Posts

Top CVE's exploited in the wild

SonicWALL Capture Labs Threat Research team observed the below vulnerabilities most exploited by hackers in the year 2019.

  • BlueKeep (CVE-2019-0708)
  • SharePoint Server (CVE-2019-0604)
  • Win32k (CVE-2019-0859)
  • ThinkPhp (CVE not assigned)
  • Atlassian Confluence (CVE-2019-3396)
  • Drupal (CVE-2019-6340)
  • Oracle WebLogic (CVE-2019-2725)
  • Exim Server (CVE-2019-10149)
  • Microsoft GDI (CVE-2019-0903)
  • Webmin Server (CVE-2019-15107)

BlueKeep (CVE-2019-0708)

A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.

Affected Products: Windows 7, Windows XP, Windows Server 2008 and  Windows Server 2003.

Reference: https://securitynews.sonicwall.com/xmlpost/rdp-vulnerability-cve-2019-0708/

 

SharePoint Server (CVE-2019-0604)

An insecure deserialization vulnerability has been reported in Microsoft SharePoint Server. This vulnerability is due to insufficient validation user-supplied data to EntityInstanceIdEncoder.

Affected Products
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2010 & 2013
Microsoft SharePoint Server 2010, 2013 & 2019

Reference: https://securitynews.sonicwall.com/xmlpost/microsoft-sharepoint-server-flaw-cve-2019-0604-is-actively-being-exploited/

 

Win32k (CVE-2019-0859)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka ‘Win32k Elevation of Privilege Vulnerability’.

Affected Products
Microsoft Windows 7, 8.1, 10 & Rt 8.1
Microsoft Windows Server 2008, 2012, 2016 & 2019

Reference: https://securitynews.sonicwall.com/xmlpost/cve-2019-0859-exploits-active-in-the-wild/

 

ThinkPhp (CVE not assigned)

A command execution vulnerability exists in ThinkPHP CMS. The vulnerability is due to improper validation of the URL parameters in App.php.

Reference: https://securitynews.sonicwall.com/xmlpost/thinkphp-remote-code-execution-rce-bug-is-actively-being-exploited/

 

Atlassian Confluence (CVE-2019-3396)

A server side template injection vulnerability has been reported in Atlassian Confluence Server. This vulnerability is due to improper validation of the _template JSON parameter.

Affected Products:

Atlassian Confluence Server 6.14.x prior to 6.14.2
Atlassian Confluence Server 6.13.x prior to 6.13.3
Atlassian Confluence Server 6.12.x prior to 6.12.3
Atlassian Confluence Server 6.6.x prior to 6.6.12

 

Drupal (CVE-2019-6340)

A remote code execution vulnerability has been reported in the web services components of Drupal Core. The vulnerability is due to improper sanitization of data for certain Field Types from non-form sources prior to deserialization.

Affected Products:

Drupal Drupal 8.5.x prior to 8.5.11
Drupal Drupal 8.6.x prior to 8.6.10
Drupal Drupal 7.x

Oracle WebLogic (CVE-2019-2725)

An insecure deserialization vulnerability has been reported in Oracle Weblogic. This vulnerability is due to insufficient validation of XML data within the body of HTTP POST requests.

Affected Products

Oracle WebLogic Server 12.1.3.0.0
Oracle WebLogic Server 10.3.6.0.0

Reference: https://securitynews.sonicwall.com/xmlpost/oracle-weblogic-vulnerability-actively-being-exploited-in-the-wild/

 

Exim Server (CVE-2019-10149)

A remote command execution injection vulnerability has been reported in Exim server. This vulnerability is due to insufficient handling of recipient address in the deliver_message() function.

Affected Products: Exim versions 4.87 to 4.91

Reference: https://securitynews.sonicwall.com/xmlpost/exim-email-servers-are-still-under-attack/

 

Microsoft GDI (CVE-2019-0903)

A remote code execution vulnerability has been reported in the GDI component of Microsoft Windows. The vulnerability is due to the way that GDI handles objects in memory.

Affected Products:

Microsoft Windows 7, 8.1, 10
Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019

Webmin Server (CVE-2019-15107)

A command injection vulnerability has been reported in Webmin. The vulnerability is due to improper validation of user supplied input within password_change.cgi.

Affected Products: Webmin prior to 1.930

Reference: https://securitynews.sonicwall.com/xmlpost/hackers-continue-to-mount-attacks-on-webmin-servers/

 

Exim email servers are still under attack

Exim remote command execution vulnerability has been exploited in the wild since June. This week, Security researchers have observed that Exim vulnerability (CVE-2019-10149) is being exploited to install a new Watchbog Linux malware variant.  After successful exploitation, Watchbog will download and execute cryptocurrency miner payload on the compromised servers.  As per Shodan search from today, there are over 1.5 million unpatched Exim servers that are vulnerable to this attack. SonicWall Capture Labs Threat Research team continues to observe attempts to exploit this vulnerability.

Exim
Exim is a mail transfer agent (MTA) used on Unix-like operating systems. It contains implementations of SMTP server for incoming messages as well ,as a SMTP ( Simple Mail Transfer Protocol) or LMTP ( Local Mail Transfer Protocol ) client for outgoing emails.
SMTP
SMTP is a connection-oriented, text-based protocol in which a mail sender communicates with a mail receiver by issuing command strings and supplying necessary data over a Transmission Control Protocol (TCP) connection. An SMTP session consists of commands originated by an SMTP client (the initiating agent) and corresponding responses from the SMTP server (the listening agent) so that the session is opened, and session parameters are exchanged.

An SMTP transaction consists of the follwing three command/reply sequences:

1. MAIL command, to identify the sender, to establish the return address or bounce-address.
2. RCPT command, to establish a recipient of the message. This command can be issued multiple times, one for each recipient.
3. DATA command, to give the mail data and finally the end of mail data indicator confirming the transaction.

SMTP Mail Transaction:

CVE-2019-10149:

A command injection vulnerability has been reported in Exim. This is due to insufficient sanitization of recipient email addresses, whether the recipient is local or remote. In the vulnerable versions, local part of the receipt address is sent as input to the expand_string() method without enough validation. A remote attacker can exploit this vulnerability by attempting to send an email to a crafted recipient on the target server. Successful exploitation results in the execution of arbitrary commands as the root user.

 

Fig: Snapshot of the code snippet 

Local Exploitation:
The utility expand_string() in the above shown code recognizes the “${run{<command> <args>}}” specified as input, and because new->address is the recipient of the mail that is being delivered, a local attacker can simply send a mail to “${run{…}}@localhost” and execute arbitrary commands, as root.

 

Remote Exploitation (Non-default configuration):
The above exploitation method doesn’t work remotely as the Exim’s default configuration requires the local part of the recipient’s address (the part that precedes the @ sign) to be the name of a local user when requests come from the remote server.
But in various non-default configurations this vulnerability can be exploited remotely say If the “verify = recipient” ACL that checks the local part of the recipient’s address to be the name of a local user was removed manually by an administrator or If Exim was configured to recognize special tags like “+” in the recipient’s address then a remote attacker can simply use the local exploitation method i.e RCPT TO “local_user+${run{…}}@localhost” instead of local_user@localhost.

 

Remote Exploitation (Default Configuration):
Another elaborate way specified in the vulnerability report that allows remote exploitation in the Exim’s default configuration. If the attacker can set up a malicious email server on a domain they control and place the malicious string expansion in the local portion of the sender’s address and send a message with a valid recipient but crafted to bounce back to the attacker controlled email server. In order to make the outgoing message from Exim server fail i.e to set RECIP_FAIL_TIMEOUT, the attacker controlled server can very slowly send a long SMTP response over a 7 day period and finally send a response such as a 550 error to cause the outgoing message to be “frozen” by Exim. On the next scheduled queue run, Exim will then attempt to deliver the bounce message once again but because the message is older than the default permitted age for frozen messages, process_recipients is set to RECIP_FAIL_TIMEOUT, and the malicious string specified in the sender address is then expanded by the expand_string() utility and executed as root.

Trend Chart:

The below graph shows how this vulnerability has been actively exploited.
   Fig: IPS hits for the sig ID 14240 in the last 40 days
Majority of the exploit attempts come from the IP address “89.248.171.57”.  Exim users have also reported online that they have been hacked by this attacker. This attacker is still actively looking for vulnerable Exim servers.

Fix:

Exim version 4.87 to 4.91 is vulnerable by default. This vulnerability is fixed in version 4.92.

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 14240 Exim deliver_message Remote Command Execution 1
IPS: 14241 Exim deliver_message Remote Command Execution 2
IPS: 14242 Exim deliver_message Remote Command Execution 3
IPS: 14243 Exim deliver_message Remote Command Execution 4