Fix now: High risk vulnerabilities at large, April 2020

22.Apr.2020
Simon Roe, Product Manager Outpost24
With much of the world in lockdown, and many of us on enforced work from home measures due to COVID-19, keeping on top of the latest vulnerabilities may have fallen off your radar. But as the pandemic has unleashed a wave of cyber attacks to exploit remote workers and scam anxious customers, strengthening your cyber hygiene should be a priority.
Fix-now-high-risk-vulnerabilities-at-large

With much of the world in lockdown, and many of us on enforced work from home measures due to COVID-19, keeping on top of the latest vulnerabilities may have fallen off your radar. But as the pandemic has unleashed a wave of cyber attacks to exploit remote workers and scam anxious customers, strengthening your cyber hygiene should be a priority. More importantly, knowing which critical vulnerabilities and when to remediate is key to optimize efficiency when resources are tight. And we aim to do just that, by tapping into the power of our risk based vulnerability management tool Farsight, and providing insights into new and trending critical vulnerabilities that you should find and fix as we all try to weather the storm.

 

Risk based vulnerability management – A reminder

Farsight is Outpost24’s predictive vulnerability prioritization technology combining machine learning threat intelligence and vulnerability assessment for a complete view of risk, designed to provide our customers with an advanced warning of vulnerabilities that are likely to be exploited in the coming months. Many of our customers are already taking advantage of the predictive insights to move ahead of the threat and improve the efficiency of their vulnerability management programs.

Farsight rates vulnerabilities against the likelihood of exploitation – with a risk score between 1.0 and 38.5, the higher the risk score means the more likely a vulnerability, than the average (1.0) of being exploited in the wild.

 

Vulnerabilities (CVEs) to find and fix

Let’s take a look at the some of the new and trending vulnerabilities in April.

 

  • CVE-2020-0796 Microsoft SMBGhost – SMBv3 Remote Code Execution
    CVSSv3: 10.0; Farsight Likelihood: 38.5; Exploit: PoC; Patch: YES

    A potentially nasty one to start with. Affecting service message block 3.1.1 (Smbv3) unauthenticated attackers could send specially crafted packets to compromise the SMB server, and once compromised could use that to compromise SMB clients. First seen in March this year, this vulnerability has held the highest risk rating since it was announced.

    Since the patch was released, other PoC exploits in the form of a malicious PowerPoint mouse-over attack, links to this vulnerability have also become available. More of a reason to patch!

 

  • CVE-2019-1040 Microsoft Windows Tampering Vulnerability
    CVSSv3: 5.9; Farsight Likelihood: 38.49; Exploit: Exploited in the wild; Patch: YES, June 2019;

    A tampering vulnerability exists when the Microsoft Exchange Server fails to properly handle profile data. An attacker who successfully exploits this vulnerability could modify a targeted user's profile data. An older vulnerability, that at the time, had an organisation been focusing on CVSS based remediation (and not, of course just applying regular Microsoft monthly patch rollups) would have likely pushed this lower down the must do pile – after all its CVSS score ranked it as medium. Over the last few months, since the Covid-19 global lockdowns we have seen renewed interest in this vulnerability making it worthwhile to highlight this week.

 

  • CVE-2019-11510 Pulse Secure Authentication Bypass Vulnerability
    CVSSv3: 10.00; Farsight Likelihood: 38.46; Exploit: PoC; Patch: YES

    With many of us working from home, there is a possibility your organization uses the Pulse Secure VPN client. This vulnerability allows an attacker to send a specially crafted URI that, if used, results in an arbitrary file read vulnerability. First seen in Farsight in August 2019, this vulnerability has affected the following versions before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4. If you are using Pulse secure, you can easily check the version through the client using the Help – About option. An important one to fix to secure your remote workforce right now.

 

  • CVE-2019-19781 Citrix ADC Arbitrary Code Execution
    CVSSv3: 9.8; Farsight Likelihood:29.15; Exploit: PoC; Patch: YES

    This vulnerability affects Citrix Netscaler Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway and, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. First seen back in December 2019, the vulnerability affects over 25,000 endpoints and is trending as 29 times more likely to be exploited than the average in the coming months. Another fix ASAP candidate.

 

  • CVE-2020-0674 Internet Explorer Memory Remote Code Execution
    CVSSv3: 9.8; Farsight Likelihood:14.23; Exploit: No; Patch: Yes

    Currently with no exploit (Proof of concept or otherwise) available, and a lower Farsight likelihood – Although one could argue 14 times more likely to be exploited than the average vulnerability is still a higher risk – you may wonder why this is included. Again, as many of us are working from home we need to ensure we are still pushing patches down to remote windows machines – for those who are working on windows laptops provided by our companies – or for those who are allowing home workers to use their own devices – a request to update windows to the latest patch would not be remiss.

    The original patch was included in the various monthly rollups and security updates released in February by Microsoft.

 

  • CVE-2020-7982 OpenWRT Remote Code Execution
    CVSSv3: 5.9; Farsight Likelihood: 38.46; Exploit: Not currently; Patch: YES, Jan 2020;

    This vulnerability affects OpenWRT, a popular open source operating system that is run on several popular home routers including Asus, D-Link, Linksys, MikroTik, Netgear, TP-Link routers amongst others. This vulnerability could lead to a man in the middle attack, injecting arbitrary payloads that are installed without verification.

 

  • Netgear Router CVEs

    Following on the theme of the OpenWRT vulnerability, there has been a noticeable increase in attention for vulnerabilities affecting home router solutions and specifically Netgear routers, and as such, it’s worth reminding staff to ensure their home broadband routers are running the latest versions of manufacturers software. Here is a short list of the currently trending ones from Farsight.

 

CVE Product CVSSv3 Farsight Likehood*
CVE-2019-20761 NETGEAR R7800 8.0 37.79
CVE-2019-20757 NETGEAR R7800 6.8 36.09
CVE-2019-20649 NETGEAR MR1100 7.5 31.72
CVE-2019-20639 Certain NETGEAR devices 4.8 36.96
CVE-2019-20646 NETGEAR RAX40 9.8 31.45
CVE-2016-20647 NETGEAR RAX40 5.7 30.50

*all Outpost24 Farsight ratings are accurate at time of publication

These are just a small sample of the 10 or so. All of which are addressed by the latest versions of the Netgear firmware which can be obtained here.

 

Wrap up

As we go forwards we will track vulnerabilities that have a high likelihood of exploit available or are making the rounds in the press, providing you with insights both into how Farsight works and what vulnerabilities we think you should be focusing on. Make sure you bookmark our blog or sign up for our monthly newsletter for the next blog.

 

SUBSCRIBE TO OUR EMAIL

Looking for anything in particular?

Type your search word here