ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability

Published: 2020-03-23

Microsoft is warning about a vulnerability they have detected used in targeted attacks and that there is no patch for yet. No patch and detected in use, a place for the scary word “zero-day”, but this is not a tabloid.

“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.” This would not be so exciting if not document formats had the feature of including their own fonts in documents.

“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”

This affects Windows 10 (but read on), and all Windows Server from 2008 until 2019. Windows 10 has some mitigating features. As always, read the advisory for full details.

There exist no official patch for this as of now. There are some mitigations possible, like “Disable the Preview Pane and Details Pane in Windows Explorer”, “Disable the WebClient service” (WebDAV) and “Rename ATMFD.DLL”. Basefarm has not tested these and recommend everyone to have a test environment that resembles their production environment and test the mitigations before applying them.

Consider the usage of your servers, are there documents viewed on them? Are the documents from an unknown, potentially untrusted source? Do you value the integrity of that server and all it in turn has access too? It might be worth to consider implementing the mitigations. For many servers this use case is not a match and it is potentially better to wait for an official and tested patch.

Basefarm follows this vulnerability internally as BF-VLN-2011507 and asking our dedicated customer teams to follow up these recommendations.

Covid-19 forces changes

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Helpdesksecurity writes “A time of chaos is a time for opportunity for unscrupulous individuals and groups, and COVID-19 is seemingly an unmissable boon for cyber crooks.

We’ve already covered a variety of COVID-19-themed scams, phishing attempts, hoaxes and malware delivery campaigns, but new and inventive approaches are popping up daily.”

Top 5 Security links

Infosec preparedness during Covid-19 outbreak

Our customers’ business continuity is of paramount importance for Basefarm. We are fully aware that several of our clients provide services that are absolutely critical for our society. Basefarm is following the ongoing outbreak closely and is constantly considering the implications for secure operations for us and our customers.

There are several ways that this outbreak can affect secure operations. In short Basefarm recommends increased security awareness and consciousness, especially in regards to remote work.

Keeping software updated has always been an important part of secure operations, and it is important that this work is still prioritized. Lack of available resources over an increased period of time might affect a businesses capability to perform these actions.

The risk of a breach going unnoticed increases significantly if there is manual work needed to be performed in order to detect a potential breach. If there is a significant increase in sick leave this activity will suffer. Automation of these processes are recommended.

Working remotely
It is normal for employees to have a lower guard when working remotely, due to the lesser focus on security awareness.

  • The current situation is such that deviations from normal security procedures have a higher acceptance than normal. Consider in which parts this is acceptable, while the employees should still able to perform their work in a secure way.
  • Ensure there are routines for handling of alerts and alarms.
  • Remind employees about routines for alerting about security nonconformity.
  • Consider strengthening the IT-support function. As many employees might not be used to remote work they might have an increase need for support. If the employees find it hard to get help they might take unwanted shortcuts.
  • Only use privately owned IT equipment to work remotely if this is agreed with and approved by the employer. Privately owned equipment might not be up to the same standards as corporate equipment.
  • Update all equipment used for remote work.
  • Use a secure connection to all corporate network and services, like VPN.
  • Ensure that credentials are strong and use multi-factor authentication where possible.
  • Remote work might increase the exposure of business sensitive information. Increase the awareness around what kind of information that is OK to handle when working remotely.
  • SARS-coronavirus-2 in cyber attacks and malspam
    Cyber threat actors have always, and will always, leverage recent events and news to increase the likelihood of victims opening emails, clicking links or opening attachments.

    Several security consultancy services are reporting about campaigns using the covid-19 outbreak as a theme for their phishing, and this will probably increase in the future.

    Basefarm recommends to stay vigilant when reviewing suspect email and links. Some threat actors are setting up fake websites and using covid-19 themed domains. The goal is to steal credentials or infect victims.

    In general threat actors are often aiming to pray on their victims’ fear, and to make it seem time critical.

    There has been examples of malspam imitating well-known organizations like WHO, and government health authorities that victims will be familiar with. Combined with fear, uncertainty and doubt the attacker might see more success.

    General awareness and vigilance online

    Fake news and disinformation about the covid-19 outbreak spread quickly online and have a wide reach. Fake accounts on social media are created in large numbers and are used to spread bad information. Awareness and critical thinking when faced with sensational news, and verifying sources, helps handle the flow of information.

    Talk together

    The trifecta of fearmongering, urgency and discretion/secrecy is a well-known repeating pattern in successful frauds. The attacker impersonates someone important whom the victim should trust, and asks the victim to do something for them. It is urgent, so the attacker wants the victim to do this as fast as possible, and they add some reason for this to be secret. That way they hope the victims gets too stressed to stop and consider the situation.

    The solution here is to talk together. Accept that some things need a little bit more time to proceed. Stop and consider. Give the employees enough confidence to double check and verify odd requests. Talk together.

    And wash your hands.

CVE-2020-0852 | Microsoft Word Remote Code Execution Vulnerability

Published: 2020-03-10
MITRE CVE-2020-0852

“A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.”

This vulnerability was overshadowed by the SMBv3 remote code execution vulnerability “announced” at the same time, as we have written about earlier. Basefarm evaluated this to be just as likely, if not more, to cause major infections in a corporate environment. It requires some user action to successfully exploit, but opening a document is not an action most users considers risky.

Basefarm recommends applying this patch as soon as possible, even though there is no known exploitation and no proof of concept published, because if a campaign starts up exploiting this on a Friday afternoon you will not have enough time to react.

This affects Microsoft Office (certain versions) AND Sharepoint Server 2019.
Basefarm is tracking this internally as BF-VLN-2004690.

CVE-2020-0796 | Server Message Block 3.0 (SMBv3) Remote Code Execution

Published: 2020-03-10
MITRE CVE-2020-0796

As of writing, Microsoft has not released any official information, but FortiGuard writes that there exists a “(…) Buffer Overflow Vulnerability in Microsoft SMB Servers. The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.”

And as affected products FortiGuard mentions Windows 10, and Semi-Annual Channel (Windows Server 1903 and 1909). But as Microsoft has not released any official information this might be subject to change.

Basefarm does not recommend anyone to expose SMB and port 445 to an untrusted network. There also exists unofficial mitigation by adding a registry key to disable compression on the SMBv3 protocol. Basefarm is following the developments here, but as of writing there is no known proof of exploit or exploitation in the wild, there is also no official fix for this vulnerability.

Update 2020-03-11:

Microsoft has now released an advisory where they confirm previously known details and adds “to exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”

So this vulnerability is more of a client-issue than a server issue. The known workaround to disable compression in SMBv3 prevents exploitation against an SMB Server, not an SMB Client.

Still no official fix, no known exploitation in the wild and no proof of concept available.

Basefarm is tracking this is a client issue in BF-VLN-2003557 and will most likely force all our clients to install this as soon as an official fix is available. We recommend others do too.

Nation state actors plays the long game

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

“Qihoo 360, one of the most prominent cybersecurity firms, today published a new report accusing the U.S. Central Intelligence Agency (CIA) to be behind an 11-year-long hacking campaign against several Chinese industries and government agencies.”

“According to Qihoo 360, the hacking tools developed by the CIA, such as Fluxwire and Grasshopper, were used by the APT-C-39 group against Chinese targets years before the Vault 7 leak.”

Read more

Top 5 Security News

Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!
Let’s Encrypt is Revoking Three Million Certificates on March 4
670+ Subdomains of Microsoft are Vulnerable to Takeover
Emoji to Zero-Day: Latin Homoglyphs in Domains and Subdomains
CPR evasion encyclopedia: The Check Point evasion repository

Reality Check: The Story of Cybersecurity

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

“Often, hackers are portrayed as “technical sorcerers” while defenders are “hapless techies focused on zero-day vulnerabilities and only the most advanced threat vectors,” but in reality, that’s not true.
Cybercriminals are not always sophisticated, and in fact, more script kiddies exist than technically savvy hackers.
The difference is that cybercriminals are more organized and create tools and exploit kits that allow less sophisticated actors to become well equipped in launching attacks.”

said Rohit Ghai, president of RSA, in his keynote at the RSA Conference in San Francisco this week.

“The security landscape needs to change the narrative of its story. So we need to reclaim our narrative, reorganize our defense, and rethink our culture.”
this was his solicitation to the cyber security community.

more talks from the RSA Conference 2020 or download the RSAC 2020 Trend Report


Top 5 Security News

RSAC 2020: Lack of Machine Learning Laws Open Doors To Attacks

New Wi-Fi Encryption Vulnerability Affects Over A Billion Devices

New LTE Network Flaw Could Let Attackers Impersonate 4G Mobile Users

FBI recommends using passphrases instead of complex passwords

Gmail Is Catching More Malicious Attachments With Deep Learning


CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability

Published: 02/11/2020 | Last Updated : 02/11/2020
MITRE CVE-2020-0688

“A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.

Knowledge of a the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.”

Zero Day Initiative recently published a write-up about this vulnerability, and some key points to know is “Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config. These keys are used to provide security for ViewState.” and “Due to the use of static keys, an authenticated attacker can trick the server into deserializing maliciously crafted ViewState data. With the help of, an attacker can execute arbitrary .NET code on the server in the context of the Exchange Control Panel web application, which runs as SYSTEM.”

So this is bad. On the bright side it requires an authenticated user, but considering the amount of leaked credentials these days it could be better.

We agree with Zero Day Initiative when they say “if you’re an Exchange Server administrator, you should treat this as a Critical-rated patch and deploy it as soon as your testing is complete. Microsoft lists this with an Exploit Index of 1, which means they expect to see exploits within 30 days of the patch release. As demonstrated, that certainly seems likely.”

Update 2020-03-04: Exploit for this vulnerability is now a part of the metasploit framework and exploitation is very easy, just needs any domain user.

Internally Basefarm is tracking this as BF-VLN-1994667.

CVE-2020-1938 – Apache Tomcat AJP Request Injection and potential Remote Code Execution

Published by Apache: 2020-02-24
MITRE CVE-2020-3158

“When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising.”

There is not enough details available yet, but the vulnerability has at least a CVSS Base score of 8.1, High. This depends on how hard it is to exploit, etc.

There is proof of concept published, but as of writing no known public exploitation of this vulnerability.

Basefarm customers will be upgraded as part of normal patching routines.

CVE-2020-3158 – Cisco Smart Software Manager On-Prem Static Default Credential Vulnerability

Published by Cisco: 2020-02-19
MITRE CVE-2020-3158

“A vulnerability in the High Availability (HA) service of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to access a sensitive part of the system with a high-privileged account.”

The vulnerability has a CVSS Base score of 9.8, Critical.

Basefarm has triaged this vulnerability and found that we are not using the Cisco Smart Software Manager On-Prem software. Basefarm will not track this vulnerability further.