
Fix now: High risk vulnerabilities at large, September 2020

04.Sep.2020
Simon Roe, Product Manager Outpost24
Since the start of the pandemic we’ve been writing about the latest CVEs to look out for in our risk-based vulnerability management blog. As we head into the autumn and the nights begin to draw in, threat actors continue to exploit vulnerabilities the world over. Let’s take a look at some that have raised their profile in the last couple of weeks.
High risk vulnerabilities

Scripting Engine Memory Corruption Vulnerability

| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-1380 | RCE in the scripting engine of Internet Explorer | 7.5 | 38.46 | 2020-08-26 |

The first one is a new remote code execution vulnerability in the scripting engine of Internet Explorer 11. It has already been exploited in the wild, hence its maximum likelihood score. The vulnerability affects jscript9.dll, part of the JavaScript just-in-time engine, which sets it apart from the usual zero days that affect Vbscript.dll or jscript.dll, and it allows threat actors to execute code on the target machine. There are some excellent writeups on the technicalities of the vulnerability if you want to know more, but as always, this one is a must-fix as part of the monthly Microsoft Patch Tuesday, and details can be found here.

IBM Guardium data encryption

| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2019-4695 | Web pages can be locally stored for access by another user | TBC | 3.59 | 2020-08-26 |
| CVE-2019-4692 | Sensitive information disclosure to unauthorised users | TBC | 7.97 | 2020-08-26 |
| CVE-2019-4701 | Enabled by default active debugging code can be created for unintended entry points | TBC | 7.97 | 2020-08-26 |
| CVE-2019-4713 | Remote code execution through specially crafted requests | TBC | 7.97 | 2020-08-26 |
| CVE-2019-4699 | Error messages include sensitive information regarding environment, users or associated data | 2.7 | 7.97 | 2020-08-26 |
| CVE-2019-4697 | Storage of credentials in plain text which can be read by an authenticated user | 5.3 | 7.97 | 2020-08-26 |
| CVE-2019-4698 | Does not require users to have strong password by default | TBC | 7.97 | 2020-08-26 |
| CVE-2019-4694 | Contains hard coded credentials such as password or crypto keys used for own inbound authentication | 6.8 | 7.97 | 2020-08-26 |
| CVE-2019-4693 | Stores user credentials in plain text which can be read by a local privileged user | TBC | 7.97 | 2020-08-26 |
| CVE-2019-4691 | Cross site scripting vulnerability | 5.4 | 7.97 | 2020-08-26 |
| CVE-2019-4688 | Does not set the secure attribute on authorisation cookies | 3.7 | 7.97 | 2020-08-26 |
| CVE-2019-4689 | Failure to properly enable HTTP strict transport security could result in man in the middle attack | 5.9 | 7.97 | 2020-08-26 |

A whole slew of vulnerabilities has been released affecting the IBM Guardium data encryption solution. If you are a customer of this technology, we strongly recommend you check your versions and upgrade where possible. Details on the patches can be found here.

N.B. There are many more vulnerabilities addressed in the patch than the ones listed here, including some dating back to 2015. Also note that at the time of writing this blog many of the listed vulnerabilities were still awaiting their final CVSS score. Farsight rates these as having a higher than average risk of exploitation, though at the time of writing none have been exploited.

TreasuryXpress vulnerabilities

| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2019-20151 | An XSS vulnerability allowing malicious JavaScript to be executed via the Note system resulting in the administrator executing the payload | 6.1 | 38.46 | 2020-08-24 |
| CVE-2019-20152 | An XSS vulnerability that can result in malicious payloads being executed throughout the navigation bar | 6.1 | 38.46 | 2020-08-24 |
| CVE-2019-20150 | Possible to force the application to expose saved SSH/SFTP credentials to a malicious host | 6.5 | 3.59 | 2020-08-20 |

TreasuryXpress is a SaaS and on-premise cash flow management system that allows companies to connect seamlessly to banks and manage their internal cash flow. These vulnerabilities would allow compromise of the system through the execution of malicious code, as well as the extraction of sensitive credentials used to connect to third parties.

As this is primarily a SaaS platform, affected customers should contact TreasuryXpress directly to get an ETA on a fix. Customers using the on-premise version should likewise request a patch addressing these vulnerabilities from the vendor as soon as possible.

Wrap up

At the end of August, and in particular on the 26th, we saw a number of vendors announcing multiple vulnerabilities affecting their platforms, such as the ALEOS software platform, BIND 9.10, NCR SelfServ ATMs, the DBHcms open source content management solution, Parallels Desktop, BIG-IP and Cisco’s DCNM platform.

We recommend our customers subscribe to bulletins from these vendors or other sources to ensure they do not miss any announcements relating to software and solutions deployed within their organizations and, of course, check any vulnerabilities they are concerned about against the Farsight risk rating score where applicable.
