hrbrmstr (63)

Last Login: October 19, 2020
Assessments
21
Score
63
10th Place

hrbrmstr's Contributions (27)

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Ben Murphy’s dissection — https://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/ — is pretty thorough.

1

Some chatter about this in RIPE’s dns-wg. Akamai claims they’ve had protection from things like this for a while: https://www.ripe.net/ripe/mail/archives/dns-wg/2020-May/003724.html

2
Ratings
Technical Analysis

To exploit this vulnerability an attacker would need to have access to at least one client and a domain that replies with a large volume of referral records, without glue records, that point to external victim sub domains. While resolving a name from the attacker client, for each referral record found, the resolver contacts the victim domain. This action can generate a large number of communications between the recursive resolver and the victim’s authoritative DNS server to cause a Distributed Denial of Service (DDoS) attack.

This has had quite a bit of coverage (I’ll add these to AKB metadata as well when I get a chance):

  • 84 of the Fortune 500 are vulnerable.
  • Massive numbers (~1M) of old ISC BIND versions on the internet.
  • While this does appear to require some wrangling, in certain configurations it’s a 1,000x amplification factor.
  • IMO PoC will be forthcoming fairly quickly.
  • Impacts other vendors’ DNS implementations (PowerDNS, Knot, Unbound all confirmed; others likely impacted).
  • It’s “just” DoS, but the 2020 DBIR noted the significant uptick of that in 2019 and it’s been “a thing” in 2020.
  • Service disruptions for remote workforce could be severe.
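A toy model of the glueless-referral amplification described in the assessment above. This is an added example, not code from the post or from any resolver vendor: an attacker-controlled zone answers one client query with a referral naming many NS hosts under the victim’s domain and supplies no glue, so a naive resolver asks the victim’s authoritative server for every NS host’s address records. The cap on how many glueless NS names a resolver chases per referral is the general shape of the mitigations vendors shipped; the zone names, the two-queries-per-NS (A + AAAA) model and the cap value are assumptions for illustration.

```python
"""Simplified model of glueless NS referral amplification (added example).

Assumptions: one attacker query elicits one referral; each glueless NS name
costs the victim's authoritative server two queries (A and AAAA); a capped
resolver chases at most max_ns_lookups glueless names per referral.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Referral:
    zone: str                                   # delegated zone that answered
    ns_names: List[str]                         # NS targets listed in the referral
    glue: Dict[str, str] = field(default_factory=dict)   # NS name -> address, if supplied


def owner_zone(name: str) -> str:
    """'ns17.victim.example.' -> 'victim.example.' (the zone that must be asked)."""
    return name.split(".", 1)[1]


@dataclass
class Resolver:
    max_ns_lookups: Optional[int] = None        # None: chase every glueless NS name
    queries: Counter = field(default_factory=Counter)    # authoritative zone -> queries sent

    def chase_referral(self, ref: Referral) -> int:
        """Process one referral; return how many glueless NS names were chased."""
        self.queries[ref.zone] += 1             # the query that elicited the referral
        glueless = [n for n in ref.ns_names if n not in ref.glue]
        if self.max_ns_lookups is not None:
            glueless = glueless[: self.max_ns_lookups]
        for ns in glueless:
            # No glue: resolve the NS host's A and AAAA at the zone that owns it.
            self.queries[owner_zone(ns)] += 2
        return len(glueless)


def attack_referral(n_ns: int, attacker_zone: str = "attacker.example.",
                    victim_zone: str = "victim.example.") -> Referral:
    """Constructed malicious referral: n_ns NS names under the victim, no glue."""
    return Referral(zone=attacker_zone,
                    ns_names=[f"ns{i}.{victim_zone}" for i in range(n_ns)])


def amplification(ref: Referral, resolver: Resolver,
                  victim_zone: str = "victim.example.") -> float:
    """Queries the victim receives per query the attacker's client sent."""
    resolver.chase_referral(ref)
    return resolver.queries[victim_zone] / resolver.queries[ref.zone]


if __name__ == "__main__":
    naive = amplification(attack_referral(500), Resolver())
    capped = amplification(attack_referral(500), Resolver(max_ns_lookups=5))
    print(f"naive resolver: {naive:.0f}x   capped resolver: {capped:.0f}x")
```

With 500 glueless NS names the naive resolver sends the victim 1,000 queries for a single attacker query, which is where the 1,000x figure comes from; the same referral against a resolver that caps glueless lookups at 5 yields 10x, and a referral that carries glue costs the victim nothing.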

2
Ratings
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP
  • Mitigation: Update affected Citrix devices with the latest security patches
1
Ratings
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Pulse Connect Secure 9.0R1 – 9.0R3.3, 8.3R1 – 8.3R7, 8.2R1 – 8.2R12, 8.1R1 – 8.1R15 and Pulse Policy Secure 9.0R1 – 9.0R3.1, 5.4R1 – 5.4R7, 5.3R1 – 5.3R12, 5.2R1 – 5.2R12, 5.1R1 – 5.1R15
  • Mitigation: Update affected Pulse Secure devices with the latest security patches.
1
Ratings
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
  • Associated Malware: Kitty
  • Mitigation: Upgrade to the most recent version of Drupal 7 or 8 core.
1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
  • Associated Malware: Toshliph, UWarrior
  • Mitigation: Update affected Microsoft products with the latest security patches
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133m
1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
  • Associated Malware: FINSPY, FinFisher, WingBird
  • Mitigation: Update affected Microsoft products with the latest security patches
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133f
2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

2
Ratings
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016
  • Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit
  • Mitigation: Update affected Microsoft products with the latest security patches
1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Microsoft SharePoint
  • Associated Malware: China Chopper
  • Mitigation: Update affected Microsoft products with the latest security patches
2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
  • Associated Malware: JexBoss
  • Mitigation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1
1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

2

Replying to expand guidance: ports 636, 389, and 3268 should not be exposed to the internet unless one really knows what they’re doing. We’ve found vCenter nodes on all three of those common LDAP ports, even in the April studies.

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

The devil (or, lack thereof) is in the details:

> The attacker can view and delete files within the web services file system only. The web services file system is enabled for the WebVPN and AnyConnect features outlined in the Vulnerable Products section of this advisory; therefore, this vulnerability does not apply to the ASA and FTD system files or underlying operating system (OS) files. The Web Services files that the attacker can view may have information such as WebVPN configuration, bookmarks, web cookies, partial web content, and HTTP URLs.

  • No RCE, but somewhat sensitive (and, definitely some org-internal) data is accessible.
  • Reboot fixes damage.
  • Temporary DoS (to the web services) is in play since this vector weirdly allows delete access.
  • The really important system files are not accessible
  • Fairly trivial for an attacker to gain access to file-system layout from images or previous vulnerabilities so any intelligent use of a working PoC (when one is out) won’t be super noisy but it should still be fairly easy for any capable org to monitor for abnormal HTTP interactions via device logs.
5
Ratings
Technical Analysis

Nothing to add to the technical analysis by the others.

Dropping by to note that:

3
Ratings
Technical Analysis

Well, it’s bad when even Oracle decides to raise the alarm bells (wayback machine was down, so no permalink yet) about it.

They’ve detected active exploitation attempts against WebLogic servers.

T3 is WebLogic’s proprietary implementation of the RMI spec and is primarily used as a layer to enable JNDI calls by apps/clients.

It appears there’s PoC for it but I haven’t tested it yet. Since it’s yet-another deserialization vulnerability and there’s existing PoC code for similar RMI RCE, Oracle’s observations are likely correct.

1

Update for new version scan results from Monday (04-27).

Over 65K nodes found on the internet giving up version #s.

version       n
17.5.11.661 13794
17.5.9.577 13755
17.5.10.620 10535
17.5.3.372 5610
17.5.8.539 5414
17.5.7.511 2350
17.5.5.433 1856
17.5.6.488 1173
18.0.0.354 1088
17.5.4.429 991
17.0.6.181 797
17.1.4.254 783
17.1.3.250 719
17.0.8.209 626
17.5.0.321 492
17.1.2.225 490
17.5.1.347 385
17.1.1.175 303
18.0.1.367 218
18.0.0.339 193
17.0.5.162 192
16.05.5.233 182
16.05.8.320 167
17.0.3.131 160
16.05.6.266 145
16.01.1.202 118
16.05.3.183 117
16.05.7.305 108
18.0.0.321 100
17.0.2.116 82
17.0.0.80 72
16.05.9.331 70
16.05.4.215 68
17.5.0.310 59
17.0.1.98 56
16.01.2.222 51
18.0.0.285 50
17.5.4.409 46
17.0.4.144 44
16.01.3.265 40
15.01.0.447 38
17.0.9.217 37
16.05.1.139 33
16.05.2.160 24
15.01.0.376 23
16.05.0.117 22
17.1.0.152 22
18.0.0.255 17
17.0.7.191 11
17.5.2.381 11
15.01.0.418 10
15.01.0.407 9
17.0.10.240 8
18.0.0.180 4
16.01.0.144 2
16.01.0.190 1
16.01.4.342 1
16.01.5.353 1
16.05.0.098 1
17.0.0.32 1
18.0.0.102 1
18.0.0.113 1
18.0.1.368 1
1

It looks like there’s a coordinated, active campaign as well (via https://twitter.com/GossiTheDog/status/1254733650509389825?s=20 — NOTE internet archive seems to have issues with tweet archiving; as we explore making better permalinks, we need to figure that out for Tweets).

sophosfirewallupdate.com is a maldomain that has been identified in some XG log files.

3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Vulnerability Rating/Info

I based the value and exploitability off of the Sophos vulnerability details page: https://community.sophos.com/kb/en-us/135412 / https://web.archive.org/web/20200426003614/https://community.sophos.com/kb/en-us/135412

Sophos indicates attackers have been actively compromising these appliances at least as of April 22, 2020 when at least one customer noticed odd field values in their admin console.

Given that the SQL injection can happen pre-auth, and that both the user-facing and admin-facing interfaces are vulnerable, this is a pretty severe bug.

It appears to only provide access to usernames and hashed appliance passwords. Credential reuse is likely the culprit for at least the known successful post-SQLi compromise.

Exposure Analysis

We found over 72,000 exposed appliances. Many appear to be service provider/telecom/ISP provisioned and sitting on customer segments.

The top 20 countries (IP geolocation) make up ~80% of the exposure:

country           n      pct
United States 9126 12.54%
India 7989 10.98%
Germany 5433 7.47%
Japan 4680 6.43%
Italy 4338 5.96%
Australia 4168 5.73%
Turkey 3740 5.14%
Brazil 3526 4.85%
France 2567 3.53%
United Kingdom 1822 2.50%
South Africa 1779 2.44%
Canada 1658 2.28%
Spain 1644 2.26%
Malaysia 1496 2.06%
Switzerland 1261 1.73%
Colombia 1124 1.54%
Thailand 1087 1.49%
Netherlands 932 1.28%
Taiwan 681 0.94%
Portugal 611 0.84%

There are 2 primary externally facing HTTP paths:

  • Admin @ https://{host|ip}:{port}/webconsole/webpages/login.jsp
  • User @ https://{host|ip}:{port}/userportal/webpages/myaccount/login.jsp

I crafted a quick hack study to just see if we could get version info and we can. Sophos does the daft thing Microsoft does for OWA and refers to HTML resources by the version/build (e.g.):

<link rel="stylesheet"
      href="/themes/lite1/css/loginstylesheet.css?ver=17.5.9.577"
      type="text/css">

I’ll be doing a more thorough path study this week but we got back ~12,500 unique (by IP) responses. Here’s the breakdown (TLDR there’s a decent bit of exposure as of Sunday).

[Chart: Sophos XG Appliance Version Distribution. ~65,000 appliances provided version details; only ~25% appear to be patched as of 2020-04-27. Horizontal bars of # Sophos appliances (0 to 15,000) per version string, 15.01.0.376 through 18.0.1.368. Source: Rapid7 Project Sonar April 2020 HTTPS Studies.]

As of 2020-04-28, ~25% of appliances do not leave the “auto-update hotfix” setting on.

Our blog on it: https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/ | https://web.archive.org/web/20200428094002/https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/
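The version-leak check described in the exposure analysis above, as an added example that is not part of the original post and is not Rapid7’s or Sophos’ code: it pulls the build number out of the `?ver=` cache-buster on the login page’s stylesheet link and tallies a distribution that sorts versions numerically (a plain string sort puts 17.5.10.620 before 17.5.9.577). The HTML bodies are constructed to mirror the `<link>` tag quoted above; the IPs and counts are made up, and the admin port default in the fetch helper is an assumption that should be set per target.

```python
"""Extract Sophos XG versions from login pages via the ?ver= query string (added example)."""
import re
import ssl
import urllib.request
from collections import Counter
from typing import Dict, List, Optional, Tuple

# The two externally reachable login pages named in the post.
LOGIN_PATHS = (
    "/webconsole/webpages/login.jsp",
    "/userportal/webpages/myaccount/login.jsp",
)

# Matches href/src attributes whose URL ends in ?ver=<dotted version>, e.g.
#   href="/themes/lite1/css/loginstylesheet.css?ver=17.5.9.577"
VER_RE = re.compile(r'(?:href|src)="[^"]*\?ver=(\d+(?:\.\d+)+)"')


def extract_version(html: str) -> Optional[str]:
    """Return the first ?ver= value on the page, or None if nothing is leaked."""
    m = VER_RE.search(html)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric sort key, so 17.5.9.577 < 17.5.10.620 (a string sort gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


def tally_versions(pages: Dict[str, str]) -> List[Tuple[str, int]]:
    """host -> HTML body  =>  [(version, count)] ordered by numeric version."""
    counts: Counter = Counter()
    for html in pages.values():
        v = extract_version(html)
        if v:
            counts[v] += 1
    return sorted(counts.items(), key=lambda kv: version_key(kv[0]))


def fetch_login_page(host: str, port: int = 4444, timeout: float = 5.0) -> Optional[str]:
    """Fetch the admin login page over HTTPS without certificate validation
    (these appliances usually present self-signed certs).  Port 4444 is an
    assumed default; pass the real one.  Returns None on any network error."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}:{port}{LOGIN_PATHS[0]}"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except (OSError, ValueError):
        return None


# Constructed sample responses (not real scan data).
SAMPLE_PAGES = {
    "192.0.2.10": '<link rel="stylesheet" href="/themes/lite1/css/loginstylesheet.css?ver=17.5.9.577" type="text/css">',
    "192.0.2.11": '<link rel="stylesheet" href="/themes/lite1/css/loginstylesheet.css?ver=17.5.10.620" type="text/css">',
    "192.0.2.12": '<link rel="stylesheet" href="/themes/lite1/css/loginstylesheet.css?ver=17.5.9.577" type="text/css">',
    "192.0.2.13": "<html><body>no version string on this page</body></html>",
}

if __name__ == "__main__":
    for version, n in tally_versions(SAMPLE_PAGES):
        print(f"{version:>12} {n}")
```

Run it on real scan output by mapping each host to the body returned by `fetch_login_page`; hosts whose page carries no `?ver=` parameter are simply not counted rather than guessed at.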

3

Not sure if here or a new eval is the place, but @todb-r7 mentioned this eval/PoC on Twitter and it has IoCs, so we should probably have it here along for the AKB ride: https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/ (yes, Tod included the ZecOps Twitter handle link, but the direct blog link is probably useful).

For good measure, I’ll add an archive.org link of it as well: https://web.archive.org/web/20200423020023/https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/

6
Ratings
Technical Analysis

Previous tech analyses cover this quite well, but my mind is literally broken trying to figure out how:

  • A bug in a function named VmDirLegacyAccessCheck which causes it to return “access granted” when permissions checks fail.
  • A security design flaw which grants root privileges to an LDAP session with no token, under the assumption that it is an internal operation.

made it past any semblance of code review.

Regardless of ^^, this is a bit worse since attackers can also be a bit less noisy.

Our LDAP Sonar studies make no attempt at auth, and we get SearchResultEntry$PartialAttributes$vmwPlatformServicesControllerVersion from the search results query we perform, so it’ll be super easy for anyone to only target 6.7.0 systems. There are under 1,000 6.7.0 systems hanging off the internet on 389.

recog also pulls the version out directly if anyone is using that to post-process LDAP responses.
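An added example covering both the exposed-LDAP-ports reply earlier on this page and the unauthenticated version read described just above. It is not Sonar, recog or VMware code: it hand-encodes the LDAPv3 rootDSE SearchRequest (RFC 4511, BER), parses the SearchResultEntry messages that come back, and reads `vmwPlatformServicesControllerVersion`, so a defender can check their own hosts on 389, 636 and 3268 without an LDAP library. The attribute name, the anonymous (no bind) search and the 6.7.0 branch of interest come from the post; the wire-format helpers, the `probe()` function, the sample version string and the treatment of 636 as LDAPS are assumptions of this example.

```python
"""Anonymous LDAP rootDSE probe for vmwPlatformServicesControllerVersion (added example)."""
import socket
import ssl
from typing import Dict, Iterator, List, Optional, Tuple

# BER tags used by LDAPv3 messages
SEQ, SET, INT, ENUM, BOOL, OCTETS = 0x30, 0x31, 0x02, 0x0A, 0x01, 0x04
SEARCH_REQUEST, SEARCH_ENTRY, SEARCH_DONE = 0x63, 0x64, 0x65   # [APPLICATION 3/4/5]
FILTER_PRESENT = 0x87                                          # [7] present: (objectClass=*)

VERSION_ATTR = "vmwPlatformServicesControllerVersion"
LDAP_PORTS = (389, 636, 3268)          # the three ports called out in the earlier reply


def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v: int) -> bytes:
    return tlv(INT, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def root_dse_request(attrs: List[str], msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, SearchRequest base='' scope=baseObject attrs }."""
    search = (
        tlv(OCTETS, b"")                 # baseObject "" = the rootDSE
        + tlv(ENUM, b"\x00")             # scope: baseObject
        + tlv(ENUM, b"\x00")             # derefAliases: neverDerefAliases
        + ber_int(0) + ber_int(0)        # sizeLimit, timeLimit: none
        + tlv(BOOL, b"\x00")             # typesOnly: false
        + tlv(FILTER_PRESENT, b"objectClass")
        + tlv(SEQ, b"".join(tlv(OCTETS, a.encode()) for a in attrs))
    )
    return tlv(SEQ, ber_int(msg_id) + tlv(SEARCH_REQUEST, search))


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one TLV at pos; returns (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(body: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner


def parse_search_entries(data: bytes) -> Dict[str, List[str]]:
    """attribute -> values from every SearchResultEntry before SearchResultDone."""
    found: Dict[str, List[str]] = {}
    pos = 0
    while pos < len(data):
        _, msg, pos = read_tlv(data, pos)               # LDAPMessage SEQUENCE
        op_tag, op_body = list(iter_tlvs(msg))[1]       # [messageID, protocolOp, ...]
        if op_tag == SEARCH_DONE:
            break
        if op_tag != SEARCH_ENTRY:
            continue
        _, attr_list = list(iter_tlvs(op_body))[1]      # skip objectName, take PartialAttributeList
        for _, attr in iter_tlvs(attr_list):            # each: SEQUENCE { type, SET OF value }
            (_, atype), (_, vals) = list(iter_tlvs(attr))
            found.setdefault(atype.decode(), []).extend(
                v.decode(errors="replace") for _, v in iter_tlvs(vals))
    return found


def _complete(data: bytes) -> bool:
    """True once a whole SearchResultDone message is present in data."""
    try:
        pos = 0
        while pos < len(data):
            _, msg, pos = read_tlv(data, pos)
            if pos <= len(data) and list(iter_tlvs(msg))[1][0] == SEARCH_DONE:
                return True
    except IndexError:                   # truncated message, keep reading
        pass
    return False


def affected_branch(version: str, branch: str = "6.7.0") -> bool:
    return version.startswith(branch)


def probe(host: str, port: int, timeout: float = 5.0) -> Optional[str]:
    """Anonymous rootDSE search (no bind); returns the PSC version string or None."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if port == 636:                      # assumed LDAPS: TLS from the first byte
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        sock = ctx.wrap_socket(sock)
    with sock:
        sock.sendall(root_dse_request([VERSION_ATTR]))
        data = b""
        while not _complete(data):
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    vals = parse_search_entries(data).get(VERSION_ATTR)
    return vals[0] if vals else None


def sample_response(version: str, msg_id: int = 1) -> bytes:
    """Constructed server reply (one entry + done) for offline testing; not a capture."""
    entry = tlv(OCTETS, b"") + tlv(SEQ, tlv(SEQ,
        tlv(OCTETS, VERSION_ATTR.encode()) + tlv(SET, tlv(OCTETS, version.encode()))))
    done = tlv(ENUM, b"\x00") + tlv(OCTETS, b"") + tlv(OCTETS, b"")   # resultCode success
    return (tlv(SEQ, ber_int(msg_id) + tlv(SEARCH_ENTRY, entry))
            + tlv(SEQ, ber_int(msg_id) + tlv(SEARCH_DONE, done)))
```

To check a host, call `probe(host, port)` for each port in `LDAP_PORTS`; any non-None return means the directory answered an unauthenticated search from wherever you ran it, and `affected_branch()` on the value flags the 6.7.0 builds the post singles out.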

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Low
Technical Analysis

Granted, patching is not immediate and still lags in many orgs, but the trend for patching current systems (which it seems to apply to) is better than legacy, and there is a working patch, thus I can’t see exploits working for long on major, mature organizations.

1

But, can’t I make a legit cert with this technique and stick it on an external web site and get unpatched systems to trust it as being authentic?