21 October 2020

NSA details the Top 25 vulnerabilities actively exploited by Chinese nation-state hackers


NSA details the Top 25 vulnerabilities actively exploited by Chinese nation-state hackers

The National Security Agency issued a security advisory, detailing the top 25 vulnerabilities that are being consistently targeted or exploited by Chinese hacker groups in attacks against National Security Systems (NSS), the U.S. Defense Industrial Base (DIB), and the Department of Defense (DoD) information networks.

“Many of these vulnerabilities can be used to gain initial access to victim networks by exploiting products that are directly accessible from the Internet. Once a cyber-actor has established a presence on a network from one of these remote exploitation vulnerabilities, they can use other vulnerabilities to further exploit the network from the inside,” the security advisory reads.

All of the listed CVEs are already publicly known and have patches available.

The cyber agency advises organizations to take actions to ensure their systems are protected against vulnerabilities listed below:

  • CVE-2019-11510 - a flaw affects Pulse Secure VPNs, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. This may lead to exposure of keys or passwords.

  • CVE-2020-5902 - in F5 BIG-IP 8 proxy / load balancer devices, the Traffic Management User Interface (TMUI) - also referred to as the Configuration utility - has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

  • CVE-2019-19781 - an issue in Citrix Application Delivery Controller (ADC) and Gateway allows directory traversal, which can lead to remote code execution without credentials.

  • CVE-2020-8193, CVE-2020-8195, CVE-2020-8196 - vulnerabilities affect Citrix ADC and Gateway, as well as SDWAN WAN-OP systems. The three bugs allow unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.

  • CVE-2019-0708 (BlueKeep) - a remote code execution vulnerability exists within Remote Desktop Services 10 when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.

  • CVE-2020-15505 - A remote code execution vulnerability in the MobileIron 13 mobile device management (MDM) software that allows remote attackers to execute arbitrary code via unspecified vectors.

  • CVE-2020-1350 (SIGRed) - a remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.

  • CVE-2020-1472 (Netlogon) - an elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.

  • CVE-2019-1040 - a tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection.

  • CVE-2018-6789 - Sending a handcrafted message to Exim mail transfer agent may cause a buffer overflow. This can be used to execute code remotely.

  • CVE-2020-0688 - a Microsoft Exchange validation key remote code execution vulnerability exists when the software fails to properly handle objects in memory.

  • CVE-2018-4939 - certain Adobe ColdFusion versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.

  • CVE-2015-4852 - the WLS Security component in Oracle WebLogic 15 Server allows remote attackers to execute arbitrary commands via a crafted serialized Java object.

  • CVE-2020-2555 - a vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware. This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 to compromise Oracle Coherence systems.

  • CVE-2019-3396 - the Widget Connector macro in Atlassian Confluence 17 Server allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

  • CVE-2019-11580 - attackers who can send requests to an Atlassian Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution.

  • CVE-2020-10189 - Zoho ManageEngine Desktop Central allows remote code execution because of deserialization of untrusted data.

  • CVE-2019-18935 - Progress Telerik UI for ASP.NET AJAX contains a .NET deserialization vulnerability. Exploitation can result in remote code execution.

  • CVE-2020-0601 (CurveBall) - a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.

  • CVE-2019-0803 - an elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.

  • CVE-2017-6327 - the Symantec Messaging Gateway can encounter a remote code execution issue.

  • CVE-2020-3118 - a vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload an affected device.

  • CVE-2020-8515 - DrayTek Vigor devices allow remote code execution as root (without authentication) via shell metacharacters.

Back to the list

Latest Posts

ShadowSyndicate ransomware group targeting Aiohttp flaw

ShadowSyndicate ransomware group targeting Aiohttp flaw

Organizations are urged to update to Aiohttp v3.9.
18 March 2024
The International Monetary Fund discloses cyberattack affecting 11 email accounts

The International Monetary Fund discloses cyberattack affecting 11 email accounts

The organization did not share any additional details regarding the nature of the attack.
18 March 2024
E-Root Marketplace operator sentenced to 3.5 years in prison

E-Root Marketplace operator sentenced to 3.5 years in prison

It is estimated that over 350,000 compromised credentials were listed for sale on the E-Root Marketplace.
18 March 2024