Fix now: High risk vulnerabilities at large, October 13th

SAP NetWeaver AS JAVA
CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
---|---|---|---|---|
CVE-2020-6287 | Lack of authentication | 10.00 | 38.46 | 2020-09-22 |
CVE-2020-6287 was announced on 13th July; proof of concept code was released on 16th July, and successful exploitation in the wild followed. The vulnerability allowed remote threat actors to carry out critical actions, including but not limited to the creation of administrator accounts, because the affected SAP NetWeaver AS Java component performed no authentication at all, essentially handing the threat actor the keys to the kingdom. A patch is available, and more information on this vulnerability can be found here (note: an account is required to view the details).
BIG-IP traffic management RCE
CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
---|---|---|---|---|
CVE-2020-5902 | Remote code execution in the TMUI | 9.8 | 38.46 | 2020-10-11 |
This vulnerability affects a number of versions of the BIG-IP Traffic Management User Interface (the Configuration utility), including versions 15, 14, 13 and 12 (for more details see the F5 notification and remediation information), and allows remote code execution through undisclosed pages.
This vulnerability was of significant interest to threat actors, with active scans for the weakness taking place as early as July 6th, 6 days after the initial disclosure by F5. Since then several successful exploitations have taken place across the globe, and the vulnerability continues to be of interest to threat actors, with activity seen as recently as 11th October (at the time of writing).
For patch and detection information we suggest you head to the F5 page covering this, here, and if you haven’t done so already, take steps to remediate as soon as possible.
MySQL vulnerabilities
CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
---|---|---|---|---|
CVE-2020-14553 | Easily exploitable vulnerability – Pluggable Auth | 4.3 | 38.46 | 2020-10-11 |
CVE-2020-14597 | Privilege exploitation. Server: Optimizer component | 4.9 | 38.46 | 2020-10-11 |
CVE-2020-14614 | DoS of database. Server: Optimizer component | 4.9 | 38.46 | 2020-10-11 |
CVE-2020-14539 | Complete DoS of MySQL. Server: Optimizer component | 6.5 | 38.46 | 2020-10-11 |
CVE-2020-14575 | Complete DoS of MySQL. Server: Optimizer component | 4.6 | 38.46 | 2020-10-11 |
CVE-2020-14559 | Access to unauthorized datasets. Server: Information Schema component | 4.3 | 38.46 | 2020-10-11 |
A number of MySQL vulnerabilities were disclosed on July 15th. All of those listed here were rated medium CVSS risk and, as such, were undoubtedly ‘overlooked’ by organizations focusing on the high- and critical-rated CVSS vulnerabilities released at a similar time.
Since July, both proof of concept exploits and successful real-world compromises have been seen for each of these vulnerabilities, which has pushed them to the highest likelihood rating (38.46) in Farsight, and they all continue to be of great interest to threat actors globally.
As always, we strongly recommend organizations remediate these vulnerabilities, despite their lower (medium rated) CVSS scores. Information on patches can be found at this link.
Wrap up
This time around, the MySQL vulnerabilities caught our attention because of their low CVSS scores compared to their high likelihood risk rating. This is something we see often when working with our customers, and it demonstrates how a risk-based approach to vulnerability management changes priorities as organizations focus on where there is a real risk of compromise.
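To make the difference between the two approaches concrete, here is an added example (not code from the original post or from any vendor) that orders the CVEs in this article first by CVSS alone and then by likelihood of exploitation. The CVE ids, CVSS scores and Farsight ratings are copied from the tables above; the CSV layout, the product column, the tiering policy, the use of 38.46 as the "actively exploited" threshold and the placeholder finding in the last row are assumptions made here for illustration.

```python
"""Risk-based ordering of the vulnerabilities listed in this article.

Added example; not code from the original post or from any vendor.  The
CVE ids, CVSS scores and Farsight ratings below are copied from the
article's tables.  The CSV layout, the 'product' column, the tiering
policy and the TOP_LIKELIHOOD threshold are assumptions for illustration.
"""
import csv
import io

# Highest likelihood rating the article reports (38.46).  Treating that
# value as the 'actively exploited' threshold is an assumption.
TOP_LIKELIHOOD = 38.46

# Constructed scanner export.  The last row is a placeholder finding with a
# high CVSS score but a low likelihood rating, added so the two orderings
# visibly diverge; it is not a real CVE.
SCAN_EXPORT = """\
cve,product,cvss,likelihood
CVE-2020-6287,SAP NetWeaver AS JAVA,10.0,38.46
CVE-2020-5902,F5 BIG-IP TMUI,9.8,38.46
CVE-2020-14553,MySQL,4.3,38.46
CVE-2020-14597,MySQL,4.9,38.46
CVE-2020-14614,MySQL,4.9,38.46
CVE-2020-14539,MySQL,6.5,38.46
CVE-2020-14575,MySQL,4.6,38.46
CVE-2020-14559,MySQL,4.3,38.46
CVE-PLACEHOLDER-1,constructed example,9.1,2.0
"""


def parse_export(text):
    """Parse the CSV export into dicts with numeric cvss/likelihood."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "cve": row["cve"],
            "product": row["product"],
            "cvss": float(row["cvss"]),
            "likelihood": float(row["likelihood"]),
        })
    return rows


def cvss_only_order(vulns):
    """The ordering a CVSS-driven programme produces: severity only."""
    return [v["cve"] for v in sorted(vulns, key=lambda v: -v["cvss"])]


def risk_based_order(vulns):
    """Likelihood of exploitation first, CVSS only as a tie-breaker."""
    return [v["cve"] for v in
            sorted(vulns, key=lambda v: (-v["likelihood"], -v["cvss"]))]


def tier(vuln):
    """Assumed policy: anything at the top likelihood rating is 'fix now'
    regardless of CVSS; everything else falls back to CVSS bands."""
    if vuln["likelihood"] >= TOP_LIKELIHOOD:
        return "fix now"
    if vuln["cvss"] >= 7.0:
        return "high"
    if vuln["cvss"] >= 4.0:
        return "medium"
    return "low"


def prioritise(text):
    """Return both orderings and a per-CVE tier for a scan export."""
    vulns = parse_export(text)
    return {
        "cvss_only": cvss_only_order(vulns),
        "risk_based": risk_based_order(vulns),
        "tiers": {v["cve"]: tier(v) for v in vulns},
    }


if __name__ == "__main__":
    result = prioritise(SCAN_EXPORT)
    print("CVSS-only order: ", result["cvss_only"])
    print("Risk-based order:", result["risk_based"])
    for cve, t in result["tiers"].items():
        print(f"{cve:20} {t}")
```

Under the CVSS-only ordering the medium-rated MySQL CVEs sit at the bottom of the list, behind the constructed high-CVSS finding that nobody is exploiting; under the risk-based ordering every CVE at the top likelihood rating lands in the "fix now" tier and the unexploited finding drops to last place, which is the shift in priorities the paragraph above describes.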
As pointed out in our previous Fix now: High risk vulnerabilities at large blog article, we continue to see older vulnerabilities, from as early as 2014, making an interesting comeback. This demonstrates that organizations are still not remediating vulnerabilities that pose real and current threats to their businesses despite, no doubt, having a vulnerability management program in place.
And once again it’s not just server software that is targeted: we continue to see infrastructure components being compromised by threat actors to gain a foothold in organizations’ networks.
We hope you’ve enjoyed this week’s entry. Let’s see what scares Halloween might bring us.