Key Findings
- Microsoft addressed a total of 87 vulnerabilities in its October 2020 Patch Tuesday advisory, including a critical vulnerability in the Windows TCP/IP stack.
- Security researchers discovered 55 flaws in Apple services.
- Threat actors gained unauthorized access to election support systems by chaining multiple high-profile vulnerabilities.
Exploitation of Vulnerabilities
NSA Advisory Details the Top 25 Vulnerabilities Exploited by Chinese State-Sponsored Actors
In September 2020, the Cybersecurity and Infrastructure Security Agency (CISA) detailed [1] the Tactics, Techniques, and Procedures (TTPs) employed by the Chinese Ministry of State Security (MSS) over the previous 12 months. In October 2020, the National Security Agency (NSA) posted a security advisory [2] on the top 25 vulnerabilities being exploited by Chinese state-sponsored actors.
The vulnerabilities that both agencies highlighted include:
CVE-2020-5902
In F5 BIG-IP proxy / load balancer devices, the Traffic Management User Interface (TMUI), also referred to as the configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. The vulnerability affects F5 BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1.
Course of Action: Review F5 Security Advisory K52145254
CVE-2019-19781
An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway. The flaw allows for directory traversal, which can lead to RCE without the need for credentials. It affects Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12, and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.
Course of Action: Apply Official Fixes for Citrix Devices Affected by CVE-2019-19781
CVE-2019-11510
A vulnerability in Pulse Secure VPNs enables an unauthenticated remote attacker to send a specially crafted URI to perform an arbitrary file read. This may lead to exposure of sensitive information such as passwords. It affects Pulse Connect Secure (PCS) versions 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.
Course of Action: Apply Official Patches for Vulnerable Pulse Secure VPN Versions
CVE-2020-0688
An RCE vulnerability in the Microsoft Exchange validation key where the software fails to properly handle objects in memory. It affects Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 29 and earlier, 2013 Cumulative Update 22 and earlier, 2016 Cumulative Update 13 and earlier, and 2019 Cumulative Update 2 and earlier.
Course of Action: Apply March 2020 Patch Tuesday
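The affected-version ranges quoted for these products are exactly the input a patch-triage script has to evaluate. The following Python script is an added illustration, not part of the EclecticIQ report or of any vendor tooling. It transcribes the F5, Citrix and Pulse Secure ranges from the descriptions above, compares versions component-wise (a plain string comparison would wrongly sort 15.1.0.10 below 15.1.0.3, which is the usual way such checks go wrong), and runs a constructed inventory against them. The product labels, hostnames and inventory versions are made up for the example; the Exchange rollups are left out because cumulative-update numbering does not map onto dotted versions.

```python
import re
from typing import List, Tuple

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.1.0.10' or '8.2R12.1' into a tuple of ints.

    Tuples compare component-wise, so (15,1,0,10) > (15,1,0,3); the equivalent
    string comparison would get this backwards.
    """
    parts = re.split(r"[.R]", version.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)

# Inclusive affected ranges, transcribed from the CVE-2020-5902 description above.
INCLUSIVE_RANGES = {
    ("F5 BIG-IP", "CVE-2020-5902"): [
        ("15.0.0", "15.1.0.3"), ("14.1.0", "14.1.2.5"), ("13.1.0", "13.1.3.3"),
        ("12.1.0", "12.1.5.1"), ("11.6.1", "11.6.5.1"),
    ],
}

# "Versions before X" per release branch, transcribed from the descriptions above.
# A build is affected when it shares the first two components with X and sorts below it.
FIXED_IN = {
    ("Citrix ADC/Gateway", "CVE-2019-19781"): [
        "13.0.47.24", "12.1.55.18", "12.0.63.13", "11.1.63.15", "10.5.70.12"],
    ("Pulse Connect Secure", "CVE-2019-11510"): ["8.2R12.1", "8.3R7.1", "9.0R3.4"],
}

def affected_cves(product: str, version: str) -> List[str]:
    """Return the CVEs from the tables above that apply to product/version."""
    v = parse_version(version)
    hits: List[str] = []
    for (prod, cve), ranges in INCLUSIVE_RANGES.items():
        if prod == product and any(
            parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges
        ):
            hits.append(cve)
    for (prod, cve), fixed_builds in FIXED_IN.items():
        if prod != product:
            continue
        for fixed in fixed_builds:
            fv = parse_version(fixed)
            # Same branch (e.g. 13.0.x) and older than the first fixed build.
            if v[:2] == fv[:2] and v < fv:
                hits.append(cve)
                break
    return hits

# Constructed inventory; hostnames and versions are invented for this example.
INVENTORY = [
    ("lb-edge-01", "F5 BIG-IP", "15.1.0.10"),
    ("lb-edge-02", "F5 BIG-IP", "14.1.2.5"),
    ("adc-dmz-01", "Citrix ADC/Gateway", "12.1.55.17"),
    ("vpn-01", "Pulse Connect Secure", "8.2R12"),
    ("vpn-02", "Pulse Connect Secure", "9.0R3.4"),
]

def scan_inventory(inventory) -> List[Tuple[str, str, str, str]]:
    """Return one (host, product, version, cve) tuple per vulnerable entry."""
    findings = []
    for host, product, version in inventory:
        for cve in affected_cves(product, version):
            findings.append((host, product, version, cve))
    return findings

if __name__ == "__main__":
    for host, product, version, cve in scan_inventory(INVENTORY):
        print(f"{host}: {product} {version} is affected by {cve}")
```

Branches that are not listed (for example a Pulse 9.1 build) produce no finding rather than a guess; extend the tables from the vendor advisory before relying on the output for a fleet.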
Some of the more critical and well-known vulnerabilities mentioned in the NSA advisory include:
CVE-2019-0708
RCE vulnerability in Remote Desktop Services. Also known as "BlueKeep", CVE-2019-0708 has been widely exploited due to the popularity of Remote Desktop Services among organizations. The vulnerability is trivial to exploit with multiple scanners [3], Proof of Concept (PoC) exploits [4] as well as a Metasploit module [5] published since its discovery back in May 2019. Successful exploitation enables the attacker to send specially crafted requests to the victim.
Course of Action: Apply Microsoft May 2019 Security Patches
CVE-2020-15505
A vulnerability in MobileIron Core could allow an attacker to execute remote exploits without authentication.
Course of Action: Update MobileIron Products to Mitigate Critical Vulnerabilities
CVE-2020-1350
An RCE vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
Course of Action: Review July 2020 Microsoft Patch Tuesday Advisory
CVE-2020-1472
Also known as "ZeroLogon", CVE-2020-1472 is an elevation of privilege vulnerability where an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).
Course of Action: Review August 2020 Patch Tuesday Advisory
It is recommended to review the cybersecurity advisory and apply all relevant security measures and patches as detailed by the NSA.
Threat Actors are Targeting CVE-2020-3118 Flaw in Cisco Devices
The Cisco IOS XR Software Discovery Protocol suffers from a format string vulnerability, enabling an unauthenticated threat actor to execute arbitrary code or cause a reload of an affected device.
The flaw, designated as CVE-2020-3118 and detailed in the February 2020 edition [6] of the EclecticIQ Monthly Vulnerability Trend Report, was addressed by Cisco together with four other vulnerabilities, collectively known as “CDPwn”, in February 2020.
Cisco updated the advisory on the vulnerability with details surrounding exploitation:
“In October 2020, the Cisco Product Security Incident Response Team (PSIRT) received reports of attempted exploitation of this vulnerability in the wild. Cisco recommends that customers upgrade to a fixed Cisco IOS XR Software release to remediate this vulnerability.”
Course of Action: Update Cisco Devices Vulnerable to CDPwn
Vulnerabilities Exploited Against SLTT, Critical Infrastructure, and Elections Organizations
CISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with the Windows Netlogon "ZeroLogon" vulnerability, CVE-2020-1472, which was detailed in the September edition [7] of the EclecticIQ Monthly Vulnerability Trend Report and mentioned above.
In the alert [8], posted on October 9, 2020, CISA states that the threat actors are chaining multiple vulnerabilities during a single intrusion to compromise a network or application. The ZeroLogon vulnerability is a natural inclusion in the Tactics, Techniques and Procedures (TTPs) of actors looking to exploit networks for the foreseeable future, as the recent disclosure of the vulnerability and generally slow security patch adoption among organizations will increase the success rate of exploitation.
Some of the targeted victims include federal and state, local, tribal, and territorial (SLTT) government networks, with CISA assessing that there may be some risk to election information as the targets could contain sensitive data pertaining to the 2020 United States presidential election. CISA stated that some of the observed activity resulted in unauthorized access to election support systems, but that it currently has no evidence the integrity of election data has been compromised.
The following vulnerabilities were observed as part of initial access exploitation:
- CVE-2020-15505 - RCE Vulnerability in MobileIron Core & Connector
- CVE-2018-13379 - Path Traversal Vulnerability in the FortiOS SSL VPN Web Portal
Other vulnerabilities listed without any confirmed exploitation to gain initial access:
- CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance
- CVE-2019-11510 - Arbitrary File Disclosure Vulnerability in Pulse Connect Secure
- CVE-2020-2021 - Authentication Bypass in SAML Authentication
- CVE-2020-5902 - F5 BIG-IP Traffic Management User Interface (TMUI) RCE Vulnerability
All vulnerabilities mentioned in the CISA advisory are high profile flaws in popular software, with proof-of-concept exploits readily available online.
Course of Action: Review CISA Alert AA20-283A
Newly Discovered Vulnerabilities
Denial-of-Service (DoS) Vulnerability in ATIKMDAG.SYS AMD Graphics Driver
Researchers at Cisco Talos recently discovered [9] a DoS vulnerability in the ATIKMDAG.SYS driver affecting some AMD Graphics Cards.
An attacker could send the victim a specially crafted API request, even from a guest account, to cause an out-of-bounds read, leading to a denial-of-service condition.
Cisco Talos disclosed the flaw to AMD. AMD subsequently acknowledged it publicly but stated that it does not plan to have an official patch until Q1 of 2021.
Privilege Escalation Vulnerability in the Linux Kernel
Unit42 researchers discovered a new memory corruption vulnerability in the Linux kernel, CVE-2020-14386, which could enable privilege escalation in a Linux environment.
The researchers posted [10] details around the discovery of the vulnerability, together with a proposed patch. It is recommended to apply an official patch for the affected versions of Linux when released.
Course of Action: Review Patch by Palo Alto Networks for CVE-2020-14386
Security Researchers Discover 55 Security Flaws in Apple Services
Five security researchers spent three months researching vulnerabilities in various Apple services. The team includes some of the most reputable researchers within the "Bug Bounty" community, bug bounties being the crowdsourcing of vulnerability and exploit research into specific company-owned assets.
The results [11] of the research are 55 newly discovered flaws, of which 11 were rated critical, 29 high, 13 medium, and two low in severity. On the severity of the vulnerabilities, the researchers stated:
“...we found a variety of vulnerabilities in core portions of their [Apple] infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.”
In early October 2020, Apple remediated many of the discovered vulnerabilities, some within 1-2 business days (with some being fixed in as little as 4-6 hours). Apple is a "hardened-target" among the Bug Bounty community, meaning that it is difficult to find any vulnerabilities within the scope of the bug bounty program. At the time of writing, the researchers were paid US$288,500 for the discovery thus far, with more potential payouts pending.
Course of Action: Apply Apple Supplied Security Updates
Patched Vulnerabilities
Microsoft Patch Tuesday October 2020
Microsoft addressed 87 vulnerabilities as part of their October 2020 Patch Tuesday advisory [12], a sharp decline from the number addressed in previous months. This included 21 RCE vulnerabilities for products like Excel, Outlook, the Windows Graphics component, and the Windows TCP/IP stack. The most high-profile and critical flaw is CVE-2020-16898, also known as "Bad Neighbor".
CVE-2020-16898 - "Bad Neighbor"
Bad Neighbor, CVE-2020-16898, is an RCE vulnerability in the Windows TCP/IP stack, which exists due to improper handling of ICMPv6 Router Advertisement packets. Windows 10 and Windows Server 2019 versions are vulnerable to CVE-2020-16898.
An attacker could craft a “wormable” exploit to achieve RCE. PoCs have been published [13] demonstrating a DoS condition, with full RCE exploits to be expected in the coming months.
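A defender can look for the malformed Router Advertisements behind this flaw in captured traffic without needing a working exploit. The following Python script is an added example, not code from the report, from Microsoft or from the PoC authors. It walks the option TLVs of an ICMPv6 Router Advertisement and flags Recursive DNS Server (RDNSS, option type 25) options whose Length field is even or below 3. The check relies on the publicly documented Bad Neighbor trigger, an RDNSS option with an even Length, which the report text does not state and which is taken here as an assumption; the sample packets are constructed inline with a zero checksum and the 2001:db8::1 documentation address.

```python
import ipaddress
import struct
from typing import List, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25         # Recursive DNS Server option (RFC 8106)
RA_HEADER_LEN = 16     # type, code, checksum, hop limit, flags, lifetime, reachable, retrans

def parse_ra_options(icmpv6: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk the option TLVs of an ICMPv6 Router Advertisement.

    Returns (type, length_in_8_byte_units, body) per option. Length is taken
    from the packet but never trusted blindly: a Length of 0 is invalid and
    would make a naive loop spin forever, so it ends the walk; a Length that
    runs past the packet simply yields a truncated body.
    """
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    options = []
    offset = RA_HEADER_LEN
    while offset + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1]
        if opt_len == 0:
            options.append((opt_type, 0, b""))
            break
        end = offset + opt_len * 8
        options.append((opt_type, opt_len, icmpv6[offset + 2:end]))
        offset = end
    return options

def suspicious_rdnss(icmpv6: bytes) -> List[str]:
    """Flag RDNSS options whose Length field cannot be valid.

    A well-formed RDNSS option is one 8-byte block (reserved + lifetime) plus
    one or more 16-byte addresses, so its Length is always odd and at least 3.
    An even Length is the publicly described CVE-2020-16898 trigger (assumed
    here, not stated in the report) and never occurs in legitimate traffic.
    """
    findings = []
    for opt_type, opt_len, _body in parse_ra_options(icmpv6):
        if opt_type == OPT_RDNSS and (opt_len < 3 or opt_len % 2 == 0):
            findings.append(f"RDNSS option with invalid Length={opt_len}")
    return findings

def build_ra(options: bytes) -> bytes:
    """Constructed RA header (checksum left at zero) followed by raw option bytes."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                       64, 0, 1800, 0, 0) + options

# Constructed sample options for testing the checker.
PREFIX_INFO = bytes([OPT_PREFIX_INFO, 4]) + bytes(30)           # legitimate, 32 bytes
GOOD_RDNSS = (bytes([OPT_RDNSS, 3, 0, 0]) + struct.pack("!I", 1800)
              + ipaddress.ip_address("2001:db8::1").packed)      # Length 3, one address
BAD_RDNSS = bytes([OPT_RDNSS, 4]) + bytes(30)                   # even Length: invalid
ZERO_LEN_RDNSS = bytes([OPT_RDNSS, 0]) + bytes(6)               # Length 0: invalid

if __name__ == "__main__":
    for label, pkt in (("benign", build_ra(PREFIX_INFO + GOOD_RDNSS)),
                       ("even-length", build_ra(BAD_RDNSS)),
                       ("zero-length", build_ra(PREFIX_INFO + ZERO_LEN_RDNSS))):
        print(label, suspicious_rdnss(pkt) or "ok")
```

In a capture pipeline the same function would be fed the ICMPv6 payload after the IPv6 header has been stripped; it deliberately ignores the checksum so that it also works on packets a sensor has already altered or truncated.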
Other vulnerabilities of note in the advisory include:
- CVE-2020-16899 - Windows TCP/IP Denial of Service Vulnerability
- CVE-2020-16952 and CVE-2020-16951 - Microsoft SharePoint Remote Code Execution Vulnerabilities
- CVE-2020-16947 - Microsoft Outlook Remote Code Execution Vulnerability
- CVE-2020-16931, CVE-2020-16929, CVE-2020-16930 and CVE-2020-16932 - Microsoft Excel Remote Code Execution Vulnerabilities
- CVE-2020-16918 and CVE-2020-17003 - Base3D Remote Code Execution Vulnerabilities
- CVE-2020-1167 and CVE-2020-16923 - Microsoft Graphics Components Remote Code Execution Vulnerabilities
- CVE-2020-16891 - Windows Hyper-V Remote Code Execution Vulnerability
Course of Action: Review Patch Tuesday Advisory for October 2020
Recommendations
EclecticIQ Fusion Center recommends applying security updates to affected systems as soon as they become available, to mitigate the risks posed by the vulnerabilities mentioned in this report. This report is a summary of the main vulnerabilities EclecticIQ analysts have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.
Users should ensure they update their dependent systems even if they are not mentioned in this report.
References
- [1] https://us-cert.cisa.gov/ncas/alerts/aa20-258a
- [2] https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
- [3] https://github.com/search?q=CVE-2019-0708+scanner
- [4] https://github.com/search?q=CVE-2019-0708+poc
- [5] https://www.exploit-db.com/exploits/47120
- [6] https://blog.eclecticiq.com/eclecticiq-monthly-vulnerability-trend-report-february-2020
- [7] https://blog.eclecticiq.com/eclecticiq-monthly-vulnerability-trend-report-september-2020
- [8] https://us-cert.cisa.gov/ncas/alerts/aa20-283a
- [9] https://blog.talosintelligence.com/2020/10/vuln-spotlight-amd-driver-dos-oct-2020.html
- [10] https://www.openwall.com/lists/oss-security/2020/09/03/3
- [11] https://samcurry.net/hacking-apple/
- [12] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
- [13] http://blog.pi3.com.pl/?p=780
About this report
This report provides an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.