ccondon-r7 (89)

Last Login: January 20, 2021
Assessments
26
Score
89
9th Place

ccondon-r7's Contributions (45)

Sort by:
Filter by:
2

Hey @oosman-rak ! I saw you reported this as exploited in the wild, but I haven’t been able to find any sources on exploitation myself. I’m definitely interested in knowing where this is being exploited so we can maybe make a note to look into it!

2

@nonstate-actor Hey thanks for the comment, it’s appreciated! I think the idea behind the initial rating (which is subjective, and all users can give their own ratings by adding their own assessment, so feel free to do that too!) was that the software auto-updates immediately and there may not even be a way for users to disable the auto-update functionality. So the shelf life of the vuln is so short that it’s probably already over. Interested to hear more, though, please do consider adding an assessment! Those different opinions are super valuable.

1

Interesting, Will Dormann from CERT has similarly said that there has been no clear confirmation of whether CVE-2020-10148 or a totally different vulnerability allows for SUPERNOVA installation/Orion server compromise (tweet from January 8, 2020): https://twitter.com/wdormann/status/1347690102638735361

That’s a good distinction to keep making—I suppose I should revise my statement that “everyone else in the world seems to have linked the two unequivocally” since there are at least a couple of folks who haven’t!

The upshot for defenders, unfortunately, is that there may be more SolarWinds Orion vulnerability news to come. I do hope the company is clear and fast about disclosing further facts as their investigations confirm them. Delaying and obscuring here would be absolutely no help at all.

3
Ratings
Technical Analysis

It looks like CISA updated their guidance for U.S. federal agencies last night and told them to update to SolarWinds Orion 2020.2.1 HF2 within 48 hours (“by the end of the year”) or take Orion systems offline. It’s warranted, especially since there may be other issues in the Orion code base that have yet to be discovered or disclosed. Organizations that come into the new year still on affected versions of Orion would be well-advised to consider conducting incident response investigations to determine whether they have been compromised.

The SolarWinds advisory as of December 30, 2020 doesn’t explicitly say this CVE was the vulnerability that allowed for installation of the SUPERNOVA malware, though they implicitly make the link by calling the patch that resolves CVE-2020-10148 the “SUPERNOVA patch.” Maybe I’m picking at nits there since everyone else in the world seems to have linked the two unequivocally! In any event, this CVE is an active threat and folks who haven’t updated to SolarWinds Orion 2019.4 HF6 or 2020.2.1 HF2 should do so immediately and look for indicators of compromise and suspicious activity.

Edit: Keeping an eye on this thread tracking mass scanning for hosts vulnerable to CVE-2020-10148 too: https://twitter.com/bad_packets/status/1344008582019203072

1

Months later (feels like years some days, huh?) I still really appreciate this analysis! Thanks for writing it :)

2
Ratings
  • Exploitability
    Very Low
Technical Analysis

Since this bug was released a couple months ago, I haven’t seen any sources that have indicated there’s been in-the-wild exploitation. Typical notes on memory corruption vulnerabilities being difficult to weaponize as reliable RCE apply here.

2
Ratings
  • Attacker Value
    Low
  • Exploitability
    High
Technical Analysis

Google Project Zero researcher Maddie Stone, who originally disclosed this vulnerability to Microsoft, reported on December 23, 2020 that the patch is incomplete and can be bypassed.

Quoting her post here: “The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The “fix” simply changed the pointers to offsets, which still allows control of the args to the memcpy.”

Stealing directly from a conversation with Metasploit’s Windows exploit expert @zeroSteiner, it sounds like this bug isn’t terribly useful as an LPE “because the slpwow64 process doesn’t run with elevated privileges—just an elevated integrity, which Microsoft doesn’t consider a security boundary anymore anyway.” Project Zero-reported vulns tend to draw media and researcher attention and there’s quite a lot of detail publicly available between Stone’s original report and this in-depth Kaspersky write-up, so we may see more exploitation even if the impact of the bug by itself isn’t terribly high. That said, the Kaspersky analysis is definitely worth a read if you want to understand this CVE’s utility for the IE 11 use case!

6
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Technical Analysis

I’ve seen some news headlines with very scary-sounding words (“ransacking networks!”) on this, which is dismaying. It’s completely understandable that folks would be alarmed by a zero-day (now patched), but when we get into the details of this one a bit, I would tend to doubt that it’s going to be a good candidate for mass exploitation (note that I’m not telling anyone not to patch, just that headlines aren’t always reality!).

Even before getting into the weeds a little more, we can see from the CVSSv3 metrics that this requires high-privileged access and carries a 7.2 severity rating. I’ve watched researchers prove severity ratings wrong in the past, to be sure, but looking at the advisory, we can see that any attempt at exploitation would require an attacker to have access to the admin configurator on port 8443, plus admin credentials for the configurator account. If you have that level of access as an attacker, you can do all sorts of nefarious things with it, but those requirements don’t lend themselves to easy exploitation. It’s a good one to patch, but it also sounds like this is another case where strong password policies (especially for admin accounts!) would go a long way toward mitigating the risk of vulns both known and unknown. Ensuring that management interfaces are not exposed to the internet is another good move!

The NSA reported this vulnerability to VMware directly as a zero-day, which likely means they were seeing a specific threat actor deploy it in targeted intelligence operations. We haven’t seen any other reports of exploitation yet. From reading the docs, it looks like admins are required to change the password upon configuration, so the tried and true combo of admin:admin shouldn’t be possible.

4
Ratings
  • Attacker Value
    Low
Technical Analysis

Sorta relying here on the fact that memory corruption vulns are difficult to weaponize or even trigger reliably, and it sounds like there will be lots of different implementations of the vulnerable libraries, so uniform attack surface area is going to be scarce. Rapid7’s IoT research lead noted as well that TCP stack issues like this may well require the attacker to be on same subnet, and it’s unlikely that upstream routers would accept unexpected/malformed packets. There’ll be lots of fragmented vendor advisories trickling out in bits, I’d expect. There may be more detail out on which to base assessments later this week.

1
Ratings
Technical Analysis

Exploit code for VPN credential-stealing is readily available, as is information on unpatched targets. The vuln is known to be exploited by nation state-sponsored threat actors as well as run-of-the-mill attackers. Fortinet customers who discover vulnerable FortiOS VPN devices on their networks will want to conduct incident response investigations in addition to patching.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

There’s a zero-day patch bypass out for this CVE, and active attacks are continuing against internet-facing WebLogic deployments. See the Rapid7 analysis tab for full guidance.

3
Ratings
Technical Analysis

Pulse Secure’s 2019 vulns are garnering another wave of attention this week as a result of the NSA’s newly published list of CVEs exploited by Chinese state actors. Out of the batch of 2019 disclosures from Orange Tsai’s and Meh Chang’s research, CVE-2019-11510, an pre-authenticated arbitrary file read, was the highest priority for attackers and defenders. The pre-auth file read was a necessary primitive for CVE-2019-11539, a post-authentication vuln that enables attackers to execute commands as root on vulnerable Pulse Secure VPN servers.

Exploit chain: CVE-2020-11510 provides necessary info (plaintext/hashed creds, session IDs) that enables a remote attacker to leverage CVE-2020-11539 to execute commands with the highest privilege level. There’s a Metasploit exploit out that automates the exploit chain, but note that a valid admin session is needed. The original blog from the researchers who disclosed the vulns does a great job of explaining in-depth technical details, too—do check it out if you haven’t done so!

Pulse Secure patched these vulnerabilities in April, 2019. Technical details, public research, and exploits were released over the next six months. There’s been plenty of information available to attackers for quite some time now—I hope organizations have patched given the severity of the bugs and the critical position of SSL VPNs.

1

@elligottmc Sounds fair enough (not sure if Brent is active on here these days!), yep. This topic was our catch-all when Citrix hadn’t specified the included CVEs yet.

1
Ratings
  • Attacker Value
    Very High
Technical Analysis

The generally short shelf life of many browser vulnerabilities is offset by their value to attackers—and in some cases very nicely offset. This Chrome 0day arises from a heap buffer overflow in FreeType, a commonly-used open-source font engine. The public availability of patch details significantly improves shelf life calculus for attackers and exploit developers.

2
Ratings
Technical Analysis

There were a lot of vulns out this week, a number of which got quite a bit more news cycle attention than this one (lookin’ at you, Bad Neighbor). Unlike a few of those higher-hype bugs, however, this one is an active threat. Like other significant vulnerabilities from this year, the fact that this is authenticated isn’t a barrier for attackers and alas, shouldn’t be a consolation for those tasked with securing SharePoint environments.

@tsellers-r7 has a really great Twitter thread here on the number of publicly exposed, vulnerable SharePoint installations and version/support complexities that defenders may not realize they need to take into account. Metasploit Framework will also have module out in next week’s release.

2
Ratings
Technical Analysis

There’s high attacker value here if an attacker A) wants to cause a little mayhem, and/or B) can actually turn the DoS into reliable RCE. The first option is probably the likelier outcome in the immediate future. If Positive Technologies or Tripwire releases a PoC, the likelihood of broad exploitation probably rises significantly. For now, “patch fast but don’t panic” is good advice, as it always is with VPNs. There’s full analysis for this bug in the Rapid7 Analysis tab here.

2
Ratings
  • Attacker Value
    Very High
Technical Analysis

According to Black Arrow, it looks like this CVE is being exploited to deliver Kaiten malware. This is another of the batch Orange Tsai wrote about from among their MobileIron discoveries last month. @wvu-r7 has a bit more context on the auth bypass in his assessment of CVE-2020-15506, too.

3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

We’re consistently seeing reports of this vulnerability being exploited in the wild and used to compromise organizations. I’m upping its attacker value rating based on the fact that evidently attackers are finding value in it.

1
2

@VoidSec Ah, that’s exactly what I was wondering! I’m really sorry your client was compromised, and thank you for reporting this as exploited in the wild.

2

Hey @VoidSec! Thanks for the assessment! I noticed you reported this as being exploited in the wild—I have absolutely no doubt that’s true, but I haven’t seen any confirmed reports of active exploitation (only public exploits being available). Have you seen differently? Wondering if I need to tweak my monitoring source list :)

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

There’s more info in Rapid7’s analysis here, but as @tsellers-r7 and @smcintyre-r7 pointed out privately today, need for authenticated session + exposed PowerShell endpoint + user who belongs to specific Exchange groups = less opportunity for wide-scale attacks than something like February’s Exchange vuln. I’m interested to see how Steven Seeley’s exploit works if he releases it, though. Might be cause for quick re-evaluation.

3
Ratings
Technical Analysis

Same initial evaluation as CVE-2020-3566—namely that successful exploitation doesn’t appear thus far to yield useful access for attackers, though disruption to critical business services is still a major concern for service providers. If the DoS enables a new threat vector, attacker value on these vulns rises. I’m going to leave exploitability blank for the time being. Rapid7 has analysis here.

2
Ratings
Technical Analysis

At face value, this doesn’t seem to be a terribly high-value vuln from an attacker point of view. That’s not to say that impact to availability and disruption of business processes isn’t high-impact for infrastructure and service providers, just that the vulnerability is a denial of service that currently doesn’t look to offer attackers useful access. That changes pretty quickly if it turns out DoS exploitation gives rise to a different threat vector.

2
Ratings
  • Attacker Value
    High
Technical Analysis

This made CISA’s list of most exploited vulns from 2016-2019—fairly notable since it’s a 2019 vulnerability and had less time to percolate than others. There are newer SharePoint vulnerabilities and exploits out now that may replace this one, but the generalized takeaway is that SharePoint is a highly attractive attack target with a number of public exploits and proofs-of-concept available for known vulns.

1
Ratings
Technical Analysis

SANS ISC has said they’re seeing “small numbers of exploit attempts.” The exploit they’ve detected is identifying vulnerable systems “by reading benign LUA source code files.”

https://isc.sans.edu/diary/26426

3
Ratings
Technical Analysis

The exposed target population may be comparatively low to, say, the whole of the internet, but Rapid7 Labs has noted—rightly so—that a couple thousand exposed gateways is still a pretty concerning state of affairs when those gateways are protecting industrial control systems. Pre-authenticated RCE in VPN products guarding ICS/OT networks during a pandemic is, as the kids say, bad news bears—and that’s not to make light, because this ain’t light. The good news is that there are patches out for all these vulns, even though the downtime required to patch and verify effectively might be nothing to sneeze at. Longer analysis and recommendations by smart people here.

Researchers from around Rapid7’s world (and likely others, too!) have said today that there is likely lower-hanging fruit that will be surfaced in the coming days, particularly around nerve-wracking findings such as exposed Telnet administration ports. There’s a lot of well-justified attention on this grouping of vulns, and with that attention comes increased focus on attack opportunities in general…and the stuff we see clogging up our security noise machines won’t be the only stuff well-resourced attackers are paying attention to. Patch as soon as possible (and yep, easier said than done).

2
Ratings
Technical Analysis

I’m going to quote @hrbrmstr here: Since the registry config workaround doesn’t require a system restart, it seems like this is going to be a niche exploitation issue for organizations that haven’t config’d or patched their way to safety.

Still haven’t seen PoC past the DoS from maxpl0it (which is a very good Twitter username, unrelatedly) that surfaced quickly after the vuln details were published. Anecdotally, a few other researchers have mused that this probably isn’t the ripest or most valuable target for exploitation (famous last words, eh?).

5
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This is an incredibly attractive and simple attack target: It’s an easily exploitable vulnerability in a highly-exposed HTTP interface (frequently user- and internet-facing) where successful exploitation allows remote, unauthenticated attackers to create user accounts with the highest possible privileges and generally declare themselves the feudal lords of critical SAP estates.

It’s difficult to imagine that widespread exploitation would take much time at all. SAP included a mitigation in the patch release details, but with so many mitigation bypasses coming out for other recent critical vulns, it’s definitely advisable to take CISA’s guidance to heart—i.e., patch over mitigation wherever possible and as quickly as possible.

3

Hey there, friend, just wanted to say thanks for all the great technical assessments recently. The team’s started looking forward to your evaluations. Much appreciated!

2

Nice, saw your gist with check logic, too—Metasploit should have an exploit out shortly. Sounds from the researcher working on it that his check method is similar. Thanks for the assessment, super appreciated!

3
Ratings
  • Attacker Value
    Very High
Technical Analysis

There have been several reports of exploitation in the wild as of July 4. The one I’ve seen cited the most is here.

1
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

Vuln affects versions 5.0.0 to 5.5.4 and is weaponized in the form of a Metasploit module: https://github.com/rapid7/metasploit-framework/pull/13512
Credit to Charles Fol for discovery and Zenofex for fast analysis and slick weaponization.

I keep thinking that it’s unlikely enterprises use vBulletin and this must be more of a risk to small- and medium-sized businesses, but looking at some of the companies that are said to be vBulletin customers, I suppose that’s not necessarily true. Article on in-the-wild exploitation here.

2

Nice, what a great assessment! Knowledge like this is exactly what we wanted to be able to capture and highlight when AttackerKB was first dreamt up. Thanks so much—if you ever want to collaborate on a Metasploit module (scanner, exploit, LPE, post-exploitation) for a vuln you’ve been looking at, let us know and we’ll be happy to help out!

1

@aaronsvk This is great! You’re the person who discovered the vuln, too, yes? Really nice work.

1

I appreciate that you included a specific threat model scenario here, thanks!

1

I can’t upvote this enough. What a great clarification on vulnerability definition!

3

Your Twitter thread on this was really helpful as @wvu-r7 was working through module code, thanks!

3
Ratings
Technical Analysis

There’s a Metasploit exploit module out for this now, and pen testers have reported that seeing vulnerable Exchange servers is common on engagements. As zeroSteiner has pointed out on Twitter, all that’s needed for reliable code execution is a domain user with a mailbox: https://twitter.com/zeroSteiner/status/1234983584177328129.
TrustedSec has a great write-up on IoCs here: https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/

1
Ratings
  • Attacker Value
    High
  • Exploitability
    Medium