Adeline Zhang

Multiple Cisco Vulnerabilities Threat Alert-1

December 14, 2020


On November 18, 2020 (local time), Cisco released security advisories fixing vulnerabilities in multiple products. These vulnerabilities include three high-risk ones: CVE-2020-3531, CVE-2020-3586, and CVE-2020-3470.

Reference link:

Drupal Remote Code Execution Vulnerability (CVE-2020-13671) Threat Alert

December 11, 2020


On November 19, 2020 (Beijing time), Drupal released a security advisory that fixes a remote code execution vulnerability (CVE-2020-13671). Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.


XStream Remote Code Execution Vulnerability (CVE-2020-26217) Threat Alert

December 9, 2020


Recently, XStream released a security advisory that fixes a remote code execution vulnerability (CVE-2020-26217). The vulnerability may allow a remote attacker to execute arbitrary code by sending crafted requests to the web application that uses XStream and thereby taking control of the target server. XStream is a commonly used tool for converting between Java objects and XML.

The vulnerability is a variation of CVE-2013-7285. This time, it uses a different set of classes to bypass blacklist restriction in the deserialization process, thus leading to remote code execution.


Annual IoT Security Report 2019-9

IoT botnets

December 8, 2020


This chapter analyzes IoT threats from the perspective of vulnerabilities. We first analyze the change trends of IoT vulnerabilities and exploits 1 in the NVD and Exploit Database (Exploit-DB) in 2019 and then IoT exploits captured by NSFOCUS’s threat hunting system. The following dwells upon some representative exploits.


Trend Analysis on 2020 Q3 Phishing Email

December 7, 2020

Chapter 1. Brief on the risk

In phishing email attacks worldwide, Covid-19 is still an important topic. With the increasing availability of epidemic prevention material supplies in various countries and the transparency of news channels, attackers have begun to look for “hot issues” from other perspectives that may attract people’s attention.

With the impact of the pandemic, some companies have also begun to adjust their working systems, including the use of remote working. In this case, some companies need to notify every employee of the revised system and remote office network access methods. Naturally, attackers will not let go of this huge “opportunity”.

Consistent with the trend of real phishing attacks received internally by our company, external phishing attacks are gradually shifting from malicious links to malicious attachments. In order to prevent them from being intercepted by email security products or being checked and killed by anti-virus software on computers, more and more attackers are using a “multi-stage” attack mode, that is, malicious attachments in phishing emails only function for downloading and running malicious files. The actual malicious code is located in malicious files downloaded from the Internet.

In addition to new attack forms, attackers continue to innovate in attack technology. For example, in this quarter, attackers used new “zero font”, “hexadecimal IP address” and other methods to attack external users. In the third chapter of the report, the principles of these new attack techniques will also be discussed.


Annual IoT Security Report 2019-8

IoT botnets

December 4, 2020

Heuristic Recon via the Dual-Stack UPnP Service

In addition to the recon of IPv6 addresses based on their characteristics, we can also use UPnP to detect IoT assets by referring to the method described in a blog post 28 from Cisco Talos Labs.


UPnP is a set of protocols designed to achieve interconnectivity between devices on a LAN. Due to misconfiguration, many UPnP services are exposed on the Internet. We can use UPnP to uncover dualstack IoT devices — devices with both an IPv4 and IPv6 address. Two roles are available in the UPnP protocol, namely, the control point and device. Each time when the control point goes live, it sends an M-SEARCH message to the multicast address for searching for controllable devices.

After receiving the M-SEARCH message or joining the network, a device sends a NOTIFY message to the multicast address, notifying its own information to other devices. In a NOTIFY message, the LOCATION field indicates the link to the device description. Upon receiving the NOTIFY message sent by the device, the control point will access the link contained in the LOCATION field. Figure 2-16 shows the workflow of UPnP.


Windows Network File System Vulnerabilities (CVE-2020-17051, CVE-2020-17056) Threat Alert

December 2, 2020


On November 10, 2020 local time, Microsoft fixed two vulnerabilities in the Windows Network File System (NFS) in its monthly security updates, which are CVE-2020-17051 and CVE-2020-17056.

CVE-2020-17051 is a remote code execution vulnerability on the nfssvr.sys driver. It is said that the vulnerability can be reproduced to cause an immediate BSOD (Blue Screen of Death) within the driver [3].

CVE-2020-17056 is a remote out-of-bounds read vulnerability on the nfssvr.sys driver, which can lead to an address space layout randomization (ASLR) bypass.


Annual IoT Security Report 2019-7

IoT botnets

December 1, 2020

Heuristic Recon of IPv6 Addresses Based on Their Characteristics

Previously, we mentioned that IPv6 addresses, when assigned, can, for example, include random values in particular bytes or embed MAC addresses. With these facts in mind, we exercised some restrictions to narrow down the address space to be scanned.

Specifically, we employed the following approaches to conduct the recon based on data from the collection of IPv6 addresses available on Hitlist.

  • Recon of low-byte addresses and addresses containing random bits in particular bytes

For low-byte IPv6 addresses, the recon method is similar to that for IPv4 addresses. Such addresses contain 0s in all bytes except the least significant byte, so it is only necessary to base the scan on this part (least significant byte).

For those containing random bits in particular bytes than in the least significant byte, Scan6 uses hexadecimal notation to specify the scanning scope so as to traverse only specified bits. To do so, we ran the “scan6 -i eth0 -d ****:983:0-3000::1” command, in which 0-3000 (hexadecimal) specifies
the traversal scope. It took about 1 minute to complete a scan of 12,288 IPv6 addresses, with 3853 active ones found, as shown in Figure 2-13.


Microsoft’s November 2020 Patches Fix 112 Security Vulnerabilities Threat Alert

November 30, 2020


Microsoft released November 2020 security updates on Tuesday which fix 112 vulnerabilities ranging from simple spoofing attacks to remote code execution, including 17 critical vulnerabilities, 93 important vulnerabilities, and two low vulnerabilities. All users are advised to install updates without delay.

These vulnerabilities affect Azure DevOps, Azure Sphere, Common Log File System Driver, Microsoft Browsers, Microsoft Dynamics, Microsoft Exchange Server, Microsoft Graphics Component, Microsoft Office, Microsoft Office SharePoint, Microsoft Scripting Engine, Microsoft Teams, Microsoft Windows, Microsoft Windows Codecs Library, Visual Studio, Windows Defender, Windows Kernel, Windows NDIS, Windows Update Stack, and Windows WalletService.


Adobe Releases November’s Security Updates Threat Alert

November 28, 2020


On November 11, 2020 (local time), Adobe released security updates which address multiple vulnerabilities in Adobe Connect and Adobe Reader Mobile.



Subscribe to the NSFOCUS Blog