Fix now: High risk vulnerabilities at large, September 2020

Scripting Engine Memory Corruption Vulnerability
CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
---|---|---|---|---|
CVE-2020-1380 | RCE in the scripting engine of Internet Explorer | 7.5 | 38.46 | 2020-08-26 |
The first one is a new remote code execution vulnerability in the scripting engine of Internet Explorer 11. It has already been exploited in the wild, hence its maximum likelihood score. Unlike the usual IE zero days, which target VBScript.dll or jscript.dll, this one affects jscript9.dll, the just-in-time JavaScript engine, and allows a threat actor who lures a victim to a specially crafted web page to execute code on the target machine with the rights of the current user. There are some excellent write-ups on the technicalities of the vulnerability if you want to know more, but as always, this one is a must fix as part of the monthly Microsoft Patch Tuesday; details can be found here.
IBM Guardium data encryption
CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
---|---|---|---|---|
CVE-2019-4695 | Web pages can be locally stored for access by another user | TBC | 3.59 | 2020-08-26 |
CVE-2019-4692 | Sensitive information disclosure to unauthorised users | TBC | 7.97 | 2020-08-26 |
CVE-2019-4701 | Active debugging code, enabled by default, can create unintended entry points | TBC | 7.97 | 2020-08-26 |
CVE-2019-4713 | Remote code execution through specially crafted requests | TBC | 7.97 | 2020-08-26 |
CVE-2019-4699 | Error messages include sensitive information regarding environment, users or associated data | 2.7 | 7.97 | 2020-08-26 |
CVE-2019-4697 | Storage of credentials in plain text which can be read by an authenticated user | 5.3 | 7.97 | 2020-08-26 |
CVE-2019-4698 | Does not require users to have strong password by default | TBC | 7.97 | 2020-08-26 |
CVE-2019-4694 | Contains hard coded credentials such as password or crypto keys used for own inbound authentication | 6.8 | 7.97 | 2020-08-26 |
CVE-2019-4693 | Stores user credentials in plain text which can be read by a local privileged user | TBC | 7.97 | 2020-08-26 |
CVE-2019-4691 | Cross site scripting vulnerability | 5.4 | 7.97 | 2020-08-26 |
CVE-2019-4688 | Does not set the Secure attribute on authorisation cookies | 3.7 | 7.97 | 2020-08-26 |
CVE-2019-4689 | Failure to properly enable HTTP Strict Transport Security (HSTS) could result in a man-in-the-middle attack | 5.9 | 7.97 | 2020-08-26 |
A whole slew of vulnerabilities has been released affecting the IBM Guardium Data Encryption solution. If you are a customer of this technology, we strongly recommend you check your versions and upgrade where possible. Details on the patches can be found here.
N.B. there are many more vulnerabilities addressed in the patch than the ones listed here, including some dating back to 2015. Also note that at the time of writing many of the listed vulnerabilities were still awaiting their final CVSS score. Farsight rates these as having a higher than average risk of exploitation, though at the time of writing none have been exploited.
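Two of the Guardium findings above, the missing Secure attribute on authorisation cookies (CVE-2019-4688) and HSTS not being properly enabled (CVE-2019-4689), are the kind of thing you can check on any web-facing appliance after patching. The script below is an added example written for this post, not IBM's code or anything from the advisory: it parses a raw HTTP response, reports cookies lacking Secure or HttpOnly and a missing or short-lived Strict-Transport-Security header, and runs against two constructed sample responses. The one-year max-age threshold and the JSESSIONID cookie name are assumptions for illustration.

```python
"""Audit an HTTP response for transport weaknesses: cookies without the
Secure/HttpOnly attributes and a missing or weak HSTS header.

Added example for this post; not IBM Guardium code. Sample responses are
constructed, not captured from a real appliance.
"""
import re
from typing import Dict, List, Tuple

# Assumption: one year, the value the HSTS preload list requires. A shorter
# max-age leaves a window for SSL stripping once the policy expires.
MIN_HSTS_MAX_AGE = 31536000


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block of a raw HTTP response.

    Header names are lower-cased because they are case-insensitive; the status
    line and anything after the blank line (the body) are ignored.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_attributes(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and its attributes.

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly carry no value and map to an empty string.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return cookie_name, attrs


def audit_response(raw_response: str) -> List[str]:
    """Return a list of findings; an empty list means the response passed."""
    findings: List[str] = []
    headers = parse_headers(raw_response)

    # HSTS: header must be present and carry a sufficiently long max-age.
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("HSTS: Strict-Transport-Security header missing")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.IGNORECASE)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(
                f"HSTS: max-age missing or below {MIN_HSTS_MAX_AGE}s: {hsts[0]!r}"
            )

    # Cookies: every Set-Cookie should carry Secure and HttpOnly.
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = cookie_attributes(value)
        if "secure" not in attrs:
            findings.append(f"cookie {cookie}: Secure attribute missing")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie}: HttpOnly attribute missing")
    return findings


# Constructed sample: the weak pattern described by CVE-2019-4688/4689.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=0123456789abcdef; Path=/\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: the same response with both weaknesses corrected.
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: JSESSIONID=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit_response(resp) or ["no findings"])
```

To run it against a live appliance, capture the response with `curl -sSi https://host/` and pass the text to `audit_response`; note that HSTS is only honoured by browsers when served over HTTPS, so the header must be checked on the TLS listener, not on any plain HTTP redirect.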
TreasuryXpress vulnerabilities
CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
---|---|---|---|---|
CVE-2019-20151 | An XSS vulnerability allowing malicious JavaScript to be executed via the Note system resulting in the administrator executing the payload | 6.1 | 38.46 | 2020-08-24 |
CVE-2019-20152 | An XSS vulnerability that can result in malicious payloads being executed throughout the navigation bar | 6.1 | 38.46 | 2020-08-24 |
CVE-2019-20150 | Possible to force the application to expose saved SSH/SFTP credentials to a malicious host | 6.5 | 3.59 | 2020-08-20 |
TreasuryXpress is a SaaS and on-premise cash flow management system that lets companies connect to their banks and manage their internal cash flow. These vulnerabilities would allow compromise of the system through the execution of malicious JavaScript in an administrator's browser session, as well as extraction of the sensitive credentials used to connect to third parties.
As this is primarily a SaaS platform, affected customers should contact TreasuryXpress directly for an ETA on a fix. Where customers run the on-premise version, a patch addressing these vulnerabilities should likewise be requested from the vendor as soon as possible.
Wrap up
At the end of August, and in particular on the 26th, we saw a number of vendors announcing multiple vulnerabilities affecting their platforms, such as the ALEOS software platform, BIND 9.10, NCR SelfServ ATMs, the DBHcms open source content management solution, Parallels Desktop, BIG-IP and Cisco's DCMN platform.
We recommend our customers subscribe to bulletins from these vendors or other sources to ensure they do not miss any announcements relating to software and solutions deployed within their organizations, and of course check any vulnerabilities they are concerned about against the Farsight risk rating score where applicable.