vFeed has published a list that compiles and ranks, by several criteria, the ten vulnerabilities most exploited over the past year. The figures will not match those of other security vendors exactly, but they agree in broad terms and show what kinds of exploits criminals prefer.
- CVE-2020-0796 (SMBGhost): Heading the 2020 list is this flaw in SMB 3.1.1, disclosed in March. According to Microsoft, which published guidance on working around it (disabling SMBv3 compression until the patch was applied), an attacker could exploit the bug to execute arbitrary code on either the SMB server or the SMB client.
- CVE-2020-5902: The second most exploited vulnerability of 2020 affected TMUI (Traffic Management User Interface), the configuration utility of F5 Networks' BIG-IP appliances, and allowed unauthenticated remote code execution on them.
- CVE-2020-1472 (Zerologon): Little remains to be said about this vulnerability, which looked like it would be the last big security story of the year (until SolarWinds arrived, of course). A flaw in the cryptographic implementation of the Netlogon Remote Protocol (AES-CFB8 used with an all-zero IV, so a client challenge of all zeros authenticates) forced a rushed review of Windows Server domain controllers.
- CVE-2020-0601 (CurveBall): If 2020 ended with Zerologon, it practically started with CurveBall, a critical flaw in the ECC certificate validation of Windows CryptoAPI (crypt32.dll), reported by the NSA and quickly patched by Microsoft in mid-January.
- CVE-2020-14882: If you administer Oracle WebLogic Server this CVE is surely familiar, right? Disclosed in October, it was still being actively exploited months later, and plenty of infrastructure owners were still running vulnerable versions even though patches that remove the risk were available.
- CVE-2020-1938 (Ghostcat): Disclosed in February 2020, this vulnerability stems from Apache Tomcat granting AJP (Apache JServ Protocol) connections a much higher level of trust than it gives other protocols. As a result, an unauthenticated attacker who could reach the AJP port could read or include any file under the web application, and, where the application also let them upload a file, execute arbitrary code.
- CVE-2020-3452: Affects the web services interface of Cisco ASA (Adaptive Security Appliance) and Cisco FTD (Firepower Threat Defense) software and can be abused by unauthenticated remote attackers, via directory traversal, to read sensitive files within the web services file system on the targeted device.
- CVE-2020-0688: A flaw in how Microsoft Exchange generates its cryptographic keys at install time (every installation shipped with the same static validationKey and decryptionKey in web.config, so a crafted ViewState is deserialized by the server) produced one of the year's most attractive vulnerabilities for ransomware operators; exploitation requires the credentials of any mailbox user. Fortunately, Microsoft identified and patched it in February.
- CVE-2020-16898 (Bad Neighbor): Affects the Windows TCP/IP stack's handling of crafted ICMPv6 Router Advertisement packets and allows remote code execution. McAfee researchers named it "Bad Neighbor" because the bug lives in the ICMPv6 Neighbor Discovery handling, and it is considered wormable between hosts on the same link.
- CVE-2020-1350 (SIGRed): Fixed in the July Patch Tuesday and rated 10 out of 10, it affects the DNS Server role of Windows Server and, when exploited, allows remote code execution simply by sending a specially crafted request to the DNS server.
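The Ghostcat entry comes down to one question for a Tomcat operator: is an AJP connector listening, on which address, and does it require a shared secret? The audit below is an added example, not Tomcat's or the article's code. It parses a server.xml and reports AJP connectors that listen on all interfaces or have no secret. Assumptions: the attribute names (protocol, address, secretRequired, secret) are Tomcat's documented Connector attributes, and the two embedded XML fragments are constructed samples, one mirroring the pre-9.0.31 default (AJP on, all interfaces, no secret) and one hardened.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed the way Ghostcat
(CVE-2020-1938) abuses them.  Added example; not Tomcat's or the article's code.
Assumed: the attribute names (protocol, address, secretRequired, secret) are the
documented Tomcat Connector attributes; the XML below is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample 1: the historical default, as shipped before Tomcat 9.0.31.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample 2: AJP kept for a local front-end proxy, bound to loopback
# and protected by a shared secret (the value is a placeholder).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-long-random-value" redirectPort="8443"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::"}


def audit_ajp(server_xml: str) -> list:
    """Return one finding per AJP connector weakness.  An empty list means the
    file has no AJP connector, or every AJP connector is loopback-only and
    carries a secret."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None or address in WILDCARD:
            findings.append(f"AJP/{port}: listens on all interfaces (no address= or wildcard)")
        elif address not in LOOPBACK:
            findings.append(f"AJP/{port}: bound to non-loopback address {address}")
        if conn.get("secretRequired", "true").lower() != "true":
            findings.append(f"AJP/{port}: secretRequired explicitly disabled")
        elif not conn.get("secret"):
            findings.append(f"AJP/{port}: no shared secret (pre-9.0.31 default; any AJP client is trusted)")
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp(xml) or ["ok"])
```

Run it against the real file (`audit_ajp(open("/path/to/conf/server.xml").read())`). The cleanest fix is still to comment the AJP connector out entirely when no reverse proxy speaks AJP to Tomcat.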
A look back at the most serious vulnerabilities of 2020
1. vBulletin Remote Code Execution Vulnerability
- CVE Number: CVE-2020-17496
- Severity: Critical
We captured malicious sessions related to the vBulletin remote code execution vulnerability. The vendor is widely used and the severity is critical. We published research on CVE-2020-17496 in September 2020.
2. WordPress File Manager Plugin Remote Code Execution Vulnerability
- CVE Number: CVE-2020-25213
- Severity: Critical
WordPress sites running the wp-file-manager plugin have a remote code execution vulnerability: an unauthenticated request can write arbitrary PHP code into a specific directory of the plugin.
3. Nette Code Injection Vulnerability
- CVE Number: CVE-2020-15227
- Severity: Critical
Nette is a PHP/Composer MVC framework. It is vulnerable to code injection through specific URL parameters; the issue is critical because it leads to remote code execution.
4. Artica Web Proxy SQL Injection Vulnerability
- CVE Number: CVE-2020-17506
- Severity: Critical
Artica Web Proxy is firewall software that is vulnerable to SQL injection in the apikey parameter of fw.login.php. The injection can be used to bypass Artica's authentication and gain administrator privileges.
5. Oracle WebLogic Server Remote Code Execution Vulnerability
- CVE Number: CVE-2020-14882; CVE-2020-14883; CVE-2020-14750
- Severity: Critical
Oracle WebLogic Server has a remote code execution vulnerability that can lead to full compromise of the server. The flaw has low attack complexity and is described by Oracle as "easily exploitable."
1. PHPUnit Remote Code Execution Vulnerability
- CVE-2017-9841
Exposure of the /vendor directory (and the eval-stdin.php utility script that PHPUnit ships inside it) allows remote attackers to gain arbitrary PHP code execution on the target. This vulnerability affects all 4.x versions before 4.8.28 and 5.x versions before 5.6.3.
2. ThinkPHP Remote Code Execution Vulnerability
- CVE-2019-9082
There is a remote code execution vulnerability in ThinkPHP versions before 3.2.4, caused by insufficient validation of the controller name in the URL.
3. Zeroshell Remote Command Execution Vulnerability
- CVE-2019-12725
There is a remote command execution vulnerability in ZeroShell version 3.9.0. By wrapping the payload in new-line characters and placing the result in the x509type HTTP parameter, an unauthenticated attacker can achieve arbitrary code execution on the victim's machine.
4. vBulletin Remote Code Execution Vulnerability
- CVE-2019-16759
vBulletin version 5.0.0 through 5.5.4 is susceptible to remote command execution due to lack of validation of the HTTP parameter widgetConfig[code].
5. D-Link Remote Command Execution Vulnerability
- CVE-2018-19986
Both D-Link DIR-818LW Rev.A 2.05.B03 and DIR-822 B1 202KRb06 devices are susceptible to a command injection vulnerability due to insufficient validation of the HTTP parameter RemotePort. An attacker can inject shell metacharacters and achieve arbitrary command execution.
- CVE-2019-19597
There is a remote command execution vulnerability in D-Link DAP-1860 devices due to insufficient sanitization of the HNAP_Auth HTTP header value. An attacker can inject shell metacharacters and achieve arbitrary code execution.
6. GPON Home Routers Remote Code Execution Vulnerability
- CVE-2018-10561
Vulnerable versions of Dasan GPON routers are susceptible to authentication bypass because of improper URL handling (appending ?images/ to a request skips the authentication check). This vulnerability is often chained with CVE-2018-10562 to maximize the impact.
- CVE-2018-10562
There is a command injection vulnerability in Dasan GPON routers. Vulnerable versions do not sanitize the dest_host parameter of the diagnostic ping request. Because the router saves the ping output in /tmp and returns it to the user on the next visit to /diag.html, an attacker can both execute commands and read back their output.
7. vBulletin Remote Code Execution Vulnerability
- CVE-2020-17496
There is a remote command execution vulnerability in vBulletin 5.5.4 through 5.6.2 via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request.
NOTE: This issue exists because of an incomplete fix for CVE-2019-16759.
8. ThinkPHP Remote Code Execution Vulnerability
- CVE-2018-20062
A specially crafted value in the filter HTTP parameter can result in arbitrary code execution in the ThinkPHP framework. This bug affects versions <= 5.0.23.
9. Drupal Core Remote Code Execution Vulnerability
- CVE-2018-7600
Drupal allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations (Drupalgeddon2, an input validation flaw in the Form API).
10. DrayTek Vigor Remote Command Injection Vulnerability
- CVE-2020-15415
On DrayTek Vigor3900, Vigor2960 and Vigor300B devices before 1.5.1, shell metacharacters via cgi-bin/mainfunction.cgi/cvmcfgupload allow remote command execution in a filename when the text/x-python-script content type is used.
- CVE-2020-14472
Several command injection vulnerabilities exist in the mainfunction.cgi file on DrayTek Vigor3900, Vigor2960 and Vigor300B devices before 1.5.1.1.
- CVE-2020-8515
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, Vigor300B 1.3.3_Beta, 1.4.2.1_Beta and 1.4.4_Beta allow remote code execution as root via shell metacharacters to the cgi-bin/mainfunction.cgi URI without authentication.
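Most of the router bugs in this list (the D-Link RemotePort and HNAP_Auth entries, the GPON dest_host entry, the DrayTek mainfunction.cgi entries) are the same defect: a request parameter is pasted into a shell command line, so metacharacters become commands. The example below is added here and is not vendor firmware code; the function names are hypothetical. It shows the vulnerable construction next to a hardened one that validates the value and never goes through a shell, which also defeats the newline-wrapping trick used against ZeroShell.

```python
"""The 'ping a host taken from a CGI parameter' bug behind the D-Link, GPON and
DrayTek entries above, vulnerable and hardened side by side.  Added example;
not vendor firmware code, and the function names are hypothetical."""
import ipaddress
import subprocess


def build_ping_vulnerable(dest_host: str) -> str:
    """What the vulnerable CGIs do: paste the parameter into a shell command
    line.  Returned rather than executed so the injection stays visible."""
    return "ping -c 1 " + dest_host


class BadHost(ValueError):
    """Raised when dest_host is not a plain IP address or hostname."""


HOSTNAME_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789.-")


def build_ping_hardened(dest_host: str) -> list:
    """Validate the parameter and return an argv list.  No shell is involved,
    so ';', '|', backticks and newlines (the ZeroShell trick) carry no meaning,
    and a leading '-' is refused so the value cannot become a ping option."""
    try:
        host = str(ipaddress.ip_address(dest_host))   # canonical IPv4/IPv6 form
    except ValueError:
        host = dest_host
        if (not host or len(host) > 253 or host.startswith("-")
                or set(host.lower()) - HOSTNAME_CHARS):
            raise BadHost(f"rejected dest_host: {dest_host!r}")
    return ["ping", "-c", "1", host]


def run_ping(argv: list) -> int:
    """Execute a validated argv without shell=True; returns the exit status."""
    return subprocess.run(argv, capture_output=True, timeout=15).returncode


if __name__ == "__main__":
    payload = "127.0.0.1; cat /etc/passwd"
    print("vulnerable builds:", build_ping_vulnerable(payload))   # a shell would run cat
    for value in ("127.0.0.1", "example.com", payload, "\nid\n", "-c 999999"):
        try:
            print("hardened accepts:", build_ping_hardened(value))
        except BadHost as exc:
            print("hardened:", exc)
```

The hostname branch deliberately accepts only lowercase letters, digits, dots and hyphens; if the device needs to reach names outside that set, the right move is to extend the allow-list, not to fall back to a shell.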
In addition to vulnerabilities with specific CVE numbers assigned, we also capture other vulnerabilities that occur with high frequency. Below are the top five:
- ThinkCMF local file inclusion vulnerability.
There’s a file inclusion vulnerability in ThinkCMF that can also result in remote code execution. This bug affects ThinkCMF with versions <= 2.2.3.
- D-Link DSL-2750B OS command injection vulnerability.
D-Link DSL-2750B router is susceptible to a command injection vulnerability, which Mirai and its variants often abuse for infection and propagation.
- MVPower DVR unauthenticated command execution vulnerability.
Mirai and its variants are found to exploit this command execution vulnerability in MVPower DVR devices for the purpose of infection.
- Zyxel EMG2926 router command injection vulnerability.
A lack of parameter validation in Zyxel EMG2926 routers results in a remote command injection vulnerability. It is also one of the vulnerabilities exploited by Mirai malware.
- Netgear DGN Device remote command execution.
It is an unauthenticated remote command execution resulting from the lack of input sanitization in the syscmd function of setup.cgi. The vulnerability exists in Netgear DGN devices: DGN1000 (firmware versions before 1.1.00.48) and DGN2200 v1.
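Because these bugs are mass-exploited by scanners, most of them are cheap to spot in ordinary web-server access logs. The scanner below is an added example, not from the page or any vendor. Its rules key on the paths and parameter names the entries above give (eval-stdin.php under /vendor, the ThinkPHP filter parameter, vBulletin's widgetConfig[code] and widget_tabbedcontainer_tab_panel, ZeroShell's newline-wrapped x509type, DrayTek's mainfunction.cgi, Netgear's setup.cgi syscmd). Assumptions not stated on the page: the exact eval-stdin.php path, the kerbynet path used for ZeroShell, the list of PHP function names that make a filter= value suspicious, and the query layouts of the sample lines, which are all constructed in Apache common-log shape.

```python
"""Flag access-log requests that look like the mass-exploited web bugs listed
above.  Added example; not from the page or any vendor.  The eval-stdin.php
path, the kerbynet path, the PHP function-name list for filter= and the query
layouts of the sample lines are assumptions; all log lines are constructed."""
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Applied to the URL-decoded request target (path + query).  Bodies are not in
# access logs, so the vBulletin and DrayTek rules key on the endpoint alone.
SIGNATURES = [
    ("CVE-2017-9841 PHPUnit eval-stdin.php under /vendor", re.compile(r"/vendor/.*eval-stdin\.php", re.I)),
    ("CVE-2018-20062 ThinkPHP filter= naming a PHP function",
     re.compile(r"[?&]filter=(system|exec|shell_exec|passthru|phpinfo|assert|call_user_func)\b", re.I)),
    ("CVE-2019-16759 vBulletin widgetConfig[code]", re.compile(r"widgetConfig\[code\]", re.I)),
    ("CVE-2020-17496 vBulletin widget_tabbedcontainer_tab_panel",
     re.compile(r"/ajax/render/widget_tabbedcontainer_tab_panel", re.I)),
    ("CVE-2019-12725 ZeroShell newline-wrapped x509type", re.compile(r"[?&]x509type=[^&]*\n", re.I)),
    ("DrayTek mainfunction.cgi", re.compile(r"/cgi-bin/mainfunction\.cgi", re.I)),
    ("Netgear DGN setup.cgi syscmd", re.compile(r"setup\.cgi\?.*syscmd", re.I)),
]

# Constructed sample log: six exploit attempts followed by two benign requests.
SAMPLE_LOG = """198.51.100.7 - - [12/Dec/2020:10:01:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 162
198.51.100.8 - - [12/Dec/2020:10:01:05 +0000] "GET /index.php?s=index/%5Cthink%5CRequest/input&filter=phpinfo&data=1 HTTP/1.1" 200 11
203.0.113.4 - - [12/Dec/2020:10:02:11 +0000] "POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1" 200 5120
203.0.113.5 - - [12/Dec/2020:10:02:40 +0000] "GET /cgi-bin/kerbynet?Action=x509view&Section=NoAuth&User=&x509type=%27%0Aid%0A%27 HTTP/1.1" 200 0
192.0.2.9 - - [12/Dec/2020:10:03:01 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200 0
192.0.2.9 - - [12/Dec/2020:10:03:03 +0000] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=id&curpath=/ HTTP/1.1" 200 0
192.0.2.11 - - [12/Dec/2020:10:04:00 +0000] "GET /index.php?page=about&filter=recent HTTP/1.1" 200 2048
192.0.2.12 - - [12/Dec/2020:10:04:09 +0000] "GET /vendor/js/app.js HTTP/1.1" 200 40211
"""


def scan(lines) -> list:
    """Return (src_ip, rule_name, decoded_target) for every line matching a
    rule.  Non-matching and unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote(m.group("target"))   # decode %0A, %5C, %27 ... before matching
        for name, rx in SIGNATURES:
            if rx.search(target):
                hits.append((m.group("ip"), name, target))
    return hits


def noisiest_sources(hits, n=3) -> list:
    """Source IPs ranked by number of matched requests."""
    return Counter(ip for ip, _, _ in hits).most_common(n)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for ip, name, target in found:
        print(f"{ip:<14} {name}\n{'':<14} {target!r}")
    print("top sources:", noisiest_sources(found))
```

Decoding before matching matters: the ZeroShell rule would miss `%0A` in the raw line, and the ThinkPHP rule would miss a backslash sent as `%5C`. The HTTP status is kept in the parse but not used as a filter on purpose: a 404 on eval-stdin.php is still a scanner worth counting.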
Bonus: Top 25 RCE Bug Bounty Reports
The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity, complexity and uniqueness.
#1
Title: Potential pre-auth RCE on Twitter VPN
Company: Twitter
Bounty: $20,160
#2
Title: RCE on Steam Client via buffer overflow in Server Info
Company: Valve
Bounty: $18,000
#3
Title: Struct type confusion RCE
Company: Shopify
Bounty: $18,000
#4
Title: Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution
Company: Valve
Bounty: $12,500
#5
Title: Git flag injection — local file overwrite to remote code execution
Company: GitLab
Bounty: $12,000
#6
Title: Remote Code Execution on www.semrush.com/my_reports on Logo upload
Company: SEMrush
Bounty: $10,000
#7
Title: Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message
Company: Valve
Bounty: $9,000
#8
Title: RCE using bash command injection on /system/images (toimitilat.lahitapiola.fi)
Company: LocalTapiola
Bounty: $6,800
#9
Title: Remote Code Execution at http://tw.corp.ubnt.com
Company: Ubiquiti Inc.
Bounty: $5,000
#10
Title: Adobe Flash Player Regular Expression UAF Remote Code Execution Vulnerability
Company: Flash (IBB)
Bounty: $5,000
#11
Title: RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`
Company: Imgur
Bounty: $5,000
#12
Title: RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/
Company: Starbucks
Bounty: $4,000
#13
Title: [ RCE ] Through stopping the redirect in /admin/* the attacker able to bypass Authentication And Upload Malicious File
Company: Mail.ru
Bounty: $4,000
#14
Title: Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice
Company: Starbucks
Bounty: $4,000
#15
Title: Attention! Remote Code Execution at http://wpt.ec2.shopify.com/
Company: Shopify
Bounty: $3,000
#16
Title: Unchecked weapon id in WeaponList message parser on client leads to RCE
Company: Valve
Bounty: $3,000
#17
Title: Drupal 7 pre auth sql injection and remote code execution
Company: The Internet Bug Bounty Program
Bounty: $3,000
#18
Title: RCE via ssh:// URIs in multiple VCS
Company: The Internet Bug Bounty Program
Bounty: $3,000
#19
Title: Remote Code Execution on Git.imgur-dev.com
Company: Imgur
Bounty: $2,500
#20
Title: GMP Deserialization Type Confusion Vulnerability [MyBB <= 1.8.3 RCE Vulnerability]
Company: PHP (IBB)
Bounty: $1,500
#21
Title: Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE
Company: Lob
Bounty: $1,500
#22
Title: Remote code execution using render :inline
Company: Ruby on Rails
Bounty: $1,500
#23
Title: RCE which may occur due to `ActiveSupport::MessageVerifier` or `ActiveSupport::MessageEncryptor` (especially Active storage)
Company: Ruby on Rails
Bounty: $1,500
#24
Title: Remote code execution on rubygems.org
Company: RubyGems
Bounty: $1,500
#25
Title: WordPress SOME bug in plupload.flash.swf leading to RCE
Company: Automattic
Bounty: $1,337
Bonus: 10 Zero Dollars RCE Reports
#1 Bonus
Title: Read files on application server, leads to RCE
Company: GitLab
Bounty: $0
#2 Bonus
Title: XXE in DoD website that may lead to RCE
Company: U.S. D.o.D.
Bounty: $0
#3 Bonus
Title: Remote Code Execution (RCE) in a DoD website
Company: U.S. D.o.D.
Bounty: $0
#4 Bonus
Title: Remote Unrestricted file Creation/Deletion and Possible RCE.
Company: Twitter
Bounty: $0
#5 Bonus
Title: RCE on █████ via CVE-2017-10271
Company: U.S. D.o.D.
Bounty: $0
#6 Bonus
Title: Ability to access all user authentication tokens, leads to RCE
Company: GitLab
Bounty: $0
#7 Bonus
Title: Remote Code Execution via Extract App Plugin
Company: Nextcloud
Bounty: $0
#8 Bonus
Title: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███
Company: U.S. D.o.D.
Bounty: $0
#9 Bonus
Title: Remote Code Execution in Rocket.Chat Desktop
Company: Rocket.chat
Bounty: $0
#10 Bonus
Title: [npm-git-publish] RCE via insecure command formatting
Company: Node.js third-party modules
Bounty: $0
I hope this article was helpful and I would like to thank you for your attention!