Fidelis Blog


Dozen Dirtiest CVEs Q120 (Cloud Vulnerability Exposures)

Thank you for the great response at BSides San Francisco 2020, where we unveiled our real-time vulnerability alerting engine. By harnessing public data and applying data analytics, we cut through the noise and get real-time alerts only for highly seismic cloud vulnerability exposures (CVEs)—making vulnerability fatigue a thing of the past. If you missed our BSidesSF 2020 talk, you can watch the video “Real-Time Vulnerability Alerting” on YouTube. The real-time vulnerability alerting engine has been humming and churning data since BSides, and here are the consolidated results for the dozen dirtiest CVEs Q120.

Figure: Overview of Q1 2020 vulnerabilities (vulnerability intelligence quotient per day)

The X-axis of this graph represents each day of Q1 2020, while the Y-axis represents the vulnerability intelligence quotient calculated by the engine (see the BSides presentation for more info). For simplicity, the Y-axis has been divided into four color bands (red, orange, yellow and green) that represent the dirtiness, i.e. criticality, of each vulnerability. Each blue dot is one vulnerability: its position on the X-axis is the date on which it was scored, and its position on the Y-axis is its criticality (the vulnerability intelligence quotient). The same vulnerability can appear on several days, which happens mostly for vulnerabilities with a high Y-axis value.

#1 Dirtiest CVE Q120 – CVE-2020-0601 (CurveBall)

The title of dirtiest CVE Q120 goes to CVE-2020-0601, a vulnerability reported to Microsoft by the United States National Security Agency (NSA) in the way the Windows CryptoAPI (crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. Dubbed "CurveBall", it lets an attacker craft a certificate whose ECC public key is identical to that of a root CA that Windows trusts by default, but which carries the attacker's own explicit curve parameters (in particular, a different generator point). Because the unpatched CryptoAPI matched cached trusted roots by public key alone and never compared the curve parameters, a leaf certificate signed under those attacker-chosen parameters chains to the trusted root, so spoofed TLS server certificates and Authenticode-signed executables appear legitimate. Windows 10 and Windows Server 2016 and later are affected; the fix shipped in the January 2020 Patch Tuesday release, and patched hosts log Event ID 1 from the source Microsoft-Windows-Audit-CVE in the Application log whenever such a certificate is encountered, which is worth alerting on. Proof-of-concept code is publicly available on GitHub.
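To make the CurveBall root cause concrete, here is an added worked example (not code from this post, from Microsoft or from the NSA): a minimal ECDSA over P-256 in pure Python 3.8+, a forged key that reuses a trusted root's public point Q under an attacker-chosen generator, and the two "root match" checks, the vulnerable one keyed on Q alone and the fixed one that compares the curve parameters as well. Only the P-256 constants are real; the ECDSA, the root-match functions and the TBSCertificate stand-in are simplified models written for this illustration.

```python
"""Why CVE-2020-0601 (CurveBall) works, and the check that closes it.

Added illustration, not code from the Fidelis/CloudPassage post, from the
NSA or from Microsoft. Only the NIST P-256 constants are real; the ECDSA,
the two "root match" functions and the certificate stand-in are simplified
models written for this example.
"""
import hashlib
import secrets

# NIST P-256: y^2 = x^3 + a*x + b over GF(p); base point G has prime order n.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - A * x - B) % P == 0

def add(p1, p2):
    """Affine group law; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2 (or doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def _h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg, d, gen):
    """ECDSA over whatever generator the caller supplies (the crux of the bug)."""
    h = _h(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = mul(k, gen)[0] % N
        s = pow(k, -1, N) * (h + r * d) % N
        if r and s:
            return r, s

def verify(msg, sig, q, gen):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    x = add(mul(_h(msg) * w % N, gen), mul(r * w % N, q))
    return x is not None and x[0] % N == r

def vulnerable_root_match(cert_key, trusted_key):
    """Pre-patch CryptoAPI (simplified): the cached trusted root is found by
    public key alone, so the certificate's own curve parameters are ignored."""
    return cert_key["Q"] == trusted_key["Q"]

def fixed_root_match(cert_key, trusted_key):
    """Post-patch (simplified): the curve parameters must match as well. In
    practice, explicit parameters that differ from the named curve are rejected."""
    return cert_key["Q"] == trusted_key["Q"] and cert_key["G"] == trusted_key["G"]

def curveball_demo():
    # The trusted root's key pair; the attacker never learns d_root.
    d_root = secrets.randbelow(N - 1) + 1
    q_root = mul(d_root, G)
    trusted = {"Q": q_root, "G": G}
    # Attacker picks any private key d' and sets G' = d'^-1 * Q, so that
    # d' * G' = Q: same public key as the root, different parameters.
    d_fake = 2
    g_fake = mul(pow(d_fake, -1, N), q_root)
    forged = {"Q": q_root, "G": g_fake}
    tbs = b"constructed stand-in for a leaf certificate's TBSCertificate"
    sig = sign(tbs, d_fake, g_fake)
    return {
        "verifies_with_attacker_params": verify(tbs, sig, q_root, g_fake),
        "verifies_with_real_params": verify(tbs, sig, q_root, G),
        "vulnerable_match": vulnerable_root_match(forged, trusted),
        "fixed_match": fixed_root_match(forged, trusted),
    }
```

Note the asymmetry `curveball_demo()` returns: the signature verifies under the attacker's parameters, which is all the unpatched CryptoAPI consulted once it had matched Q, and fails under the real P-256 generator. The practical check is the one `fixed_root_match` models: a certificate that encodes explicit EC parameters instead of the named-curve OID must never be matched to a cached trusted root.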

#2 – CVE-2020-0796 (EternalDarkness/SMBGhost)

The second dirtiest CVE Q120 is CVE-2020-0796, also known as SMBGhost, EternalDarkness or CoronaBlue. Details leaked on the March 10, 2020 Patch Tuesday, when several vendors published summaries on the assumption that Microsoft's fix was part of that month's release; it was not, and Microsoft shipped an out-of-band patch (KB4551762) on March 12, after the public details were already circulating. The bug is an integer overflow in the way the SMBv3.1.1 server and client drivers (srv2.sys and mrxsmb.sys) handle compressed packets, so it affects only Windows 10 and Windows Server versions 1903 and 1909, the releases that implement SMB compression. An unauthenticated attacker can exploit a vulnerable server by sending a specially crafted compressed packet to TCP port 445; a client can be exploited if a user is tricked into connecting to a malicious SMBv3 server. In either case, successful exploitation yields arbitrary code execution in kernel mode (as SYSTEM), which is what made the server side a wormable candidate. Until the patch is applied, Microsoft's documented workaround is to disable SMBv3 compression on servers via the DisableCompression registry value (DWORD 1) under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters; the workaround does not protect clients. Proof-of-concept code, first local privilege escalation and later remote code execution, is publicly available on GitHub.
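The practitioner's question for CVE-2020-0796 is which hosts expose the vulnerable code path, and SMB itself answers it: a server that supports SMB 3.1.1 compression advertises an SMB2_COMPRESSION_CAPABILITIES negotiate context in its NEGOTIATE response, and the DisableCompression workaround removes that context. The following added example (not code from this post or from Microsoft) builds such a NEGOTIATE request, parses the response per the MS-SMB2 field layouts, and runs against a hand-constructed response so it can be exercised offline; `scan()` does the same over the wire.

```python
"""Does an SMB server advertise SMB 3.1.1 compression? (CVE-2020-0796 surface)

Added example, not code from the Fidelis/CloudPassage post or from Microsoft.
Builds an SMB2 NEGOTIATE request that offers dialect 3.1.1 with a compression
context and parses the NEGOTIATE response for SMB2_COMPRESSION_CAPABILITIES.
Layouts follow MS-SMB2 2.2.1, 2.2.3 and 2.2.4; the sample response is
constructed by hand so the parser can be exercised offline.
"""
import os
import socket
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE, DIALECT_311 = 0x0000, 0x0311
CTX_PREAUTH_INTEGRITY, CTX_COMPRESSION = 0x0001, 0x0003
COMPRESSION_NAMES = {1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman", 4: "Pattern_V1"}

def _pad8(buf):
    return buf + b"\x00" * (-len(buf) % 8)

def _context(ctype, data):
    # ContextType(2) DataLength(2) Reserved(4) Data(variable)
    return struct.pack("<HHI", ctype, len(data), 0) + data

def smb2_header(command, flags=0):
    # ProtocolId StructureSize CreditCharge Status Command CreditRequest Flags
    # NextCommand MessageId Reserved TreeId SessionId Signature = 64 bytes
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 1, 0, command, 1,
                       flags, 0, 0, 0, 0, 0, b"\x00" * 16)

def build_negotiate_request():
    """Offer SMB 2.0.2 through 3.1.1. A 3.1.1 offer must carry a pre-auth
    integrity context; the compression context is what makes a server that
    supports compression say so in its response."""
    dialects = [0x0202, 0x0210, 0x0300, 0x0302, DIALECT_311]
    preauth = _context(CTX_PREAUTH_INTEGRITY,
                       struct.pack("<HHH", 1, 32, 0x0001) + os.urandom(32))  # SHA-512 + salt
    compression = _context(CTX_COMPRESSION, struct.pack("<HHI3H", 3, 0, 0, 1, 2, 3))
    ctx_offset = -(-(64 + 36 + 2 * len(dialects)) // 8) * 8  # 8-aligned, from header start
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects), 0x01, 0, 0x44,
                       os.urandom(16), ctx_offset, 2, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    msg = smb2_header(SMB2_NEGOTIATE) + body
    return msg + b"\x00" * (ctx_offset - len(msg)) + _pad8(preauth) + compression

def parse_negotiate_response(msg):
    """Return (dialect, {context_type: data}) from an SMB2 NEGOTIATE response
    (header + body, without the 4-byte NetBIOS session header)."""
    if len(msg) < 128 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    status, command = struct.unpack_from("<IH", msg, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError("unexpected command 0x%04x / status 0x%08x" % (command, status))
    struct_size, _sec_mode, dialect, ctx_count = struct.unpack_from("<HHHH", msg, 64)
    if struct_size != 65:
        raise ValueError("bad NEGOTIATE response StructureSize %d" % struct_size)
    ctx_offset, = struct.unpack_from("<I", msg, 64 + 60)
    contexts, off = {}, ctx_offset
    for _ in range(ctx_count if dialect >= DIALECT_311 else 0):
        ctype, dlen = struct.unpack_from("<HH", msg, off)
        data = msg[off + 8:off + 8 + dlen]
        if len(data) != dlen:
            raise ValueError("truncated negotiate context")
        contexts[ctype] = data
        off += -(-(8 + dlen) // 8) * 8  # contexts are 8-byte aligned
    return dialect, contexts

def advertised_compression(msg):
    """Names of the compression algorithms the server advertises ([] if none).
    A Windows 10 / Server 1903 or 1909 host answering with a non-empty list has
    SMB compression enabled, i.e. the CVE-2020-0796 code path is reachable."""
    dialect, contexts = parse_negotiate_response(msg)
    data = contexts.get(CTX_COMPRESSION)
    if dialect != DIALECT_311 or data is None or len(data) < 8:
        return []
    count, = struct.unpack_from("<H", data, 0)  # then Padding(2) Flags(4) algorithms
    if len(data) < 8 + 2 * count:
        raise ValueError("truncated compression capabilities")
    algs = struct.unpack_from("<%dH" % count, data, 8)
    return [COMPRESSION_NAMES.get(a, "0x%04x" % a) for a in algs if a != 0]

def scan(host, port=445, timeout=3.0):
    """Live check (not exercised offline): NetBIOS session header + SMB2 message."""
    req = build_negotiate_request()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(struct.pack(">I", len(req)) + req)
        with sock.makefile("rb") as f:
            length = struct.unpack(">I", f.read(4))[0] & 0x00FFFFFF
            return advertised_compression(f.read(length))

def sample_response(with_compression=True):
    """Constructed NEGOTIATE response modelled on an unpatched Windows 10 1909
    server; with_compression=False models the DisableCompression workaround."""
    contexts = _pad8(_context(CTX_PREAUTH_INTEGRITY,
                              struct.pack("<HHH", 1, 32, 0x0001) + b"\x22" * 32))
    if with_compression:
        contexts += _context(CTX_COMPRESSION, struct.pack("<HHI3H", 3, 0, 0, 1, 2, 3))
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 0x01, DIALECT_311,
                       2 if with_compression else 1, b"\x33" * 16, 0x2F,
                       0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 128)
    return smb2_header(SMB2_NEGOTIATE, flags=0x1) + body + contexts
```

Caveat: this detects the attack surface, not the patch state. A host with KB4551762 installed still advertises compression, so a non-empty list means "confirm the update is installed or compression is disabled", not "vulnerable". Hosts older than 1903 never return the context because they do not implement SMB compression, and the same is true of a 1903/1909 host with the DisableCompression workaround applied.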

#3 – CVE-2019-19781

The honor of the third dirtiest CVE Q120 goes to CVE-2019-19781, which affects Citrix Application Delivery Controller (ADC, formerly NetScaler ADC), Citrix Gateway and several Citrix SD-WAN WANOP appliances. Citrix disclosed it on December 17, 2019 with only a responder-policy mitigation; fixed firmware followed between January 19 and 24, 2020, after public exploits had appeared on January 10 and mass scanning was already under way. Initially it was thought to be just a directory traversal that let a remote, unauthenticated user reach the appliance's /vpns/ scripts and write a file to a location on disk, but on further investigation it was found to give full remote code execution on the host. Because exploitation predated the patches on many appliances, patching alone is not enough: the appliance's logs and filesystem should also be checked for signs of compromise.
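Because CVE-2019-19781 was exploited in the wild before fixed firmware existed, teams need to look back through access logs for the traversal, not just confirm the patch. The following added example (not code from this post or from Citrix) implements the indicator Citrix's interim responder-policy mitigation matched on, a request URL containing "/vpns/" together with "/../", over constructed combined-format log lines, percent-decoding first so "%2e%2e" and double-encoded variants are not missed.

```python
"""Flag CVE-2019-19781 probes in web server access logs.

Added example, not code from the Fidelis/CloudPassage post or from Citrix.
It keys on the indicator Citrix's interim responder-policy mitigation used:
a request URL containing "/vpns/" reached through a "/../" traversal. The log
lines below are constructed, in combined (Apache/NGINX) format, using
documentation address ranges.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_path(raw):
    """Percent-decode until stable (3 rounds max) so %2e%2e and double-encoded
    traversals become '..'. Do NOT run posixpath.normpath first: it would turn
    '/vpn/../vpns/x' into '/vpns/x' and erase the traversal being hunted."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_19781_probe(raw_path):
    """True when /vpns/ is reached through a traversal (Citrix CTX267027 logic)."""
    path = decode_path(raw_path).split("?", 1)[0].lower()
    return "/vpns/" in path and "/../" in path

def scan_log(lines):
    """Return (ip, method, raw_path, status) for every matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_19781_probe(m["path"]):
            hits.append((m["ip"], m["method"], m["path"], m["status"]))
    return hits

# Constructed log lines. Line 1 is the classic vulnerability check (reading
# smb.conf through the traversal); line 2 reaches the Perl script the public
# exploits used; lines 3 and 4 are legitimate portal traffic; line 5 is an
# encoded variant that a naive substring match on "/../" would miss.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 318 "-" "curl/7.64.0"',
    '203.0.113.5 - - [11/Jan/2020:03:14:09 +0000] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "python-requests/2.22.0"',
    '198.51.100.7 - - [11/Jan/2020:03:15:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 1203 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Jan/2020:03:15:20 +0000] "GET /vpns/portal/homepage.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Jan/2020:03:16:44 +0000] "GET /vpn/..%2fvpns/portal/scripts/ HTTP/1.1" 403 199 "-" "curl/7.64.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s %s %s -> %s" % hit)
```

On the appliance itself the relevant log is /var/log/httpaccess.log. The Citrix policy additionally blocked any /vpns/ request made outside an established VPN session; that half is deliberately not reproduced here, because legitimate authenticated portal traffic also uses /vpns/ paths and the session state is not visible in a plain access log. A 403 on a matching request (line 5) still counts as a hit: it tells you who was scanning, even though the mitigation stopped that attempt.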

Top 12 Dirtiest CVEs Q120

The prioritized list of the complete dirty dozen for Q1 2020 is in the table below.

Rank  CVE             Description
#1    CVE-2020-0601   Windows CryptoAPI Elliptic Curve Cryptography (ECC) certificate spoofing (CurveBall)
#2    CVE-2020-0796   Windows SMBv3 client/server remote code execution (SMBGhost)
#3    CVE-2019-19781  Citrix Application Delivery Controller (ADC) and Gateway remote code execution
#4    CVE-2020-0688   Microsoft Exchange validation key remote code execution (first published as "Memory Corruption")
#5    CVE-2020-0674   Microsoft Scripting Engine (Internet Explorer jscript.dll) memory corruption
#6    CVE-2020-0609   Windows Remote Desktop Gateway (RD Gateway) remote code execution
#7    CVE-2020-0610   Windows Remote Desktop Gateway (RD Gateway) remote code execution
#8    CVE-2020-1938   Apache Tomcat AJP connector (Ghostcat) arbitrary file read and inclusion
#9    CVE-2019-11510  Pulse Secure Pulse Connect Secure arbitrary file read
#10   CVE-2019-17026  Firefox and Thunderbird (IonMonkey type confusion) code execution
#11   CVE-2019-0604   Microsoft SharePoint remote code execution
#12   CVE-2019-18634  sudo "pwfeedback" stack-based buffer overflow (when enabled in /etc/sudoers)


How CloudPassage Halo Can Help

CloudPassage Halo Customers can use Halo’s Server Secure service, our software vulnerability manager, to identify and prioritize the dozen dirtiest CVEs Q120 lurking in their environments.

Figure: CloudPassage Halo Servers tab

Customers can also create custom reports to view details on the dozen dirtiest CVEs Q120.

Figure: CloudPassage Halo Vulnerability Report

To keep up to date on our new control policies as we release them and our quarterly reports on the Dozen Dirtiest CVEs Q120 and beyond, subscribe to the CloudPassage Blog in the upper right corner of this page.
