阅读: 104
绿盟科技发布了本周安全通告,周报编号NSFOCUS-18-45,绿盟科技漏洞库本周新增53条,其中高危7条。本次周报建议大家关注QEMU NVM Express Controller 缓冲区溢出漏洞等,此漏洞位于nvme设备的nvme_cmb_ops例程中。攻击者可利用该漏洞造成拒绝服务,也可能运行任意代码。目前厂商已经发布了升级补丁,请用户及时到厂商主页下载补丁修复这个安全问题。
文章目录
焦点漏洞 QEMU NVM Express Controller 缓冲区溢出漏洞 CVE ID CVE-2018-16847 NSFOCUS ID 41849 受影响版本 QEMU QEMU 漏洞点评 QEMU在NVM Express Controller模拟中存在基于堆的缓冲区溢出漏洞。此漏洞位于nvme设备的nvme_cmb_ops例程中。攻击者可利用该漏洞造成拒绝服务,也可能运行任意代码。目前厂商已经发布了升级补丁,请用户及时到厂商主页下载补丁修复这个安全问题。(数据来源:绿盟科技安全研究部&产品规则组)
一. 互联网安全威胁态势 1.1 CVE统计最近一周CVE公告总数与前期相比有明显增长。
1.2 威胁信息回顾 标题:HSBC Bank Data Breach Exposed Account Numbers, Balances, and More By 时间:2018-11-06 简介:A data breach at HSBC Bank has allowed attackers to gain access to a limited amount of customer’s information such as account numbers, balances, addresses, transaction history, and much more. 链接:https://www.bleepingcomputer.com/news/security/hsbc-bank-data-breach-exposed-account-numbers-balances-and-more/ 标题:November Android Security Update Fixes Critical Bugs, Drops Media Library 时间:2018-11-07 简介:Google released to all users and partners its November security bulletin for the Android operating system, with fixes for critical remote code execution (RCE) and privilege escalation vulnerabilities. 链接:https://www.bleepingcomputer.com/news/security/november-android-security-update-fixes-critical-bugs-drops-media-library/ 标题:Vulnerabilities’ CVSS scores soon to be assigned by AI 时间:2018-11-05 简介:The National Institute of Standards and Technology (NIST) is planning to use IBM’s Watson to evaluate how critical publicly reported computer vulnerabilities are and assign an appropriate severity score. 链接:https://www.helpnetsecurity.com/2018/11/05/ai-assigns-cvss-scores/ 标题:Cambodia’s ISPs hit by some of the biggest DDoS attacks in the country’s history 时间:2018-11-08 简介:Several of Cambodia’s biggest internet service providers (ISPs) have been hit by large-scale DDoS attacks over the last few days. 链接:https://www.zdnet.com/article/cambodias-isps-hit-by-some-of-the-biggest-ddos-attacks-in-the-countrys-history/ 标题:Popular WooCommerce WordPress Plugin Patches Critical Vulnerability 时间:2018-11-06 简介:If you own an eCommerce website built on WordPress and powered by WooCommerce plugin, then beware of a new vulnerability that could compromise your online store. 链接:https://thehackernews.com/2018/11/woocommerce-wordpress-hacking.html 标题:Amex India data breach saw 700,000 customers information inadvertently exposed online 时间:2018-11-08 简介:Around 700,000 customers of American Express India’s data was left exposed in an unsecured database. The accidental data leak was caused by a MongoDB server that was left exposed without any password protection. 链接:https://cyware.com/news/amex-india-data-breach-saw-700000-customers-information-inadvertently-exposed-online-40b84b0c 标题:UK Government Warns Telcos of 5G Security Review 时间:2018-11-06 简介:The UK government has reminded 5G network providers to ensure their suppliers are heavily vetted for security, in what could signal a change of approach to a major Chinese telecoms player. 链接:https://www.infosecurity-magazine.com/news/uk-government-warns-telcos-5g/ 标题:USB drives are primary vector for destructive threats to industrial facilities 时间:2018-11-07 简介:USB removable storage devices are the main vector for malware attacks against industrial facilities, states Honeywell report. 链接:https://securityaffairs.co/wordpress/77676/malware/industrial-facilities-malware.html 标题:GPU side channel attacks can enable spying on web activity, password stealing 时间:2018-11-06 简介:Computer scientists at the University of California, Riverside have revealed for the first time how easily attackers can use a computer’s graphics processing unit, or GPU, to spy on web activity, steal passwords, and break into cloud-based applications. 链接:https://www.helpnetsecurity.com/2018/11/06/gpu-side-channel-attacks/ 标题:VirtualBox Zero-Day Vulnerability Details and Exploit Are Publicly Available 时间:2018-11-06 简介:A Russian vulnerability researcher and exploit developer has published detailed information about a zero-day vulnerability in VirtualBox. His explanations include step-by-step instructions for exploiting the bug.According to the initial details in the disclosure, the issue is present in a shared code base of the virtualization software, available on all supported operating systems. 链接:https://www.bleepingcomputer.com/news/security/virtualbox-zero-day-vulnerability-details-and-exploit-are-publicly-available/(数据来源:绿盟科技 威胁情报与网络安全实验室 收集整理)
二. 漏洞研究 2.1 漏洞库统计截止到2018年11月9日,绿盟科技漏洞库已收录总条目达到41879条。本周新增漏洞记录53条,其中高危漏洞数量7条,中危漏洞数量29条,低危漏洞数量17条。
Red Hat Gluster Storage glusterfs server拒绝服务漏洞(CVE-2018-14661) 危险等级:中 cve编号:CVE-2018-14661 JasPer 拒绝服务安全漏洞(CVE-2018-18873) 危险等级:低 cve编号:CVE-2018-18873 EmpireCMS 任意代码执行安全漏洞(CVE-2018-18869) 危险等级:低 cve编号:CVE-2018-18869 IBM WebSphere Application Server Liberty OpenID Connect任意代码执行漏洞(CVE-2018-1851) 危险等级:中 cve编号:CVE-2018-1851 MiniCMS 任意代码执行安全漏洞(CVE-2018-18892) 危险等级:低 cve编号:CVE-2018-18892 MiniCMS 任意文件删除安全漏洞(CVE-2018-18891) 危险等级:低 cve编号:CVE-2018-18891 MiniCMS 信息泄露安全漏洞(CVE-2018-18890) 危险等级:低 cve编号:CVE-2018-18890 IBM Robotic Process Automation with Automation Anywhere 安全漏洞(CVE-2018-1552) 危险等级:中 cve编号:CVE-2018-1552 IBM Robotic Process Automation with Automation Anywhere信息泄露安全漏洞(CVE-2018-1876) 危险等级:中 cve编号:CVE-2018-1876 IBM Robotic Process Automation with Automation Anywhere 信息泄露漏洞(CVE-2018-1877) 危险等级:中 cve编号:CVE-2018-1877 IBM Robotic Process Automation with Automation Anywhere信息泄露漏洞(CVE-2018-1878) 危险等级:低 cve编号:CVE-2018-1878 Cisco ASA和FTD拒绝服务漏洞(CVE-2018-15454) 危险等级:高 cve编号:CVE-2018-15454 Cisco Advanced Malware Protection for Endpoints for windows拒绝服务安全漏洞 危险等级:中 cve编号:CVE-2018-15452 QEMU ‘NBD_OPT_LIST’缓冲区溢出漏洞(CVE-2017-2630) 危险等级:中 BID:96265 cve编号:CVE-2017-2630 Pidgin