EclecticIQ
May 22, 2020

EclecticIQ Monthly Vulnerability Trend Report - April 2020

EclecticIQ Fusion Center Monthly Vulnerability Report

This report provides an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such will not include every vulnerability announced that month.

Key Findings
  • As part of the April 2020 Patch Tuesday advisory, Microsoft addressed 113 vulnerabilities across 11 products, including three 0-day flaws that were being actively exploited in the wild. 
  • Oracle has addressed 399 vulnerabilities as part of their quarterly critical patch update advisory in April 2020. 
  • An Oracle WebLogic Server vulnerability CVE-2020-2883 has been actively exploited in the wild. 
Analysis 

Exploitation of Vulnerabilities 

CVE-2020-2883 - Oracle WebLogic Server 

According to Oracle, numerous reports indicated that attackers were targeting a vulnerability addressed by Oracle's April 2020 Critical Patch Update. Oracle had published no details of the attacks as of April 2020.

The company released a patch for the critical remote code execution flaw, CVE-2020-2883, in its WebLogic Server application. Oracle WebLogic Server is a popular application used for building and deploying enterprise Java EE applications.

Affected versions of WebLogic Server include versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. 

Course of Action: 

  • Review April 2020 Oracle Critical Patch Update Advisory  
     

Patched Vulnerabilities 

Microsoft Patch Tuesday 14 April 2020 

Microsoft has issued fixes for 113 flaws across 11 products as part of its April 2020 edition of Patch Tuesday, which included three 0-day bugs that were being actively exploited in the wild.

Vulnerabilities in the following products have been addressed as part of the advisory:

  • Microsoft Windows 
  • Microsoft Edge (EdgeHTML-based) 
  • Microsoft Edge (Chromium-based) 
  • ChakraCore 
  • Internet Explorer 
  • Microsoft Office and Microsoft Office Services and Web Apps 
  • Windows Defender 
  • Visual Studio 
  • Microsoft Dynamics 
  • Microsoft Apps for Android 
  • Microsoft Apps for Mac 

The three 0-day vulnerabilities patched as part of the advisory include: 

CVE-2020-1020 - Windows Adobe Type Manager Library 

A vulnerability in the Windows Adobe Type Manager Library lets attackers run code on vulnerable systems. Attacks can be executed remotely. The zero-day does not impact Windows 10. Details about this zero-day became public the previous month, but a patch was only released with this advisory.

CVE-2020-0938 - Windows Adobe Type Manager Library 

This is a second bug in the same Windows Adobe Type Manager Library. The bug is somewhat similar to the one above, but unlike the first one, its existence was disclosed only with this advisory. The Microsoft mitigation published the previous month, if applied, also blocked attacks exploiting this second bug.

CVE-2020-1027 - Windows kernel 

A bug in the Windows kernel lets attackers elevate privileges to run code with kernel access. 

The increase in the number of vulnerabilities patched has been partly attributed to Microsoft's hiring of a security researcher going by "SandboxEscaper". Before being hired, the researcher was well known for posting Windows 0-day vulnerabilities.

Course of Action: 

  • Review April 2020 Patch Tuesday Advisory 

Microsoft Out-of-Band patches 

Microsoft has released an out-of-band security update for Microsoft Office, Office 365 ProPlus and Paint 3D, which are affected by multiple Autodesk Remote Code Execution (RCE) and Denial-of-Service (DoS) vulnerabilities.

All the vulnerabilities have received a severity rating of "important" and stem from Autodesk's library for FBX, a popular file format for 3D models. The vulnerabilities have been assigned the following CVE designations and descriptions:

  • CVE-2020-7080 - Buffer overflow vulnerability (RCE) 
  • CVE-2020-7081 - Type confusion vulnerability (RCE) 
  • CVE-2020-7082 - Use-after-free vulnerability (RCE) 
  • CVE-2020-7083 - Integer overflow vulnerability (DoS) 
  • CVE-2020-7084 - Null Pointer Dereference vulnerability (DoS) 
  • CVE-2020-7085 - Heap Overflow Vulnerability (Limited Code Execution) 

A Proof-of-Concept (PoC) exploit for CVE-2020-7085 was published on Twitter by a security researcher from F-Secure. 

Course of Action: 

  • Review Out-of-Band Advisory for Autodesk FBX Vulnerabilities   

Oracle Critical Patch Update Advisory April 2020 

As part of their quarterly critical patch update advisory, Oracle issued 399 new security patches across multiple product lines, including 286 that were remotely exploitable. 

Some of the products affected by the vulnerabilities include: 

  • Fusion Middleware  
  • Java Platform, Standard Edition Java SE 
  • Oracle Financial Services Applications suite 
  • Oracle MySQL 
  • Oracle’s Database Server line 

Several of the products listed in the advisory are affected by critical flaws. The Oracle Financial Services Applications suite had 34 critical vulnerabilities patched, 14 of them remotely exploitable. Forty-five bugs in Oracle MySQL were identified, nine of them remotely exploitable with a CVSS rating of 9.8.

Course of Action: 

  • Review April 2020 Oracle Critical Patch Update Advisory 

SAP Patch Day 

On 14 April 2020, SAP Security Patch Day saw the release of 23 Security Notes, plus 3 updates to previously released Patch Day Security Notes.

Some of the more notable vulnerabilities patched, each with a CVSS score of 9 or higher, include:

  • CVE-2020-6238 - Missing XML Validation vulnerability in SAP Commerce 
  • CVE-2019-0330 - OS Command Injection vulnerability in SAP 
  • CVE-2020-6225 - Directory Traversal vulnerability in SAP NetWeaver (Knowledge Management) 
  • CVE-2020-6219 - Deserialization of Untrusted Data in SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer) 
  • CVE-2020-6230 - Code Injection vulnerability in SAP OrientDB 3.0 

Course of Action: 

  • Review SAP April 2020 Security Advisory 

VMware 

A critical flaw in VMware vCenter Server was patched by the vendor in April 2020. The vulnerability, CVE-2020-3952, has been rated with a CVSS v3 score of 10.0, the highest rating there is.

The flaw, a critical information-disclosure bug in VMware's Directory Service (vmdir), could lead to the exposure of corporate virtual infrastructure if exploited. An attacker would need network access to an affected vmdir deployment to exploit the vulnerability, which could lead to the extraction of highly sensitive information.

Course of Action: 

  • Review VMware Security Advisory VMSA-2020-0006.1  
     
Recommendations 

EclecticIQ Fusion Center recommends applying security updates to affected systems as soon as they become available, in order to mitigate the risks posed by the vulnerabilities mentioned in this report. This report is a summary of the main vulnerabilities EclecticIQ analysts have seen over the course of a month and as such does not reflect the full list of CVE information published by vendors.

Users should ensure they update their dependent systems even if they are not mentioned in this report. 
