Here we plan to announce vulnerabilities we consider relevant to ourself or our customers. Mostly to announce that we are at least aware of these vulnerabilities, in case you wondered. Maybe you find there is an overlap with vulnerabilities you should be aware of yourself?

This might not be an extensive list, but is performed at best effort.

Local privilege escalation vulnerability in Linux

Published: 2021-06-11
CVE-2021-3560

“A flaw was found in polkit. When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process.” The error is not handled correctly and the request is granted access.

As this vulnerability is very easy to exploit patching should be done as soon as possible.

Internally this is being tracked in BF-VLN-2292713 with the highest priority.

Microsoft Windows Multiple Security Updates Affecting TCP/IP | CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086

Published: 2021-02-09
MITRE CVE-2021-24074
MITRE CVE-2021-24094
MITRE CVE-2021-24086

“Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074, CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely in the short term. We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.”

CVSS Base Score is 9.8, 9.8 and 7.5.

All have potential workarounds that should have a minimal operational impact.

Currently there is no exploit in the wild. If an exploit is published this vulnerability will become critical to mitigate as fast as possible.

We are tracking this internally as BF-VLN-2216447 with the highest priority and is currently evaluating this vulnerability and how to best handle it and ensure operational stability for all our customers.

For further general details we point to the Microsoft Security Response Center blog post about the topic.

CVE-2021-3156 | Heap-Based Buffer Overflow in Sudo

Published: 2021-01-26
MITRE CVE-2021-3156

“The Qualys Research Team has discovered a heap overflow vulnerability in sudo, a near-ubiquitous utility available on major Unix-like operating systems. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.”

This is especially bad for multi-user environments where some users have login access, but should not have root access.

Through a responsible and coordinated vulnerability disclosure from Qualys’ part there should be updated version available for most affected systems. This vulnerability will probably affect most systems that make use of the sudo command.

CVSS Base Score is 7, but during our evaluation we did not agree that there are no privileges required. With the vector set to “Privileges Required” as “Low”, instead of “None” the CVSS score is 6.7. We consider this our environmental CVSS score for this vulnerability.

Currently there is no exploit in the wild. If an exploit is published this vulnerability will become critical to mitigate as fast as possible.

We are tracking this internally as BF-VLN-2208165 with an increased priority and have a goal of having all systems patched within 30 days.

CVE-2020-17095 | Windows Hyper-V Remote Code Execution Vulnerability

Published: 2020-12-08
MITRE CVE-2020-17095

“A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data.”

This is especially bad for “hotel” environment with multiple different tenants that should not be able to influence each other, but it is also bad for environments with different levels of security sensitivity within the same tenant.

There is no workarounds or possible mitigations in the configuration.

CVSS Base Score is 8.5

Basefarm and Microsoft recommends that you install the updates for this vulnerability as soon as possible.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2180090 with the highest priority.

CVE-2020-16891 | Windows Hyper-V Remote Code Execution Vulnerability

Published: 2020-10-13
MITRE CVE-2020-16891

“A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.”

This is especially bad for “hotel” environment with multiple different tenants that should not be able to influence each other, but it is also bad for environments with different levels of security sensitivity within the same tenant.

There is no workarounds or possible mitigations in the configuration.

CVSS Base Score is 8.8

Basefarm and Microsoft recommends that you install the updates for this vulnerability as soon as possible.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2140691with the highest priority.

CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability

Published: 2020-10-13
MITRE CVE-2020-16898

“A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets.”

This vulnerability affects Windows 10, Server 2019 and Server Core versions (see full Security Advisory for proper details). It can be mitigated by disabling a network feature or blocking ICMPv6 Router Advertisement packets.

Basefarm and Microsoft recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave a workaround in place.

CVSS Base score is 9.8

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2139859 with the highest priority.

CVE-2020-3992 | ESXi OpenSLP remote code execution vulnerability

Published: 2020-10-20
MITRE CVE-2020-3992

“A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.”

The workaround is to stop and disable the SLP service.

CVSS Base Score is 9.8

Basefarm and VMware recommends that you install the updates for this vulnerability as soon as possible. Basefarm also recommends that the management services of ESXi servers are not available for regular users, but are places on a protected network.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2146240 with the highest priority.

CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

Published: 2020-07-29
MITRE CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.

There are many non-Windows device implementations of the Netlogon Remote Protocol (also called MS-NRPC). To ensure that vendors of non-compliant implementations can provide customers with updates, a second release that is planned for Q1 2021 will enforce protection for all domain-joined devices.

If the guidelines from the KB article “How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472” are not followed, your organization risks devices in your environment being denied access when the enforcement phase starts in Q1 2021. If there are currently no non-compliant devices in your environment, you can move to enforcement mode for further protection in advance of required enforcement.

The Base CVSS score for this vulnerability is 10 (out of 10 possible).
The Temporal CVSS score (at 2020-08-19) is 9.

There is no known exploitation of this in the wild, and the details about the vulnerability is not publicly disclosed. Meaning there should be some time still before this is a major issue. And if it becomes exploited in the wild, Basefarm always recommends that domain controllers are not reachable on the public internet.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. Our goal is to have this mitigated on all servers within 1 week. We are tracking this internally as BF-VLN-2102348 with the highest priority.

CVE-2020-10713 – GRUB 2 boot loader buffer overflow – aka BootHole

Published: 2020-07-29
MITRE CVE-2020-10713

GRUB 2 is a “boot loader”, it precedes the actual operating system and allows for multiple options in what operating system to load and with what parameters given. An attacker with administrative privileges on a system, or physical access, can use this vulnerability to bypass the check of cryptographic signatures and run arbitrary code. GRUB 2 is the default boot loader for most popular GNU/Linux distributions, but it is independent of any OS so this vulnerability can also be exploited against Windows systems.

Some might say that game is over anyway if an attacker has administrative privileges or physical access, but this attack method provides a way for an attacker to establish persistence on a system perhaps invisible for an OS and its endpoint security platform.

RedHat reports “In CVE-2020-10713, an attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB.”

And for remediation “Red Hat recommends all customers to update their grub2 packages. Red Hat customers using Secure Boot need to update kernel, fwupdate, fwupd, shim and dbxtool packages containing newly validated keys and certificates. Users running Secure Boot with Red Hat Enterprise Linux 8 need to take additional steps to boot into previously released RHEL 8 kernels after applying the grub2 package updates.”

This vulnerability has a CVSS Base score of 8.2 with the CVSS vectors CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Basefarm is currently evaluating this vulnerability and its consequences for the continued secure operations of our customers and our own systems. Internally this is tracked in BF-VLN-2089662. At this early point we refer to the individual vendors for more information:

Microsoft ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB

Red Hat Boot Hole Vulnerability – GRUB 2 boot loader – CVE-2020-10713

This vulnerability was discovered and responsibly disclosed by Eclypsium, see their in depth technical writeup “There’s a Hole in the Boot”

Update 2020-07-31: There are some reports about the RHEL grub2 security update rendering systems unbootable. Patching for vulnerabilities IS important, but doing so in a responsible manner is also a priority.

CVE-2020-1350 – SIGRed Windows DNS Server Remote Code Execution Vulnerability

Published: 2020-07-14
MITRE CVE-2020-1350

“A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.”

The tricky part about this is that a lot of systems normally closed of from direct access to the internet has an indirect access to the internet via the forwarding capabilities built in to DNS. If you are able to resolve regular domains like “basefarm.com”, “microsoft.com” and “google.com”, and you are asking your Windows Domain Controller, that Domain Controller is vulnerable.

The recommended cause of action is to upgrade as soon as possible. This requires a reboot. There exists a workaround, if a reboot is not something you can do right now. This is a registry edit and only requires a restart of the DNS Service. We refer to official documentation for information about this workaround.

In our experience, and based on information currently available, we expect to see working exploits in the wild within a week, and see it likely that there will be widespread active attacks within 2 weeks.

Basefarm is tracking this vulnerability internally as BF-VLN-2084547, with the highest priority. All internal Basefarm servers vulnerable is scheduled to receive patches within 2020-07-15 18:00. We are currently chasing customer-specific servers and organizing emergency patching.

Update 2020-07-17 21:00 – All change-tickets for customer-specific servers have attention. 4% of the tickets is still in implementation status, 96% is either in Post-implementation Review status or Closed status. We continue to monitor intelligence sources for signs of active exploitation and will ensure priority for the remaining 4% of customers.

Update 2020-07-21 – All servers are patched or have implemented workarounds for this vulnerability.

Official Microsoft Security Advisory