ccondon-r7 (158)

Last Login: October 12, 2021
Assessments
47
Score
158
6th Place

ccondon-r7's Contributions (73)

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Being exploited in the wild as of April 2021. Juniper Networks has a write-up on seeing payloads being delivered by the Sysrv botnet. Kinda surprising it took that long.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Both Palo Alto Networks and Netlab360 (ostensibly, since Netlab360 doesn’t specify any CVEs) have write-ups on widespread attacks leveraging this bug starting in April and going through at least August, including ransomware campaigns. QNAP’s advisory is pretty sparse, but from the news coverage it sounds like this was a hard-coded creds bug that allowed an attacker to log into a vulnerable device (which evidently QLocker and ech0raix ransomware operators did). Yikes—hopefully folks have patched by now.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

This is another of those products I hadn’t ever heard of before we started hearing about compromises. There’s a Metasploit module available here, hence the relatively high exploitability rating: https://github.com/rapid7/metasploit-framework/pull/15525

Mitigation is to lock down admin access, sensibly: https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020-cve-2021-21307/7643

1

Thanks @JoyGhoshs. Assuming you were attacking a target that you had permission to attack, we would not consider that to be exploitation in the wild. (If you were attacking a target that you did not have permission to attack…well, we aren’t lawyers, but that’s a pretty bad idea and probably not legal!)

To be considered “in the wild,” exploitation generally needs to take place outside lab environments and not within pen testing engagements. In other words, we only mark things “exploited in the wild” when threat actors are exploiting vulnerable targets to achieve some type of objective.

2

Hey @JoyGhoshs, great write-up, thanks! I was trying to find some kind of confirmation somewhere that this is exploited in the wild, though, and I’m not coming up with anything—have you observed active attacks by adversaries (not pen testers) against this somewhere, or were you reporting it as “Exploited in the wild” simply because details are available?

1

Those are great, @NinjaOperator, thanks for sharing!

3
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Low
Technical Analysis

Sounds from Microsoft’s out-of-band advisory like this is seeing limited, targeted attacks and folks are only vulnerable in non-default configurations (i.e., “by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack”). All this plus user interaction required = another social engineering opportunity for attackers with specific targets, but probably not a big concern as far as widespread, automated exploitation goes. No patch yet, but sounds like the most out-of-the-box mitigation is just to use the default option of opening docs in a protected manner.

4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

Check out the Rapid7 analysis for details on the exploit chain. Seems like a lot of the PoC implementations so far are using admin mailboxes, but I’d imagine folks are going to start finding ways around that soon.

2
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

Zero-day LPE vulnerability affecting Windows 10 v1809 and later (so Win10 and Win11 preview), arises from SAM file’s being READ-enabled for all local users. SAM file has gold, e.g., hashed user/admin passwords. PoC to retrieve registry hives publicly available, no patch as of July 21, 2021. JonasLyk and research community reported and confirmed the issue on Twitter Monday, July 19. Guidance from Microsoft is to apply a couple of workarounds—defenders likely behind the attack curve already. Details: https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/
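Added example (not from the post above, and not Rapid7 or Microsoft code): a read-only PowerShell check for the condition the post describes, that is, whether the SAM/SYSTEM/SECURITY hives grant BUILTIN\Users read access and whether VSS shadow copies (the copies the public hive-retrieval PoCs read, since the live hives are locked) exist on the host. The hive directory, the well-known SID S-1-5-32-545 and the Win32_ShadowCopy class are standard Windows values; the function names are my own.

```powershell
# Added example (not from the original post): audit a host for CVE-2021-36934
# exposure. Read-only; run elevated so shadow copies can be enumerated.

$HiveDir  = Join-Path $env:windir 'System32\config'
$Hives    = @('SAM', 'SYSTEM', 'SECURITY')
# BUILTIN\Users: the unprivileged group that must never be able to read these files.
$UsersSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')

function Test-IsUsersGroup {
    param([System.Security.Principal.IdentityReference]$Ref)
    try {
        return ($Ref.Translate([System.Security.Principal.SecurityIdentifier]) -eq $UsersSid)
    } catch {
        return $false   # orphaned or untranslatable SID: not the Users group
    }
}

function Test-GrantsRead {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $rights = [int64]$Ace.FileSystemRights
    # FILE_READ_DATA (0x1) or GENERIC_READ (0x80000000) is enough to dump the hive.
    return ((($rights -band 1) -ne 0) -or (($rights -band 0x80000000) -ne 0))
}

function Get-HiveExposure {
    $rows = @()
    foreach ($hive in $Hives) {
        $path = Join-Path $HiveDir $hive
        $acl  = Get-Acl -Path $path
        $readAces = @($acl.Access | Where-Object {
            (Test-IsUsersGroup -Ref $_.IdentityReference) -and (Test-GrantsRead -Ace $_)
        })
        $rows += [pscustomobject]@{
            Hive         = $hive
            UsersCanRead = ($readAces.Count -gt 0)
            Rights       = ($readAces | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; '
        }
    }
    return $rows
}

function Get-ShadowCopyCount {
    # The live hives are locked, so an over-permissive ACL is only directly
    # exploitable when a VSS snapshot of the system volume exists.
    return @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

$exposure = Get-HiveExposure
$exposure | Format-Table -AutoSize
$shadows  = Get-ShadowCopyCount
Write-Host "Shadow copies present: $shadows"

$exposed = @($exposure | Where-Object UsersCanRead)
if ($exposed.Count -gt 0 -and $shadows -gt 0) {
    Write-Warning 'Hives readable by BUILTIN\Users AND shadow copies exist: apply the workarounds and patch.'
} elseif ($exposed.Count -gt 0) {
    Write-Warning 'Hive ACL is over-permissive; any future shadow copy would expose it. Fix the ACL.'
} else {
    Write-Host 'Hive ACLs do not grant BUILTIN\Users read access.'
}
```

Run it before and after applying the workarounds to confirm the ACL change actually took effect on every hive, not just SAM.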

5
Technical Analysis

Critical RCE in the Windows Print Spooler service, with all versions of Windows vulnerable by default, can also be used for LPE. A myriad of public exploits and tools are available to aid in exploitation, and remediation requires the additional step of disabling Point and Print (by setting two registry keys to 0) after patch application. Without disabling Point and Print, RCE and LPE are still possible via multiple vectors (MS-PAR, MS-RPRN) regardless of patch level. Exploitation detected in the wild, only expected to increase. Patch and disable Point and Print, or else disable Print Spooler altogether. See the Rapid7 analysis for more info.

Update August 12, 2021: Crowdstrike is reporting that PrintNightmare is now being incorporated into Magniber ransomware attacks against South Korean organizations.
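Added example (not from the post above or the following one on disabling the spooler, and not Rapid7 or Microsoft code): a read-only PowerShell audit of the PrintNightmare mitigation state the post describes. The registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint and the two values NoWarningNoElevationOnInstall and UpdatePromptSettings are the ones Microsoft documents for restricting Point and Print; the function names are my own. It treats a stopped and disabled Spooler service as sufficient on its own, and otherwise requires both values to be present and 0.

```powershell
# Added example (not from the original post): check whether a host has the
# PrintNightmare mitigations in place. Read-only; run in an elevated session.

$PnPKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
# Both DWORDs must exist and be exactly 0 for Point and Print to be restricted.
$RequiredZero = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

function Get-PointAndPrintState {
    $result = [ordered]@{}
    foreach ($name in $RequiredZero) {
        $item = Get-ItemProperty -Path $PnPKey -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $result[$name] = 'missing'   # absent value = default (unrestricted) behaviour
        } else {
            $result[$name] = $item.$name
        }
    }
    return $result
}

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'not installed' }
    return ('{0} (startup: {1})' -f $svc.Status, $svc.StartType)
}

function Test-PrintNightmareMitigated {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Spooler stopped and disabled removes the attack surface entirely.
    if ($spooler -and $spooler.Status -eq 'Stopped' -and $spooler.StartType -eq 'Disabled') {
        return $true
    }
    # Otherwise every required value must be present and exactly 0.
    $pnp = Get-PointAndPrintState
    foreach ($name in $RequiredZero) {
        if ($pnp[$name] -ne 0) { return $false }   # 'missing' also fails this test
    }
    return $true
}

Write-Host "Spooler service : $(Get-SpoolerState)"
$state = Get-PointAndPrintState
foreach ($kv in $state.GetEnumerator()) {
    Write-Host ('{0,-32}: {1}' -f $kv.Key, $kv.Value)
}
if (Test-PrintNightmareMitigated) {
    Write-Host 'Point and Print restricted or Spooler disabled. Still confirm the July 2021 patch is installed.'
} else {
    Write-Warning 'Mitigation NOT in place: set both values to 0 after patching, or disable the Spooler service.'
}
```

The registry check is deliberately strict about missing values, since an absent policy value leaves Point and Print in its default, unrestricted state.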

1
Technical Analysis

Rapid7 researchers have confirmed that a fully patched (as of June 2021) Windows Server 2019 is exploitable with at least one of the public exploits. There’s still a lot of confusion in the community about what exactly is exploitable and why (e.g., permissions requirements), but don’t let the complexity inherent to these researcher conversations convince you NOT to act. Disable the print spooler, quickly. More info: https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Trivial RCE with a one-line request. Rapid7 Labs is seeing this product in quite a few large enterprises—patch quickly. Shout-out to Portswigger for their excellent write-up: https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464

Update July 12, 2021: We now have reliable private reports of exploitation in the wild.

1
Technical Analysis

This feels like it could be similar to CVE-2020-3187, which got a lot of attention last summer but was pretty overhyped. Summarizing a few conversations among researchers: This looks like stored XSS, user interaction is required to trigger it (would be a much bigger deal if no interaction were necessary), attacker still needs to go phishing or similar for efficacy. Could be that there’s a caveat to those caveats that increases the vuln’s value, but until proven otherwise, we’re gonna rate this low-to-moderate on the value scale. Definitely a good idea to keep ASAs updated, though, irrespective of the value of any particular bug. H/T to @wvu-r7 and @hrbrmstr for the convo!

2
Technical Analysis

If the fast and furious exploitation of CVE-2021-21972 earlier this year is any indication, attackers are likely to jump on this latest vCenter Server vulnerability quickly. Exploitation does require network access to port 443, but @hrbrmstr and team already identified thousands of vulnerable vCenter Server instances exposed to the public internet (ouch), and phishing/cred reuse makes relatively easy work for attackers looking for network access. With the prevalence of the ransomware threat to most organizations at the moment, this is one to patch on an emergency basis. We definitely don’t recommend waiting for a typical patch cycle here. See the Rapid7 analysis for further info.

1

Hi @2020Cyberworld, thanks for the detailed assessment! I see you’ve reported a few vulns as exploited in the wild—are you seeing this and the other vulns you’ve reported used in active (not pen testing) attacks?

1
Technical Analysis

Ah, another day, another Win32k privilege escalation used in the wild. Securelist has a good write-up on this bug, which they discovered because it was used in a BITTER APT zero-day attack in (it sounds like) conjunction with CVE-2021-1732 (there’s a Metasploit module for the second vuln).

2
Technical Analysis

One of three vulnerabilities CISA and the FBI have warned are being exploited by APTs to gain initial access to government and other services. The other two vulnerabilities in the alert are CVE-2018-13379, a pre-authentication path traversal bug that has been actively and widely exploited for years now, and CVE-2020-12812 (an MFA bypass).

2
Ratings
  • Exploitability
    Very High
Technical Analysis

CISA and the FBI put out a joint warning that this is one of several FortiOS vulnerabilities APTs are exploiting to gain initial access to government and other services. We know, however, that plenty of non-APT attackers have also targeted Fortinet devices over the past several years. See the page for CVE-2018-13379 as an example. These things are high value and give attackers internal network access—keep ’em updated on a hair trigger!

2
Technical Analysis

There is now public threat intelligence that the Purple Fox exploit kit has incorporated this vulnerability and is exploiting it.

3

SSRF, so hot right now!

1
Technical Analysis

Interesting, this slid under the radar a bit. I’m not seeing any definitive evidence that this was confirmed to be exploited in the wild, but the Bleeping Computer article on it from December 14, 2020 says Sophos was investigating whether it had been exploited. There was kiiiiind of a lot going on December 14, 2020, what with the SolarWinds supply chain attack revelations ramping up, so I’m not surprised there was no further community attention paid to this. In any event, upgrading to supported products probably a good call.

1
Technical Analysis

Heap-based buffer overflow used in “limited, targeted attacks” according to Adobe’s advisory: https://helpx.adobe.com/security/products/acrobat/apsb21-09.html

2
Technical Analysis

This is an actively exploited zero-day in the WebKit browser engine affecting iPhone 6s and later models, as well as a slew of iPad models (and some Apple Watch versions, according to the Bleeping Computer article, though Apple’s characteristically sparse advisory makes no mention of the watch). Discovered by Google’s Threat Analysis Group, requires a user to open maliciously crafted web content. Update those iDevices, kids.

1

@chavez243ca Thanks! That’s fair, although I suspect with the widespread interest the community will probably continue to push out details at a solid pace.

2

Thanks, @pwsh!

4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Microsoft released details on an active state-sponsored threat campaign (attributed to HAFNIUM) that is exploiting on-prem Exchange Server installations. Microsoft’s observation was that these were limited, targeted attacks, but as of March 3, 2021, ongoing mass exploitation has been confirmed by multiple sources. More in the Rapid7 analysis tab.

1

This is great, we were casually looking at this, too, but you’ve done the work for us!

4
Technical Analysis

Update March 3: Exploitation in the wild was confirmed over the weekend. See the Rapid7 analysis for more updates.

There are reports of opportunistic scanning for vulnerable vCenter Server endpoints and a bunch of PoC that’s made its way to GitHub over the past twelve hours or so. There hasn’t been confirmation of in-the-wild exploitation yet, but it’s hard to imagine that lasting for very long given the enterprise-grade incentives for attackers. As @wvu-r7 points out in the Rapid7 analysis, the update available for folks on vulnerable versions of vCenter Server merely adds authentication, addressing the attack chain rather than resolving the root cause of the vulnerability; I’d be a little surprised if we didn’t see a follow-on CVE at some point for an authentication bypass.

4
Technical Analysis

Since this got a little more attention later in 2020, it’s probably good to note here that there are a number of different implementations of Oracle Coherence, and the likeliest attack vector that we’ve seen is WebLogic Server. WebLogic had a number of vulnerabilities that were exploited in the wild (some widely, e.g., CVE-2020-14882 and CVE-2020-14750) in 2020. Definitely a good idea to keep tight WebLogic patch cycles whenever possible.

2

Hey @oosman-rak ! I saw you reported this as exploited in the wild, but I haven’t been able to find any sources on exploitation myself. I’m definitely interested in knowing where this is being exploited so we can maybe make a note to look into it!

1

Interesting, Will Dormann from CERT has similarly said that there has been no clear confirmation of whether CVE-2020-10148 or a totally different vulnerability allows for SUPERNOVA installation/Orion server compromise (tweet from January 8, 2020): https://twitter.com/wdormann/status/1347690102638735361

That’s a good distinction to keep making—I suppose I should revise my statement that “everyone else in the world seems to have linked the two unequivocally” since there are at least a couple of folks who haven’t!

The upshot for defenders, unfortunately, is that there may be more SolarWinds Orion vulnerability news to come. I do hope the company is clear and fast about disclosing further facts as their investigations confirm them. Delaying and obscuring here would be absolutely no help at all.

3
Technical Analysis

It looks like CISA updated their guidance for U.S. federal agencies last night and told them to update to SolarWinds Orion 2020.2.1 HF2 within 48 hours (“by the end of the year”) or take Orion systems offline. It’s warranted, especially since there may be other issues in the Orion code base that have yet to be discovered or disclosed. Organizations that come into the new year still on affected versions of Orion would be well-advised to consider conducting incident response investigations to determine whether they have been compromised.

The SolarWinds advisory as of December 30, 2020 doesn’t explicitly say this CVE was the vulnerability that allowed for installation of the SUPERNOVA malware, though they implicitly make the link by calling the patch that resolves CVE-2020-10148 the “SUPERNOVA patch.” Maybe I’m picking at nits there since everyone else in the world seems to have linked the two unequivocally! In any event, this CVE is an active threat and folks who haven’t updated to SolarWinds Orion 2019.4 HF6 or 2020.2.1 HF2 should do so immediately and look for indicators of compromise and suspicious activity.

Edit: Keeping an eye on this thread tracking mass scanning for hosts vulnerable to CVE-2020-10148 too: https://twitter.com/bad_packets/status/1344008582019203072

1

Months later (feels like years some days, huh?) I still really appreciate this analysis! Thanks for writing it :)

2
Ratings
  • Exploitability
    Very Low
Technical Analysis

Since this bug was released a couple months ago, I haven’t seen any sources that have indicated there’s been in-the-wild exploitation. Typical notes on memory corruption vulnerabilities being difficult to weaponize as reliable RCE apply here.

2
Ratings
  • Attacker Value
    Low
  • Exploitability
    High
Technical Analysis

Google Project Zero researcher Maddie Stone, who originally disclosed this vulnerability to Microsoft, reported on December 23, 2020 that the patch is incomplete and can be bypassed.

Quoting her post here: “The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The ‘fix’ simply changed the pointers to offsets, which still allows control of the args to the memcpy.”

Stealing directly from a conversation with Metasploit’s Windows exploit expert @zeroSteiner, it sounds like this bug isn’t terribly useful as an LPE “because the slpwow64 process doesn’t run with elevated privileges—just an elevated integrity, which Microsoft doesn’t consider a security boundary anymore anyway.” Project Zero-reported vulns tend to draw media and researcher attention and there’s quite a lot of detail publicly available between Stone’s original report and this in-depth Kaspersky write-up, so we may see more exploitation even if the impact of the bug by itself isn’t terribly high. That said, the Kaspersky analysis is definitely worth a read if you want to understand this CVE’s utility for the IE 11 use case!

6
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Technical Analysis

I’ve seen some news headlines with very scary-sounding words (“ransacking networks!”) on this, which is dismaying. It’s completely understandable that folks would be alarmed by a zero-day (now patched), but when we get into the details of this one a bit, I would tend to doubt that it’s going to be a good candidate for mass exploitation (note that I’m not telling anyone not to patch, just that headlines aren’t always reality!).

Even before getting into the weeds a little more, we can see from the CVSSv3 metrics that this requires high-privileged access and carries a 7.2 severity rating. I’ve watched researchers prove severity ratings wrong in the past, to be sure, but looking at the advisory, we can see that any attempt at exploitation would require an attacker to have access to the admin configurator on port 8443, plus admin credentials for the configurator account. If you have that level of access as an attacker, you can do all sorts of nefarious things with it, but those requirements don’t lend themselves to easy exploitation. It’s a good one to patch, but it also sounds like this is another case where strong password policies (especially for admin accounts!) would go a long way toward mitigating the risk of vulns both known and unknown. Ensuring that management interfaces are not exposed to the internet is another good move!

The NSA reported this vulnerability to VMware directly as a zero-day, which likely means they were seeing a specific threat actor deploy it in targeted intelligence operations. We haven’t seen any other reports of exploitation yet. From reading the docs, it looks like admins are required to change the password upon configuration, so the tried and true combo of admin:admin shouldn’t be possible.

4
Ratings
  • Attacker Value
    Low
Technical Analysis

Sorta relying here on the fact that memory corruption vulns are difficult to weaponize or even trigger reliably, and it sounds like there will be lots of different implementations of the vulnerable libraries, so uniform attack surface area is going to be scarce. Rapid7’s IoT research lead noted as well that TCP stack issues like this may well require the attacker to be on same subnet, and it’s unlikely that upstream routers would accept unexpected/malformed packets. There’ll be lots of fragmented vendor advisories trickling out in bits, I’d expect. There may be more detail out on which to base assessments later this week.

1
Technical Analysis

Exploit code for VPN credential-stealing is readily available, as is information on unpatched targets. The vuln is known to be exploited by nation state-sponsored threat actors as well as run-of-the-mill attackers. Fortinet customers who discover vulnerable FortiOS VPN devices on their networks will want to conduct incident response investigations in addition to patching.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

There’s a zero-day patch bypass out for this CVE, and active attacks are continuing against internet-facing WebLogic deployments. See the Rapid7 analysis tab for full guidance.

3
Technical Analysis

Pulse Secure’s 2019 vulns are garnering another wave of attention this week as a result of the NSA’s newly published list of CVEs exploited by Chinese state actors. Out of the batch of 2019 disclosures from Orange Tsai’s and Meh Chang’s research, CVE-2019-11510, a pre-authenticated arbitrary file read, was the highest priority for attackers and defenders. The pre-auth file read was a necessary primitive for CVE-2019-11539, a post-authentication vuln that enables attackers to execute commands as root on vulnerable Pulse Secure VPN servers.

Exploit chain: CVE-2019-11510 provides necessary info (plaintext/hashed creds, session IDs) that enables a remote attacker to leverage CVE-2019-11539 to execute commands with the highest privilege level. There’s a Metasploit exploit out that automates the exploit chain, but note that a valid admin session is needed. The original blog from the researchers who disclosed the vulns does a great job of explaining in-depth technical details, too—do check it out if you haven’t done so!

Pulse Secure patched these vulnerabilities in April 2019. Technical details, public research, and exploits were released over the next six months. There’s been plenty of information available to attackers for quite some time now—I hope organizations have patched given the severity of the bugs and the critical position of SSL VPNs.

1

@elligottmc Sounds fair enough (not sure if Brent is active on here these days!), yep. This topic was our catch-all when Citrix hadn’t specified the included CVEs yet.

1
Ratings
  • Attacker Value
    Very High
Technical Analysis

The generally short shelf life of many browser vulnerabilities is offset by their value to attackers—and in some cases very nicely offset. This Chrome 0day arises from a heap buffer overflow in FreeType, a commonly-used open-source font engine. The public availability of patch details significantly improves shelf life calculus for attackers and exploit developers.

2
Technical Analysis

There were a lot of vulns out this week, a number of which got quite a bit more news cycle attention than this one (lookin’ at you, Bad Neighbor). Unlike a few of those higher-hype bugs, however, this one is an active threat. Like other significant vulnerabilities from this year, the fact that this is authenticated isn’t a barrier for attackers and alas, shouldn’t be a consolation for those tasked with securing SharePoint environments.

@tsellers-r7 has a really great Twitter thread here on the number of publicly exposed, vulnerable SharePoint installations and version/support complexities that defenders may not realize they need to take into account. Metasploit Framework will also have a module out in next week’s release.

2
Technical Analysis

There’s high attacker value here if an attacker A) wants to cause a little mayhem, and/or B) can actually turn the DoS into reliable RCE. The first option is probably the likelier outcome in the immediate future. If Positive Technologies or Tripwire releases a PoC, the likelihood of broad exploitation probably rises significantly. For now, “patch fast but don’t panic” is good advice, as it always is with VPNs. There’s full analysis for this bug in the Rapid7 Analysis tab here.

2
Ratings
  • Attacker Value
    Very High
Technical Analysis

According to Black Arrow, it looks like this CVE is being exploited to deliver Kaiten malware. This is another of the batch Orange Tsai wrote about from among their MobileIron discoveries last month. @wvu-r7 has a bit more context on the auth bypass in his assessment of CVE-2020-15506, too.

3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

We’re consistently seeing reports of this vulnerability being exploited in the wild and used to compromise organizations. I’m upping its attacker value rating based on the fact that evidently attackers are finding value in it.

2

@VoidSec Ah, that’s exactly what I was wondering! I’m really sorry your client was compromised, and thank you for reporting this as exploited in the wild.

2

Hey @VoidSec! Thanks for the assessment! I noticed you reported this as being exploited in the wild—I have absolutely no doubt that’s true, but I haven’t seen any confirmed reports of active exploitation (only public exploits being available). Have you seen differently? Wondering if I need to tweak my monitoring source list :)

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

There’s more info in Rapid7’s analysis here, but as @tsellers-r7 and @smcintyre-r7 pointed out privately today, need for authenticated session + exposed PowerShell endpoint + user who belongs to specific Exchange groups = less opportunity for wide-scale attacks than something like February’s Exchange vuln. I’m interested to see how Steven Seeley’s exploit works if he releases it, though. Might be cause for quick re-evaluation.

3
Technical Analysis

Same initial evaluation as CVE-2020-3566—namely that successful exploitation doesn’t appear thus far to yield useful access for attackers, though disruption to critical business services is still a major concern for service providers. If the DoS enables a new threat vector, attacker value on these vulns rises. I’m going to leave exploitability blank for the time being. Rapid7 has analysis here.

2
Technical Analysis

At face value, this doesn’t seem to be a terribly high-value vuln from an attacker point of view. That’s not to say that impact to availability and disruption of business processes isn’t high-impact for infrastructure and service providers, just that the vulnerability is a denial of service that currently doesn’t look to offer attackers useful access. That changes pretty quickly if it turns out DoS exploitation gives rise to a different threat vector.

2
Ratings
  • Attacker Value
    High
Technical Analysis

This made CISA’s list of most exploited vulns from 2016-2019—fairly notable since it’s a 2019 vulnerability and had less time to percolate than others. There are newer SharePoint vulnerabilities and exploits out now that may replace this one, but the generalized takeaway is that SharePoint is a highly attractive attack target with a number of public exploits and proofs-of-concept available for known vulns.

1
Technical Analysis

SANS ISC has said they’re seeing “small numbers of exploit attempts.” The exploit they’ve detected is identifying vulnerable systems “by reading benign LUA source code files.”

https://isc.sans.edu/diary/26426

3
Technical Analysis

The exposed target population may be comparatively low to, say, the whole of the internet, but Rapid7 Labs has noted—rightly so—that a couple thousand exposed gateways is still a pretty concerning state of affairs when those gateways are protecting industrial control systems. Pre-authenticated RCE in VPN products guarding ICS/OT networks during a pandemic is, as the kids say, bad news bears—and that’s not to make light, because this ain’t light. The good news is that there are patches out for all these vulns, even though the downtime required to patch and verify effectively might be nothing to sneeze at. Longer analysis and recommendations by smart people here.

Researchers from around Rapid7’s world (and likely others, too!) have said today that there is likely lower-hanging fruit that will be surfaced in the coming days, particularly around nerve-wracking findings such as exposed Telnet administration ports. There’s a lot of well-justified attention on this grouping of vulns, and with that attention comes increased focus on attack opportunities in general…and the stuff we see clogging up our security noise machines won’t be the only stuff well-resourced attackers are paying attention to. Patch as soon as possible (and yep, easier said than done).

2
Technical Analysis

I’m going to quote @hrbrmstr here: Since the registry config workaround doesn’t require a system restart, it seems like this is going to be a niche exploitation issue for organizations that haven’t config’d or patched their way to safety.

Still haven’t seen PoC past the DoS from maxpl0it (which is a very good Twitter username, unrelatedly) that surfaced quickly after the vuln details were published. Anecdotally, a few other researchers have mused that this probably isn’t the ripest or most valuable target for exploitation (famous last words, eh?).

5
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This is an incredibly attractive and simple attack target: It’s an easily exploitable vulnerability in a highly-exposed HTTP interface (frequently user- and internet-facing) where successful exploitation allows remote, unauthenticated attackers to create user accounts with the highest possible privileges and generally declare themselves the feudal lords of critical SAP estates.

It’s difficult to imagine that widespread exploitation would take much time at all. SAP included a mitigation in the patch release details, but with so many mitigation bypasses coming out for other recent critical vulns, it’s definitely advisable to take CISA’s guidance to heart—i.e., patch over mitigation wherever possible and as quickly as possible.

3

Hey there, friend, just wanted to say thanks for all the great technical assessments recently. The team’s started looking forward to your evaluations. Much appreciated!

2

Nice, saw your gist with check logic, too—Metasploit should have an exploit out shortly. Sounds from the researcher working on it that his check method is similar. Thanks for the assessment, super appreciated!

4
Ratings
  • Attacker Value
    Very High
Technical Analysis

There have been several reports of exploitation in the wild as of July 4. The one I’ve seen cited the most is here.

1
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

Vuln affects versions 5.0.0 to 5.5.4 and is weaponized in the form of a Metasploit module: https://github.com/rapid7/metasploit-framework/pull/13512
Credit to Charles Fol for discovery and Zenofex for fast analysis and slick weaponization.

I keep thinking that it’s unlikely enterprises use vBulletin and this must be more of a risk to small- and medium-sized businesses, but looking at some of the companies that are said to be vBulletin customers, I suppose that’s not necessarily true. Article on in-the-wild exploitation here.

2

Nice, what a great assessment! Knowledge like this is exactly what we wanted to be able to capture and highlight when AttackerKB was first dreamt up. Thanks so much—if you ever want to collaborate on a Metasploit module (scanner, exploit, LPE, post-exploitation) for a vuln you’ve been looking at, let us know and we’ll be happy to help out!

1

@aaronsvk This is great! You’re the person who discovered the vuln, too, yes? Really nice work.

1

I appreciate that you included a specific threat model scenario here, thanks!

1

I can’t upvote this enough. What a great clarification on vulnerability definition!

3

Your Twitter thread on this was really helpful as @wvu-r7 was working through module code, thanks!

3
Technical Analysis

There’s a Metasploit exploit module out for this now, and pen testers have reported that seeing vulnerable Exchange servers is common on engagements. As zeroSteiner has pointed out on Twitter, all that’s needed for reliable code execution is a domain user with a mailbox: https://twitter.com/zeroSteiner/status/1234983584177328129.
TrustedSec has a great write-up on IoCs here: https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/

1
Ratings
  • Attacker Value
    High
  • Exploitability
    Medium