Happy Thanksgiving edition of the Security Wrap-Up! Well, Happy Thanksgiving to all of my US counterparts. Unfortunately, none of these articles have anything to do with dressing, turkey, or green bean casserole, but they’re good reads to get you through the day. And one day closer to stuffing your face!
VMware Zero-Day bug allows command injection
Tracked as CVE-2020-4006, this bug impacts both Windows and Linux operating systems and VMware’s Workspace One. The bug has a CVSS severity rating of 9.1 out of 10. “A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware wrote. At this point, patches are forthcoming and workarounds for a temporary solution are available. These workarounds are outlined by VMware as a “temporary solution only, and customers are advised to follow VMSA-2020-0027 to be alerted when patches are available.” (Temporary workarounds can be found here.)
How to identify Cobalt Strike on your network
Cobalt Strike has become one of the most prevalent threat emulation software packages, but with its combination of multiple exploitation techniques, it’s also a platform of choice for attackers. And unfortunately, many common antivirus systems frequently miss Cobalt Strike in their scans due to its numerous evasion techniques - obfuscating the shellcode and leveraging a domain-specific language called Malleable Command and Control (Malleable C2). Fortunately, Cobalt Strike leaves distinct network markers that can help you root it out on your network. I could summarize here, but I think it’s best to read the full breakdown in the Dark Reading link above!
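As an added illustration of what "distinct network markers" means in practice (example code written for this wrap-up, not from the post above or from the Dark Reading article), the script below checks two markers that public Cobalt Strike research has documented and that the page itself does not name: the stock self-signed certificate shipped with the team server (subject fields such as "Major Cobalt Strike" and a fixed serial number) and the extraneous space before CRLF in HTTP status lines emitted by team servers older than 3.13. The observations it scans are constructed sample records with an assumed field layout, not real capture data. Note the caveat the Malleable C2 point implies: an operator who supplies a custom certificate and profile removes both markers, so a clean result is not evidence of absence.

```python
import re

# Constructed sample observations (not from any real capture). Field layout
# is an assumption for this example: TLS certificate subject and serial seen
# on a server, plus the raw HTTP status line it returned.
SAMPLE_OBSERVATIONS = [
    {
        "host": "10.0.0.5",
        "cert_subject": "CN=Major Cobalt Strike, OU=AdvancedPenTesting, "
                        "O=cobaltstrike, L=Somewhere, ST=Cyberspace, C=Earth",
        "cert_serial": 146473198,
        "status_line": "HTTP/1.1 200 OK \r\n",
    },
    {
        "host": "10.0.0.9",
        "cert_subject": "CN=www.example.test, O=Example Corp, C=US",
        "cert_serial": 987654321,
        "status_line": "HTTP/1.1 200 OK\r\n",
    },
    {
        "host": "10.0.0.12",
        "cert_subject": "CN=update.example.test, O=Example Corp, C=US",
        "cert_serial": 42,
        "status_line": "HTTP/1.1 404 Not Found \r\n",
    },
]

# Serial and subject fragments of the default Cobalt Strike team server
# certificate, as documented in public research (not taken from this page).
DEFAULT_CERT_SERIAL = 146473198
DEFAULT_CERT_MARKERS = ("Major Cobalt Strike", "AdvancedPenTesting", "cobaltstrike")

# Status line with a space immediately before the line terminator, the
# NanoHTTPD quirk present in team servers before version 3.13.
STATUS_LINE_RE = re.compile(r"^HTTP/1\.[01] \d{3} [^\r\n]*? \r?\n$")


def has_extraneous_space(status_line):
    """True if the HTTP status line carries the pre-3.13 trailing space."""
    return STATUS_LINE_RE.match(status_line) is not None


def uses_default_certificate(cert_subject, cert_serial):
    """True if the certificate matches the stock team server certificate."""
    if cert_serial == DEFAULT_CERT_SERIAL:
        return True
    return any(marker in cert_subject for marker in DEFAULT_CERT_MARKERS)


def score_observation(obs):
    """Return the list of marker names that fire for one observation."""
    findings = []
    if uses_default_certificate(obs["cert_subject"], obs["cert_serial"]):
        findings.append("default-certificate")
    if has_extraneous_space(obs["status_line"]):
        findings.append("extraneous-space-status-line")
    return findings


def triage(observations):
    """Map host -> findings for every host with at least one marker."""
    flagged = {}
    for obs in observations:
        findings = score_observation(obs)
        if findings:
            flagged[obs["host"]] = findings
    return flagged


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_OBSERVATIONS).items():
        print(f"{host}: {', '.join(findings)}")
```

Feeding real data into `triage` would mean extracting the certificate subject and serial from your TLS inspection or passive DNS/certificate logs and the raw status line from a proxy or packet capture; each marker on its own is a lead to investigate, not a verdict.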
German COVID-19 contact-tracing app vulnerability allowed RCE
A security vulnerability was discovered by Alvaro Muñoz and his team at GitHub Security Labs, affecting Germany’s official COVID-19 contact-tracing app, called the Corona-Warn-App (CWA). This vulnerability would have allowed pre-authenticated remote code execution (RCE). The vulnerable code was located in the Submission Service, a microservice built on top of the Spring Boot framework that is responsible for validating the information CWA users submit. In the end, not only did the team squash an important security bug, but it also became a success story for the merits of open source.
Facebook has paid out $11.7 million in bug bounties since 2011
Need some extra cash for the holidays? Last week, Facebook announced that they’ve paid out more than $11.7 million in bug bounties since 2011. To date, more than 50,000 researchers have signed up for the company’s bug bounty program, and approximately 1,500 of them have received a bug bounty reward. In 2020 alone, the company awarded more than $1.98 million to security researchers from over 50 countries, and has paid two of the highest bounty rewards to date. The most notable reports this year were for vulnerabilities identified in the Content Delivery Network (CDN) and in Messenger for Android.
What important security updates have you seen this week?