ccondon-r7 (282)
ccondon-r7's Latest (20) Contributions
Nice one, @Lawlez, thanks for contributing!
Technical Analysis
There was good reason to mark attacker value and exploitability as being lower for this bug a few years back, since these firewalls auto-updated for most organizations and not many details were publicly available upon disclosure in 2022. As of 2024, however, we know that a considerable number of suspected or known state-sponsored adversaries — primarily but not only Chinese state-sponsored attackers — have used this vulnerability to target governments and other organizations. Known targets have included Ukraine, South Asian government and other orgs (including Pakistan, Afghanistan, Bhutan, India, Nepal, and Sri Lanka!), and orgs with Tibet-aligned interests.
Why such success in South Asia? While this bug is known to have been exploited as a zero-day, which would have preempted patching in some cases, it’s also possible that the firewall’s auto-update mechanism was less commonly enabled in South Asia (e.g., because of expired licenses or some other circumstance that meant auto-updates could have been disabled). CVE-2022-1040 was added to CISA KEV on March 31, 2022.
In October 2024, Sophos released a report on Pacific Rim (Chinese APT) attacks targeting this and other vulnerabilities in their products. It’s a useful timeline of targeted threat activity and emphasizes once more that this bug did, in fact, have high attacker value in a variety of specific cases, whether for espionage or other objectives.
Technical Analysis
This is one of a list of vulnerabilities disclosed in Synacor’s Zimbra Collaboration Suite recently — this particular issue lies in Zimbra’s postjournal service and evidently allows for unauthenticated command execution. Multiple sources are reporting either attempted or successful exploitation along with insights on post-exploitation behavior.
One of the technical staff on Zimbra commented to HelpNetSecurity that the postjournal service “may be optional or not enabled on most systems,” which probably means a lower exploitable target population. Zimbra has historically been a target for both APT and commodity attackers, so for orgs that run this software, it’s a good idea to patch up (and/or verify the vulnerable service isn’t enabled).
Scoring this as a Medium for attacker value as of now since 1) attackers like Zimbra and are into whatever lets ‘em read emails (particularly from gov servers!); and 2) this config doesn’t seem to be the default, and some of the public write-ups do mention misses on getting exploits working.
More references:
- Zimbra advisory page
- Root cause analysis and PoC (Project Discovery)
- Additional context (Bleeping Computer)
Other Zimbra CVE analysis in AttackerKB:
@dhmosfunk this is a great write-up, thank you!
Technical Analysis
TL;DR: Unpatched command injection vulnerability in an end-of-life IP camera, being exploited to drop a Mirai botnet malware variant. Public PoC since 2019, no CVE assignment until 2024. It’d be awfully helpful if the description of this CVE included the apparent names of the affected vendor and product — respectively, AVTECH SECURITY Corporation and AVTECH IP Camera.
Akamai’s Aline Eliovich discovered this 0day independently after Akamai detected in-the-wild exploitation dating back to March 2024. Per their great blog, “analysis showed activity for this variant as early as December 2023. The proof of concept (PoC) for CVE-2024-7029 has been publicly available since at least 2019, but it never had a proper CVE assignment until August 2024.” Censys also has a write-up here with good historical background.
CISA published an ICS alert for this issue in August 2024 noting that successful exploitation allows an attacker to inject and execute commands as the owner of the running process. The CISA alert mentions that “it is suspected that prior versions of other IP cameras and NVR (network video recorder) products are also affected: AVM1203: firmware version FullImg-1023-1007-1011-1009 and prior.” The vulnerability is not on CISA KEV as of September 17, 2024 (potentially because there’s no fix and therefore nothing to mandate of KEV-bound teams).
@h00die-gr3y Wow!! Thank you for the very thoughtful and detailed write-up!
Technical Analysis
As a quick addendum to @sfewer-r7’s excellent assessment, I’ve seen this vulnerability compared with CVE-2020-16898 in a few news articles, alongside the dreaded “w” word (“wormable”). Notably, that older bug never got exploited broadly — in fact, I still haven’t seen any good technical evidence that it was exploited at all.
There’s no guarantee this new vuln will follow that same trajectory, but if it actually gets used in the wild, I’d expect it to be used in highly targeted attacks by skilled adversaries (personally, my money’s on Chinese state-sponsored threat actors).
Technical Analysis
(Edit August 22, 2024: This is now on CISA KEV and is listed as observed in ransomware attacks.)
There seems to only be one main (public) report of exploitation that folks are quoting for this CVE, but the UC Berkeley researcher’s statement indicated fairly high confidence that they were seeing actual exploitation against honeypots, not just scanning.
Notably, this vuln is not on CISA KEV as of August 2024, which may mean there wasn’t enough evidence to definitively confirm successful in-the-wild attacks. I’ve also not seen any public reports of EITW against production systems. Multiple public PoCs were available as of January 2024 (some testing notes from the Splunk team here). A Metasploit module is also available.
We’ve seen attacks on CI/CD pipelines and tooling escalate the past year or two, so I’d expect bugs like this to get at least triage and recon attention from adversaries, including APTs.
Technical Analysis
A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited outright or used in some other capacity: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
Not on CISA KEV as of August 7, 2024.
Technical Analysis
A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited outright or used in some other capacity: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
On CISA KEV and also listed as “Known” for ransomware usage, so adding those tags, too. Lots of CLFS driver bugs have been used in both 0day and n-day attacks the past few years — in December 2023, Securelist published a whole series on CLFS driver exploits used in ransomware attacks. This vuln isn’t in that series, but five others are, underscoring the trend.
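Several of the assessments above record whether a CVE was on CISA KEV "as of" a given date and whether KEV flags it as "Known" for ransomware use. As an added example (not part of the original assessments or of any CISA tooling), the script below answers both questions from a KEV catalog JSON snapshot offline, with an optional as-of date so that an entry added later does not count as listed. The field names match the real KEV JSON feed; the sample catalog is constructed, with only the CVE-2022-1040 dateAdded taken from the Sophos assessment above, and the second entry is a hypothetical placeholder.

```python
"""Check a CVE against a CISA KEV catalog snapshot, offline."""
import json
from datetime import date
from typing import Optional, Tuple

# Real feed URL, listed for reference only; nothing here fetches it.
KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/"
    "known_exploited_vulnerabilities.json"
)

# Constructed sample catalog using the KEV feed's field names.
# Only the dateAdded of CVE-2022-1040 comes from the assessment above;
# every other value is sample data, and CVE-0000-0001 is a placeholder.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-1040",
            "vendorProject": "Sophos",
            "product": "Firewall",
            "vulnerabilityName": "sample entry",
            "dateAdded": "2022-03-31",
            "shortDescription": "sample",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-04-21",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-0000-0001",
            "vendorProject": "Example",
            "product": "Placeholder",
            "vulnerabilityName": "hypothetical placeholder entry",
            "dateAdded": "2024-08-22",
            "shortDescription": "sample",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2024-09-12",
            "knownRansomwareCampaignUse": "Known",
            "notes": "",
        },
    ],
})


def load_kev(text: str) -> dict:
    """Index a KEV catalog JSON document by upper-cased CVE ID."""
    catalog = json.loads(text)
    return {v["cveID"].upper(): v for v in catalog["vulnerabilities"]}


def kev_status(index: dict, cve_id: str,
               as_of: Optional[str] = None) -> Tuple[bool, bool, Optional[dict]]:
    """Return (on_kev, ransomware_known, entry) for cve_id.

    as_of is an ISO date string; an entry whose dateAdded is later than it
    is reported as not listed, reproducing "not on KEV as of <date>".
    """
    entry = index.get(cve_id.strip().upper())
    if entry is None:
        return False, False, None
    if as_of is not None:
        if date.fromisoformat(entry["dateAdded"]) > date.fromisoformat(as_of):
            return False, False, None
    ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
    return True, ransomware, entry


def overdue(index: dict, today: str) -> list:
    """CVE IDs whose KEV remediation dueDate has passed as of today (ISO date)."""
    cutoff = date.fromisoformat(today)
    return sorted(cve for cve, v in index.items()
                  if date.fromisoformat(v["dueDate"]) < cutoff)


if __name__ == "__main__":
    idx = load_kev(SAMPLE_KEV_JSON)
    for cve in ("CVE-2022-1040", "CVE-0000-0001", "CVE-1999-9999"):
        on_kev, rw, _ = kev_status(idx, cve, as_of="2024-08-07")
        print(f"{cve}: on KEV as of 2024-08-07={on_kev}, ransomware Known={rw}")
    print("overdue as of 2024-09-17:", overdue(idx, "2024-09-17"))
```

To run it against the live catalog, download the JSON from KEV_FEED_URL and pass its text to load_kev; the as-of parameter is what lets you reproduce a historical statement rather than only the current state.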
Technical Analysis
A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited outright or used in some other capacity: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
Not on CISA KEV as of August 7, 2024.
Technical Analysis
A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited outright or used in some other capacity: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
Not on CISA KEV as of August 7, 2024.
Technical Analysis
Exploited by North Korean state-sponsored attackers according to a July 2024 bulletin from multiple U.S. government agencies: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
Also made CISA’s “Routinely Exploited Vulnerabilities” list for 2022 (published in August 2023).
@themrhagan definitely, will pass that info on to the team as well
@themrhagan Thanks! I haven’t yet heard of (or seen) a working PoC for this, so regardless, I’m still not super concerned, but that is good context!
@s4mb4sh whoa, that blog is awesome.
Technical Analysis
Remote command execution vuln in Apache HugeGraph-Server, an open-source graph database project. Vendor advisory was published April 22, 2024 and indicates that HugeGraph-Server 1.0.0 prior to 1.3.0 is affected on Java 8 and Java 11. Both those Java versions are on long-term support, which could potentially reduce viable attack surface area somewhat, but we also know both JDK versions are still common in enterprise environments.
Vendor advisory lists the vuln severity as “important” rather than critical, but this solid SecureLayer7 write-up notes the CVSS score should probably be a 9.8, and that the vuln allows an attacker to “bypass the sandbox restrictions and achieve RCE through Gremlin [a query language supported in HugeGraph], resulting in complete control over the server.” Take a look at their June 5, 2024 blog for a full walk-through of exploitation.
The ShadowServer Foundation said on Mastodon July 16 that they were observing RCE exploit attempts for this vulnerability from multiple sources against honeypots. I haven’t personally seen any confirmation of successful exploitation against real-world production environments, but that doesn’t mean it’s not happening. Multiple public exploits and scanners are available, but as of July 26, Rapid7 researchers haven’t tested public PoCs directly — exploitability is an estimate based on available info.
Vendor guidance is to upgrade to version 1.3.0 with Java 11 and enable the Auth system, which purportedly fixes the issue. HugeGraph admins can also “enable the ‘Whitelist-IP/port’ function to improve the security of RESTful-API execution,” per the advisory.
Technical Analysis
A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited more recently (since it’s been exploited plenty before) or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
CISA KEV also notes this vulnerability has been used in ransomware attacks, so I’m adding that tag as well.
Hey @nu11secur1ty, it’s not beneficial to the community to post a link to a PoC that directs to a personal platform you appear to be using for profit. We’ve spoken before about the need to share open information on AttackerKB — please either link to an open-source PoC or remove the link to the PoC on Patreon. We’ll give you 24 hours to fix this or else we will remove this assessment.