The U.S. National Security Agency released an advisory outlining several vulnerabilities that the Russian Foreign Intelligence Services (SVR) is exploiting in the wild. The U.S. formally attributed the recent SolarWinds supply chain attack to the SVR group in this advisory and detailed more of the group's tactics, techniques and procedures.
The exploits included a series of five CVEs that affect VPN solutions, collaboration suite software and virtualization technologies. All five of the CVEs have been patched — Cisco Talos encourages everyone with the affected software update immediately. Some of these vulnerabilities also have working metasploit modules and are currently being widely exploited. Please note that some of these vulnerabilities exploit applications leveraging SSL. This means that users should enable SSL decryption in Cisco Secure Firewall and Snort to detect exploitation of these vulnerabilities. For an example of this, see how it can be done to protect against exploits used by the Hafnium threat actor here.
Below, we'll outline the vulnerabilities the NSA highlighted, along with Snort rules that will keep users protected from exploitation. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
CVE-2018-13379 is a directory traversal vulnerability in Fortinet FortOS that results in attackers accessing and downloading system files. This can result in the attacker obtaining VPN credentials, which could allow an initial foothold into a target network. The patch for this vulnerability is available and should be applied immediately.
Snort SIDs 51370 - 51372
CVE-2019-9670 is an XML External Entity Injection (XXE) vulnerability in the mailboxd component of the Synacore Zimbra Collaboration Suite that can allow an attacker to gain access to credentials to further their access or as an initial foothold into a target network. The patch for this vulnerability is available and should be applied immediately.
Snort SID 49898
CVE-2019-11510 is an arbitrary file disclosure vulnerability in Pulse Secure Pulse Connect Secure. This information disclosure vulnerability can be abused by attackers to access sensitive information, including private keys and credentials. The patch for this vulnerability is available and should be applied immediately.
Snort SIDs 51288, 51289 and 51390
CVE-2019-19781 is a directory traversal vulnerability in Citrix Application Delivery Controller and Gateway that can allow attackers to execute arbitrary code. The patch for this vulnerability is available and should be applied immediately.
Snort SIDs 52512, 52513, 52603, 52620 and 52662
CVE-2020-4006 is a command injection vulnerability in VMWare Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector. This particular vulnerability requires valid credentials to the configurator admin account and allows for arbitrary commands to be executed on the underlying operating systems. The patch for this vulnerability is available and should be applied immediately.
Snort SIDs 57182 - 57185