
SecurityTrails Blog · Sep 11 · SecurityTrails team

Top CVEs exploited in the wild

In previous posts, we’ve explored ways to avoid security issues by hardening DNS servers and by following SSH security best practices. Today, however, we are not going to show you how to protect against attacks. Instead, we will walk through the top 10 most dangerous vulnerabilities exploited in the wild during the current year.

Before we start talking about CVEs, let’s define a few key concepts.

What is a vulnerability?

In the software world, a vulnerability is a programming error or bug that opens an application’s door to internal or external intrusion. It enables attackers to run unauthorized tasks, obtain system information, and access the database, among many other things that would normally never be allowed.

There are many different types of vulnerabilities. Their severity is graded by how much of the application’s data, and of the system running the app, is exposed.

Publicly disclosed vulnerabilities are catalogued and tracked in what we call CVE.

What is CVE?

CVE stands for Common Vulnerabilities and Exposures; in other words, it is a standardized reference identifier for publicly known vulnerabilities, used across popular infosec lists and databases.

Once a software vulnerability is found and reported, a CVE will be issued for that case. It carries a standardized reference name for that specific security issue and includes a description and a publication date.

CVE entries are maintained by MITRE and the US National Vulnerability Database (NVD) of the Department of Homeland Security.

The main goal of the CVE database is to help software and hardware companies share important security data across the world in seconds, enabling involved parties and infosec professionals to access trustworthy reports for each affected product.

One of the best things about CVE is the fact that it is free and publicly available for anyone to download or explore online.

Since its launch in September 1999, the CVE database has grown tremendously, generating some pretty interesting statistics about official CVEs reported to the MITRE organization. A good example is the number of vulnerabilities reported per year. To illustrate, the stats in the following screenshot were crawled from the official NVD feed and published by CVEdetails:

Fig 01. Evolution of reported CVEs since 1999. Courtesy of cvedetails.com
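As an added example (not code from the original post or from SecurityTrails), here is how a defender can filter an NVD-style CVE feed for the highest-scored entries published in a given year, which is how a list like the one below is assembled. The feed records are constructed in the NVD JSON 1.0 layout, and their scores, dates and descriptions are illustrative, not copied from the live feed.

```python
import json
import re
from datetime import datetime

# CVE ID syntax: "CVE-" + 4-digit year + "-" + four or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample feed in the NVD JSON 1.0 layout, abridged to the keys read below.
# Scores, dates and descriptions are illustrative and are not copied from the live feed.
SAMPLE_FEED = json.dumps({"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-2011-3172"}, "description": {"description_data": [{"lang": "en", "value": "pam_modules (constructed)"}]}},
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 10.0}}}, "publishedDate": "2018-06-08T14:29Z"},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2014-5334"}, "description": {"description_data": [{"lang": "en", "value": "blank admin password (constructed)"}]}},
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 10.0}}}, "publishedDate": "2018-01-08T15:29Z"},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2018-0001"}, "description": {"description_data": [{"lang": "en", "value": "medium-severity bug (constructed)"}]}},
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 6.5}}}, "publishedDate": "2018-03-01T10:00Z"},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2017-0002"}, "description": {"description_data": [{"lang": "en", "value": "published in 2017 (constructed)"}]}},
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 10.0}}}, "publishedDate": "2017-12-20T09:00Z"},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2018-0003"}, "description": {"description_data": [{"lang": "en", "value": "awaiting analysis (constructed)"}]}},
     "impact": {}, "publishedDate": "2018-05-05T08:00Z"},
    {"cve": {"CVE_data_meta": {"ID": "CVE-18-4"}, "description": {"description_data": []}},
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 10.0}}}, "publishedDate": "2018-05-05T08:00Z"},
]})

def is_valid_cve_id(cve_id):
    return bool(CVE_ID_RE.match(cve_id))

def parse_feed(raw_json):
    """Return (id, score, published, description) tuples; malformed or unscored items are skipped."""
    records = []
    for item in json.loads(raw_json).get("CVE_Items", []):
        cve_id = item.get("cve", {}).get("CVE_data_meta", {}).get("ID", "")
        score = item.get("impact", {}).get("baseMetricV2", {}).get("cvssV2", {}).get("baseScore")
        published = item.get("publishedDate")
        if not is_valid_cve_id(cve_id) or score is None or published is None:
            continue  # drop rather than guess: bad ID, not yet scored by NVD, or no date
        descs = item["cve"].get("description", {}).get("description_data", [])
        text = next((d["value"] for d in descs if d.get("lang") == "en"), "")
        records.append((cve_id, float(score), datetime.strptime(published, "%Y-%m-%dT%H:%MZ"), text))
    return records

def top_cves(records, year, limit=10):
    """Highest-scored CVEs published in `year`; the ID year can differ (CVE-2011-... published 2018)."""
    in_year = [r for r in records if r[2].year == year]
    return sorted(in_year, key=lambda r: (-r[1], r[2], r[0]))[:limit]
```

Ranking by publication date rather than by the year in the identifier is what puts 2011- and 2014-numbered entries into a 2018 list, as below.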

Top 10 high-score CVEs exploited in 2018

Now, let’s learn about the top ten most dangerous vulnerabilities found in recent CVE reports from the current year:

1. CVE-2011-3172 – Published: 2018-06-08 – Security Score 10

This CVE affects the well-known SUSE Linux Enterprise distribution, in particular its pam_modules package, enabling remote attackers to log in to disabled user accounts. The bug affects all versions prior to SUSE Linux Enterprise 12.0.

2. CVE-2012-2166 – Published: 2018-02-08 – Security Score 10

IBM XIV Storage System 2810-A14 and 2812-A14 devices before level 10.2.4.e-2, and 2810-114 and 2812-114 devices before level 11.1.1, use hardcoded passwords for some user accounts. Remote attackers can exploit this to reach user-protected areas via unspecified vectors.

3. CVE-2014-0593 – Published: 2018-06-08 – Security Score 10

The set_version script, shipped with obs-service-set_version and used as a source validator for the OBS (Open Build Service), had a serious security flaw: in versions prior to 0.5.3-1.1 it did not sanitize input supplied by system users. This allowed attackers to execute code inside the running server.

4. CVE-2014-3205 – Published: 2018-02-23 – Security Score 10

Seagate BlackArmor NAS shipped with a simple hardcoded password, a pretty bad backdoor. Remote attackers could gain access merely by locating the password inside the backupmgt/pre_connect_check.php application file.

5. CVE-2014-3206 – Published: 2018-02-23 – Security Score 10

Following CVE #4 above, more bad news for the same product. Seagate BlackArmor NAS allowed remote attackers to execute arbitrary code via the session parameter in the localhost/backupmgt/localJob.php application file.

The same flaw was exploitable via the auth_name parameter in the localhost/backupmgmt/pre_connect_check.php file.

6. CVE-2014-3413 – Published: 2018-04-05 – Security Score 10

It seems that hardcoded passwords affect more products, such as the MySQL server in Juniper Networks Junos Space before version 13.3R1.8.

This MySQL server version shipped with an unspecified account that had a hardcoded password, allowing remote attackers to obtain administrative access to the databases.

7. CVE-2014-5279 – Published: 2018-02-06 – Security Score 10

Docker, the well-known container platform, had a serious configuration issue: the daemon accepted unauthenticated TCP connections by default, allowing remote attackers to execute arbitrary code with system privileges from child containers. This affected the Docker daemon when it was managed by boot2docker version 1.2.

8. CVE-2014-5334 – Published: 2018-01-08 – Security Score 10

Before version 9.3-M3, FreeNAS had a blank admin password set by default, allowing attackers to gain root administrative privileges through the WebGui login interface.

9. CVE-2014-6120 – Published: 2018-04-12 – Security Score 10

IBM Rational AppScan Source 8.0 – 8.0.0.2 and 8.5 – 8.5.0.1, and Security AppScan Source 8.6 – 8.6.0.2, 8.7 – 8.7.0.1, 8.8, 9.0 – 9.0.0.1, and 9.0.1, allow remote attackers to execute arbitrary commands on the installation server.

10. CVE-2014-6436 – Published: 2018-01-12 – Security Score 10

Number 10 goes to the Aztech ADSL modem models DSL5018EN (1T1R), DSL705E, and DSL705EU. These devices managed user sessions improperly, allowing remote attackers to bypass authentication and execute arbitrary commands with administrative privileges via the web-based login.

Conclusion

It’s always good practice to follow newly discovered CVEs to prevent security issues in your online companies and projects. In doing so, you’ll find some pretty interesting details about how software applications are affected by exploits.

In fact, one of the most interesting things we found in this list of top 10 CVEs from 2018 was that three of them could be exploited because their developers had incorporated hardcoded passwords, a practice that should always be avoided because of its high impact on system and application security.

Yet another surprise was finding a blank password inside the FreeNAS software. That’s even worse than using hardcoded passwords.

While your software and web apps can sometimes be exploited because of software bugs, in other situations your company can be attacked because you are exposing too much information through your domain names, IP addresses and DNS records.

Luckily, SecurityTrails is here to help prevent cybersecurity issues for your company’s applications. You’ll be able to audit all your websites and IP space as well as your DNS servers. At the end of the day, this can definitely help keep you off the bad guys’ radar.

Get the relevant information for eliminating external and internal threats with SecurityTrails tools, which are designed to obtain and analyze all security intelligence data. Sign up to SecurityTrails and take your company's security to the next level.