EclecticIQ


EclecticIQ Monthly Vulnerability Trend Report - October 2020

November 2, 2020


Key Findings

  • Microsoft addressed a total of 87 vulnerabilities in its October 2020 Patch Tuesday advisory, including a critical vulnerability in the Windows TCP/IP stack.
  • Security researchers discovered 55 flaws in Apple services.
  • Threat actors gained unauthorized access to election support systems by chaining multiple high-profile vulnerabilities.

Exploitation of Vulnerabilities

NSA Advisory Details the Top 25 Vulnerabilities Exploited by Chinese State-Sponsored Actors

In September 2020, the Cybersecurity and Infrastructure Security Agency (CISA) detailed [1] the Tactics, Techniques, and Procedures (TTPs) employed by the Chinese Ministry of State Security (MSS) over the previous 12 months. In October 2020, the National Security Agency (NSA) posted a security advisory [2] on the Top 25 vulnerabilities being exploited by Chinese State-Sponsored Actors.

The vulnerabilities that both agencies highlighted include:

CVE-2020-5902

In F5 BIG-IP proxy / load balancer devices, the Traffic Management User Interface (TMUI) - also referred to as the configuration utility - has a Remote Code Execution (RCE) vulnerability in undisclosed pages. The vulnerability affects F5 BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1.

Course of Action: Review F5 Security Advisory K52145254

CVE-2019-19781

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway. The flaw allows for directory traversal, which can lead to RCE without the need for credentials. Affects Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.

Course of Action: Apply Official Fixes for Citrix Devices Affected by CVE-2019-19781
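
The version ranges quoted above for CVE-2020-5902 and CVE-2019-19781 can be checked against an asset inventory. The following is an added example, not part of the original report or of any vendor tooling; the hostnames, product labels and inventory rows are constructed sample data, and the function names are hypothetical.

```python
def ver(s, width=4):
    """Parse a dotted version ('15.1.0.3') into a zero-padded, comparable tuple."""
    parts = [int(p) for p in s.strip().split(".")]  # ValueError on non-numeric input
    return tuple(parts + [0] * (width - len(parts)))

# CVE-2020-5902: inclusive affected ranges for F5 BIG-IP, as listed in the report.
F5_AFFECTED = [("15.0.0", "15.1.0.3"), ("14.1.0", "14.1.2.5"), ("13.1.0", "13.1.3.3"),
               ("12.1.0", "12.1.5.1"), ("11.6.1", "11.6.5.1")]
# CVE-2019-19781: first fixed build per Citrix ADC/Gateway branch, as listed in the report.
CITRIX_FIXED = {"13.0": "13.0.47.24", "12.1": "12.1.55.18", "12.0": "12.0.63.13",
                "11.1": "11.1.63.15", "10.5": "10.5.70.12"}

def f5_status(version):
    try:
        v = ver(version)
    except ValueError:
        return "unknown"  # unparseable version string: needs manual review
    if any(ver(lo) <= v <= ver(hi) for lo, hi in F5_AFFECTED):
        return "affected"
    return "not-in-listed-range"

def citrix_status(version):
    try:
        v = ver(version)
    except ValueError:
        return "unknown"
    fixed = CITRIX_FIXED.get("%d.%d" % v[:2])
    if fixed is None:
        return "branch-not-listed"  # the report gives no fixed build for this branch
    return "affected" if v < ver(fixed) else "fixed"

# Product labels are assumptions about how the inventory names each platform.
CHECKS = {"f5-bigip": ("CVE-2020-5902", f5_status),
          "citrix-adc": ("CVE-2019-19781", citrix_status)}

def triage(inventory):
    """Return (host, cve, status) for every inventory row with a known check."""
    return [(host, CHECKS[prod][0], CHECKS[prod][1](version))
            for host, prod, version in inventory if prod in CHECKS]

INVENTORY = [  # constructed sample rows
    ("lb-01", "f5-bigip", "15.1.0.3"), ("lb-02", "f5-bigip", "15.1.0.4"),
    ("lb-03", "f5-bigip", "14.1.2"), ("gw-01", "citrix-adc", "12.1.55.13"),
    ("gw-02", "citrix-adc", "13.0.47.24"), ("gw-03", "citrix-adc", "build-unknown"),
]

if __name__ == "__main__":
    for host, cve, status in triage(INVENTORY):
        print(f"{host:6} {cve:15} {status}")
```

Rows that come back as "unknown" or "branch-not-listed" need manual review against the vendor advisory; they are not confirmed safe.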

CVE-2019-11510

A vulnerability in Pulse Secure VPNs enables an unauthenticated remote attacker to send a specially crafted URI to perform an arbitrary file read. This may lead to exposure of sensitive information such as passwords. Affects Pulse Connect Secure (PCS) versions 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.

Course of Action: Apply Official Patches for Vulnerable Pulse Secure VPN Versions

CVE-2020-0688

An RCE vulnerability in the Microsoft Exchange validation key, where the software fails to properly handle objects in memory. Affects Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 29 and earlier, 2013 Cumulative Update 22 and earlier, 2016 Cumulative Update 13 and earlier, and 2019 Cumulative Update 2 and earlier.

Course of Action: Apply March 2020 Patch Tuesday

Some of the more critical and well-known vulnerabilities mentioned in the NSA advisory include:

CVE-2019-0708

RCE vulnerability in Remote Desktop Services. Also known as "BlueKeep", CVE-2019-0708 has been widely exploited due to the popularity of Remote Desktop Services among organizations. The vulnerability is trivial to exploit with multiple scanners [3], Proof of Concept (PoC) exploits [4] as well as a Metasploit module [5] published since its discovery back in May 2019. Successful exploitation enables the attacker to send specially crafted requests to the victim.

Course of Action: Apply Microsoft May 2019 Security Patches

CVE-2020-15505

A vulnerability in MobileIron Core could allow an attacker to execute remote exploits without authentication.

Course of Action: Update MobileIron Products to Mitigate Critical Vulnerabilities

CVE-2020-1350

An RCE vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

Course of Action: Review July 2020 Microsoft Patch Tuesday Advisory

CVE-2020-1472

Also known as "ZeroLogon", CVE-2020-1472 is an elevation of privilege vulnerability where an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).

Course of Action: Review August 2020 Patch Tuesday Advisory

It is recommended to review the cybersecurity advisory and apply all relevant security measures and patches as detailed by the NSA.

Threat Actors are Targeting CVE-2020-3118 Flaw in Cisco Devices

The Cisco IOS XR Software Discovery Protocol suffers from a format string vulnerability, enabling an unauthenticated threat actor to execute arbitrary code or cause a reload of an affected device.

The flaw, designated as CVE-2020-3118 and detailed in the February 2020 edition [6] of the EclecticIQ Monthly Vulnerability Trend Report, was addressed by Cisco together with four other vulnerabilities, collectively known as “CDPwn”, in February 2020.

Cisco updated the advisory on the vulnerability with details surrounding exploitation:

“In October 2020, the Cisco Product Security Incident Response Team (PSIRT) received reports of attempted exploitation of this vulnerability in the wild. Cisco recommends that customers upgrade to a fixed Cisco IOS XR Software release to remediate this vulnerability.”

Course of Action: Update Cisco Devices Vulnerable to CDPwn

Vulnerabilities Exploited Against SLTT, Critical Infrastructure, and Elections Organization

CISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with the Windows Netlogon "ZeroLogon" vulnerability, CVE-2020-1472, which was detailed in the September edition [7] of the EclecticIQ Monthly Vulnerability Trend Report and mentioned above.

In the alert [8], posted on October 09, 2020, CISA states that the threat actors are chaining multiple vulnerabilities during a single intrusion to compromise a network or application. The ZeroLogon vulnerability is a natural inclusion in Tactics, Techniques and Procedures (TTPs) for actors looking to exploit networks for the foreseeable future, as the recent disclosure of the vulnerability and generally slow adoption of security patches among organizations will increase the success rate of exploitation.

Some of the targeted victims include federal and state, local, tribal, and territorial (SLTT) government networks, with CISA assessing that there may be some risk to election information as the targets could contain sensitive data pertaining to the United States Presidential election, 2020. CISA stated that some of the observed activity resulted in unauthorized access to elections support systems, but they currently have no evidence the integrity of election data has been compromised.

The following vulnerabilities were observed as part of initial access exploitation:

  • CVE-2020-15505 - RCE Vulnerability in MobileIron Core & Connector
  • CVE-2018-13379 - Path Traversal Vulnerability in the FortiOS SSL VPN Web Portal

Other vulnerabilities listed without any confirmed exploitation to gain initial access:

  • CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance
  • CVE-2019-11510 - Arbitrary File Disclosure Vulnerability in Pulse Connect Secure
  • CVE-2020-2021 - Authentication Bypass in SAML Authentication
  • CVE-2020-5902 - F5 BIG-IP Traffic Management User Interface (TMUI) RCE Vulnerability

All vulnerabilities mentioned in the CISA advisory are high profile flaws in popular software, with proof-of-concept exploits readily available online.

Course of Action: Review CISA Alert AA20-283A

Newly Discovered Vulnerabilities

Denial-of-Service (DoS) Vulnerability in ATIKMDAG.SYS AMD Graphics Driver

Researchers at Cisco Talos recently discovered [9] a DoS vulnerability in the ATIKMDAG.SYS driver affecting some AMD Graphics Cards.

An attacker could send the victim a specially crafted API request, even from a guest account, to cause an out-of-bound read, leading to a denial-of-service condition.

Cisco Talos disclosed the flaw to AMD, which subsequently acknowledged it publicly but stated that it does not plan to have an official patch until Q1 of 2021.

Privilege Escalation Vulnerability in the Linux Kernel

Unit42 researchers discovered a new memory corruption vulnerability in the Linux kernel, CVE-2020-14386, which could enable privilege escalation attacks in a Linux environment.

The researchers posted [10] details around the discovery of the vulnerability, together with a proposed patch. It is recommended to apply an official patch for the affected versions of Linux when released.

Course of Action: Review Patch by Palo Alto Networks for CVE-2020-14386

Security Researchers Discover 55 Security Flaws in Apple Services

Five security researchers spent three months researching vulnerabilities in various Apple services. The team includes some of the most reputable researchers within the "Bug Bounty" community - described as the crowdsourcing of vulnerability and exploit research into specific company-owned assets.

The results [11] of the research are 55 newly discovered flaws with 11 considered as critical, 29 high, 13 medium, and two low in severity. On the severity of the vulnerabilities, the researchers stated:

“...we found a variety of vulnerabilities in core portions of their [Apple] infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.”

In early October 2020, Apple remediated many of the discovered vulnerabilities, some within 1-2 business days (with some being fixed in as little as 4-6 hours). Apple is a "hardened-target" among the Bug Bounty community, meaning that it is difficult to find any vulnerabilities within the scope of the bug bounty program. At the time of writing, the researchers were paid US$288,500 for the discovery thus far, with more potential payouts pending.

Course of Action: Apply Apple Supplied Security Updates

Patched Vulnerabilities

Microsoft Patch Tuesday October 2020

Microsoft addressed 87 vulnerabilities as part of their October 2020 Patch Tuesday advisory [12], a sharp decline from the number addressed in previous months. This included 21 RCE vulnerabilities for products like Excel, Outlook, the Windows Graphics component, and the Windows TCP/IP stack. The most high-profile and critical flaw is CVE-2020-16898, also known as "Bad Neighbor".

CVE-2020-16898 - "Bad Neighbor"

Bad Neighbor, CVE-2020-16898, is an RCE Vulnerability in the Windows TCP/IP stack, which exists due to improper handling of ICMPv6 Router Advertisement packets. Windows 10 and Windows Server 2019 versions are vulnerable to CVE-2020-16898.

An attacker could craft a “wormable” exploit to achieve RCE. PoCs have been published [13] demonstrating a DoS condition, with full RCE exploits to be expected in the coming months.

Other vulnerabilities of note in the advisory include:

CVE-2020-16899 - Windows TCP/IP Denial of Service Vulnerability

CVE-2020-16952 and CVE-2020-16951 - Microsoft SharePoint Remote Code Execution Vulnerability

CVE-2020-16947 - Microsoft Outlook Remote Code Execution Vulnerability

CVE-2020-16931, CVE-2020-16929, CVE-2020-16930 and CVE-2020-16932 - Microsoft Excel Remote Code Execution Vulnerabilities

CVE-2020-16918 and CVE-2020-17003 - Base3D Remote Code Execution Vulnerability

CVE-2020-1167 and CVE-2020-16923 - Microsoft Graphics Components Remote Code Execution Vulnerability

CVE-2020-16891 - Windows Hyper-V Remote Code Execution Vulnerability

Course of Action: Review Patch Tuesday Advisory for October 2020

Recommendations

EclecticIQ Fusion Center recommends applying security updates to affected systems as soon as they become available, to mitigate the risks posed by the vulnerabilities mentioned in this report. This report is a summary of the main vulnerabilities EclecticIQ analysts have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.

Users should ensure they update their dependent systems even if they are not mentioned in this report.

References

  1. https://us-cert.cisa.gov/ncas/alerts/aa20-258a
  2. https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
  3. https://github.com/search?q=CVE-2019-0708+scanner 
  4. https://github.com/search?q=CVE-2019-0708+poc
  5. https://www.exploit-db.com/exploits/47120
  6. https://blog.eclecticiq.com/eclecticiq-monthly-vulnerability-trend-report-february-2020
  7. https://blog.eclecticiq.com/eclecticiq-monthly-vulnerability-trend-report-september-2020
  8. https://us-cert.cisa.gov/ncas/alerts/aa20-283a
  9. https://blog.talosintelligence.com/2020/10/vuln-spotlight-amd-driver-dos-oct-2020.html
  10. https://www.openwall.com/lists/oss-security/2020/09/03/3
  11. https://samcurry.net/hacking-apple/ 
  12. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
  13. http://blog.pi3.com.pl/?p=780

About this report

This report provides an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.
