Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2021/12/07/oh-no-zoho-active-exploitation-of-cve-2021-44077-allowing-unauthenticated-remote-code-execution/

CVE	Vendor Advisory	AttackerKB	IVM Content	Patching Urgency	Last Update
CVE-2021-44077	Zoho’s Advisory	In Progress	Under Evaluation	Immediately	December 7, 2021 5:00pm ET

Summary

Zoho customers have had a huge incentive lately to keep their software up to date, as recent Zoho critical vulnerabilities have been weaponized shortly after release by advanced attackers. (Rapid7 blogged as recently as November 9, 2021, about the Exploitation of Zoho ManageEngine). This trend continues with CVE-2021-44077, an unauthenticated remote code execution vulnerability affecting several of their products. To assist their customers, Zoho has since set up an online security response plan that includes an exploit detection tool to see if an organization’s installation is compromised.

Affected versions:

• ManageEngine ServiceDesk Plus, prior to version 11306
• ServiceDesk Plus MSP, prior to version 10530
• SupportCenter Plus, prior to version 11014

Details

On September 16, 2021, Zoho released a Security Advisory urging customers to upgrade their software in order to resolve an authentication bypass vulnerability. 67 days later, on November 22, 2021, they released an additional advisory for the 44077 CVE indicating that the previously mentioned update also fixed a remote code execution (RCE) vulnerability that is being exploited in the wild.

Last week, CISA released an alert detailing attacker tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). CVE-2021-44077 has also been added to CISA’s known exploited vulnerabilities catalog with a required remediation date of December 15, 2021, for US federal agencies.

Guidance

Rapid7 advises organizations that utilize any of the impacted versions listed above patch on an emergency basis, utilize Zoho’s exploit detection tool, and review CISA’s documentation of IOCs to determine whether a specific installation has been compromised. Additionally, we recommend that access to these products should exist behind a VPN and organizations immediately stay up to date on software versions. Attackers have had enough critical vulnerabilities of late to build a bit of a skillset in understanding how the Zoho software works, so future vulnerabilities will only be exploited even faster.

Rapid7 customers

InsightVM and Nexpose customers:
Our researchers are currently evaluating the feasibility of adding a vulnerability check.

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2021/11/30/ongoing-exploitation-of-windows-installer-cve-2021-41379/

On November 9, 2021, as part of Patch Tuesday, Microsoft released an update to address CVE-2021-41379, a “Windows Installer Elevation of Privilege Vulnerability” that had a modest CVSS score (5.5), without much fanfare. The original CVE allows an attacker to delete files on a system using elevated privileges.

Fast-forward to November 22, 2021, when after investigating the patch, the researcher that discovered the vulnerability, Abdelhamid Naceri, found that it did not fully remediate the issue and published proof-of-concept (PoC) code on GitHub proving exploitation of the vulnerability is still possible on patched versions of Windows allowing for SYSTEM-level privileges. The working PoC “overwrites Microsoft Edge elevation service ‘DACL’ and copies itself to the service location, then executes it to gain elevated privileges.”

With a zero-day exploit available, attackers have been chipping away at ways to utilize the vulnerability, especially in malware.

As of November 30, 2021, there is not an official patch from Microsoft to fully and effectively remediate this vulnerability. Community researchers and security practitioners have noted that other Microsoft zero-day vulnerabilities this year, such as CVE-2021-36934 (“HiveNightmare”/”SeriousSAM”), were not fixed until typical Patch Tuesday release cycles even if public exploit code had already made an appearance. We expect that this vulnerability will follow that same pattern and that we won’t see a new patch (and/or a new CVE, if Microsoft does indeed classify this as a patch bypass) until December 2021’s Patch Tuesday.

Affected versions

According to the researcher, all supported versions of Windows, including Windows 11 and Server 2022, are vulnerable to the exploit.

Guidance

With no official patch at this time, we recommend that organizations prepare to patch this as soon as the official fix is released. Meanwhile, Rapid7 researchers have confirmed that a number of antimalware programs have added detection of this exploit, so as usual, keep those programs up to date. Lastly, organizations can detect previous exploitation of this PoC by monitoring for EventID 1033 and “test pkg” (keeping in mind that the “test pkg” will only find this exact PoC and may be modified by more enterprising attackers).

Rapid7 customers

For Rapid7 InsightVM customers, we will be releasing vulnerability checks if and when Microsoft publishes patch information for the new vulnerability.

In the meantime, InsightVM customers can use Query Builder to find Windows assets by creating the following query: os.family contains windows. Rapid7 Nexpose customers can create a Dynamic Asset Group based on a filtered asset search for OS contains windows.

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2021/11/30/active-exploitation-of-apache-http-server-cve-2021-40438/

On September 16, 2021, Apache released version 2.4.49 of HTTP Server, which included a fix for CVE-2021-40438, a critical server-side request forgery (SSRF) vulnerability affecting Apache HTTP Server 2.4.48 and earlier versions. The vulnerability resides in mod_proxy and allows remote, unauthenticated attackers to force vulnerable HTTP servers to forward requests to arbitrary servers — giving them the ability to obtain or tamper with resources that would potentially otherwise be unavailable to them.

Since other vendors bundle HTTP Server in their products, we expect to see a continued trickle of downstream advisories as third-party software producers update their dependencies. Cisco, for example, has more than 20 products they are investigating as potentially affected by CVE-2021-40438, including a number of network infrastructure solutions and security boundary devices. To be exploitable, CVE-2021-40438 requires that mod_proxy be enabled. It carries a CVSSv3 score of 9.0.

Several sources have confirmed that they have seen exploit attempts of CVE-2021-40438 in the wild. As of November 30, 2021, there is no evidence yet of widespread attacks, but given httpd’s prevalence and typical exposure levels (and the fact that it’s commonly bundled across a wide ecosystem of products), it’s likely exploitation will continue — and potentially increase. Rapid7 and the community have analysis of this vulnerability in AttackerKB.

Affected versions

According to Apache’s advisory, all Apache HTTP Server versions up to 2.4.48 are vulnerable if mod_proxy is in use. CVE-2021-40438 is patched in Apache HTTP Server 2.4.49 and later.

Rapid7 Labs has observed over 4 million potentially vulnerable instances of Apache httpd 2.x:

Mitigation guidance

Apache HTTP Server versions 2.4.49 and 2.4.50 included other severe vulnerabilities that are known to be exploited in the wild, so Apache httpd customers should upgrade to the latest version (2.4.51 at time of writing) instead of upgrading incrementally.

We advise paying close attention particularly to firewall or other security boundary product advisories and prioritizing updates for those solutions. NVD’s entry for CVE-2021-40438 includes several downstream vendor advisories.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2021-40438 with both authenticated and unauthenticated vulnerability checks.

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2021/11/10/cve-2021-43287-allows-pre-authenticated-build-takeover-of-gocd-pipelines/

On October 26, 2021, open-source CI/CD solution GoCD released version 21.3.0, which included a fix for CVE-2021-43287, a critical information disclosure vulnerability whose exploitation allows unauthenticated attackers to leak configuration information, including build secrets and encryption keys. Both Rapid7 vulnerability researchers and community researchers were easily able to register a rogue agent, injecting themselves into GoCD builds and enabling full, pre-authenticated pipeline takeover. CVE-2021-43287 can be exploited with a single HTTP request.

While CVE-2021-43287 is still awaiting a formal CVSSv3 score and description, it’s no secret that CI/CD tooling and pipelines are high-value targets for both sophisticated and opportunistic attackers. GoCD customers should update to version 21.3.0 on an emergency basis, given the potential for exploitation to undermine the integrity of their software development pipelines. The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert and patch guidance. Rapid7’s vulnerability research team has a more detailed technical analysis of CVE-2021-43287 here.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2021-43287 with a remote vulnerability check available in the November 9, 2021 content release.

Post Syndicated from Jake Baines original https://blog.rapid7.com/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/

On April 14, 2021, GitLab published a security release to address CVE-2021-22205, a critical remote code execution vulnerability in the service’s web interface. At the time, GitLab described the issue as an authenticated vulnerability that was the result of passing user-provided images to the service’s embedded version of ExifTool. A remote attacker could execute arbitrary commands as the git user due to ExifTool’s mishandling of DjVu files, an issue that was later assigned CVE-2021-22204.

CVE-2021-22205 was initially assigned a CVSSv3 score of 9.9. However, on September 21, 2021 GitLab revised the CVSSv3 score to 10.0. The increase in score was the result of changing the vulnerability from an authenticated issue to an unauthenticated issue. Despite the tiny move in CVSS score, a change from authenticated to unauthenticated has big implications for defenders. Rapid7’s vulnerability research team has a full root cause analysis of CVE-2021-22205 in AttackerKB.

There are multiple recently published public exploits for this vulnerability, and it reportedly has been exploited in the wild since June or July of 2021. We expect exploitation to increase as details of the unauthenticated nature of this vulnerability become more widely understood.

According to GitLab’s April 2021 advisory, CVE-2021-22205 affects all versions of both GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) starting from 11.9. The vulnerability was patched in the following versions:

• 13.10.3
• 13.9.6
• 13.8.8

Versions in the wild

At the time of writing (October 31, 2021), patches have been available for GitLab for more than six months. However, analysis of internet-facing GitLab instances suggests that a large number are still vulnerable.

We can see just short of 60,000 internet-facing GitLab installations. Unfortunately, GitLab’s web interface does not have an easy-to-extract version string. But by using the appearance of application_utilities about a year ago and then the migration of application_utilities into loading hints header, we can break the internet-facing GitLab installs into three categories: unpatched, maybe patched, and patched.

Of the 60,000 this is what we found:

• 21% of installs are fully patched against this issue.
• 50% of installs are not patched against this issue.
• 29% of installs may or may not be vulnerable.

Mitigation guidance

Rapid7’s emergent threat response team has a full technical analysis of CVE-2021-22205 in AttackerKB, along with several ways for GitLab customers to determine whether they may be running vulnerable versions.

GitLab users should upgrade to the latest version of GitLab as soon as possible.

Rapid7 customers

Our researchers are currently evaluating the feasibility of adding a vulnerability check for CVE-2021-22205.

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2021/10/06/apache-http-server-cve-2021-41773-exploited-in-the-wild/

On Monday, October 4, 2021, Apache published an advisory on CVE-2021-41773, an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 (and only in 2.4.49). The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild.

While the original advisory indicated that CVE-2021-41773 was merely an information disclosure bug, both Rapid7 and community researchers have verified that the vulnerability can be used for remote code execution when mod_cgi is enabled. While mod_cgi is not enabled in the default Apache Server HTTP configuration, it’s also not an uncommon feature to enable. With mod_cgi enabled, an attacker can execute arbitrary programs via HTTP POST requests. The initial RCE proof of concept resulted in blind command execution, and there have been multiple proofs of concept that coerce the HTTP server into sending the program’s output back to the attacker. Rapid7’s research team has a full root cause analysis of CVE-2021-41773 here along with proofs of concept.

Rapid7 Labs has identified roughly 65,000 potentially vulnerable versions of Apache httpd exposed to the public internet. Our exposure estimate intentionally does not count multiple Apache servers on the same IP as different instances (this would substantially increase the number of exposed instances identified as vulnerable).

Mitigation guidance

Organizations that are using Apache HTTP Server 2.4.49 should determine whether they are using vulnerable configurations. If a vulnerable server is discovered, the server’s configuration file should be updated to include the filesystem directory directive with require all denied:

<Directory />
    Require all denied
</Directory>

Apache HTTP Server users should update to 2.4.50 or later as soon as is practical. For more information, see Apache’s advisory here.

Rapid7 customers

A remote vulnerability check is scheduled to be released to InsightVM and Nexpose customers in today’s (October 6, 2021) content update.

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/

On August 25, 2021, Atlassian published details on CVE-2021-26084, a critical remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability arises from an OGNL injection flaw and allows authenticated attackers, “and in some instances an unauthenticated user,” to execute arbitrary code on Confluence Server or Data Center instances.

The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if “Allow people to sign up to create their account” is enabled. To check whether this is enabled, go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

Proof-of-concept exploit code has been publicly available since August 31, 2021, and active exploitation has been reported as of September 2. Confluence Server and Data Center customers who have not already done so should update to a fixed version immediately, without waiting for their typical patch cycles. For a complete list of fixed versions, see Atlassian’s advisory here.

For full vulnerability analysis, including triggers and check information, see Rapid7’s analysis in AttackerKB.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2021-26084 with remote vulnerability checks as of the August 26, 2021 content release.

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/

On August 5, 2021, in a Black Hat USA talk, DEVCORE researcher Orange Tsai shared information on several exploit chains targeting on-premises installations of Microsoft Exchange Server. Among the exploit chains presented were ProxyLogon, which was exploited en masse in February and March of 2021, and ProxyShell, an attack chain originally demonstrated at the Pwn2Own hacking competition this past April. As of August 12, 2021, multiple researchers have detected widespread opportunistic scanning and exploitation of Exchange servers using the ProxyShell chain.

According to Orange Tsai’s demonstration, the ProxyShell exploit chain allows a remote unauthenticated attacker to execute arbitrary commands on a vulnerable on-premises instance of Microsoft Exchange Server via port 443. The exploit is comprised of three discrete CVEs:

• CVE-2021-34473, a remote code execution vulnerability patched April 13, 2021
• CVE-2021-34523, an elevation of privilege vulnerability patched April 13, 2021
• CVE-2021-31207, a security feature bypass patched May 11, 2021

While CVE-2021-34473 and CVE-2021-34523 were patched in April, Microsoft’s advisories note that they were inadvertently omitted from publication until July.

When chained, these vulnerabilities allow the attacker to bypass ACL controls, send a request to a PowerShell back-end, and elevate privileges, effectively authenticating the attacker and allowing for remote code execution. No public proof-of-concept (PoC) code has been released as of August 12, but there is ample evidence of multiple private exploits — not surprising, since ProxyShell was first demonstrated more than four months ago at Pwn2Own. A number of technical analyses of the chain have been published, and we expect public PoCs to be shared shortly.

Notably, there has been confusion about which CVE is which across various advisories and research descriptions — Microsoft, for instance, describes CVE-2021-34473 as a remote code execution vulnerability, but Orange Tsai’s Black Hat slides list CVE-2021-34473 as the initial ACL bypass. Community researchers have also expressed confusion over CVE numbering across the ProxyShell chain, but ultimately, the takeaway is the same: Organizations that have not patched these vulnerabilities should do so on an emergency basis and invoke incident response protocols to look for indicators of compromise.

Affected products

The following versions of Exchange Server are vulnerable to all three ProxyShell CVEs:

• Microsoft Exchange Server 2019 Cumulative Update 9
• Microsoft Exchange Server 2019 Cumulative Update 8
• Microsoft Exchange Server 2016 Cumulative Update 20
• Microsoft Exchange Server 2016 Cumulative Update 19
• Microsoft Exchange Server 2013 Cumulative Update 23

Organizations that rely on on-premises installations of Exchange Server and are not able to move to O365 should ensure that all Exchange instances are patched on a zero-day basis. In order to do this, it is vital that defenders keep up-to-date with quarterly Cumulative Updates, since Microsoft only releases security fixes for the most recent Cumulative Update versions.

While ProxyShell and March’s ProxyLogon exploit chain are the two attacks that have already resulted in widespread exploitation, they are not the only exploit chains targeting on-premises Exchange servers. Exchange continues to be valuable and accessible attack surface area for both sophisticated and run-of-the-mill threat actors, and we will certainly see additional widespread exploitation in the future.

Read more from our emergent threat response team on high-priority attack surface area, including Windows Print Spooler and Pulse Connect Secure VPNs.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to all three ProxyShell CVEs with authenticated vulnerability checks.

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/

Whether you attended virtually, IRL, or not at all, Black Hat and DEF CON have officially wrapped, and security folks’ brains are replete with fresh information on new (and some not-so-new) vulnerabilities and exploit chains. The “hacker summer camp” conferences frequently also highlight attack surface area that may not be net-new — but that is subjected to renewed and redoubled community interest coming out of Vegas week. See Rapid7’s summaries here and here.

Here’s the specific attack surface area and a few of the exploit chains we’re keeping our eye on right now:

• Orange Tsai stole the show (as always) at Black Hat with a talk on fresh Microsoft Exchange attack surface area. All in all, Orange discussed CVEs from what appears to be four separate attack chains —including the ProxyLogon exploit chain that made headlines when it hit exposed Exchange servers as a zero-day attack back in March and the “ProxyShell” exploit chain, which debuted at Pwn2Own and targets three now-patched CVEs in Exchange. Exchange continues to be a critically important attack surface area, and defenders should keep patched on a top-priority or zero-day basis wherever possible.
• Print spooler vulnerabilities continue to cause nightmares. DEF CON saw the release of new privilege escalation exploits for Windows Print Spooler, and Black Hat featured a talk by Sangfor Technologies researchers that chronicled both new Windows Print Spooler vulnerabilities and past patch bypasses for vulns like CVE-2020-1048 (whose patch was bypassed three times). Given that many defenders are still trying to remediate the “PrintNightmare” vulnerability from several weeks ago, it’s fair to say that Windows Print Spooler will remain an important attack surface area to prioritize in future Patch Tuesdays.
• There’s also a new vulnerability in Pulse Connect Secure VPNs that caught our attention — the vuln is actually a bypass for CVE-2020-8260, which came out last fall and evidently didn’t completely fade away — despite the fact that it’s authenticated and requires admin access. With CISA’s warnings about APT attacks against Pulse Connect Secure devices, it’s probably wise to patch CVE-2021-22937 quickly.
• And finally, the SpecterOps crew gave a highly anticipated Black Hat talk on several new attack techniques that abuse Active Directory Certificate Services — something we covered previously in our summary of the PetitPotam attack chain. This is neat research for red teams, and it may well show up on blue teams’ pentest reports.

Microsoft Exchange ProxyShell chain

Patches: Available
Threat status: Possible threat (at least one report of exploitation in the wild)

It goes without saying that Microsoft Exchange is a high-value, popular attack surface that gets constant attention from threat actors and researchers alike. That attention is increasing yet again after prominent security researcher Orange Tsai gave a talk at Black Hat USA last week revealing details on an attack chain first demonstrated at Pwn2Own. The chain, dubbed “ProxyShell,” allows an attacker to take over an unpatched Exchange server. ProxyShell is similar to ProxyLogon (i.e., CVE-2021-26855 and CVE-2021-27065), which continues to be popular in targeted attacks and opportunistic scans despite the fact that it was patched in March 2021.

Two of the three vulnerabilities used for ProxyShell were patched in April by Microsoft and the third was patched in July. As of August 9, 2021, private exploits have already been developed, and it’s probably only a matter of time before public exploit code is released, which may allow for broader exploitation of the vulns in this attack chain (in spite of its complexity!). Rapid7 estimates that there are, at least, nearly 75,000 ProxyShell-vulnerable exchange servers online:

We strongly recommend that Exchange admins confirm that updates have been applied appropriately; if you haven’t patched yet, you should do so immediately on an emergency basis.

One gotcha when it comes to Exchange administration is that Microsoft only releases security fixes for the most recent Cumulative Update versions, so it’s vital to stay up to date with these quarterly releases in order to react quickly when new patches are published.

ProxyShell CVEs:

• CVE-2021-31207
• CVE-2021-34473
• CVE-2021-34523​

Windows Print Spooler — and more printer woes

Patches: Varies by CVE, mostly available
Threat status: Varies by CVE, active and impending

The Windows Print Spooler was the subject of renewed attention after the premature disclosure of the PrintNightmare vulnerability earlier this summer, followed by new Black Hat and DEF CON talks last week. Among the CVEs discussed were a quartet of 2020 vulns (three of which were bypasses descended from CVE-2020-1048, which has been exploited in the wild since last year), three new remote code execution vulnerabilities arising from memory corruption flaws, and two new local privilege escalation vulnerabilities highlighted by researcher Jacob Baines. Of this last group, one vulnerability — CVE-2021-38085 — remains unpatched.

On August 11, 2021, Microsoft assigned CVE-2021-36958 to the latest Print Spooler remote code execution vulnerability which appears to require local system access and user interaction. Further details are limited at this time. However, as mitigation, Microsoft is continuing to recommend stopping and disabling the Print Spooler service. Even after this latest zero-day vulnerability is patched, we strongly recommend leaving the Print Spooler service disabled wherever possible. Read Rapid7’s blog on PrintNightmare for further details and updates.

Windows Print Spooler and related CVEs:

• CVE-2020-1048 (elevation of privilege vuln in Windows Print Spooler presented at Black Hat 2020; exploited in the wild, Metasploit module available)
• CVE-2020-1337 (patch bypass for CVE-2020-1048; Metasploit module available)
• CVE-2020-17001 (patch bypass variant for CVE-2020-1048)
• CVE-2020-17014 (patch bypass variant for CVE-2020-1048)
• CVE-2020-1300 (local privilege escalation technique known as “EvilPrinter” presented at DEF CON 2020)
• CVE-2021-24088 (new remote code execution vulnerability in the Windows local spooler, as presented at Black Hat 2021)
• CVE-2021-24077 (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)
• CVE-2021-1722 (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)
• CVE-2021-1675 (elevation of privilege vuln in Windows Print Spooler patched in June 2021)
• CVE-2021-34527, aka “PrintNightmare”
• CVE-2021-35449 (print driver local privilege escalation vulnerability, as presented at DEF CON 2021; Metasploit module in progress)
• CVE-2021-38085 (unpatched print driver local privilege escalation vulnerability, as presented at DEF CON 2021; Metasploit module in progress)
• CVE-2021-36958 (unpatched remote code execution vulnerability; announced August 11, 2021)

Currently, both PrintNightmare CVE-2021-34527 and CVE-2020-1048 are known to be exploited in the wild. As the list above demonstrates, patching print spooler and related vulns quickly and completely has been a challenge for Microsoft for the past year or so. The multi-step mitigations required for some vulnerabilities also give attackers an advantage. Defenders should harden printer setups wherever possible, including against malicious driver installation.

Pulse Connect Secure CVE-2021-22937

Patch: Available
Threat status: Impending (Exploitation expected soon)

On Monday, August 2, 2021, Ivanti published Security Advisory SA44858 which, among other fixes, includes a fix for CVE-2021-22937 for Pulse Connect Secure VPN Appliances running 9.1R11 or prior. Successful exploitation of this vulnerability, which carries a CVSSv3 score of 9.1, requires the use of an authenticated administrator account to achieve remote code execution (RCE) as user root.

Public proof-of-concept (PoC) exploit code has not been released as of this writing. However, this vulnerability is simply a workaround for CVE-2020-8260, an authentication bypass vulnerability that was heavily utilized by attackers, released in October 2020.

The Cybersecurity and Infrastructure Security Agency (CISA) has been monitoring the Exploitation of Pulse Connect Secure Vulnerabilities demonstrating that attackers have been targeting Ivanti Pulse Connect Secure products for over a year. Due to attacker focus on Pulse Connect Secure products, and especially last year’s CVE-2020-8260, Rapid7 recommends patching CVE-2021-22937 as soon as possible.

PetitPotam: Windows domain compromise

Patches: Available
Threat status: Threat (Exploited in the wild)

In July 2021, security researcher Topotam published a PoC implementation of a novel NTLM relay attack christened “PetitPotam.” The technique used in the PoC allows a remote, unauthenticated attacker to completely take over a Windows domain with the Active Directory Certificate Service (AD CS) running — including domain controllers. Rapid7 researchers have tested public PoC code against a Windows domain controller setup and confirmed exploitability. One of our senior researchers summed it up with: "This attack is too easy." You can read Rapid7’s full blog post here.

On August 10, 2021, Microsoft released a patch that addresses the PetitPotam NTLM relay attack vector in today’s Patch Tuesday. Tracked as CVE-2021-36942, the August 2021 Patch Tuesday security update blocks the affected API calls OpenEncryptedFileRawA and OpenEncryptedFileRawW through the LSARPC interface. Windows administrators should prioritize patching domain controllers and will still need to take additional steps listed in KB5005413 to ensure their systems are fully mitigated.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to the vulnerabilities in this post with authenticated vulnerability checks. Please note that details haven’t yet been released on CVE-2021-38085 and CVE-2021-36958; therefore, it’s still awaiting analysis and check development.

Post Syndicated from Erick Galinkin original https://blog.rapid7.com/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/

Vulnerability note: Members of the community including Will Dormann of CERT/CC have noted that the publicly available exploits which purport to exploit CVE-2021-1675 may in fact target a new vulnerability in the same function as CVE-2021-1675. Thus, the advisory update published by Microsoft on June 21 does not address these exploits and defenders should be on the look out for a new patch from Microsoft in the future.

On June 8, 2021, Microsoft released an advisory and patch for CVE-2021-1675 (“PrintNightmare”), a critical vulnerability in the Windows Print Spooler. Although originally classified as a privilege escalation vulnerability, security researchers have demonstrated that the vulnerability allows authenticated users to gain remote code execution with SYSTEM-level privileges. On June 29, 2021, as proof-of-concept exploits for the vulnerability began circulating, security researchers discovered that CVE-2021-1675 is still exploitable on some systems that have been patched. As of this writing, at least 3 different proof-of-concept exploits have been made public.

Rapid7 researchers have confirmed that public exploits work against fully patched Windows Server 2019 installations. The vulnerable service is enabled by default on Windows Server, with the exception of Windows Server Core. Therefore, it is expected that in the vast majority of enterprise environments, all domain controllers, even those that are fully patched, are vulnerable to remote code execution by authenticated attackers.

The vulnerability is in the RpcAddPrinterDriver call of the Windows Print Spooler. A client uses the RPC call to add a driver to the server, storing the desired driver in a local directory or on the server via SMB. The client then allocates a DRIVER_INFO_2 object and initializes a DRIVER_CONTAINER object that contains the allocated DRIVER_INFO_2 object. The DRIVER_CONTAINER object is then used within the call to RpcAddPrinterDriver to load the driver. This driver may contain arbitrary code that will be executed with SYSTEM privileges on the victim server. This command can be executed by any user who can authenticate to the Spooler service.

Mitigation Guidance

Since the patch is currently not effective against the vulnerability, the most effective mitigation strategy is to disable the print spooler service itself. This should be done on all endpoints, servers, and especially domain controllers. Dedicated print servers may still be vulnerable if the spooler is not stopped. Microsoft security guidelines do not recommend disabling the service across all domain controllers, since the active directory has no way to remove old queues that no longer exist unless the spooler service is running on at least one domain controller in each site. However, until this vulnerability is effectively patched, this should have limited impact compared to the risk.

On Windows cmd:

net stop spooler

On PowerShell:

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

The following PowerShell command can be used to help find exploitation attempts:

Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Select-String -InputObject {$_.message} -Pattern 'The print spooler failed to load a plug-in module'

Rapid7 Customers

We strongly recommend that all customers disable the Windows Print Spooler service on an emergency basis to mitigate the immediate risk of exploitation. While InsightVM and Nexpose checks for CVE-2021-1675 were released earlier in June, we are currently investigating the feasibility of additional checks to determine whether the print spooler service has been disabled in customer environments.

We will update this blog as further information comes to light.