A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors and the OWASP reference page Cross-site Scripting (XSS).

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-ise2 A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors and the OWASP reference page Cross-site Scripting (XSS).

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-ise2
Security Impact Rating: Medium
CVE: CVE-2017-6734

A vulnerability in the web-based application interface of the Cisco Identity Services Engine (ISE) portal could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of an affected system.

The vulnerability is due to insufficient input validation and output-encoding parameters for data that is passed between an affected client and server. An attacker could exploit this vulnerability by intercepting targeted user packets and injecting malicious code into the targeted traffic stream. A successful exploit could allow the attacker to inject script code into the HTTP flow between the targeted user and the affected system.

For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors and the OWASP reference page Cross-site Scripting (XSS).

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-ise1 A vulnerability in the web-based application interface of the Cisco Identity Services Engine (ISE) portal could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of an affected system.

The vulnerability is due to insufficient input validation and output-encoding parameters for data that is passed between an affected client and server. An attacker could exploit this vulnerability by intercepting targeted user packets and injecting malicious code into the targeted traffic stream. A successful exploit could allow the attacker to inject script code into the HTTP flow between the targeted user and the affected system.

For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors and the OWASP reference page Cross-site Scripting (XSS).

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-ise1
Security Impact Rating: Medium
CVE: CVE-2017-6733

A vulnerability in Multicast Source Discovery Protocol (MSDP) ingress packet processing for Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause the MSDP session to be unexpectedly reset, causing a short denial of service (DoS) condition. The MSDP session will restart within a few seconds.

The vulnerability is due to incorrect error handling of an MSDP packet that contains an error in the packet header. An attacker could exploit this vulnerability by sending a malformed MSDP packet for an established MSDP session to the targeted device. An exploit could allow the attacker to cause a short DoS condition if the MSDP session restarts.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-iosxr A vulnerability in Multicast Source Discovery Protocol (MSDP) ingress packet processing for Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause the MSDP session to be unexpectedly reset, causing a short denial of service (DoS) condition. The MSDP session will restart within a few seconds.

The vulnerability is due to incorrect error handling of an MSDP packet that contains an error in the packet header. An attacker could exploit this vulnerability by sending a malformed MSDP packet for an established MSDP session to the targeted device. An exploit could allow the attacker to cause a short DoS condition if the MSDP session restarts.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-iosxr
Security Impact Rating: Medium
CVE: CVE-2017-6731

A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary code at the root privilege level on an affected system.

The vulnerability is due to incorrect permissions that are given to a set of users. An attacker could exploit this vulnerability by logging in to an affected device and elevating their privileges via crafted input. A successful exploit could allow the attacker to gain root-level privileges and take full control of the affected device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-ios A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary code at the root privilege level on an affected system.

The vulnerability is due to incorrect permissions that are given to a set of users. An attacker could exploit this vulnerability by logging in to an affected device and elevating their privileges via crafted input. A successful exploit could allow the attacker to gain root-level privileges and take full control of the affected device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-ios
Security Impact Rating: Medium
CVE: CVE-2017-6728

A vulnerability in the Play Framework of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to gain full access to the affected system.

The vulnerability is due to static, default credentials for the Cisco ESC UI that are shared between installations. An attacker who can extract the static credentials from an existing installation of Cisco ESC could generate an admin session token that allows access to all instances of the ESC web UI.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. 

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-esc2 A vulnerability in the Play Framework of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to gain full access to the affected system.

The vulnerability is due to static, default credentials for the Cisco ESC UI that are shared between installations. An attacker who can extract the static credentials from an existing installation of Cisco ESC could generate an admin session token that allows access to all instances of the ESC web UI.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. 

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-esc2
Security Impact Rating: Critical
CVE: CVE-2017-6713

A vulnerability in certain commands of Cisco Elastic Services Controller could allow an authenticated, remote attacker to elevate privileges to root and run dangerous commands on the server.

The vulnerability occurs because a "tomcat" user on the system can run certain shell commands, allowing the user to overwrite any file on the filesystem and elevate privileges to root. An exploit could allow an authenticated, remote attacker to elevate privileges and run dangerous commands on the server.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. 

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-esc1 A vulnerability in certain commands of Cisco Elastic Services Controller could allow an authenticated, remote attacker to elevate privileges to root and run dangerous commands on the server.

The vulnerability occurs because a "tomcat" user on the system can run certain shell commands, allowing the user to overwrite any file on the filesystem and elevate privileges to root. An exploit could allow an authenticated, remote attacker to elevate privileges and run dangerous commands on the server.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. 

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-esc1
Security Impact Rating: High
CVE: CVE-2017-6712

A vulnerability in the CLI of the Cisco Prime Network Gateway could allow an authenticated, local attacker to retrieve system process information, which could lead to the disclosure of confidential information.

The vulnerability is due to a lack of input and validation checking mechanisms in the system. An attacker could exploit this vulnerability by issuing specific, known commands after authenticating locally to the system via the CLI. A successful exploit could allow the attacker to view confidential information that should only be visible to authenticated users.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-cpn A vulnerability in the CLI of the Cisco Prime Network Gateway could allow an authenticated, local attacker to retrieve system process information, which could lead to the disclosure of confidential information.

The vulnerability is due to a lack of input and validation checking mechanisms in the system. An attacker could exploit this vulnerability by issuing specific, known commands after authenticating locally to the system via the CLI. A successful exploit could allow the attacker to view confidential information that should only be visible to authenticated users.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-cpn
Security Impact Rating: Medium
CVE: CVE-2017-6726

A vulnerability in the CLI command-parsing code of the Cisco StarOS operating system for Cisco ASR 5000 Series, 5500 Series, and 5700 Series devices and Cisco Virtualized Packet Core (VPC) Software could allow an authenticated, local attacker to break from the StarOS CLI of an affected system and execute arbitrary shell commands as a Linux root user on the system.

The vulnerability exists because the affected operating system does not sufficiently sanitize commands before inserting them into Linux shell commands. An attacker could exploit this vulnerability by submitting a crafted CLI command for execution in a Linux shell command as a root user. A successful exploit could allow the attacker to break from the StarOS CLI and execute arbitrary commands on the affected system as a Linux root user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-asrcmd A vulnerability in the CLI command-parsing code of the Cisco StarOS operating system for Cisco ASR 5000 Series, 5500 Series, and 5700 Series devices and Cisco Virtualized Packet Core (VPC) Software could allow an authenticated, local attacker to break from the StarOS CLI of an affected system and execute arbitrary shell commands as a Linux root user on the system.

The vulnerability exists because the affected operating system does not sufficiently sanitize commands before inserting them into Linux shell commands. An attacker could exploit this vulnerability by submitting a crafted CLI command for execution in a Linux shell command as a root user. A successful exploit could allow the attacker to break from the StarOS CLI and execute arbitrary commands on the affected system as a Linux root user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-asrcmd
Security Impact Rating: High
CVE: CVE-2017-6707

Original release date: July 01, 2017 | Last revised: July 07, 2017
Systems Affected

Microsoft Windows operating systems

Overview

On June 27, 2017, NCCIC was notified of Petya ransomware events occurring in multiple countries and affecting multiple sectors. Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable.

The NCCIC Code Analysis Team produced a Malware Initial Findings Report (MIFR) to provide in-depth technical analysis of the malware. In coordination with public and private sector partners, NCCIC is also providing additional IOCs in comma-separated-value form for information sharing purposes.

Available Files:

• MIFR-10130295.pdf
• MIFR-10130295_stix.xml
• TA-17-181B_IOCs.csv

The scope of this Alert’s analysis is limited to the newest “Petya” variant that surfaced June 27, 2017, and this malware is referred to as “Petya” throughout this Alert.

Description

Based on initial reporting, this Petya campaign involves multiple methods of initial infection and propagation, including exploiting vulnerabilities in Server Message Block (SMB). Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. Background information on ransomware infections is provided in US-CERT Alert TA16-091A.

Technical Details

US-CERT received a sample of this Petya ransomware variant and performed a detailed malware analysis. The team found that this Petya variant encrypts the victim’s files with a dynamically generated, 128-bit key and creates a unique ID of the victim. However, there is no evidence of a relationship between the encryption key and the victim’s ID, which means it may not be possible for the attacker to decrypt the victim’s files even if the ransom is paid.

This Petya variant spreads using the SMB exploit as described in MS17-010 and by stealing the user’s Windows credentials. This variant of Petya is notable for installing a modified version of the Mimikatz tool, which can be used to obtain the user’s credentials. The stolen credentials can be used to access other systems on the network. This Petya variant will also attempt to identify other hosts on the network by checking the compromised system’s IP physical address mapping table. Next, it scans for other systems that are vulnerable to the SMB exploit and installs the malicious payload.

The compromised system’s files are encrypted with a 128-bit Advanced Encryption Standard (AES) algorithm during runtime. This Petya variant writes a text file on the “C:\” drive with the Bitcoin wallet information and RSA keys for the ransom payment. It modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR, then reboots the system. Based on the encryption methods used, it appears unlikely that the files can be restored even if the attacker received the victim’s unique ID.

Impact

According to multiple reports, this Petya ransomware campaign has infected organizations in several sectors including finance, transportation, energy, commercial facilities, and healthcare. While these victims are business entities, other Windows systems without patches installed for the vulnerabilities in MS17‑010, CVE-2017-0144, and CVE-2017-0145 are at risk of infection.

Negative consequences of ransomware infection include the following:

• temporary or permanent loss of sensitive or proprietary information,
• disruption to regular operations,
• financial losses incurred to restore systems and files, and
• potential harm to an organization’s reputation.

Solution

NCCIC recommends against paying ransoms; doing so enriches malicious actors while offering no guarantee that the encrypted files will be released. In this incident, the email address for payment validation was shut down by the email provider, so payment is especially unlikely to lead to data recovery.[1] According to one NCCIC stakeholder, the below sites are C2 payment sites for this activity. These sites are not included in the CSV package as IOCs.

hxxp://mischapuk6hyrn72[.]onion/
hxxp://petya3jxfp2f7g3i[.]onion/
hxxp://petya3sen7dyko2n[.]onion/
hxxp://mischa5xyix2mrhd[.]onion/MZ2MMJ
hxxp://mischapuk6hyrn72[.]onion/MZ2MMJ
hxxp://petya3jxfp2f7g3i[.]onion/MZ2MMJ
hxxp://petya3sen7dyko2n[.]onion/MZ2MMJ

Network Signatures

NCCIC recommends that organizations coordinate with their security vendors to ensure appropriate coverage for this threat. Because there is overlap between the WannaCry and Petya activities, many of the available rulesets can protect against both malware strains when appropriately implemented. The following rulesets provided in publically available sources may help detect this activity:

• sid:2001569, “ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection”[2]
• sid:2012063, “ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID? Function Table Dereference (CVE-2009-3103)”[3]
• sid:2024297, “ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010”[4]

Recommended Steps for Prevention

• Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.[5]
• Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate in-bound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing. 
• Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.
• Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
• Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary. 
• Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. 
• Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
• Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
• Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical.
• Test your backups to ensure they work correctly upon use.
• Utilize host-based firewalls and block workstation-to-workstation communications.

Recommendations for Network Protection 

• Disable SMBv1 and
• Block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

Note: disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users.

Review US-CERT’s Alert on The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations [6] and consider implementing the following best practices:

1. Segregate networks and functions.
2. Limit unnecessary lateral communications.
3. Harden network devices.
4. Secure access to infrastructure devices.
5. Perform out-of-band network management.
6. Validate integrity of hardware and software.

Recommended Steps for Remediation

• Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
• Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup. 

General Advice for Defending Against Ransomware

Precautionary measures to mitigate ransomware threats include:

• Ensure anti-virus software is up-to-date.
• Implement a data backup and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
• Scrutinize links contained in emails, and do not open attachments included in unsolicited emails.
• Only download software—especially free software—from sites you know and trust.
• Enable automated patches for your operating system and Web browser.

Report Notice

DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, contact DHS’s National Cybersecurity and Communications Integration Center (NCCIC) at NCCICcustomerservice@hq.dhs.gov or 888-282-0870. Cyber crime incidents can also be reported to the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.

References

• [1] Bleeping Computer: Email Provider Shuts Down Petya Inbox Preventing Victims From Recovering Files
• [2] Emerging Threats 2001569
• [3] Emerging Threats 2012063
• [4] Emerging Threats 2024297
• [5] Microsoft: Security Bulletin MS17-010
• [6] US-CERT: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations
• [7] F-Secure: (Eternal) Petya from a Developer’s Perspective
• [8] Microsoft |TechNet: New ransomware, old techniques: Petya adds worm capabilities
• [9] US-CERT: Ransomware and Recent Variants
• [10] Microsoft: Windows 10 platform resilience against the Petya ransomware attack

Revision History

• July 1, 2017: Initial version
• July 3, 2017: Updated to include MIFR-10130295_stix.xml file. Substituted TA-17-181B_IOCs.csv for TA-17-181A_IOCs.csv.
• July 7, 2017: Included further guidance from Microsoft in the Reference Section

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: July 01, 2017
Systems Affected

Microsoft Windows operating systems

Overview

On June 27, 2017, NCCIC was notified of Petya ransomware events occurring in multiple countries and affecting multiple sectors. Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable.

The NCCIC Code Analysis Team produced a Malware Initial Findings Report (MIFR) to provide in-depth technical analysis of the malware. In coordination with public and private sector partners, NCCIC is also providing additional IOCs in comma-separated-value form for information sharing purposes.

Available Files:

• MIFR-10130295.pdf
• TA-17-181A_IOCs.csv

The scope of this Alert’s analysis is limited to the newest “Petya” variant that surfaced June 27, 2017, and this malware is referred to as “Petya” throughout this Alert.

Description

Based on initial reporting, this Petya campaign involves multiple methods of initial infection and propagation, including exploiting vulnerabilities in Server Message Block (SMB). Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. Background information on ransomware infections is provided in US-CERT Alert TA16-091A.

Technical Details

US-CERT received a sample of this Petya ransomware variant and performed a detailed malware analysis. The team found that this Petya variant encrypts the victim’s files with a dynamically generated, 128-bit key and creates a unique ID of the victim. However, there is no evidence of a relationship between the encryption key and the victim’s ID, which means it may not be possible for the attacker to decrypt the victim’s files even if the ransom is paid.

This Petya variant spreads using the SMB exploit as described in MS17-010 and by stealing the user’s Windows credentials. This variant of Petya is notable for installing a modified version of the Mimikatz tool, which can be used to obtain the user’s credentials. The stolen credentials can be used to access other systems on the network. This Petya variant will also attempt to identify other hosts on the network by checking the compromised system’s IP physical address mapping table. Next, it scans for other systems that are vulnerable to the SMB exploit and installs the malicious payload.

The compromised system’s files are encrypted with a 128-bit Advanced Encryption Standard (AES) algorithm during runtime. This Petya variant writes a text file on the “C:\” drive with the Bitcoin wallet information and RSA keys for the ransom payment. It modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR, then reboots the system. Based on the encryption methods used, it appears unlikely that the files can be restored even if the attacker received the victim’s unique ID.

Impact

According to multiple reports, this Petya ransomware campaign has infected organizations in several sectors including finance, transportation, energy, commercial facilities, and healthcare. While these victims are business entities, other Windows systems without patches installed for the vulnerabilities in MS17‑010, CVE-2017-0144, and CVE-2017-0145 are at risk of infection.

Negative consequences of ransomware infection include the following:

• temporary or permanent loss of sensitive or proprietary information,
• disruption to regular operations,
• financial losses incurred to restore systems and files, and
• potential harm to an organization’s reputation.

Solution

NCCIC recommends against paying ransoms; doing so enriches malicious actors while offering no guarantee that the encrypted files will be released. In this incident, the email address for payment validation was shut down by the email provider, so payment is especially unlikely to lead to data recovery.[1] According to one NCCIC stakeholder, the below sites are C2 payment sites for this activity. These sites are not included in the CSV package as IOCs.

hxxp://mischapuk6hyrn72[.]onion/
hxxp://petya3jxfp2f7g3i[.]onion/
hxxp://petya3sen7dyko2n[.]onion/
hxxp://mischa5xyix2mrhd[.]onion/MZ2MMJ
hxxp://mischapuk6hyrn72[.]onion/MZ2MMJ
hxxp://petya3jxfp2f7g3i[.]onion/MZ2MMJ
hxxp://petya3sen7dyko2n[.]onion/MZ2MMJ

Network Signatures

NCCIC recommends that organizations coordinate with their security vendors to ensure appropriate coverage for this threat. Because there is overlap between the WannaCry and Petya activities, many of the available rulesets can protect against both malware strains when appropriately implemented. The following rulesets provided in publically available sources may help detect this activity:

• sid:2001569, “ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection”[2]
• sid:2012063, “ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID? Function Table Dereference (CVE-2009-3103)”[3]
• sid:2024297, “ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010”[4]

Recommended Steps for Prevention

• Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.[5]
• Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate in-bound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing. 
• Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.
• Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
• Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary. 
• Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. 
• Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
• Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
• Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical.
• Test your backups to ensure they work correctly upon use.
• Utilize host-based firewalls and block workstation-to-workstation communications.

Recommendations for Network Protection 

• Disable SMBv1 and
• Block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

Note: disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users.

Review US-CERT’s Alert on The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations [6] and consider implementing the following best practices:

1. Segregate networks and functions.
2. Limit unnecessary lateral communications.
3. Harden network devices.
4. Secure access to infrastructure devices.
5. Perform out-of-band network management.
6. Validate integrity of hardware and software.

Recommended Steps for Remediation

• Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
• Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup. 

General Advice for Defending Against Ransomware

Precautionary measures to mitigate ransomware threats include:

• Ensure anti-virus software is up-to-date.
• Implement a data backup and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
• Scrutinize links contained in emails, and do not open attachments included in unsolicited emails.
• Only download software—especially free software—from sites you know and trust.
• Enable automated patches for your operating system and Web browser.

Report Notice

DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, contact DHS’s National Cybersecurity and Communications Integration Center (NCCIC) at NCCICcustomerservice@hq.dhs.gov or 888-282-0870. Cyber crime incidents can also be reported to the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.

References

• [1] Bleeping Computer: Email Provider Shuts Down Petya Inbox Preventing Victims From Recovering Files
• [2] Emerging Threats 2001569
• [3] Emerging Threats 2012063
• [4] Emerging Threats 2024297
• [5] Microsoft: Security Bulletin MS17-010
• [6] US-CERT: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations
• [7] F-Secure: (Eternal) Petya from a Developer’s Perspective
• [8] Microsoft |TechNet: New ransomware, old techniques: Petya adds worm capabilities
• [9] US-CERT: Ransomware and Recent Variants

Revision History

• July 1, 2017: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities.

The vulnerabilities are due to a buffer overflow condition in the SNMP subsystem of the affected software. The vulnerabilities affect all versions of SNMP - Versions 1, 2c, and 3. To exploit these vulnerabilities via SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system. To exploit these vulnerabilities via SNMP Version 3, the attacker must have user credentials for the affected system. A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the affected system or cause the affected system to reload.

Cisco will release software updates that address these vulnerabilities. There are workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities.

The vulnerabilities are due to a buffer overflow condition in the SNMP subsystem of the affected software. The vulnerabilities affect all versions of SNMP - Versions 1, 2c, and 3. To exploit these vulnerabilities via SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system. To exploit these vulnerabilities via SNMP Version 3, the attacker must have user credentials for the affected system. A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the affected system or cause the affected system to reload.

Cisco will release software updates that address these vulnerabilities. There are workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp
Security Impact Rating: High
CVE: CVE-2017-6736,CVE-2017-6737,CVE-2017-6738,CVE-2017-6739,CVE-2017-6740,CVE-2017-6741,CVE-2017-6742,CVE-2017-6743,CVE-2017-6744

Revision Note: V1.0 (June 27, 2017): Advisory published.
Summary: Microsoft is releasing this security advisory to inform customers that a new version of Azure Active Directory (AD) Connect is available that addresses an Important security vulnerability.

A vulnerability in the ingress UDP packet processing functionality of Cisco Virtualized Packet Core−Distributed Instance (VPC−DI) Software could allow an unauthenticated, remote attacker to cause both control function (CF) instances on an affected system to reload, resulting in a denial of service (DoS) condition.

The vulnerability is due to insufficient handling of user-supplied data by the affected software. An attacker could exploit this vulnerability by sending crafted UDP packets to the distributed instance (DI) network addresses of both CF instances on an affected system. A successful exploit could allow the attacker to cause an unhandled error condition on the affected system, which would cause the CF instances to reload and consequently cause the entire VPC to reload, resulting in the disconnection of all subscribers and a DoS condition on the affected system.

This vulnerability can be exploited via IPv4 traffic only.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-vpc A vulnerability in the ingress UDP packet processing functionality of Cisco Virtualized Packet Core−Distributed Instance (VPC−DI) Software could allow an unauthenticated, remote attacker to cause both control function (CF) instances on an affected system to reload, resulting in a denial of service (DoS) condition.

The vulnerability is due to insufficient handling of user-supplied data by the affected software. An attacker could exploit this vulnerability by sending crafted UDP packets to the distributed instance (DI) network addresses of both CF instances on an affected system. A successful exploit could allow the attacker to cause an unhandled error condition on the affected system, which would cause the CF instances to reload and consequently cause the entire VPC to reload, resulting in the disconnection of all subscribers and a DoS condition on the affected system.

This vulnerability can be exploited via IPv4 traffic only.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-vpc
Security Impact Rating: High
CVE: CVE-2017-6678

A vulnerability in the IPsec component of Cisco StarOS for Cisco ASR 5000 Series Routers could allow an unauthenticated, remote attacker to terminate all active IPsec VPN tunnels and prevent new tunnels from establishing, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper processing of Internet Key Exchange (IKE) messages. An attacker could exploit this vulnerability by sending crafted IKE messages toward an affected router. An exploit could allow the attacker to cause the ipsecmgr service to reload. A reload of the ipsecmgr service could result in all IPsec VPN tunnels being terminated and prevent new tunnels from being established until the service has restarted, resulting in a DoS condition.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-asr A vulnerability in the IPsec component of Cisco StarOS for Cisco ASR 5000 Series Routers could allow an unauthenticated, remote attacker to terminate all active IPsec VPN tunnels and prevent new tunnels from establishing, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper processing of Internet Key Exchange (IKE) messages. An attacker could exploit this vulnerability by sending crafted IKE messages toward an affected router. An exploit could allow the attacker to cause the ipsecmgr service to reload. A reload of the ipsecmgr service could result in all IPsec VPN tunnels being terminated and prevent new tunnels from being established until the service has restarted, resulting in a DoS condition.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-asr
Security Impact Rating: Medium
CVE: CVE-2017-3865

Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious ARF file via email or URL and convincing the user to launch the file. Exploitation of these vulnerabilities could cause an affected player to crash and, in some cases, could allow arbitrary code execution on the system of a targeted user.

The Cisco WebEx Network Recording Player is an application that is used to play back WebEx meeting recordings that have been recorded on the computer of an online meeting attendee. The player can be automatically installed when the user accesses a recording file that is hosted on a WebEx server.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-wnrp Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious ARF file via email or URL and convincing the user to launch the file. Exploitation of these vulnerabilities could cause an affected player to crash and, in some cases, could allow arbitrary code execution on the system of a targeted user.

The Cisco WebEx Network Recording Player is an application that is used to play back WebEx meeting recordings that have been recorded on the computer of an online meeting attendee. The player can be automatically installed when the user accesses a recording file that is hosted on a WebEx server.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-wnrp
Security Impact Rating: High
CVE: CVE-2017-6669

A vulnerability in the ingress processing of fragmented TCP packets by Cisco Wide Area Application Services (WAAS) could allow an unauthenticated, remote attacker to cause the WAASNET process to restart unexpectedly, causing a denial of service (DoS) condition.

The vulnerability is due to incomplete input validation of TCP packets when a packet chain is fragmented. An attacker could exploit this vulnerability by sending a crafted set of TCP fragments through an affected device. An exploit could allow the attacker to cause a DoS condition due to a process restarting unexpectedly. The WAAS could drop traffic during the brief time that the WAASNET process is restarting.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-waas A vulnerability in the ingress processing of fragmented TCP packets by Cisco Wide Area Application Services (WAAS) could allow an unauthenticated, remote attacker to cause the WAASNET process to restart unexpectedly, causing a denial of service (DoS) condition.

The vulnerability is due to incomplete input validation of TCP packets when a packet chain is fragmented. An attacker could exploit this vulnerability by sending a crafted set of TCP fragments through an affected device. An exploit could allow the attacker to cause a DoS condition due to a process restarting unexpectedly. The WAAS could drop traffic during the brief time that the WAASNET process is restarting.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-waas
Security Impact Rating: Medium
CVE: CVE-2017-6721

A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of Cisco Unified Contact Center Express (UCCx) could allow an unauthenticated, remote attacker to masquerade as a legitimate user.

The vulnerability is due to the XMPP service incorrectly processing an unsecured HTTP port for third-party, remote presence monitoring. A successful exploit could allow the attacker to access the system as another user.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-ucce A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of Cisco Unified Contact Center Express (UCCx) could allow an unauthenticated, remote attacker to masquerade as a legitimate user.

The vulnerability is due to the XMPP service incorrectly processing an unsecured HTTP port for third-party, remote presence monitoring. A successful exploit could allow the attacker to access the system as another user.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-ucce
Security Impact Rating: Medium
CVE: CVE-2017-6722

A vulnerability in the web framework code of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system.

The vulnerability is due to insufficient input validation of some parameters passed to the web server. An attacker could exploit this vulnerability by convincing a user to access a malicious link or by intercepting a user request and injecting malicious code into the request. An exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information.

For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piwf1 A vulnerability in the web framework code of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system.

The vulnerability is due to insufficient input validation of some parameters passed to the web server. An attacker could exploit this vulnerability by convincing a user to access a malicious link or by intercepting a user request and injecting malicious code into the request. An exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information.

For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piwf1
Security Impact Rating: Medium
CVE: CVE-2017-6725

A vulnerability in the web framework code of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system.

The vulnerability is due to insufficient input validation of some parameters passed to the web server. An attacker could exploit this vulnerability by convincing a user to access a malicious link or by intercepting a user request and injecting malicious code into the request. An exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information.

For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piwf A vulnerability in the web framework code of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system.

The vulnerability is due to insufficient input validation of some parameters passed to the web server. An attacker could exploit this vulnerability by convincing a user to access a malicious link or by intercepting a user request and injecting malicious code into the request. An exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information.

For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piwf
Security Impact Rating: Medium
CVE: CVE-2017-6724

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an unauthenticated, remote attacker to conduct a Document Object Model (DOM) based (environment or client-side) cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

Additional information about DOM-based XSS attacks and potential mitigations can be found at:

• https://www.owasp.org/index.php/DOM_Based_XSS
• https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting#DOM_Based_XSS_.28AKA_Type-0.29

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm4 A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an unauthenticated, remote attacker to conduct a Document Object Model (DOM) based (environment or client-side) cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

Additional information about DOM-based XSS attacks and potential mitigations can be found at:

• https://www.owasp.org/index.php/DOM_Based_XSS
• https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting#DOM_Based_XSS_.28AKA_Type-0.29

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm4
Security Impact Rating: Medium
CVE: CVE-2017-6700