This blog post provides customers with a regular overview of trends in vulnerability disclosures and announcements. Where applicable, the report notes known exploits for trending vulnerabilities and the relevant courses of action. The report is not exhaustive and will not include every vulnerability announced that month.
Key Findings
- A privilege-escalation vulnerability, CVE-2019-14287, was discovered in Sudo versions prior to 1.8.28. Only hosts whose sudoers policy lets a user run commands as any user except root are affected.
- A double-free vulnerability was discovered in WhatsApp's Gallery view implementation which enables privilege escalation attacks as well as Remote Code Execution (RCE).
- Microsoft released a security update in October addressing roughly 60 vulnerabilities, nine of which are rated critical.
Analysis
Newly Discovered Vulnerabilities
Operating Systems
CVE-2019-14287 was discovered in Sudo versions prior to 1.8.28. An attacker whose sudoers entry lets them run commands as any user (a Runas specification of ALL) can bypass a Runas blacklist such as "!root" and the session PAM modules, and cause incorrect logging, by invoking sudo with a crafted user ID.
For example, "sudo -u \#$((0xffffffff))" (equivalently "sudo -u '#-1'") bypasses a "(ALL, !root)" Runas entry and produces a misleading USER= log entry. The requested ID is not root's ID 0, so the policy check passes; sudo then hands the ID to setresuid(), which treats -1 as "leave this ID unchanged", so the command keeps sudo's own root privileges. Because no password-database entry exists for that ID, the session PAM modules are skipped as well. The vulnerability requires such a Runas exclusion in the sudoers file, so default installations are not affected.
Course of Action:
- Update to Sudo version 1.8.28 or later
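The following Python model, added here as an example and not taken from sudo's source or from the original report, walks through the three steps above: how sudo turns a "#<number>" argument into a uid_t, why a "(ALL, !root)" Runas check lets the value -1 through, and why setresuid() then leaves the process running as root. It also includes a small sudoers audit helper that flags the only Runas pattern this bug applies to. The password table and the sample sudoers text are constructed for the example.

```python
import re

UID_T_MAX = 0xFFFFFFFF  # uid_t is a 32-bit unsigned integer on Linux: (uid_t)-1 == 0xFFFFFFFF
ROOT_UID = 0

# Constructed stand-in for the password database (not taken from any real host).
PASSWD = {"root": 0, "www-data": 33, "bob": 1000}


def resolve_runas_uid(spec: str) -> int:
    """Turn the argument of 'sudo -u' into a numeric uid.

    A '#<number>' argument is used as a uid directly, without a passwd lookup,
    and is stored in a uid_t, so '#-1' and '#4294967295' (what the shell
    produces for '#$((0xffffffff))') both become 0xFFFFFFFF.
    """
    if spec.startswith("#"):
        return int(spec[1:], 10) & UID_T_MAX  # same wrap-around as a C cast to uid_t
    if spec in PASSWD:
        return PASSWD[spec]
    raise LookupError(f"sudo: unknown user: {spec}")


def setresuid_model(current_uid: int, requested: int) -> int:
    """setresuid(2) treats (uid_t)-1 as 'leave this id unchanged'."""
    return current_uid if requested == UID_T_MAX else requested


def effective_uid_after_sudo(spec: str, sudo_version: tuple, excluded=frozenset({ROOT_UID})) -> int:
    """Uid a command actually runs with under a '(ALL, !root)'-style Runas entry.

    'excluded' models the '!root' part of the Runas list; every other uid is
    permitted by the 'ALL'.  Raises PermissionError when the policy denies the
    request and ValueError when sudo rejects the id itself.
    """
    uid = resolve_runas_uid(spec)
    if sudo_version >= (1, 8, 28) and uid == UID_T_MAX:
        raise ValueError("sudo: unknown user id")  # the fix: -1 / 4294967295 are no longer accepted
    if uid in excluded:
        raise PermissionError("sudo: user not allowed to run as that target")
    # sudo is setuid root, so it runs as uid 0 and drops to the target uid just
    # before exec.  For uid 0xFFFFFFFF that drop is a no-op: the command runs as root.
    return setresuid_model(ROOT_UID, uid)


def sudo_outcome(spec: str, sudo_version: tuple) -> str:
    """Readable result of 'sudo -u <spec> <cmd>' under the modelled policy."""
    try:
        uid = effective_uid_after_sudo(spec, sudo_version)
    except PermissionError:
        return "denied by Runas policy"
    except ValueError:
        return "rejected: invalid user id"
    return "runs as root" if uid == ROOT_UID else f"runs as uid {uid}"


# Audit helper: flag Runas lists that grant ALL but exclude root, the only
# configuration CVE-2019-14287 applies to.
RUNAS_ALL_NOT_ROOT = re.compile(r"\(\s*ALL\s*,\s*!\s*(?:root|#0)\s*[),:]")


def find_exposed_runas_entries(sudoers_text: str) -> list:
    """Return (line number, line) for every entry matching '(ALL, !root)' or '(ALL, !#0)'."""
    hits = []
    for number, line in enumerate(sudoers_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        if RUNAS_ALL_NOT_ROOT.search(line):
            hits.append((number, line.strip()))
    return hits


# Constructed sample policy (not from a real system).
SAMPLE_SUDOERS = """\
# allow bob to edit files as anyone but root
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
bob         myhost = (ALL, !root) /usr/bin/vi
alice       ALL=(www-data) /usr/bin/less
"""

if __name__ == "__main__":
    for number, line in find_exposed_runas_entries(SAMPLE_SUDOERS):
        print(f"sudoers line {number} is exposed: {line}")
    for version in ((1, 8, 27), (1, 8, 28)):
        for spec in ("www-data", "root", "#-1", "#4294967295"):
            print(f"sudo {'.'.join(map(str, version))}: -u {spec!r} -> {sudo_outcome(spec, version)}")
```

On a real host the same audit is a matter of running "sudo -V" to read the version and "visudo -c" or a read of /etc/sudoers and /etc/sudoers.d/* to look for the "(ALL, !root)" pattern; replacing such exclusions with an explicit allow-list of target users removes the exposure regardless of version.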
Wireless
In October 2019, researchers at ESET found that some older Amazon devices are still susceptible to two vulnerabilities first disclosed in 2017. The two, CVE-2017-13077 and CVE-2017-13078, belong to the family of key reinstallation attacks known as "KRACK". EclecticIQ Fusion Center analysts reported on them in 2017 in the alert "EclecticIQ Fusion Center Alert - Krack: Vulnerability in WPA2 Protocol".
The newly reported vulnerable devices include the Amazon Echo 1st generation and the Amazon Kindle 8th generation. An adversary within radio range can use these flaws to position themselves as a man-in-the-middle on a WPA2-protected network. While the WPA2 link-layer encryption may be compromised, traffic that is additionally encrypted at a higher layer (for example TLS or a VPN) remains protected.
ESET's Smart Home Research team confirmed the devices were affected by reproducing the reinstallation of the pairwise encryption key (CVE-2017-13077) and the group key (CVE-2017-13078) during the four-way handshake. ESET states the vulnerabilities allow attackers to perform the following:
- Replay old packets to cause denial of service (DoS) or otherwise disrupt network communication;
- Decrypt any data or information transmitted by the victim;
- Forge data packets, cause the device to discard packets, or inject new packets (depending on the network configuration); and
- Intercept sensitive information, including passwords or session cookies.
Course of Action:
- Update affected devices to the latest firmware version, which carries a patched wpa_supplicant
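To make the consequences listed above concrete, the following Python model (an added example, not code from ESET, Amazon or the original report) plays through CVE-2017-13077 from the client's side: the attacker blocks message 4 of the four-way handshake so the access point retransmits message 3, and a vulnerable supplicant reinstalls the already-installed pairwise key, resetting its packet number (the CCMP nonce) and its replay counter. That reset is what lets an attacker recover plaintext by XORing two frames and replay a previously accepted frame. The per-packet keystream is derived with HMAC-SHA256 as a stand-in for AES-CCM counter mode (so the example runs without a crypto library, and the sender address that real CCMP mixes into the nonce is omitted); the temporal key and the frames are constructed for the example. The group-key case (CVE-2017-13078) resets the group replay counter in the same way, which is why broadcast and multicast frames can be replayed.

```python
import hashlib
import hmac


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Per-packet keystream as a pure function of (temporal key, packet number).

    Stand-in for AES-CCM's counter mode: real CCMP builds its nonce from the
    48-bit PN plus the sender address and runs AES in counter mode.  HMAC-SHA256
    is used here only so the example is self-contained; the property that
    matters is that reusing (key, PN) reuses the keystream.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(tk, pn.to_bytes(6, "big") + block.to_bytes(2, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client-side state touched by message 3 of the four-way handshake."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.tk = None
        self.tx_pn = 0    # next packet number for our own frames (the nonce)
        self.rx_pn = -1   # highest PN accepted from the AP (replay counter)

    def handle_msg3(self, tk: bytes) -> None:
        """Install the pairwise key negotiated in the handshake.

        802.11 lets the AP retransmit message 3 if message 4 is lost.  A
        vulnerable client installs the key again on every copy and, as the
        standard requires on installation, resets the nonce and replay counter.
        The fix is to refuse to reinstall a key that is already in use.
        """
        if self.patched and self.tk == tk:
            return
        self.tk = tk
        self.tx_pn = 0
        self.rx_pn = -1

    def encrypt(self, plaintext: bytes):
        pn, self.tx_pn = self.tx_pn, self.tx_pn + 1
        return pn, xor(plaintext, keystream(self.tk, pn, len(plaintext)))

    def decrypt(self, pn: int, ciphertext: bytes):
        """Replay protection: the PN must be strictly increasing under one key."""
        if pn <= self.rx_pn:
            return None
        self.rx_pn = pn
        return xor(ciphertext, keystream(self.tk, pn, len(ciphertext)))


def krack_scenario(patched: bool) -> dict:
    """Attacker between AP and client withholds message 4 so message 3 is retransmitted."""
    tk = hashlib.sha256(b"constructed temporal key, not a real one").digest()[:16]
    client = Supplicant(patched)

    client.handle_msg3(tk)                                   # first message 3: key installed
    p1 = b"GET /account HTTP/1.1\r\nHost: bank.example\r\n"  # constructed client frame
    pn1, c1 = client.encrypt(p1)

    # A constructed AP frame captured by the attacker before the reinstallation.
    ap_pn, ap_ct = 5, xor(b"HTTP/1.1 200 OK\r\n", keystream(tk, 5, 17))
    accepted_once = client.decrypt(ap_pn, ap_ct) is not None

    client.handle_msg3(tk)                                   # retransmitted message 3, forwarded by the attacker
    p2 = b"Cookie: session=9f1c2a; password=hunter2\r\n"    # constructed client frame
    pn2, c2 = client.encrypt(p2)

    # Known-plaintext recovery: if both frames used PN 0, c1 XOR c2 == p1 XOR p2.
    n = min(len(p1), len(p2))
    recovered = xor(xor(c1[:n], c2[:n]), p1[:n])

    return {
        "nonce_reused": pn1 == pn2,
        "plaintext_recovered": recovered == p2[:n],
        "replay_accepted": accepted_once and client.decrypt(ap_pn, ap_ct) is not None,
    }


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "vulnerable", krack_scenario(patched))
```

The patched branch reflects the wpa_supplicant fix: the same key offered twice is simply not reinstalled, so the counters keep advancing and both the decryption and the replay fail.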
Mobile Apps
In October 2019 a security researcher disclosed a double-free vulnerability in WhatsApp for Android, CVE-2019-11932.
A double free is a memory-corruption bug in which the same heap allocation is released twice. At best it crashes the app; at worst it gives an attacker control over subsequent heap allocations and, from there, a path to code execution on the device. In this case the attacker delivers a crafted GIF file to the victim and then only needs to wait for the user to open the WhatsApp gallery, which parses the file to render its preview.
The researcher explained that the flaw resides in WhatsApp's Gallery view implementation, which is used to generate previews for images, videos, and GIFs.
The vulnerability enables the following attack patterns:
- Remote Code Execution Through WhatsApp Double-Free Vulnerability
- Local Privilege Escalation Through WhatsApp Double-Free Vulnerability
The bug was acknowledged by Facebook and patched officially in WhatsApp version 2.19.244.
Course of Action:
- Update WhatsApp to 2.19.244 or above
Exploitation of Vulnerabilities
Operating Systems
Morphisec Labs researchers identified a zero-day unquoted-path vulnerability in the Bonjour updater, part of Apple's software update components bundled with iTunes for Windows. Because the service's executable path was not enclosed in quotes, Windows tried to run an executable named "Program" in the root of the drive before resolving the intended path under "Program Files", so an attacker who could write that file had it launched by a trusted, Apple-signed process. The vulnerability was exploited in the wild in a BitPaymer ransomware campaign, described by Morphisec in "Apple Zero-Day Exploited in BitPaymer Campaign".
Course of Action:
- Upgrade to iTunes 12.10.1 for Windows; on hosts where iTunes was uninstalled, check whether the Bonjour updater was left behind and update or remove it
Patched Vulnerabilities
Microsoft's October 2019 security release addressed roughly 60 vulnerabilities, nine of them rated critical. Some of the more critical vulnerabilities include:
- CVE-2019-1333, a remote code execution (RCE) flaw in the Remote Desktop Client, triggered when a user connects to a malicious RDP server.
- CVE-2019-1238 and CVE-2019-1239, memory-corruption RCE flaws in the VBScript engine, reachable through Internet Explorer.
- CVE-2019-1307, CVE-2019-1308, CVE-2019-1335 and CVE-2019-1366, memory corruption vulnerabilities in the Chakra scripting engine used by the Microsoft Edge browser.
- CVE-2019-1372, an elevation-of-privilege flaw in Azure Stack associated with using the Azure App Service.
- CVE-2019-1060, an RCE flaw in Microsoft XML Core Services.
Course of Action:
- Apply Microsoft October 2019 Security Update
Recommendations
EclecticIQ Fusion Center recommends that customers apply security updates to their systems as soon as they become available in order to mitigate the risks posed by the vulnerabilities mentioned in this report. This report is a summary of the main vulnerabilities we have seen over the course of a month and is not a full list of the CVE information published by vendors.
Users should keep their systems updated even when no security vulnerabilities have been reported for them.