NSA list: what you need to know about the top vulnerabilities currently targeted by Chinese hackers Part 2
No 11. Windows NTLM Tampering Vulnerability
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2019-1040 | A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker can successfully bypass the NTLM MIC (Message Integrity Check) protection | 5.9 | 38.46 | 2020-06-24 |
Not one we have covered in our Farsight blogs before, this vulnerability was first reported back in June 2019. Looking at the Farsight risk score it received, the 38.46 likelihood score back in September 2019. And according to our data, the vulnerability has waned in interest since June of this year. As always though we recommend organizations patch this one, details can be found here.
No 12. Exim Mail listener
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2018-6789 | A buffer overflow in the base64d function could result in remote code execution | 9.8 | 38.46 | 2020-07-07 |
Another new one for the blog, this 2018 vulnerability continues to be a target for exploitation. With Farsight continuing to see interest through the early part of the summer of 2020. For the majority of its existence this vulnerability has trended at a likelihood of exploitation of 8.16 until May of this year (2020) when it jumped to 38.46 most likely in response to more targeted efforts to exploit.
No 13. Microsoft Exchange memory corruption
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-0688 | A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory | 8.8 | 38.46 | 2020-10-16 |
Announced back in February, this vulnerability has been rated as a 38.46 likelihood twice, the first time in April when we saw a surge of interest around the vulnerability and then again in July 2020 where it has since remained. This vulnerability is an example of how the risk scores can fluctuate over a period of time though it provides a customer with a good early warning indicator of future risk potential. Information on remediation and patch can be found here.
No 14. Coldfusion arbitrary code execution
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2018-4939 | Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution | 9.8 | 38.46 | 2020-07-03 |
Another new (to the blog) and our 2nd 2018 vulnerability of the list. This one again highlights that age is not a barrier to interest for threat actors wishing to exploit and compromise organizations. This one scores lower on the Farsight likelihood rating (5.0) until May 2020 when it gained its 38.46 likelihood score again no doubt in relation to exploitation in the wild and increased threat actor interest. For patch information see this link.
No 15. Oracle Weblogic server code execution
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2015-4852 | Allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001 | 7.5 (v2) | 38.46 | 2019-10-31 |
A five year old vulnerability that people have probably long but forgotten about. With no CVSSv3 rating it may be slipping through your remediation cracks especially if you have switched to only focusing on CVSSv3 as your guide. This vulnerability predates the Farsight machine learning model (from Cyr3con) however from its first assessment the vulnerability had been trending around a 9.14 likelihood of exploitation up until May 2020 when it received its current 38.46 likelihood rating. For more information on this one, see this entry on the Oracle website.
No 16. Oracle Coherence vulnerability
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-2555 | Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence | 9.8 | 38.46 | 2020-05-16 |
First announced on 15th January 2020, Farsight initially rated this as 1, or no more or less likely to be exploited than the average vulnerability. It wasn’t until April when the vulnerability jumped to 36.49 and received its 38.46 rating in July 2020. Information on the remediation and patching for this one can be found link.
No 17. Widget Connector Macro path traversal vulnerability
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2019-3396 | Vulnerability allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection | 9.8 | 38.46 | 2020-08-31 |
Announced back in April 2019, the initial Farsight rating for this vulnerability 38.46 and it hasn’t changed since, indicating that this has always been perceived as a high risk for our customers. Information on the vulnerability and remediation effort can be found here.
No 18. Atlassian Crowd Data Center vulnerability
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2019-11580 | A remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center | 9.8 | 3.39 | 2020-06-24 |
This one was announced in March 2019, initially with a Farsight rating of 2 and hasn’t really changed much since. It’s interesting that NSA sees this as a target for Chinese threat actors despite what we see in our own analysis. You can find information on the vulnerability here.
No 19. Zoho ManageEngine RCE
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-10189 | Zoho ManageEngine Desktop Central 10 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class | 9.8 | 3.39 | 2020-09-18 |
This vulnerability was announced back in March 2020 with a Farsight rating of 1.66 where it remained until May 2020 where it received its 38.46 rating. For information on vulnerability and remediation information see this here
No 20 -25 The final six
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function | 9.8 | 3.39 | 2020-08-21 |
| CVE-2020-0601 | Curveball | 8.1 | 38.46 | 2020-06-24 |
| CVE-2019-0803 | Elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory | 7.8 | 38.46 | 2020-06-23 |
| CVE-2017-6327 | Potential remote code execution exists in The Symantec Messaging Gateway before 10.6.3-267 | 8.8 | 38.46 | 2020-07-03 |
| CVE-2020-3118 | A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code | 8.8 | 9.65 | 2020-02-06 |
| CVE-2020-8515 | DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root without authentication | 9.8 | 38.46 | 2020-04-23 |
The standout vulnerability on this closing list is obviously Curveball (CVE-2020-0601) which garnered a lot of media coverage and interest back in January (2020). From a Farsight perspective, on the 16th January it received a 14.11 rating, rising to 26.87 by the 28th January before settling at 25.75 between February and May before receiving its 28.5 rating.
The other interesting one, CVE-2020-3118 stands out due to its lower likelihood rating (9.65) having only recently (21st October) received that rating. This one is one to watch in the coming weeks to see if threat actors continue to exploit this vulnerability or the NSA coverage meaning it will dwindle in excitement.
Wrap up
That’s the last 15 covered. As you can see in all but two cases, the likelihood is trending at the maximum risk rating (38.46) and in many cases has been sat at that value for a significant amount of the vulnerability’s lifespan to date.
Farsight’s predictive exploit technology utilises a number of factors in the machine learning model to determine the likelihood of exploitation, providing our customers with an ability to track vulnerabilities based on real world threat intelligence.
With Outscan’s ability to determine an assets exposure and for organizations to rate an assets business impact, customers can leverage risk based vulnerability insights to address the top 10% of riskiest vulnerabilities based on the infrastructure that is first and foremost critical to their organization, putting themselves at times, ahead of the threat with the ability to remediate potentially harmful vulnerabilities in a shorter timeframe.
