Organizations are becoming accustomed to the new remote workforce normal. Currently, more people are working remotely than ever before, and that trend appears likely to persist long into the future. While working remotely has some benefits, there are drawbacks. One major drawback for IT and security teams is securing these remote devices. The transition has been difficult for many organizations. However, organizations can't afford to be caught off guard. Many adversaries are taking advantage of this and are targeting highly prevalent vulnerabilities that are commonly left unpatched. These attacks are becoming increasingly common and sophisticated, with state-level actors entering the fray more frequently.
Because of this, the National Security Agency (NSA) issued a somewhat unexpected cybersecurity advisory detailing the most common vulnerabilities exploited by Chinese state-sponsored actors. While the vulnerabilities highlighted are not surprising, the CVEs do highlight the importance of these types of publications, especially upon review of the supporting details provided. It should not come as a surprise that targeted technologies would include remote access, communication, and collaboration tooling during a pandemic that pushes the bounds of an organization’s perimeters.
Of the 25 highlighted CVEs, 15 were published within the year and 9 are much older. There are some interesting takeaways from the highlighted vulnerabilities. First, the average age of these vulnerabilities is 471 days. This is a shockingly old set of vulnerabilities and highlights the industry’s limited capacity to patch vulnerable systems in a timely manner. Many organizations without strong automation and patch management solutions have found themselves unable to patch even years-old vulnerabilities, much less reach the critical 24/72 threshold for patching zero-day vulnerabilities (24 hour response) and critical vulnerabilities (72 hour response).
NSA Recommends Best Practices for Vulnerability Management
In its cybersecurity advisory, the NSA provides some best practices to consider for patching and protecting corporate systems from potential breach. Here’s a quick breakdown of those recommendations, and what you can do to address them with an automated endpoint management platform like Automox:
- Keep systems and products updated and patched as soon as possible after patches are released.
Automation is the only way to address the number of vulnerabilities patched each month. Most organizations take 102 days to patch systems, but with Automox you can confidently patch on day-0 of patch release, keeping your organization protected. Automation can ensure the next time the NSA releases a cybersecurity advisory like this you are already up to date and patched.
- Expect that data stolen or modified (including credentials, accounts, and software) before the device was patched will not be alleviated by patching, making password changes and reviews of accounts a good practice.
Patching solves the immediate problem of an exposed vulnerability, but good cyber hygiene principles require additional steps like password resets. Automox can automate post-breach remediation for password hygiene.
- Block obsolete or unused protocols at the network edge and disable them in device configurations.
Automox Worklets are an effective and automated way to quickly remediate unused protocols or any other configurations to improve your cyber hygiene across your entire environment, regardless of location or domain. Some worklet examples are: Disable LLMNR (Security Risk), How to Disable Remote Desktop Protocol Connection, and Disable SMBv1 Across Windows Devices.
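As an added example, and not one of the Automox worklets named above or code taken from the page, the following PowerShell script checks for the three protocols those worklets target (LLMNR, Remote Desktop, SMBv1) and, when run in remediation mode, disables them. It follows the evaluation/remediation split that Automox Worklets use; the exit-code convention assumed here (0 = compliant, 1 = needs remediation), the $Mode parameter, and the function names are this example's own choices. The registry values and cmdlets are standard Windows ones.

```powershell
# Added example (not an Automox worklet from the page): evaluate or remediate three
# obsolete/unused protocols on a Windows endpoint. Assumed convention: exit 0 means
# compliant, exit 1 means the device needs remediation. Run as an administrator.
param([ValidateSet('Evaluate', 'Remediate')][string]$Mode = 'Evaluate')

$dnsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$termServer      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$lanmanServer    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-LlmnrDisabled {
    # Group Policy "Turn off multicast name resolution" writes EnableMulticast = 0.
    $v = Get-ItemProperty -Path $dnsClientPolicy -Name EnableMulticast -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableMulticast -eq 0)
}
function Disable-Llmnr {
    New-Item -Path $dnsClientPolicy -Force | Out-Null
    Set-ItemProperty -Path $dnsClientPolicy -Name EnableMulticast -Value 0 -Type DWord
}

function Test-Smb1Disabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (-not (Get-SmbServerConfiguration).EnableSMB1Protocol)
    }
    # Windows 7 / Server 2008 R2 have no SMB cmdlets: the LanmanServer SMB1 value
    # must be explicitly 0 (an absent value means SMB1 is still enabled).
    $v = Get-ItemProperty -Path $lanmanServer -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.SMB1 -eq 0)
}
function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanmanServer -Name SMB1 -Value 0 -Type DWord
    }
    # Also remove the optional feature (client and server binaries) where it exists.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Test-RdpDisabled {
    # fDenyTSConnections = 1 means inbound Remote Desktop connections are refused.
    $v = Get-ItemProperty -Path $termServer -Name fDenyTSConnections -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.fDenyTSConnections -eq 1)
}
function Disable-Rdp {
    Set-ItemProperty -Path $termServer -Name fDenyTSConnections -Value 1 -Type DWord
    # Keep the host firewall in step with the registry setting.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

# Each check pairs a compliance test with the matching fix.
$checks = @(
    @{ Name = 'LLMNR'; Test = ${function:Test-LlmnrDisabled}; Fix = ${function:Disable-Llmnr} },
    @{ Name = 'SMBv1'; Test = ${function:Test-Smb1Disabled}; Fix = ${function:Disable-Smb1} },
    @{ Name = 'RDP';   Test = ${function:Test-RdpDisabled};  Fix = ${function:Disable-Rdp} }
)

$nonCompliant = @()
foreach ($c in $checks) {
    if (& $c.Test) { Write-Output "$($c.Name): disabled (compliant)"; continue }
    $nonCompliant += $c.Name
    if ($Mode -eq 'Remediate') {
        Write-Output "$($c.Name): enabled, disabling"
        & $c.Fix
    } else {
        Write-Output "$($c.Name): enabled (non-compliant)"
    }
}

# In evaluation mode a non-zero exit tells the platform this device needs remediation.
if ($Mode -eq 'Evaluate' -and $nonCompliant.Count -gt 0) { exit 1 }
exit 0
```

Run it with -Mode Evaluate against a pilot group before enabling remediation, and scope the RDP check to devices that do not need inbound Remote Desktop: disabling it on a host that you administer over RDP cuts off your own access.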
- Enable robust logging of Internet-facing services and monitor the logs for signs of compromise.
Again, Automox Worklets can enforce logging compliance by enabling these services and verifying that they stay enabled.
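As an added example, and not code from the page or from Automox, the following PowerShell script does the two halves of that recommendation on a Windows host: it turns on logon auditing and keeps the Security log large enough to hold evidence, then runs a short triage pass for signs of compromise. The 4625 failed-logon event, the Microsoft-Windows-Audit-CVE event that a patched system writes when a CVE-2020-0601 exploitation attempt is detected, and the NETLOGON 5827-5829 events that a patched domain controller writes for vulnerable Netlogon secure channel connections (CVE-2020-1472) are Windows-documented; the threshold values, the look-back window, the subcategory list and the function name are this example's assumptions.

```powershell
# Added example (not from the page or from Automox): enforce logon auditing on a
# Windows endpoint, size the Security log for retention, and triage the last
# $LookbackHours of logs for signs of compromise. Run as an administrator.
# Threshold and look-back defaults are assumptions; tune them per environment.
param([int]$FailedLogonThreshold = 50, [int]$LookbackHours = 24)

# 1. Audit policy: success and failure for the logon-related subcategories.
foreach ($sub in 'Logon', 'Logoff', 'Account Lockout', 'Credential Validation', 'Special Logon') {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 2. Security log retention: 1 GiB so a busy Internet-facing host does not roll over in hours.
wevtutil sl Security /ms:1073741824

# 3. The RDP connection channel is the primary record of who connected and from where.
wevtutil sl 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' /e:true

# 4. Triage helpers.
function Get-FailedLogonBursts {
    param([datetime]$Since, [int]$Threshold)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
        -ErrorAction SilentlyContinue
    if (-not $events) { return @() }
    # Property index 19 of event 4625 is the source network address (IpAddress).
    $events | ForEach-Object { $_.Properties[19].Value } |
        Group-Object | Where-Object { $_.Count -ge $Threshold } | Sort-Object Count -Descending
}

$since  = (Get-Date).AddHours(-$LookbackHours)
$alerts = 0

# 4a. Bursts of failed logons from one source: password spraying / brute force.
foreach ($g in (Get-FailedLogonBursts -Since $since -Threshold $FailedLogonThreshold)) {
    Write-Output "ALERT: $($g.Count) failed logons from $($g.Name) since $since"
    $alerts++
}

# 4b. Audit-CVE events: a patched system logs these when it blocks a CVE-2020-0601 style
#     spoofed certificate (Application log, provider Microsoft-Windows-Audit-CVE).
$cve = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Audit-CVE'; StartTime = $since } `
    -ErrorAction SilentlyContinue
foreach ($e in $cve) { Write-Output "ALERT: Audit-CVE: $($e.Message)"; $alerts++ }

# 4c. Netlogon 5827-5829 on a patched domain controller: vulnerable Netlogon secure
#     channel connections (denied or, for 5829, still allowed) relevant to CVE-2020-1472.
$netlogon = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5827, 5828, 5829; StartTime = $since } `
    -ErrorAction SilentlyContinue
foreach ($e in $netlogon) { Write-Output "ALERT: NETLOGON event $($e.Id): vulnerable secure channel connection"; $alerts++ }

Write-Output "$alerts alert(s) in the last $LookbackHours hour(s)"
# Non-zero exit so a scheduled or worklet-style run can flag the device for follow-up.
if ($alerts -gt 0) { exit 1 }
exit 0
```

The Audit-CVE and NETLOGON checks only produce events once the corresponding patches are installed, so an empty result on an unpatched host is not a clean bill of health; pair this with the patch status reported by your endpoint management platform.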
You can read more about patch management best practices for remote workers in a previous blog.
Vulnerabilities You Can Patch Now in Automox
Using Automox, you can immediately patch the Windows OS vulnerabilities highlighted in the NSA brief. These include:
- CVE-2019-0708
  - Found in Windows 10, XP, 7, Server 2003-2008
  - CVE-2019-0708 is a remote code execution vulnerability that exists in Remote Desktop Services (formerly known as Terminal Services) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'. See How to Disable Remote Desktop Protocol Connection.
- CVE-2019-0803
  - Found in Windows 7 - Windows 10, Server 2008-2019
  - CVE-2019-0803 is an elevation of privilege vulnerability that exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0685 and CVE-2019-0859.
- CVE-2019-1040
  - Found in Windows 7 - Windows 10, Server 2008-2019
  - CVE-2019-1040 is a tampering vulnerability that exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection.
- CVE-2020-0601
  - Found in Windows 10, Server 2016-2019
  - CVE-2020-0601 is a spoofing vulnerability that exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file came from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.
- CVE-2020-1350
  - Found in Windows Server 2008-2019
  - CVE-2020-1350 is a remote code execution vulnerability that exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'.
- CVE-2020-1472
  - Found in Windows 7 - Windows 10, Server 2008-2019
  - CVE-2020-1472 is an elevation of privilege vulnerability that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.
To search for known vulnerabilities on your systems and confirm whether they have been patched, refer to the support documentation for more information. If you have any additional questions, please feel free to contact our technical support team.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.