Vulnerability 1: UPDATED Microsoft Exchange Server RCE (9.8 Critical)
Description: Microsoft Exchange Server has a new remote code execution vulnerability (RCE). These RCE’s enable an attacker to gain allow an attacker to execute code on a computer via a file that could be sent via email or delivered by USB and when downloaded can deploy a reverse shell to the attacker from that target computer to execute commands remotely.
In terms of this particular vulnerability, attackers can run post-exploit scripts that unlock further privileges for the attacker. In this case, attackers can run a ‘post-authentication arbitrary file write’ script that could authenticate with the Exchange server and can be used to write a file to ANY path on the server. This could lead to more privileges for the attacker and allow them more access to certain parts of your exchange server.
Likelihood: High – It is very likely that an attack would occur due to the vulnerability being discovered only a few weeks ago. Furthermore, due to extended access, an attacker could gain, through post-exploitation, the likelihood increases even more.
Recommendation: We recommend patching these vulnerabilities immediately for Microsoft Exchange Server 2013/2016/2019. We also recommend implementing web shell mitigation to prevent the use of unauthorized access to wider network assets, steps can be found here: Web Shell Mitigation Steps.
Likelihood: Medium – Although it is likely that an attacker would exploit this vulnerability, due to the security controls and readiness of Google to release and identify patches, there is a medium to low likelihood that your device would get compromised. Furthermore, Google has developed exploit variants for this sort of attack and they’ve already developed a patch.
Recommendation: Due to it being a backend vulnerability, within Google’s chromium platform, our recommendation is to constantly check your chrome browser for any updates, and patch it immediately.
Vulnerability 3: Cisco RV Series Bypass File Upload Vulnerability (7.3 High)
Description: Cisco has a file upload vulnerability. A file upload vulnerability allows an attacker to send a well-crafted HTTP request to a device and, using this HTTP request, can grant unauthenticated access to a remote attacker. The remote attacker can then proceed to upload files to administrator-level directories and below.
Likelihood: Medium – The level of access that an attacker could gain to the target system is extremely high, but the attacker would have had to do extensive reconnaissance about their target to understand how vulnerable the system is and what resources use that system to connect to the internet.
Recommendation: We recommend patching the following RV Series Cisco Routers: 160, 160W, 260, 260P, 260W, 340, 340W, 345, 345P, to the latest version as soon as possible. Furthermore, we also recommend, at least, implementing an ‘inactivity timeout’ for every session, and to maintain session identifier information confidential by e.g not exposing the session identifier in the URL or by setting appropriate flags on the session identifier token, to prevent the attackers from exploiting the improper session management attack vector.