EclecticIQ Blog

Vulnerability Report

EclecticIQ Monthly Vulnerability Trend Report - June 2019


This blog series aims to provide a regular overview of trends in vulnerability disclosures and announcements. Where applicable, it notes known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive and will not include every vulnerability announced in the month.

Key Findings
  • A new Metasploit module has been created for the exploitation of the "BlueKeep" Remote Desktop Protocol vulnerability CVE-2019-0708.
  • Details of a new attack that builds on the Rowhammer technique, dubbed RAMBleed and designated CVE-2019-0174, were published in June.
  • The security researcher "SandboxEscaper" published another zero-day exploit, which bypasses Microsoft's May 2019 patch for CVE-2019-0841.

Analysis

Operating Systems

macOS

Researchers at Trend Micro discovered a double free vulnerability, CVE-2019-8635, in macOS. The vulnerability is a memory corruption flaw in the AMD component. If successfully exploited, an attacker can escalate privileges and execute malicious code on the system as root.

Apple has provided a fix for the memory corruption issue by improving memory handling.

Course of Action: 

  • Apply macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, Security Update 2019-003 Sierra

A technique has been demonstrated against macOS Mojave that allows threat actors to generate 'synthetic' clicks and thereby elevate privileges and execute content without user interaction (MacOS Mojave Synthetic Clicks).

A synthetic click registers the same as a physical click, giving threat actors the equivalent of 'hands on the keyboard' access. Attack patterns demonstrated by the researchers include generating synthetic clicks to interact with macOS without the user's knowledge (Attack Pattern: Generating Synthetic Clicks to Interact with MacOS) and loading a malicious signed app for use with synthetic clicks (Attack Pattern: Loading Malicious Signed App for Use With Synthetic Clicks).

At the time of writing, the flaw is considered a zero-day vulnerability and Apple has not yet addressed it.

Windows

The security researcher known by the moniker "SandboxEscaper" continued a run of publishing previously unknown zero-day vulnerabilities by announcing a new privilege escalation exploit in June 2019.

The new exploit, dubbed ByeBear, bypasses Microsoft's May 2019 patch for CVE-2019-0841 and allows a threat actor to gain SYSTEM-level rights on vulnerable Windows machines (Attack Pattern: Exploit CVE-2019-0841 to gain SYSTEM level privileges).

The exploit has been independently confirmed to affect Windows 10 versions 1809 and 1903. The new zero-day will be patched by Microsoft in the June 2019 Patch Tuesday updates.

SandboxEscaper has proven consistent and highly skilled at discovering zero-day vulnerabilities.

A module that exploits the recently reported "BlueKeep" vulnerability CVE-2019-0708 has been created for the popular exploitation framework Metasploit (Tool: Metasploit). Because many systems remain vulnerable to BlueKeep, the new module (Tool: BlueKeep - Metasploit Module) has not been publicly released yet.

Once a session is obtained, the module can be combined with Mimikatz to extract login credentials from the targeted system and take full control of it.

Metasploit modules greatly increase the accessibility of exploits, as Metasploit and its modules are bundled with popular penetration testing distributions such as Kali Linux.

Consequently, EclecticIQ Fusion Center analysts assess with high confidence that the number of attacks targeting systems vulnerable to BlueKeep will increase as soon as the module is released.

Courses of Action:

  • BlueKeep Temporary Mitigation: require Network Level Authentication (NLA) on RDP hosts, block inbound TCP port 3389 at the perimeter, and disable RDP where it is not needed
  • Apply Microsoft May 2019 Security Patches
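The following PowerShell script is an added example (it is not part of the report and is not Microsoft's tooling) showing how the temporary mitigations above look on a single Windows host: it audits whether the RDP listener is enabled, whether NLA is required and which inbound firewall rules expose the listener port, and with -Apply enforces NLA and scopes inbound RDP to a management subnet. The function names, the rule name and the 10.0.0.0/24 management subnet are assumptions for illustration; the registry keys, the Win32_TSGeneralSetting WMI class and the NetSecurity cmdlets are standard Windows interfaces.

```powershell
# Added example (not from the report or from Microsoft): audit and, with -Apply,
# enforce the two temporary BlueKeep mitigations on the local host. NLA only
# stops unauthenticated exploitation of CVE-2019-0708; patching is the fix.
# Run from an elevated PowerShell session. The management subnet is assumed.
param(
    [switch] $Apply,
    [string] $ManagementSubnet = '10.0.0.0/24',   # assumption: your jump-host range
    [string] $ScopedRuleName   = 'RDP - management subnet only'
)

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpListenerRules {
    param([int] $Port)
    # Inbound allow rules that carry the RDP listener port. The built-in
    # "Remote Desktop - User Mode (TCP-In)" rule accepts any remote address.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
}

function Get-RdpExposure {
    # Listener settings that decide whether an unauthenticated client can reach
    # the pre-authentication code path that BlueKeep abuses.
    $ts   = Get-ItemProperty -Path $TsKey
    $tcp  = Get-ItemProperty -Path $RdpTcp
    $port = [int]$tcp.PortNumber
    $open = @(Get-RdpListenerRules -Port $port | Where-Object { $_.Enabled -eq 'True' })
    [pscustomobject]@{
        RdpEnabled             = ($ts.fDenyTSConnections -eq 0)
        NlaRequired            = ($tcp.UserAuthentication -eq 1)
        ListenerPort           = $port
        EnabledInboundRules    = @($open | ForEach-Object DisplayName)
        ProfileDefaultsToAllow = [bool](Get-NetFirewallProfile |
            Where-Object { $_.DefaultInboundAction -eq 'Allow' })
    }
}

function Enable-RdpNla {
    # Require NLA so CredSSP authentication completes before the RDP session
    # (and its virtual-channel handling) is negotiated.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
    # Push the change to the live listener without restarting TermService.
    $setting = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $setting -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null
}

function Limit-RdpInbound {
    param([Parameter(Mandatory)][string] $AllowedSubnet, [int] $Port = 3389)
    # Windows Firewall lets explicit Block rules beat Allow rules, so a
    # "block everything else" rule would also cut off the management subnet.
    # Instead: disable the broad allow rules and rely on the profile's default
    # inbound Block, leaving one allow rule scoped to the management subnet.
    Get-RdpListenerRules -Port $Port |
        Where-Object { $_.DisplayName -ne $ScopedRuleName } |
        Disable-NetFirewallRule
    if (-not (Get-NetFirewallRule -DisplayName $ScopedRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ScopedRuleName -Direction Inbound -Protocol TCP `
            -LocalPort $Port -RemoteAddress $AllowedSubnet -Action Allow -Profile Any | Out-Null
    }
}

# Usage: report first; only change the host when -Apply is given.
$state = Get-RdpExposure
$state | Format-List
if ($Apply -and $state.RdpEnabled) {
    if (-not $state.NlaRequired) { Enable-RdpNla }
    Limit-RdpInbound -AllowedSubnet $ManagementSubnet -Port $state.ListenerPort
    Get-RdpExposure | Format-List
}
```

A host that reports NlaRequired = True and EnabledInboundRules limited to the scoped rule is shielded from unauthenticated exploitation, but an attacker holding valid credentials can still authenticate through NLA and reach the vulnerable code, and the ProfileDefaultsToAllow flag warns when a profile's default inbound action would undo the scoping. Treat the script as a stopgap until the May 2019 patches are confirmed installed.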

A new Remote Code Execution (RCE) vulnerability affecting Opteva-branded automated teller machines (ATMs) from Diebold Nixdorf was discovered in an exposed OS service, SpiService.exe, which listens on port 8043 (Exposed Vulnerable Service SpiService.exe on ATM (Opteva)).

The vulnerable service resides in older Opteva ATMs running version 4.x software and may be exploited to plant a reverse shell on exposed systems, giving the attacker control over the device (Attack Pattern: Exploiting Spiservice.exe to create reverse shell).

Courses of Action:

  • Upgrade to the latest version, 4.1.22
  • Follow the secure coding guidelines for HTTP SOAP
  • Keep SpiService as an internal service, not reachable from the network

A local privilege escalation vulnerability affecting Rapid7's InsightIDR intruder analytics solution has been patched by the vendor. The vulnerability, CVE-2019-5629, resides in the Rapid7 Windows Insight Agent and allows a local attacker to obtain full SYSTEM-level access to an affected device.

An attacker with non-administrator privileges on the targeted system may replace the agent's folder and DLL file with maliciously crafted versions and use them to add a new administrative user to the operating system (Attack Pattern: Exploit CVE-2019-5629 to Gain SYSTEM Privileges).

The vulnerability was patched with the release of Insight Windows Agent version 2.6.5.

Course of Action:

  • Update Insight Windows Agent to version 2.6.5
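The precondition for this class of bug is a service whose executable sits in (or below) a directory that unprivileged users can modify, so that the folder or a DLL can be swapped out. The PowerShell script below is an added example, not code from the report or from Rapid7, that hunts for that precondition across every service on a host: it resolves each service's image path, walks up to the volume root and reports any directory where a low-privilege principal holds rights sufficient to plant or replace files. The function names and the principal list are assumptions to tailor; Win32_Service and Get-Acl are standard Windows interfaces.

```powershell
# Added example (not from the report or from Rapid7): enumerate services whose
# executable lives in, or under, a directory that unprivileged users can
# modify. That is the precondition for the "replace the folder and the DLL"
# attack class behind CVE-2019-5629. Run as an administrator so every service
# path and ACL can be read; the principal list is an assumption to tailor.

# Principals that every local user effectively holds.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user plant or replace files and folders. Write, Modify and
# FullControl are supersets of these bits, so they are caught as well.
$PlantRights = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericWriteOrAll = 0x40000000 -bor 0x10000000   # raw GENERIC_WRITE | GENERIC_ALL ACEs
$DangerousMask = $PlantRights -bor $GenericWriteOrAll

function Get-ServiceImagePath {
    param([string] $PathName)
    # Handles  "C:\Program Files\Vendor\agent.exe" --flag  as well as the
    # unquoted  C:\Windows\system32\svchost.exe -k netsvcs  form: the first
    # drive-letter token ending in .exe is the image (NT-style and %VAR%
    # paths are skipped on purpose).
    if ($PathName -match '^\s*"?([A-Za-z]:\\[^"]+?\.exe)') { return $Matches[1] }
    return $null
}

function Get-LowPrivWriteAces {
    param([string] $Directory)
    # Allow ACEs on the directory that give a low-privilege principal any of
    # the dangerous rights. Deny ACEs and inheritance scope are ignored, so
    # treat hits as leads to verify (e.g. with icacls), not as proof.
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return @() }
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($LowPrivPrincipals -contains $_.IdentityReference.Value) -and
        ((([int]$_.FileSystemRights) -band $DangerousMask) -ne 0)
    })
}

function Get-WritableServiceDirectories {
    # For each service, walk from the image directory up to the volume root.
    # A writable ancestor is enough: the attacker renames the real folder away
    # and drops a look-alike tree containing a malicious DLL.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceImagePath -PathName $svc.PathName
        if (-not $exe) { continue }
        $dir = Split-Path -Path $exe -Parent
        while ($dir) {
            foreach ($ace in Get-LowPrivWriteAces -Directory $dir) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    ImagePath = $exe
                    Directory = $dir
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights.ToString()
                }
            }
            $parent = Split-Path -Path $dir -Parent
            if (-not $parent -or $parent -eq $dir) { break }
            $dir = $parent
        }
    }
}

# Usage: SYSTEM services first, since those yield the full SYSTEM-level
# outcome described for CVE-2019-5629; an empty table means no leads.
Get-WritableServiceDirectories |
    Sort-Object @{ Expression = { $_.RunsAs -ne 'LocalSystem' } }, Service |
    Format-Table -AutoSize
```

Each row is a candidate, not a confirmed vulnerability: the check deliberately ignores Deny ACEs and whether an ACE applies only to the folder itself versus its children, so confirm a hit by attempting a rename or file creation as an ordinary user before raising it. Running the same script after installing a vendor fix such as Insight Windows Agent 2.6.5 is a quick way to verify that the installer tightened the directory permissions.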

NVIDIA addressed a serious arbitrary command execution flaw in its GeForce Experience (GFE) application. The vulnerability, CVE-2019-5678, may be exploited by an attacker with local system access for code execution, information disclosure or denial of service (DoS). The root cause is that valid requests can be made to the local GFE server from any origin.

GFE is a supplementary application installed alongside GeForce products in order to give a user added functionality.

Course of Action: 

  • Update to GeForce Experience version 3.19.04, which contains the security fix

Linux

Security researchers have published a new attack, RAMBleed (Attack Pattern: RAMBleed), that allows an attacker to read bits from RAM that the attacker has no access to.

RAMBleed builds on Rowhammer (Attack Pattern: Rowhammer), but instead of corrupting the victim's memory it hammers rows the attacker controls and observes which of the attacker's own bits flip; because those flips depend on the contents of the adjacent victim rows, the victim's bits can be inferred without ever writing to them. The researchers used the attack against OpenSSH 7.9 to read the server's RSA private key.

The vulnerability, designated CVE-2019-0174, affects DDR3 and DDR4 DIMMs, including DDR4 modules with Targeted Row Refresh (TRR), a hardware defence intended to stop Rowhammer.

The report on RAMBleed can be found here: RAMBleed: Reading Bits in Memory Without Accessing Them

Courses of Action (mitigations proposed in the paper):

  • Memory Encryption for RAMBleed
  • Probabilistic Memory Allocator for RAMBleed
  • Hardware Mitigations for RAMBleed
  • Flushing Keys from Memory for RAMBleed

Network Infrastructure

Cisco

Multiple vulnerabilities affecting Cisco's Data Center Network Manager (DCNM) were published in June. The two critical flaws (CVE-2019-1619, CVE-2019-1620) allow a remote, unauthenticated attacker to execute arbitrary code with administrative privileges.

DCNM is also affected by other serious issues, such as the information disclosure flaws CVE-2019-1621 and CVE-2019-1622.

Course of Action: 

  • Upgrade to Cisco DCNM Software Release 11.2(1)

Another vulnerability, CVE-2019-1848, was discovered in a Cisco product, this one residing in Cisco Digital Network Architecture (DNA) Center. It could allow an unauthenticated, adjacent attacker to bypass authentication and access critical internal services. The vulnerability is due to insufficient access restriction on ports necessary for system operation.

An attacker could exploit this vulnerability by connecting an unauthorized network device to the subnet designated for cluster services. A successful exploit could allow the attacker to reach internal services that are not hardened for external access.

Cisco has released software updates that address this vulnerability.

Course of Action:

  • Upgrade Cisco DNA Center to a release that includes Cisco's fix for CVE-2019-1848 (Release 1.3 or later)

Web Browsers

Firefox

A new version of the Tor Browser has been released by its developers, addressing a critical Firefox vulnerability, CVE-2019-11707.

In June 2019, Mozilla released Firefox 67.0.3 and Firefox ESR 60.7.1 to address a zero-day flaw actively exploited in the wild. The fix for this vulnerability has been ported to the bundled Firefox ESR in Tor Browser 8.5.2. The bundled NoScript add-on has also been upgraded to version 10.6.3 in order to address the flaw.

Course of Action:

  • Update to Tor Browser 8.5.2
  • Update to Firefox 67.0.3 and Firefox ESR 60.7.1

Recommendations

EclecticIQ Fusion Center recommends that customers apply security updates to their systems as soon as they become available, in order to mitigate the risks posed by the vulnerabilities mentioned in this report. This report is a summary of the main vulnerabilities we have seen over the course of a month and is not reflective of the full list of CVEs published by vendors.

Users should ensure that their own systems and dependencies are kept up to date even if they are not mentioned in this report.
