EclecticIQ Monthly Vulnerability Trend Report - August 2020
- A previous patch for a Remote Code Execution (RCE) vulnerability in the popular vBulletin forum software was discovered to be insufficient, with researchers posting Proof-of-Concept (PoC) exploits and in-the-wild attacks following soon after.
- A vulnerability was discovered in Thales IoT devices that could put millions of devices at risk.
- A "Zero-Day" vulnerability patched as part of the August 2020 edition of the Microsoft Patch Tuesday advisory has been a known issue since 2018.
Exploitation of Vulnerabilities
Multiple Versions of vBulletin Vulnerable to Remote Code Execution Vulnerability
A security researcher, Amir Etemadieh, discovered that the September 2019 patch for the remote code execution vulnerability CVE-2019-16759 did not sufficiently address the flaw. In-the-wild attacks were observed after Etemadieh posted PoC exploits for the vulnerability.
The PoCs are trivial to use even for inexperienced attackers. Widespread attacks on vulnerable systems can be expected in the coming weeks before the official patch is released.
New mitigation patches have been made available for versions 5.6.2, 5.6.1 and 5.6.0 of vBulletin Connect, and they disable the PHP Module widget. The upcoming v5.6.3 will contain an official patch.
- Course of Action: Patch Outdated Versions of vBulletin to Disable PHP Module
Newly Discovered Vulnerabilities
Zoom Vulnerabilities Showcased at DEF CON
At the annual DEF CON security conference held in August 2020, a security researcher, Mazin Ahmed, presented multiple vulnerabilities in the popular Zoom video conferencing app. Some of the flaws, which affect the Linux-based version of the application, could allow an attacker to exfiltrate Zoom user data and/or run malware as a sub-process of a trusted application. The attacker would need access to an already compromised system to perform some of these attacks; because of this, the vulnerabilities would most likely be leveraged in the later stages of a more sophisticated attack.
The other vulnerabilities involve an externally accessible Kerberos authentication service ("ca01.idm.meetzoom.us") and a TLS/SSL issue that lets malware inject custom certificate fingerprints into the local Zoom database.
Ahmed privately reported the vulnerabilities to Zoom in April and July 2020, with the company issuing a patch on the 3rd of August. Zoom has become a critical component for most companies following the shift to a work-from-home structure during the COVID-19 pandemic.
- Course of Action: Update Outdated Zoom Instances to Version 5.2.4
"Achilles" Research Finds over 400 Vulnerabilities in Qualcomm DSP Chips
Security researchers at Check Point Research have discovered over 400 different pieces of vulnerable code in one Qualcomm DSP processor. Qualcomm Technologies is one of the leading manufacturers of mobile-based processors, with the Qualcomm Snapdragon processor included in millions of Android devices worldwide.
Attackers could leverage the vulnerabilities to:
- Exfiltrate data such as photos, videos, real-time microphone data, GPS and location data, as well as recording phone calls
- Perform a Denial of Service (DoS) type attack on the device by rendering the phone unresponsive
- Install malware which could aid in making the attacker undetectable and/or give persistent access
The official CVEs assigned to the vulnerabilities are as follows:
The researchers notified the relevant government officials and relevant mobile vendors before publishing their findings.
ReVoLTE Research Demonstrates Attacks on Encrypted 4G Calls
Academics have detailed new attack vectors against 4G encrypted calls. Voice over LTE (VoLTE) is a packet-based telephony service seamlessly integrated into the Long Term Evolution (LTE) standard, and it has been adopted by most major telecommunication providers. Dubbed ReVoLTE, the research focuses on a flaw in the LTE implementation that allows the contents of an encrypted VoLTE call to be recovered. Exploitation can lead to the recording of an encrypted phone call, with attackers being able to decrypt it at a later stage.
Attackers would need to be on the same mobile tower (base station) as the intended victim. The attacker sniffs encrypted radio traffic of a specific person within the cell of a vulnerable base station. After the call ends, the attacker calls back the target and keeps the call ongoing for a while. In the second call, the attacker sniffs encrypted radio traffic and records the encrypted sound. A process is then followed to decrypt the recorded traffic.
The researchers have published an app that can determine if a specific network that a device is on is vulnerable or not.
- Course of Action: Test Network with Mobile Sentinel App
CVE-2020-15858 Puts IoT Devices at Risk
The popularity of Internet of Things (IoT) devices has been growing at a rapid pace, and their number could grow to 55.9 billion by 2025. These devices are used everywhere, from personal home automation and security systems to Industrial Control Systems (ICS). With popularity comes the potential for a massive attack surface if the devices are not secured properly.
Researchers at IBM's X-Force Red have discovered a new vulnerability in devices from one of the more well-known and widely used manufacturers, Thales. The vulnerability has been designated CVE-2020-15858 and is a flaw in the Cinterion EHS8, BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81 and PLS62 modules used in millions of internet-connected devices. The modules are circuit boards that enable communication over 3G and 4G networks in IoT devices.
These devices store sensitive information such as passwords, certificates and encryption keys. If this type of information is exposed and accessible to threat actors, it can be leveraged to control critical devices within critical industries. Devices used for ICS and medical purposes could be manipulated, which underscores the importance of IoT security and the severity of a vulnerability like CVE-2020-15858.
- Course of Action: Apply the Patch Issued by Manufacturers for CVE-2020-15858
Microsoft Patch Tuesday August 2020
Among the 120 vulnerabilities fixed this month, 17 bugs have received the highest severity rating of "Critical," and there are also two zero-days — vulnerabilities that have been exploited by hackers before Microsoft was able to provide today's patches.
CVE-2020-1464 - A Zero-Day vulnerability that could be used to bypass security features and load improperly signed files. No technical details or exploitation information have been disclosed, so as to deter malicious actors from easily exploiting the vulnerability.
According to security researchers Tal Be'ery and Peleg Hadar, CVE-2020-1464 is not a new vulnerability but has been actively exploited since 2018. Known internally to the researchers as GlueBall, an exploit for the flaw was first uploaded to VirusTotal in August 2018 and was reported to Microsoft soon after. Microsoft replied to the VirusTotal analysis of the GlueBall sample that they would not fix the vulnerability.
CVE-2020-1380 - A Remote Code Execution Zero-Day vulnerability that resides in the scripting engine that ships with Internet Explorer. According to researchers at Kaspersky, the flaw has been exploited by threat actors in the wild. The scripting engine is not only present in Internet Explorer but affects Microsoft Office as well, because Office uses the same scripting engine to embed and render web pages inside Office documents. Basic phishing attacks via attachment or link, where an attacker sends a malicious Office document, could therefore be used to exploit the vulnerability.
- Course of Action: Review August 2020 Patch Tuesday Advisory
TeamViewer, the popular remote-support software, recently released a new version that includes a patch for a severe vulnerability, CVE-2020-13699. The flaw resides in the way TeamViewer quotes its custom URI handlers. This could be exploited to let remote attackers steal the target's system password and subsequently compromise the system.
A threat actor could leverage TeamViewer's URI scheme from a web page to trick the application installed on the victim's system into initiating a connection to an attacker-owned remote SMB share. This can be executed without requiring much interaction from the target. A social engineering component would still be needed to convince the target to visit a web page containing an embedded malicious iframe. Once clicked by the victim, TeamViewer will automatically launch its Windows desktop client and open the remote SMB share.
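Because the weakness behind CVE-2020-13699 is how a URI handler's launch command quotes the URI it receives, a useful defensive check is to audit every URL protocol handler registered on a Windows host and flag those whose command line leaves the placeholder unquoted. The script below is an added example written for this report and is not code from EclecticIQ, TeamViewer or the vulnerability advisory. It relies only on the standard Windows layout for URL protocol handlers (a key under HKEY_CLASSES_ROOT carrying a "URL Protocol" value and a shell\open\command subkey) and makes no assumption about TeamViewer's specific scheme name; the function name and the regular expression used to decide what counts as "quoted" are this example's own choices.

```powershell
# Added example (not from the EclecticIQ report or the TeamViewer vendor):
# read-only audit of URL protocol handlers registered on this Windows host.
# A handler whose command line contains an unquoted %1 (or %L) placeholder
# passes the URI to the program as raw argument text, which is the class of
# quoting weakness described for CVE-2020-13699.

function Get-UrlProtocolHandlerAudit {
    [CmdletBinding()]
    param()

    # Assumption (standard Windows layout): each URL scheme is a key directly under
    # HKEY_CLASSES_ROOT that declares a "URL Protocol" value; the launch command is
    # the default value of its shell\open\command subkey.
    $schemes = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue

    foreach ($key in $schemes) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        # "URL Protocol" is usually an empty string, so test for the value's presence,
        # not its content.
        if (-not ($props.PSObject.Properties.Name -contains 'URL Protocol')) { continue }

        $cmdKey = Join-Path -Path $key.PSPath -ChildPath 'shell\open\command'
        if (-not (Test-Path -Path $cmdKey)) { continue }

        $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($cmd)) { continue }

        # Heuristic chosen for this example: a placeholder is treated as quoted when it
        # is written as "%1" (or "%L"); any %1/%L not wrapped in double quotes is flagged.
        $hasUnquotedPlaceholder = $cmd -match '(?<!")%[1lL](?!")'

        [pscustomobject]@{
            Scheme             = $key.PSChildName
            Command            = $cmd
            UnquotedPlaceholder = $hasUnquotedPlaceholder
        }
    }
}

# Usage: list only the handlers that warrant a closer look.
Get-UrlProtocolHandlerAudit |
    Where-Object UnquotedPlaceholder |
    Sort-Object Scheme |
    Format-Table -AutoSize
```

The audit is deliberately conservative: an unquoted placeholder does not by itself prove that the receiving program mishandles the argument, so each flagged scheme should be checked against the vendor's advisory and patched version (for TeamViewer, the report's course of action is to update to 15.8.3). Running the script across a fleet, for example through a configuration-management or EDR scripting facility, gives a quick inventory of which hosts still expose a handler of this shape.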
No in-the-wild exploitation of this vulnerability has been observed as of August 2020. The likelihood of exploitation is high, given the popularity of the software.
- Course of Action: Update TeamViewer to Version 15.8.3
EclecticIQ Fusion Center recommends applying security updates to affected systems as soon as they become available, in order to mitigate the risks posed by the vulnerabilities mentioned in this report. This report is a summary of the main vulnerabilities EclecticIQ analysts have seen over the course of a month and, as such, does not reflect the full list of CVE information published by vendors.
Users should ensure they update their dependent systems even if they are not mentioned in this report.
About this report
This report provides an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.