In the hope that enterprises will patch them, the US NSA has shared a list of 25 vulnerabilities currently being targeted by Chinese state-sponsored hackers.
The US Govt. has long warned about cyber threats emanating from China. Now, the National Security Agency (NSA) is outlining the specific vulnerabilities it has observed Chinese state-sponsored actors using.
In a cyber-security advisory shared on Tuesday, the NSA disclosed 25 vulnerabilities (.PDF) that Chinese hackers are actively exploiting. The list is not exhaustive, but it is intended to show which CVEs are being ‘operationalised’ by China.
The list includes vulnerabilities that can be exploited to give attackers initial access to a victim network from the internet. Many of the vulnerable products are used by businesses for remote access or to host external web services, so once an attacker is in, these flaws act as a gateway into the rest of the network.
Cybersecurity & Infrastructure Security Agency (CISA)
For those who have been watching alerts published by the DHS’ Cybersecurity & Infrastructure Security Agency (CISA) over the past year, the list is none too surprising.
CISA & security researchers have been sounding the alarm about a handful of these vulnerabilities, many of which allow full system access & remote code execution.
Seven of the vulnerabilities date back to 2019, & four are older still, but that does not mean they are no longer being successfully exploited.
Some on the list, including an arbitrary file read vulnerability in Pulse Secure VPN servers, CVE-2019-11510, & an arbitrary code execution vulnerability in Citrix VPN appliances, CVE-2019-19781, also appeared among the most routinely exploited bugs when the FBI & CISA published their list of such vulnerabilities in May 2020.
The oldest vulnerability, CVE-2015-4852, is a Java deserialisation flaw in Oracle WebLogic Server, which suggests that five years after it was discovered (& patched) the bug is still paying dividends for attackers.
Remote Code Execution
Other vulnerabilities, like the remote code execution vulnerability (CVE-2020-5902) in F5 BIG-IP devices, have dominated the summer for many administrators.
CISA said in July that it began seeing attacks targeting unpatched F5 BIG-IP devices shortly after proof-of-concept code surfaced online on July 4. CISA warned again in August that Iranian hackers were exploiting the vulnerability.
Other CVEs, like CVE-2020-1472, aka Zerologon, a privilege escalation vulnerability in the Netlogon service of Windows Server, have been widely publicised in the past month.
While all of the vulnerabilities have been patched by their vendors, organisations may not have applied the necessary fixes. The NSA hopes that publicising the vulnerabilities will encourage those who have not yet patched to do so.
“We hear loud & clear that it can be hard to prioritise patching & mitigation efforts,” NSA Cyber-security Director Anne Neuberger said in a press release. “We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cyber-security professionals will gain actionable information to prioritise efforts & secure their systems.”
The full list of vulnerabilities is:
1. CVE-2019-11510: On Pulse Secure VPNs, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. This may lead to exposure of keys or passwords.
2. CVE-2020-5902: In F5 BIG-IP proxy / load balancer devices, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
3. CVE-2019-19781: An issue was discovered in Citrix Application Delivery Controller (ADC) & Gateway. They allow directory traversal, which can lead to remote code execution without credentials.
4, 5, 6. CVE-2020-8193, CVE-2020-8195, CVE-2020-8196: Improper access control & input validation in Citrix ADC, Citrix Gateway & Citrix SDWAN WAN-OP allow unauthenticated access to certain URL endpoints & information disclosure to low-privileged users.
7. CVE-2020-0708: A remote code execution vulnerability exists within Remote Desktop Services when an unauthenticated attacker connects to the target system using RDP & sends specially crafted requests.
8. CVE-2020-15505: A remote code execution vulnerability in the MobileIron mobile device management (MDM) software that allows remote attackers to execute arbitrary code via unspecified vectors.
9. CVE-2020-1350: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.
10. CVE-2020-1472: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.
11. CVE-2019-1040: A tampering vulnerability exists in Microsoft Windows when a ‘man-in-the-middle’ attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection.
12. CVE-2018-6789: Sending a handcrafted message to Exim mail transfer agent may cause a buffer overflow. This can be used to execute code remotely.
13. CVE-2020-0688: A Microsoft Exchange validation key remote code execution vulnerability exists when the software fails to properly handle objects in memory.
14. CVE-2018-4939: Certain Adobe ColdFusion versions have an exploitable De-serialisation of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.
15. CVE-2015-4852: The WLS Security component in Oracle WebLogic Server allows remote attackers to execute arbitrary commands via a crafted serialised Java object.
16. CVE-2020-2555: A vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware. This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 to compromise Oracle Coherence.
17. CVE-2019-3396: The Widget Connector macro in Atlassian Confluence Server allows remote attackers to achieve path traversal & remote code execution on a Confluence Server or Data Center instance via server-side template injection.
18. CVE-2019-11580: Attackers who can send requests to an Atlassian Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution.
19. CVE-2020-10189: Zoho ManageEngine Desktop Central allows remote code execution because of de-serialisation of untrusted data.
20. CVE-2019-18935: Progress Telerik UI for ASP.NET AJAX contains a .NET de-serialisation vulnerability. Exploitation can result in remote code execution.
21. CVE-2020-0601: A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.
22. CVE-2019-0803: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.
23. CVE-2017-6327: The Symantec Messaging Gateway can encounter a remote code execution issue.
24. CVE-2020-3118: A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device.
25. CVE-2020-8515: DrayTek Vigor devices allow remote code execution as root (without authentication) via shell metacharacters.
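Three of the entries above (items 1, 2 & 3) are path-traversal or file-read bugs in internet-facing remote-access appliances, and the requests that exploit them leave a recognisable shape in the web server’s access log. The script below is an added illustration, not part of the NSA advisory or this article: it parses combined-format access-log lines, URL-decodes the request path (twice, to catch double encoding), and flags lines matching the request patterns documented in the public exploit write-ups for CVE-2019-11510, CVE-2019-19781 & CVE-2020-5902, plus any other `../` or `..;/` traversal attempt. The log lines are constructed for the example; the indicator patterns are assumed from public reporting and should be treated as a starting point for a hunt, not a complete signature set.

```python
"""Hunt access logs for exploitation attempts against the traversal/file-read
bugs on the NSA list (CVE-2019-11510, CVE-2019-19781, CVE-2020-5902).
Added example; the log lines below are constructed, not real traffic."""
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log line: ip ident user [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Request shapes from the public exploit write-ups for three of the listed CVEs
# (assumed indicator set; matched against the URL-decoded request path).
INDICATORS = [
    ("CVE-2019-11510", re.compile(r"^/dana-na/\.\./dana/html5acc/guacamole/(\.\./)+")),
    ("CVE-2019-19781", re.compile(r"^/vpn/\.\./vpns/")),
    ("CVE-2020-5902",  re.compile(r"^/tmui/login\.jsp/\.\.;/tmui/")),
]

# Generic traversal: a ".." segment, including the "..;" form that slips past
# Java servlet path normalisation (the trick used against BIG-IP TMUI).
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|;|$)")


def decode_path(target):
    """Drop the query string and URL-decode twice to defeat double encoding."""
    path = target.split("?", 1)[0]
    return unquote(unquote(path))


def classify_path(path):
    """Return the matching CVE id, 'traversal' for an unattributed ../ attempt,
    or None for a benign path."""
    for cve, pattern in INDICATORS:
        if pattern.search(path):
            return cve
    if TRAVERSAL_RE.search(path):
        return "traversal"
    return None


def scan_lines(lines):
    """Yield one finding per suspicious log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = decode_path(m.group("target"))
        label = classify_path(path)
        if label is None:
            continue
        findings.append({
            "ip": m.group("ip"),
            "cve": label,
            "path": path,
            # A 2xx on a file-read/traversal request means the server did not
            # reject it: treat as a likely success rather than a mere probe.
            "likely_success": m.group("status").startswith("2"),
        })
    return findings


# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """
203.0.113.7 - - [20/Oct/2020:10:01:12 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1423
198.51.100.9 - - [20/Oct/2020:10:02:44 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 712
198.51.100.9 - - [20/Oct/2020:10:02:45 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
192.0.2.55 - - [20/Oct/2020:10:05:03 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 901
192.0.2.56 - - [20/Oct/2020:10:05:09 +0000] "GET /tmui/login.jsp/%2e%2e;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 901
192.0.2.99 - - [20/Oct/2020:10:05:40 +0000] "GET /images/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 209
10.0.0.5 - - [20/Oct/2020:10:06:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        state = "likely-success" if f["likely_success"] else "probe"
        print(f'{f["ip"]:<14} {f["cve"]:<16} {state:<15} {f["path"]}')
```

Run it against a real log with `scan_lines(open("access.log"))`. A hit with `likely_success` set on a VPN or load-balancer appliance is grounds to assume credentials and session keys on that box are exposed (that is exactly what item 1 says CVE-2019-11510 leaks), so rotate them after patching rather than only patching.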
US House Intelligence Committee
The security advisory comes a few weeks after a US House Intelligence Committee report, issued last month, highlighted that Federal agencies have work to do in order to better counter Chinese threats.
“The US’ Intelligence Community has not sufficiently adapted to a changing geopolitical & technological environment increasingly shaped by a rising China,” the report observed.
“Absent a significant realignment of resources, the US Govt. & intelligence community will fail to achieve the outcomes required to enable continued US competition with China on the global stage for decades to come, & to protect the US health & security.”