Well, we made it through the first month of 2021! (Hopefully without any scratches or bruises 😅). As stewards of the lush and vast landscape of security vulnerabilities, we felt obliged to share with you the top trending CVEs of the past month. So, without further ado, The Top Trending CVEs of January 2021:
1. CVE-2020-29583
Vulnerability Impact
This CVE is a high severity vulnerability that affects Zyxel firewalls and AP controllers. A hardcoded credential vulnerability was identified in the user account of Zyfwp in some firewalls and AP controllers.
The account was created to send automatic firmware updates to the connected access points through FTP. Some patches are available for these vulnerabilities on the website of the vendor.
Business Unit Impact
- May lead to compromise of firewalls and AP controllers in the network.
- May allow for persistence because of new user creation.
- This account can be used by someone to login into the SSH server or web interface with admin privileges.
Techniques and Procedures
The vulnerabilities have identifying information of CVE-2020-29583. CVE-2020-29583 affects Zyxel firewalls version V4.60 and its AP controllers running firmware versions V6.00 through V6.10.
CVE-2020-29583 is caused as a result of an undocumented account (zyfwp) with a fixed password. This account password can be found in clear text located in the firmware. Some attackers can use this account to login to the web interface or ssh server with admin privileges.
Recommendations for CVE-2020-29583
- Zyxel has released a patch for the hardcoded credential vulnerability of firewalls and AP controllers.
- Audit logs must be evaluated to know if vulnerable devices were accessed through the hardcoded account.
- Security experts are advised to install the applicable firmware updates for the best protection.
Visit the Vicarius Research Center for more information on CVEs and how to remediate them. You can also try a 30-day free trial of our TOPIA solution.
Prefer to listen instead? We got you covered 😏
2. CVE-2021-1647
Microsoft released an update to plug more than eighty security holes in its Windows operating system and other software. Ten of the flaws give Microsoft a critical rating, which means criminals can exploit them to gain control of unpatched systems with little or no interaction from Windows users.
Microsoft’s monthly security patches include an essential patch for Microsoft’s Defender antivirus that was exploited before the patch was released. Cyber criminals exploit this vulnerability to gain privileges to execute malicious code on vulnerable devices where Defender is installed.
Details of CVE-2021-1647
- Low or no privileges are required for attack success.
- This vulnerability has been exploited in the wild.
- There is a critical impact on the availability, integrity, and confidentiality of exploited systems.
- User interaction is not required.
Mitigation Guide
- Microsoft reports proof of concept (POC) exploit code is available and will possibly be further developed and refined.
- Impacted versions of Windows include Windows 7 to Windows Server 2016.
- Details of exploitation are scarce while Microsoft’s guidance also indicates exploitation.
With the availability of a new patch, Microsoft has released patches for all the affected operating systems. Cybersecurity experts should assess and rate patching for critical systems. While the attack vector is local because it is file-based, Microsoft Exchange and other public services must be patched first because they have the most exposure to exploitation.
Visit the Vicarius Research Center for more information on CVEs and how to remediate them.
Prefer to listen instead? We got you covered 😏
3. CVE-2020-28052
This vulnerability grants privilege to a remote attacker to brute-force password hashes.
The vulnerability arises from a comparison error in OpenBSDBCrypt.checkPassword() function in core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java when matching passwords and hashes together.
A remote cyber attacker can pass incorrect passwords that the library grants as legal, bypass authentication procedures, and gain illicit access to the application that exploits a vulnerable version of Bouncy Castle.
In some cases where Bcrypt.doCheckPassword() is used to check a password, positive exploitation will cause an authentication bypass.
Exploitation
An attacker must brute-force password attempts until the bypass is activated. Many passwords can be bypassed from multiple attempts. Some password hashes may take more attempts; this is determined by the number of bytes that are between 0 and 60. All password hashes can be bypassed with sufficient attempts. In some cases, password hashes can be bypassed with little effort.
Affected Software
- Bouncy Castle 1.65 (released 3/31/2020) and Bouncy Castle 1.66 (released 7/4/2020) are affected by CVE-2020-28052.
- Bouncy Castle 1.67 (released 11/1/2020) fixes this vulnerability. The versions that are before 1.65 are not affected by CVE-2020-28052.
Impact
Bcrypt hashing-based authentication can be used for verification checks in APIs and web applications.
Bcrypt hashing is used to check user passwords. When the authentication bypass is activated, cyber attackers may perform the same operations as an authorized user. This includes gaining administrator-level access to a sign-on system.
Visit the Vicarius Research Center for more information on CVEs and how to remediate them.
Prefer to listen instead? We got you covered 😏
Photo by camilo jimenez on Unsplash
