CERT Recently Published Vulnerability Notes

CERT publishes vulnerability advisories called "Vulnerability Notes." Vulnerability Notes include summaries, technical details, remediation information, and lists of affected vendors. Many vulnerability notes are the result of private coordination and disclosure efforts.

CWE-78:Improper Neutralization of Special Elements used in an OS Command(‘OS Command Injection’) Multiple ZyXEL devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters,it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user,many ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such,it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. Exploit code for this vulnerability that targets NAS devices is available on the internet. For this reason,we have created a PoC exploit that has the ability to power down affected ZyXEL NAS devices.
Microsoft Internet Explorer contains a scripting engine,which handles execution of scripting languages such as VBScript and JScript. The scripting engine JScript component contains an unspecified memory corruption vulnerability. Any application that supports embedding Internet Explorer or its scripting engine component may be used as an attack vector for this vulnerability. This vulnerability was detected in exploits in the wild.
IBM ServeRAID Manager includes an embedded instance of Java version 1.4.2. Both ServeRAID Manager and Java 1.4.2 are no longer supported. ServeRAID Manager uses a Java Remote Method Invocation(RMI)on port 34571/tcp that listens on all interfaces by default. ServeRAID Manager runs with SYSTEM privileges on Microsoft Windows systems. An unauthenticated attacker with network access can exploit the vulnerable RMI interface to launch a remote class loader attack. This appears to be an instance of CVE-2011-3556. The ServeRAID product name is used for hardware and software components variously owned and maintained by IBM,Lenovo,and other vendors. This vulnerability applies to IBM ServeRAID Manager software and no products or components from Lenovo or any other vendor.
CVE-2020-3110 Cisco’s Video Surveillance 8000 Series IP cameras with CDP enabled are vulnerable to a heap overflow in the parsing of DeviceID type-length-value(TLV). The CVSS score reflected below is in regards to this vulnerability. CVE-2020-3111 Cisco Voice over Internet Protocol(VoIP)phones with CDP enabled are vulnerable to a stack overflow in the parsing of PortID type-length-value(TLV). CVE-2020-3118 Cisco’s CDP subsystem of devices running,or based on,Cisco IOS XR Software are vulnerable to improper validation of string input from certain fields within a CDP message that could lead to a stack overflow. CVE-2020-3119 Cisco’s CDP subsystem of devices running,or based on,Cisco NX-OS Software is vulnerable to a stack buffer overflow and arbitrary write in the parsing of Power over Ethernet(PoE)type-length-value(TLV). CVE-2020-3120 Cisco’s CDP subsystem of devices running,or based on,Cisco NX-OS,IOS XR,and FXOS Software are vulnerable to a resource exhaustion denial-of-service condition.
OpenSMTPD is an open-source server-side implementation of the Simple Mail Transfer Protocol(SMTP)that is part of the OpenBSD Project. OpenSMTPD’s smtp_mailaddr()function is responsible for validating sender and recipient mail addresses. If the local part of an address is invalid and the domain name is empty,smtp_mailaddr()will automatically add a domain name as opposed to failing because of the invalid local address. This will allow the invalid local address to pass through the function without validation.
Citrix has published a security bulletin that mentions a vulnerability that can be exploited to achieve arbitrary code execution by a remote,unauthenticated attacker. Although the bulletin does not describe details about the vulnerability,the mitigation steps describe techniques to block the handling of requests that contain a directory traversal attempt(/../)and also requests that attempt to access the/vpns/directory. Limited testing has shown that the affected Citrix software fails to restrict access to perl scripts that are available via the/vpns/path. An unauthenticated remote attacker may be able to provide crafted content to these scripts that result in arbitrary code execution. One technique that has been outlined involves the writing of an XML file using a directory traversal and the subsequent command execution by way of the Perl Template Toolkit. Other exploitation techniques may be possible. A link of the following form can be used to determine if a system is affected: https://CITRIXGATEWAY/vpn/../vpns/cfg/smb.conf For example,the following curl command can be used: curl https://CITRIXGATEWAY/vpn/../vpns/cfg/smb.conf –path-as-is -k -f The”CITRIXGATEWAY”string should be replaced with the name or IP of the system you wish to test. If retrieving the link results in a 403 Forbidden error,then the mitigations outlined below have likely been applied. However,if retrieving the link results in the contents of a smb.conf file,then the system is vulnerable.
Microsoft Windows Remote Desktop Gateway(RD Gateway)is a Windows Server component that provides access to Remote Desktop services without requiring the client system to be present on the same network as the target system. Originally launched as Terminal Services Gateway(TS Gateway)with Windows Server 2008,RD Gateway is a recommended way to provide Remote Desktop connectivity to cloud-based systems. For example,guidance has been provided for using RD Gateway with AWS,and also with Azure. The use of RD Gateway is recommended to reduce the attack surface of Windows-based hosts. Microsoft RD Gateway in Windows Server 2012 and later contain two vulnerabilities that can allow an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges. It is reported by Kryptos Logic that the flaws lie in handling of fragmentation. This vulnerability is exploitable by connecting to the RD Gateway service listening on UDP/3391.
The Microsoft Windows CryptoAPI,which is provided by Crypt32.dll,fails to validate ECC certificates in a way that properly leverages the protections that ECC cryptography should provide. As a result,an attacker may be able to craft a certificate that appears to have the ability to be traced to a trusted root certificate authority. Any software,including third-party non-Microsoft software,that relies on the Windows CertGetCertificateChain()function to determine if an X.509 certificate can be traced to a trusted root CA may incorrectly determine the trustworthiness of a certificate chain. Microsoft Windows versions that support certificates with ECC keys that specify parameters are affected. This includes Windows 10 as well as Windows Server 2016 and 2019. Windows 8.1 and prior,as well as the Server 2012 R2 and prior counterparts,do not support ECC keys with parameters. For this reason,such certificates that attempt to exploit this vulnerability are inherently untrusted by older Windows versions.
CDNs use HTTP caching software to provide high availability and high performance by distributing the service spatially relative to end-users. The HTTP caching software interprets the HTTP request from a website visitor(web client)using the supplied HTTP headers to select and deliver appropriate content. The content can either be delivered from the local cache or collected by reaching the appropriate back end web servers. This vulnerability works by sending arbitrary headers into the HTTP request stream,which may be processed by the back end web server or by the HTTP caching software. If either the web server or the HTTP caching software is vulnerable,it will include the attackers injected content in the response without performing any type of sanitization. Once the attacker’s malicious content is returned,it will also be cached by the HTTP caching software. The HTTP caching software will continue to serve the malicious content to all future visitors of the website until the cache expires or is deleted. This allows the attacker to inject arbitrary content once and have multiple future visitors of the CDN hosted website collect the attacker’s content and execute unwanted scripts. HTTP header injection using traditional headers,like the Host header and X-Forwarded-Host header,is not a new attack method. New HTTP headers like X-Forwarded-Proto,Referer,Upgrade-Insecure-Requests,and X-DNS-Prefetch-Control have been created to provide more capabilities for HTTP processing. Cloud caching in addition to newly available headers allows for an increase in prolonged,large scale attacks against busy and popular websites. Some examples of the vulnerable headers are: Content-Security-Policy-Report-Only Forwarded Server-Timing Set-Cookie Strict-Transport-Security X-Forwarded-Proto Location Accept-Language Cookie X-Forwarded-For X-Forwarded-Host Referer Max-Forwards There are at least two common reasons why these attacks are possible: 1. Certain HTTP headers(e.g.,X-Forwarded-Host)are sent by the reverse proxy or CDN to the web server and are many times presumed to be generated/modified by the CDN and therefore trusted. 2. Certain HTTP headers(e.g.,User-Agent)are not sanitized by the CDN before being delivered to the web server.
A vulnerability in the SecureROM of some Apple devices can be exploited by an unauthenticated local attacker to execute arbitrary code upon booting those devices. SecureROM,which is located within the processor,contains the first code executed by the processor upon booting the device. Because SecureROM is read-only,it cannot be patched with a firmware update. Apple devices that implement processing chips A5 through A11 are vulnerable. This corresponds to iPhone models 4S through X; additionally,certain models of iPad,Apple Watch,iPod Touch,and Apple TV are vulnerable. See the Malwarebytes blog entry for a full list of affected devices. Further details about the vulnerability are available in Ars Technica’s interview with the vulnerability’s discoverer.
Telos AMHS is a web-based messaging system that supports DoD and Intelligence Community(IC)security marking requirements. AMHS versions prior to version 4.1.5.5 contain multiple XSS vulnerabilities and also fail to properly restrict access to information about other users on the system.
XLM macros Up to and including Microsoft Excel 4.0,a macro format called XLM was available. XLM macros predate the VBA macros that are more common with modern Microsoft Office systems,however current Microsoft Office versions still support XLM macros. SYLK and XLM macros XLM macros can be incorporated into SYLK files,as outlined by Outflank. Macros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users. This means that users may be a single click away from arbitrary code execution via a document that originated from the internet. SYLK and XLM macros with Microsoft Office for Mac It has been reported that Office 2011 for Mac fails to warn users before opening SYLK files that contain XLM macros. According to this post,Microsoft has reported that Office 2016 and Office 2019 for Mac properly prompt the user before executing XLM macros in SYLK files. The Problem If Office for the Mac has been configured to use the”Disable all macros without notification”feature,XLM macros in SYLK files are executed without prompting the user.
iTerm2 is a popular terminal emulator for macOS that supports terminal multiplexing using tmux integration and is frequently used by developers and system administrators. A vulnerability,identified as CVE-2019-9535,exists in the way that iTerm2 integrates with tmux’s control mode,which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5.
Several D-Link routers contain CGI capability that is exposed to users as/apply_sec.cgi,and dispatched on the device by the binary/www/cgi/ssi. This CGI code contains two flaws: The/apply_sec.cgi code is exposed to unauthenticated users. The ping_ipaddr argument of the ping_test action fails to properly handle newline characters. Any arguments after a newline character sent as ping_ipaddr in a POST to/apply_sec.cgi are executed on the device with root privileges. The following devices are reported to be vulnerable: DIR-655 DIR-866L DIR-652 DHP-1565 DIR-855L DAP-1533 DIR-862L DIR-615 DIR-835 DIR-825 We have made a proof-of-concept exploit available,which will disable network connectivity for one minute on affected devices.
Pulse Secure released an out-of-cycle advisory along with software patches for the various affected products on April 24,2019. This addressed a number of vulnerabilities including a Remote Code Execution(RCE)vulnerability with pre-authentication access. This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates. The CVE-2019-11510 has a CVSS score of 10. The CVEs listed in the advisory are: CVE-2019-11510 – Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability. CVE-2019-11509 – Authenticated attacker via the admin web interface can exploit this issue to execute arbitrary code on the Pulse Secure appliance. CVE-2019-11508 – A vulnerability in the Network File Share(NFS)of Pulse Connect Secure allows an authenticated end-user attacker to upload a malicious file to write arbitrary files to the local system. CVE-2019-11507 – A XSS issue has been found in Pulse Secure Application Launcher page. Pulse Connect Secure(PCS)8.3.x before 8.3R7.1,and 9.0.x before 9.0R3. CVE-2019-11543 – A XSS issue found the admin web console. Pulse Secure Pulse Connect Secure(PCS)9.0RX before 9.0R3.4,8.3RX before 8.3R7.1,and 8.1RX before 8.1R15.1 and Pulse Policy Secure 9.0RX before 9.0R3.2,5.4RX before 5.4R7.1,and 5.2RX before 5.2R12.1. CVE-2019-11542 – Authenticated attacker via the admin web interface can send a specially crafted message resulting in a stack buffer overflow. CVE-2019-11541 – Users using SAML authentication with Reuse Existing NC(Pulse)Session option may see authentication leaks CVE-2019-11540 – A vulnerability in the Pulse Secure could allow an unauthenticated,remote attacker to conduct a(end user)session hijacking attack. CVE-2019-11539 – Authenticated attacker via the admin web interface allow attacker to inject and execute command injection CVE-2019-11538 – A vulnerability in the Network File Share(NFS)of Pulse Connect Secure could allow an authenticated end-user attacker to access the contents of arbitrary files on the local file system. Exploitation of these vulnerabilities was demonstrated at various events and proved to be highly impactful due to the direct access to admin privileges and the consequent ability to infect multiple VPN connected users and their desktops. Initially there was a lack of clarity about CVE-2019-11510,as to whether it can be mitigated with the requirement of a client-certificate or two-factor authentication(2FA)to prevent this attack. CERT/CC has confirmed with the vendor that this vulnerability cannot be mitigated using client certificate and furthermore there is no viable alternative to updating the Pulse Secure VPN software to a non-vulnerable version. Even if client certificates are required for user authentication,CVE-2019-11510 can be exploited by an unauthenticated remote attacker to obtain session IDs of active users stored in/data/runtime/mtmp/lmdb/randomVal/data.mdb. The attacker can use these session IDs to impersonate as one of the active users. If a Pulse Secure administrator is currently active and the administrative access is available to the attacker,attacker could gain administrative access to Pulse Secure VPN. It is highly recommended that all Pulse Secure VPN administrators perform the required upgrade on all their affected products. If your Pulse Secure VPN has been identified as End of Engineering(EOE)and End of Life(EOL),we highly recommend replacement of the VPN appliance entirely without any delay – please check Pulse Secure advisory for this information. Timelines of specific events: March 22,2019–Security researcher O. Tsai and M. Chang responsibly disclose vulnerability to Pulse Secure April 24,2019 – Initial advisory posted and software updates posted by Pulse Secure to the Download Center April 25,2019–Assignment of CVE-2019-11510,CVE-2019-11509,CVE-2019-11508,CVE-2019-11507,CVE-2019-11543,CVE-2019-11542,CVE-2019-11541,CVE-2019-11540,CVE-2019-11539,CVE-2019-11538 April 26,2019 – Workaround provided for CVE-2019-11508 about disabling file sharing as a mitigation May 28 2019–Large commercial vendors get reports of vulnerable VPN through HackerOne July 31 2019–Full RCE use of exploit demonstrated using the admin session hash to get complete shell August 8 2019 – Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors(Pulse Secure)with detailed attack on active VPN exploitation August 24,2019–Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade October 7,2019–NSA produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by Advanced Persistent Threat actors