2019 (like so many years before it) has been full of noteworthy CVE releases from both independent researchers and organizations. As we end this year and start a new one, we’re taking a look back at some of the vulnerabilities that made headlines, scared us a little bit, or – at the very least – stirred us to apply the appropriate patches ASAP.
Several versions of Pulse SSL VPN
CVE-2019-11510 is a pre-authentication arbitrary file read vulnerability that, if exploited, could expose sensitive information such as session cookies and VPN client credentials. It could also lead to further compromise of the device. This CVE earned a 10.0 on NIST’s scale and a 9.9 critical rating on MITRE’s.
CVE-2019-11510 made a splash at Black Hat and DEF CON – continuing in the tradition of dropping 0-days in Vegas. Although the presenters withheld exploitation details in their talk, savvy attackers soon began exploiting the vulnerability in the wild.
Patches were made available by Pulse Secure for all vulnerable versions of the software, but if you want to learn about an exploit created by Bishop Fox’s Jon Williams leveraging this CVE, go here.
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023
This CVE affects Telerik UI for ASP.NET AJAX – a UI component toolkit used to build web, mobile, and desktop applications. As Bishop Fox’s Caleb Gross found and described in a blog post, if this CVE is chained with the previously identified CVE-2017-11317, the result is an attack chain that could lead to arbitrary code execution.
Since this severe vulnerability was only recently made public, if you use Telerik UI for ASP.NET AJAX at all, please patch ASAP. You can find that information here.
Many Microsoft OS versions (see affected versions here)
This is one hell of a zero-day. This elevation of privilege vulnerability impacts various Microsoft OS versions, and there was evidence that it was being actively exploited in conjunction with a bug affecting Google Chrome. Exploitation would unfold like this: once an attacker had authenticated to the system, they could run malicious code in kernel mode and take over the user’s system. From there, game on: an attacker could “install programs; view, change, or delete data; or create new accounts with full user rights,” as Microsoft stated in its official advisory.
Microsoft released patches for affected systems as part of its December 2019 Patch Tuesday update.
CVE-2019-14994: Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16:
CVE-2019-15001: Jira Importers Plugin in Atlassian Jira Server and Data Center:
Wow, that was a mouthful, wasn’t it? Let’s start with CVE-2019-14994, which is a URL path traversal that can result in information disclosure. If an attacker exploited this CVE, they could view restricted issues in Jira – potentially exposing information contained in sensitive tickets.
Meanwhile, CVE-2019-15001 is a server-side template injection vulnerability. In the worst case, this CVE could lead to remote code execution.
Given that many agile organizations rely on Jira in their operations (a guest post on the Atlassian website claims more than 18,000 organizations use the software), the exploitation of these bugs would have had disastrous and far-reaching consequences.
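A path traversal like the one described above leaves a recognizable trace in web server access logs: a request that starts under one URL prefix but, once `..` segments and percent-encoding (including double encoding) are resolved, lands somewhere else. The following detection script is an added example and is not from the original post or from Atlassian; the log lines are constructed, and the `/servicedesk/customer/portal` prefix and the `/browse/...` paths are placeholders standing in for a customer portal and a restricted issue view, not the actual vulnerable endpoints.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic). The portal and issue paths
# are placeholders, not the specific endpoints involved in CVE-2019-14994.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Sep/2019:10:01:02 +0000] "GET /servicedesk/customer/portal/1 HTTP/1.1" 200 5120
10.0.0.3 - - [11/Sep/2019:10:01:05 +0000] "GET /browse/SEC-1 HTTP/1.1" 200 7712
10.0.0.9 - - [11/Sep/2019:10:01:07 +0000] "GET /servicedesk/customer/portal/1/../../../browse/SEC-42 HTTP/1.1" 200 8891
10.0.0.9 - - [11/Sep/2019:10:01:09 +0000] "GET /servicedesk/customer/portal/1/..%2F..%2Fbrowse/SEC-43 HTTP/1.1" 200 8902
10.0.0.9 - - [11/Sep/2019:10:01:11 +0000] "GET /servicedesk/customer/portal/1/%252e%252e/%252e%252e/browse/SEC-44 HTTP/1.1" 200 8910
10.0.0.7 - - [11/Sep/2019:10:02:00 +0000] "GET /servicedesk/customer/portal/1/help..more HTTP/1.1" 200 2211
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD path proto", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so that double-encoded sequences such as
    %252e%252e (which decodes to %2e%2e and then to ..) are revealed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_base(path, base):
    """Resolve '.' and '..' segments the way a lenient server would and
    report whether the resulting path lies outside the expected prefix."""
    raw = path.split('?', 1)[0]                  # ignore the query string
    decoded = fully_decode(raw).replace('\\', '/')
    segments = []
    for seg in decoded.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    resolved = '/' + '/'.join(segments)
    return not (resolved == base or resolved.startswith(base + '/'))


def scan_log(text, base='/servicedesk/customer/portal'):
    """Return (client, raw path, status) for requests that begin under the
    base prefix but resolve outside it. Status is kept because a 200 on such
    a request is the signal that restricted content was actually served."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m['path'].split('?', 1)[0]
        if raw.startswith(base) and escapes_base(raw, base):
            hits.append((m['ip'], m['path'], m['status']))
    return hits


if __name__ == '__main__':
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f'{ip} {status} {path}')
```

The `help..more` line is included deliberately: a detection that simply greps for `..` would flag it, whereas resolving segments only fires when a whole segment is `..` and the resolved path actually leaves the prefix. Plain, single-encoded and double-encoded traversals from the same client are all caught.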
Cantemo Portal Version 3.8.4
CVE-2019-7551 is a high-risk cross-site scripting (XSS) bug. XSS repeatedly appears on the OWASP Top 10 list, and with good reason: it’s one of the most frequently encountered application vulnerabilities. In the case of Cantemo Portal Version 3.8.4 (a high-performance media asset management tool), an attacker could leverage the XSS bug to gain administrative access and execute arbitrary code. Cantemo counts major news networks and other media outlets as customers, so you can imagine the repercussions of such a situation.
Bishop Fox’s Chris Davis was responsible for the discovery of the CVE. Bishop Fox worked closely with Cantemo in the responsible disclosure process, and it was abundantly clear they take security very seriously.
All Windows versions
Every version of Windows might be hard to wrap your head around, but these two CVEs impact every single one of them because they affect NTLM, Microsoft’s proprietary authentication protocol. The CVEs consist of three logic flaws: a bypass of the Message Integrity Code (MIC) field, another in SMB session signing, and one in Enhanced Protection for Authentication (EPA). Even patching is not enough to protect users from exploitation of these CVEs; to secure their systems, users need to make configuration changes as well.
While that may sound like extra work, it’s worth it to prevent an attacker from creating backdoors on your network or reading all of your emails.
These critical CVEs earned a place on our list because they involve Siemens SPPA-T3000, a distributed control system used at power plants in many nations, including the United States, Russia, and Germany. So, these CVEs came straight from the screenplay of a major blockbuster. If an attacker wanted to – and had the know-how to do so – they could control a power plant, halt power to populations, wreak chaos, etc. Something of a doomsday scenario. The CVEs include remote code execution, denial of service, and an unrestricted upload bug.
To pull off any of these exploits, an attacker would need access to Siemens’ Application or Automation Highway – which would be difficult for someone outside the organization to obtain. Siemens is currently in the process of remediating the identified bugs (17 in total).