Please see Security Advisories for the week ending September 18, 2020
Please note CRITICAL advisories below:
- Exploit for Netlogon Remote Protocol Vulnerability, Zerologon (CVE-2020-1472)
- Samba Releases Security Update for CVE-2020-1472 (ZeroLogon)
- Drupal Releases Security Updates for Multiple Products
- Adobe Releases Security Update for Adobe Media Encoder
- Iran-Based Threat Actor Exploits VPN Vulnerabilities
________________________________
Exploit for Netlogon Remote Protocol Vulnerability, Zerologon (CVE-2020-1472)
Situation
Microsoft patched a severe bug, named Zerologon (CVE-2020-1472), in its August 2020 security update. It is an elevation-of-privilege vulnerability in the Netlogon Remote Protocol. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory because publicly available exploit code for Zerologon has since appeared.
Problem
Zerologon (CVE-2020-1472) is an elevation-of-privilege vulnerability caused by a flaw in the cryptographic authentication scheme used by the Netlogon Remote Protocol: the AES-CFB8 credential computation uses a fixed all-zero IV, so an all-zero client challenge yields an all-zero credential for roughly 1 in 256 session keys, and the attacker only needs to retry until one is accepted. This lets an attacker impersonate any computer, including the domain controller itself, and execute remote procedure calls on its behalf.
Implication
If this vulnerability is successfully exploited an unauthenticated attacker can:
- Impersonate the identity of any computer on a network when trying to authenticate against the domain controller
- Disable security features in the Netlogon authentication process
- Change a computer’s password on the domain controller’s Active Directory
An attacker could effectively use this vulnerability to take over an organization’s network.
Need
Microsoft strongly recommends installing the August 2020 security update on all domain controllers as soon as possible. The August update is the first of two phases; after it is applied, domain controllers log event IDs 5827 and 5828 for machine and trust accounts that are denied vulnerable Netlogon secure channel connections, and 5829 for connections that are still allowed during the initial phase. Review those events to find devices that must be fixed before Microsoft's enforcement phase.
For a brief overview:
For a more detailed overview:
https://www.secura.com/pathtoimg.php?id=2055
________________________________
Samba Releases Security Update for CVE-2020-1472 (ZeroLogon)
Situation
The Samba team has released a security update to address a critical vulnerability (CVE-2020-1472 or ZeroLogon) found in multiple versions of Samba.
Problem
The Netlogon protocol contains a flaw that allows an authentication bypass. It was reported and patched by Microsoft as CVE-2020-1472 (ZeroLogon). Because the bug is a protocol-level flaw and Samba implements the protocol, Samba is also vulnerable when it acts as a domain controller.
Implication
If the ZeroLogon vulnerability is successfully exploited, an unauthenticated attacker can impersonate a domain-joined computer, including a domain controller, and possibly obtain domain administrator privileges.
Need
The Samba team strongly recommends updating Samba to the most recent version to protect against this vulnerability. Since Samba 4.8 the default setting is "server schannel = yes", which already prevents the attack; installations running older versions, or with "server schannel" set to "no" or "auto", are vulnerable and should set it to "yes" as well as patching. For additional information, workarounds, and updated versions please visit the links below.
Additional information and workarounds:
https://www.samba.org/samba/security/CVE-2020-1472.html
Patch information:
https://www.samba.org/samba/history/security.html
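The Go program below is an added example for both the Microsoft and Samba entries above; it is not code from either advisory or from either project. It reimplements the Netlogon credential computation (AES-128 in 8-bit cipher feedback mode over the 8-byte challenge, with the protocol's fixed all-zero IV) and shows why an all-zero client challenge is accepted for about 1 in 256 session keys: the first keystream byte is the first byte of AES(session key, 0^16), and when that byte is zero the shift register never changes, so every credential byte is zero. The function names, the SHA-256 key-derivation loop used to find a vulnerable key deterministically, and the NIST SP 800-38A CFB8 self-check vector are this example's own choices, not part of the advisories.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// aesCFB8 implements AES in 8-bit cipher feedback mode, the mode that
// Netlogon's ComputeNetlogonCredential uses when AES is negotiated.
func aesCFB8(key, iv, src []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	shift := make([]byte, block.BlockSize()) // the feedback shift register
	copy(shift, iv)
	ks := make([]byte, block.BlockSize())
	out := make([]byte, len(src))
	for i, p := range src {
		block.Encrypt(ks, shift)     // keystream byte = first byte of E_k(shift register)
		out[i] = ks[0] ^ p           // one ciphertext byte per step
		copy(shift, shift[1:])       // shift the register left by one byte...
		shift[len(shift)-1] = out[i] // ...and feed the ciphertext byte back in
	}
	return out, nil
}

// computeNetlogonCredential reproduces the flawed step of the protocol:
// the IV is a fixed block of zeros instead of a random value.
func computeNetlogonCredential(sessionKey, challenge []byte) ([]byte, error) {
	zeroIV := make([]byte, 16)
	return aesCFB8(sessionKey, zeroIV, challenge)
}

// zerologonSucceeds reports whether a client challenge of eight zero bytes
// produces a credential of eight zero bytes for this session key, which is
// exactly the guess the attacker sends and the server then accepts.
func zerologonSucceeds(sessionKey []byte) bool {
	cred, err := computeNetlogonCredential(sessionKey, make([]byte, 8))
	return err == nil && bytes.Equal(cred, make([]byte, 8))
}

// firstKeystreamByteIsZero is the underlying reason: with a zero IV and zero
// plaintext, ciphertext byte 0 is E_k(0^16)[0]; if that is 0 the register
// stays all-zero and every later byte is 0 as well.
func firstKeystreamByteIsZero(sessionKey []byte) bool {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return false
	}
	var zero, out [16]byte
	block.Encrypt(out[:], zero[:])
	return out[0] == 0
}

// deriveKey produces a deterministic 16-byte "session key" from a counter
// (an example-only stand-in for the real key derived from the machine password).
func deriveKey(i int) []byte {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], uint64(i))
	sum := sha256.Sum256(ctr[:])
	return sum[:16]
}

// findVulnerableKey walks derived keys until one accepts the zero challenge,
// returning the key and the number of attempts (expected to be around 256).
func findVulnerableKey(maxTries int) ([]byte, int) {
	for i := 1; i <= maxTries; i++ {
		if key := deriveKey(i); zerologonSucceeds(key) {
			return key, i
		}
	}
	return nil, maxTries
}

func main() {
	key, tries := findVulnerableKey(100000)
	cred, _ := computeNetlogonCredential(key, make([]byte, 8))
	fmt.Printf("vulnerable session key %s found after %d attempts\n", hex.EncodeToString(key), tries)
	fmt.Printf("credential for zero challenge: %s\n", hex.EncodeToString(cred))
	hits := 0
	for i := 1; i <= 25600; i++ {
		if zerologonSucceeds(deriveKey(i)) {
			hits++
		}
	}
	fmt.Printf("%d of 25600 keys accept the zero challenge (expected about 100)\n", hits)
}
```

The attacker does not know the session key; the point is that each spoofed NetrServerAuthenticate3 attempt succeeds with probability about 1/256 regardless of the key, so a few hundred attempts against an unpatched domain controller are enough. The patch (and Samba's "server schannel = yes") makes the server refuse the unsigned, unsealed channel the attack relies on rather than changing the cipher.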
________________________________
Drupal Releases Security Updates for Multiple Products
Situation
Drupal has released 5 new security advisories for its Drupal 7, 8.8, 8.9, and 9.0 platforms. Remote attackers could use the flaws to compromise and take over unpatched systems through cross-site scripting or by tricking administrators into performing privileged actions.
Problem
Drupal has found and released patches for its Drupal 7, 8.8, 8.9, and 9.0 platforms. Five vulnerabilities were listed: remote attackers could compromise and take over unpatched systems through cross-site scripting, exploit a missing permission check when switching workspaces, or abuse the File module to read the metadata of a permanent private file.
Implication
Unpatched systems are exposed to all 5 issues, which leave them open to remote attack and possible full takeover.
Need
Drupal recommends updating to the latest release. Drupal 8 versions prior to 8.8.x are end of life and no longer receive security coverage, so sites on those versions must move to a supported branch.
If you are using Drupal 7, upgrade to the latest 7.x release.
If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2020/09/17/drupal-releases-security-updates
________________________________
Adobe Releases Security Update for Adobe Media Encoder
Situation
Adobe has released a security update to address vulnerabilities in their Adobe Media Encoder software.
Problem
This update resolves out-of-bounds read vulnerabilities, rated Important, that could lead to information disclosure in the context of the current user.
Implication
If an attacker is able to successfully exploit this vulnerability, they could obtain sensitive information on the affected system.
Need
Adobe recommends updating Adobe Media Encoder to version 14.4 or later to protect against these vulnerabilities. Additional information about the update can be found in the link below.
For a more detailed overview:
https://helpx.adobe.com/security/products/media-encoder/apsb20-57.html
________________________________
Iran-Based Threat Actor Exploits VPN Vulnerabilities
Situation
CISA and the FBI have observed an Iran-based threat actor, tracked as Pioneer Kitten and UNC757, targeting US government and private-sector networks. The actor mainly exploits known vulnerabilities in Pulse Secure VPN, Citrix NetScaler/ADC, and F5 BIG-IP appliances.
Problem
The threat actors install web shells to maintain access and have been seen exfiltrating data and selling access to compromised networks.
First, they gain initial access using a publicly available exploit for CVE-2019-19781. Next, they execute scripts to maintain persistence. From there, they escalate privileges on the compromised NetScaler appliance, begin exfiltrating data, and move laterally into the internal network.
Implication
CISA and the FBI assess that the threat actors' goal is to exfiltrate as much data as possible and to deploy ransomware on compromised networks.
Need
Patch Citrix CVE-2019-19781 as soon as possible, since it is the entry point of these attacks. In addition, patch the other vulnerabilities this actor is seen to exploit: CVE-2019-11510 and CVE-2019-11539 (Pulse Secure VPN) and CVE-2020-5902 (F5 BIG-IP). Because the actor leaves web shells behind, patching alone is not enough on an appliance that was already exposed; review its web logs for exploitation attempts and check for unexpected files before trusting it again.
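The Go program below is an added example, not part of the CISA/FBI alert or any vendor tooling. It scans web-access log lines from a Citrix appliance for the request pattern that CVE-2019-19781 exploitation uses: reaching the authenticated /vpns/ tree through a /vpn/../ directory traversal, the same two conditions Citrix's published responder-policy mitigation checks. The log lines, the client addresses, the log format (Apache combined) and the function names are constructed for the example; a real deployment would point scanLog at the appliance's httpaccess log. Percent-encoded traversal is decoded before matching so that /vpn/%2e%2e/vpns/ is not missed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Verdict classifies one request.
type Verdict int

const (
	Benign     Verdict = iota
	VpnsAccess         // /vpns/ reached without traversal: compare against VPN session logs
	Traversal          // /vpns/ reached via /../ : matches CVE-2019-19781 exploitation
)

func (v Verdict) String() string {
	return [...]string{"benign", "vpns-access", "traversal"}[v]
}

// Hit is one flagged log line.
type Hit struct {
	Line    int
	Client  string
	Method  string
	Path    string
	Verdict Verdict
}

// requestLine pulls method and path out of an Apache combined-format line.
var requestLine = regexp.MustCompile(`"([A-Z]+) (\S+) HTTP/[\d.]+"`)

// classifyPath applies the two checks from Citrix's mitigation policy to a
// URL-decoded, case-folded request path.
func classifyPath(rawPath string) Verdict {
	p, err := url.PathUnescape(rawPath) // catch %2e%2e and friends
	if err != nil {
		p = rawPath // malformed escapes: match on the raw text instead
	}
	p = strings.ToLower(p)
	hasVpns := strings.Contains(p, "/vpns/")
	hasDotDot := strings.Contains(p, "/../")
	switch {
	case hasVpns && hasDotDot:
		return Traversal
	case hasVpns:
		return VpnsAccess
	}
	return Benign
}

// scanLog returns every line whose request path is not benign. Lines that do
// not contain a parseable request are skipped rather than flagged.
func scanLog(lines []string) []Hit {
	var hits []Hit
	for i, line := range lines {
		m := requestLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		v := classifyPath(m[2])
		if v == Benign {
			continue
		}
		client := strings.SplitN(line, " ", 2)[0]
		hits = append(hits, Hit{Line: i + 1, Client: client, Method: m[1], Path: m[2], Verdict: v})
	}
	return hits
}

// sampleLog is constructed for this example; it is not a real capture.
var sampleLog = []string{
	`203.0.113.5 - - [10/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1450 "-" "curl/7.58.0"`,
	`203.0.113.5 - - [10/Jan/2020:03:14:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "curl/7.58.0"`,
	`198.51.100.20 - - [10/Jan/2020:03:15:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 8120 "-" "Mozilla/5.0"`,
	`203.0.113.5 - - [10/Jan/2020:03:16:30 +0000] "GET /vpn/%2E%2E/vpns/cfg/smb.conf HTTP/1.1" 200 1450 "-" "python-requests/2.22"`,
	`198.51.100.20 - - [10/Jan/2020:03:20:11 +0000] "GET /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
}

func main() {
	for _, h := range scanLog(sampleLog) {
		fmt.Printf("line %d %-11s %s %s %s\n", h.Line, h.Verdict, h.Client, h.Method, h.Path)
	}
}
```

The scanner only sees the request line, so it cannot judge whether a plain /vpns/ request came from a valid VPN session; treat VpnsAccess hits as leads to correlate with session logs, and Traversal hits as exploitation attempts to investigate regardless of the response code.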
For a more detailed overview: