The NSA has blown the lid off 25 computer security vulnerabilities Chinese government hackers are using to break into networks, steal data, and so on. The US super-spies said they went public with their list to help IT staff prioritize bug fixing. That is to say: if you're unsure of which patches to apply, do these first.
The cynical among you may be thinking the NSA has found other bugs to exploit in the world's computer systems, so y'all might as well go ahead and patch the ones the Chinese are still abusing. Who could blame you.
Speaking of programming blunders, Google today patched a security hole in Chrome that was exploited in the wild by miscreants. The vulnerability, CVE-2020-15999, lies in the software's Freetype parsing. Version 86.0.4240.111 of the browser for Windows, macOS, and Linux addresses the bug and others, and will be rolled out over the coming days.
Need Security ASAP
The NSA's list of 25 flaws [PDF] are programming blunders that are publicly known and for which patches exist. Seven affect remote access gateways, seven involve internal servers, one affects mobile device management, two are privilege escalations, two affect Active Directory, three involve network equipment, and three affect public-facing servers, according to this handy poster.
One of the bugs, involving Oracle WebLogic, is at least five years old; the rest were patched circa 2018 to this year.
“We hear loud and clear that it can be hard to prioritize patching and mitigation efforts,” NSA Cybersecurity Director Anne Neuberger said in a canned statement on Tuesday. “We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems."
Without further ado, here they are:
- CVE-2019-11510: In Pulse Secure VPNs, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. This may lead to exposure of keys or passwords.
- CVE-2020-5902: In F5 BIG-IP proxy / load balancer devices, the Traffic Management User Interface (TMUI) - also referred to as the Configuration utility - has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
- CVE-2019-19781: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway. They allow directory traversal, which can lead to remote code execution without credentials.
- CVE-2020-8193, CVE-2020-8195, CVE-2020-8196: Improper access control and input validation, in Citrix ADC and Citrix Gateway and Citrix SDWAN WAN-OP, allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.
- CVE-2019-0708: A remote code execution vulnerability exists within Microsoft Windows' Remote Desktop Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.
- CVE-2020-15505: A remote code execution vulnerability in the MobileIron mobile device management (MDM) software that allows remote attackers to execute arbitrary code via unspecified vectors.
- CVE-2020-1350: A remote code execution vulnerability exists in Microsoft Windows Domain Name System servers when they fail to properly handle requests.
- CVE-2020-1472: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using Microsoft's Netlogon Remote Protocol (MS-NRPC).
- CVE-2019-1040: A tampering vulnerability exists in Microsoft Windows when a miscreant-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection.
- CVE-2018-6789: An issue was discovered in the base64d function in the SMTP listener in Exim. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.
- CVE-2020-0688: A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.
- CVE-2018-4939: Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable deserialization of untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2015-4852: The WLS Security component in Oracle WebLogic Server 10.3.6.0, 22.214.171.124, 126.96.36.199, and 188.8.131.52 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001.
- CVE-2020-2555: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence.
- CVE-2019-3396: The Widget Connector macro in Atlassian Confluence Server allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
- CVE-2019-11580: Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.
- CVE-2020-10189: Zoho ManageEngine Desktop Central allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class.
- CVE-2019-18935: Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution.
- CVE-2020-0601: A spoofing vulnerability exists in the way Microsoft Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.
- CVE-2019-0803: An elevation of privilege vulnerability exists in Microsoft Windows when the Win32k component fails to properly handle objects in memory.
- CVE-2017-6327: The Symantec Messaging Gateway can encounter an issue of remote code execution.
- CVE-2020-3118: A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device.
- CVE-2020-8515: DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 184.108.40.206_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters.
While Russian hackers remain king of online disinformation, China is more focused on stealing data for economic advantage. The NSA warns defense contractors to be on particular alert, though these are all holes everyone should patch. ®