Monthly Vulnerabilities – December 2020
Overview
This bulletin provides an overview of four critical vulnerabilities observed during December 2020, some of which are known to have been actively exploited, and it is recommended that organizations apply all necessary security updates and/or mitigation steps to prevent the exploitation of:
- CVE-2020-17049 – Kerberos Security Feature Bypass Vulnerability.
- CVE-2020-4006 – VMware Command Injection Vulnerability.
- CVE-2020-29491/CVE-2020-29492 – Dell Wyse Thin Client Insecure Default Configuration.
- CVE-2020-16875/CVE-2020-17132 – Microsoft Exchange Remote Code Execution.
CVE-2020-17049 – Kerberos Security Feature Bypass Vulnerability
Introduction
Described as a ‘security feature bypass’ vulnerability and dubbed ‘Bronze Bit’, CVE-2020-17049 relates to the way in which the Key Distribution Center (KDC) determines if a service ticket can be used for delegation via ‘Kerberos constrained delegation’.
Exploitation of this vulnerability requires access to the target environment along with obtaining a password hash from a service account that has constrained delegation. Subsequently, an attacker could tamper with a Kerberos service ticket without delegation in an attempt to force the KDC to accept it and authenticate to the service as any user.
Whilst originally ‘fixed’ by Microsoft in their November ‘Patch Tuesday’ release, December has seen a further security update to ‘fix known issues’ introduced by the previous release in addition to reports of ‘in the wild’ exploitation.
For reference, a full technical explanation of this vulnerability, including an overview of Kerberos authentication, has been shared by the researcher who discovered the flaw, Jake Karnes of NetSPI [1][2][3].
Impact
An attacker with sufficient access to a vulnerable Microsoft Windows Active Directory installation could exploit this vulnerability to impersonate a user and send requests to a service that would be processed under that user’s authority.
Affected versions of Microsoft Windows Server include:
- Windows Server versions 1903, 1909, 2004 & 20H2 (Server Core)
- Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016 & 2019 (Including Server Core)
Exploits available? Yes; Proof-of-concept examples have been shared [3]
Exploitation observed in the wild? Not as yet
CVSS v3 Base Score: 6.6
Detection
There is as yet no documented method of detecting exploitation of this vulnerability, as the attack makes use of seemingly valid Kerberos service tickets.
Recommendations
In the first instance, Microsoft recommend that any Active Directory server with the ‘Domain Controller’ role has the appropriate 8 December 2020 update applied:
- KB4592438 – Windows Server versions 2004 & 20H2 (Server Core)
- KB4592449 – Windows Server versions 1903 & 1909 (Server Core)
- KB4592440 – Windows Server 2019 (Including Server Core)
- KB4592495 – Windows Server 2012 R2 (Including Server Core)
- KB4592497 – Windows Server 2012 (Including Server Core)
- KB4592503 – Windows Server 2008 R2 SP1 x64 (Including Server Core)
- KB4592504 – Windows Server 2008 SP2 (Including Server Core)
- KB4593226 – Windows Server 2016 (Including Server Core)
These updates initially operate in ‘Deployment’ mode and add a `PerformTicketSignature` registry value that allows the protection to be enabled on Domain Controllers.
Subsequently, Microsoft article KB4598347 [4] details how this registry value is configured to enable ‘Enforcement’ mode. It suggests waiting seven days after applying the update to ensure that all domain controllers have been updated and that all outstanding ‘S4U2self’ Kerberos service tickets have expired.
Notably, from 8 February 2020 this change will be enforced, which requires that all domain controllers have the December 2020 update, or later, installed. On this date, domain controllers will be placed into ‘Enforcement’ mode and will ignore any value assigned to the `PerformTicketSignature` registry key, as the setting can no longer be overridden.
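As an added example (not part of the bulletin), the following PowerShell inventories every domain controller for the December 2020 updates listed above and reports the current `PerformTicketSignature` mode. The KB identifiers are those from the list above; the registry location under the Kdc service is assumed from KB4598347 [4] and should be confirmed against that article. It assumes the RSAT ActiveDirectory module and WinRM access to each domain controller.

```powershell
# Added example: check each Domain Controller for the December 2020 update
# and report the PerformTicketSignature mode (Deployment vs Enforcement).
# Assumes RSAT ActiveDirectory module and WinRM/DCOM access to every DC.
$DecemberKbs = 'KB4592438','KB4592449','KB4592440','KB4592495',
               'KB4592497','KB4592503','KB4592504','KB4593226'

# Registry location assumed from KB4598347; confirm against the article.
$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

# Meaning of the DWORD values as documented by Microsoft (0 = protection off)
$Modes = @{ 0 = 'Disabled (not recommended)'; 1 = 'Deployment'; 2 = 'Enforcement' }

Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName

    # Which of the December 2020 KBs (if any) are installed on this DC
    $installed = Get-HotFix -ComputerName $dc -ErrorAction SilentlyContinue |
        Where-Object { $DecemberKbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # Read the PerformTicketSignature value remotely; $null if it is absent
    $value = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty -Path $using:KdcKey -Name PerformTicketSignature `
            -ErrorAction SilentlyContinue).PerformTicketSignature
    }

    [pscustomobject]@{
        DomainController = $dc
        DecemberUpdate   = if ($installed) { $installed -join ',' } else { 'MISSING' }
        TicketSignature  = if ($null -eq $value) { 'Value absent (update not applied?)' }
                           else { $Modes[[int]$value] }
    }
} | Format-Table -AutoSize
```

Any DC reporting `MISSING` or an absent value needs the update before the enforcement date; a DC still in ‘Deployment’ mode after the seven-day window can be moved to ‘Enforcement’ as KB4598347 describes.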
References
[1] https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-overview/
[2] https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-theory/
[3] https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-attack/
CVE-2020-4006 – VMware Command Injection Vulnerability
Introduction
Following up on a ‘workaround’ published in November, VMware have now released security updates for products affected by a command injection vulnerability that could facilitate the remote execution of commands on vulnerable devices with escalated privileges.
VMware were first notified of the vulnerability in their administrative configurator, present within a number of products, by the United States National Security Agency (NSA) with reports suggesting that it has been observed as exploited by Russian-nexus threat actors.
Impact
The VMware advisory [1] for this vulnerability indicates that a threat actor requires both network access to the administrative configurator as well as valid credentials. Given this, exploitation would likely occur as part of a wider attack or following some initial compromise although vulnerabilities such as these can allow further escalation of privileges and lateral movement across a target network.
Affected VMware products include:
- VMware Cloud Foundation Version 4.x
- vRealize Suite Lifecycle Manager Version 8.x
Affected VMware components include:
- VMware Identity Manager 5
- Versions 3.3.1, 3.3.2 & 3.3.3 (Linux)
- VMware Identity Manager Connector
- Versions 3.3.1 & 3.3.2 (Linux)
- Versions 3.3.1, 3.3.2 & 3.3.3 (Windows)
- Versions 19.03.0.1 & 19.03.0.0 (Windows)
- VMware Workspace One Access
- Versions 20.01 & 20.10 (Linux)
- VMware Workspace One Access Connector
- Versions 20.10, 20.01.0.0 & 20.01.0.1 (Windows)
Exploits available? No
Exploitation observed in the wild? Yes
CVSS v3 Base Score: 7.2 (Downgraded from an initial 9.1 score)
Detection
Whilst no explicit detection method for this vulnerability has been offered by VMware, auditing and monitoring access to the administrative configurator may provide an indication of potential abuse, such as out-of-hours access or connections originating from unusual locations.
Recommendations
Organizations using the affected product versions should follow the advice provided in VMware knowledgebase article ‘81754’ [2] at their earliest convenience.
This article advises organizations to first backup their system configuration before downloading and applying the appropriate product patch from the VMware website.
Subsequently, confirmation that the vulnerable system has been patched should be obtained by verifying the ‘build’ version within the administrative configurator login page against the README.txt file within the patch package.
References
[1] https://www.vmware.com/security/advisories/VMSA-2020-0027.html
[2] https://kb.vmware.com/s/article/81754
CVE-2020-29491/CVE-2020-29492 – Dell Wyse Thin Client Insecure Default Configuration
Introduction
An insecure default configuration vulnerability [1] in Dell Wyse ThinOS versions 8.6 and earlier could allow an unauthenticated remote threat actor to gain access to sensitive information or manipulate the configuration of vulnerable thin clients.
The first of the two vulnerabilities, CVE-2020-29491, relates to the way in which thin clients access configurations from a file server that is accessed without authentication. Exploitation is a simple case of accessing this resource, albeit requiring the threat actor to be present on the target network, leading to the exposure of potentially sensitive data including credentials used for remote access.
The second and arguably more critical vulnerability, CVE-2020-29492, exists due to the file server hosting these configuration files allowing read/write access via FTP and therefore potentially allowing unauthorized modifications.
Based on the configuration options available to thin client administrators, numerous attack scenarios are possible including the theft of remote desktop protocol (RDP) credentials or even full access to remote desktop sessions.
Impact
Threat actors with network access allowing connections to a vulnerable file server hosting thin client configurations can easily gain the ability to interact, or interfere, with all associated thin clients.
Affected products include:
- Dell Wyse 3040, 5010, 5040, 5060, 5070, 5470 & 7010 Thin Clients (ENG, JPN) (Including those with PCoIP);
- Dell Wyse 5470 AIO Thin Clients (ENG, JPN) (Including those with PCoIP);
Exploits available? No; Manually exploitable.
Exploitation observed in the wild? No
CVSS v3 Base Score: 10.0
Detection
Whilst no explicit detection method for this vulnerability has been offered by Dell, auditing and monitoring access to the file server used for thin client configuration could provide an indication of potential unauthorized access.
Recommendations
Organizations using affected thin client products should consider securing their configuration file server to prevent unauthorized access:
- Enforcing the use of HTTPS rather than HTTP or FTP;
- Ensuring that ‘read-only’ access is configured rather than ‘read/write’;
Additionally, Dell suggest the use of Dell Wyse Management Suite and are providing eligible thin client customers with free upgrades to ‘ThinOS 9’ which, when deployed, does not support the vulnerable file server configuration.
References
[1] https://www.dell.com/support/kbdoc/en-uk/000180768/dsa-2020-281
CVE-2020-16875/CVE-2020-17132 – Microsoft Exchange Remote Code Execution
Introduction
Described as a remote code execution vulnerability in Microsoft Exchange 2016 and 2019, CVE-2020-16875 [1] relates to the improper validation of user-supplied template data when using the New-DlpPolicy (data loss prevention policy) cmdlet.
Whilst initially patched by Microsoft in September 2020, the recent publication [2] of an additional proof-of-concept exploit that bypasses the initial fix resulted in Microsoft releasing a further update, CVE-2020-17132, in December 2020 [3].
Impact
Whilst requiring the threat actor to be an authenticated user in an undisclosed Microsoft Exchange role, likely obtained through other techniques, successful exploitation allows the execution of arbitrary code under the SYSTEM user context.
Affected products include:
- Microsoft Exchange Server 2016 (Cumulative Update 16 & 17)
- Microsoft Exchange Server 2019 (Cumulative Update 5 & 6)
- Microsoft Exchange Server 2013 (Cumulative Update 23)*
* Whilst not explicitly mentioned in the initial vulnerability notice, Exchange Server 2013 has a CVE-2020-17132 security update.
Exploits available? Yes
Exploitation observed in the wild? No, but likely given the availability of PoC exploits.
CVSS v3 Base Score: 9.1
Detection
By default, cmdlets utilized within the Microsoft Exchange Management Shell or Exchange Admin Center (EAC) should result in audit log entries being generated.
Based on Microsoft’s documentation [4], this audit log is stored in a dedicated mailbox that can be accessed using the EAC and can be reviewed to identify potentially unauthorized activity.
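As an added example (not from the bulletin or Microsoft's documentation), the following Exchange Management Shell snippet pulls the admin audit log entries for the `New-DlpPolicy` cmdlet named above and lists who ran it, against which object, and whether template-related parameters were supplied. It assumes admin audit logging is enabled and that the `Search-AdminAuditLog` cmdlet is available to the account running it; the 30-day window is an arbitrary choice.

```powershell
# Added example: review the Exchange admin audit log for New-DlpPolicy use.
# Run from the Exchange Management Shell with audit logging enabled.
$since = (Get-Date).AddDays(-30)   # review window (constructed value)

$entries = Search-AdminAuditLog -Cmdlets New-DlpPolicy `
    -StartDate $since -EndDate (Get-Date) -ResultSize 5000

$entries | ForEach-Object {
    # Flatten the parameter collection into a name -> value hashtable
    $params = @{}
    foreach ($p in $_.CmdletParameters) { $params[$p.Name] = $p.Value }

    [pscustomobject]@{
        RunDate   = $_.RunDate
        Caller    = $_.Caller
        Object    = $_.ObjectModified
        # Parameters beginning with 'Template' carry the user-supplied
        # template data the vulnerability concerns, so surface them here
        Template  = ($params.Keys | Where-Object { $_ -like 'Template*' }) -join ','
        Succeeded = $_.Succeeded
        Server    = $_.OriginatingServer
    }
} | Sort-Object RunDate -Descending | Format-Table -AutoSize

# Confirm the installed Exchange build on each server alongside the review,
# so audit findings can be matched against patch status.
Get-ExchangeServer | Select-Object Name, AdminDisplayVersion
```

Callers that are not known DLP administrators, or invocations that supplied inline template data outside a change window, are the entries worth following up.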
Recommendations
Organizations with vulnerable Microsoft Exchange servers should consider applying the latest security updates to prevent exploitation:
- KB4593465 – Exchange Server 2016 (Cumulative Update 17 & 18)
- KB4593465 – Exchange Server 2019 (Cumulative Update 6 & 7)
- KB4593466 – Microsoft Exchange Server 2013 (Cumulative Update 23)
Organizations should also ensure that an appropriate level of audit logging is enabled and monitored to provide an early indication of unauthorized activity.
References
[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-16875
[3] https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-17132