Sunday, December 29, 2019

TrendLabs: Why Running a Privileged Container in Docker Is a Bad Idea

Figure 1. Screen capture that shows that user namespaces are not used by default
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/why-running-a-privileged-container-in-docker-is-a-bad-idea/
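
The caption above records that Docker does not use user namespaces by default. The following check, an added example and not code from the Trend Micro post, reads /proc/self/uid_map to tell whether root inside the current namespace is the host's root. The sample uid_map contents are constructed to match the kernel's formatting.

```python
"""Check whether a container's root is really the host's root.

Added example, not code from the Trend Micro post. /proc/self/uid_map lists
"<id inside this namespace> <id in parent namespace> <range length>" rows.
In the initial user namespace (and in a default Docker container, which does
not create one) the file holds the single identity row "0 0 4294967295":
UID 0 inside is UID 0 outside. With userns-remap enabled, root inside maps to
an unprivileged host UID such as 100000.
"""
from pathlib import Path
from typing import List, Optional, Tuple

UID_MAP = Path("/proc/self/uid_map")

# Constructed sample contents, shaped like the kernel's fixed-width output.
SAMPLE_DEFAULT_DOCKER = "         0          0 4294967295\n"
SAMPLE_USERNS_REMAP = "         0     100000      65536\n"


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map/gid_map text into (inside_start, outside_start, length) rows."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        rows.append((int(fields[0]), int(fields[1]), int(fields[2])))
    return rows


def outside_uid(rows: List[Tuple[int, int, int]], inside: int) -> Optional[int]:
    """Translate a UID seen inside the namespace to the parent namespace's UID.

    Returns None when the UID is not mapped at all (outside the namespace it
    then shows up as the overflow UID, 65534 by default).
    """
    for inside_start, outside_start, length in rows:
        if inside_start <= inside < inside_start + length:
            return outside_start + (inside - inside_start)
    return None


def root_is_host_root(rows: List[Tuple[int, int, int]]) -> bool:
    """True when UID 0 in this namespace is UID 0 in the parent namespace."""
    return outside_uid(rows, 0) == 0


def check_self() -> str:
    """Report on the running process; explains itself on non-Linux hosts."""
    if not UID_MAP.exists():
        return "no /proc/self/uid_map here (not Linux); nothing to check"
    rows = parse_uid_map(UID_MAP.read_text())
    if root_is_host_root(rows):
        return "root in this namespace IS host root: no user-namespace remapping"
    return f"root in this namespace maps to host UID {outside_uid(rows, 0)}: remapping active"


if __name__ == "__main__":
    print(check_self())
```

Run it inside a container: the identity row means a breakout as root lands as host root. UID remapping limits what a breakout gains; it does not remove the extra capabilities and host device access that --privileged grants inside the container, which is what the post warns about.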

Plex: Nifty new navigation

Nifty new navigation
Our universal navigation interface has been rolled out across all our devices, bringing a consistent navigation approach to all of our officially-supported apps.

TrendLabs: Waterbear is Back, Uses API Hooking to Evade Security Product Detection

Figure 1. A typical Waterbear infection chain
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection/

Cloudflare: Announcing deeper insights and new monitoring capabilities from Cloudflare Analytics

This week we’re excited to announce a number of new products and features that provide deeper security and reliability insights, “proactive” analytics when there’s a problem, and more powerful ways to explore your data.
REF: https://blog.cloudflare.com/announcing-deeper-insights-and-new-monitoring-capabilities/?utm_medium=email&utm_source=product-announcement&utm_campaign=analytics-week-2019

Plex: It’s the most moviest time of the year.

Merry Couchmas!
Pear trees, partridges, and calling birds don’t compare to unlimited FREE holiday movies on Plex. Get cozy and warm up with the “Holiday Yule Log”, then get in the spirit with A Belle for Christmas, Christmas All Over Again, Jingle Bells, A Christmas Carol, The Dog who Saved the Holidays and more.

TrendLabs: (Almost) Hollow and Innocent: Monero Miner Remains Undetected via Process Hollowing

Figure 2. Arithmetic operations performed on the alphanumeric characters
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/almost-hollow-and-innocent-monero-miner-remains-undetected-via-process-hollowing/

Plex: Magical music

You now have the ability to add TIDAL content to your library so it shows up alongside your own personal music.

CodeWeavers: Announcing CrossOver 19.0.0

The capstone of CrossOver 19 is our new ability to run 32 bit Windows applications within a 64 bit process.  This enables us to support 32 bit Windows applications on the new macOS release, Catalina, which removed all support for 32 bit applications in October.
...
In addition to that change, CrossOver’s core technology Wine has been updated to bring much of the developments of the past year to all of our users on both Mac and Linux.  These changes include over 5,000 individual improvements, all of which will act together to improve the end user experience with CrossOver.

REF: https://www.codeweavers.com/support/forums/announce/?t=24;mhl=222780;msg=222780#msg222780

TrendLabs: Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign

Figure 9. Cassandra Crypter’s subscription plans
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/obfuscation-tools-found-in-the-capesand-exploit-kit-possibly-used-in-kurdishcoder-campaign/

ADMIN: Ubuntu Server 19.10 (Live)

  • Support for nine months until July 2020
  • Linux 5.3 kernel
  • Updates to Qemu (v4.0), libvirt (v5.4), MySQL (v8.0), PostgreSQL (v11), and more
  • A fresh set of fixes and refreshes to the installer
  • A new Ubuntu Advantage service experience
REF: http://www.admin-magazine.com/Archive/2019/54/Ubuntu-Server-19.10-Live

Plex: Silky smooth content playback

Silky smooth content playback
For the last several months, we’ve been hard at work to enhance our playback engines, making sure your content looks as good and streams as smoothly as possible.

MagicSoft Playout ver 7.4.10

MagicSoft Playout ver 7.4.10 was released and it adds:

  • improved algorithm for assigning and calculating the duration of Live input entries
  • support for importing playlists made on other databases (with different GUID identifier)

REF: https://www.magicsoft.tv/news.html

FSF: Replicant needs your help to liberate Android in 2020

The Free Software Foundation (FSF) supports the work of several important free software projects through fiscal sponsorship in a program we call Working Together for Free Software.

Donations to any of the Working Together for Free Software projects directly benefit the work that can be done. Too often, these projects are underfunded and developers are putting in a lot of personal time and effort to keep the project moving forward. Because of the FSF fiscal sponsorship, they can receive donations and apply for funding.

REF: https://www.fsf.org/blogs/community/replicant-needs-your-help-to-liberate-android-in-2020

Plex: Give the gift of Plex Pass

Give the gift of Plex Pass
Looking for a last minute holiday gift? Look no further than Plex! Give the gift that keeps on giving to someone you love.

Proxmox VE 6.1 released

  • Based on Debian Buster (10.2)
  • Ceph Nautilus (14.2.4.1)
  • Corosync 3.0
  • Kernel 5.3
  • LXC 3.2
  • Qemu 4.1.1
  • ZFS 0.8.2

    REF: https://pve.proxmox.com/wiki/Roadmap#Proxmox_VE_6.1

    TrendLabs: Mac Backdoor Linked to Lazarus Targets Korean Users

    Figure 1. The spreadsheet displays a fairly known psychological test (similar to one found here); clicking on the smiley image on the top left shows a different response depending on the user’s answer.
    REF: https://blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users/

    MagicSoft Recorder ver 2.3.0

    MagicSoft Recorder ver 2.3.0 was released and it adds an improved segmentation algorithm for better handling of continuous recording (24/7/365).

    REF: https://www.magicsoft.tv/news.html

    How Cloudflare Stood up to a Patent Troll – and Won!

    REF: https://blog.cloudflare.com/the-project-jengo-saga-how-cloudflare-stood-up-to-a-patent-troll-and-won/

    [USN-4194-1] postgresql-common vulnerability

    ---------- Forwarded message ---------
    From: Marc Deslauriers
    Date: Nov 15, 2019 3:42AM

    Rich Mirch discovered that the postgresql-common pg_ctlcluster script
    incorrectly handled directory creation. A local attacker could possibly use
    this issue to escalate privileges.

    References:
      https://usn.ubuntu.com/4194-1
      CVE-2019-3466

    TrendLabs: Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK

    Figure 1. Operation ENDTRADE’s timeline
    REF: https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/

    TrendLabs: Microsoft November 2019 Patch Tuesday Reveals 74 Patches Before Major Windows Update

    Following the relatively light list from last month, November proved to be a much more eventful month for Microsoft users. The November Patch Tuesday holds more fixes with a total of 74 patches, 13 of which were classified as Critical patches for remote code execution (RCE) vulnerabilities. The remaining majority were rated as Important and included patches for Windows graphics components and Microsoft SharePoint, among others. This Patch Tuesday also coincides with the start of the rollout of the Windows 10 November 2019 Update, which is now available to users as an opt-in version via Windows Update.

    REF: https://blog.trendmicro.com/trendlabs-security-intelligence/microsoft-november-2019-patch-tuesday-reveals-74-patches-before-major-windows-update/

    [USN-4191-2] QEMU vulnerabilities

    ---------- Forwarded message ---------
    From: Steve Beattie
    Date: Nov 14, 2019 9:04AM

     It was discovered that the LSI SCSI adapter emulator implementation in QEMU
     did not properly validate executed scripts. A local attacker could use this
     to cause a denial of service. (CVE-2019-12068)

     Sergej Schumilo, Cornelius Aschermann and Simon Wörner discovered that the
     qxl paravirtual graphics driver implementation in QEMU contained a null
     pointer dereference. A local attacker in a guest could use this to cause a
     denial of service. (CVE-2019-12155)

     Riccardo Schirone discovered that the QEMU bridge helper did not properly
     validate network interface names. A local attacker could possibly use this
     to bypass ACL restrictions. (CVE-2019-13164)

     It was discovered that a heap-based buffer overflow existed in the SLiRP
     networking implementation of QEMU. A local attacker in a guest could use
     this to cause a denial of service or possibly execute arbitrary code in the
     host. (CVE-2019-14378)

     It was discovered that a use-after-free vulnerability existed in the SLiRP
     networking implementation of QEMU. A local attacker in a guest could use
     this to cause a denial of service. (CVE-2019-15890)

    References:
      https://usn.ubuntu.com/4191-2
      https://usn.ubuntu.com/4191-1
      CVE-2019-12068, CVE-2019-12155, CVE-2019-13164, CVE-2019-14378,
      CVE-2019-15890
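
The bridge-helper item says only that interface names were not properly validated. As an added example (not QEMU's qemu-bridge-helper code), the Python below validates a requested bridge name before an allow/deny ACL lookup. It assumes the Linux IFNAMSIZ limit of 16 bytes and an ACL written in the style of bridge.conf ("allow <name>", "deny <name>", "allow all", "deny all"; the real file also supports "include", not modeled here). The sample ACL is constructed.

```python
"""Validate a bridge interface name before consulting an allow/deny ACL.

Added example, not QEMU's qemu-bridge-helper code. Assumptions: the Linux
IFNAMSIZ limit of 16 bytes (15 characters plus a terminating NUL) and an ACL
in the spirit of bridge.conf. The kernel only keeps the first IFNAMSIZ-1
bytes of an interface name, so an over-long string compares differently in
user space from the interface it ends up naming; the name is therefore
checked before any ACL comparison is made.
"""
from typing import List, Tuple

IFNAMSIZ = 16  # Linux: 15 visible bytes + NUL


def validate_ifname(name: str) -> str:
    """Return name if it is a single, kernel-safe interface name; raise otherwise."""
    if not name:
        raise ValueError("empty interface name")
    if len(name.encode("utf-8")) > IFNAMSIZ - 1:
        raise ValueError(f"{name!r} exceeds {IFNAMSIZ - 1} bytes; the kernel would truncate it")
    if name in (".", ".."):
        raise ValueError(f"{name!r} is not a valid interface name")
    if "/" in name or "\x00" in name or any(c.isspace() or not c.isprintable() for c in name):
        raise ValueError(f"{name!r} contains a slash, NUL, whitespace or control character")
    return name


def is_valid_ifname(name: str) -> bool:
    """Boolean convenience wrapper around validate_ifname."""
    try:
        validate_ifname(name)
        return True
    except ValueError:
        return False


def parse_acl(text: str) -> List[Tuple[str, str]]:
    """Parse 'allow X' / 'deny X' lines; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"ACL line {lineno}: unsupported rule {line!r}")
        verb, target = parts
        if target != "all":
            validate_ifname(target)  # a bad name in the ACL is a config error, not a silent no-op
        rules.append((verb, target))
    return rules


def bridge_allowed(rules: List[Tuple[str, str]], requested: str) -> bool:
    """First matching rule wins; no matching rule means deny."""
    name = validate_ifname(requested)  # raises before any comparison happens
    for verb, target in rules:
        if target == "all" or target == name:
            return verb == "allow"
    return False


# Constructed sample ACL, not a real bridge.conf. The denied name is exactly 15 characters.
SAMPLE_ACL = """
# management bridge is off limits to guests
deny  mgmt-bridge-15x
allow all
"""

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for req in ("br0", "mgmt-bridge-15x", "mgmt-bridge-15xA", "br 0"):
        try:
            print(f"{req!r:20} allowed={bridge_allowed(rules, req)}")
        except ValueError as exc:
            print(f"{req!r:20} rejected: {exc}")
```

The order matters. With the sample ACL, a 16-character request such as "mgmt-bridge-15xA" would never string-compare equal to the 15-character deny entry and would fall through to "allow all", yet after the kernel's truncation it names the denied bridge. Rejecting over-long names before the ACL is consulted closes that gap; validating the ACL's own entries turns a misconfiguration into an error instead of a rule that silently never matches.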

    Plex: Name that Tunefind!

    Name that Tunefind!
    Not sure about you, but sometimes when we hear a song on a show or movie, we gotta know what it is, particularly those hidden gems that don’t show up on the soundtrack.
    Worry no more— we have integrated an awesome service from a company called Tunefind into Plex to do the work for you. Go to the preplay screen for movies or TV episodes on your server and see all the tracks that are found in the episode or film, playable right in Plex, using TIDAL’s massive library!

    [USN-4223-1] OpenJDK vulnerabilities

    ---------- Forwarded message ---------
    From: Steve Beattie
    Date: Dec 18, 2019 7:53AM

    Several security issues were fixed in OpenJDK.

    Software Description:
    - openjdk-lts: Open Source Java implementation
    - openjdk-8: Open Source Java implementation

    References:
      https://usn.ubuntu.com/4223-1
      CVE-2019-2894, CVE-2019-2945, CVE-2019-2949, CVE-2019-2962,
      CVE-2019-2964, CVE-2019-2973, CVE-2019-2975, CVE-2019-2977,
      CVE-2019-2978, CVE-2019-2981, CVE-2019-2983, CVE-2019-2987,
      CVE-2019-2988, CVE-2019-2989, CVE-2019-2992, CVE-2019-2999

    TrendLabs: Patched GIF Processing Vulnerability CVE-2019-11932 Still Afflicts Multiple Mobile Apps

    Figure 5. Test code and results
    REF: https://blog.trendmicro.com/trendlabs-security-intelligence/patched-gif-processing-vulnerability-cve-2019-11932-still-afflicts-multiple-mobile-apps/

    Wednesday, December 4, 2019

    [USN-4195-1] MySQL vulnerabilities

    ---------- Forwarded message ---------
    From: Marc Deslauriers
    Date: Nov 18, 2019 10:22PM

    MySQL has been updated to 8.0.18 in Ubuntu 19.10. Ubuntu 16.04 LTS, Ubuntu
    18.04 LTS, and Ubuntu 19.04 have been updated to MySQL 5.7.28.

    In addition to security fixes, the updated packages contain bug fixes, new
    features, and possibly incompatible changes.

    Please see the following for more information:
    https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-28.html
    https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-18.html
    https://www.oracle.com/security-alerts/cpuoct2019.html

    References:
      https://usn.ubuntu.com/4195-1
      CVE-2019-2910, CVE-2019-2911, CVE-2019-2914, CVE-2019-2920,
      CVE-2019-2922, CVE-2019-2923, CVE-2019-2924, CVE-2019-2938,
      CVE-2019-2946, CVE-2019-2948, CVE-2019-2950, CVE-2019-2957,
      CVE-2019-2960, CVE-2019-2963, CVE-2019-2966, CVE-2019-2967,
      CVE-2019-2968, CVE-2019-2969, CVE-2019-2974, CVE-2019-2982,
      CVE-2019-2991, CVE-2019-2993, CVE-2019-2997, CVE-2019-2998,
      CVE-2019-3003, CVE-2019-3004, CVE-2019-3009, CVE-2019-3011,
      CVE-2019-3018

    TrendLabs: Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

    Figure 1. Screenshots of Chatrious (left) and Apex App (right)
    REF: https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-distributed-through-callerspy-mounts-initial-phase-of-a-targeted-attack/

    [Checkmk Announce] New Checkmk stable release 1.6.0p6

    ---------- Forwarded message ---------
    From: Checkmk Announcements
    Date: Tue, Nov 12, 2019 at 4:34 AM

    Checks & agents:
    * 10194 Windows Agent: logwatch section size is limited now
    * 10157 FIX: Now using /dev/null instead of closing stdin in all POSIX agents
    * 10196 FIX: All text files of the Windows Agent now have Windows style line endings
    * 10405 FIX: Allow filesystems in /var/lib/docker/ to be monitored
    * 10156 FIX: Crash upon unexpected resource ID
    * 10406 FIX: Fix Domino task check plugin to use newer PS check functions
    * 10446 FIX: Output bits/s with the appropriate SI magnitude
    * 10308 FIX: Recover performance data output for averaged bandwidth use in IF checks
    * 10310 FIX: Remove duplicated check-output in IF checks on average data
    * 10487 FIX: Warn if host has tag "Always use and expect piggyback data" and no piggyback data is available
    * 10192 FIX: Windows Agent User Config file is no longer reset after service restart
    * 10193 FIX: Windows Agent: Invalid entries have been removed from logwatch
    * 10360 FIX: agent_aws: Fetch live data from AWS if special agent configuration has changed
    * 8799 FIX: agent_kubernetes: accept millibytes as unit
    * 8798 FIX: agent_kubernetes: allow the option 'No IP' for the Kubernetes master
    * 10329 FIX: agent_splunk: Prevent InsecureRequestWarning
    * 10358 FIX: check_mail_loop: Fixed exception: Failed to fetch mail NR ('NoneType' object has no attribute '__getitem__')
    * 10448 FIX: emc_datadomain_mtree: add missing metric definition
    * 10155 FIX: emcvnx_storage_pools: Crash upon missing auto-tiering info
    * 10494 FIX: lnx_if: Fixed confusion of interface state UNKNOWN, DOWN if ethtool output is missing
    * 10507 FIX: mk_oracle: Fixed missing option to set the TNS_ADMIN in the bakery
    * 10508 FIX: mk_oracle: Fixed missing sysdg as role choice
    * 10348 FIX: mssql_databases: Do not alert if instance is not running
    * 10509 FIX: oracle_rman: Fixed wrong incremental Level 1 Backup
    * 10449 FIX: ps: cleanup counters of processes which do not exist anymore
    * 10300 FIX: sym_brightmail_queues: bug fix where WATO configuration did not alter behaviour
    * 10408 FIX: Don't discover lparstat service on host without util info
    NOTE: Please refer to the migration notes!
    * 10447 FIX: agent_kubernetes: use new API versions
    NOTE: Please refer to the migration notes!
    * 10356 FIX: bluenet2_powerrail.{temp,humidity}: Fixed discovery of ALL temperature and humidity sensors
    NOTE: Please refer to the migration notes!
    * 8806 FIX: mk_oracle: Fixed discovery of XE instances on Oracle 18c
    NOTE: Please refer to the migration notes!
    * 8805 FIX: mk_oracle: Fixed jobs with auto_drop
    NOTE: Please refer to the migration notes!
    * 10359 FIX: mk_oracle: better support for mounted databases
    NOTE: Please refer to the migration notes!

    Core & setup:
    * 10377 FIX: Fix terminating "cmk --update-dns-cache" with CTRL+C
    * 10378 FIX: Improve "Update DNS cache" / cmk --update-dns-cache performance
    * 7281 FIX: legacy local plugins: added missing register_hook call

    Event console:
    * 8797 FIX: Show the Contact Person in the Event Details view

    HW/SW inventory:
    * 10342 FIX: HW/SW Inventory: Do not overwrite inventory tree if ALL data sources of a host fail
    * 10351 FIX: HW/SW Inventory: Do not pollute inventory archive if two numerations have different order but same entries
    * 10347 FIX: if: Moved last change field to status data tree; otherwise the inventory history may be polluted
    * 10346 FIX: lnx_if winperf_if if solaris_addresses: Fixed sorting interfaces; otherwise the inventory history may be polluted
    * 10344 FIX: lnx_if: Do not inventorize dynamic IPv6 addresses which may pollute inventory history
    * 10493 FIX: lnx_if: Use MAC address from command 'ip' if the command 'ethtool' is not available
    * 10270 FIX: solaris_mem: Fix value and unit
    NOTE: Please refer to the migration notes!

    Other components:
    * 10374 NagVis: Updated to 1.9.16
    * 10372 FIX: stunnel: Improve logging of the daemon

    Site management:
    * 10371 FIX: omd restore: Fix possible version issues when default version is not the site version
    * 10376 FIX: omd: Fix possible stopped system apache after removing a site

    User interface:
    * 10510 Added more link views for Host Groups (Summary)
    * 10382 FIX: Dashboard: Add missing link for creating a new view as dashlet
    * 10455 FIX: Don't display classical checkboxes in mobile GUI
    * 10454 FIX: Don't show an error in Commands of mobile GUI
    * 10373 FIX: Fix distributed update issue related to missing theme directory
    * 10381 FIX: Fix editing dashlet views
    * 10456 FIX: Fix redirection from login page in mobile GUI
    * 10380 FIX: Fix view action menu in dashlets
    * 10350 FIX: Fixed #rows on rulesets pages
    * 10384 FIX: IE11 incompatibility: Fix reordering view painters
    * 10489 FIX: Move ruleset "Piggybacked Host Files" to group "Access to Agents"
    * 7285 FIX: Network Topology: fixed exception in exception when the maximal allowed node limit has been reached
    * 10265 FIX: Password policy: Do not apply expiration time for LDAP users
    * 10490 FIX: Rename ruleset "Piggybacked Host Files" to "Processing of Piggybacked Host Data"
    * 10228 FIX: Several minor GUI fixes
    * 10453 FIX: Show graphs in the mobile GUI
    * 10452 FIX: Use mobile GUI for mobile devices

    WATO:
    * 10407 FIX: Consistent naming for levels in Check SQL Database active check
    * 10264 FIX: Discovery page: Fix missing "toggle all" checkboxes (1.6.0p2 regression)
    * 10379 FIX: Hostname search: Host bulk actions affected all hosts (1.6.0p4 regression)
    * 10383 FIX: Make more background job results deletable
    * 10375 FIX: NagVis backends now work with encrypted Livestatus
    * 10287 FIX: Service Discovery: fix re-enabling services which were disabled in 1.4.0
    * 10546 FIX: WATO changes: Improve table rendering with many affected sites

    You can download Checkmk from our download page:
     * https://checkmk.com/download.php

    LM: Ubuntu 19.10 "Eoan Ermine"

    REF: http://www.linux-magazine.com/Issues/2020/230/This-Month-s-DVD

    [LSN-0059-1] Linux kernel vulnerability

    ---------- Forwarded message ---------
    Date: Nov 13, 2019 7:43AM

    CVE-2018-12207
      On an Ubuntu KVM host configured to use huge pages, a malicious KVM guest
      can cause a host machine check exception (MCE) capable of bringing down
      the host OS.

    CVE-2019-0154
      On Intel processors containing an i915 graphics processing unit, it is
      possible from userspace to cause a GPU hang in certain low-power states by
      reading a specific memory-mapped IO register.

    CVE-2019-0155
      On Intel processors containing an i915 graphics processing unit, it is
      possible to use the GPU's blitter command streamer to write to
      memory-mapped IO locations, which could be used for privilege escalation
      or to leak kernel memory.

    CVE-2019-11135
      On Intel processors with support for Transactional Synchronization
      Extensions (TSX), it is possible to exploit a transactional asynchronous
      abort (TAA) to perform a side-channel attack and leak kernel memory.

    References:
    CVE-2018-12207, CVE-2019-0154, CVE-2019-0155, CVE-2019-11135
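
The kernel reports its own view of these hardware issues under /sys/devices/system/cpu/vulnerabilities/. As an added example (not part of the Ubuntu notice), the Python below parses that directory, or a constructed sample of it, and flags which of the LSN-0059-1 issues the running kernel does not report as mitigated. It assumes the entries are named itlb_multihit (CVE-2018-12207) and tsx_async_abort (CVE-2019-11135); the two i915 bugs are driver issues with no sysfs entry. The sample status strings are constructed in the kernel's format.

```python
"""Summarize the kernel's own mitigation report for the LSN-0059-1 issues.

Added example; not part of the Ubuntu notice. Linux exposes one file per
hardware issue under /sys/devices/system/cpu/vulnerabilities/. Assumed names
for the two issues in the notice that have an entry: "itlb_multihit"
(CVE-2018-12207) and "tsx_async_abort" (CVE-2019-11135). Status strings
follow the kernel's conventions: "Not affected", "Mitigation: ...",
"Vulnerable...", and for itlb_multihit a "KVM: " prefix because that
mitigation lives in KVM.
"""
import os
from typing import Dict, List

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
LSN_0059_FILES = {
    "itlb_multihit": "CVE-2018-12207",
    "tsx_async_abort": "CVE-2019-11135",
}

# Constructed sample, shaped like real sysfs contents on a patched 5.x kernel.
SAMPLE_SYSFS = {
    "itlb_multihit": "KVM: Mitigation: Split huge pages\n",
    "tsx_async_abort": "Mitigation: Clear CPU buffers; SMT vulnerable\n",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n",
    "l1tf": "Not affected\n",
}


def classify(status: str) -> str:
    """Map a sysfs status line to: not_affected, mitigated, vulnerable or unknown."""
    s = status.strip()
    if s.startswith("KVM: "):  # itlb_multihit reports through the hypervisor
        s = s[len("KVM: "):]
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable") or s == "Processor vulnerable":
        return "vulnerable"
    return "unknown"  # empty (file missing) or a format this code does not know


def summarize(entries: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Attach a verdict to every entry; LSN-0059-1 issues also get their CVE."""
    out = {}
    for name, status in sorted(entries.items()):
        out[name] = {
            "status": status.strip(),
            "verdict": classify(status),
            "cve": LSN_0059_FILES.get(name, ""),
        }
    return out


def needs_attention(entries: Dict[str, str]) -> List[str]:
    """LSN-0059-1 issues the kernel does not report as mitigated or unaffected.

    A missing file is deliberately treated as needing attention: a kernel that
    predates the mitigation has no entry at all.
    """
    return [n for n in LSN_0059_FILES
            if classify(entries.get(n, "")) in ("vulnerable", "unknown")]


def read_sysfs(path: str = VULN_DIR) -> Dict[str, str]:
    """Read the live directory; empty on non-Linux hosts or very old kernels."""
    if not os.path.isdir(path):
        return {}
    result = {}
    for name in os.listdir(path):
        with open(os.path.join(path, name)) as fh:
            result[name] = fh.read()
    return result


if __name__ == "__main__":
    live = read_sysfs() or SAMPLE_SYSFS
    for name, info in summarize(live).items():
        print(f"{name:20} {info['verdict']:13} {info['cve']:15} {info['status']}")
    print("needs attention:", needs_attention(live) or "none")
```

The SMT suffix in the TAA line is worth reading rather than discarding: "Mitigation: Clear CPU buffers; SMT vulnerable" means the buffer flush is in place but sibling hyperthreads still share the affected buffers.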

    TrendLabs: 49 Disguised Adware Apps With Optimized Evasion Features Found on Google Play

    Figure 2. Screen captures of codes showing how the malicious app’s icon is hidden or removed
    REF: https://blog.trendmicro.com/trendlabs-security-intelligence/49-disguised-adware-apps-with-optimized-evasion-features-found-on-google-play/

    [Openvpn-announce] OpenVPN 2.4.8 released

    ---------- Forwarded message ---------
    From: Samuli Seppänen
    Date: Thu, Oct 31, 2019 at 6:37 PM

    This is primarily a maintenance release with bugfixes and improvements.
    The Windows installers (I601) have several improvements compared to the
    previous release:

    * New tap-windows6 driver (9.24.2) which fixes some suspend and resume issues
    * Latest OpenVPN-GUI
    * Considerable performance boost due to new compiler optimization flags

    Please note that LibreSSL is not a supported crypto backend. We accept
    patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if
    newer versions of LibreSSL break API compatibility we do not take
    responsibility to fix that.

    TrendLabs: More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting

    Figure 1. Schema showing the multiple obfuscation layers that APT33 uses
    REF: https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/

    [USN-4167-1] Samba vulnerabilities

    ---------- Forwarded message ---------
    From: Marc Deslauriers
    Date: Oct 29, 2019 9:20PM

    Michael Hanselmann discovered that the Samba client code incorrectly
    handled path separators. If a user were tricked into connecting to a
    malicious server, a remote attacker could use this issue to cause the
    client to access local pathnames instead of network pathnames.
    (CVE-2019-10218)

    Simon Fonteneau and Björn Baumbach discovered that Samba incorrectly
    handled the check password script. This issue could possibly bypass custom
    password complexity checks, contrary to expectations. This issue only
    affected Ubuntu 18.04 LTS, Ubuntu 19.04, and Ubuntu 19.10. (CVE-2019-14833)

    Adam Xu discovered that Samba incorrectly handled the dirsync LDAP control.
    A remote attacker with "get changes" permissions could possibly use this
    issue to cause Samba to crash, resulting in a denial of service.
    (CVE-2019-14847)

    References:
      https://usn.ubuntu.com/4167-1
      CVE-2019-10218, CVE-2019-14833, CVE-2019-14847
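
The first Samba item describes a client that, fed names by a malicious server, ends up accessing local paths instead of the intended network ones. As an added example (not Samba's smbclient code), the Python below applies the defensive rule that a name taken from a remote directory listing must be a single path component before it is joined to the local download directory; the listing and the download directory are constructed.

```python
"""Sanitize server-supplied file names before writing them to local disk.

Added example, not Samba's smbclient code. The defensive rule: a name from a
remote directory listing must be one plain path component. Anything holding
a separator (SMB uses backslash, the local filesystem slash), a NUL, or the
special names "." and ".." is refused, and the final local path is checked
to sit directly under the download directory.
"""
import os
from typing import List, Tuple

# Constructed listing, as a malicious server might return it; not real data.
SAMPLE_LISTING = [
    "report.docx",
    "..\\..\\..\\etc\\cron.d\\job",
    "../../.ssh/authorized_keys",
    "plain/name.txt",
    "notes\x00.txt",
    "..",
]


def safe_component(name: str) -> str:
    """Return name if it is one plain path component, else raise ValueError."""
    if not name or name in (".", ".."):
        raise ValueError(f"refusing special or empty name {name!r}")
    for bad in ("/", "\\", "\x00"):
        if bad in name:
            raise ValueError(f"refusing name with separator or NUL: {name!r}")
    return name


def local_target(download_dir: str, server_name: str) -> str:
    """Absolute local path for server_name, guaranteed to be directly in download_dir."""
    name = safe_component(server_name)
    base = os.path.normpath(os.path.abspath(download_dir))
    target = os.path.normpath(os.path.join(base, name))
    # Belt and braces: even if safe_component were weakened later, never leave base.
    if os.path.dirname(target) != base:
        raise ValueError(f"{server_name!r} would escape {base}")
    return target


def plan_downloads(download_dir: str, listing: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a listing into local paths to write and (name, reason) rejections."""
    accepted, rejected = [], []
    for name in listing:
        try:
            accepted.append(local_target(download_dir, name))
        except ValueError as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_downloads("/srv/downloads", SAMPLE_LISTING)
    for path in ok:
        print("write  ", path)
    for name, reason in bad:
        print("reject ", reason)
```

For recursive fetches the same rule applies per level: each directory name from the listing is one component, so a server cannot splice "..\" segments into the tree it asks the client to mirror.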

    TrendLabs: New Exploit Kit Capesand Reuses Old and New Public Exploits and Tools, Blockchain Ruse

    Figure 2. Capesand exploit kit traffic pattern

    REF: https://blog.trendmicro.com/trendlabs-security-intelligence/new-exploit-kit-capesand-reuses-old-and-new-public-exploits-and-tools-blockchain-ruse/

    MagicSoft CG ver 8.2.3

    MagicSoft CG ver 8.2.3 adds:
         - NDI input and output for all video modes
         - improved performance in 4K video modes for "picture in picture" when using Decklink or NDI as input
         - improved management of the projects in CG server

    REF: https://www.magicsoft.tv/news.html

    TrendLabs: Current and Future Hacks and Attacks that Threaten Esports

    Figure 1. Page offering custom hardware hacks, with prices starting at US$500
    REF: https://blog.trendmicro.com/trendlabs-security-intelligence/current-and-future-hacks-and-attacks-that-threaten-esports/

    LM: Red Hat Announces CentOS Stream

    CentOS Stream will sit somewhere between Fedora and RHEL to provide a place for developers who want to get their packages into RHEL. So far, Fedora has been used as a fast-moving upstream project for RHEL: Red Hat forks code from Fedora to build the next version of RHEL. However, most enterprise-centric users were on CentOS, not Fedora, and there was no direct path for those users to target RHEL, as CentOS was downstream of RHEL. With CentOS Stream, developers can start playing with what to expect next in RHEL, and they can also submit patches.

    REF: http://www.linux-magazine.com/Online/News/Red-Hat-Announces-CentOS-Stream

    Plex: Multitask Live TV and DVR on Apple

    Multitask Live TV and DVR on Apple
    Professional binge watchers rejoice! Now for iOS and Apple TV users, you can simultaneously watch Live TV while scheduling your next recording without missing a beat.