Author: Animesh Jain | Qualys Blog

Automatically Discover, Prioritize and Remediate Windows Adobe Type Manager Library Remote Code Execution Vulnerability (ADV200006) using Qualys VMDR®

Posted by Animesh Jain in The Laws of Vulnerabilities on March 25, 2020

On March 23, Microsoft released zero day advisory ADV200006 to address two critical remote code execution vulnerabilities in Adobe Type Manager Library that affects multiple versions of Windows and Windows Server.

The vulnerabilities exist within the way that Windows parses OpenType fonts. For example, an attacker could convince a user to open a specially crafted document or view it in the Windows Preview pane. Windows Preview pane is used by the Windows Explorer (which is called File Explorer in Windows 10) file manager application to preview pictures, video, and other content. Successful exploitation would require an attacker to convince a user to open a malicious document or visit a malicious page that exploits the WebClient service which is normally listening for WebDAV file shares.

Qualys released a blog post earlier on how to identify ADV200006 in your environment:
Microsoft Released Out-of-Band Advisory – Windows Adobe Type Manager Library Remote Code Execution Vulnerability (ADV200006)

Here we describe how to resolve it with Qualys VMDR®.

Microsoft Released Out-of-Band Advisory – Windows Adobe Type Manager Library Remote Code Execution Vulnerability (ADV200006)

Posted by Animesh Jain in The Laws of Vulnerabilities on March 23, 2020

Today, Microsoft released an out-of-band security advisory ADV200006 to address two critical remote code execution vulnerabilities in Adobe Type Manager Library. Microsoft is also aware of limited, targeted attacks that attempt to leverage this vulnerability.

4 Comments
Permalink
Tags: 0-day adobe flash, adobe type manager, microsoft

Automatically Discover, Prioritize and Remediate Microsoft SMBv3 RCE Vulnerability (CVE-2020-0796) using Qualys VMDR

Posted by Animesh Jain in The Laws of Vulnerabilities on March 16, 2020

This month’s Patch Tuesday, Microsoft disclosed a critical “wormable” remote code execution (RCE) vulnerability in Microsoft Server Message Block 3.1.1 (SMBv3) protocol. The exploitation of this vulnerability opens systems up to a ‘wormable’ attack, which means it would be easy to move from victim to victim.

Qualys released a blog post earlier on how to identify SMBv3 vulnerability in your environment:
Microsoft Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796)

Here we describe how to resolve it with Qualys VMDR®.

No Comments
Permalink
Tags: cve-2020-0796, Microsoft patch tuesday, Patch Tuesday, smb, SMBv3, vmdr, vulnerability

Microsoft Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796)

Posted by Animesh Jain in The Laws of Vulnerabilities on March 11, 2020

This month’s Patch Tuesday, Microsoft disclosed a remote code execution vulnerability in SMB 3.1.1 (v3) protocol. Even though initial release of the Patch Tuesday did not mention this vulnerability, details of the issue (CVE-2020-0796) were published accidentally on another security vendor’s blog. Microsoft published security advisory ADV200005 and technical guidance soon after the accidental disclosure of the vulnerability.

UPDATE March 12, 2020: Microsoft updated ADV200005 to include CVE-2020-0796 and released patches for affected Windows systems.

5 Comments
Permalink
Tags: cve-2020-0796, Microsoft patch tuesday, Patch Tuesday, smb, SMBv3, vulnerability

March 2020 Patch Tuesday – 115 Vulns, 26 Critical, Microsoft Word and Workstation Patches

Posted by Animesh Jain in The Laws of Vulnerabilities on March 10, 2020

This month’s Microsoft Patch Tuesday addresses 115 vulnerabilities with 26 of them labeled as Critical. Of the 26 Critical vulns, 17 are for browser and scripting engines, 4 are for Media Foundation, 2 are for GDI+ and the remaining 3 are for LNK files, Microsoft Word and Dynamics Business. Microsoft also issued a patch for an RCE in Microsoft Word. Adobe has not posted any patches for Patch Tuesday.

On the basis of volume and severity this Patch Tuesday is heavy in weight.

See details of the new detections, including description, consequence and solution.

No Comments
Permalink
Tags: microsoft, patch, Patch Tuesday, vulnerabilities, vulnerability management, windows

Automatically Discover, Prioritize and Remediate Apache Tomcat AJP File Inclusion Vulnerability (CVE-2020-1938) using Qualys VMDR

Posted by Animesh Jain in Qualys Technology, The Laws of Vulnerabilities on March 5, 2020

A severe vulnerability exists in Apache Tomcat’s Apache JServ Protocol. The Chinese cyber security company Chaitin Tech discovered the vulnerability, which is named “Ghostcat” and is tracked using CVE-2020-1938. The security issue has received a critical severity rating score of 9.8 based on CVSS v3 Scoring system.

Vulnerability Details:
Due to a file inclusion defect in the AJP service (port 8009) that is enabled by default in Tomcat, an attacker can construct a malicious request package for file inclusion operation, and then read the web directory file on the affected Tomcat server. If the system allows users to upload files, an attacker can upload malicious code to the server, and gain the ability to perform remote code execution.

No Comments
Permalink
Tags: AJP, apache tomcat, asset inventory, cve-2020-1938, patch management, policy compliance, threat protection, tomcat, vmdr, vulnerability management

Detections Released for ESU Updates on EOL Windows 7, 2008 and 2008 R2

Posted by Animesh Jain in Qualys Technology on February 13, 2020

For the February 2020 Patch Tuesday, Microsoft released security updates for Windows 7, 2008 and 2008 R2 systems which are already end of life. Qualys released Patch Tuesday detections (QIDs) which check for these new ESU patches as well.

Update: Qualys released IG QID 45424 to identify the presence of ESU on Windows 7, 2008/R2 systems.

2 Comments
Permalink
Tags: #VisualizeDataNotCSVs, dashboard, eol, esu, microsoft, qid

New EOL QIDs for Microsoft Windows 7 and 2008/R2

Posted by Animesh Jain in Qualys Technology on February 7, 2020

Qualys Vulnerability Signature, version 2.4.815-2, will include EOL QIDs (detections for end-of-life software) for Windows 7, Windows 2008, and Windows 2008 R2. Customers will be able to scan the QIDs shown below using Qualys Vulnerability Management (VM):

QID 105859 – EOL/Obsolete Operating System: Microsoft Windows 2008 R2 Detected
QID 105858 – EOL/Obsolete Operating System: Microsoft Windows 2008 Detected
QID 105793 – EOL/Obsolete Operating System: Microsoft Windows 7 Detected

1 Comment
Permalink
Tags: dashboard, eol, esu, microsoft, ms, qid, rpt, vm, windows

OpenBSD OpenSMTPD Remote Code Execution Vulnerability (CVE-2020-7247)

Posted by Animesh Jain in The Laws of Vulnerabilities on January 29, 2020

Qualys Research Labs discovered a vulnerability in OpenBSD’s OpenSMTPD mail server that allows an attacker to execute arbitrary shell commands with elevated privileges. OpenBSD developers have confirmed the vulnerability and also quickly provided a patch.

Proof-of-concept exploits are published in the security advisory.

Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) – How to Detect and Remediate

Posted by Animesh Jain in The Laws of Vulnerabilities on January 14, 2020

Update January 31, 2020: Client testing is now available at clienttest.ssllabs.com.

Update January 15, 2020: Detection dashboard now available.

Today, Microsoft released patch for CVE-2020-0601, aka Curveball, a vulnerability in windows “crypt32.dll” component that could allow attackers to perform spoofing attacks. This was discovered and reported by National Security Agency (NSA) Researchers. The vulnerability affects Windows 10 and Windows Server 2016/2019 systems.

This is a serious vulnerability and patches should be applied immediately. An attacker could exploit this vulnerability by using a spoofed code-signing certificate, meaning an attacker could let you download and install malware that pretended to be something legit, such as software updates, due to the spoofed digital signature. Examples where validation of trust may be impacted include:

HTTPS connections
Signed files and emails
Signed executable code launched as user-mode processes

Exploits/PoC:

There are no reports of active exploitation or PoC available in public domain at this point of time. However, per NSA advisory “Remote exploitation tools will likely be made quickly and widely available.”

All Posts

Exploits/PoC: