On Thursday, the US National Security Agency published a comprehensive report detailing the top 25 vulnerabilities that are currently being consistently scanned for, targeted, and exploited by Chinese state-sponsored hacking groups.

All 25 security flaws are well known and have patches available from their vendors, ready to be installed.

Exploits for many of these flaws are also publicly available. Some have been abused by more than just Chinese hackers, having also been incorporated into the arsenals of ransomware gangs, low-level malware groups, and nation-state actors from other countries such as Russia and Iran.

“Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks,” the NSA said today.

The US cyber-security agency urges organizations in the US public and private sectors to patch their systems against the following flaws.

These include:

1) CVE-2019-11510 – On Pulse Secure VPN servers, an unauthenticated remote attacker can send a specially crafted URI to exploit an arbitrary file read vulnerability. This may lead to exposure of keys or passwords.

2) CVE-2020-5902 – On F5 BIG-IP proxies and load balancers, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, is affected by a Remote Code Execution (RCE) vulnerability that can allow remote attackers to take over the entire BIG-IP device.

3) CVE-2019-19781 – Citrix Application Delivery Controller (ADC) and Gateway systems are vulnerable to a directory traversal bug, which can lead to remote code execution without the attacker having to possess valid credentials for the device. These two issues (the directory traversal and the resulting code execution) can be chained to take over Citrix systems.

4+5+6) CVE-2020-8193, CVE-2020-8195, CVE-2020-8196 – Another set of Citrix ADC and Gateway bugs. These also affect SD-WAN WAN-OP systems. The three flaws allow unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.

7) CVE-2019-0708 (aka BlueKeep) – A remote code execution vulnerability exists within Remote Desktop Services on Windows operating systems.

8) CVE-2020-15505 – A remote code execution vulnerability in the MobileIron mobile device management (MDM) software that allows remote attackers to execute arbitrary code and take over remote company servers.

9) CVE-2020-1350 (aka SIGRed) – A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.

10) CVE-2020-1472 (aka Netlogon) – An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).

11) CVE-2019-1040 – A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection.

12) CVE-2018-6789 – Sending a handcrafted message to an Exim mail transfer agent may cause a buffer overflow. This can be used to execute code remotely and take over email servers.

13) CVE-2020-0688 – A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.

14) CVE-2018-4939 – Certain Adobe ColdFusion versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.

15) CVE-2015-4852 – The WLS Security component in Oracle WebLogic 15 Server allows remote attackers to execute arbitrary commands via a crafted serialized Java object.

16) CVE-2020-2555 – A vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware. This easily exploitable flaw lets an unauthenticated attacker with network access via T3 compromise Oracle Coherence systems.

17) CVE-2019-3396 – The Widget Connector macro in Atlassian Confluence 17 Server allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

18) CVE-2019-11580 – Attackers who can send requests to an Atlassian Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution.

19) CVE-2020-10189 – Zoho ManageEngine Desktop Central allows remote code execution because of deserialization of untrusted data.

20) CVE-2019-18935 – Progress Telerik UI for ASP.NET AJAX contains a .NET deserialization vulnerability. Exploitation can lead to remote code execution.

21) CVE-2020-0601 (aka CurveBall) – A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the flaw by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file came from a trusted, legitimate source.

22) CVE-2019-0803 – An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.

23) CVE-2017-6327 – The Symantec Messaging Gateway can encounter a remote code execution issue.

24) CVE-2020-3118 – A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload of an affected device.

25) CVE-2020-8515 – DrayTek Vigor devices allow remote code execution as root (without authentication) via shell metacharacters.
