Most exploited vulnerabilities in this month

September 29, 2018

SonicWall Threat Research Lab has observed the vulnerabilities that are actively being exploited from the beginning of this month. Please find below the list of vulnerabilities, vendor advisory information  and the SonicWall signatures to protect against these exploits 

CVE-2017-11882 | Microsoft Office EQNEDT32 Stack Buffer Overflow

This is a stack buffer overflow vulnerability in Microsoft Office. The vulnerability is due to incorrect handling of embedded Equation Editor OLE objects in Office documents. A remote attacker could exploit this vulnerability by enticing a user to open a specially crafted file. Successful exploitation could lead to arbitrary code execution under the context of the currently logged on user.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882

GAV: 21982  Malformed.doc.MP.10
GAV: 4094 JScript.Doc_229

CVE-2017-0147 | Microsoft Windows SMB Server SMBv1 CVE-2017-0147 Information Disclosure

This is an information disclosure vulnerability in the SMBv1 component of Microsoft Windows SMB server. The vulnerability is due to improper handling of SMBv1 requests. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted SMB messages to a target server. Successful exploitation could result in the disclosure of sensitive information from the target server

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147

GAV Cloud ID: 55251134 WannaCrypt

CVE-2010-2568 | Microsoft Windows LNK File Code Execution

This exists in Microsoft Windows that may allow execution of arbitrary code on the target machine. The vulnerability is due to a design weakness in Windows Shell which incorrectly parses shortcuts in such a way that malicious code may be executed when the crafted file is opened either manually or automatically with Windows Explorer. This can be most likely exploited through removable drives containing malicious LNK files, especially on systems that have AutoPlay enabled.

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-046

IPS: 13508 LNK File HTTP Download 2

CVE-2017-8570 | Microsoft Office Remote Code Execution Vulnerability

This is a remote code execution vulnerability in Microsoft Office. The vulnerability is due to incorrect handling of embedded OLE objects in Office documents. A remote attacker could exploit this vulnerability by enticing a user to open a specially crafted file. Successful exploitation could lead to arbitrary code execution under the context of the currently logged on user. 

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570

GAV: 32260 JScript.RTF_4

CVE-2013-3346 | Adobe Acrobat Reader ToolButton Use After Free

A use after free vulnerability exists in Adobe Acrobat and Reader. The vulnerability is due to an error in the handling of callback functions associated with ToolButton objects. A remote attacker can exploit this vulnerability by enticing the user to open a specially crafted file. Successful exploitation could result in arbitrary code execution in the context of the currently affected user.

http://www.adobe.com/support/security/bulletins/apsb13-15.html

IPS: 6207 HTTP Client Shellcode Exploit 42

CVE-2010-2883 | Adobe Acrobat and Reader CoolType.dll Stack Buffer Overflow

A code execution vulnerability exists in Adobe Acrobat and Reader. The vulnerability is due to a stack-based buffer overflow error within the CoolType.dll module when handling PDF files containing TTF fonts. Remote attackers could exploit this vulnerability by enticing target users to open a malicious PDF document. Successful exploitation would result in arbitrary code execution in the context of the logged on user.

http://www.adobe.com/support/security/advisories/apsa10-02.html

GAV– 43643 Malformed.pdf.MT.2

CVE-2015-1641| Microsoft Office Component CVE-2015-1641 Use After Free

This is a remote code execution vulnerability in Microsoft Office. The vulnerability is due to improper manipulation of objects in memory while parsing specially crafted Office files. A remote attacker can exploit this vulnerability by enticing a user open a maliciously crafted Office file. Successful exploitation could result in code execution in the context of the affected user.

https://technet.microsoft.com/en-us/library/security/ms15-033.aspx

GAV: 43643 Malformed.pdf.MT.2

CVE-2018-8174 | Microsoft Windows VBScript Engine CVE-2018-8174 Use After Free

A memory corruption vulnerability exists in the Microsoft Windows VBScript engine. The vulnerability is due to the way that the VBScript engine handles certain objects in memory.
A remote attacker can exploit this vulnerability by enticing a user to open a crafted web page using Internet Explorer or a crafted Microsoft Office document.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174

IPS: 4604 HTTP Client Shellcode Exploit 1

CVE-2018-8120 | Win32k Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. This affects Win32k, Windows, Windows Kernel, Windows Common Log File System Driver, DirectX Graphics Kernel & Windows Image. A local, authenticated attacker could exploit these vulnerabilities by running a maliciously crafted application on the target system. Successful exploitation allows the attacker elevate their privileges to an administrative level on the target.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120

GAV Cloud Id: 66194921 Btrojan Exploit

The risk posed by these vulnerabilities can be mitigated by upgrading to the latest non-vulnerable version