EclecticIQ Monthly Vulnerability Trend Report - September 2020

Key Finding

• A newly discovered privilege escalation vulnerability in Windows Netlogon could result in the complete takeover of a Domain Controller (DC) in a vulnerable network.
• Multiple vulnerabilities in various technologies have been systematically exploited by attackers.
• Microsoft addressed a total of 129 vulnerabilities in its September 2020 Patch Tuesday advisory, including 20 that are listed as critical.

Exploitation of Vulnerabilities

Threat Actors Exploiting Multiple Vulnerabilities in the Wild

The Cybersecurity and Infrastructure Security Agency (CISA) detailed the Tactics, Techniques, and Procedures (TTPs) employed by the Chinese Ministry of State Security (MSS) in an alert that was published [1] on the 14th of September 2020. Details include the exploitation of several critical vulnerabilities over the last 12 months:

CVE-2020-5902 - F5 Big-IP Vulnerability

EclecticIQ reported on the F5 Big-IP Vulnerability in the EclecticIQ Monthly Vulnerability Trend Report - July 2020 as well as in the standalone report: BIG-IP Traffic Management User Interface Exploited in the Wild. The flaw enables an attacker to remotely run commands as an unauthorized user and compromise a system, including intercepting controller application traffic. The publication [2] of a scanning tool together with multiple Proof of Concept (PoC) exploits [3] makes this an easy vulnerability to exploit.

CISA observed the exploitation of CVE-2020-5902 when responding to incidents at Federal Government and commercial entities alike. This is not surprising due to the low barrier of entry of finding targets and/or exploiting the flaw.

• Course of Action: Detect CVE-2020-5902 Exploitation with SIGMA Rule

CVE-2019-19781 - Citrix Virtual Private Network (VPN) Appliances

CVE-2019-19781 has been widely exploited since its discovery in December 2019. A recent incident includes Conduent Hit By Maze Ransomware where it was found that Conduent's Citrix server was vulnerable to CVE-2019-19781 for at least 8 weeks (about 2 months).

CISA observed threat actors attempting to discover vulnerable Citrix VPN Appliances, most likely using one of the many published [4] automated scanners [5], and successfully compromising Citrix Application Delivery Controllers using public exploits [6].

• Course of Action: Use the CVE-2019-19781 vulnerability tool to find vulnerable devices
• Course of Action: Apply Official Fixes for Citrix Devices Affected by CVE-2019-19781

CVE-2019-11510 - Pulse Secure VPN Servers

According to CISA, threat actors exploited CVE-2019-11510 at Federal Government and commercial entities to gain access to victim networks. Despite CVE-2019-11510 being patched [7] in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance

The CVE-2019-11510 Pulse Secure vulnerability was detailed over a year ago but is still actively exploited by threat actors. The discovery of the vulnerability was discussed in a report [8] detailing the exploitation of the flaw against Twitter owned assets, as well as the Black Hat 2019 presentation [9]. The critical flaw in Pulse Secure Pulse Connect Secure (PCS) has been exploited as detailed in the campaign Attacking VPNs With Known Vulnerabilities to spread the Malware Variant: Sodinokibi 1f2277 ransomware, as well as the incident Federal Agency Compromised by Malicious Cyber Actor.

CVE-2020-0688 - Microsoft Exchange Server

CVE-2020-0688 is a Remote Code Execution (RCE) vulnerability in Microsoft Exchange when the software does not properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'. This flaw was patched in Microsoft's February edition of their Patch Tuesday advisory, but it is still being exploited in the wild. CISA also observed threat actors exploiting CVE-2020-0688 for RCE to facilitate the collection of email from targeted victims' networks.

• Course of Action: Apply February 2020 Patch Tuesday

Unit42 security researchers detailed [10] the network attack trends observed from May 2020 - July 2020. Unit42 captured network traffic from firewalls around the world to determine what the most prevalent attack trends were during this time. The flaws that were exploited the most were CVE-2012-2311 and CVE-2012-1823, both command injection vulnerabilities in PHP CGI scripts.

Both CVE's are trivial to exploit as many PoC exploits [11] exist online, with almost no configuration needed to successfully exploit a vulnerable victim. The successful exploitation coupled together with the age of these vulnerabilities (both are older than 8 years) underscores the degree to which organizations are failing to properly secure their environments.

• Course of Action: Update Vulnerable Systems

Exploits in the Wild for vBulletin Pre-Auth RCE Vulnerability CVE-2020-17496

Security researchers at Unit42 detailed [12] attacks targeting a bypass vulnerability for a previously detailed RCE flaw in the vBulletin Software. EclecticIQ analysts predicted successful exploitation in the EclecticIQ Monthly Vulnerability Trend Report - August 2020: “The PoCs are trivial to use even for inexperienced attackers. Widespread attacks on vulnerable systems can be expected in the coming weeks...”

The bypass itself has been designated as CVE-2019-16759 . Attackers have been scanning for vulnerable websites as part of initial reconnaissance. The reconnaissance payloads include executing system commands "echo" and "id", which can give attackers knowledge of whether the targets are vulnerable. Other attacks include reading sensitive files, installing web shells, or downloading Malware: Shellbot or a Mirai variant called "Sora" from attacker-controlled infrastructure.

• Course of Action: Patch Outdated Versions of vBulletin to Disable PHP Module

Newly Discovered Vulnerabilities

Exploitable flaw in Windows Netlogon "Zerologon" Detailed in Secura Report

A research paper [13] by Secura, a Dutch Cyber Security company, details a vulnerability dubbed "Zerologon". Microsoft patched the flaw, officially designated as CVE-2020-1472, in their August edition of their Patch Tuesday advisory. The vulnerability received a CVSSv3 score of 10.0, the highest scoring that can be obtained.

The researchers gave the following description of the vulnerability:

“The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords.”

If successfully exploited, an attacker could impersonate any computer on a vulnerable network, including the domain controller. This includes executing remote procedure calls on the impersonated machines' behalf. This is described as a privilege escalation vulnerability, meaning that the attacker would already need to have access to the network.

The researchers published a PoC [14] as well as a tool [15] to scan for vulnerable hosts. It is critical to identify vulnerable systems and apply security patches accordingly.

• Course of Action: Review August 2020 Patch Tuesday Advisory

MobileIron Exploitation Details Published

A security researcher with DEVCORE, Orange Tsai, published details on multiple critical vulnerabilities in the MobileIron Mobile Device Management (MDM) software.

The researcher issued [16] a detailed breakdown of how it was discovered in March 2020 when testing against Facebook assets. A PoC exploit has been published [17] for one of the flaws, designated as CVE-2020-15505. MobileIron issued patches for all impacted products on June 15, 2020.

The vulnerabilities include:

CVE-2020-15505 - A remote code execution vulnerability in MobileIron Core and Connector versions 10.6 and earlier, and Sentry versions 9.8 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.

CVE-2020-15506 - An Authentication Bypass vulnerability in MobileIron Core and Connector versions 10.6 and earlier that allows remote attackers to bypass authentication mechanisms via unspecified vectors.

CVE-2020-15507 - An arbitrary file reading vulnerability in MobileIron Core and Connector versions 10.6 and earlier that allows remote attackers to read files on the system via unspecified vectors.

• Course of Action: Update MobileIron Products to Mitigate Critical Vulnerabilities

Patched Vulnerabilities

Microsoft Patch Tuesday September 2020

Microsoft addressed a total of 129 vulnerabilities in its September 2020 Patch Tuesday advisory [18]. Out of the 129 flaws, 32 were classified as remote code execution issues with 20 of those being listed as critical.

The 20 critical vulnerabilities and affected technology include:

• CVE-2020-1252 - Windows
• CVE-2020-16862 and CVE-2020-16857 - On-premise Microsoft Dynamics 365 systems
• CVE-2020-1285 - Windows Graphics Device Interface (GDI)
• CVE-2020-1200, CVE-2020-1452, CVE-2020-1576, CVE-2020-1595, CVE-2020-1453 and CVE-2020-1210 - Microsoft SharePoint
• CVE-2020-1460 - Microsoft SharePoint Server
• CVE-2020-1508 CVE-2020-1593 - Windows Media Audio Decoder
• CVE-2020-0922 - Microsoft COM for Windows
• CVE-2020-0908 - Windows Text Service Module
• CVE-2020-1129 and CVE-2020-1319 - Microsoft Windows Codecs Library
• CVE-2020-0997 - Windows Camera Codec Pack
• CVE-2020-16874 - Visual Studio

Many of the critical vulnerabilities target widely used software such as Windows, SharePoint, and Office 365. This creates a large attack surface due to the popularity of the software and increases the urgency to review the advisory and apply patches and/or mitigation steps where considered appropriate.

• Course of Action: Review Patch Tuesday Advisory for September 2020

Recommendations

EclecticIQ Fusion Center recommends applying security updates to affected systems as soon as they become available, to mitigate the risks posed by the vulnerabilities mentioned in this report. This report is a summary of the main vulnerabilities EclecticIQ analysts have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors. Users should ensure they update their dependent systems even if they are not mentioned in this report.

References

1. https://us-cert.cisa.gov/ncas/alerts/aa20-258a
2. https://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve2020-5902.nse
3. https://gist.github.com/cihanmehmet/07d2f9dac55f278839b054b8eb7d4cc5
4. https://cve-2019-19781.azurewebsites.net/
5. https://github.com/trustedsec/cve-2019-19781
6. https://github.com/projectzeroindia/CVE-2019-19781
7. https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
8. https://hackerone.com/reports/591295
9. https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
10. https://unit42.paloaltonetworks.com/network-attack-trends/
11. https://www.exploit-db.com/exploits/18836
12. https://unit42.paloaltonetworks.com/cve-2020-17496/
13. https://www.secura.com/blog/zero-logon
14. https://github.com/dirkjanm/CVE-2020-1472
15. https://github.com/SecuraBV/CVE-2020-1472
16. https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
17. https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505
18. https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Sep

About this report

This report provides an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.