Fix now: High risk vulnerabilities at large, June 2020 part 2
Internet Explorer vulnerability
We have seen renewed interest in a 2019 Internet Explorer vulnerability, we put this through our predictive risk based vulnerability prioritization tool Farsight to provide more context into the risk, which scores it as extremely high (38.46 out of a possible 38.50):
| CVE | Description | CVSS Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2019-0752 | Scripting Engine Memory Corruption Vulnerability | 7.5 | 38.46 | 2020-06-07 |
Prior to the 7th June, this vulnerability was last seen and being discussed in November 2019. This vulnerability has numerous POC and framework exploits available and has also been used successfully in the wild.. We recommend that for those organizations who still have this showing they should ensure outstanding Microsoft patches are applied to fix it as soon as possible – click here.
IBM Websphere
A new IBM Websphere vulnerability was announced last week, which is undergoing analysis by NVD but IBM’s own assumption of the criticality is 9.8 and this is matched with our tool Farsight as a highly exploitable risk at 38.46.
| CVE | Description | CVSS Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-4450 | Remote code execution | 9.8 | 38.46 | 2020-06-06 |
This vulnerability effects versions 8.5 and 9.0 and an interim fix has been made available here. Given Websphere could be the underlying platform running many organization’s critical business applications we strongly recommend applying the interim fix as soon as possible. Our predictive risk-based vulnerability prioritization tool Farsight is rating this as a likely exploit candidate despite the lack of any known POC exploit being available based on threat intelligence.
Two oldy but goodies return - VBScript Engine and Adobe Flash Player
| CVE | Description | CVSS Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2018-8174 | Windows VBScript Engine Remote Code Execution Vulnerability | 7.5 | 38.46 | 2020-06-07 |
| CVE-2018-4878 | Remote code execution in Adobe Flash Player | 9.8 | 38.46 | 2020-06-07 |
The VBScript engine vulnerability has continued to see interest throughout the first half of 2020. It has been exploited successfully in the wild previously and was fixed in this advisory by Microsoft back in 2018.
The Adobe Flash Player vulnerability was successfully exploited in January and February of 2018 and has resurfaced in May 2020 after seeing no interest after November 2019. Fixes for this can be found here. It’s worth pointing out that Adobe Flash has entered an End of Life phase and will no longer be supported after 31st December 2020.
It’s likely interest in these two vulnerabilities has been increased due to the effects of global lockdowns where employees may be using their own PC’s and Laptops for work purposes as we continue to follow social distancing rules, which may not be subject to the same thorough remediation and upgrade activities – unlike if we were actively office bound and in close proximity with our security teams.
SAP Adaptive Server Enterprise (Web services)
Finally, something a bit different, affecting SAP Adaptive server versions 15.7 and 16.0:
| CVE | Description | CVSS Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-6241 | Privilege escalation resulting in SQL injection | 8.8 | 38.46 | 2020-06-05 |
| CVE-2020-6253 | Authenticated user executing database queries resulting in SQL Injection | 7.2 | 38.46 | 2020-06-05 |
Both of these vulnerabilities were announced in May 2020, and since then have been exploited in the wild, for more information on these see the SAP wiki. Patches have been released to address both of these vulnerabilities and SAP strongly recommends applying these to protect your SAP landscape.
Wrap up
We hope these insights continue to be useful to you, as you plan and prioritize your remediation activities in your respective organizations. As always we remind you that the last seen dates and likelihood scores are correct at time of writing the blog and if there is anything you would like to see covered in the Farsight bi-weekly blog feel free to contact us.
We’ve highlighted the high risk vulnerabilities within this blog, following analysis from our integrated risk based vulnerability management tool Farsight to identify the critical risks for patching and help you prioritize. Subscribe to our email to ensure you get the latest updates.
