Attacker Value

Very High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2020-11698

Disclosure Date: September 17, 2020 •

CVE-2020-11698 CVSS v3 Base Score: 9.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Execution

Techniques

Validation

Exploitation for Client Execution

Validated

Initial Access

Techniques

Validation

Exploit Public-Facing Application

Validated

Metasploit Module

exploit/freebsd/webapp/spamtitan_unauth_rce

Description

An issue was discovered in Titan SpamTitan 7.07. Improper input sanitization of the parameter community on the page snmp-x.php would allow a remote attacker to inject commands into the file snmpd.conf that would allow executing commands on the target server.

Add Assessment

cdelafuente-r7 (78)

November 03, 2020 6:26pm UTC (3 years ago)•

Ratings

Attacker Value

Very High

Exploitability

Very High

Easy to weaponize Gives privileged access Unauthenticated Vulnerable in default configuration

Technical Analysis

SpamTitan Gateway is an anti-spam appliance that protects against unwanted emails and malwares. Versions 7.01, 7.02, 7.03 and 7.07 are vulnerable to Remote Code Execution as root due to improper input sanitization. Note that only version 7.03 needs authentication and no authentication is required for versions 7.01, 7.02 and 7.07.

The attack consists in abusing the SpamTitan Gateway UI SNMP Management Settings feature to inject dangerous SNMPD command directives into the SNMP server configuration file. This is can be done in two steps:

Send an HTTP POST request to the snmp-x.php page with a specially crafted community parameter:
...[SNIP]...&community=<community>" <ip>\nextend <random name> <payload>.
This will end up being added to snmp.conf like this:
…[SNIP]...
rocommunity "<community>" <ip>
extend <random name> <payload>
…[SNIP]...
Send an SNMP Get-Request to correct OID to trigger the payload.

Since a proof o concept and a Metasploit module are available, it is highly recommended to upgrade to the latest available version.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

titanhq

Products

spamtitan 7.07

Metasploit Modules

exploit/freebsd/webapp/spamtitan_unauth_rce (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/webapp/spamtitan_unauth_rce.rb)

References

Canonical

CVE-2020-11698 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11698)

Miscellaneous

https://www.spamtitan.com

https://github.com/felmoltor

https://twitter.com/felmoltor

https://sensepost.com/blog/2020/clash-of-the-spamtitan

https://www.spamtitan.com/

https://sensepost.com/blog/2020/clash-of-the-spamtitan/

http://packetstormsecurity.com/files/159470/SpamTitan-7.07-Remote-Code-Execution.html

http://packetstormsecurity.com/files/160809/SpamTitan-7.07-Command-Injection.html

Rapid7

Very High

CVE-2020-11698

Very High

Very High

None

None

Network

CVE-2020-11698

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Very High

CVE-2020-11698

Very High

Very High

None

None

Network

CVE-2020-11698

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification