Atlassian FishEye and Crucible CVE-2017-14591 Remote Code Execution Vulnerability

     Me when I discovered @Centurion's Detection Lab.

So Much Win

Chris Long, Detection & Incident Response Analyst at Palantir, released Detection Lab this past Monday. From his own Medium post, "Detection Lab is a collection of Packer and Vagrant scripts that allow you to quickly bring a Windows Active Directory online, complete with a collection of endpoint security tooling and logging best practices."
Detection Lab consists of four hosts:

  • DC: A Windows 2016 domain controller
  • WEF: A Windows 2016 server that manages Windows Event Collection
  • Win10: A Windows 10 host simulating a non-server endpoint
  • Logger: An Ubuntu 16.04 host that runs Splunk and a Fleet server

From the Detection Lab GitHub, "this lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts."

The feature list should close the deal for you:

  • Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured.
  • A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
  • Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
  • Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs
  • osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
  • Sysmon is installed and configured using SwiftOnSecurity’s open-sourced configuration
  • All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
  • SMBv1 Auditing is enabled

Chris really wanted defenders to "have a quick and easy way to bring up a lab environment, complete with tooling and pre-configured logging." Detection Lab represents many of his weekends worth of work, over many months, and for that, we salute him. Well done, Chris!

Russ McRee | @holisticinfosec

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
APPLE-SA-2017-12-13-7 Additional information for APPLE-SA-2017-12-6-4 tvOS 11.2
APPLE-SA-2017-12-13-2 tvOS 11.2.1
ADVISORY - Kemp Load Balancers - Module Application Firewall Pack (AFP) - Web Application Firewall (WAF) does not inspect HTTP POST data - CVE-2017-15524
APPLE-SA-2017-12-13-5 Safari 11.0.2
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Apple iCloud/iTunes CVE-2017-13864 Security Bypass Vulnerability
Huawei Smart Phones CVE-2017-8216 Local Security Bypass Vulnerability
Drupal Services Single Sign-On Client Module Cross Site Scripting Vulnerability
Atlassian Bamboo CVE-2017-14590 Remote Code Execution Vulnerability

Enlarge / A five-foot-tall (1.5 meter) outdoor K5 security robot patrols the grounds of the Washington Harbour retail-residential center in the Georgetown district of Washington, DC, July 26, 2017. (credit: ROB LEVER/AFP/Getty Images))

As of Thursday morning local time, a San Francisco animal adoption agency will immediately halt its recent use of a controversial security robot.

The move comes after the San Francisco SPCA had been scrutinized for its deployment of a Knightscope K9 to mitigate vandalism and the presence of homeless people at its Mission District office. Knightscope, a Silicon Valley startup, declares on its website that its robots are the "security team of the future."

That robot made headlines when Business Insider reported Tuesday that "Robots are being used to deter homeless people from setting up camp in San Francisco."

Read 24 remaining paragraphs | Comments

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Cisco WebEx Network Recording Player CVE-2017-12359 Buffer Overflow Vulnerability
IBM Sterling File Gateway CVE-2017-1632 Cross Site Scripting Vulnerability
GraphicsMagick CVE-2017-17501 Heap-Based Buffer Overflow Vulnerability
Atlassian Bamboo CVE-2017-14589 Remote Code Execution Vulnerability
Apple iOS and tvOS CVE-2017-13903 Security Bypass Vulnerability
IBM Sterling File Gateway Directory Traversal and Information Disclosure Vulnerabilities
IBM Support Tools for Lotus WCM CVE-2017-1536 Cross Site Scripting Vulnerability
jBPM Migration CVE-2017-7545 XML External Entity Injection Vulnerability
Lynx 'HTML.c:HTML_put_string()' Function Use After Free Information Disclosure Vulnerability
Microsoft Windows Kernel CVE-2017-11847 Local Privilege Escalation Vulnerability
Microsoft Edge Scripting Engine CVE-2017-11836 Remote Memory Corruption Vulnerability
Internet Storm Center Infocon Status