A high-severity remote code execution vulnerability affecting Microsoft Windows Server and some versions of Windows 10 has been added to CISA’s Known Exploited Vulnerabilities catalog.
It is one of 15 vulnerabilities that the federal Cybersecurity and Infrastructure Security Agency (CISA) added to the catalog in this batch.
The Microsoft Windows remote code execution flaw (CVE-2020-0796) was first disclosed in March 2020 and carries the highest possible severity rating, 10.0 out of 10.0. The vulnerability was widely publicized at the time of its disclosure and has gone by names including “EternalDarkness” and “SMBGhost”.
While it is not clear what prompted the vulnerability’s addition to the CISA catalog now, the inclusion should serve as a reminder to any organization with vulnerable systems remaining to apply the available patches. VentureBeat has reached out to CISA to ask whether this is the first time the vulnerability has been found to be exploited.
Notably, however, the deadline CISA set for federal agencies to remediate CVE-2020-0796 is six months away: August 10, 2022.
“Certainly, intelligence about whether exploitation is active,” John Bambenek, principal threat hunter at digital IT and security operations firm Netenrich, told VentureBeat in an email. “However, while you can wait until August to patch, say, EternalDarkness, it’s hard to see any real urgency.”
The Microsoft remote code execution (RCE) flaw is the most severe of the newly added vulnerabilities, though two others carry a severity rating of 9.8 out of 10.0: a code execution vulnerability affecting some versions of Jenkins (CVE-2018-1000861) and an improper input validation vulnerability in some versions of Apache ActiveMQ (CVE-2016-3088).
Additions to the CISA list are “based on evidence that threat actors are actively exploiting the vulnerabilities,” CISA says on the catalog’s page.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,” CISA says. By including a vulnerability in the Known Exploited Vulnerabilities catalog, CISA directs federal agencies to update their systems with the available patches by a set deadline.
With one exception, the remediation deadline for all of the newly added vulnerabilities is August 10. The exception is the Microsoft Windows SAM local privilege escalation vulnerability (CVE-2021-36934), which has a deadline of February 24 and a severity rating of 7.8.
Remote code execution
For CVE-2020-0796, the Windows RCE vulnerability “exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests,” Microsoft says on its disclosure page.
“An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client,” the company said.
“To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server,” Microsoft said. “To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.”
According to the company, the update that addresses the vulnerability corrects how the SMBv3 protocol handles these specially crafted requests.
The Windows versions affected by the CVE-2020-0796 RCE vulnerability are:
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
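The practical question for anyone running one of the builds above is whether a given host has actually taken the fix. The following PowerShell script is an added example written for this page, not code from the article or from Microsoft. It assumes that OS build 18362 corresponds to version 1903 and 18363 to version 1909; that Microsoft’s March 12, 2020 update KB4551762 raised those builds to revision 720 (18362.720 / 18363.720), so an update build revision (UBR) of 720 or higher means the fix or a later cumulative update is present; and that the `DisableCompression` value under `LanmanServer\Parameters`, set to 1, is the server-side workaround Microsoft published in advisory ADV200005. Run it from an elevated prompt.

```powershell
# Added example for this page (not Microsoft's or the article's code): assess a
# single Windows host's exposure to CVE-2020-0796. Run from an elevated prompt.
#
# Assumptions, stated so they can be checked against Microsoft's documentation:
#   - OS build 18362 = version 1903, 18363 = version 1909 (the affected versions).
#   - KB4551762 (March 12, 2020) raised those builds to revision 720, so a UBR of
#     720 or higher indicates that fix or a later cumulative update.
#   - DisableCompression = 1 under LanmanServer\Parameters is Microsoft's published
#     server-side workaround (ADV200005); it does not protect the SMB client side.

function Test-SmbGhostExposure {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ubr   = [int]$cv.UBR                       # update build revision, e.g. 720

    $affectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }

    $result = [ordered]@{
        ComputerName        = $env:COMPUTERNAME
        OSCaption           = $os.Caption
        Build               = "$build.$ubr"
        AffectedVersion     = $affectedBuilds[$build]   # $null for any other build
        PatchInstalled      = $null
        CompressionDisabled = $null
        Exposure            = 'Not affected (build is not 1903/1909)'
    }
    if (-not $result.AffectedVersion) { return [pscustomobject]$result }

    # Fixed builds carry revision 720 or later (assumption stated above).
    $result.PatchInstalled = ($ubr -ge 720)

    # Server-side workaround: SMBv3 compression disabled on the LanmanServer service.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $prop = Get-ItemProperty -Path $regPath -Name DisableCompression -ErrorAction SilentlyContinue
    $result.CompressionDisabled = ($null -ne $prop -and [int]$prop.DisableCompression -eq 1)

    # Worst case first, then override with the better states if they apply.
    $result.Exposure = 'VULNERABLE: unpatched and SMBv3 compression enabled'
    if ($result.CompressionDisabled) {
        $result.Exposure = 'Server side mitigated by workaround; SMB client still exposed until patched'
    }
    if ($result.PatchInstalled) {
        $result.Exposure = 'Patched (revision >= 720)'
    }
    [pscustomobject]$result
}

function Enable-SmbGhostWorkaround {
    # Applies Microsoft's documented server-side workaround; no restart is needed.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name DisableCompression -Type DWord -Value 1 -Force
}

Test-SmbGhostExposure | Format-List
```

To sweep a fleet, wrap `Test-SmbGhostExposure` in `Invoke-Command -ComputerName` and collect the objects it returns. Note the caveat built into the `Exposure` string: the registry workaround only protects the host’s SMB server role. A user on a host with compression disabled but no patch can still be attacked through the client-side vector the article describes, so the workaround is a stopgap until KB4551762 or a later cumulative update is installed.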
In an analysis posted in March 2020, VMware researchers said that in addition to allowing unauthenticated attackers to execute code remotely by sending “specially crafted” packets to vulnerable SMBv3 servers, “if an attacker can convince or trick a user into connecting to a malicious SMBv3 server, then the user’s SMB3 client may also be exploited.”
“Either way, if the target or host is successfully exploited, this will give the attacker the ability to execute arbitrary code,” VMware said.
In a blog post in March 2020, Tenable’s Satnam Narang pointed out that the vulnerability was described as “wormable.”
Narang said the vulnerability “evokes memories of EternalBlue, specifically CVE-2017-0144, a remote code execution vulnerability in Microsoft SMBv1 that was used as part of the WannaCry ransomware attacks.” He added: “It’s definitely a fair comparison, because researchers are referring to it as EternalDarkness.”
Other vulnerabilities newly added to CISA’s Known Exploited Vulnerabilities catalog include additional flaws in Microsoft products and two vulnerabilities in Apple software.
In an email to VentureBeat, Bud Broomhead, CEO of enterprise IoT security vendor Viakoo, said: “Congratulations to CISA for focusing security professionals on the serious vulnerabilities known to be exploited. Many security teams are overworked and overwhelmed. The clarification from CISA on what their priorities and focus are is invaluable.”
As for the gap between when a vulnerability is discovered and when it is added to the CISA list, Broomhead said, it comes down to when it is determined that the vulnerability is actually being exploited. “With about 170,000 known vulnerabilities, those that are currently doing real harm should be prioritized, not those that could do harm in principle,” Broomhead said.
Here is the complete list of the 15 vulnerabilities added to CISA’s catalog:
- CVE-2021-36934: Microsoft Windows SAM Local Privilege Escalation Vulnerability
- CVE-2020-0796: Microsoft SMBv3 Remote Code Execution Vulnerability
- CVE-2018-1000861: Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability
- CVE-2017-9791: Apache Struts 1 Improper Input Validation Vulnerability
- CVE-2017-8464: Microsoft Windows Shell (.lnk) Remote Code Execution Vulnerability
- CVE-2017-10271: Oracle Corporation WebLogic Server Remote Code Execution Vulnerability
- CVE-2017-0263: Microsoft Win32k Privilege Escalation Vulnerability
- CVE-2017-0262: Microsoft Office Remote Code Execution Vulnerability
- CVE-2017-0145: Microsoft SMBv1 Remote Code Execution Vulnerability
- CVE-2017-0144: Microsoft SMBv1 Remote Code Execution Vulnerability
- CVE-2016-3088: Apache ActiveMQ Improper Input Validation Vulnerability
- CVE-2015-2051: D-Link DIR-645 Router Remote Code Execution Vulnerability
- CVE-2015-1635: Microsoft HTTP.sys Remote Code Execution Vulnerability
- CVE-2015-1130: Apple OS X Authentication Bypass Vulnerability
- CVE-2014-4404: Apple OS X Heap-Based Buffer Overflow Vulnerability
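The point Broomhead makes, that what is being exploited now should come before what could be exploited in principle, is easiest to act on if the catalog is joined against what a vulnerability scanner actually found. The following PowerShell script is an added example written for this page, not tooling from CISA or the article. The JSON it embeds is a constructed subset of the catalog using the field names of CISA’s published KEV feed (`cveID`, `vulnerabilityName`, `dateAdded`, `dueDate`), with the dates stated in this article; the scanner findings are likewise constructed, and the hostnames are placeholders.

```powershell
# Added example for this page (not CISA's or the article's code): join a KEV
# catalog snapshot against scanner findings and rank work by remediation deadline.
# The catalog JSON is a constructed subset in the shape of CISA's KEV feed; the
# findings are constructed too. Hostnames are placeholders.

$kevJson = @'
{
  "vulnerabilities": [
    { "cveID": "CVE-2021-36934", "vulnerabilityName": "Microsoft Windows SAM Local Privilege Escalation Vulnerability", "dateAdded": "2022-02-10", "dueDate": "2022-02-24" },
    { "cveID": "CVE-2020-0796", "vulnerabilityName": "Microsoft SMBv3 Remote Code Execution Vulnerability", "dateAdded": "2022-02-10", "dueDate": "2022-08-10" },
    { "cveID": "CVE-2018-1000861", "vulnerabilityName": "Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability", "dateAdded": "2022-02-10", "dueDate": "2022-08-10" },
    { "cveID": "CVE-2017-0144", "vulnerabilityName": "Microsoft SMBv1 Remote Code Execution Vulnerability", "dateAdded": "2022-02-10", "dueDate": "2022-08-10" },
    { "cveID": "CVE-2016-3088", "vulnerabilityName": "Apache ActiveMQ Improper Input Validation Vulnerability", "dateAdded": "2022-02-10", "dueDate": "2022-08-10" }
  ]
}
'@

# Constructed scanner export: one row per (host, CVE) finding.
$findings = @(
    [pscustomobject]@{ Host = 'fs01';  CVE = 'CVE-2020-0796' },
    [pscustomobject]@{ Host = 'fs01';  CVE = 'CVE-2021-36934' },
    [pscustomobject]@{ Host = 'ci01';  CVE = 'CVE-2018-1000861' },
    [pscustomobject]@{ Host = 'mq01';  CVE = 'CVE-2016-3088' },
    [pscustomobject]@{ Host = 'web02'; CVE = 'CVE-2019-0001' }   # placeholder CVE not in KEV
)

function Get-KevPriority {
    param(
        [string]$KevJson,
        [object[]]$Findings,
        [datetime]$AsOf = (Get-Date)
    )
    # Index the catalog by CVE ID for O(1) lookups per finding.
    $kev = @{}
    foreach ($v in ($KevJson | ConvertFrom-Json).vulnerabilities) { $kev[$v.cveID] = $v }

    foreach ($f in $Findings) {
        $entry = $kev[$f.CVE]
        if (-not $entry) {
            # Not in the catalog: still a finding, but it goes behind everything CISA flagged.
            [pscustomobject]@{ Host = $f.Host; CVE = $f.CVE; InKev = $false; DueDate = $null; DaysLeft = $null; Status = 'Not in KEV' }
            continue
        }
        $due    = [datetime]::ParseExact($entry.dueDate, 'yyyy-MM-dd', $null)
        $days   = [int]($due.Date - $AsOf.Date).TotalDays
        $status = if ($days -lt 0) { 'OVERDUE' } elseif ($days -le 14) { 'Due within 14 days' } else { 'Scheduled' }
        [pscustomobject]@{ Host = $f.Host; CVE = $f.CVE; InKev = $true; DueDate = $due.ToString('yyyy-MM-dd'); DaysLeft = $days; Status = $status }
    }
}

# Catalog entries first, then soonest deadline first. The -AsOf date is fixed so the
# output is reproducible; drop it to evaluate against today's date.
Get-KevPriority -KevJson $kevJson -Findings $findings -AsOf (Get-Date '2022-02-14') |
    Sort-Object @{ Expression = 'InKev'; Descending = $true }, DaysLeft |
    Format-Table -AutoSize
```

With the fixed `-AsOf` date of February 14, 2022, the CVE-2021-36934 finding on `fs01` surfaces at the top with 10 days left and the status “Due within 14 days”, the August 10 items sit behind it as “Scheduled”, and the placeholder CVE that is not in the catalog falls to the bottom. Replacing the embedded JSON with the live feed downloaded from CISA and the `$findings` array with a real scanner export turns this into a daily work queue.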