
The Vulcan Vulnerability Digest - Top Threats to Address - March

The past couple of weeks have presented many challenges from a security standpoint. There’s a lot of noise around threat actors, phishing campaigns and the like, and it can be hard to tell what actually requires attention from what doesn’t.

To help with exactly that, I’ve compiled a list of the top threats you should pay attention to. At Vulcan, however, we’re not big fans of ringing the alarm bells just for the sake of it. That’s why I’ve added actionable steps you can follow to overcome each of these threats.

Hackers Exploiting Two Unpatched Windows 0-Day RCE Vulnerabilities in the Wild  

Microsoft have issued a new security advisory warning billions of Windows users about two new critical, unpatched zero-day vulnerabilities. These RCE flaws affect all supported versions of the Windows OS. If exploited, they would allow attackers to take complete remote control of targeted computers.

As explained by The Hacker News, both vulnerabilities reside within the Windows Adobe Type Manager Library, font parsing software that not only parses content when it is opened with third-party software but is also used by Windows Explorer to display the content of a file in the 'Preview Pane' or 'Details Pane' without requiring users to open it.

All supported Windows and Windows Server operating systems are affected (Windows 7, 8.1, RT 8.1, 10, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019).

So how can you fix it?

While there are no patches available at the moment, there are several workarounds that can be applied to mitigate the risk: 

Disable the Preview Pane and Details Pane in Windows Explorer 

To disable the Preview Pane and Details Pane feature: 

  • Open Windows Explorer, click Organize and then click Layout. 
  • Clear both the Details pane and Preview pane menu options. 
  • Click Organize, and then click Folder and search options. 
  • Click the View tab. 
  • Under Advanced settings, check the Always show icons, never thumbnails box. 
  • Close all open instances of Windows Explorer for the change to take effect. 

 

 

Disable the WebClient service 

Disable the Windows WebClient service to block attacks delivered through the WebDAV client service:

  • Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK. 
  • Right-click WebClient service and select Properties. 
  • Change the Startup type to Disabled. If the service is running, click Stop. 
  • Click OK and exit the management application. 

 

Rename ATMFD.DLL 

Rename the Adobe Type Manager Font Driver (ATMFD.dll) file to temporarily disable the embedded font technology. Note that this could cause certain third-party apps to stop working.

Enter the following commands at an administrative command prompt: 

For 32-bit systems

cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll

 

For 64-bit systems

cd "%windir%\system32" 
takeown.exe /f atmfd.dll 
icacls.exe atmfd.dll /save atmfd.dll.acl 
icacls.exe atmfd.dll /grant Administrators:(F) 
rename atmfd.dll x-atmfd.dll 
cd "%windir%\syswow64" 
takeown.exe /f atmfd.dll 
icacls.exe atmfd.dll /save atmfd.dll.acl 
icacls.exe atmfd.dll /grant Administrators:(F) 
rename atmfd.dll x-atmfd.dll 

 

Restart the system. 

For more instructions and information, please refer to: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006

Source: 

https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html?m=1

Critical Remote Code Execution Bug in Linux Based OpenWrt OS Affects Millions of Network Devices (CVE-2020-7982) 

A security researcher has uncovered a critical remote code execution vulnerability in OpenWrt that allows attackers to inject malicious payloads into vulnerable systems.

OpenWrt is a Linux-based OS whose main use is in embedded devices and network routers, where it routes network traffic. It is currently installed on millions of devices worldwide.

The RCE bug lies in the package-list parsing logic of OpenWrt’s opkg (Opkg Package Manager) fork: it lets the package manager ignore the SHA-256 checksums embedded in the signed repository index, which in turn allows an attacker to bypass the integrity checking of downloaded .ipk artifacts.

“As a stopgap solution, OpenWRT have removed the space in the SHA256sum from the package list shortly after I reported the bug,” says Guido Vranken, who first reported this flaw. “This helped mitigate the risk to users somewhat; users who updated their package lists following this change were no longer vulnerable, as subsequent installs would set out from a well-formed list that would not sidestep the hash verification.”

The bug in checksum_hex2bin was fixed in an upstream commit and integrated in OpenWRT versions 18.06.7 and 19.07.1, both released on February 1st 2020.
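To make the bug class concrete, here is an added Python model (not opkg’s own C code) of how a hex decoder that gives up at the first non-hex character, combined with a verifier that treats an empty checksum as “nothing to check”, lets a SHA256sum field with a stray leading space bypass integrity checking, beside a fail-closed version that rejects a missing or malformed checksum. The package-list entry, its field layout and the .ipk bytes are constructed for the example.

```python
import hashlib
HEX = set("0123456789abcdefABCDEF")

# Constructed sample: one package-list entry as opkg would read it (assumed
# field layout). The space after "SHA256sum:" is the malformed value the
# page describes; the .ipk bytes are a stand-in, not a real package.
IPK_BYTES = b"constructed .ipk payload for illustration"
GOOD_HASH = hashlib.sha256(IPK_BYTES).hexdigest()
PACKAGE_LIST = "Package: opkg\nFilename: opkg_example.ipk\nSHA256sum: " + GOOD_HASH + "\n"

def parse_field(package_list, name):
    """Return the raw value of a 'Name: value' line, whitespace preserved."""
    for line in package_list.splitlines():
        if line.startswith(name + ":"):
            return line[len(name) + 1:]
    return None

def hex2bin_lenient(text):
    """Fail-open decoder modelling the bug class: it stops at the first
    non-hex character, so a leading space yields an empty checksum."""
    out = bytearray()
    for i in range(0, len(text) - 1, 2):
        pair = text[i:i + 2]
        if not all(c in HEX for c in pair):
            break
        out.append(int(pair, 16))
    return bytes(out)

def verify_lenient(package_list, ipk):
    """Buggy flow: an empty decoded checksum is treated as 'nothing to check'."""
    expected = hex2bin_lenient(parse_field(package_list, "SHA256sum") or "")
    if not expected:
        return True  # integrity check silently skipped: a tampered .ipk passes
    return hashlib.sha256(ipk).digest() == expected

def hex2bin_strict(text):
    """Fail-closed decoder: tolerate surrounding whitespace, reject anything else."""
    text = text.strip()
    if len(text) != 64 or any(c not in HEX for c in text):
        return None
    return bytes.fromhex(text)

def verify_strict(package_list, ipk):
    """Hardened flow: a missing or malformed checksum fails, it never passes."""
    raw = parse_field(package_list, "SHA256sum")
    expected = hex2bin_strict(raw) if raw is not None else None
    if expected is None:
        return False
    return hashlib.sha256(ipk).digest() == expected
```

Running both verifiers against the same malformed entry shows the difference: the lenient flow accepts any .ipk bytes at all, while the strict flow only accepts the package whose hash actually matches.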

So how can you fix it?

The following commands can be used once all repositories have been updated, to confirm that the SHA256sum recorded in the package list matches the hash of the opkg package actually downloaded:

cd /tmp
opkg update
opkg download opkg
zcat ./opkg-lists/openwrt_base | grep -A10 "Package: opkg" | grep SHA256sum
sha256sum ./opkg_2020-01-25-c09fe209-1_*.ipk

The hash printed by the last two commands should be identical.

 

Sources: 

https://gbhackers.com/severe-rce-vulnerability-in-openwrt/ 

https://blog.forallsecure.com/uncovering-openwrt-remote-code-execution-cve-2020-7982 

 

New Kubernetes DoS Vulnerabilities: CVE-2020-8551, CVE-2020-8552

Two security flaws that could lead to a recoverable denial of service in a Kubernetes cluster were disclosed on 3/23/2020.

The Vulnerabilities: 

CVE-2020-8552  

This vulnerability affects the API server, the cluster’s gateway component for receiving, authenticating, authorizing and processing administration requests on the cluster. Exploiting this vulnerability could cause denial of service by consuming the memory of the API server and thus killing it. If an attacker can make an authorized resource request to an unpatched API server, the cluster is vulnerable.

CVE-2020-8552 affects the following versions: 

  • kube-apiserver v1.17.0 - v1.17.2 
  • kube-apiserver v1.16.0 - v1.16.6 
  • kube-apiserver < v1.15.10 

 

CVE-2020-8551

This vulnerability affects the Kubelet, the Kubernetes component controlling resources on a node. Exploiting it could cause denial of service by consuming the memory of a Kubelet, effectively killing it. The Kubelet has been found to be vulnerable to a DoS attack via the Kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255 and the authenticated HTTPS API typically served on port 10250.

It is likely that this is only exploitable from within the cluster, by a malicious actor who has already gained a foothold there, for example by compromising a workload accessible from the Internet or by being able to deploy a workload there.

CVE-2020-8551 affects the following versions: 

  • kubelet v1.17.0 - v1.17.2 
  • kubelet v1.16.0 - v1.16.6 
  • kubelet v1.15.0 - v1.15.10 
  • kubelets prior to v1.15.0 are unaffected

 

 

So how can you fix it?

Patching: Both vulnerabilities are patched in the following Kubernetes versions:

  • v1.17.3 
  • v1.16.7 
  • v1.15.10 

 

Mitigations: In case upgrading your Kubernetes to one of these versions isn’t your preferred course of action at the moment, both of these can be mitigated by:

  • Preventing unauthenticated or unauthorized access to the affected components
  • Ensuring the apiserver and kubelet auto restart in the event of an OOM error

 

 

Sources: 

https://blog.alcide.io/new-kubernetes-vulnerabilities-cve-2020-855-cve-2020-8552 

https://seclists.org/oss-sec/2020/q1/121 

 

Google Security Update Fixed Multiple High Severity Vulnerabilities in Chrome 

Thirteen high severity vulnerabilities were recently found in Google Chrome, as reported by various external security researchers. However, due to the COVID-19 outbreak, Google have announced that they will hold off on the upcoming releases of both Chrome and Chrome OS.

That being said, Google have released a new Chrome version, Chrome 80.0.3987.149, a stable channel update for Windows, Mac, and Linux. This version includes the fixes required for several high severity vulnerabilities. 

So how can you fix it?

Follow these steps to update for Windows, Mac, and Linux desktop users:

  • Open Chrome browser 
  • Head to "Settings"
  • Expand "Help" 
  • Click "About Google Chrome"
  • The browser will process the update 

Source:  

https://gbhackers.com/chrome-security-update/ 

 

To learn more about handling the biggest threats in your environment, speak with one of our experts.
