Tag Archives: Remote Code Execution Vulnerability

Two unpatched remote code execution flaws in Adobe Type Manager Library affect all Windows Versions. Keep the mitigations forever!

29 March 2020

Mohit Kumar’s post (1), published last Monday on The Hacker News, should alarm all users who haven’t migrated to Windows 10 yet.

The good news is that this vulnerability requires user interaction. Microsoft states in security advisory ADV200006 (2) that “There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.” As always, user training is crucial!

In addition, the impact on Windows 10 users is limited because the malicious code runs in an AppContainer which is destroyed once the preview is closed.

The bad news is that Microsoft is aware of attacks that leverage this vulnerability (it is being exploited in the wild), and a patch is not available yet.

In the meantime, Microsoft provides important mitigations in ADV200006. These mitigations must be kept on all pre-Windows 10 systems where no Extended Security Update (ESU) support is available.

The most interesting mitigation is to “Disable the Preview Pane and Details Pane in Windows Explorer”. I always disable preview features in Explorer and Outlook. Simply put, preview requires that documents are “executed”, so preview may also execute embedded malicious code.

My advice for all critical infrastructure operators is:

  • Deactivate all preview features in the Windows OS and in all applications.
  • Deactivate any kind of macros and scripting without notification.
  • Deactivate all trusted locations in all applications.
  • And, of course, the user should not be able to reverse these settings.

With this, the security baseline is raised at moderate effort.

Have a great week.


1. Kumar M. Warning — Two Unpatched Critical 0-Day RCE Flaws Affect All Windows Versions [Internet]. The Hacker News. 2020 [cited 2020 Mar 29]. Available from: https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html

2. MSRC. ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability [Internet]. Microsoft Security Response Center. 2020 [cited 2020 Mar 29]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

CVE-2020-0796 – New Critical SMB V3 Vulnerability. Time to Panic?

22 March 2020

On March 12, 2020 Microsoft published a CVSS V3.1 severity 10 vulnerability in the SMBv3 protocol. CVE-2020-0796 (1), also called CoronaBlue, impacts the Windows 10 client and server versions 1903 and 1909.

The bad news first. Like EternalBlue/WannaCry, CoronaBlue is a wormable remote code execution vulnerability. A single Windows 10 system with the SMBv3 protocol installed and port 445 open to the internet is enough to infiltrate a network.

The good news is that only a few systems with Windows 10 version 1903 or 1909 have port 445 exposed to the internet. These Windows versions are just too new.

Nevertheless, immediate patching is required because a proof of concept exploit code was published on March 14, 2020.

In addition, Microsoft recommends deactivating SMBv3 compression until the patches are installed and activated (2).

But the most important advice Microsoft gives is:

“Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks.”

This advice holds for all SMB versions. There is no need to access Windows systems through the SMB protocol from the internet. Therefore, this protocol should be blocked by the internet-facing firewalls of DMZs. No exceptions! Apparently, some thousand CISOs do not care:

Windows systems with SMB ports open to the internet.

Have a great week. And check your firewall rules!


References

  1. NIST NVD. NVD – CVE-2020-0796 [Internet]. NIST Information Technology Laboratory. 2020 [cited 2020 Mar 22]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2020-0796
  2. MSRC. CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability [Internet]. Microsoft Security. [cited 2020 Mar 22]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

Mean Time to Hardening: The Next-Gen Security Metric falls short in tackling the patching problem

12 January 2020

In the report “Mean Time to Hardening: The Next-Gen Security Metric” (1), published on 12/30/2019 on ThreatPost, Richard Melick proposes a new metric, MTTH (Mean Time to Hardening), to tackle the patch problem. I like the 24/72 MTTH approach. But when it comes to attacks by APTs on critical infrastructures, this approach is, from my point of view, not effective.

Let me illustrate this with an example. CVE-2017-5638, a remote command execution vulnerability in the Apache Struts framework, was used in the Equifax attack (2) in 2017. In the case of remote command execution vulnerabilities, especially if the systems are operated in the DMZ, the 24/72 MTTH approach is the best strategy to survive. But let us look at the timeline.

| Source | Identifier | Published |
|---|---|---|
| NVD | CVE-2017-5638 | 3/11/2017 |
| Exploit-DB | EDB-ID 41570 | 3/7/2017 |
| Exploit-DB | EDB-ID 41614 | 3/15/2017 |

Exploit 41570 was published 4 days before the CVE was published. The 24/72 MTTH strategy will fail in this case. Exploit 41614 was published 4 days after the CVE was published, so the 24/72 MTTH strategy is successful.

Figure 1

This is not an isolated case. Between 2013 and 2019, 56% of the exploits were published before or on the same day the vulnerability was published in the NVD. To map the exploits in the Exploit-DB to the CVEs, the NVD reference map for the Exploit-DB (3) is used. Figure 2 shows the details in the range of 30 days before and after the CVE publication date.

Figure 2
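
The comparison behind these numbers, written out as an added example (not the author's analysis code): it computes the day offset between CVE and exploit publication, the share of exploits published before or on the CVE date, and the ±30-day histogram. It assumes that "24/72" means hardening is complete 72 hours after NVD publication; only the two CVE-2017-5638 rows come from the table above, the other rows are constructed placeholders.

```python
from collections import Counter
from datetime import date

# Rows in the shape of the NVD reference map for Exploit-DB:
# (CVE id, NVD publication date, EDB id, Exploit-DB publication date).
# Rows 1-2 are the CVE-2017-5638 dates from the post; rows 3-5 are constructed.
SAMPLE = [
    ("CVE-2017-5638", date(2017, 3, 11), 41570, date(2017, 3, 7)),
    ("CVE-2017-5638", date(2017, 3, 11), 41614, date(2017, 3, 15)),
    ("CVE-0000-0001", date(2019, 1, 10), 90001, date(2019, 1, 10)),
    ("CVE-0000-0002", date(2019, 2, 1), 90002, date(2019, 4, 20)),
    ("CVE-0000-0003", date(2019, 5, 6), 90003, date(2019, 5, 8)),
]

WINDOW_HOURS = 72  # assumption: hardening is done 72 h after NVD publication


def delta_days(cve_published, exploit_published):
    """Days from CVE publication to exploit publication (negative: exploit first)."""
    return (exploit_published - cve_published).days


def hardened_in_time(delta, window_hours=WINDOW_HOURS):
    """True if the hardening window closes before the exploit becomes public."""
    return delta * 24 > window_hours


def summarize(rows, span=30):
    """Aggregate the offsets the way Figure 2 is described (range +/- span days)."""
    deltas = [delta_days(cve, exp) for _, cve, _, exp in rows]
    in_span = Counter(d for d in deltas if abs(d) <= span)
    return {
        "deltas": deltas,
        "share_before_or_same_day": sum(d <= 0 for d in deltas) / len(deltas),
        "share_hardened_first": sum(hardened_in_time(d) for d in deltas) / len(deltas),
        "histogram": dict(sorted(in_span.items())),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Note the constructed row with an offset of +2 days: an exploit published after the CVE can still arrive inside the 72-hour window.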

Figure 3

34% of the exploits for Remote Code/Command Execution (RxE) vulnerabilities like CVE-2017-5638 or CVE-2017-0144 (WannaCry) were published before or on the same day the vulnerability was published. Figure 4 shows the details. RxEs are selected from the NVD as follows: CVSS V2.0: Attack Vector: Network, Attack Complexity: Low + Medium, Authentication: None, Loss of Integrity: Complete, Keywords “remote code execution” or “exec arbitrary”.

Figure 4
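
The RxE selection rule stated above, as an added example (not the author's code): it parses a CVSS v2 vector, applies the four metric criteria plus the keyword test, and reports which criteria a record fails. Treating "exec arbitrary" as a prefix match (so that "execute arbitrary" is caught) is an assumption; the record ids and descriptions are constructed placeholders, not NVD data.

```python
import re

# Keywords from the selection rule. "exec arbitrary" is matched as a word
# prefix so it also catches "execute arbitrary code" (assumption).
KEYWORDS = re.compile(r"remote code execution|\bexec\w*\s+arbitrary", re.IGNORECASE)

# Allowed values per CVSS v2 metric: network vector, low or medium
# complexity, no authentication, complete loss of integrity.
REQUIRED = {"AV": {"N"}, "AC": {"L", "M"}, "Au": {"N"}, "I": {"C"}}
ALL_METRICS = {"AV", "AC", "Au", "C", "I", "A"}


def parse_v2_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' (optionally parenthesised) into a dict."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        key, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    missing = ALL_METRICS - metrics.keys()
    if missing:
        raise ValueError(f"missing metrics {sorted(missing)} in {vector!r}")
    return metrics


def rxe_rejections(vector, description):
    """Return the criteria a record fails; an empty list means it is an RxE."""
    metrics = parse_v2_vector(vector)
    failed = [f"{name}:{metrics[name]}" for name, allowed in REQUIRED.items()
              if metrics[name] not in allowed]
    if not KEYWORDS.search(description):
        failed.append("keyword")
    return failed


def is_rxe(vector, description):
    return not rxe_rejections(vector, description)


# Constructed records: (placeholder id, CVSS v2 vector, description).
SAMPLE = [
    ("CVE-0000-1001", "AV:N/AC:M/Au:N/C:C/I:C/A:C",
     "Crafted request allows remote attackers to execute arbitrary commands."),
    ("CVE-0000-1002", "(AV:N/AC:M/Au:N/C:P/I:P/A:P)",
     "Remote code execution via expression language injection."),
    ("CVE-0000-1003", "AV:L/AC:L/Au:N/C:C/I:C/A:C",
     "Local users can execute arbitrary code via a crafted font."),
    ("CVE-0000-1004", "AV:N/AC:L/Au:N/C:C/I:C/A:C",
     "Remote attackers can cause a denial of service."),
]

if __name__ == "__main__":
    for cve_id, vector, text in SAMPLE:
        print(cve_id, "RxE" if is_rxe(vector, text) else rxe_rejections(vector, text))
```

A record with partial loss of integrity (I:P) is excluded even when its description says "remote code execution", so the rule selects a strict subset of what vendors label RCE.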

So, the 24/72 MTTH approach falls short if the exploit is published before the vulnerability.

Please keep in mind that we only investigated published vulnerabilities and exploits. We can expect that many as yet unpublished, and unused, vulnerabilities exist in the arsenals of the APTs.

In the case of critical infrastructures, we are well advised to invest in solutions which increase the resilience against cyber-attacks. A simple AppArmor profile would probably have prevented the attack on Equifax. Whitelisting solutions should be considered in environments where industrial control systems are operated. This does not make the 24/72 MTTH approach to patching obsolete. We just buy time.

Have a great week.


References

  1. Melick R. Mean Time to Hardening: The Next-Gen Security Metric [Internet]. threatpost. 2019 [cited 2020 Jan 12]. Available from: https://threatpost.com/mean-time-hardening-next-gen-security-metric/151402/
  2. Brook C. Equifax Confirms March Struts Vulnerability Behind Breach [Internet]. threatpost. 2017 [cited 2020 Jan 12]. Available from: https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/
  3. NIST NVD. CVE – CVE Reference Map for Source EXPLOIT-DB [Internet]. [cited 2020 Jan 12]. Available from: https://cve.mitre.org/data/refs/refmap/source-EXPLOIT-DB.html

Critical Wormable Vulnerability CVE-2019-0708 patched. Is the world a safer place now?

19 May 2019

Microsoft released (1) a patch for the critical Remote Code Execution vulnerability CVE-2019-0708 (2) in Remote Desktop Services on May 14th, 2019. The vulnerability is wormable: malware that exploits it can spread from vulnerable computer to vulnerable computer the way WannaCry did in 2017. Fortunately, only Windows XP, Windows 2003 Server, Windows 7 and Windows 2008 Server are impacted.

How big is the problem?

A Shodan search shows that about 30% of the Windows 2008 server systems directly connected to the internet are impacted. The Windows 2003 problem is much larger although Microsoft stopped the extended support for this version in July 2015.

Table 1: CVE-2019-0708 Impacted Systems. Source: Shodan. Data generated: 5/19/2019 7:30 pm

How to mitigate?

Since CVE-2019-0708 is a remote code execution vulnerability, patches or other mitigating measures should be applied immediately.

Microsoft provided patches with the May 2019 patch set, even for Windows 2003 Server and Windows XP, to prevent similar effects to that of WannaCry on the global economy. As an immediate step, Microsoft recommends deactivating RDP access to the impacted systems.

Is the world a safer place now?

Far from it. A brief analysis shows that many of the impacted systems provide applications based on a WAMP technology stack (Windows, Apache, MySQL, PHP). And in many cases remote code execution vulnerabilities in Apache or PHP are not patched. With this, the overall security level remains as bad as before Microsoft released the patches.

Without vulnerability and application life cycle management such problems cannot be solved. Apache, MySQL and PHP can be operated on top of an outdated Windows OS, but critical vulnerabilities in these components must be patched directly to avoid a large financial impact in the worst case.

The Equifax data breach from 2017 is just one example. In this case an unpatched remote code execution vulnerability in the Apache Struts framework opened the door for the attackers. Equifax (3) estimates that it has spent $1.4 billion so far to recover from the breach.

Have a great week.


References

  1. MSRC Team. Prevent a worm by updating Remote Desktop Services (CVE-2019-0708) – MSRC [Internet]. 2019 [cited 2019 May 19]. Available from: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
  2. NIST NVD. NVD – CVE-2019-0708 [Internet]. 2019 [cited 2019 May 19]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2019-0708
  3. Olenick D. Equifax data breach recovery costs pass $1 billion [Internet]. SC Media. 2019 [cited 2019 May 19]. Available from: https://www.scmagazine.com/home/security-news/data-breach/equifax-data-breach-recovery-costs-pass-1-billion/

SpeakUp – Lateral movement made easy

10 March 2019

A remote command-injection vulnerability dubbed SpeakUp (CVE-2018-20062) (1) in the ThinkPHP development framework was widely reported in the news some weeks ago. Technically, SpeakUp is simply one more command-injection vulnerability with CVSS V3.0 base score Critical that results in full loss of integrity if exploited.

CVE-2018-20062 alike Vulnerabilities 2018

CVE-2018-20062-class vulnerabilities are quite rare. As of 10 March 2019 only 182 of the 16517 vulnerabilities published in 2018 belong to this class. Exploitation of any of these vulnerabilities results in full loss of integrity of the attacked system. In the worst case, the compromised system becomes the new base of operations for the attacker and allows him to compromise further systems.

Tara Seals provides a brief outline (2) on ThreatPost of the initial infection routine. For more details see the Checkpoint Research report (3) about SpeakUp.

Lateral movement in Linux-based networks poses special challenges for the attacker. In general, vulnerabilities in applications must be used for propagation. SpeakUp uses an impressive arsenal of old vulnerabilities in application frameworks for propagation. Seals writes:

“To spread, SpeakUp’s propagation code exploits known vulnerabilities in six different Linux distributions, including JBoss Enterprise Application Platform security bypass vulnerabilities (CVE-2012-0874); a JBoss Seam Framework remote code execution (RCE) flaw (CVE-2010-1871); a JBoss AS 3/4/5/6 RCE exploit; a Oracle WebLogic wls-wsat Component Deserialization RCE (CVE-2017-10271); a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (CVE-2018-2894); a Hadoop YARN ResourceManager command-execution exploit; and an Apache ActiveMQ Fileserver File Upload RCE vulnerability (CVE-2016-3088).”

The table below shows some details of the above mentioned vulnerabilities.

| CVE | Application Framework | CVSS Base Score | Attack Vector |
|---|---|---|---|
| CVE-2012-0874 | JBoss Enterprise Application Platform (EAP) | 6.8 (CVSS v2.0) | AV:N/AC:M/Au:N/C:P/I:P/A:P (CVSS v2.0) |
| CVE-2010-1871 | JBoss Enterprise Application Platform (EAP) | 6.8 (CVSS v2.0) | AV:N/AC:M/Au:N/C:P/I:P/A:P (CVSS v2.0) |
| CVE-2017-10271 | Oracle WebLogic Server | 7.5 (CVSS v3.0) | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSS v3.0) |
| CVE-2018-2894 | Oracle WebLogic Server | 9.8 (CVSS v3.0) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSS v3.0) |
| CVE-2016-3088 | Fileserver web application in Apache ActiveMQ | 9.8 (CVSS v3.0) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSS v3.0) |

Any of the listed vulnerabilities enables the attacker to create new operations bases. In the worst case, he can jump across network boundaries, e.g. from the DMZ into the company intranet or from the company intranet into the production network.

How to stop this kind of attack?

From the tactical point of view, vulnerability management is the key to stopping this kind of attack as early as possible. CVE-2018-20062-class vulnerabilities and remote code or script execution vulnerabilities must be patched directly after they show up on the market, at least in the DMZ and on systems on both sides of network boundaries. This will prevent the attacker from moving laterally.

Vulnerability management relies on asset management, and on CI/CD across the entire application stack, because without automated testing it is not possible to make sure that the application is still working after the patches have been applied.

From a strategic point of view, measures must be applied to increase the resilience of application systems against cyber attacks. This includes e.g. micro segmentation or Web Application Firewalls, but also Linux-native enhancements like AppArmor or SELinux.

And this holds for both cloud and on-premise hosted applications.

Have a great week.


References

1. NIST NVD. NVD – CVE-2018-20062 [Internet]. 2018 [cited 2019 Feb 6]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2018-20062

2. Seals T. SpeakUp Linux Backdoor Sets Up for Major Attack [Internet]. threatpost. 2019 [cited 2019 Feb 6]. Available from: https://threatpost.com/speakup-linux-backdoor/141431/

3. Check Point Research. SpeakUp: A New Undetected Backdoor Linux Trojan [Internet]. Check Point Research. 2019 [cited 2019 Feb 6]. Available from: https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/


 

Adobe Flash zero day exploited in the wild. Remote code execution vulnerabilities are hacker’s favorites!

8 December 2018

On December 5th, 2018 Adobe published security bulletin APSB18-42[1] for the critical vulnerability CVE-2018-15982 in the widely used Flash Player. Gigamon Applied Threat Research (ATR) reported the vulnerability to Adobe on November 29th, 2018. They had detected the issue some days earlier while analyzing a malicious Word document that was uploaded to VirusTotal from a Ukrainian IP address. For a detailed analysis of the attack and the vulnerability see [2][3].

Successful exploitation of CVE-2018-15982 could lead to Arbitrary Code Execution in the context of the current user. According to Red Hat, the CVSS3 Base Metrics are CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H with a CVSS3 Base Score of 8.8.

Zero days are not a rare phenomenon. Between 2013 and 2017[4] about 60% of the exploits were disclosed before the related CVE was published.

For about 20% of vulnerabilities in the NVD exploits are published in the exploit database[5]. Only about 1% of the vulnerabilities are exploited in the wild. Thus CVE-2018-15982 is a really rare event.

Remote code/script execution (RxE) vulnerabilities like CVE-2018-15982 represent about 20% of all vulnerabilities. 43% of the exploits published between 1988 and 2018 are related to RxE vulnerabilities.

Remote Code Execution Vulnerabilities. Data: 1988-2018

RxE Vulnerabilities. Data: 1988-2018

Exploits for Remote Code Execution Vulnerabilities. Data: 1988-2018

Exploits for RxE Vulnerabilities. Data: 1988-2018

About 5% of the RxE vulnerabilities are exploited in the wild.

This means that RxE vulnerabilities are exploited in the wild 5 times more often than non-RxE vulnerabilities. They are hacker’s favorites!

What does this mean for our vulnerability management strategy?

  • The remediation process must be started directly upon publication of an RxE vulnerability in the NVD or the disclosure of an exploit for an RxE in the exploit database.
  • In scope for the first remediation wave must be at least all systems facing the internet, e.g. workstations, servers in the DMZ or in public clouds.
  • Gathering intelligence about new vulnerabilities from a plethora of publicly available sources (OSINT) is a time-consuming task. A threat intelligence service can speed up information gathering and reduce the workload of your IT security staff.
  • In addition, since remediation takes some time, it makes sense to invest in means for enhancing the resilience of application systems.

Expect the worst and be prepared. Or, to echo Hamlet:

To be, or not to be, that is the question:
Whether ’tis nobler in the mind to suffer
The slings and arrows of outrageous fortune,
Or to take arms against a sea of troubles,
And by opposing, end them? To die: to sleep;

Have a good weekend.


  1. Adobe. Security updates available for Flash Player | APSB18-42 [Internet]. 2018 [cited 2018 Dec 8]. Available from: https://helpx.adobe.com/security/products/flash-player/apsb18-42.html

  2. Gigamon Threat Research Team. Adobe Flash Zero-Day Exploited In the Wild [Internet]. Gigamon ATR Blog. 2018 [cited 2018 Dec 8]. Available from: https://atr-blog.gigamon.com/2018/12/05/adobe-flash-zero-day-exploited-in-the-wild/

  3. Qihoo 360 Advanced Threat Response Team. Operation Poison Needles – APT Group Attacked the Polyclinic of the Presidential Administration of Russia, Exploiting a Zero-day [Internet]. 2018 [cited 2018 Dec 8]. Available from: http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN.html

  4. Jochem K. About 60% of exploits are published before the CVE. What does this mean for your cyber security strategy? [Internet]. IT Security Matters. 2018 [cited 2018 Dec 8]. Available from: https://klausjochem.me/2018/11/04/about-60-of-exploits-are-published-before-the-cve-what-does-this-mean-for-your-cyber-security-strategy/

  5. Offensive Security. Offensive Security’s Exploit Database Archive [Internet]. Exploit Database. [cited 2018 Nov 4]. Available from: https://www.exploit-db.com/

To patch or not to patch this is not the question – New Remote Code Execution Vulnerability in Drupal CMS

21 October 2018

Lindsey O’Donnell’s report “Two Critical RCE Bugs Patched in Drupal 7 and 8” [1] published yesterday on Threatpost gives website operators every reason to enter panic mode.

The vulnerabilities are not published in the NIST NVD yet, but Drupal released two security advisories [2] [3] with details.

Why panic? In the past 16 years 177 vulnerabilities [4] related to Drupal were published. That sounds like a lot, but consider that 1,075,609 websites were powered by Drupal core in October 2018 [5].

Fortunately, only 13 exploits have been published since 2002. On 29 March 2018 the remote code execution vulnerability CVE-2018-7600 (Drupalgeddon2) was published. Within 20 days after publication three exploits were available. Thousands of sites were compromised in the aftermath.

CVE-2018-7602 (Drupalgeddon3) was published on 19 July 2018. In this case exploits were available 81 and 86 days before the CVE was published.

Table: Drupal Exploits since 2010.

The table above shows the vulnerabilities with published exploits for the Drupal CMS since 2010. Negative values in the column “Number of days exploit published after CVE published” indicate that the exploit was published before the CVE was published. These are the magic zero-day exploits, the worst-case scenario for website operators because there is no warning time.

Except for the green highlighted exploit, all exploits were used in the wild, meaning they were used in attacks. In addition, except for the green highlighted exploit, all CVEs were remote code execution or injection vulnerabilities.

For the newly published remote code execution vulnerabilities we can expect

  • that exploits will be published with a probability of about 7% and
  • that if exploits are published, they will be published before or at the day the CVE is published.

With this, website operators must patch immediately once they become aware of a new remote code execution vulnerability.

In addition, I would recommend taking additional preventive measures, e.g. implementing a Web Application Firewall or a host-based Intrusion Detection/Prevention System, to make the installation more resilient against new vulnerabilities. If the website is operated on Linux, it makes sense to activate AppArmor [6].

Have a great week.


  1. O’Donnell L. Two Critical RCE Bugs Patched in Drupal 7 and 8 [Internet]. Threatpost | The first stop for security news. 2018 [cited 2018 Oct 20]. Available from: https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/
  2. Drupal ST. Drupal Core – Multiple Vulnerabilities – SA-CORE-2018-006 [Internet]. Drupal.org. 2018 [cited 2018 Oct 20]. Available from: https://www.drupal.org/sa-core-2018-006
  3. Drupal ST. Mime Mail – Critical – Remote Code Execution – SA-CONTRIB-2018-068 [Internet]. Drupal.org. 2018 [cited 2018 Oct 20]. Available from: https://www.drupal.org/sa-contrib-2018-068
  4. CVE Details. Drupal Drupal : CVE security vulnerabilities, versions and detailed reports [Internet]. CVE Details. The ultimate security vulnerability datasource. 2018 [cited 2018 Oct 21]. Available from: https://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367 
  5. Drupal.org. Usage statistics for Drupal core | Drupal.org [Internet]. 2018 [cited 2018 Oct 21]. Available from: https://www.drupal.org/project/usage/drupal
  6. theMiddle. AppArmor: Say Goodbye to Remote Command Execution. [Internet]. Secjuice.com. 2018 [cited 2018 Oct 21]. Available from: https://www.secjuice.com/apparmor-say-goodbye-to-remote-command-execution/