Vulnerability Trends Summary

This report shows the monthly top 10 trends in security vulnerabilities and how hackers, malware and exploit kits are exploiting them. We assign each vulnerability a trend value expressed as a percentage of how much attention it is receiving from the cyber security community, attackers and malware. Companies can use the report to gain more cyber threat insight and anticipate attack waves that might target their public assets in the following months.

You can download the full vulnerability digest report by clicking here.

You can subscribe to the monthly vulnerability digest report by clicking here.

The following chart shows the trends.

Vulnerability Trends Chart


In March 2020, a new critical and exploitable vulnerability in SMB v3.1.1 (SMBGhost, CVE-2020-0796) attracted the most attention from attackers and the cyber security community. This vulnerability accounts for more than 70% of the overall March trends.

The next in line is the MS Exchange key validation RCE (CVE-2020-0688), which was published in February 2020 but still dominated the trends in March.

The following table shows the details of the trends.

Vulnerability Trends Table

1. CVE-2020-0796 | SMBGhost

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.

CVSS Rate: 10.0 CRITICAL
Exploited: Yes
Links: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
http://packetstormsecurity.com/files/156731/CoronaBlue-SMBGhost-Microsoft-Windows-10-SMB-3.1.1-Proof-Of-Concept.html

2. CVE-2020-0688 | MS Exchange Key Validation RCE

A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.
Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

CVSS Rate: 8.8 HIGH
Exploited: Yes
Links: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
http://packetstormsecurity.com/files/156592/Microsoft-Exchange-2019-15.2.221.12-Remote-CodeExecution.html

3. CVE-2020-8816 | Pi-hole RCE

Pi-hole is affected by a remote code execution vulnerability. An authenticated user of the web portal can execute arbitrary commands on the underlying server with the privileges of the local user running the service.
Exploitation of this vulnerability can be automated.

CVSS Rate: 10.0 CRITICAL
Exploited: Yes
Links: https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/

4. CVE-2020-1938 | Apache Tomcat AJP (Ghostcat)

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are reachable by an attacker, they can be exploited in ways that may be surprising. Prior to Tomcat 9.0.31, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required.
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means), then this, combined with the ability to process a file as a JSP, made remote code execution possible.

CVSS Rate: 9.8 CRITICAL
Exploited: Yes
Links: http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
https://github.com/w4fz5uck5/CVE-2020-1938-Clean-Version
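As an added illustration (not taken from the original report or from the Tomcat project), the AJP connector block as it shipped in server.xml before 9.0.31 is shown next to a hardened form. The `address`, `secretRequired` and `secret` attributes are the ones Tomcat provides in the fixed releases; the secret value is a placeholder.

```xml
<!-- Before Tomcat 9.0.31: the AJP connector was enabled by default and
     listened on every configured interface, so any host that could reach
     TCP 8009 was granted AJP-level trust (the Ghostcat exposure). -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened option 1: no reverse proxy speaks AJP to this instance,
     so the connector is simply left commented out (the 9.0.31 default). -->
<!--
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->

<!-- Hardened option 2: a local front-end proxy needs AJP. Bind the
     connector to loopback only and require a shared secret that the
     proxy must present on every request (placeholder value below). -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_SECRET" />
```

A quick check from the host after restarting Tomcat is that port 8009 is no longer bound, or is bound only on 127.0.0.1.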

5. CVE-2020-0787 | Windows BITS Privilege Escalation

An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links, aka ‘Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability’.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

CVSS Rate: 7.8 HIGH
Exploited: Yes
Links: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0787
https://itm4n.github.io/cve-2020-0787-windows-bits-eop/

6. CVE-2020-0729 | Windows LNK RCE

A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka ‘LNK Remote Code Execution Vulnerability’.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

CVSS Rate: 8.8 HIGH
Exploited: No
Links: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0729

7. CVE-2020-7982 | OpenWrt opkg Package Injection

An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. A bug in the fork of the opkg package manager before 2020-01-25 prevents correct parsing of the embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary package payloads (which are installed without verification).
These code-execution exploits are limited in scope because adversaries must either be in a position to conduct a man-in-the-middle attack or tamper with the DNS server that a device uses to locate the update on the Internet. That means routers on a network with no malicious users and a legitimate DNS server are safe from attack. The researcher also speculates that packet spoofing or ARP cache poisoning may make attacks possible, but he cautions that he did not test either method.

CVSS Rate: 8.1 HIGH
Exploited: Yes
Links: https://openwrt.org/advisory/2020-01-31-1
https://blog.forallsecure.com/uncovering-openwrt-remote-code-execution-cve-2020-7982

8. CVE-2020-10189 | ManageEngine Desktop Central RCE

ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

CVSS Rate: 9.8 CRITICAL
Exploited: Yes
Links: https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/
https://srcincite.io/pocs/src-2020-0011.py.txt

9. CVE-2020-0551 | Intel Load Value Injection

Load value injection in some Intel(R) Processors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.

CVSS Rate: 5.6 MEDIUM
Exploited: Yes
Links: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00334.html
https://github.com/bitdefender/lvi-lfb-attack-poc