EclecticIQ
March 18, 2020

EclecticIQ Monthly Vulnerability Trend Report - February 2020

EIQ_FC_Monthly Vulnerability Report-2This blogpost provides an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.

Key Findings
  • Microsoft patched 99 vulnerabilities as part of their February 2020 patch Tuesday advisory. This is an unusually high number, as January 2020 only addressed 49 vulnerabilities.
  • A WordPress plugin called ThemeGrill Demo Importer, that has been installed on over 100,00 websites, suffers from a severe vulnerability which allows any unauthenticated user to wipe the entire database to its default state after which they are automatically logged in as an administrator .
  • The Cisco Discovery Protocol (CDP) suffers from multiple critical vulnerabilities. The flaws have been dubbed (CDPwn).
Analysis 

Exploitation of Vulnerabilities

CVE-2020-6418

A Zero-day vulnerability in Google Chrome CVE-2020-6418 that was actively under attack has been patched by Google in February 2020. This is the third Zero-day vulnerability to be patched by Google in the last year.

The only information available on the flaw is that it’s a type confusion vulnerability in the V8 JavaScript engine used by Google Chrome. No details of the attack observed in the wild has been released.

The new Chrome version v80.0.3987.122 has been released to address the vulnerability as well as two other high-risk flaws. It is highly recommended to update exposed Windows, Mac and Linux systems.

Course of Action:

  •  Update to Chrome release v80.0.3987.122

ThemeGrill Demo Importer

The ThemeGrill Demo importer WordPress plugin installed on 100,00 websites suffers from ThemeGrill Demo Importer Remote Unauthenticated Database Wipe and Authorization Bypass Vulnerability. Versions 1.3.4 to 1.6.2 are vulnerable and are actively being exploited in the wild with over 17,000 attacks being blocked according to the initial reporters of the vulnerability, website security company WebARX.

No known Proof of Concept (PoC) exploit is currently publicly available, but a list of known malicious IP addresses can be found here: IP Addresses Attacking ThemeGrill Demo Importer Vulnerability.

The vendor released version 1.6.3 to address the vulnerability. Users are encouraged to upgrade for mitigation.

Course of Action:

  • Update ThemeGrill Demo Importer to version 1.6.3

CVE-2020-8818

A PoC has been released for a patched vulnerability CVE-2020-8818 in a plugin for Magento. The CardGate Payments plugin is vulnerable to an origin authentication flaw which makes it possible for an attacker to change plugin settings such as the merchant ID or secret key.

This could lead to the attacker hijacking the payment process, enabling cybercriminals to route payments meant for a merchant towards an account that they control. A PoC exploit for the vulnerability can be found here.

The CardGate Payments plugin versions up to 2.0.30 for Magento 2 need to be patched. CardGate Payment Gateway Module 2.0.30 also needs to be updated for the same reason.

Course of Action:

  • Update Magento to the Latest Version

Patched Vulnerabilities

Patch Tuesday February 2020

In February 2020, Microsoft released fixes for 99 vulnerabilities, which is an unusually high number.

As reported in the EclecticIQ Monthly Vulnerability Trend Report for January 2020, the critical Remote Code Execution (RCE) vulnerability in Internet Explorer CVE-2020-0674 exists within the way that the scripting engine handles objects in memory. The vulnerability could lead to memory corruption which enables remote code execution in the context of the current user of the vulnerable system.

Previous mitigation measures were suggested in the absence of an official patch, but CVE-2020-0674 has been officially addressed by Microsoft as part of the February 2020 advisory.

More vulnerabilities in Microsoft's Remote Desktop Protocol (RDP) client has been patched as of February 2020. The two flaws, CVE-2020-0681 and CVE-2020-0734, are severe as they could lead to remote code execution when a user connects to a malicious server.

CVE-2020-0738 is a critical memory corruption flaw in Windows Media Foundation. There are multiple ways an attacker could exploit the vulnerability, such as through social engineering attacks to persuade a user to open a specially crafted document, or by redirecting a user to a malicious webpage.

Course of Action:

  • Apply February 2020 Patch Tuesday

Newly Discovered Vulnerabilities

CVE-2020-1938 “Ghostcat”

A vulnerability in Tomcat and JBoss instances which is being identified as “GhostCat” and tracked as CVE-2020-1938, is a flaw that could let unauthenticated remote attackers read the content of any file on a vulnerable web server (or servlet container) and obtain sensitive configuration files or source code, or execute arbitrary code if the server allows the uploading of files.

Active scanning for the vulnerability has already been detected, with PoC exploits being published by various security researchers. It is only a matter of time that the scanners and the PoC exploits are combined to automate the exploitation of vulnerable servers.

If updating or upgrading is not immediately possible in your environment, Chaitin Tech's research team recommends disabling the AJP Connector altogether if not actively used or configure the requiredSecret attribute for the AJP Connector to set authentication credentials.

Course of Action:

  • Update Apache Tomcat to Version 9.0.31, 8.5.51, and 7.0.100

CDPwn

Security researchers have disclosed details about five vulnerabilities in the widely-deployed Cisco Discovery Protocol (CDP). CDP is a proprietary Layer 2 data link protocol for gathering information about networked devices. It's implemented in almost all of Cisco's products, including routers, switches, IP phones, and IP cameras. This makes the number of devices vulnerable in the tens of millions. The vulnerabilities have been collectively referred to as "CDPwn".

A summary of the vulnerabilities follows:

  • CVE-2020-3120 - Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability
  • CVE-2020-3119 - Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability
  • CVE-2020-3118 - Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability
  • CVE-2020-3111 - Cisco IP Phone Remote Code Execution and Denial of Service Vulnerability
  • CVE-2020-3110 - Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability

Typically, the chain of compromise would involve the exploitation of a low-level security Internet-of-Things (IoT) device as an initial entryway to further exploit the network consisting of CDPwn vulnerable devices.

Course of Action:

  • Update Cisco Devices Vulnerable to CDPwn
Recommendations

EclecticIQ Fusion Center recommends customers apply security updates to their systems as soon as they become available in order to mitigate against the risks posed by the vulnerabilities mentioned in this report. It is worth noting this report is a summary of the main vulnerabilities we have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.

Users should ensure they manually update their own systems even if no security vulnerabilities have been reported.

We hope you enjoyed this post. Subscribe to our blog below for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.