Top CVEs exploited in the wild

The SonicWall Capture Labs Threat Research team observed the following vulnerabilities to be the most heavily exploited in the wild during 2019.

  • BlueKeep (CVE-2019-0708)
  • SharePoint Server (CVE-2019-0604)
  • Win32k (CVE-2019-0859)
  • ThinkPhp (CVE not assigned)
  • Atlassian Confluence (CVE-2019-3396)
  • Drupal (CVE-2019-6340)
  • Oracle WebLogic (CVE-2019-2725)
  • Exim Server (CVE-2019-10149)
  • Microsoft GDI (CVE-2019-0903)
  • Webmin Server (CVE-2019-15107)

BlueKeep (CVE-2019-0708)

A remote code execution vulnerability exists in Remote Desktop Services (formerly known as Terminal Services) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

Affected Products: Windows 7, Windows XP, Windows Server 2008 and Windows Server 2003.

Reference: https://securitynews.sonicwall.com/xmlpost/rdp-vulnerability-cve-2019-0708/

SharePoint Server (CVE-2019-0604)

An insecure deserialization vulnerability has been reported in Microsoft SharePoint Server. The vulnerability is due to insufficient validation of user-supplied data passed to EntityInstanceIdEncoder.

Affected Products:

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Foundation 2010 & 2013
  • Microsoft SharePoint Server 2010, 2013 & 2019

Reference: https://securitynews.sonicwall.com/xmlpost/microsoft-sharepoint-server-flaw-cve-2019-0604-is-actively-being-exploited/

Win32k (CVE-2019-0859)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

Affected Products:

  • Microsoft Windows 7, 8.1, 10 & RT 8.1
  • Microsoft Windows Server 2008, 2012, 2016 & 2019

Reference: https://securitynews.sonicwall.com/xmlpost/cve-2019-0859-exploits-active-in-the-wild/

ThinkPhp (CVE not assigned)

A command execution vulnerability exists in ThinkPHP CMS. The vulnerability is due to improper validation of URL parameters in App.php.

Reference: https://securitynews.sonicwall.com/xmlpost/thinkphp-remote-code-execution-rce-bug-is-actively-being-exploited/

Atlassian Confluence (CVE-2019-3396)

A server-side template injection vulnerability has been reported in Atlassian Confluence Server. The vulnerability is due to improper validation of the _template JSON parameter.

Affected Products:

  • Atlassian Confluence Server 6.14.x prior to 6.14.2
  • Atlassian Confluence Server 6.13.x prior to 6.13.3
  • Atlassian Confluence Server 6.12.x prior to 6.12.3
  • Atlassian Confluence Server 6.6.x prior to 6.6.12

Drupal (CVE-2019-6340)

A remote code execution vulnerability has been reported in the web services components of Drupal Core. The vulnerability is due to improper sanitization of data for certain Field Types from non-form sources prior to deserialization.

Affected Products:

  • Drupal 8.5.x prior to 8.5.11
  • Drupal 8.6.x prior to 8.6.10
  • Drupal 7.x

Oracle WebLogic (CVE-2019-2725)

An insecure deserialization vulnerability has been reported in Oracle WebLogic. The vulnerability is due to insufficient validation of XML data within the body of HTTP POST requests.

Affected Products:

  • Oracle WebLogic Server 12.1.3.0.0
  • Oracle WebLogic Server 10.3.6.0.0

Reference: https://securitynews.sonicwall.com/xmlpost/oracle-weblogic-vulnerability-actively-being-exploited-in-the-wild/

Exim Server (CVE-2019-10149)

A remote command injection vulnerability has been reported in the Exim mail server. The vulnerability is due to insufficient handling of the recipient address in the deliver_message() function.

Affected Products: Exim versions 4.87 to 4.91

Reference: https://securitynews.sonicwall.com/xmlpost/exim-email-servers-are-still-under-attack/

Microsoft GDI (CVE-2019-0903)

A remote code execution vulnerability has been reported in the GDI component of Microsoft Windows. The vulnerability is due to the way that GDI handles objects in memory.

Affected Products:

  • Microsoft Windows 7, 8.1, 10
  • Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019

Webmin Server (CVE-2019-15107)

A command injection vulnerability has been reported in Webmin. The vulnerability is due to improper validation of user-supplied input within password_change.cgi.

Affected Products: Webmin prior to 1.930

Reference: https://securitynews.sonicwall.com/xmlpost/hackers-continue-to-mount-attacks-on-webmin-servers/

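Several of the entries above define exposure purely by version range (Confluence, Drupal, Exim and Webmin). The following script is an added example, not SonicWall's or any vendor's code: it transcribes those ranges into rules and checks a constructed server inventory against them, returning the CVE ids that apply to each host. The product keys ("confluence", "exim", ...) and the host names are my own labels. Version strings are reduced to their numeric components, so distribution backports (which keep an old version number but carry the fix) will still be flagged; treat a hit as a prompt to confirm the patch level, not as proof of exposure.

```python
import re

# Affected-version rules transcribed from the advisories above.
# "branch": the rule applies only inside that release line (6.14.x).
# "fixed_in": exclusive upper bound ("prior to 6.14.2").
# "min"/"max": inclusive bounds (Exim "4.87 to 4.91").
# Product keys are labels chosen for this example, not vendor identifiers.
AFFECTED_RULES = [
    {"cve": "CVE-2019-3396", "product": "confluence", "branch": "6.14", "fixed_in": "6.14.2"},
    {"cve": "CVE-2019-3396", "product": "confluence", "branch": "6.13", "fixed_in": "6.13.3"},
    {"cve": "CVE-2019-3396", "product": "confluence", "branch": "6.12", "fixed_in": "6.12.3"},
    {"cve": "CVE-2019-3396", "product": "confluence", "branch": "6.6", "fixed_in": "6.6.12"},
    {"cve": "CVE-2019-6340", "product": "drupal", "branch": "8.5", "fixed_in": "8.5.11"},
    {"cve": "CVE-2019-6340", "product": "drupal", "branch": "8.6", "fixed_in": "8.6.10"},
    {"cve": "CVE-2019-6340", "product": "drupal", "branch": "7"},
    {"cve": "CVE-2019-10149", "product": "exim", "min": "4.87", "max": "4.91"},
    {"cve": "CVE-2019-15107", "product": "webmin", "fixed_in": "1.930"},
]


def parse_version(text):
    """'6.14.2' -> (6, 14, 2). Only numeric components are kept, so a
    distro suffix such as '+deb9u1' does not mark a backported fix."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def _in_branch(version, branch):
    prefix = parse_version(branch)
    return version[:len(prefix)] == prefix


def rule_matches(version, rule):
    """True when the parsed version falls inside the rule's range."""
    v = parse_version(version)
    if "branch" in rule and not _in_branch(v, rule["branch"]):
        return False
    if "fixed_in" in rule and v >= parse_version(rule["fixed_in"]):
        return False
    if "min" in rule and v < parse_version(rule["min"]):
        return False
    if "max" in rule:
        upper = parse_version(rule["max"])
        if v[:len(upper)] > upper:  # 4.91.1 still counts as 4.91
            return False
    return True


def affected_cves(product, version):
    """CVE ids from the advisories above that apply to product/version."""
    hits = []
    for rule in AFFECTED_RULES:
        if rule["product"] == product and rule_matches(version, rule):
            if rule["cve"] not in hits:
                hits.append(rule["cve"])
    return hits


def check_inventory(inventory):
    """inventory: iterable of (host, product, version) tuples. Returns only
    the entries that match at least one rule, each with its CVE list."""
    findings = []
    for host, product, version in inventory:
        cves = affected_cves(product, version)
        if cves:
            findings.append({"host": host, "product": product,
                             "version": version, "cves": cves})
    return findings


# Constructed sample inventory (fictional hosts) for a stand-alone run.
SAMPLE_INVENTORY = [
    ("wiki-01", "confluence", "6.14.1"),
    ("wiki-02", "confluence", "6.14.2"),
    ("cms-01", "drupal", "8.6.9"),
    ("cms-02", "drupal", "7.65"),
    ("mx-01", "exim", "4.91"),
    ("mx-02", "exim", "4.92"),
    ("admin-01", "webmin", "1.920"),
]

if __name__ == "__main__":
    for finding in check_inventory(SAMPLE_INVENTORY):
        print(f"{finding['host']}: {finding['product']} {finding['version']} "
              f"-> {', '.join(finding['cves'])}")
```

Running the script lists wiki-01, cms-01, cms-02, mx-01 and admin-01 as matches; wiki-02 and mx-02 sit at or beyond the fixed versions and are not reported. Feeding it a real inventory export only requires mapping your product names onto the rule keys.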
CVE-2019-0859 exploits active in the wild

The SonicWall Capture Labs Threat Research team observed CVE-2019-0859 being actively exploited in the wild.

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2019-0859 is a use-after-free vulnerability in the CreateWindowEx function. The exploit uses this vulnerability to elevate privileges and run shellcode.

[Screenshot of the exploit code from the original post, not reproduced here]

The code shown above is used to execute arbitrary shellcode.

The injected shellcode payload (stored in $var_code) creates a named pipe. Any data read from the named pipe is executed directly as shellcode.

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

ASPY 5452: Malformed-File exe.MP.64

This threat is detected proactively by Capture ATP w/RTDMI.

Threat Graph: [image not reproduced here]

IOC:

eea10d513ae0c33248484105355a25f80dc9b4f1cfd9e735e447a6f7fd52b569

9f9ea63ad90da73185ff84378844902bf5ce8af0f1b9c8895775697822652d4f

772392b04d05f4b219c20daafa9f2edf727f51ab09c9796e5cdfb4916432bb66

1dfc83d5bc38b88623d54103aa58a2c08b494bc0d0d1098e857dde87f0be0616

Microsoft Security Bulletin Coverage for April 2019

The SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft's security advisories for the month of April 2019. The list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2019-0685 Win32k Elevation of Privilege Vulnerability
  There are no known exploits in the wild.
CVE-2019-0688 Windows TCP/IP Information Disclosure Vulnerability
  ASPY 5456: Malformed-File exe.MP.66
CVE-2019-0730 Windows Elevation of Privilege Vulnerability
  ASPY 5457: Malformed-File exe.MP.67
CVE-2019-0731 Windows Elevation of Privilege Vulnerability
  ASPY 5458: Malformed-File exe.MP.68
CVE-2019-0732 Windows Security Feature Bypass Vulnerability
  ASPY 5459: Malformed-File exe.MP.69
CVE-2019-0735 Windows CSRSS Elevation of Privilege Vulnerability
  ASPY 5460: Malformed-File exe.MP.70
CVE-2019-0739 Scripting Engine Memory Corruption Vulnerability
  There are no known exploits in the wild.
CVE-2019-0752 Scripting Engine Memory Corruption Vulnerability
  IPS 14132: Scripting Engine Memory Corruption Vulnerability (APR 19) 1
CVE-2019-0753 Scripting Engine Memory Corruption Vulnerability
  IPS 14133: Scripting Engine Memory Corruption Vulnerability (APR 19) 2
CVE-2019-0764 Microsoft Browsers Tampering Vulnerability
  There are no known exploits in the wild.
CVE-2019-0786 SMB Server Elevation of Privilege Vulnerability
  There are no known exploits in the wild.
CVE-2019-0790 MS XML Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0791 MS XML Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0792 MS XML Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0793 MS XML Remote Code Execution Vulnerability
  IPS 14134: MS XML Remote Code Execution Vulnerability (APR 19)
CVE-2019-0794 OLE Automation Remote Code Execution Vulnerability
  ASPY 5462: Malformed-File vbs.MP.1
CVE-2019-0795 MS XML Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0796 Windows Elevation of Privilege Vulnerability
  ASPY 5461: Malformed-File exe.MP.71
CVE-2019-0801 Office Remote Code Execution Vulnerability
  IPS 14124: Microsoft Office Remote Code Execution (APR 19) 1
CVE-2019-0802 Windows GDI Information Disclosure Vulnerability
  There are no known exploits in the wild.
CVE-2019-0803 Win32k Elevation of Privilege Vulnerability
  ASPY 5453: Malformed-File dll.MP.4
CVE-2019-0805 Windows Elevation of Privilege Vulnerability
  ASPY 5454: Malformed-File exe.MP.65
CVE-2019-0806 Chakra Scripting Engine Memory Corruption Vulnerability
  IPS 14136: Chakra Scripting Engine Memory Corruption Vulnerability (APR 19) 3
CVE-2019-0810 Chakra Scripting Engine Memory Corruption Vulnerability
  IPS 14137: Chakra Scripting Engine Memory Corruption Vulnerability (APR 19) 4
CVE-2019-0812 Chakra Scripting Engine Memory Corruption Vulnerability
  There are no known exploits in the wild.
CVE-2019-0813 Windows Admin Center Elevation of Privilege Vulnerability
  There are no known exploits in the wild.
CVE-2019-0814 Win32k Information Disclosure Vulnerability
  There are no known exploits in the wild.
CVE-2019-0815 ASP.NET Core Denial of Service Vulnerability
  There are no known exploits in the wild.
CVE-2019-0817 Microsoft Exchange Spoofing Vulnerability
  There are no known exploits in the wild.
CVE-2019-0822 Microsoft Graphics Components Remote Code Execution Vulnerability
  ASPY 5455: Malformed-File ppt.MP.9
CVE-2019-0823 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0824 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0825 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0826 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0827 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0828 Microsoft Excel Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0829 Chakra Scripting Engine Memory Corruption Vulnerability
  There are no known exploits in the wild.
CVE-2019-0830 Microsoft Office SharePoint XSS Vulnerability
  There are no known exploits in the wild.
CVE-2019-0831 Microsoft Office SharePoint XSS Vulnerability
  There are no known exploits in the wild.
CVE-2019-0833 Microsoft Edge Information Disclosure Vulnerability
  There are no known exploits in the wild.
CVE-2019-0835 Microsoft Scripting Engine Information Disclosure Vulnerability
  There are no known exploits in the wild.
CVE-2019-0836 Windows Elevation of Privilege Vulnerability
  There are no known exploits in the wild.
CVE-2019-0837 DirectX Information Disclosure Vulnerability
  There are no known exploits in the wild.
CVE-2019-0838 Windows Information Disclosure Vulnerability
  There are no known exploits in the wild.
CVE-2019-0839 Windows Information Disclosure Vulnerability
  There are no known exploits in the wild.
CVE-2019-0840 Windows Kernel Information Disclosure Vulnerability
  ASPY 5451: Malformed-File exe.MP.63
CVE-2019-0841 Windows Elevation of Privilege Vulnerability
  There are no known exploits in the wild.
CVE-2019-0842 Windows VBScript Engine Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0844 Windows Kernel Information Disclosure Vulnerability
  ASPY 5451: Malformed-File exe.MP.63
CVE-2019-0845 Windows IOleCvt Interface Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0846 Jet Database Engine Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0847 Jet Database Engine Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0848 Win32k Information Disclosure Vulnerability
  There are no known exploits in the wild.
CVE-2019-0849 Windows GDI Information Disclosure Vulnerability
  There are no known exploits in the wild.
CVE-2019-0851 Jet Database Engine Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0853 GDI+ Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0856 Windows Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0857 Team Foundation Server Spoofing Vulnerability
  There are no known exploits in the wild.
CVE-2019-0858 Microsoft Exchange Spoofing Vulnerability
  There are no known exploits in the wild.
CVE-2019-0859 Win32k Elevation of Privilege Vulnerability
  ASPY 5452: Malformed-File exe.MP.64
CVE-2019-0860 Chakra Scripting Engine Memory Corruption Vulnerability
  IPS 14128: Chakra Scripting Engine Memory Corruption Vulnerability (APR 19) 1
CVE-2019-0861 Chakra Scripting Engine Memory Corruption Vulnerability
  IPS 14129: Chakra Scripting Engine Memory Corruption Vulnerability (APR 19) 2
CVE-2019-0862 Windows VBScript Engine Remote Code Execution Vulnerability
  IPS 14130: VBScript Engine Remote Code Execution Vulnerability (APR 19) 1
CVE-2019-0866 Team Foundation Server Cross-site Scripting Vulnerability
  There are no known exploits in the wild.
CVE-2019-0867 Team Foundation Server Cross-site Scripting Vulnerability
  There are no known exploits in the wild.
CVE-2019-0868 Team Foundation Server Cross-site Scripting Vulnerability
  There are no known exploits in the wild.
CVE-2019-0869 Team Foundation Server HTML Injection Vulnerability
  There are no known exploits in the wild.
CVE-2019-0870 Team Foundation Server Cross-site Scripting Vulnerability
  There are no known exploits in the wild.
CVE-2019-0871 Team Foundation Server Cross-site Scripting Vulnerability
  There are no known exploits in the wild.
CVE-2019-0874 Team Foundation Server Cross-site Scripting Vulnerability
  There are no known exploits in the wild.
CVE-2019-0875 Azure DevOps Server Elevation of Privilege Vulnerability
  There are no known exploits in the wild.
CVE-2019-0876 Open Enclave SDK Information Disclosure Vulnerability
  There are no known exploits in the wild.
CVE-2019-0877 Jet Database Engine Remote Code Execution Vulnerability
  There are no known exploits in the wild.
CVE-2019-0879 Jet Database Engine Remote Code Execution Vulnerability
  There are no known exploits in the wild.
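The coverage list above pairs each CVE with either a SonicWall signature (IPS or ASPY) or a note that no exploit is known. For a SOC that wants to tie an IPS/ASPY alert back to the CVE it covers, or to report what fraction of a bulletin has signature coverage, the plain-text layout has to be parsed first. The script below is an added example, not SonicWall code: it parses the two-line-per-CVE layout (tolerating the "5456:Malformed-File" and "5452: Malformed-File" spacing variants) into records, builds a signature-to-CVE index, and summarises coverage. The embedded input is a constructed excerpt of entries copied from the list above.

```python
import re
from collections import defaultdict

# Constructed excerpt: a few entries copied from the April 2019 coverage
# list above, kept in the same two-line layout the post uses.
SAMPLE_COVERAGE = """\
CVE-2019-0685 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2019-0688 Windows TCP/IP Information Disclosure Vulnerability
ASPY 5456:Malformed-File exe.MP.66
CVE-2019-0752 Scripting Engine Memory Corruption Vulnerability
IPS 14132:Scripting Engine Memory Corruption Vulnerability (APR 19) 1
CVE-2019-0840 Windows Kernel Information Disclosure Vulnerability
ASPY 5451:Malformed-File exe.MP.63
CVE-2019-0844 Windows Kernel Information Disclosure Vulnerability
ASPY 5451:Malformed-File exe.MP.63
CVE-2019-0859 Win32k Elevation of Privilege Vulnerability
ASPY 5452: Malformed-File exe.MP.64
"""

CVE_LINE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+(.+?)\s*$")
# Signature lines: "<IPS|ASPY> <id>:<name>", with or without a space after the colon.
SIG_LINE = re.compile(r"^(IPS|ASPY)\s+(\d+)\s*:\s*(.+?)\s*$")
NO_EXPLOIT = "There are no known exploits in the wild."


def parse_coverage(text):
    """Turn the two-line-per-CVE list into records of the form
    {"cve", "title", "signature"} where signature is
    {"type", "id", "name"} or None when no exploit is known."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CVE_LINE.match(line)
        if m:
            current = {"cve": m.group(1), "title": m.group(2), "signature": None}
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"coverage line before any CVE: {line!r}")
        m = SIG_LINE.match(line)
        if m:
            current["signature"] = {"type": m.group(1), "id": int(m.group(2)),
                                    "name": m.group(3)}
        elif line != NO_EXPLOIT:
            raise ValueError(f"unrecognised line: {line!r}")
    return records


def signature_index(records):
    """Map 'ASPY 5451' -> [CVE ids]. One signature may cover several CVEs
    (ASPY 5451 covers both kernel information-disclosure bugs above), so an
    alert on that signature should be reviewed against every CVE listed."""
    index = defaultdict(list)
    for rec in records:
        sig = rec["signature"]
        if sig:
            index[f"{sig['type']} {sig['id']}"].append(rec["cve"])
    return dict(index)


def summarise(records):
    """Counts for a coverage report: total CVEs, how many have a signature,
    and how many the post marks as having no known exploit."""
    covered = sum(1 for r in records if r["signature"])
    return {"total": len(records), "covered": covered,
            "no_known_exploits": len(records) - covered}


if __name__ == "__main__":
    recs = parse_coverage(SAMPLE_COVERAGE)
    for sig, cves in sorted(signature_index(recs).items()):
        print(f"{sig}: {', '.join(cves)}")
    print(summarise(recs))
```

Pointing parse_coverage at the full list above (pasted into a file) gives one record per CVE; the index is the useful artefact for triage, since it answers "which CVEs does this alert relate to?" without a manual lookup.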