ÐÅÏ¢°²È«Öܱ¨-2020ÄêµÚ33ÖÜ

°ä²¼¹¦·ò 2020-08-17

> ±¾ÖÜ°²È«Ì¬ÊÆ×ÛÊö


2020Äê08ÔÂ10ÈÕÖÁ08ÔÂ16ÈÕ¹²ÊÕ¼°²È«·ì϶77¸ö £¬ÖµµÃ¹Ø×¢µÄÊÇApache Struts CVE-2019-0230´úÂëÖ´Ðзì϶£»Citrix Systems XenMobile Server CVE-2020-8211δÃ÷ËÁÒâ´úÂëÖ´Ðзì϶£»Schneider Electric APC Easy UPS On-Line `FileUploadServlet`õ辶±éÀú·ì϶£»SAP Business Objects Business Intelligence Platform XvfbÑéÖ¤Èƹý·ì϶; Shenzhen Hichip Vision Technology Firmware P2P·þÎñ´úÂëÖ´Ðзì϶¡£


±¾ÖÜÖµµÃ¹Ø×¢µÄÍøÂ簲ȫÊÂÎñÊÇFBIÖÒ¸æÒÁÀʺڿÍÀûÓÃF5 BIG-IP·ì϶¹¥»÷ADCÉ豸£»Check Point·¢ÏÖ¸ßͨµÄSnapdragonоƬ´æÔÚ400¶à¸ö·ì϶£»Nusenu·¢ÏÖδ֪×éÖ¯½Ù³ÖTor½üËÄ·ÖÖ®Ò»µÄ³ö¿Ú½Úµã£»Adobe°ä²¼°²È«¸üР£¬½¨¸´¶à¿î²úÆ·ÖеÄ26¸ö·ì϶£»FBIºÍNSA½áºÏÅû¶¶íÂÞ˹Õë¶ÔLinuxµÄ¶ñÒâÈí¼þDrovorub¡£


ƾ¾ÝÒÔÉÏ×ÛÊö £¬±¾ÖÜ°²È«ÍþвΪÖС£


³ÁÒª°²È«·ì϶Áбí


1. Apache Struts CVE-2019-0230´úÂëÖ´Ðзì϶


Apache Struts¿ò¼ÜÔÚ±»Ç¿ÔìʹÓÃʱ £¬»á¶Ô±êÇ©µÄÊôÐÔ½øÐжþ´ÎÇóÖµ·ì϶ £¬ÔÊÐíÔ¶³Ì¹¥»÷ÕßÀûÓ÷ì϶Ìá½»ÌØÊâµÄÒªÇó £¬¿ÉÖ´ÐÐËÁÒâ´úÂë¡£Ö»ÓÐÔÚStruts±êÇ©ÊôÐÔÖÐÇ¿ÔìʹÓÃOGNL±í°×ʽʱ £¬ÄÜÁ¦´¥·¢·ì϶¡£

https://cwiki.apache.org/confluence/display/ww/s2-059


2. Citrix Systems XenMobile Server CVE-2020-8211δÃ÷ËÁÒâ´úÂëÖ´Ðзì϶


Citrix Systems XenMobile Server´æÔÚδÃ÷°²È«·ì϶ £¬ÔÊÐíÔ¶³Ì¹¥»÷ÕßÀûÓ÷ì϶Ìá½»ÌØÊâµÄÒªÇó £¬Äܹ»ÀûÓ÷¨Ê½¸ßµÍÎÄÖ´ÐÐËÁÒâ´úÂë¡£

https://www.auscert.org.au/bulletins/ESB-2020.2780/


3. Schneider Electric APC Easy UPS On-Line `FileUploadServlet`õ辶±éÀú·ì϶


Schneider Electric APC Easy UPS On-Line `FileUploadServlet`´æÔÚĿ¼±éÀú·ì϶ £¬ÔÊÐíÔ¶³Ì¹¥»÷ÕßÄܹ»ÀûÓ÷ì϶Ìá½»ÌØÊâµÄÒªÇó £¬¿ÉÉÏ´«ËÁÒâÎļþµ½ËÁÒâĿ¼¡£

https://us-cert.cisa.gov/ics/advisories/icsa-20-224-02


4. SAP Business Objects Business Intelligence Platform XvfbÑéÖ¤Èƹý·ì϶


SAP Business Objects Business Intelligence Platform Xvfb´æÔÚÑéÖ¤Èƹý·ì϶ £¬ÔÊÐíÔ¶³Ì¹¥»÷ÕßÀûÓ÷ì϶Ìá½»ÌØÊâµÄÒªÇó £¬¿ÉδÊÚȨ½Ó¼ûÀûÓá£

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345


5. Shenzhen Hichip Vision Technology Firmware P2P·þÎñ´úÂëÖ´Ðзì϶


Shenzhen Hichip Vision Technology Firmware P2P·þÎñ´æÔÚ°²È«·ì϶ £¬ÔÊÐíÔ¶³Ì¹¥»÷ÕßÀûÓ÷ì϶Ìá½»ÌØÊâµÄÒªÇó £¬Äܹ»ÀûÓ÷¨Ê½¸ßµÍÎÄÖ´ÐÐËÁÒâ´úÂë¡£

https://redprocyon.com



> ³ÁÒª°²È«ÊÂÎñ×ÛÊö


1¡¢FBIÖÒ¸æÒÁÀʺڿÍÀûÓÃF5 BIG-IP·ì϶¹¥»÷ADCÉ豸


GA»Æ½ð¼×¡¤(ÖйúÇø)¹Ù·½ÍøÕ¾


Ô­ÎÄÁ´½Ó£º

https://www.bleepingcomputer.com/news/security/fbi-iranian-hackers-trying-to-exploit-critical-f5-big-ip-flaw/


2¡¢Check Point·¢ÏÖ¸ßͨµÄSnapdragonоƬ´æÔÚ400¶à¸ö·ì϶


GA»Æ½ð¼×¡¤(ÖйúÇø)¹Ù·½ÍøÕ¾


Ô­ÎÄÁ´½Ó£º

https://www.hackread.com/chip-flaws-turn-android-phones-into-spying-tool/


3¡¢Nusenu·¢ÏÖδ֪×éÖ¯½Ù³ÖTor½üËÄ·ÖÖ®Ò»µÄ³ö¿Ú½Úµã


GA»Æ½ð¼×¡¤(ÖйúÇø)¹Ù·½ÍøÕ¾


Ô­ÎÄÁ´½Ó£º

https://www.zdnet.com/article/a-mysterious-group-has-hijacked-tor-exit-nodes-to-perform-ssl-stripping-attacks/


4¡¢Adobe°ä²¼°²È«¸üР£¬½¨¸´¶à¿î²úÆ·ÖеÄ26¸ö·ì϶


GA»Æ½ð¼×¡¤(ÖйúÇø)¹Ù·½ÍøÕ¾

Ô­ÎÄÁ´½Ó£º

https://www.bleepingcomputer.com/news/security/adobe-fixes-critical-code-execution-bugs-in-acrobat-and-reader/    


5¡¢FBIºÍNSA½áºÏÅû¶¶íÂÞ˹Õë¶ÔLinuxµÄ¶ñÒâÈí¼þDrovorub


GA»Æ½ð¼×¡¤(ÖйúÇø)¹Ù·½ÍøÕ¾


Ô­ÎÄÁ´½Ó£º

https://www.zdnet.com/article/fbi-and-nsa-expose-new-linux-malware-drovorub-used-by-russian-state-hackers/