Acronis: Found multiple SAP NetWeaver vulnerable services

2021-02-14T14:49:11

Description

# Summary: Hello Team, I found two (**redapi.acronis.com** and **redapi2.acronis.com**) sap Netweaver vulnerable services. They do not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity, and Availability of the system, leading to Missing Authentication Check. # Steps To Reproduce: 1. Run the script {F1195428} 2. You will see random user created # POC: Just for the POC, I have created a random user with creds sapRpoc9049:Secure!PwD6751 (at redapi.acronis.com) {F1195413} # References: https://github.com/chipik/SAP_RECON https://nvd.nist.gov/vuln/detail/CVE-2020-6286 https://nvd.nist.gov/vuln/detail/CVE-2020-6287 https://launchpad.support.sap.com/#/notes/2934135 https://launchpad.support.sap.com/#/notes/2939665 **Please lemme know if you need any additional information reagarding this** ## Impact # Impact: This version of SAP netweaver does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity, and Availability of the system, leading to Missing Authentication Check.

{"nessus": [{"lastseen": "2022-06-16T15:39:08", "description": "The version of SAP NetWeaver AS Java detected on the remote host may be affected by multiple vulnerabilities, as referenced in SAP Security Note 2934135.\n\n- LM Configuration Wizard of SAP NetWeaver AS JAVA, does not perform an authentication check which allows an attacker without prior authentication, to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system (CVE-2020-6287).\n\n- The insufficient input path validation of certain parameter in the web service, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory (CVE-2020-6286).\n\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-07-15T00:00:00", "type": "nessus", "title": "SAP NetWeaver AS Java Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-6286", "CVE-2020-6287"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:/a:sap:netweaver_application_server"], "id": "SAP_NETWEAVER_AS_2934135.NASL", "href": "https://www.tenable.com/plugins/nessus/138506", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138506);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\"CVE-2020-6286\", \"CVE-2020-6287\");\n script_xref(name:\"IAVA\", value:\"2020-A-0298\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"SAP NetWeaver AS Java Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SAP NetWeaver AS Java server may be affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of SAP NetWeaver AS Java detected on the remote host may be affected by multiple vulnerabilities,\nas referenced in SAP Security Note 2934135.\n\n- LM Configuration Wizard of SAP NetWeaver AS JAVA, does not perform an authentication check which \nallows an attacker without prior authentication, to execute configuration tasks to perform critical \nactions against the SAP Java system, including the ability to create an administrative user, \nand therefore compromising Confidentiality, Integrity and Availability of the system (CVE-2020-6287).\n\n- The insufficient input path validation of certain parameter in the web service, allows an unauthenticated \nattacker to exploit a method to download zip files to a specific directory (CVE-2020-6286).\n\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's \nself-reported version number.\");\n # https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a89e2685\");\n # https://launchpad.support.sap.com/#/notes/2934135\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ff519fdb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6287\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/15\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:sap:netweaver_application_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sap_netweaver_as_web_detect.nbin\");\n script_require_keys(\"installed_sw/SAP Netweaver Application Server (AS)\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443, 8000, 50000);\n\n exit(0);\n}\n\ninclude('install_func.inc');\ninclude('http.inc');\ninclude('vcf.inc');\n\napp = 'SAP Netweaver Application Server (AS)';\n\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:443);\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nconstraints = [\n {'min_version' : '7.30', 'fixed_version' : '7.53', 'fixed_display' : 'See vendor advisory' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:38:12", "description": "An authentication bypass vulnerability exists in SAP NetWeaver AS JAVA (LM Configuration Wizard) due to insufficient authentication checks. An unauthenticated, remote attacker can exploit this by executing configuration tasks that perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-07-20T00:00:00", "type": "nessus", "title": "SAP NetWeaver : Authentication Bypass (CVE-2020-6287) (Direct Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-6287"], "modified": "2022-04-25T00:00:00", "cpe": ["cpe:/a:sap:netweaver_application_server"], "id": "SAP_NW_CVE-2020-6287.NBIN", "href": "https://www.tenable.com/plugins/nessus/138762", "sourceData": "Binary data sap_nw_cve-2020-6287.nbin", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-03-16T16:20:58", "description": "PoC for CVE-2020-6287, CVE-2020-6286 (SAP RECON vulnerability)\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-15T15:20:09", "type": "githubexploit", "title": "Exploit for Path Traversal in Sap Netweaver Application Server Java", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6286", "CVE-2020-6287"], "modified": "2022-03-16T15:43:51", "id": "422E055A-09D9-5999-8596-B4036633B613", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:54:34", "description": "<b>[CVE-2020-6287] SAP NetWeaver AS JAVA (LM Configuration Wizar...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-08-13T09:12:37", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Sap Netweaver Application Server Java", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6286", "CVE-2020-6287"], "modified": "2021-08-19T10:38:43", "id": "1CA47E3F-F5D0-59BE-8F16-9671BB19B938", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-18T18:39:00", "description": "# CVE-2020-6287-exploit\n### PoC for CVE-2020-6287\n### The PoC in...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-20T18:45:53", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Sap Netweaver Application Server Java", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6286", "CVE-2020-6287"], "modified": "2022-01-18T17:25:12", "id": "DB41442F-7258-545C-BAD0-1F0FB13E16BD", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-16T16:18:04", "description": "<b>[CVE-2020-6286] SAP NetWeaver AS JAVA (LM Configuration Wizar...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-08-13T09:00:12", "type": "githubexploit", "title": "Exploit for Path Traversal in Sap Netweaver Application Server Java", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6286"], "modified": "2022-03-16T15:43:59", "id": "BB10DCF1-2FBA-5DDC-B650-CEE45D356728", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-10T21:31:03", "description": "# Vulnerability Assessment and Indicator of Compromise (IoC) Sca...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-21T01:22:45", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Sap Netweaver Application Server Java", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6287"], "modified": "2022-02-10T19:07:30", "id": "26FAD860-F058-5B8B-999F-56C318A499D4", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:38:39", "description": "A directory traversal vulnerability exists in SAP NetWeaver. Successful exploitation of this vulnerability could lead to disclosure of file contents accessible by the prime user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-21T00:00:00", "type": "checkpoint_advisories", "title": "SAP NetWeaver Directory Traversal (CVE-2020-6286; CVE-2020-6287)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6286", "CVE-2020-6287"], "modified": "2020-07-21T00:00:00", "id": "CPAI-2020-0681", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:38:28", "description": "A remote code execution vulnerability exists in SAP NetWeaver. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-08-03T00:00:00", "type": "checkpoint_advisories", "title": "SAP NetWeaver Remote Code Execution (CVE-2020-6287)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6287"], "modified": "2020-08-03T00:00:00", "id": "CPAI-2020-0719", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2020-12-20T04:20:58", "description": "This episode is based on posts from [my Telegram channel avleonovcom](<https://t.me/avleonovcom>), published in the last 2 weeks. So, if you use Telegram, please subscribe. I update it frequently.\n\n![Barapass, Tsunami scanner, vulnerabilities in Windows DNS Server and SAP products, weird attack on Twitter](https://avleonov.com/wp-content/uploads/2020/07/Barapass-Tsunami-scanner-vulnerabilities-in-Windows-DNS-Server-and-SAP-products-weird-attack-on-twitter.png)\n\n## Barapass update\n\nI recently [released an update](<https://github.com/leonov-av/barapass>) to my password manager **barapass**. BTW, it seems to be my only pet project at the MVP stage, which I use every day. ![\ud83d\ude05](https://s.w.org/images/core/emoji/13.0.1/72x72/1f605.png)\n\nWhat's new:\n\n 1. Now I am sure that it works on Windows 10 without WSL. And you can run it beautifully even with the icon. ![\ud83d\ude0a](https://s.w.org/images/core/emoji/13.0.1/72x72/1f60a.png) Read more about installation in Windows [in this file](<https://github.com/leonov-av/barapass/blob/master/how_to_use_barapass_in_windows.txt>).\n 2. Not only "copy the next value to the clipboard" (or "revolver mode" ) is now possible in the search results section. You can also get the previous value or copy the same value one again if it was somehow erased in the clipboard. Previously, I had to retype the search request each time to do this, and it was quite annoying. By the way, I unexpectedly discovered that the user input history inside the application magically works in the Windows shell (using up and down arrows) without any additional coding. On Linux it does not.\n 3. You can set a startup command, for example, to decrypt the container.\n 4. The startup command and quick (favorite) commands are now in settings.json and not hard-coded.\n 5. settings.json, container files and decrypted files are now in "files" directory. It became more convenient to update barapass, just change the scripts in the root directory and that\u2019s it. I divided the scripts into several files, now it should be more clear how it works.\n\nSo, if you need a minimalistic console password manager in which you can easily use any encryption you like - welcome! You can read more about **barapass **[in my previous post](<https://avleonov.com/2019/09/17/barapass-console-password-manager/>).\n\n## Google Tsunami\n\nHave you heard about this new open source Tsunami vulnerability scanner released by Google ([github](<https://github.com/google/tsunami-security-scanner>))? What do you think about it? Is it the real thing or just another [useless automation layer over nmap](<https://github.com/google/tsunami-security-scanner/blob/master/docs/orchestration.md>)? I am now more for the second option. And I'm pretty skeptical that they will make effective and safe plugins for exploit-based vulnerability detection. The fact that this is 99.5% Java code doesn't make me enthusiastic as well. But, of course, I want to believe that it will be new "kubernetes" in the Vulnerability Management area. Let's discuss in [@avleonovchat](<https://t.me/avleonovchat>)\n\n![Google Tsunami poll](https://avleonov.com/wp-content/uploads/2020/07/image.png)\n\nVote here: <https://t.me/avleonovcom/731>\n\n## RCE in Windows DNS Server\n\nYep, yet another short post about **SIGRed **([video](<https://www.youtube.com/watch?v=PUlMmhD5it8>), [MS CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>)). Getting RCE with only a DNS request is really impressive. And it was there for 17 years! OMG, what attackers could do with this in corporate environment! [Checkpoint guys stated that](<https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/>) "Due to time constraints, we did not continue to pursue the exploitation of the bug (which includes chaining together all of the exploitation primitives), but we do believe that a determined attacker will be able to exploit it."\n\n![RCE in Windows DNS Server poll](https://avleonov.com/wp-content/uploads/2020/07/image-1.png)\n\nVote here: <https://t.me/avleonovcom/733>\n\n## SAP RECON\n\nIf your organization uses **SAP **(my condolences), you should initiate some patching right now and make sure this stuff is NOT available on your network perimeter. There is already an [exploit](<https://github.com/chipik/SAP_RECON>) available for these vulnerabilities:\n\n[CVE-2020-6287](<https://nvd.nist.gov/vuln/detail/CVE-2020-6287>) - unauthenticated attacker can "execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user" \n[CVE-2020-6286](<https://nvd.nist.gov/vuln/detail/CVE-2020-6286>) - unauthenticated attacker can make Path Traversal\n\nI also found a funny bug: **Nessus **has a [remote plugin](<https://www.tenable.com/plugins/nessus/138506>) to detect these vulnerabilities, but you were not be able to find it on **Tenable **website by "CVE-2020-6287" in [CVE filter](<https://www.tenable.com/plugins/search?q=cves%3A\\(%22CVE-2020-6287%22\\)&sort=&page=1>). Why? When they edited CVE list in plugin, they have put "CVE-2020-6286" there twice. \n\n![SAP RECON Nessus](https://avleonov.com/wp-content/uploads/2020/07/tenable3.png)\n\n![\ud83e\udd26\ud83c\udffb\u200d\u2642\ufe0f](https://s.w.org/images/core/emoji/13.0.1/72x72/1f926-1f3fb-200d-2642-fe0f.png) Sometimes such things happen. \n\n## Weird attack on Twitter\n\nA little bit about Twitter? Of course, [the last incident](<https://edition.cnn.com/2020/07/16/tech/twitter-hack-security-analysis/index.html>) puzzled me a lot. Let's say you have an access to the Twitter accounts of Bill Gates, Elon Musk, Obama, Apple and others, and you post a silly Bitcoin scam? Whaat? ![\ud83e\udd2a](https://s.w.org/images/core/emoji/13.0.1/72x72/1f92a.png)\n\n![Weird attack on Twitter](https://avleonov.com/wp-content/uploads/2020/07/Twitter_case.png)\n\nI recently had some practice in writing email templates for antiphishing trainings (btw, my [video about antiphishing](<https://www.youtube.com/watch?v=ODyJRBUZMfY>)) and was amazed what results can be achieved with regular email messages if you add a little bit of imagination and choose the right time. Even IT security professionals open files and urls, input credentials on fake sites, etc.!\n\nIt is absolutely clear that these attackers could have done something humongous. Starting from the massive gathering of user accounts / distribution of any malware through high-quality phishing websites and ending with advanced market manipulation. And instead of all this, some messages about bitcoins. It\u2019s strange.\n\n![Weird attack on Twitter poll](https://avleonov.com/wp-content/uploads/2020/07/image-2.png)\n\nVote here: <https://t.me/avleonovcom/741>\n\n![](http://feeds.feedburner.com/~r/avleonov/~4/AmsqOJSEpTc)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-18T18:31:16", "type": "avleonov", "title": "Barapass, Tsunami scanner, vulnerabilities in Windows DNS Server and SAP products, weird attack on Twitter", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350", "CVE-2020-6286", "CVE-2020-6287"], "modified": "2020-07-18T18:31:16", "id": "AVLEONOV:1ABE5F69187E5F9F8625DA462772F80C", "href": "http://feedproxy.google.com/~r/avleonov/~3/AmsqOJSEpTc/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T18:47:49", "description": "The insufficient input path validation of certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-07-14T13:15:00", "type": "cve", "title": "CVE-2020-6286", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6286"], "modified": "2020-07-15T18:15:00", "cpe": ["cpe:/a:sap:netweaver_application_server_java:7.40", "cpe:/a:sap:netweaver_application_server_java:7.50", "cpe:/a:sap:netweaver_application_server_java:7.30", "cpe:/a:sap:netweaver_application_server_java:7.31"], "id": "CVE-2020-6286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6286", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.31:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*"]}, {"lastseen": "2022-04-28T21:39:08", "description": "SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T13:15:00", "type": "cve", "title": "CVE-2020-6287", "cwe": ["CWE-306"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6287"], "modified": "2022-04-28T18:57:00", "cpe": ["cpe:/a:sap:netweaver_application_server_java:7.30", "cpe:/a:sap:netweaver_application_server_java:7.50", "cpe:/a:sap:netweaver_application_server_java:7.40", "cpe:/a:sap:netweaver_application_server_java:7.31"], "id": "CVE-2020-6287", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6287", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.31:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2021-11-03T22:42:10", "description": "SAP NetWeaver AS JAVA (LM Configuration Wizard), versions \u2013 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at July 14, 2020 7:10am UTC reported:\n\nThis is an incredibly attractive and simple attack target: It\u2019s an easily exploitable vulnerability in a highly-exposed HTTP interface (frequently user- and internet-facing) where successful exploitation allows remote, unauthenticated attackers to create user accounts with the highest possible privileges and generally declare themselves the feudal lords of critical SAP estates.\n\nIt\u2019s difficult to imagine that widespread exploitation would take much time at all. SAP included a mitigation in the patch release details, but with so many mitigation bypasses coming out for other recent critical vulns, it\u2019s definitely advisable to [take CISA\u2019s guidance to heart](<https://us-cert.cisa.gov/ncas/alerts/aa20-195a#:~:text=On%20July%2013,%202020%20EST,%20SAP%20released%20the%20patch%20for,NetWeaver%20AS%20for%20Java%20component.&text=A%20remote,%20unauthenticated%20attacker%20can,cases,%20exposed%20to%20the%20internet>)\u2014i.e., patch over mitigation wherever possible and as quickly as possible.\n\n**Mad-robot** at July 15, 2020 6:34pm UTC reported:\n\nThis is an incredibly attractive and simple attack target: It\u2019s an easily exploitable vulnerability in a highly-exposed HTTP interface (frequently user- and internet-facing) where successful exploitation allows remote, unauthenticated attackers to create user accounts with the highest possible privileges and generally declare themselves the feudal lords of critical SAP estates.\n\nIt\u2019s difficult to imagine that widespread exploitation would take much time at all. SAP included a mitigation in the patch release details, but with so many mitigation bypasses coming out for other recent critical vulns, it\u2019s definitely advisable to [take CISA\u2019s guidance to heart](<https://us-cert.cisa.gov/ncas/alerts/aa20-195a#:~:text=On%20July%2013,%202020%20EST,%20SAP%20released%20the%20patch%20for,NetWeaver%20AS%20for%20Java%20component.&text=A%20remote,%20unauthenticated%20attacker%20can,cases,%20exposed%20to%20the%20internet>)\u2014i.e., patch over mitigation wherever possible and as quickly as possible.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-14T00:00:00", "type": "attackerkb", "title": "CVE-2020-6287: Critical Vulnerability in SAP NetWeaver Application Server (AS) Java", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6287"], "modified": "2020-12-21T00:00:00", "id": "AKB:56338DBB-1286-429B-B980-5AEDD3A6E87C", "href": "https://attackerkb.com/topics/JubO1RiVBP/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-as-java", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:40:15", "description": "[![](https://thehackernews.com/images/-z8Uzw7Wp2Zk/Xw1bORR-XAI/AAAAAAAAAjM/4WKXCZsAtEw0zA9nzsUj0BUhmpjsEtR6wCLcBGAsYHQ/s728-e100/sap.jpg)](<https://thehackernews.com/images/-z8Uzw7Wp2Zk/Xw1bORR-XAI/AAAAAAAAAjM/4WKXCZsAtEw0zA9nzsUj0BUhmpjsEtR6wCLcBGAsYHQ/s728-e100/sap.jpg>)\n\nSAP has patched a [critical vulnerability](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675>) impacting the LM Configuration Wizard component in NetWeaver Application Server (AS) Java platform, allowing an unauthenticated attacker to take control of SAP applications. \n \nThe bug, dubbed RECON and tracked as **CVE-2020-6287**, is rated with a maximum CVSS score of 10 out of 10, potentially affecting over 40,000 SAP customers, according to cybersecurity firm Onapsis, which [uncovered the flaw](<https://www.onapsis.com/recon-sap-cyber-security-vulnerability>). \n \n\"If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account, which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications,\" the US Cybersecurity and Infrastructure Security Agency (CISA) said in an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-195a>). \n \n\"The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability,\" it added. \n \nThe vulnerability is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and newer (up to SAP NetWeaver 7.5), putting several SAP business solutions at risk, including but not limited to SAP Enterprise Resource Planning, SAP Product Lifecycle Management, SAP Customer Relationship Management, SAP Supply Chain Management, SAP Business Intelligence, and SAP Enterprise Portal. \n \nAccording to Onapsis, RECON is caused due to a lack of authentication in the web component of the SAP NetWeaver AS for Java, thus granting an attacker to perform high-privileged activities on the susceptible SAP system. \n \n\"A remote, unauthenticated attacker can exploit this vulnerability through an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet,\" CISA said. \n \nBy exploiting the flaw to create a new SAP user with maximum privileges, the intruder can compromise SAP installations to execute arbitrary commands, such as modifying or extracting highly sensitive information as well as disrupting critical business processes. \n \nAlthough there's no evidence of any active exploitation of the vulnerability, CISA cautioned that the patches' availability could make it easier for adversaries to reverse-engineer the flaw to create exploits and target unpatched systems. \n \nGiven the severity of RECON, it's recommended that organizations apply critical patches as soon as possible and scan SAP systems for all known vulnerabilities and analyze systems for malicious or excessive user authorizations.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T07:17:00", "type": "thn", "title": "New Highly-Critical SAP Bug Could Let Attackers Take Over Corporate Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6287"], "modified": "2020-07-14T07:17:22", "id": "THN:D01CFEFA5701B3385F989E1BE705F6AA", "href": "https://thehackernews.com/2020/07/sap-netweaver-vulnerability.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:23", "description": "[![](https://thehackernews.com/images/-dxgYH4aIuuw/YGxlNUtGVCI/AAAAAAAACLs/oKpHnFXRhZwabJSwosFF7e-iA0QdpeyNgCLcBGAsYHQ/s0/sap.jpg)](<https://thehackernews.com/images/-dxgYH4aIuuw/YGxlNUtGVCI/AAAAAAAACLs/oKpHnFXRhZwabJSwosFF7e-iA0QdpeyNgCLcBGAsYHQ/s0/sap.jpg>)\n\nCyber attackers are actively setting their sights on unsecured SAP applications in an attempt to steal information and sabotage critical processes, according to new research.\n\n\"Observed exploitation could lead in many cases to full control of the unsecured SAP application, bypassing common security and compliance controls, and enabling attackers to steal sensitive information, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations,\" cybersecurity firm Onapsis and SAP [said](<https://onapsis.com/active-cyberattacks-mission-critical-sap-applications>) in a joint report published today.\n\nThe Boston-based company said it detected over 300 successful exploitations out of a total of 1,500 attempts targeting previously known vulnerabilities and insecure configurations specific to SAP systems between mid-2020 to March 2021, with multiple brute-force attempts made by adversaries aimed at high-privilege SAP accounts as well as chaining together several flaws to strike SAP applications.\n\nApplications that have been targeted include, but not limited to enterprise resource planning (ERP), supply chain management (SCM), human capital management (HCM), product lifecycle management (PLM), customer relationship management (CRM), and others.\n\nTroublingly, Onapsis report outlines weaponization of SAP vulnerabilities in less than 72 hours from the release of patches, with new unprotected SAP applications provisioned in cloud environments being discovered and compromised in less than 3 hours.\n\nIn one case, a day after SAP issued a patch for [CVE-2020-6287](<https://us-cert.cisa.gov/ncas/alerts/aa20-195a>) (more below) on July 14, 2020, a proof-of-concept exploit emerged in the wild, which was followed by mass scanning activity on July 16 and the release of a fully-functional public exploit on July 17, 2020.\n\nThe attack vectors were no less sophisticated. The adversaries were found to adopt a varied set of techniques, tools, and procedures to gain initial access, escalate privileges, drop web shells for arbitrary command execution, create SAP administrator users with high privileges, and even extract database credentials. The attacks themselves were launched with the help of TOR nodes and distributed virtual private servers (VPS).\n\n[![](https://thehackernews.com/images/-thOJEuCUSH4/YGxjK5MJGmI/AAAAAAAACLk/k5kYRCll1SYAktNePrl_GDL-cUcYgfNswCLcBGAsYHQ/s0/cyberattack.jpg)](<https://thehackernews.com/images/-thOJEuCUSH4/YGxjK5MJGmI/AAAAAAAACLk/k5kYRCll1SYAktNePrl_GDL-cUcYgfNswCLcBGAsYHQ/s0/cyberattack.jpg>)\n\nThe six flaws exploited by threat actors include \u2014\n\n * [**CVE-2010-5326**](<https://nvd.nist.gov/vuln/detail/CVE-2010-5326>) (CVSS score: 10) - Remote code execution flaw in SAP NetWeaver Application Server (AS) Java\n * [**CVE-2016-3976**](<https://nvd.nist.gov/vuln/detail/CVE-2016-3976>) (CVSS score: 7.5) - Directory traversal vulnerability in SAP NetWeaver AS Java\n * [**CVE-2016-9563**](<https://nvd.nist.gov/vuln/detail/CVE-2016-9563>) (CVSS score: 6.4) - XML External Entity ([XXE](<https://www.acunetix.com/blog/articles/xml-external-entity-xxe-vulnerabilities/>)) expansion vulnerability in BC-BMT-BPM-DSK component of SAP NetWeaver AS Java\n * [**CVE-2018-2380**](<https://nvd.nist.gov/vuln/detail/CVE-2018-2380>) (CVSS score: 6.6) - Directory traversal vulnerability in Internet Sales component in SAP CRM\n * [**CVE-2020-6207**](<https://nvd.nist.gov/vuln/detail/CVE-2020-6207>) (CVSS score: 9.8) - Missing authentication check in SAP Solution Manager\n * [**CVE-2020-6287**](<https://nvd.nist.gov/vuln/detail/CVE-2020-6287>) (CVSS score: 10) - RECON (aka Remotely Exploitable Code On NetWeaver) flaw in LM Configuration Wizard component \n\nFirst disclosed in July 2020, successful exploitation of [CVE-2020-6287](<https://thehackernews.com/2020/07/sap-netweaver-vulnerability.html>) could give an unauthenticated attacker full access to the affected SAP system, counting the \"ability to modify financial records, steal personally identifiable information (PII) from employees, customers and suppliers, corrupt data, delete or modify logs and traces and other actions that put essential business operations, cybersecurity and regulatory compliance at risk.\"\n\nOnapsis also said it was able to detect scanning activity for CVE-2020-6207 dating back to October 19, 2020, almost three months before the public release of a [fully-working exploit](<https://thehackernews.com/2021/01/beware-fully-functional-released-online.html>) on January 14, 2021, implying that threat actors had knowledge of the exploit prior to the public disclosure.\n\nFurthermore, a separate attack observed on December 9 was found to chain exploits for three of the flaws, namely CVE-2020-6287 for creating an admin user and logging in to the SAP system, CVE-2018-2380 for privilege escalation, and CVE-2016-3976 for access to high-privileged accounts and the database.\n\n\"This all happened within 90 minutes,\" Onapsis researchers noted.\n\nWhile no customer breaches have been uncovered, both SAP and Onapsis are urging businesses to perform a compromise assessment of applications, apply relevant patches, and address misconfigurations to prevent unauthorized access.\n\n\"The critical findings [...] describe attacks on vulnerabilities with patches and secure configuration guidelines available for months and even years,\" Onapsis CEO Mariano Nunez said. \"Unfortunately, too many organizations still operate with a major governance gap in terms of the cybersecurity and compliance of their mission-critical applications, allowing external and internal threat actors to access, exfiltrate and gain full control of their most sensitive and regulated information and processes.\"\n\n\"Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action,\" Nunez added.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also published an [alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications>) warning of ongoing nefarious cyber activity in the SAP threat landscape, stating that \"systems running outdated or misconfigured software are exposed to increased risks of malicious attacks.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-06T13:43:00", "type": "thn", "title": "Watch Out! Mission Critical SAP Applications Are Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-5326", "CVE-2016-3976", "CVE-2016-9563", "CVE-2018-2380", "CVE-2020-6207", "CVE-2020-6287"], "modified": "2021-04-07T04:31:36", "id": "THN:3C21F3359B50A4527A83BD7E63B731B2", "href": "https://thehackernews.com/2021/04/watch-out-mission-critical-sap.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2021-02-16T15:27:17", "bounty": 0.0, "description": "Hi team.\n\n## Summary\n\nCVE-2020-6287 https://redapi2.acronis.com\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-6287\n\n>SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.\n\n\nYou can check. I created user with role 'Administrator'\n```\nsapRpoc9846:Secure!PwD7849\n```\n\n## Steps To Reproduce\n\n\n 1. clone https://github.com/chipik/SAP_RECON\n 1. `python3 RECON.py -a -H redapi2.acronis.com -P 443 -s`\n \n\nThanks.\n\n## Impact\n\nadministrative user on sap system", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-11-06T15:23:10", "type": "hackerone", "title": "Acronis: CVE-2020-6287 https://redapi2.acronis.com", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6287"], "modified": "2021-02-16T14:04:26", "id": "H1:1028392", "href": "https://hackerone.com/reports/1028392", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-10-15T22:16:50", "description": "A critical vulnerability, carrying a severity score of 10 out of 10 on the CvSS bug-severity scale, has been disclosed for SAP customers.\n\nSAP\u2019s widely deployed collection of enterprise resource planning (ERP) software is used to manage their financials, logistics, customer-facing organizations, human resources and other business areas. As such, the systems contain plenty of sensitive information.\n\nAccording to [an alert](<https://us-cert.cisa.gov/ncas/alerts/aa20-195a>) from the Department of Homeland Security, successful exploitation of the bug opens the door for attackers to read and modify financial records; change banking details; read personal identifiable information (PII); administer purchasing processes; sabotage or disrupt operations; achieve operating system command execution; and delete or modify traces, logs and other files.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nThe bug ([CVE-2020-6287](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287>)) has been named RECON by the Onapsis Research Labs researchers that found it, and it affects more than 40,000 SAP customers, they noted. SAP [delivered a patch](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675>) for the issue on Tuesday as part of its July 2020 Security Note.\n\n\u201cIt stands for Remotely Exploitable Code On NetWeaver,\u201d Mariano Nunez, CEO of Onapsis, told Threatpost. \u201cThis vulnerability resides inside SAP NetWeaver Java versions 7.30 to 7.50 (the latest version as of [our analysis publication]. All Support Packages tested to date were vulnerable. SAP NetWeaver is the base layer for several SAP products and solutions.\u201d\n\nAn attacker leveraging this vulnerability will have unrestricted access to critical business information and processes in a variety of different scenarios, according to the firm.\n\n## **NetWeaver Java Woes**\n\nThe bug affects a default component present in every SAP application running the SAP NetWeaver Java technology stack, according to Onapsis. This technical component is used in many SAP business solutions, such as SAP S/4HANA, SAP SCM, SAP CRM, SAP CRM, SAP Enterprise Portal, SAP Solution Manager (SolMan) and many others, the researchers said.\n\nAccording to DHS, the vulnerability is introduced due to the lack of authentication in a web component of the SAP NetWeaver AS for Java, allowing for several high-privileged activities on the SAP system. A remote, unauthenticated attacker can exploit this vulnerability through an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet.\n\n\u201cIf successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (`<sid>adm`), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications,\u201d according to the alert.\n\n## Impact\n\nPut another way, an unauthenticated attacker could create a new SAP user with maximum privileges, bypassing all access and authorization controls (such as segregation of duties, identity management, and governance, risk and compliance solutions) and gaining full control of SAP systems, Nunez said.\n\n\u201cWith SAP NetWeaver Java being a fundamental base layer for several SAP products, the specific impact would vary depending on the affected system,\u201d according to Onapsis, in a [technical analysis](<https://www.onapsis.com/recon-sap-cyber-security-vulnerability>) released on Tuesday. \u201cIn particular, there are different SAP solutions running on top of NetWeaver Java which share a common particularity: they are hyper-connected through APIs and interfaces. In other words, these applications are attached to other systems, both internal and external, usually leveraging high-privileged trust relationships.\u201d\n\nAnd while this is bad enough, the RECON vulnerability\u2019s risk increases when the affected solutions are exposed to the internet, to connect companies with business partners, employees and customers. These systems \u2013 Onapsis estimates there are at least 2,500 of them \u2013 have an increased likelihood of remote attacks, researchers said. Out of those vulnerable installations, 33 percent are in North America, 29 percent are in Europe and 27 percent are in Asia-Pacific.\n\n\u201cBecause of the type of unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability also may constitute a deficiency in an enterprise\u2019s IT controls for regulatory mandates\u2014potentially impacting financial (Sarbanes-Oxley) and privacy (GDPR) compliance,\u201d according to the writeup.\n\n## Patch Available\n\nSAP\u2019s patch should be applied immediately, researchers recommended. While for now there is no indication that this has been exploited yet, Nunez told Threatpost that SAP customers should be on high alert now that the vulnerability has been announced and the DHS has sent out its US CERT alert warning.____\n\n\u201cNow that the vulnerability and patch have been released, skilled hackers can quickly develop exploit code,\u201d he said. \u201cBecause there are many vulnerable Internet exposed SAP systems, the complexity of the attack is significantly less.\u201d\n\nThat said, because of the complexity of mission-critical applications and limited maintenance windows, organizations are often challenged to rapidly apply SAP security notes, the Onapsis team acknowledged.\n\n\u201cIt\u2019s difficult to patch mission-critical applications such as those from SAP because they need to be constantly available,\u201d Nunez told Threatpost. \u201cTesting can take a long time depending upon complexity and customization of the apps. Also, there are limited maintenance windows available to apply the patches.\u201d\n\nHe added, \u201cFor SAP customers, critical vulnerabilities such as RECON highlight the need to protect mission-critical applications, by extending existing cybersecurity and compliance programs to ensure these applications are no longer in a blind spot. These systems are the lifeblood of the business and under the scope of strict compliance requirements, so there is simply nothing more important to secure.\u201d\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. [Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n\n_ _\n", "cvss3": {}, "published": "2020-07-14T11:45:02", "type": "threatpost", "title": "Critical SAP Bug Allows Full Enterprise System Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-6287"], "modified": "2020-07-14T11:45:02", "id": "THREATPOST:AA1F3088D813F95D476A024378F27010", "href": "https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-07T18:10:44", "description": "Active cyberattacks on known vulnerabilities in SAP systems could lead to full control of unsecured SAP applications, researchers are warning.\n\nAdversaries are carrying out a range of attacks, according to [an alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications>) from SAP and security firm Onapsis issued Tuesday \u2013 including theft of sensitive data, financial fraud, disruption of mission-critical business processes and other operational disruptions, and delivery of ransomware and other malware.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nSAP applications help organizations manage critical business processes \u2013 including enterprise resource planning (ERP), product lifecycle management, customer relationship management (CRM) and supply-chain management.\n\nFrom mid-2020 until today, Onapsis researchers have recorded more than 300 successful exploit attempts on unprotected SAP instances.\n\n## Who\u2019s at Risk?\n\nUnfortunately, the ongoing attacks could have far-reaching consequences, as SAP noted in the warning:\n\n\u201cThese are the applications that 92 percent of the Forbes Global 2000 have standardized on SAP to power their operations and fuel the global economy,\u201d the alert noted. \u201cWith more than 400,000 organizations using SAP, 77 percent of the world\u2019s transactional revenue touches an SAP system. These organizations include the vast majority of pharmaceutical, critical infrastructure and utility companies, food distributors, defense and many more.\u201d\n\nGovernment agencies should take particular notice of the spate of attacks, researchers said.\n\n\u201cSAP systems are a prominent attack vector for bad actors,\u201d Kevin Dunne, president at Pathlock, told Threatpost. \u201cMost federal agencies are running on SAP, as it has become the industry standard for government entities. However, these SAP implementations are often on-premise, and managed by the government entities themselves due to security concerns. These systems then become increasingly vulnerable when updates and patches are not applied in a timely fashion, leaving them wide open for interested hackers.\u201d\n\nThe technology sector is another hot target for attacks, according to Setu Kulkarni, vice president of strategy at WhiteHat Security.\n\n\u201cOur reporting has found that independent software vendors (ISVs) and technology companies have and inordinately high window of exposure,\u201d he told Threatpost. \u201cWe are seeing that ISVs and technology companies are lacking in their security rigor as they ultimately may pass on the security responsibilities to the companies that use the ISV to build products for their customers.\u201d\n\n## **Active Exploitation**\n\nThe attacks are brute-forcing high-privilege SAP user accounts, as well as exploiting a raft of known bugs: [CVE-2020-6287](<https://nvd.nist.gov/vuln/detail/CVE-2020-6287>), [CVE-2020-6207](<https://nvd.nist.gov/vuln/detail/CVE-2020-6207>), [CVE-2018-2380](<https://nvd.nist.gov/vuln/detail/CVE-2018-2380>), [CVE-2016-9563](<https://nvd.nist.gov/vuln/detail/CVE-2016-9563>), [CVE-2016-3976](<https://nvd.nist.gov/vuln/detail/CVE-2016-3976>) and [CVE-2010-5326](<https://nvd.nist.gov/vuln/detail/CVE-2010-5326>), according to the warning.\n\nThe adversaries are \u201cadvanced threat actors,\u201d according to Onapsis, as evidenced by how quickly they\u2019ve been able to develop exploits, among other things.\n\nThere is \u201cconclusive evidence that cyberattackers are actively targeting and exploiting unsecured SAP applications, through a varied set of techniques, tools and procedures and clear indications of sophisticated knowledge of mission-critical applications,\u201d the alert reads. \u201cThe window for defenders is significantly smaller than previously thought, with examples of SAP vulnerabilities being weaponized in less than 72 hours since the release of patches, and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.\u201d\n\n![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/04/06130028/SAp-1024x319.png)\n\nSource: Onapsis.\n\nThe issues are as follows:\n\n * CVE-2020-6287 is a [critical authentication bypass issue](<https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/>) in SAP NetWeaver Application Server Java allowing full account takeover;\n * CVE-2020-6207 is another critical authentication bypass bug, in SAP Solution Manager;\n * CVE-2018-2380 is a medium-severity flaw in SAP CRM, which allows an attacker to exploit insufficient validation of path information provided by users;\n * CVE-2016-9563 is also a medium-severity bug, this time in SAP NetWeaver AS Java. Remote authenticated users can exploit it to conduct XML External Entity (XXE) attacks, which allow them to interfere with XML processing;\n * CVE-2016-3976 is a high-severity directory traversal vulnerability in SAP NetWeaver AS Java that allows remote attackers to read arbitrary files;\n * And CVE-2010-5326 is an 11-year-old critical issue in the Invoker Servlet on SAP NetWeaver AS Java. It doesn\u2019t require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request.\n\n![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/04/06141350/SAP-vulnerability-groups-300x169.png)\n\nExploit uses \u2013 click to enlarge. Source: Onapsis.\n\nAfter initial access, Onapsis observed threat actors using the vulnerabilities to establish persistence, for privilege escalation, evasion and, ultimately, complete control of SAP systems, including financial, human capital management and supply-chain applications.\n\n\u201cAdditionally, attempts at chaining vulnerabilities to achieve privilege escalation for OS-level access were observed, expanding potential impact beyond SAP systems and applications,\u201d according to the analysis.\n\nAs an example, Onapsis said that one actor was able to scan and create an admin user utilizing an exploit utility for CVE-2020-6287. Upon successfully creating the profile and logging in, additional exploits were executed against CVE-2018-2380 for shell upload, as the attackers tried to access the operating system layer. Following that, exploits for CVE-2016-3976 were executed, targeting the download of a \u201ccredential store,\u201d which provides access to logins for high-privileged accounts and the core database. Worryingly, this all happened within 90 minutes, according to Onapsis.\n\n![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/04/06132248/SAP-chaining-1024x568.png)\n\nExploit chaining. Source: Onapsis.\n\nInterestingly, the cyberattackers in some cases are patching the exploited vulnerabilities after they\u2019ve gained access to a victim\u2019s environment, Onapsis said.\n\n\u201cThis action illustrates the threat actors\u2019 advanced domain knowledge of SAP applications, access to the manufacturer\u2019s patches and their ability to reconfigure these systems,\u201d according to the firm. \u201cThis technique is often used by threat actors to deploy backdoors on seemingly patched systems to maintain persistence or to evade detection.\u201d\n\n## **Who\u2019s Behind the SAP Attacks?**\n\nThe activity is being mounted by multiple groups, who appear to be engaged in coordinated activity across vast swathes of infrastructure, according to the alert.\n\n\u201cAttackers [are] triggering exploitation from different source systems from the ones used to perform subsequent manual logins were detected, indicating the possibility of coordinated groups and/or actors leveraging wide-spread attack infrastructure,\u201d it reads. \u201cWhile this behavior is common when analyzing operating system and network-based attacks, this data provides evidence that the same approach is also used when targeting mission-critical applications, as these actors use TOR nodes and distributed VPS infrastructures to launch the attacks and escalate privileges.\u201d\n\nThe activity is originating from all over the world, including Hong Kong, India, Japan, the Netherlands, Singapore, South Korea, Sweden, Taiwan, United States, Vietnam and Yemen.\n\n## **How Can I Prevent an Attack?**\n\nThe main way to thwart these kinds of attacks is to patch the vulnerabilities. Also, any web-facing accounts should have unique passwords to disallow automated brute-force attempts to break in; and any systems that don\u2019t need to face the public web should be taken offline.\n\n\u201cAll observed exploited critical weaknesses have been promptly patched by SAP, and have been available to customers for months and years in some cases,\u201d the alert noted. \u201cUnfortunately, both SAP and Onapsis continue to observe many organizations that have still not applied the proper mitigations\u2026allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet.\u201d\n\nAlso, while applying security patches in a timely fashion is critical to closing down the risk from major, known vulnerabilities, Pathlock\u2019s Dunne pointed out that patching can only remedy issues that are in the rear-view. With cyberattackers patching the bugs behind them, there also needs to be a way to detect malicious activity.\n\n\u201cFor a comprehensive, forward looking approach to SAP security, organizations need to implement a comprehensive solution to monitor user activities within the system, including interactions with sensitive data,\u201d he told Threatpost. \u201cThis way, even attackers that are able to breach SAP systems by known or unknown vulnerabilities can still be identified and their damage can be mitigated in real-time.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-06T18:47:57", "type": "threatpost", "title": "SAP Bugs Under Active Cyberattack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-5326", "CVE-2016-3976", "CVE-2016-9563", "CVE-2018-2380", "CVE-2020-6207", "CVE-2020-6287"], "modified": "2021-04-06T18:47:57", "id": "THREATPOST:4CFA3A7AC21D83FC03B1B74B2DA261BD", "href": "https://threatpost.com/sap-bugs-cyberattack-compromise/165265/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2020-10-29T14:42:12", "description": "![Trick or Treat! What We Can Learn from the Spookiest Vulnerabilities of the Year](https://blog.rapid7.com/content/images/2020/10/Trick-or-Treat--What-We-Can-Learn-from-the-Spookiest-Vulnerabilities-of-the-Year.jpg)\n\nSpooky season is in full swing, and we\u2019re not just talking about Halloween. [Security vulnerabilities](<https://www.rapid7.com/fundamentals/vulnerabilities-exploits-threats/>) can range from tiny errors to large-scale gaps in protection, and all have different consequences. We put together a list of some of the scariest vulnerabilities of the year (the tricks!) and the remediation solutions that can help you stay on guard in the future (the treats!).\n\n## [SMBghost](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost?referrer=search>)\n\n![Trick or Treat! What We Can Learn from the Spookiest Vulnerabilities of the Year](https://blog.rapid7.com/content/images/2020/10/SMBGhost-1.png)\n\n**The Trick: **SMBghost is a [buffer overflow vulnerability](<https://blog.rapid7.com/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/>) when compression is enabled in Microsoft SMB Servers. The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application. Yikes!\n\nThe impact that the exploitation of this vulnerability has is very high, due to this having the ability to be exploited remotely and the sense that it grants system-level access in kernel mode. This vulnerability has also been deemed as wormable, which makes it a priority for attackers to utilize.\n\n**The Treat: **Though the attacker value is very high, most [AttackerKB](<https://attackerkb.com/topics/2LCXe3EPAZ/cve-2020-0796---smbghost>) users have noted that the vuln\u2019s exploitability is relatively low. Microsoft has since released a patch for this vulnerability and suggests that users take proper precaution when enabling compression within SMB. Now, with many knowledge workers still stuck at home thanks to the pandemic, and therefore not spending a lot of time hanging out in SMB-heavy environments, this sequestration might actually be limiting the value of this and other SMB vulnerabilities\u2014maybe working from home might actually be good for security!\n\n## [BlueGate](<https://attackerkb.com/topics/Er1dwnOh2a/windows-remote-desktop-gateway-rce-cve-2020-0609?referrer=search>)\n\n![Trick or Treat! What We Can Learn from the Spookiest Vulnerabilities of the Year](https://blog.rapid7.com/content/images/2020/10/BlueGateway-1.png)\n\n**The Trick: **A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. A ghost-like attacker messing with your data? Pretty spooky.\n\n**The Treat: **This ghost is probably going away with regular and timely security patches. Though it goes against expert advice to deploy right smack on the internet, maintainers of such servers just need to keep up on their patches in the same way a typical IIS administrator does. The Microsoft-issued update addresses the vulnerability by correcting how RD Gateway handles connection requests.\n\n## [Ripple20](<https://attackerkb.com/topics/EZhbaWNnwV/ripple20-treck-tcp-ip-stack-vulnerabilities?referrer=search>)\n\n![Trick or Treat! What We Can Learn from the Spookiest Vulnerabilities of the Year](https://blog.rapid7.com/content/images/2020/10/ripple20-1.png)\n\n**The Trick: **In June, security firm JSOF published research on a collection of 19 vulnerabilities in a low-level TP/IP software library developed by Trek, a company that has distributed embedded internet protocols since the \u201990s. The 19 vulnerabilities \u201caffect hundreds of millions of devices (or more),\u201d thanks to the ripple effect of the supply chain. Consider \u201c19\u201d to be quite the opposite of a magic number. The 19 vulnerabilities are not equal in their severity and potential impact and are likely to persist for some time. \n\n\n**The Treat: **Is there any good news? Well, the practical attacker value of this suite of vulnerabilities is, on the whole, relatively low. This is in large part because of the lack of attack scalability: Each attack will, in all likelihood, need to be tailor-made for the target device, and even the value of targeting specific devices is heavily dependent on device capabilities and the context in which that device is used. The Treck TCP/IP stack is geared toward low-resource devices, which makes the Ripple20 vulnerabilities significantly less likely to be targeted in resource-heavy attacks such as crypto-mining or ransomware campaigns. If users want to change course from a scary ending to a happy one, users are best served by applying detections at the edge and internal network level to filter out malformed TCP/IP packets, IP fragments, and other lesser-used networking features, where possible.\n\n## [Bad Neighbor](<https://attackerkb.com/topics/17lFRTT1DO/cve-2020-16898-aka-bad-neighbor-ping-of-death-redux>)\n\n![Trick or Treat! What We Can Learn from the Spookiest Vulnerabilities of the Year](https://blog.rapid7.com/content/images/2020/10/bad-neighbor-1.png)\n\n**The Trick:** Bad Neighbor is a remote code execution vulnerability that arises when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploits this vulnerability could gain the ability to execute code on the target server or client. The vulnerability has garnered broad attention as potentially wormable. This bad neighbor is probably someone who gives out wormable apples instead of candy.\n\n**The Treat: **You can\u2019t call the homeowners association on this one, but we recommend applying the patch for CVE-2020-16898 (Bad Neighbor) as soon as possible. For those who are unable to patch immediately, consider disabling ICMPv6 RDNSS as a workaround.\n\n## [RECON](<https://blog.rapid7.com/2020/07/14/pay-attention-to-your-sap-security/>)\n\n![Trick or Treat! What We Can Learn from the Spookiest Vulnerabilities of the Year](https://blog.rapid7.com/content/images/2020/10/recon-1.png)\n\n**The Trick: **This critical [SAP vulnerability (RECON)](<https://attackerkb.com/topics/JubO1RiVBP/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-as-java#rapid7-analysis>) from July affects the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. Though a few months have passed since its publication, it\u2019s still a big deal, especially since exploit code is publicly available. Businesses rely on SAP for a wide variety of processes, capturing everything from financial data to business intelligence. Most organizations use it as a tool to manage compliance and ensure access is provisioned (and, more importantly, deprovisioned) with urgency. The critical component to this vulnerability is that it does not require authentication to exploit, meaning any SAP NetWeaver system with the vulnerable components exposed to the internet\u2014currently estimated to be at least 4,000\u2014can be trivially compromised to wreak havoc on business systems. _So, yeah, this one is big-time scary._\n\n**The Treat:** This trick feels more like a long con. And how do you unravel the layers and remediate a long con? Conversations should begin with IT by identifying which physical or virtual assets are affected. SAP NetWeaver serves as the base layer for many SAP products, so many applications and processes are likely affected. Understanding how many systems you need to apply this patch to will help you begin to communicate estimated downtime to the business. Treating vulnerabilities, especially severe ones like this, is an exercise in diplomacy, politics, and trade-offs. For some, this will require removing SAP\u2019s direct access to the internet. For others, it will require implementing WAF and/or IPS rules. CISA strongly recommends closely monitoring SAP NetWeaver AS for anomalous activity. SAP customers should be on the lookout for unusual processes spawned under the context of users that match the <sid>adm naming convention. File metadata may also be a good way to identify when SAP NetWeaver software spawns non-SAP binaries. Rapid7 also recommends ensuring that any web service does not run using a privileged account. For others, it will result in accepting the risk. The key message here is to sit down with all stakeholders, including business leaders, to get on the same page about the severity of this vulnerability, develop and activate a treatment plan, and make sure to have, at a minimum, detective controls in place to respond.\n\n## [SigRed](<https://attackerkb.com/topics/egp32neD6z/cve-2020-1350-windows-dns-server-remote-code-execution-sigred>)\n\n![Trick or Treat! What We Can Learn from the Spookiest Vulnerabilities of the Year](https://blog.rapid7.com/content/images/2020/10/sigred-1.png)\n\n**The Trick: **A remote code execution vulnerability codenamed \u201cSigRed\u201d exists in Windows Domain Name System servers when they fail to properly handle requests. Successful exploitation can result in domain administrator privileges, compromising critical business data, assets, and infrastructure. If that wasn\u2019t scary enough, Homeland Security decided to get involved. The U.S. Department of Homeland Security issued an emergency directive on July 16, 2020 requiring federal agencies to patch or mitigate the vulnerability within 24 hours\u2014only the third time CISA\u2019s current director has taken such an action. As with any vulnerability known to be wormable, CVE-2020-1350, or SigRed, will make an attractive target for ransomware campaigns in addition to stealthier threat actors.\n\n**The Treat: **CISA put out urgent guidance to those who have Windows servers running DNS: patch on an emergency basis. Microsoft released guidance on mitigations for those who cannot patch, but as with other recent high-severity, high-urgency vulnerabilities, it is highly recommended that defenders prioritize patching over mitigation wherever possible. When attacker value is this high, don\u2019t just run for the hills\u2014instead, follow the rules and prioritize patching to keep monsters out of your servers.\n\n## [Curveball](<https://blog.rapid7.com/2020/01/16/cve-2020-0601-windows-cryptoapi-spoofing-vulnerability-what-you-need-to-know/>)\n\n![Trick or Treat! What We Can Learn from the Spookiest Vulnerabilities of the Year](https://blog.rapid7.com/content/images/2020/10/curveball-1.png)\n\n**The Trick: **In January,** **a flaw [(CVE-2020-0601 or Curveball)](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2020-0601>) was found in the way the Microsoft Windows CryptoAPI performs certificate validation, allowing attackers to spoof X.509 vulnerabilities. This is core cryptographic functionality used by a number of different software components, with far-reaching impact ranging from programming languages to web browsers.\n\n**The Treat: **This year started out with a fright, but there are some silver linings. The mitigation steps taken by Microsoft and others (e.g., Google Chrome) to detect and alert users to exploitation attempts are a welcome development for defenders and users. Windows Update services were not affected by this due to extended hardening in years past, showing that defense-in-depth is important for maintaining critical infrastructure. This vulnerability also highlights a specification flaw that software projects should heed: Untested features are likely vulnerable features. Because this vulnerability is in an extremely seldom-used feature of the TLS specification that allows users to specify their own elliptical curves, it meant the feature was largely untested. Vulnerability hunters and defenders may be on the lookout for similar bugs in other TLS implementations in the future.\n\nIt\u2019s Halloween, not April fools, and these vulnerabilities are no joke. As with any security scare, it\u2019s important not only to remediate, but to reflect on what we can learn from these mistakes. If you\u2019re looking for more visibility into which of these vulnerabilities is present in your organization, learn more about [our vulnerability management tool, InsightVM](<https://www.rapid7.com/products/insightvm/>).\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2020-10-29T13:59:06", "type": "rapid7blog", "title": "Trick or Treat! What We Can Learn from the Spookiest Vulnerabilities of the Year", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0601", "CVE-2020-0609", "CVE-2020-0796", "CVE-2020-1350", "CVE-2020-16898", "CVE-2020-6287"], "modified": "2020-10-29T13:59:06", "id": "RAPID7BLOG:E36C557104ECB6E144C21C3C499B0492", "href": "https://blog.rapid7.com/2020/10/29/trick-or-treat-what-we-can-learn-from-the-spookiest-vulnerabilities-of-the-year/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-08T18:54:35", "description": "![Attackers Targeting Fortinet Devices and SAP Applications](https://blog.rapid7.com/content/images/2021/04/target.jpg)\n\n_The following blog was co-authored by Caitlin Condon and [Bob Rudis](<https://blog.rapid7.com/author/bob-rudis>), also known (in his own words) as \u201csome caveman from Maine.\u201d_\n\nLast week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI [published a joint alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>) to warn users that APT threat actors were likely exploiting unpatched Fortinet FortiOS devices to gain initial access to government, commercial, technology, and other organizations\u2019 networks. The alert highlighted three FortiOS vulnerabilities, all of which were previously known, and at least one of which (CVE-2018-13379) has been broadly exploited for more than 18 months. This week, CISA [published an additional alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications>) amplifying a threat report from security firm Onapsis, which describes [ongoing attacks against SAP applications](<https://onapsis.com/active-cyberattacks-mission-critical-sap-applications>).\n\nRapid7 has previously analyzed a number of the highest-severity vulnerabilities enumerated in this latest set of alerts. The CVEs included in these reports have been detailed below, along with recommendations for organizations seeking to defend themselves against ongoing exploitation. Notably, none of these vulnerabilities are new\u2014many of them are a year or more old, which underscores the need for a regular patch cycle, as well as a defined patch cycle exception process.\n\n## FortiOS vulnerabilities\n\nFortinet devices are what we call **network pivots**\u2014that is, the position they occupy in organizations\u2019 networks gives external attackers the ability to access internal networks if exploited successfully, which in turn allows for a range of secondary attacks and other nefarious activities. If at all possible, defenders should strongly consider implementing a \u201czero-day\u201d patch cycle for internet-exposed and other network pivot products, including (but not only) Fortinet and other VPNs. InsightVM and Nexpose customers can assess their exposure to all three FortiOS CVEs below with vulnerability checks.\n\n * CVE-2018-13379 is a pre-authentication information disclosure vulnerability that arises from a path traversal flaw in the web portal component of FortiOS SSL VPNs. The vulnerability allows external attackers to download FortiOS system files through specially crafted HTTP resource requests and has been [exploited in the wild since 2019](<https://us-cert.cisa.gov/ncas/current-activity/2019/10/04/vulnerabilities-exploited-multiple-vpn-applications>). Read our [full analysis of CVE-2018-13379 and its history here](<https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios?referrer=blog#rapid7-analysis>).\n * [CVE-2019-5591](<https://attackerkb.com/topics/sWpteHiN5z/cve-2019-5591?referrer=blog>) is a default configuration vulnerability in FortiOS that allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n * [CVE-2020-12812](<https://attackerkb.com/topics/8qnr47UsVL/cve-2020-12812?referrer=blog>) is an improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below that gives a user the ability to log in successfully without being prompted for the second factor of authentication (FortiToken) if that user changes the case of their username.\n\nSince the beginning of March, Rapid7 Labs' Heisenberg Honeypot fleet has seen nearly 60 IP addresses attempting common, known single `GET` request exploits against Fortinet devices (we\u2019ve grouped the IP addresses up to the hosting provider/ISP level):\n\n![Attackers Targeting Fortinet Devices and SAP Applications](https://blog.rapid7.com/content/images/2021/04/image2.png)\n\nUnfortunately, our fleet does not emulate Fortinet devices. Since these devices are fairly easy to distinguish on the internet (nearly 1 million of them in the image, below)\u2014due to the common, vendor SSL certificate they use\u2014it is surprising to see opportunistic exploit attempts versus just inventory/discovery scans.\n\n![Attackers Targeting Fortinet Devices and SAP Applications](https://blog.rapid7.com/content/images/2021/04/image1.png)Over 1 million Fortinet devices discovered by the latest Project Sonar scans (geolocated with MaxMind)\n\nThat last sentence should help organizations underscore why CISA and the FBI raised the Fortinet exploitation campaign to the level of a joint alert: Attackers can easily identify legitimate Fortinet endpoints on the internet, and it takes virtually no time from discovery to exploit if a target system is not patched and configured properly.\n\nOn April 3, 2021, Fortinet published [a post on patch and vulnerability management](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>) where they outlined their emergency response and patch release practices new alignment to ISO standards and further emphasized the need to keep internet-exposed Fortinet devices patched. They have a special knowledge base article on [how to keep notified about Fortinet patch releases](<https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD50697&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=184200521&stateId=1%200%20184202090%27>) and provide multiple ways for organizations to say current on Fortinet security updates. \n\nAs Fortinet notes in that post, these weaknesses have had patches available for quite some time, so if you\u2019re just getting around to fixing them, you may need to dedicate some further cycles to some forensic activity, as it is very likely one or more attackers have already taken advantage of these vulnerabilities.\n\nTo learn more about other vulnerabilities that functioned as network pivots for attackers, read [Rapid7\u2019s 2020 Vulnerability Intelligence Report](<https://www.rapid7.com/research/report/vulnerability-intelligence-report/>).\n\n## Actively exploited SAP vulnerabilities\n\nThe two most recent SAP vulnerabilities detailed in Onapsis\u2019 threat report are CVE-2020-6287, a CVSS-10 vulnerability in the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard that has been actively exploited in the wild since July 2020, and SAP Solution Manager CVE-2020-6207. Both of these vulnerabilities allow broad compromise of SAP applications and environments.\n\n * CVE-2020-6287 is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and any newer versions (up to SAP NetWeaver 7.5). It allows remote, unauthenticated attackers to exploit and fully compromise vulnerable SAP installations. Exploitation of CVE-2020-6287 through the HTTP interface allows for modification or extraction of highly sensitive information and disruption of critical business processes. For a list of affected applications and additional guidance, read Rapid7\u2019s [full analysis here](<https://attackerkb.com/topics/JubO1RiVBP/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-as-java?referrer=blog#rapid7-analysis>).\n * CVE-2020-6207 arises from a missing authentication check in version 7.2 of SAP\u2019s Solution Manager product, allowing attackers to completely compromise all SMDAgents connected to the Solution Manager. \nSAP customers should pay close attention to their access logs and monitor for unauthorized user account creation; they should also ensure that web services in general do not run using privileged accounts. InsightVM and Nexpose customers can assess their risk to CVE-2020-6287 with a remote vulnerability check. A check for CVE-2020-6207 is currently under development.\n\nOther SAP vulnerabilities noted as being exploited in the wild include:\n\n * CVE-2018-2380 affects SAP CRM versions 7.01, 7.02, 7.30, 7.31, 7.33, and 7.54. The vulnerability allows an attacker to exploit insufficient validation of path information provided by users, letting characters representing "traverse to parent directory" pass through to the file APIs.\n * CVE-2016-9563 is a vulnerability in SAP NetWeaver Application Server (AS) Java 7.5 that allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI.\n * CVE-2016-3976 is a directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 that allows remote attackers to read arbitrary files via a ..\\ (dot dot backslash) in the fileName parameter to `CrashFileDownloadServlet`.\n * CVE-2010-5326 is a CVSS-10 vulnerability in the `Invoker` Servlet on SAP NetWeaver Application Server Java platforms that arises from a lack of authentication and allows remote attackers to execute arbitrary code via an HTTP or HTTPS request. It was used in attacks from 2013 to 2016.\nAttackers have used these vulnerabilities to establish persistence, escalate privileges, and evade detection. It is also possible that threat actors may build exploit chains that extend access beyond SAP applications to underlying operating systems. Further information and recommendations is [available from Onapsis here](<https://www.onapsis.com/active-cyberattacks-mission-critical-sap-applications>). \n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2021-04-08T17:18:07", "type": "rapid7blog", "title": "Attackers Targeting Fortinet Devices and SAP Applications", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-5326", "CVE-2016-3976", "CVE-2016-9563", "CVE-2018-13379", "CVE-2018-2380", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-6207", "CVE-2020-6287"], "modified": "2021-04-08T17:18:07", "id": "RAPID7BLOG:5109AC30126DB59333F13ED32F7F4713", "href": "https://blog.rapid7.com/2021/04/08/attackers-targeting-fortinet-devices-and-sap-applications/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-Actual-1.jpg)\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-2.jpg)\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-3.jpg)\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-4-scaled.jpg)\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/patch-mgmt-windows2.jpg)\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-6.jpg)\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", "CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}

Acronis: Found multiple SAP NetWeaver vulnerable services

Description

Related