CVE In The Hook – Monthly Vulnerability Review (January 2020 Issue)

CVE In The Hook – Monthly Vulnerability Review (January 2020 Issue)

Every day, new common vulnerabilities and exploits are publicly exposed. While this brings these flaws to the public’s attention and allows users to patch them, it also alerts potential attackers to their existence.

Once a CVE is known, you should immediately take whatever steps you can to reduce the threat to you. In most cases, the responsible party will quickly release a fix once it comes to their attention. For known vulnerabilities without a fix (or zero-day vulnerabilities), you might need to take other mitigating steps.

The first step is to know whether your systems might be affected. Then, you need to know what the status of any potential fix is and what you can do to patch the vulnerability.

In this article, you’ll find all the most crucial information to address these Top Ten Severe Security Flaws for the month of January 2020 as well as the indicators generated by our vulnerability intelligence service in order to provide your organizations with a transverse approach to identify, scan, detect, block, fix and even exploit your resources. 

These JSON top-notch indicators are aligned with the security standards (CVE, CPE, CWE, CAPEC, ATT&CK) and third-party data-sources to allow your teams a better integration with their existing solutions.

Here is the list of CVEs covered by this CVE In The Hook – January Review

  • CVE-2020-7247: OpenSMTPD Privilege escalation and code execution vulnerability
  • CVE-2019-19781: Citrix ADC code execution vulnerability
  • CVE-2020-0601: Windows CryptoAPI spoofing and code execution vulnerability
  • CVE-2020-0609: Windows RD code execution vulnerability
  • CVE-2020-7980: Intellian Aptus Web Remote Code Execution
  • CVE-2020-0603: ASP.NET Core RCE Vulnerability
  • CVE-2020-0605: NET Framework RCE Vulnerability
  • CVE-2020-0611: Remote Desktop Client RCE Vulnerability
  • CVE-2020-3710: Adobe Illustrator and AEM Flaws
  • CVE-2019-17026: Mozilla Firefox RCE vulnerability

CVE-2020-7247 – OpenSMTPD Privilege escalation and code execution vulnerability

This vulnerability was first discovered in May 2018 and is still tracked as CVE-2020-7247. It’s a flaw found in the OpenSMTPD 6.6 mail server. More specifically, it’s an exploit of the smtp_mailaddr function in the smtp_session.c session component.

OpenSMTPD is an open-source mail server shipped with OpenBSD. However, some also use it for NetBSD, FreeBSD, and other operating systems. It’s a severe exploit with a 9.8 “critical” rating by the NIST.

CVE-2020-7247 local privilege escalation and remote code execution flaw. It effectively allows the attacker to run shell commands with root privileges. For example, attackers can run commands like “sleep” remotely.

However, there are some restrictions on what attackers can accomplish with a 64-character limit and certain characters that have to be escaped. As such, mass exploitation has been limited so far.

OpenSMTPD developers have acknowledged the flaw. On January 29, they released OpenSMTPD version 6.6.2p1 that contains a fix for the issue.

CVE-2020-7247 – vFeed JSON indicators screenshots

CVE-2019-19781 – Citrix ADC code execution vulnerability

This vulnerability has been identified in Citrix Application Delivery Controller (ADC) and Citrix Gateway. It is, therefore, a threat to all parties running enterprise Citrix software. This vulnerability also impacts Citrix SDWAN WANOP as it implements Citrix ADC as a load balancer.

This vulnerability is a path traversal bug. It allows attackers to send exploit code along with a request to the Citrix implementation. This code will then be executed on the device. This vulnerability can be exploited via the internet, and the attacker doesn’t need to provide any authentication.

Citrix is aware of the vulnerability and released a security advisory with mitigation steps on December 17, 2019. However, there is as of yet no patch or fix for the bug.

The ease with which it can be exploited and the severe harm it can do means it’s a critical vulnerability. Scans and exploitation attempts have picked up in the wild, but at first, attackers didn’t have access to a publicly available exploit. Since then, security researchers Project Zero India have released proof-of-concept exploit code.


CVE-2019-19781 – vFeed JSON indicators screenshots

CVE-2020-0601 – Windows CryptoAPI spoofing and code execution vulnerability

CVE-202-0601 is a spoofing vulnerability present in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. The Windows CryptoAPI Spoofing Vulnerability is also known as CurveBall or ChanOfFools.

It allows an attacker to sign a malicious executable as if it was from a trusted source. Both the system and the user will have no idea that it’s actually a harmful entity, making installing various forms of malware and ransomware on a computer much easier.

It affects Windows 10, Server 2016, and Server 2019 versions of crypt32.dll that implements the Windows CryptoAPI.

It’s a very simple vulnerability to exploit, and multiple code exploits were made public soon after it’s discovery. The NSA was the first to identify and report the bug and Microsoft has already provided a response via its Security Center. However, both NSA and Microsoft have stated they are unaware of any widespread exploitation of the bug soar.

That being said, users are urged to treat this with vulnerability with the utmost severity and patch their systems immediately as the threat of exploitation is critical.

Microsoft released a security update on January 14, 2020, with a patch for this issue. Google Chrome has also been updated to flag invalid certificates.

CVE-2020-0601 – vFeed JSON indicators screenshots

CVE-2020-0609 – Windows RD code execution vulnerability

Another flaw that affects Microsoft systems, it’s a remote code execution vulnerability impacting specifically Windows RD (Remote Desktop) Gateway Servers. It shares many similarities with CVE-2020-0601 with the same writeup for both from Microsoft.

An attacker would need to send a specifically crafted package via RDP to infect a system’s RD Gateway. The attacker could then execute code at the server-level with pre-authentication and without any user interaction. Because of this, these bugs are “wormable” and can spread from server to server on their own.

A patch has also been rolled out for this vulnerability with the same security update above.


CVE-2020-0609 – vFeed JSON indicators screenshots

CVE-2020-7980 – Intellian Aptus Web Remote Code Execution

This remote code execution vulnerability was present in Intellian Aptus Web systems. Attackers can exploit this bug by sending and executing commands via the Q field in a JSON string submitted to the cgi-bin/libagent.cgi URI web script file. This affects specifically the 1.24 version of the software.

One of the mitigating factors for the severity of this vulnerability is that attackers might require a valid SID cookie. However, it’s still potentially a critical flaw because it allows malicious users to execute arbitrary code remotely over the web.

The bug has been publicly known since at least 29 January 2020 exploit code is already freely available online which means this vulnerability should be addressed ASAP. Unfortunately, there has been no official response from Intellian as of yet and there is no word yet on an official patch to solve this problem.

CVE-2020-7980 – vFeed JSON indicators screenshots

CVE-2020-0603 – ASP.NET Core RCE Vulnerability

An exploitable remote code execution vulnerability discovered in ASP.NET which resides in different versions of ASP.NET core software. Once an attacker has successfully exploited the vulnerability, he/she can execute arbitrary commands and to take control of the machine and will be able to change, delete, view your data and even can create new user accounts.

The user’s action is required for the exploitation of this vulnerability. An attacker may trick the user into clicking on a file from the vulnerable ASP.NET core software. Hackers can also use email services to send you the affected clickable file.

The vulnerability affects the three ASP.NET core versions. The severity level for all of them marked as critical. Security updates released for these remote code execution vulnerabilities. The affected software includes ASP.NET Core version 2.1, 3.0 and 3.1 with critical severity

The vulnerabilities in ASP.NET core versions were never exploited and publicly disclosed. The exploitation for older or newer versions is also less likely to happen.

The security updates for all three affected ASP.NET core versions were officially released quickly to prevent any sort of vulnerability exploitation.

CVE-2020-0603 – vFeed JSON indicators screenshots

CVE-2020-0605 – .NET Framework RCE Vulnerability

This vulnerability resides in the .NET framework. The vulnerability impacts when the software is not able to check the source markup of a file.

Once the attacker has successfully exploited the vulnerability, he/she will be able to run arbitrary codes on behalf of the affected user. If the victim is the administrator of the machine, then the hacker can make things escalated quickly and gain remote access to the system. If a user account has limited rights, then it will not be severely affected.

Exploitation is only possible when a user clicks the infected file with the .NET affected framework. The attacker may convince you through email to click the file.

There is a long list of affected .NET framework versions. Some of them are mentioned here .NET Core 3.0, .NET Core 3.1, Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2, Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2. Check Full List Of Affected Versions

The vulnerability was not disclosed publicly, and security updates are released before any kind of misuse and exploitation. They are less likely to be exploited for newer and older versions. The denial of service is not applicable to this kind of vulnerability.

The security updates are released for all the affected versions. These security updates will help to prevent any kind of future vulnerability exploitation.

CVE-2020-0605 – vFeed JSON indicators screenshots

CVE-2020-0611 – Remote Desktop Client RCE Vulnerability

This vulnerability resides in the Remote Desktop client of the Windows operating system. When a user connects to a malicious server, his/her system gets compromised. Hacker will then able to run arbitrary commands on the victim’s machine. The remote code execution allows the attacker with full system control.

The attacker will use a server under their control. They will trick the user into connecting to their malicious server. Man-in-the-Middle, Social engineering, DNS Poisoning techniques can be used to exploit the vulnerability. A hacker may lay a trap by putting malicious code in a trustable server and wait for the user to come.

Here is a list of some affected versions of windows with their severity level and vulnerability impact Windows 10 for 32-bit Systems, Windows 10 for x64-based Systems, Windows 10 Version 1607 for x64-based Systems, Windows 10 Version 1607 for 32-bit Systems. View the full list of Affected Versions

The Remote Desktop vulnerability was not publicly disclosed, and there are exploitation cases found. The vulnerability is less likely to be exploitable by the latest and older versions of windows.

The security updates for Remote Desktop clients are released for all affected versions. These updates will prevent any kind of exploitation from the hacker’s side.

CVE-2020-0611 – vFeed JSON indicators screenshots

CVE-2020-3710 – Adobe Illustrator and AEM Flaws

There were various flaws found in Adobe Illustrator and CC. Most of these vulnerabilities are now patched. Nine significant vulnerabilities were patched within the regular updates pushed by Abode.

Attackers were able to execute arbitrary code by modifying the content of memory locations. Corruption attacks are the main highlight of these vulnerabilities. Along with CVE-2020-3710, there were other flaws designated as CVE-2020-3711, CVE-2020-3712, CVE-2020-3713, CVE-2020-3714.

Here is a list of affected adobe products by these vulnerabilities : Illustrator CC 2019 v24.02 and earlier, Adobe Experience Manager v6.5, v6,4, v6.3.

The vulnerabilities were timely reported to Abode, and there was no misuse or exploitation from the hacker’s side because the vulnerability was not disclosed publicly, and Adobe silently released the patches.

Nine major patches were released for affected Adobe software. Five of these patches were released for critical vulnerabilities. Some patches were also pushed with the regular updates.

CVE-2020-3710 – vFeed JSON indicators screenshots

CVE-2019-17026 – Mozilla Firefox RCE vulnerability

The critical vulnerabilities were found in Mozilla Firefox and Firefox Extended Support release. It could allow the hacker to run arbitrary code on the vulnerable machines. Once the hacker has successfully exploited the vulnerability, he could gain access to the system.

Here is a list of Mozilla systems affected by this vulnerability: Firefox version 72.0.1 or earlier, Firefox ESR version 68.4.1 or earlier.

The zero-days were ready for these vulnerabilities, and the hackers exploited it along with another Internet Explorer zero-day. Once the exploitation passed, then, it was reported to the Mozilla by Qihoo 360 ATA (Chinese cybersecurity firm).

The vulnerabilities are patched in the newer versions of Mozilla. The issues are fixed in Mozilla Firefox 72.0.2 and Firefox ESR 68.4.1 versions.

CVE-2019-17026 – vFeed JSON indicators screenshots

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"
Strengthening Security: ToolsWatch Welcomes Dr. Magda Lilia Chelly and Vivek Ramachandran to Black Hat Arsenal’s Board of Review

Strengthening Security: ToolsWatch Welcomes Dr. Magda Lilia Chelly and Vivek Ramachandran to Black Hat Arsenal’s Board of Review

GISEC Armory Edition 1 Dubai 2024 – Call For Tools is Open

GISEC Armory Edition 1 Dubai 2024 – Call For Tools is Open

Black Hat Arsenal 2024 Next Stop Singapore !

Black Hat Arsenal 2024 Next Stop Singapore !

ToolsWatch introducing Armory at Gisec 2024 in Dubai: A New Arena for Cybersecurity Open Source Tools Announced

ToolsWatch introducing Armory at Gisec 2024 in Dubai: A New Arena for Cybersecurity Open Source Tools Announced

Unveiling the Awesome Lineup for Black Hat MEA Arsenal 2023 in Riyadh, KSA

Unveiling the Awesome Lineup for Black Hat MEA Arsenal 2023 in Riyadh, KSA

Announcing the First Black Hat / ToolsWatch SecTor Toronto 2023 Arsenal Tools and Their Impact on the Community

Announcing the First Black Hat / ToolsWatch SecTor Toronto 2023 Arsenal Tools and Their Impact on the Community