The Vulcan Vulnerability Digest - Top Threats Roundup - April 9th

With all the buzz around the latest campaigns and exploits, it can be hard to know what really demands your attention. That’s why we’ve rounded up the top security threats from the past couple of weeks that require your attention.

Now in order to help you address these threats, I’ve added actionable steps for you to follow in order to mitigate these risks.

Table of Contents:
  1. Critical RCE Vulnerability Remains Unpatched for 80% of Exchange Servers
  2. Critical Security Update for Chrome Released by Google
  3. Mozilla Releases Patch for Critical Vulnerabilities in Firefox and Firefox ESR
  4. Attackers Can Steal Windows Credentials and Run Programs Through Zoom
  5. Critical HP Support Assistant Bugs Expose Windows PCs to Attacks

 

1. Critical RCE Vulnerability Remains Unpatched on 80% of Exchange Servers 

Microsoft have patched an RCE (Remote Code Execution) vulnerability in Microsoft Exchange Server. Should this vulnerability be exploited, an attacker could use the Exchange user account to compromise the system completely.

It is believed that over 350,000 Exchange servers are exposed to this vulnerability.

How to Remediate

In order to remediate this vulnerability, follow the chart below for the relevant security update:

Product | Article | Download | Impact | Severity | Supersedence
--- | --- | --- | --- | --- | ---
Microsoft Exchange Server 2019 Cumulative Update 4 | 4536987 | Security Update | RCE | Important | 4523171
Microsoft Exchange Server 2019 Cumulative Update 3 | 4536987 | Security Update | RCE | Important | 4523171
Microsoft Exchange Server 2016 Cumulative Update 15 | 4536987 | Security Update | RCE | Important | 4523171
Microsoft Exchange Server 2016 Cumulative Update 14 | 4536987 | Security Update | RCE | Important | 4523171
Microsoft Exchange Server 2013 Cumulative Update 23 | 4536988 | Security Update | RCE | Important | 4523171
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30 | 4536989 | Security Update | RCE | Important | 4509410


2. Critical Security Update for Chrome Released by Google

Google have released a critical security update for Chrome, version 80.0.3987.162 for Windows, Mac, and Linux. This version addresses vulnerabilities that, if exploited, would allow an attacker to take control of an affected system. CISA (the Cybersecurity and Infrastructure Security Agency) encourages users and administrators alike to review the Chrome release notes and apply the necessary updates.

How to Remediate 

In order to mitigate the risk, Windows, Mac, and Linux desktop users should follow these steps to update:

  1. Open Chrome browser
  2. Head to "Settings" 
  3. Expand "Help" 
  4. "About Google Chrome"
  5. The browser will process the update 

 Source: https://www.us-cert.gov/ncas/current-activity/2020/04/01/google-releases-security-updates-chrome

3. Mozilla Releases Patch For Critical Vulnerabilities in Firefox and Firefox ESR

Mozilla have released new security updates to address critical vulnerabilities found in Firefox and Firefox ESR. Should these vulnerabilities be exploited, an attacker would be able to take control of an affected system. Both vulnerabilities have been exploited in the wild, so we urge you to patch them immediately.

About the vulnerabilities 

CVE-2020-6819: Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free.

CVE-2020-6820: Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free.

How to Remediate 

In order to mitigate the risk, we urge you to update to the following versions: Firefox 74.0.1 and Firefox ESR 68.6.1.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Mozilla’s security advisory for Firefox 74.0.1 and Firefox ESR 68.6.1 and apply the necessary updates. 
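Both this item and the Chrome item above come down to one question for an endpoint fleet: is the installed build at or above the fixed build? The following Python example is added here and is not code from the digest, Google, Mozilla or CISA. It takes the fixed versions named in this digest (Chrome 80.0.3987.162, Firefox 74.0.1, Firefox ESR 68.6.1), compares versions numerically rather than as strings, and runs over a constructed inventory; the product keys `chrome`, `firefox` and `firefox-esr` are an assumption about how an inventory export labels browsers, and the ESR channel needs its own key because an ESR 68.6.1 install is fixed even though 68 is below 74.

```python
import re
from typing import Dict, List, Tuple

# Fixed builds named in this digest. The product keys are an assumption about
# how the inventory labels browsers; Firefox ESR gets its own key because an
# ESR 68.6.1 install is fixed even though 68 < 74.
MIN_FIXED: Dict[str, str] = {
    "chrome": "80.0.3987.162",
    "firefox": "74.0.1",
    "firefox-esr": "68.6.1",
}

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text: str) -> Tuple[int, ...]:
    """'80.0.3987.162' -> (80, 0, 3987, 162).

    Each component is compared as an integer. A plain string comparison gets
    this wrong: '80.0.3987.87' > '80.0.3987.162' as strings because '8' > '1',
    so the vulnerable build would be reported as current.
    """
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def version_at_least(installed: str, minimum: str) -> bool:
    """True when installed >= minimum. Shorter tuples are padded with zeros so
    that '74.0' and '74.0.0' compare equal (and both sit below '74.0.1')."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def is_fixed(product: str, installed: str) -> bool:
    """Is this install at or above the fixed build for its product/channel?"""
    try:
        minimum = MIN_FIXED[product]
    except KeyError:
        raise ValueError(f"no fixed build known for product {product!r}") from None
    return version_at_least(installed, minimum)


def needs_update(inventory: List[Dict[str, str]]) -> List[str]:
    """Host names whose browser is still below the fixed build."""
    return [row["host"] for row in inventory
            if not is_fixed(row["product"], row["version"])]


# Constructed sample inventory (not real hosts), one row per browser install.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-01", "product": "chrome", "version": "80.0.3987.162"},
    {"host": "ws-02", "product": "chrome", "version": "80.0.3987.87"},
    {"host": "ws-03", "product": "firefox", "version": "74.0.1"},
    {"host": "ws-04", "product": "firefox", "version": "74.0"},
    {"host": "ws-05", "product": "firefox-esr", "version": "68.6.1"},
    {"host": "ws-06", "product": "firefox-esr", "version": "68.6"},
]

if __name__ == "__main__":
    for host in needs_update(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```

Run against the sample inventory this reports ws-02, ws-04 and ws-06. The channel key matters as much as the arithmetic: feeding an ESR install through the `firefox` minimum would flag every fully patched ESR machine as vulnerable and bury the real findings.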


4. Attackers Can Steal Windows Credentials and Run Programs Through Zoom

The Zoom Windows client is vulnerable to UNC path injection. An attacker could potentially steal a user’s Windows credentials if the user clicks a link posted in the chat feature.

Just as Zoom converts any URL sent in the chat into a hyperlink so that participants can open it in their browser, the Zoom client also converts Windows networking UNC paths in chat messages into clickable links, as discovered by security researcher @_g0dmode.

How to remediate: 

Zoom have released a new version of their client to address this issue – version 4.6.19253.0401. This version prevents all posted links, including URLs and UNC paths from being converted into hyperlinks.

Can’t patch every machine? 

If you’re looking to protect your entire organization from this vulnerability but cannot ensure that this patch will be deployed on every machine, there is a workaround available. Follow these guidelines, as originally posted by Lawrence Abrams in BleepingComputer, to enable a Group Policy that prevents your NTLM credentials from automatically being sent to a remote server when clicking on a UNC path:

This policy is called 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' and is found under the following path in the Group Policy Editor: 

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers 

If this policy is configured to Deny All, Windows will no longer automatically send your NTLM credentials to a remote server when accessing a share. 

[Image: the Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers policy in the Group Policy Editor]

It should be noted that when this policy is configured on domain-joined machines, it could cause issues when attempting to access shares.  You can view this article to learn more about adding exceptions to the above policy. 

If you are a Windows 10 Home user, you will not have access to the Group Policy Editor and will have to use the Windows Registry to configure this policy. 

This can be done by creating the RestrictSendingNTLMTraffic Registry value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 key and setting it to 2. 

Windows Registry Editor Version 5.00 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0] 
"RestrictSendingNTLMTraffic"=dword:00000002 

To properly create this value, Windows users will need to launch the Registry Editor as an Administrator. When the above Registry settings are properly configured, the RestrictSendingNTLMTraffic value will look like the following image:

[Image: the RestrictSendingNTLMTraffic value in the Windows Registry Editor]

When configuring this policy, it is not necessary to reboot your computer.  

To revert to the default Windows behavior of sending your NTLM credentials, you can just disable the policy by deleting the RestrictSendingNTLMTraffic value. 
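The root of this item is a rendering decision: which tokens in a chat message are turned into something clickable. The following Python example is added here and is not Zoom’s code or BleepingComputer’s; it models the pre-fix behaviour described above as a linkifier that emits an anchor for anything that looks like a URL or a UNC path (an assumption about how such a client renders links), places two hardened renderers beside it (one that links only http(s) URLs, one that links nothing, which is what this digest says the fixed client does), and adds a small detector that defenders can run over exported chat text. The sample message is constructed.

```python
import html
import re
from typing import List

# An http(s) URL: scheme followed by a run of non-whitespace characters.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# A Windows UNC path: two backslashes, a host, a backslash, then a share name
# and optional trailing path, e.g. \\files.example.test\share\notes.txt
UNC_RE = re.compile(r"\\\\[^\s\\]+\\\S*")


def _anchor(token: str) -> str:
    # Escape once and reuse the escaped form for both href and visible text,
    # so a token cannot break out of the attribute or inject markup.
    safe = html.escape(token, quote=True)
    return f'<a href="{safe}">{safe}</a>'


def linkify_unsafe(message: str) -> str:
    """Models the pre-fix behaviour (an assumption about the rendering, not
    Zoom's code): any token that looks like a URL *or* a UNC path becomes
    clickable. The UNC anchor is the problem: opening it makes Windows connect
    to the named host over SMB and, with default settings, authenticate with
    the user's NTLM credentials."""
    return " ".join(
        _anchor(tok) if URL_RE.fullmatch(tok) or UNC_RE.fullmatch(tok)
        else html.escape(tok, quote=True)
        for tok in message.split(" ")
    )


def linkify_safe(message: str) -> str:
    """Hardened renderer: only http(s) URLs become anchors; a UNC path is
    shown as plain text, so a click does nothing."""
    return " ".join(
        _anchor(tok) if URL_RE.fullmatch(tok) else html.escape(tok, quote=True)
        for tok in message.split(" ")
    )


def render_plain(message: str) -> str:
    """Strictest option, matching what the digest says the fixed client does:
    nothing posted in chat is converted into a hyperlink."""
    return html.escape(message, quote=True)


def find_unc_paths(message: str) -> List[str]:
    """Detection helper: list UNC paths in a message, for reviewing exported
    chat text or flagging messages before they are rendered."""
    return UNC_RE.findall(message)


# Constructed sample message (host and URL are placeholders, not real).
SAMPLE_MESSAGE = r"see \\files.example.test\share\notes.txt and https://example.test/doc"

if __name__ == "__main__":
    print("UNC paths found:", find_unc_paths(SAMPLE_MESSAGE))
    print("pre-fix :", linkify_unsafe(SAMPLE_MESSAGE))
    print("hardened:", linkify_safe(SAMPLE_MESSAGE))
    print("plain   :", render_plain(SAMPLE_MESSAGE))
```

The design point is an allowlist of schemes rather than a denylist of `\\`: `linkify_safe` decides what may become a link (`http`/`https`) and treats everything else as text, so there is nothing to bypass by finding another spelling of a network path. The Group Policy above is the complementary host-side control for the case where the client cannot be updated.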

5. Critical HP Support Assistant Bugs Expose Windows PCs to Attacks

Windows computers are exposed to RCE attacks through several critical HP Support Assistant vulnerabilities. Should these be exploited, attackers could elevate their privileges or delete arbitrary files. HP Support Assistant is pre-installed on new HP desktops and notebooks, making these vulnerabilities quite widespread.

Security researcher Bill Demirkapi found ten different vulnerabilities in the HP Support Assistant software. While some of these critical flaws have been patched, others have not:

[Image: patched and unpatched vulnerabilities (Bill Demirkapi)]

How to Remediate: 

In order to fully mitigate the flaws found by Demirkapi, you would need to uninstall the vulnerable software. This can be done by removing both HP Support Assistant and HP Support Solutions Framework from your computer. 
