ISC BIND CVE-2017-3138 Remote Denial of Service Vulnerability
Juniper NorthStar Controller Application CVE-2017-2319 Authentication Bypass Vulnerability
Juniper NorthStar Controller Application CVE-2017-2323 Denial of Service Vulnerability

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

LibreOffice CVE-2017-7870 Heap Buffer Overflow Vulnerability
IBM API Connect CVE-2017-1161 Command Execution Vulnerability
Juniper NorthStar Controller Application CVE-2017-2318 Remote Privilege Escalation Vulnerability
IBM Marketing Platform CVE-2016-0228 Open Redirect Vulnerability
FFmpeg CVE-2017-7859 Heap Buffer Overflow Vulnerability
LibreOffice CVE-2017-7856 Heap Buffer Overflow Vulnerability
FFmpeg CVE-2017-7866 Stack Buffer Overflow Vulnerability
X Server Local Multiple Security Vulnerabilities
Juniper NorthStar Controller Application CVE-2017-2316 Local Buffer Overflow Vulnerability
X.Org libXi CVE-2016-7946 Multiple Unspecified Security Vulnerabilities

A computer screen displaying Eternalromance, one of the hacking tools dumped Friday by Shadow Brokers. (credit: Matthew Hickey)

The Shadow Brokers—the mysterious person or group that over the past eight months has leaked a gigabyte worth of the National Security Agency's weaponized software exploits—just published its most significant release yet. Friday's dump contains potent exploits and hacking tools that target most versions of Microsoft Windows and evidence of sophisticated hacks on the SWIFT banking system of several banks across the world.

Friday's release—which came as much of the computing world was planning a long weekend to observe the Easter holiday—contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date.

"It is by far the most powerful cache of exploits ever released," Matthew Hickey, a security expert and co-founder of Hacker House, told Ars. "It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it. A number of these attacks appear to be 0-day exploits which have no patch and work completely from a remote network perspective."



[This exploit is now confirmed to work]

To protect yourself from this exploit, disable SMBv1 (see this KB article from Microsoft for details) and make sure you are blocking port 445. So far I haven't seen anything official from Microsoft regarding this issue.
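As an added defender-side example (not part of this diary): a PowerShell script that audits whether the SMBv1 server is enabled and whether inbound TCP/445 is blocked on the local host, and that applies both mitigations when run with -Remediate from an elevated prompt. It assumes the SmbShare and NetSecurity cmdlets shipped with Windows 8/Server 2012 and later; the fallback for Windows 7/Server 2008 R2 (the LanmanServer "SMB1" registry value and netsh) is my assumption of the older equivalent, and the firewall rule name is made up.

```powershell
# Added example, not code from the ISC diary. Audit-only by default; -Remediate disables
# SMBv1 and adds an inbound block for TCP/445. Run from an elevated PowerShell.
[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch nothing is changed
)

# Assumption: on Windows 7 / 2008 R2 the SMB1 DWORD under this key controls SMBv1
# (absent or non-zero = enabled), per Microsoft's SMBv1 guidance.
$smbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ruleName  = 'Block inbound SMB TCP-445 (added by audit script)'   # made-up name

function Get-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = (Get-ItemProperty -Path $smbParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        New-ItemProperty -Path $smbParams -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Warning 'Registry value set; restart the Server service or reboot for it to take effect.'
    }
}

function Test-Port445Blocked {
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        return [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
    }
    # Older hosts: netsh prints "No rules match" when the rule does not exist.
    $out = netsh advfirewall firewall show rule name="$ruleName" 2>&1
    return -not ($out -match 'No rules match')
}

function Block-Port445 {
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    } else {
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=445 | Out-Null
    }
}

function Show-State {
    # Report SMBv1 status, whether anything listens on 445, and whether the block rule exists.
    $listening = $false
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
    Write-Host ('SMBv1 server enabled : {0}' -f (Get-Smb1Enabled))
    Write-Host ('TCP/445 listening    : {0}' -f $listening)
    Write-Host ('Inbound 445 blocked  : {0}' -f (Test-Port445Blocked))
}

Show-State
if ($Remediate) {
    if (Get-Smb1Enabled)          { Disable-Smb1 }
    if (-not (Test-Port445Blocked)) { Block-Port445 }
    Write-Host '--- after remediation ---'
    Show-State
}
```

Running it without -Remediate is safe for a quick fleet check (for example via a remoting session); the host-level firewall rule is a local backstop only, and the perimeter block on 445 the diary recommends still belongs on the network edge.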

The Shadow Brokers, as part of the set of exploits they collected and had offered for auction, today released a number of Windows-related exploits. One that looks particularly interesting, as it promises an exploit via SMB against Windows hosts up to Windows 8 and Windows Server 2012, was published under the name ETERNALBLUE.

Right now, I haven't been able to make it fully work yet, but I was able to collect some packets to a Windows 7 system. By default, the exploit makes three attempts against a system. An XML file accompanying the exploit allows the attacker to configure various parameters.

In general, an SMB exploit *should* not be all that exciting these days, as blocking port 445 is standard best practice. I am attaching a link to a packet capture below to allow you to analyze it further. In the packet capture, the vulnerable host's IP address is

After repeated attempts, the Windows 7 host crashed.


Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Oracle April 2017 Critical Patch Update Multiple Vulnerabilities
Concrete5 CVE-2017-7725 HTML Injection Vulnerability
Drupal Book access Module Unspecified Security Vulnerability
WordPress Spider Event Calendar Plugin CVE-2017-7719 Multiple SQL Injection Vulnerabilities
Samsung SecEmailSync CVE-2016-2565 Information Disclosure Vulnerability
Samsung SecEmailSync CVE-2016-2566 SQL Injection Vulnerability
ISC BIND CVE-2017-3136 Remote Denial of Service Vulnerability
ISC BIND CVE-2017-3137 Remote Denial of Service Vulnerability
Multiple Samsung Galaxy Products CVE-2016-4032 Security Bypass Vulnerability
Drupal References Module Unspecified Security Vulnerability
GNU oSIP 'osipparser2/osip_message_parse.c' Heap Buffer Overflow Vulnerability
Drupal Media Module Unspecified Security Vulnerability
Drupal Open Atrium Module Information Disclosure Vulnerability
radare2 '/format/wasm/wasm.c' Heap Buffer Overflow Vulnerability
Apache Groovy CVE-2016-6814 Remote Code Execution Vulnerability
Elasticsearch Groovy Scripting Engine Sandbox Security Bypass Vulnerability
SAP NetWeaver ADBC Demo Programs Remote Authorization Bypass Vulnerability
SAP ERP Remote Authorization Bypass Vulnerability
Red Hat 389-ds-base CVE-2017-2668 Remote Denial of Service Vulnerability
Magento CMS 'RetrieveImage.php' Arbitrary File Upload Vulnerability
LibreOffice CVE-2017-3157 Local Information Disclosure Vulnerability
Libosip Multiple Denial of Service Vulnerabilities
[security bulletin] HPESBGN03728 rev.1 - HPE Operations Agent using OpenSSL, Remote Denial of Service (DoS), Unauthorized Access to Data
concrete5 v8.1.0 Host Header Injection
[slackware-security] bind (SSA:2017-103-01)