Tenable Advises Chrome Users to Patch Zero-day Vulnerability

October 23, 2020

Chrome users could potentially be at risk of arbitrary code execution (ACE) due to an actively exploited zero-day vulnerability. Technical details of the available exploit have not been disclosed yet, but ACE flaws could allow an attacker to execute system commands, read, write or even delete files on the victim’s computer, create a backdoor to the system, gain network access or download a malicious program such as ransomware. While ACEs really are an open goal, the damage can be limited by the access controls and permissions usually in place. It’s imperative that everyone using Chrome updates to version 86.0.4240.111 to address these high-severity vulnerabilities.

Comment is attributable to Rody Quinlan, Security Response Manager at Tenable:

“The zero-day is a memory corruption flaw [CVE-2020-15999] described as a “heap buffer overflow in FreeType.” Successful exploitation of heap buffer overflows could lead to memory leakage which could potentially be used to lead to arbitrary code execution. As the Chrome flaw is being actively exploited in the wild, users are urged to update their browsers as soon as possible to reduce the risk of compromise.

Chrome is not the first browser with an actively exploited zero-day this year. Just over a week into 2020, Mozilla released an advisory for a zero-day vulnerability in Mozilla Firefox, CVE-2019-17026, and later again in April for CVE-2020-6819 and CVE-2020-6820. Mozilla Firefox advised users to upgrade as soon as possible as they were aware of attacks targeting the flaw.

Microsoft also released an out-of-band (OOB) advisory (ADV200001) in January for CVE-2020-0674, a zero-day remote code execution (RCE) vulnerability in Internet Explorer. While an OOB advisory for an RCE vulnerability from Microsoft is enough reason to take note, the advisory also stated that Microsoft was aware of targeted attacks in the wild.

With three of the most commonly used browsers actively targeted this year with zero-days, it is imperative organisations patch their systems as soon as updates are available.”

Tenable: NSA publishes list of top vulns targeted by foreign threat actors

October 21, 2020

The National Security Agency (NSA) published a list today of the top 25 vulnerabilities that are consistently being targeted by foreign threat actors. The plethora of publicly accessible systems running unpatched software means that threat actors do not need to finance the development or burn a zero day.

Please find below a comment from Satnam Narang, Staff Research Engineer at Tenable.

“If you’re experiencing déjà vu from the National Security Agency (NSA) advisory listing the top 25 vulnerabilities being leveraged by foreign threat actors, your feeling is warranted. Many of the vulnerabilities in the advisory align with similar alerts that have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year.

It’s unmistakably clear that unpatched vulnerabilities remain a valuable tool for cybercriminals and state-sponsored threat actors. With many of the vulnerabilities listed in the advisory residing in remote access tools or external web services, it is extremely critical for organisations to prioritise patching these vulnerabilities.

As CISA noted in their Top 10 Routinely Exploited Vulnerabilities alert from earlier this year, threat actors do not need to finance the development of or acquire zero day vulnerabilities so long as there are a plethora of publicly accessible systems running unpatched software. This is further compounded by the availability of proof of concept code and exploit scripts that threat actors can easily co-opt as part of their own attacks, as we have seen in the case of the Copy Paste Compromises attacks reported by the Australian Cyber Security Centre.”

Tenable Selected as First Vulnerability Management Partner for Splunk Mission Control

October 21, 2020

NEW DELHI, India – October 21, 2020 – Tenable®, Inc., the Cyber Exposure company, today announced it has been selected as the first vulnerability management partner to integrate with Splunk’s new cloud-native, unified security operations platform, Mission Control. Security Operations Center (SOC) analysts will soon be able to gain real-time, data-driven visibility and insight from Tenable.io®, for vulnerability management in the cloud, across their entire digital infrastructure all within a unified SOC workflow.

Digital transformation has accelerated the rapid migration to the cloud. As organizations everywhere continue to embrace cloud-first technologies, new threats and security challenges have emerged for SOCs to overcome. Now more than ever, organizations require holistic visibility across their enterprise cloud environments to better measure, manage and reduce their cyber risk.

Splunk Mission Control enables customers to accelerate the value they receive from combining their Splunk security tools with those from best-of-breed partners, such as Tenable’s industry-leading vulnerability management solutions, on a common, cloud-native work surface. SOC analysts will be able to streamline the investigation and remediation of threats using the industry’s most accurate and comprehensive vulnerability data and coverage from Tenable. Security teams will also be able to take advantage of Tenable’s predictive technologies, such as Predictive Prioritization, to contextualize SOC alerts and triage threats based on business risk. Tenable’s predictive technologies are powered by Exposure.ai, which continuously analyzes 20 trillion aspects of threat, vulnerability and asset information with machine learning algorithms to predict critical exposure points before they can be leveraged in an attack.

“When operating in such highly dynamic cloud environments, accuracy matters more than ever. You need confidence in the results of your vulnerability management program so you can determine which security threats warrant immediate action,” said Renaud Deraison, Chief Technology Officer and Co-Founder at Tenable. “Tenable’s latest integration with Splunk Mission Control empowers customers to confidently assess the state of their attack surface based on true business risk, all within a unified SOC workflow.”

Today’s announcement comes on the heels of Tenable’s launch of Frictionless Assessment – a game changer for cloud security that will allow customers to evaluate cloud assets without interruption, quickly detecting new vulnerabilities as their environments change without ever having to schedule a scan or deploy an agent. Frictionless Assessment for AWS will be available to Tenable.io customers later in the fourth quarter of 2020.

To learn more about Tenable and Splunk Mission Control, visit:

# # #

About Tenable

Tenable®, Inc. is the Cyber Exposure Company. Over 30,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to deliver the world’s first platform to see and secure any digital asset on any computing platform. Tenable customers include more than 50 percent of the Fortune 500, more than 30 percent of the Global 2000 and large government agencies. Learn more at www.tenable.com

Tenable Advises Enterprises to Patch RCE Windows Codecs and Visual Studio Code Vulnerabilities

October 20, 2020

On Friday, the US’ CISA issued an advisory for two Microsoft vulnerabilities not addressed in last week’s Patch Tuesday update.

Rody Quinlan, Security Response Manager at Tenable, has offered the following perspective:

On Friday, October 16, the Cybersecurity & Infrastructure Security Agency (CISA) released an advisory in response to Microsoft’s out-of-band patches for CVE-2020-17022 and CVE-2020-17023, both with a CVSS of 7.8 and highlighted as “important” by Microsoft. The former is a remote code execution (RCE) vulnerability in the Microsoft Windows Codecs Library given how it handles objects in memory, specifically versions prior to 1.0.32762.0 or 1.0.32763.0 of the High-Efficiency Video Coding (HEVC) video codecs. The latter is an RCE vulnerability in Visual Studio Code that can be triggered by the opening of a malicious “package.json” file. This vulnerability stems from an unsuccessful patch for CVE-2020-16881 released as part of Microsoft’s regular Patch Tuesday updates in September.

While these are RCEs, both require a degree of social engineering to exploit. In the case of CVE-2020-17022, a threat actor would need to convince a victim to use a program to process a maliciously crafted image file. For CVE-2020-17023, a threat actor must convince a victim to clone a repository with a malicious “package.json” and open it in Visual Studio Code. Exploitation of either vulnerability results in the execution of arbitrary code on the target system.

Microsoft does not commonly release out-of-band patches. However, in the case of CVE-2020-17022, Microsoft notes that, “These updates are for optional apps/components that are offered to customers as a download via the Microsoft Store,” hence the OOB patching approach. Microsoft also notes for CVE-2020-17022 that, “Affected customers will be automatically updated by Microsoft Store.” With CVE-2020-17023 requiring an update to be applied, coupled with an out-of-band advisory, we encourage administrators to patch quickly, despite this vulnerability requiring some level of user interaction to exploit. While Microsoft highlights there has been no exploitation observed in the wild, the follow-up of the CISA advisory suggests that administrators should review the patches and apply the updates if necessary.

Tenable Advises Organisations to Patch Critical Vulnerabilities in Windows TCP/IP Stack

October 14, 2020

Microsoft patched 87 CVEs in the October 2020 Patch Tuesday release, including 11 CVEs rated critical. This release follows seven consecutive months of over 100 CVEs patched, in what has been an unusually busy year for Microsoft Patch Tuesday updates.

Please find below additional commentary from Satnam Narang, Staff Research Engineer at Tenable. A full analysis by Tenable can be found here.

“This month’s Patch Tuesday includes fixes for 87 CVEs, 11 of which are rated critical. This marks the first time since February that Microsoft patched fewer than 100 CVEs. The most critical vulnerability in this month’s release is CVE-2020-16898, a remote code execution vulnerability in the Windows TCP/IP stack. Dubbed “Bad Neighbor” by researchers at McAfee, the flaw occurs because the Windows TCP/IP stack does not properly handle ICMPv6 Router Advertisement packets.

To exploit this vulnerability, an attacker would need to send a malicious ICMPv6 Router Advertisement to their targeted Windows machine. It received a CVSSv3 score of 9.8, the highest score assigned to any vulnerability in this month’s release. Microsoft also patched CVE-2020-16899, a denial of service vulnerability in the Windows TCP/IP stack. Both vulnerabilities were discovered internally by Microsoft and are rated as ‘Exploitation More Likely,’ according to Microsoft’s Exploitability Index. Microsoft also addressed CVE-2020-16896, an information disclosure vulnerability in Windows Remote Desktop Protocol.

While the vulnerability is rated as ‘Important’ and received a CVSSv3 score of 7.5, Microsoft says exploitation is more likely. To exploit the flaw, an attacker would need to connect to a system that is running RDP and send specially crafted requests to it. This information could be used by the attacker for further compromise. RDP is a prime target for cybercriminals, especially those looking to launch ransomware attacks. If an organization is exposing RDP to the Internet, they need to ensure they’ve taken appropriate steps to harden RDP, which includes ensuring all patches are applied in a timely manner.”
