RCE Vulnerability in F5’s BIG-IP (CVE-2020-5902)
Last Wednesday a new critical Remote Code Execution vulnerability (CVE-2020-5902, CVSSv3 10) was published for F5’s Traffic Management User Interface (TMUI). This vulnerability allows unauthenticated attackers, or authenticated users, with network access to the TMUI through the BIG-IP management port and/or Self IPs to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected. F5 recommends updating to a corrected version of this software, especially since the first attempts to exploit this flaw have been made public and Metasploit has added a PoC to its exploitation framework. Moreover, US Cybercom urged last Friday to patch without delay. For those unable to apply F5’s patch, the company has indicated a series of temporary mitigating measures. Meanwhile, researchers have begun sharing rules for the detection of exploitation attempts in IDS systems, which may be useful to verify that everything is working correctly after patching and to rule out any exploitation attempts. A few days after the flaw became public, security researchers Chase Dardaman and Rich Mirch, together with the CriticalStart TeamAres, found a bypass allowing exploitation of the bug on devices where the mitigation measures were implemented. Successful exploitation of BIG-IP devices allows attackers to fully compromise the system, obtain user credentials, or move laterally into the device’s internal network. The researchers who uncovered this bypass are working with the F5 Security Incident Response Team (SIRT) to update the CVE-2020-5902 security advisory.
More details: https://support.f5.com/csp/article/K52145254
Attacks against Managed Service Providers (MSPs)
The US Secret Service sent out a security alert in June warning the US public and private sectors about an increase in attacks against managed service providers (MSPs). These services provide remote management software for companies and are built around a server-client software architecture, so an attacker with access to the server could view and manipulate data in the clients’ systems. The alert reports the identification of attacks following this pattern to compromise point-of-sale systems, to perform business email compromise (BEC) scams, and to deploy ransomware (malware families such as Sodinokibi/REvil are known to make use of this entry vector). Some days after the warning was released, popular MSP ConnectWise fixed an Automate API flaw that was abused in several intrusions.
DXC identifies ransomware attack involving its Xchanging subsidiary
Global IT services and solutions provider DXC Technology announced over the weekend a ransomware attack on systems of its Xchanging subsidiary. Xchanging is known as a managed service provider for businesses in the insurance industry, but its list of customers includes companies from other fields. The company reported the incident on July 5th, expressing confidence that it did not spread outside Xchanging’s network. It is unclear when the company detected the attack, but so far the investigation has not revealed any indication of data being affected. The number of customers affected has not been disclosed and, as usual with such incidents, the company is working with law enforcement and authorities on the investigation. No information about the family of ransomware used in the attack has been revealed yet.
Banking Trojan Cerberus Discovered on Google Play
The Avast Cybersecurity Team has published a report on the detection of a Cerberus banking Trojan on Google Play targeting Android users in Spain. According to the researchers, this malicious software had remained obfuscated in an application called “Calculadora de Moneda”. This application was accepted on Google Play sometime last March and, although at first it did not cause any harm to the victims, once it had gained the users’ trust the application activated code that allowed it to connect to a Command & Control server. From there, the C&C instructed the application to download an additional APK to the affected devices: Cerberus. Among the features of this tool are the ability to create overlays on top of legitimate banking applications in order to exfiltrate the victim’s credentials, and to read SMS messages to obtain one-time access codes or details of the second authentication factor. It is estimated that the malicious application was downloaded more than 10,000 times.
New Vulnerability in PAN-OS
Just one week after fixing a critical vulnerability in PAN-OS (CVE-2020-2021), Palo Alto Networks has fixed a new serious flaw in PAN-OS GlobalProtect. This is a command injection vulnerability in the operating system that would allow an unauthenticated remote attacker to execute arbitrary operating system commands with root privileges on unpatched devices. It has been assigned the identifier CVE-2020-2034 and a CVSS 3.x severity of 8.1, as it can be exploited by attackers with network access to vulnerable servers as part of a more complex attack that does not require user interaction. PAN-OS versions < 9.1.3, < 9.0.0, < 8.1.15, 8.0 and 7.1 are affected. The flaw cannot be exploited if the GlobalProtect portal is not enabled and, in addition, the attacker needs certain information about the firewall configuration or will need to perform some kind of brute-force attack in order to exploit the vulnerability. Telefónica is taking the appropriate action to identify and patch the vulnerability.
Juniper security bulletin
Yesterday, Juniper published a security bulletin that patches 19 vulnerabilities in their products. Among them, it is worth highlighting a critical vulnerability (CVSSv3 9.8) with the reference CVE-2020-1654. This issue appears when processing a malformed HTTP message and may lead to a Denial of Service (DoS) or Remote Code Execution (RCE) if the ICAP (Internet Content Adaptation Protocol) redirect service is enabled. The affected products are Juniper Networks Junos OS on SRX Series, versions 18.1, 18.2, 18.3, 18.4, 19.1, 19.2 and 19.3. To remediate the issue, it is recommended to apply the updates provided by Juniper.