Here we plan to announce vulnerabilities we consider relevant to ourself or our customers. Mostly to announce that we are at least aware of these vulnerabilities, in case you wondered. Maybe you find there is an overlap with vulnerabilities you should be aware of yourself?

This might not be an extensive list, but is performed at best effort.

CVE-2020-16891 | Windows Hyper-V Remote Code Execution Vulnerability

Published: 2020-10-13
MITRE CVE-2020-16891

“A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.”

This is especially bad for “hotel” environment with multiple different tenants that should not be able to influence each other, but it is also bad for environments with different levels of security sensitivity within the same tenant.

There is no workarounds or possible mitigations in the configuration.

CVSS Base Score is 8.8

Basefarm and Microsoft recommends that you install the updates for this vulnerability as soon as possible.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2140691with the highest priority.

CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability

Published: 2020-10-13
MITRE CVE-2020-16898

“A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets.”

This vulnerability affects Windows 10, Server 2019 and Server Core versions (see full Security Advisory for proper details). It can be mitigated by disabling a network feature or blocking ICMPv6 Router Advertisement packets.

Basefarm and Microsoft recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave a workaround in place.

CVSS Base score is 9.8

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2139859 with the highest priority.

CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

Published: 2020-07-29
MITRE CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.

There are many non-Windows device implementations of the Netlogon Remote Protocol (also called MS-NRPC). To ensure that vendors of non-compliant implementations can provide customers with updates, a second release that is planned for Q1 2021 will enforce protection for all domain-joined devices.

If the guidelines from the KB article “How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472” are not followed, your organization risks devices in your environment being denied access when the enforcement phase starts in Q1 2021. If there are currently no non-compliant devices in your environment, you can move to enforcement mode for further protection in advance of required enforcement.

The Base CVSS score for this vulnerability is 10 (out of 10 possible).
The Temporal CVSS score (at 2020-08-19) is 9.

There is no known exploitation of this in the wild, and the details about the vulnerability is not publicly disclosed. Meaning there should be some time still before this is a major issue. And if it becomes exploited in the wild, Basefarm always recommends that domain controllers are not reachable on the public internet.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. Our goal is to have this mitigated on all servers within 1 week. We are tracking this internally as BF-VLN-2102348 with the highest priority.

CVE-2020-10713 – GRUB 2 boot loader buffer overflow – aka BootHole

Published: 2020-07-29
MITRE CVE-2020-10713

GRUB 2 is a “boot loader”, it precedes the actual operating system and allows for multiple options in what operating system to load and with what parameters given. An attacker with administrative privileges on a system, or physical access, can use this vulnerability to bypass the check of cryptographic signatures and run arbitrary code. GRUB 2 is the default boot loader for most popular GNU/Linux distributions, but it is independent of any OS so this vulnerability can also be exploited against Windows systems.

Some might say that game is over anyway if an attacker has administrative privileges or physical access, but this attack method provides a way for an attacker to establish persistence on a system perhaps invisible for an OS and its endpoint security platform.

RedHat reports “In CVE-2020-10713, an attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB.”

And for remediation “Red Hat recommends all customers to update their grub2 packages. Red Hat customers using Secure Boot need to update kernel, fwupdate, fwupd, shim and dbxtool packages containing newly validated keys and certificates. Users running Secure Boot with Red Hat Enterprise Linux 8 need to take additional steps to boot into previously released RHEL 8 kernels after applying the grub2 package updates.”

This vulnerability has a CVSS Base score of 8.2 with the CVSS vectors CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Basefarm is currently evaluating this vulnerability and its consequences for the continued secure operations of our customers and our own systems. Internally this is tracked in BF-VLN-2089662. At this early point we refer to the individual vendors for more information:

Microsoft ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB

Red Hat Boot Hole Vulnerability – GRUB 2 boot loader – CVE-2020-10713

This vulnerability was discovered and responsibly disclosed by Eclypsium, see their in depth technical writeup “There’s a Hole in the Boot”

Update 2020-07-31: There are some reports about the RHEL grub2 security update rendering systems unbootable. Patching for vulnerabilities IS important, but doing so in a responsible manner is also a priority.

CVE-2020-1350 – SIGRed Windows DNS Server Remote Code Execution Vulnerability

Published: 2020-07-14
MITRE CVE-2020-1350

“A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.”

The tricky part about this is that a lot of systems normally closed of from direct access to the internet has an indirect access to the internet via the forwarding capabilities built in to DNS. If you are able to resolve regular domains like “basefarm.com”, “microsoft.com” and “google.com”, and you are asking your Windows Domain Controller, that Domain Controller is vulnerable.

The recommended cause of action is to upgrade as soon as possible. This requires a reboot. There exists a workaround, if a reboot is not something you can do right now. This is a registry edit and only requires a restart of the DNS Service. We refer to official documentation for information about this workaround.

In our experience, and based on information currently available, we expect to see working exploits in the wild within a week, and see it likely that there will be widespread active attacks within 2 weeks.

Basefarm is tracking this vulnerability internally as BF-VLN-2084547, with the highest priority. All internal Basefarm servers vulnerable is scheduled to receive patches within 2020-07-15 18:00. We are currently chasing customer-specific servers and organizing emergency patching.

Update 2020-07-17 21:00 – All change-tickets for customer-specific servers have attention. 4% of the tickets is still in implementation status, 96% is either in Post-implementation Review status or Closed status. We continue to monitor intelligence sources for signs of active exploitation and will ensure priority for the remaining 4% of customers.

Update 2020-07-21 – All servers are patched or have implemented workarounds for this vulnerability.

Official Microsoft Security Advisory

CVE-2020-5902 F5 Big-IP – K52145254: TMUI RCE vulnerability

Published: 2020-07-01
MITRE CVE-2020-5902

“The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.”

“This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.”

CVSS Base score: 10 of 10

Basefarm is tracking the internal work with the vulnerability as BF-VLN-2077661. We have gone through the CVSS-calculator and made an Environmental score for our own prioritization as Basefarm does not expose the vulnerable TMUI, management port and/or Self IP to public traffic. We do not recommend anyone exposes the TMUI, management port and/or Self IP to the public internet, this should be on a management VLAN only reachable after authentication with multi-factor authentication. The reason for this is exactly the risks of vulnerabilities like this.

The recommended way to fix this is to upgrade to a newer version, but there also exists a temporary workaround. We refer to the BigIP knowledge-base article for details about this.

Tomcat

CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service

Published: 2020-06-25
MITRE CVE-2020-11996

“A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.”

CVSS Base score: 7.5 (or 5.9 if Attack Complexity turns out to be High)
CVSS Temporal Score: 6.5 as of 2020-06-26 (Unproven exploit code and Official Patch available)
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

This vulnerability is remedied by upgrading to new version. Basefarm recommends upgrading to these version as soon as possible, at least within a week.

CVE-2020-4415 – Stack-based Buffer Overflow vulnerability in IBM Spectrum Protect Server

Published: 2020-04-24
MITRE CVE-2020-4415

IBM Spectrum Protect server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. This could allow a remote attacker to execute arbitrary code on the system with the privileges of an administrator or user associated with the Spectrum Protect server or cause the Spectrum Protect server to crash.”

CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179990 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

This vulnerability is remedied by upgrading to version 8.1.9.300 or 7.1.10.100. Basefarm recommends upgrading to these version as soon as possible, at least within a week. Internally in Basefarm this progress is tracked as BF-VLN-2031464. (update 2020-04-27, Basefarm has fully upgraded all IBM Spectrum Protect Servers.)

Unassisted iOS Attacks via MobileMail in the wild

There has been discovered a vulnerability in the default mail application (MobileMail) for iOS.

The vulnerability allows an attacker to send an email to a victim (you) and without any action from you, the email will launch code prepared by the attacker on your device.
The fix for this is not released yet, it has been released as a public Beta-version.
Basefarm has decided to block this app from getting more mail from Basefarms Exchange servers.

Researchers has found attacks in the wild, exploiting this vulnerability, back in January 2018 on iOS 11. They state it is likely that the same threat operators are actively abusing these vulnerabilities presently.

There has been no wide exploitation, this is likely due to the fact that this is high value exploit, and the attacker was trying to minimize the risk for detection. There has been targeted attacks towards executives and VIPs in large organizations, MSSPs in Saudi Arabia and Israel (this can be used to make assumptions on who the threat operator is.), a journalist in Europe, etc.

Now that the vulnerability is exposed the value of it is dropping by the minute, and the threat operator has no reason to hold back any more. There is now a race between them and getting fixes out to the users.

Internally in Basefarm the activity related to this vulnerability is tracked in BF-VLN-2031243.

See also:

https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/

ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability

Published: 2020-03-23
MITRE CVE-2020- (TBD)

Microsoft is warning about a vulnerability they have detected used in targeted attacks and that there is no patch for yet. No patch and detected in use, a place for the scary word “zero-day”, but this is not a tabloid.

“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.” This would not be so exciting if not document formats had the feature of including their own fonts in documents.

“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”

This affects Windows 10 (but read on), and all Windows Server from 2008 until 2019. Windows 10 has some mitigating features. As always, read the advisory for full details.

There exist no official patch for this as of now. There are some mitigations possible, like “Disable the Preview Pane and Details Pane in Windows Explorer”, “Disable the WebClient service” (WebDAV) and “Rename ATMFD.DLL”. Basefarm has not tested these and recommend everyone to have a test environment that resembles their production environment and test the mitigations before applying them.

Consider the usage of your servers, are there documents viewed on them? Are the documents from an unknown, potentially untrusted source? Do you value the integrity of that server and all it in turn has access too? It might be worth to consider implementing the mitigations. For many servers this use case is not a match and it is potentially better to wait for an official and tested patch.

Basefarm follows this vulnerability internally as BF-VLN-2011507 and asking our dedicated customer teams to follow up these recommendations.