EclecticIQ
August 12, 2020

EclecticIQ Monthly Vulnerability Trend Report - July 2020

This report provides an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such will not include every vulnerability announced that month.

Key Findings 
  • Throughout July 2020, proof-of-concept exploits, a mass scanner utility and attacks in the wild have been observed related to a vulnerability in the F5 BIG-IP Traffic Management User Interface.
  • Microsoft has addressed 123 vulnerabilities as part of its July 2020 Patch Tuesday security advisory, including the wormable critical vulnerability in Windows DNS Server, dubbed SIGRed.
  • A critical vulnerability in the SAP NetWeaver Application Server (AS) Java has been patched, with a proof-of-concept (PoC) exploit following in the same week.
Analysis

Exploitation of Vulnerabilities

F5 BIG-IP Traffic Management User Interface

Multiple PoC exploits and a mass scanning utility have been released for a critical Remote Code Execution (RCE) vulnerability present in versions of the BIG-IP Traffic Management User Interface (TMUI).

The vulnerability, designated CVE-2020-5902, was disclosed by F5 Networks on July 1st, 2020, and in-the-wild attacks were observed as early as July 3rd, 2020. The flaw allows an unauthenticated attacker to execute commands remotely and completely compromise the device, including intercepting the application traffic it controls.

The first IP addresses observed exploiting the vulnerability were published on July 4th, 2020, with public exploit code following a day later. NCC Group observed in-the-wild exploitation both before and after the public exploits and scanner were released. BIG-IP is deployed by some of the largest companies in the world, and its TMUI should never be reachable from untrusted networks.
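Because attacker IP addresses were published alongside the exploits, the most immediate triage step for a BIG-IP owner is to sweep the TMUI web server access logs for hits against that list, and for any TMUI request that did not come from the management network at all. The script below is an added example (not EclecticIQ's or F5's code) that does both over Apache/NCSA combined-format lines. Its log lines, the IOC list (`SAMPLE_IOCS`) and the management network (`10.0.0.0/8`) are all constructed for illustration; substitute the published indicator list and your own management CIDRs.

```python
"""Sweep BIG-IP TMUI access logs for requests from published attacker IPs
or from sources outside the management network.

Added example; not EclecticIQ's or F5's code. Assumptions (not from the report):
- logs are in Apache/NCSA combined format
- TMUI is legitimately reached only from 10.0.0.0/8 (constructed allowlist)
- SAMPLE_IOCS is a constructed stand-in for the published attacker IPs
"""
import ipaddress
import re
from dataclasses import dataclass

# src - - [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample data: documentation-range addresses, not real IOCs.
SAMPLE_IOCS = ["198.51.100.23", "203.0.113.0/24"]
SAMPLE_LOG = """\
10.1.2.3 - - [05/Jul/2020:08:01:10 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Jul/2020:08:02:44 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "python-requests/2.24"
203.0.113.77 - - [05/Jul/2020:08:03:01 +0000] "POST /tmui/login.jsp HTTP/1.1" 302 0 "-" "curl/7.68.0"
192.0.2.9 - - [05/Jul/2020:08:04:15 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Jul/2020:08:04:20 +0000] "GET /ltm/index.html HTTP/1.1" 200 100 "-" "Mozilla/5.0"
not a log line
"""


@dataclass(frozen=True)
class Hit:
    src: str
    ts: str
    path: str
    reason: str  # "ioc" or "unexpected-source"


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def build_networks(cidrs):
    """Accept plain IPs or CIDRs; a plain IP becomes a /32 (or /128)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


def sweep(log_text, iocs, allowed_mgmt_cidrs=("10.0.0.0/8",), tmui_prefix="/tmui/"):
    """Return Hits for TMUI requests that match an IOC, or that come from
    outside the management network. IOC matches win over the source check."""
    ioc_nets = build_networks(iocs)
    mgmt_nets = build_networks(allowed_mgmt_cidrs)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().startswith(tmui_prefix):
            continue
        try:
            is_ioc = in_any(rec["src"], ioc_nets)
            from_mgmt = in_any(rec["src"], mgmt_nets)
        except ValueError:  # source field is a hostname or garbage
            continue
        if is_ioc:
            hits.append(Hit(rec["src"], rec["ts"], rec["path"], "ioc"))
        elif not from_mgmt:
            hits.append(Hit(rec["src"], rec["ts"], rec["path"], "unexpected-source"))
    return hits


if __name__ == "__main__":
    for h in sweep(SAMPLE_LOG, SAMPLE_IOCS):
        print(f"{h.reason:18} {h.src:16} {h.ts}  {h.path}")
```

The "unexpected-source" class matters as much as the IOC class: a published indicator list is always incomplete, and any TMUI request from outside the management network after July 1st should be treated as a possible compromise and the device inspected rather than merely patched.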

Newly Discovered Vulnerabilities

"BootHole" Vulnerability in GRUB2 Bootloader

In late July 2020, security researchers at Eclypsium disclosed a vulnerability in the GRUB2 bootloader, tracked as CVE-2020-10713 and dubbed BootHole, that affects systems using Secure Boot.

The vulnerability affects most signed versions of GRUB2, which is used by the majority of Linux distributions. Because those GRUB2 builds are signed under the standard Microsoft Third Party UEFI Certificate Authority, Windows machines whose Secure Boot configuration trusts that CA (the default on most hardware) are also exposed, even if they have never booted Linux. This expands the attack surface to most laptops, desktops, servers and workstations, as well as network appliances and other special-purpose equipment used across multiple industries.

Attackers could use the vulnerability to gain arbitrary code execution during the boot process, even when Secure Boot is enabled, which could lead to complete and silent takeover of a victim machine. The flaw is a buffer overflow in GRUB2's parsing of its configuration file, grub.cfg, which is not covered by the Secure Boot signature check; triggering it therefore requires the ability to modify that file, in practice administrative privileges on the system or physical access. BootHole is thus primarily a persistence and Secure Boot bypass technique rather than an initial-access vector. Attacks abusing the boot process have been observed before, so PoC exploits and/or in-the-wild attacks using BootHole can be expected in the coming months.

The researchers responsibly disclosed the issue to a range of industry entities, OS vendors, computer manufacturers and Computer Emergency Response Teams (CERTs). New bootloaders and shims will have to be signed and deployed, and the vulnerable ones revoked by adding their hashes or signing certificates to the UEFI forbidden-signatures database (dbx). This is an extremely time- and resource-consuming process, and completing the mitigation is likely to take a long time; revoking too early leaves any system that still carries an old bootloader or installation medium unable to boot.

  • Course of Action: Update GRUB2 to Address BootHole Vulnerability
  • Course of Action: Vendors Using GRUB2 Update Installers, Boot loaders, and Shims

Patched Vulnerabilities

SIGRed Wormable Critical Vulnerability in Windows DNS Server

Microsoft released an update on July 14th 2020, as part of its monthly Patch Tuesday advisory, that addresses CVE-2020-1350, a critical remote code execution vulnerability in Windows DNS Server. The flaw is wormable and affects multiple Windows Server versions. It is triggered by a malformed DNS response, so a vulnerable server does not need to be exposed to inbound traffic: it only needs to be induced to resolve a name for an attacker-controlled domain.

A vulnerability is wormable when malware exploiting it can spread from one vulnerable system to another without any user interaction. The most prominent recent example is the WannaCry ransomware, which used a wormable SMBv1 vulnerability to infect more than 200,000 computers over a four-day period in May 2017.

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 20-03, requiring United States federal agencies to update affected systems, which further emphasizes the seriousness of the flaw.

There is currently one publicly available denial-of-service (DoS) PoC exploit; no public remote code execution exploit was available at the time of writing. As of July 2020, EclecticIQ analysts have not seen any evidence that this vulnerability is being actively exploited in the wild. For servers that cannot be patched immediately, Microsoft also published a registry-based workaround that caps the size of inbound TCP-based DNS response packets; applying it requires a restart of the DNS service, and it should be treated as a stopgap rather than a replacement for the update.

  • Course of Action: Update Windows Server to the latest patch
  • Course of Action: Review July 2020 Microsoft Patch Tuesday Advisory

Zoom patches zero-day flaw in Windows client

Zoom, the popular videoconferencing platform, was affected by a zero-day vulnerability that could allow attackers to execute arbitrary code on affected machines; user interaction is required for the exploit to succeed. The flaw impacts only devices running Windows 7 and earlier. Users still running those versions are exposed to many other exploits as well, since Microsoft no longer provides them with security updates. Consequently, the attack surface should be considerably smaller, as most organizations have moved to newer, supported versions of Windows.

As of July 2020, no CVE designation has been given to this vulnerability, but an official patch was issued by the company not long after the disclosure. Any affected systems should be patched against the vulnerability and updated if possible.

  • Course of Action: Update Affected Zoom Windows Client to Version 5.1.3

Microsoft Patch Tuesday 14 July 2020

Microsoft addressed 123 vulnerabilities in the July 2020 edition of its Patch Tuesday advisory. As of July 2020, none of them had been reported as actively exploited in the wild. The advisory includes the SIGRed vulnerability described above in this report.

Remote code execution vulnerabilities in the following products were addressed:

  • RemoteFX vGPU component of Microsoft's Hyper-V hypervisor technology
  • Jet Database Engine included with some Office applications
  • Microsoft Word
  • Microsoft Excel
  • Microsoft Outlook
  • Microsoft SharePoint
  • Windows LNK shortcut files
  • Various Windows graphics components

It is strongly recommended to review the advisory and to test and apply the patches to affected systems accordingly.

  • Course of Action: Review July 2020 Microsoft Patch Tuesday Advisory

AA20-195A Critical Vulnerability in SAP NetWeaver AS Java

On July 13th 2020, SAP released a security update (SAP Security Note 2934135) detailing and addressing CVE-2020-6287, a critical vulnerability (CVSS 10.0, also referred to as RECON) in the LM Configuration Wizard component of SAP NetWeaver Application Server (AS) Java.

The flaw stems from a missing authentication check and could enable an unauthenticated attacker to reach the affected system over HTTP and take control of trusted SAP applications, including by creating a new administrative user. As of July 2020, no exploitation of CVE-2020-6287 had been observed in the wild, but with a PoC exploit published only three days after the patch release, in-the-wild exploitation has become that much more likely.

Given the criticality of the flaw and the number of affected systems, the United States Cybersecurity and Infrastructure Security Agency (CISA) has recommended that organizations apply the patch immediately, prioritizing internet-facing systems and then internal ones. If patching is not immediately possible, organizations should mitigate the vulnerability by disabling the LM Configuration Wizard service.

  • Course of Action: Apply Patch for SAP NetWeaver AS JAVA (LM Configuration Wizard)
  • Course of Action: Mitigate CVE-2020-6287 by disabling the LM Configuration Wizard Service

Recommendations

EclecticIQ Fusion Center recommends applying security updates to affected systems as soon as they become available, in order to mitigate the risks posed by the vulnerabilities mentioned in this report. This report is a summary of the main vulnerabilities EclecticIQ analysts have seen over the course of the month and as such does not reflect the full list of CVE information published by vendors.

Users should ensure they update their dependent systems even if they are not mentioned in this report.
