EclecticIQ Blog

EclecticIQ Monthly Vulnerability Trend Report - September 2019

October 18, 2019

EIQ_FC_Monthly Vulnerability Report-2

This blogpost aims to provide customers with an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.

Key Findings
  • A vulnerability that affects iPhone 4S to the iPhone 8 and iPhone X called checkm8 was discovered which could lead to unpatchable jailbreaks in affected device versions.
  • A heap-based overflow in Exim versions 4.92 up to 4.92.2, which could potentially be exploited remotely, was patched by the vendor.
  • An anonymous security researcher published details about a 0day vulnerability in vBulletin which could lead to code execution on the victim's system.
Analysis

Newly Discovered Vulnerabilities

iOS

An independent security researcher axi0mX posted an exploit on Github for a vulnerability in iBoot USB Code called checkm8. Checkm8 affects the A5 to A11 chips found in iPhone4S to the iPhone 8 and iPhone X. The vulnerability was patched in devices with A12 and A13 processors.

This exploit would allow future unpatchable Jailbreaks in the iOS devices affected. This vulnerability can only be triggered over USB and requires physical access, which means it cannot be exploited remotely. It is possible that the security researcher used the February 2019 leaked source code of iBoot to find the vulnerability.

This is an extremely impactful vulnerability which affects millions of iOS devices worldwide. It is unpatchable and will persist through iOS updates for the affected models.

Android

Trend Micro researchers have disclosed a Google Android v4l2 Double Free Privilege Escalation Vulnerability affecting Video4Linux 2 (v4l2) present in Android devices.

v4l2 is a collection of drivers and an Application Programming Interface for supporting real time video capture on Linux systems. The vulnerability could give a local attacker escalated privileges on a target’s device. An attacker requires local access in order to exploit the vulnerability.

Analysts have not observed public proof-of-concepts or exploits in the wild and assesses the likelihood for successful exploitation as low.

Intel Processors

Researchers at Vrije University in Amsterdam have discovered a new attack against Intel based CPUs dubbed NetCAT. The exploit is made possible by a vulnerability CVE-2019-11184 in all Intel chips that support the Data-Direct I/O Technology (Intel DDIO) and Remote Direct Memory Access (RDMA) features.

Not to be confused with the Netcat computer networking utility, the NetCAT attack is a type of side-channel attack which usually requires the attacker to have physical access or malware installed on the victim computer. However, members of the Vrije University's Systems and Network Security Group (VUSec), have shown that the Intel DDIO and RDMA features facilitate a side-channel attack via network packets sent to a computer's network card.

VUSec academics have shown that sending carefully crafted network packets to a DDIO-capable CPU allows an attacker to keep an eye on what else is being processed in the CPU. Attackers can't use the NetCAT attack to steal just any kind of data from a remote CPU, but only data that arrives as network packets and lands directly in the DDIO shared cache. 

Course of Action: 

  • Disable the DDIO and RDMA features on affected CPUs

Exim

A patch has been issued for a critical flaw CVE-2019-16928 in the Exim email server software which could potentially open up Exim-based servers to denial of service- or remote code execution attacks.

The flaw is a heap-based overflow vulnerability which can be exploited by sending the Exim process that receives messages an extremely long EHLO string. According to VuldDB, it is possible to exploit the vulnerability remotely. There are known technical details, but no exploit is available, according to the site.

The flaw impacts Exim versions between 4.92 up to 4.92.2.

Course of Action: 

  • Update to version 4.92.3 of Exim

vBulletin

An anonymous security researcher published details about a 0day vulnerability CVE-2019-16759 in vBulletin, a widely used internet forum software. The vulnerability allows an attacker to execute shell commands on the server running a vBulletin installation without the need for an authorized account on the forum.

The proof-of-concept exploitation was confirmed by security researchers not long after it was published.

Only vBulletin 5.x is vulnerable, with earlier versions not being affected by the 0day.

According to W3Techs, around 0.1% of all internet sites run a vBulletin forum. Even though the percentage looks insignificant, in actual fact this represents billions of users that could be affected that use the tens of thousands of vBulletin sites affected. According to the vButtelin website, some of the customers of their customers include Steam, EA, Zynga, NASA, Sony, BodyBuilding.com, the Houston Texans, and the Denver Broncos.

A couple of days after the details of the vulnerability was published, a script was uploaded to Github which queries the Shodan service for vulnerable servers:

Exploitation attempts was observed in the wild attempting to upload web shells to the targeted system as well as modifying the vulnerable snippets of the proof-of-concept code to include password validation.

EclecticIQ Fusion Center analysts assess with high confidence that the exploitation of vulnerable vBulletin websites will continue to increase in frequency.

Course of Action:

  •  Apply vBulletin Security patch for 5.5.2, 5.5.3, and 5.5.4

LastPass

Researcher Tavis Ormandy from Project Zero discovered a vulnerability CVE-2019-16371 affecting Chrome and Opera browser extensions of LastPass versions earlier than 4.33.0.

The flaw can be exploited with no user interaction as it relies on malicious JavaScript code. The victim is lured to visit a malicious site in order for the attacker to steal passwords previously entered on legitimate sites.

There are no indicators that CVE-2019-16371 has been exploited in the wild.

If automatic update is enabled, the patched version will be deployed automatically.

Course of Action:

  • Upgrade LastPass to version 4.33.0

Exploitation of Vulnerabilities

Chrome

A Chrome Turbofan Remote Code Execution vulnerability was exploited in a Surveillance and Exploitation of Uyghurs campaign.

The vulnerability results from incorrect optimization by the turbofan compiler, which causes confusion between access to an object array and a value array, and therefore allows to access objects as if they were values by reading them as if they were values (thus receiving their in memory address) or vice-versa to write values into an object array and thus being able to fake objects completely.

It is speculated that victims are lured to a malicious website and the vulnerability was used to deliver Malware Variant: Unknown Android Information Stealer se4rw3 to victims.

Patched Vulnerabilities

Cisco Routers

Cisco Systems released patches for 29 bugs that addressed flaws in a wide range of its products including routers and switches running the IOS XE networking software. Thirteen of the vulnerabilities revealed are rated high severity.

The most important vulnerabilities patched include:

  • CVE-2019-12646
  • CVE-2019-12647
  • CVE-2019-12648
  • CVE-2019-12649
  • CVE-2019-12650
  • CVE-2019-12651
  • CVE-2019-12652
  • CVE-2019-12653
  • CVE-2019-12654
  • CVE-2019-12655
  • CVE-2019-12667

Course of Action:

  • Apply Router and Switch Patches Released by Cisco

Internet Explorer

Microsoft released a patch for a Microsoft Internet Explorer scripting engine vulnerability CVE-2019-1367, which has been exploited in active attacks in the wild. 

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

Course of Action: 

  • Manually update systems immediately
Recommendations

EclecticIQ Fusion Center recommends customers apply security updates to their systems as soon as they become available in order to mitigate against the risks posed by the vulnerabilities mentioned in this report. It is worth noting this report is a summary of the main vulnerabilities we have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.

Users should ensure they manually update their own systems even if no security vulnerabilities have been reported.

We hope you enjoyed this post. Subscribe to our blog below for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.