hrbrmstr (72)
Last Login: April 26, 2023
hrbrmstr's Latest (20) Contributions
Technical Analysis
Attacker Value
“Reflected XSS” means an authenticated user has to pass a malicious, specially-crafted URL onto the iControl REST API.
“Undisclosed REST API endpoints” means it will take some time (perhaps, not much, but “it depends” given the black-box nature of F5 kit) to discover these weak entry points.
Once weak REST endpoints are known, an attacker has to get their crafted URL into some context where an F5 REST API user can pass it on in an authenticated context.
It is unlikely F5 users would click on obvious REST API URLs from non-trusted parties (nor that it would do much good depending on how authentication state is maintained). URL shorteners or on-hover cloaking could be used to trick said admins, but then there’s the “an attacker would have to know who are F5 iControl admins” hard part.
There are a handful of third-party iControl REST API projects on GitHub and Docker. It is theoretically possible a highly motivated attacker could target organizations via these projects, but all have a small number of GH stars, which suggests they aren’t super-popular/used.
It is unlikely opportunistic attackers will (a) dedicate resources to discovering the flawed REST API endpoints, and (b) be able to identify F5 iControl users to target.
This may be a useful weakness for more sophisticated attackers performing targeted attacks.
Mitigation
If one cannot patch their systems, F5 has noted that it is possible to mitigate this vulnerability, by permitting management access to F5 products only over a secure network, and limiting access to only trusted users (though these are the users attackers are targeting, so it’s a bit of a head-scratcher).
For more information about securing access to BIG-IP systems, refer to K13309: Restricting access to the Configuration utility by source IP address (11.x – 16.x) and K13092: Overview of securing access to the BIG-IP system.
Technical Analysis
Technical Analysis
Ben Murphy’s dissection — https://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/ — is pretty thorough.
Technical Analysis
To exploit this vulnerability an attacker would need to have access to at least one client and a domain that replies with a large volume of referral records, without glue records, that point to external victim sub domains. While resolving a name from the attacker client, for each referral record found, the resolver contacts the victim domain. This action can generate a large number of communications between the recursive resolver and the victim’s authoritative DNS server to cause a Distributed Denial of Service (DDoS) attack.
This has had quite a bit of coverage (I’ll add these to AKB metadata as well when I get a chance):
- (celeb vuln site) http://www.nxnsattack.com/
- (ISC advisory) https://kb.isc.org/docs/cve-2020-8616
- (paper) https://arxiv.org/abs/2005.09107
- (Wired exclusive) https://www.wired.com/story/dns-ddos-amplification-attack/
- (RIPE commentary) https://labs.ripe.net/Members/petr_spacek/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack
- (CISA) https://www.us-cert.gov/ncas/current-activity/2020/05/20/isc-releases-security-advisory-bind
- (CISA) https://www.us-cert.gov/ncas/current-activity/2020/05/20/microsoft-releases-security-advisory-windows-dns-servers
- 84 of the Fortune 500 are vulnerable.
- Massive numbers (~1M) of old ISC BIND versions on the internet.
- While this does appear to require some wrangling, in certain configurations it’s a 1,000x amplification factor.
- IMO PoC will be forthcoming fairly quickly.
- Impacts other vendors’ DNS implementations (PowerDNS, Knot, Unbound all confirmed; others likely impacted).
- It’s “just” DoS, but the 2020 DBIR noted the significant uptick of that in 2019 and it’s been “a thing” in 2020.
- Service disruptions for remote workforce could be severe.
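The post above describes the mechanism (a referral carrying many NS names without glue, each pointing into the victim's zone, so the resolver queries the victim's authoritative server for every one of them). The following is an added model of that resolver behaviour, written for this page; it is not code from ISC BIND, any other resolver, or the NXNSAttack paper. The `Referral` structure, the `attacker.example` / `victim.example` names, the assumption of two address queries (A and AAAA) per glueless name, and the `max_fetch` cap are all constructed for the example; the cap is a generic knob, not a specific vendor setting.

```python
"""Model of how a glueless referral drives resolver-to-victim traffic.

Added example for this post; not code from any resolver or from the
NXNSAttack paper. Names and the referral below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Referral:
    """A delegation response: NS names for the child zone plus any glue."""
    zone: str
    ns_names: list
    glue: dict = field(default_factory=dict)  # NS name -> address, when supplied


def glueless_targets(referral, victim_zone):
    """NS names the resolver cannot use without resolving them first, and
    whose resolution lands on victim_zone's authoritative server."""
    return [
        name for name in referral.ns_names
        if name not in referral.glue and name.endswith("." + victim_zone)
    ]


def eager_resolver_queries(referral, victim_zone):
    """Outbound queries a resolver that chases every glueless NS name up
    front sends to the victim's authoritative server (assumed: one A and
    one AAAA lookup per name, so 2 queries each)."""
    return 2 * len(glueless_targets(referral, victim_zone))


def bounded_resolver_queries(referral, victim_zone, max_fetch):
    """Same referral handled by a resolver that caps how many glueless NS
    names it chases per delegation (max_fetch is an assumed generic knob)."""
    return 2 * min(len(glueless_targets(referral, victim_zone)), max_fetch)


def amplification(outbound_queries, client_queries=1):
    """Resolver-to-victim queries generated per client query."""
    return outbound_queries / client_queries


def constructed_delegation(n_names, victim_zone="victim.example"):
    """Constructed in-memory delegation for attacker.example with n_names NS
    records, all naming subdomains of the victim and none carrying glue."""
    return Referral(
        zone="attacker.example",
        ns_names=[f"ns{i}.{victim_zone}" for i in range(n_names)],
    )


if __name__ == "__main__":
    ref = constructed_delegation(1000)
    eager = eager_resolver_queries(ref, "victim.example")
    bounded = bounded_resolver_queries(ref, "victim.example", max_fetch=5)
    print(f"eager resolver:   {eager} queries to victim per client query "
          f"(x{amplification(eager):.0f})")
    print(f"bounded resolver: {bounded} queries to victim per client query "
          f"(x{amplification(bounded):.0f})")
```

The point of the two functions side by side is that the amplification is a property of how many glueless names the resolver is willing to chase per referral, which is why the vendor fixes centre on bounding that number rather than on filtering the attacker's zone.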
Technical Analysis
This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a
- Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP
- Mitigation: Update affected Citrix devices with the latest security patches
Technical Analysis
This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a
- Vulnerable Products: Pulse Connect Secure 9.0R1 – 9.0R3.3, 8.3R1 – 8.3R7, 8.2R1 – 8.2R12, 8.1R1 – 8.1R15 and Pulse Policy Secure 9.0R1 – 9.0R3.1, 5.4R1 – 5.4R7, 5.3R1 – 5.3R12, 5.2R1 – 5.2R12, 5.1R1 – 5.1R15
- Mitigation: Update affected Pulse Secure devices with the latest security patches.
Technical Analysis
This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a
- Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
- Associated Malware: Kitty
- Mitigation: Upgrade to the most recent version of Drupal 7 or 8 core.
Technical Analysis
This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a
- Vulnerable Products: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
- Associated Malware: Toshliph, UWarrior
- Mitigation: Update affected Microsoft products with the latest security patches
- IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133m
Technical Analysis
This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a
- Vulnerable Products: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
- Associated Malware: FINSPY, FinFisher, WingBird
- Mitigation: Update affected Microsoft products with the latest security patches
- IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133f
Technical Analysis
This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a
- Vulnerable Products: Adobe Flash Player before 28.0.0.161
- Associated Malware: DOGCALL
- Mitigation: Update Adobe Flash Player installation to the latest version
- IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133d
Technical Analysis
This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a
- Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016
- Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit
- Mitigation: Update affected Microsoft products with the latest security patches
Technical Analysis
This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a
- Vulnerable Products: Microsoft SharePoint
- Associated Malware: China Chopper
- Mitigation: Update affected Microsoft products with the latest security patches
Technical Analysis
This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a
- Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
- Associated Malware: Dridex
- Mitigation: Update affected Microsoft products with the latest security patches
- IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133i, https://www.us-cert.gov/ncas/analysis-reports/ar20-133j, https://www.us-cert.gov/ncas/analysis-reports/ar20-133k, https://www.us-cert.gov/ncas/analysis-reports/ar20-133l, https://www.us-cert.gov/ncas/analysis-reports/ar20-133n, https://www.us-cert.gov/ncas/analysis-reports/ar20-133o
Technical Analysis
This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a
- Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
- Associated Malware: JexBoss
- Mitigation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1
Technical Analysis
This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a
- Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
- Associated Malware: FINSPY, LATENTBOT, Dridex
- Mitigation: Update affected Microsoft products with the latest security patches
- More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-0199
- IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133g, https://www.us-cert.gov/ncas/analysis-reports/ar20-133h, https://www.us-cert.gov/ncas/analysis-reports/ar20-133p
Technical Analysis
This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a
- Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products
- Associated Malware: Loki, FormBook, Pony/FAREIT
- Mitigation: Update affected Microsoft products with the latest security patches
- More Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-11882
- IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133e
Technical Analysis
The devil (or, lack thereof) is in the details:
> The attacker can view and delete files within the web services file system only. The web services file system is enabled for the WebVPN and AnyConnect features outlined in the Vulnerable Products section of this advisory; therefore, this vulnerability does not apply to the ASA and FTD system files or underlying operating system (OS) files. The Web Services files that the attacker can view may have information such as WebVPN configuration, bookmarks, web cookies, partial web content, and HTTP URLs.
- No RCE, but somewhat sensitive (and, definitely some org-internal) data is accessible.
- Reboot fixes damage.
- Temporary DoS (to the web services) is in play since this vector weirdly allows delete access.
- The really important system files are not accessible.
- Fairly trivial for an attacker to gain access to file-system layout from images or previous vulnerabilities so any intelligent use of a working PoC (when one is out) won’t be super noisy but it should still be fairly easy for any capable org to monitor for abnormal HTTP interactions via device logs.
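The last bullet suggests watching device HTTP logs for abnormal interactions. As an added example for this page (not Cisco code, and not tied to the specific ASA/FTD vector, which the post does not describe), here is a generic check that flags requests whose decoded path contains a directory-traversal segment and groups them by source, which is the kind of baseline an org could run over exported web-services logs. The key=value log format and every line in `SAMPLE_LOG` are constructed for the example, as are the `/webvpn/...` paths.

```python
"""Flag directory-traversal style requests in HTTP access logs.

Added example for this post; not Cisco code. The key=value log format and
all lines in SAMPLE_LOG are constructed placeholders.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

SAMPLE_LOG = """\
2020-07-23T10:00:01Z src=203.0.113.5 method=GET path=/webvpn/portal.html status=200
2020-07-23T10:00:02Z src=198.51.100.9 method=GET path=/webvpn/..%2F..%2Fconfig/bookmarks.xml status=200
2020-07-23T10:00:03Z src=198.51.100.9 method=GET path=/webvpn/%252e%252e/%252e%252e/sessions/cookies.db status=200
2020-07-23T10:00:04Z src=203.0.113.5 method=GET path=/webvpn/files/..archive.txt status=404
2020-07-23T10:00:05Z src=198.51.100.9 method=GET path=/webvpn/logon.html status=200
"""

LINE = re.compile(
    r"src=(?P<src>\S+) method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d+)"
)
# A '..' that stands alone as a path segment; '..archive.txt' does not match.
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_path(path, max_rounds=3):
    """Percent-decode until stable (bounded), then normalise backslashes so
    double-encoded or backslash-separated traversal is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(path):
    """True when the decoded path contains a '..' segment."""
    return TRAVERSAL.search(decode_path(path)) is not None


def scan_log(log_text):
    """Return {source_ip: [decoded suspicious paths]} for the given log text."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # line does not match the assumed format; skip it
        if is_traversal(m["path"]):
            hits[m["src"]].append(decode_path(m["path"]))
    return dict(hits)


def noisy_sources(hits, threshold=2):
    """Sources with at least `threshold` flagged requests, worth escalating."""
    return sorted(src for src, paths in hits.items() if len(paths) >= threshold)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for src, paths in found.items():
        for p in paths:
            print(f"{src}: {p}")
    print("escalate:", noisy_sources(found))
```

Decoding before matching matters: a single `unquote` misses double-encoded sequences, and matching on `..` anywhere in the path produces false positives on ordinary filenames, so the check decodes a bounded number of rounds and only fires on a standalone `..` segment.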
Some chatter about this in RIPE’s dns-wg. Akamai claims they’ve had protection from things like this for a while: https://www.ripe.net/ripe/mail/archives/dns-wg/2020-May/003724.html