In this report we will take a look at some of the more interesting vulnerabilities of early 2020, leveraging the expert insight of the Vulnerability Detection Team, part of Avira’s Protection Labs.
These are our top 5 vulnerability threats for early 2020. They make this list based on our assessment of their criticality, coverage and impact. Each is described in more detail below; some have their own post.
During early 2020, Microsoft uncovered – and patched – more than 400 vulnerabilities, of which 40 were considered critical. Microsoft’s February patch release was by far the biggest, addressing nearly 100 issues.
A vulnerability of particular interest was one that enabled attackers to hijack Microsoft Teams accounts by sending specially created GIF links to the targeted user. Because the malicious content could be shared by any user, the impact was potentially “worm-able”.
Two vulnerabilities, SMBGhost (discussed below) and BlueKeep (from 2019), both have significant exploitation potential, possibly as great as the WannaCry incident. Both make use of remote payloads and target default Windows services such as RDP and SMB. In November, Microsoft reported in-the-wild attempts at exploiting the BlueKeep vulnerability.
Google’s Project Zero has reported multiple actively exploited vulnerabilities to Microsoft, including CVE-2020-1027, a flaw that could lead to a local privilege escalation scenario, and four zero-days exploited in the wild. These were patched in Microsoft’s April Patch Tuesday release and comprised CVE-2020-1027 (Windows Elevation of Privilege), CVE-2020-0938 (Adobe Font Manager), CVE-2020-1020 (Adobe Font Manager), and CVE-2020-0968 (Scripting Engine).
Two critical vulnerabilities affecting Apple’s Mail application have been reported by ZecOps. The vulnerabilities enable remote code execution and allow an attacker to remotely infect a device by email. According to the researchers, the bugs in question are remote code execution flaws that reside in the MIME library of Apple’s Mail app. The first results from an out-of-bounds write bug, and the second from a heap overflow. The vulnerabilities have been triggered in the wild. At the time of this blog post, Apple had not assigned a CVE number to either issue.
CVE-2020-0796, otherwise known as SMBGhost, is a remote code execution vulnerability that affects SMB (Server Message Block protocol) servers. This vulnerability allows attackers to achieve remote code execution by sending a specially crafted packet to a vulnerable SMBv3 server.
The vulnerability results from an integer overflow in the way SMBv3 handles requests. SMBv3 clients connected to vulnerable servers are also exposed.
Several proof-of-concepts for the SMBv3 issue have been released that exploit the vulnerability to obtain local privilege escalation.
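To make the vulnerability class concrete, here is an added example (written for this post, not code from Avira, Microsoft or the SMB implementation) of the generic integer-overflow pattern the SMBGhost paragraph describes: two attacker-controlled 32-bit length fields are added together to size a buffer, the addition wraps, the bounds check passes, and the resulting allocation is far smaller than the data that is later copied into it. The `struct hdr` layout, the field names and the `limit` parameter are constructed for illustration and do not reflect the real SMBv3 message format; the hardened variant shows the check a defender would expect to see in the fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed header: two length fields taken from untrusted input.
   This is an illustration only, not the SMBv3 packet layout. */
struct hdr {
    uint32_t offset;
    uint32_t length;
};

/* Vulnerable pattern: the 32-bit sum silently wraps around, so the
   "total > limit" check passes and the caller allocates a buffer of
   the wrapped (tiny) size while still trusting h->length for the copy.
   Returns the computed allocation size, or 0 when the check rejects. */
uint32_t unsafe_alloc_size(const struct hdr *h, uint32_t limit)
{
    uint32_t total = h->offset + h->length;   /* unsigned wrap-around here */
    if (total > limit)
        return 0;
    return total;
}

/* Hardened pattern: reject the request if the sum cannot be represented
   in 32 bits, then apply the limit. Written without compiler builtins so
   it is portable; __builtin_add_overflow() is an equivalent choice. */
bool safe_alloc_size(const struct hdr *h, uint32_t limit, uint32_t *out)
{
    if (h->length > UINT32_MAX - h->offset)   /* offset + length would wrap */
        return false;
    uint32_t total = h->offset + h->length;
    if (total > limit)
        return false;
    *out = total;
    return true;
}

int main(void)
{
    /* Constructed sample input: offset near UINT32_MAX plus a small length. */
    const struct hdr wrapping = { 0xFFFFFFF0u, 0x20u };
    const struct hdr normal   = { 16u, 32u };
    uint32_t n = 0;

    printf("unsafe: wrapped size = %u (should have been rejected)\n",
           unsafe_alloc_size(&wrapping, 65536u));
    printf("safe:   wrapping request accepted? %s\n",
           safe_alloc_size(&wrapping, 65536u, &n) ? "yes" : "no");
    printf("safe:   normal request size = %u\n",
           safe_alloc_size(&normal, 65536u, &n) ? n : 0u);
    return 0;
}
```

The lesson for reviewers and detection engineers is that the bug is not in the bounds check itself but in the arithmetic feeding it: any size derived from two untrusted fields must be checked for wrap-around before it is compared against a limit or handed to an allocator.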
2020 opened with a vulnerability that affected the Windows cryptographic mechanism. The United States National Security Agency (NSA) reported a critical vulnerability (CVE-2020-0601) in Windows’ Elliptic Curve Cryptography (ECC) certificate validation mechanism. This vulnerability allows an attacker to bypass the normal certificate validation mechanism and create their own cryptographic certificates which appear legitimate. We have a separate blog post on this vulnerability if you would like more details.
In April, the Android operating system received a patch that fixes CVE-2020-0022, alias BlueFrag. The vulnerability affects Bluetooth functionality and allows zero-click, short-distance remote code execution on the latest Android versions. Stefan Nicula of Avira’s Vulnerability Detection team takes a look at the vulnerability in this blog post.
Microsoft has reported a deserialization issue affecting its Exchange mail server; CVE-2020-0688 has been assigned to the issue. Successful exploitation of this vulnerability could allow an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.
At the beginning of the year, Avira’s Vulnerability Detection team identified and reported to Microsoft a number of malware samples abusing CVE-2020-0674. This vulnerability could allow an attacker to remotely execute code via a specially crafted webpage. The vulnerability leverages a memory corruption discovered in the jscript.dll library within the Internet Explorer scripting engine.
Google Chrome recently introduced a patch to fix a use-after-free vulnerability tracked as CVE-2020-6457. Although no details had been published at the time of writing, according to Google the vulnerability affects the speech recognition component of Chrome. From Google’s description, this vulnerability also involves a third-party component library.