Top Middle East Cyber Threats – 7 July 2020


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Microsoft Emergency Security Updates
Microsoft issued emergency security patches to plug a pair of serious vulnerabilities in its Windows Codecs library that impact several Windows 10 and Windows Server versions. Indexed as CVE-2020-1425 and CVE-2020-1457, the two remote-code execution (RCE) flaws are rated as ‘critical’ and ‘important’ in severity, respectively.
An attacker who can exploit CVE-2020-1425 could obtain information to further compromise the user’s system. Meanwhile, successful exploitation of the second flaw (CVE-2020-1457) could allow the attacker to execute arbitrary code on the targeted machine. Each flaw was given the “exploitation less likely” rating on Microsoft’s Exploitability Index. Affected users will receive the updates automatically through the Microsoft Store.
Recommendations

  • Help AG encourages users and administrators to review the guidelines released by Microsoft and check if the updates have been implemented.
  • Customers are strongly advised to install updates from the official vendor website at all times.

Vulnerability in Linux (CVE-2020-15393)
Over the years, the Linux kernel has racked up one of the longest lists of vulnerabilities among open source projects. One such vulnerability, CVE-2020-15393, was recently discovered by researchers: in the Linux kernel through 5.7.6, usbtest_disconnect in drivers/usb/misc/usbtest.c has a memory leak (aka CID-28ebeb8db770).
Recommendations

  • Help AG encourages users and administrators to urgently update the vulnerable asset according to the steps provided by the manufacturer.

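The advisory above gives the affected range as "Linux kernel through 5.7.6" and names the usbtest driver. The following added example (Help AG's own tooling is not shown on this page; this is illustrative code written for this post) turns those two facts into a triage check: it parses a `uname -r` style release string, compares it against the advisory's range, and reports whether the `usbtest` module is loaded. The `/proc/modules` content is a constructed sample, and the verdict strings are this example's own wording.

```python
import platform
import re

# Constructed sample of /proc/modules content (not from a real host): the first
# field of each line is the module name.
SAMPLE_PROC_MODULES = """\
usbtest 45056 0 - Live 0xffffffffc0a00000
usbcore 290816 3 usbtest,ehci_hcd,xhci_hcd, Live 0xffffffffc0800000
"""

# The advisory gives the affected range as "Linux kernel through 5.7.6".
LAST_AFFECTED = (5, 7, 6)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str) -> tuple:
    """Extract (major, minor, patch) from a `uname -r` style string such as
    '5.4.0-42-generic' or '5.8.0-rc1'; distro suffixes are ignored."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def kernel_is_affected(release: str) -> bool:
    """True when the upstream version falls in the advisory's range (<= 5.7.6).
    Distributions backport fixes, so True means 'check vendor errata for
    CVE-2020-15393', not 'definitely vulnerable'."""
    return parse_kernel_version(release) <= LAST_AFFECTED


def usbtest_loaded(proc_modules: str) -> bool:
    """True if the usbtest module appears in /proc/modules content."""
    return any(line.split()[0] == "usbtest"
               for line in proc_modules.splitlines() if line.strip())


def assess(release: str, proc_modules: str) -> str:
    """Combine the two checks into a triage verdict for a ticket."""
    if not kernel_is_affected(release):
        return "not in affected range"
    if usbtest_loaded(proc_modules):
        return "affected range and usbtest loaded: schedule kernel update"
    return "affected range, usbtest not loaded: update at next maintenance window"


if __name__ == "__main__":
    # Live check on the host running the script (Linux only for /proc/modules).
    try:
        with open("/proc/modules") as fh:
            modules = fh.read()
    except OSError:
        modules = ""
    try:
        print(platform.release(), "->", assess(platform.release(), modules))
    except ValueError as exc:
        print("skipped:", exc)
```

The version comparison deliberately ignores distribution suffixes such as `-42-generic`; vendors backport fixes without bumping the upstream version, so a hit from this script is a prompt to consult the distribution's errata, as the recommendation above says, rather than a final verdict.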
Cisco products affected by Telnet Vulnerability
APPGATE published a blog post earlier this year concerning a Telnet server (telnetd) vulnerability tracked as CVE-2020-10188. Cisco, in its official advisory, outlined the vulnerable products, including Cisco bug IDs for each affected device. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases. Cisco IOS XE Software is affected only if the device is configured with the persistent Telnet feature. The Telnet service that is used for TTY lines in Cisco IOS Software and Cisco IOS XE Software is not affected.
Recommendations

  • Help AG encourages users and administrators to review the detailed guidelines from Cisco and apply necessary workarounds as soon as possible.
  • Telnet is an insecure protocol. Customers are advised to instead use SSH or HTTPS on Cisco products that support them.
  • Cisco recommends that its customers use the Cisco Software Checker to determine their exposure to vulnerabilities across the range of Cisco products.
  • Apply the Principle of Least Privilege wherever applicable to all systems and services.

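Because the advisory scopes CVE-2020-10188 on IOS XE to devices with the persistent Telnet feature, while the TTY-line Telnet service is out of scope (but still an insecure protocol per the recommendation above), a useful first pass is to scan saved running-configs for both. The example below is added here and is not Cisco's or Help AG's tooling; it assumes the IOS XE persistent Telnet syntax `transport-map type persistent telnet <name>` / `transport type persistent telnet input <name>`, and the sample configs are constructed, not real devices.

```python
import re

# Constructed sample running-configs keyed by hostname (not real devices).
SAMPLE_CONFIGS = {
    "edge-rtr-1": """\
hostname edge-rtr-1
transport-map type persistent telnet MGMT-TELNET
 connection wait none
!
transport type persistent telnet input MGMT-TELNET
!
line vty 0 4
 transport input ssh
""",
    "core-rtr-2": """\
hostname core-rtr-2
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
""",
    "dist-sw-3": """\
hostname dist-sw-3
line vty 0 4
 transport input ssh
""",
}

# Assumed IOS XE syntax for the persistent Telnet feature named in the advisory.
PERSISTENT_TELNET_RE = re.compile(r"^\s*transport(?:-map)? type persistent telnet\b")
LINE_SECTION_RE = re.compile(r"^line (vty|con|aux)\b")
TRANSPORT_INPUT_RE = re.compile(r"^\s+transport input (.+)$")


def scan_config(text: str) -> dict:
    """Return whether persistent Telnet is configured and which TTY line
    sections still accept Telnet ('telnet' or 'all' in transport input)."""
    persistent = False
    telnet_lines = []
    current_line = None
    for raw in text.splitlines():
        if PERSISTENT_TELNET_RE.match(raw):
            persistent = True
        # A non-indented line starts a new top-level section.
        if raw.strip() and not raw.startswith(" "):
            current_line = raw.strip() if LINE_SECTION_RE.match(raw) else None
        m = TRANSPORT_INPUT_RE.match(raw)
        if m and current_line:
            protos = m.group(1).split()
            if "telnet" in protos or "all" in protos:
                telnet_lines.append(current_line)
    return {"persistent_telnet": persistent, "telnet_on_lines": telnet_lines}


def triage(hostname: str, findings: dict) -> list:
    """Map findings to the advisory's scoping: persistent Telnet is in scope for
    CVE-2020-10188; TTY-line Telnet is out of scope but should move to SSH."""
    notes = []
    if findings["persistent_telnet"]:
        notes.append(f"{hostname}: persistent Telnet configured; in scope for "
                     "CVE-2020-10188, check Cisco bug ID / fixed release")
    for section in findings["telnet_on_lines"]:
        notes.append(f"{hostname}: {section} accepts Telnet; not in scope for "
                     "CVE-2020-10188 but insecure, switch to SSH")
    return notes


def scan_all(configs: dict) -> dict:
    """Scan every saved config and return per-host triage notes."""
    return {host: triage(host, scan_config(text)) for host, text in configs.items()}


if __name__ == "__main__":
    for host, notes in scan_all(SAMPLE_CONFIGS).items():
        print(host, "->", notes or ["no Telnet findings"])
```

Run it over a directory of `show running-config` captures to produce a list of devices that need to be checked against the Cisco Software Checker; the parser is deliberately simple (it keys off indentation to find `line` sections) and should be validated against your own config exports before being trusted.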
Latest Vulnerabilities in Cisco WebEx
Recently, several vulnerabilities have been found in Cisco WebEx. CVE-2020-3336 is a vulnerability in the software upgrade process of Cisco TelePresence Collaboration Endpoint Software and Cisco RoomOS Software. It could allow an authenticated, remote attacker to modify the filesystem to cause a denial of service (DoS) or gain privileged access to the root filesystem. The vulnerability is due to insufficient input validation. An attacker with administrative privileges could exploit this vulnerability by sending requests with malformed parameters to the system using the console, Secure Shell (SSH), or web API. A successful exploit could allow the attacker to modify the device configuration or cause a DoS.
A vulnerability in the software update feature of Cisco WebEx Meetings Desktop App for Mac, CVE-2020-3342, could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. The vulnerability is due to improper validation of cryptographic protections on files that are downloaded by the application as part of a software update. An attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid WebEx website. The client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the user.
CVE-2020-3361 is yet another vulnerability in Cisco WebEx Meetings and Cisco WebEx Meetings Server and could allow an unauthenticated, remote attacker to gain unauthorized access to a vulnerable WebEx site. The vulnerability is due to improper handling of authentication tokens by a vulnerable WebEx site. An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco WebEx Meetings or Cisco WebEx Meetings Server site. If successful, the attacker could gain the privileges of another user within the affected WebEx site.
A vulnerability in Cisco WebEx Meetings Desktop App for Windows, CVE-2020-3347, could allow an authenticated, local attacker to gain access to sensitive information on an affected system. The vulnerability is due to unsafe usage of shared memory that is used by the affected software. An attacker with permissions to view system memory could exploit this vulnerability by running an application on the local system that is designed to read shared memory. A successful exploit could allow the attacker to retrieve sensitive information from the shared memory, including usernames, meeting information, or authentication tokens that could aid the attacker in future attacks.
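The CVE-2020-3342 description above is a textbook instance of an updater that executes downloaded files before their cryptographic protections are checked. The added example below (not Cisco's updater code and not from this post) contrasts the weak pattern, accepting a file because its name and header "look similar" to a genuine update, with a fail-closed check against a pinned digest manifest. The update bytes and manifest are constructed for the demonstration; a production client would verify a vendor signature over the manifest first, which is assumed rather than shown here.

```python
import hashlib
import hmac

# Constructed update artefacts for the demonstration (not real Webex files).
GENUINE_UPDATE = b"#!/bin/sh\necho 'genuine update payload'\n"
LOOKALIKE_UPDATE = b"#!/bin/sh\necho 'payload served by a look-alike site'\n"

# Assumption: the client carries a pinned manifest of expected SHA-256 digests.
# In a production client this would be a vendor-signed manifest whose signature
# is verified first; it is computed from GENUINE_UPDATE here so the sample runs
# stand-alone.
PINNED_MANIFEST = {
    "webex-update.sh": hashlib.sha256(GENUINE_UPDATE).hexdigest(),
}


class UpdateRejected(Exception):
    """Raised when an update artefact fails verification; nothing is executed."""


def looks_like_update_unsafe(name: str, data: bytes) -> bool:
    """The flawed pattern: trust the file because its name and header look
    right. A look-alike site satisfies this trivially."""
    return name.endswith(".sh") and data.startswith(b"#!/bin/sh")


def verify_update(name: str, data: bytes, manifest: dict) -> bool:
    """Hardened pattern: fail closed on unknown names and compare digests with
    a constant-time comparison; never fall back to the unsafe check."""
    expected = manifest.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def apply_update(name: str, data: bytes, manifest: dict = PINNED_MANIFEST) -> str:
    """Only a verified artefact reaches the 'execute' step."""
    if not verify_update(name, data, manifest):
        raise UpdateRejected(f"{name}: digest mismatch or not in manifest")
    # In a real updater the installer would be invoked here.
    return f"{name}: verified, {len(data)} bytes handed to installer"


def rejects(name: str, data: bytes, manifest: dict = PINNED_MANIFEST) -> bool:
    """Helper for checks: True if apply_update refuses the artefact."""
    try:
        apply_update(name, data, manifest)
    except UpdateRejected:
        return True
    return False


if __name__ == "__main__":
    for label, data in (("genuine", GENUINE_UPDATE), ("look-alike", LOOKALIKE_UPDATE)):
        print(label, "passes unsafe check:",
              looks_like_update_unsafe("webex-update.sh", data))
        try:
            print(label, "->", apply_update("webex-update.sh", data))
        except UpdateRejected as exc:
            print(label, "-> rejected:", exc)
```

The point for reviewers of any self-updating client is the ordering: verification happens before the file is handed to anything that executes it, an unknown artefact name is a rejection rather than a pass-through, and the comparison uses `hmac.compare_digest` so a mismatch is not leaked through timing.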
Recommendations

  • Help AG encourages users and administrators to review the detailed guidelines from Cisco and apply necessary patches as soon as possible.
  • Run all software as a non-privileged user to minimize the impact of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users about the threats posed by hypertext links, especially from untrusted sources, contained in emails or attachments.
  • Apply the Principle of Least Privilege to all systems and services.
  • When considering software upgrades, administrators are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
