Thank you for the great response at BSides San Francisco 2020, where we unveiled our real-time vulnerability alerting engine. By harnessing public data and applying data analytics, we cut through the noise and get real-time alerts only for highly seismic cloud vulnerability exposures (CVEs)—making vulnerability fatigue a thing of the past. If you missed our BSidesSF 2020 talk, you can watch the video “Real-Time Vulnerability Alerting” on YouTube. The real-time vulnerability alerting engine has been humming and churning data since BSides, and here are the consolidated results for the dozen dirtiest CVEs Q120.
The X-axis of this graph represents each day of Q120, while the Y-axis represents the vulnerability intelligence quotient calculated by the engine (see the BSides presentation for more information). For simplicity, the Y-axis has been divided into four colors—Red, Orange, Yellow, and Green—which represent the dirtiness (or criticality) of each vulnerability. Each blue dot represents a vulnerability: its placement on the X-axis represents the date on the timeline, and its placement on the Y-axis represents criticality (i.e., the vulnerability intelligence quotient). It is possible for the same vulnerability to appear on multiple days, especially vulnerabilities with a high X-axis value.
#1 Dirtiest CVE Q120 – CVE-2020-0601 (CurveBall)
The title of dirtiest CVE Q120 goes to CVE-2020-0601—a vulnerability discovered by the United States’ National Security Agency (NSA) that affects how cryptographic certificates are verified by the Windows cryptography library that makes up CryptoAPI. Dubbed “CurveBall”, an attacker exploiting this vulnerability could potentially create their own cryptographic certificates (signed with Elliptic Curve Cryptography algorithms) that appear to originate from a legitimate certificate that Windows fully trusts by default. Proofs of concept (POCs) are available, and one of them has been published on GitHub.
#2 – CVE-2020-0796 (EternalDarkness/GhostSMB)
The second dirtiest CVE Q120 is CVE-2020-0796—also known as EternalDarkness or GhostSMB. On March 10, details of this vulnerability were inadvertently disclosed under the assumption that Microsoft was releasing a patch that day; Microsoft released the patch only on March 12, after the details were already public. An unauthenticated attacker could exploit this issue by sending a specially crafted packet to a vulnerable SMBv3 server. Similarly, if an attacker could convince or trick a user into connecting to a malicious SMBv3 server, the user’s SMBv3 client could also be exploited. Whether the server or the client is the one exploited, success grants the attacker the ability to execute arbitrary code. Microsoft released the fix as an out-of-band patch, and a POC for this issue has been published on GitHub.
#3 – CVE-2019-19781
The honor of third dirtiest CVE Q120 goes to CVE-2019-19781, which affects Citrix Gateway and Citrix Application Delivery Controller (ADC). Initially, it was thought to be just a directory traversal vulnerability that would allow a remote, unauthenticated user to write a file to a location on disk. On further investigation, it was found that this vulnerability allows full remote code execution on the host.
Top 12 Dirtiest CVEs Q120
The prioritized list of the complete dirty dozen for Q1 2020 is in the table below.
Priority | Vulnerability | Description
1 | CVE-2020-0601 | Windows Elliptic Curve Cryptography (ECC) certificate spoofing
2 | CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability
3 | CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway RCE
4 | CVE-2020-0688 | Microsoft Exchange Memory Corruption Vulnerability
5 | CVE-2020-0674 | Microsoft Scripting Engine Memory Corruption Vulnerability
6 | CVE-2020-0609 | Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability
7 | CVE-2020-0610 | Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability
8 | CVE-2020-1938 | Apache JServ Protocol (AJP) arbitrary file access
9 | CVE-2019-11510 | Pulse Secure Pulse Connect Secure arbitrary file reading vulnerability
10 | CVE-2019-17026 | Firefox and Thunderbird code execution
11 | CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability
12 | CVE-2019-18634 | Linux /etc/sudoers stack-based buffer overflow
How CloudPassage Halo Can Help
CloudPassage Halo customers can use Halo’s Server Secure service, our software vulnerability manager, to identify and prioritize the dozen dirtiest CVEs Q120 lurking in their environments.
Customers can also create custom reports to view details on the dozen dirtiest CVEs Q120.
To keep up to date on our new control policies as we release them and our quarterly reports on the Dozen Dirtiest CVEs Q120 and beyond, subscribe to the CloudPassage Blog in the upper right corner of this page.
Learn more about CloudPassage Halo Server Secure.
Get a free vulnerability assessment of your infrastructure in 30 minutes.
The post Dozen Dirtiest CVEs Q120 (Cloud Vulnerability Exposures) appeared first on Cybersecurity Insiders.
April 22, 2020 at 09:08AM