From security em unicamp.br Tue Nov 17 14:08:33 2020 From: security em unicamp.br (CSIRT Unicamp) Date: Tue, 17 Nov 2020 14:08:33 -0300 Subject: [SECURITY-L] [RHSA-2020:5135-01] Critical: firefox security update In-Reply-To: <202011171635.0AHGZMUF031758@lists01.pubmisc.prod.ext.phx2.redhat.com> References: <202011171635.0AHGZMUF031758@lists01.pubmisc.prod.ext.phx2.redhat.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Critical: firefox security update Advisory ID: RHSA-2020:5135-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:5135 Issue date: 2020-11-17 CVE Names: CVE-2020-26950 ===================================================================== 1. Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64 3. Description: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 78.4.1 ESR. Security Fix(es): * Mozilla: Write side effects in MCallGetProperty opcode not accounted for (CVE-2020-26950) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, Firefox must be restarted for the changes to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1896306 - CVE-2020-26950 Mozilla: Write side effects in MCallGetProperty opcode not accounted for 6. Package List: Red Hat Enterprise Linux AppStream EUS (v. 8.1): Source: firefox-78.4.1-1.el8_1.src.rpm aarch64: firefox-78.4.1-1.el8_1.aarch64.rpm firefox-debuginfo-78.4.1-1.el8_1.aarch64.rpm firefox-debugsource-78.4.1-1.el8_1.aarch64.rpm ppc64le: firefox-78.4.1-1.el8_1.ppc64le.rpm firefox-debuginfo-78.4.1-1.el8_1.ppc64le.rpm firefox-debugsource-78.4.1-1.el8_1.ppc64le.rpm s390x: firefox-78.4.1-1.el8_1.s390x.rpm firefox-debuginfo-78.4.1-1.el8_1.s390x.rpm firefox-debugsource-78.4.1-1.el8_1.s390x.rpm x86_64: firefox-78.4.1-1.el8_1.x86_64.rpm firefox-debuginfo-78.4.1-1.el8_1.x86_64.rpm firefox-debugsource-78.4.1-1.el8_1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-26950 https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX7P7xtzjgjWX9erEAQicYQ/8DWg/CkdASNjLtnjdSNHAhKWqV93YVSoI DIKKjydvZ3Ty9yW1LTR/qpPh/aEIunuyTnSUcBxpjRyBA5ilhGMNjF6eZeYWlivP 2vnGXxX2Z9EdUib9ENalN+Ujx/Cw0D6eMqXI0MIN/AJZqR1UF8AKLeHvcLhvdlI8 drVEcXCuw6ABrZprJ/oyP9AbZ0L1y8FzAlZ8n5XNcXC7RAZRc3TJO+g9yQuYR0gv YnXZ1+nSoyFdZjZZsOV02m2WBfmt7DTydmx+tCzRJ2x50y3zxV8z7lBUGfu6QR9L PMQ0CvALHMFkSiVk6zLR5TmbxHTwg8FA6PLm8+SNfVc/Pl6oQfEcrHhcJDYLd6ZT 18Msb6+bfXTaPwqT1hJ3QVJSGgM+bqQDsJPAt1XbIjg1OADHFGc/gAq9Gqpel5K4 s2sPrPBZ56Cl5YB57Skn42MqPXDGxhOilt3qJuHNiETWTG5v2MDhyAcd3JPvBS7Z x4c0sxJLxgpyPi1KZF5Cu34trSqhQfmVdbqd3G09TlM9QI4mR0lAZ9v8OOhRzLi8 ymWZlxlW2MdtfvbwsaZBOpB3wFoOfOeZnqf99ESBwQa2bM88cBwJvyvzJ92sL6pE NO3SEEj2z2fHBW47vM71G1CHaLEuiTJkc3Z4eFOIufYFskzJXX+aSYbZMfSV+SoC A2C64pMCVmc= =Ttbf -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce em redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce === Computer Security Incident Response Team - CSIRT Universidade Estadual de Campinas - Unicamp Centro de Computacao - CCUEC GnuPG Public Key: http://www.security.unicamp.br/security.asc [^] Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830 -------------- Próxima Parte ---------- Um anexo em HTML foi limpo... URL: From security em unicamp.br Wed Nov 18 15:10:36 2020 From: security em unicamp.br (CSIRT Unicamp) Date: Wed, 18 Nov 2020 15:10:36 -0300 Subject: [SECURITY-L] [Security-news] Examples for Developers - Critical - Remote Code Execution - SA-CONTRIB-2020-035 In-Reply-To: References: Message-ID: View online: https://www.drupal.org/sa-contrib-2020-035 Project: Examples for Developers [1] Date: 2020-November-18 Security risk: *Critical* 17?25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2] Vulnerability: Remote Code Execution Description: The File Example submodule within the Examples project does not properly sanitize certain filenames as described in SA-CORE-2020-012 [3], along with other related vulnerabilities. Therefore, File Example so is being removed from Examples until a version demonstrating file security best practices can added back in the future. Solution: Any sites that have File Example submodule installed should uninstall it immediately Then, install the latest version of Examples: * If you use Examples 3 (Drupal 9-compatible), upgrade to Examples 3.0.2 [4] * If you use the Examples module's 8.x-1.x branch, upgrade to Examples 8.x-1.1 [5] Reported By: * Alex Pott [6] of the Drupal Security Team Fixed By: * Valery Lourie [7] * Samuel Mortenson [8] of the Drupal Security Team * Jess (xjm) [9] of the Drupal Security Team * Alex Pott [10] of the Drupal Security Team Coordinated By: * Michael Hess [11] of the Drupal Security Team * Jess (xjm) [12] of the Drupal Security Team * Drew Webber [13] of the Drupal Security Team * Alex Pott [14] of the Drupal Security Team [1] https://www.drupal.org/project/examples [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2020-012 [4] https://www.drupal.org/project/examples/releases/3.0.2 [5] https://www.drupal.org/project/examples/releases/8.x-1.1 [6] https://www.drupal.org/user/157725 [7] https://www.drupal.org/user/239562 [8] https://www.drupal.org/user/2582268 [9] https://www.drupal.org/user/65776 [10] https://www.drupal.org/user/157725 [11] https://www.drupal.org/user/102818 [12] https://www.drupal.org/user/xjm [13] https://www.drupal.org/user/255969 [14] https://www.drupal.org/user/157725 _______________________________________________ Security-news mailing list Security-news em drupal.org Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news === Computer Security Incident Response Team - CSIRT Universidade Estadual de Campinas - Unicamp Centro de Computacao - CCUEC GnuPG Public Key: http://www.security.unicamp.br/security.asc [^] Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830 -------------- Próxima Parte ---------- Um anexo em HTML foi limpo... URL: From security em unicamp.br Wed Nov 18 15:11:21 2020 From: security em unicamp.br (CSIRT Unicamp) Date: Wed, 18 Nov 2020 15:11:21 -0300 Subject: [SECURITY-L] [Security-news] Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036 In-Reply-To: References: Message-ID: View online: https://www.drupal.org/sa-contrib-2020-036 Project: Media: oEmbed [1] Date: 2020-November-18 Security risk: *Critical* 17?25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2] Vulnerability: Remote Code Execution Description: Media oEmbed does not properly sanitize certain filenames as described in SA-CORE-2020-012 [3]. Solution: Install the latest version: * Upgrade to Media oEmbed 7.x-2.8 [4] Reported By: * Alex Pott [5] of the Drupal Security Team Fixed By: * Samuel Mortenson [6] of the Drupal Security Team * Alex Pott [7] of the Drupal Security Team * Drew Webber [8] of the Drupal Security Team Coordinated By: * Samuel Mortenson [9] of the Drupal Security Team * Alex Pott [10] of the Drupal Security Team * Drew Webber [11] of the Drupal Security Team * xjm [12] of the Drupal Security Team [1] https://www.drupal.org/project/media_oembed [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2020-012 [4] https://www.drupal.org/project/media_oembed/releases/7.x-2.8 [5] https://www.drupal.org/user/157725 [6] https://www.drupal.org/user/2582268 [7] https://www.drupal.org/user/157725 [8] https://www.drupal.org/user/255969 [9] https://www.drupal.org/user/2582268 [10] https://www.drupal.org/user/157725 [11] https://www.drupal.org/user/255969 [12] https://www.drupal.org/user/65776 _______________________________________________ Security-news mailing list Security-news em drupal.org Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news === Computer Security Incident Response Team - CSIRT Universidade Estadual de Campinas - Unicamp Centro de Computacao - CCUEC GnuPG Public Key: http://www.security.unicamp.br/security.asc [^] Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830 -------------- Próxima Parte ---------- Um anexo em HTML foi limpo... URL: From security em unicamp.br Wed Nov 18 15:12:08 2020 From: security em unicamp.br (CSIRT Unicamp) Date: Wed, 18 Nov 2020 15:12:08 -0300 Subject: [SECURITY-L] [Security-news] Ink Filepicker - Critical - Unsupported - SA-CONTRIB-2020-037 In-Reply-To: References: Message-ID: View online: https://www.drupal.org/sa-contrib-2020-037 Project: Ink Filepicker [1] Date: 2020-November-18 Security risk: *Critical* 17?25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2] Vulnerability: Unsupported Description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. It looks like the 3rd party service that this module integrates with may have been retired. If you would like to maintain this project nevertheless, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported [3] Solution: If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported [4] in full. [1] https://www.drupal.org/project/media_inkfilepicker [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/251466#procedure---own-project---unsupported [4] https://www.drupal.org/node/251466#procedure---own-project---unsupported _______________________________________________ Security-news mailing list Security-news em drupal.org Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news === Computer Security Incident Response Team - CSIRT Universidade Estadual de Campinas - Unicamp Centro de Computacao - CCUEC GnuPG Public Key: http://www.security.unicamp.br/security.asc [^] Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830 -------------- Próxima Parte ---------- Um anexo em HTML foi limpo... URL: From security em unicamp.br Wed Nov 18 15:12:50 2020 From: security em unicamp.br (CSIRT Unicamp) Date: Wed, 18 Nov 2020 15:12:50 -0300 Subject: [SECURITY-L] [Security-news] SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-038 In-Reply-To: References: Message-ID: View online: https://www.drupal.org/sa-contrib-2020-038 Project: SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider [1] Date: 2020-November-18 Security risk: *Critical* 16?25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass Description: This module enables your users residing at a SAML 2.0 compliant Identity Provider to login to your Drupal website. The module has two Authentication Bypass vulnerabilities. Solution: Install the latest version: * If you use the miniorange_saml module for Drupal 8.x, upgrade to miniorange_saml 8.x-2.14 [3] * If you use the miniorange_saml module for Drupal 7.x, upgrade to miniorange_saml 7.x-2.54 [4] Reported By: * Heine [5] of the Drupal Security Team * Michael Mazzolini [6] Fixed By: * abhay19 [7] Coordinated By: * Heine [8] of the Drupal Security Team * Chris McCafferty [9] of the Drupal Security Team [1] https://www.drupal.org/project/miniorange_saml [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/miniorange_saml/releases/8.x-2.14 [4] https://www.drupal.org/project/miniorange_saml/releases/7.x-2.54 [5] https://www.drupal.org/user/17943 [6] https://www.drupal.org/user/3649306 [7] https://www.drupal.org/user/3549350 [8] https://www.drupal.org/user/17943 [9] https://www.drupal.org/user/1850070 _______________________________________________ Security-news mailing list Security-news em drupal.org Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news === Computer Security Incident Response Team - CSIRT Universidade Estadual de Campinas - Unicamp Centro de Computacao - CCUEC GnuPG Public Key: http://www.security.unicamp.br/security.asc [^] Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830 -------------- Próxima Parte ---------- Um anexo em HTML foi limpo... URL: From security em unicamp.br Wed Nov 18 15:13:31 2020 From: security em unicamp.br (CSIRT Unicamp) Date: Wed, 18 Nov 2020 15:13:31 -0300 Subject: [SECURITY-L] [Security-news] Drupal core - Critical - Remote code execution - SA-CORE-2020-012 In-Reply-To: References: Message-ID: View online: https://www.drupal.org/sa-core-2020-012 Project: Drupal core [1] Date: 2020-November-18 Security risk: *Critical* 17?25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2] Vulnerability: Remote code execution CVE IDs: CVE-2020-13671 Description: Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. Solution: Install the latest version: * If you are using Drupal 9.0, update to Drupal 9.0.8 [3] * If you are using Drupal 8.9, update to Drupal 8.9.9 [4] * If you are using Drupal 8.8 or earlier, update to Drupal 8.8.11 [5] * If you are using Drupal 7, update to Drupal 7.74 [6] Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Additionally, it's recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like .php.txt or .html.gif. Reported By: * ufku [7] * Mark Ferree [8] * Frédéric G. Marand [9] * Samuel Mortenson [10] of the Drupal Security Team * Derek Wright [11] Fixed By: * Heine [12] of the Drupal Security Team * ufku [13] * Mark Ferree [14] * Michael Hess [15] of the Drupal Security Team * David Rothstein [16] of the Drupal Security Team * Peter Wolanin [17] of the Drupal Security Team * Jess [18] of the Drupal Security Team * Frédéric G. Marand [19] * Stefan Ruijsenaars [20] * David Snopek [21] of the Drupal Security Team * Rick Manelius [22] * David Strauss [23] of the Drupal Security Team * Samuel Mortenson [24] of the Drupal Security Team * Ted Bowman [25] * Alex Pott [26] of the Drupal Security Team * Derek Wright [27] * Lee Rowlands [28] of the Drupal Security Team * Kim Pepper [29] * Wim Leers [30] * Nate Lampton [31] * Drew Webber [32] of the Drupal Security Team * Fabian Franz [33] * Alex Bronstein [34] of the Drupal Security Team * Neil Drumm [35] of the Drupal Security Team * Joseph Zhao [36] * Ryan Aslett [37] [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/drupal/releases/9.0.8 [4] https://www.drupal.org/project/drupal/releases/8.9.9 [5] https://www.drupal.org/project/drupal/releases/8.8.11 [6] https://www.drupal.org/project/drupal/releases/7.74 [7] https://www.drupal.org/user/9910 [8] https://www.drupal.org/user/76245 [9] https://www.drupal.org/user/27985 [10] https://www.drupal.org/user/2582268 [11] https://www.drupal.org/user/46549 [12] https://www.drupal.org/user/17943 [13] https://www.drupal.org/user/9910 [14] https://www.drupal.org/user/76245 [15] https://www.drupal.org/user/102818 [16] https://www.drupal.org/user/124982 [17] https://www.drupal.org/user/49851 [18] https://www.drupal.org/user/65776 [19] https://www.drupal.org/user/27985 [20] https://www.drupal.org/user/551886 [21] https://www.drupal.org/user/266527 [22] https://www.drupal.org/user/680072 [23] https://www.drupal.org/user/93254 [24] https://www.drupal.org/user/2582268 [25] https://www.drupal.org/user/240860 [26] https://www.drupal.org/user/157725 [27] https://www.drupal.org/user/46549 [28] https://www.drupal.org/user/395439 [29] https://www.drupal.org/user/370574 [30] https://www.drupal.org/user/99777 [31] https://www.drupal.org/user/35821 [32] https://www.drupal.org/user/255969 [33] https://www.drupal.org/user/693738 [34] https://www.drupal.org/user/78040 [35] https://www.drupal.org/user/3064 [36] https://www.drupal.org/user/1987218 [37] https://www.drupal.org/user/391689 _______________________________________________ Security-news mailing list Security-news em drupal.org Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news === Computer Security Incident Response Team - CSIRT Universidade Estadual de Campinas - Unicamp Centro de Computacao - CCUEC GnuPG Public Key: http://www.security.unicamp.br/security.asc [^] Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830 -------------- Próxima Parte ---------- Um anexo em HTML foi limpo... URL: From security em unicamp.br Thu Nov 19 13:28:23 2020 From: security em unicamp.br (CSIRT Unicamp) Date: Thu, 19 Nov 2020 13:28:23 -0300 Subject: [SECURITY-L] =?utf-8?q?=5BRNP/CAIS_Alerta_=230056=5D_Vulnerabili?= =?utf-8?q?dade_em_servi=C3=A7os_de_DNS?= In-Reply-To: <1069654764.32836860.1605802603967.JavaMail.zimbra@rnp.br> References: <1069654764.32836860.1605802603967.JavaMail.zimbra@rnp.br> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Prezados, CAIS-Alerta [19/11/2020]: Vulnerabilidade em serviços de DNS O CAIS alerta para uma recente vulnerabilidade encontrada em serviços de DNS, constatou-se que serviços de DNS Resolver hospedados em sistemas operacionais cujo bloqueio de tráfego de saída ICMP esteja habilitado sejam vulneráveis ao ataque conhecido SAD DNS. Já foram publicadas provas de conceitos sobre a exploraçăo dessa vulnerabilidade. DESCRIÇĂO O ataque consiste em uma nova versăo do ataque conhecido como DNS Poisoning, permitindo que um usuário năo autorizado envie pacotes de sondagem em busca de portas de comunicaçăo usadas por serviços vulneráveis e injete um registro malicioso de DNS junto ao cache de serviços de DNS recursivos, tais como BIND, Unbound, dnsmasq, e outros. O ataque em questăo depende da observaçăo do tráfego ICMP disparado contra um DNS Resolver, visando aferir quais portas UDP săo utilizadas para uma pesquisa de DNS em especial. Mesmo com o uso de recursos para năo fragmentaçăo de pacotes e uso de portas dinâmicas, é possível um atacante obter sucesso ao abusar da comunicaçăo via ICMP, ainda que esta conte com rate limits estabelecidos, descobrindo assim a porta em uso e forjando um pacote malicioso, posteriormente encaminhado como resposta ao requisitante do serviço. É válido dizer que esta vulnerabilidade pode ser explorada por qualquer atacante que possua conhecimento dos endereços públicos de serviços de DNS Autoritativos e Recursivos, sendo estimado que em média 35%[1] dos resolvers públicos estejam vulneráveis ao ataque SAD DNS. SISTEMAS IMPACTADOS - - Sistemas Operacionais Microsoft Windows - - Sistemas Operacionais GNU/Linux - - Sistemas Operacionais MacOS VERSŐES AFETADAS - - Linux 3.18-5.10; - - Windows Server 2019 (version 1809) e versőes mais recentes; - - MacOS 10.15 e versőes mais recentes; - - FreeBSD 12.1.0 e versőes mais recentes. É importante ressaltar que inexistem testes em versőes posteriores dos produtos acima relacionados, portanto, entendem-se as mesmas vulneráveis ao ataque SAD DNS. CORREÇŐES DISPONÍVEIS - - Desabilitar ou bloquear as mensagens do tipo "port unreachable"; - - Promover a atualizaçăo do kernel do GNU/Linux para uma versăo com rate limits aleatórios, incluído ŕ partir da v5.10[3]; - - Habilitar a validaçăo de DNSSEC nos resolver/forwarders; - - Atualizar o serviço de DNS. IDENTIFICADORES CVE (http://cve.mitre.org) - - CVE-2020-25705 MAIS INFORMAÇŐES [1] https://www.saddns.net/ [2] https://blog.cloudflare.com/sad-dns-explained/ [3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b38e7819cae946e2edf869e604af1e65a5d241c5 [4] https://www.addvalue.com.br/seguranca/sad-dns/ [5] https://nvd.nist.gov/vuln/detail/CVE-2020-25705 [6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25705 O CAIS recomenda que os administradores mantenham seus sistemas e aplicativos sempre atualizados, de acordo com as últimas versőes e correçőes oferecidas pelos fabricantes. Os alertas do CAIS também podem ser acompanhados pelas redes sociais da RNP. Siga-nos! Twitter: @caisRNP Facebook: facebook.com/RedeNacionaldeEnsinoePesquisaRNP. Atenciosamente, CAIS/RNP ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS) # # Rede Nacional de Ensino e Pesquisa (RNP) # # # # cais em cais.rnp.br http://www.rnp.br/servicos/seguranca # # Tel. 019-37873300 Fax. 019-37873301 # # Chave PGP disponivel https://www.cais.rnp.br/cais-pgp.key # ################################################################ -----BEGIN PGP SIGNATURE----- Version: OpenPGP.js v2.6.2 Comment: https://openpgpjs.org wsFcBAEBCAAQBQJftpplCRB83qA0uPj0mAAAaVsP/ifVX9tucOoWZJhpgoOZ aSMlJlMl7byS+INACcEEgaO9EfJlCQpzqZ0rs3ax6Kmg2aAF2ZSx1hDOUQ96 KZBu0qm4mgMiczk99M8tupfbJ7Mnv0twrxxjVXkypgK+G6VDTZCoKvaPdaEl aI7QMA7QsqAfu2ZMCTg2HrpIBXBdBYLI3hdpLICwZKTiJni9CBZfYO/gQGGz XejPFYftPytOoVjh+2s2XVm5mswTNoqBlRHY1z1L3OX/eYrNh6el2jMoILJB JeoyiqYvHnG5HvF6dKj3wj3+miB3LmuhrrbqHEWTPKsDuiX1ja6FrRwKJquQ vIfU07SCgj31Oz/wtbTBRazJPrwgSLIHqOGdhJQPwnaDCzDRyAdly1QPMOwi 3tUaQ9r+jsmyk4aKmeLnBIH7bYpHt2tLgXZVReCjaca/vY4EWrhYMUy1Ilbe ShEPsWAXigcr1T3gk4IElSceDU8PRftMkWNXO0uDUsG46s2LHiR5dwC0RMHk 9nc+lyg79vRzJXY+Z7E+QombRFRLhTqJ5qLpRKus+3RrspVsS2W1SW4XVz8l QhcK9RndZ8WkwKXfiYznK06jNX5/HF8txK7/OJsBYUghWX2K0D+BfedBoUaW +waTAVkd08uKmsLy4Stbi4oy7orCJNSVjqXC/LWQCKf4uZiL4PyrqGez5eGI VpFB =hodT -----END PGP SIGNATURE----- _______________________________________________ RNP-Alerta rnp-alerta em listas.rnp.br https://listas.rnp.br/mailman/listinfo/rnp-alerta === Computer Security Incident Response Team - CSIRT Universidade Estadual de Campinas - Unicamp Centro de Computacao - CCUEC GnuPG Public Key: http://www.security.unicamp.br/security.asc [^] Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830 -------------- Próxima Parte ---------- Um anexo em HTML foi limpo... URL: From security em unicamp.br Fri Nov 20 14:10:56 2020 From: security em unicamp.br (CSIRT Unicamp) Date: Fri, 20 Nov 2020 14:10:56 -0300 Subject: [SECURITY-L] [RNP/CAIS Alerta #0057] Vulnerabilidade no Application Server Apache Tomcat In-Reply-To: <45543712.33741177.1605891192338.JavaMail.zimbra@rnp.br> References: <45543712.33741177.1605891192338.JavaMail.zimbra@rnp.br> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Prezados, CAIS-Alerta [20/11/2020]: Vulnerabilidade no Application Server Apache Tomcat O CAIS alerta para uma vulnerabilidade crítica no Application Server Apache Tomcat que pode permitir execuçăo remota de códigos maliciosos. Já foram publicados códigos de exploraçăo para algumas das vulnerabilidades identificadas. DESCRIÇĂO Uma falha na arquitetura do módulo de persistęncia de sessőes do servidor Apache Tomcat, quando operado em conjunto com um objeto de classe FileStore e configurado para tratar a replicaçăo de atributos de sessăo como nula, permite que um usuário malicioso faça requisiçőes forjadas e execute códigos remotos no servidor, forçando a desserializaçăo do código previamente enviado, executando-o junto ao Application Server. A exploraçăo da vulnerabilidade também é possibilitada por algumas características da configuraçăo do Apache Tomcat: - - a possibilidade de um usuário malicioso controlar o conteúdo e nome de arquivos persistentes no servidor; - - o uso do recurso PersistenceManager associado a um FileStore; - - o atributo sessionAttributeValueClassNameFilter como 'null' ou com filtros inadequados; - - conhecimento do caminho da unidade de armazenamento utilizada pelo FileStore para armazenamento do arquivo manipulado pelo usuário malicioso. SISTEMAS IMPACTADOS Aplicaçőes executadas no Apache Tomcat VERSŐES AFETADAS - - Apache Tomcat 10.0.0-M1 a 10.0.0-M4 - - Apache Tomcat 9.0.0.M1 a 9.0.34 - - Apache Tomcat 8.5.0 a 8.5.54 - - Apache Tomcat 7.0.0 a 7.0.103 CORREÇŐES DISPONÍVEIS Atualizar a versăo do servidor Apache Tomcat para a versăo mais recente disponibilizada pelos desenvolvedores: - - 7.0.104 para versőes 7.0.103 e anteriores. - - 8.5.55 para versőes 8.5.54 e anteriores. - - 9.0.35 para versőes 9.0.34 e anteriores. - - 10.0.0-M5 para versőes 10.0.0-M4 e anteriores. - - Como soluçăo de contorno - para casos onde a atualizaçăo năo seja possível até a janela de manutençăo da gestăo de mudanças - é necessária a desativaçăo dos FileStore ou a configuraçăo do atributo sessionAttributeValueClassNameFilter separadamente, de modo que apenas objetos específicos possam ser serializados/desserializados. [6] IDENTIFICADORES CVE (http://cve.mitre.org) - - CVE-2020-9484 MAIS INFORMAÇŐES [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484 [2] https://medium.com/@romnenko/apache-tomcat-deserialization-of-untrusted-data-rce-cve-2020-9484-afc9a12492c4 [3] https://github.com/osamahamad/CVE-2020-9484-Mass-Scan [4] https://meterpreter.org/cve-2020-9484-apache-tomcat-remote-code-execution-vulnerability-alert/ [5] https://nvd.nist.gov/vuln/detail/CVE-2020-9484 [6] https://tomcat.apache.org/tomcat-9.0-doc/config/cluster-manager.html [7] http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104 [8] http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55 [9] http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35 [10] http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5 [11] https://security.netapp.com/advisory/ntap-20200528-0005/ O CAIS recomenda que os administradores mantenham seus sistemas e aplicativos sempre atualizados, de acordo com as últimas versőes e correçőes oferecidas pelos fabricantes. Os alertas do CAIS também podem ser acompanhados pelas redes sociais da RNP. Siga-nos! Twitter: @caisRNP Facebook: facebook.com/RedeNacionaldeEnsinoePesquisaRNP. Atenciosamente, CAIS/RNP ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS) # # Rede Nacional de Ensino e Pesquisa (RNP) # # # # cais em cais.rnp.br http://www.rnp.br/servicos/seguranca # # Tel. 019-37873300 Fax. 019-37873301 # # Chave PGP disponivel https://www.cais.rnp.br/cais-pgp.key # ################################################################ -----BEGIN PGP SIGNATURE----- Version: OpenPGP.js v2.6.2 Comment: https://openpgpjs.org wsFcBAEBCAAQBQJft/RzCRB83qA0uPj0mAAA+icP/2/MM4lCCkCVraAVJNHI wbdRM7CfleEixCm9fpEmtRANrBQ16X17DLB2BgYSwdQlf8JABbG18GZLkuvF 8Z0GQ1FTu/7GPRxs7CE27NGR7QaBScqrgodvcfMltI7C0YOGONeZS5aFhzzn OR+QTqnzcu0yg7QQj2I8moJeuOzfaITbI8WQtBwgttQwWr6k0MRrnT55IjlJ AgYve0ZV3MhHPCuFGcF4caEokiUyjmKVA05/hY62l2msPB1ctSfBd3Hm3DRo 6A4OcLFgIMdECPm0ozx09r72RVlCtr2jyOUTiIpvsdVNwZVMhK6YYdMHLOZQ M1IMblzUSiRB7WuBbCtxHx8BNqydOdJoL+wXCn75vYMk34HPzwqIEitTbxnb oCH777ypidjKUBg1BB/vq876hceLPWjtvHwnVLiP8bLoSEI8AZMruC5Ua4Y6 SmL/lY8hdc+53QTV2z4uVuNaQOV55TAlWih2vFyboPjG9ZBQYcg+shaGma2n IHEt0Dc/HP41Vu2X+YsL63stk1d85H2X4ZSRFu/juVfbKIIb7i/zBoi1W/DB nKaMHz9GD5fnXQ8xyolAKbLQqWQRiBtQb4udzM/9xoLrPodOb1NWP23zQrSp rVSvOus4czB7NNoyuxKLg85J+DlVqyJcG34QTXkFxkuT/H0Q6hpkI40058ol JkSW =X0X1 -----END PGP SIGNATURE----- _______________________________________________ RNP-Alerta rnp-alerta em listas.rnp.br https://listas.rnp.br/mailman/listinfo/rnp-alerta === Computer Security Incident Response Team - CSIRT Universidade Estadual de Campinas - Unicamp Centro de Computacao - CCUEC GnuPG Public Key: http://www.security.unicamp.br/security.asc [^] Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830 -------------- Próxima Parte ---------- Um anexo em HTML foi limpo... URL: From security em unicamp.br Fri Nov 20 17:18:35 2020 From: security em unicamp.br (CSIRT Unicamp) Date: Fri, 20 Nov 2020 17:18:35 -0300 Subject: [SECURITY-L] =?utf-8?q?=5BRNP/CAIS_Alerta_=230058=5D_Vulnerabili?= =?utf-8?q?dade_cr=C3=ADtica_no_CMS_Drupal_=28CORE=29?= In-Reply-To: <1152266230.33743473.1605899660221.JavaMail.zimbra@rnp.br> References: <1152266230.33743473.1605899660221.JavaMail.zimbra@rnp.br> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Prezados, CAIS-Alerta [20/11/2020]: Vulnerabilidade crítica no CMS Drupal (CORE) O CAIS alerta para uma vulnerabilidade crítica recentemente encontrada no Drupal CMS que pode permitir a execuçăo remota de códigos. Até o momento da publicaçăo deste alerta, năo foram identificados códigos de exploraçăo para a vulnerabilidade identificada. DESCRIÇĂO Dada uma falha nos controles de sanitizaçăo de arquivos do módulo de upload do Drupal, é possível que arquivos sejam interpretados com extensőes incorretas e sejam exibidos ao requisitante com o MIME type incoerente e, em casos específicos, executados como scripts PHP, dependendo das configuraçőes do serviço. A janela de oportunidade para exploraçăo desta vulnerabilidade consiste na maneira como CMS exibe sua API de upload, tendendo a variar dependendo da implantaçăo e configuraçăo do CMS, ou seja, um usuário pode realizar upload ou com uma credencial e sessăo válida, ou de forma pública. A vulnerabilidade pode ser explorada tanto por um usuário autenticado como também sem autenticaçăo. SISTEMAS IMPACTADOS Sistemas utilizando Drupal. VERSŐES AFETADAS - - Drupal 9.0.7 e anteriores - - Drupal 8.9.8 e anteriores - - Drupal 8.8.10 e anteriores - - Drupal 7.73 e anteriores CORREÇŐES DISPONÍVEIS Atualizar a versăo do CMS Drupal para a versăo mais recente disponibilizada pelos desenvolvedores: - - Versăo 9.0.8 para versőes 9.0.x; - - Versăo 8.9.9 para versőes 8.9.x; - - Versăo 8.8.11 para versőes 8.8.x; - - Versăo 7.74 para versőes 7.x; Recomendaçőes adicionais: - - Auditar arquivos previamente enviados via API de upload do Drupal, de modo a identificar extensőes maliciosas; - - Verificar se arquivos enviados possuem mais de uma extensăo, como por exemplo "arquivo.txt.php" ou "arquivo.html.gif" sem um underscore (_) ao final da extensăo. - - Verificar arquivos suspeitos com extensőes, como, por exemplo: .phar, .php, .pl, .py, .cgi, .asp, .js, .html, .htm, .phtml (lista năo limita aos exemplos citados). IDENTIFICADORES CVE (http://cve.mitre.org) CVE-2020-13671 MAIS INFORMAÇŐES [1] https://www.drupal.org/sa-core-2020-012 [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13671 [3] https://meterpreter.org/cve-2020-13671-drupal-remote-code-execution-vulnerability-alert/ O CAIS recomenda que os administradores mantenham seus sistemas e aplicativos sempre atualizados, de acordo com as últimas versőes e correçőes oferecidas pelos fabricantes. Os alertas do CAIS também podem ser acompanhados pelas redes sociais da RNP. Siga-nos! Twitter: @caisRNP Facebook: facebook.com/RedeNacionaldeEnsinoePesquisaRNP. Atenciosamente, CAIS/RNP ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS) # # Rede Nacional de Ensino e Pesquisa (RNP) # # # # cais em cais.rnp.br http://www.rnp.br/servicos/seguranca # # Tel. 019-37873300 Fax. 019-37873301 # # Chave PGP disponivel https://www.cais.rnp.br/cais-pgp.key # ################################################################ -----BEGIN PGP SIGNATURE----- Version: OpenPGP.js v2.6.2 Comment: https://openpgpjs.org wsFcBAEBCAAQBQJfuBWDCRB83qA0uPj0mAAAl/YP/3VWCaurXuMIVN5H2EAz FMFG6VeOURXUYlOde/PU+kjdI6DlOtZR6t2Xb43vfMHTvwX20QA1dFgJ7xpM +ufABDyGoaGEOla1SudLHNuMp45BsA+blDw2eoHqYLgvXQmCz+ZhO1p3FBVT l/XxsrqMkEqskLuff3WLiG2f2nyaxlVy3CunPfnNr4h/ewyyjeIrpfabrO/R P82kcAv35ZLwnpaQy0AvXn8JZUo4vaKg4DxQfGyXEv8Na84MPZR6vWrt7MCx HAw8hD/dCsgcXlYOyQaQ5V+El1h+8a+ZIcls2b6fBO1Y9c6K+fSp7OdI8UJN 7YxIxkucyRp9unJjG7bkhWmdqPmBd2ezREH/J8fDeHwPRqx8mtdnWsjcNYVn y/uDUw5z6+42ePSrw4A04isJHRiDf7y3W/jP6h+bx352OKYHEQvcQfCf6NqQ 5ZMOIDqW8OkmnAhVH54mWbg2h9A/UFOhNdhf/UZduy2Z2wLFDY6S9GP9UnDt w+im79xwzl6BOkfa2Imwyv7JlOlbW43qxAIaWqtqBzWNiqs2qp1d60m2OYl9 3s5Ri4xNLyZBMX9IqttJO3EOq9nXzXf4NZhxRFxsQXf+FvdnjAmQn5Hlj9bc 0EnEFdoVF//SbODlpdQD/VvpjmHCMT7J9VknwlljyhLz8Jm2TptdDQUO+ELk xnwP =Hvyn -----END PGP SIGNATURE----- _______________________________________________ RNP-Alerta rnp-alerta em listas.rnp.br https://listas.rnp.br/mailman/listinfo/rnp-alerta === Computer Security Incident Response Team - CSIRT Universidade Estadual de Campinas - Unicamp Centro de Computacao - CCUEC GnuPG Public Key: http://www.security.unicamp.br/security.asc [^] Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830 -------------- Próxima Parte ---------- Um anexo em HTML foi limpo... URL: From security em unicamp.br Fri Nov 27 16:07:27 2020 From: security em unicamp.br (CSIRT Unicamp) Date: Fri, 27 Nov 2020 16:07:27 -0300 Subject: [SECURITY-L] =?utf-8?q?Fwd=3A_=5BRNP/CAIS_Alerta_=230059=5D_Vuln?= =?utf-8?q?erabilidades_cr=C3=ADticas_na_plataforma_de_virtualiza?= =?utf-8?b?w6fDo28gVk1XYXJl?= In-Reply-To: <1653458164.33832888.1606495005244.JavaMail.zimbra@rnp.br> References: <1653458164.33832888.1606495005244.JavaMail.zimbra@rnp.br> Message-ID: ---------- Forwarded message --------- De: CAIS/RNP Alerta Date: sex., 27 de nov. de 2020 ŕs 13:50 Subject: [RNP/CAIS Alerta #0059] Vulnerabilidades críticas na plataforma de virtualizaçăo VMWare To: rnp-alerta -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Prezados, CAIS-Alerta [27/11/2020]: Vulnerabilidades críticas na plataforma de virtualizaçăo VMWare O CAIS alerta para as recentes vulnerabilidades críticas encontradas na plataforma de virtualizaçăo VMWare. Até o momento da publicaçăo deste alerta, năo foram identificados códigos de exploraçăo para as vulnerabilidades identificadas. DESCRIÇĂO - -- Execuçăo de comandos arbitrários Foi identificado que componentes do WMware, Workspace One Access (VMware Workspace One Access, Access Connector, Identity Manager e Identity Manager Connector) apresentam uma falha que permite a usuário autenticado em suas respectivas consoles de configuraçăo administrativa, via porta 8443/TCP, realizar a injeçăo de comandos no sistema operacional do host com privilégios irrestritos. - -- Execuçăo de comandos arbitrários Uma falha identificada nos produtos VMware ESXi, Workstation e Fusion permite a existęncia de uma vulnerabilidade do tipo free-after-use nos controladores XHCI USB, permitindo que atacantes locais com privilégios administrativos nos sistemas virtualizados sejam capazes de executar códigos arbitrários nos processos VMX do hypervisor. - -- Escalada de privilégios Foi identificada uma falha junto as chamadas de sistemas dos processos VMX, onde um atacante mesmo com privilégios limitados, é capaz de escalar privilégios junto ao sistema afetado. O sucesso na exploraçăo desta vulnerabilidade só é possível quando atrelado a vulnerabilidade citada acima. SISTEMAS IMPACTADOS VMware Workspace One Access (Access) VMware Workspace One Access Connector (Access Connector) VMware Identity Manager (vIDM) VMware Identity Manager Connector (vIDM Connector) VMware Cloud Foundation vRealize Suite Lifecycle Manager VMware ESXi VMware Workstation Pro / Player (Workstation) VMware Fusion Pro / Fusion (Fusion) VMware Cloud Foundation Escalaçăo de Privilégios VMware ESXi VMware Cloud Foundation (ESXi) VERSŐES AFETADAS VMware Workspace One Access v20.10 (Linux) VMware Workspace One Access v20.01 (Linux) VMware Identity Manager v3.3.3 (Linux) VMware Identity Manager v3.3.2 (Linux) VMware Identity Manager v3.3.1 (Linux) VMware Identity Manager Connector v3.3.2 and 3.3.1 (Linux) VMware Identity Manager Connector v3.3.3, 3.3.2, and 3.3.1 (Windows) VMware Cloud Foundation (vIDM) v4.x (qualquer plataforma) vRealize Suite Lifecycle Manager (vIDM) v8.x (qualquer plataforma) VMware ESXi v7.0 VMware ESXi v6.7 VMware ESXi v6.5 VMware Fusion v11.x VMware Workstation v15.x VMware Cloud Foundation (ESXi) v4.0 VMware Cloud Foundation (ESXi) v3.0 VMware ESXi v7.0 VMware ESXi v6.7 VMware ESXi v6.5 VMware Cloud Foundation (ESXi) v4.0 VMware Cloud Foundation (ESXi) v3.0 CORREÇŐES DISPONÍVEIS Execuçăo de comandos arbitrários Seguir a documentaçăo disponibilizada pelo fabricante disponível em [5] e [6]. Escalada de privilégios Seguir a documentaçăo disponibilizada pelo fabricante disponível em [6]. IDENTIFICADORES CVE (http://cve.mitre.org) CVE-2020-4006 CVE-2020-4004 CVE-2020-4005 MAIS INFORMAÇŐES [1] https://www.vmware.com/security/advisories/VMSA-2020-0027.html [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006 [3] https://www.kb.cert.org/vuls/id/724367 [4] https://nvd.nist.gov/vuln/detail/CVE-2020-4006 [5] https://kb.vmware.com/s/article/81731 [6] https://www.vmware.com/security/advisories/VMSA-2020-0026.html [7] https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.vm_admin.doc/GUID-ACA30034-EC88-491B-8D8B-4E319611C308.html [8] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4004 [9] https://nvd.nist.gov/vuln/detail/CVE-2020-4004 [10] https://nvd.nist.gov/vuln/detail/CVE-2020-4005 [11] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4005 O CAIS recomenda que os administradores mantenham seus sistemas e aplicativos sempre atualizados, de acordo com as últimas versőes e correçőes oferecidas pelos fabricantes. Os alertas do CAIS também podem ser acompanhados pelas redes sociais da RNP. Siga-nos! Twitter: @RedeRNP Facebook: facebook.com/RedeNacionaldeEnsinoePesquisaRNP. Atenciosamente, CAIS/RNP ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS) # # Rede Nacional de Ensino e Pesquisa (RNP) # # # # cais em cais.rnp.br http://www.rnp.br/servicos/seguranca # # Tel. 019-37873300 Fax. 019-37873301 # # Chave PGP disponivel https://www.cais.rnp.br/cais-pgp.key # ################################################################ -----BEGIN PGP SIGNATURE----- Version: OpenPGP.js v2.6.2 Comment: https://openpgpjs.org wsFcBAEBCAAQBQJfwSsTCRB83qA0uPj0mAAAwrkP/2IQLVf+DJbHS3y9Mcig Y6wiaS7Hf7JrOzuRcKTzN1h992rb6nyzfAZMRN2Vnb6e5L2lq/LWIa2HBqk1 J+B5yP6e7ODiJ83zQfq9S5bE0dbhIc87SMDTnA0sHVCX7hROPIt2YlUY1aOv DQiFtmDyT4FE/WJec/h7IWaTSGmvcWQT5Bie9pEw98APjcXksHUS0QktjqES 7jkamaRLi3bBLx4GPYaMPN5781TE6l0yaaxVogmhqkVEQyitREOng6n/v7vP 6ZdcXDhm8qRveJc0hzB+XSQW87jYoE/3f1sBTNSgYH1HbWJ2CRdpNFScQsaD TRCn++nHhbTk5YcevxQJOyKAChX/j4xXcrkQFKOg7qrZM3v+iGe5dP8qCbj6 8VbUSpoKCyf9XRIadPXxvxPQkFAhUDM2ub8wqJrtEtTbpqukkH6A/Egz6z+l hZLPN27asTatVsUC5vxmeqGjO6pVRWaFQYIddv3xLmKILqMR1RuUVss25M47 XE9IotwYuPy/LPiwOy549E4qWwOHnRnGw7ICiA9xJuzFV9TpFsINGDk2q6lW 1WGT5vxQ3stVObcsJnw7SeiYcn5pLN3auGe07/bog+bnRj5rO/BIZFp9rLVg 6A7+bBGJk6ekZI1teqfIWmtsp7Ya82nv8iu2ypDEc0ulzwUeuCnW2MpA47w+ kly3 =rNgV -----END PGP SIGNATURE----- _______________________________________________ RNP-Alerta rnp-alerta em listas.rnp.br https://listas.rnp.br/mailman/listinfo/rnp-alerta -------------- Próxima Parte ---------- Um anexo em HTML foi limpo... URL: