CVE-2020-5754

9.1 CRITICAL

📋 TL;DR

CVE-2020-5754 is a type confusion vulnerability in Webroot endpoint agents that allows remote attackers to crash the agent or read its memory contents by sending specially crafted TCP packets to its listening port. This affects organizations using Webroot endpoint protection with vulnerable agent versions. Attackers can potentially gain unauthorized access to sensitive memory data.

💻 Affected Systems

Products:
  • Webroot Endpoint Protection
Versions: All versions prior to v9.0.28.48
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: The Webroot agent runs with SYSTEM/root privileges on Windows/macOS respectively, amplifying the impact of successful exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, or lateral movement within the network.

🟠 Likely Case

Denial of service through agent crashes and potential memory disclosure that could reveal sensitive information or facilitate further attacks.

🟢 If Mitigated

Limited impact with proper network segmentation and updated agents, potentially only causing temporary service disruption.

🌐 Internet-Facing: HIGH - The agent listens on a TCP port that could be exposed to the internet, allowing remote exploitation without authentication.
🏢 Internal Only: HIGH - Even internally, any system with network access to the agent port can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Tenable published detailed research including proof-of-concept code. Exploitation requires network access to the agent's TCP port (default 27015).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v9.0.28.48 and later

Vendor Advisory: https://community.webroot.com/announcements-3/webroot-endpoint-agent-vulnerability-cve-2020-5754-316667

Restart Required: Yes

Instructions:

1. Update the Webroot Management Console to the latest version.
2. Deploy the agent update to all endpoints.
3. Restart endpoints to ensure the new agent version is active.
4. Verify the agent version is v9.0.28.48 or higher.

🔧 Temporary Workarounds

Network Segmentation (platforms: all)

Restrict access to the Webroot agent TCP port (default 27015) using firewall rules.

Windows: netsh advfirewall firewall add rule name="Block Webroot Port" dir=in action=block protocol=TCP localport=27015
Linux: iptables -A INPUT -p tcp --dport 27015 -j DROP

Disable Remote Management (platforms: all)

Configure the Webroot agent to disable remote management features if they are not required.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Webroot agents from untrusted networks
  • Monitor for unusual network traffic to Webroot agent ports and agent crash events

🔍 How to Verify

Check if Vulnerable:

Check Webroot agent version in system tray or via Webroot Management Console. Versions below v9.0.28.48 are vulnerable.

Check Version:

Windows: Check the Webroot system tray icon or C:\ProgramData\WRData\wrlog.txt
macOS: Check /Library/Application Support/Webroot/wrlog.txt

Verify Fix Applied:

Confirm agent version is v9.0.28.48 or higher in Webroot Management Console or local agent interface.

📡 Detection & Monitoring

Log Indicators:

  • Webroot agent crash logs
  • Unexpected termination of wrservice.exe (Windows) or WebrootService (macOS)
  • Memory access violations in system logs

Network Indicators:

  • Unusual TCP traffic to port 27015
  • Multiple connection attempts to Webroot agent port from single source
  • Malformed packets to Webroot port
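The "multiple connection attempts from a single source" indicator above can be checked offline against exported firewall or flow logs. The script below is an added example, not part of this advisory or any Webroot tooling; the log line format, the 5-connections-per-minute threshold and the sample entries are all constructed assumptions, so adapt the parser to your own log source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WEBROOT_PORT = 27015           # default agent listening port named in the advisory
THRESHOLD = 5                  # assumed: flag a source at 5+ connections per window
WINDOW = timedelta(minutes=1)  # assumed sliding window length

# Constructed sample firewall/flow log (not a real capture):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2020-03-01T10:00:01 10.0.0.5 -> 10.0.0.20:27015 TCP
2020-03-01T10:00:02 10.0.0.5 -> 10.0.0.20:27015 TCP
2020-03-01T10:00:03 10.0.0.7 -> 10.0.0.20:27015 TCP
2020-03-01T10:00:04 10.0.0.5 -> 10.0.0.20:27015 TCP
2020-03-01T10:00:05 10.0.0.5 -> 10.0.0.20:443 TCP
2020-03-01T10:00:06 10.0.0.5 -> 10.0.0.20:27015 TCP
2020-03-01T10:00:07 10.0.0.5 -> 10.0.0.21:27015 TCP
2020-03-01T10:00:08 10.0.0.5 -> 10.0.0.20:27015 UDP
2020-03-01T10:00:09 10.0.0.5 -> 10.0.0.20:27015 TCP
2020-03-01T10:02:00 10.0.0.7 -> 10.0.0.20:27015 TCP
"""

def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst_ip, dst_port, proto)."""
    ts, src, _arrow, dst, proto = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), proto

def find_noisy_sources(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: peak} for sources that opened at least `threshold` TCP
    connections to the Webroot port inside any sliding `window`, where `peak`
    is the highest count observed in a single window."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, _dst, port, proto = parse_line(line)
        if proto == "TCP" and port == WEBROOT_PORT:   # only the agent port matters here
            hits[src].append(ts)
    flagged = {}
    for src, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:          # drop events older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged

if __name__ == "__main__":
    for src, peak in find_noisy_sources(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {src} made {peak} connections to tcp/{WEBROOT_PORT} within {WINDOW}")
```

Connections to the agent port on different hosts from the same source are counted together, so a sweep across endpoints is flagged as readily as repeated hits on one agent.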

SIEM Query:

(source="webroot" AND (event="crash" OR event="terminated")) OR (destination_port=27015 AND protocol=TCP AND bytes_sent>1000)

🔗 References