Fix now: Vulnerabilities targeting the FireEye Breach
According to FireEye CEO Kevin Mendia, "the stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies…. some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our Red Team." What follows is a non-exhaustive list of CVEs and Github countermeasures published by FireEye in the aftermath to help companies prevent from being targeted. It’s worth noting that over the weekend several other Security vendors have reported seeing these tools in action in the wild.
From a vulnerability management standpoint it's important to ensure you can proactively identify whether your systems and endpoints are affected by these vulnerabilities, and deploy patches or fixes to resolve them if you haven’t done so. Detection scripts are available in the Outpost24 vulnerability database (Outscan) for all of the CVEs here.
Pulse Secure File reading vulnerability
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2019-11510 | Pulse Secure file reading vulnerability | 10.00 | 38.46 | 2019-05-09 |
Described by NVD as follows here, “In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability.”
This vulnerability was first mentioned back in our April blog and again as part of our summary of the NSA’s top 25 vulnerabilities where it appeared as the number 1 entry. The check was created in Outscan in May 2019, and on release of Farsight in February 2020 would have had this highest risk rating (38.46).
Netlogin/Zerologin Active Directory escalation of privileges
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2020-1472 | Nelogin/Zerologin vuln | 9.3 | 38.46 | 2020-08-12 |
Described by NVD, as follows here, “An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.”
This vulnerability AKA the Zerologin vulnerability was covered in our September Farsight blog as well as being on the NSA’s list at no 10, covered again in the part 1 blog. The check was added to Outscan in August where it received a 7.57 initial Farsight rating, jumping to its current 38.46 in September 2020.
Fortigate SSL VPN information disclosure
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2018-13379 | Fortigate SSL VPN Pre-Auth arbitrary file reading | 9.8 | 38.46 | 2019-05-06 |
Described by NDV here as “An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.”
Not previously covered in our Farsight blogs, when this vulnerability was added to Outscan it would have received a Farsight rating of 38.46 where it has remained since.
RCE in adobe ColdFusion
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2018-15961 | RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) | 9.8 | 38.46 | 2018-11-09 |
Described by NVD here as “Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.”
When Farsight was launched this vulnerability would have garnered a likelihood score of 38.46. This vulnerability has not previously been seen in any of our blogs.
RCS in Microsoft Sharepoint
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2019-0604 | RCE for Microsoft Sharepoint | 9.8 | 38.46 | 2019-02-12 |
Described by NVD here as “A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'.”
Mentioned as part of the CERT top 10 routinely exploited vulnerability released in May 2020, and covered in our Farsight June blog. Though interestingly it wasn’t mentioned in the NSA’s report on the top 25 targeted vulnerabilities. When Farsight launched, this vulnerability would have had the maximum likelihood risk rating of 38.46.
Bluekeep
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2019-0708 | RCE of Windows Remote Desktop Services | 9.8 | 38.46 | 2019-05-15 |
Described by NVD here as “A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability.”
When Farsight launched this vulnerability would have been given a 38.46 risk rating. This vulnerability was covered in our blog covering the NSA press release here and featured as one of the first vulnerabilities we covered in the Farsight blogs.
Atlassian Crowd RCE
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2019-11580 | Atlassian Crowd remote code execution | 9.8 | 3.39 | 2019-07-22 |
Described by NVD here as “Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.”
This vulnerability differs from the others in that it currently has a low likelihood score. Whilst not ‘1.0’, reflecting the average vulnerabilities, Farsight has not seen significant activity around this vulnerability. It peaked at 8.5 back in the summer and has since dropped and held steady at 3.39. Anticipate this one increasing as the stolen tools become more prolific in their use.
This one was covered in part 2 of the NSA Chinese vulnerability lists.
Citrix ADC & Gateway RCE
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2019-19781 | RCE of Citrix Application Delivery Controller and Citrix Gateway | 9.8 | 38.46 | 2019-12-18 |
A well-known vulnerability from the end of 2019, beginning of 2020, described (here) by the NVD as “An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.”
Covered in Farsight blogs as the number 2 on the list of Chinese targeted vulnerabilities, and in our April blog. At the initial launch of Farsight this vulnerability had a likelihood of 30.25, jumping to the maximum score in May 2020.
Zoho ManageEngine RCE
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2020-10189 | Zoho ManageEngine Desktop Central 10 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class | 9.8 | 38.46 | 2020-03-30 |
Described by NVD here, as “Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.”
This vulnerability was announced back in March 2020 with a Farsight rating of 1.66 where it remained until May 2020 where it received its 38.46 rating. It was covered in the NSA blog, part 2 where it ranked 19th out of 25.
Windows local privilege escalation
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2014-1812 | Windows local privilege escalation | 9.0 | 38.46 | 2014-05-14 |
Due to its age this vulnerability only has a CVSSv2 score. The NVD describes this vulnerability here, as “The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability.”
Not previously covered, this vulnerability has a likelihood score of 38.46 as one would expect.
Confluence RCE
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2019-3398 | Confluence Authenticated Remote Code Execution | 8.8 | 38.46 | 2019-04-23 |
Described by NVD as Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.
Like the previous vulnerability, this is one we have not covered previously in our blogs. At the time of Farsight’s launch, this vulnerability would have had a likelihood score of 3.12, jumping to the maximum 38.46 on 8th May 2020 where it has remained since.
Microsoft Exchange RCE
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2020-0688 | Remote command execution in Microsoft Exchange | 8.8 | 38.46 | 2019-02-11 |
NVD describe this one as a remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.
At Farsight’s launch this vulnerability would have received a likelihood score of 6.35, recaching 38.46 likelihood on 8th July 2002. Between the launch of Farsight and the 8th of July the vulnerability saw a lot of movement in its likelihood scores jumping to just over 37 in April, then falling back to the low 20’s in May until it finally reached the maximum.
Like the majority of the vulnerabilities on this list, this was featured in the NSA’s top 25 vulnerabilities targeted by Chinese state actors and we covered in our blog.
Microsoft Windows Privilege escalation
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2016-0167 | local privilege escalation on older versions of Microsoft Windows | 7.8 | 19.59 | 2016-04-13 |
Described by NVD as The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-0143 and CVE-2016-0165.
Another we haven’t previously covered in our Farsight blogs. This would have received a likelihood risk score of 6.06 at the time of Farsight’s launch. It has since risen to 19.59 as recently at the 6th December. With the publicity of the FireEye hack and the noted use of the tools take in the wild we expect to see the risk of this vulnerability increase in the coming days and weeks.
RCS in Microsoft Outlook
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2017-11774 | RCE in Microsoft Outlook via crafted document execution (phishing) | 7.8 | 38.46 | 2017-10-11 |
Described by NVD as Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016 allow an attacker to execute arbitrary commands, due to how Microsoft Office handles objects in memory, aka "Microsoft Outlook Security Feature Bypass Vulnerability."
Another previously undiscussed vulnerability as far as our Farsight blog is concerned, this would have debuted a Farsight’s launch with a likelihood score of 38.46.
Escalation of privilege in Microsoft Exchange server
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2018-8518 | Microsoft Exchange Server escalation of privileges | 7.4 | 8.16 | 2018-12-19 |
Described by NVD as an elevation of privilege vulnerability exists in Microsoft Exchange Server, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability." This affects Microsoft Exchange Server. This vulnerability received a likelihood score of 5.87 at the time of launch down from its launch score of 35 back in 2018. Over the last few weeks we have started to see a small movement in the risk of the vulnerability and again, like other fully expect this to increase in risk in the coming days and weeks. Another one not previously features in any of our Farsight blogs, nor was it on the NSA’s list published earlier this year.
ZoHo ManageEnginer Arbitrary pre-auth file upload
| CVE | Description | CVSSv3 Score | likelihood | Added to Outscan |
|---|---|---|---|---|
| CVE-2019-8394 | arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus | 6.5 | 38.46 | 2020-04-06 |
Described by NCD as Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. This vulnerability has the lowest CVSS score of the 16 listed by FireEye. Despite this low CVSSv3 score it remains at the top of the Farsight likelihood risk scoring with a 38.46 which it received in May 2020. Prior to that, at the time the vulnerability was added to Outscan it would have had a likelihood score of 3.66, jumping straight to the maximum in May as noted.
A word on the SolarWinds Orion compromise
On the 14th of December, FireEye announced they had discovered that one or more updates from SolarWinds had been weaponised and was likely a route into the FireEye network. We immediately added detection scripts for SolarWinds to both Outscan (via the webapp policy) and to Appsec Scale on the 15th of December to better equip Outpost24 customers with the ability to detect the presence of SolarWinds and the versions they have installed. More information on the issue and remediation can be found in the SolarWinds advisory here
Wrap up
This is just a quick look at 16 CVEs targeted by FireEye’s tools. In all cases bar one these vulnerabilities carry the highest risk rating, and for the most part have done so since we launched Farsight or soon after the vulnerability was added to the Outscan database.
For Outpost24 customers using Farsight risk based vulnerability prioritization tools, an early warning would have been provided to allow you to respond and remediate in a timely manner ahead of potential threats. For customers who don’t have Farsight, the high/critical CVSS scores should have prompted your organization to patch on discovery, though it is safe to say that if FireEye were using these vulnerabilities as part of their red teaming exercises many organizations have yet to remediate them. We strongly recommend organizations do so as soon as possible.
