For the third time in two weeks, Google has patched Chrome zero-day vulnerabilities that are being actively exploited in the wild: CVE-2020-16009 is present in the desktop version of the browser, CVE-2020-16010 in the mobile (Android) version. About the vulnerabilities (CVE-2020-16009, CVE-2020-16010) As per usual, Google has refrained from sharing much detail about each of the patched vulnerabilities, so all we know is this: CVE-2020-16009 is an inappropriate implementation flaw in V8, Chrome’s open source …
Google researchers have made public a Windows kernel zero day vulnerability (CVE-2020-17087) that is being exploited in the wild in tandem with a Google Chrome flaw (CVE-2020-15999) that has been patched on October 20.
CVE-2020-17087 is a vulnerability in the Windows Kernel Cryptography Driver, and “constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”
More technical information has been provided in the Chromium issue tracker entry, which was kept inaccessible to the wider public for the first seven days, but has now been made public.
The researchers have also included PoC exploit code, which has been tested on Windows 10 1903 (64-bit), but they noted that the affected driver (cng.sys) “looks to have been present since at least Windows 7,” meaning that all the other supported Windows versions are probably vulnerable.
Exploitation and patching
Shane Huntley, Director of Google’s Threat Analysis Group (TAG) confirmed that the vulnerability chain is being used for targeted exploitation and that the attacks are “not related to any US election-related targeting.”
The attackers are using the Chrome bug to gain access to the target system and then CVE-2020-17087 to gain administrator access on it.
A patch for the issue is expected to be released on November 10, as part of the monthly Patch Tuesday effort by Microsoft.
Currently we expect a patch for this issue to be available on November 10.
While the bug is serious, the fact that it’s being used in targeted (and not widespread) attacks should reassure most users they’ll be safe until the patch is released.
Also, according to a Microsoft spokesperson, exploitation of the flaw has only been spotted in conjunction with the Chrome vulnerability, which has been patched in Chrome and other Chromium-based browsers (e.g., Opera on October 21, Microsoft Edge on October 22).
Users who have implemented those updates are, therefore, safer still.
A technical support intervention has revealed two zero-day vulnerabilities in the OS running on Cisco enterprise-grade routers that attackers are trying to actively exploit.
Cisco plans to release software updates to plug these security holes, but in the meantime administrators are advised to implement one or all of the provided mitigations.
About the vulnerabilities
The two zero-day flaws – CVE-2020-3566 and CVE-2020-3569 – affect the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software, running on Cisco enterprise-grade routers for service providers, data centers, enterprises, and critical infrastructure.
They can be exploited by an unauthenticated, remote attacker by sending crafted IGMP (Internet Group Management Protocol) traffic to an affected device.
“A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols,” Cisco explained.
Proposed mitigations include:
- Implementing a rate limiter for IGMP traffic
- Implementing an access control entry (ACE) to an existing interface access control list (ACL). “Alternatively, the customer can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface,” the company noted.
The company has also provided indicators of compromise, i.e., messages that can be seen in the system logs if a device is experiencing memory exhaustion based on exploitation of these vulnerabilities.
“These vulnerabilities affect any Cisco device that is running any release of Cisco IOS XR Software if an active interface is configured under multicast routing,” they added.
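The rate limiter and ACL mitigations above are applied on the router itself; when checking whether a device is actually receiving the crafted IGMP traffic, it helps to know how DVMRP messages look on the wire. The following is an added example (not Cisco's code or anything from the advisory) that parses raw IPv4 packets, identifies IGMP messages carrying DVMRP (IGMP type 0x13), and reports sources that exceed a per-source message threshold, which is the same criterion a rate limiter would enforce. The packets, addresses and the threshold are constructed for the example.

```python
import struct
from collections import Counter

IP_PROTO_IGMP = 2
IGMP_TYPE_DVMRP = 0x13          # DVMRP is carried as IGMP message type 0x13
IGMP_TYPE_MEMBERSHIP_QUERY = 0x11


def build_ipv4_igmp(src, dst, igmp_type, code=0):
    """Constructed sample packet (not captured traffic): a minimal 20-byte IPv4
    header followed by an 8-byte IGMP header. Checksums are left as zero,
    which is fine for a parser that does not verify them."""
    igmp = struct.pack("!BBH4s", igmp_type, code, 0, b"\x00\x00\x00\x00")
    total_len = 20 + len(igmp)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                      # version 4, IHL 5 (no options)
        0, total_len, 0, 0, 64,
        IP_PROTO_IGMP, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return ip + igmp


def classify(packet):
    """Return (source IP, IGMP type) for an IPv4/IGMP packet, else None.
    Honours the IHL field so packets with IP options are parsed correctly."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8:
        return None
    if packet[9] != IP_PROTO_IGMP:
        return None
    src = ".".join(str(b) for b in packet[12:16])
    igmp_type = packet[ihl]        # first byte after the IP header
    return src, igmp_type


def dvmrp_sources_over_threshold(packets, threshold):
    """Count DVMRP messages per source address and return those sources whose
    count exceeds `threshold` (an assumed limit chosen for the example)."""
    counts = Counter()
    for pkt in packets:
        parsed = classify(pkt)
        if parsed and parsed[1] == IGMP_TYPE_DVMRP:
            counts[parsed[0]] += 1
    return {src: n for src, n in counts.items() if n > threshold}


# Constructed sample: one source sends a burst of DVMRP messages, another sends
# ordinary membership queries, a third sends a couple of DVMRP messages.
SAMPLE_PACKETS = (
    [build_ipv4_igmp("192.0.2.10", "224.0.0.4", IGMP_TYPE_DVMRP)] * 50
    + [build_ipv4_igmp("192.0.2.20", "224.0.0.1", IGMP_TYPE_MEMBERSHIP_QUERY)] * 5
    + [build_ipv4_igmp("192.0.2.30", "224.0.0.4", IGMP_TYPE_DVMRP)] * 2
)

if __name__ == "__main__":
    print(dvmrp_sources_over_threshold(SAMPLE_PACKETS, threshold=10))
```

Only the bursting source is reported; the host sending ordinary membership queries is ignored even though its packets are also IGMP, and the third source stays under the threshold. Feeding real captures in would require stripping the link-layer header first.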
The fix for CVE-2019-16759, a remote code execution vulnerability in vBulletin that was patched in September 2019, is incomplete, security researcher Amir Etemadieh has discovered.
The discovery and his publishing of PoC and full exploits spurred attackers to launch attacks:
A new VBulletin Zero Day got dropped yesterday by @Zenofex that revealed the CVE-2019-16759 patch was incomplete – within three hours https://t.co/LwbPuEoL5b was attacked, but we were ready for it. Disable PHP rendering to protect yourself until patched! https://t.co/7JtmEzcTFG pic.twitter.com/R4AcCoZt1B
— Jeff Moss (@thedarktangent) August 10, 2020
Several other admins confirmed that they’ve been hit.
Risk mitigation and prevention
Etemadieh explained how he discovered that the patch for CVE-2019-16759 was flawed in a blog post published on Sunday.
Today I released my research on vBulletin5 including a new pre-auth 0day RCE exploit https://t.co/m7pd527lCr
POC: curl -s http://SITE/ajax/render/widget_tabbedcontainer_tab_panel -d ‘subWidgets[template]=widget_php&subWidgets[config][code]=echo%20shell_exec(“id”); exit;’ pic.twitter.com/JjThUBVTmc
— Amir Etemadieh (@Zenofex) August 9, 2020
It’s a quality write-up and contains a one-line PoC exploit and full exploits written in Bash, Python and Ruby, as well as instructions on how to implement a fix until a more complete patch is released (in short, forum admins were advised to temporarily disable PHP widgets).
“Tenable Research has tested the proof of concept from Etemadieh and confirmed successful exploitation using the latest version of vBulletin,” Tenable research engineer Satnam Narang confirmed.
Internet Brands, the makers of vBulletin, had not been notified of this discovery prior to publication, so they’ve scrambled to fix the flaw again.
New patches were made available on Monday, for versions 5.6.2, 5.6.1 and 5.6.0 of vBulletin Connect, and they disable the PHP Module widget. The upcoming v5.6.3 will contain the patch.
“All older versions should be considered vulnerable. Sites running older versions of vBulletin need to be upgraded to vBulletin 5.6.2 as soon as possible,” they advised, and noted that vBulletin Cloud sites are not affected by this issue.
vBulletin is the most popular internet forum software in use today and also powers many dark web forums. vBulletin flaws, especially when they allow remote code execution without authentication, are usually speedily leveraged by attackers, so admins are advised to implement the patches ASAP.
In May 2020, Microsoft patched CVE-2020-1048, a privilege escalation vulnerability in the Windows Print Spooler service discovered by Peleg Hadar and Tomer Bar from SafeBreach Labs. A month later, the two researchers found a way to bypass the patch and re-exploit the vulnerability on the latest Windows version. Microsoft assigned this vulnerability a new identification number – CVE-2020-1337 – and will patch it on the August 2020 Patch Tuesday. They’ve also discovered a DoS flaw affecting …
A zero-day vulnerability in Zoom for Windows may be exploited by an attacker to execute arbitrary code on a victim’s computer. The attack doesn’t trigger a security warning and can be pulled off by getting the victim to perform a typical action such as opening a received document file.
Acros Security, the creators of 0patch, have pushed out a micropatch that will close the security hole until Zoom Video Communications delivers a fix.
About the vulnerability
The vulnerability was discovered by an unnamed researcher and reported to Acros Security, who reported it to Zoom earlier today.
It is present in all supported versions of the Zoom client for Windows, and the 0patch team created a micropatch for all of them (from v5.0.3 up to the latest one, v5.1.2).
The flaw is only exploitable if the client is installed on Windows 7 and older Windows systems, due to a specific system property.
“The flaw is likely also exploitable on Windows Server 2008 R2 and earlier though we didn’t test that; either way, our micropatch will protect you wherever you’re using the Zoom client,” Acros Security CEO Mitja Kolsek told Help Net Security.
“While Microsoft’s official support for Windows 7 has ended this January, there are still millions of home and corporate users out there prolonging its life with Microsoft’s Extended Security Updates or with 0patch,” he noted.
He also said that the flaw can be exploited through several attack scenarios, but that they will refrain from publishing more detailed information and the PoC exploit until Zoom fixes the issue or decides not to fix it.
Options available to users
Until Zoom pushes out a fix, the options for users who wish to stay safe are as follows:
- Temporarily stop using Zoom
- Update Windows to a newer version
- Implement the micropatch.
“We were able to quickly create a micropatch that removes the vulnerability in four different places in the [software’s] code,” Kolsek noted. The micropatches are available for free to all 0patch users until a fix is released.
“0patch is designed such that when a vulnerable executable module is replaced by a new version, any micropatches that were made for that vulnerable module automatically stop applying (because the cryptographic hash of the module changes). When Zoom issues an updated Client for Windows and you install it on your computer, our micropatch will become obsolete,” he explained.
“In case this updated Zoom Client does not fix this vulnerability, we’ll port the micropatch and make it available for free as quickly as possible.”
Sophos has released an emergency hotfix for an actively exploited zero-day SQL injection vulnerability in its XG Firewalls, and has rolled it out to all units with the auto-update option enabled.
Aside from plugging the security hole, the hotfix detects whether the firewall was hit by attackers and, if it was, stops the firewall from accessing any attacker infrastructure, cleans up remnants of the attack, and notifies administrators so that they can perform additional remediation steps.
About the vulnerability and the attack
The flaw, which has yet to be assigned a CVE identification number, was previously unknown to Sophos and turned out to be a pre-auth SQL injection vulnerability that was exploited for remote code execution.
The zero-day affects all versions of XG Firewall firmware on both physical and virtual Sophos firewalls.
“Sophos received a report on April 22, 2020, at 20:29 UTC regarding an XG Firewall with a suspicious field value visible in the management interface. Sophos commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units,” the company shared.
“The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected.”
The company says that the attack used a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for SFOS, the Sophos Firewall Operating System (i.e., the firmware).
The goal of the attack was to deliver malware that is able to collect information such as:
- The firewall’s public IP address
- Its license key
- The email addresses of user accounts that were stored on the device as well as that of the administrator account
- Firewall users’ names, usernames, the encrypted form of the passwords, and the salted SHA256 hash of the administrator account’s password
- A list of the user IDs permitted to use the firewall for SSL VPN and accounts that were permitted to use a “clientless” VPN connection
- Additional information about the firewall (e.g., firmware version, CPU type, etc.)
- A list of the IP address allocation permissions for the users of the firewall
All this information was written in a file, which was compressed, encrypted, and uploaded to a remote machine controlled by the attacker(s).
Those admins who have disabled the (default) auto-update option are advised to implement the hotfix.
The admins whose firewalls have been compromised should reset device administrator accounts, reboot the affected device(s), reset passwords for all local user accounts and for any accounts where the XG credentials might have been reused.
Sophos also advises admins to reduce attack surface by disabling HTTPS Admin Services and User Portal access on the WAN interface (if possible).
“While customers should always conduct their own internal investigation, at this point Sophos is not aware of any subsequent remote access attempts to impacted XG devices using the stolen credentials,” the company added.
Mozilla has released critical security updates for Firefox and Firefox ESR on Friday, patching two vulnerabilities that are being actively exploited by attackers.
The flaws fixed in Firefox 74.0.1 and Firefox ESR 68.6.1 are:
- CVE-2020-6819: A use-after-free flaw caused by a race condition while running the nsDocShell destructor
- CVE-2020-6820: A use-after-free caused by a race condition when handling a ReadableStream
No additional details about them have been provided and the bug entries in Mozilla’s bug database are still inaccessible to the wider public. The bugs have been rated “critical”, which means that chances are high they can lead to remote code execution (whether individually or chained together).
The vulnerabilities (and presumably their active exploitation) have been flagged by security researchers Francisco Alonso and Javier Marcos.
One of Alonso’s comments on Twitter seems to indicate that the flaws may also affect other browsers:
There is still lots of work to do and more details to be published (including other browsers). Stay tuned.
— Francisco Alonso (@revskills) April 3, 2020
Home users and enterprise admins are advised to implement the provided updates as soon as possible.
I would also urge home users to think about making Firefox update itself every time a new update is made available, as recommended by Mozilla. If you generally don’t think twice about installing offered updates, the “Automatically install updates” option might be the right thing for you.
The last actively exploited Firefox zero-day vulnerability before these was patched in January 2020.
While we wait for Microsoft to provide fixes for the two new Windows RCE zero-days that are being exploited in “limited targeted Windows 7 based attacks,” ACROS Security has released micropatches that can prevent remote attackers from exploiting the flaws.
About the micropatches for Windows zero-days
In a blog post published on Thursday, ACROS Security CEO Mitja Kolsek explained which attack vectors can be used to exploit the vulnerabilities and why Windows 10 users are at a lower risk of attack.
He also went through each of the mitigations recommended by Microsoft and explained the pros and cons of implementing each of them, and noted that their own micropatches protect only against remote attack vectors.
“Obviously we can’t patch these vulnerabilities because we don’t know what they are, but we can infer from Microsoft’s advisory that blocking Adobe Type 1 PostScript fonts from reaching the vulnerable kernel parsing code would block attacks,” he explained.
“So we decided to find the common execution point that various Windows applications such as Windows Explorer, Font Viewer, and applications using Windows-integrated font support are using to pass a font to Windows, then place a bouncer there that would keep Adobe Type 1 PostScript fonts out.”
And so they did.
The micropatches are implemented through 0patch, the company’s platform for distributing, applying and removing microscopic binary patches to/from running processes. For the time being (and until Microsoft releases the fixes), users of the free subscription tier will also be able to implement it.
Also for the time being, micropatches are only available for fully updated Windows 7 64-bit and Windows Server 2008 R2 without Extended Security Updates (ESU).
“This provides protection for our users who continue using these Windows versions but were unable or unwilling to obtain ESU, and are now, somewhat ironically, the only Windows users with a patch for these vulnerabilities,” Kolsek noted.
They will continue porting it to other affected Windows versions but not Windows 10 and newer Windows Server versions because the exploitation risk is lower on those.
Since the start of the year, journalists and news outlets have become preferred targets of government-backed cyber attackers, Google’s Threat Analysis Group (TAG) has noticed.
“For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation. In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign policy expert before sending a malicious attachment in a follow up email,” shared Toni Gidwani, a security engineering manager at TAG.
Government-backed attackers also target foreign policy experts – for their research, access to the organizations they work with, and connection to fellow researchers or policymakers for subsequent attacks – as well as government officials, dissidents and activists.
Protecting Google accounts
Aside from trying to deliver malware to compromise the targets’ computer and/or smartphone, the attackers are also trying to compromise their online accounts – repeatedly.
“In 2019, one in five accounts that received a [government-backed phishing or malware attack] warning was targeted multiple times by attackers. If at first the attacker does not succeed, they’ll try again using a different lure, different account, or trying to compromise an associate of their target,” Gidwani said, and boasted about the effectiveness of Google’s protections when it comes to phishing and account hijacking.
“We’ve yet to see people successfully phished if they participate in Google’s Advanced Protection Program (APP), even if they are repeatedly targeted,” she claimed.
Google’s APP provides additional account security for those who are at an elevated risk of targeted attacks, by: requiring the person logging in to have a specific physical security key (as well as the password and the second authentication factor), preventing untrusted third-party apps from accessing the account, providing added download protection, insisting on a stricter account recovery process, etc.
The attackers haven’t failed to notice the effectiveness of the protections, Gidwani says, and have slowed down their onslaught. “In 2019, we sent almost 40,000 warnings, a nearly 25 percent drop from 2018,” she noted.
Google’s TAG also discovers attacks and tracks attackers exploiting zero-day vulnerabilities in popular software – in 2019, they discovered zero-day vulnerabilities affecting Android, Chrome, iOS, Internet Explorer and Windows.
“Last year, TAG discovered that a single threat actor was capitalizing on five zero-day vulnerabilities,” she shared.
“Finding this many zero-day exploits from the same actor in a relatively short time frame is rare. The exploits were delivered via compromised legitimate websites (e.g. watering hole attacks), links to malicious websites, and email attachments in limited spear phishing campaigns. The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues.”
Attackers are exploiting two new zero-days in the Windows Adobe Type Manager Library to achieve remote code execution on targeted Windows systems, Microsoft warns.
The attacks are limited and targeted, the company noted, and provided workarounds to help reduce customer risk until a fix is developed and released.
More about the new Windows zero-days
According to the security advisory published on Monday, the vulnerabilities arise from the affected library’s improper handling of a specially-crafted multi-master font – Adobe Type 1 PostScript format.
“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane,” the company shared, and said that the Outlook Preview Pane is not an attack vector for this vulnerability.
The flaws affect:
- Windows 10
- Windows 8.1
- Windows 7
- Windows RT 8.1
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server, version 1803
- Windows Server, version 1903
- Windows Server, version 1909
“For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities,” Microsoft added.
Mitigations and workarounds
Enhanced Security Configuration, which is on by default on Windows Servers, does not mitigate the vulnerabilities.
Offered workarounds include disabling the Preview Pane and Details Pane in Windows Explorer, disabling the WebClient service, and renaming the ATMFD.DLL file. Microsoft explains how to do all that and the impacts of these workarounds in the security advisory.
The company did not offer more details about the attacks nor did it say when the security updates will be released, but has noted that to receive them for Windows 7, Windows Server 2008, or Windows Server 2008 R2 users will have to have an Extended Security Updates (ESU) license.
Trend Micro has fixed two actively exploited zero-day vulnerabilities in its Apex One and OfficeScan XG enterprise security products, and advises customers to update to the latest software versions as soon as possible.
About the vulnerabilities
The two zero-days are:
- CVE-2020-8467, a critical flaw in the migration tool component of the two solutions that could allow remote attackers to execute arbitrary code on affected installations
- CVE-2020-8468, a high-risk content validation escape vulnerability affecting Apex One and OfficeScan agents, which could allow remote attackers to manipulate certain agent client components.
In both cases, attackers must authenticate to the target endpoint with valid, compromised credentials before attempting exploitation, which means that these flaws are likely to have been exploited by attackers who have already found their way into the enterprise network.
Affected versions are Apex One 2019 (on premise) for Windows and OfficeScan XG SP1 and XG for Windows. Fixes have been implemented in:
- Apex One (on premise) CP 2117
- OfficeScan XG SP1 CP 5474
- OfficeScan XG CP 1988
In addition to these two zero-days, three additional critical security holes (CVE-2020-8470, CVE-2020-8598 and CVE-2020-8599) have been plugged in these updates. These allow remote attacks without authentication, but Trend Micro has not observed any attempted exploits of those vulnerabilities.
The company did not share the nature of the in-the-wild attacks.
For the third time in a year, Google has fixed a Chrome zero-day (CVE-2020-6418) that is being actively exploited by attackers in the wild.
The vulnerability was discovered and reported to the Chromium team by Clement Lecigne of Google’s Threat Analysis Group on February 18.
The fix was already in place a day later but, as the code is public, researchers from Exodus Intelligence managed to analyze it and develop proof-of-concept exploit code.
They released the exploit – which works only if Chrome’s sandbox is disabled or can be bypassed via another vulnerability – and pointed out that it’s a good thing Google has managed to reduce Chrome’s “patch gap” to two weeks.
“It took us around 3 days to exploit the vulnerability after discovering the fix. Considering that a potential attacker would try to couple this with a sandbox escape and also work it into their own framework, it seems safe to say that 1day vulnerabilities are impractical to exploit on a weekly or bi-weekly release cycle,” they noted.
This, of course, does not mean much in this particular instance, as CVE-2020-6418 was a zero-day to begin with (i.e., the exploit for it existed and was used before the patch).
The Chrome release (v80.0.3987.122) fixing CVE-2020-6418 and two other high-risk flaws was released for Windows, Mac, and Linux and will roll out over the coming days/weeks.
Those users and admins who have disabled the auto-updating feature on Chrome would do well to implement the update as soon as possible.
Sophos’ Paul Ducklin also pointed out that V8 is used in other applications and runtime environments, including the Chromium-based Microsoft Edge browser. (Brave, Opera, and Vivaldi are also Chromium-based web browsers and use V8).
“We’re assuming that if other V8-based applications do turn out to share this bug, they will soon be patched too – but as far as we know now, the in-the-wild exploit only applies to V8 as used in Chrome itself,” he added.
Organizations are not making progress in reducing their endpoint security risk, especially against new and unknown threats, a Ponemon Institute study reveals.
68% of IT security professionals say their company experienced one or more endpoint attacks that compromised data assets or IT infrastructure in 2019, an increase from 54% of respondents in 2017.
Zero-day attacks continue to increase in frequency
Of those incidents that were successful, 80% were new or unknown, zero-day attacks. These attacks either involved the exploitation of undisclosed vulnerabilities or the use of new malware variants that signature-based detection solutions do not recognize. Zero-day attacks continue to increase in frequency and are expected to more than double this year.
These attacks are also inflicting more bottom-line business damage. The study found that the average cost per endpoint breach increased to $9M in 2019, up more than $2M since 2018.
“Corporate endpoint breaches are skyrocketing and the economic impact of each attack is also growing due to sophisticated actors bypassing enterprise antivirus solutions,” said Larry Ponemon, Chairman of Ponemon Institute.
“Over half of cybersecurity professionals say their organizations are ineffective at thwarting major threats today because their endpoint security solutions are not effective at detecting advanced attacks.”
The third annual study surveyed 671 IT security professionals responsible for managing and reducing their organization’s endpoint security risk.
Increasing vulnerability during patch gaps
In addition to expressing concern over zero-day threats, respondents noted increasing vulnerability during patch gaps. In fact, 40% of companies say it’s taking longer to patch, with an average patch gap of 97 days due to the number of patches and their complexity.
Patch exploits will continue to be a hot-button issue in 2020 as the last remaining organizations upgrade to Windows 10 on the heels of Windows 7 end of life, and patch frequency increases.
An extra layer of security added to antivirus solutions
The shift to Windows 10 is also ushering in new enterprise security strategies that can be effective in thwarting more advanced threats. With Windows Defender AV built into the Windows 10 operating system, 80% of organizations report using or planning to use Defender AV for savings over their legacy antivirus solution.
Cost savings are being reallocated towards an added layer of advanced threat protection in endpoint stacks and an increase in IT resources. 51% of cybersecurity professionals say they’ve added an extra layer of security to their antivirus solutions.
Furthermore, since 2017 the number of IT departments reporting they have ample resources to minimize endpoint threats has increased from 36% to 44%.
“The move to Windows 10 provides the perfect opportunity for organizations to retool their endpoint security to better defend against the zero-day attacks and advanced threats that are evading legacy antivirus in 2020 and pose the biggest risk to their business,” said Andrew Homer, VP of Security Strategy at Morphisec.
“Forward thinking cybersecurity professionals are shifting to the free antivirus capability built into Windows 10 and reallocating their cost savings into an additional layer of advanced threat protection and increased IT resources.”
The study found that half of the companies that have adopted EDR cite costly customization (55%) and false-positive alerts (60%) as significant challenges.
In addition, of IT departments that haven’t adopted EDR yet, 65% say lack of confidence in the ability to prevent zero-day threats and 61% note security staffing limitations as the top reasons to avoid adoption.
Mozilla has patched a Firefox zero-day vulnerability (CVE-2019-17026) that is being exploited in attacks in the wild and is urging Firefox and Firefox ESR users to update their installations as soon as possible.
According to the accompanying security advisory, the vulnerability was flagged by researchers with Chinese internet security company Qihoo 360 and is being actively abused by attackers.
That’s the extent of the information that’s currently available regarding this flaw, although, according to Catalin Cimpanu, the company let it slip that there is an accompanying Internet Explorer zero-day abused in these ongoing attacks.
Previous zero-days and attacks
The last Firefox zero-day before this one was plugged in June 2019. In fact, there were two: CVE-2019-11707 (also a type confusion flaw) and CVE-2019-11708 (a sandbox escape). Together they were used (unsuccessfully) against Coinbase employees.
Whether this latest flaw is being used for a similar purpose or for an alternative one (e.g., de-anonymization of Tor Browser users) is unknown.
Whatever the case, the Tor Project has announced they will be releasing a new version of the Tor Browser to implement Mozilla’s fix “soon”.