EclecticIQ
April 16, 2020

EclecticIQ Monthly Vulnerability Trend Report - March 2020

EclecticIQ Fusion Center Monthly Vulnerability ReportThis report provides an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.

Key Findings 
  • A vulnerability in SMBv3 was leaked by Microsoft before an official patch could be released. 
  • Microsoft has issued fixes for 115 CVE-numbered flaws: 26 are critical, 88 important, and one of moderate severity as part of their March 2020 edition of Patch Tuesday. 
  • A Microsoft Exchange Validation Key Remote Code Execution vulnerability has actively been exploited in the wild. 
Analysis 

Exploitation of Vulnerabilities 
 
Microsoft Exchange Validation Key Remote Code Execution vulnerability 

A vulnerability, that was addressed in the February 2020 Microsoft Patch Tuesday release, has been actively targeted by threat actors according to open-source reports. Details of the attacks are unknown as of March 2020. 
 
The flaw, CVE-2020-0688, is a Microsoft Exchange Validation Key Remote Code Execution vulnerability affecting multiple version of Exchange. The Microsoft advisory on CVE-2020-0688 reads: 

“A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.” 

Course of Action: 

  • Apply February 2020 Patch Tuesday 
     

Windows zero‑day flaws in Adobe Type Manager 
 
During March 2020, Microsoft announced in an out‑of‑band advisory that two previously undisclosed vulnerabilities affecting all supported, as well a some non-supported versions of Windows, are actively being exploited in the wild.  
 
Both vulnerabilities have been rated as critical and have been exploited in limited targeted attacks. The flaws have been disclosed without any official patch being released in the hope that it will reduce customer risk until an official patch can be issued.  
 
The flaws have been described as remote code execution vulnerabilities in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font; Adobe Type 1 PostScript format. Adobe Type Manager is a font management tool that helps Windows handle and render fonts. 
 
One potential Attack Pattern that could be leveraged by threat actors includes tricking their targets into opening a malicious file or into viewing it in the Windows Preview pane. 
 
An official patch has been hinted to be part of the April 2020 addition of Microsoft Patch Tuesday, which will be released on April 14th. Significantly, machines running the retired operating systems such as Windows 7 won’t receive the update even after it’s shipped; unless their owners are enrolled in Microsoft’s Extended Security Updates (ESU) program. 
 
While the flaws are rated as critical for all affected systems, the company noted that on Windows 10 the potential for exploitation is limited. Microsoft stated: “For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities". 
 
As of the time of writing, the vulnerabilities have yet to be assigned CVE identifiers. 
 
Course of Action: 

  • Apply Mitigation and Workarounds as supplied by the Microsoft Advisory  

Newly Discovered Vulnerabilities 
 
Critical Microsoft SMB Vulnerability 
 
In March 2020, details about a new vulnerability which affects the implementation of Microsoft Server Message Block 3.1.1 (SMBv3) was leaked by Microsoft before an official patch could be released. It is thought that a miscommunication between Microsoft and security software vendors led to the pre-mature leaking of the vulnerability. 
 
CVE-2020-0796 is a vulnerability in how SMBv3 handles compression, which could lead to a buffer overflow condition. This could further enable remote unauthenticated attackers to execute arbitrary code on a vulnerable machine. 
 
EternalBlue is mostly remembered for it's enabling of the Malware: WannaCry ransomware attack back in 2017, where the malware spread to over 200,000 machines in a day. This is the effect of a "wormable" vulnerability such as EternalBlue, and explains the reaction of the security industry in the wake of this new SMBv3 potentially wormable vulnerability being disclosed. 
 
With file-sharing servers being directly vulnerable, and client devices needing a social engineering element to be exploited, CVE-2020-0796 could become wormable, but on a much smaller scale. Fortunately, older version of Windows, such as Windows 7 and Windows Server 2008 R2, which does not run SMBv3, are safe from CVE-2020-0796. This together with the means of exploitation makes the attack surface even smaller. 
 
An official patch was released mid-March 2020 addressing CVE-2020-0796, and it is highly recommended to patch affected systems as soon as possible. 
 
Course of Action: 

  • Apply Official Microsoft Patch for CVE-2020-0796  
     

Patched Vulnerabilities 
 
Patch Tuesday 10 March 2020 
 
Microsoft has issued fixes for 115 CVE-numbered flaws: 26 are critical, 88 important, and one of moderate severity as part of their March 2020 edition of Patch Tuesday. A number of the critical flaws, if exploited successfully, could lead to remote code execution. At the time of the advisory, none of the vulnerabilities were observed to be under active attack or exploitation.  
 
Some of the more notable vulnerabilities addressed include: 

  • CVE-2020-0852 - Microsoft Word Remote Code Execution Vulnerability 
     A remote code execution vulnerability exists within Microsoft Word software caused by the a failure to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. 
  • CVE-2020-0684 - LNK Remote Code Execution Vulnerability 
    This is a bug in Windows LNK shortcut files that allows malware to execute code on a system when a malicious LNK file is processed by the Windows OS. An attacker could present a user with removable media or over a remote share, which contains a malicious .LNK file and an associated malicious binary. When the user opens this drive(or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker's choice on the target system.
  • CVE-2020-0872 - RCE affecting Microsoft Application Inspector 
    A remote code execution vulnerability affecting Microsoft Application Inspector (version v1.0.23 or earlier), used to check open source components for unwanted or risky features. This flaw also requires social engineering to exploit. An attacker needs to convince a user to run Application Inspector on source code that includes a malicious third-party component.
  • CVE-2020-0905 - RCE affecting the Dynamics Business Central client 
    A remote code execution vulnerability affecting the Dynamics Business Central client which could allow attackers to execute arbitrary shell commands on a target system. The exploitation of the vulnerability is not straightforward, but any targeted servers are likely to be mission-critical. It is advised that any affected assets be patched as soon as possible. 

Course of Action: 

  • Apply March 2020 Patch Tuesday 
     

VMware patches privilege escalation vulnerability in Fusion, Horizon 
 
VMware has addressed two vulnerabilities affecting multiple products, which could enable privilege escalation or denial-of-service (DoS) conditions.  
 
The flaws have been designated as CVE-2020-3950 and CVE-2020-3951 which have been deemed important and low in severity, respectively.  
 
CVE-2020-3950 is a privilege escalation bug caused by the improper use of setuid binaries and CVE-2020-3951 is a vulnerability caused by a heap overflow error in Cortado Thinprint, a virtual printing engine used by VMware Workstation and the Windows Horizon Client. 
 
Course of Action: 

  • Update Affected VMWare Software 
     
Recommendations

EclecticIQ Fusion Center recommends customers apply security updates to their systems as soon as they become available in order to mitigate against the risks posed by the vulnerabilities mentioned in this report. It is worth noting this report is a summary of the main vulnerabilities we have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.

Users should ensure they manually update their own systems even if no security vulnerabilities have been reported.

We hope you enjoyed this post. Subscribe to our blog below for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.