CVE-2020-1350 – SIGRed Windows DNS Server Remote Code Execution Vulnerability

Published: 2020-07-14
MITRE CVE-2020-1350

“A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.”

The tricky part about this is that a lot of systems normally closed of from direct access to the internet has an indirect access to the internet via the forwarding capabilities built in to DNS. If you are able to resolve regular domains like “basefarm.com”, “microsoft.com” and “google.com”, and you are asking your Windows Domain Controller, that Domain Controller is vulnerable.

The recommended cause of action is to upgrade as soon as possible. This requires a reboot. There exists a workaround, if a reboot is not something you can do right now. This is a registry edit and only requires a restart of the DNS Service. We refer to official documentation for information about this workaround.

In our experience, and based on information currently available, we expect to see working exploits in the wild within a week, and see it likely that there will be widespread active attacks within 2 weeks.

Basefarm is tracking this vulnerability internally as BF-VLN-2084547, with the highest priority. All internal Basefarm servers vulnerable is scheduled to receive patches within 2020-07-15 18:00. We are currently chasing customer-specific servers and organizing emergency patching.

Update 2020-07-17 21:00 – All change-tickets for customer-specific servers have attention. 4% of the tickets is still in implementation status, 96% is either in Post-implementation Review status or Closed status. We continue to monitor intelligence sources for signs of active exploitation and will ensure priority for the remaining 4% of customers.

Update 2020-07-21 – All servers are patched or have implemented workarounds for this vulnerability.

Official Microsoft Security Advisory

CVE-2020-5902 F5 Big-IP – K52145254: TMUI RCE vulnerability

Published: 2020-07-01
MITRE CVE-2020-5902

“The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.”

“This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.”

CVSS Base score: 10 of 10

Basefarm is tracking the internal work with the vulnerability as BF-VLN-2077661. We have gone through the CVSS-calculator and made an Environmental score for our own prioritization as Basefarm does not expose the vulnerable TMUI, management port and/or Self IP to public traffic. We do not recommend anyone exposes the TMUI, management port and/or Self IP to the public internet, this should be on a management VLAN only reachable after authentication with multi-factor authentication. The reason for this is exactly the risks of vulnerabilities like this.

The recommended way to fix this is to upgrade to a newer version, but there also exists a temporary workaround. We refer to the BigIP knowledge-base article for details about this.

Tomcat

CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service

Published: 2020-06-25
MITRE CVE-2020-11996

“A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.”

CVSS Base score: 7.5 (or 5.9 if Attack Complexity turns out to be High)
CVSS Temporal Score: 6.5 as of 2020-06-26 (Unproven exploit code and Official Patch available)
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

This vulnerability is remedied by upgrading to new version. Basefarm recommends upgrading to these version as soon as possible, at least within a week.

Aerospace and military companies in the crosshairs

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

ESET researchers are warning about targeted phishing attacks agains high-profile aerospace and military companies in Europe. The attacker will approach individual personnel about possible job vacancies, some file-sharing then commences with the pretense of informing about this vacancy, this is in reality malware giving the attacker foothold on the victims machine.

Be vigilant about files you get from strangers, and people who makes contact on social media and LinkedIn.

Top 5 Security News

Zoom continues to face security issues

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

Zoom has become very popular as people are working from home and unable to travel, but faced backlash after multiple security vulnerabilities was discovered earlier this year. Now Cisco Talos discovered two more security vulnerabilities that could lead to remote code execution. One of the bugs was in zooms giphy animated gif code that could lead to path traversal and arbitrary file write, and the other one was in Zooms message processing code where a specially crafted message could lead to arbitrary code execution. Both vulnerabilities was disclosed to Zoom and a patch was released
before Talos publicly released the information. Just another reminder to keep software up to date.

Zoom also announced that they will no longer offer end-to-end encryption to its free user but offer it as part of its premium feature for paid customers. The move has been criticized by security experts, especially in lieu of all the recent security vulnerabilities discovered in their platform. Eric Yuan, Zooms CEO claim that the move is to work together with FBI and local law enforcement in case someone use Zoom for a bad purpose

Top 5 Security links:

NATO Condemns Cyber-Attacks

Fraudulent iOS VPN Apps Attempt to Scam Users

Hackers Compromise Cisco Servers Via SaltStack Flaws

Malware Campaign Hides in Resumes and Medical Leave Forms

Zero-day in Sign in with Apple

Woman holding laptop and media files

Zero click bugs in Apple operating systems

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

According to Google’s project zero there are vulnerabilities in Apples operating systems media managements. The vulnerabilities could let an attacker gain access by sending a specially crafted image or video to a target and no interaction would be needed from the user to be exploited.
The vulnerabilities was found using fuzzing techniques on previously found bugs, and the vulnerabilities they found have now been fixed.

More on this topic:

Google discloses zero-click bugs impacting several Apple operating systems

Top 5 Security links

CVE-2020-4415 – Stack-based Buffer Overflow vulnerability in IBM Spectrum Protect Server

Published: 2020-04-24
MITRE CVE-2020-4415

IBM Spectrum Protect server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. This could allow a remote attacker to execute arbitrary code on the system with the privileges of an administrator or user associated with the Spectrum Protect server or cause the Spectrum Protect server to crash.”

CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179990 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

This vulnerability is remedied by upgrading to version 8.1.9.300 or 7.1.10.100. Basefarm recommends upgrading to these version as soon as possible, at least within a week. Internally in Basefarm this progress is tracked as BF-VLN-2031464. (update 2020-04-27, Basefarm has fully upgraded all IBM Spectrum Protect Servers.)

Unassisted iOS Attacks via MobileMail in the wild

There has been discovered a vulnerability in the default mail application (MobileMail) for iOS.

The vulnerability allows an attacker to send an email to a victim (you) and without any action from you, the email will launch code prepared by the attacker on your device.
The fix for this is not released yet, it has been released as a public Beta-version.
Basefarm has decided to block this app from getting more mail from Basefarms Exchange servers.

Researchers has found attacks in the wild, exploiting this vulnerability, back in January 2018 on iOS 11. They state it is likely that the same threat operators are actively abusing these vulnerabilities presently.

There has been no wide exploitation, this is likely due to the fact that this is high value exploit, and the attacker was trying to minimize the risk for detection. There has been targeted attacks towards executives and VIPs in large organizations, MSSPs in Saudi Arabia and Israel (this can be used to make assumptions on who the threat operator is.), a journalist in Europe, etc.

Now that the vulnerability is exposed the value of it is dropping by the minute, and the threat operator has no reason to hold back any more. There is now a race between them and getting fixes out to the users.

Internally in Basefarm the activity related to this vulnerability is tracked in BF-VLN-2031243.

See also:

https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/

Zoom faces a privacy and security backlash

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

The use of the Zoom video conference application has exploded in popularity amid the ongoing coronavirus pandemic but this has lead to the importance of scrutiny from a security and privacy perspective which as uncovered lots of privacy and security issues and even zero day vulnerabilities.
As result of this Zoom now faces a privacy and security backlash.

More on this topic:

Wired article on Zoom

Even Doc Searls has written a series of four posts about Zoom and privacy.

 

Top 5 Security links

In COVID-19 Scam Scramble, Cybercrooks Recycle Phishing Kits

Hackers Install Secret Backdoor on Thousands of Microsoft SQL Servers

Online Credit Card Skimmers Are Thriving During the Pandemic

‘Zombie’ Windows win32k bug reanimated by researcher

Privacy vs. Surveillance in the Age of COVID-19

Covid-19 phishing on the rise

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Criminals continue to use the covid-19 pandemic for personal gain and according to Barracuda networks the amount of phishing emails have spikes by over 650% since the end of February.

But even as the campaigns are revving up their attempts at tricking people, their attempts remain largely the same as before the pandemic started. The tools, methods and payloads stays pretty much the same, but now trying to leverage the fear and need for information during a crisis. The company proofpoint.com made en excellent one-slide summary of what is new seen below.

 

 

Top 5 Security links