On March 2, 2021 (US Time), Microsoft has released information regarding multiple vulnerabilities in Microsoft Exchange Server. A remote attacker may execute arbitrary code with SYSTEM privileges by leveraging these vulnerabilities. According to Microsoft, four of these vulnerabilities have already been exploited in limited targeted attacks, and it is recommended to take measures as soon as possible. For more information, please refer to the information provided by Microsoft.

Microsoft The_Exchange_Team
Released: March 2021 Exchange Server Security Updates
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

Microsoft Security Response Center
Multiple Security Updates Released for Exchange Server
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

Microsoft has released versions that address these vulnerabilities. Microsoft recommends prioritizing installing updates on Exchange Servers that are externally facing. Please consider to take measures as soon as possible by referring to the information provided by Microsoft.

• Microsoft Exchange Server 2019 (CU 8, CU 7)
• Microsoft Exchange Server 2016 (CU 19, CU 18)
• Microsoft Exchange Server 2013 (CU 23)

In addition, the security updates are also available for Microsoft Exchange Server 2010, which is no longer supported.

Information that explains the details of the observed attacks has been released by Microsoft and others. In addition to the details of the exploited vulnerabilities, the Microsoft's blog provides information on activities confirmed in the attack, investigation methods and indicator information for confirming the presence of damage from the attack. Please check the information as a reference for your investigation.

Microsoft
HAFNIUM targeting Exchange Servers with 0-day exploits
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Update: March 8, 2021 Update
Microsoft released a new blog and recommended to promptly apply countermeasures as well as to investigate if attacks exploiting these vulnerabilities have already been conducted. Microsoft also released PowerShell scripts on Github to investigate the evidence of compromise. In addition, other parties such as Volexity, FireEye and CISA have also released information on indicators and investigation methods for attacks that exploit these vulnerabilities. It is recommended to take measures and investigate as soon as possible by referring to the information by Microsoft and others.

Microsoft
Microsoft Exchange Server Vulnerabilities Mitigations - updated March 6, 2021
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

Microsoft
microsoft / CSS-Exchange
https://github.com/microsoft/CSS-Exchange/tree/main/Security

CISA
Alert (AA21-062A) Mitigate Microsoft Exchange Server Vulnerabilities
https://us-cert.cisa.gov/ncas/alerts/aa21-062a

Volexity
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

FireEye
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html

Multiple vulnerabilities were identified in Cisco products, a remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, remote code execution and sensitive information disclosure on the targeted system.
Notes: No patch is currently available.

• Denial of Service
• Remote Code Execution
• Information Disclosure

Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
• Cisco ASR 5000 21.5.27
• Cisco ASR 5500 21.5.27
• Cisco ASR 5500 21.11.15
• Cisco ASR 5500 21.14.22
• Cisco ASR 5500 21.20.2
• Cisco Virtual Packet Core 21.5.27
• Cisco Virtual Packet Core 21.11.15
• Cisco Virtual Packet Core 21.14.22
• Cisco Virtual Packet Core 21.20.2
Notes: Patch will be available on 31-Jul-2020
Please refer to the link below for detail:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-treck-ip-stack-JyBQ5GyC

• CVE-2020-11896
• CVE-2020-11897
• CVE-2020-11898
• CVE-2020-11899
• CVE-2020-11900
• CVE-2020-11901
• CVE-2020-11902
• CVE-2020-11903
• CVE-2020-11904
• CVE-2020-11905
• CVE-2020-11906
• CVE-2020-11907
• CVE-2020-11908
• CVE-2020-11909
• CVE-2020-11910
• CVE-2020-11911
• CVE-2020-11912
• CVE-2020-11913
• CVE-2020-11914

A vulnerability was identified in Adobe Reader Mobile, a remote attacker can exploit this vulnerability to obtain sensitive information on the targeted system.

• Information Disclosure

Before installation of the software, please visit the vendor web-site for more details.
The vendor has issued a fix :
https://play.google.com/store/apps/details?id=com.adobe.reader

• CVE-2020-9663

A vulnerability was identified in Adobe Photoshop, a remote attacker can exploit this vulnerability to trigger remote code execution on the targeted system.

• Remote Code Execution

Before installation of the software, please visit the vendor web-site for more details.
The vendor has issued a fix :
https://helpx.adobe.com/security/products/photoshop/apsb20-45.html

• CVE-2020-9683
• CVE-2020-9686
• CVE-2020-9684
• CVE-2020-9685
• CVE-2020-9687

A vulnerability has been identified in Microsoft Windows, a remote user can exploit this vulnerability to trigger sensitive information disclosure on the targeted system.
Notes: No patch is currently available.

• Information Disclosure

Workaround:
Given the nature of the vulnerability the only salient mitigation strategy is to restrict interaction with the application.

• No CVE information is available

A vulnerability was identified in Python, a remote attacker can exploit this vulnerability to trigger remote code execution on the targeted system.

• Remote Code Execution

Before installation of the software, please visit the vendor web-site for more details.
The vendor has issued a fix :
https://docs.python.org/3/whatsnew/changelog.html#python-3-8-4-final

• CVE-2020-15523

Multiple vulnerabilities were identified in SQLite, a remote attacker could exploit some of these vulnerabilities to trigger denial of service condition and remote code execution on the targeted system.

• Denial of Service
• Remote Code Execution

Before installation of the software, please visit the vendor web-site for more details.
Update SQLite to version 3.32.3. TensorFlow must be updated to obtain the security fix.

• CVE-2020-13434
• CVE-2020-13435

A vulnerability was identified in IBM WebSphere Application Server, a remote attacker could exploit this vulnerability to trigger remote code execution on the targeted system.

• Remote Code Execution

Before installation of the software, please visit the vendor web-site for more details.
https://www.ibm.com/support/pages/node/6250059

• CVE-2020-4464

A vulnerability was identified in Cisco Webex Meetings and Cisco Webex Meetings Server, a remote user can exploit this vulnerability to perform data manipulation on the targeted system.

• Data Manipulation

Before installation of the software, please visit the vendor web-site for more details.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-html-BJ4Y9tX

• CVE-2020-3345

A vulnerability was identified in Fortinet FortOS, a remote attacker could exploit this vulnerability to bypass security restriction on the targeted system.

• Security Restriction Bypass

Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
• FortiOS 6.0.10 or later version
• FortiOS 6.2.4 or later version
• FortiOS 6.4.1 or later version

• CVE-2020-1281

Multiple vulnerabilities were identified in Apache Tomcat, a remote attacker could exploit some of these vulnerabilities to trigger denial of service condition and security restriction bypass on the targeted system.

• Denial of Service
• Security Restriction Bypass

Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
-10.0.0-M7 or later
- 9.0.37 or later
- 8.5.57 or later

• CVE-2020-13934
• CVE-2020-13935

Multiple vulnerabilities were identified in Oracle Products, a remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, remote code execution, sensitive information disclosure, data manipulation and bypass security restriction on the targeted system.

• Denial of Service
• Security Restriction Bypass
• Remote Code Execution
• Information Disclosure
• Data Manipulation

Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
Oracle Critical Patch Update Advisory

Microsoft has released monthly security update for their products:

• Denial of Service
• Elevation of Privilege
• Remote Code Execution
• Information Disclosure
• Spoofing
• Data Manipulation

Before installation of the software, please visit the vendor's web-site for more details.
• Apply fixes issued by the vendor.

Multiple vulnerabilities were identified in Android, a remote attacker could exploit some of these vulnerabilities to trigger elevation of privilege, remote code execution and sensitive information disclosure on the targeted system.

• Elevation of Privilege
• Remote Code Execution
• Information Disclosure

Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
https://source.android.com/security/bulletin/2020-06-01

• CVE-2017-9704
• CVE-2019-10597
• CVE-2019-14047
• CVE-2019-14062
• CVE-2019-14073
• CVE-2019-14076
• CVE-2019-14080
• CVE-2019-2219
• CVE-2019-9460
• CVE-2020-0113
• CVE-2020-0114
• CVE-2020-0115
• CVE-2020-0116
• CVE-2020-0117
• CVE-2020-0118
• CVE-2020-0119
• CVE-2020-0121
• CVE-2020-3614
• CVE-2020-3626
• CVE-2020-3628
• CVE-2020-3635
• CVE-2020-3642
• CVE-2020-3658
• CVE-2020-3660
• CVE-2020-3661
• CVE-2020-3662
• CVE-2020-3663
• CVE-2020-3665
• CVE-2020-3676
• CVE-2020-8428
• CVE-2020-8597
• CVE-2020-8647
• CVE-2020-8648

A vulnerability was identified in Fortinet products, a remote attacker could exploit this vulnerability to trigger denial of service on the targeted system.

• Denial of Service

Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
https://fortiguard.com/psirt/FG-IR-16-039

• CVE-2004-0230

Multiple vulnerabilities were identified in Google Chrome, a remote attacker could exploit some of these vulnerabilities to trigger remote code execution and security restriction bypass on the targeted system.

• Remote Code Execution
• Security Restriction Bypass

Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
• Google Chrome 83.0.4103.61

• CVE-2020-6465
• CVE-2020-6466
• CVE-2020-6467
• CVE-2020-6468
• CVE-2020-6469
• CVE-2020-6470
• CVE-2020-6471
• CVE-2020-6472
• CVE-2020-6473
• CVE-2020-6474
• CVE-2020-6475
• CVE-2020-6476
• CVE-2020-6477
• CVE-2020-6478
• CVE-2020-6479
• CVE-2020-6480
• CVE-2020-6481
• CVE-2020-6482
• CVE-2020-6483
• CVE-2020-6484
• CVE-2020-6485
• CVE-2020-6486
• CVE-2020-6487
• CVE-2020-6488
• CVE-2020-6489
• CVE-2020-6490
• CVE-2020-6491

A vulnerability was identified in ISC BIND, a remote attacker could exploit this vulnerability to trigger denial of service condition on the targeted system.

• Denial of Service

Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
• BIND 9.11.19
• BIND 9.14.12
• BIND 9.16.3
• BIND 9.11.19-S1

For detail, please refer to the link below:
https://kb.isc.org/docs/cve-2020-8616 and https://kb.isc.org/docs/cve-2020-8617

• CVE-2020-8617
• CVE-2020-8616

A vulnerability has been identified in Microsoft Windows DNS Server, a remote user can exploit this vulnerability to trigger denial of service on the targeted system.

• Denial of Service

• Workaround:
Enable RRL on a DNS server, please refer to DNS Server Response Rate Limiting

• No CVE information is available

• US-CERT
• Microsoft

Multiple vulnerabilities were identified in Red Hat Kernel, a remote attacker could exploit some of these vulnerabilities to trigger denial of service condition and elevation of privilege on the targeted system.

• Elevation of Privilege
• Denial of Service

• CVE-2017-18595
• CVE-2019-19768
• CVE-2020-10711
• CVE-2020-11884

Multiple vulnerabilities were identified in Android, a remote attacker could exploit some of these vulnerabilities to trigger elevation of privilege, remote code execution and sensitive information disclosure on the targeted system.

• Elevation of Privilege
• Remote Code Execution
• Information Disclosure

Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
• https://source.android.com/security/bulletin/2020-05-01

• CVE-2019-14053
• CVE-2019-14054
• CVE-2019-14066
• CVE-2019-14067
• CVE-2019-14077
• CVE-2019-14078
• CVE-2019-14087
• CVE-2019-19536
• CVE-2020-0024
• CVE-2020-0064
• CVE-2020-0065
• CVE-2020-0090
• CVE-2020-0091
• CVE-2020-0092
• CVE-2020-0093
• CVE-2020-0094
• CVE-2020-0096
• CVE-2020-0097
• CVE-2020-0098
• CVE-2020-0100
• CVE-2020-0101
• CVE-2020-0102
• CVE-2020-0103
• CVE-2020-0104
• CVE-2020-0105
• CVE-2020-0106
• CVE-2020-0109
• CVE-2020-0110
• CVE-2020-3610
• CVE-2020-3615
• CVE-2020-3616
• CVE-2020-3618
• CVE-2020-3623
• CVE-2020-3625
• CVE-2020-3630
• CVE-2020-3633
• CVE-2020-3641
• CVE-2020-3645
• CVE-2020-3680

• Android

A vulnerability was identified in OpenSSL, which could be exploited by attackers to trigger denial of service on the targeted system.
Note: Proof Of Concept Exploit Code Is Publicly Available

• Denial of Service

Before installation of the software, please visit the vendor web-site for more details.
Update to:
• Version 1.1.1g

• CVE-2020-1967

• openSSL
• US-CERT
• Security Affairs

Multiple vulnerabilities were identified in Oracle Products, a remote attacker could exploit some of these vulnerabilities to trigger denial of service, elevation of privilege, remote code execution, security restriction bypass, sensitive information disclosure and tampering on the targeted system.

One of the vulnerabilities (CVE-2020-2883) in Oracle WebLogic Server was currently being exploited in the wild. The risk level was increased to extremely high risk correspondingly.

• Denial of Service
• Elevation of Privilege
• Remote Code Execution
• Security Restriction Bypass
• Information Disclosure
• Data Manipulation

Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
• Oracle Critical Patch Update Advisory

Multiple vulnerabilities were identified in Adobe Magento, a remote attacker could exploit some of these vulnerabilities to trigger remote code execution, security restriction bypass and sensitive information disclosure on the targeted system.

• Remote Code Execution
• Security Restriction Bypass
• Information Disclosure

Before installation of the software, please visit the vendor's web-site for more details.
Apply fixes issued by the vendor:
• Magento Commerce 2.3.4-p2
• Magento Commerce 2.3.5-p1
• Magento Open Source 2.3.4-p2
• Magento Open Source 2.3.5-p1
• Magento Enterprise Edition 1.14.4.5
• Magento Community Edition 1.9.4.5

For detail, please refer to the link below:
https://helpx.adobe.com/security/products/magento/apsb20-22.html

• CVE-2020-9591
• CVE-2020-9588
• CVE-2020-9587
• CVE-2020-9586
• CVE-2020-9585
• CVE-2020-9584
• CVE-2020-9583
• CVE-2020-9582
• CVE-2020-9581
• CVE-2020-9580
• CVE-2020-9579
• CVE-2020-9578
• CVE-2020-9577
• CVE-2020-9576

Multiple vulnerabilities were identified in Oracle Products, a remote attacker could exploit some of these vulnerabilities to trigger denial of service, elevation of privilege, remote code execution, security restriction bypass, sensitive information disclosure and tampering on the targeted system.

One of the vulnerabilities (CVE-2020-2883) in Oracle WebLogic Server was currently being exploited in the wild. The risk level was increased to extremely high risk correspondingly.

• Denial of Service
• Elevation of Privilege
• Remote Code Execution
• Security Restriction Bypass
• Information Disclosure
• Data Manipulation

Before installation of the software, please visit the vendor's web-site for more details.
Oracle Critical Patch Update Advisory

Multiple vulnerabilities were identified in WordPress, a remote attacker could exploit some of these vulnerabilities to trigger cross-site scripting, security restriction bypass and sensitive information disclosure on the targeted system.

• Cross-Site Scripting
• Security Restriction Bypass
• Information Disclosure

Before installation of the software, please visit the vendor's web-site for more details.
Apply fixes issued by the vendor:
WordPress version 5.4.1

No CVE information is available

• WordPress
• US-CERT

Multiple vulnerabilities have been identified in Apple iOS. A remote attacker can exploit these vulnerabilities to trigger remote code execution, denial of service, sensitive information disclosure and data manipulation in the context of the Mail app (such as MobileMail on iOS 12 or maild on iOS 13) on the targeted system.

• Denial of Service
• Remote Code Execution
• Information Disclosure
• Data Manipulation

Note: Stable version of the patch is under development – only Beta version of the patch is available at the moment.

Multiple vulnerabilities were identified in Cisco products, a remote attacker could exploit some of these vulnerabilities to trigger remote code execution, security restriction bypass and sensitive information disclosure on the targeted system.

• Remote Code Execution
• Security Restriction Bypass
• Information Disclosure

Before installation of the software, please visit the vendor's web-site for more details.
Apply fixes issued by the vendor:
• Cisco UCS Director
Please refer to the link below for detail:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E

• Cisco Unified Communications Manager (UCM)
Please refer to the link below for detail:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-taps-path-trav-pfsFO93r

• Cisco Webex Meetings
Please refer to the link below for detail:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-player-Q7Rtgvby

• CVE-2020-3177
• CVE-2020-3194
• CVE-2020-3239
• CVE-2020-3240
• CVE-2020-3243
• CVE-2020-3247
• CVE-2020-3248
• CVE-2020-3249
• CVE-2020-3250
• CVE-2020-3251
• CVE-2020-3252

Adobe has released monthly security update for their products:

• Denial of Service
• Elevation of Privilege
• Information Disclosure

Before installation of the software, please visit the vendor's web-site for more details.
• Apply fixes issued by the vendor. Please refer to 'Details' column in the above table for details of individual product update or run software update

Multiple vulnerabilities were identified in Oracle Products, a remote attacker could exploit some of these vulnerabilities to trigger denial of service, elevation of privilege, remote code execution, security restriction bypass, sensitive information disclosure and tampering on the targeted system.

• Denial of Service
• Elevation of Privilege
• Remote Code Execution
• Security Restriction Bypass
• Data Manipulation

Before installation of the software, please visit the vendor's web-site for more details.
Apply fixes issued by the vendor:
Oracle Critical Patch Update Advisory

A vulnerability was identified in VMWare vCenter Server, a remote attacker could exploit this vulnerability to trigger sensitive information disclosure on the targeted system.

• Information Disclosure

Before installation of the software, please visit the vendor's web-site for more details.
Apply fixes issued by the vendor:
https://www.vmware.com/security/advisories/VMSA-2020-0006.html

• CVE-2020-3952

Microsoft has released monthly security update for their products:

• Denial of Service
• Elevation of Privilege
• Remote Code Execution
• Information Disclosure
• Spoofing

• Extended Security Updates (ESU)
• Windows
• Microsoft Apps
• Browser
• Developer Tools
• Microsoft Dynamics
• Microsoft Office

Before installation of the software, please visit the vendor's web-site for more details.
Apply fixes issued by the vendor

• https://www.cvedetails.com/vulnerability-list.php?vendor_id=26&year=2020&month=04

Multiple vulnerabilities were identified in Google Chrome, a remote attacker could exploit these vulnerabilities to trigger spoofing, remote code execution and security restriction bypass on the targeted system.

• Remote Code Execution
• Security Restriction Bypass
• Spoofing

Before installation of the software, please visit the vendor's web-site for more details.
Apply fixes issued by the vendor:

• Google Chrome 80.0.3987.87

• CVE-2019-18197
• CVE-2019-19880
• CVE-2019-19923
• CVE-2019-19925
• CVE-2019-19926
• CVE-2020-6381
• CVE-2020-6382
• CVE-2020-6385
• CVE-2020-6387
• CVE-2020-6388
• CVE-2020-6389
• CVE-2020-6390
• CVE-2020-6391
• CVE-2020-6392
• CVE-2020-6393
• CVE-2020-6394
• CVE-2020-6395
• CVE-2020-6396
• CVE-2020-6397
• CVE-2020-6398
• CVE-2020-6399
• CVE-2020-6400
• CVE-2020-6401
• CVE-2020-6402
• CVE-2020-6403
• CVE-2020-6404
• CVE-2020-6405
• CVE-2020-6406
• CVE-2020-6408
• CVE-2020-6409
• CVE-2020-6410
• CVE-2020-6411
• CVE-2020-6412
• CVE-2020-6413
• CVE-2020-6414
• CVE-2020-6415
• CVE-2020-6416
• CVE-2020-6417

Multiple vulnerabilities were identified in Google Chrome, a remote attacker could exploit these vulnerabilities to trigger spoofing, remote code execution and security restriction bypass on the targeted system.

• Remote Code Execution
• Security Restriction Bypass
• Spoofing

Before installation of the software, please visit the vendor's web-site for more details.
Apply fixes issued by the vendor:

• Google Chrome 80.0.3987.87

• CVE-2019-18197
• CVE-2019-19880
• CVE-2019-19923
• CVE-2019-19925
• CVE-2019-19926
• CVE-2020-6381
• CVE-2020-6382
• CVE-2020-6385
• CVE-2020-6387
• CVE-2020-6388
• CVE-2020-6389
• CVE-2020-6390
• CVE-2020-6391
• CVE-2020-6392
• CVE-2020-6393
• CVE-2020-6394
• CVE-2020-6395
• CVE-2020-6396
• CVE-2020-6397
• CVE-2020-6398
• CVE-2020-6399
• CVE-2020-6400
• CVE-2020-6401
• CVE-2020-6402
• CVE-2020-6403
• CVE-2020-6404
• CVE-2020-6405
• CVE-2020-6406
• CVE-2020-6408
• CVE-2020-6409
• CVE-2020-6410
• CVE-2020-6411
• CVE-2020-6412
• CVE-2020-6413
• CVE-2020-6414
• CVE-2020-6415
• CVE-2020-6416
• CVE-2020-6417

CERT-GH confirmed that information including Proof-of-Concept code about a vulnerability (CVE-2019-19781) in Citrix Application Delivery Controller and Citrix Gateway has been made public. A remote attacker leveraging this vulnerability may execute arbitrary code. On January 12, 2020, Bad Packets released information about scanning activities that appeared to be leveraging the vulnerability.

• Elevation of Privilege
• Remote Code Execution
• Security Restriction Bypass
• Information Disclosure
• Spoofing

Before installation of the software, please visit the vendor web-site for more details.
Update to the following versions via "Software Update":

• iOS 13.3.1
• iPadOS 13.3.1
• macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra
• tvOS 13.3.1
• watchOS 6.1.2
• Safari 13.0.5
• iTunes 12.10.4 for Windows

• CVE-2020-3828
• CVE-2020-3829
• CVE-2020-3831
• CVE-2020-3833
• CVE-2020-3836
• CVE-2020-3837
• CVE-2020-3838
• CVE-2020-3840
• CVE-2020-3842
• CVE-2020-3841
• CVE-2020-3844
• CVE-2020-3853
• CVE-2020-3856
• CVE-2020-3857
• CVE-2020-3858
• CVE-2020-3859
• CVE-2020-3860
• CVE-2020-3861
• CVE-2020-3868
• CVE-2020-3869
• CVE-2020-3870
• CVE-2020-3872
• CVE-2020-3873
• CVE-2020-3874
• CVE-2020-3875
• CVE-2020-3878

CERT-GH confirmed that information including Proof-of-Concept code about a vulnerability (CVE-2019-19781) in Citrix Application Delivery Controller and Citrix Gateway has been made public. A remote attacker leveraging this vulnerability may execute arbitrary code. On January 12, 2020, Bad Packets released information about scanning activities that appeared to be leveraging the vulnerability.

The method of confirming whether this vulnerability is exploited is as follows;

1. Check if there is any access to the device from a suspicious IP address.
   The log of HTTP traffic to the device is recorded in httpaccess.log and httperror.log
2. Check whether traffic that exploits the vulnerability is recorded in the device log.
   If the Proof-of-Concept code that exploits this vulnerability is executed, traffic including the following string is recorded in the device.
   /vpns/
   /vpn/../vpns/cfg/smb.conf
   /vpn/../vpns/portal/scripts/newbm.pl
   /vpn/../vpns/portal/backdoor.xml
   /vpns/portal/scripts/newbm.pl
3. Check the files under the following directory on the device.
   If there is a recently created unknown xml file, the file is a malicious file created by an attacker, it is possible that an attack has been already conducted to compromise the device.
   /var/tmp/netscaler/portal/templates
   /netscaler/portal/templates
4. Check device processes and corn jobs
   Execute commands on the device to check if there is any process or corn job running by the user "nobody".
   If this vulnerability is exploited, processes are executed by a user named "nobody". If such processes are running, it is possible that an attack has been already conducted to compromise the device.

As of January 17, 2020, Citrix has not provided solution for this vulnerability. Please consider applying "V. Mitigation" or discontinuing the use of the products.

Also, Citrix is planning to provide versions addressing the vulnerability on the following dates.
January 24, 2020
- Citrix NetScaler ADC and NetScaler Gateway version 10.5
On January 24, Citrix released the version 10.5 of Citrix NetScaler ADC and NetScaler Gateway that addresses this vulnerability. Since attacks leveraging the vulnerability are still being observed, we would recommend to apply solution and check whether system has been compromised as soon as possible.

Please consider to apply the following mitigation.

• Restrict unnecessary traffic by firewall, etc
• Apply workarounds provided by Citrix

Privilege Escalation Vulnerability has been reported in Microsoft Windows Installer which could allow an attacker to execute arbitrary code on a targeted system.

This vulnerability exists due to Windows Installer fails to properly sanitize input.  A local attacker could exploit this vulnerability by accessing the system and executing an application that submits malicious input to the affected system.  Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code with escalated privileges.

Apply appropriate updates as mentioned in the following
URL: https://portal.msrc.microsoft.com/en-US/security-guidance

Vendor Information
Microsoft
https://portal.msrc.microsoft.com/en-US/security-guidance

Microsoft
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0973
CVE Name

CVE-2019-0973

A Vulnerability has been reported in Windows kernel which could be exploited by remote attacker to disclose sensitive information on the targeted system.

This vulnerability exists in Windows kernel due to improper initialization of objects in the memory. An attacker could exploit this vulnerability by hosting specially crafted website.
Successful exploitation of this vulnerability could allow a remote attacker to obtain sensitive information to further compromise the users system.

Apply appropriate patches as mentioned in Microsoft Security Bulletin
URL: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1039
Vendor Information
Microsoft
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1039

Microsoft
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1039

Cisco
https://tools.cisco.com/security/center/viewAlert.x?alertId=60599
CVE Name

CVE-2019-1039

Multiple Vulnerability have been reported in Drupal which could be exploited by an attacker to execute arbitrary commands on a targeted system.

1. Access bypass Vulnerability

   This vulnerability exists due to insufficient check user permissions to access its workflows entities.  An attacker could exploit this vulnerability by Forms Steps provides an UI to create form workflows using form modes. Successful exploitation of this vulnerability could allow the attacker to see any entities that have been created through the different steps of its multistep forms.

2. Insecure session token management Vulnerability

   This vulnerability allows you to store external images on your server and apply your own Image Styles. The module exposes cookies to external sites when making external image requests.
An attacker could exploit this vulnerability successfully take control of the targeted website.

Apply appropriate updates as mentioned in the following URL:
https://www.drupal.org/sa-contrib-2019-064
https://www.drupal.org/sa-contrib-2019-065
Vendor Information
Drupal
https://www.drupal.org/security/contrib

Drupal
https://www.drupal.org/sa-contrib-2019-064

https://www.drupal.org/sa-contrib-2019-0645

This vulnerability has been reported Apple products which could allow a remote attacker to execute arbitrary code on the targeted system.

This use after free vulnerability exists in the XNU kernel of iOS and macOS due to improper memory management.
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code with system privileges on the affected systems and allowing the jailbreak of the devices.

Apply appropriate security updates as mentioned in the Apple Security Advisory
Vendor Information
Apple
https://support.apple.com/en-in/HT210548
https://support.apple.com/en-in/HT210549

Multiple vulnerabilities have been reported in SAP products, which could be exploited by a remote attacker to execute arbitrary code, inject malicious code, obtain sensitive information, cause denial of service conditions, perform cross site scripting attacks or perform other unauthorized activities on a targeted system.

These vulnerabilities exist in SAP products due to unsafe deserialization error, insufficient encoding of user-controlled inputs, absence of HTTP Only flag in session cookie, incorrect hardening of the XML Parser, unencrypted communication error and other flaws in the affected software. A remote attacker can exploit these vulnerabilities by injecting malicious code, sending a specially crafted XML file, executing a "Go to statement", performing unauthorized queries, running/storing a malicious script or payload, giving a payload as keyword in the search and via other attack vectors.
Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary code, inject malicious code, obtain sensitive information, cause denial of service conditions, perform cross site scripting attacks or perform other unauthorized activities on a targeted system.


Apply appropriate patches as mentioned on SAP website: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017
Vendor Information
SAP
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017

A Vulnerability has been reported in Azure Active Directory Authentication Library which could allow an authenticated attacker to perform actions in context of another user on the targeted system.

This vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow. An attacker could exploit this vulnerability by accessing a service configured for On-Behalf-Of flow Library that assigns incorrect tokens.
Successful exploitation of this vulnerability could allow an authenticated attacker to perform actions in context of another user.

Apply appropriate patches as mentioned in Microsoft security bulletin:
https://portal.msrc.microsoft.com/en-US/security-guidance
Vendor Information
Microsoft
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1258

Multiple vulnerabilities have been reported in Microsoft browsers and ChakraCore scripting engine, which could be exploited by a remote attacker to bypass security restrictions and execute arbitrary code on the targeted system.

1. Memory Corruption Vulnerability ( CVE-2019-1138 CVE-2019-1217 CVE-2019-1237 CVE-2019-1298 CVE-2019- 1300 )

   Multiple memory corruption vulnerabilities exist in Microsoft Edge due to improper handling of objects in the memory by the scripting engine. An attacker could exploit this vulnerability by hosting specially crafted website or websites that accept or host user provided content and convince user to view these websites. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code with the privileges of the current user which could lead to further system compromise.

2. Security Feature Bypass Vulnerability ( CVE-2019-1220 )

   This vulnerability exists in Microsoft Edge due to improper handling whitelist sites by the Edge. A remote attacker could exploit this vulnerability by convincing a user to visit a specially crafted website. Successful exploitation of this vulnerability could allow a remote attacker to access URLs in a less restricted Internet Security Zone.

3. Information Disclosure Vulnerability ( CVE-2019-1299 )

   This vulnerability exists in Microsoft Edge due to improper handling of objects in the memory. An attacker could exploit this vulnerability by hosting specially crafted website or websites that accept or host user-provided content and convince user to view these websites. Successful exploitation of this vulnerability could allow the remote attacker to gain access to unauthorized sensitive data, which could lead to further system compromise.

Apply appropriate patches as mentioned in Microsoft Security Bulletin
https://portal.msrc.microsoft.com/en-US/security-guidance
Vendor Information
Microsoft
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1138
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1217
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1237
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1298
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1300
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1220
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1299

A vulnerability has been reported in EXIM email server software which could allow an attacker to execute arbitrary code with root privileges.

This vulnerability exists in the EXIM email server software due to improper handling of peer distinguished names (DN) and ServerName Indication (SNI) during a TLS negotiation. A local or remote attacker could exploit this vulnerability by sending a specially crafted SNI data during a TLS negotiation leading to a buffer overflow error.

Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code with root privileges. Note: An Exim server which accepts TLS connections is vulnerable.

Apply appropriate patches as mentioned on EXIM website:
https://exim.org/static/doc/security/CVE-2019-15846.txt
Vendor Information
EXIM
https://exim.org/static/doc/security/CVE-2019-15846.txt