After the report on the 10 most exploited vulnerabilities published this summer by the FBI, it is now the turn of the US National Security Agency (NSA) to publish a list of the main vulnerabilities currently being targeted the most.
The NSA urges the public and private sectors to apply the patches or mitigations that already exist, are available and are ready to install, in order to prevent exploitation of these vulnerabilities.
The published list gives detailed information on the 25 main vulnerabilities that are currently being constantly scanned for, targeted, exploited and re-exploited by hacker groups, some of them state-sponsored.
Exploits for some of these 25 vulnerabilities are publicly available and have been used by more than just ordinary hackers, who have incorporated them into their arsenal for ransomware operations or for installing malware.
According to the NSA, most of the vulnerabilities listed below can be exploited first to gain initial access to victims' networks, using exploits reachable directly from the Internet, and then serve as gateways into internal networks.
List of vulnerabilities:
1) CVE-2019-11510 – On Pulse Secure VPN servers, an unauthenticated remote attacker can send a specially crafted URI to exploit an arbitrary file read vulnerability. This may lead to exposure of keys or passwords.
2) CVE-2020-5902 – On F5 BIG-IP proxies and load balancers, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, is vulnerable to a Remote Code Execution (RCE) vulnerability that can allow remote attackers to take over the entire BIG-IP device.
3) CVE-2019-19781 – Citrix Application Delivery Controller (ADC) and Gateway systems are vulnerable to a directory traversal bug, which can lead to remote code execution without the attacker having to possess valid credentials for the device. These two issues can be chained to take over Citrix systems.
4+5+6) CVE-2020-8193, CVE-2020-8195, CVE-2020-8196 – Another set of Citrix ADC and Gateway bugs. These ones also impact SDWAN WAN-OP systems as well. The three bugs allow unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.
7) CVE-2019-0708 (aka BlueKeep) – A remote code execution vulnerability exists within Remote Desktop Services on Windows operating systems.
8) CVE-2020-15505 – A remote code execution vulnerability in the MobileIron mobile device management (MDM) software that allows remote attackers to execute arbitrary code and take over remote company servers.
9) CVE-2020-1350 (aka SIGRed) – A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.
10) CVE-2020-1472 (aka Netlogon) – An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).
11) CVE-2019-1040 – A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection.
12) CVE-2018-6789 – Sending a handcrafted message to an Exim mail transfer agent may cause a buffer overflow. This can be used to execute code remotely and take over email servers.
13) CVE-2020-0688 – A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.
14) CVE-2018-4939 – Certain Adobe ColdFusion versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.
15) CVE-2015-4852 – The WLS Security component in Oracle WebLogic Server allows remote attackers to execute arbitrary commands via a crafted serialized Java object.
16) CVE-2020-2555 – A vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware. This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 to compromise Oracle Coherence systems.
17) CVE-2019-3396 – The Widget Connector macro in Atlassian Confluence Server allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
18) CVE-2019-11580 – Attackers who can send requests to an Atlassian Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution.
19) CVE-2020-10189 – Zoho ManageEngine Desktop Central allows remote code execution because of deserialization of untrusted data.
20) CVE-2019-18935 – Progress Telerik UI for ASP.NET AJAX contains a .NET deserialization vulnerability. Exploitation can result in remote code execution.
21) CVE-2020-0601 (aka CurveBall) – A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.
22) CVE-2019-0803 – An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.
23) CVE-2017-6327 – The Symantec Messaging Gateway can encounter a remote code execution issue.
24) CVE-2020-3118 – A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload of an affected device.
25) CVE-2020-8515 – DrayTek Vigor devices allow remote code execution as root (without authentication) via shell metacharacters.
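The practical use of a list like this is to check it against what you actually run. The following is an added example, not code from the article or from the NSA: it parses the 25 entries above into (product, CVE) records, handles the grouped "4+5+6)" entry, and reports which listed CVEs are still outstanding for each asset in a constructed inventory. The CVE identifiers and product names are taken from the list; the asset names, the short product labels and the "patched" sets are made up for the example.

```python
import re
from typing import Dict, List, Tuple

# The 25 CVE ids from the NSA list above, one line per list item, with a short
# product label per entry. The labels are the example's own (a defender would
# use whatever names the asset inventory uses); the CVE ids are from the list.
ADVISORY_TEXT = """\
1) CVE-2019-11510 - Pulse Secure VPN
2) CVE-2020-5902 - F5 BIG-IP
3) CVE-2019-19781 - Citrix ADC and Gateway
4+5+6) CVE-2020-8193, CVE-2020-8195, CVE-2020-8196 - Citrix ADC and Gateway
7) CVE-2019-0708 - Windows Remote Desktop Services
8) CVE-2020-15505 - MobileIron MDM
9) CVE-2020-1350 - Windows DNS Server
10) CVE-2020-1472 - Windows Netlogon
11) CVE-2019-1040 - Windows NTLM
12) CVE-2018-6789 - Exim
13) CVE-2020-0688 - Microsoft Exchange
14) CVE-2018-4939 - Adobe ColdFusion
15) CVE-2015-4852 - Oracle WebLogic Server
16) CVE-2020-2555 - Oracle Coherence
17) CVE-2019-3396 - Atlassian Confluence Server
18) CVE-2019-11580 - Atlassian Crowd
19) CVE-2020-10189 - Zoho ManageEngine Desktop Central
20) CVE-2019-18935 - Progress Telerik UI for ASP.NET AJAX
21) CVE-2020-0601 - Windows CryptoAPI
22) CVE-2019-0803 - Windows Win32k
23) CVE-2017-6327 - Symantec Messaging Gateway
24) CVE-2020-3118 - Cisco IOS XR
25) CVE-2020-8515 - DrayTek Vigor
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")
# "4+5+6)" style grouped numbering is allowed by the [\d+]+ class.
ENTRY_RE = re.compile(r"^\s*[\d+]+\)\s*(?P<cves>.+?)\s+-\s+(?P<product>.+?)\s*$")


def parse_advisory(text: str) -> List[Tuple[str, List[str]]]:
    """Return [(product, [cve, ...]), ...] in list order.

    A grouped entry such as '4+5+6)' yields one record carrying all its CVEs.
    Lines that do not look like a list entry are ignored.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        cves = CVE_RE.findall(m.group("cves"))
        if cves:
            entries.append((m.group("product"), cves))
    return entries


def all_cves(text: str) -> List[str]:
    """Every distinct CVE id in the text, in order of first appearance."""
    seen: List[str] = []
    for cve in CVE_RE.findall(text):
        if cve not in seen:
            seen.append(cve)
    return seen


# Constructed inventory (not from the article): asset name, product label as
# used in ADVISORY_TEXT, and the CVEs already confirmed patched on that asset.
INVENTORY = [
    {"asset": "vpn-edge-01", "product": "Pulse Secure VPN", "patched": {"CVE-2019-11510"}},
    {"asset": "adc-dmz-02", "product": "Citrix ADC and Gateway", "patched": {"CVE-2019-19781"}},
    {"asset": "dc-01", "product": "Windows Netlogon", "patched": set()},
    {"asset": "mail-01", "product": "Exim", "patched": {"CVE-2018-6789"}},
]


def outstanding(inventory, text: str = ADVISORY_TEXT) -> Dict[str, List[str]]:
    """Map each asset to the listed CVEs for its product that are not yet
    recorded as patched. Assets with nothing outstanding are omitted."""
    by_product: Dict[str, List[str]] = {}
    for product, cves in parse_advisory(text):
        by_product.setdefault(product, []).extend(cves)
    result: Dict[str, List[str]] = {}
    for item in inventory:
        missing = [c for c in by_product.get(item["product"], []) if c not in item["patched"]]
        if missing:
            result[item["asset"]] = missing
    return result


if __name__ == "__main__":
    print(f"{len(all_cves(ADVISORY_TEXT))} CVEs in list")
    for asset, cves in outstanding(INVENTORY).items():
        print(f"{asset}: still exposed to {', '.join(cves)}")
```

The product label is the join key, so the value of the check depends on the inventory using the same labels; in practice you would normalise vendor and product names on both sides before matching, and record a patched CVE only after confirming the fixed version is actually deployed.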