In our latest update, Avira’s Vulnerability Detection Team takes a look at some of the most critical vulnerabilities of late 2020.
No vulnerability report for 2020 would be complete without touching on what some describe as ‘the largest and most sophisticated attack the world has ever seen.’ But we will also look at some other new and not-so-new vulnerabilities that give attackers root access on Unix-like systems, including macOS, or let them run code on a Windows machine simply by getting Windows Defender to scan a file.
Top 5 vulnerabilities
Our top 5 vulnerability threats for late-2020 make this list based on our assessment of their criticality, coverage, and impact.
This winter, we’ve seen multiple critical and high-risk vulnerabilities disclosed and patched across a wide range of software platforms. Microsoft and Apple patched several remotely exploitable flaws. The disclosure of a supply chain attack on SolarWinds, followed by a series of Orion vulnerabilities fixed at the beginning of 2021, rocked the security teams of enterprises and governments alike, and served as a reminder that legitimately signed software can carry malware.
Overall, we’ve seen both the number of vulnerabilities exploited in the wild and the volume of attacks increase in the first months of 2021.
A series of vulnerabilities disclosed in SolarWinds Orion products
In December 2020, SolarWinds confirmed a sophisticated supply chain attack on its network monitoring software, Orion. The attackers compromised the Orion build process and inserted a backdoor into legitimately signed Orion updates, so that SolarWinds’ own patching and update deployment mechanism delivered the malware to customers. The incident impacted many companies and government agencies, and a significant volume of research has since been published on the Sunburst backdoor.
A few days after FireEye published their alert on Sunburst, researchers at GuidePoint identified an unrelated malware named ‘SuperNova.’ SuperNova is an in-memory .NET web shell used for reconnaissance and lateral movement, and deploying it relied on a zero-day vulnerability in the Orion Platform web interface. That vulnerability has since been assigned CVE-2020-10148: an authentication bypass that lets remote attackers execute API commands without valid credentials.
The bypass works by manipulating the URI of a request to the Orion API. Including specific parameters in the path-info portion of the endpoint path causes the backend to set a skip-authorization flag, so the API request is processed without requiring valid authentication. Combined with the ability to drop a web shell, this is what turns the bypass into a remote code execution scenario on the Orion server.
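For defenders looking back through web server logs, the practical check is whether any request path carried the markers that triggered the authorization skip. The script below is an added example, not code from Avira or SolarWinds: it scans IIS W3C log lines for the path-info markers published for CVE-2020-10148 in CERT/CC vulnerability note VU#843464 (WebResource.adx, ScriptResource.adx, i18n.ashx, Skipi18n). The log lines, field order, hostnames and IP addresses are constructed for the example; the field order is assumed to be the IIS default.

```python
import re
from urllib.parse import unquote

# PathInfo markers that made the Orion web backend skip authorization for
# CVE-2020-10148, as listed in CERT/CC vulnerability note VU#843464.
# Note the ".adx" spelling: ASP.NET's real handlers are WebResource.axd /
# ScriptResource.axd and must not be flagged.
BYPASS_MARKER_RE = re.compile(
    r"webresource\.adx|scriptresource\.adx|i18n\.ashx|skipi18n", re.IGNORECASE
)

# Constructed IIS W3C log lines (not real traffic). Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-12-20 10:01:02 10.0.0.5 GET /Orion/Login.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2020-12-20 10:01:09 10.0.0.5 GET /WebResource.axd d=abc123 443 admin 203.0.113.7 Mozilla/5.0 200
2020-12-20 10:02:15 10.0.0.5 POST /SolarWinds/InformationService/v3/Json/Query/Skipi18n - 443 - 198.51.100.23 python-requests/2.25 200
2020-12-20 10:02:31 10.0.0.5 GET /Orion/Services/Information.asmx/WebResource.adx - 443 - 198.51.100.23 python-requests/2.25 200
2020-12-20 10:03:00 10.0.0.5 POST /SolarWinds/InformationService/v3/Json/Query/%53kipi18n - 443 - 198.51.100.23 curl/7.74 200
"""


def is_bypass_attempt(uri_stem):
    """True if the request path carries one of the authorization-skip markers."""
    # Decode percent-encoding so "%53kipi18n" is seen as "Skipi18n", then keep
    # only the path: the bypass lives in PathInfo, not in the query string.
    path = unquote(uri_stem).split("?", 1)[0]
    return BYPASS_MARKER_RE.search(path) is not None


def parse_iis_line(line):
    """Split one W3C log line into the fields we need; None for comments/short lines."""
    if line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 11:
        return None
    return {"time": f"{f[0]} {f[1]}", "method": f[3], "uri_stem": f[4],
            "query": f[5], "user": f[7], "client_ip": f[8], "status": f[10]}


def find_bypass_requests(lines):
    """Return the parsed records whose request path matches a bypass marker."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec and is_bypass_attempt(rec["uri_stem"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_bypass_requests(SAMPLE_IIS_LOG.splitlines()):
        print(f'{h["time"]} {h["client_ip"]} {h["method"]} {h["uri_stem"]} '
              f'user={h["user"]} status={h["status"]}')
```

Hits with an empty cs-username (`-`) and a 200 status are the ones to triage first: that combination is exactly an unauthenticated API call that the server accepted. Legitimate ASP.NET traffic to `WebResource.axd` and `ScriptResource.axd` is deliberately left alone by the pattern.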
February 2021 saw three newly disclosed vulnerabilities (CVE-2021-25274, CVE-2021-25275, and CVE-2021-25276) published along with their corresponding proof-of-concept code. These vulnerabilities have no link to the SolarWinds supply chain attack, and there are no reports of exploitation in the wild.
The most critical of the three is a deserialization issue that an external attacker can exploit to obtain remote code execution. Because the vulnerable code runs inside a Windows service under the LocalSystem account, a successful exploit yields SYSTEM-level control of the host, which makes the risk considerably greater.
Apple released a fix for multiple high-risk vulnerabilities
Apple’s iOS 14.4 update included security patches for three zero-day vulnerabilities that Apple says may have been actively exploited in the wild. Two of them, CVE-2021-1870 and CVE-2021-1871, are WebKit flaws that allow a remote attacker to achieve arbitrary code execution on the victim’s device. The third, CVE-2021-1782, is a kernel race condition that lets a malicious application elevate its privileges on the system. Chaining the WebKit bugs with the kernel bug gives a complete remote code execution and privilege escalation scenario.
Google patches a Chrome zero-day exploited in the wild
Heap-based buffer overflow in sudo
The discovery of a heap-based buffer overflow in sudo, the privilege-delegation utility shipped with every major Unix-like operating system, shows that not all vulnerabilities are new. The bug was introduced in July 2011 and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1, in their default configuration. It has been assigned CVE-2021-3156.
Successful exploitation allows any unprivileged local user to gain root on the vulnerable host, without needing to be listed in the sudoers file. Multiple proof-of-concept exploits were derived and published following the root cause analysis. Ubuntu, Debian, Fedora, and macOS all appear in the list of affected operating systems.
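The quickest way to tell whether a host is affected is the behavioural test published with the root cause analysis: run `sudoedit -s /` and look at the error. The script below is an added example, not code from Avira or the sudo project: it classifies that output and, as a secondary hint, checks the reported sudo version against the affected ranges. The version check is only a hint because distributions backport the fix without changing the version string; the behavioural result should always win. The `check_local_sudo` helper and its return format are this example’s own.

```python
import re
import subprocess

# Affected ranges for CVE-2021-3156: legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1.
# Versions are compared as (major, minor, patch, p-level).
VULNERABLE_RANGES = (((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1)))


def parse_sudo_version(text):
    """Turn 'Sudo version 1.8.31p2' (or just '1.9.5p1') into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def version_in_vulnerable_range(text):
    """Version-string hint only: distro backports make this unreliable on its own."""
    v = parse_sudo_version(text)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def classify_sudoedit_output(stderr_text):
    """Interpret stderr from `sudoedit -s /`.
    Vulnerable builds reach the buggy argument handling and complain that '/'
    is not a regular file; fixed builds reject -s for sudoedit with a usage error."""
    if "not a regular file" in stderr_text:
        return "vulnerable"
    if stderr_text.lstrip().lower().startswith("usage:"):
        return "patched"
    return "unknown"


def check_local_sudo():
    """Run both checks on this host (helper defined for this example)."""
    try:
        proc = subprocess.run(["sudoedit", "-s", "/"], stdin=subprocess.DEVNULL,
                              capture_output=True, text=True, timeout=10)
        behaviour = classify_sudoedit_output(proc.stderr)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        behaviour = "unknown"  # sudoedit missing, or it hung waiting for input
    try:
        ver = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, timeout=10).stdout
        version_hint = version_in_vulnerable_range(ver)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        version_hint = None
    return {"behaviour": behaviour, "version_in_affected_range": version_hint}


if __name__ == "__main__":
    print(check_local_sudo())
```

A result of `behaviour: vulnerable` is conclusive regardless of the version hint; `patched` with a version inside the affected range is the normal picture on a distribution that backported the fix.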
Privilege escalation vulnerability in Windows Defender
Discovering vulnerabilities in older, popular software was a trend at the end of 2020. In February 2021, CVE-2021-24092 addressed a 12-year-old privilege escalation vulnerability in Windows Defender. The Defender remediation process is responsible for deleting file system and registry resources created by malicious software. When the vulnerable driver is loaded, it creates a log file without checking whether a file of that name already exists, so a low-privileged user who plants a file (or a link) under that name can get it overwritten by the driver’s privileged write.
Additionally, a recent vulnerability assigned CVE-2021-1647 is a remote code execution flaw in the same Microsoft Defender antivirus engine. This one carries increased risk because an external attacker can craft a file that triggers the bug as soon as Microsoft Defender scans it.
Delivered as an email attachment or a drive-by download, such a file needs no user interaction: real-time protection scans it on arrival, and the scan itself triggers the exploit. Even so, the assigned CVSS score is more modest than this non-interactive delivery scenario would suggest.
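The pattern behind this bug, a privileged component creating a file by name without checking whether something already sits there, is worth seeing next to its fix. The example below is added here and is not Defender’s code or anything from Avira: it reproduces the create-or-truncate mistake in user-mode Python, then shows the atomic create-if-absent form (`O_CREAT | O_EXCL`, plus `O_NOFOLLOW` where the platform has it) that refuses to clobber a planted file. The file names, contents and the `demo` harness are constructed for the example.

```python
import errno
import os
import tempfile


def unsafe_write_log(path, data):
    """The mistake: create-or-truncate with no check that `path` is already taken.
    If a low-privileged user pre-created the name (or a link under it), a
    privileged writer silently clobbers whatever the name now points at."""
    with open(path, "w") as f:
        f.write(data)


def safe_write_log(path, data):
    """Create the log only if the name is free. O_CREAT|O_EXCL is atomic: it fails
    with EEXIST if anything already exists there, so there is no check-then-create
    race. O_NOFOLLOW (POSIX only) additionally refuses to follow a planted symlink.
    Returns True if the file was created, False if the name was already taken."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as e:
        if e.errno in (errno.EEXIST, getattr(errno, "ELOOP", None)):
            return False
        raise
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True


def create_twice(path, data):
    """Second attempt at the same name must be refused by the safe writer."""
    return safe_write_log(path, data), safe_write_log(path, data)


def demo():
    """Plant a file where the privileged component will write its log, then compare
    both writers. Returns (unsafe_overwrote, safe_refused, target_intact_after_safe)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "important.cfg")
        with open(target, "w") as f:
            f.write("original contents\n")
        log_path = target  # attacker arranged for the log name to collide with the target
        unsafe_write_log(log_path, "remediation log\n")
        with open(target) as f:
            unsafe_overwrote = f.read() == "remediation log\n"
        with open(target, "w") as f:
            f.write("original contents\n")  # restore before trying the safe writer
        safe_refused = not safe_write_log(log_path, "remediation log\n")
        with open(target) as f:
            target_intact = f.read() == "original contents\n"
        return unsafe_overwrote, safe_refused, target_intact


if __name__ == "__main__":
    print(demo())
```

The same rule applies to any privileged writer, kernel driver or service alike: a separate "does it exist?" check before the create is not enough, because the attacker can plant the file between the check and the open; the exclusivity has to be part of the create call itself.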
Vulnerabilities and exploits are a continuous threat. At Avira’s Vulnerability Detection lab, we constantly monitor exploitation activities and analyze the latest vulnerabilities to provide our customers with the best protection and detection capabilities.