Get a demo
Voyager18 (research)

The Vulcan Vulnerability Digest - Network Security Threats

Derek Hays | April 23, 2020

Over the past couple of weeks, we’ve seen some high profile security threats  that require your immediate attention. In this digest we’ve rounded them all up. Now in order to help you address these threats, I’ve added actionable steps for you to follow in order to mitigate these risks.

Table of Contents:
  1. SMB Ghost RCE Exploit
  2. Critical VMware Vulnerability
  3. Git Vulnerability
  4. Security Updates for Multiple Cisco Products
  5. Four Zero-Day Vulnerabilities found in IBM
  6. Segmentation fault in SSL_check_chain

SMB Ghost RCE Exploit Demoed

A proof-of-concept RCE (remote code execution) exploit for the Windows 10 CVE-2020-0796 was demoed by researchers at Ricerca Security.  

The vulnerability, called SMB Ghost is found in the Microsoft Server Message Block 3.1.1 (SMBv3) network communication protocol. It impacts systems running Windows 10, version 1903 and 1909, as well as Server Core installations of Windows Server, versions 1903 and 1909. 

If you haven’t patched the vulnerable systems yet, we suggest doing it immediately. 

Microsoft have released patches for all affected platforms, after several POC exploits had surfaced, including a DoS developed by Marcus Hutchins from Kryptos Logic. 

How to Remediate: 

The best course of action to take is to apply the patch released. However, if for any reason that cannot be done, you can mitigate the risk as previously shown in our blog

  • Disable SMBv3 compression 

You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below:

Set-ItemProperty -Path “HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters” DisableCompression -Type DWORD –Value 1 –Force 

 

A couple of notes about this: 1. No reboot is needed after making the change. 2. This workaround does not prevent exploitation of SMB clients.

  • Block inbound and outbound SMB 

Consider blocking outbound SMB connections (TCP port 445 for SMBv3) from the local network to the WAN. Also ensure that SMB connections from the internet are not allowed to connect inbound to an enterprise LAN. 

Sources: 

Critical VMware Vulnerability – CVE-2020-3952

Details around CVE-2020-3952, a major vulnerability in VMware’s vCenter with a CVSS score of 10 have now been published. This vulnerability exists within VMware’s Directory Service (vmdir), a centralized management platform for virtualized hosts and virtual machines that can manage hundreds of workloads. 

The platform uses SSO (single sign-on) that includes not only vmdir, but also Security Token Service, admin server and vCenter Lookup Service. With that, when the vulnerability was disclosed, VMware said that vmdir “does not correctly implement access controls”.   

Should an attacker gain network access to port 389 on an affected vmdir deployment, they could steal highly sensitive information, such as admin account credentials. Leveraging the SSO, that could enable access to vCenter Server or other services that are dependent on vmdir for authentication. 

How to Remediate:  

You can find the relevant patch here:

Product Version Running On CVE Identifier CVSSV3 Severity Fixed Version Workarounds Additional Documentation
vCenter Server 7.0 Any CVE-2020-3952 N/A N/A Unaffected N/A N/A
vCenter Server 6.7 Virtual Appliance CVE-2020-3952 10.0 Critical 6.7u3f None KB78543
vCenter Server 6.7 Windows CVE-2020-3952 10.0 Critical 6.7u3f None KB78543
vCenter Server 6.5 Any CVE-2020-3952 N/A N/A Unaffected N/A N/A

 

Sources:

Git Vulnerability – CVE-2020-5260

By exploiting this vulnerability, attackers could obtain host credentials from the Git client. In general, Git uses a credential helper to help users store and retrieve credentials. However, in the case that a URL contains an encoded newline, it could potentially inject unexpected values into the protocol stream of said credential helper. The malicious URL would have the Git client send these credentials to the attacker. 

When the affected version of Git is used to execute a git close command on a malicious URL, this vulnerability will be triggered 

POC:  

With already a POC out there (HTTP PoC Endpoint for cve-2020-5260) which can be deployed to Heroku, make sure you Git is updated. 

Affected Versions Unaffected version 
Git 2.17.x <= 2.17.3  Git 2.17.4 
Git 2.18.x <= 2.18.2  Git 2.18.3 
Git 2.19.x <= 2.19.3  Git 2.19.4 
Git 2.20.x <= 2.20.2  Git 2.20.3 
Git 2.21.x <= 2.21.1  Git 2.21.2 
Git 2.22.x <= 2.22.2  Git 2.22.3 
Git 2.23.x <= 2.23.1  Git 2.23.2 
Git 2.24.x <= 2.24.1  Git 2.24.2 
Git 2.25.x <= 2.25.2  Git 2.25.3 
Git 2.26.x <= 2.26.0  Git 2.26.1 
 
How to Remediate: 

The most effective way to protect against this vulnerability is to upgrade to Git 2.26.1.

If you can’t update immediately, reduce your risk with the following:

  • Avoid running git clone with –recurse-submodules against untrusted repositories 
  • Avoid using the credential helper by only cloning publicly available repositories 

GitHub has also taken proactive action in order to protect against these attacks. Specifically, we: 

  • Deployed a change to prevent malicious .gitmodules files from being pushed to GitHub.com 
  • Scheduled a GitHub Desktop release for later today that prevents exploiting this vulnerability 
  • Patched recent releases of GitHub Enterprise 

Credit for finding these vulnerabilities goes to Felix Wilhelm of Google Project Zero.

Source: https://github.blog/2020-04-14-git-credential-helper-vulnerability-announced/#upgrade-to-the-latest-git-version

Security Updates for Multiple Cisco Products

Cisco have recently released security updates for multiple products. The goal was to address vulnerabilities with a “High” and “Medium” score. Should these be exploited, a remote attacker to take control of an affected system. CISA (The Cybersecurity and Infrastructure Security Agency) has encouraged reviewing the following Cisco advisories and applying the necessary updates. 

How to Remediate: 

Source: https://www.us-cert.gov/ncas/current-activity/2020/04/16/cisco-releases-security-updates-multiple-products 

Four Zero-Day Vulnerabilities found in IBM’s Enterprise Security Software 

 A PoC and technical details of four unpatched zero-day vulnerabilities that affect an IBM enterprise security software were disclosed. This comes after IBM originally refused to acknowledge the responsibly submitted disclosure.

IBM Data Risk Manager (IDRM)designed to analyze sensitive business information assets of an organization and determine associated risks, is the affected software. It contains three Critical-severity vulnerabilities and a high-impact bug that can be exploited by an unauthenticated attacker reachable over the network: 

  • Authentication Bypass 
  • Command Injection 
  • Insecure Default Password 
  • Arbitrary File Download 

When changed together, they could lead to RCE as root, as described by Pedro Ribeiro from Agile Information Security firm.  

While Ribeiro had successfully tested the flaws against IDRM versions 2.0.1 to 2.0.3, he suggests that these will also work through 2.0.4 to the newest version 2.0.6, as “there is no mention of fixed vulnerabilities in any change log”. 

Besides technical details, the researcher has also released two Metasploit modules for authentication bypass, remote code execution, and arbitrary file download issues.

Track them, as there’s no fix available just yet: 

An IBM spokesperson told The Hacker News that “a process error resulted in an improper response to the researcher who reported this situation to IBM. We have been working on mitigation steps and they will be discussed in a security advisory to be issued.” 

Source: https://thehackernews.com/2020/04/ibm-data-risk-manager-vulnerabilities.html 

Segmentation fault in SSL_check_chain – CVE-2020-1967  

Server or client applications that call the SSL_check_chain() function during or
after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
result of incorrect handling of the “signature_algorithms_cert” TLS extension.
The crash occurs if an invalid or unrecognised signature algorithm is received
from the peer. This could be exploited by a malicious peer in a Denial of
Service attack. This issue was found by Bernd Edlinger, using static analysis pass being implemented in GCC,-fanalyzer, and reported to OpenSSL
 

Affected Versions: 

OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1 are affected by this issue.  

This issue did not affect OpenSSL versions prior to 1.1.1d. 

How to fix: 

While OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue.  

This issue did not affect OpenSSL versions prior to 1.1.1d. 

Source: https://www.openssl.org/news/secadv/20200421.txt

 

 

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy

strip-img-2.png

Get rid of silos;

Start owning exposure risk

Test drive the leader in exposure risk management