
Critical Vulnerabilities - July 2020 Recap

8/3/20 12:00 PM  |  by RedLegg Blog

Check out last month's list of critical vulnerabilities provided by RedLegg's threat research team.

*Important note: These are not the only vulnerabilities that were recently released; however, these are the vulnerabilities that RedLegg has identified as critical and that require immediate attention.


Critical Security Vulnerabilities Bulletin


F5 Networks BIG-IP RCE

Identifier: CVE-2020-5902

Exploit or POC: Yes

Update: https://support.f5.com/csp/article/K52145254

Description: This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration utility, through the BIG-IP management port and/or self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.

Mitigation recommendation: If you are running a version listed in the Versions known to be vulnerable column of the F5 article linked above, you can eliminate this vulnerability by installing a version listed in the Fixes introduced in column. If the table lists only an older version than the one you are currently running, or does not list a non-vulnerable version, then no update candidate currently exists.

If you are using public cloud marketplaces (AWS, Azure, GCP, and Alibaba) to deploy BIG-IP Virtual Edition (VE), F5 recommends that you install the latest releases of BIG-IP versions listed in the Fixes introduced in column, subject to their availability on those marketplaces. See K84554955: Overview of BIG-IP systems software upgrades.

Important: F5 recommends that you install a fixed software version to fix this vulnerability.

If it is not possible to update quickly, you can use the following sections of the F5 article as temporary configuration mitigations until updating is complete:

Restrict Access:
- Self IPs: addresses unauthenticated and authenticated attackers on self IPs by blocking all access
- Management interface: addresses unauthenticated attackers on the management interface by restricting access
- TMUI httpd: addresses unauthenticated attackers on all interfaces

Command line

iControl REST


Windows DNS Server Vulnerability

Identifier: CVE-2020-1350

Exploit or POC: No

Update: https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

Mitigation recommendation: To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

TcpReceivePacketSize

Value = 0xFF00

Note: You must restart the DNS Service for the registry change to take effect.

The Default (also max) Value = 0xFFFF

The Recommended Value = 0xFF00 (255 bytes less than the max)

After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.
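As an added example (not part of the RedLegg bulletin or Microsoft's advisory), the following PowerShell applies the registry workaround described above on a Windows DNS server, restarts the DNS Server service so the value is picked up, and verifies the result. The function names are the example's own; the key path, value name and 0xFF00 value are those given in the bulletin. A removal function is included because the workaround should be reverted once the server is patched, since it stops the server resolving names whenever an upstream TCP response exceeds 65280 bytes.

```powershell
# Added example: apply, verify and later remove the CVE-2020-1350 registry workaround.
# Run from an elevated PowerShell session on the Windows DNS server itself.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Expected  = 0xFF00   # recommended value from the advisory; the default (and maximum) is 0xFFFF

function Get-TcpReceivePacketSize {
    # Returns the configured value, or $null when the value has never been set
    # (in which case the server uses the built-in default of 0xFFFF).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-Cve20201350Workaround {
    if (-not (Test-Path $KeyPath)) {
        throw "DNS Parameters key not found; is the DNS Server role installed on this host?"
    }

    # REG_DWORD value; -Force overwrites an existing value instead of failing.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Expected -Force | Out-Null

    # The DNS service reads this value only at start-up, so restart it (service name is 'DNS').
    Restart-Service -Name DNS -Force

    $current = Get-TcpReceivePacketSize
    if ($current -ne $Expected) {
        throw ("Verification failed: {0} is '{1}' (expected 0x{2:X})" -f $ValueName, $current, $Expected)
    }
    Write-Output ("{0} set to 0x{1:X} and the DNS service was restarted." -f $ValueName, $current)
}

function Remove-Cve20201350Workaround {
    # Deletes the override so the server returns to the default 0xFFFF; use after the patch is installed.
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name DNS -Force
    Write-Output ("{0} removed; DNS service restarted with default packet size." -f $ValueName)
}

# Apply the workaround. Call Remove-Cve20201350Workaround instead once the security update is installed.
Set-Cve20201350Workaround
```

Restarting the DNS service briefly interrupts resolution for clients, so schedule the change accordingly; the verification step reads the value back rather than assuming the write succeeded, which catches the common case of running the script without elevation.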


PAN-OS: Authentication Bypass in SAML Authentication

Identifier: CVE-2020-2021

Exploit or POC: No

Update: https://security.paloaltonetworks.com/CVE-2020-2021

Description: When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile.

Resources that can be protected by SAML-based single sign-on (SSO) authentication are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access.

In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0.

In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Mitigation recommendation: This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.


SAP NetWeaver AS JAVA

Identifier: CVE-2020-6287

Exploit or POC: No

Update: https://nvd.nist.gov/vuln/detail/CVE-2020-6287

Description: SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50, does not perform an authentication check (Missing Authentication Check). This allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the confidentiality, integrity and availability of the system.

Mitigation recommendation: Patch


Junos OS: Receipt of certain genuine BGP packets from any BGP Speaker causes RPD to crash

Identifier: CVE-2020-1640

Exploit or POC: No

Update: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11024&actp=METADATA

Description: An improper use of a validation framework when processing incoming genuine BGP packets within Juniper Networks RPD (routing protocols process) daemon allows an attacker to crash RPD thereby causing a Denial of Service (DoS) condition. This framework requires these packets to be passed. By continuously sending any of these types of formatted genuine packets, an attacker can repeatedly crash the RPD process causing a sustained Denial of Service.

Mitigation recommendation: Patch


Citrix: Privilege escalation vulnerability, input validation, Incorrect file permissions, Reflected code injection

Identifier: CVE-2020-8197, CVE-2020-8187, CVE-2020-8190, CVE-2020-8194

Exploit or POC: No

Update: https://support.citrix.com/article/CTX276688

Description:

CVE-2020-8197: Privilege escalation vulnerability on Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows a low privileged user with management access to execute arbitrary commands.

CVE-2020-8187: Improper input validation in Citrix ADC and Citrix Gateway versions before 11.1-63.9 and 12.0-62.10 allows unauthenticated users to perform a denial of service attack.

CVE-2020-8190: Incorrect file permissions in Citrix ADC and Citrix Gateway before versions 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows privilege escalation.

CVE-2020-8194: Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download.

Mitigation recommendation: https://support.citrix.com/article/CTX276688


Cisco: Hard Coded Credentials, Remote Code Execution, Privilege escalation.

Identifier: CVE-2020-3330, CVE-2020-3323, CVE-2020-3144, CVE-2020-3331, CVE-2020-3140

Exploit or POC: No

Update: https://tools.cisco.com/security/center/publicationListing.x

Description:

CVE-2020-3330: A vulnerability in the Telnet service of Cisco Small Business RV110W Wireless-N VPN Firewall Routers could allow an unauthenticated, remote attacker to take full control of the device with a high-privileged account. The vulnerability exists because a system account has a default and static password. An attacker could exploit this vulnerability by using this default account to connect to the affected system. A successful exploit could allow the attacker to gain full control of an affected device.

CVE-2020-3323: A vulnerability in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system of the affected device.

CVE-2020-3144: A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary commands with administrative privileges on an affected device. The vulnerability is due to improper session management on affected devices. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.

CVE-2020-3331: A vulnerability in the web-based management interface of Cisco RV110W Wireless-N VPN Firewall and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied input data by the web-based management interface. An attacker could exploit this vulnerability by sending crafted requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the root user.

CVE-2020-3140: A vulnerability in the web management interface of Cisco Prime License Manager (PLM) Software could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device. The vulnerability is due to insufficient validation of user input on the web management interface. An attacker could exploit this vulnerability by submitting a malicious request to an affected system. An exploit could allow the attacker to gain administrative-level privileges on the system. The attacker needs a valid username to exploit this vulnerability.

Mitigation recommendation: https://tools.cisco.com/security/center/publicationListing.x


TMUI RCE vulnerability

Identifier: CVE-2020-5902

Exploit or POC: No

Update: https://support.f5.com/csp/article/K52145254

Description: This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.

Mitigation recommendation: If you are running a version listed in the Versions known to be vulnerable column of the F5 article linked below, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than the one you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists. Link: https://support.f5.com/csp/article/K52145254
