Security Advisories
-
2019-021: Detecting and Preventing Emotet 2019 Campaign
Monday, September 30, 2019 11:18:00 AM CEST
Since the beginning of June 2019, the Emotet botnet had stopped sending phishing emails to infect new victims. However, on August 22nd, 2019, the known Command-and-Control (CnC) servers started responding again, and since September 16th, 2019, CERT-EU has been observing new phishing campaigns. To help detect and prevent infection, CERT-EU analysed the behaviour of these new Emotet versions and provides recommendations for SOC teams in this advisory.
-
2019-020: Simjacker Vulnerability Impacting up to 1 Billion Phone Users
Friday, September 13, 2019 06:07:00 PM CEST
AdaptiveMobile Security has uncovered a new and previously undetected vulnerability, and associated exploits, called Simjacker. The vulnerability is currently being actively exploited. The main Simjacker attack involves sending an SMS containing a specific type of spyware-like code to a mobile phone; the message instructs the SIM card inside the phone to "take over" the device, retrieve sensitive information and execute commands. During the attack the user is completely unaware that the message was received, that information was retrieved, and that it was successfully exfiltrated.
-
2019-019: Critical Exim TLS Vulnerability
Monday, September 09, 2019 03:46:00 PM CEST
Exim Mail Transfer Agent (MTA) servers are exposed to a security vulnerability that can allow attackers to run malicious code with root privileges. The vulnerability has been assigned CVE-2019-15846. It is particularly critical because over 50% of the MTAs in the world run Exim.
-
2019-018: Cisco Critical Vulnerability Affecting IOS XE Software
Friday, August 30, 2019 11:58:00 AM CEST
A major vulnerability affecting the Cisco IOS XE operating system has been disclosed. The vulnerability, identified as CVE-2019-12643, allows a remote attacker to bypass authentication and gain full control of a device that is running an outdated version of the REST API virtual service container. This CVE has received the highest possible severity score of 10.
-
2019-017: Vulnerabilities in Popular VPNs
Monday, August 26, 2019 01:48:00 PM CEST
Several vulnerabilities impacting popular VPN products (by Palo Alto, Pulse Secure, and Fortinet) have recently been seen being exploited in the wild. In the most severe cases, the vulnerabilities allow remote code execution. Although the vulnerabilities were reported to the vendors much earlier and have since been fixed, many services remain unpatched, and a significant amount of scanning and exploitation has recently been observed in the wild. It is therefore imperative to patch as soon as possible.
-
2019-016: Several Vulnerabilities in JQuery
Friday, August 23, 2019 05:33:00 PM CEST
The popular JavaScript library jQuery has multiple cross-site scripting (XSS) vulnerabilities. While they are not rated critical, jQuery's widespread use means the flaws may be reachable in many different ways, so it is strongly advisable to upgrade jQuery to the latest version.
-
2019-015: CSRF Vulnerability in Cisco IOS XE Software Web UI
Friday, June 14, 2019 03:33:00 PM CEST
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the web user interface (web UI) of Cisco IOS XE Software. In some Cisco products, the web UI has insufficient CSRF protection, so an attacker who lures an authenticated web UI user to a malicious page can have that user's browser issue requests to the device. This could allow the attacker to perform actions on the device with the permissions of the victim.
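To make the mechanism concrete, the following added example (not Cisco's code, and not part of the original advisory) models a hypothetical "change admin password" handler in two variants: one that only checks the session cookie, which a victim's browser attaches automatically to a cross-site form POST, and one that additionally requires a per-session synchronizer token (plus a Fetch Metadata check as defence in depth). The request model, session store, paths and form fields are all assumptions made for the illustration; the request objects are constructed inline rather than captured.

```python
"""CSRF: cookie-only authorisation versus a synchronizer token (added example).

Hypothetical handler for a device web UI; nothing here is Cisco's code.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# In-memory session store (assumption): session id -> {"user", "csrf_token"}
SESSIONS = {}


@dataclass
class Request:
    """Minimal model of an HTTP request as the server would see it."""
    method: str
    path: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def login(user):
    """Create a session and a per-session CSRF token; return the session id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(32)}
    return sid


def _session(req):
    return SESSIONS.get(req.cookies.get("session"))


def handle_unprotected(req, state):
    """Vulnerable variant: a valid session cookie is the only check.

    The browser sends that cookie on a cross-site form POST too, so a
    forged request from an attacker's page is accepted as the victim.
    """
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return 403
    state["admin_password"] = req.form["new_password"]
    return 200


def handle_protected(req, state):
    """Hardened variant: require the synchronizer token from the form body."""
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return 403
    # The token is embedded in the legitimate page as a hidden field; the
    # attacker's page cannot read it cross-origin. Constant-time compare.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf_token"]):
        return 403
    # Defence in depth: modern browsers set Sec-Fetch-Site on cross-site
    # navigations/form posts. A missing header (old client) is allowed here.
    if req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return 403
    state["admin_password"] = req.form["new_password"]
    return 200


def forged_request(victim_sid):
    """What the victim's browser emits when an attacker page auto-submits a form
    to the device: the session cookie rides along, the CSRF token does not."""
    return Request(
        "POST", "/admin/password",
        cookies={"session": victim_sid},
        form={"new_password": "attacker-chosen"},
        headers={"Sec-Fetch-Site": "cross-site"},
    )


def legitimate_request(sid):
    """A POST from the real web UI page, carrying the hidden token."""
    return Request(
        "POST", "/admin/password",
        cookies={"session": sid},
        form={"new_password": "user-chosen", "csrf_token": SESSIONS[sid]["csrf_token"]},
        headers={"Sec-Fetch-Site": "same-origin"},
    )


def demo():
    """Run the forged request against both handlers, then a legitimate one.

    Returns (status_unprotected, pw_unprotected, status_forged_protected,
             status_legit_protected, pw_protected).
    """
    sid = login("admin")
    unprotected = {"admin_password": "original"}
    protected = {"admin_password": "original"}
    r1 = handle_unprotected(forged_request(sid), unprotected)
    r2 = handle_protected(forged_request(sid), protected)
    r3 = handle_protected(legitimate_request(sid), protected)
    return r1, unprotected["admin_password"], r2, r3, protected["admin_password"]


if __name__ == "__main__":
    print(demo())
```

The unprotected handler changes the password on the forged request, the protected one refuses it and still accepts the genuine submission. The token check is the primary control; the Fetch Metadata header is only a secondary layer, since it is absent from older clients and must not be relied on alone.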
-
2019-014: Critical Vulnerabilities in Microsoft NTLM
Thursday, June 13, 2019 03:56:00 PM CEST
Two critical Microsoft vulnerabilities were discovered by the research team at Preempt. Together they consist of three logical flaws in NTLM (NT LAN Manager). The vulnerabilities potentially allow an attacker to execute malicious code remotely, or to authenticate to any HTTP server that supports Windows Integrated Authentication (WIA), such as Exchange or ADFS.
-
2019-013: UPDATED 07/2019: Remote Desktop Services -- Remote Code Execution Vulnerability
Thursday, May 16, 2019 04:22:00 PM CEST
Microsoft has released fixes for a critical Remote Code Execution vulnerability (CVE-2019-0708) in Remote Desktop Services that affects some older versions of Windows. The vulnerability has since been named BlueKeep. The Remote Desktop Protocol (RDP) itself is not vulnerable. The flaw is pre-authentication and requires no user interaction; in other words, it is "wormable", meaning that malware exploiting it could propagate from vulnerable computer to vulnerable computer in much the same way as WannaCry spread across the globe in 2017. Exploits appear to already exist.
-
2019-012: Thrangrycat – Critical Vulnerability Affecting Most Cisco Devices
Tuesday, May 14, 2019 05:23:00 PM CEST
Cisco Secure Boot helps to ensure that the code executing on Cisco hardware platforms is authentic and unmodified. The Cisco Secure Boot Hardware Tampering vulnerability (CVE-2019-1649) could allow an authenticated, local attacker to write a modified firmware image to the component. A successful exploit could either render the device unusable (requiring a hardware replacement) or allow tampering with the Secure Boot verification process. When chained with the Cisco IOS XE Software Web UI command injection vulnerability, the attack may also be possible from a remote network.
-
2019-011: Cisco Critical Vulnerability Affecting Nexus 9000 Switches
Friday, May 03, 2019 03:53:00 PM CEST
A critical vulnerability affecting Nexus 9000 switches has recently been disclosed. The vulnerability, identified as CVE-2019-1804, stems from a hardcoded SSH key pair that could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user.
-
2019-010: UPDATE: Oracle WebLogic 0-day Vulnerability
Friday, April 26, 2019 05:00:00 PM CEST
A highly critical zero-day vulnerability in Oracle WebLogic Server has been disclosed, and attackers may already have started exploiting it in the wild. The vulnerability potentially allows attackers to remotely execute arbitrary commands. Oracle has issued an out-of-band security update to address it.
-
2019-009: Confluence Server Critical Remote Code Execution Vulnerability
Monday, April 15, 2019 02:07:00 PM CEST
A server-side template injection vulnerability has been discovered in the Widget Connector of Confluence Server and Data Center. An attacker able to exploit this issue could achieve path traversal and remote code execution on systems running a vulnerable version of Confluence Server or Data Center.
-
2019-008: VMware ESXi, Workstation, and Fusion Multiple Security Vulnerabilities
Tuesday, April 02, 2019 04:55:00 PM CEST
VMware has released security updates addressing vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system, including executing code on the host from within a guest.
-
2019-007: UPDATE: Operation ShadowHammer – Compromised ASUS Computers
Tuesday, March 26, 2019 12:17:00 PM CET
In January 2019, Kaspersky discovered a supply chain attack affecting ASUS computers. Dubbed Operation ShadowHammer, the operation took place from June to November 2018 and is similar to the earlier supply chain attacks on NetSarang and CCleaner. Around 500,000 computers could potentially have been impacted, although the malware appears to have targeted only a few hundred specific MAC addresses (around 660 identified so far). ASUS has now released a fix and a diagnostic tool.
-
2019-006: Adobe ColdFusion Critical Arbitrary Code Execution
Monday, March 11, 2019 10:24:00 AM CET
A critical vulnerability (CVE-2019-7816) in the web application development platform Adobe ColdFusion has recently been patched. The vulnerability allows attackers to execute arbitrary code by bypassing a file upload restriction. Adobe has released a Security Bulletin with information on the patches available for the affected versions.
-
2019-005: UPDATE: Critical Flaw in Drupal Allows Remote Code Execution
Friday, February 22, 2019 04:38:00 PM CET
Drupal has released an important security update that patches a remote code execution vulnerability (CVE-2019-6340). The vulnerability is caused by data passed into the RESTful web service without strict verification; successful exploitation can result in remote code execution on the target host. RESTful services are not enabled by default, which greatly reduces the exposure. Drupal users are nevertheless advised to upgrade in a timely manner.
-
2019-004: WordPress Remote Code Execution
Thursday, February 21, 2019 04:45:00 PM CET
A critical remote code execution vulnerability in WordPress versions prior to 5.0.3 has been disclosed. An attacker who gains access to an account with at least author privileges on a WordPress installation could exploit the flaw to execute arbitrary PHP code on the underlying server.
-
2019-003: RunC Vulnerability Affecting Container Management Systems
Wednesday, February 13, 2019 01:58:00 PM CET
A container breakout flaw has been found in runC, the underlying runtime used by containerization (operating-system-level virtualization) software. The vulnerability, CVE-2019-5736, dubbed "runc container breakout", allows a specially crafted container to gain administrative privileges on the host. Exploits for this vulnerability are already circulating in the wild.
-
2019-002: Privilege Escalation Exploiting MS Exchange
Thursday, January 31, 2019 03:32:00 PM CET
A vulnerability has been discovered in Microsoft Exchange Server that allows a regular user to escalate privileges and gain Domain Administrator access. By abusing the privileged role that Exchange servers normally hold by default in Active Directory (AD) infrastructures, an attacker can impersonate a mail server, perform an NTLM relay attack, and gain access to the Domain Controller's secrets (e.g. NTLM hashes and Kerberos keys).
-
2019-001: Web Cache Poisoning Vulnerabilities
Thursday, January 24, 2019 09:15:00 AM CET
Web cache poisoning has long been considered a theoretical threat. However, published research describes practical examples of this type of attack, and there have recently been documented cases of exploitation of such vulnerabilities on production systems.