
Top CVEs exploited in the wild

The SonicWall Capture Labs Threat Research team observed the following vulnerabilities as the ones most exploited by attackers during 2019.

  • BlueKeep (CVE-2019-0708)
  • SharePoint Server (CVE-2019-0604)
  • Win32k (CVE-2019-0859)
  • ThinkPHP (CVE not assigned)
  • Atlassian Confluence (CVE-2019-3396)
  • Drupal (CVE-2019-6340)
  • Oracle WebLogic (CVE-2019-2725)
  • Exim Server (CVE-2019-10149)
  • Microsoft GDI (CVE-2019-0903)
  • Webmin Server (CVE-2019-15107)

BlueKeep (CVE-2019-0708)

A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.

Affected Products: Windows 7, Windows Server 2008 and Windows Server 2008 R2, plus the out-of-support Windows XP, Windows Vista and Windows Server 2003, for which Microsoft issued an out-of-band fix.

Reference: https://securitynews.sonicwall.com/xmlpost/rdp-vulnerability-cve-2019-0708/


SharePoint Server (CVE-2019-0604)

An insecure deserialization vulnerability has been reported in Microsoft SharePoint Server. It is due to insufficient validation of user-supplied data passed to EntityInstanceIdEncoder, which deserializes that data with an XmlSerializer whose target type is itself taken from the input.

Affected Products
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2010 & 2013
Microsoft SharePoint Server 2010, 2013 & 2019

Reference: https://securitynews.sonicwall.com/xmlpost/microsoft-sharepoint-server-flaw-cve-2019-0604-is-actively-being-exploited/


Win32k (CVE-2019-0859)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka ‘Win32k Elevation of Privilege Vulnerability’.

Affected Products
Microsoft Windows 7, 8.1, 10 & RT 8.1
Microsoft Windows Server 2008, 2012, 2016 & 2019

Reference: https://securitynews.sonicwall.com/xmlpost/cve-2019-0859-exploits-active-in-the-wild/


ThinkPHP (CVE not assigned)

A remote command execution vulnerability exists in the ThinkPHP PHP framework. The vulnerability is due to improper validation of the controller name taken from URL parameters in the framework's App.php request dispatcher, which lets an unauthenticated attacker invoke arbitrary framework methods and run code on the server.

Affected Products: ThinkPHP 5.0.x prior to 5.0.23 and 5.1.x prior to 5.1.31

Reference: https://securitynews.sonicwall.com/xmlpost/thinkphp-remote-code-execution-rce-bug-is-actively-being-exploited/


Atlassian Confluence (CVE-2019-3396)

A server-side template injection vulnerability has been reported in Atlassian Confluence Server. It is due to improper validation of the _template JSON parameter accepted by the Widget Connector macro, which lets a remote attacker make the server load an attacker-controlled Velocity template.

Affected Products:

Atlassian Confluence Server 6.14.x prior to 6.14.2
Atlassian Confluence Server 6.13.x prior to 6.13.3
Atlassian Confluence Server 6.12.x prior to 6.12.3
Atlassian Confluence Server 6.6.x prior to 6.6.12


Drupal (CVE-2019-6340)

A remote code execution vulnerability has been reported in the web services components of Drupal Core. It is due to improper sanitization of data for certain field types received from non-form sources (for example REST or JSON:API requests) prior to deserialization.

Affected Products:

Drupal 8.5.x prior to 8.5.11
Drupal 8.6.x prior to 8.6.10
Drupal 7.x only through contributed web services modules (such as RESTful Web Services) that received their own updates; Drupal 7 core itself is not affected

Oracle WebLogic (CVE-2019-2725)

An insecure deserialization vulnerability has been reported in Oracle WebLogic Server. It is due to insufficient validation of XML data in the body of HTTP POST requests sent to the wls9_async_response and wls-wsat web service components, and it can be exploited without authentication.

Affected Products

Oracle WebLogic Server 12.1.3.0.0
Oracle WebLogic Server 10.3.6.0.0

Reference: https://securitynews.sonicwall.com/xmlpost/oracle-weblogic-vulnerability-actively-being-exploited-in-the-wild/


Exim Server (CVE-2019-10149)

A remote command injection vulnerability has been reported in the Exim mail server. It is due to insufficient validation of the recipient address in the deliver_message() function: the local part of the address is passed through expand_string(), so an address carrying a ${run{...}} expansion item executes an attacker-chosen command as root. In the default configuration a remote attacker must keep the SMTP connection open for days; some non-default configurations are exploitable immediately.

Affected Products: Exim versions 4.87 to 4.91

Reference: https://securitynews.sonicwall.com/xmlpost/exim-email-servers-are-still-under-attack/


Microsoft GDI (CVE-2019-0903)

A remote code execution vulnerability has been reported in the GDI component of Microsoft Windows. The vulnerability is due to the way that GDI handles objects in memory.

Affected Products:

Microsoft Windows 7, 8.1, 10
Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019

Webmin Server (CVE-2019-15107)

A command injection vulnerability has been reported in Webmin. The vulnerability is due to improper validation of the user-supplied old-password parameter within password_change.cgi, which is passed to a shell unsanitized; because that page exists to let users with expired passwords change them, the request is handled before authentication. Webmin 1.890 is exploitable in its default configuration, while 1.900 to 1.920 are exploitable only when the option to change expired passwords is enabled. The vulnerable code had been planted in the builds distributed via SourceForge.

Affected Products: Webmin 1.890 through 1.920 (fixed in 1.930)

Reference: https://securitynews.sonicwall.com/xmlpost/hackers-continue-to-mount-attacks-on-webmin-servers/


Microsoft SharePoint server flaw CVE-2019-0604 actively being exploited in the wild

This week, the SonicWall Capture Labs Threat Research team observed a huge spike in hits targeting the Microsoft SharePoint server flaw. These HTTP requests are command-and-control traffic aimed at hosts that have already been compromised through CVE-2019-0604. Hits were seen in almost 100 countries, with the large majority in the United States.

CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability:

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker can exploit this vulnerability by sending a maliciously crafted request to a vulnerable SharePoint server or by enticing a SharePoint user to upload a specially crafted SharePoint application package to a vulnerable server. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

Exploit:

Earlier this month, the Canadian Centre for Cyber Security and the Saudi National Cyber Security Center reported evidence of active exploitation of the Microsoft SharePoint remote code execution vulnerability (CVE-2019-0604). The threat actors exploited this vulnerability to deploy the China Chopper web shell. After establishing the initial foothold, they used the web shell to run PowerShell scripts that downloaded further malicious files, including a backdoor. The backdoor registers an HTTP listener that handles requests to “hxxp://localhost:80/TEMPORARY_LISTEN_ADDRESSES/WSMAN” and to sibling paths such as WSMAN3 and SMSSERVICE. Commands arrive in those HTTP requests, encrypted with AES; the malware on the infected host can execute commands and download and upload files, and it encodes the result and sends it back to the C&C server.


The majority of requests come from the IP address 188.166.64.99, which is trying to command and control SharePoint servers that have already been exploited. The scan is so widespread that around 30,000 SonicWall firewalls have observed these malicious HTTP requests and blocked them.


We have observed the following malicious HTTP requests:
  • hxxp://188.166.64.99/TEMPORARY_LISTEN_ADDRESSES/WSMAN
  • hxxp://188.166.64.99/TEMPORARY_LISTEN_ADDRESSES/WSMAN3
  • hxxp://188.166.64.99/TEMPORARY_LISTEN_ADDRESSES/SMSSERVICE
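To turn the indicators above into a repeatable check, here is an added example (my code, not SonicWall's) that scans a network-side HTTP log for the C2 address and for the backdoor's listener paths in either direction. The log format is a constructed firewall/proxy export (date, time, source, destination, method, host, URI, status) and the sample lines are made up; adapt LINE_RE to the real export. The match on WSMAN followed by any digits is an assumption that the operator may use other numbered variants beyond WSMAN3. One caveat for host-based hunting: TEMPORARY_LISTEN_ADDRESSES is a URL namespace that Windows reserves for all users by default (WCF uses it), so the backdoor can share port 80 with IIS without administrative rights, and HTTP.sys hands requests under that prefix to the backdoor rather than to IIS. Do not expect to find them in IIS logs; look at network logs like the ones below, and on a suspect server list the registered URL prefixes with `netsh http show servicestate`.

```python
"""Scan network-side HTTP logs for the CVE-2019-0604 post-exploitation C2
traffic described above.

Added example (not SonicWall code).  The log format is a constructed
firewall/proxy export with the fields:
    date time src_ip dst_ip method host uri status
Adapt LINE_RE to the real export before use.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Indicators taken from the post.
C2_IPS = frozenset({"188.166.64.99"})
# Backdoor listener paths: WSMAN, WSMAN3 and SMSSERVICE under
# TEMPORARY_LISTEN_ADDRESSES.  HTTP.sys matches URL prefixes
# case-insensitively, so the scan does too.  WSMAN\d* is an assumption
# that other numbered variants may appear.
C2_PATH_RE = re.compile(
    r"^/TEMPORARY_LISTEN_ADDRESSES/(?:WSMAN\d*|SMSSERVICE)(?:[/?]|$)",
    re.IGNORECASE,
)

# One log record per line; comment lines start with '#'.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<uri>\S+)\s+(?P<status>\d{3})$"
)


@dataclass
class Hit:
    line_no: int
    src: str
    dst: str
    uri: str
    reasons: List[str] = field(default_factory=list)


def scan_lines(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per log line that matches a C2 indicator."""
    hits: List[Hit] = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparseable line; production tooling should count these
        reasons = []
        # Either direction matters: inbound tasking from the C2 address, or
        # an already-infected server calling back out to it.
        if m["src"] in C2_IPS or m["dst"] in C2_IPS:
            reasons.append("known C2 address")
        if C2_PATH_RE.match(m["uri"]):
            reasons.append("backdoor listener path")
        if reasons:
            hits.append(Hit(line_no, m["src"], m["dst"], m["uri"], reasons))
    return hits


def scan_text(text: str) -> List[Hit]:
    """Convenience wrapper for a whole log export held in memory."""
    return scan_lines(text.splitlines())


# Constructed sample log; 10.0.0.5 plays the SharePoint server.
SAMPLE_LOG = """\
# date time src_ip dst_ip method host uri status
2019-05-13 10:01:02 203.0.113.7 10.0.0.5 GET sp.example.com /_layouts/15/Picker.aspx 200
2019-05-13 10:01:09 188.166.64.99 10.0.0.5 POST 10.0.0.5 /TEMPORARY_LISTEN_ADDRESSES/WSMAN 200
2019-05-13 10:02:15 188.166.64.99 10.0.0.5 POST 10.0.0.5 /TEMPORARY_LISTEN_ADDRESSES/WSMAN3 200
2019-05-13 10:03:40 198.51.100.9 10.0.0.5 POST 10.0.0.5 /temporary_listen_addresses/SMSSERVICE 200
2019-05-13 10:04:00 10.0.0.5 188.166.64.99 GET 188.166.64.99 /TEMPORARY_LISTEN_ADDRESSES/WSMAN 200
2019-05-13 10:04:30 198.51.100.9 10.0.0.5 GET sp.example.com /sites/hr/default.aspx 200
"""

if __name__ == "__main__":
    for h in scan_text(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.src} -> {h.dst} {h.uri}  [{', '.join(h.reasons)}]")
```

Run as a script it prints the four sample hits; for a real export pass an open file to scan_lines(). A path-only hit from an unknown address (the SMSSERVICE line above) is the interesting case: it means a second operator address, or a scanner probing for servers that already carry the backdoor.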

Trend Chart

The trend line below shows how actively this vulnerability has been exploited in recent days.

Heat Map:

The heat map is based on the number of unique firewalls, by geography, that observed this attack.

Fix:

Microsoft has released a patch that fixes the vulnerability. Please find the vendor advisory regarding this vulnerability: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604

The affected software versions are
  • Microsoft SharePoint Foundation 2010 Service Pack 2
  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Server 2010 Service Pack 2
  • Microsoft SharePoint Server 2013 Service Pack 1
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS 14201 Microsoft SharePoint Remote Code Execution 4
IPS 14216 WSMAN Inbound Access
IPS 14217 SMSSERVICE Inbound Access
IPS 14218 Microsoft SharePoint Remote Code Execution 5
IPS 14219 Microsoft SharePoint Remote Code Execution 6
IPS 14231 Microsoft SharePoint ActionRedirect.aspx Access
IPS 14232 Microsoft SharePoint downloadexternaldata.aspx Access
IPS 14233 Microsoft SharePoint profileredirect.aspx Access
WAF 1711 Microsoft Sharepoint Picker.aspx Remote Code Vulnerability

Microsoft Security Bulletin Coverage for February 2019

The SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft's security advisories for the month of February 2019. A list of the issues reported, along with SonicWall coverage information, follows:

CVE-2019-0540 Microsoft Office Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-0590 Scripting Engine Memory Corruption Vulnerability
IPS 14016:Scripting Engine Memory Corruption Vulnerability (FEB 19) 4
CVE-2019-0591 Scripting Engine Memory Corruption Vulnerability
IPS 14017:Scripting Engine Memory Corruption Vulnerability (FEB 19) 5
CVE-2019-0593 Scripting Engine Memory Corruption Vulnerability
IPS 13938:HTTP Client Shellcode Exploit 111
CVE-2019-0594 Microsoft SharePoint Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0595 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0596 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0597 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0598 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0599 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0600 HID Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0601 HID Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0602 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0604 Microsoft SharePoint Remote Code Execution Vulnerability
IPS 14201:Microsoft SharePoint Remote Code Execution 4
CVE-2019-0605 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0606 Internet Explorer Memory Corruption Vulnerability
IPS 14018:Internet Explorer Memory Corruption Vulnerability (FEB 19) 1
CVE-2019-0607 Scripting Engine Memory Corruption Vulnerability
IPS 14019:Scripting Engine Memory Corruption Vulnerability (FEB 19) 6
CVE-2019-0610 Scripting Engine Memory Corruption Vulnerability
IPS 14020:Scripting Engine Memory Corruption Vulnerability (FEB 19) 7
CVE-2019-0613 .NET Framework and Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0615 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0616 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0618 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0619 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0621 Windows Kernel Information Disclosure Vulnerability
ASPY5385:Malformed-File exe.MP.56
CVE-2019-0623 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0625 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0626 Windows DHCP Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0627 Windows Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-0628 Win32k Information Disclosure Vulnerability
ASPY5386:Malformed-File exe.MP.57
CVE-2019-0630 Windows SMB Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0631 Windows Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-0632 Windows Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-0633 Windows SMB Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0634 Microsoft Edge Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2019-0635 Windows Hyper-V Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0636 Windows Information Disclosure Vulnerability
ASPY5387:Malformed-File exe.MP.58
CVE-2019-0637 Windows Defender Firewall Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-0640 Scripting Engine Memory Corruption Vulnerability
IPS 14023:Scripting Engine Memory Corruption Vulnerability (FEB 19) 8
CVE-2019-0641 Microsoft Edge Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2019-0642 Scripting Engine Memory Corruption Vulnerability
IPS 14024:Scripting Engine Memory Corruption Vulnerability (FEB 19) 9
CVE-2019-0643 Microsoft Edge Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0644 Scripting Engine Memory Corruption Vulnerability
IPS 14025:Scripting Engine Memory Corruption Vulnerability (FEB 19) 10
CVE-2019-0645 Microsoft Edge Memory Corruption Vulnerability
IPS 14027:Microsoft Edge Memory Corruption Vulnerability (FEB 19) 1
CVE-2019-0648 Scripting Engine Information Disclosure Vulnerability
IPS 14026:Scripting Engine Memory Corruption Vulnerability (FEB 19) 11
CVE-2019-0649 Scripting Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0650 Microsoft Edge Memory Corruption Vulnerability
IPS 14028:Microsoft Edge Memory Corruption Vulnerability (FEB 19) 2
CVE-2019-0651 Scripting Engine Memory Corruption Vulnerability
IPS 14012:Scripting Engine Memory Corruption Vulnerability (FEB 19) 1
CVE-2019-0652 Scripting Engine Memory Corruption Vulnerability
IPS 14013:Scripting Engine Memory Corruption Vulnerability (FEB 19) 2
CVE-2019-0654 Microsoft Browser Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-0655 Scripting Engine Memory Corruption Vulnerability
IPS 14014:Scripting Engine Memory Corruption Vulnerability (FEB 19) 3
CVE-2019-0656 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0657 .NET Framework and Visual Studio Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-0658 Scripting Engine Information Disclosure Vulnerability
IPS 14015:Scripting Engine Information Disclosure Vulnerability (FEB 19) 1
CVE-2019-0659 Windows Storage Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0660 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0661 Windows Kernel Information Disclosure Vulnerability
ASPY5383:Malformed-File exe.MP.55
CVE-2019-0662 GDI+ Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0664 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0668 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0669 Microsoft Excel Information Disclosure Vulnerability
ASPY5384:Malformed-File xls.MP.65
CVE-2019-0670 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2019-0671 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0672 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0673 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0674 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0675 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0676 Internet Explorer Information Disclosure Vulnerability
IPS 14021:Internet Explorer Information Disclosure Vulnerability (FEB 19) 1
CVE-2019-0686 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0724 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0728 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2019-0729 Azure IoT Java SDK Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0741 Azure IoT Java SDK Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2019-0742 Team Foundation Server Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2019-0743 Team Foundation Server Cross-site Scripting Vulnerability
There are no known exploits in the wild.

Adobe Coverage

CVE-2019-7089
ASPY 5381: Malformed-File pdf.MP.326
CVE-2019-7090
ASPY 5382: Malformed-File swf.MP.599