US-CERT- AA21-209A: Top Routinely Exploited Vulnerabilities

Started by Netwörkheäd, August 05, 2021, 06:02:42 AM


Netwörkheäd

AA21-209A: Top Routinely Exploited Vulnerabilities

Original release date: July 28, 2021 | Last revised: August 4, 2021

Summary

This Joint Cybersecurity Advisory was coauthored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI). 



This advisory provides details on the top 30 vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021.  



Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide. However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system. 



Click here for a PDF version of this report: https://us-cert.cisa.gov/sites/default/files/publications/AA21-209A_Joint_CSA%20Top%20Routinely%20Exploited%20Vulnerabilities.pdf


Technical Details

Key Findings



In 2020, cyber actors readily exploited recently disclosed vulnerabilities to compromise unpatched systems. Based on data available to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years. Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic. The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.



Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies. Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organizations to conduct rigorous patch management.



CISA, ACSC, the NCSC, and FBI consider the vulnerabilities listed in table 1 to be the topmost regularly exploited CVEs by cyber actors during 2020. 



Table 1: Top Routinely Exploited CVEs in 2020

| Vendor | CVE | Type |
|---|---|---|
| Citrix | CVE-2019-19781 | arbitrary code execution |
| Pulse | CVE-2019-11510 | arbitrary file reading |
| Fortinet | CVE-2018-13379 | path traversal |
| F5 BIG-IP | CVE-2020-5902 | remote code execution (RCE) |
| MobileIron | CVE-2020-15505 | RCE |
| Microsoft | CVE-2017-11882 | RCE |
| Atlassian | CVE-2019-11580 | RCE |
| Drupal | CVE-2018-7600 | RCE |
| Telerik | CVE-2019-18935 | RCE |
| Microsoft | CVE-2019-0604 | RCE |
| Microsoft | CVE-2020-0787 | elevation of privilege |
| Netlogon | CVE-2020-1472 | elevation of privilege |



In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet.



CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries' use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. 



Organizations are encouraged to remediate or mitigate vulnerabilities as quickly as possible to reduce the risk of exploitation. Most can be remediated by patching and updating systems. Organizations that have not remediated these vulnerabilities should investigate for the presence of IOCs and, if compromised, initiate incident response and recovery plans. See the Contact Information section below for how to reach CISA to report an incident or request technical assistance.



2020 CVEs



CISA, ACSC, the NCSC, and FBI have identified the following as the topmost exploited vulnerabilities by malicious cyber actors from 2020: CVE-2019-19781, CVE-2019-11510, CVE-2018-13379, CVE-2020-5902, CVE-2020-15505, CVE-2020-0688, CVE-2019-3396, CVE-2017-11882, CVE-2019-11580, CVE-2018-7600, CVE-2019-18935, CVE-2019-0604, CVE-2020-0787, CVE-2020-1472.[1: https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF][2: https://media.defense.gov/2021/May/07/2002637232/-1/-1/0/ADVISORY FURTHER TTPS ASSOCIATED WITH SVR CYBER ACTORS.PDF][3: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF] Among these vulnerabilities, CVE-2019-19781 was the most exploited flaw in 2020, according to U.S. Government technical analysis. CVE-2019-19781 is a recently disclosed critical vulnerability in Citrix's Application Delivery Controller (ADC)—a load balancing application for web, application, and database servers widely used throughout the United States.[4: https://www.cyber.gov.au/acsc/view-all-content/advisories/2020-001-4-remediation-critical-vulnerability-citrix-application-delivery-controller-and-citrix-gateway][5: https://www.ncsc.gov.uk/news/citrix-alert] Nation-state and criminal cyber actors most likely favor using this vulnerability because it is easy to exploit, Citrix servers are widespread, and exploitation enables the actors to perform unauthorized RCE on a target system.[6: https://us-cert.cisa.gov/ncas/alerts/aa20-296a]



Identified as emerging targets in early 2020,[7: https://us-cert.cisa.gov/ncas/alerts/aa20-133a] unremediated instances of CVE-2019-19781 and CVE-2019-11510 continued to be exploited throughout the year by nation-state advanced persistent threat actors (APTs) who leveraged these and other vulnerabilities, such as CVE-2018-13379,[8: https://www.cyber.gov.au/acsc/view-all-content/alerts/apt-exploitation-fortinet-vulnerabilities][9: https://www.ncsc.gov.uk/news/critical-risk-unpatched-fortinet-vpn-devices] in VPN services[10: https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/Mitigating Recent VPN Vulnerabilities - Copy.pdf][11: https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities] to compromise an array of organizations, including those involved in COVID-19 vaccine development.[12: https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF][13: https://www.cyber.gov.au/acsc/view-all-content/advisories/summary-tactics-techniques-and-procedures-used-target-australian-networks]



The CVE-2019-11510 vulnerability in Pulse Connect Secure VPN was also frequently targeted by nation-state APTs. Actors can exploit the vulnerability to steal the unencrypted credentials for all users on a compromised Pulse VPN server, and they can retain unauthorized access after the system is patched unless all compromised credentials are changed. Nation-state APTs also commonly exploited CVE-2020-15505 and CVE-2020-5902.[14: https://us-cert.cisa.gov/ncas/alerts/aa20-010a][15: https://us-cert.cisa.gov/ncas/alerts/aa20-010a][16: https://www.cisa.gov/blog/2020/07/16/emergency-directive-ed-20-03-windows-dns-server-vulnerability][17: https://www.ncsc.gov.uk/news/alert-multiple-actors-attempt-exploit-mobileiron-vulnerability]



2021 CVEs



In 2021, cyber actors continued to target vulnerabilities in perimeter-type devices. In addition to the 2020 CVEs listed above, organizations should prioritize patching for the following CVEs known to be exploited. 




       
  • Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
    • See CISA's Alert: Mitigate Microsoft Exchange Server Vulnerabilities for more information on identifying and mitigating malicious activity concerning these vulnerabilities.
  • Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
    • See CISA's Alert: Exploitation of Pulse Connect Secure Vulnerabilities for more information on how to investigate and mitigate this malicious activity.
  • Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
    • See the Australia-New Zealand-Singapore-UK-U.S. Joint Cybersecurity Advisory: Exploitation of Accellion File Transfer Appliance for technical details and mitigations.
  • VMware: CVE-2021-21985
    • See CISA's Current Activity: Unpatched VMware vCenter Software for more information and guidance.
  • Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591
    • See the CISA-FBI Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks for more details and mitigations.



Mitigations and Indicators of Compromise



One of the most effective best practices to mitigate many vulnerabilities is to update software versions once patches are available and as soon as is practicable. If this is not possible, consider applying temporary workarounds or other mitigations, if provided by the vendor. If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems). This advisory highlights vulnerabilities that should be considered as part of the prioritization process. To further assist remediation, automatic software updates should be enabled whenever possible. 



Focusing scarce cyber defense resources on patching those vulnerabilities that cyber actors most often use offers the potential of bolstering network security while impeding our adversaries' operations. For example, nation-state APTs in 2020 extensively relied on a single RCE vulnerability (CVE-2019-11580) in Atlassian Crowd, a centralized identity management application, in their reported operations. A concerted focus on patching this vulnerability could have a relatively broad impact by forcing the actors to find alternatives, which may not have the same broad applicability to their target set.



Additionally, attackers commonly exploit weak authentication processes, particularly in external-facing devices. Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.



Tables 2–14 provide more details about, and specific mitigations for, each of the top exploited CVEs in 2020. 



Note: The lists of associated malware corresponding to each CVE below are not meant to be exhaustive but intended to identify a malware family commonly associated with exploiting the CVE.

 



Table 2: CVE-2019-19781 Vulnerability Details

Citrix Netscaler Directory Traversal (CVE-2019-19781)

Vulnerability Description: Citrix Netscaler Application Delivery Control (ADC) is vulnerable to RCE and full system compromise due to poor access controls, thus allowing directory traversal.

CVSS 3.0: Critical

Vulnerability Discussion, IOCs, and Malware Campaigns: The lack of adequate access controls allows an attacker to enumerate system directories for vulnerable code (directory traversal). In this instance, Citrix ADC maintains a vulnerable Perl script (newbm.pl) that, when accessed via HTTP POST request (POST https://$TARGET/vpn/../vpn/portal/scripts/newbm.pl), allows local operating system (OS) commands to execute. Attackers can use this functionality to upload/execute command and control (C2) software (webshell or reverse-shell executable) using embedded commands (e.g., curl, wget, Invoke-WebRequest) and gain unauthorized access to the OS.

Multiple malware campaigns, including NOTROBIN, have taken advantage of this vulnerability.

Fix: Patch Available (https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/)

Recommended Mitigations:
  • Implement the appropriate refresh build according to the vulnerability details outlined by the vendor: Citrix: Mitigation Steps for CVE-2019-19781
  • If possible, only allow the VPN to communicate with known Internet Protocol (IP) addresses (allow-list).

Detection Methods:

Vulnerable Technologies and Versions: Citrix ADC and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0

References and Additional Guidance:



Table 3: CVE-2019-11510 Vulnerability Details

Pulse Secure Connect VPN (CVE-2019-11510)

Vulnerability Description: Pulse Secure Connect is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials.

CVSS 3.0: Critical

Vulnerability Discussion, IOCs, and Malware Campaigns: Improper access controls allow a directory traversal that an attacker can exploit to read the contents of system files. For example, the attacker could use a string such as https://sslvpn.insecure-org.com/dana-na/../dana/html5/acc/guacmole/../../../../../../etc/passwd?/dana/html5/guacamole/ to obtain the local password file from the system. The attacker can also obtain admin session data and replay session tokens in the browser. Once compromised, an attacker can run arbitrary scripts on any host that connects to the VPN, making anyone who connects to the VPN a potential target for compromise.

Multiple malware campaigns have taken advantage of this vulnerability, most notably REvil/Sodinokibi ransomware.

Fix: Patch Available (https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101)

Recommended Mitigations:
  • Upgrade to the latest Pulse Secure VPN.
  • Stay alert to any scheduled tasks or unknown files/executables.
  • Create detection/protection mechanisms that respond on directory traversal (/../../../) attempts to read local system files.

Detection Methods:
  • CISA developed a tool to help determine if IOCs exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510: cisagov/check-your-pulse.
  • Nmap developed a script that can be used with the port scanning engine: http-vuln-cve2019-11510.nse #1708.

Vulnerable Technologies and Versions: Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 are vulnerable.

References:



Table 4: CVE-2018-13379 Vulnerability Details

Fortinet FortiOS Secure Socket Layer VPN (CVE-2018-13379)

Vulnerability Description: Fortinet Secure Sockets Layer (SSL) VPN is vulnerable to unauthenticated directory traversal, which allows attackers to gain access to the sslvpn_websession file. An attacker is then able to extract clear-text usernames and passwords.

CVSS 3.0: Critical

Vulnerability Discussion, IOCs, and Malware Campaigns: Weakness in user access controls and web application directory structure allows attackers to read system files without authentication. Attackers are able to perform an HTTP GET request such as http://$SSLVPNTARGET?lang=/../../../..//////////dev/cmdb/sslvpn_websession. This results in the server responding with unprintable/hex characters alongside cleartext credential information.

Multiple malware campaigns have taken advantage of this vulnerability, the most notable being Cring ransomware (also known as Crypt3, Ghost, Phantom, and Vjszy1lo).

Fix: Patch Available (https://www.fortiguard.com/psirt/FG-IR-18-384)

Recommended Mitigations:
  • Upgrade to the latest Fortinet SSL VPN.
  • Monitor for alerts to any unscheduled tasks or unknown files/executables.
  • Create detection/protection mechanisms that respond on directory traversal (/../../../) attempts to read the sslvpn_websession file.

Detection Methods:
  • Nmap developed a script that can be used with the port scanning engine: Fortinet SSL VPN CVE-2018-13379 vuln scanner #1709.

Vulnerable Technologies and Versions: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 are vulnerable.

References:
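The mitigations in Tables 3 and 4 call for detection mechanisms that respond to directory traversal attempts against local system files and the sslvpn_websession file, and Table 2 describes the same request shape against the Citrix newbm.pl script. The following added example (not CISA or vendor tooling) scans access-log lines in Common Log Format for such attempts, normalising percent-encoding and slash runs before matching; every log line, address and severity label in it is constructed for the example.

```python
"""Flag directory-traversal probes against the gateway paths named in Tables 2-4.

Added example for this page (not CISA or vendor tooling). It assumes access
logs in Common Log Format, as a reverse proxy or WAF in front of the
appliance would write them; all sample lines and addresses are constructed.
"""
import re
from urllib.parse import unquote

# Resources quoted in the advisory, matched after normalisation.
SENSITIVE_TARGETS = {
    "/vpn/portal/scripts/newbm.pl": "CVE-2019-19781 (Citrix ADC newbm.pl)",
    "/etc/passwd": "CVE-2019-11510 (Pulse Connect Secure file read)",
    "/dev/cmdb/sslvpn_websession": "CVE-2018-13379 (FortiOS sslvpn_websession)",
}

# host ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
DOTDOT = re.compile(r"(^|/)\.\.(/|$)")   # a '..' path segment


def normalize(target: str) -> str:
    """Undo evasions that a match on the raw request string would miss.

    Percent-decoding is repeated (bounded) so double-encoded %252e unwraps,
    backslashes become '/', and slash runs collapse so '..//////dev' and
    '../dev' compare equal, as in the Fortinet request quoted in Table 4.
    """
    decoded = target
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    decoded = decoded.replace("\\", "/")
    return re.sub(r"/{2,}", "/", decoded)


def classify(line: str):
    """Return a finding dict for a traversal attempt, or None for other lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    norm = normalize(m["target"])
    path, _, query = norm.partition("?")
    if not (DOTDOT.search(path) or DOTDOT.search(query)):
        return None
    hit = next((why for key, why in SENSITIVE_TARGETS.items() if key in norm), None)
    status = int(m["status"])
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "status": status,
        "target": m["target"],
        "severity": "high" if hit else "medium",
        "indicator": hit or "generic directory traversal",
        # A 2xx on a traversal request means the appliance served something;
        # Table 4 notes FortiOS returned credential data exactly this way.
        "served": 200 <= status < 300,
    }


def scan(lines):
    """Run classify over an iterable of log lines and keep the findings."""
    return [f for f in map(classify, lines) if f]


# Constructed sample log (not real traffic): the three request shapes the
# advisory quotes, a percent-encoded variant, and two benign requests.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Aug/2021:10:00:01 +0000] "POST /vpn/../vpn/portal/scripts/newbm.pl HTTP/1.1" 200 512',
    '203.0.113.11 - - [01/Aug/2021:10:00:02 +0000] "GET /dana-na/../dana/html5/acc/guacamole/../../../../../../etc/passwd?/dana/html5/guacamole/ HTTP/1.1" 200 1840',
    '203.0.113.12 - - [01/Aug/2021:10:00:03 +0000] "GET /?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 32768',
    '203.0.113.13 - - [01/Aug/2021:10:00:04 +0000] "GET /vpn/%2e%2e/vpn/portal/scripts/newbm.pl HTTP/1.1" 404 210',
    '198.51.100.5 - - [01/Aug/2021:10:00:05 +0000] "GET /vpn/index.html HTTP/1.1" 200 3021',
    '198.51.100.6 - - [01/Aug/2021:10:00:06 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5190',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["status"], f["indicator"], f["target"])
```

Feed real appliance or proxy logs through `scan()` and treat a high-severity finding with `served` set as a trigger for the credential-reset and incident-response steps the advisory recommends.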
         
         


 



Table 5: CVE-2020-5902 Vulnerability Details

F5 BIG-IP Traffic Management User Interface (CVE-2020-5902)

Vulnerability Description: The Traffic Management User Interface (TMUI), also referred to as the Configuration Utility, has an RCE vulnerability in undisclosed pages.

CVSS 3.0: Critical

Vulnerability Discussion, IOCs, and Malware Campaigns: This vulnerability allows unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.

Fix: Upgrade to Secure Versions Available (https://support.f5.com/csp/article/K52145254)

Recommended Mitigations: Download and install a fixed version of the software from a vendor-approved resource. If it is not possible to update quickly, restrict access via the following actions.
  • Address unauthenticated and authenticated attackers on self IPs by blocking all access.
  • Address unauthenticated attackers on the management interface by restricting access.

Detection Methods:
  • F5 developed a free detection tool for this vulnerability: f5devcentral/cve-2020-5902-ioc-bigip-checker (https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/).
  • Manually check your software version to see if it is susceptible to this vulnerability.

Vulnerable Technologies and Versions: BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT) 15.1.0, 15.0.0-15.0.1, 14.1.0-14.1.2, 13.1.0-13.1.3, 12.1.0-12.1.5, and 11.6.1-11.6.5 are vulnerable.

References:



Table 6: CVE-2020-15505 Vulnerability Details

MobileIron Core & Connector (CVE-2020-15505)

Vulnerability Description: MobileIron Core & Connector, Sentry, and Monitoring and Reporting Database (RDB) software are vulnerable to RCE via unspecified vectors.

CVSS 3.0: Critical

Vulnerability Discussion, IOCs, and Malware Campaigns: CVE-2020-15505 is an RCE vulnerability in MobileIron Core & Connector versions 10.3 and earlier. This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.

Multiple APTs have been observed exploiting this vulnerability to gain unauthorized access.

Fix: Patch Available (https://www.ivanti.com/blog/mobileiron-security-updates-available)

Recommended Mitigations:
  • Download and install a fixed version of the software from a vendor-approved resource.

Detection Methods:
  • None. Manually check your software version to see if it is susceptible to this vulnerability.

Vulnerable Technologies and Versions: MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0, and 10.6.0.0; Sentry versions 9.7.2 and earlier and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier are vulnerable.

References:



Table 7: CVE-2020-0688 Vulnerability Details

Microsoft Exchange Memory Corruption (CVE-2020-0688)

Vulnerability Description: An RCE vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.

CVSS 3.0: High

Vulnerability Discussion, IOCs, and Malware Campaigns: CVE-2020-0688 exists in the Microsoft Exchange Server when the server fails to properly create unique keys at install time. An authenticated user with knowledge of the validation key and a mailbox may pass arbitrary objects for deserialization by the web application that runs as SYSTEM. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.

A nation-state APT actor has been observed exploiting this vulnerability to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide.

Fix: Patch Available (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688)

Recommended Mitigations:
  • Download and install a fixed version of the software from a vendor-approved resource.

Detection Methods:

Vulnerable Technologies and Versions: Microsoft Exchange Server 2019 Cumulative Update 3 and 4, 2016 Cumulative Update 14 and 15, 2013 Cumulative Update 23, and 2010 Service Pack 3 Update Rollup 30 are vulnerable.

References:



Table 8: CVE-2019-3396 Vulnerability Details

Atlassian Confluence Server and Data Center Widget Connector (CVE-2019-3396)

Vulnerability Description: Atlassian Confluence Server and Data Center Widget Connector is vulnerable to a server-side template injection attack.

CVSS: Critical

Vulnerability Discussion, IOCs, and Malware Campaigns: Confluence Server and Data Center versions released before June 18, 2018, are vulnerable to this issue. A remote attacker is able to exploit a server-side request forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance. A successful attacker is able to exploit this issue to achieve server-side template injection, path traversal, and RCE on vulnerable systems.

Multiple malware campaigns have taken advantage of this vulnerability; the most notable being GandCrab ransomware.

Fix: Patch Available

Recommended Mitigations:
  • Download and install a fixed version of the software from a vendor-approved resource.

Detection Methods:

Vulnerable Technologies and Versions: All versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are vulnerable.

References:



Table 9: CVE-2017-11882 Vulnerability Details

Microsoft Office Memory Corruption (CVE-2017-11882)

Vulnerability Description: Microsoft Office is prone to a memory corruption vulnerability allowing an attacker to run arbitrary code, in the context of the current user, by failing to properly handle objects in memory. It is also known as the "Microsoft Office Memory Corruption Vulnerability."

Cyber actors continued to exploit this four-year-old vulnerability in Microsoft Office that the U.S. Government publicly assessed last year was the most frequently targeted. Cyber actors most likely continue to exploit this vulnerability because Microsoft Office use is ubiquitous worldwide, the vulnerability is ideal for phishing campaigns, and it enables RCE on vulnerable systems.

CVSS 3.0: High

Vulnerability Discussion, IOCs, and Malware Campaigns: Microsoft Equation Editor, a component of Microsoft Office, contains a stack buffer overflow vulnerability that enables RCE on a vulnerable system. The component was compiled on November 9, 2000. Without any further recompilation, it was used in all currently supported versions of Microsoft Office. Microsoft Equation Editor is an out-of-process COM server that is hosted by eqnedt32.exe, meaning it runs as its own process and can accept commands from other processes.

Data execution prevention (DEP) and address space layout randomization (ASLR) should protect against such attacks. However, because of the manner in which eqnedt32.exe was linked, it will not use these features, subsequently allowing code execution. Being an out-of-process COM server, protections specific to Microsoft Office such as EMET and Windows Defender Exploit Guard are not applicable to eqnedt32.exe, unless applied system-wide. This provides the attacker with an avenue to lure targets into opening specially crafted documents, resulting in the ability to execute embedded attacker commands.

Multiple cyber espionage campaigns have taken advantage of this vulnerability. CISA has noted CVE-2017-11882 being exploited to deliver LokiBot malware (https://us-cert.cisa.gov/ncas/alerts/aa20-266a).

Fix: Patch Available (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882)

Recommended Mitigations:

Detection Methods:
  • Microsoft Defender Antivirus, Windows Defender, Microsoft Security Essentials, and the Microsoft Safety Scanner will all detect and patch this vulnerability.

Vulnerable Technologies and Versions:
  • Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 are vulnerable.

References:
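Table 9 attributes the failure of DEP and ASLR to stop CVE-2017-11882 to the way eqnedt32.exe was linked. As an added example (not Microsoft or CISA code), the script below reads the DllCharacteristics flags from a PE optional header so a defender can inventory binaries that were linked without those opt-ins; the header-only PE images it parses are constructed in-line, and the flag constants and offsets follow the PE/COFF specification.

```python
"""Report whether a PE image opted in to ASLR and DEP at link time.

Added example for this page (not Microsoft or CISA code). Table 9 attributes
the failure of DEP and ASLR to stop CVE-2017-11882 to how eqnedt32.exe was
linked; those opt-ins are the DYNAMIC_BASE and NX_COMPAT bits of the optional
header's DllCharacteristics field, which this script reads. The synthetic PE
images below are constructed so the example runs without a real binary.
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF specification).
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR
DYNAMIC_BASE = 0x0040      # image may be relocated at load (ASLR)
NX_COMPAT = 0x0100         # image is DEP compatible
GUARD_CF = 0x4000          # Control Flow Guard

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70   # same offset in PE32 and PE32+ optional headers


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field, or raise ValueError if not a PE."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                  # skip signature and COFF header
    if len(image) < opt + DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)[0]


def mitigation_report(image: bytes) -> dict:
    """Map the flag bits to the mitigations a defender cares about."""
    flags = dll_characteristics(image)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
        "cfg": bool(flags & GUARD_CF),
    }


def build_minimal_pe(flags: int, pe32plus: bool = False) -> bytes:
    """Construct a header-only (non-runnable) PE image with the given flags.

    Only the fields the parser reads are populated; everything else is zero.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # audit a real file, e.g. an Office component
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], mitigation_report(fh.read()))
    else:
        legacy = build_minimal_pe(0)         # linked without opt-ins, as Table 9 describes
        modern = build_minimal_pe(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA, pe32plus=True)
        print("legacy", mitigation_report(legacy))
        print("modern", mitigation_report(modern))
```

A binary reporting `aslr` and `dep` as False is one that, like eqnedt32.exe, only gains those protections when they are forced system-wide, which is the gap the table describes.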



         
         


 



Table 10: CVE-2019-11580 Vulnerability Details

Atlassian Crowd and Crowd Data Center Remote Code Execution (CVE-2019-11580)

Vulnerability Description: Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds.

CVSS 3.0: Critical

Vulnerability Discussion, IOCs, and Malware Campaigns: Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits RCE on systems running a vulnerable version of Crowd or Crowd Data Center.

Fix: Patch Available (https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html)

Recommended Mitigations:

Detection Methods:

Vulnerable Technologies and Versions: All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

References:



Table 11: CVE-2018-7600 Vulnerability Details

Drupal Core Multiple Remote Code Execution (CVE-2018-7600)

Vulnerability Description: Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allow remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

CVSS 3.0: Critical

Vulnerability Discussion, IOCs, and Malware Campaigns: An RCE vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. Failed exploit attempts may result in a denial-of-service condition. A remote user can send specially crafted data to trigger a flaw in the processing of renderable arrays in the Form Application Programming Interface, or API, and cause the target system to render the user-supplied data and execute arbitrary code on the target system.

Malware campaigns include the Muhstik botnet and XMRig Monero Cryptocurrency mining.

Fix: Patch Available (https://www.drupal.org/sa-core-2018-002)

Recommended Mitigations:
  • Upgrade to the most recent version of Drupal 7 or 8 core. If running 7.x, upgrade to Drupal 7.58. If running 8.5.x, upgrade to Drupal 8.5.1.

Detection Methods:

Vulnerable Technologies and Versions:

Let's not argue. Let's network!