It’s time for yet another edition of the Bishop Fox CVE digest (see our previous installment from January/February here). In case you missed the big news in CVEs from this past month or so, we’ll cover notable happenings and any takeaways for your organization. For starters, attackers are continuing to target unpatched security vulnerabilities in the wild, which only reinforces the importance of timely patching after identifying affected instances in your environment. And what is old has become new again; as you’ll see, most of the below bugs weren’t even discovered this year – some date as far back as 2018. Regardless of the age of these vulnerabilities, the threat is still very relevant and these bugs are under active exploitation today. Finally, all of these vulnerabilities exist – alarmingly – in security products and services, showing that attackers have set their sights on the very enterprise security products we depend on when securing our organizations.
Read on for an overview of the featured CVEs – and how to ensure your organization stays safe from these old-but-new threats.
Found in Trend Micro’s Apex One and Worry-Free Business Security 10.0 SP1 on Windows, this high-risk vulnerability can result in local privilege escalation. Trend Micro updated their August 2020 security advisory this past month to include knowledge of recent exploitation by attackers. The advisory did not go into any significant detail about the attackers weaponizing this bug, but some sources have indicated that this bug is being used by nation-state actors during post-exploitation. This vulnerability only adds to the unfortunate trend of abusing security products, which you’ll see throughout this piece. It harkens back to the famous quote “Quis custodiet ipsos custodes?” or “Who will guard the guards themselves?” from Roman satirist and poet Juvenal. In today’s context, there is a real concern with the integrity of security products that often run with elevated privileges. If an attacker gets the right foothold in one of these products and effectively compromises it, those privileges become theirs, too. To prevent that situation from manifesting, it’s imperative to ensure these products are continuously up to date with security protections.
All of these bugs affect the relatively popular Pulse Connect Secure VPN. The impact of these bugs is so severe that the United States Cybersecurity and Information Security Agency (CISA) was moved to release an official alert regarding them and urging both private and public sector organizations to check their risk level. Let’s start with the most recent – and perhaps most pressing – security issue of the bunch. CVE-2021-22893 is a critical-risk (10.0 rating on the CVSS scale) authentication bypass vulnerability which could be leveraged to perform arbitrary code execution. An official fix isn’t out for this CVE as of this blog post’s publication, but should be in early May. In the meantime, there is an official Pulse-issued tool you can use to determine your vulnerability and temporary workarounds that should help until the patch is available.
But the older Pulse Connect CVEs all have official solutions, which you can read about here, here, and here (TL;DR – ensure, as always, that your software is up to date). CVE-2020-8260 is a high-risk (7.2 CVSS rating) security vulnerability that would allow an attacker to “perform an arbitrary code execution using uncontrolled gzip extraction.” CVE-2020-8243 is another high-risk bug that could enable “an authenticated attacker to upload [a] custom template to perform an arbitrary code execution.” And last but not least, CVE-2019-11510 is a critical-risk pre-authentication arbitrary file read vulnerability that could expose sensitive information upon successful exploitation. (CAST Operator Jon Williams actually wrote about that bug way back when it was newly discovered.)
The third entry in our CVE digest constitutes of various CVEs in the Fortinet operating system, which powers many Fortinet services and products. Like the above Pulse VPN CVEs, these issues earned a CISA joint alert with the FBI. This security triad consists of two critical-risk bugs and one medium-risk bug: CVE-2020-12812 is an improper authentication vulnerability, CVE-2019-5591 is a default configuration vulnerability, and CVE-2018-13379 is a path traversal vulnerability. Similar to the Trend Micro bug, the FBI indicated that these issues are potentially being sought after by APTs, which makes applying the long-overdue patches for remediation so important. The FBI also indicated that unpatched instances of these vulnerabilities could play a role in “future attacks” conducted by APTs.
Finally, CVE-2020-14882 in Oracle WebLogic is a critical vulnerability (9.8 rating) that could lead to remote code execution. This bug made its first wave of news in autumn of 2020 – and reportedly was under active exploitation even at that time. This bug is especially appealing for attackers because it requires no authentication to leverage and is fairly straightforward to exploit. Simply send one malicious HTTP request and you are in control of the targeted server. Although a patch has existed since late last year to mitigate against this CVE, it appears many organizations have yet to actually implement it.
Unfortunately, there is no way that organizations (or individuals even) can prevent these sorts of issues from occurring. Attackers will always be attracted to the lowest-hanging fruit, which in this case is unpatched security vulnerabilities that may have fallen by the wayside for any number of reasons. To constantly stay a step ahead of attackers, it’s a perpetual cat-and-mouse game of looking out for security advisories as they go live, being aware of where your assets are and their patch level, and then chasing down impacted assets to apply and test patches. An accurate and real-time view of your attack surface can help identify where any out-of-date software is running. The more accurate your asset inventory, the more peace of mind for your security team – and your organization as a whole.