cbeek-r7 (99)

Last Login: April 12, 2024
Assessments: 46
Score: 99

cbeek-r7's Latest (20) Contributions

4

Great analysis team, we created a SIGMA rule for detecting activity based on the IOCs provided:

https://github.com/rapid7/Rapid7-Labs/blob/main/Sigma/CVE-2024-3400.yml

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2024-20767 highlights a vulnerability in a ColdFusion application, specifically within a server management component (/CFIDE/adminapi/_servermanager/servermanager.cfc). This component, intended for managing server operations, can be manipulated to execute unauthorized actions due to improper security checks on user access levels.

The vulnerability arises because the application fails to adequately verify the permissions of certain classes, allowing a class with a specific access level (identified as “3”) to bypass security measures. Attackers can exploit this oversight by dissecting the application’s files to target the getHeartBeat class, which is not properly secured. Once access is gained, attackers can call internal methods that should be restricted, leading to unauthorized actions such as reading sensitive files or downloading data dumps from the server.

This issue is particularly concerning because it allows attackers to use a unique identifier (UUID) generated by the application to fake authorization, gaining access to a servlet (PMSGenericServlet) meant for privileged operations. The exploitation of this servlet could lead to further unauthorized activities, such as reading or altering files on the server, by manipulating parameters like the username and filename in requests.

From an example at http://jeva.cc/2973.html, a POC would look like:
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=10000

1
Ratings
Technical Analysis

Ivanti Standalone Sentry serves as a conduit, connecting devices with an organization’s ActiveSync-compatible email systems (like Microsoft Exchange Server) or other backend resources (such as Microsoft SharePoint server). It’s also capable of functioning as a Kerberos Key Distribution Center Proxy (KKDCP) server.

While specifics on the vulnerability remain undisclosed, Ivanti has stated that an unauthenticated attacker, if present on the same physical or logical network, could leverage CVE-2023-41724 to carry out unauthorized command execution on the operating system of the appliance.

The firm also highlighted that this security issue cannot be exploited over the internet by threat actors lacking a valid TLS client certificate obtained through EPMM.

This security flaw impacts all supported versions of Ivanti Standalone Sentry (versions 9.17.0, 9.18.0, and 9.19.0), in addition to older, no longer supported versions (below 9.17.0). Users of these older versions are encouraged to update to a supported release and apply the corresponding patch (versions 9.17.1, 9.18.1, or 9.19.1).

0
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

An HTTP POST request to /dana-na/auth/saml-sso.cgi, using the SAMLRequest parameter as the vehicle for a base64-decoded XXE payload, works and is already being abused in the wild.
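As an added example (editor's code, not from the post above), the block below decodes the SAMLRequest parameter of a POST body the way a WAF or log-review script would, trying both the POST binding (plain base64) and the Redirect binding (base64 of raw DEFLATE), and flags DOCTYPE and ENTITY declarations, which have no place in a legitimate SAML AuthnRequest. The request bodies are constructed here; the XXE payload is a generic file-entity test, not the in-the-wild payload.

```python
import base64
import re
import zlib
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

# Constructed samples. XXE_XML carries a generic external-entity test;
# BENIGN_XML is a minimal, harmless AuthnRequest.
XXE_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">&xxe;</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
BENIGN_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_2">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# Coarse markers: a DTD, an entity declaration, or an external identifier.
DTD_MARKERS = re.compile(rb'<!DOCTYPE|<!ENTITY|\bSYSTEM\s+["\']|\bPUBLIC\s+["\']', re.IGNORECASE)


def build_post_body(xml: str, deflate: bool = False) -> str:
    """Build a form body like a browser would POST to saml-sso.cgi.
    deflate=True mimics the Redirect-binding encoding (raw DEFLATE, then base64)."""
    data = xml.encode()
    if deflate:
        co = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
        data = co.compress(data) + co.flush()
    return urlencode({"SAMLRequest": base64.b64encode(data).decode()})


def decode_saml_request(value: str) -> Optional[bytes]:
    """Return the XML bytes carried by a SAMLRequest value, or None if it is not XML."""
    try:
        raw = base64.b64decode(value)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Try the deflated form first: inflating plain XML fails or yields garbage,
    # so falling through to the raw bytes is safe.
    try:
        inflated = zlib.decompress(raw, wbits=-15)
        if inflated.lstrip().startswith(b"<"):
            return inflated
    except zlib.error:
        pass
    return raw if raw.lstrip().startswith(b"<") else None


def has_xxe_markers(xml: bytes) -> bool:
    return DTD_MARKERS.search(xml) is not None


def inspect_post_body(body: str) -> Dict[str, bool]:
    """Report whether the body carried a decodable SAMLRequest and whether it
    contains DTD/entity constructs that indicate an XXE attempt."""
    findings = {"decoded": False, "xxe": False}
    for value in parse_qs(body).get("SAMLRequest", []):
        xml = decode_saml_request(value)
        if xml is None:
            continue
        findings["decoded"] = True
        if has_xxe_markers(xml):
            findings["xxe"] = True
    return findings


if __name__ == "__main__":
    for label, xml, deflate in (("xxe/post", XXE_XML, False), ("xxe/deflate", XXE_XML, True), ("benign", BENIGN_XML, False)):
        print(label, inspect_post_body(build_post_body(xml, deflate)))
```

The marker check is deliberately string-based rather than parser-based: the point is to refuse DTDs before any XML parser sees them, and a regex over the decoded bytes cannot itself be tricked into resolving an entity.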

1
Ratings
Technical Analysis

CISA

1

Thanks a lot Maxime for this excellent detailed analysis!

1
Ratings
Technical Analysis

CVE-2023-43208 is a significant security vulnerability in NextGen Healthcare’s Mirth Connect, a widely used open-source data integration platform in the healthcare sector. This vulnerability, identified as an unauthenticated remote code execution (RCE) issue, was addressed in Mirth Connect version 4.4.1, released on October 6, 2023.

The vulnerability is especially critical because it stems from an incomplete patch of a previous vulnerability, CVE-2023-37679. This previous issue was a similar RCE vulnerability, supposedly patched in Mirth Connect version 4.4.0. However, CVE-2023-43208 emerged due to the inadequate resolution of CVE-2023-37679, making it a patch bypass issue.

The technical specifics of CVE-2023-43208 relate to the insecure use of the Java XStream library for unmarshalling XML payloads. The vulnerability affects versions of Mirth Connect before 4.4.1 and is particularly alarming due to the ease of exploitation. Attackers could exploit this vulnerability for initial access or to compromise sensitive healthcare data.

The CVSS (Common Vulnerability Scoring System) score for CVE-2023-43208 is 9.8, categorizing it as a critical vulnerability.

In terms of available proofs of concept (PoCs) for exploiting this vulnerability, a PoC script was included in Horizon3’s write-up of this vulnerability: https://www.horizon3.ai/writeup-for-cve-2023-43208-nextgen-mirth-connect-pre-auth-rce/

Given the severity and ease of exploitation of CVE-2023-43208, it is strongly recommended for organizations using Mirth Connect to update to version 4.4.1 or later to mitigate the risks associated with this vulnerability. The critical nature of this vulnerability, combined with the sensitive environments in which Mirth Connect is typically deployed, underscores the importance of prompt and thorough patching efforts.

1
Ratings
  • Attacker Value
    Low
  • Exploitability
    High
Technical Analysis

CVE-2024-21306 is part of a series of vulnerabilities affecting the Bluetooth stacks in multiple operating systems, allowing attackers to pair a virtual Bluetooth keyboard without authentication or user confirmation.

This vulnerability impacts Windows systems when a Bluetooth keyboard has been paired with the computer and is either powered off or out of range. In this case, the Windows system can be exploited if the user interacts with a malicious pairing request in any way (clicking accept, reject, or close). This vulnerability has been fixed in the January 2024 Patch Tuesday updates for Windows 10, 11, and Server 2022.

This is part of a broader issue with Bluetooth vulnerabilities across various platforms, including Android, Linux, macOS, and iOS, each having its own conditions and methods of exploitation. The vulnerabilities generally allow for keystroke injection, posing significant security risks.

1
Ratings
Technical Analysis

CVE-2023-29357 is a critical vulnerability in Microsoft SharePoint Server, classified as an Elevation of Privilege (EoP) flaw. This vulnerability allows attackers to use spoofed JSON web tokens (JWTs) to gain Administrator privileges on the SharePoint host. The exploit does not require the attacker to have any privileges or the user to perform any action.

The vulnerability was identified by Nguyễn Tiến Giang (Jang) of StarLabs SG and demonstrated at ZDI’s Pwn2Own hacking contest in March 2023. In September 2023, a technical write-up of the flaw and its use in a two-bug exploit chain to achieve pre-authentication remote code execution (RCE) on the SharePoint server was published, along with proof-of-concept (PoC) code demonstrating the attack. Write-up link: https://starlabs.sg/blog/2023/09-sharepoint-pre-auth-rce-chain/
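The post above describes spoofed JWTs granting Administrator rights. As an added example (editor's code, not from the post or the StarLabs write-up), the block below shows the general spoofing pattern in Python: a verifier that lets the token header choose the algorithm accepts an unsigned alg=none token with whatever claims the attacker wrote, while a verifier that pins the algorithm and the key rejects it. The HMAC key, claim names and tokens are constructed and are not SharePoint's token format.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

SECRET = b"constructed-demo-hmac-key"  # assumption: the server-side signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, alg: str, key: bytes = SECRET) -> str:
    """Build a JWT. alg='none' yields an unsigned token, which is exactly what
    an attacker submits to a verifier that honours the header."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    elif alg == "none":
        sig = b""
    else:
        raise ValueError("unsupported alg")
    return signing_input + "." + _b64url(sig)


def verify_lax(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Vulnerable pattern: the header decides how (and whether) to verify."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") == "none":          # no signature to check, trust the claims
        return json.loads(_b64url_decode(p))
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, _b64url_decode(s)):
        return json.loads(_b64url_decode(p))
    return None


def verify_strict(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Hardened pattern: the verifier fixes the algorithm; the token never chooses it."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    try:
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


def demo() -> Dict[str, bool]:
    forged = mint({"sub": "attacker", "isadmin": True}, "none")   # unsigned, attacker-chosen claims
    legit = mint({"sub": "alice", "isadmin": False}, "HS256")     # properly signed by the server
    return {
        "lax_accepts_forged": verify_lax(forged) is not None,
        "strict_rejects_forged": verify_strict(forged) is None,
        "strict_accepts_legit": verify_strict(legit) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The same fix applies when a library does the parsing: pass the single expected algorithm (and the key for that algorithm) to the verify call, and treat any token whose header disagrees as invalid rather than as a hint.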


1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very Low
Technical Analysis

CVE-2018-15133 is a vulnerability in the Laravel Framework versions 5.5.40 and 5.6.x up to 5.6.29. It allows remote code execution as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. An attacker must know the application key to exploit this vulnerability, which would normally be unlikely but could occur if they had previously gained privileged access or successfully accomplished a prior attack.

1
Ratings
Technical Analysis

CVE-2024-20656 is an elevation of privilege vulnerability in Microsoft Visual Studio, specifically in the Diagnostics Hub Standard Collector. This vulnerability, if exploited, allows an attacker to gain SYSTEM privileges on affected systems. Vulnerabilities like these are often observed being used in ransomware attacks.

This vulnerability concerns an issue with the VSStandardCollectorService150 service, which is used for diagnostic purposes in Visual Studio and runs in the NT AUTHORITY\SYSTEM context. The flaw was discovered by security researcher Filip Dragović, who also released a proof-of-concept (PoC) exploit code.

The exploit starts with the creation of a dummy directory where the VSStandardCollectorService150 writes files. The attacker then uses a series of manipulations involving junction directories and symbolic links, culminating in replacing a critical binary with a commandeered version to gain a SYSTEM shell.

To mitigate this issue, Microsoft released a patch as part of their Patch Tuesday updates. Users of Visual Studio are advised to apply the security update to prevent exploitation of this vulnerability. The update applies to all Visual Studio 2015 Update 3 editions except Build Tools.

1
Ratings
Technical Analysis

CVE-2024-21887 is a command injection vulnerability in the web component of Ivanti Connect Secure (ICS) and Ivanti Policy Secure. This vulnerability, rated with a high severity CVSS score of 9.1, allows an authenticated user to execute arbitrary commands.

Details of CVE-2024-21887:

  • CVE-2024-21887 affects all supported versions of Ivanti ICS and Policy Secure 9.x and 22.x.
  • This vulnerability was exploited in the wild along with CVE-2023-46805 in a chained attack for unauthenticated remote code execution (RCE) as early as December 3, 2023.
  • The exploitation of these vulnerabilities was attributed to UTA0178, suspected to be a Chinese nation-state level threat actor.
  • These vulnerabilities were used in attacks involving the deployment of a custom web shell, GLASSTOKEN, on both internet-facing and internal assets for persistent network access.

Attack Mechanisms:

  • Attackers manipulated legitimate components of Ivanti Connect Secure, such as compcheck.cgi, to support the execution of remote commands and credential theft.
  • The attacks were characterized by reconnaissance efforts, lateral movement, and deployment of GLASSTOKEN for persistent remote access.

Mitigation and Updates:

  • As of the latest information, Ivanti has not released a patch for this vulnerability. However, they provided a mitigation script that should be used immediately.
  • Ivanti announced that patches for this vulnerability would be released in a staggered schedule, starting from the week of January 22, 2024.
  • Users and administrators of affected product versions are advised to apply the mitigation measures provided by Ivanti.

Detection of Compromise:

  • Organizations can detect potential compromise through network traffic analysis, VPN device log analysis, and the execution of the Integrity Checker Tool.
  • Monitoring for signs of compromise is recommended, including examining network traffic and VPN device logs.

Recommendation:

  • Immediate application of current workarounds is crucial until patches are released.
  • Continuous monitoring for signs of compromise is essential to ensure network security.
2
Ratings
Technical Analysis

CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure (ICS), previously known as Pulse Connect Secure, and Ivanti Policy Secure. It affects all supported versions of Ivanti ICS and Policy Secure 9.x and 22.x.

Details of CVE-2023-46805:

  • The vulnerability allows an attacker to bypass control checks and access restricted resources.
  • It was exploited in the wild in a chained attack for unauthenticated remote code execution (RCE) as early as December 2023.
  • According to Volexity, a cybersecurity firm, the zero-day exploitation of these flaws was attributed to UTA0178, believed to be a Chinese nation-state level threat actor.
  • The attackers deployed webshells, including GLASSTOKEN, on both internet-facing and internal assets to maintain persistence on a network after compromise.

Mitigation and Updates:

  • As of the latest information, Ivanti has not released a patch for this vulnerability. However, they provided a mitigation script that should be used immediately.
  • Ivanti announced that patches for this vulnerability would be released in a staggered schedule, with the first version targeted to be available in the week of 22 January 2024 and the final version by the week of 19 February 2024.
  • Users and administrators of affected product versions are advised to apply mitigation measures provided by Ivanti.

Impact and Detection:

  • Attackers modified legitimate components of Ivanti Connect Secure, such as compcheck.cgi and lastauthserverused.js, to support execution of remote commands and credential theft.
  • Organizations can detect potential compromise through network traffic analysis, VPN device log analysis, and execution of the Integrity Checker Tool.

Recommendation:

  • It is crucial for users and administrators to apply the current workarounds immediately and to update the systems once patches are released.
  • Monitoring for signs of compromise is recommended, including examining network traffic and VPN device logs.
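Both Ivanti posts above point to the Integrity Checker Tool and to tampered appliance files such as compcheck.cgi and lastauthserverused.js. The block below is an added example (editor's code, not Ivanti's ICT) of the underlying idea: hash a known-good baseline of a web root, hash it again later, and report files that were modified, added or removed. The directory layout and file contents are constructed in a temporary directory; only the two file names come from the posts.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a trusted baseline against a fresh snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean baseline of a fake web root, then the
    tampering the posts describe (compcheck.cgi and lastauthserverused.js
    altered) plus a dropped web shell stand-in."""
    with tempfile.TemporaryDirectory() as root:
        clean = {
            "dana-na/auth/compcheck.cgi": b"#!/usr/bin/perl\n# constructed clean content\n",
            "dana-na/auth/lastauthserverused.js": b"// constructed clean content\n",
            "dana-na/auth/welcome.cgi": b"#!/usr/bin/perl\n# constructed clean content\n",
        }
        for rel, data in clean.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        baseline = snapshot(root)  # in practice: stored off-box, signed, taken from a clean image

        # Simulated compromise.
        with open(os.path.join(root, "dana-na/auth/compcheck.cgi"), "ab") as f:
            f.write(b"# constructed: command-execution hook appended here\n")
        with open(os.path.join(root, "dana-na/auth/lastauthserverused.js"), "ab") as f:
            f.write(b"// constructed: credential-capture code appended here\n")
        with open(os.path.join(root, "dana-na/auth/shell.cgi"), "wb") as f:
            f.write(b"# constructed web shell stand-in\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline must come from a trusted source (a clean firmware image or a vendor manifest), not from the possibly compromised appliance itself, and the comparison should run from outside the box where possible; a web shell that can edit compcheck.cgi can also edit an on-box hash list.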
1
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Medium
Technical Analysis

CVE-2022-35737 is a vulnerability in SQLite, specifically in versions 1.0.12 through 3.39.x before 3.39.2. It allows for an array-bounds overflow if a string argument to a C API contains billions of bytes. This vulnerability can lead to various consequences, ranging from a simple application crash to arbitrary code execution.

  • The issue lies in the sqlite3_snprintf function’s code, used in C/C++ programming for database interaction. Passing an exceedingly large string input (over 2 GB) to this function can cause a crash, enabling a denial of service (DoS) attack.
  • This bug likely entered the code 22 years ago and remained undetected due to the improbability of passing gigabytes of data as function parameters at that time.
  • The vulnerability was closed with the release of SQLite 3.39.2 in July 2022. However, software that includes SQLite needs to be updated to incorporate this fix.

The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network attack vector, low attack complexity, no privileges required, no user interaction required, unchanged scope, and high impact on availability only.

Affected Platforms:

  • This vulnerability affects various platforms, including those running Amazon Linux, where updates have been provided to address this issue.

Mitigation and Impact:

  • The vulnerability is specific to the interface for C applications and only if the code is compiled with certain parameters.
  • The practical exploitability of this vulnerability is still a subject of research, with limitations on its impact based on how SQLite is compiled and used in applications.

Additional Considerations:

  • This vulnerability is notable for its long presence in the SQLite code and the challenges in detecting it using standard testing methods like fuzzing.

In terms of exploitation, the vulnerability’s practical use for an attack is still under investigation, with researchers pointing to several limitations that reduce the likelihood of successful exploitation.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2023-49070 is a critical security vulnerability in Apache OFBiz, a comprehensive open-source enterprise resource planning (ERP) system. This vulnerability is classified as a pre-authentication remote code execution (RCE) issue, primarily stemming from an outdated and no longer maintained XML-RPC component in Apache OFBiz. The specific version affected is 18.12.09, and it is recommended that users upgrade to version 18.12.10 to mitigate the risk.

In terms of severity, CVE-2023-49070 has a CVSS v3 Base Score of 9.8, which is considered critical. The CVSS scoring vector for this vulnerability indicates that the vulnerability is network exploitable, requires low attack complexity, no privileges, and no user interaction. It has an impact on confidentiality, integrity, and availability, all rated as high.

Additionally, the Exploit Prediction Scoring System (EPSS) score for CVE-2023-49070 indicates a 50.12% probability of exploitation activity in the next 30 days. ShadowServer is already observing scans being executed using an available PoC for this vulnerability: https://github.com/abdoghazy2015/ofbiz-CVE-2023-49070-RCE-POC. The patch provided for this vulnerability failed to remove the root cause of the issue, and it is advised to update again for CVE-2023-51467 (https://www.openwall.com/lists/oss-security/2023/12/26/3).

Given its critical nature, high likelihood of exploitation, and the potential for significant impact, it’s essential for organizations using Apache OFBiz to address this vulnerability promptly.

2
Ratings
Technical Analysis

During an investigation by Barracuda, it has been found that an attacker exploited a vulnerability known as Arbitrary Code Execution (ACE) in a third-party library called Spreadsheet::ParseExcel. This vulnerability was used to send a malicious Excel file via email to a select group of ESG devices.

The Spreadsheet::ParseExcel library is an open-source tool used in the Amavis virus scanner, which is part of the ESG appliance.

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings within the Excel parsing logic.

In cooperation with Mandiant, Barracuda believes this incident is linked to the ongoing efforts of a group associated with China, known as UNC4841.

1
Ratings
Technical Analysis

SonicWall Secure Mobile Access (SMA) 1000 series contains a pre-authentication path traversal vulnerability. This flaw could potentially allow an unauthenticated attacker to access files and directories stored outside the web root directory.

This vulnerability could enable an attacker to traverse the file system and gain unauthorized access to sensitive files and directories. Note: this vulnerability solely affects SMA 1000 firmware version 12.4.2.

PoC: cat file.txt | while read host; do curl -sk "https://$host:8443/images//////////////////../../../../../../../../etc/passwd" | grep -i 'root:' && echo "$host Vulnerable"; done
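Both this SMA 1000 PoC and the ColdFusion /pms?module=logging&file_name=... PoC earlier on this page are path traversal through a user-controlled file name. As an added example (editor's code, not from either post), the block below shows the two sides of that: a request-line check that percent-decodes the URL path and every query value and flags ../ sequences, including the many-slashes and double-encoded variants, and a server-side safe_join that resolves a requested name under a fixed root and refuses anything that escapes it. The request lines and root directories are constructed.

```python
import posixpath
import re
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed request lines modelled on the two PoCs on this page plus benign
# and double-encoded variants.
SAMPLE_LOG = [
    "GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=10000 HTTP/1.1",
    "GET /images//////////////////../../../../../../../../etc/passwd HTTP/1.1",
    "GET /pms?module=logging&file_name=application.log&number_of_lines=100 HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /images/..%252f..%252fetc%252fpasswd HTTP/1.1",
]

# A '..' path segment bounded by a separator (or string start/end).
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")


def decoded_targets(request_line: str) -> List[str]:
    """Every path-like string in a request line: the URL path plus each query
    value. Percent-decoding runs twice so %252e%252e double encoding is caught."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) >= 2 else parts[0]
    url = urlsplit(target)
    candidates = [url.path]
    for values in parse_qs(url.query, keep_blank_values=True).values():
        candidates.extend(values)
    return [unquote(unquote(c)) for c in candidates]


def is_traversal(value: str) -> bool:
    return TRAVERSAL.search(value.replace("\\", "/")) is not None


def flag_traversal(lines: Iterable[str]) -> List[str]:
    """Detection side: return the request lines carrying a traversal attempt."""
    return [ln for ln in lines if any(is_traversal(v) for v in decoded_targets(ln))]


def safe_join(root: str, user_path: str) -> Optional[str]:
    """Server side: resolve user_path under root, purely lexically (no disk
    access), and return None if the normalized result leaves root. Leading
    slashes are stripped so an absolute user_path cannot replace root."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, user_path.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for ln in flag_traversal(SAMPLE_LOG):
        print("traversal:", ln)
    print(safe_join("/opt/coldfusion/logs", "../../../../../../../etc/passwd"))
    print(safe_join("/opt/coldfusion/logs", "application.log"))
```

safe_join is lexical on purpose: it decides before any file is opened, so a name that survives it is already confined. On hosts where the root may contain symlinks, follow it with a realpath check of the opened file as a second line.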

1
Ratings
Technical Analysis

The Cybersecurity and Infrastructure Security Agency (CISA) is actively addressing a situation involving the unauthorized use of Unitronics programmable logic controllers (PLCs), specifically in the Water and Wastewater Systems (WWS) Sector. These PLCs, vital for water treatment processes, have been compromised by cyber attackers, particularly targeting a specific Unitronics PLC at a water facility in the United States. In reaction, the local water authority responsible for the facility promptly disconnected the compromised system from their network and reverted to manual operations. Fortunately, there is no immediate threat to the community’s drinking water or overall water supply.

Unauthorized access and efforts to breach the security of WWS systems pose a significant risk. Such actions can disrupt the provision of clean drinking water and the efficient treatment of wastewater in affected communities.

The cybercriminals in this instance seemingly gained access to the targeted device, a Unitronics Vision Series PLC equipped with a Human Machine Interface (HMI), by exploiting cybersecurity vulnerabilities. These vulnerabilities include inadequate password security measures and the PLC’s exposure to the internet.

By default, the Unitronics PLC password is “1111”.

2
Ratings
Technical Analysis

On November 8, 2023, SysAid, an IT service management company, revealed a zero-day path traversal vulnerability, CVE-2023-47246, impacting on-premise SysAid servers. Microsoft’s threat intelligence team, the discoverers of this vulnerability, reported its exploitation in the wild by DEV-0950 (Lace Tempest) through “limited attacks.”

Microsoft, in a social media thread on the evening of November 8, underscored that Lace Tempest is associated with the distribution of Cl0p ransomware and highlighted the likelihood of ransomware deployment and/or data exfiltration when exploiting CVE-2023-47246. It’s worth noting that Lace Tempest was also responsible for the MOVEit Transfer and GoAnywhere MFT extortion attacks earlier this year.