News

Summary

The Information Security Office is aware of published reports that there are flaws in the built-in Mail app on iPhones. These flaws reportedly allow attackers to get remote access in the context of the Mail app without any interaction on the users part. [1]

Summary

The Information Security Office (ISO) is aware of the new, unpatched Windows Zero-day exploit, that has been reported by Microsoft[1] and in the press[2]. The vulnerability is currently unpatched; however, workarounds are available.

Summary

*** Patch Windows 10 and affected Windows Server 2019 systems IMMEDIATELY, even where there is a potential business impact (unscheduled maintenance). Notify security@berkeley.edu if you anticipate delays in patching. ***

Summary

Mozilla has published an out-of-band patch for Mozilla Firefox and Firefox Extended Support Release (ESR).  It fixes a type confusion vulnerability in Mozilla’s Javascript compiler, IonMonkey. This vulnerability is identified as CVE-2019-17026. [1]

Mozilla’s advisory states they are “aware of targeted attacks in the wild abusing this flaw.” Based on this note in the advisory, it appears the vulnerability was exploited in the wild as a zero-day. [2]

Summary

Impact

Summary

A vulnerability has been discovered in Exim, which could allow for unauthenticated remote attackers to execute arbitrary system commands on the mail server. Exim is a mail transfer agent used to deploy mail servers on Unix-like systems. Successful exploitation of this vulnerability will enable the attacker to perform command execution as root in the context of the mail server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Summary

A vulnerability has been discovered in PHP 7.3 (the latest release series) that could allow an attacker to execute arbitrary code. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.  [1]

Summary

A vulnerability has been publicly disclosed in the Mac version of Zoom that allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission. [1]

Advisory 

Summary

Serious security vulnerabilities have been discovered in the Ruby on Rails web application framework including a remote file content disclosure flaw and a Denial of Service (DoS) vulnerability. Please read the References links below to learn if your Rails application is affected.

Impact

Summary

A highly critical bug has been discovered in Drupal that can be used for remote code execution [1].  Drupal is a Content Management System (CMS) commonly used to host websites. In the past this sort of exploit has been used to deliver remote access tools, ransomware, and cryptominers to web servers [2]. Based on similar exploits against various CMS software in the past, we can expect that attackers will begin exploiting this software quickly.

Summary

Open Containers runc is prone to a local command-execution vulnerability. Runc is a command line utility designed to spawn container systems. It is the container runtime that underpins many open source container management systems including Docker, Kubernetes, containerd, Podman, and CRI-O. [1] [3]

Summary

Microsoft just published an out-of-band patch for Internet Explorer. It fixes a memory corruption vulnerability in the scripting engine. This vulnerability is identified as CVE-2018-8653.

When successfully exploited, Internet Explorer could execute arbitrary code in the context of the current user. To exploit the vulnerability, the victim must just visit a malicious web page delivered through a phishing email or social engineering. [1]

Summary

A critical remote code execution vulnerability has been discovered in Apache Struts, a popular open source framework for developing web applications in the Java programming language. [1] In the past, Apache Struts RCE vulnerabilities have been weaponized in less than 24 hours -- one of which resulted in the Equifax breach that totaled over $600 million in cost. [2]

Summary

A vulnerability has been discovered in Oracle Database that could allow for complete compromise of the database, as well as shell access to the underlying server. [1] . The vulnerability resides in the Java Virtual Machine component of the Oracle Database Server and does not require user interaction. The vulnerability allows low-privileged attackers that have Create Session privilege with network access via Oracle Net to compromise the Java VM component.

NOTE: These vulnerabilities are already being exploited in the wild. If you have an affected Drupal site, update IMMEDIATELY!

Summary

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. [1]