Remote Code Execution Vulnerabilities

Bill Crahen | August 20, 2020

In the security news lately we've been reading about and dealing with some very serious Remote Code Execution (RCE) vulnerabilities. Two of the biggest ones in the past month have affected Microsoft DNS Servers (CVE-2020-1350) and F5 Networks' BIG-IP devices (CVE-2020-5902). So why are these so serious, how do they continue to show up, and what can we do to stop them?

In many cases, such as the two CVEs listed above, RCEs are so serious because they allow an anonymous, unauthenticated bad actor to reach out over the network and compromise the system where the vulnerability exists. Once that system is "owned" it is often easy to take over other systems behind or next to it on the network (known as lateral movement). In the case of the F5 vulnerability there were thousands of BIG-IP devices that could be compromised directly from the Internet, so no firewall or other security control needed to be bypassed first. Microsoft DNS servers are less commonly exposed directly to the Internet, but it still would have been easy enough for a crafty individual (or state actor) to trick a user into browsing to a link that then sends the compromising request to the DNS server.

As we have seen for many years now, the discovery of these vulnerabilities is not going away; in fact we will continue to see them increase as both good and bad actors are out looking for them. The Microsoft DNS vulnerability existed for 17 years until Check Point purposefully went looking and found it. It is therefore a race for software (and now hardware) manufacturers and other security researchers to scour code and improve their detection techniques while the bad actors are doing the same.

So how do we protect ourselves? First, recognize that it is no longer safe to delay patching these known vulnerabilities. You should locate and sign up for security notifications from your software and hardware vendors, government entities, and even Twitter in order to receive alerts as soon as possible. At Envision we maintain an email list dedicated to critical alerts. As soon as we learn of relevant alerts, we summarize the information and share it with customers (reach out if you want to be added). Once you receive an alert, it is important to review your options for both mitigation and patching and do both as quickly as possible. If you have a SIEM in place, identify Indicators of Compromise (IOCs) that can help you determine whether any systems are already compromised, and immediately take those offline for remediation. Another item to consider is upgrading your existing Antivirus/Endpoint Protection to a next-generation Endpoint Detection and Response (EDR) platform that does not rely entirely on signature updates for full protection. Additionally, review your system architectures and identify ways to segment systems to protect management interfaces and slow lateral movement. Stay safe out there and remember Envision is here to help.
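As an added example of the "mitigate while you patch" step above (not code from Envision or the original post), the script below checks whether Microsoft's published registry workaround for CVE-2020-1350 is in place on a Windows DNS server, and can optionally apply it. It assumes the host runs the DNS Server role and that the session is elevated; the registry path and value come from Microsoft's advisory for that CVE.

```powershell
# Added example (not from the original post): verify, and optionally apply,
# Microsoft's registry workaround for CVE-2020-1350 on a Windows DNS server.
# The workaround caps the size of TCP DNS messages the server will accept at
# 0xFF00 bytes; it is a stop-gap until the security update is installed.
# Run from an elevated PowerShell session on the DNS server itself.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Expected  = 0xFF00   # 65280, the value specified in Microsoft's advisory

function Test-DnsRceWorkaround {
    [CmdletBinding()]
    param([switch]$Apply)

    # The check only means something on hosts running the DNS Server role.
    $dnsSvc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    if (-not $dnsSvc) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; DnsRole = $false; Status = 'n/a' }
    }

    # A missing value means the server uses its default (unrestricted) limit.
    $current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $applied = ($null -ne $current) -and ($current -le $Expected)

    if (-not $applied -and $Apply) {
        # Create or overwrite the DWORD, then restart DNS so the new limit takes effect.
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $Expected -Force | Out-Null
        Restart-Service -Name DNS
        $current = $Expected
        $applied = $true
    }

    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        DnsRole = $true
        Current = if ($null -eq $current) { 'not set (default)' } else { '0x{0:X}' -f $current }
        Status  = if ($applied) { 'workaround in place' } else { 'MISSING: patch or apply workaround' }
    }
}

# Report only; add -Apply to set the value and restart the DNS service.
Test-DnsRceWorkaround | Format-List
```

The workaround does not replace the security update; run the report across all DNS servers, then remove the registry value once the patch has been confirmed installed.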

Tags: Malware, Security, Technology