CVE In The Hook – Monthly Vulnerability Review (March 2020 Issue)

Posted on April 7, 2020

There is no shortage of potential threats to your digital security. In fact, the number and diversity of attacks, vulnerabilities, and exploits are growing at an increasing pace. From operating systems to client programs to firmware for our network devices – nothing remains untouched for long.

Luckily, the digital security field consists of an active and dedicated community, as well as government organizations, to bring possible threats to light, document them, and provide affected users with solutions and safeguards.

The most critical thing for us as individuals is to stay in the loop on the latest news. And then respond ASAP according to our level of exposure and potential for loss.

In this article, you’ll find all the most crucial information to address these Top Five Severe Security Flaws for the month of March 2020 as well as the indicators generated by our vulnerability intelligence service in order to provide your organizations with a transverse approach to identify, scan, detect, block, fix and even exploit your resources.

These JSON top-notch indicators are aligned with the security standards (CVE, CPE, CWE, CAPEC, ATT&CK) and third-party data-sources to allow your teams a better integration with their existing solutions.

Here is the list of CVEs covered by this CVE In The Hook – March 2020 Issue:

CVE-2020-0796 : Microsoft Server Message Block Remote Code Execution Vulnerability
CVE-2020-7961 : Liferay Portal 7.2.0 Remote Code Execution using JSONWS
CVE-2020-0729 : Microsoft Windows LNK Remote Code Execution Vulnerability
CVE-2020-3119 : Cisco Discover Protocol Arbitrary Code Execution
CVE-2020-7982 : OpenWrt and LEDE Man-in-the-middle arbitrary code execution

CVE-2020-0796 – Microsoft Server Message Block Remote Code Execution Vulnerability

This is an extremely severe vulnerability existing within Microsoft MSB (SMBv3), potentially impacting anyone with the Windows 10 operating system. Its severity is rated as a critical 10.0 by the NIST. The vulnerability can be exploited against either a client or a server.

An attacker can exploit the vulnerability by sending a packet to the server with a bad offset field in the transformation header that will cause the decompressor buffer to overflow and crash the server. To exploit a client, the attack will only need to mimic a server and convince the client to connect to it.

Microsoft acknowledged this vulnerability on 12 March 2020 as a threat to both current and older software versions, before any known exploitation has taken place. The next day (13 March), Microsoft released updates with vulnerability patches as well as workarounds for users. Since 15 March, remote code execution exploits have been available.

CVE-2020-0796 – vFeed Vulnerability JSON IoC (screens)

CVE-2020-7961 – Liferay Portal 7.2.0 Remote Code Execution using JSONWS

This vulnerability was found to exist in the Java development platform Liferay Portal version 7.2.0 and earlier. It was discovered on 25 November 2019 and is known to Liferay. The vulnerability occurs via the way in which Liferay Portals deserializes untrusted data. Attackers might be able to gain remote code execution using JSON web services (JSONWS).

Although the NIST is giving it a critical base score of 9.8, others don’t view it as seriously. Still, Liferay Portal users can suffer severe consequences if they are successfully attacked. Luckily, there doesn’t seem to be any mass exploitation in the wild.

A workaround provided by Liferay themselves is to JSONWS on their portals. However, the recommended solution is to upgrade from 7.2.0 to Liferay Portal 7.2 CE GA2. Via the same advisory above, users can also find patches for older versions on GitHub.

CVE-2020-7961 – vFeed Vulnerability JSON IoC (screens)

CVE-2020-0729 – Microsoft Windows LNK Remote Code Execution Vulnerability

Security researcher Shih-Fong Peng discovered this vulnerability, and Microsoft publicly disclosed it on 2 November 2019. According to Microsoft’s assessment, there hasn’t been any exploitation in the wild at that time, and it isn’t as likely to be exploited. Microsoft only recently released a fix for this vulnerability with its latest patch Tuesday in February 2020.

The vulnerability can be exploited using a malicious.LNK file. One use of.LNK files on Windows systems is to create shortcuts as well as containing saved searches. When Windows processes the file, it could give the attacker the same privileges to execute code as the device user. That means that this vulnerability could be extra severe for admin-level users as those with fewer privileges.

An exploit could reach the target device via a removable device, a remote share, or via any other form of file transfer.

CVE-2020-0729 – vFeed Vulnerability JSON IoC (screens)

CVE-2020-3119 – Cisco Discover Protocol Arbitrary Code Execution

Security company Armis, Inc. discovered this vulnerability in Cisco Discovery Protocol implementations for Cisco NX-OS Software. Nexus 3000 and 9000 switches are susceptible to this exploitation from this vulnerability. It stems from the Cisco Discovery Protocol parser not properly validating certain fields in a Cisco Discovery Protocol message.

An attacker can use this flaw to cause a stack overflow using a malicious packet sent via a CDP message. A successful attempt stack overflow will allow the attacker to execute arbitrary code with administrative privileges.

The severity of this vulnerability is only tempered by the fact that the attacker needs to be within the same broadcast domain as the target device. This vulnerability has been known since 5 February 2020 and has been addressed by Cisco in an advisory. There are no workarounds for the vulnerability, but a patch has been released since.

Possible exploitations are known for this vulnerability, although there isn’t any evidence of it yet.

CVE-2020-3119 – vFeed Vulnerability JSON IoC (screens)

CVE-2020-7982 – OpenWrt and LEDE Man-in-the-middle arbitrary code executio

OpenWrt is an open-source operating system powering a range of home routers and other embedded devices. The vulnerability derives from using unencrypted HTTPS connections to

deliver update packages as well as failure to correctly verify these packages. That is a result of a bug in the package manager preventing correct parsing of embedded checksums in the signed repository index.

This vulnerability makes it simple for a man-in-the-middle attacker to deliver a malicious package as if it’s an authorized update. This package will be installed without verification and could contain a backdoor or other malicious code from the attacker. However, actual exploitation is limited because the man-in-the-middle attacker needs to be part of the network or will have to tamper with the DNS settings that the software uses to find updates.

OpenWrt versions 18.06.0 to 18.06.6 and 19.07.0 as well as LEDE 17.01.0 to 17.01.7 are susceptible to this type of attack. Proof of concept code has been provided by security researcher, Guido Vranken, who found the vulnerability.

CVE-2020-7982 – vFeed Vulnerability JSON IoC (screens)

In Conclusion

In most cases, securing your device and protecting yourself from attack is as easy as downloading the update containing a patch for the indicated vulnerability. With exploit code freely available for potential attackers to use, it’s vital to do so as soon as possible.

In the future, keeping an eye on the advisories and updates from your product providers could be the difference between you being a statistic or escaping the possibility of being taken advantage of. You can leverage our vulnerability intelligence service to help speed up the process as well.