cPanel 2FA bypass vulnerability can be exploited through brute force

A two-factor authentication (2FA) bypass vulnerability affecting the popular cPanel & WHM software suite may allow attackers to access secured accounts, Digital Defense researchers have found.


The vulnerability was patched last week and, by now, web hosting providers have hopefully upgraded their installations. Still, admins of sites that are managed through cPanel should check whether their provider has performed the update (and demand that they do so if they haven’t).

About the cPanel 2FA bypass vulnerability

cPanel & WebHost Manager (WHM) is a suite of tools used by many hosting providers and users. The former use the WHM interface to automate server management and web hosting tasks, and the latter use the cPanel interface to manage their sites, intranets, and online properties.

SEC-575, as it has been labeled by the cPanel Security Team, makes the two-factor authentication feature available to users vulnerable to brute-force attacks.

“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes. This allowed an attacker to bypass the two-factor authentication check using brute force techniques,” the team explained.

The flaw is not deemed to be critical, mainly because exploiting it also requires that attackers have valid credentials for a targeted account. Still, attackers could overcome that hurdle with a convincing phishing email.

“Digital Defense’s internal testing demonstrated that an attack can be accomplished in minutes,” the company noted.

The vulnerability has been fixed (along with two others) in cPanel & WHM versions 92.0.2, 90.0.17, and 86.0.32.

“Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk,” the cPanel Security Team said of the fix.
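The fix described above is a policy change rather than a code change in the 2FA algorithm: a failed code is counted like a failed password so that cPHulk’s rate limiting applies. The following is an added example, not cPanel’s code, that shows the difference between an unlimited verifier and one that counts failures per account and locks the account after a threshold. The TOTP routine is standard RFC 6238 over a constructed demo secret; the class names, the threshold of five failures and the 15-minute window are assumptions chosen for the illustration.

```python
import hmac
import hashlib
import struct
from collections import defaultdict

# Constructed demo secret (hypothetical value for this example only)
SECRET = b"constructed-demo-secret-0123"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class UnlimitedVerifier:
    """Pre-fix behaviour: every submission is checked and none is counted.
    A 6-digit code has only 10**6 values, so unlimited tries make it guessable."""

    def verify(self, account: str, code: str, at: int) -> bool:
        return hmac.compare_digest(code, totp(SECRET, at))


class RateLimitedVerifier:
    """Post-fix behaviour: a failed 2FA code is counted like a failed password,
    and the account is locked once max_failures are seen inside the window."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.failures = defaultdict(list)  # account -> timestamps of failed codes

    def locked(self, account: str, at: int) -> bool:
        recent = [t for t in self.failures[account] if at - t < self.window_seconds]
        self.failures[account] = recent  # forget failures that fell out of the window
        return len(recent) >= self.max_failures

    def verify(self, account: str, code: str, at: int) -> bool:
        if self.locked(account, at):
            return False  # rejected before the code is even compared
        if hmac.compare_digest(code, totp(SECRET, at)):
            self.failures[account].clear()  # a success resets the counter
            return True
        self.failures[account].append(at)
        return False


def wrong_code(at: int) -> str:
    """A code guaranteed not to be the valid one at time `at` (for the demo only)."""
    return "000001" if totp(SECRET, at) == "000000" else "000000"


if __name__ == "__main__":
    now = 1_700_000_000
    v = RateLimitedVerifier()
    for _ in range(5):
        v.verify("alice", wrong_code(now), now)
    print("locked after 5 failures:", v.locked("alice", now))
    print("correct code accepted while locked:", v.verify("alice", totp(SECRET, now), now))
```

The important property is that a locked account rejects even the correct code until the window expires, which is what turns a 10**6-guess search from minutes into a non-starter; in production the counter should live in shared storage (as cPHulk’s does) rather than in process memory, and should be keyed on the account rather than only on the source IP.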

Drupal-based sites open to attack via double extension files (CVE-2020-13671)

Admins of sites running on Drupal are urged to plug a critical security hole (CVE-2020-13671) that may be exploited by attackers to take over vulnerable sites.


They have also been urged to check that the vulnerability hasn’t already been covertly leveraged by attackers.

About the vulnerability (CVE-2020-13671)

CVE-2020-13671 exists because Drupal core (the standard release of Drupal) does not properly sanitize certain filenames on uploaded files.

A malicious file with a double extension (e.g., php.txt) could be “interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations,” the Drupal security team noted.

They have provided security updates with the fix and recommended that admins upgrade to Drupal version 9.0.8, 8.9.9, 8.8.11 or 7.74, depending on which Drupal branch they are currently using.

The team did not say that they are aware of the vulnerability being actively exploited, but recommended that admins audit all previously uploaded files to check for malicious extensions.

“Look specifically for files that include more than one extension, like filename.php.txt or filename.html.gif, without an underscore (_) in the extension. Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions: phar, php, pl, py, cgi, asp, js, html, htm, phtml. This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis,” they advised.
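The audit rule quoted above is mechanical enough to script. The following is an added example, not Drupal’s own code, that applies it: a filename is flagged when one of the listed dangerous extensions appears before the final extension without the trailing underscore that Drupal’s munging adds, and a munge helper shows the neutralised form the advisory describes (shell.php.txt becomes shell.php_.txt). The sample names are constructed, and the directory walker takes whatever path you point it at; no Drupal-specific path is assumed.

```python
import os

# Extensions the Drupal advisory calls dangerous even when other extensions follow them
DANGEROUS = {"phar", "php", "pl", "py", "cgi", "asp", "js", "html", "htm", "phtml"}


def extensions(name: str) -> list:
    """Extension parts of a filename: 'shell.php.txt' -> ['php', 'txt']."""
    return name.split(".")[1:]


def is_suspicious(name: str) -> bool:
    """True when a dangerous extension sits before the final extension without the
    trailing '_' that Drupal's munging adds (so 'shell.php_.txt' is not flagged)."""
    return any(ext.lower() in DANGEROUS for ext in extensions(name)[:-1])


def munge(name: str) -> str:
    """Neutralise a double extension as the advisory describes: append '_' to every
    dangerous non-final extension, e.g. 'shell.php.txt' -> 'shell.php_.txt'."""
    parts = name.split(".")
    if len(parts) < 3:  # at most one extension: nothing to munge
        return name
    head, exts = parts[0], parts[1:]
    fixed = [e + "_" if e.lower() in DANGEROUS else e for e in exts[:-1]]
    return ".".join([head] + fixed + [exts[-1]])


def audit_names(names) -> list:
    """Return the suspicious filenames from an iterable of names, sorted."""
    return sorted(n for n in names if is_suspicious(n))


def audit_directory(root: str) -> list:
    """Walk a public files directory and return the paths of suspicious files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if is_suspicious(f):
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


# Constructed sample names (not real uploads) to exercise the checks
SAMPLE = [
    "report.pdf", "photo.jpg", "a.tar.gz",      # ordinary uploads
    "safe.php_.txt",                            # already munged by Drupal: fine
    "shell.php.txt", "page.html.gif",           # the advisory's own examples
    "notes.PHP.jpg", "script.phtml.png",        # mixed case and other listed names
]

if __name__ == "__main__":
    for name in audit_names(SAMPLE):
        print(f"{name:20} -> rename to {munge(name)}")
```

Run audit_directory against the site’s public files directory and review every hit by hand; as the advisory says, the list of extensions is not exhaustive, so extend DANGEROUS with whatever your web server is configured to execute.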

Drupal-based sites form a big target

Drupal vulnerabilities are often exploited by attackers. Drupal is a free and open-source content management system, and is the fourth most widely used CMS after WordPress, Shopify and Joomla.

But though the number of sites depending on Drupal is much, much smaller than the number of WordPress-based sites, it is still over a million.

Admins should also be aware that while Drupal v7.x is still maintained and receives security updates, it will reach end-of-life in November of 2021, so those who use it are urged to start planning the upgrade to a newer version, preferably 9.x.

VMware patches serious vulnerabilities in ESXi hypervisor, SD-WAN Orchestrator

VMware has patched critical vulnerabilities affecting its ESXi enterprise-class hypervisor and has released a security update for its SD-WAN Orchestrator, plugging a handful of serious security holes.


Vulnerabilities in ESXi hypervisor exploited during a hacking competition

During the Tianfu Cup Pwn Contest that was held in Chengdu, China, earlier this month, Xiao Wei and Tianwen Tang, two researchers from the Qihoo 360 Vulcan Team, exploited two previously unknown vulnerabilities to thoroughly compromise VMware’s ESXi hypervisor:

  • CVE-2020-4004, deemed “critical”, is a use-after-free vulnerability in the XHCI USB controller that can be used by attackers with local administrative privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host
  • CVE-2020-4005, deemed “important”, is a VMX elevation-of-privilege vulnerability that can be used by attackers with privileges within the VMX process to escalate their privileges on the affected system

CVE-2020-4004 affects various versions of ESXi, but also VMware Fusion (Mac virtualization solution), VMware Workstation Player (desktop hypervisor application) and VMware Cloud Foundation (ESXi). CVE-2020-4005 affects ESXi and VMware Cloud Foundation. Most patches are already available, but those for Cloud Foundation are still pending.

Users are advised to peruse this advisory and see whether they should update their installations.

VMware SD-WAN Orchestrator vulnerabilities

VMware has also released security updates for both supported branches (3.x and 4.x) of SD-WAN Orchestrator, its enterprise solution for provisioning virtual services in the branch, the cloud, or the enterprise data center.

They fix six vulnerabilities, including SQL injection vulnerabilities, a directory traversal file execution flaw, and default passwords for predefined accounts which may lead to a Pass-the-Hash attack. In that last instance, the update does nothing – it’s on administrators to change the default passwords of the preconfigured accounts on SD-WAN Orchestrator before production use.

The vulnerabilities are not deemed to be critical, as attackers need to be authenticated in order to exploit them.

Nevertheless, admins have been advised to upgrade their SD-WAN Orchestrator installations to version 4.0.1, 3.4.4, or 3.3.2 P3.

Half of the vulnerabilities have been discovered and reported by Ariel Tempelhof of Realmode Labs, the other half by Christopher Schneider, Cory Billington and Nicholas Spagnola, penetration test analysts at State Farm.

There are currently no reports of these vulnerabilities being exploited in the wild.

Cisco Webex vulnerabilities may enable attackers to covertly join meetings


Cisco has fixed three bugs in its Cisco Webex video conferencing offering that may allow attackers to:

  • Join Webex meetings without appearing in the participant list (CVE-2020-3419)
  • Covertly maintain an audio connection to a Webex meeting after being expelled from it (CVE-2020-3471)
  • Gain access to information (name, email, IP address, device info) on meeting attendees without being admitted to the meeting (CVE-2020-3441)

About the Cisco Webex vulnerabilities

The three flaws were discovered by IBM researchers, after the company’s research department and the Office of the CISO decided to analyze their primary tool for remote meetings (i.e., Cisco Webex).

“These vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants,” the researchers shared.

“These flaws affect both scheduled meetings with unique meeting URLs and Webex Personal Rooms. Personal rooms may be easier to exploit because they are often based on a predictable combination of the room owner’s name and organization name. These technical vulnerabilities could be further exploited with a combination of social engineering, open source intelligence (OSINT) and cognitive overloading techniques.”

The vulnerabilities can all be exploited by unauthenticated, remote attackers, either by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site or by browsing the Webex roster.

More details about the possible attacks are available in this blog post, though details about the flaws will be limited until more users are able to implement the provided updates/patches.

Patches and security updates

The bugs affect both Cisco Webex Meetings sites (cloud-based) and Cisco Webex Meetings Server (on-premises).

Cisco addressed them in Cisco Webex Meetings sites a few days ago and no user action is required.

Users of Cisco Webex Meetings Server are advised to upgrade to 3.0MR3 Security Patch 5 or 4.0MR3 Security Patch 4, which contain the needed fixes.

CVE-2020-3419 also affects all Cisco Webex Meetings apps releases 40.10.9 and earlier for iOS and Android, so users are urged to implement the provided updates.

Google fixes two actively exploited Chrome zero-days (CVE-2020-16009, CVE-2020-16010)

For the third time in two weeks, Google has patched Chrome zero-day vulnerabilities that are being actively exploited in the wild: CVE-2020-16009 is present in the desktop version of the browser, CVE-2020-16010 in the mobile (Android) version.

About the vulnerabilities (CVE-2020-16009, CVE-2020-16010)

As per usual, Google has refrained from sharing much detail about each of the patched vulnerabilities, so all we know is this: CVE-2020-16009 is an inappropriate implementation flaw in V8, Chrome’s open source …


Magento, Visual Studio Code users: You need to patch!

Microsoft and Adobe released out-of-band security updates for Visual Studio Code, the Windows Codecs Library, and Magento.


All the updates fix vulnerabilities that could be exploited for remote code execution, but the good news is that none of them are being actively exploited by attackers (yet!).

Microsoft’s updates

Microsoft has fixed CVE-2020-17023, a remote code execution vulnerability in Visual Studio Code, its free and extremely popular source-code editor that’s available for Windows, macOS and Linux.

“To exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious ‘package.json’ file,” Microsoft explained.

If the target uses an account with administrative privileges, the attacker can take complete control of the affected system.

The vulnerability, discovered by Justin Steven, stems from a botched fix for a previously addressed RCE flaw (CVE-2020-16881).

Microsoft has also fixed an RCE (CVE-2020-17022) in the way that Microsoft Windows Codecs Library handles objects in memory, which could be triggered by a program processing a specially crafted image file.

It only affects Windows 10 users, and only if they installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store.

“Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” the company noted, and explained that “servicing for store apps/components does not follow the monthly ‘Update Tuesday’ cadence, but are offered whenever necessary.”

Adobe’s updates

After fixing just one Adobe Flash Player flaw on October 2020 Patch Tuesday, Adobe has followed up with security updates for several Magento Commerce and Magento Open Source versions.

The updates carry patches for nine vulnerabilities, most of which are exploitable without credentials. Just one of those – CVE-2020-24408, a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component – is exploitable by an attacker that has no administrative privileges.

Among the plugged security holes are two critical ones:

  • CVE-2020-24407 – a file upload allow list bypass that could be exploited to achieve code execution
  • CVE-2020-24400 – an SQL injection that could allow for arbitrary read or write access to the database

Critical flaw in SonicWall’s firewalls patched, update quickly! (CVE-2020-5135)

Earlier this week SonicWall patched 11 vulnerabilities affecting its Network Security Appliance (NSA). Among those is CVE-2020-5135, a critical stack-based buffer overflow vulnerability in the appliances’ VPN Portal that could be exploited to cause denial of service and possibly remote code execution.


About CVE-2020-5135

The SonicWall NSAs are next-generation firewall appliances, with a sandbox, an intrusion prevention system, SSL/TLS decryption and inspection capabilities, network-based malware protection, and VPN capabilities.

CVE-2020-5135 was discovered by Nikita Abramov of Positive Technologies and Craig Young of Tripwire’s Vulnerability and Exposures Research Team (VERT), and has been confirmed to affect:

  • SonicOS 6.5.4.7-79n and earlier
  • SonicOS 6.5.1.11-4n and earlier
  • SonicOS 6.0.5.3-93o and earlier
  • SonicOSv 6.5.4.4-44v-21-794 and earlier
  • SonicOS 7.0.0.0-1

“The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access,” Tripwire VERT explained.

“This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet.”

By using Shodan, both Tripwire and Tenable researchers discovered nearly 800,000 SonicWall NSA devices with the affected HTTP server banner exposed on the internet. As the latter noted, though, it is impossible to determine the actual number of vulnerable devices because their respective versions could not be determined (i.e., some may already have been patched).

A persistent DoS condition is apparently easy for attackers to achieve, as it requires no prior authentication and can be triggered by sending a specially crafted request to the vulnerable service/SSL VPN portal.

VERT says that a code execution exploit is “likely feasible,” though it’s a bit more difficult to pull off.

Mitigation and remediation

There is currently no evidence that the flaw is being actively exploited nor is there public PoC exploitation code available, so admins have a window of opportunity to upgrade affected devices.

Aside from implementing the offered update, they can alternatively disconnect the SSL VPN portal from the internet, though this action does not mitigate the risk of exploitation of some of the other flaws fixed by the latest updates.

Implementing the security updates is, therefore, the preferred step, especially because vulnerabilities in SSL VPN solutions are often targeted by cybercriminals and threat actors.

October 2020 Patch Tuesday forecast: Trick or treat?

It’s October and that means Halloween will be here at the end of the month. It won’t be much fun if we only get to ‘dress up’ and look at each other via video conference. But then, we’ve had a lot of ‘tricks’ thrown at us this last month – Zerologon, explosion of ransomware, COVID phishing attacks, and more. Will we get more tricks next week or are we in for a treat on Patch Tuesday?


The Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472, also referred to as the Zerologon vulnerability, dominated the news this past month. The US Department of Homeland Security issued Emergency Directive 20-04 on September 18, requiring all government agencies with a domain controller to update their servers within three days.

Microsoft has also issued updated guidance since the August Patch Tuesday release to clarify the steps needed to secure systems with this vulnerability. Per the outlined process in the article, the first step is to apply the August 11 updates which will begin enforcement of Secure RPC (Remote Procedure Call), but still allow non-compliant devices to connect and log the connections. Full enforcement will begin with the deployment of the February 9, 2021 updates.

All systems in your environment should be updated and monitored between now and February to verify they are configured and using the secure channels properly. Once the February updates are deployed, only vulnerable systems explicitly listed in group policy will be allowed to connect to the domain controller.

It’s not unexpected that the education community has been hit the hardest by cyberattacks in the past several months. Students of all ages are now spending many hours online in daily remote learning sessions and are constantly exposed to a full host of attacks. The Microsoft Security Intelligence center is showing that 62% of malware encounters are affecting this industry.

As funny as it may sound, this is partially an ‘education’ issue. Most students haven’t received any form of security training and need to be aware of phishing attacks and what to look for, the importance of strong passwords, the need to keep personal or ‘sensitive’ information private, and similar practices we in the industry often take for granted.

With the sudden increase of connections from personal computers, many of which are running out-of-date software, it is more important than ever to maintain solid security practices for the infrastructure and support systems. Teachers should be running authorized software and IT must be prepared to apply the latest security updates, especially for programs like Zoom, WebEx, GoToMeeting, etc., which are critical for remote learning. We’ll weather this storm and the good news is that we’ll have a more security-aware group entering the workforce in the upcoming years.

October 2020 Patch Tuesday forecast

  • Microsoft continues to address record numbers of vulnerabilities each month. Expect that to continue in October. Microsoft Exchange Server received a major update last month, so I don’t expect another one. But we will see the standard updates for operating systems and Office, and extended support updates for Windows 7 and Server 2008.
  • Select service stack updates (SSUs) should appear as they usually do.
  • The last security updates for Adobe Acrobat and Reader were in August. There are no pre-announcements on their web site, but we may see an update.
  • Apple will most likely release major security updates for iTunes and iCloud later in October if they maintain their quarterly schedule.
  • Google Chrome 86 was released this Tuesday with significant security updates. Don’t expect any updates around Patch Tuesday.
  • Security updates were released on September 22 for Mozilla Firefox and Thunderbird. We could see some additional updates next week.

In summary, expect the standard set of Microsoft releases, maybe some updates from Adobe, and probably two from Mozilla. Based on this limited list of updates, it sounds like we should be in for a treat!

HP Device Manager vulnerabilities may allow full system takeover

Three vulnerabilities affecting HP Device Manager, an application for remote management of HP Thin Client devices, could be chained together to achieve unauthenticated remote command execution as SYSTEM, security researcher Nick Bloor has found.


The vulnerabilities were patched by HP nearly two weeks ago, but additional vulnerability and research details published on Monday may help attackers to craft a working exploit.

The vulnerabilities

Thin clients are low-performance computers optimized for establishing a remote connection with a server-based computing environment.

HP Device Manager allows IT admins to remotely deploy, update, and manage thousands of HP Thin Clients through a single console.

The three vulnerabilities discovered by Bloor “may allow locally managed accounts within HP Device Manager to be susceptible to dictionary attacks due to weak cipher implementation (CVE-2020-6925) and allow a malicious actor to remotely gain unauthorized access to resources (CVE-2020-6926), and/or allow a malicious actor to gain SYSTEM privileges (CVE-2020-6927).”

CVE-2020-6925 and CVE-2020-6926 affect all versions of HP Device Manager, CVE-2020-6927 (a privilege escalation vulnerability) affects HP Device Manager 5.0.0 to 5.0.3.

CVE-2020-6925 doesn’t impact customers who are using Active Directory authenticated accounts, HP pointed out, and CVE-2020-6927 doesn’t impact customers who are using an external database and have not installed the integrated Postgres service.

Fixes and mitigations

HP has provided a security update for the HP Device Manager 5.0.x branch – HPDM v5.0.4 – and will include the fixes for the 4.x branch in HP Device Manager 4.7 Service Pack 13.

Workarounds that partially mitigate these issues are also available, and include:

  • Limiting incoming access to Device Manager ports 1099 and 40002 to trusted IPs or localhost only
  • Removing the dm_postgres account from the Postgres database; or updating the dm_postgres account password within HP Device Manager Configuration Manager; or creating an inbound rule within Windows Firewall configuration to configure the PostgreSQL listening port (40006) for localhost access only.

Admins are advised to implement the offered security updates or mitigations as soon as possible.

Use an NVIDIA GPU? Check whether you need security updates

NVIDIA has released security updates for the NVIDIA GPU Display Driver and the NVIDIA Virtual GPU Manager that fix a variety of serious vulnerabilities.


The driver security update should be implemented by users of the company’s desktop, workstation and data center GPUs, while the vGPU software update is available for the Virtual GPU Manager component on Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, and Nutanix AHV enterprise virtualization solutions.

NVIDIA GPU Display Driver security updates

Four security holes have been plugged in the Display Driver:

  • CVE‑2020‑5979 affects the Control Panel component and may lead to privilege escalation
  • CVE‑2020‑5980 affects multiple components and may lead to code execution or DoS
  • CVE‑2020‑5981 affects the DirectX11 user mode driver and can, according to NVIDIA, lead to DoS
  • CVE‑2020‑5982 affects the kernel mode layer and can lead to DoS.

CVE‑2020‑5980

CVE‑2020‑5980 was unearthed by Andy Gill of Pen Test Partners and the discovery detailed in a blog post published on Thursday.

The vulnerability allows for DLL hijacking, i.e., exploitation of execution flow of an application via external DLLs.

“If a vulnerable application is configured to run at a higher privilege level, then the malicious DLL that is loaded will also be executed at a higher level, thus achieving escalation of privilege. Often the application will behave no differently because malicious DLLs may also be configured to load the legitimate DLLs they were meant to replace or where a DLL doesn’t exist,” Gill explained.

CVE‑2020‑5981

CVE‑2020‑5981 was discovered by Piotr Bania of Cisco Talos. The CVE number covers multiple vulnerabilities and, Cisco claims, they could be exploited to achieve remote code execution (and not just DoS).

“An adversary could exploit these vulnerabilities by supplying the user with a malformed shader, eventually allowing them to execute code on the victim machine. These bugs could also allow the attacker to perform a guest-to-host escape through Hyper-V RemoteFX on Windows machines,” they say.

Users are advised to check which NVIDIA display driver version is currently installed on their system(s) and update it if necessary (updates are available from here).

NVIDIA vGPU Software security updates

Vulnerabilities CVE‑2020‑5983 to CVE‑2020‑5989 are found in the vGPU plugin and could lead to DoS, information disclosure, code execution, tampering, and privilege escalation.

Users are advised to upgrade to vGPU Software versions 11.1, 10.4, or 8.5 – updates are available through the NVIDIA Licensing Portal.

CISA orders federal agencies to implement Zerologon fix by Monday

If you had any doubts about the criticality of the Zerologon vulnerability (CVE-2020-1472) affecting Windows Server, here is a confirmation: the US Cybersecurity and Infrastructure Security Agency (CISA) has issued on Friday an emergency directive instructing federal agencies to “immediately apply the Windows Server August 2020 security update to all domain controllers” – and to do so by the end of Monday (September 21).


“If affected domain controllers cannot be updated, ensure they are removed from the network,” CISA advised.

To make sure the order has been complied with, the agency asks department-level Chief Information Officers (CIOs) or equivalents to submit completion reports by Wednesday.

About the vulnerability

Security updates fixing CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC), were provided by Microsoft in August, and the researchers who discovered the bug revealed more technical information about it last week.

That release was followed by the publication of a slew of PoC exploits.

Zerologon’s severity stems from the fact that it can be leveraged by an unauthenticated attacker with network access to a domain controller to impersonate any domain-joined computer, including a domain controller.

“Among other actions, the attacker can set an empty password for the domain controller’s Active Directory computer account, causing a denial of service, and potentially allowing the attacker to gain domain administrator privileges. The compromise of Active Directory infrastructure is likely a significant and costly impact,” CERT/CC says.

The risk

“CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” the agency noted in the emergency directive.

“This determination is based on the following: the availability of the exploit code in the wild increasing likelihood of any unpatched domain controller being exploited; the widespread presence of the affected domain controllers across the federal enterprise; the high potential for a compromise of agency information systems; the grave impact of a successful compromise; and the continued presence of the vulnerability more than 30 days since the update was released.”

State and local governments should heed this call as well, not to mention organizations in the private sector.

We have yet to hear about the vulnerability being actively exploited in the wild, but it’s just a matter of time until attackers gain the ability to leverage it and start doing so.

Are your domain controllers safe from Zerologon attacks?

CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) for which Microsoft released a patch in August, has just become a huge liability for organizations that are struggling with timely patching.

Secura researchers – the very same ones who found and disclosed the flaw to Microsoft – have published additional technical details on Monday, and just a few hours later several PoC exploit/tools have been published on GitHub.


About CVE-2020-1472

CVE-2020-1472 (aka Zerologon) affects all supported Windows Server versions, but the danger is highest for servers that function as Active Directory domain controllers in enterprise networks.

The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol.

“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password,” Secura researchers explained.

“This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”

“In a hypothetical attack, one could use this vulnerability to deploy ransomware throughout an organization and maintain a persistent presence if cleanup and restoration efforts miss any additional malicious scripts,” Tenable security response manager Ryan Seguin noted.

“Organizations with network-accessible backups could end up with a perfect storm if a ransomware group destroys backups to increase their likelihood of payout from the victim organization.”

Exploitation

Many PoC exploits have been released by security researchers in the past day (1, 2, 3, 4), and the effectiveness of some of them has been confirmed.

Secura researchers published a Python script organizations can use to check whether a domain controller is vulnerable or not.

Remediation

Systems that have received the patch released in August are safe from attack, as it enforces secure NRPC for all Windows servers and clients in the domain. All Active Directory domain controllers should be updated, including read-only domain controllers.

“The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions,” Microsoft explained.

But complete remediation will happen after organizations deploy Domain Controller (DC) enforcement mode, which requires all Windows and non-Windows devices to use secure NRPC or to explicitly allow the account by adding an exception for any non-compliant device.

While organizations can deploy DC enforcement mode immediately by enabling a specific registry key, on February 9, 2021, DCs will be placed in enforcement mode automatically.

This phased rollout is due to the fact that there are many non-Windows device implementations of the Netlogon Remote Protocol, and vendors of non-compliant implementations have been given enough time to provide customers with the needed updates.

September 2020 Patch Tuesday: Microsoft fixes over 110 CVEs again

On this September 2020 Patch Tuesday:

  • Microsoft has plugged 129 security holes, including a critical RCE flaw that could be triggered by sending a specially crafted email to an affected Exchange Server installation
  • Adobe has delivered security updates for Adobe Experience Manager, AEM Forms, Framemaker and InDesign
  • Intel has released four security advisories
  • SAP has released 10 security notes and updates to six previously released notes


Microsoft’s updates

Microsoft has released patches for 129 CVEs, 23 of which are “critical”, 105 “important”, and one “medium”-risk (a security feature bypass flaw in SQL Server Reporting Services). None of them are publicly known or being actively exploited.

Trend Micro Zero Day Initiative’s Dustin Childs says that patching CVE-2020-16875, a memory corruption vulnerability in Microsoft Exchange, should be top priority for organizations using the popular mail server.

“This patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server. That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” he explained. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon.”

Another interesting patch released this month is that for CVE-2020-0951, a security feature bypass flaw in Windows Defender Application Control (WDAC). Patches are available for Windows 10 and Windows Server 2016 and above.

“This patch is interesting for reasons beyond just the bug being fixed. An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code. This behavior should be blocked by WDAC, which does make this an interesting bypass. However, what’s really interesting is that this is getting patched at all,” Childs explained.

“Vulnerabilities that require administrative access to exploit typically do not get patches. I’m curious about what makes this one different.”

Many of the critical and important flaws fixed this time affect various editions of Microsoft SharePoint (Server, Enterprise, Foundation). Some require authentication, but many do not, so if you don’t want to fall prey to exploits hidden in specially crafted web requests, pages or SharePoint application packages, see that you install the required updates soon.

Satnam Narang, staff research engineer at Tenable, pointed out that one of them – CVE-2020-1210 – is reminiscent of a similar SharePoint remote code execution flaw, CVE-2019-0604, that has been exploited in the wild by threat actors since at least April 2019.

CVE-2020-0922, an RCE in Microsoft COM (Component Object Model), should also be patched quickly on all Windows and Windows Server systems.

“As COM is the base framework of Microsoft services like ActiveX, OLE, DirectX, and Windows Shell, if left unpatched it would give a malicious player a large target to focus on when seeking out vulnerabilities in a network. Given that the exploit can be taken advantage of through a simple malicious JavaScript or website, potentially delivered through a phishing email, it is necessary to address to minimize a network’s attack surface,” noted Richard Melick, Senior Technical Product Manager, Automox.

He also advised organizations in the financial industry who use Microsoft Dynamics 365 for Finance and Operations (on-premises) and Microsoft Dynamics 365 (on-premises) to quickly patch CVE-2020-16857 and CVE-2020-16862.

“Impacting the on-premise servers with this finance and operations focused service installed, both exploits require a specifically created file to exploit the security vulnerability, allowing the attacker to gain remote code execution capability. More concerning with these vulnerabilities is that both flaws, if exploited, would allow an attacker to steal documents and data deemed critical. Due to the nature and use of Microsoft Dynamics in the financial industry, a theft like this could spell trouble for any company of any size,” he added.

Jimmy Graham, Sr. Director of Product Management, Qualys, says that Windows Codecs, GDI+, Browser, COM, and Text Service Module vulnerabilities should be prioritized for workstation-type devices.

Adobe’s updates

Adobe has released security updates for Adobe Experience Manager (AEM) – a web-based client-server system for building, managing and deploying commercial websites and related services – and the AEM Forms add-on package for all platforms, Adobe Framemaker for Windows and Adobe InDesign for macOS.

The AEM and AEM Forms updates are more important than the rest.

The former fix eight critical and important flaws, most of which allow arbitrary JavaScript execution or HTML injection in the browser. The latter plug three critical security holes that carry the same risk (i.e., that of an attacker running malicious code on a victim’s machine).

The Adobe Framemaker update fixes two critical flaws that could lead to code execution, and the Adobe InDesign update five of them, but as vulnerabilities in these two offerings are not often targeted by attackers, admins are advised to implement them after more critical updates are secured.

None of the fixed vulnerabilities are being currently exploited in the wild.

Intel’s updates

Intel took advantage of the September 2020 Patch Tuesday to release four advisories, accompanying fixes for the Intel Driver & Support Assistant, BIOS firmware for multiple Intel Platforms, and Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).

The latter fixes are the most important, as they fix a privilege escalation flaw that has been deemed to be “critical” for provisioned systems.

SAP’s updates

SAP marked the September 2020 Patch Tuesday by releasing 10 security notes and updates to six previously released ones (for SAP Solution Manager, SAP NetWeaver, SAPUI5 and SAP NetWeaver AS JAVA).

Patches have been provided for newly fixed flaws in a variety of offerings, including SAP Marketing, SAP NetWeaver, SAP Bank Analyzer, SAP S/4HANA Financial Products, SAP Business Objects Business Intelligence Platform, and others.

ATM makers fix flaws allowing illegal cash withdrawals

ATM manufacturers Diebold Nixdorf and NCR have fixed a number of software vulnerabilities that allowed attackers to execute arbitrary code with or without SYSTEM privileges, and to make illegal cash withdrawals by committing deposit forgery and issuing valid commands to dispense currency.

About the vulnerabilities

“Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30 do not encrypt, authenticate, or verify the integrity of messages between the cash and check deposit module (CCDM) and the host computer. An attacker with physical access to internal ATM components can intercept and modify messages, such as the amount and value of currency being deposited, and send modified messages to the host computer,” the CERT Coordination Center at Carnegie Mellon University explained the root of CVE-2020-9062.

A deposit forgery attack starts with the attacker depositing actual currency and modifying messages from the CCDM to the host computer to indicate a greater amount or value than was actually deposited, and ends with the attacker making a withdrawal of this artificially increased amount or value of currency (at an ATM operated by a different financial institution).

A similar vulnerability (CVE-2020-10124) with the same attack potential has been found in NCR SelfServ ATMs running APTRA XFS 04.02.01 and 05.01.00: the software does not encrypt, authenticate, or verify the integrity of messages between the bunch note accepter (BNA) and the host computer.

Two additional flaws (CVE-2020-10125 and CVE-2020-10126), stemming from the software’s poor implementation of certificates to validate BNA software updates and improper validation of the software updates for the BNA, may allow an attacker to execute arbitrary code on the host, with or without SYSTEM privileges.

NCR SelfServ ATMs running APTRA XFS 05.01.00 or older also sport two more flaws:

  • CVE-2020-9063 stems from the lack of authentication and integrity protection of the USB HID communications between the currency dispenser and the host computer
  • CVE-2020-10123 is caused by the currency dispenser’s inadequate authentication of session key generation requests from the host computer, allowing the attacker to issue valid commands to dispense currency
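The root cause shared by the deposit-forgery flaws above (CVE-2020-9062, CVE-2020-10124) and the dispenser flaw (CVE-2020-9063) is the same: the host trusts a message from a peripheral over an internal link that carries no authentication or integrity protection. The following is an added illustration, not Diebold Nixdorf, NCR or CERT/CC code, of what that looks like on the host side and what a message authentication check buys you. The message framing (DEPOSIT|sequence|amount-in-cents), the shared key and the amounts are all constructed for the example; the real CCDM and BNA protocols are not described in the advisories.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical shared secret provisioned into both the deposit module and the
# host at install time. Constructed for this example; not a real key.
SHARED_KEY = b"example-module-host-key-not-real"


def module_build_plain(seq: int, amount_cents: int) -> bytes:
    """Vulnerable module: reports a deposit with no integrity protection.
    Invented framing: DEPOSIT|<sequence>|<amount in cents>."""
    return f"DEPOSIT|{seq}|{amount_cents}".encode()


def host_parse_plain(msg: bytes) -> int:
    """Vulnerable host: trusts whatever amount arrives on the internal cable."""
    kind, _seq, amount = msg.decode().split("|")
    if kind != "DEPOSIT":
        raise ValueError("unexpected message type")
    return int(amount)


def attacker_rewrite_amount(msg: bytes, new_amount_cents: int) -> bytes:
    """Man-in-the-middle with access to the internal cabling: keeps the
    framing, swaps the amount field, forwards everything else untouched."""
    parts = msg.decode().split("|")
    parts[2] = str(new_amount_cents)
    return "|".join(parts).encode()


def module_build_authenticated(key: bytes, seq: int, amount_cents: int) -> bytes:
    """Hardened module: append an HMAC-SHA256 tag over the body. The sequence
    number is covered by the tag, so a captured message cannot be replayed
    to credit the same deposit twice."""
    body = f"DEPOSIT|{seq}|{amount_cents}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


@dataclass
class HostState:
    """Per-link state the host keeps across messages."""
    last_seq: int = 0


def host_verify(key: bytes, msg: bytes, state: HostState) -> int:
    """Hardened host: check the tag in constant time, enforce a strictly
    increasing sequence number, and only then trust the amount.
    Returns the accepted amount in cents; raises ValueError otherwise."""
    body, _, tag = msg.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: message altered or forged")
    kind, seq_text, amount_text = body.decode().split("|")
    if kind != "DEPOSIT":
        raise ValueError("unexpected message type")
    seq = int(seq_text)
    if seq <= state.last_seq:
        raise ValueError("replayed or out-of-order message")
    state.last_seq = seq
    return int(amount_text)


def host_accepts(key: bytes, msg: bytes, state: HostState) -> bool:
    """Convenience wrapper: True if the hardened host credits the message."""
    try:
        host_verify(key, msg, state)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Deposit forgery against the unauthenticated link: $20.00 goes in,
    # the host is told $2,000.00.
    legit = module_build_plain(1, 2000)
    forged = attacker_rewrite_amount(legit, 200000)
    print("vulnerable host credits:", host_parse_plain(forged), "cents")

    # The same rewrite against the authenticated link is rejected, and so
    # is a replay of the genuine message.
    state = HostState()
    auth = module_build_authenticated(SHARED_KEY, 1, 2000)
    print("genuine accepted:", host_accepts(SHARED_KEY, auth, state))
    print("tampered accepted:", host_accepts(SHARED_KEY, attacker_rewrite_amount(auth, 200000), state))
    print("replay accepted:", host_accepts(SHARED_KEY, auth, state))
```

The tag is checked before anything in the body is parsed or acted on, and the sequence counter only advances on a valid message, so a forged frame cannot desynchronise the host. A MAC alone does not address the other half of the advisory text (the messages are also sent in the clear), but integrity and replay protection are what stop the deposit from being inflated or credited twice.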

Attack prevention

To exploit all of these flaws, attackers must have physical access to internal ATM components, but if they succeed, they can fiddle with the host system and steal money from banks.

Affected organizations are advised to peruse the security advisories and to implement the offered firmware and software updates, as well as make specific configuration changes.

Diebold also advised them to limit physical access to the ATM and its internal components, adjust deposit transaction business logic, and implement fraud monitoring.

Intel, SAP, and Citrix release critical security updates

August 2020 Patch Tuesday was expectedly observed by Microsoft and Adobe, but many other software firms decided to push out security updates as well. Apple released iCloud for Windows updates and Google pushed out fixes to Chrome. They were followed by Intel, SAP and Citrix. Intel’s updates It’s not unusual for Intel to take advantage of a Patch Tuesday. This time they released 18 advisories. Among the fixed flaws are: DoS, Information Disclosure and EoP … More

The post Intel, SAP, and Citrix release critical security updates appeared first on Help Net Security.

Cisco fixes critical flaws in data center and SD-WAN solutions

Cisco has released another batch of critical security updates for flaws in Cisco Data Center Network Manager (DCNM) and the Cisco SD-WAN Solution software.

Cisco Data Center Network Manager flaws

Cisco Data Center Network Manager is the network management platform for all NX-OS-enabled deployments, spanning new fabric architectures, IP Fabric for Media, and storage networking deployments for the Cisco Nexus-powered data center.

These latest updates fix:

  • One critical authentication bypass vulnerability (CVE-2020-3382) in the solution’s REST API that could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device
  • Five high-risk flaws that could allow an authenticated, remote attacker to inject arbitrary commands on the affected device, write arbitrary files in the system with the privileges of the logged-in user, perform arbitrary actions through the REST API with administrative privileges, and interact with and use certain functions within the Cisco DCNM
  • Three medium-risk bugs (XSS, SQL injection, information disclosure)

The vulnerabilities affect various versions of the Cisco Data Center Network Manager software, and in some cases their exploitability depends on how the Cisco DCNM appliances were installed. The fixes are all included in the latest Cisco DCNM software releases: 11.4(1) and later.

The flaws were either reported by security researchers or found by Cisco during internal security testing, and there is no indication that any of them are actively exploited.

The Cisco SD-WAN Solution software flaws

Cisco SD-WAN gives users the ability to manage connectivity across their WAN from a single dashboard: the Cisco vManage console.

The company has found:

  • A critical buffer overflow vulnerability (CVE-2020-3375) affecting Cisco SD-WAN Solution software that could be exploited by sending crafted traffic to an affected device and could allow the attacker to gain access to information that they are not authorized to access, make changes to the system that they are not authorized to make, and execute commands on an affected system with privileges of the root user
  • A critical vulnerability (CVE-2020-3374) in the web-based management interface of Cisco SD-WAN vManage Software that could be exploited by sending crafted HTTP requests to it and could allow the attacker to access sensitive information, modify the system configuration, or impact the availability of the affected system.

Again, there is no indication that these flaws are being exploited, but Cisco urges admins to implement the security updates as soon as possible, as there are no workarounds for addressing these flaws.

Security advisories for all of the fixed flaws can be found here.

62,000 QNAP NAS devices infected with persistent QSnatch malware

There are approximately 62,000 malware-infested QNAP NAS (Network Attached Storage) devices located across the globe spilling all the secrets they contain to unknown cyber actors, the US CISA and the UK NCSC have warned.

Dubbed QSnatch, the sophisticated malware targets QTS, the Linux-based OS powering QNAP’s NAS devices, and is able to log passwords, scrape credentials, set up an SSH backdoor and a webshell, exfiltrate files and, most importantly, assure its persistence by preventing users from installing updates that may remove it and by preventing the QNAP Malware Remover app from running.

QSnatch and its reach

Various versions of the malware have been around for many years now. The two agencies have identified two campaigns aimed at spreading it, the last one dating back to late 2019.

Interestingly enough, they still don’t know how the malware is delivered, but it “appears to be injected into the device firmware during the infection stage, with the malicious code subsequently run within the device, compromising it.” It’s likely that the attackers were exploiting a remotely exploitable vulnerability in the firmware, which has since been patched.

“QSnatch collects confidential information from infected devices, such as login credentials and system configuration. Due to these data breach concerns, QNAP devices that had been infected may still be vulnerable to reinfection after removing the malware,” QNAP explained after delivering security updates in November 2019.

In mid-June, the number of infected devices worldwide was 62,000, with approximately 7,600 in the US and 3,900 in the UK.

What to do if your QNAP NAS has been infected?

The agencies say that the infrastructure used by the malicious cyber actors in both campaigns is not currently active, but unpatched devices are likely to be compromised.

“The malware appears to gain persistence by preventing updates from installing on the infected QNAP device. The attacker modifies the system hosts file, redirecting core domain names used by the NAS to local out-of-date versions so updates can never be installed,” they noted.
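The persistence trick described in that quote leaves a footprint that is easy to check for: vendor update hostnames that have been given static entries pointing at loopback or a LAN address. The following is an added example, not QNAP, CISA or NCSC code, that scans a hosts file for that pattern. The sample hosts content is constructed, and the watch list of vendor domains is an assumption; the joint advisory does not name the exact hostnames QSnatch redirects, so the list should be extended to whatever the appliance actually contacts for firmware and app updates.

```python
import ipaddress
import sys
from typing import Iterable, List, Tuple

# Hypothetical watch list: qnap.com is QNAP's domain, but which hostnames
# under it a given QTS release uses is not stated in the advisory.
WATCHED_SUFFIXES = ("qnap.com",)

# Constructed sample hosts file: two normal lines, then two entries of the
# kind the advisory describes (vendor hostnames pinned so they never reach
# the vendor), and one unrelated internal entry.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost
# added by "update helper"
127.0.0.1    update.example.qnap.com
192.168.1.10 apps.example.qnap.com   # stale mirror on the LAN
10.0.0.5     nas.internal.example
"""


def _is_local(address: str) -> bool:
    """True for loopback, private (RFC 1918 / ULA) and unspecified addresses."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_unspecified


def _matches(host: str, suffixes: Iterable[str]) -> bool:
    """True if host is one of the watched domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_vendor_entries(hosts_text: str,
                        suffixes: Iterable[str] = WATCHED_SUFFIXES
                        ) -> List[Tuple[str, str, bool]]:
    """Return (address, hostname, pinned_locally) for every static entry that
    names a watched vendor domain. A vendor update host has no business in
    /etc/hosts at all, so any hit deserves a look; an entry that points at a
    loopback or LAN address is exactly the trick that keeps an infected
    device from ever fetching a real update."""
    hits: List[Tuple[str, str, bool]] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            if _matches(name, suffixes):
                hits.append((address, name.lower(), _is_local(address)))
    return hits


if __name__ == "__main__":
    # Pass a path (e.g. a copy of /etc/hosts taken off the NAS); otherwise
    # the constructed sample is scanned.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for address, host, local in find_vendor_entries(text):
        kind = "pinned to local address" if local else "static override"
        print(f"suspicious: {host} -> {address} ({kind})")
```

Run it against a hosts file copied off the device rather than on the device itself if you suspect compromise; the advisory notes that the malware also blocks the QNAP Malware Remover, so tooling run on a live infected box should not be assumed to see an honest filesystem.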

Since it hasn’t been confirmed that a successful update removes the malware, the general advice is to run a full factory reset on the device before completing the firmware upgrade, then check whether the updates have been applied. This will “destroy” the malware, but also all the data stored on the device.

QNAP has provided additional security recommendations and detailed instructions for preventing QSnatch infections.

The agencies additionally advise organizations to block external connections when the device is intended to be used strictly for internal storage.

Adobe out-of-band security updates for Photoshop, Prelude, Bridge

A week after July 2020 Patch Tuesday, Adobe has released out-of-band security updates to fix thirteen vulnerabilities – twelve of which critical – in Adobe Photoshop, Bridge, Prelude, and Reader Mobile.

The good news is that none of these vulnerabilities are currently being exploited in the wild, and that most of them are in products that have historically not been a target for attackers.

Out-of-band updates

Adobe considers the update for the mobile versions of Reader for Android to be the one users and admins should implement soon, even though it fixes “just” a single information disclosure flaw.

The Adobe Photoshop updates deliver fixes for Photoshop CC 2019 and Photoshop 2020 on Windows and macOS, which resolve five critical out-of-bounds read/write issues that could lead to arbitrary code execution.

The Adobe Prelude update (for Windows and macOS) fixes four out-of-bounds read/write flaws that may allow arbitrary code execution, and the Adobe Bridge update (for Windows and macOS) fixes three.

Aside from the Mobile Reader update, the others are not that pressing – although they are important for individuals and organizations that work on photo and video production: Photoshop is widely used for editing images and producing digital art, Adobe Prelude is a logging tool for tagging media with metadata for searching, post-production workflows, and footage lifecycle management, and Adobe Bridge is a digital asset management app.

All of the out-of-bounds read/write vulnerabilities fixed in this round of security updates were flagged by Mat Powell of Trend Micro Zero Day Initiative and, according to ZDI’s Dustin Childs, they can be triggered if the target opens a specially crafted file (MOV, MP4, 3GP) or visits a malicious website.

Last week, Adobe fixed a wide variety of flaws in Adobe ColdFusion, Adobe Genuine Service, Adobe Download Manager, Adobe Media Encoder and Adobe Creative Cloud Desktop Application.

Cisco patches critical flaws in VPN routers and firewalls

Cisco has fixed 33 CVE-numbered flaws in a variety of its devices, including five critical ones affecting RV-series VPN routers and firewalls and Cisco Prime License Manager, which is used by enterprises to manage user-based licensing.

About the vulnerabilities

With the recent onslaught of critical vulnerabilities affecting networking and security devices, it’s been a tough month for enterprise admins.

The pressure continues with this latest batch of Cisco security updates – the only good news is that none of the patched security holes is being exploited in the wild.

Cisco Small Business RV110W Wireless-N VPN Firewalls with firmware releases prior to v1.2.2.8 can be taken over by attackers via a system account that has a default and static password (CVE-2020-3330).

Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers are plagued by a vulnerable web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device (CVE-2020-3323). The same interface on those same devices also sports an authentication bypass flaw that could be triggered via a crafted HTTP request sent to the affected device and could allow the attacker to gain administrative access on the affected device (CVE-2020-3144).

The RV110W Wireless-N VPN Firewalls and RV215W Wireless-N VPN Routers also have a hole that could be exploited by sending crafted requests to a targeted device and could allow the attacker to execute arbitrary code with the privileges of the root user (CVE-2020-3331).

Finally, the flaw affecting Cisco Prime License Manager is “just” a privilege escalation vulnerability, but it’s still deemed to be critical (CVE-2020-3140). Admins in charge of keeping Cisco Unified Communications Manager (Unified CM) Software, Cisco Unified CM Session Management Edition (SME) Software, and Cisco Unity Connection Software up-to-date should also see whether they need to implement this update, since Cisco PLM can be installed as part of that software.

Other, less critical vulnerabilities that have been fixed are found in a variety of Cisco SD-WAN solutions, Cisco WebEx, Cisco Vision Dynamic Signage Director, Cisco Data Center Network Manager, Cisco Meetings App, and Cisco Content Security Management Appliance.

All the relevant security advisories can be found here.

Critical flaw gives attackers control of vulnerable SAP business applications

SAP has issued patches to fix a critical vulnerability (CVE-2020-6287) that can lead to total compromise of vulnerable SAP installations by a remote, unauthenticated attacker.

The flaw affects a variety of SAP business solutions, including SAP Enterprise Resource Planning (ERP), SAP Supply Chain Management (SCM), SAP HR Portal, and others.

About the vulnerability (CVE-2020-6287)

Discovered and reported by Onapsis researchers and dubbed RECON, CVE-2020-6287 is due to the lack of authentication in a web component (LM Configuration Wizard) of the SAP NetWeaver AS for Java versions 7.30 to 7.50. The vulnerability can be exploited through an HTTP interface – typically exposed to end users and often to the internet.

“If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications. The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability,” the US Cybersecurity and Infrastructure Security Agency (CISA) explained.

Onapsis is set to release a report with more information about the flaw, but the CVSS base score it received (10.0) defines it as being easily remotely exploitable without prior authentication and without user interaction.

Patch quickly

The vulnerable component is used in many of SAP’s solutions: SAP S/4HANA, SAP Enterprise Resource Planning (ERP), SAP Product Lifecycle Management (PLM), SAP Customer Relationship Management (CRM), SAP Supply Chain Management (SCM), SAP Enterprise Portal, SAP Solution Manager, and many others.

“Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations immediately apply patches. CISA recommends organizations prioritize patching internet-facing systems, and then internal systems,” the agency noted.

“Organizations that are unable to immediately patch should mitigate the vulnerability by disabling the LM Configuration Wizard service (see SAP Security Note #2939665). Should these options be unavailable or if the actions will take more than 24 hours to complete, CISA strongly recommends closely monitoring your SAP NetWeaver AS for anomalous activity.”

Onapsis researchers say that a scan they performed showed 2,500 vulnerable SAP systems exposed to the internet.

Attackers are probing Citrix controllers and gateways through recently patched flaws

Earlier this week, Citrix released security updates for Citrix Application Delivery Controller (ADC), Citrix Gateway, and the Citrix SD-WAN WANOP appliance, and urged admins to apply them as soon as possible to reduce risk.

At the time, there was no public attack code and no indication that any of the fixed flaws were getting actively exploited.

On Thursday, though, SANS ISC’s Dr. Johannes Ullrich spotted attackers attempting to exploit two of the Citrix vulnerabilities on his F5 BigIP honeypot (set up to flag CVE-2020-5902 exploitation attempts).

About the vulnerabilities

The fixed flaws are 11 in total, ranging from information disclosure and DoS bugs to elevation of privilege, XSS and code injection flaws.

The security advisory Citrix published noted them and laid out the pre-conditions needed for their exploitation, but does not contain too many details.

“We are limiting the public disclosure of many of the technical details of the vulnerabilities and the patches to further protect our customers. Across the industry, today’s sophisticated malicious actors are using the details and patches to reverse engineer exploits. As such, we are taking steps to advise and help our customers but also do what we can to shield intelligence from malicious actors,” Citrix CISO Fermin Serna explained, and made sure to note that the patches provided fully resolve all issues.

He also pointed out that the 11 vulnerabilities amount to six possible attack routes, five of which have barriers to exploitation.

Finally, he added that the vulnerabilities have no link to CVE-2019-19781, the remote code execution flaw that’s been heavily exploited by attackers since late December/early January.

About the recent exploitation attempts

Dr. Ullrich said that they are seeing some scans that are looking for systems that haven’t been patched yet.

“One interesting issue is that most of the scans originate from a single ISP so far, suggesting that this may be just one group at this point trying to enumerate vulnerable systems,” he told Help Net Security.

“Vulnerable systems leak information about the system if hit with these exploits. So these are not as dangerous as the code execution issues we saw with Citrix over new year, or the F5 issues. But enumerating systems, and using the leaked information may lead to additional more targeted follow on attacks later.”

One of the exploited vulnerabilities allows arbitrary file downloads, the other allows retrieval of a PCI-DSS report without authentication.

“Some of the other vulnerabilities patched with this update are ‘interesting’, but more tricky to exploit,” he added.