ccondon-r7 (256)

Last Login: July 26, 2024
Assessments: 86
Score: 256
5th Place

ccondon-r7's Latest (20) Contributions

2
Ratings
Technical Analysis

Remote command execution vuln in Apache HugeGraph-Server, an open-source graph database project. Vendor advisory was published April 22, 2024 and indicates that HugeGraph-Server 1.0.0 prior to 1.3.0 is affected on Java 8 and Java 11. Both those Java versions are on long-term support, which could potentially reduce viable attack surface area somewhat, but we also know both JDK versions are still common in enterprise environments.

Vendor advisory lists the vuln severity as “important” rather than critical, but this solid SecureLayer7 write-up notes the CVSS score should probably be a 9.8, and that the vuln allows an attacker to “bypass the sandbox restrictions and achieve RCE through Gremlin [a query language supported in HugeGraph], resulting in complete control over the server.” Take a look at their June 5, 2024 blog for a full walk-through of exploitation.

The ShadowServer Foundation said on Mastodon July 16 that they were observing RCE exploit attempts for this vulnerability from multiple sources against honeypots. I haven’t personally seen any confirmation of successful exploitation against real-world production environments, but that doesn’t mean it’s not happening. Multiple public exploits and scanners are available, but as of July 26, Rapid7 researchers haven’t tested public PoCs directly — exploitability is an estimate based on available info.

Vendor guidance is to upgrade to version 1.3.0 with Java 11 and enable the Auth system, which purportedly fixes the issue. HugeGraph admins can also “enable the ‘Whitelist-IP/port’ function to improve the security of RESTful-API execution,” per the advisory.

1
Ratings
Technical Analysis

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited more recently (since it’s been exploited plenty before) or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

CISA KEV also notes this vulnerability has been used in ransomware attacks, so I’m adding that tag as well.

1
Ratings
Technical Analysis

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

1
Ratings
Technical Analysis

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

1
Ratings
Technical Analysis

Researched or exploited by North Korean state-sponsored attackers according to a July 2024 bulletin from multiple U.S. government agencies (not on KEV, so maybe just researched?): https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

1
Ratings
Technical Analysis

Exploited by North Korean state-sponsored attackers according to a July 2024 bulletin from multiple U.S. government agencies: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

1
Ratings
Technical Analysis

Exploited by North Korean state-sponsored attackers according to a July 2024 bulletin from multiple U.S. government agencies: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

1
Ratings
Technical Analysis

Exploited by North Korean state-sponsored attackers according to a July 2024 bulletin from multiple U.S. government agencies: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

4
Ratings
Technical Analysis

TL;DR: Neat! Doesn’t sound like something that’s going to be easily exploited or automated in pretty much any scenario, so I have little initial concern about widespread exploitation, or even exploitation at all. I’d expect a long tail of follow-on patches as various distros/products patch it out. Patch, sure, but no need for panic as far as we can tell.

As usual, happy to be proven wrong, but from the (very good!) Qualys technical write-up, this is a memory corruption bug where an adversary would have to win a race condition to exploit it successfully. The Qualys write-up even explicitly notes that “In our experiments, it takes ~10,000 tries on average to win this race condition; i.e., with 10 connections (MaxStartups) accepted per 120 seconds (LoginGraceTime), it takes ~1-2 days on average to obtain a remote root shell.”

1
Technical Analysis

Rapid7 pen testers have noted they have encountered vulnerable versions of this software on engagements.

1
Ratings
Technical Analysis

On the one hand, it’s backdoored software, so “exploitation” could arguably have already occurred (in the form of an already executed supply chain attack). On the other hand, it’s not immediately clear that anyone has used this backdoor to do specific Bad Things™, so “exploited in the wild” doesn’t sound quite right either. Developers probably most at risk here rather than production systems, but it would appear this got caught pretty quickly.

Bad:

  • Backdoor!
  • In a popular command-line tool
  • Made it into unstable branches/bleeding-edge releases of some distros (Kali, Arch, etc)
  • “Open source is unsafe” commentary (c’mon, y’all)
  • Salacious! Speculation runs rife! xz is drowning out Kate Middleton conspiracy theories in my timelines!

Good:

  • Didn’t make it into prod systems, stable branches unaffected
  • Not a simple attack
  • Not clear that anyone is actively using this backdoor for badness — private SSH key still hasn’t shown up

1
Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Technical Analysis

Rapid7 observed pre-patch exploitation of this vulnerability from March through at least August of 2023. Several of the incidents our MDR team investigated ended in ransomware deployment. In September 2023, Cisco assigned CVE-2023-20269, which covers some of the attacker behavior Rapid7 incident responders observed: https://www.rapid7.com/blog/post/2023/08/29/under-siege-rapid7-observed-exploitation-of-cisco-asa-ssl-vpns/

1

This is awesome, thank you!!

2
Ratings
Technical Analysis

This was disclosed as 0day in September 2023 and then kind of never spoken of again, true to form for Trend Micro product 0days (exhibit 1, exhibit 2, exhibit 3). For CVE-2023-41179, exploitation requires an attacker to have admin console access on the target system, hence the low exploitability rating. As usual with these things, there don’t appear to be any public details.

4
Ratings
Technical Analysis

See the Rapid7 analysis for details on the exploit chain.

1
Ratings
Technical Analysis

Rapid7 saw exploitation of this in customer environments in early December 2023. It’s also been used by the Cactus ransomware group.

1
Ratings
  • Attacker Value
    Very High
Technical Analysis

Per Google’s Threat Analysis Group (TAG), this bug was exploited as a zero-day and has been used by at least four different threat actors to “steal email data, user credentials, and authentication tokens.” Threat campaigns have targeted Greece, Moldova, Tunisia, Vietnam, and Pakistan.

2
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

We’ve continued to see reports of exploitation for CVE-2023-27532. Almost a year out from the initial advisory, there’s been ransomware (Cuba, Akira) and other use of this vuln by financially motivated groups. Patch uptake has reportedly been pretty strong, but notably, this is a solid internal attack vector, so locking down internet exposure alone isn’t a sufficient mitigation plan.

1
Ratings
  • Attacker Value
    Medium
Technical Analysis

Knocking down attacker value a bit because there appear to be only a few hundred of these exposed and vulnerable, and perhaps surprisingly, it’s been a few months since full details were released and there’s still no known exploitation. Unclear how common the engine is in real-world environments from talking to offensive security folks focused on healthcare. I think it’s fair to balance rightful sensitivity about anything that could compromise healthcare systems with some skepticism about the particular target in this case. If we see IRL exploitation, I’m happy to eat those words :)