Activity Feed
- Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-adds-two-known-exploited-vulnerabilities-catalog)
Technical Analysis
Because this vulnerability only arises when the carousel is in use, and we can control the href attribute, the rating was given to be lower than usual.
Example:
<div id="Carousel" class="carousel"></div> <a href="javascript:alert('xss')" data-slide="prev"> Previous Slide </a>
Bootstrap carousel component: https://getbootstrap.com/docs/4.6/components/carousel/
In the two scenarios where Bootstrap was used by the target, there was either no carousel in use or, like most, a carousel with non-user-controllable elements, thus giving no way to exploit it unless you are already an admin on the CMS.
While a successful exploitation of this vulnerability could lead to code execution and could even be used to capture higher privileged credentials, the real world exploitability of this vulnerability seems to be rather low.
So to summarize, to be able to actually exploit it we need:
- a website using an affected Bootstrap version
- the website must implement the carousel component from bootstrap
- we must be able to control the href attribute given to the carousel
- no presence of a valid data-target attribute because it will override the href and the XSS would not be evaluated.
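The four conditions above can be turned into a defensive audit. The following is an added example, not code from the original analysis or from Bootstrap: it models each carousel control as a plain attribute map (constructed inline, no DOM assumed), reports controls whose target would be taken from a non-fragment href with no data-target to override it, and shows the hardening of pinning an explicit data-target.

```javascript
// Added example (not from the original post or Bootstrap): audits Bootstrap 4
// carousel controls for the condition described in the analysis, a data-slide /
// data-slide-to control whose target selector comes from a user-controllable
// href with no data-target attribute to override it.
// Assumptions: plain Node.js, no DOM; controls are passed as attribute maps
// (constructed below) rather than live elements.

const SAFE_TARGET = /^#[A-Za-z][\w-]*$/; // a plain id fragment such as "#Carousel"
const ID_ONLY = /^[A-Za-z][\w-]*$/;

// The selector Bootstrap would use for this control: data-target wins,
// otherwise href is used. Returns null when neither is present.
function effectiveTarget(attrs) {
  if (attrs['data-target'] !== undefined) return attrs['data-target'];
  if (attrs.href !== undefined) return attrs.href;
  return null;
}

// Classifies one control: "ignored" when it is not a carousel control,
// "ok" when the effective selector is a plain id fragment, "risky" when a
// non-fragment value (e.g. a javascript: URL) would be used and nothing overrides it.
function auditControl(attrs) {
  if (!('data-slide' in attrs) && !('data-slide-to' in attrs)) return 'ignored';
  const target = effectiveTarget(attrs);
  if (target === null) return 'risky';
  return SAFE_TARGET.test(target.trim()) ? 'ok' : 'risky';
}

// Hardening: pin the control to an explicit, trusted carousel id so the href
// is no longer consulted (the data-target override the analysis points out).
function hardenControl(attrs, carouselId) {
  if (!ID_ONLY.test(carouselId)) throw new Error('invalid carousel id');
  return { ...attrs, 'data-target': '#' + carouselId };
}

function auditAll(controls) {
  return controls.map(auditControl);
}

// Constructed sample controls for demonstration.
const SAMPLE_CONTROLS = [
  { href: '#Carousel', 'data-slide': 'prev' },                                           // ok
  { href: "javascript:alert('xss')", 'data-slide': 'prev' },                              // risky
  { href: "javascript:alert('xss')", 'data-target': '#Carousel', 'data-slide': 'next' },  // ok
  { href: "javascript:alert('xss')" },                                                    // ignored
];

module.exports = { auditControl, auditAll, hardenControl, effectiveTarget, SAMPLE_CONTROLS };
```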
- News Article or Blog (https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/)
Technical Analysis
There was good reason to mark attacker value and exploitability as being lower for this bug a few years back, since these firewalls auto-updated for most organizations and not many details were publicly available upon disclosure in 2022. As of 2024, however, we know that a considerable number of suspected or known state-sponsored adversaries — primarily but not only Chinese state-sponsored attackers — have used this vulnerability to target governments and other organizations. Known targets have included Ukraine, South Asian government and other orgs (including Pakistan, Afghanistan, Bhutan, India, Nepal, and Sri Lanka!), and orgs with Tibet-aligned interests.
Why such success in South Asia? While this bug is known to have been exploited as a zero-day, which would have preempted patching in some cases, it’s also possible that the firewall’s auto-update mechanism was less commonly enabled in South Asia (e.g., because of expired licenses or some other circumstance that meant auto-updates could have been disabled). CVE-2022-1040 was added to CISA KEV on March 31, 2022.
In October 2024, Sophos released a report on Pacific Rim (Chinese APT) attacks targeting this and other vulnerabilities in their products. It’s a useful timeline of targeted threat activity and emphasizes once more that this bug did, in fact, have high attacker value in a variety of specific cases, whether for espionage or other objectives.
- News Article or Blog (https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/)
Nice one, @Lawlez, thanks for contributing!