CVE In The Hook – Monthly Vulnerability Review (February 2020 Issue)

Posted on March 9, 2020

Almost for as long as computers have been around, there have been vulnerabilities and individuals willing to exploit them for their gain, and your detriment. These vulnerabilities aren’t decreasing, but actually increasing as the complexity and diversity of our technologies and software systems expand over time.

In many cases, these vulnerabilities are picked up by everyday security-conscious users or task groups specifically set up to identify these types of flaws. When that happens, it’s only a matter of time before they are exploited by hackers – or until exploit code that can be used by anyone becomes freely available.

Staying up to date with the latest discoveries in this regard is key to keeping your systems, and yourself, secure. With that in mind, here are some of the severe vulnerabilities recently uncovered, present in systems many of us use on a daily basis.

In this article, you’ll find all the most crucial information to address these Top Five Severe Security Flaws for the month of February 2020 as well as the indicators generated by our vulnerability intelligence service in order to provide your organizations with a transverse approach to identify, scan, detect, block, fix and even exploit your resources.

These JSON top-notch indicators are aligned with the security standards (CVE, CPE, CWE, CAPEC, ATT&CK) and third-party data-sources to allow your teams a better integration with their existing solutions.

Here is the list of CVEs covered by this CVE In The Hook – February 2020 Issue:

CVE-2020-1938: Apache Tomcat/Apache JServe Protocol trust vulnerability
CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability
CVE-2020-6418: Google Chrome V8 Heap Corruption
CVE-2020-9442: OpenVPN (Windows) Privilege Escalation
CVE-2020-0753: Windows Error Reporting Privilege Escalation

CVE-2020-1938 : Apache Tomcat/Apache JServe Protocol trust vulnerability

Although only recently discovered (24 February 2020), this vulnerability must have been present in Apache Tomcat servers for at least ten years. It occurs when using Apache JServe Protocol (AJP) to accept incoming connections to Apache Tomcat servers.

This vulnerability stems from the fact that Tomcat grants AJP connections a higher level of trust than typical HTTP connections. The exploit lives in the AJP connector. When accepting connections from untrusted sources, this could potentially allow attackers to exploit this vulnerability in a number of ways. For example, retrieving files from the Tomcat server and processing files as a JSP.

In some cases, attackers may even be able to upload files to the server, resulting in remote code execution. However, so far, there hasn’t been any evidence of exploitation in the wild.

Apache has released fixes for this vulnerability. Users can upgrade to Apache Tomcat 9.0.31, 8.5.51, or 7.0.100 or later to patch it.

CVE-2020-1938 – vFeed JSON indicators screenshots

CVE-2020-0688 : Microsoft Exchange Validation Key Remote Code Execution Vulnerability

Present in Microsoft Exchange, this vulnerability actually stems from Microsoft Exchange software failing to handle memory under certain conditions properly. Hence, a Microsoft Exchange Memory Corruption Vulnerability. CVE-2020-0688 is severe enough to warrant a critical 8.8 score from the NVD.

More precisely, the vulnerability is caused when Exchange fails to create keys during installation properly. An attacker with an Exchange mailbox can then pass arbitrary objects to be deserialized by the web application. With system privileges, there is a lot of damage any code passed to the application can do.

It was identified by an anonymous party working with Trend Micro’s Zero Day Initiative. Reported on the 11/26/2019, it has been around for a while.

According to Microsoft, there are no known exploitation in the wild, despite exploit code being available. Microsoft has already released an update that addresses the issue by fixing how Exchange creates keys during install.

CVE-2020-0688 – vFeed JSON indicators screenshots

CVE-2020-6418 : Google Chrome V8 Heap Corruption

This vulnerability occurs in versions prior to the 80.0.3987.122 (64-bit) version of Chrome. Type confusion in this version of the browser software can lead to heap corruption, which is exploitable via a crafted HTML page. The vulnerability occurs in Windows, Mac, and Linux environments running Chrome.

Although there is active exploitation of this vulnerability in the wild, it’s not inherently as severe as other vulnerabilities on this list. Chrome described its vulnerability as ‘high’ while NVD rated it 6.5. Unfortunately, there isn’t much data available on how severe or widespread attacks as a result of this vulnerability have been.

The vulnerability was discovered and reported by Clement Lecigne of Google’s Threat Analysis Group. An update was released on 02/24/2020 to patch the issue that led to the vulnerability. Exploit code is already widely available and has been since before the patch release.

CVE-2020-6418 – vFeed JSON indicators screenshots

CVE-2020-9442 : OpenVPN (Windows) Privilege Escalation

CVE-2020-9442 affects instances of OpenVPN running on Windows machines. As of today, there isn’t any evidence of widespread exploitation in the wild. It’s identified as a high-severity threat by the NVD. One important factor that limits the exploitation of the bug is that an attacker needs to be a local user on the environment in question.

Insecure permissions for the %PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10 folder allows local users – without admin rights – to potentially copy a malicious drvstore.dll file to that location. Whenever the OpenVPN client is installed or updated, the malicious code will be loaded by the tapinstall and the shellcode executed.

Doing so can allow attackers to gain extra privileges, which can lead to other points of attack. This is an example of an exploit code that would enable the user to escalate their privileges.

CVE-2020-9442 – vFeed JSON indicators screenshots

CVE-2020-0753 : Windows Error Reporting Privilege Escalation

This vulnerability exists as a result of WER improperly handling and executing files. This could lead to malicious code being executed. In turn, this can be exploited by an attacker to escalate their privileges, gain sensitive system information, or unlock functionality that they should not have access to.

It’s listed as a high-severity vulnerability in the NVD, but, despite its supposed severity, Microsoft doesn’t regard it as being very likely to be exploited. There aren’t any reports of mass exploitation, and no exploit code is yet openly available.

Although bearing the exact same description, it’s a distinct vulnerability from CVE-2020-0753.

Microsoft has also taken care of patching this vulnerability during the most recent patch Tuesday.

CVE-2020-0753 – vFeed JSON indicators screenshots

In Conclusion

The above is just a short, curated list among hundreds, if not thousands, of active vulnerabilities. In fact, Microsoft alone addressed 99 new vulnerabilities during their latest patch Tuesday. Keeping your system’s up to date is the most effective way to future-proof it as much as possible. The next in line is staying on top of updates like these so that. Doing so means you are taking the appropriate steps to mitigate any threats as soon as possible. You can leverage our vulnerability intelligence service to help speed up the process as well.