inventory: Fixed filtering inventory tree if permitted paths are configured in contact groups
* 10223 FIX: HW/SW Inventory: Do not save inventory tree if Checkmk service calculates status data inventory
* 10351 FIX: HW/SW Inventory: Do not pollute inventory archive if two numerations have different order but same entries
* 10207 FIX: HW/SW Inventory History: Skip delta trees if no changes

Event console:
* 8797 FIX: Show the Contact Person in the Event Details view
* 10307 FIX: Resolve conflict event console archive event
* 10040 FIX: Fix wrong core host name in events when using host name rewriting

Core & setup:
* 10361 FIX: MKTimeout exceptions no longer fail with no argument

Checks & agents:
* 10059 RAM Leak Protection for Windows Agent 1.5
* 8999 FIX: tcp_conn_stats: display of all tcp metrics in one single graph
* 10300 FIX: sym_brightmail_queues: bug fix where WATO configuration did not alter behaviour
* 10105 FIX: oracle_rman: don't crash on intermittent connection loss
* 7720 FIX: oracle_logswitches: Handle DB error possibly provided via the agent output
* 10211 FIX: netapp_api_volumes: Fixed scaling of latency values for ALL protocols
* 10348 FIX: mssql_databases: Do not alert if instance is not running
* 10151 FIX: mssql: Sanitize mssql ini file name
NOTE: Please refer to the migration notes!
* 10006 FIX: mk_logwatch: Do not crash upon non-matching optional subgroups and rewrites
* 10154 FIX: mgmt_ipmi_sensors: Missing service details for IPMI sensors services
NOTE: Please refer to the migration notes!
* 10267 FIX: dell_compellent_disks would not see more than 9 disks
* 10102 FIX: cifsmounts: Now displays performance data as check plugin nfsmounts does
* 10358 FIX: check_mail_loop: Fixed exception: Failed to fetch mail NR ('NoneType' object has no attribute '__getitem__')
* 10101 FIX: aws_rds.{bin_log_usage,transaction_logs_usage,replication_slot_usage}: Fixed discovering services
* 10103 FIX: agent_aws: Skip S3 buckets for which the location cannot be retrieved (AccessDenied)
* 10210 FIX: agent_aws: Fixed FilterLimitExceeded while collecting EC2 instance attributes
* 10189 FIX: Windows Agent reports allowed IP addresses correctly
* 10085 FIX: Service discovery page: Do not show long output of services
* 10308 FIX: Recover performance data output for averaged bandwidth use in IF checks
* 8914 FIX: Fix calculation of latency for netapp_api_vs_traffic 2
* 10108 FIX: Fix apt check when switched to "dist-upgrade" and encountering auto removals
* 10094 FIX: Checkmk Discovery: Fixed crash if a host has no data sources configured
* 10091 FIX: Agent AWS: Let EC2 services become stale if the instance was terminated

Plex: Livelier TV grid on Android TV

Better Live TV grid view on Android TV
We’ve leveled up our gridview channel guide on Android TV with a huge performance boost, making it faster and easier than ever to navigate to the programming you want, with even more guide updates in the coming weeks.

ADMIN: GitLab 12.3 Brings More Security to DevOps Engineers

With the release of version 12.3, GitLab has added a new security focused feature called Web Application Firewall for Kubernetes Ingress.
“In GitLab 12.3 we are shipping our first iteration of a Web Application Firewall built into the GitLab SDLC platform. Its focus is on monitoring and reporting of security concerns related to your Kubernetes clusters,” said GitLab in a press announcement.
REF: http://www.admin-magazine.com/News/GitLab-12.3-Brings-More-Security-to-DevOps-Engineers

Cloudflare WARP as VPN

We’ve made it easy to report issues that you discover. From the 1.1.1.1 App you can click on the little bug icon near the top of the screen, or just shake your phone with the app open, and quickly send us a report. We expect, over the weeks ahead, we’ll be squashing many of the bugs that you report.
REF: https://blog.cloudflare.com/announcing-warp-plus/

TrendLabs: CVE-2019-16928: Exploiting an Exim Vulnerability via EHLO Strings

Figure 1. Memory representation during heap buffer overflow
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-16928-exploiting-an-exim-vulnerability-via-ehlo-strings/

[USN-4147-1] Linux kernel vulnerabilities

---------- Forwarded message ---------
From: Steve Beattie
Date: Oct 5, 2019 1:37AM

It was discovered that the Intel Wi-Fi device driver in the Linux kernel
did not properly validate certain Tunneled Direct Link Setup (TDLS). A
physically proximate attacker could use this to cause a denial of service
(Wi-Fi disconnect). (CVE-2019-0136)

It was discovered that the Bluetooth UART implementation in the Linux
kernel did not properly check for missing tty operations. A local attacker
could use this to cause a denial of service. (CVE-2019-10207)

It was discovered that the GTCO tablet input driver in the Linux kernel did
not properly bounds check the initial HID report sent by the device. A
physically proximate attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2019-13631)

It was discovered that an out-of-bounds read existed in the QLogic QEDI
iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly
use this to expose sensitive information (kernel memory). (CVE-2019-15090)

Hui Peng and Mathias Payer discovered that the USB audio driver for the
Linux kernel did not properly validate device meta data. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2019-15117)

Hui Peng and Mathias Payer discovered that the USB audio driver for the
Linux kernel improperly performed recursion while handling device meta
data. A physically proximate attacker could use this to cause a denial of
service (system crash). (CVE-2019-15118)

It was discovered that the Raremono AM/FM/SW radio device driver in the
Linux kernel did not properly allocate memory, leading to a use-after-free.
A physically proximate attacker could use this to cause a denial of service
or possibly execute arbitrary code. (CVE-2019-15211)

It was discovered that a double-free error existed in the USB Rio 500 device
driver for the Linux kernel. A physically proximate attacker could use this
to cause a denial of service. (CVE-2019-15212)

It was discovered that a race condition existed in the CPiA2 video4linux
device driver for the Linux kernel, leading to a use-after-free. A
physically proximate attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2019-15215)

It was discovered that a race condition existed in the Softmac USB Prism54
device driver in the Linux kernel. A physically proximate attacker could
use this to cause a denial of service (system crash). (CVE-2019-15220)

Benjamin Moody discovered that the XFS file system in the Linux kernel did
not properly handle an error condition when out of disk quota. A local
attacker could possibly use this to cause a denial of service.
(CVE-2019-15538)

It was discovered that the Hisilicon HNS3 ethernet device driver in the
Linux kernel contained an out of bounds access vulnerability. A local
attacker could use this to possibly cause a denial of service (system
crash). (CVE-2019-15925)

It was discovered that the Atheros mobile chipset driver in the Linux
kernel did not properly validate data in some situations. An attacker could
use this to cause a denial of service (system crash). (CVE-2019-15926)

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen discovered
that the Bluetooth protocol BR/EDR specification did not properly require
sufficiently strong encryption key lengths. A physically proximate attacker
could use this to expose sensitive information. (CVE-2019-9506)

It was discovered that the ZR364XX Camera USB device driver for the Linux
kernel did not properly initialize memory. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2019-15217)

It was discovered that the Siano USB MDTV receiver device driver in the
Linux kernel made improper assumptions about the device characteristics. A
physically proximate attacker could use this to cause a denial of service
(system crash). (CVE-2019-15218)

It was discovered that the Line 6 POD USB device driver in the Linux kernel
did not properly validate data size information from the device. A
physically proximate attacker could use this to cause a denial of service
(system crash). (CVE-2019-15221)

It was discovered that the Line 6 USB driver for the Linux kernel contained
a race condition when the device was disconnected. A physically proximate
attacker could use this to cause a denial of service (system crash).
(CVE-2019-15223)

References:
  https://usn.ubuntu.com/4147-1
  CVE-2019-0136, CVE-2019-10207, CVE-2019-13631, CVE-2019-15090,
  CVE-2019-15117, CVE-2019-15118, CVE-2019-15211, CVE-2019-15212,
  CVE-2019-15215, CVE-2019-15217, CVE-2019-15218, CVE-2019-15220,
  CVE-2019-15221, CVE-2019-15223, CVE-2019-15538, CVE-2019-15925,
  CVE-2019-15926, CVE-2019-9506

Plex: Next generation transcoding

Yep, we just improved hardware transcoding again, giving your CPU a well-deserved break by offloading the work to that generous GPU. Depending on your setup, this means the potential to transcode more concurrent streams with even better performance.

TrendLabs: Short October Patch Tuesday Includes Remote Desktop Client, Browser, and Authentication Patches

October's Patch Tuesday is relatively modest, with Microsoft releasing a total of 59 patches. However, this shorter list still warrants attention. Nine of the 59 were still identified as Critical, while the remaining 50 were labeled Important. Most of the critical bulletins were for various Internet Explorer and Microsoft Edge vulnerabilities, with one covering a Remote Desktop Client vulnerability. The Important bulletins fixed several issues, including NTLM and Microsoft IIS server vulnerabilities.

REF: https://blog.trendmicro.com/trendlabs-security-intelligence/short-october-patch-tuesday-includes-remote-desktop-client-browser-and-authentication-patches/

LXM: CentOS 8

REF: http://www.linux-magazine.com/Issues/2019/229/This-Month-s-DVD

Thursday, November 7, 2019

MagicSoft Playout ver 7.4.7

MagicSoft Playout ver 7.4.7 adds:
     - a new algorithm for calculating the elapsed time of a trimmed clip
     - option to replace a playlist entry with a clip having the same name (right-click on the clip and choose the corresponding entry from the menu)
     - option to insert clips that will be available at a later time (by inserting a list containing the names of the clips)
     - a new algorithm for prioritizing the analysis of the selected clip
     - a new algorithm for checking the availability of the selected clip
     - option to reset the grid column settings (from the program menu, Edit -> Reset Grid Layout)
     - option to change the text and background colors of the grid (from the program menu, Configuration -> Settings -> Colors)
     - a new algorithm for extending the functionality of the folder templates to the Playlist Editor

REF: https://www.magicsoft.tv/news.html

TrendLabs: New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign

Figure 2. Screenshot showing an example of KovCoreG’s malvertisements (captured by ProofPoint)
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/

Tailgate anywhere with Plex

The inexplicable glory that is American football is now upon us. Stream games live or record them with Plex Live TV and DVR to watch wherever and whenever you want.

TrendLabs: Gambling Apps Sneak into Top 100: How Hundreds of Fake Apps Spread on iOS App Store and Google Play

Figure 2. Original webpage (left) and its English translation (right)
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/gambling-apps-sneak-top-100-hundreds-fake-apps-spread-app-store-google-play/

[USN-4146-1] ClamAV vulnerabilities

---------- Forwarded message ---------
From: Marc Deslauriers
Date: Oct 2, 2019 8:05PM

It was discovered that ClamAV incorrectly handled unpacking ZIP files. A
remote attacker could possibly use this issue to cause ClamAV to crash,
resulting in a denial of service. (CVE-2019-12625)

It was discovered that ClamAV incorrectly handled unpacking bzip2 files. A
remote attacker could use this issue to cause ClamAV to crash, resulting in
a denial of service, or possibly execute arbitrary code. (CVE-2019-12900)

References:
  https://usn.ubuntu.com/4146-1
  CVE-2019-12625, CVE-2019-12900

Cloudflare Workers Sites

Two years ago for Birthday Week, we announced Cloudflare Workers, a way for developers to write and run JavaScript and WebAssembly on our network in 194 cities around the world. A year later, we released Workers KV, our distributed key-value store that gave developers the ability to store state at the edge in those same cities.

REF:

TrendLabs: Mac Malware that Spoofs Trading App Steals User Information, Uploads it to Website

Figure 1. The suspicious shell script which was flagged by our system
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/