wmahmood
Flexera
Jan 19, 2021
08:45 AM
Summary
422 advisories for 281 unique products from 66 unique vendors were issued from mid-December 2020 to mid-January 2021.
Several Microsoft patches were issued in this month's Patch Tuesday, including a patch for the Microsoft Malware Protection Engine vulnerability that has been linked to the SUNSPOT malware.
Zero-Day Advisories
Microsoft fixed a zero-day in its Patch Tuesday release on January 12th. The advisory itself is rated moderately critical because of its local attack vector; however, it is linked to recent malware and cyber-attacks. The vulnerability is in the Microsoft Malware Protection Engine and can be exploited locally to execute code with elevated privileges. CVE-2021-1647 has a CVSS score of 7.8 and a threat score of 28.
This vulnerability is particularly important because of its link to SUNBURST and SUNSPOT, discussed in the previous post. The affected products are Microsoft Forefront Endpoint Security, Microsoft Malware Protection 1.x, Microsoft Security Essentials 4.x, Microsoft System Center Endpoint Protection and Microsoft Windows Defender.
Call to Action:
Microsoft recommends updating the engine to version 1.1.17700.4. The engine is delivered through the regular definition update channel rather than Windows Update, so verify the installed engine version instead of assuming the Patch Tuesday rollout covered it.
In its security blog, Microsoft explains that another goal of the SUNBURST attack was to steal credentials, escalate privileges and move laterally in order to steal, and even forge, valid SAML authentication tokens. Microsoft tracks the campaign as Solorigate. [1]
At this rate, the security industry will soon run out of interstellar acronyms for vulnerabilities and exploits.
Microsoft Patch Tuesday
January's Microsoft Patch Tuesday had 11 KBs that fix 26 CVEs in 11 different products. [2] Another local privilege escalation vulnerability, CVE-2021-1648, was also fixed; it revises a fix that had shipped in December.
Patch Tuesday had updates for:
Microsoft Windows
Microsoft Edge (EdgeHTML-based)
Microsoft Office and Microsoft Office Services and Web Apps
Microsoft Windows Codecs Library
Visual Studio
SQL Server
Microsoft Malware Protection Engine
.NET Core
.NET Repository
ASP .NET
Azure
The KBs for the different operating systems are listed below: [2]
KB: Affected OS/Software
4598229: Windows 10, Version 1903, Windows Server, Version 1903, Windows 10, Version 1909, Windows Server, Version 1909
4598230: Windows 10, Version 1809, Windows Server 2019
4598242: Windows 10, Version 2004, Windows Server, Version 2004, Windows 10, Version 20H2, Windows Server, Version 20H2
4598275: Windows 8.1, Windows Server 2012 R2 (Security-only update)
4598278: Windows Server 2012 (Monthly Rollup)
4598279: Windows 7, Windows Server 2008 R2 (Monthly Rollup)
4598285: Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
4598287: Windows Server 2008 (Security-only update)
4598288: Windows Server 2008 (Monthly Rollup)
4598289: Windows 7, Windows Server 2008 R2 (Security-only update)
4598297: Windows Server 2012 (Security-only update)
Advisories for different Operating Systems:
The number of Secunia advisories for the various operating systems is as below:
Fedora: 0
Red Hat Enterprise Linux: 27
Debian: 17
Amazon Linux: 24
Ubuntu: 19
SUSE Linux: 33
Oracle Linux: 17
CentOS: 8
Microsoft OS: 5
Advisories by Criticality
For easy consumption by operations teams and management, Secunia advisories are ranked into five simple criticality levels. Secunia Research follows a meticulous process that involves detailed analysis, peer review and a QA process, among other things. Customers can rely on the rating without digging into the finer details of CVSS, impact and attack vector; all of these factors are taken into account during ranking. The process is explained further at this link.
Advisories by Average CVSS Score
A CVSS score is a metric used to measure the severity of a vulnerability. The CVSS v3 specification and scoring criteria are at this link.
CVSS ranges from 0 (lowest) to 10 (highest); the advisories are spread as below:
CVSS 3 Score
Advisories with Low CVSS3 (under 4.0): 18 (4.27%)
Advisories with Mid CVSS3 (4.0 to 6.9): 152 (36.02%)
Advisories with High CVSS3 (7.0 to 10): 252 (59.72%)
Threat Score
The threat score is calculated from an advisory's criticality and its linkage to recent or historical threats: remote trojan horses, ransomware, use in penetration-testing tools, availability in exploit kits, and use in cyber exploits. Each matching rule increases the threat value. A detailed explanation of the threat score calculation is available at this link.
Advisories with positive Threat Score (1+): 256 (60.66%)
None Threat Score SAIDs (=0): 166 (39.34%)
Low-Range Threat Score SAIDs (1-12): 92 (21.80%)
Medium-Range Threat Score SAIDs (13-23): 130 (30.81%)
High-Range Threat Score SAIDs (24-44): 11 ( 2.61%)
Critical-Range Threat Score SAIDs (45-70): 17 ( 4.03%)
Very Critical Threat Score SAIDs (71-99): 6 ( 1.42%)
Ransomware, Malware, and Exploit Kits:
Historically Linked to Ransomware: 10 (2.37%)
Historically Linked to Malware: 59 (13.98%)
Linked to a Recent Cyber Exploit: 60 (14.22%)
Related to a Historical Cyber Exploits: 154 (36.49%)
Included in Penetration Testing Tools: 176 (41.71%)
Conclusion
The effects of the SUNBURST compromise are still being uncovered, and its aftershocks will unfortunately be felt for quite some time. Microsoft has revealed that the access is being used to steal, and even forge, SAML authentication tokens.
A complete list of vulnerabilities, affected software, criticality, threat score, and relevant patch information is available in the Software Vulnerability Research and Software Vulnerability Manager solutions from Flexera. Stay Secure!
References:
[1] https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/#Tracking-the-cross-domain-Solarigate-attack
[2] https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan
Dec 17, 2020
05:06 PM
Summary
From mid-November to mid-December, 396 advisories were issued for 247 unique products.
Two zero-day advisories were issued during this period, including one for the widely discussed SolarWinds compromise, which has eclipsed every other technology news item because of its potential victims and its sophistication.
Zero-Day Advisories
SolarWinds Orion vulnerability, a.k.a. SUNBURST
SolarWinds reported that malicious code was inserted into its Orion Platform through its software supply chain. It affects SolarWinds Orion Platform software and SolarWinds Network Performance Monitor builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. [1]
The trojanised SolarWinds.Orion.Core.BusinessLayer.dll contains a backdoor that can be used to execute arbitrary code. SolarWinds digitally signed the update containing the backdoor, so a valid signature gave users no way of knowing that the update was compromised.
Orion products downloaded, installed, or updated during the relevant period, March to June 2020, contain the inserted backdoor. [2]
The vendor recommends updating to version 2019.4 HF 6 or 2020.2.1 HF 2.
The backdoor is dubbed SUNBURST, and the list of potentially affected customers is staggering. SolarWinds lists the US armed forces, DoD agencies, the UK defence sector, the US Department of the Treasury, the UK NHS, NATO support agencies, and the Office of the US President among its customers.
The impact is severe because Orion is network monitoring software that runs under a highly privileged account and has broad visibility into the network it monitors.
Flexera's Secunia Research has issued zero-day advisory SA99447, available in the SVR, SVM and Data Platform products. Further details are being added as they become available; details and coverage in the different products are available at this link.
Microsoft Edge (Chromium-based):
A Google Chrome zero-day was reported on the 11th of November and covered in our previous post. Because Microsoft Edge is built on the Chromium engine, two vulnerabilities were reported in it as well: one can be exploited to gain system access, and the other has an unknown impact. Microsoft advises updating to 86.0.622.69.
Operating Systems:
The number of Secunia advisories for various Operating systems are as below:
Fedora: 07
Red Hat Enterprise Linux: 10
Debian: 15
Amazon Linux: 19
Ubuntu: 25
SUSE Linux: 53
Oracle Linux: 17
CentOS Advisories: 11
Microsoft OS Advisories: 4
Advisories for Browsers
Microsoft Internet Explorer (version 9 & 11): 1 Advisory.
Microsoft Edge (HTML Based - Legacy): 1 Advisory
Microsoft Edge (Chromium Based): 3 Advisories
Google Chrome: 2 Advisories
Mozilla Firefox: 2 Advisories
Mozilla Thunderbird: 1 Advisory
Microsoft Patch Tuesday
December's Patch Tuesday was a little lighter than November's. On December 8th, the second Tuesday of December, Microsoft issued advisories for the following software:
Microsoft Windows
Microsoft Edge (EdgeHTML-based)
Microsoft Edge for Android
ChakraCore
Microsoft Office and Microsoft Office Services and Web Apps
Microsoft Exchange Server
Azure DevOps
Microsoft Dynamics
Visual Studio
Azure SDK
Azure Sphere
A complete list of all applicable updates for Patch Tuesday is here [3]
Patch Tuesday KBs
A digest of Patch Tuesday is listed here [4]
KB: Affected OS/Software
4592438: Windows 10, version 2004, Windows Server version 2004, Windows 10, version 20H2, Windows Server version 20H2
4592440: Windows 10 Version 1809, Windows Server 2019
4592449: Windows 10, version 1903, Windows Server version 1903, Windows 10, version 1909, Windows Server version 1909
4592468: Windows Server 2012 (Monthly Rollup)
4592471: Windows 7, Windows Server 2008 R2 (Monthly Rollup)
4592484: Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
4592495: Windows 8.1, Windows Server 2012 R2 (Security-only update)
4592497: Windows Server 2012 (Security-only update)
4592498: Windows Server 2008 (Monthly Rollup)
4592503: Windows 7, Windows Server 2008 R2 (Security-only update)
4592504: Windows Server 2008 (Security-only update)
4593226: Windows 10, version 1607, Windows Server 2016
4593465: Exchange Server 2019, Exchange Server 2016
4593466: Exchange Server 2013
4593467: Exchange Server 2010 Service Pack 3
Advisories by Criticality
For easy consumption by operations teams and management, Secunia advisories are ranked into five simple criticality levels. Secunia Research follows a meticulous process that involves detailed analysis, peer review and a QA process, among other things. Customers can rely on the rating without digging into the finer details of CVSS, impact and attack vector; all of these factors are taken into account during ranking. The process is explained further at this link.
Advisories by Average CVSS Score
A CVSS score is a metric used to measure the severity of a vulnerability. The CVSS v3 specification and scoring criteria are at this link.
CVSS ranges from 0 (lowest) to 10 (highest); the advisories are spread as below:
CVSS 3 Score
Advisories with Low CVSS3 (under 4.0): 31 (7.83%)
Advisories with Mid CVSS3 (4.0 to 6.9): 133 (33.59%)
Advisories with High CVSS3 (7.0 to 10): 232 (58.59%)
Threat Score
The threat score is calculated from an advisory's criticality and its linkage to recent or historical threats: remote trojan horses, ransomware, use in penetration-testing tools, availability in exploit kits, and use in cyber exploits. Each matching rule increases the threat value. A detailed explanation of the threat score calculation is available at this link.
Advisories with positive Threat Score (1+): 271 (68.43%)
None Threat Score SAIDs (=0): 125 (31.57%)
Low-Range Threat Score SAIDs (1-12): 124 (31.31%)
Medium-Range Threat Score SAIDs (13-23): 123 (31.06%)
High-Range Threat Score SAIDs (24-44): 16 (4.04%)
Critical-Range Threat Score SAIDs (45-70): 06 ( 1.52%)
Very Critical Threat Score SAIDs (71-99): 2 ( 0.51%)
Ransomware, Malware, and Exploit Kits:
Historically Linked to Ransomware: 05 (1.26%)
Historically Linked to Malware: 46 (11.62%)
Linked to a Recent Cyber Exploit: 116 (29.29%)
Related to a Historical Cyber Exploits: 172 (43.43%)
Included in Penetration Testing Tools: 178 (44.95%)
Conclusion
The method and style of the SolarWinds Orion trojan horse throw a curveball at organizations and security professionals. We preach keeping software patched, but ironically those customers that did not apply the update were better off. Users had no way of knowing that the update contained malware, because it was digitally code-signed by the vendor: a valid signature proves that the vendor's build pipeline produced the file, not that the pipeline itself was trustworthy.
There are many lessons for software vendors, who need to tighten their supply chain and their build and publishing processes. It is too early to call the after-effects and the change in behaviour, but many organizations will have to review their software processes.
Many organizations were also scrambling to check whether they had the affected software installed, which points to the need for an up-to-date software inventory.
A complete list of vulnerabilities, affected software, criticality, threat score, and relevant patch information is available in the Software Vulnerability Research and Software Vulnerability Manager solutions from Flexera. Stay Secure!
References:
[1] https://www.solarwinds.com/securityadvisory
[2] https://www.solarwinds.com/securityadvisory/faq
[3] https://support.microsoft.com/en-us/help/20200908/security-update-deployment-information-september-8-2020
[4] https://msrc.microsoft.com/update-guide/releaseNote/2020-Dec
Nov 16, 2020
09:43 AM
Summary
This review combines the advisories issued in October with those issued up to mid-November. We want to publish the review in the week of Patch Tuesday, as most companies have a patch cycle right after it.
In October, Secunia Research at Flexera issued 550 advisories for 317 different products. Up until the 15th of November, 323 advisories were issued for 186 products.
In October, 3 zero-day advisories were issued, for Google Chrome, Microsoft Edge, and FreeType. Up until mid-November, 4 zero-day advisories were issued.
Zero-Day and Highly Critical Vulnerabilities.
Definition of a zero-day vulnerability: a zero-day is a vulnerability that is being exploited in the wild on or before the day of its public disclosure. The vulnerability may or may not have a patch.
There is much confusion in security communities
Three zero-days in October and 4 zero-days until mid-November. 97 highly critical advisories in October and 66 in November so far.
Google Chrome
Three zero-day advisories in two consecutive months, two of them in the first two weeks of November.
In October, a zero-day vulnerability was reported in version 86.x. Three use-after-free errors, in media, PDFium, and printing, can be exploited to execute arbitrary code. At the time, 86.0.4240.111 was the recommended update. However, another zero-day was reported on November 2nd, and version 86.0.4240.183 became the recommended fix. Yet another zero-day was reported on November 11th in that version.
Call to Action: Upgrade to 86.0.4240.198.
Microsoft Edge Chromium
Multiple vulnerabilities were reported in Chromium, which can be exploited to gain system access.
Call to Action: Update to version: 86.0.622.51
Apple IOS and macOS
A zero-day vulnerability in FontParser can be exploited to execute arbitrary code via a specially crafted font. A vulnerability in FaceTime can be exploited to keep sending video in Group FaceTime calls without the user's knowledge.
Call to Action: Upgrade to version 12.4.9.
A zero-day vulnerability is reported in the macOS kernel, which can be exploited to disclose memory contents.
Call to Action : Update to macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update, Security Update 2020-006 Mojave, or Security Update 2020-006 High Sierra.
Microsoft Windows 7 and Server 2008
Multiple vulnerabilities were reported in Windows 7 and Server 2008 that can be exploited to disclose sensitive information, cause a denial of service, escalate privileges and gain system access.
Call to Action: Install the KB4586827, KB4586805, KB4586807, KB4586817.
Operating Systems:
Secunia advisories for different Operating systems are as below:
Fedora: 39
Red Hat Enterprise Linux: 83
Debian: 21
Amazon Linux: 64
Ubuntu: 62
SUSE Linux: 61
Oracle Linux: 48
CentOS Advisories: 7
Microsoft OS Advisories: 9
Top Vendors with the most Advisories (October till mid-November)
Advisories for Browsers
Microsoft Internet Explorer (version 11): 1 Advisory.
Microsoft Edge (HTML Based - Legacy): 1 Advisory
Microsoft Edge (Chromium Based): 4 Advisories
Google Chrome: 7 Advisories
Mozilla Firefox: 3 Advisories
Mozilla Thunderbird: 2 Advisories
Microsoft Patch Tuesday - October
On October 13th, the second Tuesday of October, Microsoft issued advisories for these software products:
Microsoft Windows
Microsoft Office and Microsoft Office Services and Web Apps
Microsoft JET Database Engine
Azure Functions
Open Source Software
Microsoft Exchange Server
Visual Studio
PowerShellGet
Microsoft .NET Framework
Microsoft Dynamics
Adobe Flash Player
Microsoft Windows Codecs Library
A complete list of all applicable updates for October's Patch Tuesday is here [1]
Patch Tuesday KBs
A digest of Patch Tuesday is listed here [2]
KB Article: Applies To
4577668: Windows 10 Version 1809, Windows Server 2019
4577671: Windows 10, version 1903, Windows Server version 1903, Windows 10, version 1909, Windows Server version 1909
4579311: Windows 10, version 2004
4580327: Windows 10
4580328: Windows 10, version 1709
4580330: Windows 10, version 1803
4580345: Windows 7, Windows Server 2008 R2 (Monthly Rollup)
4580346: Windows 10, version 1607, Windows Server 2016
4580347: Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
4580353: Windows Server 2012 (Security-only update)
4580358: Windows 8.1, Windows Server 2012 R2 (Security-only update)
4580378: Windows Server 2008 Service Pack 2 (Monthly Rollup)
4580382: Windows Server 2012 (Monthly Rollup)
4580385: Windows Server 2008 Service Pack 2 (Security-only update)
4580387: Windows 7, Windows Server 2008 R2 (Security-only update)
4581424: Exchange Server 2019, Exchange Server 2016, Exchange Server 2013
Microsoft Patch Tuesday - November
On November 10th, the second Tuesday of November, Microsoft issued advisories for these software products:
Microsoft Windows
Microsoft Office and Microsoft Office Services and Web Apps
Internet Explorer
Microsoft Edge (EdgeHTML-based)
Microsoft Edge (Chromium-based)
ChakraCore
Microsoft Exchange Server
Microsoft Dynamics
Microsoft Windows Codecs Library
Azure Sphere
Windows Defender
Microsoft Teams
Azure SDK
Azure DevOps
Visual Studio
KB Article: Applies To
4486714: SharePoint Server 2019
4486717: SharePoint Server 2016
4586781: Windows 10, version 2004, Windows Server version 2004, Windows 10, version 20H2, Windows Server version 20H2
4586786: Windows 10, version 1903, Windows Server version 1903, Windows 10, version 1909, Windows Server version 1909
4586793: Windows 10 Version 1809, Windows Server 2019
4586805: Windows 7, Windows Server 2008 R2 (Security-only update)
4586807: Windows Server 2008 (Monthly Rollup)
4586808: Windows Server 2012 (Security-only update)
4586817: Windows Server 2008 (Security-only update)
4586823: Windows 8.1, Windows Server 2012 R2 (Security-only update)
4586827: Windows 7, Windows Server 2008 R2 (Monthly Rollup)
4586830: Windows 10, version 1607, Windows Server 2016
4586834: Windows Server 2012 (Monthly Rollup)
4586845: Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
4588741: Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, Microsoft Exchange Server 2019
Advisories by Average CVSS Score
A CVSS score is a metric used to measure the severity of a vulnerability. The CVSS v3 specification and scoring criteria are at this link.
CVSS ranges from 0 (lowest) to 10 (highest); the advisories are spread as below:
CVSS 3 Score
Advisories with Low CVSS3 (under 4.0): 53 (6.07%)
Advisories with Mid CVSS3 (4.0 to 6.9): 301 (34.48%)
Advisories with High CVSS3 (7.0 to 10): 519 (59.45%)
Threat Score
The threat score is calculated from an advisory's criticality and its linkage to recent or historical threats: remote trojan horses, ransomware, use in penetration-testing tools, availability in exploit kits, and use in cyber exploits. Each matching rule increases the threat value. A detailed explanation of the threat score calculation is available at this link.
Advisories with positive Threat Score (1+): 591 (67.70%)
None Threat Score SAIDs (=0): 282 (32.30%)
Low-Range Threat Score SAIDs (1-12): 150 (17.18%)
Medium-Range Threat Score SAIDs (13-23): 393 (45.02%)
High-Range Threat Score SAIDs (24-44): 33 ( 3.78%)
Critical-Range Threat Score SAIDs (45-70): 5 ( 0.57%)
Very Critical Threat Score SAIDs (71-99): 10 ( 1.15%)
Ransomware, Malware, and Exploit Kits:
Historically Linked to Ransomware: 10 (1.15%)
Historically Linked to Malware: 108 (12.37%)
Linked to a Recent Cyber Exploit: 188 (21.53%)
Related to a Historical Cyber Exploits: 341 (39.06%)
Included in Penetration Testing Tools: 399 (45.70%)
Conclusion
The number of vulnerabilities keeps increasing, so we need to leverage threat intelligence to prioritize the patching effort. Install Patch Tuesday updates as soon as possible after testing them. Zero-day fixes should not wait for the regular cycle; an emergency change request or change window should be introduced for them.
A complete list of vulnerabilities, affected software, criticality, threat score, and relevant patch information is available in the Software Vulnerability Research and Software Vulnerability Manager solutions from Flexera. Stay Secure!
References:
[1] https://support.microsoft.com/en-us/help/20201013/security-update-deployment-information-october-13-2020
[2] https://msrc.microsoft.com/update-guide/releaseNote/2020-Oct
Oct 15, 2020
09:06 AM
Summary
In September, Secunia Research at Flexera issued 514 advisories for 389 unique versions of 289 products from 69 different vendors.
Apache Struts and Microsoft Exchange Server had notable vulnerabilities with high threat scores.
Since we cannot patch everything given the sheer volume of vulnerabilities, remediation efforts should be prioritized from a risk management perspective, and threat intelligence is a crucial parameter in that analysis.
Zero-Day and Highly Critical Vulnerabilities
No zero-day advisories were issued in September.
However, 78 highly critical advisories were issued, 63 of which had a CVSS score between 9 and 10. The majority of these were for Red Hat, SUSE, Microsoft SharePoint, and Exchange.
Apache Struts
Two highly critical vulnerabilities were reported in Apache Struts 2.5.22 and prior versions. CVE-2019-0230 (CVSS 9.8): an error when applying forced OGNL evaluation inside a Struts tag attribute can be exploited to execute arbitrary code via a specially crafted request. CVE-2019-0233 (CVSS 7.5): an error when handling file uploads can be exploited to cause a DoS condition via a specially crafted request. Both vulnerabilities are linked to malware and have been used in recent and historical cyber exploits.
In September, advisories were also released for other software that bundles the Apache Struts framework, namely IBM Sterling File Gateway, IBM Tivoli Netcool/OMNIbus Web GUI, and F5 BIG-IP Application Acceleration Manager (AAM). In the coming months we will probably see other vendors release patches for, or at least acknowledge, these CVEs in their software.
Microsoft Exchange Server
CVE-2020-16875 has a threat score of 82, although Microsoft states that exploitation is unlikely. The patch, KB4577352, was released as part of Patch Tuesday on September 8th; the advisory was then updated on September 17th. It affects Microsoft Exchange Server 2016 and 2019. An error in the way Exchange handles objects in memory can be exploited to corrupt memory and subsequently execute arbitrary code with SYSTEM privileges via a specially crafted email sent to the Exchange server.
Operating Systems
Secunia advisories for different Operating systems are as below:
Fedora: 18
Red Hat Enterprise Linux: 64
Debian: 11
Amazon Linux: 20
Ubuntu: 46
SUSE Linux: 43
Oracle Linux: 15
CentOS Advisories: 3
Microsoft OS Advisories: 4
Top Vendors with the most Advisories
Key Points
Red Hat had the highest number of advisories, 96 in total: 64 for RHEL and 18 for Fedora, with the rest covering the Ansible product line and Red Hat JBoss.
Canonical Ltd. had the second-highest count, with 46 advisories for Ubuntu 12.04, 14.04, 16.04, and 18.04.
IBM ranks third; its most notable vulnerability is in WebSphere. Advisory SA93203, originally issued in January, was updated to add CVE-2020-4578 and revise the solution section.
SUSE is fourth, with most vulnerabilities in SLES versions 11, 12, and 15.
Cisco kept its position at fifth, with most advisories for IOS 12.x, 15.x, IOS XE 3.x.x, and Jabber, among others.
Open-source software is in sixth place, with most vulnerabilities in Django REST, QEMU, OpenSSL, and WordPress.
Microsoft follows with 22 advisories. More details are in the Patch Tuesday section.
Advisories for Browsers
Microsoft Internet Explorer (version 9 & 11): 1 Advisory.
Microsoft Edge (HTML Based - Legacy): 1 Advisory
Microsoft Edge (Chromium Based): 3 Advisories
Google Chrome: 2 Advisories
Mozilla Firefox: 2 Advisories
Mozilla Thunderbird: 1 Advisory
Microsoft Patch Tuesday
On September 8th – Second Tuesday of September, Microsoft issued advisories for these software:
Microsoft Windows
Microsoft Edge (Edge HTML-based)
Microsoft Edge (Chromium-based)
Microsoft Chakra Core
Internet Explorer
SQL Server
Microsoft JET Database Engine
Microsoft Office and Microsoft Office Services and Web Apps
Microsoft Dynamics
Visual Studio
Microsoft Exchange Server
ASP.NET
Microsoft OneDrive
Azure DevOps
A complete list of all applicable updates for September's Patch Tuesday is here [1]
Patch Tuesday KBs
A digest of Patch Tuesday is listed here [2]
KB Article: Applies To
4484488: SharePoint Foundation 2013
4484515: SharePoint Enterprise Server 2013
4486667: SharePoint Foundation 2010
4570333: Windows 10 Version 1809, Windows Server 2019
4571756: Windows 10, version 2004
4574727: Windows 10, version 1903, Windows Server version 1903, Windows 10, version 1909, Windows Server version 1909
4577015: Windows 10, version 1607, Windows Server 2016
4577038: Windows Server 2012 (Monthly Rollup)
4577048: Windows Server 2012 (Security-only update)
4577051: Windows 7, Windows Server 2008 R2 (Monthly Rollup)
4577053: Windows 7, Windows Server 2008 R2 (Security-only update)
4577064: Windows Server 2008 Service Pack 2 (Monthly Rollup)
4577066: Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
4577070: Windows Server 2008 Service Pack 2 (Security-only update)
4577071: Windows 8.1, Windows Server 2012 R2 (Security-only update)
4577352: Exchange Server 2019, Exchange Server 2016
4484505: SharePoint Server 2019
4484506: SharePoint Enterprise Server 2016
4484525: SharePoint Foundation 2013
Advisories by Criticality
For easy consumption by operations teams and management, Secunia advisories are ranked into five simple criticality levels. Secunia Research follows a meticulous process that involves detailed analysis, peer review and a QA process, among other things. Customers can rely on the rating without digging into the finer details of CVSS, impact and attack vector; all of these factors are taken into account during ranking. The process is explained further at this link.
Advisories by Average CVSS Score
A CVSS score is a metric used to measure the severity of a vulnerability. The CVSS v3 specification and scoring criteria are at this link.
CVSS ranges from 0 (lowest) to 10 (highest); the advisories are spread as below:
CVSS 3 Score
Advisories with Low CVSS3 (under 4.0): 35 (8.24%)
Advisories with Mid CVSS3 (4.0 to 6.9): 134 (31.53%)
Advisories with High CVSS3 (7.0 to 10): 256 (60.24%)
Threat Score
The threat score is calculated from an advisory's criticality and its linkage to recent or historical threats: remote trojan horses, ransomware, use in penetration-testing tools, availability in exploit kits, and use in cyber exploits. Each matching rule increases the threat value. A detailed explanation of the threat score calculation is available at this link.
Advisories with positive Threat Score (1+): 346 (67.32%)
None Threat Score SAIDs (=0): 168 (32.68%)
Low-Range Threat Score SAIDs (1-12): 159 (30.93%)
Medium-Range Threat Score SAIDs (13-23): 171 (33.27%)
High-Range Threat Score SAIDs (24-44): 4 ( 0.78%)
Critical-Range Threat Score SAIDs (45-70): 10 ( 1.95%)
Very Critical Threat Score SAIDs (71-99): 2 ( 0.39%)
Ransomware, Malware, and Exploit Kits
Historically Linked to Ransomware: 10 (1.95%)
Historically Linked to Malware: 54 (10.51%)
Linked to a Recent Cyber Exploit: 89 (17.32%)
Related to a Historical Cyber Exploits: 229 (44.55%)
Included in Penetration Testing Tools: 199 (38.72%)
Conclusion
Patch Tuesday updates should be applied as soon as possible after their initial release. Most organizations focus on client and server operating system patches, but we have noticed that many critical patches are released for software such as Exchange, Office, and SharePoint.
Once a vulnerability in a common framework is discovered, the software that uses or redistributes that framework also issues patches for its own versions. However, that process can take time, leaving the dependent software exposed while an exploit or proof of concept for the underlying vulnerability is usually already available.
Threat score is an essential parameter in risk analysis, yet most organizations ignore risk management and choose to patch a predefined set of software, which is a dangerous approach. We will discuss remediation from a risk management perspective in the next post.
A complete list of vulnerabilities, affected software, criticality, threat score, and relevant patch information is available in the Software Vulnerability Research and Software Vulnerability Manager solutions from Flexera. Stay Secure!
References:
[1] https://support.microsoft.com/en-us/help/20200908/security-update-deployment-information-september-8-2020
[2] https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Sep
Sep 15, 2020
08:59 AM
Summary
In August, 425 advisories were issued for 354 unique versions of 258 products from 70 different vendors.
Two zero-day vulnerabilities were reported by Microsoft, including one that had been known to the company for more than a year and a half.
Microsoft's August Patch Tuesday and vulnerabilities in other third-party vendors and products are covered in this month's post.
Zero-Day
Two zero-day advisories were issued, for Microsoft Windows and for Internet Explorer 9 and 11.
CVE-2020-1464 is dubbed the "Windows Spoofing" vulnerability. Microsoft Windows uses code-signing certificates to verify a file's integrity and its publisher. A flaw in the verification keeps the signature valid even after arbitrary content is appended to the end of a signed Windows installer (.msi), because what is signed is the installer's internal structure rather than the whole file. This is particularly dangerous with .jar files: Java locates a JAR's contents through the ZIP central directory at the end of the file, so if an attacker appends a malicious JAR to a signed MSI, Windows still reports a valid signature while Java executes the appended archive. Simply double-clicking the file can result in successful exploitation. [1]
Security researchers informed Microsoft roughly a year and a half earlier, but at the time it decided not to patch the vulnerability. The fix shipped in August's Patch Tuesday.
CVE-2020-1380 was also fixed in August's Patch Tuesday. The vulnerability is in Internet Explorer 9 and 11: a use-after-free bug in the JavaScript engine's just-in-time compiler. Reportedly, it can be exploited by merely visiting a specially crafted website. Refer to SA97055 for more details.
Call to Action
Deploy patches offered in Microsoft August’s Patch Tuesday release.
Operating Systems:
Secunia advisories for different Operating systems are as below:
Fedora: 28
Red Hat Enterprise Linux: 11
Debian: 16
Amazon Linux: 10
Ubuntu: 29
SUSE Linux: 47
Oracle Linux: 15
CentOS Advisories: 6
Microsoft OS Advisories (Including one Zero-day): 4
Top Vendors with the most Advisories
Key Points
IBM topped the list with 59 advisories across its various products, such as WebSphere, Tivoli, and its financial software.
Red Hat has the second-highest number of advisories because we treat RHEL and Fedora under the same vendor.
48 advisories for SUSE, 47 of them for SLES 11, 12, and 15.
Canonical Ltd. ranked fourth with advisories for Ubuntu 12.04, 14.04, 16.04, and 18.04.
Cisco is fifth, with most of its advisories for its 9000 and 300 Series switches and 6000 Series routers, and one for the widely used WebEx.
Microsoft is in sixth place with 22 advisories. More details are in the Patch Tuesday section.
Advisories for Browsers
Microsoft Internet Explorer (version 9 & 11): 2 Advisories
Microsoft Edge (HTML Based - Legacy): 1 Advisory
Microsoft Edge (Chromium Based): 3 Advisories
Google Chrome: 3 Advisories
Mozilla Firefox: 3 Advisories
Mozilla Thunderbird: 2 Advisories
Microsoft Patch Tuesday
Microsoft issues security patches for its products on the second Tuesday of every month, known as Patch Tuesday. On 11th August, the second Tuesday of August, Microsoft issued advisories for the following software:
Microsoft Windows
Microsoft Edge (EdgeHTML-based)
Microsoft Edge (Chromium-based)
Microsoft ChakraCore
Internet Explorer
Microsoft Scripting Engine
SQL Server
Microsoft JET Database Engine
.NET Framework
ASP.NET Core
Microsoft Office and Microsoft Office Services and Web Apps
Microsoft Windows Codecs Library
Microsoft Dynamics
A complete list of all applicable updates for August’s Patch Tuesday is here
Patch Tuesday KBs
4 Secunia Advisories cover updates for each OS pair.
KB Article | Applies To |
---|---|
4565349 | Windows 10 Version 1809, Windows Server 2019 |
4566782 | Windows 10, version 2004 |
4571694 | Windows 10, version 1607, Windows Server 2016 |
4571702 | Windows Server 2012 (Security-only update) |
4571703 | Windows 8.1, Windows Server 2012 R2 (Monthly Rollup) |
4571719 | Windows 7, Windows Server 2008 R2 (Security-only update) |
4571723 | Windows 8.1, Windows Server 2012 R2 (Security-only update) |
4571729 | Windows 7, Windows Server 2008 R2 (Monthly Rollup) |
4571730 | Windows Server 2008 Service Pack 2 (Monthly Rollup) |
4571736 | Windows Server 2012 (Monthly Rollup) |
4571746 | Windows Server 2008 Service Pack 2 (Security-only update) |
Advisories by Criticality
For easy understanding by operations teams and management, Secunia Advisories are ranked into 5 simple criticalities. Secunia Research follows a meticulous process involving detailed analysis, peer review, and QA, among other things. Our customers can depend on the intelligence without delving into the finer details of CVSS, impact, and attack vector; all of these factors are considered during the ranking process. Further explained at this link.
Advisories by Attack Vector.
65% of vulnerabilities can be exploited from remote, which makes the remediation efforts even more critical.
Advisories by Average CVSS Score
A CVSS score is a metric used to measure the severity of a vulnerability. CVSS v3 specifications and the criteria details are at this link.
CVSS ranges from 0 to 10, 0 being the lowest and 10 the highest score; the advisory spread is as below:
CVSS 3 Score
Advisories with Low CVSS3 under 4.0: 35 (8.24%)
Advisories with Mid CVSS3 range 4-7: 134 (31.53%)
Advisories with High CVSS3 range 7-10: 256 (60.24%)
Advisories by Solution
Threat Score
Like many other things in life, not every vulnerability is created equal. For the ease of our customers, we provide a threat score as an add-on that helps in decision making and prioritization. The higher the score, the bigger the risk!
The threat score is calculated from the advisory's criticality and its linkage to recent or historical threats: remote-access trojans, ransomware, inclusion in penetration-testing tools, availability in an exploit kit, and use in cyber exploits. Each matching rule increases the threat value. A detailed explanation of the Threat Score calculation is available at this link.
Advisories with positive Threat Score (1+): 278 (65.41%)
None Threat Score SAIDs (=0): 147 (34.59%)
Low-Range Threat Score SAIDs (1-12): 119 (28.00%)
Medium-Range Threat Score SAIDs (13-23): 142 (33.41%)
High-Range Threat Score SAIDs (24-44): 12 (2.82%)
Critical-Range Threat Score SAIDs (45-70): 5 (1.18%)
Very Critical Threat Score SAIDs (71-99): 0 (0.00%)
Ransomware, Malware, and Exploit Kits:
Statistics clearly show that software vulnerabilities have a direct relationship with malware, cyber exploits, and notorious ransomware. Remediating these vulnerabilities reduces exposure to these threats. Security is a multi-pronged approach; one size fits all, or one tool to rule them all, is not enough. Just as a network needs multiple layers of protection, we need to remediate known vulnerabilities alongside a reputable anti-malware system.
Historically Linked to Ransomware: 05 (1.18%)
Historically Linked to Malware: 63 (14.82%)
Linked to a Recent Cyber Exploit: 70 (16.47%)
Related to a Historical Cyber Exploits: 193 (36.24%)
Included in Penetration Testing Tools: 275 (40.80%)
Conclusion
More than 60% of vulnerabilities can be exploited from remote. 92% of advisories have a vendor patch, while only 5% have either no fix or only an upgrade option available.
Most malware relies on vulnerabilities in everyday software. Patching minimizes the risk and exposure. In a Microsoft Windows environment, always deploy Patch Tuesday and any out-of-band security updates. Don't ignore third-party software: more than 86% of vulnerabilities are found in software other than Microsoft's.
A complete list of vulnerabilities, affected software, criticality, threat score, and relevant patch information is available in the Software Vulnerability Research and Software Vulnerability Manager solutions from Flexera.
References:
[1] https://blog.virustotal.com/2019/01/distribution-of-malicious-jar-appended.html
Aug 26, 2020 10:46 AM
Hello Milisav,
I have moved your post from the Software Vulnerability Manager Forum to Flexnet Manager forum due to its relevancy.
Regards,
Waqas
Aug 24, 2020 10:13 AM
Hello Waqas,
Artur or one of our support engineers can help you reset your two-factor authentication if you can send us your username and company details. You can either create a case via the portal or send an email to support@flexera.com stating your company name and username. We would also have to verify your identity, so please send us the email from your official email address.
Best Regards,
Waqas Mahmood
Aug 10, 2020 06:11 PM
Summary
In July, Secunia Research issued 674 advisories for 83 unique vendors covering 361 products and 475 unique versions, and issued 97 rejection-notice advisories. This is a 34.5% increase in advisories from the previous month.
A zero-day vulnerability was reported in Cisco ASA firewall and FTD products.
Oracle overtook Red Hat as the top vendor with the most vulnerabilities.
The volume of browser vulnerabilities and their patches is the Achilles' heel of effective patch management.
Zero-Day
A vulnerability was reported in the web services interface that provides remote access to Cisco ASA (Adaptive Security Appliance), a network firewall, and to Cisco Firepower Threat Defense (FTD). An attacker can send a specially crafted HTTP request that traverses the server's file system, and can also establish an SSL VPN or AnyConnect VPN session to the device by impersonating another user. The cause is a lack of proper input validation. There are reports of a publicly available exploit being used in targeted attacks.
Cisco ASA 9.6 through 9.14 are affected. Secunia Research has issued SA96432, which has further details.
Call to Action
Cisco ASA releases earlier than 9.6 should be migrated to the latest supported software, 9.6.4.42 or above.
Versions 9.6 through 9.14 need to be updated to the latest releases as described here.
Cisco FTD 6.2.2 through 6.6.0 are affected and should be updated to the latest fixed releases as listed at the above link.
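The crafted requests described for the Cisco zero-day are path-traversal attempts, and they leave traces in web, proxy, or appliance logs. The Python below is an added example of a generic detector for that request class; it is not Flexera's or Cisco's code and is not tied to the specific Cisco exploit. It parses a few constructed access-log lines (invented for this example, in a common/combined-style format that is an assumption), repeatedly URL-decodes each request target so that double-encoded dot-dot segments (%252e%252e) are unmasked, normalises backslashes, and flags any path or query value that climbs above the web root.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (invented for this example; hosts and paths
# are placeholders, not taken from any real device).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jul/2020:10:01:02 +0000] "GET /vpn/login.html HTTP/1.1" 200 5120
10.0.0.5 - - [23/Jul/2020:10:01:05 +0000] "GET /static/css/style.css HTTP/1.1" 200 880
198.51.100.9 - - [23/Jul/2020:10:02:11 +0000] "GET /static/../../etc/passwd HTTP/1.1" 200 1024
198.51.100.9 - - [23/Jul/2020:10:02:13 +0000] "GET /static/%252e%252e/%252e%252e/config HTTP/1.1" 200 2048
198.51.100.9 - - [23/Jul/2020:10:02:20 +0000] "GET /download?file=..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 512
"""

# source, ident, user, [timestamp], "METHOD target [protocol]", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def fully_decode(s: str, max_rounds: int = 5) -> str:
    """URL-decode until stable so %252e%252e (double-encoded '..') is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def escapes_root(path: str) -> bool:
    """Walk the segments with a depth counter; any '..' that takes the depth
    below zero means the request climbed above the document root."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def is_traversal(target: str) -> bool:
    """True if the request path, or any query value, escapes the web root."""
    decoded = fully_decode(target).replace("\\", "/")
    path, _, query = decoded.partition("?")
    if escapes_root(path):
        return True
    # Traversal smuggled through a parameter value (e.g. ?file=../../x)
    return any(escapes_root(v) for v in re.split(r"[&=]", query) if v)


def suspicious_requests(log_text: str) -> list:
    """(source, target, status) for each logged request that looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append((m["src"], m["target"], m["status"]))
    return hits


if __name__ == "__main__":
    for src, target, status in suspicious_requests(SAMPLE_LOG):
        print(f"{src} -> {target} (HTTP {status})")
```

A 200 status on a flagged request is the line to chase first: a traversal attempt that the device answered successfully is evidence of exposure, not just of scanning. The depth counter deliberately does not use a path-normalising library call, because those typically collapse a leading ".." at the root and would hide exactly the case that matters.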
Operating Systems:
SUSE Linux = 58
Amazon Linux = 49
Ubuntu = 37
Fedora = 35
Oracle Linux = 34
Red Hat Enterprise Linux = 28
CentOS Advisories = 7
Microsoft OS Advisories = 7
Top Vendors with the most Advisories
Key Points
Oracle has taken over Red Hat as a top vendor with staggering 72 advisories.
Microsoft moved down to 10th place with 24 advisories, 7 of them for its primary OSes, including a highly critical advisory, SA96100, affecting Windows 10 and Server 2019. Out-of-band patches were issued for Microsoft Edge (Chromium).
Linux/Unix-based operating systems are, as usual, among the software with the most vulnerabilities.
Advisories for Browsers
Microsoft Internet Explorer 9 & 11: 1 Advisory - Apply the Microsoft update as listed on the official site
Microsoft Edge (HTML Based - Legacy): 1 Advisory - Update to the latest version as mentioned in the above link
Microsoft Edge (Chromium Based): 2 Advisories - Upgrade to 84.0.522.49
Google Chrome: 2 Advisories - Upgrade to 84.0.4147.125
Mozilla Firefox: 6 Advisories - Update to version 68.11
Mozilla Thunderbird: 3 Advisories - Update to 68.11
Advisories by Criticality
Secunia Advisory criticalities are further explained at this link.
Advisories by Attack Vector.
65% of vulnerabilities can be exploited from remote, which makes the remediation efforts even more critical.
Advisories by Average CVSS Score
A CVSS score is a metric used to measure the severity of a vulnerability. The CVSS v3 specification and criteria details can be found at this link.
CVSS ranges from 0 to 10, 0 being the lowest and 10 the highest score; the advisory spread is as below:
CVSS 3 Score
Advisories with Low CVSS3 under 4.0: 39 (5.79%)
Advisories with Mid CVSS3 range 4-7: 231 (34.27%)
Advisories with High CVSS3 range 7-10: 404 (59.94%)
Advisories by Solution
Threat Score
Threat Intelligence is an add-on to Software Vulnerability Research and Software Vulnerability Manager. Each advisory gets a score from 0 to 100 depending on its severity, exploit availability, inclusion in penetration-testing tools, and the likelihood of being exploited. A detailed explanation of the Threat Score calculation is available at this link.
Advisories with positive Threat Score (1+): 405 (60.09%)
None Threat Score SAIDs (=0): 269 (39.91%)
Low-Range Threat Score SAIDs (1-12): 189 (28.04%)
Medium-Range Threat Score SAIDs (13-23): 169 (25.07%)
High-Range Threat Score SAIDs (24-44): 17 (2.52%)
Critical-Range Threat Score SAIDs (45-70): 14 (2.08%)
Very Critical Threat Score SAIDs (71-99): 16 (2.37%)
Ransomware, Malware, and Exploit Kits:
Historically Linked to Ransomware: 10 (1.48%)
Historically Linked to Malware: 79 (11.72%)
Linked to a Recent Cyber Exploit: 86 (12.76%)
Related to a Historical Cyber Exploits: 255 (37.83%)
Included in Penetration Testing Tools: 275 (40.80%)
Conclusion
The number of reported vulnerabilities is on the rise. Linux/Unix-based OSes are the most affected. Browser patches are released 3 to 6 times a month, which makes patching quite tricky, especially for Google Chrome and Mozilla Firefox. Zero-days must be prioritized, as the likelihood of an attack is very high.
A complete list of vulnerabilities affected versions, criticality, threat score, and relevant patch information are available in the Software Vulnerability Research and Software Vulnerability Manager solutions from Flexera.
Jul 17, 2020 10:48 AM
Summary
501 advisories were issued for 82 unique vendors covering 354 products and 453 unique versions, along with 111 rejected advisories: an 11% increase in the total number of advisories from the previous month.
Details of Secunia advisories are explained in this article.
Browsers
Three advisories were issued for Google Chrome. All were highly critical, carried threat scores, and their exploits were linked to cyber attacks and historically included in penetration-testing tools.
Two advisories were issued for Mozilla Firefox and one for Internet Explorer.
Call to Action
Keep your browsers updated due to exposure.
Secunia Advisory criticalities are further explained at this link
CVSS v3 is the industry standard to define the severity of the vulnerabilities, its exploitability, impact metrics, and environmental metrics.
The criteria for Threat Score calculation are outlined at this link.
Ransomware, Malware, and Exploit Kits:
When browsing a malicious page, a race condition in the SharedWorkerService could occur and lead to a potentially exploitable crash. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
Historically Linked to Ransomware: 9 (1.80%)
Historically Linked to Malware: 78 (15.57%)
Linked to a Recent Cyber Exploit: 43 (8.58%)
Related to a Historical Cyber Exploits: 240 (47.90%)
Included in Penetration Testing Tools: 216 (43.11%)
Conclusion
The number of advisories increased this month, but 111 advisories were also rejected, which is 18% of the total. Secunia Research adds value by helping customers focus on high-priority vulnerabilities and assets.
Jun 14, 2020 07:04 PM
Summary
Secunia Research issued 448 advisories for 80 unique vendors covering 253 products and 336 unique versions, and issued 76 rejected advisories: a 28% decrease in the total number of advisories from the previous month.
The number of browser updates is increasing; there were no zero-day advisories in May.
Secunia advisories combine vulnerabilities for the same product for easy consumption and decision making. 76 advisories were rejected so that security teams can focus on the correct priorities.
Browsers
The frequency of browser advisories and updates grows each month, and they usually need multiple update cycles.
Two highly critical advisories were issued for Google Chrome and two for Mozilla Firefox.
One advisory each for Microsoft Internet Explorer 11.x and 9.x and for Mozilla Thunderbird.
Call to Action
Keep your browsers updated due to exposure.
Update Mozilla Firefox 75.x and 68.x ESR.
Update Google Chrome to the latest version.
Install the updates for Internet Explorer 11.x and 9.x that were shipped with Patch Tuesday.
Operating Systems:
21 advisories for Red Hat Enterprise Linux 6,7,8 and 44 advisories for Fedora 30 and 31.
26 advisories for Ubuntu 14.04, 16.04 and 18.04
45 advisories for SUSE Linux Enterprise Linux Server (SLE) version 11 through 15
12 advisories for Oracle Linux 6 and 7.
20 advisories for Debian 10.x and GNU/Linux 9.x.
12 advisories for CentOS 6.x and 7.x.
18 advisories for Amazon Linux AMI and 2.
4 advisories for Microsoft client and server operating systems, one for each Microsoft OS pair.
Advisories by Vendors
Advisories by Criticality
Secunia Advisory criticalities are further explained at this link.
Count of Advisories versus Attack Vector.
A large proportion of vulnerabilities (68%) can be exploited from remote – usually the case.
Advisories by CVSS Score
CVSS v3 is the industry standard to define the severity of the vulnerabilities, its exploitability, impact metrics, and environmental metrics.
Advisories by Solution Status
Threat Score
The criteria for Threat Score calculation are outlined at this link.
Ransomware, Malware, and Exploit Kits:
5 instances of Kinsing, Loncom, and Mandrake linked to CVE-2020-6819 and CVE-2020-6820 in Mozilla Firefox, Firefox ESR, Thunderbird, and SeaMonkey. Amazon Linux, Fedora, and CentOS have shipped updates for this software.
CVE-2020-1048 can be exploited by the Stuxnet malware. The vulnerability results in elevation of privilege in the Windows Print Spooler service on Microsoft Windows Server 2019, 2016, 2012, and 2008, and on Windows 7, 8.1, and 10.
Historically Linked to Ransomware: 7 (1.12%)
Historically Linked to Malware: 50 (8.03%)
Linked to a Recent Cyber Exploit: 44 (7.06%)
Related to a Historical Cyber Exploits: 189 (30.34%)
Included in Penetration Testing Tools: 186 (29.86%)
Conclusion
The number of advisories decreased from the last month. However, the frequency of operating systems and browser patches is increasing.
A complete list of vulnerabilities affected versions, criticality, threat score, and relevant patch information are available in the Software Vulnerability Research and Software Vulnerability Manager solutions from Flexera.
May 19, 2020 03:45 AM
Hello,
Thanks for raising the case with our support team. We request our customers to contact our support department directly for credential-related issues, as we have to verify the customer's identity and share the details privately.
I believe your issue was resolved by one of my colleagues.
Best Regards,
Waqas Mahmood
May 14, 2020 10:14 AM
Hi,
You can send us the log file by creating a support case via the community or email us at support@flexera.com.
The command cisa.exe -c -v -v -v > debug.log
Thanks.
May 03, 2020 04:12 PM
Summary
623 advisories were issued for 91 unique vendors covering 406 products and 512 unique versions, along with 107 rejected advisories: a 40% increase in advisories from the previous month.
Zero-day vulnerabilities were reported in Mozilla Firefox, and 3 extremely critical advisories were issued for Microsoft operating systems.
Red Hat kept its position as the top vendor with the most vulnerabilities, and Microsoft also held its 6th position.
Kinsing and Loncom are the most prevalent malware, mainly affecting open-source operating systems and Mozilla Firefox.
Zero-Day
Two zero-day vulnerabilities, CVE-2020-6819 and CVE-2020-6820, were reported in Mozilla Firefox 68.x and 74.x. They are linked to malware and cyber exploits and are used in penetration-testing tools.
Three extremely critical advisories were issued, one for each set of Microsoft operating systems, as part of Patch Tuesday. All had a positive threat score, which means they were linked to malware and cyber exploits.
Call to Action
Update Mozilla Firefox 74.x to 74.0.1 and 68.x to 68.6.1.
Deploy Patch Tuesday updates as soon as they are released, particularly April's; these patches shouldn't wait for the regular patch cycle.
Operating Systems:
125 advisories for Red Hat Enterprise Linux 7,8, and Fedora 30 and 31.
30 advisories for Ubuntu 14.04, 16.04 and 18.04
49 advisories for SUSE Linux Enterprise Linux Server (SLE) version 11 through 15
39 advisories for Oracle Linux 6 and 7 and two advisories for Oracle Solaris.
21 advisories for Debian 10.x and GNU/Linux 9.x.
10 advisories for CentOS 6.x.
11 advisories for Amazon Linux AMI and 2.
1 advisory for each of the Microsoft Client and Server Operating systems.
Advisories by Vendors
Key Points
Operating systems are always among the products with the most vulnerabilities.
Microsoft had 26 advisories. Out-of-band patches were issued for Microsoft Edge and Office 2019/O365.
Among non-operating-system products, networking products had the most vulnerabilities, including those from F5 Networks, Juniper Networks, and Cisco.
Call to Action
Install the relevant patches for operating systems.
Now that everyone is using remote connectivity tools, make sure to update the Cisco WebEx Meetings desktop app and Recording Player applications.
Network equipment shouldn't be ignored, as it is the first line of defense against external attacks.
Update F5 BIG-IP Access Policy Manager (APM).
Update Juniper Junos OS 12.x, 14.x, 15.x, 18.x, and 19.x.
Update Cisco 5500 Series Wireless Controllers and IP Phone 8800 and 7800 Series.
Average Criticality per Vendor
With 5 being the highest criticality, the graph below shows the average criticality per vendor, sorted by number of advisories.
Advisories by Criticality
Secunia Advisory criticalities are further explained at this link.
If we remove Rejected advisories, then the criticality spread looks like as shown below.
Count of Advisories versus Attack Vector.
65% of vulnerabilities can be exploited from remote, which makes the remediation efforts even more critical.
Advisories by Average CVSS Score
A CVSS score is a metric that is used to measure the severity of a vulnerability. CVSS3 specifications and the criteria details can be found at this link.
CVSS 3 Score
Advisories with Low CVSS3 under 4.0: 24 (3.85%)
Advisories with Mid CVSS3 range 4-7: 228 (36.60%)
Advisories with High CVSS3 range 7-10: 371 (59.55%)
Here we rank the Vendors and average of CVSS scores for the vulnerabilities reported in their relevant advisories.
Advisories by Solution
Threat Score
The criteria for Threat Score calculation is outlined at this link.
Advisories with positive Threat Score (1+): 397 (63.72%)
None Threat Score SAIDs (=0): 226 (36.28%)
Low-Range Threat Score SAIDs (1-12): 204 (32.74%)
Medium-Range Threat Score SAIDs (13-23): 164 (26.32%)
High-Range Threat Score SAIDs (24-44): 22 (3.53%)
Critical-Range Threat Score SAIDs (45-70): 7 (1.12%)
Very Critical Threat Score SAIDs (71-99): 0 (0.00%)
Ransomware, Malware, and Exploit Kits
17 instances of Kinsing and Loncom linked to CVE-2020-6819 in Oracle Linux, Red Hat Linux, SUSE, CentOS, Fedora, Mozilla Firefox, and Thunderbird.
4 instances of SafeStrip (fake antivirus), Snatch ransomware, Mdrop, and Xhelper (adware) in CentOS, Oracle Linux, and Red Hat, linked to CVE-2019-17666.
Historically Linked to Ransomware: 6 (0.96%)
Historically Linked to Malware: 59 (9.47%)
Linked to a Recent Cyber Exploit: 111 (17.82%)
Related to a Historical Cyber Exploits: 267 (42.86%)
Included in Penetration Testing Tools: 212 (34.03%)
Conclusion
The number of advisories is steadily increasing month over month: a 67% increase since February 2020. Zero-day and extremely critical vulnerabilities should be patched on an emergency basis and shouldn't wait for the regular patch cycle.
A complete list of vulnerabilities affected versions, criticality, threat score, and relevant patch information are available in the Software Vulnerability Research and Software Vulnerability Manager solutions from Flexera.
May 03, 2020 12:32 PM
Summary
447 advisories were issued for 67 unique vendors covering 286 products and 344 unique versions, along with 133 rejected advisories.
A zero-day vulnerability in Trend Micro Worry-Free Business Security was reported on March 17th.
Red Hat was the top vendor, with the most vulnerabilities in Red Hat Enterprise Linux and the Fedora Project.
20 advisories for Microsoft products placed it 6th among the top vendors.
Linux-based operating systems were once again among the operating systems with the most advisories.
Zero-Day
A zero-day vulnerability was reported in Trend Micro Worry-Free Business Security 9.x. The patch for this vulnerability was available on the day of its public disclosure.
An extremely critical advisory was issued for Microsoft Windows operating systems: vulnerabilities in the Adobe Type Manager Library can be exploited from remote, resulting in arbitrary code execution.
Call to Action
Update Trend Micro Worry-Free Business Security to version 9.5 B1525.
Deploy the Microsoft updates for Windows 7, 8.1, and 10, and for Server 2008, 2012, and 2016.
Key Points
Apart from IBM, the top-10 list of vendors with the most vulnerabilities consisted of operating-system vendors.
Microsoft had 20 advisories and slipped back to 6th position. Out-of-band patches were issued for Microsoft Edge on Feb 7th and 26th.
Call to Action
Make sure to install the relevant patches from Red Hat, Ubuntu, IBM, SUSE, and yum update repositories.
Follow not only Patch Tuesday but also install Microsoft's out-of-band patches. The extremely critical advisory was issued on 23rd March, outside the regular Patch Tuesday.
With 5 being the highest criticality, the graph below shows the average criticality per vendor, sorted by number of advisories.
Secunia Research at Flexera categorizes the severity of vulnerabilities into five criticalities, ranging from Extremely Critical to Not Critical, which helps executives, system administrators, and non-security staff quickly understand the gravity of an issue:
1. Extremely Critical, 2. Highly Critical, 3. Moderately Critical, 4. Less Critical, 5. Not Critical
Count of Advisories versus Attack Vector.
The majority of vulnerabilities, 65%, can be exploited from remote.
1. Remote, 2. Local Network, 3. Local System
Advisories by Average CVSS Score
CVSS is an industry standard used to rank the severity of a vulnerability; CVSS v3 is the current version.
CVSS 3 Score
Advisories with Low CVSS3 under 4.0: 26 (5.82%)
Advisories with Mid CVSS3 range 4-7: 149 (33.33%)
Advisories w/ High CVSS3 range 7-10: 272 (54.70%)
Here we rank the Vendors and average of CVSS scores for the vulnerabilities reported in their relevant advisories.
Advisories by Solution
87% of vulnerabilities had a vendor patch available; only 3.2% had no fix, and the same proportion had a vendor-suggested workaround.
Threat Score
A detailed threat score helps security professionals to make the right decision when faced with multiple vulnerabilities at the same time.
Advisories with positive Threat Score (1+): 315 (70.47%)
None Threat Score SAIDs (=0): 132 (29.53%)
Low-Range Threat Score SAIDs (1-12): 223 (49.89%)
Medium-Range Threat Score SAIDs (13-23): 84 (18.79%)
High-Range Threat Score SAIDs (24-44): 0 (0.00%)
Critical-Range Threat Score SAIDs (45-70): 7 (1.57%)
Very Critical Threat Score SAIDs (71-99): 1 (0.22%)
Ransomware, Malware, and Exploit Kits:
4 instances of MyKing Botnet with CVE-2019-12418 in Ubuntu, Gentoo, and Debian, SUSE, Red Hat JBoss.
Historically Linked to Ransomware: 6 (1.34%)
Historically Linked to Malware: 45 (10.07%)
Linked to a Recent Cyber Exploit: 49 (10.96%)
Related to a Historical Cyber Exploits: 251 (56.15%)
Included in Penetration Testing Tools: 185 (41.39%)
Conclusion
There was a 20% increase in advisories in March compared to February. Relying on Patch Tuesday alone to update Microsoft operating systems and products is not enough: an extremely critical advisory was issued out of band for all Microsoft operating systems.
A comprehensive information system is required to prioritize remediation based on the actual risk and exploit vector. A complete list of vulnerabilities, affected versions, criticality, threat score, and relevant patch information is available in the Software Vulnerability Research and Software Vulnerability Manager solutions from Flexera.
Mar 08, 2020 03:52 PM
Summary:
373 advisories were issued for 62 unique vendors covering 310 products and 390 unique versions, along with 84 rejected advisories. Secunia Research helps security teams cut through the clutter in the noisy vulnerability space.
A zero-day vulnerability in Google Chrome was reported on February 24th.
IBM was the top vendor, with the most vulnerabilities in Tivoli, WebSphere, DB2, and Java, among others.
Microsoft slipped back within the top-10 vendors with the most advisories.
Linux-based operating systems were once again among the operating systems with the most advisories.
7 instances of the Trident exploit targeting vulnerabilities in Remote Desktop on Microsoft operating systems.
Zero-Day
There are many misconceptions about the definition of a zero-day in the security industry. The most widely accepted definition, and the one used by Secunia Research, is "a vulnerability that is being actively exploited on or before the day of its public disclosure." A patch may or may not exist on the day of disclosure.
A zero-day vulnerability in Google Chrome was disclosed on February 24th, three days after another Chrome patch. The patch for this vulnerability was available on the day of its public disclosure.
Call to Action
The patch for the zero-day is 80.0.3987.122, but another advisory for Google Chrome has followed since, so the latest patch version for Google Chrome is 80.0.3987.132 (at the time of publication).
Operating Systems:
28 advisories affecting Red Hat Enterprise Linux 6,7,8
32 advisories for Ubuntu 12.04, 14.04, 16.04 and 18.04
33 advisories for SUSE Linux Enterprise Linux Server (SLE) version 11 through 15
20 advisories for Oracle Linux 6 and 7 and one advisory for Oracle Solaris.
17 advisories for Debian 10.x and GNU/Linux 9.x.
16 advisories for CentOS 6.x and 7.x
12 advisories for Amazon Linux AMI and 2.
1 advisory for each of the Microsoft Client and Server Operating systems.
Advisories by Vendors
Key Points
Almost all of the Linux/Unix-based operating systems had advisories.
Microsoft had 17 advisories and slipped back to 8th position. Out-of-band patches were issued for Microsoft Edge on Feb 7th and 26th.
IBM and Cisco are the only vendors in the top 10 whose advisories do not affect operating systems.
Call to Action
Make sure to install the relevant patches from Linux vendors, Ubuntu, IBM, SUSE, and yum update repositories.
Follow not only Patch Tuesday but also install the out-of-band patches for Microsoft products and browsers. The advisories for Microsoft Edge were highly critical and had a positive threat score.
Average Criticality per Vendor
With 5 being the highest criticality, the graph below shows the average criticality per vendor, sorted by number of advisories.
Advisories by Criticality
Secunia Research at Flexera categorizes the severity of vulnerabilities into five criticalities, ranging from Extremely Critical to Not Critical, which helps executives, system administrators, and non-security staff quickly understand the gravity of an issue.
If we remove rejected advisories, the criticality spread looks as shown below.
1. Extremely Critical, 2. Highly Critical, 3. Moderately Critical, 4. Less Critical, 5. Not Critical
Count of Advisories versus Attack Vector.
57.9% of vulnerabilities can be exploited from remote, which makes the remediation effort even more critical.
1. Remote, 2. Local Network, 3. Local System
Advisories by Average CVSS Score
A CVSS score is a metric used to measure the severity of a vulnerability. It takes into account the attack vector, the complexity of the exploit, whether user interaction is required, and the impact if it is successfully exploited.
CVSS v3 provides insight into the level of severity and criticality. It includes the base score metrics, a temporal score, and an environmental score. Some parameters are constant and provided by Secunia Research, but others can be adjusted according to each organization's needs and the sensitivity of the affected asset.
CVSS 3 Score
Advisories with Low CVSS3 under 4.0: 11 (2.86%)
Advisories with Mid CVSS3 range 4-7: 152 (39.48%)
Advisories w/ High CVSS3 range 7-10: 222 (57.66%)
Here we rank the Vendors and average of CVSS scores for the vulnerabilities reported in their relevant advisories.
Advisories by Solution
87% of vulnerabilities had a vendor patch available; only 3.2% had no fix, and the same proportion had a vendor-suggested workaround.
Threat Score
Security teams have competing priorities, so patching or remediating everything is not possible. CSOs/CISOs have to make informed decisions to prioritize vulnerabilities, and their limited resources, based on risk. A detailed threat score helps security professionals make the right decision when faced with multiple vulnerabilities at the same time.
Advisories with positive Threat Score (1+): 188 (50.40%)
None Threat Score Advisories (=0): 185 (49.60%)
Low-Range Threat Score Advisories (1-12): 156 (41.82%)
Medium-Range Threat Score Advisories (13-23): 23 (6.17%)
High-Range Threat Score Advisories (24-44): 7 (1.88%)
Critical-Range Threat Score Advisories (45-70): 1 (0.27%)
Very Critical Threat Score Advisories (71-99): 1 (0.27%)
Ransomware, Malware, and Exploit Kits:
5 instances of the Fallout exploit kit linked to CVE-2019-11135 in Oracle Linux, Red Hat Linux, SUSE, and CentOS.
4 instances of the Trident exploit in the Remote Desktop component of Microsoft Windows operating systems exploiting CVE-2020-0655, and 3 occurrences for CVE-2020-0660.
3 instances of MyKings botnet malware that can exploit CVE-2019-12418 in Avaya Call Management System, Oracle Solaris, and McAfee Web Gateway.
3 instances of the Mdrop trojan horse affecting the Red Hat and Oracle Linux kernel (CVE-2019-17666).
1 instance of Satan malware exploiting CVE-2018-20843, affecting IBM Security SiteProtector 3.x.
1 instance of WCry ransomware exploiting CVE-2020-0618 in Microsoft SQL Server 2012, 2014, and 2018.
Historically Linked to Ransomware: 1 (1.04%)
Historically Linked to Malware: 23 (6.17%)
Linked to a Recent Cyber Exploit: 46 (12.33%)
Related to Historical Cyber Exploits: 162 (43.43%)
Included in Penetration Testing Tools: 63 (16.89%)
Conclusion
Install operating system patches promptly, whether the system is Linux/Unix-based or a Microsoft operating system. Browsers are the most widely deployed software and the most exposed to malicious content, so they should be kept up to date, and their remediation should not wait for a monthly patch cycle. Deploy updates, upgrades, and patches as soon as they are available wherever they are required.
A comprehensive information system is required to prioritize remediation based on actual risk and exploit vector. A complete list of vulnerabilities, affected versions, criticality, threat scores, and relevant patch information is available in the Software Vulnerability Research and Software Vulnerability Manager solutions from Flexera.
Posted as Monthly Vulnerability Review - Mid January 2021 on the Software Vulnerability Management Blog, Jan 19, 2021 08:45 AM.