The number of vulnerabilities continues to increase so much that the technical teams in charge of the patch management find themselves drowning in a myriad of critical and urgent tasks. Therefore we have taken the time to review the profile of the most critical vulnerabilities & issues that impacted year 2019.
After this frenzy during these attacks’ first weeks , the spirits tend to calm down and decrease in vigilance. And that’s when the smartest go on the attack. Remember the second wave of WannaCry which caught some strayers off guard.
We reviewed the 5 Top 2019 Vulnerabilities as well as the indicators generated by our vulnerability intelligence service in order to provide your organizations with a transverse approach to identify, scan, detect, block, fix and even exploit your resources. These JSON top-notch indicators are aligned with the security standards (CVE, CPE, CWE, CAPEC, ATT&CK) and third-party data-sources to allow your teams a better integration with their existing solutions.
CVE-2019-3396 : Vulnerability in Atlassian Confluence Widget Connector
The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
Target: Atlassian Confluence Widget Connector
Code name: N/A
Weakness Type : CWE-22 (Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) )
Exploitable: Yes.
Wormable: Yes: CVE-2019-3396 leveraged for dropping Gandcrab ransomware
vFeed JSON Indicators (screenshots)
CVE-2019-0708 : Remote Desktop Services Remote Code Execution Vulnerability
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Target: Windows
Code name: BlueKeep
Weakness Type : CWE-20 (Improper Input Validation)
Exploitable: Yes.
Wormable: Yes: Worm spotted leveraging CVE-2019-0708 exploits
vFeed JSON Indicators (screenshots)
CVE-2019-10149 : Exim deliver_message() Remote Command Execution Vulnerability
CVE-2019-10149 is a remote command execution vulnerability introduced in Exim version 4.87 which was released on April 6, 2016. In default configurations, a local attacker is capable of exploiting this vulnerability to execute commands as the “root” user “instantly” by sending mail to a specially crafted mail address on localhost that will be interpreted by the expand_string function within the deliver_message() function.
Target: Exim 4.87 to 4.91
Code name: The Return of the WIZard
Weakness Type : CWE-20 (Improper Input Validation)
Exploitable: Yes.
Wormable: Yes: Malware spotted leveraging actively CVE-2019-10149 PoCs (report)
vFeed JSON Indicators (screenshots)
CVE-2019-15107 : Remote Code Execution Vulnerability in Webmin
On August 17, Webmin version 1.930 was released to address a remote code execution (RCE) vulnerability (CVE-2019-15107) present in Webmin versions 1.882 to 1.921. According to the Virtualmin site, “Webmin is the world’s most popular Linux/UNIX systems management UI, with over three million downloads per year.” These vulnerabilities do have publicly available exploit modules, which puts many virtual UNIX management systems at risk.
Target: Webmin prior to version 1.92
Code name: Roboto
Weakness Type : CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’) )
Exploitable: Yes.
Wormable: Yes: Botnet targets servers vulnerable to CVE-2019-15107 (report backdoors exploited in the wild)
vFeed JSON Indicators (screenshots)
CVE-2019-2725 : De-serialization vulnerability in Oracle WebLogic Server
This CVE-2019-2725 alert addresses, a deserialization vulnerability in Oracle WebLogic Server. The issue is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided as soon as possible.
Target: Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0
Code name: N/A
Weakness Type : CWE-284 (Improper Access Control)
Exploitable: Yes.
Wormable: Yes: ‘Sodinokibi’ Ransomware Exploits Critical Oracle WebLogic Flaw. (Another actively-exploited WebLogic zero-day)
vFeed JSON Indicators (screenshots)