Over the past couple of weeks, we’ve seen some high profile security threats that require your immediate attention. In this digest we’ve rounded them all up. Now in order to help you address these threats, I’ve added actionable steps for you to follow in order to mitigate these risks.
Table of Contents:
- SMB Ghost RCE Exploit
- Critical VMware Vulnerability
- Git Vulnerability
- Security Updates for Multiple Cisco Products
- Four Zero-Day Vulnerabilities found in IBM
- Segmentation fault in SSL_check_chain
SMB Ghost RCE Exploit Demoed
A proof-of-concept RCE (remote code execution) exploit for CVE-2020-0796 in Windows 10 was demoed by researchers at Ricerca Security.
The vulnerability, called SMB Ghost, is found in the Microsoft Server Message Block 3.1.1 (SMBv3) network communication protocol. It impacts systems running Windows 10, versions 1903 and 1909, as well as Server Core installations of Windows Server, versions 1903 and 1909.
If you haven’t patched the vulnerable systems yet, we suggest doing it immediately.
Microsoft have released patches for all affected platforms, after several POC exploits had surfaced, including a DoS developed by Marcus Hutchins from Kryptos Logic.
How to Remediate:
- Apply the patch KB4551762
The best course of action is to apply the released patch. However, if for any reason that cannot be done, you can mitigate the risk as previously shown in our blog.
- Disable SMBv3 compression
You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
A couple of notes about this:
1. No reboot is needed after making the change.
2. This workaround does not prevent exploitation of SMB clients.
- Block inbound and outbound SMB
Consider blocking outbound SMB connections (TCP port 445 for SMBv3) from the local network to the WAN. Also ensure that SMB connections from the internet are not allowed to connect inbound to an enterprise LAN.
Sources:
- https://www.bleepingcomputer.com/news/security/windows-10-smbghost-rce-exploit-demoed-by-researchers/
- https://www.bleepingcomputer.com/news/security/microsoft-releases-kb4551762-security-update-for-smbv3-vulnerability/
- https://vimeo.com/409855578
- https://www.bleepingcomputer.com/news/security/48k-windows-hosts-vulnerable-to-smbghost-cve-2020-0796-rce-attacks/
Critical VMware Vulnerability – CVE-2020-3952
Details around CVE-2020-3952, a major vulnerability in VMware’s vCenter with a CVSS score of 10 have now been published. This vulnerability exists within VMware’s Directory Service (vmdir), a centralized management platform for virtualized hosts and virtual machines that can manage hundreds of workloads.
The platform uses SSO (single sign-on) that includes not only vmdir, but also the Security Token Service, the admin server and the vCenter Lookup Service. When the vulnerability was disclosed, VMware said that vmdir “does not correctly implement access controls”.
Should an attacker gain network access to port 389 on an affected vmdir deployment, they could steal highly sensitive information, such as admin account credentials. Leveraging the SSO, that could enable access to vCenter Server or other services that are dependent on vmdir for authentication.
How to Remediate:
You can find the relevant patch here:
Product | Version | Running On | CVE Identifier | CVSSV3 | Severity | Fixed Version | Workarounds | Additional Documentation |
vCenter Server | 7.0 | Any | CVE-2020-3952 | N/A | N/A | Unaffected | N/A | N/A |
vCenter Server | 6.7 | Virtual Appliance | CVE-2020-3952 | 10.0 | Critical | 6.7u3f | None | KB78543 |
vCenter Server | 6.7 | Windows | CVE-2020-3952 | 10.0 | Critical | 6.7u3f | None | KB78543 |
vCenter Server | 6.5 | Any | CVE-2020-3952 | N/A | N/A | Unaffected | N/A | N/A |
Sources:
- https://www.darkreading.com/vulnerabilities—threats/researchers-explore-details-of-critical-vmware-vulnerability/d/d-id/1337589?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple
- https://www.vmware.com/security/advisories/VMSA-2020-0006.html
Git Vulnerability – CVE-2020-5260
By exploiting this vulnerability, attackers could obtain host credentials from the Git client. In general, Git uses a credential helper to help users store and retrieve credentials. However, in the case that a URL contains an encoded newline, it could potentially inject unexpected values into the protocol stream of said credential helper. The malicious URL would have the Git client send these credentials to the attacker.
This vulnerability is triggered when an affected version of Git is used to run a git clone command against a malicious URL.
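The defensive check below is an added example (not code from this digest or from Git's own source tree): it models the hardening Git 2.26.1 applied for CVE-2020-5260, refusing any URL whose decoded components would carry a newline into the credential helper's line-based protocol. The URLs used are constructed samples; the exact parsing rules of Git's real credential code are an assumption and differ in detail.

```python
# Added example: a model of the CVE-2020-5260 hardening, not Git's own code.
# Git passes credential helpers a newline-separated "key=value" stream, so a
# URL component that percent-decodes to CR or LF would smuggle an extra line
# into that stream. The check refuses such URLs before any helper would run.
from urllib.parse import urlsplit, unquote


class UnsafeCredentialUrl(ValueError):
    """Raised when a URL cannot be represented safely in the helper protocol."""


def credential_fields(url: str) -> dict:
    """Decode a URL into the fields a credential helper would receive.

    Any component containing CR or LF after decoding is rejected, in the
    spirit of the upstream fix (assumption: this is a simplified model of
    Git's parser, e.g. path handling is approximate).
    """
    parts = urlsplit(url)
    fields = {
        "protocol": parts.scheme,
        "host": unquote(parts.netloc.rsplit("@", 1)[-1]),
        "path": unquote(parts.path.lstrip("/")),
    }
    if parts.username is not None:
        fields["username"] = unquote(parts.username)
    for key, value in fields.items():
        if "\n" in value or "\r" in value:
            raise UnsafeCredentialUrl(
                f"{key} contains a newline after URL-decoding; refusing URL")
    if not fields["protocol"] or not fields["host"]:
        raise UnsafeCredentialUrl("protocol and host are both required")
    return {k: v for k, v in fields.items() if v}


def is_safe_credential_url(url: str) -> bool:
    """True if the URL passes the check, False if it would be refused."""
    try:
        credential_fields(url)
    except UnsafeCredentialUrl:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: a normal clone URL and one with an encoded
    # newline (%0A) inside the host component.
    print(credential_fields("https://git.example.com/team/repo.git"))
    print(is_safe_credential_url("https://git.example.com%0Aextra/repo.git"))
```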
POC:
A PoC already exists (an HTTP PoC endpoint for CVE-2020-5260 that can be deployed to Heroku), so make sure your Git is updated.
Affected Versions | Unaffected version |
Git 2.17.x <= 2.17.3 | Git 2.17.4 |
Git 2.18.x <= 2.18.2 | Git 2.18.3 |
Git 2.19.x <= 2.19.3 | Git 2.19.4 |
Git 2.20.x <= 2.20.2 | Git 2.20.3 |
Git 2.21.x <= 2.21.1 | Git 2.21.2 |
Git 2.22.x <= 2.22.2 | Git 2.22.3 |
Git 2.23.x <= 2.23.1 | Git 2.23.2 |
Git 2.24.x <= 2.24.1 | Git 2.24.2 |
Git 2.25.x <= 2.25.2 | Git 2.25.3 |
Git 2.26.x <= 2.26.0 | Git 2.26.1 |
How to Remediate:
The most effective way to protect against this vulnerability is to upgrade to Git 2.26.1.
If you can’t update immediately, reduce your risk with the following:
- Avoid running git clone with --recurse-submodules against untrusted repositories
- Avoid using the credential helper by only cloning publicly available repositories
GitHub has also taken proactive action to protect against these attacks. Specifically, they:
- Deployed a change to prevent malicious .gitmodules files from being pushed to GitHub.com
- Scheduled a GitHub Desktop release for later today that prevents exploiting this vulnerability
- Patched recent releases of GitHub Enterprise
Credit for finding these vulnerabilities goes to Felix Wilhelm of Google Project Zero.
Security Updates for Multiple Cisco Products
Cisco have recently released security updates for multiple products to address vulnerabilities rated “High” and “Medium”. Should these be exploited, they could allow a remote attacker to take control of an affected system. CISA (the Cybersecurity and Infrastructure Security Agency) has encouraged reviewing the following Cisco advisories and applying the necessary updates.
How to Remediate:
- IP Phones Web Server Remote Code Execution and Denial-of-Service Vulnerability cisco-sa-voip-phones-rce-dos-rB6EeRXs
- Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data cisco-sa-ucsd-mult-vulns-UNfpdW4E
- Wireless LAN Controller 802.11 Generic Advertisement Service Denial-of-Service Vulnerability cisco-sa-wlc-gas-dos-8FsE3AWH
- Wireless LAN Controller CAPWAP Denial-of-Service Vulnerability cisco-sa-wlc-capwap-dos-Y2sD9uEw
- Webex Network Recording Player and Cisco Webex Player Arbitrary Code Execution Vulnerability cisco-sa-webex-player-Q7Rtgvby
- Mobility Express Software Cross-Site Request Forgery Vulnerability cisco-sa-mob-exp-csrf-b8tFec24
- IoT Field Network Director Denial-of-Service Vulnerability cisco-sa-iot-coap-dos-WTBu6YTq
- Unified Communications Manager Path Traversal Vulnerability cisco-sa-cucm-taps-path-trav-pfsFO93r
- Aironet Series Access Points Client Packet Processing Denial-of-Service Vulnerability cisco-sa-airo-wpa-dos-5ZLs6ESz
Four Zero-Day Vulnerabilities found in IBM’s Enterprise Security Software
A PoC and technical details of four unpatched zero-day vulnerabilities affecting IBM enterprise security software were disclosed. This comes after IBM originally refused to acknowledge the responsibly submitted disclosure.
The affected software is IBM Data Risk Manager (IDRM), designed to analyze an organization’s sensitive business information assets and determine the associated risks. It contains three Critical-severity vulnerabilities and a high-impact bug that can be exploited over the network by an unauthenticated attacker:
- Authentication Bypass
- Command Injection
- Insecure Default Password
- Arbitrary File Download
When chained together, they could lead to RCE as root, as described by Pedro Ribeiro of the firm Agile Information Security.
While Ribeiro had successfully tested the flaws against IDRM versions 2.0.1 to 2.0.3, he suggests that these will also work through 2.0.4 to the newest version 2.0.6, as “there is no mention of fixed vulnerabilities in any change log”.
Besides technical details, the researcher has also released two Metasploit modules for authentication bypass, remote code execution, and arbitrary file download issues.
Track them, as there’s no fix available just yet:
An IBM spokesperson told The Hacker News that “a process error resulted in an improper response to the researcher who reported this situation to IBM. We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”
Source: https://thehackernews.com/2020/04/ibm-data-risk-manager-vulnerabilities.html
Segmentation fault in SSL_check_chain – CVE-2020-1967
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the “signature_algorithms_cert” TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. This issue was found by Bernd Edlinger, using the static analysis pass being implemented in GCC, -fanalyzer, and reported to OpenSSL.
Affected Versions:
OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue.
This issue did not affect OpenSSL versions prior to 1.1.1d.
How to fix:
- Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g (git commit), as recommended in the OpenSSL advisory.
Source: https://www.openssl.org/news/secadv/20200421.txt