The NSA (National Security Agency) recently published a security advisory about the publicly known vulnerabilities currently being exploited by Chinese state-sponsored actors. While the advisory focuses on the activities of state-sponsored actors, it also shows which threats and vulnerabilities are considered most useful for exploitation in general. Taking a quick look at the list could give you valuable information on what your security team needs to be defending against right now.
All these vulnerabilities have patches available to mitigate or resolve them, demonstrating again the importance of regular security patching.
1. Pulse Secure VPN
Now, more than ever, VPNs are being used in more businesses to facilitate remote working, so a VPN vulnerability like this one needs to be taken seriously by your security managers. Detailed information on this vulnerability along with some third party advisories can be found here.
CVE-2019-11510 can be exploited by sending a maliciously crafted URI, giving an unauthenticated attacker the ability to read arbitrary files. This vulnerability could be used to steal keys or passwords and has been given the top CVSS score of 10.0 Critical.
This vulnerability affects Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.
2. F5 BIG-IP
CVE-2020-5902 is a vulnerability in the Traffic Management User Interface (TMUI) that can be exploited to achieve remote code execution. Whenever arbitrary code can be run, the consequences can be incredibly serious; in the words of F5’s security advisory:
All information present on an infiltrated system should be considered compromised. This includes, but is not limited to, logs, configurations, credentials, and digital certificates.
This vulnerability has been given a CVSS score of 9.8 Critical. More information on this vulnerability can be found here.
This vulnerability affects BIG-IP versions 15.0.0-184.108.40.206, 14.1.0-220.127.116.11, 13.1.0-18.104.22.168, 12.1.0-22.214.171.124, and 11.6.1-126.96.36.199.
3. Citrix Application Delivery Controller (ADC) and Gateway
A vulnerability in Citrix Application Delivery Controller and Gateway systems allows directory traversal and remote code execution.
CVE-2019-19781 opens the door for attackers to perform remote code execution on these systems, which could allow a complete takeover of the affected system. The vulnerability holds a 9.8 Critical CVSS score.
CVE-2019-19781 affects Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0.
4, 5 and 6. More Citrix ADC and Gateway vulnerabilities
Three more vulnerabilities in Citrix Application Delivery Controller and Gateway systems are present on this NSA list, meaning they are commonly utilised and exploited by Chinese state-sponsored actors, along with many other cyber criminals. These three vulnerabilities share characteristics and vulnerable versions and are used together, so they appear together in the NSA's advisory.
CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 are bugs that can allow unauthenticated access to URL endpoints and give low-privileged users access to privileged information through information disclosure. Any vulnerability that is being actively exploited requires immediate attention from your security team, and luckily these three, like all others on this list, have patches available right now that can fix or mitigate them. The vulnerabilities have CVSS scores of 6.5 Medium and 4.3 Medium.
These three vulnerabilities affect Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18, and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7.
7. BlueKeep (Remote Desktop Services)
BlueKeep is a vulnerability in Remote Desktop Services that allows an unauthenticated attacker to connect to systems using RDP and send specially crafted requests. We published an article about BlueKeep back in May of 2019, yet over a year after Microsoft published patches to remediate the problem there are enough unpatched systems still around for BlueKeep to make it into this top 10 list.
CVE-2019-0708 allows attackers to perform remote code execution on victim systems by connecting to the machine with RDP and then sending specially crafted requests. More information on the vulnerability can be found here. BlueKeep has a CVSS score of 9.8 Critical.
BlueKeep affects Microsoft Windows XP through 7 and Microsoft Windows Server 2003 through 2008. While you may previously have mitigated this vulnerability by disabling RDP, if RDP has been re-enabled to facilitate remote working, make sure that your security team is on top of patching this vulnerability.
8. MobileIron MDM (Mobile Device Management)
MobileIron’s Mobile Device Management software is used to manage, monitor and secure mobile devices that need access to business-critical information. While it is used to secure devices, the MDM software itself contains a remote code execution vulnerability that allows attackers to execute arbitrary code.
CVE-2020-15505 allows attackers to run arbitrary code on company systems and could allow for remote takeovers of company servers. This vulnerability has a CVSS score of 9.8 Critical and should be patched immediately if your business uses MobileIron’s MDM software. More information can be found here.
CVE-2020-15505 affects MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 188.8.131.52 and earlier.
9. Windows Domain Name System
The Windows Domain Name System (DNS) server contains a vulnerability that has been coined SIGRed. This vulnerability allows remote code execution when the server does not correctly handle requests.
CVE-2020-1350 allows attackers to run arbitrary code on Windows DNS servers that do not correctly handle requests. With the highest possible CVSS score of 10.0 Critical, it is imperative that the latest patches be applied to your Windows DNS servers as soon as possible. More information, along with links to advisories and patches, can be found here.
CVE-2020-1350 affects Microsoft Windows Server® 2008 – 2019.
10. Netlogon
Netlogon is a Windows service that authenticates users and is part of the Windows Client Authentication Architecture. Netlogon is present as standard and runs in the background unless explicitly disabled by the system administrator, so a vulnerability in this service is incredibly far reaching.
CVE-2020-1472 is a privilege escalation vulnerability that could give attackers access to sensitive information or elevated privileges. It works by establishing a secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). This vulnerability has a CVSS score of 10.0 Critical and should be at the top of any security team's list for immediate patching. More information on this vulnerability can be found here.
CVE-2020-1472 affects Microsoft Windows Server® 2008 – 2019.
How you can protect your network from these vulnerabilities
- Adopting a monthly security patching cycle is the cornerstone of effective cyber-security. All these vulnerabilities have had patches available for many months which resolve the flaws.
- Running regular vulnerability scans will help identify any device on your network that has not been patched.
- Performing security hardening will make it harder for malicious users to identify and exploit any unpatched vulnerabilities on your network.
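Vendor advisories express the vulnerable population as "branch X before fixed build Y", and a vulnerability scan is only as good as the version comparison behind it. The script below is an added example (not code from the article, the NSA advisory or any vendor tool) that turns the affected-version lists quoted above for Pulse Connect Secure (CVE-2019-11510) and Citrix ADC/Gateway and SD-WAN WAN-OP (CVE-2020-8193/8195/8196) into an inventory check. The product names, the `FIXED` table layout and the hostnames and versions in `INVENTORY` are constructed for the example; the fixed build numbers are the ones quoted in the article. Vendor version strings use product-specific formats (Pulse's `8.3R7.1`, Citrix's `13.0-58.30`, WAN-OP's letter suffix `11.1.1a`), so each product carries its own pattern, and a release branch that the advisory does not mention is reported as "not listed" rather than assumed safe.

```python
"""Check an asset inventory against the 'before fixed build' lists quoted in the article.
Added example; product names, table layout and inventory entries are constructed."""
import re

# One entry per product: a regex that captures the version components in order, the number of
# leading components that identify the release branch, and the first fixed build per branch.
FIXED = {
    "Pulse Connect Secure (CVE-2019-11510)": {
        "pattern": r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?",   # e.g. 8.3R7.1, 9.0R3
        "branch_len": 2,
        "fixed": ["8.2R12.1", "8.3R7.1", "9.0R3.4"],
    },
    "Citrix ADC/Gateway (CVE-2020-8193/8195/8196)": {
        "pattern": r"(\d+)\.(\d+)-(\d+)\.(\d+)",          # e.g. 13.0-58.30
        "branch_len": 2,
        "fixed": ["13.0-58.30", "12.1-57.18", "12.0-63.21", "11.1-64.14", "10.5-70.18"],
    },
    "Citrix SD-WAN WAN-OP (CVE-2020-8193/8195/8196)": {
        "pattern": r"(\d+)\.(\d+)\.(\d+)([a-z])?",         # e.g. 11.1.1a, 10.2.7
        "branch_len": 2,
        "fixed": ["11.1.1a", "11.0.3d", "10.2.7"],
    },
}


def _token(group):
    """Map one captured component to an int so tuples compare correctly.
    Missing component -> 0, digits -> int, a trailing letter -> 1..26 (so 11.1.1 < 11.1.1a)."""
    if group is None:
        return 0
    if group.isdigit():
        return int(group)
    return ord(group.lower()) - ord("a") + 1


def parse(product, version):
    """Parse a version string with the product's own pattern into a comparable tuple."""
    spec = FIXED[product]
    match = re.fullmatch(spec["pattern"], version)
    if not match:
        raise ValueError(f"{version!r} is not a recognised {product} version string")
    return tuple(_token(g) for g in match.groups())


def assess(product, version):
    """Return 'affected', 'fixed' or 'not listed' for one inventory entry.
    'not listed' means the advisory text quoted above says nothing about that branch."""
    spec = FIXED[product]
    installed = parse(product, version)
    n = spec["branch_len"]
    for fixed_build in spec["fixed"]:
        fixed = parse(product, fixed_build)
        if fixed[:n] == installed[:n]:          # same release branch
            return "affected" if installed < fixed else "fixed"
    return "not listed"


# Constructed sample inventory: (hostname, product, installed version). Not real hosts.
INVENTORY = [
    ("vpn-01", "Pulse Connect Secure (CVE-2019-11510)", "8.3R7"),
    ("vpn-02", "Pulse Connect Secure (CVE-2019-11510)", "9.0R3.4"),
    ("adc-01", "Citrix ADC/Gateway (CVE-2020-8193/8195/8196)", "13.0-52.24"),
    ("adc-02", "Citrix ADC/Gateway (CVE-2020-8193/8195/8196)", "12.1-57.18"),
    ("wanop-01", "Citrix SD-WAN WAN-OP (CVE-2020-8193/8195/8196)", "11.1.1"),
    ("vpn-03", "Pulse Connect Secure (CVE-2019-11510)", "9.1R1"),
]


def scan(inventory):
    """Assess every inventory row; returns (host, product, version, status) tuples."""
    return [(host, product, version, assess(product, version))
            for host, product, version in inventory]


if __name__ == "__main__":
    for host, product, version, status in scan(INVENTORY):
        print(f"{host:10} {version:12} {status:10} {product}")
```

Two details matter when you adapt this to a real scanner: the comparison is only meaningful within a release branch, so an installed `9.1R1` is not declared safe just because it sorts above `9.0R3.4`, and a bare `11.1.1` must sort below the `11.1.1a` fix, which a naive string or dotted-integer comparison gets wrong.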