1,100 Oracle Weblogic servers vulnerable to CVE-2020-14882 can be easily compromised

Back in August 2020, we alerted that many global500 or fortune500 companies could be easily compromised by exploitation of known trivial vulnerabilities.

Now we have added a new check to our vulnscan category of information for an unauthenticated remote code execution vulnerability on Oracle Weblogic servers, CVE-2020-14882. Here are our test results.


1. Searching for potentially vulnerable systems

The first thing to do before checking for vulnerable systems is to find potentially vulnerable ones. Fortunately, there is a specific filter for querying ONYPHE to fetch this list:

category:datascan app.http.component.product:"Weblogic server" app.http.component.productvendor:"Oracle"

We found more than 14,000 exposed devices. But being exposed does not mean being exploitable. As we have developed our own non-intrusive check, we are able to verify in an innocuous way whether they are vulnerable or not. Our checker only fetches the Operating System and its version. Thus, we also have details about which kinds of systems are used to host Weblogic servers.

As we don't want to help cybercriminals, and as there is already enough proof-of-concept code available out there, we are not going to release our checker.

2. Count of vulnerable systems

By using a simple filter on our vulnscan category of information, we are able to know how many unique IP addresses are vulnerable, how many unique domains, and the count of unique fortune500/global500 companies. The filter is simply "cve:CVE-2020-14882":

category:vulnscan cve:CVE-2020-14882

Beware: 2,000 is a misleading number, as the result count does not reflect unique IP addresses. Here are some screenshots from our back-end, which gives access to the correct numbers:

3. Operating System used to host Oracle Weblogic servers

As we fetch Operating System (OS) and version information and store it in a specific field in our data, we are able to compute statistics on these values:

Figure: top used operating systems

Linux is the most used OS with 76.2%, followed by Windows Server 2012 R2 with 11.1% and Windows Server 2016 with 8.4%. Interestingly, we also find SunOS and AIX, even though they are not widely used at all.
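As an added example of the two computations described in sections 2 and 3 (raw hit count versus unique IP addresses and domains, then the OS share), here is a small aggregation over constructed vulnscan-style records. This is not ONYPHE's code: the field names (ip, port, domain, os, osversion) are an assumption modelled on what the post says is collected, and the sample hits are made up. The OS share is computed per unique host rather than per hit, so a server answering on several ports is not counted several times.

```python
"""Turn raw vulnscan hits into the figures quoted in the post.

Added example, not ONYPHE's code. The record fields (ip, port, domain,
os, osversion) are an assumption modelled on what the post says is
collected; the sample hits are constructed, not scan output.
"""
from collections import Counter

# Constructed sample for "category:vulnscan cve:CVE-2020-14882": one host
# answering on several ports yields several hits, so the raw result count
# is not a host count.
SAMPLE_HITS = [
    {"ip": "198.51.100.10", "port": 7001, "domain": "example.com", "os": "Linux", "osversion": ""},
    {"ip": "198.51.100.10", "port": 443, "domain": "example.com", "os": "Linux", "osversion": ""},
    {"ip": "198.51.100.11", "port": 7001, "domain": "example.com", "os": "Linux", "osversion": ""},
    {"ip": "203.0.113.5", "port": 7001, "domain": "example.org", "os": "Windows Server", "osversion": "2012 R2"},
    {"ip": "203.0.113.5", "port": 7002, "domain": "example.org", "os": "Windows Server", "osversion": "2012 R2"},
    {"ip": "203.0.113.6", "port": 7001, "domain": "example.net", "os": "Linux", "osversion": ""},
    {"ip": "192.0.2.7", "port": 7001, "domain": "example.net", "os": "SunOS", "osversion": "5.11"},
    {"ip": "192.0.2.7", "port": 7002, "domain": "example.net", "os": "SunOS", "osversion": "5.11"},
]


def unique_ips(hits):
    """Distinct vulnerable hosts, whatever the number of hits per host."""
    return {h["ip"] for h in hits}


def unique_domains(hits):
    """Distinct domains; hits without a domain field are ignored."""
    return {h["domain"] for h in hits if h.get("domain")}


def os_label(hit):
    """'Windows Server 2012 R2', or just 'Linux' when no version is known."""
    return f"{hit['os']} {hit['osversion']}".strip()


def os_distribution(hits):
    """Share of each OS among unique hosts, in percent (one vote per IP)."""
    per_host = {}
    for h in hits:
        per_host.setdefault(h["ip"], os_label(h))
    counts = Counter(per_host.values())
    total = len(per_host)
    return {name: round(100.0 * n / total, 1) for name, n in counts.most_common()}


def summarize(hits):
    """The numbers a report should quote, side by side with the raw count."""
    return {
        "raw_hits": len(hits),
        "unique_ips": len(unique_ips(hits)),
        "unique_domains": len(unique_domains(hits)),
        "os_share": os_distribution(hits),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HITS).items():
        print(key, value)
```

On the constructed sample the raw count is 8 while only 5 hosts and 3 domains are affected, which is exactly the gap the post warns about when reading the 2,000 figure.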

4. Conclusion

More than 1,100 unique IP addresses are impacted, accounting for 231 unique domains and at least 5 unique big companies.

This check will be executed every week from now on, so we will have updated information available for our Eagle View customers.

Patches are available, so apply them as quickly as possible, as this vulnerability may end up in the NSA's next TOP25 list of vulnerabilities most exploited by cybercriminals.

Many global500 and fortune500 companies still vulnerable to known critical vulnerabilities

For a few months now, cyber criminals have been targeting vulnerabilities in VPN appliances from major brands to compromise affected companies and deploy ransomware.

As discussed in a previous blog post, we are checking those vulnerabilities at Internet scale to help our customers find and fix their assets before the bad guys exploit them, which can end up costing millions to recover from.

In this blog post, we introduce our new tagging capability, which allows us to find all vulnerable global500 and fortune500 companies with a single API query.


1. Vulnerabilities we are able to detect

Today, we are checking 7 critical vulnerabilities. These vulnerabilities are exploitable remotely from the network, with no user interaction and without any authentication required. They allow remote code execution on affected targets, and that is why cyber crooks love them.

Here is the list of CVEs we are checking for:

Figure: proportion of impacted devices by CVE


2. Introducing the fortune500 and global500 tags

Since August 22nd, we have added lookup capabilities to our scanning engine. We have built a comprehensive inventory of fortune500 and global500 companies. Each time we receive an application response with a domain name set (example: adobe.com), we add tags when a match is found.

Figure: searching using the tag:global500 filter within category:vulnscan
Figure: tag cloud for vulnerable companies

As you can see from the tag cloud, the most prevalent vulnerability found on big companies is the one impacting Cisco ASA (CVE-2020-3452). But what worries us is the fact that some companies still have critical vulnerabilities on their Citrix Gateway, Fortinet FortiGate, SAP Netweaver Application Server or PulseSecure Pulse Connect Secure devices.

Also, you may note that no company is impacted by the #ghostcat or F5 Networks BIG-IP vulnerabilities.

3. How many of these companies are impacted?

Counting how many of them are vulnerable is not a single, direct query. We can count either the number of unique IP addresses or the number of unique domains. However, a company can have multiple domains. According to our datasets, a reasonable estimate is around 2 domains per company.

Furthermore, a company can use multiple device brands and thus may be counted multiple times if you add up the figures below. So, from the following figures, simply divide by 2 to get an estimate of how many fortune500 and global500 companies are impacted by each vulnerability.


3.1. Cisco ASA devices

Around 180 companies impacted

3.2. SAP Netweaver Application Server

Around 30 companies impacted

3.3. Citrix Gateway

Around 8 companies impacted

3.4. PulseSecure Pulse Connect Secure

Around 3 companies impacted

3.5. Fortinet FortiGate

Only 1 company impacted

As our data shows, around 200 of the biggest companies are still impacted by critical known vulnerabilities for which patches are available. Once duplicates between fortune500 and global500 are removed, there is a total of 881 companies.

In the end, more than 20% of big companies have known critical vulnerabilities, that is, more than 1 company out of 5.
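The estimation rule of section 3 (count unique tagged domains per CVE, divide by about 2 domains per company, and do not simply add the per-CVE figures because a company running several affected brands appears under several CVEs), as an added example that is not ONYPHE's code. It assumes each vulnscan record carries a "domain", a "cve" and a "tag" list holding "fortune500" or "global500" when the domain matched the inventory; the records are constructed, and apart from the two CVE ids named on this page the sample uses a marked placeholder id.

```python
"""Estimate how many fortune500/global500 companies each CVE touches,
using the post's rule of thumb of about two domains per company.

Added example, not ONYPHE's code. Assumed record layout: "domain", "cve"
and a "tag" list containing "fortune500" / "global500" when the domain
matched the inventory. Records are constructed; CVE-0000-0000 is a
placeholder id, not a real vulnerability.
"""
from collections import defaultdict

DOMAINS_PER_COMPANY = 2  # the post's estimate from its datasets
BIG_COMPANY_TAGS = {"fortune500", "global500"}

SAMPLE_HITS = [
    {"domain": "acme-corp.example", "cve": "CVE-2020-3452", "tag": ["global500"]},
    {"domain": "acme-corp.example", "cve": "CVE-2020-3452", "tag": ["global500"]},  # second device, same domain
    {"domain": "acme.example", "cve": "CVE-2020-3452", "tag": ["global500", "fortune500"]},
    {"domain": "acme.example", "cve": "CVE-2020-14882", "tag": ["global500", "fortune500"]},  # same company, other brand
    {"domain": "globex.example", "cve": "CVE-2020-3452", "tag": ["fortune500"]},
    {"domain": "globex-intl.example", "cve": "CVE-2020-3452", "tag": ["fortune500"]},
    {"domain": "initech.example", "cve": "CVE-0000-0000", "tag": ["global500"]},  # placeholder CVE id
    {"domain": "smallshop.example", "cve": "CVE-2020-3452", "tag": []},  # untagged: not a big company
]


def is_big_company(hit):
    """True when the record carries one of the inventory tags."""
    return bool(BIG_COMPANY_TAGS & set(hit.get("tag", [])))


def tagged_domains_per_cve(hits):
    """Map each CVE to the set of unique big-company domains hit by it."""
    per_cve = defaultdict(set)
    for h in hits:
        if is_big_company(h) and h.get("domain"):
            per_cve[h["cve"]].add(h["domain"])
    return dict(per_cve)


def estimate_companies(domains):
    """Domains -> companies, using the two-domains-per-company heuristic."""
    return len(domains) / DOMAINS_PER_COMPANY


def per_cve_estimates(hits):
    """The per-vulnerability figures, as in sections 3.1 to 3.5."""
    return {cve: estimate_companies(d) for cve, d in tagged_domains_per_cve(hits).items()}


def overall_estimate(hits):
    """Deduplicate domains across CVEs before dividing: summing the per-CVE
    figures would count a company once per affected brand."""
    all_domains = set().union(*tagged_domains_per_cve(hits).values())
    return estimate_companies(all_domains)


if __name__ == "__main__":
    est = per_cve_estimates(SAMPLE_HITS)
    for cve, companies in sorted(est.items()):
        print(cve, companies)
    print("naive sum:", sum(est.values()), "deduplicated:", overall_estimate(SAMPLE_HITS))
```

On the sample the per-CVE estimates add up to 3.0 companies, while the deduplicated figure is 2.5, because acme.example shows up under two CVEs; that is the double counting the post tells readers to allow for.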


4. How to verify you are not impacted

Customers with an "Eagle View" subscription can check by themselves. This is the only subscription level that allows querying the vulnscan category of information. Other Enterprise-level subscriptions do not give access to such data.

To prevent our online payment service from being exploited by malicious actors to fetch this sensitive information, we only sell Eagle View subscriptions after proper human interaction and validation that a legitimate company lies behind the request.

Checking that you are not vulnerable is as easy as running an API query against the current week when executed on a Thursday (scans are launched every Wednesday), or against the previous week when executed on a Monday:

category:vulnscan -exists:cve domain:onyphe.io -weekago:0

Of course, you can also use the Alert API or script your queries using the Search API.
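As an added example of scripting that weekly check with the Search API (not ONYPHE's own client), here is a small Python script that picks the right -weekago value from the day of the week, builds the query exactly as given above, pages through the answer and reduces it to distinct (ip, cve) pairs. The endpoint URL, the "Authorization: apikey" header and the "results"/"page"/"max_page" response keys are assumptions to verify against the current API documentation; the two-page answer embedded in the script is constructed so that it runs offline.

```python
"""Weekly "am I impacted?" check built on the query given in the post.

Added example, not ONYPHE's code. Assumptions (verify against the current
API documentation): the v2 endpoint https://www.onyphe.io/api/v2/search/<query>,
an "Authorization: apikey <key>" header, and JSON answers carrying "results",
"page" and "max_page". The filters (-exists:cve, -weekago:N) are the post's.
"""
import datetime as dt
import json
import os
import sys
import urllib.parse
import urllib.request

API_BASE = "https://www.onyphe.io/api/v2/search/"  # assumption
THURSDAY = 3  # datetime.weekday(): Monday is 0


def weekago_for(day: dt.date) -> int:
    """Scans run on Wednesdays: from Thursday on, the current week's results
    exist (-weekago:0); earlier in the week fall back to last week's (-weekago:1)."""
    return 0 if day.weekday() >= THURSDAY else 1


def build_query(domain: str, day: dt.date) -> str:
    return f"category:vulnscan -exists:cve domain:{domain} -weekago:{weekago_for(day)}"


def build_request(query: str, apikey: str, page: int = 1) -> urllib.request.Request:
    url = API_BASE + urllib.parse.quote(query, safe="") + f"?page={page}"
    return urllib.request.Request(url, headers={"Authorization": f"apikey {apikey}"})


def fetch_all(query: str, apikey: str, opener=urllib.request.urlopen) -> list:
    """Walk every page of a search; `opener` is swappable for offline use."""
    page, results = 1, []
    while True:
        with opener(build_request(query, apikey, page)) as resp:
            body = json.load(resp)
        results.extend(body.get("results", []))
        if page >= int(body.get("max_page", 1)):
            return results
        page += 1


def findings(results: list) -> list:
    """Distinct (ip, cve) pairs: a host hit on several ports counts once."""
    return sorted({(r["ip"], r["cve"]) for r in results if r.get("cve")})


# Constructed two-page answer standing in for the live API (not real data).
FAKE_PAGES = {
    1: {"page": 1, "max_page": 2, "results": [
        {"ip": "198.51.100.10", "port": 443, "domain": "example.com", "cve": "CVE-2020-14882"},
        {"ip": "198.51.100.10", "port": 7001, "domain": "example.com", "cve": "CVE-2020-14882"},
    ]},
    2: {"page": 2, "max_page": 2, "results": [
        {"ip": "198.51.100.11", "port": 443, "domain": "example.com", "cve": "CVE-2020-3452"},
    ]},
}


class _FakeResponse:
    """Minimal stand-in for the object urlopen() returns."""
    def __init__(self, payload):
        self._data = json.dumps(payload).encode()
    def read(self):
        return self._data
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def fake_opener(req: urllib.request.Request) -> _FakeResponse:
    page = int(urllib.parse.parse_qs(urllib.parse.urlparse(req.full_url).query)["page"][0])
    return _FakeResponse(FAKE_PAGES[page])


def demo() -> list:
    """Offline run of the whole pipeline on the constructed answer."""
    query = build_query("example.com", dt.date(2020, 11, 5))  # a Thursday
    return findings(fetch_all(query, "placeholder-key", opener=fake_opener))


if __name__ == "__main__":
    key = os.environ.get("ONYPHE_APIKEY")
    if key:  # live query for the domain given on the command line
        domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
        hits = findings(fetch_all(build_query(domain, dt.date.today()), key))
    else:
        hits = demo()
    for ip, cve in hits:
        print(ip, cve)
```

Run it with ONYPHE_APIKEY set and your domain as the first argument for a live check; without the variable it replays the embedded sample. An empty list of findings is the result you want to see every week.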

Conclusion

These vulnerabilities are massively exploited on the Internet. You don’t want to be the next big company falling for an unpatched VPN endpoint, losing millions, and losing your CEO job too. Contact us at sales[at]onyphe dot io for a demo.