Bugs exploited most by Chinese Hackers

The NSA has released a list of the top bugs actively exploited by Chinese hackers. Although patches exist for all of them, the bugs are still being actively exploited.

Let's see the top 25 exploits, from recent to past.

1) CVE-2019-11510 – Pulse Secure VPN servers: an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. This may lead to exposure of keys or passwords.

2) CVE-2020-5902 – F5 BIG-IP proxies and load balancers: the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, is vulnerable to Remote Code Execution (RCE) that can allow remote attackers to take over the entire BIG-IP device.

3-6) CVE-2019-19781, CVE-2020-8193, CVE-2020-8195, CVE-2020-8196 – A set of Citrix ADC and Gateway bugs. These also impact SD-WAN WANOP systems. Anonymous access is possible.

7) CVE-2019-0708 (BlueKeep) – A remote code execution vulnerability exists within Remote Desktop Services on Windows operating systems.

8) CVE-2020-15505 – A remote code execution vulnerability in the MobileIron mobile device management (MDM) software that allows remote attackers to execute arbitrary code and take over remote company servers.

9) CVE-2020-1350 (SIGRed) – A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.

10) CVE-2020-1472 (Netlogon) – An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).

11) CVE-2019-1040 – A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC protection.

12) CVE-2018-6789 – Sending a handcrafted message to an Exim mail transfer agent may cause a buffer overflow. This can be used to execute code remotely and take over email servers.

13) CVE-2020-0688 – A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.

14) CVE-2018-4939 – Certain Adobe ColdFusion versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.

15) CVE-2015-4852 – The WLS Security component in Oracle WebLogic Server allows remote attackers to execute arbitrary commands via a crafted serialized Java object.

16) CVE-2020-2555 – A vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware.

17) CVE-2019-3396 – The Widget Connector macro in Atlassian Confluence Server allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

18) CVE-2019-11580 – Attackers who can send requests to an Atlassian Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution.

19) CVE-2020-10189 – Zoho ManageEngine Desktop Central allows remote code execution because of deserialization of untrusted data.

20) CVE-2019-18935 – Progress Telerik UI for ASP.NET AJAX contains a .NET deserialization vulnerability. Exploitation can result in remote code execution.

21) CVE-2020-0601 (aka CurveBall) – A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it look legitimate.

22) CVE-2019-0803 – An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.

23) CVE-2017-6327 – The Symantec Messaging Gateway can encounter a remote code execution issue.

24) CVE-2020-3118 – A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload of an affected device.

25) CVE-2020-8515 – DrayTek Vigor devices allow remote code execution as root without credentials via shell metacharacters.

CHERI Architecture 💭 Microsoft looks to reduce its patch count

Microsoft has just completed a study of an experimental architecture that it now thinks would have mitigated about two-thirds of the memory-safety vulnerabilities fixed in 2019. 70% of the bugs are memory-safety bugs, which happen when software accesses memory.

The abundance of memory-safety bugs is one reason Microsoft is exploring the Rust programming language as a potential replacement for some Windows components written in C++.

Rewriting old code in another language like Rust is one option. Another option in Microsoft’s “quest to mitigate memory-corruption vulnerabilities” is CHERI or Capability Hardware Enhanced RISC (reduced instruction set computer) Instructions.

CHERI provides memory-protection features against many exploited vulnerabilities, or in other words, an architectural solution that breaks exploits.

The group assessed the “theoretical impact” of CHERI on all the memory-safety vulnerabilities that Microsoft received in 2019 and concluded that it would have “deterministically mitigated” at least two-thirds of all those issues.

Its memory-protection features allow historically memory-unsafe programming languages such as C and C++ to be adapted for protection against widely exploited vulnerabilities.
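
How a capability turns an overflow into a deterministic fault, as an added example that is not taken from Microsoft's study or the CHERI project: a software model in C of a CHERI-style capability, a pointer that carries its own bounds, permissions and validity tag. The names (cap_t, cap_restrict, cap_store, the session struct) are hypothetical, and real CHERI performs these checks in hardware rather than in library code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Software model of a CHERI-style capability (hypothetical names): a pointer
 * carrying bounds, permissions and a validity tag. Real CHERI checks in hardware. */
enum { PERM_LOAD = 1, PERM_STORE = 2 };
enum { CAP_OK = 0, CAP_FAULT_TAG = -1, CAP_FAULT_PERM = -2, CAP_FAULT_BOUNDS = -3 };
typedef struct { uint8_t *base; size_t length; unsigned perms; int tag; } cap_t;

/* Derivation is monotonic: a child may only shrink bounds and drop
 * permissions. Any attempt to widen yields an untagged (unusable) capability. */
cap_t cap_restrict(cap_t p, size_t start, size_t len, unsigned perms) {
    cap_t c = { p.base, 0, 0, 0 };
    if (p.tag && start <= p.length && len <= p.length - start && !(perms & ~p.perms)) {
        c.base += start; c.length = len; c.perms = perms; c.tag = 1;
    }
    return c;
}

/* Checked before any byte is written: an overflow faults, nothing is corrupted. */
int cap_store(cap_t c, size_t off, const void *src, size_t n) {
    if (!c.tag) return CAP_FAULT_TAG;
    if (!(c.perms & PERM_STORE)) return CAP_FAULT_PERM;
    if (off > c.length || n > c.length - off) return CAP_FAULT_BOUNDS;
    memcpy(c.base + off, src, n);
    return CAP_OK;
}

struct session { char name[8]; int is_admin; };  /* constructed sample object */

/* Write 12 bytes through a capability restricted to the 8-byte name field;
 * return the fault code and report the neighbouring flag afterwards. */
int demo_overflow(int *admin_after) {
    struct session s = { "guest", 0 };
    cap_t whole = { (uint8_t *)&s, sizeof s, PERM_LOAD | PERM_STORE, 1 };
    cap_t name = cap_restrict(whole, offsetof(struct session, name),
                              sizeof s.name, PERM_STORE);
    static const char input[12] = "AAAAAAAA\x01\x01\x01";  /* constructed */
    int rc = cap_store(name, 0, input, sizeof input);
    *admin_after = s.is_admin;
    return rc;
}

int main(void) {
    int admin, rc = demo_overflow(&admin);
    printf("store rc=%d, is_admin=%d\n", rc, admin);
    return 0;
}
```

With a plain C pointer the same 12-byte copy would silently overwrite is_admin; here the store is refused and the flag stays 0.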

The CHERI ISA has the potential to save Microsoft a lot of money in delivering security patches in each month's Patch Tuesday update, which regularly exceeds 100 patches a month.

With additional mitigations recommended in its research paper, Microsoft also estimates the CHERI protections could have deterministically mitigated nearly half the vulnerabilities the MSRC addressed through a security update in 2019.