ccondon-r7 (286)

Critical unauthenticated remote code execution vulnerability in Veeam Backup & Replication, a perennially popular target for abuse (including by ransomware groups). Rapid7 has a blog here on this vulnerability, as well as other Veeam vulns patched over the summer of 2024.

CVE-2024-40711 is being exploited by multiple ransomware crews, including Akira, Fog, and a new group called Frag, per Sophos X-Ops. Sophos’s blog on exploitation notes they began seeing MDR cases in October 2024. The CVE was added to CISA KEV on October 17, roughly 7 weeks after it was disclosed. Cybersecurity Dive has some solid additional context here.

Veeam Backup & Replication generally shouldn’t be exposed to the internet, but several technical reports have noted that this bug is still a great target for attackers who purchase initial access to corporate networks from access brokers. Public proof-of-concept code is available. Patch this one on an emergency basis if you haven’t already.

CVE-2024-31497 is a cryptographic flaw (specifically CWE-338, or “Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)”) in PuTTY 0.68 through 0.80. The vulnerability allows attackers to recover and compromise private PuTTY keys — it was fixed in version 0.81, which was released April 15, 2024. Per Openwall (one of the many advisories on this issue):

“The PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques. These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents.”

Rating this vuln relatively low for value and exploitability since it only affects 521-bit ECDSA keys, which are less common. Other key sizes and algorithms aren’t affected. The Openwall advisory notes that while the nonce generation for other curves is also slightly biased, that bias is not enough to perform lattice-based key recovery attacks. Reddit has a good series of comments on the issue, all of which are happily very down-to-earth :)

As of November 2024 there’s no known exploitation in the wild, which makes sense given the caveats to exploitation and narrow scope of the bug. A number of downstream advisories have been released for products that implement PuTTY, e.g., this Citrix XenCenter bulletin. Orgs that use 521-bit ECDSA keys should revoke and regenerate, and folks who use PuTTY in their own product implementations should update to the latest version.

There was good reason to mark attacker value and exploitability as being lower for this bug a few years back, since these firewalls auto-updated for most organizations and not many details were publicly available upon disclosure in 2022. As of 2024, however, we know that a considerable number of suspected or known state-sponsored adversaries — primarily but not only Chinese state-sponsored attackers — have used this vulnerability to target governments and other organizations. Known targets have included Ukraine, South Asian government and other orgs (including Pakistan, Afghanistan, Bhutan, India, Nepal, and Sri Lanka!), and orgs with Tibet-aligned interests.

Why such success in South Asia? While this bug is known to have been exploited as a zero-day, which would have preempted patching in some cases, it’s also possible that the firewall’s auto-update mechanism was less commonly enabled in South Asia (e.g., because of expired licenses or some other circumstance that meant auto-updates could have been disabled). CVE-2022-1040 was added to CISA KEV on March 31, 2022.

In October 2024, Sophos released a report on Pacific Rim (Chinese APT) attacks targeting this and other vulnerabilities in their products. It’s a useful timeline of targeted threat activity and emphasizes once more that this bug did, in fact, have high attacker value in a variety of specific cases, whether for espionage or other objectives.

This is one of a list of vulnerabilities disclosed in Synacor’s Zimbra Collaboration Suite recently — this particular issue lies in Zimbra’s postjournal service and evidently allows for unauthenticated command execution. Multiple sources are reporting either attempted or successful exploitation along with insights on post-exploitation behavior.

One of the technical staff on Zimbra commented to HelpNetSecurity that the postjournal service “may be optional or not enabled on most systems,” which probably means a lower exploitable target population. Zimbra has historically been a target for both APT and commodity attackers, so for orgs that run this software, it’s a good idea to patch up (and/or verify the vulnerable service isn’t enabled).

Scoring this as a Medium for attacker value as of now since 1) attackers like Zimbra and are into whatever lets ‘em read emails (particularly from gov servers!); and 2) this config doesn’t seem to be the default, and some of the public write-ups do mention misses on getting exploits working.

More references:

• Zimbra advisory page
  
• Root cause analysis and PoC (Project Discovery)
  
• Additional context (Bleeping Computer)
  

Other Zimbra CVE analysis in AttackerKB:

• CVE-2022-41352
  
• CVE-2022-27295
  
• CVE-2022-27294
  
• CVE-2022-37393
  
• CVE-2022-30333
  
• CVE-2022-37042
  
• (etc)

TL;DR: Unpatched command injection vulnerability in an end-of-life IP camera, being exploited to drop a Mirai botnet malware variant. Public PoC since 2019, no CVE assignment until 2024. It’d be awfully helpful if the description of this CVE included the apparent names of the affected vendor and product — respectively, AVTECH SECURITY Corporation and AVTECH IP Camera.

Akamai’s Aline Eliovich discovered this 0day independently after Akamai detected in-the-wild exploitation dating back to March 2024. Per their great blog, “analysis showed activity for this variant as early as December 2023. The proof of concept (PoC) for CVE-2024-7029 has been publicly available since at least 2019, but it never had a proper CVE assignment until August 2024.” Censys also has a write-up here with good historical background.

CISA published an ICS alert for this issue in August 2024 noting that successful exploitation allows an attacker to inject and execute commands as the owner of the running process. The CISA alert mentions that “it is suspected that prior versions of other IP cameras and NVR (network video recorder) products are also affected: AVM1203: firmware version FullImg-1023-1007-1011-1009 and prior.” The vulnerability is not on CISA KEV as of September 17, 2024 (potentially because there’s no fix and therefore nothing to mandate of KEV-bound teams).

As a quick addendum to @sfewer-r7’s excellent assessment, I’ve seen this vulnerability compared with CVE-2020-16898 in a few news articles, alongside the dreaded “w” word (“wormable”). Notably, that older bug never got exploited broadly — in fact, I still haven’t seen any good technical evidence that it was exploited at all.

There’s no guarantee this new vuln will follow that same trajectory, but if it actually gets used in the wild, I’d expect it to be used in highly targeted attacks by skilled adversaries (personally, my money’s on Chinese state-sponsored threat actors).

(Edit August 22, 2024: This is now on CISA KEV and is listed as observed in ransomware attacks.)

There seems to only be one main (public) report of exploitation that folks are quoting for this CVE, but the UC Berkeley researcher’s statement indicated fairly high confidence that they were seeing actual exploitation against honeypots, not just scanning.

Notably, this vuln is not on CISA KEV as of August 2024, which may mean there wasn’t enough evidence to definitively confirm successful in-the-wild attacks. I’ve also not seen any public reports of EITW against production systems. Multiple public PoCs were available as of January 2024 (some testing notes from the Splunk team here). A Metasploit modules is also available.

We’ve seen attacks on CI/CD pipelines and tooling escalate the past year or two, so I’d expect bugs like this to get at least triage and recon attention from adversaries, including APTs.

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited outright or used in some other capacity: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

Not on CISA KEV as of August 7, 2024.

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited outright or used in some other capacity: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

On CISA KEV and also listed as “Known” for ransomware usage, so adding those tags, too. Lots of CLFS driver bugs have been used in both 0day and n-day attacks the past few years — in December 2023, Securelist published a whole series on CLFS driver exploits used in ransomware attacks. This vuln isn’t in that series, but five others are, underscoring the trend.

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited outright or used in some other capacity: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

Not on CISA KEV as of August 7, 2024.

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited outright or used in some other capacity: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

Not on CISA KEV as of August 7, 2024.

Exploited by North Korean state-sponsored attackers according to a July 2024 bulletin from multiple U.S. government agencies: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

Also made CISA’s “Routinely Exploited Vulnerabilities” list for 2022 (published in August 2023).

Remote command execution vuln in Apache HugeGraph-Server, an open-source graph database project. Vendor advisory was published April 22, 2024 and indicates that HugeGraph-Server 1.0.0 prior to 1.3.0 is affected on Java 8 and Java 11. Both those Java versions are on long-term support, which could potentially reduce viable attack surface area somewhat, but we also know both JDK versions are still common in enterprise environments.

Vendor advisory lists the vuln severity as “important” rather than critical, but this solid SecureLayer7 write-up notes the CVSS score should probably be a 9.8, and that the vuln allows an attacker to “bypass the sandbox restrictions and achieve RCE through Gremlin [a query language supported in HugeGraph], resulting in complete control over the server.” Take a look at their June 5, 2024 blog for a full walk-through of exploitation.

The ShadowServer Foundation said on Mastodon July 16 that they were observing RCE exploit attempts for this vulnerability from multiple sources against honeypots. I haven’t personally seen any confirmation of successful exploitation against real-world production environments, but that doesn’t mean it’s not happening. Multiple public exploits and scanners are available, but as of July 26, Rapid7 researchers haven’t tested public PoCs directly — exploitability is an estimate based on available info.

Vendor guidance is to upgrade to version 1.3.0 with Java 11 and enable the Auth system, which purportedly fixes the issue. HugeGraph admins can also “enable the “Whitelist-IP/port” function to improve the security of RESTful-API execution,” per the advisory.