AttackerKB AKB:B13061ED-28B3-4063-BFF1-63488B2DE718
History: Aug 26, 2022 - 12:00 a.m.

CVE-2022-36537

2022-08-26 00:00:00
attackerkb.com

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.938 High
Percentile: 98.8%

ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.

Recent assessments:

ccondon-r7 at March 01, 2023 6:39pm UTC reported:

The core vuln here is an info leak in ZK Framework, which — yep, you guessed it! — is a popular open-source Java library used to create enterprise mobile and web apps. The original advisory, NVD entry, and CVSS score are all predicated on the mere info leak, but as it turns out, other popular software that uses ZK Framework is vulnerable to full-on remote code execution via CVE-2022-36537. Both Huntress and NCC Group have noted that this bug is being exploited in vulnerable ConnectWise R1Soft Server Backup Manager software to gain initial access to target systems and then do a variety of not-good things, including installing malicious JDBC database drivers to backdoor systems, deploying ransomware, and so on.

Per various write-ups and public PoCs analyzed by @sfewer-r7, the following seems to happen:

  • Attacker uses CVE-2022-36537 to leak the contents of /Configuration/database-drivers.zul, which yields a unique secret ID value

  • Armed with this value, attacker exploits vuln again to reach an endpoint that allows them to upload the JDBC driver, which functions as a handy backdoor

  • Attacker can now use the REST API to issue commands to registered agents to do nefarious things, like, you know, deploy your ransomware of choice to downstream systems

  • Oh and hey there are supply chain implications

We know the ConnectWise R1Soft vector is in active use and is easily exploitable, but this being a library vuln (so hot right now), that’s almost certainly not going to be the only attack vector. Some light recon done by folks smarter than me (namely the aforementioned @sfewer-r7) indicates there are plenty of other things that use ZK Framework. The question is which are vulnerable to remote exploits out of the box. Knocking this down an exploitability point overall simply because other applications may not be quite as easily exploitable remotely as the ConnectWise software.

If you’re using a vulnerable R1Soft Server Backup Manager version, please patch immediately. The NCC Group’s FOX IT team has a great write-up with IOCs and attack details.

cbeek-r7 at February 28, 2023 8:41am UTC reported:

Assessed Attacker Value: 5
Assessed Attacker Value: 4