Main author: Miguel Baez, Senior Threat Analyst
This report aims to provide customers with a regular overview of trends in vulnerability disclosures and announcements. Where applicable, it will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive and so will not include every vulnerability announced that month.
Key Findings:
- Major updates released for Microsoft Windows, Apple macOS, and Linux.
- The Linux kernel suffered two vulnerabilities, SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391), which could allow a remote attacker to cause DoS or DDoS conditions.
- A total of 7 exploits for known vulnerabilities have been identified since 01 August.
Analysis
Routers
Several vulnerabilities were found affecting MikroTik routers in August:
- CVE-2018-1159
- CVE-2018-1158
- CVE-2018-1157
- CVE-2018-1156
One vulnerability in particular (CVE-2018-14847) was being actively exploited in a cryptojacking campaign which enslaved devices across Brazil (MikroTik Routers Enslaved in Massive Coinhive Cryptojacking Campaign).
Operating Systems
August saw an actively exploited flaw (CVE-2018-8414) in the Microsoft Windows Shell, caused by improper validation of file paths. A remote attacker could exploit this flaw to execute arbitrary code on the targeted system by convincing a victim to open a specially crafted file received via email or a web page.
The Linux kernel suffered two vulnerabilities, SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391), which could allow a remote attacker to cause DoS or DDoS conditions. The Linux kernel project released an update to address them (Linux Kernel Project Rolled Out Security Updates to Fix Two DoS Vulnerabilities).
A zero-day vulnerability was found in Apple's macOS High Sierra operating system which could allow a local attacker to virtually "click" a security prompt and load a kernel extension (Apple 0-Day (Re)Opens Door to ‘Synthetic’ Mouse-Click Attack).
Security researchers exposed an API-breaking vulnerability in Android devices (CVE-2018-9489) which allows any application installed on a device to access sensitive information (Android OS API-Breaking Flaw Offers Useful WiFi Data to Bad Actors).
Browsers
Microsoft patched a flaw (CVE-2018-0871) in the Edge browser that could allow threat actors to steal local files from a victim's computer (Microsoft Edge Flaw Lets Hackers Steal Local Files).
A severe use-after-free vulnerability (CVE-2018-8373) was also found in the VBScript engine shipped with the latest versions of Windows; it affects Internet Explorer and allows shellcode to be run (Use-after-free (UAF) Vulnerability CVE-2018-8373 in VBScript Engine Affects Internet Explorer to Run Shellcode).
Mozilla patched six critical flaws in Firefox:
- The first critical flaw (CVE-2018-12359) is a buffer overflow that occurs while adjusting the computed size of the canvas element for rendering canvas content, which might cause data to be written outside of the computed boundaries.
- The second critical flaw (CVE-2018-12360) is a use-after-free vulnerability that occurs when an input element is deleted during a mutation event handler triggered by focusing that element.
- The third is a critical integer overflow vulnerability (CVE-2018-12361) that resides in the SwizzleData code and occurs while calculating buffer sizes.
- The last two critical flaws (CVE-2018-5187, CVE-2018-5188) comprise a number of memory safety bugs in Firefox 61, Firefox ESR 60.1, 52.9, and Thunderbird 60. These vulnerabilities might allow attackers to run arbitrary code by exploiting memory corruption.
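The canvas overflow and the SwizzleData integer overflow above are both size-calculation bugs: a width, height and bytes-per-pixel product that wraps in fixed-width arithmetic yields a buffer far smaller than the data later written into it. The following C program is an added illustration of that bug class and its fix; it is not Firefox code and not code from this report. The dimensions and the 32-bit arithmetic are constructed for the example, and `naive_buffer_size`, `checked_buffer_size` and `alloc_canvas` are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked pixel-buffer size in 32-bit arithmetic, a simplified stand-in
 * for the bug class: the product wraps modulo 2^32, so attacker-chosen
 * dimensions can yield a small (even zero) size. */
uint32_t naive_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;  /* silently wraps on overflow */
}

/* Checked version: refuses any size that does not fit in 32 bits.
 * Returns true and stores the size in *out on success, false on overflow. */
bool checked_buffer_size(uint32_t width, uint32_t height, uint32_t bpp,
                         uint32_t *out)
{
    uint32_t pixels;

    if (width != 0 && height > UINT32_MAX / width)
        return false;                 /* width * height would wrap */
    pixels = width * height;
    if (pixels != 0 && bpp > UINT32_MAX / pixels)
        return false;                 /* pixels * bpp would wrap */
    *out = pixels * bpp;
    return true;
}

/* Convenience wrapper for callers that only need a yes/no answer. */
bool canvas_size_fits(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t unused;
    return checked_buffer_size(width, height, bpp, &unused);
}

/* Allocate a canvas buffer only after its size was validated; returns NULL
 * on overflow instead of handing back an undersized allocation. */
unsigned char *alloc_canvas(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t size;
    if (!checked_buffer_size(width, height, bpp, &size) || size == 0)
        return NULL;
    return calloc(size, 1);
}

int main(void)
{
    /* Constructed dimensions: 65536 x 65536 x 4 bytes = 2^34, which wraps to 0. */
    uint32_t w = 65536u, h = 65536u, bpp = 4u, size;

    printf("naive size   : %u bytes\n", naive_buffer_size(w, h, bpp));
    if (checked_buffer_size(w, h, bpp, &size))
        printf("checked size : %u bytes\n", size);
    else
        printf("checked size : rejected (overflow)\n");

    unsigned char *buf = alloc_canvas(640u, 480u, 4u);
    printf("640x480x4 alloc: %s\n", buf ? "ok" : "rejected");
    free(buf);
    return 0;
}
```

The division-based check is portable C; on GCC and Clang the same guard can be written with `__builtin_mul_overflow`, which is harder to get wrong when more than two factors are involved.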
Databases
Security researchers found proof-of-concept (PoC) code that exploits the recently discovered vulnerability (CVE-2018-11776) in the Apache Struts framework (PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability). This vulnerability is being exploited in the wild, as noted below.
IBM patched two severe vulnerabilities (CVE-2018-11756, CVE-2018-11757) in IBM Cloud Functions that allowed an attacker to exploit an Apache OpenWhisk vulnerability to overwrite user function code (IBM Cloud Functions Is Affected by Two Function Runtime Vulnerabilities).
Protocols
Security researchers believe an Iranian telecommunications company hijacked Telegram's traffic using the well-known BGP hijacking technique, which allowed it to reroute traffic for IP addresses listed in corrupted Internet routing tables (Telegram Traffic From Around the World Took a Detour Through Iran).
Security researchers from the Georgia Institute of Technology published details at the USENIX '18 conference of a side-channel attack on the fixed-window constant-time implementation of RSA in OpenSSL 1.1.0g (One&Done OpenSSL Side Channel Attack).
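To make clear what "fixed-window constant-time" refers to, the following C program is an added example (not OpenSSL code and not code from this report) that contrasts classic square-and-multiply, whose multiply count equals the number of 1 bits in the exponent, with fixed-window exponentiation, which performs the same number of squarings and multiplies for every exponent of a given width and reads its precomputed table with a branch-free select. The 32-bit operands, the base 3 and the modulus 1000003 are constructed for the example, and `opcount_t`, `modexp_square_multiply`, `modexp_fixed_window` and `mult_count` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Operation counter: a software stand-in for what a side channel observes. */
typedef struct {
    unsigned squarings;
    unsigned multiplications;
} opcount_t;

/* Modular multiply on 32-bit operands; the 64-bit product cannot overflow. */
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m)
{
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Left-to-right square-and-multiply: a multiply happens only for exponent bits
 * equal to 1, so the multiply count equals the exponent's Hamming weight and
 * leaks it through timing, power or EM. ops may be NULL. */
uint32_t modexp_square_multiply(uint32_t base, uint32_t exp, uint32_t mod,
                                opcount_t *ops)
{
    opcount_t local = {0, 0};
    uint32_t r = 1 % mod;
    if (!ops) ops = &local;
    ops->squarings = ops->multiplications = 0;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, mod);
        ops->squarings++;
        if ((exp >> i) & 1u) {
            r = mulmod(r, base, mod);
            ops->multiplications++;
        }
    }
    return r;
}

/* Branch-free table lookup: reads every entry and masks in the wanted one,
 * so neither control flow nor the addresses touched depend on idx. */
static uint32_t ct_select(const uint32_t *table, uint32_t n, uint32_t idx)
{
    uint32_t r = 0;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t mask = 0u - (uint32_t)(i == idx);   /* all ones iff i == idx */
        r |= table[i] & mask;
    }
    return r;
}

/* Fixed-window (2^w-ary) exponentiation: precompute base^0 .. base^(2^w-1),
 * then consume the exponent in w-bit windows with w squarings and exactly one
 * table multiply per window, whatever the window value (an all-zero window
 * still multiplies by base^0 = 1). Supports 1 <= w <= 5; ops may be NULL. */
uint32_t modexp_fixed_window(uint32_t base, uint32_t exp, uint32_t mod,
                             unsigned w, opcount_t *ops)
{
    opcount_t local = {0, 0};
    uint32_t table[32];
    uint32_t n = 1u << w;
    unsigned nwin = (32 + w - 1) / w;     /* windows in a 32-bit exponent */
    uint32_t r = 1 % mod;
    if (!ops) ops = &local;
    ops->squarings = ops->multiplications = 0;
    table[0] = 1 % mod;
    for (uint32_t i = 1; i < n; i++)
        table[i] = mulmod(table[i - 1], base, mod);
    for (int j = (int)nwin - 1; j >= 0; j--) {
        for (unsigned s = 0; s < w; s++) {
            r = mulmod(r, r, mod);
            ops->squarings++;
        }
        uint32_t d = (exp >> ((unsigned)j * w)) & (n - 1);
        r = mulmod(r, ct_select(table, n, d), mod);
        ops->multiplications++;
    }
    return r;
}

/* Multiply count for a constructed base/modulus; w == 0 selects
 * square-and-multiply, w >= 1 selects fixed-window with that width. */
unsigned mult_count(uint32_t exp, unsigned w)
{
    opcount_t o;
    if (w == 0) modexp_square_multiply(3u, exp, 1000003u, &o);
    else        modexp_fixed_window(3u, exp, 1000003u, w, &o);
    return o.multiplications;
}

int main(void)
{
    /* Constructed exponents of Hamming weight 1 and 31. */
    uint32_t light = 0x80000000u, heavy = 0xFFFFFFFEu;
    printf("weight-1 exponent : S&M %u mults, fixed-window %u mults\n", mult_count(light, 0), mult_count(light, 4));
    printf("weight-31 exponent: S&M %u mults, fixed-window %u mults\n", mult_count(heavy, 0), mult_count(heavy, 4));
    return 0;
}
```

The operation count being independent of the exponent is what makes the windowed method "constant-time" in the algorithmic sense; the One&Done result cited above is a reminder that an identical sequence of operations can still leak key material physically, so a constant operation count is a necessary property rather than a proof of resistance to side channels.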
Security researchers discovered a new spam campaign targeting corporate networks around the world with the LokiBot malware. Upon infection, LokiBot steals passwords from browsers, messaging applications, and mail and FTP clients (Loki Bot Steals Corporate Passwords).
The Internet Systems Consortium (ISC) warned that a severe vulnerability (CVE-2018-5740) in the "deny-answer-aliases" feature of the BIND software could be exploited to launch denial-of-service (DoS) attacks; the feature helps recursive server operators protect users against DNS rebinding attacks.
Administrative Tools
Security experts discovered that OpenSSH releases since September 2011 are affected by a serious flaw (CVE-2018-15919) that leaves them vulnerable to an oracle attack (OpenSSH Versions Since 2011 Vulnerable to Oracle Attack).
Other Vulnerabilities
The following vulnerabilities were also published since 1st July but do not fit into the categories above:
- CVE-2018-11616
- CVE-2018-5925
- CVE-2018-5924
- CVE-2018-13415
- CVE-2018-13417
- CVE-2018-6970
- CVE-2018-12989
- CVE-2018-13416
- CVE-2017-8988
- CVE-2017-8989
- CVE-2018-15132
- CVE-2018-15202
- CVE-2018-0871
- CVE-2017-6213
- CVE-2017-6215
- CVE-2017-5692
- CVE-2018-11338
These include two vulnerabilities in HP Inkjet printers (CVE-2018-5925, CVE-2018-5924), an out-of-bounds memory read vulnerability (CVE-2018-6970) in three VMware Horizon products, and an information disclosure vulnerability (CVE-2018-8234) in Edge when it improperly marks files, aka "Microsoft Edge Information Disclosure Vulnerability."
Exploits for Vulnerabilities
Since 01 August, EclecticIQ analysts have captured the following exploits of vulnerabilities as Attack Patterns and TTPs:
- Attack Pattern: Exploitation of CVE-2017-0144 to Drop PowerGhost Script
- Attack Pattern: Exploiting CVE-2018-11776 RCE in Apache Struts
- Attack Pattern: Exploiting CVE-2018-11776 to download CNRig
- Attack Pattern: Scanning for Apache Struts devices vulnerable to CVE-2018-11776
- Attack Pattern: Spearphishing with Word Document to Drop RAT by Gorgon Group in Political Campaign
- Attack Pattern: Muhstik Botnet used for DDoS attack
- Attack Pattern: Exploitation of CVE-2017-0144 to Drop PowerGhost Script
The above Attack Patterns are sometimes tied to the tactics of specific threat actors, but are also sometimes observed as behaviours not linked to a particular adversary. Some come from new or updated Metasploit modules; others stem from research into APT groups and their most recent TTPs.
Recommendations
EclecticIQ Fusion Center recommends that customers apply security updates to their systems as soon as they become available, in order to mitigate the risks posed by the vulnerabilities mentioned in this report. Note that this report is a summary of the main vulnerabilities we have seen over the course of a month and is therefore not a full list of the CVE information published by vendors.
Users should ensure they manually update their own systems and dependencies, even if these are not mentioned in this report.