Posts

Critical CVE's of the year 2020

CVE-2020-1472 Zerologon – A vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers, making it possible for a hacker to impersonate any computer, including the root domain controller.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-netlogon-elevation-of-privilege-vulnerability-cve-2020-1472/

CVE-2020-0796 SMBGhost – A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka ‘Windows SMBv3 Client/Server Remote Code Execution Vulnerability’.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-smbv3-remote-code-execution-vulnerability-cve-2020-0796/

CVE-2020-1350 SIGRed – A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka ‘Windows DNS Server Remote Code Execution’ Vulnerability.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-dns-server-remote-code-execution-vulnerability-cve-2020-1350/

CVE-2020-0601 Curveball – A vulnerability that affects the certificate verification function in the Crypt32.dll module provided by Microsoft.

Ref: https://securitynews.sonicwall.com/xmlpost/windows-cryptoapi-spoofing-vulnerability-cve-2020-0601/

CVE-2020-5902 – A critical vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI) also known as the Configuration Utility

Ref: https://securitynews.sonicwall.com/xmlpost/cve-2020-5902-hackers-actively-exploit-critical-vulnerability-in-f5-big-ip/

CVE-2020-14882 – A critical and easily exploitable remote code execution vulnerability (CVE-2020-14882) in Oracle WebLogic Server.

Ref: https://securitynews.sonicwall.com/xmlpost/cve-2020-14882-oracle-weblogic-remote-code-execution-vulnerability-exploited-in-the-wild/

CVE-2020-0688 Microsoft Exchange Memory Corruption Vulnerability – A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.

Ref: https://securitynews.sonicwall.com/xmlpost/hackers-are-actively-trying-to-exploit-vulnerable-microsoft-exchange-servers/

CVE-2020–25213 – A vulnerability in WordPress File Manager (wp-file-manager) plugin versions prior to 6.9 that allows remote attackers to upload and execute arbitrary PHP code.

Ref: https://securitynews.sonicwall.com/xmlpost/cve-2020-25213-wordpress-plugin-wp-file-manager-actively-being-exploited-in-the-wild/

Breach of FireEye Offensive Tools

On December 8, 2020, Cyber Security Firm FireEye disclosed an incident that resulted in theft of their offensive security tools (OSTs) used by their Red-Team to test the security posture of their customers.

Some of these tools look like the well-known offensive framework Cobalt Strike. This is evident in the naming convention used by FireEye,

In response to the breach, FireEye has provided Red Team tools countermeasures which are available on Github. These countermeasures include rules in multiple languages such as Snort, Yara, ClamAV, and HXIOC. Since none of these tools leverage 0-day vulnerability, FireEye also provided a listing of CVEs used by these tools.

An important aspect for preventing the usage of these red teaming tools in your environment is to address the vulnerabilities which are known to exploit.

SonicWall Capture Labs Threat Research team provides protection against the list of CVEs shown above as well as the Beacon tool used by FireEye Red-Team with the following signatures

IPS:14422 Pulse Connect Secure Information Disclosure
IPS:15143 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 1
IPS:15156 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 2
IPS:15158 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 3
IPS:15185 Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 4
IPS:15081 Fortinet SSL VPN Web Portal Directory Traversal
IPS:13910 Adobe ColdFusion Arbitrary File Upload 1
IPS:14689 Microsoft SharePoint Remote Code Execution (FEB 19)
IPS:14225 Remote Desktop Services Remote Code Execution (MAY 19)
IPS:14725 Citrix NetScaler ADC/Gateway Directory Traversal 2
IPS:14886 ManageEngine Desktop Central Insecure Deserialization
IPS:14826 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688)
IPS:14888 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688) 2
IPS:14889 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688) 3
IPS:14890 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688) 4
IPS:11556 Win32k Elevation of Privilege (MS16-039) 2
IPS:2007 FireEye RUBEUS nonce 2 TCP
IPS:2009 FireEye RUBEUS nonce 2 UDP
IPS:15285 FireEye BEACON CSBundle USAToday Server
IPS:15286 FireEye RUBEUS Process
IPS:15287 FireEye GORAT Build ID
IPS:15288 FireEye BEACON CSBundle Original Stager

Windows Netlogon Elevation of Privilege Vulnerability CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a network device.
This vulnerability also called Zerologon has a CVSS score of 10.

Netlogon Remote Protocol

The Netlogon Remote Protocol is used for secure communication between machines in a domain and domain controllers (DCs) The communication is secured by using a shared session key computed between the client and the DC that is engaged in the secure communication. The session key is computed by using a preconfigured shared secret that is known to the client and the DC. The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) is a core authentication component of Active Directory that provides authentication for user and computer accounts.

Vulnerability (CVE-2020-1472)

The vulnerability arises from a flaw in the cryptographic implementation of the Netlogon protocol, specifically in its usage of AES-CFB8 encryption. MS-NRPC uses an initialization vector (IV) of 0 (zero) in AES-CFB8 mode when authenticating computer accounts.Due to incorrect use of an AES mode of operation it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain.

The successful exploitation of the vulnerability will allow an attacker to

  • Impersonate any computer on the network,
  • Disable security features that protect the Netlogon process
  • Change a computer’s password associated with its Active Directory account.

Affected products

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)

Microsoft has patched this vulnerability and is urging to prioritize patching Domain Controllers, as this is likely the primary target.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 15143:Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)1
  • IPS 15156:Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 2
  • IPS 15158:Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 3

Microsoft Security Bulletin Coverage for August 2020

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of August 2020. A list of issues reported, along with SonicWall coverage information are as follows:

CVE-2020-1380 Scripting Engine Memory Corruption Vulnerability
IPS 15107:Scripting Engine Memory Corruption Vulnerability (CVE-2020-1380)
IPS 15109:Scripting Engine Memory Corruption Vulnerability (CVE-2020-1380)2

CVE-2020-1464 Windows Spoofing Vulnerability
ASPY 5983:Malformed-File msi.MP.1

CVE-2020-1472 Netlogon Elevation of Privilege Vulnerability
IPS 15143:Windows Netlogon Elevation of Privilege Vulnerability(CVE-2020-1472)

CVE-2020-1480 Windows GDI Elevation of Privilege Vulnerability
IPS 2282:BAD-FILES: Suspicious Executable File Download 9

CVE-2020-1529 Windows GDI Elevation of Privilege Vulnerability
ASPY 5982:Malformed-File exe.MP.150

CVE-2020-1566 Windows Kernel Elevation of Privilege Vulnerability
ASPY 5452:Malformed-File exe.MP.64

CVE-2020-1567 MSHTML Engine Remote Code Execution Vulnerability
IPS 15105:MSHTML Engine Remote Code Execution (CVE-2020-1567)

CVE-2020-1570 Scripting Engine Memory Corruption Vulnerability
IPS 15106:Scripting Engine Memory Corruption Vulnerability (CVE-2020-1570)

CVE-2020-1578 Windows Kernel Information Disclosure Vulnerability
ASPY 5981:Malformed-File exe.MP.152

CVE-2020-1584 Windows dnsrslvr.dll Elevation of Privilege Vulnerability
ASPY 5980:Malformed-File exe.MP.151

CVE-2020-1587 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
ASPY 5979:Malformed-File exe.MP.153

Adobe Coverage:

CVE-2020-9697 Acrobat Reader Disclosure of Sensitive Data
ASPY 5984:Malformed-File pdf.MP.334

CVE-2020-9693 Acrobat Reader Arbitrary Code Execution
ASPY 5985:Malformed-File pdf.MP.335

Following vulnerabilities do not have exploits in the wild :

CVE-2020-0604 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1046 .NET Framework Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1337 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1339 Windows Media Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1377 Windows Registry Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1378 Windows Registry Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1379 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1383 Windows RRAS Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1417 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1455 Microsoft SQL Server Management Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1459 Windows ARM Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1466 Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2020-1467 Windows Hard Link Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1470 Windows Work Folders Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2020-1473 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1474 Windows Image Acquisition Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1475 Windows Server Resource Management Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1476 ASP.NET and .NET Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1477 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1478 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1479 DirectX Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1483 Microsoft Outlook Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1484 Windows Work Folders Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1485 Windows Image Acquisition Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1486 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1487 Media Foundation Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1488 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1489 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1490 Windows Storage Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1492 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1493 Microsoft Outlook Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1494 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1495 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1496 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1497 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1498 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1499 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1500 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1501 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-1502 Microsoft Word Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1503 Microsoft Word Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1504 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1505 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1509 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1510 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1511 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1512 Windows State Repository Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1513 Windows CSC Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1515 Windows Telephony Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1516 Windows Work Folders Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1517 Windows File Server Resource Management Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1518 Windows File Server Resource Management Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1519 Windows UPnP Device Host Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1520 Windows Font Driver Host Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1521 Windows Speech Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1522 Windows Speech Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1524 Windows Speech Shell Components Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1525 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1526 Windows Network Connection Broker Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1527 Windows Custom Protocol Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1528 Windows Radio Manager API Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1530 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1531 Windows Accounts Control Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1533 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1534 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1535 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1536 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1537 Windows Remote Access Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1538 Windows UPnP Device Host Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1539 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1540 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1541 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1542 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1543 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1544 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1545 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1546 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1547 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1548 Windows WaasMedic Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1549 Windows CDP User Components Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1550 Windows CDP User Components Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1551 Windows Backup Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1552 Windows Work Folder Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1553 Windows Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1554 Media Foundation Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1555 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1556 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1557 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1558 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1560 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1561 Microsoft Graphics Components Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1562 Microsoft Graphics Components Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1563 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1564 Jet Database Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1565 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1568 Microsoft Edge PDF Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1569 Microsoft Edge Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2020-1571 Windows Setup Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1573 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1574 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1577 DirectWrite Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1579 Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1580 Microsoft Office SharePoint XSS Vulnerability
There are no known exploits in the wild.
CVE-2020-1581 Microsoft Office Click-to-Run Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2020-1582 Microsoft Access Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1583 Microsoft Word Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-1585 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2020-1591 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2020-1597 ASP.NET Core Denial of Service Vulnerability
There are no known exploits in the wild.