Microsoft Exchange Critical Vulnerability Alert – CVE-2022-41040/CVE-2022-41082

CVE-2022-41040

CVE-2022-41082

Discovered: 9/30/2022

Impacted Tech: Microsoft Exchange Server 2013, 2016, 2019

Attacker Location: Internal

Highlights:

After limited exploitation was identified, Microsoft issued a statement confirming two zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019.

According to Microsoft, authenticated access to the vulnerable Exchange server is required for an attacker to successfully exploit either vulnerability.

CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, in which an attacker abuses the way a web application imports or reads data from URLs in order to access or modify potentially sensitive data. Exploiting it would allow an authenticated attacker to remotely trigger CVE-2022-41082, a Remote Code Execution (RCE) vulnerability.

Mitigation:

The mitigation script released by Microsoft on 10/4/2022 was updated after a bypass of the original mitigation was found. If you ran this script before October 4th, 2022, please re-download and re-run it to apply the updated mitigation.

For customers with the Exchange Emergency Mitigation Service (EEMS) enabled, Microsoft released the URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019. The mitigation is enabled automatically and has been updated to include the improved URL Rewrite rule.

For those without EEMS enabled, Microsoft released the “Exchange On-premises Mitigation Tool v2 (EOMTv2)” script, which mitigates CVE-2022-41040 and thereby reduces the risk of both vulnerabilities.

This script checks for the latest version of itself, downloads it, and applies the mitigation via a URL Rewrite configuration.

A download link for this script, along with additional instructions on how to mitigate the attacks manually, is provided on the page linked in the references below.

Additionally, Microsoft recommends that customers disable remote PowerShell access for non-admin users in their organization.

References:

Microsoft confirms new Exchange zero-days are used in attacks (bleepingcomputer.com)

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server – Microsoft Security Response Center

EOMTv2 – Microsoft – CSS-Exchange – Mitigation Script

Privilege Escalation Vulnerability in Windows Common Log File System (CLFS) Driver

CVE-2022-37969

Discovered: September 13th, 2022

Impacted Tech:

Windows Common Log File System (CLFS)

Attacker Location: Local

Highlights:

An actively exploited vulnerability in the Windows Common Log File System (CLFS) driver allows attackers to obtain SYSTEM privileges, the highest level of access on a Windows host.

Exploit code has been made publicly available; however, to use it an attacker must already have access to a compromised device or the ability to run code on the target system.

Remediation:

Microsoft released fixes for this vulnerability as part of its regularly scheduled monthly security release (“Patch Tuesday”) in September 2022.

References:

Microsoft Security Response Center – 37969

Follina – Exploitation of Windows Support Diagnostic Tool – CVE-2022-30190

CVE-2022-30190

Discovered: 5/30/2022

Impacted Tech: 

Microsoft Support Diagnostic Tool (MSDT) 

Attacker Location: Local

Highlights:

A vulnerability in the Microsoft Support Diagnostic Tool (MSDT) allows attackers to execute code remotely on Windows systems. The vulnerability is triggered when MSDT is invoked via its URL protocol (ms-msdt) from a calling application such as Word.

Attackers who successfully exploit this vulnerability can run arbitrary code with the privileges of the calling application, and can then install programs; view, change, or delete data; or create new accounts, within the limits of the user’s rights.

Remediation:

Microsoft has released an official workaround. Administrators and users should disable the MSDT URL protocol by:

  1. Run Command Prompt as Administrator.
  2. Back up the registry key by executing reg export HKEY_CLASSES_ROOT\ms-msdt filename (where filename is the backup file to create).
  3. Delete the key by executing reg delete HKEY_CLASSES_ROOT\ms-msdt /f

To undo the workaround:

  1. Run Command Prompt as Administrator.
  2. Restore the registry key by executing reg import filename (the backup file created above).

Read more about the vulnerability via the Microsoft Security Response Center link below.

References:

Microsoft Security Response Center

PwnKit – Linux RCE – CVE-2021-4034

PwnKit – Linux system service bug that gives root on all major distros, exploit released.

CVE-2021-4034

Discovered: 1/28/2022

Impacted Tech: All major Linux distributions

Attacker Location: Internal

Highlights:

An exploit for a vulnerability in Polkit’s pkexec component gives any unprivileged local user root access on any system running Polkit in its default configuration, which is the case on all major Linux distributions.

Following disclosure of this vulnerability, a working exploit was quickly released to the public.

Remediation:

The Polkit maintainers released a patch on their GitLab and urged administrators to install the necessary updates to protect their networks. Linux distributions such as Ubuntu and Red Hat have also released updates addressing the vulnerability.

There is a temporary mitigation for those who have not yet updated affected systems.

The following command removes the setuid bit from pkexec, stripping the privileges the exploit relies on:

chmod 0755 /usr/bin/pkexec

To check for signs of this exploit in your environment, search the system logs for either of the following entries written by pkexec:

“The value for the SHELL variable was not found the /etc/shells file”
or
“The value for environment variable […] contains suspicious content.”
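The log check and the setuid check above, combined into one script. This is an added example, not code from the advisory or from the Polkit project; the log lines it scans are constructed samples in syslog format, and the pkexec path is a parameter so the check can be pointed elsewhere.

```python
import os
import re
import stat
from typing import List, Optional

# The two messages pkexec logs when it rejects a tampered environment; the
# second carries the offending variable name where the advisory shows [...]
PKEXEC_INDICATORS = [
    re.compile(r"The value for the SHELL variable was not found the /etc/shells file"),
    re.compile(r"The value for environment variable \S+ contains suspicious content"),
]


def scan_pkexec_log(lines: List[str]) -> List[str]:
    """Return every log line that matches one of the pkexec indicators."""
    return [ln for ln in lines if any(p.search(ln) for p in PKEXEC_INDICATORS)]


def pkexec_is_setuid(path: str = "/usr/bin/pkexec") -> Optional[bool]:
    """True if the binary still carries the setuid bit (chmod 0755 not applied),
    False if the bit has been stripped, None if the binary is not present."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return None
    return bool(mode & stat.S_ISUID)


# Constructed sample log lines (not real captures) in the format pkexec uses
SAMPLE_LOG = [
    "Jan 28 10:01:02 host pkexec[1234]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/bin/true]",
    "Jan 28 10:01:03 host sshd[900]: Accepted publickey for alice from 10.0.0.5 port 50022",
    "Jan 28 10:02:15 host pkexec[1240]: alice: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/bin/true]",
]

if __name__ == "__main__":
    for hit in scan_pkexec_log(SAMPLE_LOG):
        print("possible PwnKit attempt:", hit)
    print("pkexec still setuid:", pkexec_is_setuid())
```

On a real host, feed it the output of `journalctl` or the contents of auth.log and confirm `pkexec_is_setuid()` returns False once the chmod above has been applied.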

References:

Gitlab – Polkit Update

Qualys Security Advisory

Log4j Remote Code Execution – CVE-2021-44228

CVE-2021-44228 

Discovered: December 10th, 2021

Impacted Tech:

Apache Log4j 2 versions 2.0 to 2.14.1

Apache Struts

Attacker Location

External

Highlights

Log4j 2 is an open source Java logging library developed and maintained by Apache. 

A recently discovered zero-day vulnerability gives an attacker the ability to achieve remote code execution by supplying malicious data that ends up in a log written by an application using the Log4j library.

This vulnerability can be reliably exploited and does not require authentication.

This vulnerability has been rated critical, and anyone running an application that uses the Log4j library should update to the latest version immediately.

If updating to version 2.15.0 is not possible, this vulnerability can be mitigated by setting the following property to “true” when starting the Java virtual machine:

log4j2.formatMsgNoLookups = true
(-Dlog4j2.formatMsgNoLookups=true in JVM command line)

References:

NVD – CVE-2021-44228 (nist.gov)

Log4j – Apache Log4j Security Vulnerabilities

CVE-2021-44228 – Log4j 2 Vulnerability Analysis – Randori Attack Team

Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec

FORCEDENTRY: Apple Device Vulnerability

CVE-2021-30858 and CVE-2021-30860

Discovered: September 13th, 2021

Impacted Tech: Apple products running the following software: 

macOS Big Sur 

macOS Catalina 

watchOS

iOS

iPadOS

Safari

Attacker Location: External

Highlights: 

These vulnerabilities have been given scores of 8.8 out of 10 and 7.8 out of 10, both rated HIGH by the National Institute of Standards and Technology (NIST).

According to Citizen Lab, the organization that discovered this exploit, this zero-day, zero-click exploit targeting iMessage was found while analyzing a phone used by a Saudi activist that had been infected with NSO Group’s Pegasus spyware.

Citizen Lab reports that attackers were able to use this exploit, which it has named FORCEDENTRY, to gain control of any device running earlier versions of the software listed above through a maliciously crafted PDF sent via iMessage.

The exploit takes advantage of an integer overflow vulnerability in Apple’s image rendering library, CoreGraphics. Apple has released several security updates to patch the FORCEDENTRY vulnerability, which are listed in the “References” section of this report.

It is believed that NSO Group, an Israeli cybersecurity company, discovered this vulnerability and used it to infect Apple devices with the Pegasus spyware. The spyware was sold to numerous governments, which used it to spy on the phones of political activists, journalists, and business people. The spyware has been discovered on 37 phones so far.

What should I do?

Anyone who uses an iPhone or iPad should update their device’s OS version to iOS 14.8 and iPadOS 14.8. 

Mac users should update their devices to Catalina 2021-005, or macOS Big Sur 11.6. 

Apple Watch users should update to watchOS 7.6.2.

The vulnerability targeting the Safari browser has also been patched in the recent Safari 14.1.2 update.

All versions of this software prior to those listed above are vulnerable to the FORCEDENTRY exploit, so it is extremely important to install the latest updates as soon as possible.

References:

FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild – The Citizen Lab

Apple patches “FORCEDENTRY” zero-day exploited by Pegasus spyware | Ars Technica

NVD – CVE-2021-30858 (nist.gov)

NVD – CVE-2021-30860 (nist.gov)

Zyxel Firewall Vulnerability

CVE-2020-29583

Discovered: Published on December 23, 2020

Impacted Tech: Zyxel VPN gateways, access point controllers, and firewalls

Attacker Location: External

Highlights: No public exploits are available; however, the SANS Institute has observed a large spike in scanning activity for Zyxel products.

The CVSS score is 7.8 out of 10 which is considered a “high” severity flaw.

What should I do?

Zyxel advises all customers to update their products to the latest firmware version immediately.

References:

  1. https://www.bankinfosecurity.com/researchers-warn-attackers-are-scanning-for-zyxel-products-a-15723
  2. https://isc.sans.edu/ssh_usernames.html?username=zyfwp
  3. https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
  4. https://www.zyxel.com/support/CVE-2020-29583.shtml

SolarWinds Orion Supply Chain Attack

If you use the SolarWinds Orion product, stop what you’re doing and read this

Emergency Directive 21-01

Discovered: SolarWinds acknowledged the hack on December 13th

Impacted Tech: SolarWinds Orion

Attacker Location: Internal

Highlights: This was virtually impossible to defend against due to the supply chain compromise and the installation of a backdoor via trojanized updates.

It has been largely attributed to Russia’s Foreign Intelligence Service (SVR), also known as APT29 or Cozy Bear [1].

The SEC filing stated that no more than 18,000 customers had a version of Orion with the backdoor installed [2] [3]. Some of the largest targets reported so far are the U.S. Department of the Treasury, U.S. Department of Commerce, U.S. Department of Homeland Security, U.S. Cybersecurity and Infrastructure Security Agency, U.S. Department of State, and the cybersecurity company FireEye [4]. This campaign may have started as early as spring 2020 [5].

The attackers evaded detection by disguising their traffic as the Orion Improvement Program protocol and storing their data inside legitimate plugin files so as not to arouse the suspicion of network defenders. Anti-virus never had a chance to detect the malicious code, because it used blocklists to prevent anti-virus tools from running in the first place [6].

According to security researcher Vinoth Kumar, the password to SolarWinds’ update server in 2019 was allegedly “solarwinds123”. He reportedly alerted the company to this issue at the time [7].

This is currently being actively exploited in the wild [8].

What should I do?

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01 to mitigate the threat. Agencies with the capability are to forensically image the system memory and/or host operating systems of all instances of SolarWinds Orion and analyze their network traffic for the indicators of compromise. After that, all affected agencies are instructed to disconnect or power down SolarWinds Orion products, block all traffic to and from hosts where any version of SolarWinds Orion software has been installed, and identify and remove all threat actor-controlled accounts and identified persistence mechanisms [8].

According to SolarWinds’ Security Advisory, customers should upgrade from Orion Platform v2020.2 or 2020.2 HF 1 to the current version, Orion Platform 2020.2.1 HF 2, immediately if they use any of the following products [9]:

Application Centric Monitor (ACM)

Database Performance Analyzer Integration Module* (DPAIM*)

Enterprise Operations Console (EOC)

High Availability (HA)

IP Address Manager (IPAM)

Log Analyzer (LA)

Network Automation Manager (NAM)

Network Configuration Manager (NCM)

Network Operations Manager (NOM)

Network Performance Monitor (NPM)

NetFlow Traffic Analyzer (NTA)

Server & Application Monitor (SAM)

Server Configuration Monitor (SCM)

Storage Resource Monitor (SRM)

User Device Tracker (UDT)

Virtualization Manager (VMAN)

VoIP & Network Quality Manager (VNQM)

Web Performance Monitor (WPM)

References:

[1] https://www.crowdstrike.com/blog/who-is-cozy-bear/

[2] SEC Filing Reveals Number of Customers Impacted: https://www.zdnet.com/article/sec-filings-solarwinds-says-18000-customers-are-impacted-by-recent-hack/

[3] SEC Filing: https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm

[4] Governmental Agencies and Companies affected: https://www.zdnet.com/article/solarwinds-said-no-other-products-were-compromised-in-recent-hack/

[5] FireEye Threat Research: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[6] CISA Active Exploitation Alert: https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software

[7] ‘Hackers used SolarWinds’ dominance against it in sprawling spy campaign’ by Reuters: https://www.reuters.com/article/global-cyber-solarwinds/hackers-at-center-of-sprawling-spy-campaign-turned-solarwinds-dominance-against-it-idUSKBN28P2N8

[8] CISA Emergency Directive: https://cyber.dhs.gov/ed/21-01/

[9] SolarWinds Security Advisory: https://www.solarwinds.com/securityadvisory

More reading:

‘Microsoft quarantining malicious Orion application binaries in quarantine’ by ZDNet: https://www.zdnet.com/article/microsoft-to-quarantine-solarwinds-apps-linked-to-recent-hack-starting-tomorrow/

FireEye Countermeasures: https://github.com/fireeye/sunburst_countermeasures

‘FireEye Discovered SolarWinds Breach While Probing Own Hack’ by Bloomberg: https://www.bloomberg.com/news/articles/2020-12-15/fireeye-stumbled-across-solarwinds-breach-while-probing-own-hack

Kerberos Bronze Bit Attack

CVE-2020-17049

Discovered: Published on December 8 along with the first phase of patching

Impacted Tech: Kerberos Key Distribution Center running on Windows 2000 or later

Attacker Location: Internal

Highlights: Public exploits available

A security feature bypass vulnerability exists in the Kerberos Key Distribution Center (KDC) that allows attackers to escalate privileges, impersonate users, and/or move laterally within the target network.

What should I do?

Microsoft released a guide describing the phased approach it is taking to fix this vulnerability. The first phase is included in the December 8th set of patches, and Microsoft has also published guidance and workarounds for those who cannot patch immediately.

The researcher who discovered the vulnerability, Jake Karnes of NetSPI, published two excellent breakdowns of it, which are linked below.

References:

Low-Level Overview: https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-theory/
High-Level Overview: https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-overview/
Microsoft Patching Help: https://support.microsoft.com/en-us/help/4598347/managing-deployment-of-kerberos-s4u-changes-for-cve-2020-17049

Bad Neighbor – CVE-2020-16898

CVE-2020-16898

Discovered: Proof-of-Concept released & vulnerability patched by Microsoft on October 13

Impacted Tech: Windows IPv6 stack | Windows 10 & Windows Server 2019

Attacker Location: Anywhere they can communicate directly with the vulnerable machine

Highlights: Potentially wormable

The vulnerability exists because the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. To trigger it, a packet must carry Option Type 25 (Recursive DNS Server Option) with an even value in the option’s length field.

What should I do? Apply the patch as quickly as possible. If patching is not possible, “the best mitigation is disabling IPv6, either on the NIC or at the perimeter of the network by dropping ipv6 traffic if it is non-essential. Additionally, ICMPv6 Router Advertisements can be blocked or dropped at the network perimeter.”

To detect malicious traffic: inspect ICMPv6 traffic for packets with an ICMPv6 Type field of 134 (Router Advertisement) that carry an option of type 25 (Recursive DNS Server). If that RDNSS option has an even value in its length field, drop or flag the packet.
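The detection rule above as a small option-walking parser. This is an added example, not code from the advisory or from McAfee; the Router Advertisement samples it checks are constructed inline (checksum left as zero) rather than captured traffic, and it only covers the one signature the advisory describes.

```python
import ipaddress
import struct
from typing import List

# Values from the advisory: Router Advertisement is ICMPv6 type 134, RDNSS is option type 25
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_RDNSS = 25
RA_HEADER_LEN = 16  # type, code, checksum, hop limit, flags, router lifetime, reachable, retrans


def check_router_advertisement(icmp: bytes) -> List[str]:
    """Walk the options of one ICMPv6 message (the bytes after the IPv6 header) and
    return a finding for every RDNSS option whose length field is even.
    An empty list means the packet does not match the CVE-2020-16898 signature."""
    findings: List[str] = []
    if len(icmp) < RA_HEADER_LEN or icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return findings
    off = RA_HEADER_LEN
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:  # RFC 4861 forbids zero-length options; stop instead of looping forever
            findings.append(f"option type {opt_type} with zero length at offset {off}")
            break
        # A well-formed RDNSS option is 8 header bytes plus 16 bytes per address, so its
        # length (in 8-byte units) is always odd; an even value is the advisory's trigger.
        if opt_type == OPT_RDNSS and opt_len % 2 == 0:
            findings.append(f"RDNSS option with even length {opt_len} at offset {off}")
        off += opt_len * 8
    return findings


def build_ra(options: bytes) -> bytes:
    """Constructed RA header (hop limit 64, lifetime 1800 s, checksum 0) plus options."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + options


def rdnss_option(length: int, addresses: List[str], lifetime: int = 3600) -> bytes:
    """RDNSS option with an explicit length field, so a malformed one can be built."""
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return struct.pack("!BBHI", OPT_RDNSS, length, 0, lifetime) + packed


# Constructed samples (not real captures): a benign RA carrying an MTU option and a
# correctly sized RDNSS option, and one whose RDNSS length field is even.
MTU_OPTION = struct.pack("!BBHI", 5, 1, 0, 1500)
BENIGN_RA = build_ra(MTU_OPTION + rdnss_option(3, ["2001:db8::53"]))
MALFORMED_RA = build_ra(rdnss_option(4, ["2001:db8::53"]) + bytes(8))

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_RA), ("malformed", MALFORMED_RA)):
        print(name, check_router_advertisement(pkt) or "no findings")
```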

References:

MSFT Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
Proof of Concept: http://blog.pi3.com.pl/?p=780
McAfee’s Article (source of the above quotes): https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/