Tuesday, October 20th, wasn’t your usual Patch Tuesday announcement from Microsoft.
Instead, this cybersecurity advisory came from the NSA, urging users to quickly patch 25 vulnerabilities that Chinese hackers were actively exploiting.
The list of vulnerabilities, many of them already known programming issues, was made public to draw urgency and help IT teams prioritize these patches. Of the 25, seven affect remote access gateways, seven involve internal servers, one affects mobile device management, two are privilege escalations, two affect Active Directory, three involve network equipment, and three affect public-facing servers, per this infographic from the NSA.
We realize you may not be able to patch all vulnerable assets instantly. We recommend that you prioritize systems for patching based on risk: exposure, asset criticality and any applicable compensating controls. You can learn more about risk-based prioritization here.
Here is the list of the 25 vulnerabilities that need to be patched ASAP:
CVEs Targeting Remote Secure Access
CVE-2019-11510: In Pulse Secure VPNs, an unauthenticated remote attacker can send a specially crafted URI to exploit an arbitrary file read vulnerability. This may lead to exposure of keys or passwords.
CVE-2020-5902: In F5 BIG-IP proxy / load balancer devices, the Traffic Management User Interface (TMUI) – also referred to as the Configuration utility – has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
CVE-2019-19781: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway. They allow directory traversal, which can lead to remote code execution without credentials.
CVE-2020-8193: Improper access control and input validation in Citrix ADC, Citrix Gateway and Citrix SDWAN WAN-OP allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.
CVE-2020-8195: Improper input validation in Citrix ADC, Citrix Gateway and Citrix SDWAN WAN-OP results in limited information disclosure to low-privileged users.
CVE-2020-8196: Improper access control in Citrix ADC, Citrix Gateway and Citrix SDWAN WAN-OP results in limited information disclosure to low-privileged users.
CVE-2019-0708: A remote code execution vulnerability exists within Microsoft Windows’ Remote Desktop Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.
CVEs Targeting Mobile Device Management
CVE-2020-15505: A remote code execution vulnerability in the MobileIron mobile device management (MDM) software that allows remote attackers to execute arbitrary code via unspecified vectors.
CVEs Targeting Active Directory for Lateral Movement & Credential Access
CVE-2020-1472: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using Microsoft’s Netlogon Remote Protocol (MS-NRPC).
CVE-2019-1040: A tampering vulnerability exists in Microsoft Windows when a miscreant-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection.
CVEs Targeting Public Facing Servers
CVE-2020-1350: A remote code execution vulnerability exists in Microsoft Windows Domain Name System servers when they fail to properly handle requests.
CVE-2018-6789: An issue was discovered in the base64d function in the SMTP listener in Exim. A handcrafted message can trigger a buffer overflow, which can be used to execute code remotely.
CVE-2018-4939: Adobe ColdFusion Update 5 and earlier versions, and ColdFusion 11 Update 13 and earlier versions, have an exploitable deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
CVEs Targeting Internal Servers
CVE-2020-0688: A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.
CVE-2015-4852: The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001.
CVE-2019-11580: Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.
CVE-2020-10189: Zoho ManageEngine Desktop Central allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class.
CVE-2020-2555: A vulnerability in the Oracle Coherence product of Oracle Fusion Middleware. This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks can result in takeover of Oracle Coherence.
CVE-2019-3396: The Widget Connector macro in Atlassian Confluence Server allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
CVE-2019-18935: Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution.
CVEs Targeting User Workstations for Local Privilege Escalation
CVE-2020-0601: A spoofing vulnerability exists in the way Microsoft Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.
CVE-2019-0803: An elevation of privilege vulnerability exists in Microsoft Windows when the Win32k component fails to properly handle objects in memory.
CVEs Targeting Network Devices
CVE-2017-6327: The Symantec Messaging Gateway is vulnerable to remote code execution.
CVE-2020-3118: A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device.
CVE-2020-8515: DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters.
Unfortunately, many enterprises struggle with patching and risk-based vulnerability management because they are overwhelmed by the number of alerts and lack prioritization, resources, and guidance on fixing the issues.
Fortunately, Balbix customers can quickly identify vulnerable systems by typing the CVE number into the Balbix search. The results list the systems that have not been patched, prioritized by risk.
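The risk-based prioritization recommended earlier in this post (exposure, asset criticality, compensating controls) and the per-CVE lookup of unpatched systems just described, shown as an added example. This is not Balbix code and does not use the Balbix API; the scoring weights, vulnerability classes, host names and inventory are all constructed for the example, and the class assigned to each CVE follows the descriptions in the list above.

```python
"""Risk-based patch prioritization over a constructed asset inventory."""
from dataclasses import dataclass
from typing import Iterable, List

# Impact weight by vulnerability class. The classes come from the CVE
# descriptions in the post; the numeric weights are an assumption made here.
IMPACT = {
    "unauth_rce": 1.0,        # e.g. CVE-2020-5902, CVE-2019-19781, CVE-2019-0708
    "unauth_file_read": 0.8,  # e.g. CVE-2019-11510 (keys or passwords exposed)
    "priv_esc": 0.7,          # e.g. CVE-2020-1472, CVE-2019-0803
    "info_disclosure": 0.4,   # e.g. CVE-2020-8195, CVE-2020-8196
}

# Exposure weight: where an attacker has to be to reach the vulnerable service.
EXPOSURE = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    vuln_class: str      # key into IMPACT
    exposure: str        # key into EXPOSURE
    criticality: int     # 1 (lab box) .. 5 (domain controller, crown jewels)
    compensating: bool   # True if e.g. an ACL already blocks the vulnerable port


def risk_score(f: Finding) -> float:
    """Score in [0, 100]: impact x exposure x criticality, halved when a
    compensating control is in place. Higher means patch sooner."""
    score = IMPACT[f.vuln_class] * EXPOSURE[f.exposure] * (f.criticality / 5) * 100
    if f.compensating:
        score *= 0.5
    return round(score, 1)


def prioritise(findings: Iterable[Finding]) -> List[Finding]:
    """Findings ordered for patching, highest risk first; ties broken by host
    name so the output is stable between runs."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host))


def hosts_for_cve(findings: Iterable[Finding], cve: str) -> List[str]:
    """The lookup the post describes: every unpatched host carrying one CVE,
    ordered by risk."""
    return [f.host for f in prioritise(f for f in findings if f.cve == cve)]


# Constructed inventory: hosts and attributes are made up for this example.
INVENTORY = [
    Finding("vpn-edge-01", "CVE-2019-11510", "unauth_file_read", "internet", 4, False),
    Finding("lb-prod-02", "CVE-2020-5902", "unauth_rce", "internet", 5, True),
    Finding("dc-01", "CVE-2020-1472", "priv_esc", "internal", 5, False),
    Finding("citrix-gw-01", "CVE-2020-8196", "info_disclosure", "internet", 3, False),
    Finding("jump-lab-07", "CVE-2019-0708", "unauth_rce", "isolated", 1, False),
    Finding("dc-02", "CVE-2020-1472", "priv_esc", "internal", 5, True),
]

if __name__ == "__main__":
    for f in prioritise(INVENTORY):
        print(f"{risk_score(f):5.1f}  {f.host:14s} {f.cve}")
    print("hosts still exposed to CVE-2020-1472:", hosts_for_cve(INVENTORY, "CVE-2020-1472"))
```

Note how the ordering differs from a pure severity ranking: the load balancer with an unauthenticated RCE drops below the VPN file-read because its port is already filtered, and the second domain controller drops below an internet-facing information-disclosure bug for the same reason. The compensating-control discount is the knob to revisit when that control is removed.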
If you’re struggling with unseen risks and vulnerabilities in your network, Balbix can help.
Request a demo today, discover and identify all of your network assets, identify risk, and prioritize vulnerabilities based on risk to improve your overall cybersecurity posture quickly.