Combining Citrix vulnerabilities to steal user sessions
On July 7th, Citrix published a security bulletin correcting up to 11 vulnerabilities. A few days later, a report with detailed information on these flaws was released, accompanied by a proof of concept. Last weekend, a new investigation was published showing how, by combining three of those 11 vulnerabilities (CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196), a threat actor could obtain the session data of currently authenticated users. According to researchers from the NCC Group, these flaws are actively exploited by cybercriminals, who use CVE-2020-8193 to bypass authentication and CVE-2020-8195 or CVE-2020-8196 to steal VPN session data from the device. Other attempts to extract additional information from the device have also been spotted. For a system to be vulnerable, the attacker must have access to the device’s NSIP (management) interface; if that interface is not exposed on the Internet, the risk of exploitation decreases.
SAP patches critical vulnerability
SAP has issued a patch for a critical vulnerability affecting over 40,000 customers using SAP NetWeaver AS JAVA versions 7.30 to 7.50. The bug, located in the product’s configuration assistant, has been assigned the identifier CVE-2020-6287 with a CVSS score of 10. An unauthenticated threat actor could exploit it over HTTP to take control of SAP applications, because a web component of the affected software performs no authentication check. The vulnerability is considered critical since the affected applications are usually exposed on the Internet. SAP users are advised to apply the patch as soon as possible.
Anchor_DNS: New Linux Backdoor
A new report indicates that the developers of the popular TrickBot malware are also responsible for a recently developed Linux version of the Anchor_DNS backdoor. The backdoor, which communicates with its Command & Control server mainly over DNS, is installed as a cron job and then determines the infected device’s public IP address through requests to external URLs. Once this is done, it begins transmitting information to the attacker-controlled C2 server inside DNS queries. This Linux version can also reach Windows systems over SMB or IPC.
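The behaviour described above, data leaving the host inside DNS queries, is something a resolver log can reveal from the defender’s side. The following is an added example (not code from the report or from the malware analysis) that scores each queried domain on how many distinct, long, high-entropy leftmost labels it receives and how often non-address record types such as TXT are used. The log lines, the `c2-placeholder.test` domain, the line format and all thresholds are constructed assumptions for the demonstration.

```python
"""Flag DNS query patterns consistent with data being carried in query names.

Added example, not from the cited report. The heuristics are assumptions:
many queries to one domain, almost every query using a distinct, long,
high-entropy leftmost label, and a preference for record types such as TXT.
"""
import math
import re
from collections import defaultdict

# Constructed sample resolver log, not a real capture.
# Assumed line format: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2020-07-15T10:00:01Z 10.0.0.5 www.example.com A
2020-07-15T10:00:02Z 10.0.0.5 mail.example.com MX
2020-07-15T10:00:03Z 10.0.0.9 cdn.example.com AAAA
2020-07-15T10:00:04Z 10.0.0.9 www.example.com A
2020-07-15T10:00:05Z 10.0.0.7 0123456789abcdeffedcba9876543210.c2-placeholder.test TXT
2020-07-15T10:00:06Z 10.0.0.7 13579bdf02468ace13579bdf02468ace.c2-placeholder.test TXT
2020-07-15T10:00:07Z 10.0.0.7 fedcba98765432100123456789abcdef.c2-placeholder.test TXT
2020-07-15T10:00:08Z 10.0.0.7 02468ace13579bdf02468ace13579bdf.c2-placeholder.test TXT
2020-07-15T10:00:09Z 10.0.0.7 89abcdef0123456776543210fedcba98.c2-placeholder.test TXT
2020-07-15T10:00:10Z 10.0.0.7 76543210fedcba9889abcdef01234567.c2-placeholder.test TXT
2020-07-15T10:00:11Z 10.0.0.5 www.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        records.append({"ts": ts, "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()})
    return records


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels.
    Simplification: a public-suffix list would be needed for names like co.uk."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def suspicious_domains(records, min_queries=5, min_label_len=24,
                       min_entropy=3.5, min_unique_ratio=0.8):
    """Return {domain: stats} for domains whose query pattern matches the heuristic."""
    per_domain = defaultdict(list)
    for r in records:
        per_domain[registered_domain(r["qname"])].append(r)

    flagged = {}
    for domain, recs in per_domain.items():
        if len(recs) < min_queries:
            continue
        # The leftmost label is where a data-carrying query would place its payload.
        first_labels = [r["qname"].split(".")[0] for r in recs
                        if r["qname"] != domain]
        if not first_labels:
            continue
        unique_ratio = len(set(first_labels)) / len(first_labels)
        avg_len = sum(len(lab) for lab in first_labels) / len(first_labels)
        avg_entropy = sum(shannon_entropy(lab) for lab in first_labels) / len(first_labels)
        odd_types = sum(1 for r in recs if r["qtype"] not in ("A", "AAAA"))
        if (unique_ratio >= min_unique_ratio and avg_len >= min_label_len
                and avg_entropy >= min_entropy):
            flagged[domain] = {
                "queries": len(recs),
                "unique_label_ratio": round(unique_ratio, 2),
                "avg_label_len": round(avg_len, 1),
                "avg_label_entropy": round(avg_entropy, 2),
                "non_address_qtypes": odd_types,
                "clients": sorted({r["client"] for r in recs}),
            }
    return flagged


if __name__ == "__main__":
    for domain, stats in suspicious_domains(parse_log(SAMPLE_LOG)).items():
        print(domain, stats)
```

In the sample, `example.com` receives the same handful of short labels and is not reported, while the constructed C2 domain is reported with all six queries coming from one client and all six using TXT. The thresholds are deliberately conservative; in production they should be tuned against the organisation’s own baseline, and the `clients` field gives the host to look at for the cron-job persistence mentioned above.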
Critical Vulnerability in Windows DNS Server
Microsoft has published its monthly patches, including a fix for the vulnerability tracked as CVE-2020-1350 with a CVSS v3 score of 10. This is a critical flaw in Windows DNS Server whose exploitation could allow an attacker to execute code remotely in Windows domain environments, especially on unpatched domain controllers. Because of improper handling of requests, it can lead to arbitrary code execution in the context of the Local System account. Updating urgently according to the manufacturer’s instructions is strongly recommended.
Adobe fixes 13 vulnerabilities
Adobe has released software updates to patch a total of 13 new security vulnerabilities affecting 5 of its widely used applications: Adobe Creative Cloud Desktop Application, Adobe Media Encoder, Adobe Genuine Service, Adobe ColdFusion and Adobe Download Manager. Of these 13 vulnerabilities, 4 are rated critical and 9 important in severity. None of the vulnerabilities fixed in this batch of Adobe updates were publicly disclosed or exploited in the wild.
- Adobe Creative Cloud Desktop Application versions 5.1 and earlier for Windows operating systems contain four vulnerabilities, one of which is a critical symlink issue (CVE-2020-9682) leading to arbitrary file system write attacks.
- Adobe Media Encoder contains two critical arbitrary code execution issues (CVE-2020-9650 and CVE-2020-9646) and one important information disclosure issue, affecting both Windows and macOS users running Media Encoder version 14.2 or earlier.
- Adobe Download Manager has been found vulnerable to only one flaw (CVE-2020-9688) that’s critical in severity and could lead to arbitrary code execution in the current user context through command injection attack.
- Finally, Adobe Genuine Service and Adobe ColdFusion suffered privilege escalation issues of important severity.
Cisco security updates
Cisco has published patches for up to 31 vulnerabilities in its products, 5 of them considered critical, 11 high and 15 medium:
- CVE-2020-3330 CVSS 9.8: Default static passwords in Cisco Small Business RV110W Wireless-N Firewall VPN could allow an unauthenticated, remote attacker to take full control of the device with a high-privileged account.
- CVE-2020-3323 CVSS 9.8: Vulnerability in Cisco Small Business RV110W, RV130, RV130W and RV215W that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device due to improper validation of user-supplied input in the web-based management interface.
- CVE-2020-3144 CVSS 9.8: Vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router that could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary commands with administrative privileges on an affected device.
- CVE-2020-3331 CVSS 9.8: Flaw in the RV110W and RV215W router series that could allow the execution of arbitrary code due to improper validation of user-supplied input by the web-based management interface.
- CVE-2020-3140 CVSS 9.8: Vulnerability in the Cisco Prime License Manager (PLM) product that could allow an unauthenticated, remote attacker to gain administrative-level privileges on the affected system.
According to the Cisco Product Security Incident Response Team (PSIRT), they are not aware of any public announcements or malicious use of these vulnerabilities.