Fix now: High risk vulnerabilities at large, July 2020

D-Link Router Vulns
The vulnerabilities mentioned by Palo Alto and covered in SC Magazine are listed below:

| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-13782 | D-Link DIR-865L Ax 1.20B01 Beta devices allow Command Injection | 9.8 | 10.95 | 2020-06-03 |
| CVE-2020-13786 | D-Link DIR-865L Ax 1.20B01 Beta devices allow CSRF | 8.8 | 9.25 | 2020-06-04 |
| CVE-2020-13784 | D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a Pseudo-Random Number Generator | 7.5 | 4.99 | 2020-06-03 |
Firstly, at the time this blog was initially written (22nd June) these vulnerabilities had not seen any real threat actor interest since early June. To quote Palo Alto from the SC Magazine article of June 16th 2020, “These vulnerabilities, together, can be used to run arbitrary commands, exfiltrate data, upload malware, steal user credentials or delete data”.
Interest in these kinds of vulnerabilities has spiked since Covid-19 lockdown measures were applied across many countries around the world, just as we saw with the Netgear vulnerabilities affecting home workers that we covered in previous blogs (scoring 38.46 out of 38.50 in Farsight in May). Organizations with remote workers should be considering the impact of these vulnerabilities on their attack surface and remediating them based on the predicted likelihood score from Farsight, aligned with their risk appetite. Patch information can be found here.
GitLab CE & EE vulnerabilities
On the 19th June a number of vulnerabilities affecting GitLab CE and EE were published. At the time of writing this article, these vulnerabilities were trending above the average (1.0) but were still at the lower end of the risk scale (between 3.37 and 9.40) in Farsight on the predicted likelihood of exploitation in the wild.

| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-4450 | Remote code execution | 9.8 | 38.46 | 2020-06-06 |
| CVE-2020-13273 | A Denial of Service vulnerability allowed exhausting the system resources in GitLab CE/EE 12.0 and later through 13.0.1 | 7.5 | 7.10 | 2020-06-20 |
| CVE-2020-13275 | A user with an unverified email address could request access to domain-restricted groups in GitLab EE 12.2 and later through 13.0.1 | 8.0 | 4.45 | 2020-06-20 |
| CVE-2020-13274 | A security issue allowed achieving Denial of Service attacks through memory exhaustion by uploading malicious artifacts in all previous GitLab versions through 13.0.1 | 7.5 | 3.37 | 2020-06-20 |
| CVE-2020-13262 | Client-side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 | 6.1 | 7.10 | 2020-06-20 |
| CVE-2020-13265 | User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows a user to bypass email verification | 4.3 | 6.53 | 2020-06-20 |
| CVE-2020-13276 | A user is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1 | 7.4 | 9.40 | 2020-06-20 |
| CVE-2020-13272 | OAuth flow missing verification checks in GitLab CE/EE 12.3 and later through 13.0.1 | 7.5 | 7.96 | 2020-06-20 |
| CVE-2020-13264 | Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 | 5.3 | 8.70 | 2020-06-20 |
| CVE-2020-13261 | Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 | 6.3 | 8.42 | 2020-06-20 |
N.B. the CVSSv3 scores listed in this blog are those taken from GitLab’s own assessment of the vulnerabilities. At the time of writing NVD had not completed their analysis and published their official CVSS scores. We have a long list of vulnerabilities disclosed on the 19th June affecting GitLab CE and EE versions 12.0 through to 13.0.1. As many of our readers will be running application development using a Software Development Lifecycle approach of continuous integration and delivery, we highly recommend that patches to GitLab are applied as a matter of urgency. Despite these ranking lower (i.e. they don’t currently have a high likelihood of exploitation), it is still very early in the vulnerabilities’ lifecycle and it’s possible this can change quickly. Request Farsight to keep track of the latest predicted likelihood score.
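To turn the table above into a patch-priority list for a specific installation, here is an added triage helper (our own example, not GitLab's or Farsight's code): it encodes the affected version ranges, editions and Farsight ratings transcribed from the table, then reports which listed CVEs apply to a given installed GitLab version, highest Farsight rating first. CVE-2020-4450 is left out because the table gives it no version range; "all previous versions" is modelled as a lower bound of 0.0, an assumption made here.

```python
"""Which of the GitLab CVEs listed above apply to an installed version?"""
from typing import List, Tuple

# Transcribed from the table in this post:
# (cve, first affected version, last affected version, editions, Farsight rating)
# Lower bound "0.0" is our stand-in for "all previous versions".
GITLAB_CVES = [
    ("CVE-2020-13273", "12.0", "13.0.1", ("CE", "EE"), 7.10),
    ("CVE-2020-13275", "12.2", "13.0.1", ("EE",), 4.45),
    ("CVE-2020-13274", "0.0", "13.0.1", ("CE", "EE"), 3.37),
    ("CVE-2020-13262", "12.9", "13.0.1", ("CE", "EE"), 7.10),
    ("CVE-2020-13265", "12.5", "13.0.1", ("CE", "EE"), 6.53),
    ("CVE-2020-13276", "0.0", "13.0.1", ("CE", "EE"), 9.40),
    ("CVE-2020-13272", "12.3", "13.0.1", ("CE", "EE"), 7.96),
    ("CVE-2020-13264", "10.3", "13.0.1", ("CE", "EE"), 8.70),
    ("CVE-2020-13261", "12.6", "13.0.1", ("CE", "EE"), 8.42),
]


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '13.0.1' into (13, 0, 1). A missing component counts as 0, so
    '12.0' becomes (12, 0, 0) and '12.10.3' sorts after '12.9.0' as numbers,
    not as strings (a string compare would wrongly put '12.10' before '12.9')."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def affected(installed: str, edition: str = "CE") -> List[Tuple[str, float]]:
    """Return (cve, farsight_rating) for each listed CVE whose affected range
    contains `installed` for this edition, highest Farsight rating first.
    Ties keep table order (Python's sort is stable even with reverse=True)."""
    iv = parse_version(installed)
    hits = [
        (cve, rating)
        for cve, lo, hi, editions, rating in GITLAB_CVES
        if edition in editions and parse_version(lo) <= iv <= parse_version(hi)
    ]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample versions: one old, one mid-range, one fixed.
    for ver, ed in (("12.1.0", "CE"), ("12.10.3", "EE"), ("13.0.2", "EE")):
        print(f"GitLab {ed} {ver}:", [cve for cve, _ in affected(ver, ed)])
```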
Windows Defender
A recently (10th June) announced flaw in Windows Defender currently poses a low risk, but its likelihood of exploitation, at 2.24, is still elevated above the average.

| CVE | Description | CVSS Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-1170 | An elevation of privilege vulnerability exists in Windows Defender that leads to arbitrary file deletion on the system | 7.8 | 2.24 | 2020-06-21 |
| CVE-2020-1163 | An elevation of privilege vulnerability exists in Windows Defender that leads to arbitrary file deletion on the system | 7.8 | 2.92 | 2020-06-10 |
Whilst a low risk, analysing the vulnerability in more detail shows that ‘to exploit the vulnerability, an attacker would first have to log on to the system’, so an attacker would need access to the system before making use of this elevation of privilege vulnerability.
On the surface CVE-2020-1163 appears to be the same vulnerability, but the two are slightly different, and 1163 has certainly seen less interest since its public release than 1170.
As is always the case, apply the Microsoft security patches to update Defender on a monthly basis. More information on the vulnerabilities can be found here (1170) and here (1163).
Wrap up
This week’s CVEs to find and fix have been dominated by GitLab releases, a couple of interesting but not yet exploited vulnerabilities in more home broadband routers (on top of the Netgear vulnerabilities we covered in April), and a nod to a couple of vulnerabilities in Windows Defender. Whilst the majority of the workforce is still predominantly working from home, it’s important for organizations to keep remediating company laptops and other machines being used by home workers, to ensure we stay on top of any possible gaps in the expanded attack surface. Even though this week’s vulnerabilities are trending lower in the Farsight risk rating, they still pose potential future threats and should be given careful consideration, monitoring and remediation when relevant. As always, if you need help understanding whether your company is affected by these vulnerabilities, contact us now.