
Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)

February 17, 2021 by Daniel Brecht

Introduction

China is considered a world leader in cybercrime. It is amongst “the most hacker-active countries” in terms of the intensity of outgoing attack traffic, “often making headlines for its state-sponsored cyberattacks and espionage operations.” A former prominent Chinese hacker, interviewed by The New York Times, once revealed that the government not only promotes hacking but also actively employs skilled IT professionals and programmers for secret projects and missions.

The U.S. National Security Agency released a new cybersecurity advisory warning that Chinese-linked hacking groups are exploiting 25 known vulnerabilities to compromise systems as part of cyberespionage campaigns. This information is critical for network defenders, who are called on to take appropriate action and prioritize efforts to secure their devices against these threats by patching and other mitigations, says NSA Cybersecurity Director Anne Neuberger.

Most of the vulnerabilities the NSA reports are publicly known but, if left unaddressed, can grant easy access to internal networks. Many of those in the long but non-exhaustive list below can be exploited by Chinese hackers to gain initial access to victim networks through products that are directly exposed to the internet and act as gateways to internal networks.

The 25 CVEs

Short for Common Vulnerabilities and Exposures, CVEs are disclosed computer security flaws. CVE Records contain an identification number, a description and at least one public reference for known cybersecurity vulnerabilities.

CVE-2019-11510

Affected product: Pulse Connect Secure® (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1 and 9.0 before 9.0R3.4.

Description: In Pulse Secure VPNs, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file disclosure. The consequence is a possible exposure of passwords.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 10.0 Critical.

Mitigation: Apply the available patches to prevent further unauthorized disclosure of users’ credentials. NSA also stresses the importance of using SSLVPN/TLSVPN protocols that are compliant with CNSS policy.

Notes: It has been in the National Vulnerability Database since May 2019 and is currently awaiting a reanalysis.

 

CVE-2020-5902

Affected product: F5 BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1 and 11.6.1-11.6.5.1.

Description: The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. This allows malicious hackers or other users to execute system commands remotely.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 9.8 Critical.

Mitigation: Install the latest software version. NSA also advises disabling the external interface from which the TMUI is accessible, as per the guidance in Harden Network Devices CSI (U/OO/171339-16), and creating an out-of-band management network, as per CSI (U/OO/169570-20).

Notes: It has been in the National Vulnerability Database since July 2020 and is currently awaiting a reanalysis.

 

CVE-2019-19781

Affected product: Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12, and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO and 5100-WO versions before 10.2.6b and 11.0.3b.

Description: The Citrix® Application Delivery Controller (ADC) and Gateway allow directory traversal, which can let a remote user without credentials write a file to disk and execute code.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 9.8 Critical.

Mitigation: Guidance is available, including CSI Detect and Prevent Web Shell Malware U/OO/134094-20 and CSA Mitigate CVE-2019-19781 U/OO/103100-20.

Notes: It has been in the National Vulnerability Database since December 2019 and is currently awaiting reanalysis.

 

CVE-2020-8193

Affected product: Citrix ADC and Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18, ADC FIPS versions before 12.1-55.179 and SD-WAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7.

Description: Improper access control and input validation in Citrix® ADC, Citrix® Gateway and Citrix® SDWAN WAN-OP allow a user to bypass authorization and access information. An attacker can send a request to the NSIP address (the IP address dedicated to the management interface) and gain access to the device without going through the administrator login process.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 6.5 Medium.

Mitigation: Guidance is available in CSI Detect and Prevent Web Shell Malware U/OO/134094-20.

Notes: It has been in the National Vulnerability Database since July 2020 and is currently awaiting reanalysis.

 

CVE-2020-8195

Affected product: Citrix ADC and Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18, ADC FIPS versions before 12.1-55.179 and SD-WAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7.

Description: Improper access control and input validation in Citrix® ADC, Citrix® Gateway and Citrix® SDWAN WAN-OP can lead to unauthorized information disclosure, including of configuration files, when an attacker sends a specially crafted HTTP request that bypasses the authorization mechanisms of the management interface.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 6.5 Medium.

Mitigation: Guidance is available in CSI Detect and Prevent Web Shell Malware U/OO/134094-20.

Notes: It has been in the National Vulnerability Database since July 2020 and is currently awaiting reanalysis.

 

CVE-2020-8196

Affected product: Citrix ADC and Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18, ADC FIPS versions before 12.1-55.179 and SD-WAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7.

Description: Improper access control and input validation in Citrix® ADC, Citrix® Gateway and Citrix® SDWAN WAN-OP can lead to unauthorized information disclosure, including of configuration files, when an attacker sends a specially crafted HTTP request that bypasses the authorization mechanisms of the management interface.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 4.3 Medium.

Mitigation: Guidance is available in CSI Detect and Prevent Web Shell Malware U/OO/134094-20.

Notes: It has been in the National Vulnerability Database since July 2020 and is currently awaiting reanalysis.

 

CVE-2019-0708

Affected product: Microsoft Windows® XP – 7, Microsoft Windows Server® 2003-2008.

Description: This is a remote code execution vulnerability in Remote Desktop Services. An unauthenticated attacker connects to Remote Desktop Services using the Remote Desktop Protocol (RDP) and sends specially crafted requests that allow arbitrary code execution, data compromise and the creation of fraudulent user accounts.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 9.8 Critical.

Mitigation: Apply available patches as soon as possible. Guidance is available in CSA Patch Remote Desktop Services on Legacy Versions of Windows U/OO/152674-19 and ORN Outdated Software and Protocols Continue to Result in Endpoint and Network Compromise U/OO/802041-16.

Microsoft also advises users to disable Remote Desktop Services if they are not required. Additional actions can include blocking TCP port 3389 (used by the Remote Desktop Protocol) on firewalls exposed to the internet. It is also advisable to enable Network Level Authentication on Windows 7 and Windows Server 2008, as it requires an attacker to first authenticate to Remote Desktop Services with a valid account on the target system.

Notes: It has been in the National Vulnerability Database since May 2019 and is currently awaiting reanalysis.

 

CVE-2020-15505

Affected product: MobileIron® Core and Connector versions 10.6 and earlier, and Sentry versions 9.8 and earlier.

Description: A remote code execution vulnerability in the MobileIron® mobile device management (MDM) software allows remote attackers to execute arbitrary code on a system.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 9.8 Critical.

Mitigation: Apply available patches. Guidance is also available in CSI Update and Upgrade Software Immediately U/OO/181147-19.

Notes: It has been in the National Vulnerability Database since July 2020 and is currently awaiting reanalysis.

 

CVE-2020-1350

Affected product: Microsoft Windows Server® 2008-2019.

Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 10.0 Critical.

Mitigation: Apply available patches. Guidance is also available in CSA Patch Critical Vulnerability in Windows Servers® using DNS Server Role U/OO/152726-20.

Microsoft advises that, while awaiting patching, a workaround is to configure Windows® DNS servers to limit the size of acceptable DNS message packets over TCP to 65,280 bytes (0xFF00). This change is meant to be reverted once patches are applied.

Notes: It has been in the National Vulnerability Database since July 2020.

 

CVE-2020-1472

Affected product: Microsoft Windows Server® 2008-2019.

Description: This is an elevation of privilege vulnerability that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 10.0 Critical.

Mitigation: Apply available patches. Guidance is also available in Microsoft article KB4557222. Microsoft will release an additional security update in Q1 2021.

Notes: It has been in the National Vulnerability Database since August 2020 and is now awaiting reanalysis.

 

CVE-2019-1040

Affected product: Microsoft Windows® 7-10, Microsoft Windows Server® 2008-2019.

Description: A man-in-the-middle attacker can bypass the NTLM MIC (Message Integrity Check) protection in Windows. It is a tampering vulnerability, as the malicious hacker can modify and downgrade NTLM security features.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 5.9 Medium.

Mitigation: Apply available patches and limit the use of NTLM as much as possible; stop the use of NTLMv1.

Notes: It has been in the National Vulnerability Database since August 2020.

 

CVE-2018-6789

Affected product: Exim before 4.90.1.

Description: An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. Using a handcrafted message, an attacker can execute code remotely.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 9.8 Critical.

Mitigation: Apply available patches.

Notes: It has been in the National Vulnerability Database since February 2020.

CVE-2020-0688

Affected product: Microsoft Exchange Server® 2010 Service Pack 3 Update Rollup 29 and earlier, 2013 Cumulative Update 22 and earlier, 2016 Cumulative Update 13 and earlier and 2019 Cumulative Update 2 and earlier.

Description: When Microsoft Exchange® fails to properly handle objects in memory, an attacker can exploit a validation key remote code execution vulnerability.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 8.8 High.

Mitigation: Apply available patches. Guidance is also available in CSI Detect and Prevent Web Shell Malware U/OO/134094-20.

Notes: It has been in the National Vulnerability Database since February 2020 and is pending reanalysis.

 

CVE-2018-4939

Affected product: Adobe ColdFusion (2016 release) Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions.

Description: Some Adobe ColdFusion versions have an exploitable library loading vulnerability and cross-site scripting vulnerability that can lead to arbitrary code execution and information disclosure.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 9.8 Critical.

Mitigation: Apply available patches.

Notes: It has been in the National Vulnerability Database since May 2018.

 

CVE-2015-4852

Affected product: Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0.

Description: This vulnerability affects Apache Commons and Oracle WebLogic Server. Attackers can execute remote commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is not provided. However, the vulnerability had a score of 7.5 High in CVSS version 2.0.

Mitigation: Apply available patches. Guidance can also be found in CSI Detect and Prevent Web Shell Malware U/OO/134094-20.

Notes: It has been in the National Vulnerability Database since November 2015 and is awaiting reanalysis.

 

CVE-2020-2555

Affected product: Oracle Coherence 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.

Description: This is a vulnerability in the Oracle Coherence product of Oracle Fusion Middleware. It is an easily exploitable remote code execution flaw that allows unauthenticated attackers with network access via T3 to compromise and take over Oracle Coherence.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 9.8 Critical.

Mitigation: Apply available patches. Guidance can also be found in CSI Detect and Prevent Web Shell Malware U/OO/134094-20.

Notes: It has been in the National Vulnerability Database since January 2020 and is awaiting reanalysis.

 

CVE-2019-3396

Affected product: Atlassian Confluence before 6.6.12, 6.7.0 to before 6.12.3, 6.13.0 to before 6.13.3, and 6.14.0 to before 6.14.2.

Description: The Widget Connector macro in Atlassian Confluence® Server allows remote code execution on a Confluence® Server or Data Center instance via server-side template injection.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 9.8 Critical.

Mitigation: Apply available patches. Guidance can also be found in CSA Patch Critical Vulnerability in Atlassian Confluence and CSI Detect and Prevent Web Shell Malware U/OO/134094-20.

Notes: It has been in the National Vulnerability Database since March 2019.

 

CVE-2019-11580

Affected product: Atlassian Crowd from 2.1.0 to before 3.0.5, 3.1.0 to before 3.1.6, 3.2.0 to before 3.2.8, 3.3.0 to before 3.3.5 and 3.4.0 to before 3.4.4.

Description: Through this vulnerability, attackers can install arbitrary plugins and perform remote code execution.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 9.8 Critical.

Mitigation: Apply available patches. Guidance can also be found in CSI Detect and Prevent Web Shell Malware U/OO/134094-20.

Notes: It has been in the National Vulnerability Database since June 2019 and is awaiting reanalysis.

 

CVE-2020-10189

Affected product: Zoho ManageEngine Desktop Central before 10.0.479.

Description: This vulnerability allows remote code execution because of the deserialization of untrusted data.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 9.8 Critical.

Mitigation: Apply available patches. Guidance can also be found in CSI Detect and Prevent Web Shell Malware U/OO/134094-20.

Notes: It has been in the National Vulnerability Database since March 2020 and is awaiting reanalysis.

 

CVE-2019-18935

Affected product: Progress Telerik UI for ASP.NET AJAX through 2019.3.1023.

Description: This .NET deserialization vulnerability can allow remote code execution.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 9.8 Critical.

Mitigation: Apply available patches. Guidance can also be found in CSI Detect and Prevent Web Shell Malware U/OO/134094-20. Also, “as of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.”

Notes: It has been in the National Vulnerability Database since December 2019 and is awaiting reanalysis.

 

CVE-2020-0601

Affected product: Microsoft Windows® 10, Server® 2016-2019.

Description: This spoofing vulnerability can be exploited by attackers through a spoofed code-signing certificate, which could make a malicious executable appear to be legitimately signed.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 8.01 High.

Mitigation: Apply available patches. Guidance can also be found in CSA Patch Critical Cryptographic Vulnerability in Microsoft Windows® Clients and Servers U/OO/104201-20. It is also always possible to inspect a suspicious certificate with the Windows certificate utility or the OpenSSL® utility.

Notes: It has been in the National Vulnerability Database since January 2020 and is awaiting reanalysis.
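The certificate check that the mitigation above mentions can be scripted. As an added example (not the article's, the NSA's or Microsoft's code), the Python below walks the DER structure of an X.509 certificate down to its SubjectPublicKeyInfo and reports whether an EC public key names its curve by OID or ships explicit curve parameters; the latter is the shape of certificate that CVE-2020-0601 concerns and that a defender would want to review rather than trust. The two sample certificates at the end are constructed inline (unsigned skeletons with placeholder names, key and signature) purely to exercise the parser; the OIDs are the standard RFC 5480 identifiers.

```python
import base64

# Added example, not code from the article, the NSA advisory or any vendor: a minimal DER walker
# that finds a certificate's SubjectPublicKeyInfo and reports how an EC key's curve is specified.
# CVE-2020-0601 concerns EC keys carrying explicit curve parameters instead of a named curve.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"      # id-ecPublicKey (RFC 5480)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split a constructed element's body into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def load_der(data):
    """Accept PEM or DER bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    return data


def spki_from_cert(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo, following RFC 5280 field order."""
    _, cert_body, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert_body, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    return fields[5][1]   # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo


def ec_parameter_kind(spki_body):
    """Return 'not-ec', 'named:<oid>', 'explicit' (ECParameters SEQUENCE) or 'implicit'."""
    alg_fields = _children(_children(spki_body)[0][1])  # AlgorithmIdentifier {algorithm, parameters}
    if decode_oid(alg_fields[0][1]) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if len(alg_fields) < 2 or alg_fields[1][0] == 0x05:
        return "implicit"                               # absent or NULL: not allowed by RFC 5480
    tag, val = alg_fields[1]
    if tag == 0x06:
        return "named:" + decode_oid(val)
    return "explicit" if tag == 0x30 else "unknown"


def is_suspicious(cert_bytes):
    """True for any EC key that does not identify its curve by OID."""
    kind = ec_parameter_kind(spki_from_cert(load_der(cert_bytes)))
    return not (kind == "not-ec" or kind.startswith("named:"))


# --- constructed sample material: tiny DER encoders and two toy (unsigned) certificates ---
def tlv(tag, body):
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        enc = [a & 0x7F]
        while a >> 7:
            a >>= 7
            enc.insert(0, (a & 0x7F) | 0x80)
        out += bytes(enc)
    return bytes(out)


def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


def _toy_cert(ec_params):
    """Structurally valid certificate skeleton (placeholder names/signature) around an EC key."""
    empty_name = tlv(0x30, b"")
    sig_alg = tlv(0x30, tlv(0x06, encode_oid("1.2.840.10045.4.3.2")))       # ecdsa-with-SHA256
    validity = tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(0x17, b"300101000000Z"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, encode_oid(ID_EC_PUBLIC_KEY)) + ec_params)
               + tlv(0x03, b"\x00\x04" + b"\x11" * 64))                      # placeholder point
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg
              + empty_name + validity + empty_name + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 9))                 # placeholder signature


NAMED_CURVE_CERT = _toy_cert(tlv(0x06, encode_oid("1.2.840.10045.3.1.7")))   # prime256v1 by OID
EXPLICIT_PARAMS_CERT = _toy_cert(tlv(0x30,                                   # ECParameters SEQUENCE:
    tlv(0x02, b"\x01") + tlv(0x30, tlv(0x06, encode_oid("1.2.840.10045.1.1")) + tlv(0x02, b"\x7f"))  # version, FieldID
    + tlv(0x30, tlv(0x04, b"\x00") + tlv(0x04, b"\x07")) + tlv(0x04, b"\x04\x01\x02")  # Curve {a,b}, base point
    + tlv(0x02, b"\x65")))                                                   # order (all placeholder values)
```

Feed `is_suspicious()` the bytes of a PEM or DER certificate taken from a binary's Authenticode signature or a TLS handshake: a `named:` result is the normal case, while `explicit` or `implicit` warrants a closer look with `openssl x509 -text` or `certutil`. Since RFC 5480 only permits the named-curve form in certificates, flagging everything else produces few false positives.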

 

CVE-2019-0803

Affected product: Microsoft Windows® 7-10, Microsoft Windows Server® 2008-2019.

Description: This elevation of privilege vulnerability stems from improper handling of objects in memory and can be exploited by an attacker who runs a specially crafted application to execute arbitrary code in kernel mode.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 7.8 High.

Mitigation: Apply available patches.

Notes: It has been in the National Vulnerability Database since April 2019 and is awaiting reanalysis.

 

CVE-2017-6327

Affected product: Symantec Messaging Gateway before 10.6.3-267.

Description: This vulnerability might allow remote code execution.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 8.8 High.

Mitigation: Apply available patches and ensure to apply the principle of least privilege.

Notes: It has been in the National Vulnerability Database since August 2017 and is awaiting reanalysis.

 

CVE-2020-3118

Affected product: Cisco IOS XR 5.2.5, 6.5.2, 6.5.3, 6.6.25 and 7.0.1.

Description: This vulnerability in the Cisco Discovery Protocol is due to improper validation of string input from certain fields in Cisco Discovery Protocol messages. An attacker could send a malicious Cisco Discovery Protocol packet to an affected device in the same broadcast domain and execute code remotely with administrator privileges.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 8.8 High.

Mitigation: Apply available patches. It is also possible to disable the discovery protocols.

Notes: It has been in the National Vulnerability Database since February 2020.

 

CVE-2020-8515

Affected product: Vigor2960® 1.3.1_Beta, Vigor3900® 1.4.4_Beta, and Vigor300B® 1.3.3_Beta, 1.4.2.1_Beta and 1.4.4_Beta devices.

Description: DrayTek Vigor® devices allow remote code execution as root (without authentication) via shell metacharacters.

Severity: Common Vulnerability Scoring System (CVSS) version 3.x score is 9.8 Critical.

Mitigation: Apply available patches and make sure to check the Access Control List and the list of Admin users or remote access profiles for fraudulent changes.

Notes: It has been in the National Vulnerability Database since February 2020 and is awaiting reanalysis.

Conclusion

This list of CVEs is by no means comprehensive, but it does show the vulnerabilities most commonly and actively used by Chinese hackers. As we can see, many of these issues were identified, and even patched, months if not years ago. If they are still being exploited, it means that, unfortunately, timely patching still does not get the attention it deserves. Many professionals don’t have the time to keep up with all the security updates that are released daily; take a look at the infographic (printable version) and use this list to identify what should be given priority in the next run of patches.

 

Sources

NSA Warns Chinese State-Sponsored Malicious Cyber Actors Exploiting 25 CVEs, nsa.gov

Vulnerabilities: Full Listing, NVD | NIST

Vulnerability Metrics, NVD

Understanding Vulnerability Scoring: CVSS Explained, Security Boulevard 


Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.

