EclecticIQ Monthly Vulnerability Trend Report - November 2020

Summary

This report provides an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.

Key Findings:

• Microsoft addressed 112 vulnerabilities, 24 of which are remote code execution (RCE) bugs, as part of their November 2020 Patch Tuesday advisory.
• Chinese-affiliated threat actor APT10 deployed a tool capable of exploiting the ZeroLogon vulnerability as part of their Tactics, Techniques, and Procedures (TTPs).
• Two critical vulnerabilities in the Google Chrome browser actively exploited in the wild.

Analysis

Exploitation of Vulnerabilities

Easily exploitable RCE in Oracle WebLogic Server under attack

At the end of October 2020 leading into November, the SANS Internet Storm Center (SANS ISC) warned [1] of the active exploitation of a critical and easily exploitable RCE vulnerability in Oracle WebLogic Server.

SANS ISC observed the activity in a controlled honeypot environment, stating:

“These exploit attempts are right now just verifying if the system is vulnerable. Our honeypots (up to now) do not return the "correct" response, and we have not seen follow-up requests yet.”

The vulnerability, tracked as CVE-2020-14882, affects the console component of Oracle WebLogic Server in multiple versions and could enable an unauthenticated threat actor with network access via HTTP to compromise and takeover vulnerable Oracle WebLogic Servers. The flaw was patched as part of Oracle's October Critical Patch Update advisory [2].

In the beginning of November, Oracle issued [3] an emergency patch for a related RCE vulnerability in Oracle WebLogic Server, tracked as CVE-2020-14750. This is rated as a critical flaw and is also remotely exploitable over HTTP without the need for authentication or user interaction.

With the ease of exploitation coupled with multiple proof-of-concept (PoC) exploits freely available online [4], the chance of vulnerable systems being targeted in the near future is high.

Oracle as well as the Cybersecurity and Infrastructure Security Agency (CISA) urged [5] users and administrators to review the advisory and apply the applicable patches as soon as possible.

Course of Action: Review Oracle October Patch Update Advisory October 2020

Course of Action: Review Oracle November Out-of-bounds patch for CVE-2020-14750

APT10 Deploys Tool Capable of Exploiting ZeroLogon Vulnerability in Campaign Targeting Japan-Linked Organizations

Chinese state affiliated Threat Actor: APT10 was observed deploying a tool capable of exploiting the ZeroLogon vulnerability CVE-2020-1472 during an APT10 Campaign Targeting Japanese-Linked Companies Worldwide. Specifics around the tool are unknown as of 30 November 2020.

The campaign spanned from mid-October 2019 to the beginning of October 2020, and targeted large, well-known organizations, many of which have links to Japan or Japanese companies.

ZeroLogon is an elevation of privilege vulnerability whereby an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). Researchers at Secura published a PoC exploit [6] as well as a tool [7] to scan for vulnerable hosts back in September 2020. The vulnerability was patched back in August as part of Microsoft's Patch Tuesday advisory [8].

Course of Action: Review August 2020 Patch Tuesday Advisory

Google Chrome Vulnerabilities Actively Exploited

According to researchers at Cybersecurity Help [9], two critical vulnerabilities in the Google Chrome browser, tracked as CVE-2020-16017 and CVE-2020-16013, are being actively exploited in the wild.

CVE-2020-16017 - Google Chrome Use-After-Free in Site Isolation Vulnerability

Site isolation refers to the Chrome component that isolates the data of different sites from each other. To exploit the flaw, a remote attacker can trick a victim into visiting an attacker-created web page which triggers the use-after-free error and executes arbitrary code on the target system.

CVE-2020-16013 - Google Chrome Improperly Implemented Security Check for Standard Vulnerability

This flaw occurs when the software does not implement or incorrectly implements one or more security-relevant checks. The specific security check is an improper implementation of V8, an open-source component of Chrome that handles JavaScript and WebAssembly. Exploitation methodology is similar to the use-after-free ability, with victims needing to visit a specially crafted web page.

Browser vulnerabilities can be particularly devastating. Multiple platforms, Windows, Mac OS, and Linux, support the software, making for a large vulnerable attack surface if unaddressed.

Course of Action: Update Google Chrome to Version 86.0.4240.198

Newly Discovered Vulnerabilities

RCE Vulnerabilities in Apache Unomi Discovered

Security researchers at Checkmarx discovered [10] a RCE vulnerability, tracked as CVE-2020-13942, in Apache Unomi versions prior to 1.5.2. The flaw could allow threat actors to remotely send malicious requests with MVEL and OGNL expressions that could contain arbitrary classes, resulting in RCE with the privileges of the Unomi application.

Apachi Unomi [11] is a Java Open-Source customer data platform designed to manage customers, leads and visitors’ data and help personalize customers experiences. Unomi can be used to integrate personalization and profile management within vastly different systems such as CMSs, CRMs, Issue Trackers, native mobile applications, etc.

If successfully exploited, the vulnerability could lead to a complete compromise of the victim system, and subsequently, the exposure of sensitive information.

Course of Action: Update Apache Unomi to Version 1.5.2

Patched Vulnerabilities

Critical Vulnerability in Cisco Security Manager Detailed

Cisco has disclosed [12] a critical security flaw affecting its Cisco Security Manager software, along with two other high-severity vulnerabilities in the product.

CVE-2020-27130 - Path-Traversal Vulnerability in Cisco Security Manager

Could allow a remote attacker without credentials to download files from an affected device.

The company published the advisory after Florian Hauser [13] of security firm Code White, who reported the bugs to Cisco, published PoC exploits for 12 vulnerabilities affecting Cisco Security Manager.

The other high-severity flaws include multiple Java deserialization vulnerabilities, tracked as CVE-2020-27131, which affects releases 4.21 and earlier. The flaws are due to the insecure deserialization of user-supplied content. Cisco has not fixed these Java deserialization vulnerabilities in the 4.22 release but plans to fix them in the next 4.23 release. Cisco stated that there are no workarounds and they have not listed any mitigations that could be used before a patch is issued.

A third flaw affecting Cisco Security Manager releases 4.21 and earlier, tracked as CVE-2020-27125, can allow an attacker to view insufficiently protected static credentials on the affected software. The credentials are viewable to an attacker looking at source code. This issue, with a severity rating of 7.1, is fixed in release 4.22.

Course of Action: Update Cisco Security Manager to Version 4.22

Microsoft Patch Tuesday November 2020

Microsoft addressed 112 vulnerabilities, 24 of which are RCE bugs, as part of their November 2020 Patch Tuesday advisory [14].

The advisory includes a previously exploited Windows zero-day vulnerability, tracked as CVE-2020-17087. Little information on the attacks is known, but the bug was exploited together with a Google Chrome Zero-day vulnerability to target Windows users.

• CVE-2020-17065, CVE-2020-17064, CVE-2020-17066, CVE-2020-17019 - Microsoft Excel Remote Code Execution Vulnerabilities
• CVE-2020-17084, CVE-2020-17083 - Microsoft Exchange Server Remote Code Execution Vulnerabilities
• CVE-2020-17068 - Windows GDI+ Remote Code Execution Vulnerability
• CVE-2020-17062 - Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
• CVE-2020-17061- Microsoft SharePoint Remote Code Execution Vulnerability
• CVE-2020-17091 - Microsoft Teams Remote Code Execution Vulnerability
• CVE-2020-17042 - Windows Print Spooler Remote Code Execution Vulnerability
• CVE-2020-17051 - Windows Network File System Remote Code Execution Vulnerability
• CVE-2020-17107, CVE-2020-17108, CVE-2020-17109, CVE-2020-17110,
• CVE-2020-17106 - HEVC Video Extensions Remote Code Execution Vulnerabilities
• CVE-2020-17101 - HEIF Image Extensions Remote Code Execution Vulnerability
• CVE-2020-17105 - AV1 Video Extension Remote Code Execution Vulnerability
• CVE-2020-17078,CVE-2020-17079,CVE-2020-17082,CVE-2020-17086 - Raw Image Extension Remote Code Execution Vulnerabilities
• CVE-2020-17104 - Visual Studio Code JSHint Extension Remote Code Execution Vulnerability

Course of Action: Review Patch Tuesday Advisory for November 2020

SAP Patches Several Critical Vulnerabilities with November 2020 Security Updates

SAP addressed several critical vulnerabilities affecting the company’s Solution Manager (SolMan), Data Services, ABAP, S4/HANA, and NetWeaver products as part of their November 2020 Security Patch Day advisory [15].

Some of the more notable and critical vulnerabilities include:

• CVE-2020-26824CVE-2020-26823CVE-2020-26821CVE-2020-26822- Missing Authentication Checks in SolMan
• CVE-2020-26808- Code Injection Vulnerability Affecting SAP AS ABAP and S/4 HANA
• CVE-2020-26820- Privilege Escalation Issue in SAP NetWeaver Application Server for Java

Course of Action: Review SAP Security Patch Day November 2020

Recommendations

EclecticIQ Fusion Center recommends applying security updates to affected systems as soon as they become available to mitigate the risks posed by the vulnerabilities mentioned in this report. This report is a summary of the main vulnerabilities EclecticIQ analysts have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.

Users should ensure they update their dependent systems even if they are not mentioned in this report.

References

1. https://isc.sans.edu/diary/rss/26734
2. https://www.oracle.com/security-alerts/cpuoct2020.html
3. https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
4. https://github.com/jas502n/CVE-2020-14882
5. https://us-cert.cisa.gov/ncas/current-activity/2020/11/02/oracle-releases-out-band-security-alert
6. https://github.com/dirkjanm/CVE-2020-1472
7. https://github.com/SecuraBV/CVE-2020-1472
8. https://msrc.microsoft.com/update-guide/en-us/releaseNote/2020-Aug
9. https://www.cybersecurity-help.cz/vdb/SB2020111124
10. https://www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/
11. https://unomi.apache.org/
12. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-path-trav-NgeRnqgR
13. https://gist.github.com/Frycos/8bf5c125d720b3504b4f28a1126e509e
14. https://msrc.microsoft.com/update-guide/en-us
15. https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571